Re: [PATCH] fix: infiniband/rxe: check_rkey: fix refcount underflow due to unchecked rxe_get return value

From: yanjun.zhu

Date: Fri Jun 26 2026 - 21:43:22 EST


On 6/26/26 8:05 AM, WenTao Liang wrote:
rxe_get is a conditional get (kref_get_unless_zero) that returns 0 when
the object's refcount is already zero. In check_rkey, the return value of
rxe_get(mr) is ignored. If rxe_get fails (returns 0), the code continues
to use mr without a valid reference, and error paths will call
rxe_put(mr) on an unheld reference, causing a refcount underflow.

Check the return value of rxe_get and bail out with an error when it fails.

Cc: stable@xxxxxxxxxxxxxxx
Fixes: 290c4a902b79 ("RDMA/rxe: Fix \"Replace mr by rkey in responder resources\"")
Signed-off-by: WenTao Liang <vulab@xxxxxxxxxxx>
---
drivers/infiniband/sw/rxe/rxe_resp.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/infiniband/sw/rxe/rxe_resp.c b/drivers/infiniband/sw/rxe/rxe_resp.c
index 9cb2f6fbf2dd..0c3f3930b494 100644
--- a/drivers/infiniband/sw/rxe/rxe_resp.c
+++ b/drivers/infiniband/sw/rxe/rxe_resp.c
@@ -514,7 +514,12 @@ static enum resp_states check_rkey(struct rxe_qp *qp,
if (mw->access & IB_ZERO_BASED)
qp->resp.offset = mw->addr;
- rxe_get(mr);
+ if (!rxe_get(mr)) {

Can you reproduce this (rxe_get(mr) = 0)?

Thanks a lot.

Zhu Yanjun

+ rxe_put(mw);
+ mw = NULL;
+ state = get_rkey_violation_state(pkt);
+ goto err;
+ }
rxe_put(mw);
mw = NULL;
} else {
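Review bot: in the new `if (!rxe_get(mr))` branch, `mr` is still non-NULL when control reaches `goto err`, although no reference was taken on it. The commit message states that the error paths call rxe_put(mr), so unless the err label is known to skip that put, this branch leads to the same underflow the patch sets out to prevent. Suggest clearing the pointer before the jump, for example `mr = NULL;` alongside `mw = NULL;`. The changelog would also benefit from saying how mr's refcount can already be zero at this point, which is what the reproduction question above is asking.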