* [PATCH 0/1] RDMA/uverbs: Fix missing wqe_size validation in ib_uverbs_post_send
@ 2026-01-22 14:28 Yi Liu
2026-01-22 14:29 ` [PATCH 1/1] RDMA/uverbs: Validate wqe_size before using it " Yi Liu
2026-01-22 17:10 ` [PATCH 0/1] RDMA/uverbs: Fix missing wqe_size validation " Greg KH
0 siblings, 2 replies; 7+ messages in thread
From: Yi Liu @ 2026-01-22 14:28 UTC (permalink / raw)
To: jgg, leon; +Cc: linux-rdma, security, Yi Liu
Hi,
I discovered a missing input validation issue in ib_uverbs_post_send().
The function uses cmd.wqe_size from userspace without validation before
passing it to kmalloc() and accessing the buffer as struct ib_uverbs_send_wr.
Security Impact:
- If wqe_size is too small: out-of-bounds read from kernel heap memory,
potentially leaking sensitive kernel information.
- If wqe_size is too large: triggers WARNING in the memory allocator.
This patch addresses the first issue (wqe_size too small) by adding a
lower bound check, consistent with ib_uverbs_unmarshall_recv(). The
upper bound check is not included in this patch and may need further
discussion on what a reasonable limit should be.
Given the potential for kernel heap information disclosure, I believe
the first issue may warrant a CVE assignment. I would appreciate it if
the security team could evaluate this.
Thanks,
Yi Liu
Yi Liu (1):
RDMA/uverbs: Validate wqe_size before using it in ib_uverbs_post_send
drivers/infiniband/core/uverbs_cmd.c | 3 +++
1 file changed, 3 insertions(+)
--
2.34.1
^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH 1/1] RDMA/uverbs: Validate wqe_size before using it in ib_uverbs_post_send
2026-01-22 14:28 [PATCH 0/1] RDMA/uverbs: Fix missing wqe_size validation in ib_uverbs_post_send Yi Liu
@ 2026-01-22 14:29 ` Yi Liu
2026-01-22 17:10 ` Greg KH
` (2 more replies)
2026-01-22 17:10 ` [PATCH 0/1] RDMA/uverbs: Fix missing wqe_size validation " Greg KH
1 sibling, 3 replies; 7+ messages in thread
From: Yi Liu @ 2026-01-22 14:29 UTC (permalink / raw)
To: jgg, leon; +Cc: linux-rdma, security, Yi Liu
ib_uverbs_post_send() uses cmd.wqe_size from userspace without any
validation before passing it to kmalloc() and using the allocated
buffer as struct ib_uverbs_send_wr.
If a user provides a small wqe_size value (e.g., 1), kmalloc() will
succeed, but subsequent accesses to user_wr->opcode, user_wr->num_sge,
and other fields will read beyond the allocated buffer, resulting in
an out-of-bounds read from kernel heap memory. This could potentially
leak sensitive kernel information to userspace.
Additionally, providing an excessively large wqe_size can trigger a
WARNING in the memory allocation path, as reported by syzkaller.
This is inconsistent with ib_uverbs_unmarshall_recv() which properly
validates that wqe_size >= sizeof(struct ib_uverbs_recv_wr) before
proceeding.
Add the same validation for ib_uverbs_post_send() to ensure wqe_size
is at least sizeof(struct ib_uverbs_send_wr).
