[PATCH net v1 0/2] net/rds: Fix use-after-free in RDS/IB for non-init namespaces

[PATCH net v1 0/2] net/rds: Fix use-after-free in RDS/IB for non-init namespaces

[Allison Henderson]

This series fixes syzbot bug da8e060735ae02c8f3d1
https://syzkaller.appspot.com/bug?extid=da8e060735ae02c8f3d1

The report finds a use-after-free bug where ib connections access an
invalid network namespace after it has been freed.  The stack is:

    rds_rdma_cm_event_handler_cmn
      rds_conn_path_drop
        rds_destroy_pending
          check_net()  <-- use-after-free

This is initially introduced in:
d5a8ac28a7ff ("RDS-TCP: Make RDS-TCP work correctly when it is set up
in a netns other than init_net").

Here, we made RDS aware of the namespace by storing a net pointer in
each connection.  But it is not explicitly restricted to init_net in
the case of ib. The RDS/TCP transport has its own pernet exit handler
(rds_tcp_exit_net) that destroys connections when a namespace is torn
down. But RDS/IB does not support more than the initial namespace and
has no such handler. The initial namespace is statically allocated,
and never torn down, so it always has at least one reference.

Allowing non init namespaces that do not have a persistent reference
means that when their refcounts drop to zero, they are released through
cleanup_net(). Which would call any registered pernet clean up handlers
if it had any, but since they don't in this case, the extra
rds_connections remain with stale c_net pointers.  Which are then
accessed later causing the use-after-free bug.

So, the simple fix is to disallow more than the initial namespace
to be created in the case of ib connections.

Fixes are ported from UEK patches found here:

  https://github.com/oracle/linux-uek/commit/8ed9a82376b7
  Patch 1 is a prerequisite optimization to rds_ib_laddr_check() that
  avoids excessive rdma_bind_addr() calls during transport probing by
  first checking rds_ib_get_device().  This is needed because patch 2
  adds a namespace check at the top of the same function.

    UEK: 8ed9a82376b7 ("rds: ib: Optimize rds_ib_laddr_check")

  https://github.com/oracle/linux-uek/commit/bd9489a08004
  Patch 2 restricts RDS/IB to the initial network namespace.  It adds
  checks in both rds_ib_laddr_check() and rds_set_transport() to reject
  IB use from non-init namespaces with -EPROTOTYPE.  This prevents the
  use-after-free by ensuring IB connections cannot exist in namespaces
  that may be torn down.

    UEK: bd9489a08004 ("net/rds: Restrict use of RDS/IB to the initial
    network namespace")

Questions, comments and feedback appreciated!

Thank you!
Allison

Greg Jumper (1):
  net/rds: Restrict use of RDS/IB to the initial network namespace

Håkon Bugge (1):
  net/rds: Optimize rds_ib_laddr_check

 net/rds/af_rds.c  | 10 ++++++++--
 net/rds/ib.c      | 23 +++++++++++++++++++++--
 net/rds/ib.h      |  1 +
 net/rds/ib_rdma.c |  2 +-
 4 files changed, 31 insertions(+), 5 deletions(-)

-- 
2.43.0

[PATCH net v1 1/2] net/rds: Optimize rds_ib_laddr_check

[Allison Henderson]

From: Håkon Bugge <haakon.bugge@oracle.com>

rds_ib_laddr_check() creates a CM_ID and attempts to bind the address
in question to it. This in order to qualify the allegedly local
address as a usable IB/RoCE address.

In the field, ExaWatcher runs rds-ping to all ports in the fabric from
all local ports. This using all active ToS'es. In a full rack system,
we have 14 cell servers and eight db servers. Typically, 6 ToS'es are
used. This implies 528 rds-ping invocations per ExaWatcher's "RDSinfo"
interval.

