[PATCH net 0/7] net/handshake: anchor request lifetime to a pinned file reference

Mon May 18 11:24:27 PDT 2026

handshake_nl_accept_doit() has accumulated four follow-on fixes
since 3b3009ea8abb ("net/handshake: Create a NETLINK service for
handling handshake requests"): 7ea9c1ec66bc, 7798b59409c3,
fe67b063f687, and dabac51b8102.  Each was a local refcount or
NULL-check correction; none moved where the file reference is
owned, and the same code keeps producing the same class of bug.
Reworking the ownership is what breaks the pattern.

For the duration of a request, sock->file has no single owner.
Submit publishes the request without taking a file reference;
accept_doit acquires one inside the handler, after the request
has already left the pending list.  The consumer can drop its
own reference at any time, including the moment between
handshake_req_next() popping the request and accept_doit
reaching get_file().  The submit-side sock_hold() pins only
struct sock; struct socket and sock->file remain under the
consumer's control via the file descriptor.

This series places the file reference under unambiguous
ownership.  handshake_req_submit() pins it on the request and
completion or cancel drops it (patches 4-5); the submit-side
sock_hold() then becomes redundant, and dropping it also closes
a publish-before-pin race the late sock_hold itself opened
(patch 6).  Patch 3 normalizes the errno sign convention across
the handshake_complete() API and its consumers, and patch 2 is
the matching correction in nvme-tcp.  Patch 1 fixes an unrelated
netns-exit leak.  Patch 7 adds KUnit file-count assertions to
verify the new refcount contract.

Three things in this restructuring want a careful look.  In
handshake_complete(), the fput() of the request's file
reference has to come after hp_done() and after the sock_put()
that may free sk -- fput() can transitively run
handshake_sk_destruct() and free the request, so the patch
stashes hr_file in a local first.  handshake_sk_destruct()
itself is kept on purpose: it owns rhashtable removal and
kfree, and remains the backstop if a consumer path bypasses
handshake_complete() entirely.  Third, handshake_req_next() now
returns its request with an extra get_file() held under
hn_lock; accept_doit must consume that reference (FD_PREPARE on
success, explicit fput on the fdf.err path), and any future
caller has to honor the same contract.

Patches 1, 3, 5, and 6 carry Fixes: 3b3009ea8abb and should
travel to stable together.  Patch 2 carries Fixes: be8e82caa685.

Signed-off-by: Chuck Lever <chuck.lever at oracle.com>

---
Chuck Lever (7):
      net/handshake: Drain pending requests at net namespace exit
      nvme-tcp: store negative errno in queue->tls_err
      net/handshake: Pass negative errno through handshake_complete()
      net/handshake: Take a long-lived file reference at submit
      net/handshake: hand off the pinned file reference to accept_doit
      net/handshake: Close the submit-side sock_hold race
      net/handshake: Verify file-reference balance in submit paths

 drivers/nvme/host/tcp.c        |  2 +-
 net/handshake/handshake-test.c | 38 +++++++++++++++++++++++++++++++-
 net/handshake/handshake.h      |  6 +++--
 net/handshake/netlink.c        | 26 ++++++++++------------
 net/handshake/request.c        | 50 ++++++++++++++++++++++++++++++++++--------
 net/handshake/tlshd.c          |  4 ++--
 6 files changed, 96 insertions(+), 30 deletions(-)
---
base-commit: f5b2772d14884f4be9e718644f1203d4d0e6f0d6
change-id: 20260516-handshake-file-pin-21390f5f3513

Best regards,
--  
Chuck Lever <chuck.lever at oracle.com>