[PATCH 0/1] RDMA/uverbs: Fix missing wqe_size validation in ib_uverbs_post_send

[PATCH 0/1] RDMA/uverbs: Fix missing wqe_size validation in ib_uverbs_post_send

[Yi Liu]

Hi,

I discovered a missing input validation issue in ib_uverbs_post_send().

The function uses cmd.wqe_size from userspace without validation before
passing it to kmalloc() and accessing the buffer as struct ib_uverbs_send_wr.

Security Impact:
- If wqe_size is too small: out-of-bounds read from kernel heap memory,
  potentially leaking sensitive kernel information.
- If wqe_size is too large: triggers WARNING in the memory allocator.

This patch addresses the first issue (wqe_size too small) by adding a
lower bound check, consistent with ib_uverbs_unmarshall_recv(). The
upper bound check is not included in this patch and may need further
discussion on what a reasonable limit should be.

Given the potential for kernel heap information disclosure, I believe
the first issue may warrant a CVE assignment. I would appreciate it if
the security team could evaluate this.

Thanks,
Yi Liu

Yi Liu (1):
  RDMA/uverbs: Validate wqe_size before using it in ib_uverbs_post_send

 drivers/infiniband/core/uverbs_cmd.c | 3 +++
 1 file changed, 3 insertions(+)

--
2.34.1

[PATCH 1/1] RDMA/uverbs: Validate wqe_size before using it in ib_uverbs_post_send

[Yi Liu]

ib_uverbs_post_send() uses cmd.wqe_size from userspace without any
validation before passing it to kmalloc() and using the allocated
buffer as struct ib_uverbs_send_wr.

If a user provides a small wqe_size value (e.g., 1), kmalloc() will
succeed, but subsequent accesses to user_wr->opcode, user_wr->num_sge,
and other fields will read beyond the allocated buffer, resulting in
an out-of-bounds read from kernel heap memory. This could potentially
leak sensitive kernel information to userspace.

Additionally, providing an excessively large wqe_size can trigger a
WARNING in the memory allocation path, as reported by syzkaller.

This is inconsistent with ib_uverbs_unmarshall_recv() which properly
validates that wqe_size >= sizeof(struct ib_uverbs_recv_wr) before
proceeding.

Add the same validation for ib_uverbs_post_send() to ensure wqe_size
is at least sizeof(struct ib_uverbs_send_wr).

Fixes: 67cdb40ca444 ("[IB] uverbs: Implement more commands")
Signed-off-by: Yi Liu <liuy22@mails.tsinghua.edu.cn>
---
 drivers/infiniband/core/uverbs_cmd.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
index ce16404cd..a80b95948 100644
--- a/drivers/infiniband/core/uverbs_cmd.c
+++ b/drivers/infiniband/core/uverbs_cmd.c
@@ -2049,6 +2049,9 @@ static int ib_uverbs_post_send(struct uverbs_attr_bundle *attrs)
 	if (ret)
 		return ret;
 
+	if (cmd.wqe_size < sizeof(struct ib_uverbs_send_wr))
+		return -EINVAL;
+
 	user_wr = kmalloc(cmd.wqe_size, GFP_KERNEL);
 	if (!user_wr)
 		return -ENOMEM;
-- 
2.34.1

Re: [PATCH 1/1] RDMA/uverbs: Validate wqe_size before using it in ib_uverbs_post_send

[Greg KH]

On Thu, Jan 22, 2026 at 10:29:00PM +0800, Yi Liu wrote:
> ib_uverbs_post_send() uses cmd.wqe_size from userspace without any
> validation before passing it to kmalloc() and using the allocated
> buffer as struct ib_uverbs_send_wr.
> 
> If a user provides a small wqe_size value (e.g., 1), kmalloc() will
> succeed, but subsequent accesses to user_wr->opcode, user_wr->num_sge,
> and other fields will read beyond the allocated buffer, resulting in
> an out-of-bounds read from kernel heap memory. This could potentially
> leak sensitive kernel information to userspace.
> 
> Additionally, providing an excessively large wqe_size can trigger a
> WARNING in the memory allocation path, as reported by syzkaller.
> 
> This is inconsistent with ib_uverbs_unmarshall_recv() which properly
> validates that wqe_size >= sizeof(struct ib_uverbs_recv_wr) before
> proceeding.
> 
> Add the same validation for ib_uverbs_post_send() to ensure wqe_size
> is at least sizeof(struct ib_uverbs_send_wr).
> 
> Fixes: 67cdb40ca444 ("[IB] uverbs: Implement more commands")
> Signed-off-by: Yi Liu <liuy22@mails.tsinghua.edu.cn>
> ---
>  drivers/infiniband/core/uverbs_cmd.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
> index ce16404cd..a80b95948 100644
> --- a/drivers/infiniband/core/uverbs_cmd.c
> +++ b/drivers/infiniband/core/uverbs_cmd.c
> @@ -2049,6 +2049,9 @@ static int ib_uverbs_post_send(struct uverbs_attr_bundle *attrs)
>  	if (ret)
>  		return ret;
>  
> +	if (cmd.wqe_size < sizeof(struct ib_uverbs_send_wr))
> +		return -EINVAL;
> +
>  	user_wr = kmalloc(cmd.wqe_size, GFP_KERNEL);
>  	if (!user_wr)
>  		return -ENOMEM;
> -- 
> 2.34.1
> 
> 

Hi,

This is the friendly patch-bot of Greg Kroah-Hartman.  You have sent him
a patch that has triggered this response.  He used to manually respond
to these common problems, but in order to save his sanity (he kept
writing the same thing over and over, yet to different people), I was
created.  Hopefully you will not take offence and will fix the problem
in your patch and resubmit it so that it can be accepted into the Linux
kernel tree.

