Re: [PATCH net-next v8 3/3] inet: Avoid ehash lookup race in... | netdev

Re: [PATCH net-next v8 3/3] inet: Avoid ehash lookup race in inet_twsk_hashdance_schedule()

From: Eric Dumazet <edumazet@google.com>
Date: 2025-10-15 09:02:21

On Tue, Oct 14, 2025 at 7:04 PM [off-list ref] wrote:

From: Xuanqiang Luo <redacted>

Since ehash lookups are lockless, if another CPU is converting sk to tw
concurrently, fetching the newly inserted tw with tw->tw_refcnt == 0 cause
lookup failure.

The call trace map is drawn as follows:
   CPU 0                                CPU 1
   -----                                -----
                                     inet_twsk_hashdance_schedule()
                                     spin_lock()
                                     inet_twsk_add_node_rcu(tw, ...)
__inet_lookup_established()
(find tw, failure due to tw_refcnt = 0)
                                     __sk_nulls_del_node_init_rcu(sk)
                                     refcount_set(&tw->tw_refcnt, 3)
                                     spin_unlock()

By replacing sk with tw atomically via hlist_nulls_replace_init_rcu() after
setting tw_refcnt, we ensure that tw is either fully initialized or not
visible to other CPUs, eliminating the race.

It's worth noting that we held lock_sock() before the replacement, so
there's no need to check if sk is hashed. Thanks to Kuniyuki Iwashima!

Fixes: 3ab5aee7fe84 ("net: Convert TCP & DCCP hash tables to use RCU / hlist_nulls")
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Signed-off-by: Xuanqiang Luo <redacted>

Reviewed-by: Eric Dumazet <edumazet@google.com>

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help