[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 11 Nov 2020 18:05:55 +0000
From: Ricardo Dias <rdias@...glestore.com>
To: Eric Dumazet <edumazet@...gle.com>
Cc: David Miller <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>,
Alexey Kuznetsov <kuznet@....inr.ac.ru>,
Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
netdev <netdev@...r.kernel.org>,
LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v3] tcp: fix race condition when creating child sockets
from syncookies
On Wed, Nov 11, 2020 at 05:05:11PM +0100, Eric Dumazet wrote:
> On Wed, Nov 11, 2020 at 8:35 AM Ricardo Dias <rdias@...glestore.com> wrote:
>
> ...
>
> > + * If an existing socket already exists, it returns that socket
> > + * through the osk parameter.
>
>
> I think this deserves a third parameter, to avoid confusion.
Yes, I agree. It will make much clearer the semantics of this function.
> ...
>
> > + if (unlikely(!refcount_inc_not_zero(&esk->sk_refcnt)))
>
> Can you explain how this could happen ?
> Again, we own the lock here, finding a socket in ehash, with a zero
> refcount can not happen.
>
> Only a true rcu lookup could see a zero refcount.
Ah! Now I understand what you are saying. Indeed we just need to
increment the ref counter. We don't need to check if it's zero.
> ...
>
> > - inet_ehash_nolisten(sk, (struct sock *)tw);
> > + inet_ehash_nolisten(sk, (struct sock **)&tw);
>
> Why could not we 'find' a prior socket, and since you ignore the result,
> leave a refcount increment, and a socket leak ?
>
> Same remark for all callers.
>
> > }
> > if (tw)
>
> See the problem here ?
>
> If tw was initially NULL, then inet_ehash_nolisten() could have overwritten tw
> with another socket.
>
> Surely calling inet_twsk_bind_unhash() could be disastrous.
Yes, you're right.
I adapted this call to match the new signature assuming `tw` would never
be NULL. Shame on me for not noticing the `if (tw)` statement right
below :-).
I'll check each caller code, to make sure I'm not leaking the socket.
Thanks for your reviews. I'm learning more and more with each review
iteration.
Powered by blists - more mailing lists