From: sashiko-bot@kernel.org
To: "Zhiping Zhang" <zhipingz@meta.com>
Cc: kvm@vger.kernel.org, linux-pci@vger.kernel.org,
dri-devel@lists.freedesktop.org
Subject: Re: [PATCH v7 1/5] net/mlx5: free mlx5_st_idx_data on final dealloc
Date: Thu, 11 Jun 2026 20:25:58 +0000 [thread overview]
Message-ID: <20260611202559.80EF21F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260610193158.2614209-2-zhipingz@meta.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [Critical] Out-of-bounds read in UVERBS_METHOD_DMAH_ALLOC handler due to missing bounds check on user-supplied cpu_id.
--
commit efb72743b37fe4c5005fca2d75b36ef50832bc6c
Author: Zhiping Zhang <zhipingz@meta.com>
net/mlx5: free mlx5_st_idx_data on final dealloc
When the last reference to an ST table entry is dropped,
mlx5_st_dealloc_index() removed the entry from idx_xa but leaked the
backing mlx5_st_idx_data allocation. Repeated alloc/dealloc cycles
therefore accumulate one struct mlx5_st_idx_data per cycle.
Free idx_data after the xa_erase() so the lifetime of the bookkeeping
struct matches the lifetime of the ST entry it tracks.
Fixes: 888a7776f4fb ("net/mlx5: Add support for device steering tag")
Signed-off-by: Zhiping Zhang <zhipingz@meta.com>
> diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/st.c b/drivers/net/ethernet/mellanox/mlx5/core/lib/st.c
> index 997be91f0a135..7cedc348790db 100644
> --- a/drivers/net/ethernet/mellanox/mlx5/core/lib/st.c
> +++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/st.c
> @@ -175,6 +175,7 @@ int mlx5_st_dealloc_index(struct mlx5_core_dev *dev, u16 st_index)
>
> if (refcount_dec_and_test(&idx_data->usecount)) {
> xa_erase(&st->idx_xa, st_index);
> + kfree(idx_data);
> /* We leave PCI config space as was before, no mkey will refer to it */
> }
>
[Severity: Critical]
This is a pre-existing issue, but does
UVERBS_HANDLER(UVERBS_METHOD_DMAH_ALLOC) in
drivers/infiniband/core/uverbs_std_types_dmah.c lack bounds checking on the
untrusted user-supplied dmah->cpu_id?
drivers/infiniband/core/uverbs_std_types_dmah.c:UVERBS_HANDLER(UVERBS_METHOD_DMAH_ALLOC)() {
...
ret = uverbs_copy_from(&dmah->cpu_id, attrs,
UVERBS_ATTR_ALLOC_DMAH_CPU_ID);
if (ret)
goto err;
if (!cpumask_test_cpu(dmah->cpu_id, current->cpus_ptr)) {
ret = -EPERM;
goto err;
}
...
}
The dmah->cpu_id is copied directly from an untrusted uverbs attribute
without value validation.
Since cpumask_check only emits a warning if the CPU ID is out of bounds and
does not cap the value, could test_bit compute a bit offset far outside the
bounds of current->cpus_ptr?
Can an attacker exploit this to read unmapped kernel memory (causing a kernel
panic) or infer the contents of kernel memory by observing whether the
syscall succeeds or fails with -EPERM?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260610193158.2614209-1-zhipingz@meta.com?part=1
next prev parent reply other threads:[~2026-06-11 20:26 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20260610193158.2614209-1-zhipingz@meta.com>
[not found] ` <20260610193158.2614209-4-zhipingz@meta.com>
2026-06-11 10:35 ` [PATCH v7 3/5] dma-buf: add optional get_tph() callback Christian König
2026-06-11 23:07 ` Zhiping Zhang
2026-06-11 20:26 ` sashiko-bot
[not found] ` <20260610193158.2614209-6-zhipingz@meta.com>
2026-06-11 12:44 ` [PATCH v7 5/5] RDMA/mlx5: get tph for p2p access when registering dma-buf mr Michael Gur
2026-06-11 23:09 ` Zhiping Zhang
2026-06-11 20:26 ` sashiko-bot
[not found] ` <20260610193158.2614209-2-zhipingz@meta.com>
2026-06-11 7:47 ` [PATCH v7 1/5] net/mlx5: free mlx5_st_idx_data on final dealloc Christian König
2026-06-11 22:53 ` Zhiping Zhang
2026-06-11 23:45 ` Zhiping Zhang
2026-06-11 20:25 ` sashiko-bot [this message]
2026-06-11 22:54 ` Zhiping Zhang
2026-06-11 16:11 [PATCH v7 0/5] vfio/dma-buf: add TPH support for peer-to-peer access Zhiping Zhang
2026-06-11 16:11 ` [PATCH v7 1/5] net/mlx5: free mlx5_st_idx_data on final dealloc Zhiping Zhang
2026-06-12 16:46 ` sashiko-bot
2026-06-14 7:06 ` Michael Gur
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260611202559.80EF21F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=dri-devel@lists.freedesktop.org \
--cc=kvm@vger.kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=zhipingz@meta.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox