From: Zhu Yanjun <yanjun.zhu@linux.dev>
To: Kuniyuki Iwashima <kuniyu@google.com>, Zhu Yanjun <yanjun.zhu@linux.dev>
Cc: David Ahern <dsahern@kernel.org>,
Zhu Yanjun <zyjzyj2000@gmail.com>, Jason Gunthorpe <jgg@ziepe.ca>,
Leon Romanovsky <leon@kernel.org>,
Kuniyuki Iwashima <kuni1840@gmail.com>,
linux-rdma@vger.kernel.org,
syzbot+d8f76778263ab65c2b21@syzkaller.appspotmail.com
Subject: Re: [PATCH v2 1/2] RDMA/rxe: Fix null-ptr-deref in kernel_sock_shutdown().
Date: Sun, 26 Apr 2026 20:53:11 -0700 [thread overview]
Message-ID: <e2e1406f-8d9d-4a96-949d-e75096446d1a@linux.dev> (raw)
In-Reply-To: <CAAVpQUAh2KT=YpfDO5nkqrzH0kbAXEBVe6jtOtLc93wjs3N7Fg@mail.gmail.com>
在 2026/4/26 20:10, Kuniyuki Iwashima 写道:
> On Sun, Apr 26, 2026 at 7:57 PM Zhu Yanjun <yanjun.zhu@linux.dev> wrote:
>> 在 2026/4/26 9:42, David Ahern 写道:
>>> On 4/25/26 3:25 PM, Zhu Yanjun wrote:
>>>> 在 2026/4/24 23:04, Kuniyuki Iwashima 写道:
>>>>> syzbot reported null-ptr-deref in kernel_sock_shutdown(). [0]
>>>>>
>>>>> The problem is ->newlink() and ->dellink() can be called
>>>>> concurrently with no synchronisation, leading sk leak or
>>>>> double free, etc.
>>>>>
>>>>> We defer UDP tunnel allocation to the first device creation,
>>>>> but this would requrie per-netns locking.
>>>>>
>>>>> Let's allocate UDP tunnels in the __init_net hook.
>>>>>
>>>>> Now extra sock_hold() and __sock_put() are no longer needed.
>>>>>
>>>>> Note that rxe_ns_pernet_sk6() is broken and will be fixed
>>>>> in the following patch.
>>>>>
>>> ...
>>>> All the commits are functionally correct, but I noticed some regressions
>>>> when running:
>>>> make -C tools/testing/selftests/rdma/ TARGET=rdma run_tests
>>>>
>>>> After applying this commit, the UDP port 4791 starts listening in both
>>>> init_net and all other net namespaces as soon as modprobe rdma_rxe is
>>>> executed. This breaks tests that expect the port to be unoccupied until
>>>> a device is actually created.
>>> Not opening the port until an rxe device is created in that namespace
>>> needs to be kept.
>> This change alters the user-visible behavior:
>> the UDP port is now always listening per netns,
>> even without an rxe device.
>>
>> Is this intentional, or should we preserve the
>> previous lazy allocation semantics?
> I did it intentionally because before f1327abd6abe
> the port was reserved while loading the module, and
> if the tunnel creation failed, the module was unloaded.
>
> Rather I feel f1327abd6abe introduced the user-visible
> change.
>
> That said, I don't have a strong preference, so up to you
> maintainers. Simple lockless solution vs per-newlink/dellink
> locking.
To be honest, I do not have a strong preference here, though
I lean slightly toward the per-newlink/dellink locking approach.
Both the simple lockless solution and the locking approach seem
reasonable, depending on whether we prioritize simplicity or
explicit synchronization and lifecycle clarity.
It would be helpful to get feedback from David Ahern, Leon,
and Jason to converge on a final direction.
Zhu Yanjun
>
> FWIW, there is another example that reserves a port in every
> netns while loading the module, see rds_tcp_listen_init().
