Linux RDMA and InfiniBand development
From: Jason Gunthorpe <jgg@ziepe.ca>
To: Leon Romanovsky <leon@kernel.org>
Cc: Zhu Yanjun <yanjun.zhu@linux.dev>,
	Tristan Madani <tristmd@gmail.com>,
	Zhu Yanjun <zyjzyj2000@gmail.com>,
	linux-rdma@vger.kernel.org,
	Tristan Madani <tristan@talencesecurity.com>
Subject: Re: [PATCH 0/2] RDMA/rxe: fix shared memory TOCTOU in receive path
Date: Tue, 19 May 2026 12:00:42 -0300
Message-ID: <20260519150042.GL7702@ziepe.ca>
In-Reply-To: <20260519145610.GA33515@unreal>

On Tue, May 19, 2026 at 05:56:10PM +0300, Leon Romanovsky wrote:
> On Mon, May 18, 2026 at 07:03:18PM -0700, Zhu Yanjun wrote:
> > On 2026/5/18 14:50, Tristan Madani wrote:
> > > RXE queue buffers are mapped read-write into userspace. The receive
> > > path reads WQE fields from these shared buffers, which lets a
> > > concurrent userspace thread modify them between validation and use.
> > 
> > To be honest, can you implement the above? If yes, please show us the steps
> > to reproduce this problem.
> 
> It is an imaginary problem. One would need to run RXE (development,
> virtual RNIC), write a buggy userspace application, and then be
> surprised when RXE misbehaves after running it.

Simple misbehavior is one thing, but if userspace can hack the kernel
and gain control of it through this shared memory then we have to fix
it.

Jason
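
The pattern named in the quoted cover letter (a field in a shared buffer is validated, then read again for use) next to the copy-to-local form, as an added example that is not part of this thread or of the rxe patches. `demo_wqe`, `MAX_SGE` and the function names are hypothetical, and the concurrent userspace thread is simulated by a callback so the outcome is deterministic.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_SGE 4   /* constructed limit, not rxe's */

/* Hypothetical WQE layout living in memory that userspace can also write. */
struct demo_wqe {
    uint32_t num_sge;
    uint32_t sge_len[MAX_SGE];
};

/* Stand-in for the concurrent userspace thread; runs inside the race window. */
typedef void (*racer_fn)(volatile struct demo_wqe *shared);

static void grow_num_sge(volatile struct demo_wqe *shared)
{
    shared->num_sge = 1000;
}

/* Before: returns the count a copy loop would trust (no copy is done here). */
static uint32_t count_double_fetch(volatile struct demo_wqe *shared, racer_fn racer)
{
    if (shared->num_sge > MAX_SGE)      /* fetch 1: validation */
        return 0;
    if (racer)
        racer(shared);                  /* window between check and use */
    return shared->num_sge;             /* fetch 2: use, may now exceed MAX_SGE */
}

/* After: copy into private storage once, then validate and use only the copy.
 * Later writes to the shared buffer cannot change the result. */
static uint32_t count_snapshot(volatile struct demo_wqe *shared, racer_fn racer,
                               struct demo_wqe *local)
{
    local->num_sge = shared->num_sge;   /* single fetch */
    if (local->num_sge > MAX_SGE)
        return 0;
    for (uint32_t i = 0; i < local->num_sge; i++)
        local->sge_len[i] = shared->sge_len[i];
    if (racer)
        racer(shared);
    return local->num_sge;
}

int main(void)
{
    struct demo_wqe a = { 2, { 64, 128 } }, b = a, local = { 0 };
    printf("double fetch trusts %u\n", count_double_fetch(&a, grow_num_sge));
    printf("snapshot trusts %u\n", count_snapshot(&b, grow_num_sge, &local));
    return 0;
}
```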

Thread overview: 9+ messages
2026-05-18 21:50 [PATCH 0/2] RDMA/rxe: fix shared memory TOCTOU in receive path Tristan Madani
2026-05-18 21:50 ` [PATCH 1/2] RDMA/rxe: fix TOCTOU heap overflow in get_srq_wqe Tristan Madani
2026-05-18 21:50 ` [PATCH 2/2] RDMA/rxe: copy WQE to local buffer in non-SRQ receive path Tristan Madani
2026-05-19  2:03 ` [PATCH 0/2] RDMA/rxe: fix shared memory TOCTOU in " Zhu Yanjun
2026-05-19 14:56   ` Leon Romanovsky
2026-05-19 15:00     ` Jason Gunthorpe [this message]
2026-05-19 22:30       ` Tristan Madani
2026-05-20  0:07         ` Yanjun.Zhu
2026-05-20 12:03           ` Tristan Madani
