Re: [PATCH v2] audit: Fix data races of skb_queue_len() readers on audit_queue
From: Paul Moore
Date: Tue Jun 30 2026 - 16:15:52 EST
On Jun 19, 2026 Chi Wang <wangchi@xxxxxxxxxx> wrote:
>
> Multiple readers access audit_queue.qlen via skb_queue_len() without
> holding the queue lock or using READ_ONCE(), while kauditd writes to
> this field via the skb_dequeue() → __skb_unlink() path with WRITE_ONCE()
> protected by a spinlock. This constitutes data races.
>
> All affected skb_queue_len(&audit_queue) call sites:
> - kauditd_thread() wait_event_freezable() condition
> - audit_receive_msg() AUDIT_GET handler (s.backlog assignment)
> - audit_receive() backlog check
> - audit_log_start() backlog check and pr_warn()
>
> KCSAN reports the following conflicting access pattern (one example):
> ==================================================================
> BUG: KCSAN: data-race in audit_log_start / skb_dequeue
>
> write (marked) to 0xffffffff8512ee20 of 4 bytes by task 661 on cpu 57:
> skb_dequeue+0x70/0xf0
> kauditd_send_queue+0x71/0x220
> kauditd_thread+0x1cb/0x430
> kthread+0x1c2/0x210
> ret_from_fork+0x162/0x1a0
> ret_from_fork_asm+0x1a/0x30
>
> read to 0xffffffff8512ee20 of 4 bytes by task 36586 on cpu 1:
> audit_log_start+0x2a0/0x6b0
> audit_core_dumps+0x64/0xa0
> do_coredump+0x14b/0x1260
> get_signal+0xeb2/0xf70
> arch_do_signal_or_restart+0x41/0x170
> exit_to_user_mode_loop+0xa2/0x1c0
> do_syscall_64+0x1a3/0x1c0
> entry_SYSCALL_64_after_hwframe+0x76/0xe0
>
> value changed: 0x00000001 -> 0x00000000
> ==================================================================
>
> Resolve the race by switching to lockless helper skb_queue_len_lockless(),
> which internally uses READ_ONCE() and properly pairs with the WRITE_ONCE()
> write accesses already present on the writer side.
>
> Fixes: 3197542482df ("audit: rework audit_log_start()")
> Signed-off-by: Chi Wang <wangchi@xxxxxxxxxx>
> Cc: stable@xxxxxxxxxxxxxxx
> Reviewed-by: Ricardo Robaina <rrobaina@xxxxxxxxxx>
> ---
> kernel/audit.c | 10 +++++-----
> 1 file changed, 5 insertions(+), 5 deletions(-)
Merged into stable-7.2, thanks.
--
paul-moore.com