>
--
Best Regards,
Yanjun.Zhu
next prev parent reply other threads:[~2026-04-27 3:53 UTC|newest]
Thread overview: 85+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-25 6:04 [PATCH v2 0/2] RDMA/rxe: Fix per-netns UDP tunnel issues Kuniyuki Iwashima
2026-04-25 6:04 ` [PATCH v2 1/2] RDMA/rxe: Fix null-ptr-deref in kernel_sock_shutdown() Kuniyuki Iwashima
2026-04-25 15:47 ` David Ahern
2026-04-25 20:55 ` Kuniyuki Iwashima
2026-04-26 16:40 ` David Ahern
2026-04-25 21:25 ` Zhu Yanjun
2026-04-26 16:42 ` David Ahern
2026-04-27 2:57 ` Zhu Yanjun
2026-04-27 3:10 ` Kuniyuki Iwashima
2026-04-27 3:53 ` Zhu Yanjun [this message]
2026-04-25 6:04 ` [PATCH v2 2/2] RDMA/rxe: Fix up RCU usage for rxe_ns_pernet_sk6() Kuniyuki Iwashima
2026-04-25 21:26 ` Zhu Yanjun
-- strict thread matches above, loose matches on Subject: below --
2026-04-11 14:49 [PATCH rdma-next v2 00/15] RDMA: Introduce generic buffer descriptor infrastructure for umem Jiri Pirko
2026-04-11 14:49 ` [PATCH rdma-next v2 01/15] RDMA/core: " Jiri Pirko
2026-04-12 12:33 ` Michael Margolin
2026-04-13 8:32 ` Jiri Pirko
2026-04-13 16:02 ` Michael Margolin
2026-04-13 18:22 ` Jiri Pirko
2026-04-16 12:10 ` Michael Margolin
2026-04-16 13:34 ` Jiri Pirko
2026-04-21 12:50 ` Jason Gunthorpe
2026-04-21 12:52 ` Jason Gunthorpe
2026-04-22 10:32 ` Jiri Pirko
2026-04-22 16:30 ` Jason Gunthorpe
2026-04-21 13:46 ` Jason Gunthorpe
2026-04-22 11:33 ` Jiri Pirko
2026-04-22 14:06 ` Jiri Pirko
2026-04-22 16:51 ` Jason Gunthorpe
2026-04-23 13:08 ` Jiri Pirko
2026-04-23 15:08 ` Jason Gunthorpe
[not found] ` <20260426135340.GH440345@unreal>
2026-04-26 22:50 ` Jason Gunthorpe
2026-04-11 14:49 ` [PATCH rdma-next v2 02/15] RDMA/uverbs: Push out CQ buffer umem processing into a helper Jiri Pirko
2026-04-21 13:25 ` Jason Gunthorpe
2026-04-22 10:56 ` Jiri Pirko
2026-04-22 16:32 ` Jason Gunthorpe
2026-04-11 14:49 ` [PATCH rdma-next v2 03/15] RDMA/uverbs: Integrate umem_list into CQ creation Jiri Pirko
2026-04-11 14:49 ` [PATCH rdma-next v2 04/15] RDMA/efa: Use umem_list for user CQ buffer Jiri Pirko
2026-04-11 14:49 ` [PATCH rdma-next v2 05/15] RDMA/mlx5: " Jiri Pirko
2026-04-11 14:49 ` [PATCH rdma-next v2 06/15] RDMA/bnxt_re: " Jiri Pirko
2026-04-11 14:49 ` [PATCH rdma-next v2 07/15] RDMA/mlx4: " Jiri Pirko
2026-04-11 14:49 ` [PATCH rdma-next v2 08/15] RDMA/uverbs: Remove legacy umem field from struct ib_cq Jiri Pirko
2026-04-11 14:49 ` [PATCH rdma-next v2 09/15] RDMA/uverbs: Verify all umem_list buffers are consumed after CQ creation Jiri Pirko
2026-04-11 14:49 ` [PATCH rdma-next v2 10/15] RDMA/uverbs: Integrate umem_list into QP creation Jiri Pirko
