Re: [PATCH] net/smc: bound the peer producer cursor on SMC-D and SMC-R CDC receive

Next message: Mike Rapoport: "Re: [PATCH v2] liveupdate: luo_session: include linux/mm.h for virt/phys translation"
Previous message: patchwork-bot+netdevbpf: "Re: [PATCH net] kcm: use WRITE_ONCE() when changing lower socket callbacks"
In reply to: Jakub Kicinski: "Re: [PATCH] net/smc: bound the peer producer cursor on SMC-D and SMC-R CDC receive"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Bryam Vargas

Date: Sun Jun 14 2026 - 04:33:35 EST

On Sat, 13 Jun 2026 17:31:11 -0700, Jakub Kicinski wrote:
> Is this clamp safe against a concurrent smc_rx_recvmsg() on another CPU?

Confirmed -- the tasklet read-then-set is racy: a recvmsg()/sendmsg() on
another CPU reads the inflated value in the window between the
atomic_add() and the clamp (recvmsg() runs under lock_sock(), which
leaves the slock free, so it is not serialized against the
bh_lock_sock() CDC tasklet). Reworked as a v3 series:

https://lore.kernel.org/netdev/20260614-b4-disp-edd64be9-v3-0-551fa514257e@xxxxxxxxx/

The bound now lives at the consumer (smc_rx_recvmsg() / smc_tx_sendmsg()),
where it is race-free; it also rejects a sign-overflowed (negative)
accumulator (per the sashiko-bot review on the sndbuf_space patch); and
the producer-cursor clamp is applied to the producer cursor only, so the
consumer cursor stays bounded by peer_rmbe_size, not rmb_desc->len. The
sndbuf_space fix is folded in as patch 3/3.

Thanks for the review.

Bryam