Thread (8 messages), 3 authors, 2025-10-14

Re: [RESEND PATCH net-next v7 3/3] inet: Avoid ehash lookup race in inet_twsk_hashdance_schedule()

From: "Jiayuan Chen" <jiayuan.chen@linux.dev>
Date: 2025-10-14 06:46:29

October 14, 2025 at 10:27, xuanqiang.luo@linux.dev wrote:

From: Xuanqiang Luo <redacted>

Since ehash lookups are lockless, if another CPU is converting sk to tw
concurrently, fetching the newly inserted tw with tw->tw_refcnt == 0 causes
lookup failure.

The call trace map is drawn as follows:
 CPU 0                                   CPU 1
 -----                                   -----
                                         inet_twsk_hashdance_schedule()
                                         spin_lock()
                                         inet_twsk_add_node_rcu(tw, ...)
 __inet_lookup_established()
 (find tw, failure due to tw_refcnt = 0)
                                         __sk_nulls_del_node_init_rcu(sk)
                                         refcount_set(&tw->tw_refcnt, 3)
                                         spin_unlock()

By replacing sk with tw atomically via hlist_nulls_replace_init_rcu() after
setting tw_refcnt, we ensure that tw is either fully initialized or not
visible to other CPUs, eliminating the race.

It's worth noting that we held lock_sock() before the replacement, so
there's no need to check if sk is hashed. Thanks to Kuniyuki Iwashima!

Fixes: 3ab5aee7fe84 ("net: Convert TCP & DCCP hash tables to use RCU / hlist_nulls")
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Signed-off-by: Xuanqiang Luo <redacted>
Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
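
The ordering problem in the quoted commit message, replayed deterministically as an added example; this is not code from the patch or the kernel. It assumes a simplified bucket in which readers see only the head pointer, and the names ent, bucket, lookup, old_order_lookup_hits and new_order_lookup_hits are hypothetical.

```c
#include <stdatomic.h>
#include <stdio.h>

/* Hypothetical model: one ehash bucket; readers only follow the head pointer. */
struct ent { atomic_int refcnt; struct ent *next; };
struct bucket { struct ent *_Atomic head; };

/* Same contract as refcount_inc_not_zero(): succeed only if the count is > 0. */
static int inc_not_zero(struct ent *e) {
    int c = atomic_load(&e->refcnt);
    while (c > 0)
        if (atomic_compare_exchange_weak(&e->refcnt, &c, c + 1))
            return 1;
    return 0;
}

/* Lockless reader: the first matching entry decides the outcome. */
static struct ent *lookup(struct bucket *b) {
    struct ent *e = atomic_load(&b->head);
    return (e && inc_not_zero(e)) ? e : NULL;
}

/* Old order from the trace: tw becomes visible before its refcount is set. */
int old_order_lookup_hits(void) {
    struct ent sk = { 2, NULL }, tw = { 0, &sk };
    struct bucket b = { &sk };
    atomic_store(&b.head, &tw);        /* inet_twsk_add_node_rcu(tw, ...) */
    struct ent *seen = lookup(&b);     /* reader on the other CPU */
    tw.next = NULL;                    /* __sk_nulls_del_node_init_rcu(sk) */
    atomic_store(&tw.refcnt, 3);       /* refcount_set(&tw->tw_refcnt, 3) */
    return seen != NULL;
}

/* New order: refcount first, then one pointer swap standing in for the replace. */
int new_order_lookup_hits(int when) {  /* when = 0, 1 or 2: where the reader runs */
    struct ent sk = { 2, NULL }, tw = { 0, NULL };
    struct bucket b = { &sk };
    struct ent *seen = (when == 0) ? lookup(&b) : NULL;
    atomic_store(&tw.refcnt, 3);       /* tw fully initialized, still invisible */
    if (when == 1) seen = lookup(&b);
    atomic_store(&b.head, &tw);        /* sk replaced by tw in a single store */
    if (when == 2) seen = lookup(&b);
    return seen != NULL;
}

int main(void) {
    printf("old order hit=%d, new order hits=%d/%d/%d\n", old_order_lookup_hits(),
           new_order_lookup_hits(0), new_order_lookup_hits(1), new_order_lookup_hits(2));
    return 0;
}
```

In the old order the reader sees tw with a zero refcount and gives up, although a live socket for the connection exists throughout; in the new order every reader position yields either sk or a fully initialized tw.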