On Mon, Mar 17, 2025 at 05:22:54PM +0800, Jiayuan Chen wrote:
> The sk->sk_socket is not locked or referenced, and during the call to

Hm? We should have a reference in socket map, whether directly or indirectly,
right? When we add a socket to a socket map, we do call
sock_map_psock_get_checked() to obtain a reference.

> skb_send_sock(), there is a race condition with the release of sk_socket.
> All types of sockets (tcp/udp/unix/vsock) will be affected.
>
> Race conditions:
> '''
> CPU0                                CPU1
> skb_send_sock
>   sendmsg_unlocked
>     sock_sendmsg
>       sock_sendmsg_nosec
>                                     close(fd):
>                                       ...
>                                       ops->release()

IIRC, ->release() is only called when the refcnt of fd becomes zero, so I
wonder how we reach here even though we have a reference of psock->refcnt?

>                                       sock_map_close()
>                                         sk_socket->ops = NULL
>                                         free(socket)
>         sock->ops->sendmsg
>               ^
>               panic here

Thanks.