From: sashiko-bot@kernel.org
To: "Leon Romanovsky" <leon@kernel.org>
Cc: linux-hyperv@vger.kernel.org
Subject: Re: [PATCH rdma-next 1/2] RDMA/bnxt_re: Validate udata before destroying resources
Date: Mon, 13 Jul 2026 08:28:07 +0000 [thread overview]
Message-ID: <20260713082807.EB6D11F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260713-fix-destroy-no-udata-v1-1-fcca2e34fd57@nvidia.com>
Thank you for your contribution! Sashiko AI review found 5 potential issue(s) to consider:
Pre-existing issues:
- [Critical] Missing hash_del on error paths in CQ and SRQ creation leads to hash table corruption and use-after-free.
- [Critical] Lockless modifications and iterations over device-global hash tables (cq_hash and srq_hash) risk linked-list corruption.
- [High] Hardware Address Handle (AH) resource leak in bnxt_re_create_ah on udata response failure.
- [High] Hardware and driver state modification applied before udata validation in modify/resize callbacks.
- [High] Memory leak of rdma_user_mmap_entry in bnxt_re_alloc_ucontext if udata validation or response fails.
--
--- Patch [1]: [PATCH rdma-next 1/2] RDMA/bnxt_re: Validate udata before destroying resources ---
commit 1661d6c7bf0fdc123a46584fd78311e626482940
Author: Leon Romanovsky <leon@kernel.org>
RDMA/bnxt_re: Validate udata before destroying resources
This commit modifies the destroy callbacks to validate user data earlier
using ib_no_udata_io() before resources are torn down. This prevents
userspace access failures from leaving the driver and hardware in an
inconsistent state.
> diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
> index 5657625290076..ef9943be18861 100644
> --- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c
> +++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
[ ... ]
> @@ -3471,7 +3471,7 @@ int bnxt_re_destroy_cq(struct ib_cq *ib_cq, struct ib_udata *udata)
> nq = cq->qplib_cq.nq;
> cctx = rdev->chip_ctx;
>
> - ret = ib_is_udata_in_empty(udata);
> + ret = ib_no_udata_io(udata);
> if (ret)
> return ret;
[Severity: Critical]
This is a pre-existing issue, but does removing the CQ from the global hash
table here require locking?
In bnxt_re_destroy_cq(), just after this udata validation, the CQ is deleted
from rdev->cq_hash via hash_del() without any locks:
if (cctx->modes.toggle_bits & BNXT_QPLIB_CQ_TOGGLE_BIT)
hash_del(&cq->hash_entry);
However, concurrent additions occur in bnxt_re_create_user_cq() via
hash_add() and lockless iterations happen in bnxt_re_search_for_cq(). Can
this cause list corruption or use-after-free if multiple threads create,
destroy, or query CQs concurrently?
[Severity: Critical]
This isn't a bug introduced by this patch, but can this leak a dangling
pointer into the hash table on error?
In bnxt_re_create_user_cq(), if memory allocation for the page fails or
ib_respond_udata() fails, we jump to the error path and free the CQ without
removing it from the hash table:
bnxt_re_create_user_cq() {
...
if (cctx->modes.toggle_bits & BNXT_QPLIB_CQ_TOGGLE_BIT) {
hash_add(rdev->cq_hash, &cq->hash_entry, cq->qplib_cq.id);
/* Allocate a page */
cq->uctx_cq_page = (void *)get_zeroed_page(GFP_KERNEL);
if (!cq->uctx_cq_page) {
rc = -ENOMEM;
goto destroy_cq;
}
...
rc = ib_respond_udata(udata, resp);
if (rc)
goto free_mem;
...
free_mem:
free_page((unsigned long)cq->uctx_cq_page);
destroy_cq:
bnxt_qplib_destroy_cq(&rdev->qplib_res, &cq->qplib_cq);
free_umem:
ib_umem_release(cq->umem);
return rc;
}
Since hash_del() isn't called here, could subsequent lookups hit a
use-after-free? This same pattern also appears in bnxt_re_create_srq()
where srq_hash is modified.
[Severity: High]
This isn't a bug introduced by this patch, but since this patch fixes udata
validation in destroy callbacks, should similar fixes be applied to the
modify and resize callbacks?
In functions like bnxt_re_modify_srq(), bnxt_re_modify_qp(), and
bnxt_re_resize_cq(), the hardware and driver state is modified before the
final copy-to-user response:
drivers/infiniband/hw/bnxt_re/ib_verbs.c:bnxt_re_modify_qp() {
...
/* hardware QP state is modified here */
...
return ib_respond_empty_udata(udata);
}
If the udata response buffer is invalid, the function fails, but the hardware
and driver states are already updated. Can this desynchronize kernel state
from userspace state?
[Severity: High]
This is a pre-existing issue, but does this error path permanently leak the
hardware Address Handle?
If ib_respond_empty_udata() fails in bnxt_re_create_ah(), the function
returns the error directly without cleaning up the hardware AH or
decrementing ah_count:
drivers/infiniband/hw/bnxt_re/ib_verbs.c:bnxt_re_create_ah() {
...
return ib_respond_empty_udata(udata);
}
Can an unprivileged application repeatedly trigger this by passing an invalid
udata response buffer to exhaust hardware resources and kernel memory?
[Severity: High]
This is a pre-existing issue, but does the cfail error path leak the mmap
entry?
In bnxt_re_alloc_ucontext(), if validation or the udata response fails, we
jump to cfail:
drivers/infiniband/hw/bnxt_re/ib_verbs.c:bnxt_re_alloc_ucontext() {
...
rc = ib_respond_udata(udata, resp);
if (rc) {
rc = -EFAULT;
goto cfail;
}
...
cfail:
free_page((unsigned long)uctx->shpg);
uctx->shpg = NULL;
fail:
return rc;
}
This path skips calling rdma_user_mmap_entry_remove(uctx->shpage_mmap).
Does this permanently leak the kzalloc'd mmap entry, allowing memory
exhaustion if triggered repeatedly by userspace?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260713-fix-destroy-no-udata-v1-0-fcca2e34fd57@nvidia.com?part=1
next prev parent reply other threads:[~2026-07-13 8:28 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-13 8:10 [PATCH rdma-next 0/2] RDMA: Small batch of cleanups Leon Romanovsky
2026-07-13 8:10 ` [PATCH rdma-next 1/2] RDMA/bnxt_re: Validate udata before destroying resources Leon Romanovsky
2026-07-13 8:28 ` sashiko-bot [this message]
2026-07-13 14:21 ` Jacob Moroni
2026-07-13 14:56 ` Leon Romanovsky
2026-07-14 6:50 ` Selvin Xavier
2026-07-13 8:10 ` [PATCH rdma-next 2/2] RDMA: Remove redundant memset() from query_device callbacks Leon Romanovsky
2026-07-14 6:53 ` (subset) [PATCH rdma-next 0/2] RDMA: Small batch of cleanups Leon Romanovsky
2026-07-14 6:54 ` Leon Romanovsky
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260713082807.EB6D11F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=leon@kernel.org \
--cc=linux-hyperv@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.