git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Xuanqiang Luo <luoxuanqiang@kylinos.cn>
	Wed, 15 Oct 2025 02:02:35 +0000 (10:02 +0800)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 18 Dec 2025 12:54:44 +0000 (13:54 +0100)
commit	e1480cc48d416917f949b67a63c8dad66e52cfd3
tree	386770f845e9f9546fc0ef2172cde85a2c673002	tree
parent	6b9cbefb73c35c54eae971160cd952434c792da2	commit \| diff

inet: Avoid ehash lookup race in inet_ehash_insert()

[ Upstream commit 1532ed0d0753c83e72595f785f82b48c28bbe5dc ]

Since ehash lookups are lockless, if one CPU performs a lookup while
another concurrently deletes and inserts (removing reqsk and inserting sk),
the lookup may fail to find the socket, an RST may be sent.

The call trace map is drawn as follows:
   CPU 0                           CPU 1
   -----                           -----
inet_ehash_insert()
                                spin_lock()
                                sk_nulls_del_node_init_rcu(osk)
__inet_lookup_established()
(lookup failed)
                                __sk_nulls_add_node_rcu(sk, list)
                                spin_unlock()

As both deletion and insertion operate on the same ehash chain, this patch
introduces a new sk_nulls_replace_node_init_rcu() helper functions to
implement atomic replacement.

Fixes: 5e0724d027f0 ("tcp/dccp: fix hashdance race for passive sessions")
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Signed-off-by: Xuanqiang Luo <luoxuanqiang@kylinos.cn>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20251015020236.431822-3-xuanqiang.luo@linux.dev
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

include/net/sock.h		diff \| blob \| blame \| history
net/ipv4/inet_hashtables.c		diff \| blob \| blame \| history