Adding to this, each rds-ping invocation creates eight sockets and
binds the local address to them:

socket(AF_RDS, SOCK_SEQPACKET, 0)       = 3
bind(3, {sa_family=AF_INET, sin_port=htons(0),
	sin_addr=inet_addr("192.168.36.2")}, 16) = 0
socket(AF_RDS, SOCK_SEQPACKET, 0)       = 4
bind(4, {sa_family=AF_INET, sin_port=htons(0),
	sin_addr=inet_addr("192.168.36.2")}, 16) = 0
socket(AF_RDS, SOCK_SEQPACKET, 0)       = 5
bind(5, {sa_family=AF_INET, sin_port=htons(0),
	sin_addr=inet_addr("192.168.36.2")}, 16) = 0
socket(AF_RDS, SOCK_SEQPACKET, 0)       = 6
bind(6, {sa_family=AF_INET, sin_port=htons(0),
	sin_addr=inet_addr("192.168.36.2")}, 16) = 0
socket(AF_RDS, SOCK_SEQPACKET, 0)       = 7
bind(7, {sa_family=AF_INET, sin_port=htons(0),
	sin_addr=inet_addr("192.168.36.2")}, 16) = 0
socket(AF_RDS, SOCK_SEQPACKET, 0)       = 8
bind(8, {sa_family=AF_INET, sin_port=htons(0),
	sin_addr=inet_addr("192.168.36.2")}, 16) = 0
socket(AF_RDS, SOCK_SEQPACKET, 0)       = 9
bind(9, {sa_family=AF_INET, sin_port=htons(0),
	sin_addr=inet_addr("192.168.36.2")}, 16) = 0
socket(AF_RDS, SOCK_SEQPACKET, 0)       = 10
bind(10, {sa_family=AF_INET, sin_port=htons(0),
	sin_addr=inet_addr("192.168.36.2")}, 16) = 0

So, at every interval ExaWatcher executes rds-ping's, 4224 CM_IDs are
allocated, considering this full-rack system. After the a CM_ID has
been allocated, rdma_bind_addr() is called, with the port number being
zero. This implies that the CMA will attempt to search for an un-used
ephemeral port. Simplified, the algorithm is to start at a random
position in the available port space, and then if needed, iterate
until an un-used port is found.

The book-keeping of used ports uses the idr system, which again uses
slab to allocate new struct idr_layer's. The size is 2092 bytes and
slab tries to reduce the wasted space. Hence, it chooses an order:3
allocation, for which 15 idr_layer structs will fit and only 1388
bytes are wasted per the 32KiB order:3 chunk.

Although this order:3 allocation seems like a good space/speed
trade-off, it does not resonate well with how it used by the CMA. The
combination of the randomized starting point in the port space (which
has close to zero spatial locality) and the close proximity in time of
the 4224 invocations of the rds-ping's, creates a memory hog for
order:3 allocations.

These costly allocations may need reclaims and/or compaction. At
worst, they may fail and produce a stack trace such as (from uek4):

[<ffffffff811a72d5>] __inc_zone_page_state+0x35/0x40
[<ffffffff811c2e97>] page_add_file_rmap+0x57/0x60
[<ffffffffa37ca1df>] remove_migration_pte+0x3f/0x3c0 [ksplice_6cn872bt_vmlinux_new]
[<ffffffff811c3de8>] rmap_walk+0xd8/0x340
[<ffffffff811e8860>] remove_migration_ptes+0x40/0x50
[<ffffffff811ea83c>] migrate_pages+0x3ec/0x890
[<ffffffff811afa0d>] compact_zone+0x32d/0x9a0
[<ffffffff811b00ed>] compact_zone_order+0x6d/0x90
[<ffffffff811b03b2>] try_to_compact_pages+0x102/0x270
[<ffffffff81190e56>] __alloc_pages_direct_compact+0x46/0x100
[<ffffffff8119165b>] __alloc_pages_nodemask+0x74b/0xaa0
[<ffffffff811d8411>] alloc_pages_current+0x91/0x110
[<ffffffff811e3b0b>] new_slab+0x38b/0x480
[<ffffffffa41323c7>] __slab_alloc+0x3b7/0x4a0 [ksplice_s0dk66a8_vmlinux_new]
[<ffffffff811e42ab>] kmem_cache_alloc+0x1fb/0x250
[<ffffffff8131fdd6>] idr_layer_alloc+0x36/0x90
[<ffffffff8132029c>] idr_get_empty_slot+0x28c/0x3d0
[<ffffffff813204ad>] idr_alloc+0x4d/0xf0
[<ffffffffa051727d>] cma_alloc_port+0x4d/0xa0 [rdma_cm]
[<ffffffffa0517cbe>] rdma_bind_addr+0x2ae/0x5b0 [rdma_cm]
[<ffffffffa09d8083>] rds_ib_laddr_check+0x83/0x2c0 [ksplice_6l2xst5i_rds_rdma_new]
[<ffffffffa05f892b>] rds_trans_get_preferred+0x5b/0xa0 [rds]
[<ffffffffa05f09f2>] rds_bind+0x212/0x280 [rds]
[<ffffffff815b4016>] SYSC_bind+0xe6/0x120
[<ffffffff815b4d3e>] SyS_bind+0xe/0x10
[<ffffffff816b031a>] system_call_fastpath+0x18/0xd4

