git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Xuanqiang Luo <luoxuanqiang@kylinos.cn>
	Wed, 15 Oct 2025 02:02:36 +0000 (10:02 +0800)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 18 Dec 2025 12:54:44 +0000 (13:54 +0100)
commit	fe89feb2bdce1046311f46f2d9f2f0585cf31009
tree	bc95f05304db9e1b3198428dd756dd7231ce3a37	tree
parent	e1480cc48d416917f949b67a63c8dad66e52cfd3	commit \| diff

inet: Avoid ehash lookup race in inet_twsk_hashdance_schedule()

[ Upstream commit b8ec80b130211e7bf076ef72365952979d5f7a72 ]

Since ehash lookups are lockless, if another CPU is converting sk to tw
concurrently, fetching the newly inserted tw with tw->tw_refcnt == 0 cause
lookup failure.

The call trace map is drawn as follows:
   CPU 0                                CPU 1
   -----                                -----
     inet_twsk_hashdance_schedule()
     spin_lock()
     inet_twsk_add_node_rcu(tw, ...)
__inet_lookup_established()
(find tw, failure due to tw_refcnt = 0)
     __sk_nulls_del_node_init_rcu(sk)
     refcount_set(&tw->tw_refcnt, 3)
     spin_unlock()

By replacing sk with tw atomically via hlist_nulls_replace_init_rcu() after
setting tw_refcnt, we ensure that tw is either fully initialized or not
visible to other CPUs, eliminating the race.

It's worth noting that we held lock_sock() before the replacement, so
there's no need to check if sk is hashed. Thanks to Kuniyuki Iwashima!

Fixes: 3ab5aee7fe84 ("net: Convert TCP & DCCP hash tables to use RCU / hlist_nulls")
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Signed-off-by: Xuanqiang Luo <luoxuanqiang@kylinos.cn>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20251015020236.431822-4-xuanqiang.luo@linux.dev
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>