On Fri, 19 Sep 2025 02:52:12 +0000, Gui-Dong Han wrote:
When do_task() exhausts its iteration budget (!ret), it sets the state to TASK_STATE_IDLE to reschedule, without a secondary check on the current task->state. This can overwrite the TASK_STATE_DRAINING state set by a concurrent call to rxe_cleanup_task() or rxe_disable_task().
While state changes are protected by a spinlock, both rxe_cleanup_task() and rxe_disable_task() release the lock while waiting for the task to finish draining in the while(!is_done(task)) loop. The race occurs if do_task() hits its iteration limit and acquires the lock in this window. The cleanup logic may then proceed while the task incorrectly reschedules itself, leading to a potential use-after-free.
[...]
Applied, thanks!
[1/1] RDMA/rxe: Fix race in do_task() when draining https://git.kernel.org/rdma/rdma/c/8ca7eada62fcfa
Best regards,
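The interleaving the quoted report describes, replayed as an added example (this is a constructed model written for this page, not the rxe driver's code and not the contents of the applied patch). The state names TASK_STATE_IDLE, TASK_STATE_BUSY and TASK_STATE_DRAINING come from the mail; the extra TASK_STATE_DRAINED value, the is_done() definition, the `rearmed` counter and the single-threaded replay of the lock window are assumptions made so the example runs offline. It shows why the budget-exhausted branch of do_task() must re-check the state under the lock before going back to IDLE.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Constructed model of the task state machine discussed in the mail.
 * TASK_STATE_IDLE / TASK_STATE_BUSY / TASK_STATE_DRAINING are the names the
 * report uses; TASK_STATE_DRAINED and is_done() below are assumptions made
 * for this example, not the driver's real definitions.
 */
enum task_state {
	TASK_STATE_IDLE,
	TASK_STATE_BUSY,
	TASK_STATE_DRAINING,
	TASK_STATE_DRAINED,
};

struct task {
	enum task_state state;
	int rearmed;	/* times do_task() scheduled itself to run again */
};

/* Assumed: cleanup waits until the task is neither running nor draining. */
static bool is_done(const struct task *t)
{
	return t->state != TASK_STATE_BUSY && t->state != TASK_STATE_DRAINING;
}

/*
 * Buggy shape of the "iteration budget exhausted" branch: with the lock held
 * it unconditionally returns to IDLE and reschedules, so a DRAINING state set
 * meanwhile by rxe_cleanup_task()/rxe_disable_task() is silently overwritten.
 */
static void budget_exhausted_buggy(struct task *t)
{
	t->state = TASK_STATE_IDLE;
	t->rearmed++;
}

/* Fixed shape: honour a pending drain request instead of overwriting it. */
static void budget_exhausted_fixed(struct task *t)
{
	if (t->state == TASK_STATE_DRAINING) {
		/* cleanup is waiting in while (!is_done(task)); let it proceed */
		t->state = TASK_STATE_DRAINED;
		return;
	}
	t->state = TASK_STATE_IDLE;
	t->rearmed++;
}

/*
 * Single-threaded replay of the interleaving from the report. Comments mark
 * who holds the (modelled) spinlock. Returns true for the bad outcome: cleanup
 * sees is_done() and proceeds while the task has rescheduled itself, which is
 * the window in which the task can later run against freed memory.
 */
static bool replay(void (*budget_exhausted)(struct task *), struct task *out)
{
	struct task t = { .state = TASK_STATE_BUSY, .rearmed = 0 };

	/* cleanup thread, lock held: request a drain, then drop the lock to wait */
	t.state = TASK_STATE_DRAINING;
	/* cleanup thread, lock dropped: spinning in while (!is_done(&t)) */

	/* worker thread, lock re-acquired after hitting its iteration limit */
	budget_exhausted(&t);

	/* cleanup thread re-checks the state */
	bool cleanup_proceeds = is_done(&t);
	if (out)
		*out = t;
	return cleanup_proceeds && t.rearmed > 0;
}

int main(void)
{
	struct task t;
	bool race;

	race = replay(budget_exhausted_buggy, &t);
	printf("buggy: race=%d state=%d rearmed=%d\n", race, t.state, t.rearmed);
	race = replay(budget_exhausted_fixed, &t);
	printf("fixed: race=%d state=%d rearmed=%d\n", race, t.state, t.rearmed);
	return 0;
}
```

The point the model isolates is that dropping the lock inside the drain loop turns "set state, then wait" into a two-step protocol: any other path that writes the state under the lock afterwards must treat DRAINING as a request it is not allowed to discard.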