To avoid these excessive calls to rdma_bind_addr(), we optimize
rds_ib_laddr_check() by simply checking if the address in question has
been used before. The rds_rdma module keeps track of addresses
associated with IB devices, and the function rds_ib_get_device() is
used to determine if the address already has been qualified as a valid
local address. If not found, we call the legacy rds_ib_laddr_check(),
now renamed to rds_ib_laddr_check_cm().

Signed-off-by: Somasundaram Krishnasamy <somasundaram.krishnasamy@oracle.com>
Signed-off-by: Gerd Rausch <gerd.rausch@oracle.com>
Signed-off-by: Allison Henderson <achender@kernel.org>
---
 net/rds/ib.c      | 18 ++++++++++++++++--
 net/rds/ib.h      |  1 +
 net/rds/ib_rdma.c |  2 +-
 3 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/net/rds/ib.c b/net/rds/ib.c
index ac6affa33ce7..73e01984ee9a 100644
--- a/net/rds/ib.c
+++ b/net/rds/ib.c
@@ -401,8 +401,8 @@ static void rds6_ib_ic_info(struct socket *sock, unsigned int len,
  * allowed to influence which paths have priority.  We could call userspace
  * asserting this policy "routing".
  */
-static int rds_ib_laddr_check(struct net *net, const struct in6_addr *addr,
-			      __u32 scope_id)
+static int rds_ib_laddr_check_cm(struct net *net, const struct in6_addr *addr,
+				 __u32 scope_id)
 {
 	int ret;
 	struct rdma_cm_id *cm_id;
@@ -487,6 +487,20 @@ static int rds_ib_laddr_check(struct net *net, const struct in6_addr *addr,
 	return ret;
 }
 
+static int rds_ib_laddr_check(struct net *net, const struct in6_addr *addr,
+			      __u32 scope_id)
+{
+	struct rds_ib_device *rds_ibdev = rds_ib_get_device(addr->s6_addr32[3]);
+
+	if (rds_ibdev) {
+		rds_ib_dev_put(rds_ibdev);
+
+		return 0;
+	}
+
+	return rds_ib_laddr_check_cm(net, addr, scope_id);
+}
+
 static void rds_ib_unregister_client(void)
 {
 	ib_unregister_client(&rds_ib_client);
diff --git a/net/rds/ib.h b/net/rds/ib.h
index 8ef3178ed4d6..5ff346a1e8ba 100644
--- a/net/rds/ib.h
+++ b/net/rds/ib.h
@@ -381,6 +381,7 @@ void rds_ib_cm_connect_complete(struct rds_connection *conn,
 	__rds_ib_conn_error(conn, KERN_WARNING "RDS/IB: " fmt)
 
 /* ib_rdma.c */
+struct rds_ib_device *rds_ib_get_device(__be32 ipaddr);
 int rds_ib_update_ipaddr(struct rds_ib_device *rds_ibdev,
 			 struct in6_addr *ipaddr);
 void rds_ib_add_conn(struct rds_ib_device *rds_ibdev, struct rds_connection *conn);
diff --git a/net/rds/ib_rdma.c b/net/rds/ib_rdma.c
index 2cfec252eeac..9594ea245f7f 100644
--- a/net/rds/ib_rdma.c
+++ b/net/rds/ib_rdma.c
@@ -43,7 +43,7 @@ struct workqueue_struct *rds_ib_mr_wq;
 
 static void rds_ib_odp_mr_worker(struct work_struct *work);
 
-static struct rds_ib_device *rds_ib_get_device(__be32 ipaddr)
+struct rds_ib_device *rds_ib_get_device(__be32 ipaddr)
 {
 	struct rds_ib_device *rds_ibdev;
 	struct rds_ib_ipaddr *i_ipaddr;
-- 
2.43.0

Re: [PATCH net v1 1/2] net/rds: Optimize rds_ib_laddr_check

[Jakub Kicinski]

This is an AI-generated review of your patch. The human sending this
email has considered the AI review valid, or at least plausible.

