Re: [PATCH v3] tcp: fix race condition when creating child sockets from syncookies

From: Ricardo Dias
Date: Wed Nov 11 2020 - 13:06:03 EST


On Wed, Nov 11, 2020 at 05:05:11PM +0100, Eric Dumazet wrote:
> On Wed, Nov 11, 2020 at 8:35 AM Ricardo Dias <rdias@xxxxxxxxxxxxxxx> wrote:
>
> ...
>
> > + * If an existing socket already exists, it returns that socket
> > + * through the osk parameter.
>
>
> I think this deserves a third parameter, to avoid confusion.

Yes, I agree. It will make much clearer the semantics of this function.

> ...
>
> > + if (unlikely(!refcount_inc_not_zero(&esk->sk_refcnt)))
>
> Can you explain how this could happen ?
> Again, we own the lock here, finding a socket in ehash, with a zero
> refcount can not happen.
>
> Only a true rcu lookup could see a zero refcount.

Ah! Now I understand what you are saying. Indeed we just need to
increment the ref counter. We don't need to check if it's zero.

> ...
>
> > - inet_ehash_nolisten(sk, (struct sock *)tw);
> > + inet_ehash_nolisten(sk, (struct sock **)&tw);
>
> Why could not we 'find' a prior socket, and since you ignore the result,
> leave a refcount increment, and a socket leak ?
>
> Same remark for all callers.
>
> > }
> > if (tw)
>
> See the problem here ?
>
> If tw was initially NULL, then inet_ehash_nolisten() could have overwritten tw
> with another socket.
>
> Surely calling inet_twsk_bind_unhash() could be disastrous.

Yes, you're right.
I adapted this call to match the new signature assuming `tw` would never
be NULL. Shame on me for not noticing the `if (tw)` statement right
below :-).

I'll check each caller code, to make sure I'm not leaking the socket.


Thanks for your reviews. I'm learning more and more with each review
iteration.