From: "yanjun.zhu" <yanjun.zhu@linux.dev>
To: Leon Romanovsky <leon@kernel.org>
Cc: zyjzyj2000@gmail.com, jgg@ziepe.ca, linux-rdma@vger.kernel.org,
	Liu Yi <asatsuyu.liu@gmail.com>
Subject: Re: [PATCH 1/1] RDMA/rxe: Fix null deref on srq->rq.queue after resize failure
Date: Mon, 27 Oct 2025 14:29:23 -0700
Message-ID: <08fbf2f3-8f1d-41ed-9afa-79b187d7a483@linux.dev>
In-Reply-To: <20251027200438.GP12554@unreal>

On 10/27/25 1:04 PM, Leon Romanovsky wrote:
> On Mon, Oct 27, 2025 at 10:43:06AM -0700, Zhu Yanjun wrote:
>> A NULL pointer dereference can occur in rxe_srq_chk_attr() when
>> ibv_modify_srq() is invoked twice in succession under certain error
>> conditions. The first call may fail in rxe_queue_resize(), which leads
>> rxe_srq_from_attr() to set srq->rq.queue = NULL. The second call then
>> triggers a crash (null deref) when accessing
>> srq->rq.queue->buf->index_mask.
>>
>> Call Trace:
>> <TASK>
>> rxe_modify_srq+0x170/0x480 [rdma_rxe]
>> ? __pfx_rxe_modify_srq+0x10/0x10 [rdma_rxe]
>> ? uverbs_try_lock_object+0x4f/0xa0 [ib_uverbs]
>> ? rdma_lookup_get_uobject+0x1f0/0x380 [ib_uverbs]
>> ib_uverbs_modify_srq+0x204/0x290 [ib_uverbs]
>> ? __pfx_ib_uverbs_modify_srq+0x10/0x10 [ib_uverbs]
>> ? tryinc_node_nr_active+0xe6/0x150
>> ? uverbs_fill_udata+0xed/0x4f0 [ib_uverbs]
>> ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x2c0/0x470 [ib_uverbs]
>> ? __pfx_ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x10/0x10 [ib_uverbs]
>> ? uverbs_fill_udata+0xed/0x4f0 [ib_uverbs]
>> ib_uverbs_run_method+0x55a/0x6e0 [ib_uverbs]
>> ? __pfx_ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x10/0x10 [ib_uverbs]
>> ib_uverbs_cmd_verbs+0x54d/0x800 [ib_uverbs]
>> ? __pfx_ib_uverbs_cmd_verbs+0x10/0x10 [ib_uverbs]
>> ? __pfx___raw_spin_lock_irqsave+0x10/0x10
>> ? __pfx_do_vfs_ioctl+0x10/0x10
>> ? ioctl_has_perm.constprop.0.isra.0+0x2c7/0x4c0
>> ? __pfx_ioctl_has_perm.constprop.0.isra.0+0x10/0x10
>> ib_uverbs_ioctl+0x13e/0x220 [ib_uverbs]
>> ? __pfx_ib_uverbs_ioctl+0x10/0x10 [ib_uverbs]
>> __x64_sys_ioctl+0x138/0x1c0
>> do_syscall_64+0x82/0x250
>> ? fdget_pos+0x58/0x4c0
>> ? ksys_write+0xf3/0x1c0
>> ? __pfx_ksys_write+0x10/0x10
>> ? do_syscall_64+0xc8/0x250
>> ? __pfx_vm_mmap_pgoff+0x10/0x10
>> ? fget+0x173/0x230
>> ? fput+0x2a/0x80
>> ? ksys_mmap_pgoff+0x224/0x4c0
>> ? do_syscall_64+0xc8/0x250
>> ? do_user_addr_fault+0x37b/0xfe0
>> ? clear_bhb_loop+0x50/0xa0
>> ? clear_bhb_loop+0x50/0xa0
>> ? clear_bhb_loop+0x50/0xa0
>> entry_SYSCALL_64_after_hwframe+0x76/0x7e
>>
>> Root cause:
>> The queue is released on the first failure of rxe_cq_resize_queue.
>> Thus, when rxe_cq_resize_queue is called again, the above call trace
>> will occur.
>>
>> Fix:
>> Aligning the error handling path in rxe_srq_from_attr() with
>> rxe_cq_resize_queue(), which also uses rxe_queue_resize(): do not
>> nullify the queue when resize fails.
> 
> Did these two paragraphs come from AI? They don't add any new
> information, let's remove them.
> 
>>
>> Reported-by: Liu Yi <asatsuyu.liu@gmail.com>
>> Closes: https://paste.ubuntu.com/p/Zhj65q6gr9/
> 
> Link in "Closes" tag should point to report and not to some random
> place.
> 
>> Fixes: 8700e3e7c485 ("Soft RoCE driver")
>> Tested-by: Liu Yi <asatsuyu.liu@gmail.com>
>> Signed-off-by: Zhu Yanjun <yanjun.zhu@linux.dev>
>> ---
>>   drivers/infiniband/sw/rxe/rxe_srq.c | 7 +------
>>   1 file changed, 1 insertion(+), 6 deletions(-)
> 
> It is second version of previously sent patch. Please add changelog.

OK. I will send the 3rd patch.

Yanjun.Zhu
> 
> Thanks


Thread overview: 4+ messages
2025-10-27 17:43 [PATCH 1/1] RDMA/rxe: Fix null deref on srq->rq.queue after resize failure Zhu Yanjun
2025-10-27 18:08 ` yanjun.zhu
2025-10-27 20:04 ` Leon Romanovsky
2025-10-27 21:29   ` yanjun.zhu [this message]