From: Ratheesh Kannoth <rkannoth@marvell.com>
To: <linux-kernel@vger.kernel.org>, <linux-rdma@vger.kernel.org>,
<netdev@vger.kernel.org>, <oss-drivers@corigine.com>
Cc: <akiyano@amazon.com>, <andrew+netdev@lunn.ch>,
<anthony.l.nguyen@intel.com>, <arkadiusz.kubalewski@intel.com>,
<brett.creeley@amd.com>, <darinzon@amazon.com>,
<davem@davemloft.net>, <donald.hunter@gmail.com>,
<edumazet@google.com>, <horms@kernel.org>, <idosch@nvidia.com>,
<ivecera@redhat.com>, <jiri@resnulli.us>, <kuba@kernel.org>,
<leon@kernel.org>, <mbloch@nvidia.com>,
<michael.chan@broadcom.com>, <pabeni@redhat.com>,
<pavan.chebbi@broadcom.com>, <petrm@nvidia.com>,
<Prathosh.Satish@microchip.com>, <przemyslaw.kitszel@intel.com>,
<saeedm@nvidia.com>, <sgoutham@marvell.com>, <tariqt@nvidia.com>,
<vadim.fedorenko@linux.dev>
Subject: Re: [PATCH v13 net-next 4/9] devlink: Implement devlink param multi attribute nested data values
Date: Thu, 14 May 2026 09:28:13 +0530
Message-ID: <agVIVZFmVAltTiJI@rkannoth-OptiPlex-7090>
In-Reply-To: <20260511033923.1301976-5-rkannoth@marvell.com>

On 2026-05-11 at 09:09:18, Ratheesh Kannoth (rkannoth@marvell.com) wrote:
> From: Saeed Mahameed <saeedm@nvidia.com>
>
> Devlink param value attribute is not defined since devlink is handling
> the value validating and parsing internally; this allows us to implement
> multi attribute values without breaking any policies.
>
>> diff --git a/net/devlink/param.c b/net/devlink/param.c
>> index 1a196d3a843db..4cc479bd019fd 100644
>> --- a/net/devlink/param.c
>> +++ b/net/devlink/param.c
>> @@ -252,6 +252,11 @@ devlink_nl_param_value_put(struct sk_buff *msg, enum devlink_param_type type,
>> return -EMSGSIZE;
>> }
>> break;
>> + case DEVLINK_PARAM_TYPE_U64_ARRAY:
>> + for (int i = 0; i < val->u64arr.size; i++)
>Can this loop read out of bounds of val->u64arr.val[]?
>There is no bounds check against __DEVLINK_PARAM_MAX_ARRAY_SIZE. If
>val->u64arr.size contains garbage or a maliciously large value, this will read
>past the end of the u64arr.val array.
>Could this leak adjacent kernel memory to userspace via nla_put_uint()?
>> + if (nla_put_uint(msg, nla_type, val->u64arr.val[i]))
>> + return -EMSGSIZE;
>> + break;
>> }
>> return 0;
>> }
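Review bot: the loop condition `i < val->u64arr.size` in the new DEVLINK_PARAM_TYPE_U64_ARRAY case trusts the size field without comparing it to the capacity of `val->u64arr.val[]`, so a stale or oversized size makes `nla_put_uint()` copy whatever follows the array into the netlink reply. Reject the value before the loop when the size exceeds the array's capacity (the quoted review names `__DEVLINK_PARAM_MAX_ARRAY_SIZE` as that bound) and return an error instead of emitting attributes; checking here covers every driver get callback in one place. If `size` is an unsigned field, declare `i` with the same type so the comparison is not signed against unsigned.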
pw-bot: changes-requested
ACK.
>[ ... ]
>> + param_value = kcalloc(DEVLINK_PARAM_CMODE_MAX + 1,
>> + sizeof(*param_value), GFP_KERNEL);
>> + if (!param_value) {
>> + kfree(default_value);
>> + return -ENOMEM;
>> + }
>> +
>> + ctx = kmalloc_obj(*ctx);
>Does this allocation need to be zero-initialized?
>Since kmalloc_obj() does not zero the memory, if a driver's get callback
>successfully returns but fails to initialize ctx->val.u64arr.size, the struct
>will contain uninitialized kernel heap garbage.
>This data is then copied into the param_value array and eventually read by
>devlink_nl_param_value_put(), potentially causing the out-of-bounds read
>mentioned above.
>> + if (!ctx) {
>> + kfree(param_value);
>> + kfree(default_value);
>> + return -ENOMEM;
>> + }
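Review bot: `ctx = kmalloc_obj(*ctx);` leaves the context uninitialized while the `param_value` array just above it comes from the zeroing `kcalloc()`, so any field a get callback does not write, `ctx->val.u64arr.size` included, carries old heap contents into the values that are later serialized. Use a zeroing allocation for `ctx` so an unset size reads as 0 and the U64 array loop emits nothing. The error paths here also repeat the `kfree()` calls by hand; a single unwind label would keep them in step as further allocations are added.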
There is no issue with this uninitialized kernel heap garbage.