From: Michal Schmidt <mschmidt@redhat.com>
To: Krzysztof Czurylo <krzysztof.czurylo@intel.com>,
Tatyana Nikolova <tatyana.e.nikolova@intel.com>,
Jason Gunthorpe <jgg@ziepe.ca>, Leon Romanovsky <leon@kernel.org>,
Shiraz Saleem <shiraz.saleem@intel.com>,
Mustafa Ismail <mustafa.ismail@intel.com>
Cc: linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] RDMA/irdma: avoid invalid read in irdma_net_event
Date: Thu, 27 Nov 2025 15:31:50 +0100 [thread overview]
Message-ID: <20251127143150.121099-1-mschmidt@redhat.com> (raw)
irdma_net_event() should not dereference anything from "neigh" (alias
"ptr") until it has checked that the event is NETEVENT_NEIGH_UPDATE.
Other events come with different structures pointed to by "ptr" and they
may be smaller than struct neighbour.
Move the read of neigh->dev under the NETEVENT_NEIGH_UPDATE case.
The bug is mostly harmless, but it triggers KASAN on debug kernels:
==================================================================
BUG: KASAN: stack-out-of-bounds in irdma_net_event+0x32e/0x3b0 [irdma]
Read of size 8 at addr ffffc900075e07f0 by task kworker/27:2/542554
CPU: 27 PID: 542554 Comm: kworker/27:2 Kdump: loaded Not tainted 5.14.0-630.el9.x86_64+debug #1
Hardware name: [...]
Workqueue: events rt6_probe_deferred
Call Trace:
<IRQ>
dump_stack_lvl+0x60/0xb0
print_address_description.constprop.0+0x2c/0x3f0
print_report+0xb4/0x270
kasan_report+0x92/0xc0
irdma_net_event+0x32e/0x3b0 [irdma]
notifier_call_chain+0x9e/0x180
atomic_notifier_call_chain+0x5c/0x110
rt6_do_redirect+0xb91/0x1080
tcp_v6_err+0xe9b/0x13e0
icmpv6_notify+0x2b2/0x630
ndisc_redirect_rcv+0x328/0x530
icmpv6_rcv+0xc16/0x1360
ip6_protocol_deliver_rcu+0xb84/0x12e0
ip6_input_finish+0x117/0x240
ip6_input+0xc4/0x370
ipv6_rcv+0x420/0x7d0
__netif_receive_skb_one_core+0x118/0x1b0
process_backlog+0xd1/0x5d0
__napi_poll.constprop.0+0xa3/0x440
net_rx_action+0x78a/0xba0
handle_softirqs+0x2d4/0x9c0
do_softirq+0xad/0xe0
</IRQ>
<TASK>
__local_bh_enable_ip+0xfd/0x120
ip6_finish_output2+0x55d/0x10b0
ip6_finish_output+0x549/0x12e0
ndisc_send_skb+0x92d/0x17e0
ndisc_send_ns+0x9a/0x100
rt6_probe_deferred+0xe1/0x1c0
process_one_work+0x89c/0x1ab0
worker_thread+0x588/0xd30
kthread+0x2d3/0x370
ret_from_fork+0x2b/0x50
</TASK>
The buggy address belongs to the virtual mapping at
[ffffc900075d9000, ffffc900075e2000) created by:
irq_init_percpu_irqstack+0x1f4/0x310
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x180d209
flags: 0x57ffffc0004000(reserved|node=1|zone=2|lastcpupid=0x1fffff)
page_type: 0xffffffff()
raw: 0057ffffc0004000 ffffea0060348248 ffffea0060348248 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffffc900075e0680: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
ffffc900075e0700: 04 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc900075e0780: 00 00 00 f1 f1 f1 f1 f1 f1 01 f2 02 f3 f3 f3 00
^
ffffc900075e0800: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
ffffc900075e0880: f1 f1 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
Fixes: 915cc7ac0f8e ("RDMA/irdma: Add miscellaneous utility definitions")
Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
---
drivers/infiniband/hw/irdma/utils.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/infiniband/hw/irdma/utils.c b/drivers/infiniband/hw/irdma/utils.c
index 8b94d87b0192..b6c4ccf38eb7 100644
--- a/drivers/infiniband/hw/irdma/utils.c
+++ b/drivers/infiniband/hw/irdma/utils.c
@@ -250,17 +250,18 @@ int irdma_inet6addr_event(struct notifier_block *notifier, unsigned long event,
int irdma_net_event(struct notifier_block *notifier, unsigned long event,
void *ptr)
{
struct neighbour *neigh = ptr;
- struct net_device *real_dev, *netdev = (struct net_device *)neigh->dev;
+ struct net_device *real_dev, *netdev;
struct irdma_device *iwdev;
struct ib_device *ibdev;
__be32 *p;
u32 local_ipaddr[4] = {};
bool ipv4 = true;
switch (event) {
case NETEVENT_NEIGH_UPDATE:
+ netdev = neigh->dev;
real_dev = rdma_vlan_dev_real_dev(netdev);
if (!real_dev)
real_dev = netdev;
ibdev = ib_device_get_by_netdev(real_dev, RDMA_DRIVER_IRDMA);
--
2.51.1
next reply other threads:[~2025-11-27 14:32 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-27 14:31 Michal Schmidt [this message]
2025-12-17 18:03 ` [PATCH] RDMA/irdma: avoid invalid read in irdma_net_event Jason Gunthorpe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251127143150.121099-1-mschmidt@redhat.com \
--to=mschmidt@redhat.com \
--cc=jgg@ziepe.ca \
--cc=krzysztof.czurylo@intel.com \
--cc=leon@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-rdma@vger.kernel.org \
--cc=mustafa.ismail@intel.com \
--cc=shiraz.saleem@intel.com \
--cc=tatyana.e.nikolova@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.