For local reproduction steps see https://netdev-ai.bots.linux.dev/ai-local.html
---
net/rds: Optimize rds_ib_laddr_check

This patch optimizes rds_ib_laddr_check() to avoid excessive
rdma_bind_addr() calls by checking if an address has been used before.
It renames the original function to rds_ib_laddr_check_cm() and
introduces a new wrapper that first checks rds_ib_get_device() before
falling back to the CM-based check.

> diff --git a/net/rds/ib.c b/net/rds/ib.c
> index ac6affa33ce7..73e01984ee9a 100644
> --- a/net/rds/ib.c
> +++ b/net/rds/ib.c
> @@ -401,8 +401,8 @@ static void rds6_ib_ic_info(struct socket *sock, unsigned int len,
>   * allowed to influence which paths have priority.  We could call userspace
>   * asserting this policy "routing".
>   */
> -static int rds_ib_laddr_check(struct net *net, const struct in6_addr *addr,
> -			      __u32 scope_id)
> +static int rds_ib_laddr_check_cm(struct net *net, const struct in6_addr *addr,
> +				 __u32 scope_id)
>  {
>  	int ret;
>  	struct rdma_cm_id *cm_id;

[ ... ]

> @@ -487,6 +487,20 @@ static int rds_ib_laddr_check(struct net *net, const struct in6_addr *addr,
>  	return ret;
>  }
>
> +static int rds_ib_laddr_check(struct net *net, const struct in6_addr *addr,
> +			      __u32 scope_id)
> +{
> +	struct rds_ib_device *rds_ibdev = rds_ib_get_device(addr->s6_addr32[3]);
> +
> +	if (rds_ibdev) {
> +		rds_ib_dev_put(rds_ibdev);
> +
> +		return 0;
> +	}
> +
> +	return rds_ib_laddr_check_cm(net, addr, scope_id);
> +}
> +

Can this code handle pure IPv6 addresses correctly? The function extracts
addr->s6_addr32[3] and passes it to rds_ib_get_device(), which looks up
devices by IPv4 address.

For IPv4-mapped IPv6 addresses, addr->s6_addr32[3] contains the IPv4
address. But for pure IPv6 addresses (when CONFIG_IPV6 is enabled),
addr->s6_addr32[3] contains the last 32 bits of the IPv6 address, which
could accidentally match a stored IPv4 address.

When this collision occurs, the function returns 0 (success) without
calling rds_ib_laddr_check_cm(), which performs the full validation
including rdma_bind_addr() and IPv6 link-local scope_id checks. This
means a pure IPv6 address could be incorrectly accepted as valid for IB
transport.

Should this be guarded with an ipv6_addr_v4mapped(addr) check? For
example:

    if (ipv6_addr_v4mapped(addr)) {
        rds_ibdev = rds_ib_get_device(addr->s6_addr32[3]);
        ...
    }

The existing callers of rds_ib_get_device (rds_ib_get_mr,
rds_ib_update_ipaddr) operate in post-connection contexts where the
address type is already validated, but rds_ib_laddr_check is the
validation gate called during bind/transport-selection for any address
type.

