From: Maoyi Xie
To: achender@kernel.org, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com
Cc: horms@kernel.org, netdev@vger.kernel.org, linux-rdma@vger.kernel.org, rds-devel@oss.oracle.com, linux-kernel@vger.kernel.org, Maoyi Xie
Subject: [PATCH net] rds_tcp: close NULL deref window in rds_tcp_set_callbacks
Date: Tue, 12 May 2026 22:28:07 +0800
Message-Id: <20260512142807.1855619-1-maoyi.xie@ntu.edu.sg>

rds_tcp_set_callbacks() links a new rds_tcp_connection onto rds_tcp_tc_list
under rds_tcp_tc_list_lock. It releases the lock, then assigns
tc->t_sock = sock outside the lock.

rds_tcp_tc_info() and rds6_tcp_tc_info() walk rds_tcp_tc_list under the same
lock. Both dereference tc->t_sock->sk without a NULL check.

A reader can acquire rds_tcp_tc_list_lock between the writer's spin_unlock
and the t_sock store. It then sees a list entry whose t_sock is NULL. The
dereference of tc->t_sock->sk is a NULL access.

Move tc->t_sock = sock inside rds_tcp_tc_list_lock, before list_add_tail.
A reader holding the lock then observes the linkage and the t_sock store
together.

The restore path is safe. rds_tcp_restore_callbacks() does list_del_init
inside the lock. The matching tc->t_sock = NULL after unlink is harmless to
readers holding the lock.

Fixes: 70041088e3b9 ("RDS: Add TCP transport to RDS")
Suggested-by: Simon Horman
Signed-off-by: Maoyi Xie Reviewed-by: Allison Henderson --- net/rds/tcp.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/net/rds/tcp.c b/net/rds/tcp.c index 654e23d13..5830b31a1 100644 --- a/net/rds/tcp.c +++ b/net/rds/tcp.c @@ -198,8 +198,13 @@ void rds_tcp_set_callbacks(struct socket *sock, struct= rds_conn_path *cp) rdsdebug("setting sock %p callbacks to tc %p\n", sock, tc); write_lock_bh(&sock->sk->sk_callback_lock); =20 - /* done under the callback_lock to serialize with write_space */ + /* done under the callback_lock to serialize with write_space. + * Set t_sock inside rds_tcp_tc_list_lock so readers walking + * rds_tcp_tc_list under the same lock cannot observe an + * entry whose t_sock is NULL. + */ spin_lock(&rds_tcp_tc_list_lock); + tc->t_sock =3D sock; list_add_tail(&tc->t_list_item, &rds_tcp_tc_list); #if IS_ENABLED(CONFIG_IPV6) rds6_tcp_tc_count++; @@ -211,8 +216,6 @@ void rds_tcp_set_callbacks(struct socket *sock, struct = rds_conn_path *cp) /* accepted sockets need our listen data ready undone */ if (sock->sk->sk_data_ready =3D=3D rds_tcp_listen_data_ready) sock->sk->sk_data_ready =3D sock->sk->sk_user_data; - - tc->t_sock =3D sock; if (!tc->t_rtn) tc->t_rtn =3D net_generic(sock_net(sock->sk), rds_tcp_netid); tc->t_cpath =3D cp; base-commit: b266bacba796ff5c4dcd2ae2fc08aacf7ab39153 --=20 2.34.1
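Review bot: in the first hunk (@@ -198,8 +198,13 @@) the invariant that `tc->t_sock = sock;` must precede `list_add_tail(&tc->t_list_item, &rds_tcp_tc_list);` is now documented only at this one insertion site, while the readers the commit message names, rds_tcp_tc_info() and rds6_tcp_tc_info(), still dereference tc->t_sock->sk unconditionally. Consider a one-line comment at the rds_tcp_tc_list declaration or at the readers stating that every entry on the list has a non-NULL t_sock by construction, so a future insertion path does not reintroduce the window. Minor wording point on the new comment: its first sentence still reads as justifying only the spin_lock placement under the callback_lock; making it clear that the sentence about t_sock applies to the store on the next line would help.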
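Review bot: the second hunk (@@ -211,8 +216,6 @@) is a pure relocation of the store, and the visible lines between the new and the old site (the IPv6 counter update and the sk_data_ready fixup) use `sock` and `sock->sk` directly rather than `tc->t_sock`, so nothing there depended on t_sock still being NULL; a sentence to that effect in the commit message would save reviewers that check. Style: removing both the blank line and the assignment leaves `sock->sk->sk_data_ready = sock->sk->sk_user_data;` immediately followed by `if (!tc->t_rtn)`; keeping one blank line between the two blocks preserves the original spacing.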
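As an added illustration of the ordering argument in the commit message (this is example code written for this page, not part of the patch or of the kernel source), the following C model replays the writer's steps in the order each version of the code performs them and asks, after every step, whether a reader such as rds_tcp_tc_info() that takes rds_tcp_tc_list_lock at that moment would dereference a NULL t_sock. The structs, the step names and the reader are constructed stand-ins for the kernel objects, not kernel types or functions; the three step sequences follow the before and after orderings shown in the hunks and the restore path as the commit message describes it.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel objects: only the fields the race
 * touches. "linked" stands for membership of rds_tcp_tc_list. */
struct sock_model { int id; };
struct tc_model {
	struct sock_model *t_sock;
	bool linked;
};
struct state {
	struct tc_model tc;
	bool list_lock_held;	/* models rds_tcp_tc_list_lock */
};

/* Writer steps, in the order a given version of the code performs them. */
enum step { LOCK, UNLOCK, STORE_SOCK, CLEAR_SOCK, LINK, UNLINK };

/* rds_tcp_set_callbacks() before the patch: link under the lock, store
 * t_sock only after spin_unlock. */
static const enum step set_callbacks_before[] = { LOCK, LINK, UNLOCK, STORE_SOCK };
/* rds_tcp_set_callbacks() after the patch: store, then link, both under
 * the lock. */
static const enum step set_callbacks_after[] = { LOCK, STORE_SOCK, LINK, UNLOCK };
/* rds_tcp_restore_callbacks() as the commit message describes it:
 * list_del_init under the lock, t_sock = NULL after it. The entry starts
 * out linked with a valid t_sock, so the model seeds that state. */
static const enum step restore_callbacks[] = { LOCK, UNLINK, UNLOCK, CLEAR_SOCK };

static void apply(struct state *s, enum step st, struct sock_model *sock)
{
	switch (st) {
	case LOCK:       s->list_lock_held = true;  break;
	case UNLOCK:     s->list_lock_held = false; break;
	case STORE_SOCK: s->tc.t_sock = sock;       break;
	case CLEAR_SOCK: s->tc.t_sock = NULL;       break;
	case LINK:       s->tc.linked = true;       break;
	case UNLINK:     s->tc.linked = false;      break;
	}
}

/* A reader modelled on rds_tcp_tc_info(): it waits for the list lock, then
 * dereferences tc->t_sock->sk for every linked entry without a NULL check.
 * It can only interleave at points where the writer does not hold the lock. */
static bool reader_would_deref_null(const struct state *s)
{
	if (s->list_lock_held)
		return false;
	return s->tc.linked && s->tc.t_sock == NULL;
}

/* Drive the writer one step at a time and test the reader after each step.
 * Returns the index of the first step after which a reader would hit a
 * NULL t_sock, or -1 if no such point exists. */
static int first_unsafe_step(const enum step *order, size_t n, bool start_linked)
{
	struct sock_model sock = { .id = 1 };
	struct state s = {
		.tc = { .t_sock = start_linked ? &sock : NULL, .linked = start_linked },
		.list_lock_held = false,
	};
	for (size_t i = 0; i < n; i++) {
		apply(&s, order[i], &sock);
		if (reader_would_deref_null(&s))
			return (int)i;
	}
	return -1;
}

#define N(a) (sizeof(a) / sizeof((a)[0]))

int main(void)
{
	printf("set_callbacks before patch: first unsafe step = %d\n",
	       first_unsafe_step(set_callbacks_before, N(set_callbacks_before), false));
	printf("set_callbacks after patch:  first unsafe step = %d\n",
	       first_unsafe_step(set_callbacks_after, N(set_callbacks_after), false));
	printf("restore_callbacks:          first unsafe step = %d\n",
	       first_unsafe_step(restore_callbacks, N(restore_callbacks), true));
	return 0;
}
```

The pre-patch sequence reports step 2 (the UNLOCK) as the first point where a reader finds a linked entry with a NULL t_sock; the post-patch sequence and the restore path report none, which is the property the commit message claims. Any future change to the insertion order can be checked the same way by editing the step array.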