Re: [PATCH net-next v5 3/3] inet: Avoid ehash lookup race in inet_twsk_hashdance_schedule()
From: Jakub Kicinski <kuba@kernel.org>
Date: 2025-09-25 00:55:28
On Wed, 24 Sep 2025 09:50:34 +0800 xuanqiang.luo@linux.dev wrote:
> From: Xuanqiang Luo <redacted>
>
> Since ehash lookups are lockless, if another CPU is converting sk to tw
> concurrently, fetching the newly inserted tw with tw->tw_refcnt == 0 causes
> lookup failure.
>
> The call trace map is drawn as follows:
>    CPU 0                                CPU 1
>    -----                                -----
>                                      inet_twsk_hashdance_schedule()
>                                      spin_lock()
>                                      inet_twsk_add_node_rcu(tw, ...)
> __inet_lookup_established()
> (find tw, failure due to tw_refcnt = 0)
>                                      __sk_nulls_del_node_init_rcu(sk)
>                                      refcount_set(&tw->tw_refcnt, 3)
>                                      spin_unlock()
>
> By replacing sk with tw atomically via hlist_nulls_replace_init_rcu() after
> setting tw_refcnt, we ensure that tw is either fully initialized or not visible
> to other CPUs, eliminating the race.

This one doesn't build cleanly
net/ipv4/inet_timewait_sock.c:116:28: warning: unused variable 'ehead' [-Wunused-variable]
116 | struct inet_ehash_bucket *ehead = inet_ehash_bucket(hashinfo, sk->sk_hash);
| ^~~~~
net/ipv4/inet_timewait_sock.c:91:13: warning: unused function 'inet_twsk_add_node_rcu' [-Wunused-function]
91 | static void inet_twsk_add_node_rcu(struct inet_timewait_sock *tw,
| ^~~~~~~~~~~~~~~~~~~~~~
--
pw-bot: cr
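
An added illustration of the ordering described in the quoted commit message, not code from the patch or the kernel: a single-threaded C11 model that replays the interleaving deterministically. `struct entry`, `lookup()` and the one-pointer `head` slot are simplifications assumed here; the kernel uses hlist_nulls chains and refcount_t.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Simplified model (assumption): "head" is the first chain node a reader hits. */
struct entry { atomic_int refcnt; };

/* Reader-side rule: take a reference only if the count is already non-zero. */
static bool inc_not_zero(atomic_int *r)
{
    int old = atomic_load(r);
    while (old != 0)
        if (atomic_compare_exchange_weak(r, &old, old + 1))
            return true;
    return false;
}

/* Lockless lookup: uses whatever entry is published at this instant. */
static bool lookup(struct entry *_Atomic *slot)
{
    struct entry *e = atomic_load_explicit(slot, memory_order_acquire);
    return e && inc_not_zero(&e->refcnt);
}

/* Racy order: tw becomes visible first, refcnt is set only afterwards. */
static bool racy_order_lookup_ok(void)
{
    struct entry sk = { 1 }, tw = { 0 };
    struct entry *_Atomic head = &sk;
    atomic_store_explicit(&head, &tw, memory_order_release); /* tw visible, refcnt 0 */
    bool ok = lookup(&head);       /* the other CPU's lookup runs in this window */
    atomic_store(&tw.refcnt, 3);   /* too late for that lookup */
    return ok;
}

/* Fixed order: set refcnt, then replace sk with tw in one atomic store. */
static bool fixed_order_lookup_ok(bool reader_before_swap)
{
    struct entry sk = { 1 }, tw = { 0 };
    struct entry *_Atomic head = &sk;
    bool ok = false;
    atomic_store(&tw.refcnt, 3);
    if (reader_before_swap) ok = lookup(&head);   /* still finds sk */
    atomic_store_explicit(&head, &tw, memory_order_release);
    if (!reader_before_swap) ok = lookup(&head);  /* finds initialized tw */
    return ok;
}

int main(void)
{
    printf("racy: %d, fixed (reader before swap): %d, fixed (reader after swap): %d\n",
           racy_order_lookup_ok(), fixed_order_lookup_ok(true), fixed_order_lookup_ok(false));
    return 0;
}
```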