On Mon, Mar 17, 2025 at 05:22:55PM +0800, Jiayuan Chen wrote:
> There are potential concurrency issues, as shown below.
> '''
> CPU0                                   CPU1
> sk_psock_verdict_data_ready:
>     socket *sock = sk->sk_socket
>     if (!sock) return
>                                        close(fd):
>                                        ...
>                                        ops->release()
>     if (!sock->ops) return
>                                        sock->ops = NULL
>                                        rcu_call(sock)
>                                        free(sock)
>     READ_ONCE(sock->ops)
>     ^ use 'sock' after free
> '''
> RCU is not applicable to the Unix socket read path, because the Unix socket implementation itself assumes it is always in process context and heavily uses mutex_lock, so we can't call read_skb within an RCU lock.
Hm, I guess the RCU work in sk_psock_drop() does not work for Unix domain sockets either?
Thanks.