From: Jordan Walters
To: linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] RDMA/rxe: Fix use-after-free of netdev in smc_ib_port_event_work
Date: Wed, 3 Jun 2026 06:09:19 -0400
Message-ID: <20260603100919.268055-1-jaggyaur@gmail.com>

rxe_net_del() drops its reference to the underlying net_device via
dev_put() but does not clear the netdev pointer from the ib_device.
This leaves a dangling pointer that the async smc_ib_port_event_work
worker can dereference after the net_device has been freed, causing a
use-after-free in __ethtool_get_link_ksettings().

An unprivileged user can trigger this via user namespaces by creating
a dummy interface, binding it to rdma_rxe, and immediately destroying
the namespace before the worker fires.

Clear the netdev pointer via ib_device_set_netdev() before releasing
the reference. Downstream callers such as ib_get_eth_speed() already
handle a NULL netdev safely.

Note: this is a distinct issue from the socket TOCTOU race fixed by
Zhu Yanjun in [1]. That patch addresses a race on the pernet socket
pointers (rxe_sk4/sk6) leading to a NULL deref in
kernel_sock_shutdown(). This patch fixes a dangling netdev pointer
leading to a UAF in __ethtool_get_link_ksettings via
smc_ib_port_event_work.

Link: https://lore.kernel.org/all/20260519023541.8594-1-yanjun.zhu@linux.dev/ [1]
Signed-off-by: Jordan Walters Reviewed-by: Zhu Yanjun --- drivers/infiniband/sw/rxe/rxe_net.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/infiniband/sw/rxe/rxe_net.c b/drivers/infiniband/sw/rx= e/rxe_net.c index 50a2cb5405e2..a8f91d6e3b17 100644 --- a/drivers/infiniband/sw/rxe/rxe_net.c +++ b/drivers/infiniband/sw/rxe/rxe_net.c @@ -663,6 +663,7 @@ void rxe_net_del(struct ib_device *dev) if (sk) rxe_sock_put(sk, rxe_ns_pernet_set_sk6, net); =20 + ib_device_set_netdev(dev, NULL, 1); dev_put(ndev); } =20 --=20 2.49.0
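Review bot: The added call `ib_device_set_netdev(dev, NULL, 1);` in rxe_net_del() discards its int return value and passes the port as a bare literal, and nothing in the code records that it must stay ahead of `dev_put(ndev);`. Since the whole fix depends on that ordering, a one-line comment above the call (the ib_device's netdev pointer is cleared before the reference is dropped so that no later lookup can return a freed net_device) would keep a future cleanup from reordering the two lines, and it is the natural place to say why port 1 is the right port and why a failure of the call can be ignored here. On the trailers: the message describes a use-after-free that an unprivileged user can reach through user namespaces, but there is no Fixes: tag naming the commit that introduced the dangling pointer and no Cc: stable, so backporters have nothing to key on. The subject also names smc_ib_port_event_work while the change is in rxe_net.c; it would help to state in the message how that worker obtains the netdev pointer, so a reader can confirm that clearing it in rxe_net_del() closes the window rather than narrowing it.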