[rds-devel] [net, v2] net/rds: fix recursive lock in rds_tcp_conn_slots_available
Simon Horman
horms at kernel.org
Thu Feb 19 08:44:58 UTC 2026
On Wed, Feb 18, 2026 at 06:13:56PM +0100, Fernando Fernandez Mancera wrote:
> On 2/18/26 11:02 AM, Simon Horman wrote:
...
> > The commit message states "For rds_tcp_conn_slots_available() the lock is
> > already held because we are in the receiving path." Is this claim accurate
> > across all receive paths?
> >
> > Looking at the two receive sub-paths:
> >
> > 1. In the backlog processing path (shown in the syzbot stack trace), the
> > socket IS owned because __release_sock() runs while the lock_sock
> > ownership bit is still set:
> >
> > tcp_sock_set_cork() -> lock_sock() -> release_sock() -> __release_sock()
> > -> sk_backlog_rcv() -> tcp_v6_do_rcv() -> tcp_rcv_established()
> > -> tcp_data_ready() -> sk->sk_data_ready() -> rds_tcp_data_ready()
> > -> rds_tcp_read_sock()
> >
> > 2. However, rds_tcp_data_ready() can also be called directly from the
> > normal softirq receive path via tcp_data_ready() -> sk->sk_data_ready(),
> > where the socket lock is NOT held. In this path, rds_tcp_read_sock()
> > calls tcp_read_sock() without lock_sock.
> >
> > The fix is still correct in both cases because inet_dport is a stable
> > atomic-width field, but the claim "the lock is already held" is not
> > universally true for all receiving paths.
> >
> > Should the commit message be more precise about when the lock is held?
> >
>
> While I think that is right, the relevant part is the atomicity. The
> operation is safe but it requires a READ_ONCE() annotation probably.
Thanks. I don't have a deep understanding of this.
But I agree that seems correct.
More information about the rds-devel
mailing list