>  static void rds_ib_unregister_client(void)
>  {
>  	ib_unregister_client(&rds_ib_client);

[ ... ]
-- 
pw-bot: cr

Re: [PATCH net v1 1/2] net/rds: Optimize rds_ib_laddr_check

[Allison Henderson]

On Mon, 2026-04-06 at 18:19 -0700, Jakub Kicinski wrote:
> This is an AI-generated review of your patch. The human sending this
> email has considered the AI review valid, or at least plausible.
> 
> For local reproduction steps see https://netdev-ai.bots.linux.dev/ai-local.html
> ---
> net/rds: Optimize rds_ib_laddr_check
> 
> This patch optimizes rds_ib_laddr_check() to avoid excessive
> rdma_bind_addr() calls by checking if an address has been used before.
> It renames the original function to rds_ib_laddr_check_cm() and
> introduces a new wrapper that first checks rds_ib_get_device() before
> falling back to the CM-based check.
> 
> > diff --git a/net/rds/ib.c b/net/rds/ib.c
> > index ac6affa33ce7..73e01984ee9a 100644
> > --- a/net/rds/ib.c
> > +++ b/net/rds/ib.c
> > @@ -401,8 +401,8 @@ static void rds6_ib_ic_info(struct socket *sock, unsigned int len,
> >   * allowed to influence which paths have priority.  We could call userspace
> >   * asserting this policy "routing".
> >   */
> > -static int rds_ib_laddr_check(struct net *net, const struct in6_addr *addr,
> > -			      __u32 scope_id)
> > +static int rds_ib_laddr_check_cm(struct net *net, const struct in6_addr *addr,
> > +				 __u32 scope_id)
> >  {
> >  	int ret;
> >  	struct rdma_cm_id *cm_id;
> 
> [ ... ]
> 
> > @@ -487,6 +487,20 @@ static int rds_ib_laddr_check(struct net *net, const struct in6_addr *addr,
> >  	return ret;
> >  }
> > 
> > +static int rds_ib_laddr_check(struct net *net, const struct in6_addr *addr,
> > +			      __u32 scope_id)
> > +{
> > +	struct rds_ib_device *rds_ibdev = rds_ib_get_device(addr->s6_addr32[3]);
> > +
> > +	if (rds_ibdev) {
> > +		rds_ib_dev_put(rds_ibdev);
> > +
> > +		return 0;
> > +	}
> > +
> > +	return rds_ib_laddr_check_cm(net, addr, scope_id);
> > +}
> > +
> 
> Can this code handle pure IPv6 addresses correctly? The function extracts
> addr->s6_addr32[3] and passes it to rds_ib_get_device(), which looks up
> devices by IPv4 address.
> 
> For IPv4-mapped IPv6 addresses, addr->s6_addr32[3] contains the IPv4
> address. But for pure IPv6 addresses (when CONFIG_IPV6 is enabled),
> addr->s6_addr32[3] contains the last 32 bits of the IPv6 address, which
> could accidentally match a stored IPv4 address.
> 
> When this collision occurs, the function returns 0 (success) without
> calling rds_ib_laddr_check_cm(), which performs the full validation
> including rdma_bind_addr() and IPv6 link-local scope_id checks. This
> means a pure IPv6 address could be incorrectly accepted as valid for IB
> transport.
> 
> Should this be guarded with an ipv6_addr_v4mapped(addr) check? For
> example:
> 
>     if (ipv6_addr_v4mapped(addr)) {
>         rds_ibdev = rds_ib_get_device(addr->s6_addr32[3]);
>         ...
>     }
> 
> The existing callers of rds_ib_get_device (rds_ib_get_mr,
> rds_ib_update_ipaddr) operate in post-connection contexts where the
> address type is already validated, but rds_ib_laddr_check is the
> validation gate called during bind/transport-selection for any address
> type.

Ok  I think the correct ports to fix this would be these two commits:
https://github.com/oracle/linux-uek/commit/caffdcae6593	 
caffdcae6593 ("rds: Enable RDS IPv6 support")

https://github.com/oracle/linux-uek/commit/cb82f22bbff5  
cb82f22bbff5 ("rds: Changed IP address internal representation to struct in6_addr")

But that is starting to snowball quite a bit outside the scope of the syzbot bug, and a lot of rds port patches tend to
domino like this if we don't find a way to contain it.  So for the syzbot report, I think the ai suggestion is
reasonable.  So, if folks agree, I am fine to add that check in v2.