Fixes: 67cdb40ca444 ("[IB] uverbs: Implement more commands")
Signed-off-by: Yi Liu <liuy22@mails.tsinghua.edu.cn>
---
drivers/infiniband/core/uverbs_cmd.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
index ce16404cd..a80b95948 100644
--- a/drivers/infiniband/core/uverbs_cmd.c
+++ b/drivers/infiniband/core/uverbs_cmd.c
@@ -2049,6 +2049,9 @@ static int ib_uverbs_post_send(struct uverbs_attr_bundle *attrs)
if (ret)
return ret;
+ if (cmd.wqe_size < sizeof(struct ib_uverbs_send_wr))
+ return -EINVAL;
+
user_wr = kmalloc(cmd.wqe_size, GFP_KERNEL);
if (!user_wr)
return -ENOMEM;
--
2.34.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH 0/1] RDMA/uverbs: Fix missing wqe_size validation in ib_uverbs_post_send
2026-01-22 14:28 [PATCH 0/1] RDMA/uverbs: Fix missing wqe_size validation in ib_uverbs_post_send Yi Liu
2026-01-22 14:29 ` [PATCH 1/1] RDMA/uverbs: Validate wqe_size before using it " Yi Liu
@ 2026-01-22 17:10 ` Greg KH
1 sibling, 0 replies; 7+ messages in thread
From: Greg KH @ 2026-01-22 17:10 UTC (permalink / raw)
To: Yi Liu; +Cc: jgg, leon, linux-rdma, security
On Thu, Jan 22, 2026 at 10:28:59PM +0800, Yi Liu wrote:
> Given the potential for kernel heap information disclosure, I believe
> the first issue may warrant a CVE assignment. I would appreciate it if
> the security team could evaluate this.
The kernel security team has nothing to do with CVEs, sorry. Please see
the in-kernel documentation at:
https://www.kernel.org/doc/html/latest/process/cve.html
for how that works.
And as this is a public issue, the kernel security team doesn't need to
be involved at all :)
thanks,
greg k-h
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 1/1] RDMA/uverbs: Validate wqe_size before using it in ib_uverbs_post_send
2026-01-22 14:29 ` [PATCH 1/1] RDMA/uverbs: Validate wqe_size before using it " Yi Liu
@ 2026-01-22 17:10 ` Greg KH
2026-01-26 13:07 ` Leon Romanovsky
2026-01-26 13:07 ` Leon Romanovsky
2 siblings, 0 replies; 7+ messages in thread
From: Greg KH @ 2026-01-22 17:10 UTC (permalink / raw)
To: Yi Liu; +Cc: jgg, leon, linux-rdma, security
On Thu, Jan 22, 2026 at 10:29:00PM +0800, Yi Liu wrote:
> ib_uverbs_post_send() uses cmd.wqe_size from userspace without any
> validation before passing it to kmalloc() and using the allocated
> buffer as struct ib_uverbs_send_wr.
>
> If a user provides a small wqe_size value (e.g., 1), kmalloc() will
> succeed, but subsequent accesses to user_wr->opcode, user_wr->num_sge,
> and other fields will read beyond the allocated buffer, resulting in
> an out-of-bounds read from kernel heap memory. This could potentially
> leak sensitive kernel information to userspace.
>
> Additionally, providing an excessively large wqe_size can trigger a
> WARNING in the memory allocation path, as reported by syzkaller.
>
> This is inconsistent with ib_uverbs_unmarshall_recv() which properly
> validates that wqe_size >= sizeof(struct ib_uverbs_recv_wr) before
> proceeding.
>
> Add the same validation for ib_uverbs_post_send() to ensure wqe_size
> is at least sizeof(struct ib_uverbs_send_wr).
>
> Fixes: 67cdb40ca444 ("[IB] uverbs: Implement more commands")
> Signed-off-by: Yi Liu <liuy22@mails.tsinghua.edu.cn>
> ---
> drivers/infiniband/core/uverbs_cmd.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
> index ce16404cd..a80b95948 100644
> --- a/drivers/infiniband/core/uverbs_cmd.c
> +++ b/drivers/infiniband/core/uverbs_cmd.c
> @@ -2049,6 +2049,9 @@ static int ib_uverbs_post_send(struct uverbs_attr_bundle *attrs)
> if (ret)
> return ret;
>
> + if (cmd.wqe_size < sizeof(struct ib_uverbs_send_wr))
> + return -EINVAL;
> +
> user_wr = kmalloc(cmd.wqe_size, GFP_KERNEL);
> if (!user_wr)
> return -ENOMEM;
> --
> 2.34.1
>
>
Hi,
This is the friendly patch-bot of Greg Kroah-Hartman. You have sent him
a patch that has triggered this response. He used to manually respond
to these common problems, but in order to save his sanity (he kept
writing the same thing over and over, yet to different people), I was
created. Hopefully you will not take offence and will fix the problem
in your patch and resubmit it so that it can be accepted into the Linux
kernel tree.
