inpcb: Close some SO_REUSEPORT_LB races
ClosedPublic
Actions

Authored by markj on Dec 10 2024, 7:10 PM.

Details

Reviewers

glebius
ae

Group Reviewers

network

Commits

rG5f610cf1ec62: inpcb: Close some SO_REUSEPORT_LB races
rGa600aabe9b04: inpcb: Close some SO_REUSEPORT_LB races

Summary

For a long time, the inpcb lookup path has been lockless in the common
case: we use net_epoch to synchronize lookups. However, the routines
which update lbgroups were not careful to synchronize with unlocked
lookups. I believe that in the worst case this can result in spurious
connection aborts (I have a regression test case to exercise this), but
it's hard to be certain.

Modify in_pcblbgroup* routines to synchronize with unlocked lookup:

When removing inpcbs from an lbgroup, do not shrink the array. The maximum number of lbgroup entries is INPCBLBGROUP_SIZMAX (256), and it doesn't seem worth the complexity to shrink the array when a socket is removed.
When resizing an lbgroup, do not insert it into the hash table until it is fully initialized; otherwise lookups may observe a partially constructed lbgroup.
When adding an inpcb to the group, increment the counter after adding the array entry, using a release store. Otherwise it's possible for lookups to observe a null array slot.
When looking up an entry, use a corresponding acquire load.

Sponsored by: Klara, Inc.
Sponsored by: Stormshield