* [PATCH] RDMA/rxe: Fix use-after-free of netdev in smc_ib_port_event_work
@ 2026-06-03 10:09 Jordan Walters
2026-06-04 1:42 ` Zhu Yanjun
2026-06-05 17:47 ` Jason Gunthorpe
0 siblings, 2 replies; 3+ messages in thread
From: Jordan Walters @ 2026-06-03 10:09 UTC (permalink / raw)
To: linux-rdma, linux-kernel
rxe_net_del() drops its reference to the underlying net_device
via dev_put() but does not clear the netdev pointer from the
ib_device. This leaves a dangling pointer that the async
smc_ib_port_event_work worker can dereference after the
net_device has been freed, causing a use-after-free in
__ethtool_get_link_ksettings().

An unprivileged user can trigger this via user namespaces
by creating a dummy interface, binding it to rdma_rxe, and
immediately destroying the namespace before the worker fires.

Clear the netdev pointer via ib_device_set_netdev() before
releasing the reference. Downstream callers such as
ib_get_eth_speed() already handle a NULL netdev safely.

Note: this is a distinct issue from the socket TOCTOU race
fixed by Zhu Yanjun in [1]. That patch addresses a race on
the pernet socket pointers (rxe_sk4/sk6) leading to a NULL
deref in kernel_sock_shutdown(). This patch fixes a dangling
netdev pointer leading to a UAF in
__ethtool_get_link_ksettings via smc_ib_port_event_work.

Link: https://lore.kernel.org/all/20260519023541.8594-1-yanjun.zhu@linux.dev/ [1]

Signed-off-by: Jordan Walters <jaggyaur@gmail.com>
---
drivers/infiniband/sw/rxe/rxe_net.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/infiniband/sw/rxe/rxe_net.c b/drivers/infiniband/sw/rxe/rxe_net.c
index 50a2cb5405e2..a8f91d6e3b17 100644
--- a/drivers/infiniband/sw/rxe/rxe_net.c
+++ b/drivers/infiniband/sw/rxe/rxe_net.c
@@ -663,6 +663,7 @@ void rxe_net_del(struct ib_device *dev)
if (sk)
rxe_sock_put(sk, rxe_ns_pernet_set_sk6, net);
+ ib_device_set_netdev(dev, NULL, 1);
dev_put(ndev);
}
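Review bot: the ordering added here, ib_device_set_netdev(dev, NULL, 1) before dev_put(ndev), only protects a worker that reads the ib_device's netdev after the clear; a worker that loaded the pointer before the clear still holds it across dev_put(ndev) and dereferences the freed net_device, so the window is narrowed rather than closed. If the reference is to be dropped in rxe_net_del() at all, the worker needs to be flushed first, or, as the later reply in this thread argues, the reference kept until the ib_device itself is destroyed, in which case this line is not needed.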
--
2.49.0
* Re: [PATCH] RDMA/rxe: Fix use-after-free of netdev in smc_ib_port_event_work
From: Zhu Yanjun @ 2026-06-04 1:42 UTC (permalink / raw)
To: Jordan Walters, linux-rdma, linux-kernel, yanjun.zhu@linux.dev
On 2026/6/3 3:09, Jordan Walters wrote:
> rxe_net_del() drops its reference to the underlying net_device
> via dev_put() but does not clear the netdev pointer from the
> ib_device. This leaves a dangling pointer that the async
> smc_ib_port_event_work worker can dereference after the
> net_device has been freed, causing a use-after-free in
> __ethtool_get_link_ksettings().
>
> An unprivileged user can trigger this via user namespaces
> by creating a dummy interface, binding it to rdma_rxe, and
> immediately destroying the namespace before the worker fires.
>
> Clear the netdev pointer via ib_device_set_netdev() before
> releasing the reference. Downstream callers such as
> ib_get_eth_speed() already handle a NULL netdev safely.
>
> Note: this is a distinct issue from the socket TOCTOU race
> fixed by Zhu Yanjun in [1]. That patch addresses a race on
> the pernet socket pointers (rxe_sk4/sk6) leading to a NULL
> deref in kernel_sock_shutdown(). This patch fixes a dangling
> netdev pointer leading to a UAF in
> __ethtool_get_link_ksettings via smc_ib_port_event_work.
>
> Link: https://lore.kernel.org/all/20260519023541.8594-1-yanjun.zhu@linux.dev/ [1]
Thanks a lot. I am fine with this commit.
Although Sashiko complains about this commit, it seems that all the
problems already existed.
Reviewed-by: Zhu Yanjun <yanjun.zhu@linux.dev>
Zhu Yanjun
>
> Signed-off-by: Jordan Walters <jaggyaur@gmail.com>
> ---
> drivers/infiniband/sw/rxe/rxe_net.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/infiniband/sw/rxe/rxe_net.c b/drivers/infiniband/sw/rxe/rxe_net.c
> index 50a2cb5405e2..a8f91d6e3b17 100644
> --- a/drivers/infiniband/sw/rxe/rxe_net.c
> +++ b/drivers/infiniband/sw/rxe/rxe_net.c
> @@ -663,6 +663,7 @@ void rxe_net_del(struct ib_device *dev)
> if (sk)
> rxe_sock_put(sk, rxe_ns_pernet_set_sk6, net);
>
> + ib_device_set_netdev(dev, NULL, 1);
> dev_put(ndev);
> }
>
* Re: [PATCH] RDMA/rxe: Fix use-after-free of netdev in smc_ib_port_event_work
From: Jason Gunthorpe @ 2026-06-05 17:47 UTC (permalink / raw)
To: Jordan Walters; +Cc: linux-rdma, linux-kernel
On Wed, Jun 03, 2026 at 06:09:19AM -0400, Jordan Walters wrote:
> @@ -663,6 +663,7 @@ void rxe_net_del(struct ib_device *dev)
> if (sk)
> rxe_sock_put(sk, rxe_ns_pernet_set_sk6, net);
>
> + ib_device_set_netdev(dev, NULL, 1);
> dev_put(ndev);
None of how rxe is handling the netdev seems to be correct at all.
The affiliated netdev of an IB device cannot be unrefed until the ib
device itself is destroyed, the above is just more racy wrongness even
if it makes the splat go away.
rxe_net_del() needs to be deleted, not patched.
I'm getting very fed up with all this RXE garbage, it has got a lot
worse lately with all these attempts to "improve" it and I don't want
to be looking at this endless stream of bug reports.
And Zhu, don't send me any more AI-written emails.
Jason
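The lifetime ordering argued over in the patch description and in Jason's reply, as an added example that is not part of this thread or of the kernel: a userspace C model in which the struct layouts, the dev_put()/worker functions, the speed value and rxe_net_del_keep_ref() (standing in for keeping the reference until the ib_device is destroyed) are all constructed assumptions. It shows the dangling read before the patch, the NULL read the patch relies on, the early-loaded pointer the patch does not cover, and the reference-held ordering.

```c
/* Added example, not from the patch or the kernel: a userspace model of the
 * netdev lifetime question in this thread. Names imitate the thread but are
 * constructed; freed memory is a flag so a dangling use is reported. */
#include <stddef.h>
struct net_device { int refcnt; int freed; int speed; };
struct ib_device { struct net_device *netdev; };

/* Last reference gone: the object is "freed"; any later use is a UAF. */
static void dev_put(struct net_device *nd)
{
	if (--nd->refcnt == 0)
		nd->freed = 1;
}

/* The worker's read: NULL is tolerated (as ib_get_eth_speed() does), a
 * freed netdev is the use-after-free, otherwise the link speed is returned. */
static int worker_read_speed(const struct net_device *nd)
{
	if (!nd)
		return 0;
	return nd->freed ? -1 : nd->speed;
}

/* Before the patch: reference dropped, dev->netdev left dangling. */
static void rxe_net_del_unpatched(struct ib_device *dev)
{
	dev_put(dev->netdev);
}

/* As patched: clear the pointer (ib_device_set_netdev(dev, NULL, 1)), then put. */
static void rxe_net_del_patched(struct ib_device *dev)
{
	struct net_device *nd = dev->netdev;
	dev->netdev = NULL;
	dev_put(nd);
}

/* Jason's direction: the reference belongs to the ib_device until the device
 * itself is destroyed, so net_del does not drop it at all (assumed model). */
static void rxe_net_del_keep_ref(struct ib_device *dev) { (void)dev; }

/* One scenario on a fresh device; early_load models a worker that loaded
 * dev->netdev before the delete ran, otherwise it reads afterwards. */
static int run_scenario(void (*del)(struct ib_device *), int early_load)
{
	struct net_device nd = { .refcnt = 1, .freed = 0, .speed = 25000 };
	struct ib_device dev = { .netdev = &nd };
	struct net_device *early = dev.netdev;

	del(&dev);
	return worker_read_speed(early_load ? early : dev.netdev);
}
```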