From: David Gibson
To: passt-dev@passt.top, Stefano Brivio
Cc: David Gibson
Subject: [PATCH] tcp: Properly remove sockets from epoll loop when connection is closed
Date: Tue, 11 Nov 2025 14:25:20 +1100
Message-ID: <20251111032520.64266-1-david@gibson.dropbear.id.au>

Most of the handling for closing a TCP connection is in conn_event_do()
when it receives a 'CLOSED' event. We specifically check for this case
and, correctly, remove the connection from the flow hash table. However,
we also bypass the call to tcp_epoll_ctl(), which is not correct.

By skipping tcp_epoll_ctl() we skip its specific handling of the CLOSED
event, which includes removing the TCP socket from epoll. If we somehow
get an event on such a stale socket, we'll get a stale flow reference.
That flow slot might have been re-used, leading to a crash in
conn_at_sidx().

Fixes: b86afe3559c0 ("tcp: Don't defer hash table removal")
Signed-off-by: David Gibson
---
 tcp.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/tcp.c b/tcp.c
index e91c0cf5..3202d338 100644
--- a/tcp.c
+++ b/tcp.c
@@ -694,12 +694,13 @@ void conn_event_do(const struct ctx *c, struct tcp_tap_conn *conn, flow_dbg(conn, "%s", num == -1 ? "CLOSED" : tcp_event_str[num]); - if (event == CLOSED) - flow_hash_remove(c, TAP_SIDX(conn)); - else if ((event == TAP_FIN_RCVD) && !(conn->events & SOCK_FIN_RCVD)) + if ((event == TAP_FIN_RCVD) && !(conn->events & SOCK_FIN_RCVD)) { conn_flag(c, conn, ACTIVE_CLOSE); - else + } else { + if (event == CLOSED) + flow_hash_remove(c, TAP_SIDX(conn)); tcp_epoll_ctl(c, conn); + } if (CONN_HAS(conn, SOCK_FIN_SENT | TAP_FIN_ACKED)) tcp_timer_ctl(conn); -- 2.51.1
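Review bot: the correctness of the new else branch depends on tcp_epoll_ctl() deregistering the socket when it sees CLOSED, but nothing in this hunk shows that, and the old code read as if CLOSED was deliberately kept away from tcp_epoll_ctl(), so the next reader may be tempted to restore that shortcut. A one-line comment above `if (event == CLOSED)` stating that CLOSED must still fall through to tcp_epoll_ctl() so the socket is removed from epoll would document the invariant this fix relies on. Ordering also deserves a note: flow_hash_remove() now runs before tcp_epoll_ctl(), so between the two calls the socket is still registered while the flow is already out of the hash; that window is fine as long as nothing in tcp_epoll_ctl() looks the flow up by hash, which is worth confirming since the visible lines do not show it. Finally, the stale-socket case described in the commit message (an epoll event arriving for a socket whose flow slot has been re-used) is a memory-safety hazard, not just a crash, so a follow-up that makes the epoll dispatch path reject a sidx whose flow is no longer a live TCP connection would catch any future regression of this kind rather than relying solely on correct teardown ordering here.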