Thank you!
Allison

> 
> >  static void rds_ib_unregister_client(void)
> >  {
> >  	ib_unregister_client(&rds_ib_client);
> 
> [ ... ]

Re: [PATCH net v1 1/2] net/rds: Optimize rds_ib_laddr_check

[Jakub Kicinski]

On Sat,  4 Apr 2026 21:16:12 -0700 Allison Henderson wrote:
> From: Håkon Bugge <haakon.bugge@oracle.com>

> Signed-off-by: Somasundaram Krishnasamy <somasundaram.krishnasamy@oracle.com>
> Signed-off-by: Gerd Rausch <gerd.rausch@oracle.com>
> Signed-off-by: Allison Henderson <achender@kernel.org>

Author's sign-off missing on this patch (I sent out the AI reviews
as well, without looking, take them with a grain of salt).

Re: [PATCH net v1 1/2] net/rds: Optimize rds_ib_laddr_check

[Allison Henderson]

On Mon, 2026-04-06 at 18:19 -0700, Jakub Kicinski wrote:
> On Sat,  4 Apr 2026 21:16:12 -0700 Allison Henderson wrote:
> > From: Håkon Bugge <haakon.bugge@oracle.com>
> 
> > Signed-off-by: Somasundaram Krishnasamy <somasundaram.krishnasamy@oracle.com>
> > Signed-off-by: Gerd Rausch <gerd.rausch@oracle.com>
> > Signed-off-by: Allison Henderson <achender@kernel.org>
> 
> Author's sign-off missing on this patch (I sent out the AI reviews
> as well, without looking, take them with a grain of salt).

Yes, Håkon's sob should be here, I will add it.

Thanks!
Allison

[PATCH net v1 2/2] net/rds: Restrict use of RDS/IB to the initial network namespace

[Allison Henderson]

From: Greg Jumper <greg.jumper@oracle.com>

Prevent using RDS/IB in network namespaces other than the initial one.
The existing RDS/IB code will not work properly in non-initial network
namespaces, and there are currently no plans to support such use.

Fixes: d5a8ac28a7ff ("RDS-TCP: Make RDS-TCP work correctly when it is set up in a netns other than init_net")
Reported-by: syzbot+da8e060735ae02c8f3d1@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=da8e060735ae02c8f3d1
Signed-off-by: Greg Jumper <greg.jumper@oracle.com>
Signed-off-by: Allison Henderson <achender@kernel.org>
---
 net/rds/af_rds.c | 10 ++++++++--
 net/rds/ib.c     |  7 ++++++-
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/net/rds/af_rds.c b/net/rds/af_rds.c
index b396c673dfaf..896d4cfda5c3 100644
--- a/net/rds/af_rds.c
+++ b/net/rds/af_rds.c
@@ -357,7 +357,8 @@ static int rds_cong_monitor(struct rds_sock *rs, sockptr_t optval, int optlen)
 	return ret;
 }
 
-static int rds_set_transport(struct rds_sock *rs, sockptr_t optval, int optlen)
+static int rds_set_transport(struct net *net, struct rds_sock *rs,
+			     sockptr_t optval, int optlen)
 {
 	int t_type;
 
@@ -373,6 +374,10 @@ static int rds_set_transport(struct rds_sock *rs, sockptr_t optval, int optlen)
 	if (t_type < 0 || t_type >= RDS_TRANS_COUNT)
 		return -EINVAL;
 
+	/* Only RDS/TCP supports non-initial network namespaces */
+	if (t_type != RDS_TRANS_TCP && !net_eq(net, &init_net))
+		return -EPROTOTYPE;
+
 	rs->rs_transport = rds_trans_get(t_type);
 
 	return rs->rs_transport ? 0 : -ENOPROTOOPT;
@@ -433,6 +438,7 @@ static int rds_setsockopt(struct socket *sock, int level, int optname,
 			  sockptr_t optval, unsigned int optlen)
 {
 	struct rds_sock *rs = rds_sk_to_rs(sock->sk);
+	struct net *net = sock_net(sock->sk);
 	int ret;
 
 	if (level != SOL_RDS) {
@@ -461,7 +467,7 @@ static int rds_setsockopt(struct socket *sock, int level, int optname,
 		break;
 	case SO_RDS_TRANSPORT:
 		lock_sock(sock->sk);
-		ret = rds_set_transport(rs, optval, optlen);
+		ret = rds_set_transport(net, rs, optval, optlen);
 		release_sock(sock->sk);
 		break;
 	case SO_TIMESTAMP_OLD:
diff --git a/net/rds/ib.c b/net/rds/ib.c
index 73e01984ee9a..1bdbe8eaf3fc 100644
--- a/net/rds/ib.c
+++ b/net/rds/ib.c
@@ -490,8 +490,13 @@ static int rds_ib_laddr_check_cm(struct net *net, const struct in6_addr *addr,
 static int rds_ib_laddr_check(struct net *net, const struct in6_addr *addr,
 			      __u32 scope_id)
 {
-	struct rds_ib_device *rds_ibdev = rds_ib_get_device(addr->s6_addr32[3]);
+	struct rds_ib_device *rds_ibdev;
+
+	/* RDS/IB is only supported in the initial network namespace */
+	if (!net_eq(net, &init_net))
+		return -EPROTOTYPE;
 
+	rds_ibdev = rds_ib_get_device(addr->s6_addr32[3]);
 	if (rds_ibdev) {
 		rds_ib_dev_put(rds_ibdev);
 
-- 
2.43.0

Re: [PATCH net v1 2/2] net/rds: Restrict use of RDS/IB to the initial network namespace

[Jakub Kicinski]

This is an AI-generated review of your patch. The human sending this
email has considered the AI review valid, or at least plausible.

For local reproduction steps see https://netdev-ai.bots.linux.dev/ai-local.html
---
net/rds: Restrict use of RDS/IB to the initial network namespace

Prevent using RDS/IB in network namespaces other than the initial one.
The existing RDS/IB code will not work properly in non-initial network
namespaces, and there are currently no plans to support such use.

Closes: https://syzkaller.appspot.com/bug?extid=da8e060735ae02c8f3d1

> diff --git a/net/rds/af_rds.c b/net/rds/af_rds.c
> --- a/net/rds/af_rds.c
> +++ b/net/rds/af_rds.c

[ ... ]

> @@ -373,6 +374,10 @@ static int rds_set_transport(struct net *net, struct rds_sock *rs,
>  	if (t_type < 0 || t_type >= RDS_TRANS_COUNT)
>  		return -EINVAL;
>
> +	/* Only RDS/TCP supports non-initial network namespaces */
> +	if (t_type != RDS_TRANS_TCP && !net_eq(net, &init_net))
> +		return -EPROTOTYPE;
> +

[ ... ]

> diff --git a/net/rds/ib.c b/net/rds/ib.c
> --- a/net/rds/ib.c
> +++ b/net/rds/ib.c
> @@ -490,8 +490,13 @@
>  static int rds_ib_laddr_check(struct net *net, const struct in6_addr *addr,
>  			      __u32 scope_id)
>  {
> -	struct rds_ib_device *rds_ibdev = rds_ib_get_device(addr->s6_addr32[3]);
> +	struct rds_ib_device *rds_ibdev;
>
> +	/* RDS/IB is only supported in the initial network namespace */
> +	if (!net_eq(net, &init_net))
> +		return -EPROTOTYPE;
> +
                                   ^^^^
Is the wording "is only supported" in this comment precise? Looking at the
existing codebase, rds_ib_cm_handle_connect() already has a comment that
says "RDS/IB is not currently netns aware, thus init_net" with the phrase
"for now" in rds_ib_laddr_check_cm() suggesting this could change. Before
this patch, it was technically possible to attempt using RDS/IB in
non-init namespaces (though it led to the UAF bug). The comment might be
clearer if it said "RDS/IB does not work correctly in non-initial network
namespaces" or "RDS/IB is restricted to the initial network namespace" to
better distinguish between the technical limitation and the enforcement.

> +	rds_ibdev = rds_ib_get_device(addr->s6_addr32[3]);
>  	if (rds_ibdev) {
>  		rds_ib_dev_put(rds_ibdev);
>

The commit message states "there are currently no plans to support such
use." While the existing code clearly does not support non-init namespaces
(with hardcoded &init_net references throughout), this statement about
future plans cannot be verified from code. The existing comments in
rds_ib_cm_handle_connect() and rds_ib_laddr_check_cm() use phrases like
"for now" and "not currently" which could suggest plans might exist or
could be placeholders. Is this policy statement necessary in the commit
message, or would it be sufficient to state the technical facts about the
current limitation?