From: Jason Gunthorpe <jgg@nvidia.com>
To: Zhu Yanjun <yanjun.zhu@linux.dev>
Cc: zyjzyj2000@gmail.com, leon@kernel.org,
linux-rdma@vger.kernel.org,
syzbot+d8f76778263ab65c2b21@syzkaller.appspotmail.com
Subject: Re: [PATCH v2 1/1] RDMA/rxe: Fix Use-After-Free problem in rxe_net_del
Date: Wed, 3 Jun 2026 13:25:37 -0300
Message-ID: <20260603162537.GD1170766@nvidia.com>
In-Reply-To: <3cdac159-4c61-448c-8327-d39ac0f87fe3@linux.dev>
On Wed, Jun 03, 2026 at 08:43:31AM -0700, Zhu Yanjun wrote:
>
> On 2026/6/2 18:25, Jason Gunthorpe wrote:
> > On Tue, May 19, 2026 at 04:35:41AM +0200, Zhu Yanjun wrote:
> >
> > > index 50a2cb5405e2..0bf5b0eabc7b 100644
> > > --- a/drivers/infiniband/sw/rxe/rxe_net.c
> > > +++ b/drivers/infiniband/sw/rxe/rxe_net.c
> > > @@ -135,13 +135,21 @@ static struct dst_entry *rxe_find_route6(struct rxe_qp *qp,
> > > {
> > > struct dst_entry *ndst;
> > > struct flowi6 fl6 = {};
> > > + struct sock *sk;
> > > fl6.flowi6_oif = ndev->ifindex;
> > > memcpy(&fl6.saddr, saddr, sizeof(*saddr));
> > > memcpy(&fl6.daddr, daddr, sizeof(*daddr));
> > > fl6.flowi6_proto = IPPROTO_UDP;
> > > - ndst = ip6_dst_lookup_flow(net, rxe_ns_pernet_sk6(net), &fl6, NULL);
> > > + rxe_ns_lock(net);
> > > + sk = rxe_ns_pernet_sk6(net);
> > > + if (sk)
> > > + sock_hold(sk);
> > > + rxe_ns_unlock(net);
> > > +
> > > + ndst = ip6_dst_lookup_flow(net, sk, &fl6, NULL);
> > > + sock_put(sk);
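Review bot: the unconditional `sock_put(sk);` after the lookup dereferences a NULL pointer whenever `rxe_ns_pernet_sk6(net)` returned NULL, because the `sock_hold(sk)` above is guarded by `if (sk)` but the release is not, and `ip6_dst_lookup_flow(net, sk, &fl6, NULL)` is likewise reached with the NULL socket. Taking the reference under `rxe_ns_lock()` and dropping it only after the lookup is the right shape for closing the use-after-free; the missing piece is a `if (!sk)` bail-out right after `rxe_ns_unlock(net)` that returns the error the callers of `rxe_find_route6()` already handle, rather than guarding just the put.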
> > Sashiko says this crashes when sk is null, which it can be.
> >
> > But this really seems weird, the rxe can be in only one namespace, why
> > not reach the listening sks associated with the ib_dev through
> > qp->pd->dev and not do net lookups?
> >
> > I would expect net lookups to only exist in the add/del link paths?
>
> Thanks a lot. I will send out the new patch, following your advice.
I was thinking later that I don't really know what rxe did here, and normal
rdma core code has a multiple-namespace flow. IIRC the namespace
flows from the selected GID entry, and the namespace mode selects how
GID entries are created from namespaces.

So this still looks quite odd; by the time we get to RXE we should
have already locked down a source GID entry, and that should be where
the sk really comes from??
Jason
Thread overview (5 messages):
2026-05-19 02:35 [PATCH v2 1/1] RDMA/rxe: Fix Use-After-Free problem in rxe_net_del - Zhu Yanjun
2026-05-26 06:31 - Zhu Yanjun
2026-06-03 01:25 - Jason Gunthorpe
2026-06-03 15:43 - Zhu Yanjun
2026-06-03 16:25 - Jason Gunthorpe (this message)