)]}' { "commit": "ea5fe6a73ca57e5150b8a38b341aef2636eb72f0", "tree": "f4a1f3a0b6f1292240edfa6921793afa3621a964", "parents": [ "204a5efde5ed52932840ee1d15d3b581cfda48e2" ], "author": { "name": "Chuck Lever", "email": "chuck.lever@oracle.com", "time": "Mon May 25 12:51:22 2026 -0400" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Thu May 28 13:35:32 2026 +0200" }, "message": "net/handshake: Drain pending requests at net namespace exit\n\nThe arguments to list_splice_init() in handshake_net_exit() are\nreversed. The call moves the local empty \"requests\" list onto\nhn-\u003ehn_requests, leaving the local list empty, so the subsequent\ndrain loop runs zero iterations. Pending handshake requests that\nhad not yet been accepted are not torn down when the net namespace\nis destroyed; each one keeps a reference on a socket file and on\nthe handshake_req allocation.\n\nPass the source and destination in the documented order\n(list_splice_init(list, head) moves list onto head) so the pending\nlist is transferred to the local scratch list and drained through\nhandshake_complete().\n\nFixing the splice direction exposes a list-corruption race. After\nthe splice each req-\u003ehr_list still has non-empty link pointers,\nthreading the stack-local scratch list rather than hn_requests.\nA concurrent handshake_req_cancel() -- for example, from sunrpc\u0027s\nTLS timeout on a kernel socket whose netns reference was not\ntaken -- finds the request through the rhashtable, calls\nremove_pending(), and sees !list_empty(\u0026req-\u003ehr_list).\n__remove_pending_locked() then list_del_init()s an entry off the\nscratch list while the drain iterates, corrupting it. The same\ncall arriving after the drain loop has run list_del() on an\nentry hits LIST_POISON instead.\n\nHave remove_pending() check HANDSHAKE_F_NET_DRAINING under\nhn_lock and report not-found when drain is in progress. The\ndrain has already taken ownership; handshake_complete()\u0027s existing\ntest_and_set on HANDSHAKE_F_REQ_COMPLETED still arbitrates\nbetween drain and cancel for who calls the consumer\u0027s hp_done. Use\nlist_del_init() rather than list_del() in the drain so req-\u003ehr_list\ndoes not carry LIST_POISON after drain releases the entry.\n\nThe DRAINING guard in remove_pending() makes cancel return false,\nbut cancel still falls through to test_and_set_bit on\nHANDSHAKE_F_REQ_COMPLETED and drops the request\u0027s hr_file reference.\nWithout another pin, if that is the last reference, sk_destruct frees\nthe request while it is still linked on the drain loop\u0027s local list.\nPin each request\u0027s hr_file under hn_lock before releasing the list,\nand drop that drain pin after the loop finishes with the request.\n\nFixes: 3b3009ea8abb (\"net/handshake: Create a NETLINK service for handling handshake requests\")\nSigned-off-by: Chuck Lever \u003cchuck.lever@oracle.com\u003e\nReviewed-by: Hannes Reinecke \u003chare@kernel.org\u003e\nLink: https://patch.msgid.link/20260525-handshake-file-pin-v3-8-66c616906ead@oracle.com\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n", "tree_diff": [ { "type": "modify", "old_id": "21d6cbd52fcdb603b0322507d65fbd1b60b947f7", "old_mode": 33188, "old_path": "net/handshake/netlink.c", "new_id": "3fd4fef9bab1a47421911b73d47d5d69d850708e", "new_mode": 33188, "new_path": "net/handshake/netlink.c" }, { "type": "modify", "old_id": "bd3d9467ab91b774d34124ea651c76feef4d100b", "old_mode": 33188, "old_path": "net/handshake/request.c", "new_id": "cd30d54d0501d3029ef8fb2a25f26b436acfce82", "new_mode": 33188, "new_path": "net/handshake/request.c" } ] }