You are receiving this message because of the following common error(s)
as indicated below:
- You have marked a patch with a "Fixes:" tag for a commit that is in an
older released kernel, yet you do not have a cc: stable line in the
signed-off-by area at all, which means that the patch will not be
applied to any older kernel releases. To properly fix this, please
follow the documented rules in the
Documentation/process/stable-kernel-rules.rst file for how to resolve
this.
If you wish to discuss this problem further, or you have questions about
how to resolve this issue, please feel free to respond to this email and
Greg will reply once he has dug out from the pending patches received
from other developers.
thanks,
greg k-h's patch email bot
^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH 1/1] RDMA/uverbs: Validate wqe_size before using it in ib_uverbs_post_send
2026-01-23 1:42 [PATCH v2 " Yi Liu
@ 2026-01-23 1:42 ` Yi Liu
0 siblings, 0 replies; 7+ messages in thread
From: Yi Liu @ 2026-01-23 1:42 UTC (permalink / raw)
To: jgg, leon; +Cc: linux-rdma, security, Yi Liu, stable
ib_uverbs_post_send() uses cmd.wqe_size from userspace without any
validation before passing it to kmalloc() and using the allocated
buffer as struct ib_uverbs_send_wr.
If a user provides a small wqe_size value (e.g., 1), kmalloc() will
succeed, but subsequent accesses to user_wr->opcode, user_wr->num_sge,
and other fields will read beyond the allocated buffer, resulting in
an out-of-bounds read from kernel heap memory. This could potentially
leak sensitive kernel information to userspace.
Additionally, providing an excessively large wqe_size can trigger a
WARNING in the memory allocation path, as reported by syzkaller.
This is inconsistent with ib_uverbs_unmarshall_recv() which properly
validates that wqe_size >= sizeof(struct ib_uverbs_recv_wr) before
proceeding.
Add the same validation for ib_uverbs_post_send() to ensure wqe_size
is at least sizeof(struct ib_uverbs_send_wr).
Fixes: 67cdb40ca444 ("[IB] uverbs: Implement more commands")
Cc: stable@vger.kernel.org
Signed-off-by: Yi Liu <liuy22@mails.tsinghua.edu.cn>
---
drivers/infiniband/core/uverbs_cmd.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
index ce16404cd..a80b95948 100644
--- a/drivers/infiniband/core/uverbs_cmd.c
+++ b/drivers/infiniband/core/uverbs_cmd.c
@@ -2049,6 +2049,9 @@ static int ib_uverbs_post_send(struct uverbs_attr_bundle *attrs)
if (ret)
return ret;
+ if (cmd.wqe_size < sizeof(struct ib_uverbs_send_wr))
+ return -EINVAL;
+
user_wr = kmalloc(cmd.wqe_size, GFP_KERNEL);
if (!user_wr)
return -ENOMEM;
--
2.34.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH 1/1] RDMA/uverbs: Validate wqe_size before using it in ib_uverbs_post_send
2026-01-22 14:29 ` [PATCH 1/1] RDMA/uverbs: Validate wqe_size before using it " Yi Liu
2026-01-22 17:10 ` Greg KH
@ 2026-01-26 13:07 ` Leon Romanovsky
2026-01-26 13:07 ` Leon Romanovsky
2 siblings, 0 replies; 7+ messages in thread
From: Leon Romanovsky @ 2026-01-26 13:07 UTC (permalink / raw)
To: Yi Liu; +Cc: jgg, linux-rdma
On Thu, Jan 22, 2026 at 10:29:00PM +0800, Yi Liu wrote:
> ib_uverbs_post_send() uses cmd.wqe_size from userspace without any
> validation before passing it to kmalloc() and using the allocated
> buffer as struct ib_uverbs_send_wr.
>
> If a user provides a small wqe_size value (e.g., 1), kmalloc() will
> succeed, but subsequent accesses to user_wr->opcode, user_wr->num_sge,
> and other fields will read beyond the allocated buffer, resulting in
> an out-of-bounds read from kernel heap memory. This could potentially
> leak sensitive kernel information to userspace.
