Re: [PATCH RDMA v2] RDMA/rxe: add mutual exclusion in rxe_net_del()

[Zhu Yanjun]

在 2026/5/16 7:00, Edward Adam Davis 写道:
> We must serialize calls to rxe_net_del() or risk a crash as syzbot
> reported:
>
> KASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027]
> Call Trace:
>   udp_tunnel_sock_release+0x6d/0x80 net/ipv4/udp_tunnel_core.c:197
>   rxe_release_udp_tunnel drivers/infiniband/sw/rxe/rxe_net.c:294 [inline]
>   rxe_sock_put drivers/infiniband/sw/rxe/rxe_net.c:639 [inline]
>   rxe_net_del+0xfb/0x290 drivers/infiniband/sw/rxe/rxe_net.c:660
>   rxe_dellink+0x15/0x20 drivers/infiniband/sw/rxe/rxe.c:254
>
> Jason Gunthorpe suggest placing the lock within rxe to protect its racy
> implementation of rxe_net_del(), which looks like it is possibly also
> triggered by NETDEV_UNREGISTER.
>
> The patch addressing this issue in nldev_dellink() has already been
> applied(0b28000b64f4); however, since the fix has now been relocated
> to rxe, the corresponding remedial code in nldev has been removed.
>
> Fixes: f1327abd6abe ("RDMA/rxe: Support RDMA link creation and destruction per net namespace")
> Fixes: 0b28000b64f4 ("RDMA/nldev: Add mutual exclusion in nldev_dellink()")
> Reported-by: syzbot+d8f76778263ab65c2b21@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://syzkaller.appspot.com/bug?extid=d8f76778263ab65c2b21
> Signed-off-by: Edward Adam Davis <eadavis@xxxxxx>
> ---
> v1 -> v2: serialize calls to rxe net del

I looked through the commit. I am not sure if this commit should be sent 
to syzbot to verify.

Zhu Yanjun

>   drivers/infiniband/core/nldev.c     | 4 ----
>   drivers/infiniband/sw/rxe/rxe_net.c | 7 ++++++-
>   2 files changed, 6 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/infiniband/core/nldev.c b/drivers/infiniband/core/nldev.c
> index 3cb3cb7629fe..96c745d5bac4 100644
> --- a/drivers/infiniband/core/nldev.c
> +++ b/drivers/infiniband/core/nldev.c
> @@ -1816,8 +1816,6 @@ static int nldev_newlink(struct sk_buff *skb, struct nlmsghdr *nlh,
>   	return err;
>   }
>   
> -static DEFINE_MUTEX(nldev_dellink_mutex);
> -
>   static int nldev_dellink(struct sk_buff *skb, struct nlmsghdr *nlh,
>   			  struct netlink_ext_ack *extack)
>   {
> @@ -1848,9 +1846,7 @@ static int nldev_dellink(struct sk_buff *skb, struct nlmsghdr *nlh,
>   	 * implicitly scoped to the driver supporting dynamic link deletion like RXE.
>   	 */
>   	if (device->link_ops && device->link_ops->dellink) {
> -		mutex_lock(&nldev_dellink_mutex);
>   		err = device->link_ops->dellink(device);
> -		mutex_unlock(&nldev_dellink_mutex);
>   		if (err)
>   			return err;
>   	}
> diff --git a/drivers/infiniband/sw/rxe/rxe_net.c b/drivers/infiniband/sw/rxe/rxe_net.c
> index 50a2cb5405e2..92847e955ca2 100644
> --- a/drivers/infiniband/sw/rxe/rxe_net.c
> +++ b/drivers/infiniband/sw/rxe/rxe_net.c
> @@ -642,6 +642,8 @@ static void rxe_sock_put(struct sock *sk,
>   	}
>   }
>   
> +static DEFINE_MUTEX(rxe_net_del_mutex);
> +
>   void rxe_net_del(struct ib_device *dev)
>   {
>   	struct rxe_dev *rxe = container_of(dev, struct rxe_dev, ib_dev);
> @@ -649,9 +651,10 @@ void rxe_net_del(struct ib_device *dev)
>   	struct sock *sk;
>   	struct net *net;
>   
> +	mutex_lock(&rxe_net_del_mutex);
>   	ndev = rxe_ib_device_get_netdev(&rxe->ib_dev);
>   	if (!ndev)
> -		return;
> +		goto out;
>   
>   	net = dev_net(ndev);
>   
> @@ -664,6 +667,8 @@ void rxe_net_del(struct ib_device *dev)
>   		rxe_sock_put(sk, rxe_ns_pernet_set_sk6, net);
>   
>   	dev_put(ndev);
> +out:
> +	mutex_unlock(&rxe_net_del_mutex);
>   }
>   
>   static void rxe_port_event(struct rxe_dev *rxe,