Re: [PATCH RDMA v2] RDMA/rxe: add mutual exclusion in rxe_net_del()

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Zhu Yanjun <yanjun.zhu@linux.dev>
To: Edward Adam Davis <eadavis@qq.com>,
	"yanjun.zhu@linux.dev" <yanjun.zhu@linux.dev>
Cc: akpm@linux-foundation.org, arjan@linux.intel.com,
	davem@davemloft.net, dsahern@kernel.org, edumazet@google.com,
	hdanton@sina.com, horms@kernel.org, jgg@ziepe.ca,
	kuba@kernel.org, kuniyu@google.com, leon@kernel.org,
	linux-kernel@vger.kernel.org, linux-rdma@vger.kernel.org,
	netdev@vger.kernel.org, pabeni@redhat.com,
	syzbot+d8f76778263ab65c2b21@syzkaller.appspotmail.com,
	syzkaller-bugs@googlegroups.com, zyjzyj2000@gmail.com
Subject: Re: [PATCH RDMA v2] RDMA/rxe: add mutual exclusion in rxe_net_del()
Date: Sat, 16 May 2026 07:31:38 -0700	[thread overview]
Message-ID: <39e752db-f34c-4070-b4c8-974fb76ee7f9@linux.dev> (raw)
In-Reply-To: <tencent_330636464A367423778966A63DD1360E9609@qq.com>

在 2026/5/16 7:00, Edward Adam Davis 写道:
> We must serialize calls to rxe_net_del() or risk a crash as syzbot
> reported:
> 
> KASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027]
> Call Trace:
>   udp_tunnel_sock_release+0x6d/0x80 net/ipv4/udp_tunnel_core.c:197
>   rxe_release_udp_tunnel drivers/infiniband/sw/rxe/rxe_net.c:294 [inline]
>   rxe_sock_put drivers/infiniband/sw/rxe/rxe_net.c:639 [inline]
>   rxe_net_del+0xfb/0x290 drivers/infiniband/sw/rxe/rxe_net.c:660
>   rxe_dellink+0x15/0x20 drivers/infiniband/sw/rxe/rxe.c:254
> 
> Jason Gunthorpe suggest placing the lock within rxe to protect its racy
> implementation of rxe_net_del(), which looks like it is possibly also
> triggered by NETDEV_UNREGISTER.
> 
> The patch addressing this issue in nldev_dellink() has already been
> applied(0b28000b64f4); however, since the fix has now been relocated
> to rxe, the corresponding remedial code in nldev has been removed.
> 
> Fixes: f1327abd6abe ("RDMA/rxe: Support RDMA link creation and destruction per net namespace")
> Fixes: 0b28000b64f4 ("RDMA/nldev: Add mutual exclusion in nldev_dellink()")
> Reported-by: syzbot+d8f76778263ab65c2b21@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=d8f76778263ab65c2b21
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> ---
> v1 -> v2: serialize calls to rxe net del

I looked through the commit. I am not sure if this commit should be sent 
to syzbot to verify.

Zhu Yanjun

> 
>   drivers/infiniband/core/nldev.c     | 4 ----
>   drivers/infiniband/sw/rxe/rxe_net.c | 7 ++++++-
>   2 files changed, 6 insertions(+), 5 deletions(-)
> 
> diff --git a/drivers/infiniband/core/nldev.c b/drivers/infiniband/core/nldev.c
> index 3cb3cb7629fe..96c745d5bac4 100644
> --- a/drivers/infiniband/core/nldev.c
> +++ b/drivers/infiniband/core/nldev.c
> @@ -1816,8 +1816,6 @@ static int nldev_newlink(struct sk_buff *skb, struct nlmsghdr *nlh,
>   	return err;
>   }
>   
> -static DEFINE_MUTEX(nldev_dellink_mutex);
> -
>   static int nldev_dellink(struct sk_buff *skb, struct nlmsghdr *nlh,
>   			  struct netlink_ext_ack *extack)
>   {
> @@ -1848,9 +1846,7 @@ static int nldev_dellink(struct sk_buff *skb, struct nlmsghdr *nlh,
>   	 * implicitly scoped to the driver supporting dynamic link deletion like RXE.
>   	 */
>   	if (device->link_ops && device->link_ops->dellink) {
> -		mutex_lock(&nldev_dellink_mutex);
>   		err = device->link_ops->dellink(device);
> -		mutex_unlock(&nldev_dellink_mutex);
>   		if (err)
>   			return err;
>   	}
> diff --git a/drivers/infiniband/sw/rxe/rxe_net.c b/drivers/infiniband/sw/rxe/rxe_net.c
> index 50a2cb5405e2..92847e955ca2 100644
> --- a/drivers/infiniband/sw/rxe/rxe_net.c
> +++ b/drivers/infiniband/sw/rxe/rxe_net.c
> @@ -642,6 +642,8 @@ static void rxe_sock_put(struct sock *sk,
>   	}
>   }
>   
> +static DEFINE_MUTEX(rxe_net_del_mutex);
> +
>   void rxe_net_del(struct ib_device *dev)
>   {
>   	struct rxe_dev *rxe = container_of(dev, struct rxe_dev, ib_dev);
> @@ -649,9 +651,10 @@ void rxe_net_del(struct ib_device *dev)
>   	struct sock *sk;
>   	struct net *net;
>   
> +	mutex_lock(&rxe_net_del_mutex);
>   	ndev = rxe_ib_device_get_netdev(&rxe->ib_dev);
>   	if (!ndev)
> -		return;
> +		goto out;
>   
>   	net = dev_net(ndev);
>   
> @@ -664,6 +667,8 @@ void rxe_net_del(struct ib_device *dev)
>   		rxe_sock_put(sk, rxe_ns_pernet_set_sk6, net);
>   
>   	dev_put(ndev);
> +out:
> +	mutex_unlock(&rxe_net_del_mutex);
>   }
>   
>   static void rxe_port_event(struct rxe_dev *rxe,

next prev parent reply	other threads:[~2026-05-16 14:32 UTC|newest]

Thread overview: 32+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-04-23 15:01 [syzbot] [net?] general protection fault in kernel_sock_shutdown (4) syzbot
2026-04-23 17:41 ` Jakub Kicinski
2026-04-24 16:47 ` Arjan van de Ven
2026-04-24 18:08 ` Arjan van de Ven
2026-04-25  1:12 ` Arjan van de Ven
2026-04-25  1:14   ` Kuniyuki Iwashima
2026-05-06 13:48 ` [syzbot] [rdma] " syzbot
2026-05-06 14:28   ` Zhu Yanjun
2026-05-06 15:19     ` Kuniyuki Iwashima
2026-05-07  1:30   ` Hillf Danton
2026-05-07  1:57     ` syzbot
2026-05-07  3:52 ` syzbot
2026-05-07 10:12   ` Edward Adam Davis
2026-05-07 12:02     ` syzbot
2026-05-07 12:50   ` [PATCH] RDMA/nldev: add mutual exclusion in nldev_dellink() Edward Adam Davis
2026-05-07 13:25     ` Zhu Yanjun
2026-05-07 13:40       ` Edward Adam Davis
2026-05-07 14:11         ` Zhu Yanjun
2026-05-13 18:17     ` Leon Romanovsky
2026-05-13 23:46       ` Jason Gunthorpe
2026-05-14  7:31         ` Edward Adam Davis
2026-05-14 11:50           ` Jason Gunthorpe
2026-05-14 13:58             ` David Ahern
2026-05-14 14:14               ` Jason Gunthorpe
2026-05-14 14:26                 ` David Ahern
2026-05-14 15:46                   ` Zhu Yanjun
2026-05-16 12:40                 ` Edward Adam Davis
2026-05-16 14:00                   ` [PATCH RDMA v2] RDMA/rxe: add mutual exclusion in rxe_net_del() Edward Adam Davis
2026-05-16 14:31                     ` Zhu Yanjun [this message]
2026-05-14  5:15   ` [syzbot] [rdma] general protection fault in kernel_sock_shutdown (4) Zhu Yanjun
2026-05-16  5:44     ` Zhu Yanjun
2026-05-16  7:02       ` syzbot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=39e752db-f34c-4070-b4c8-974fb76ee7f9@linux.dev \
    --to=yanjun.zhu@linux.dev \
    --cc=akpm@linux-foundation.org \
    --cc=arjan@linux.intel.com \
    --cc=davem@davemloft.net \
    --cc=dsahern@kernel.org \
    --cc=eadavis@qq.com \
    --cc=edumazet@google.com \
    --cc=hdanton@sina.com \
    --cc=horms@kernel.org \
    --cc=jgg@ziepe.ca \
    --cc=kuba@kernel.org \
    --cc=kuniyu@google.com \
    --cc=leon@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-rdma@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=syzbot+d8f76778263ab65c2b21@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=zyjzyj2000@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.