You are receiving this message because of the following common error(s)
as indicated below:

- You have marked a patch with a "Fixes:" tag for a commit that is in an
  older released kernel, yet you do not have a cc: stable line in the
  signed-off-by area at all, which means that the patch will not be
  applied to any older kernel releases.  To properly fix this, please
  follow the documented rules in the
  Documentation/process/stable-kernel-rules.rst file for how to resolve
  this.

If you wish to discuss this problem further, or you have questions about
how to resolve this issue, please feel free to respond to this email and
Greg will reply once he has dug out from the pending patches received
from other developers.

thanks,

greg k-h's patch email bot

Re: [PATCH 1/1] RDMA/uverbs: Validate wqe_size before using it in ib_uverbs_post_send

[Leon Romanovsky]

On Thu, Jan 22, 2026 at 10:29:00PM +0800, Yi Liu wrote:
> ib_uverbs_post_send() uses cmd.wqe_size from userspace without any
> validation before passing it to kmalloc() and using the allocated
> buffer as struct ib_uverbs_send_wr.
> 
> If a user provides a small wqe_size value (e.g., 1), kmalloc() will
> succeed, but subsequent accesses to user_wr->opcode, user_wr->num_sge,
> and other fields will read beyond the allocated buffer, resulting in
> an out-of-bounds read from kernel heap memory. This could potentially
> leak sensitive kernel information to userspace.
> 
> Additionally, providing an excessively large wqe_size can trigger a
> WARNING in the memory allocation path, as reported by syzkaller.
> 
> This is inconsistent with ib_uverbs_unmarshall_recv() which properly
> validates that wqe_size >= sizeof(struct ib_uverbs_recv_wr) before
> proceeding.
> 
> Add the same validation for ib_uverbs_post_send() to ensure wqe_size
> is at least sizeof(struct ib_uverbs_send_wr).
> 
> Fixes: 67cdb40ca444 ("[IB] uverbs: Implement more commands")

The commit referenced in the "fixes" tag already includes the cmd.wqe_size  
check. The correct commit is c3bea3d2dc53 ("RDMA/uverbs: Use the iterator  
for ib_uverbs_unmarshall_recv()").

In addition, I added _GFP_NOWARN to suppress warnings when a large size is  
provided.

I took this patch and fixed it.

Thanks

> Signed-off-by: Yi Liu <liuy22@mails.tsinghua.edu.cn>
> ---
>  drivers/infiniband/core/uverbs_cmd.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
> index ce16404cd..a80b95948 100644
> --- a/drivers/infiniband/core/uverbs_cmd.c
> +++ b/drivers/infiniband/core/uverbs_cmd.c
> @@ -2049,6 +2049,9 @@ static int ib_uverbs_post_send(struct uverbs_attr_bundle *attrs)
>  	if (ret)
>  		return ret;
>  
> +	if (cmd.wqe_size < sizeof(struct ib_uverbs_send_wr))
> +		return -EINVAL;
> +
>  	user_wr = kmalloc(cmd.wqe_size, GFP_KERNEL);
>  	if (!user_wr)
>  		return -ENOMEM;
> -- 
> 2.34.1
> 
> 

Re: [PATCH 1/1] RDMA/uverbs: Validate wqe_size before using it in ib_uverbs_post_send

[Leon Romanovsky]

On Thu, 22 Jan 2026 22:29:00 +0800, Yi Liu wrote:
> ib_uverbs_post_send() uses cmd.wqe_size from userspace without any
> validation before passing it to kmalloc() and using the allocated
> buffer as struct ib_uverbs_send_wr.
> 
> If a user provides a small wqe_size value (e.g., 1), kmalloc() will
> succeed, but subsequent accesses to user_wr->opcode, user_wr->num_sge,
> and other fields will read beyond the allocated buffer, resulting in
> an out-of-bounds read from kernel heap memory. This could potentially
> leak sensitive kernel information to userspace.
> 
> [...]

Applied, thanks!

[1/1] RDMA/uverbs: Validate wqe_size before using it in ib_uverbs_post_send
      https://git.kernel.org/rdma/rdma/c/1956f0a74ccf5d

Best regards,
-- 
Leon Romanovsky <leon@kernel.org>

Re: [PATCH 0/1] RDMA/uverbs: Fix missing wqe_size validation in ib_uverbs_post_send

[Greg KH]

On Thu, Jan 22, 2026 at 10:28:59PM +0800, Yi Liu wrote:
> Given the potential for kernel heap information disclosure, I believe
> the first issue may warrant a CVE assignment. I would appreciate it if
> the security team could evaluate this.

The kernel security team has nothing to do with CVEs, sorry.  Please see
the in-kernel documentation at:
	https://www.kernel.org/doc/html/latest/process/cve.html
for how that works.

And as this is a public issue, the kernel security team doesn't need to
be involved at all :)

thanks,

greg k-h