2026-04-11 14:49 ` [PATCH rdma-next v2 11/15] RDMA/mlx5: Use umem_list for QP buffers in create_qp Jiri Pirko
2026-04-11 14:49 ` [PATCH rdma-next v2 12/15] RDMA/uverbs: Add doorbell record buffer slot to CQ umem_list Jiri Pirko
2026-04-11 14:49 ` [PATCH rdma-next v2 13/15] RDMA/mlx5: Use umem_list for CQ doorbell record Jiri Pirko
2026-04-11 14:49 ` [PATCH rdma-next v2 14/15] RDMA/uverbs: Add doorbell record buffer slot to QP umem_list Jiri Pirko
2026-04-11 14:49 ` [PATCH rdma-next v2 15/15] RDMA/mlx5: Use umem_list for QP doorbell record Jiri Pirko
2026-03-31 5:56 [PATCH v2 0/4] Firmware LSM hook Leon Romanovsky
2026-03-31 5:56 ` [PATCH v2 1/4] bpf: add firmware command validation hook Leon Romanovsky
2026-04-16 8:43 ` Matt Bobrowski
2026-03-31 5:56 ` [PATCH v2 2/4] selftests/bpf: add test cases for fw_validate_cmd hook Leon Romanovsky
2026-03-31 5:56 ` [PATCH v2 3/4] RDMA/mlx5: Externally validate FW commands supplied in DEVX interface Leon Romanovsky
2026-03-31 5:56 ` [PATCH v2 4/4] fwctl/mlx5: Externally validate FW commands supplied in fwctl Leon Romanovsky
2026-04-09 12:12 ` [PATCH v2 0/4] Firmware LSM hook Leon Romanovsky
2026-04-09 12:27 ` Roberto Sassu
2026-04-09 12:45 ` Leon Romanovsky
2026-04-09 21:04 ` Paul Moore
2026-04-12 9:00 ` Leon Romanovsky
2026-04-13 1:38 ` Paul Moore
2026-04-13 15:53 ` Leon Romanovsky
2026-04-13 16:42 ` Jason Gunthorpe
2026-04-13 17:36 ` Casey Schaufler
2026-04-13 19:09 ` Casey Schaufler
2026-04-13 22:36 ` Paul Moore
2026-04-13 23:19 ` Jason Gunthorpe
2026-04-14 17:05 ` Casey Schaufler
2026-04-14 19:09 ` Paul Moore
2026-04-14 20:09 ` Casey Schaufler
2026-04-14 20:44 ` Paul Moore
2026-04-14 22:42 ` Casey Schaufler
2026-04-15 21:03 ` Paul Moore
2026-04-15 21:21 ` Casey Schaufler
2026-04-14 20:27 ` Paul Moore
2026-04-15 13:47 ` Jason Gunthorpe
2026-04-15 21:40 ` Paul Moore
2026-04-17 19:17 ` Jason Gunthorpe
2026-04-21 0:58 ` Paul Moore
2026-04-24 14:36 ` Jason Gunthorpe
2026-04-24 20:59 ` Paul Moore
2026-04-24 22:13 ` Jason Gunthorpe
2026-04-23 14:09 ` Leon Romanovsky
2026-04-24 14:19 ` Jason Gunthorpe
2026-04-26 10:39 ` Leon Romanovsky
2026-04-23 13:05 ` Leon Romanovsky
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e2e1406f-8d9d-4a96-949d-e75096446d1a@linux.dev \
--to=yanjun.zhu@linux.dev \
--cc=dsahern@kernel.org \
--cc=jgg@ziepe.ca \
--cc=kuni1840@gmail.com \
--cc=kuniyu@google.com \
--cc=leon@kernel.org \
--cc=linux-rdma@vger.kernel.org \
--cc=syzbot+d8f76778263ab65c2b21@syzkaller.appspotmail.com \
--cc=zyjzyj2000@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox