From: Zhu Yanjun <yanjun.zhu@linux.dev>
To: David Ahern <dsahern@kernel.org>,
Kuniyuki Iwashima <kuniyu@google.com>,
"yanjun.zhu@linux.dev" <yanjun.zhu@linux.dev>
Cc: Zhu Yanjun <zyjzyj2000@gmail.com>, Jason Gunthorpe <jgg@ziepe.ca>,
Leon Romanovsky <leon@kernel.org>,
Kuniyuki Iwashima <kuni1840@gmail.com>,
linux-rdma@vger.kernel.org,
syzbot+d8f76778263ab65c2b21@syzkaller.appspotmail.com
Subject: Re: [PATCH v2 1/2] RDMA/rxe: Fix null-ptr-deref in kernel_sock_shutdown().
Date: Mon, 27 Apr 2026 22:12:17 -0700 [thread overview]
Message-ID: <bbaf583c-2170-41d8-9226-2d4e742f71d1@linux.dev> (raw)
In-Reply-To: <0ef2f2e0-e437-4ec9-8ebe-21c702041acb@linux.dev>
在 2026/4/27 19:15, Zhu Yanjun 写道:
>
> 在 2026/4/27 17:58, David Ahern 写道:
>> On 4/27/26 6:52 PM, Kuniyuki Iwashima wrote:
>>> To be clear, you meant implementing David' idea, right ?
>>> I'm asking because dellink won't need locking then.
>> dellink is not needed with my suggestion. It was added to manage
>> basically a refcount on the socket to close on last rxe delete in the
>
> This is my original implementation.
>
> @Kuniyuki Iwashima, can you reproduce this problem in your local host or
> other test environments?
>
> If yes, can you make tests after applying the commit in the link:
> https://patchwork.kernel.org/project/linux-rdma/
> patch/20260424043522.22901-1-yanjun.zhu@linux.dev/
>
> Thanks a lot.
Hi, David && Kuniyuki
I read the call trace again.
If net namespace has already released socket in A thread, then rdma link
del command is called in B thread to release socket.
So A thread has released socket firstly, then B thread also release socket.
The similar call trace would appear.
The followiing is the explanation to the commit
https://patchwork.kernel.org/project/linux-rdma/patch/20260424043522.22901-1-yanjun.zhu@linux.dev/
The double-free occurs as follows:
CPU 0 (Net NameSpace cleanup) CPU 1 (RDMA device removal)
--------------------- ---------------------------
rxe_ns_exit() rxe_link_delete() (rdma link del )
-> sk = ns_sk->rxe_sk4 -> sk = ns_sk->rxe_sk4
-> udp_tunnel_sock_release(sk)
[Success: First Free] -> udp_tunnel_sock_release(sk)
[Crash: Double Free]
After removing the socket release logic from rxe_ns_exit(), we ensure
that only the device destruction path (rxe_link_delete) is responsible
for freeing the tunnel sockets, effectively eliminating the double-free
problem.
I am not sure if this is the root cause or not.
Please comment.
Thanks a lot.
Zhu Yanjun
>
> Zhu Yanjun
>
>> namespace.
>
--
Best Regards,
Yanjun.Zhu
next prev parent reply other threads:[~2026-04-28 5:12 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-25 6:04 [PATCH v2 0/2] RDMA/rxe: Fix per-netns UDP tunnel issues Kuniyuki Iwashima
2026-04-25 6:04 ` [PATCH v2 1/2] RDMA/rxe: Fix null-ptr-deref in kernel_sock_shutdown() Kuniyuki Iwashima
2026-04-25 15:47 ` David Ahern
2026-04-25 20:55 ` Kuniyuki Iwashima
2026-04-26 16:40 ` David Ahern
2026-04-25 21:25 ` Zhu Yanjun
2026-04-26 16:42 ` David Ahern
2026-04-27 2:57 ` Zhu Yanjun
2026-04-27 3:10 ` Kuniyuki Iwashima
2026-04-27 3:53 ` Zhu Yanjun
2026-04-27 14:38 ` David Ahern
2026-04-27 20:20 ` yanjun.zhu
2026-04-28 0:52 ` Kuniyuki Iwashima
2026-04-28 0:58 ` David Ahern
2026-04-28 2:15 ` Zhu Yanjun
2026-04-28 5:12 ` Zhu Yanjun [this message]
2026-04-28 5:22 ` Kuniyuki Iwashima
2026-04-28 6:30 ` Zhu Yanjun
2026-04-28 6:39 ` Kuniyuki Iwashima
2026-04-28 16:56 ` yanjun.zhu
2026-04-25 6:04 ` [PATCH v2 2/2] RDMA/rxe: Fix up RCU usage for rxe_ns_pernet_sk6() Kuniyuki Iwashima
2026-04-25 21:26 ` Zhu Yanjun
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bbaf583c-2170-41d8-9226-2d4e742f71d1@linux.dev \
--to=yanjun.zhu@linux.dev \
--cc=dsahern@kernel.org \
--cc=jgg@ziepe.ca \
--cc=kuni1840@gmail.com \
--cc=kuniyu@google.com \
--cc=leon@kernel.org \
--cc=linux-rdma@vger.kernel.org \
--cc=syzbot+d8f76778263ab65c2b21@syzkaller.appspotmail.com \
--cc=zyjzyj2000@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.