Re: [PATCH net v4] rds: filter RDS_INFO_* getsockopt by caller's netns
From: Maoyi Xie
Date: Mon May 18 2026 - 13:37:32 EST
Hi Simon,

Confirmed. net/rds/bind.c writes rs_bound_addr at lines 123,
138, and 160 without taking rds_sock_lock. The race is real,
and the len=0 path you described reaches the NULL iter->pages.

v5 caps the second pass at cnt in all four handlers
(rds_sock_info, rds6_sock_info, rds_tcp_tc_info,
rds6_tcp_tc_info):

	unsigned int copied = 0;

	list_for_each_entry(rs, &rds_sock_list, rs_item) {
		if (copied >= cnt)
			break;
		if (!net_eq(sock_net(rds_rs_to_sk(rs)), net))
			continue;
		if (!ipv6_addr_v4mapped(&rs->rs_bound_addr))
			continue;
		...
		rds_info_copy(iter, &sinfo, sizeof(sinfo));
		copied++;
	}

Sent as v5 in a separate mail.

Thanks,
Maoyi Xie
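
The count-then-copy pattern discussed in this message, as an added userspace model that is not part of the original mail or the kernel source: it shows why the second pass needs the cnt bound when an entry starts matching the filter between the two passes. All names (sock_model, count_visible, copy_visible, run) and the sample data are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Userspace model, not kernel code: every name here is hypothetical. */
struct sock_model { int netns; int v4mapped; unsigned int bound_addr; };

/* Pass 1: count entries visible to the caller's namespace. */
static unsigned int count_visible(const struct sock_model *s, size_t n, int netns)
{
	unsigned int cnt = 0;
	for (size_t i = 0; i < n; i++)
		if (s[i].netns == netns && s[i].v4mapped)
			cnt++;
	return cnt;
}

/* Pass 2: same filter. With cap != 0 the walk stops once cnt records are
 * emitted. With cap == 0 the bound is off and the return value is how many
 * records the walk wanted to emit (this model never writes past cnt). */
static unsigned int copy_visible(const struct sock_model *s, size_t n, int netns,
				 unsigned int *out, unsigned int cnt, int cap)
{
	unsigned int copied = 0;
	for (size_t i = 0; i < n; i++) {
		if (cap && copied >= cnt)
			break;
		if (s[i].netns != netns || !s[i].v4mapped)
			continue;
		if (copied < cnt)
			out[copied] = s[i].bound_addr;
		copied++;
	}
	return copied;
}

/* Constructed scenario: entry 2 starts matching between the two passes,
 * standing in for an address update made without the list lock. */
static unsigned int run(int cap)
{
	struct sock_model s[] = { {1, 1, 10}, {2, 1, 20}, {1, 0, 30}, {1, 1, 40} };
	unsigned int out[4] = {0};
	unsigned int cnt = count_visible(s, 4, 1);   /* two entries match */
	s[2].v4mapped = 1;                           /* concurrent change */
	return copy_visible(s, 4, 1, out, cnt, cap);
}

int main(void)
{
	printf("uncapped wants %u records, capped emits %u\n", run(0), run(1));
	return 0;
}
```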