>
> Additionally, providing an excessively large wqe_size can trigger a
> WARNING in the memory allocation path, as reported by syzkaller.
>
> This is inconsistent with ib_uverbs_unmarshall_recv() which properly
> validates that wqe_size >= sizeof(struct ib_uverbs_recv_wr) before
> proceeding.
>
> Add the same validation for ib_uverbs_post_send() to ensure wqe_size
> is at least sizeof(struct ib_uverbs_send_wr).
>
> Fixes: 67cdb40ca444 ("[IB] uverbs: Implement more commands")
The commit referenced in the "fixes" tag already includes the cmd.wqe_size
check. The correct commit is c3bea3d2dc53 ("RDMA/uverbs: Use the iterator
for ib_uverbs_unmarshall_recv()").
In addition, I added _GFP_NOWARN to suppress warnings when a large size is
provided.
I took this patch and fixed it.
Thanks
> Signed-off-by: Yi Liu <liuy22@mails.tsinghua.edu.cn>
> ---
> drivers/infiniband/core/uverbs_cmd.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
> index ce16404cd..a80b95948 100644
> --- a/drivers/infiniband/core/uverbs_cmd.c
> +++ b/drivers/infiniband/core/uverbs_cmd.c
> @@ -2049,6 +2049,9 @@ static int ib_uverbs_post_send(struct uverbs_attr_bundle *attrs)
> if (ret)
> return ret;
>
> + if (cmd.wqe_size < sizeof(struct ib_uverbs_send_wr))
> + return -EINVAL;
> +
> user_wr = kmalloc(cmd.wqe_size, GFP_KERNEL);
> if (!user_wr)
> return -ENOMEM;
> --
> 2.34.1
>
>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 1/1] RDMA/uverbs: Validate wqe_size before using it in ib_uverbs_post_send
2026-01-22 14:29 ` [PATCH 1/1] RDMA/uverbs: Validate wqe_size before using it " Yi Liu
2026-01-22 17:10 ` Greg KH
2026-01-26 13:07 ` Leon Romanovsky
@ 2026-01-26 13:07 ` Leon Romanovsky
2 siblings, 0 replies; 7+ messages in thread
From: Leon Romanovsky @ 2026-01-26 13:07 UTC (permalink / raw)
To: jgg, Yi Liu; +Cc: linux-rdma, security
On Thu, 22 Jan 2026 22:29:00 +0800, Yi Liu wrote:
> ib_uverbs_post_send() uses cmd.wqe_size from userspace without any
> validation before passing it to kmalloc() and using the allocated
> buffer as struct ib_uverbs_send_wr.
>
> If a user provides a small wqe_size value (e.g., 1), kmalloc() will
> succeed, but subsequent accesses to user_wr->opcode, user_wr->num_sge,
> and other fields will read beyond the allocated buffer, resulting in
> an out-of-bounds read from kernel heap memory. This could potentially
> leak sensitive kernel information to userspace.
>
> [...]
Applied, thanks!
[1/1] RDMA/uverbs: Validate wqe_size before using it in ib_uverbs_post_send
https://git.kernel.org/rdma/rdma/c/1956f0a74ccf5d
Best regards,
--
Leon Romanovsky <leon@kernel.org>
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2026-01-26 13:07 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-01-22 14:28 [PATCH 0/1] RDMA/uverbs: Fix missing wqe_size validation in ib_uverbs_post_send Yi Liu
2026-01-22 14:29 ` [PATCH 1/1] RDMA/uverbs: Validate wqe_size before using it " Yi Liu
2026-01-22 17:10 ` Greg KH
2026-01-26 13:07 ` Leon Romanovsky
2026-01-26 13:07 ` Leon Romanovsky
2026-01-22 17:10 ` [PATCH 0/1] RDMA/uverbs: Fix missing wqe_size validation " Greg KH
-- strict thread matches above, loose matches on Subject: below --
2026-01-23 1:42 [PATCH v2 " Yi Liu
2026-01-23 1:42 ` [PATCH 1/1] RDMA/uverbs: Validate wqe_size before using it " Yi Liu
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox