From: "yanjun.zhu" <yanjun.zhu@linux.dev>
To: Junxian Huang <huangjunxian6@hisilicon.com>,
Yi Liu <asatsuyu.liu@gmail.com>,
linux-rdma@vger.kernel.org
Cc: Jason Gunthorpe <jgg@ziepe.ca>, "leon@kernel.org" <leon@kernel.org>
Subject: Re: [PATCH] RDMA/rxe: fix null deref on srq->rq.queue after resize failure
Date: Tue, 21 Oct 2025 11:06:55 -0700 [thread overview]
Message-ID: <35b05f34-543b-4180-a18e-3ba4fbbd16b5@linux.dev> (raw)
In-Reply-To: <91be3a58-c7e4-7250-9826-a8294386f2a0@hisilicon.com>
On 10/21/25 6:42 AM, Junxian Huang wrote:
>
>
> On 2025/10/21 10:20, Yi Liu wrote:
>> A NULL pointer dereference can occur in rxe_srq_chk_attr() when
>> ibv_modify_srq() is invoked twice in succession under certain error
>> conditions. The first call may fail in rxe_queue_resize(), which leads
>> rxe_srq_from_attr() to set srq->rq.queue = NULL. The second call then
>> triggers a crash (null deref) when accessing
>> srq->rq.queue->buf->index_mask.
>>
>> Call Trace:
>> <TASK>
>> rxe_modify_srq+0x170/0x480 [rdma_rxe]
>> ? __pfx_rxe_modify_srq+0x10/0x10 [rdma_rxe]
>> ? uverbs_try_lock_object+0x4f/0xa0 [ib_uverbs]
>> ? rdma_lookup_get_uobject+0x1f0/0x380 [ib_uverbs]
>> ib_uverbs_modify_srq+0x204/0x290 [ib_uverbs]
>> ? __pfx_ib_uverbs_modify_srq+0x10/0x10 [ib_uverbs]
>> ? tryinc_node_nr_active+0xe6/0x150
>> ? uverbs_fill_udata+0xed/0x4f0 [ib_uverbs]
>> ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x2c0/0x470 [ib_uverbs]
>> ? __pfx_ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x10/0x10 [ib_uverbs]
>> ? uverbs_fill_udata+0xed/0x4f0 [ib_uverbs]
>> ib_uverbs_run_method+0x55a/0x6e0 [ib_uverbs]
>> ? __pfx_ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x10/0x10 [ib_uverbs]
>> ib_uverbs_cmd_verbs+0x54d/0x800 [ib_uverbs]
>> ? __pfx_ib_uverbs_cmd_verbs+0x10/0x10 [ib_uverbs]
>> ? __pfx___raw_spin_lock_irqsave+0x10/0x10
>> ? __pfx_do_vfs_ioctl+0x10/0x10
>> ? ioctl_has_perm.constprop.0.isra.0+0x2c7/0x4c0
>> ? __pfx_ioctl_has_perm.constprop.0.isra.0+0x10/0x10
>> ib_uverbs_ioctl+0x13e/0x220 [ib_uverbs]
>> ? __pfx_ib_uverbs_ioctl+0x10/0x10 [ib_uverbs]
>> __x64_sys_ioctl+0x138/0x1c0
>> do_syscall_64+0x82/0x250
>> ? fdget_pos+0x58/0x4c0
>> ? ksys_write+0xf3/0x1c0
>> ? __pfx_ksys_write+0x10/0x10
>> ? do_syscall_64+0xc8/0x250
>> ? __pfx_vm_mmap_pgoff+0x10/0x10
>> ? fget+0x173/0x230
>> ? fput+0x2a/0x80
>> ? ksys_mmap_pgoff+0x224/0x4c0
>> ? do_syscall_64+0xc8/0x250
>> ? do_user_addr_fault+0x37b/0xfe0
>> ? clear_bhb_loop+0x50/0xa0
>> ? clear_bhb_loop+0x50/0xa0
>> ? clear_bhb_loop+0x50/0xa0
>> entry_SYSCALL_64_after_hwframe+0x76/0x7e
>>
>> Fix by aligning the error handling path in rxe_srq_from_attr() with
>> rxe_cq_resize_queue(), which also uses rxe_queue_resize(): do not
>> nullify the queue when resize fails.
>>
>> Reported-by: Liu Yi <asatsuyu.liu@gmail.com>
>> Link: https://paste.ubuntu.com/p/Zhj65q6gr9/
>> Fixes: 8700e3e7c485 ("Soft RoCE driver")
>> Tested-by: Zhu Yanjun <yanjun.zhu@linux.dev>
>> Signed-off-by: Zhu Yanjun <yanjun.zhu@linux.dev>
>> ---
>> drivers/infiniband/sw/rxe/rxe_srq.c | 2 --
>> 1 file changed, 2 deletions(-)
>>
>> diff --git a/drivers/infiniband/sw/rxe/rxe_srq.c
>> b/drivers/infiniband/sw/rxe/rxe_srq.c
>> index 3661cb627d28..2764dc00e2f3 100644
>> --- a/drivers/infiniband/sw/rxe/rxe_srq.c
>> +++ b/drivers/infiniband/sw/rxe/rxe_srq.c
>> @@ -182,8 +182,6 @@ int rxe_srq_from_attr(struct rxe_dev *rxe, struct
>> rxe_srq *srq,
>> return 0;
>>
>> err_free:
>> - rxe_queue_cleanup(q);
>> - srq->rq.queue = NULL;
>> return err;
>
> A minor suggestion, this err_free label doesn’t seem necessary any more.
> You can return directly at the place where you jump to err_free currently.
Thanks a lot. It might be better to return immediately when an error
occurs, but keeping the current state unchanged could also be a valid
option.
Best Regards,
Yanjun.Zhu
>
> Junxian
>
>> }
>>
>> --
>> 2.34.1
>>
next prev parent reply other threads:[~2025-10-21 18:07 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-21 2:20 [PATCH] RDMA/rxe: fix null deref on srq->rq.queue after resize failure Yi Liu
2025-10-21 3:48 ` Zhu Yanjun
2025-10-21 13:42 ` Junxian Huang
2025-10-21 18:06 ` yanjun.zhu [this message]
2025-10-27 13:30 ` Leon Romanovsky
2025-10-27 16:56 ` Yanjun.Zhu
2025-10-28 2:31 ` Yi Liu
2025-10-28 4:19 ` Zhu Yanjun
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=35b05f34-543b-4180-a18e-3ba4fbbd16b5@linux.dev \
--to=yanjun.zhu@linux.dev \
--cc=asatsuyu.liu@gmail.com \
--cc=huangjunxian6@hisilicon.com \
--cc=jgg@ziepe.ca \
--cc=leon@kernel.org \
--cc=linux-rdma@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.