Bug 274873

Summary: A possible data race in sys/netpfil/ipfw/dn_aqm_pie.c
Product: Base System
Reporter: Tuo Li <islituo>
Component: kern
Assignee: freebsd-ipfw (Nobody) <ipfw>
Status: Closed (Not A Bug)
Severity: Affects Only Me
CC: markj
Priority: ---
Version: 14.0-RELEASE
Hardware: Any
OS: Any

Description Tuo Li 2023-11-02 16:27:22 UTC
The struct field pst->measurement_start is initialized by init_activate_pie(), and in this function pst->measurement_start is set to AQM_UNOW after pst->sflags is set:

  pst->sflags = PIE_INMEASUREMENT;
  pst->measurement_start = AQM_UNOW;

However, if aqm_pie_dequeue() is called right after pst->sflags is set to PIE_INMEASUREMENT, a data race can occur:

  dq_time = now - pst->measurement_start;

because pst->measurement_start is accessed without holding the lock pst->lock_mtx.

The value of dq_time may be invalid in this condition.
Comment 1 Mark Johnston freebsd_committer freebsd_triage 2023-11-03 00:04:11 UTC
These functions are all serialized by DN_BH_WLOCK().  pst->lock_mtx serves to synchronize with calls to calculate_drop_prob() from a callout.  I don't see how the described race can occur.
Comment 2 Tuo Li 2023-11-03 15:12:15 UTC
(In reply to Mark Johnston from comment #1)
Thank you for your reply! It is very helpful. I did not consider the global lock operation DN_BH_WLOCK() and thus reported this false data race. I am sorry to bother you, and I will be more careful in subsequent reports.
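An added illustration of the point made in comment 1, not code from the report or from FreeBSD's dummynet: a small Eraser-style lockset check over the accesses the report names, with DN_BH_WLOCK() and pst->lock_mtx modelled as lock bits. The trace is constructed for the example and the drop_prob rows are hypothetical stand-ins for state shared with the callout; it shows that leaving the global lock out of the analysis is exactly what turns a serialized access into a reported race.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Lock bits for the model; names mirror the two locks named in the report. */
enum { L_DN_BH_WLOCK = 1u << 0, L_PST_LOCK_MTX = 1u << 1 };

/* One memory access: which function, which pst field, which locks were held. */
struct access { const char *func; const char *field; uint32_t held; };

/* Constructed trace of the accesses discussed in the report. The drop_prob
 * rows are hypothetical stand-ins for the state shared with the callout. */
static const struct access trace[] = {
    { "init_activate_pie",   "sflags",            L_DN_BH_WLOCK },
    { "init_activate_pie",   "measurement_start", L_DN_BH_WLOCK },
    { "aqm_pie_dequeue",     "measurement_start", L_DN_BH_WLOCK },
    { "calculate_drop_prob", "drop_prob",         L_PST_LOCK_MTX },  /* callout */
    { "aqm_pie_dequeue",     "drop_prob",         L_DN_BH_WLOCK | L_PST_LOCK_MTX },
};
static const size_t trace_len = sizeof(trace) / sizeof(trace[0]);

/* Eraser-style lockset refinement: the candidate lockset of a field is the
 * intersection of the locks held at every access to it. An empty result means
 * no single lock orders all accesses, i.e. a potential data race. A field that
 * is never accessed keeps the unconstrained set (all bits set).
 * ignore_bh drops DN_BH_WLOCK from every access, reproducing an analysis that
 * does not know about the global serialization. */
uint32_t lockset_for(const char *field, bool ignore_bh)
{
    uint32_t candidate = ~0u;
    for (size_t i = 0; i < trace_len; i++) {
        if (strcmp(trace[i].field, field) != 0)
            continue;
        uint32_t held = ignore_bh ? (trace[i].held & ~L_DN_BH_WLOCK)
                                  : trace[i].held;
        candidate &= held;
    }
    return candidate;
}

/* true when the analysis would flag the field as racy. */
bool reports_race(const char *field, bool ignore_bh)
{
    return lockset_for(field, ignore_bh) == 0;
}
```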