[PATCH net 6/7] net/handshake: Close the submit-side sock_hold race
Hannes Reinecke
hare at suse.de
Tue May 19 01:01:12 PDT 2026
On 5/18/26 20:24, Chuck Lever wrote:
> From: Chuck Lever <chuck.lever at oracle.com>
>
> handshake_req_submit() publishes the request via
> handshake_req_hash_add() and __add_pending_locked(), drops
> hn_lock, and calls handshake_genl_notify() (which can sleep)
> before taking sock_hold() on req->hr_sk. A fast tlshd ACCEPT
> followed by DONE can drive handshake_complete()'s sock_put()
> into the window between the spin_unlock and the late
> sock_hold(); on a system where the consumer's fd held the
> only sk reference, the late sock_hold() then operates on an
> sk whose refcount has reached zero.
>
> The preceding two patches install an explicit file reference
> on struct handshake_req. That file pins sock->file, which
> pins the embedded struct socket, which defers inet_release()'s
> sock_put(). As long as hr_file is held, sk cannot reach refcount
> zero from the consumer side, and the submit-side sock_hold()
> with its matching sock_put() calls in handshake_complete() and
> handshake_req_cancel() is now redundant.
>
> Drop all three. Submit's pinning is strictly the file reference
> acquired earlier in the function, and the lifetime story is
> contained in a single get_file()/fput() pair.
>
> Fixes: 3b3009ea8abb ("net/handshake: Create a NETLINK service for handling handshake requests")
> Signed-off-by: Chuck Lever <chuck.lever at oracle.com>
> ---
> net/handshake/request.c | 12 ------------
> 1 file changed, 12 deletions(-)
>
Reviewed-by: Hannes Reinecke <hare at kernel.org>
Cheers,
Hannes
--
Dr. Hannes Reinecke Kernel Storage Architect
hare at suse.de +49 911 74053 688
SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg
HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich
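
The interleaving described in the quoted commit message, as an added example that is not part of this e-mail or of the kernel patch: a single-threaded userspace model that replays the old and new orderings step by step. The struct, the `_m` helpers and the plain-int counters are hypothetical stand-ins for the kernel's refcounts, and the point at which completion drops hr_file is an assumption.

```c
#include <stdio.h>

/* Userspace model only: plain ints stand in for kernel refcounts. */
struct model {
    int sk_refs;      /* references on the sock (sk) */
    int file_refs;    /* references on the struct file behind sock->file */
    int hold_on_zero; /* set when a hold runs on an sk already at zero */
};

static void sock_hold_m(struct model *m)
{
    if (m->sk_refs == 0)
        m->hold_on_zero = 1; /* in the kernel the sk may already be freed */
    m->sk_refs++;
}

static void sock_put_m(struct model *m) { m->sk_refs--; }

/* Last fput releases the socket, which performs the deferred sock_put(). */
static void fput_m(struct model *m)
{
    if (--m->file_refs == 0)
        sock_put_m(m);
}

/* Old ordering: publish, drop hn_lock, notify (may sleep), then sock_hold(). */
static int old_ordering_hold_on_zero(void)
{
    struct model m = { .sk_refs = 1, .file_refs = 1, .hold_on_zero = 0 };
    sock_put_m(&m);  /* fast ACCEPT then DONE: handshake_complete() */
    sock_hold_m(&m); /* submit resumes after the notify: late hold */
    return m.hold_on_zero;
}

/* New ordering: the file reference taken before publishing is the only pin. */
static int new_ordering_sk_refs_while_pinned(void)
{
    struct model m = { .sk_refs = 1, .file_refs = 1, .hold_on_zero = 0 };
    int seen;
    m.file_refs++;    /* submit: get_file() before the request is published */
    fput_m(&m);       /* consumer closes its fd in the middle of the handshake */
    seen = m.sk_refs; /* hr_file still held, so release has not run */
    fput_m(&m);       /* assumed: completion drops hr_file, release runs now */
    return m.hold_on_zero ? -1 : seen;
}

int main(void)
{
    printf("old ordering, hold on zero: %d\n", old_ordering_hold_on_zero());
    printf("new ordering, sk refs while pinned: %d\n", new_ordering_sk_refs_while_pinned());
    return 0;
}
```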