From: Kuniyuki Iwashima <kuniyu@google.com>
To: Zhu Yanjun <zyjzyj2000@gmail.com>, Jason Gunthorpe <jgg@ziepe.ca>,
Leon Romanovsky <leon@kernel.org>
Cc: David Ahern <dsahern@kernel.org>,
Kuniyuki Iwashima <kuniyu@google.com>,
Kuniyuki Iwashima <kuni1840@gmail.com>,
linux-rdma@vger.kernel.org
Subject: [PATCH v2 2/2] RDMA/rxe: Fix up RCU usage for rxe_ns_pernet_sk6().
Date: Sat, 25 Apr 2026 06:04:14 +0000 [thread overview]
Message-ID: <20260425060436.2316620-3-kuniyu@google.com> (raw)
In-Reply-To: <20260425060436.2316620-1-kuniyu@google.com>
rxe_ns_pernet_sk6() is fundamentally broken.
rcu_read_lock() only silences rcu_dereference() splat.
The returned socket is no longer protected, and it may be
freed during ip6_dst_lookup_flow().
Let's call rxe_ns_pernet_sk6() and ip6_dst_lookup_flow()
under RCU.
Fixes: f1327abd6abe ("RDMA/rxe: Support RDMA link creation and destruction per net namespace")
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
---
drivers/infiniband/sw/rxe/rxe_net.c | 11 ++++++++---
drivers/infiniband/sw/rxe/rxe_ns.c | 7 +------
2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/drivers/infiniband/sw/rxe/rxe_net.c b/drivers/infiniband/sw/rxe/rxe_net.c
index 9080d4c893a1..8fca5c24c8b1 100644
--- a/drivers/infiniband/sw/rxe/rxe_net.c
+++ b/drivers/infiniband/sw/rxe/rxe_net.c
@@ -133,16 +133,21 @@ static struct dst_entry *rxe_find_route6(struct rxe_qp *qp,
struct in6_addr *saddr,
struct in6_addr *daddr)
{
- struct dst_entry *ndst;
+ struct dst_entry *ndst = NULL;
struct flowi6 fl6 = {};
+ struct sock *sk;
fl6.flowi6_oif = ndev->ifindex;
memcpy(&fl6.saddr, saddr, sizeof(*saddr));
memcpy(&fl6.daddr, daddr, sizeof(*daddr));
fl6.flowi6_proto = IPPROTO_UDP;
- ndst = ip6_dst_lookup_flow(net, rxe_ns_pernet_sk6(net), &fl6, NULL);
- if (IS_ERR(ndst)) {
+ rcu_read_lock();
+ sk = rxe_ns_pernet_sk6(net);
+ if (sk)
+ ndst = ip6_dst_lookup_flow(net, sk, &fl6, NULL);
+ rcu_read_unlock();
+ if (IS_ERR_OR_NULL(ndst)) {
rxe_dbg_qp(qp, "no route to %pI6\n", daddr);
return NULL;
}
diff --git a/drivers/infiniband/sw/rxe/rxe_ns.c b/drivers/infiniband/sw/rxe/rxe_ns.c
index 06eb2e2387a1..ef408ffc0558 100644
--- a/drivers/infiniband/sw/rxe/rxe_ns.c
+++ b/drivers/infiniband/sw/rxe/rxe_ns.c
@@ -91,13 +91,8 @@ static struct pernet_operations rxe_net_ops = {
struct sock *rxe_ns_pernet_sk6(struct net *net)
{
struct rxe_ns_sock *ns_sk = net_generic(net, rxe_pernet_id);
- struct sock *sk;
-
- rcu_read_lock();
- sk = rcu_dereference(ns_sk->rxe_sk6);
- rcu_read_unlock();
- return sk;
+ return rcu_dereference(ns_sk->rxe_sk6);
}
#endif /* IPV6 */
--
2.54.0.rc2.544.gc7ae2d5bb8-goog
next prev parent reply other threads:[~2026-04-25 6:04 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-25 6:04 [PATCH v2 0/2] RDMA/rxe: Fix per-netns UDP tunnel issues Kuniyuki Iwashima
2026-04-25 6:04 ` [PATCH v2 1/2] RDMA/rxe: Fix null-ptr-deref in kernel_sock_shutdown() Kuniyuki Iwashima
2026-04-25 15:47 ` David Ahern
2026-04-25 20:55 ` Kuniyuki Iwashima
2026-04-26 16:40 ` David Ahern
2026-04-25 21:25 ` Zhu Yanjun
2026-04-26 16:42 ` David Ahern
2026-04-27 2:57 ` Zhu Yanjun
2026-04-27 3:10 ` Kuniyuki Iwashima
2026-04-27 3:53 ` Zhu Yanjun
2026-04-27 14:38 ` David Ahern
2026-04-27 20:20 ` yanjun.zhu
2026-04-28 0:52 ` Kuniyuki Iwashima
2026-04-28 0:58 ` David Ahern
2026-04-28 2:15 ` Zhu Yanjun
2026-04-28 5:12 ` Zhu Yanjun
2026-04-28 5:22 ` Kuniyuki Iwashima
2026-04-28 6:30 ` Zhu Yanjun
2026-04-28 6:39 ` Kuniyuki Iwashima
2026-04-28 16:56 ` yanjun.zhu
2026-04-25 6:04 ` Kuniyuki Iwashima [this message]
2026-04-25 21:26 ` [PATCH v2 2/2] RDMA/rxe: Fix up RCU usage for rxe_ns_pernet_sk6() Zhu Yanjun
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260425060436.2316620-3-kuniyu@google.com \
--to=kuniyu@google.com \
--cc=dsahern@kernel.org \
--cc=jgg@ziepe.ca \
--cc=kuni1840@gmail.com \
--cc=leon@kernel.org \
--cc=linux-rdma@vger.kernel.org \
--cc=zyjzyj2000@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.