Re: [PATCH net] tcp: fix stale per-CPU tcp_tw_isn leak enabling ISN prediction

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Jakub Kicinski <kuba@kernel.org>
To: Eric Dumazet <edumazet@google.com>
Cc: "David S . Miller" <davem@davemloft.net>,
	Paolo Abeni <pabeni@redhat.com>, Simon Horman <horms@kernel.org>,
	Neal Cardwell <ncardwell@google.com>,
	Kuniyuki Iwashima <kuniyu@google.com>,
	netdev@vger.kernel.org, eric.dumazet@gmail.com
Subject: Re: [PATCH net] tcp: fix stale per-CPU tcp_tw_isn leak enabling ISN prediction
Date: Mon, 11 May 2026 13:23:25 -0700	[thread overview]
Message-ID: <20260511132325.54be1fe7@kernel.org> (raw)
In-Reply-To: <20260511151559.1916614-1-edumazet@google.com>

On Mon, 11 May 2026 15:15:59 +0000 Eric Dumazet wrote:
> diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
> index d13d49bfef19457cc5902cb556605a80f4c0ab2c..079f2324a3a777cfe30dd59777c9d3d6d9a6bae0 100644
> --- a/net/ipv6/tcp_ipv6.c
> +++ b/net/ipv6/tcp_ipv6.c
> @@ -1641,6 +1641,7 @@ int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
>  reset:
>  	tcp_v6_send_reset(sk, skb, sk_rst_convert_drop_reason(reason));
>  discard:
> +	__this_cpu_write(tcp_tw_isn, 0);
>  	if (opt_skb)
>  		__kfree_skb(opt_skb);
>  	sk_skb_reason_drop(sk, skb, reason);
> @@ -1839,6 +1840,7 @@ INDIRECT_CALLABLE_SCOPE int tcp_v6_rcv(struct sk_buff *skb)
>  		}
>  	}
>  
> +	DEBUG_NET_WARN_ON_ONCE(__this_cpu_read(tcp_tw_isn));
>  process:
>  	if (static_branch_unlikely(&ip6_min_hopcount)) {
>  		/* min_hopcount can be changed concurrently from do_ipv6_setsockopt() */
> @@ -1913,6 +1915,7 @@ INDIRECT_CALLABLE_SCOPE int tcp_v6_rcv(struct sk_buff *skb)
>  	}
>  
>  discard_it:
> +	__this_cpu_write(tcp_tw_isn, 0);
>  	SKB_DR_OR(drop_reason, NOT_SPECIFIED);
>  	sk_skb_reason_drop(sk, skb, drop_reason);
>  	return 0;

CI says:

[  288.637769][ T3492] BUG: using __this_cpu_write() in preemptible [00000000] code: python3/3492
[  288.638116][ T3492] caller is tcp_v6_do_rcv+0x204/0x1cb0
[  288.638240][ T3492] CPU: 1 UID: 0 PID: 3492 Comm: python3 Not tainted 7.1.0-rc2-virtme #1 PREEMPT(full) 
[  288.638245][ T3492] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[  288.638247][ T3492] Call Trace:
[  288.638248][ T3492]  <TASK>
[  288.638250][ T3492]  dump_stack_lvl+0x6f/0xa0
[  288.638257][ T3492]  check_preemption_disabled+0xdb/0xf0
[  288.638261][ T3492]  tcp_v6_do_rcv+0x204/0x1cb0
[  288.638265][ T3492]  __release_sock+0x135/0x3a0
[  288.638272][ T3492]  release_sock+0x19c/0x240
[  288.638275][ T3492]  tcp_sendmsg+0x39/0x50
[  288.638279][ T3492]  __sys_sendto+0x2c9/0x400
[  288.638282][ T3492]  ? __ia32_sys_getpeername+0xd0/0xd0
[  288.638288][ T3492]  ? sock_ioctl+0x3cb/0x5f0
[  288.638294][ T3492]  ? find_held_lock+0x2b/0x80
[  288.638299][ T3492]  ? __lock_release.isra.0+0x6b/0x1a0
[  288.638302][ T3492]  __x64_sys_sendto+0xe4/0x1f0
[  288.638304][ T3492]  ? trace_irq_enable.constprop.0+0x9b/0x180
[  288.638308][ T3492]  ? lockdep_hardirqs_on+0x8c/0x130
[  288.638310][ T3492]  ? do_syscall_64+0x82/0xfc0
[  288.638312][ T3492]  do_syscall_64+0x117/0xfc0
[  288.638314][ T3492]  ? irq_exit_rcu+0x1a/0x30
[  288.638318][ T3492]  entry_SYSCALL_64_after_hwframe+0x4b/0x53
[  288.638321][ T3492] RIP: 0033:0x7f895f8fe08e

next prev parent reply	other threads:[~2026-05-11 20:23 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-05-11 15:15 [PATCH net] tcp: fix stale per-CPU tcp_tw_isn leak enabling ISN prediction Eric Dumazet
2026-05-11 20:23 ` Jakub Kicinski [this message]
2026-05-12  6:18 ` [syzbot ci] " syzbot ci

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260511132325.54be1fe7@kernel.org \
    --to=kuba@kernel.org \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=eric.dumazet@gmail.com \
    --cc=horms@kernel.org \
    --cc=kuniyu@google.com \
    --cc=ncardwell@google.com \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.