Linux-HyperV List
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Leon Romanovsky" <leon@kernel.org>
Cc: linux-hyperv@vger.kernel.org
Subject: Re: [PATCH rdma-next 1/2] RDMA/bnxt_re: Validate udata before destroying resources
Date: Mon, 13 Jul 2026 08:28:07 +0000	[thread overview]
Message-ID: <20260713082807.EB6D11F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260713-fix-destroy-no-udata-v1-1-fcca2e34fd57@nvidia.com>

Thank you for your contribution! Sashiko AI review found 5 potential issue(s) to consider:

Pre-existing issues:
- [Critical] Missing hash_del on error paths in CQ and SRQ creation leads to hash table corruption and use-after-free.
- [Critical] Lockless modifications and iterations over device-global hash tables (cq_hash and srq_hash) risk linked-list corruption.
- [High] Hardware Address Handle (AH) resource leak in bnxt_re_create_ah on udata response failure.
- [High] Hardware and driver state modification applied before udata validation in modify/resize callbacks.
- [High] Memory leak of rdma_user_mmap_entry in bnxt_re_alloc_ucontext if udata validation or response fails.
--

--- Patch [1]: [PATCH rdma-next 1/2] RDMA/bnxt_re: Validate udata before destroying resources ---
commit 1661d6c7bf0fdc123a46584fd78311e626482940
Author: Leon Romanovsky <leon@kernel.org>

RDMA/bnxt_re: Validate udata before destroying resources

This commit modifies the destroy callbacks to validate user data earlier
using ib_no_udata_io() before resources are torn down. This prevents
userspace access failures from leaving the driver and hardware in an
inconsistent state.

> diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
> index 5657625290076..ef9943be18861 100644
> --- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c
> +++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c

[ ... ]

> @@ -3471,7 +3471,7 @@ int bnxt_re_destroy_cq(struct ib_cq *ib_cq, struct ib_udata *udata)
>  	nq = cq->qplib_cq.nq;
>  	cctx = rdev->chip_ctx;
>  
> -	ret = ib_is_udata_in_empty(udata);
> +	ret = ib_no_udata_io(udata);
>  	if (ret)
>  		return ret;

[Severity: Critical]
This is a pre-existing issue, but does removing the CQ from the global hash
table here require locking?

In bnxt_re_destroy_cq(), just after this udata validation, the CQ is deleted
from rdev->cq_hash via hash_del() without any locks:

    if (cctx->modes.toggle_bits & BNXT_QPLIB_CQ_TOGGLE_BIT)
        hash_del(&cq->hash_entry);

However, concurrent additions occur in bnxt_re_create_user_cq() via
hash_add() and lockless iterations happen in bnxt_re_search_for_cq(). Can
this cause list corruption or use-after-free if multiple threads create,
destroy, or query CQs concurrently?

[Severity: Critical]
This isn't a bug introduced by this patch, but can this leak a dangling
pointer into the hash table on error?

In bnxt_re_create_user_cq(), if memory allocation for the page fails or
ib_respond_udata() fails, we jump to the error path and free the CQ without
removing it from the hash table:

bnxt_re_create_user_cq() {
    ...
    if (cctx->modes.toggle_bits & BNXT_QPLIB_CQ_TOGGLE_BIT) {
        hash_add(rdev->cq_hash, &cq->hash_entry, cq->qplib_cq.id);
        /* Allocate a page */
        cq->uctx_cq_page = (void *)get_zeroed_page(GFP_KERNEL);
        if (!cq->uctx_cq_page) {
            rc = -ENOMEM;
            goto destroy_cq;
        }
    ...
    rc = ib_respond_udata(udata, resp);
    if (rc)
        goto free_mem;
    ...
free_mem:
    free_page((unsigned long)cq->uctx_cq_page);
destroy_cq:
    bnxt_qplib_destroy_cq(&rdev->qplib_res, &cq->qplib_cq);
free_umem:
    ib_umem_release(cq->umem);
    return rc;
}

Since hash_del() isn't called here, could subsequent lookups hit a
use-after-free? This same pattern also appears in bnxt_re_create_srq()
where srq_hash is modified.

[Severity: High]
This isn't a bug introduced by this patch, but since this patch fixes udata
validation in destroy callbacks, should similar fixes be applied to the
modify and resize callbacks?

In functions like bnxt_re_modify_srq(), bnxt_re_modify_qp(), and
bnxt_re_resize_cq(), the hardware and driver state is modified before the
final copy-to-user response:

drivers/infiniband/hw/bnxt_re/ib_verbs.c:bnxt_re_modify_qp() {
    ...
    /* hardware QP state is modified here */
    ...
    return ib_respond_empty_udata(udata);
}

If the udata response buffer is invalid, the function fails, but the hardware
and driver states are already updated. Can this desynchronize kernel state
from userspace state?

[Severity: High]
This is a pre-existing issue, but does this error path permanently leak the
hardware Address Handle?

If ib_respond_empty_udata() fails in bnxt_re_create_ah(), the function
returns the error directly without cleaning up the hardware AH or
decrementing ah_count:

drivers/infiniband/hw/bnxt_re/ib_verbs.c:bnxt_re_create_ah() {
    ...
    return ib_respond_empty_udata(udata);
}

Can an unprivileged application repeatedly trigger this by passing an invalid
udata response buffer to exhaust hardware resources and kernel memory?

[Severity: High]
This is a pre-existing issue, but does the cfail error path leak the mmap
entry?

In bnxt_re_alloc_ucontext(), if validation or the udata response fails, we
jump to cfail:

drivers/infiniband/hw/bnxt_re/ib_verbs.c:bnxt_re_alloc_ucontext() {
    ...
    rc = ib_respond_udata(udata, resp);
    if (rc) {
        rc = -EFAULT;
        goto cfail;
    }
    ...
cfail:
    free_page((unsigned long)uctx->shpg);
    uctx->shpg = NULL;
fail:
    return rc;
}

This path skips calling rdma_user_mmap_entry_remove(uctx->shpage_mmap).
Does this permanently leak the kzalloc'd mmap entry, allowing memory
exhaustion if triggered repeatedly by userspace?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260713-fix-destroy-no-udata-v1-0-fcca2e34fd57@nvidia.com?part=1

  reply	other threads:[~2026-07-13  8:28 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-13  8:10 [PATCH rdma-next 0/2] RDMA: Small batch of cleanups Leon Romanovsky
2026-07-13  8:10 ` [PATCH rdma-next 1/2] RDMA/bnxt_re: Validate udata before destroying resources Leon Romanovsky
2026-07-13  8:28   ` sashiko-bot [this message]
2026-07-13 14:21   ` Jacob Moroni
2026-07-13 14:56     ` Leon Romanovsky
2026-07-14  6:50       ` Selvin Xavier
2026-07-13  8:10 ` [PATCH rdma-next 2/2] RDMA: Remove redundant memset() from query_device callbacks Leon Romanovsky
2026-07-14  6:53 ` (subset) [PATCH rdma-next 0/2] RDMA: Small batch of cleanups Leon Romanovsky
2026-07-14  6:54 ` Leon Romanovsky

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260713082807.EB6D11F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=leon@kernel.org \
    --cc=linux-hyperv@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox