Re: [PATCH RDMA v2] RDMA/rxe: add mutual exclusion in rxe_net_del()

[Kuniyuki Iwashima]

On Sat, May 16, 2026 at 4:40 PM Yanjun.Zhu <yanjun.zhu@xxxxxxxxx> wrote:
>
>
> On 5/16/26 7:00 AM, Edward Adam Davis wrote:
> > We must serialize calls to rxe_net_del() or risk a crash as syzbot
> > reported:
> >
> > KASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027]
> > Call Trace:
> >   udp_tunnel_sock_release+0x6d/0x80 net/ipv4/udp_tunnel_core.c:197
> >   rxe_release_udp_tunnel drivers/infiniband/sw/rxe/rxe_net.c:294 [inline]
> >   rxe_sock_put drivers/infiniband/sw/rxe/rxe_net.c:639 [inline]
> >   rxe_net_del+0xfb/0x290 drivers/infiniband/sw/rxe/rxe_net.c:660
> >   rxe_dellink+0x15/0x20 drivers/infiniband/sw/rxe/rxe.c:254
> >
> > Jason Gunthorpe suggest placing the lock within rxe to protect its racy
> > implementation of rxe_net_del(), which looks like it is possibly also
> > triggered by NETDEV_UNREGISTER.
> >
> > The patch addressing this issue in nldev_dellink() has already been
> > applied(0b28000b64f4); however, since the fix has now been relocated
> > to rxe, the corresponding remedial code in nldev has been removed.
> >
> > Fixes: f1327abd6abe ("RDMA/rxe: Support RDMA link creation and destruction per net namespace")
> > Fixes: 0b28000b64f4 ("RDMA/nldev: Add mutual exclusion in nldev_dellink()")
> > Reported-by: syzbot+d8f76778263ab65c2b21@xxxxxxxxxxxxxxxxxxxxxxxxx
> > Closes: https://syzkaller.appspot.com/bug?extid=d8f76778263ab65c2b21
> > Signed-off-by: Edward Adam Davis <eadavis@xxxxxx>
> > ---
> > v1 -> v2: serialize calls to rxe net del
> >
> >   drivers/infiniband/core/nldev.c     | 4 ----
> >   drivers/infiniband/sw/rxe/rxe_net.c | 7 ++++++-
> >   2 files changed, 6 insertions(+), 5 deletions(-)
> >
> > diff --git a/drivers/infiniband/core/nldev.c b/drivers/infiniband/core/nldev.c
> > index 3cb3cb7629fe..96c745d5bac4 100644
> > --- a/drivers/infiniband/core/nldev.c
> > +++ b/drivers/infiniband/core/nldev.c
> > @@ -1816,8 +1816,6 @@ static int nldev_newlink(struct sk_buff *skb, struct nlmsghdr *nlh,
> >       return err;
> >   }
> >
> > -static DEFINE_MUTEX(nldev_dellink_mutex);
> > -
> >   static int nldev_dellink(struct sk_buff *skb, struct nlmsghdr *nlh,
> >                         struct netlink_ext_ack *extack)
> >   {
> > @@ -1848,9 +1846,7 @@ static int nldev_dellink(struct sk_buff *skb, struct nlmsghdr *nlh,
> >        * implicitly scoped to the driver supporting dynamic link deletion like RXE.
> >        */
> >       if (device->link_ops && device->link_ops->dellink) {
> > -             mutex_lock(&nldev_dellink_mutex);
> >               err = device->link_ops->dellink(device);
> > -             mutex_unlock(&nldev_dellink_mutex);
> >               if (err)
> >                       return err;
> >       }
> > diff --git a/drivers/infiniband/sw/rxe/rxe_net.c b/drivers/infiniband/sw/rxe/rxe_net.c
> > index 50a2cb5405e2..92847e955ca2 100644
> > --- a/drivers/infiniband/sw/rxe/rxe_net.c
> > +++ b/drivers/infiniband/sw/rxe/rxe_net.c
> > @@ -642,6 +642,8 @@ static void rxe_sock_put(struct sock *sk,
> >       }
> >   }
> >
> I read this commit carefully. There are two paths that can invoke
> rxe_net_del().
>
> One is through the rdma link del xxx command, while the other is through
> the netdevice notification chain.
>
> In the netdevice notification chain path, rtnl_lock is already held, and
> rxe_net_del() is called under that lock.
>
> However, in the rdma link del xxx path, no rtnl_lock is taken.
>
> Because of this, I would like to use the existing rtnl_lock to serialize
> calls to rxe_net_del().

-1 for this.

It's a global mutex and heavily contended because many
components use it without much care.  We are working
to reduce the RTNL pressure for years by converting such
users with a dedicated lock or per-netns RTNL mutex.

RTNL is not needed here at all, so please use a dedicated lock.


>
> My proposed commit is shown below. I am not sure whether it fully
> resolves the problem.
>
> diff --git a/drivers/infiniband/sw/rxe/rxe.c
> b/drivers/infiniband/sw/rxe/rxe.c
> index b0714f9abe3d..84266dc416c4 100644
> --- a/drivers/infiniband/sw/rxe/rxe.c
> +++ b/drivers/infiniband/sw/rxe/rxe.c
> @@ -251,7 +251,9 @@ static int rxe_newlink(const char *ibdev_name,
> struct net_device *ndev)
>
>   static int rxe_dellink(struct ib_device *dev)
>   {
> +       rtnl_lock();
>          rxe_net_del(dev);
> +       rtnl_unlock();
>
>          return 0;
>   }
> diff --git a/drivers/infiniband/sw/rxe/rxe_net.c
> b/drivers/infiniband/sw/rxe/rxe_net.c
> index 50a2cb5405e2..ac53ea73996d 100644
> --- a/drivers/infiniband/sw/rxe/rxe_net.c
> +++ b/drivers/infiniband/sw/rxe/rxe_net.c
> @@ -649,6 +649,8 @@ void rxe_net_del(struct ib_device *dev)
>          struct sock *sk;
>          struct net *net;
>
> +       ASSERT_RTNL();
> +
>          ndev = rxe_ib_device_get_netdev(&rxe->ib_dev);
>          if (!ndev)
>                  return;
>
> Zhu Yanjun
>
> > +static DEFINE_MUTEX(rxe_net_del_mutex);
> > +
> >   void rxe_net_del(struct ib_device *dev)
> >   {
> >       struct rxe_dev *rxe = container_of(dev, struct rxe_dev, ib_dev);
> > @@ -649,9 +651,10 @@ void rxe_net_del(struct ib_device *dev)
> >       struct sock *sk;
> >       struct net *net;
> >
> > +     mutex_lock(&rxe_net_del_mutex);
> >       ndev = rxe_ib_device_get_netdev(&rxe->ib_dev);
> >       if (!ndev)
> > -             return;
> > +             goto out;
> >
> >       net = dev_net(ndev);
> >
> > @@ -664,6 +667,8 @@ void rxe_net_del(struct ib_device *dev)
> >               rxe_sock_put(sk, rxe_ns_pernet_set_sk6, net);
> >
> >       dev_put(ndev);
> > +out:
> > +     mutex_unlock(&rxe_net_del_mutex);
> >   }
> >
> >   static void rxe_port_event(struct rxe_dev *rxe,