public inbox for linux-rdma@vger.kernel.org
* [Bug] KASAN: null-ptr-deref in range in ib-comp-unb-wq ib_cq_poll_work
@ 2026-01-30 11:00 yunje shin
  2026-01-31 14:09 ` [PATCH] RDMA/umad: Reject negative data_len in ib_umad_write YunJe Shin
  0 siblings, 1 reply; 6+ messages in thread
From: yunje shin @ 2026-01-30 11:00 UTC (permalink / raw)
  To: Jason Gunthorpe, Leon Romanovsky; +Cc: YunJe Shin, linux-rdma, Joonkyoo Jeong

in drivers/infiniband/core/user_mad.c

[ 1621.970286] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: I
[ 1621.971167] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
[ 1621.971925] CPU: 0 UID: 0 PID: 43 Comm: kworker/u9:0 Not tainted 6.19.0-rc7-g8dfce8991b95-dirty #4
[ 1621.972373] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 4
[ 1621.972850] Workqueue: ib-comp-unb-wq ib_cq_poll_work
[ 1621.973486] RIP: 0010:ib_free_send_mad+0xf3/0x270
[ 1621.973718] Code: 85 22 01 00 00 49 8d 7e 08 48 8b 4b 08 48 89 fe 48 c1 ee 03 42 80 3c 3e 00 0f 85 2
[ 1621.974316] RSP: 0018:ffff888008487a30 EFLAGS: 00000246
[ 1621.974522] RAX: dffffc0000000000 RBX: ffff888007c8c600 RCX: 0000000000000000
[ 1621.974721] RDX: 1ffff11000f918c0 RSI: 0000000000000000 RDI: ffff88800be6c168
[ 1621.974919] RBP: ffff88800be6c160 R08: ffffffff8198dcf3 R09: ffffffff81990d3b
[ 1621.975227] R10: ffffffff8198da24 R11: ffffffff8198d9a3 R12: dead000000000122
[ 1621.975571] R13: dead000000000100 R14: ffff88800be6c160 R15: dffffc0000000000
[ 1621.975934] FS:  0000000000000000(0000) GS:ffff8880e6191000(0000) knlGS:0000000000000000
[ 1621.976269] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1621.976491] CR2: dffffc0000000000 CR3: 000000000a7eb000 CR4: 00000000000006f0
[ 1621.976833] Call Trace:
[ 1621.977113]  <TASK>
[ 1621.977292]  ? rdma_destroy_ah_user+0xf1/0x170
[ 1621.977520]  send_handler+0x1b0/0x330
[ 1621.977748]  ib_mad_complete_send_wr+0x1de/0x920
[ 1621.977902]  ib_mad_send_done+0x706/0x1200
[ 1621.978063]  ? __pfx_ib_mad_send_done+0x10/0x10
[ 1621.978258]  ? __pfx_ib_mad_send_done+0x10/0x10
[ 1621.978545]  __ib_process_cq+0xe1/0x330
[ 1621.978676]  ib_cq_poll_work+0x46/0x150
[ 1621.978853]  process_one_work+0x5e7/0xf30
[ 1621.979012]  worker_thread+0x763/0x12b0
[ 1621.979128]  ? __pfx_worker_thread+0x10/0x10
[ 1621.979246]  kthread+0x30d/0x630
[ 1621.979346]  ? __pfx_kthread+0x10/0x10
[ 1621.979447]  ? __pfx__raw_spin_lock_irq+0x10/0x10
[ 1621.979592]  ? __pfx_kthread+0x10/0x10
[ 1621.979696]  ret_from_fork+0x308/0x3f0
[ 1621.979808]  ? __pfx_ret_from_fork+0x10/0x10
[ 1621.979934]  ? __switch_to+0xaec/0xe60
[ 1621.980046]  ? __switch_to_asm+0x39/0x70
[ 1621.980163]  ? __switch_to_asm+0x33/0x70
[ 1621.980281]  ? __pfx_kthread+0x10/0x10
[ 1621.980385]  ret_from_fork_asm+0x1a/0x30
[ 1621.980537]  </TASK>
[ 1621.980659] Modules linked in:
[ 1621.982033] ---[ end trace 0000000000000000 ]---
[ 1621.982642] RIP: 0010:ib_free_send_mad+0xf3/0x270
[ 1621.982890] Code: 85 22 01 00 00 49 8d 7e 08 48 8b 4b 08 48 89 fe 48 c1 ee 03 42 80 3c 3e 00 0f 85 2
[ 1621.983468] RSP: 0018:ffff888008487a30 EFLAGS: 00000246
[ 1621.983748] RAX: dffffc0000000000 RBX: ffff888007c8c600 RCX: 0000000000000000
[ 1621.983953] RDX: 1ffff11000f918c0 RSI: 0000000000000000 RDI: ffff88800be6c168
[ 1621.984135] RBP: ffff88800be6c160 R08: ffffffff8198dcf3 R09: ffffffff81990d3b
[ 1621.984305] R10: ffffffff8198da24 R11: ffffffff8198d9a3 R12: dead000000000122
[ 1621.984470] R13: dead000000000100 R14: ffff88800be6c160 R15: dffffc0000000000
[ 1621.985284] FS:  0000000000000000(0000) GS:ffff8880e6191000(0000) knlGS:0000000000000000
[ 1621.985656] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1621.986069] CR2: dffffc0000000000 CR3: 000000000a7eb000 CR4: 00000000000006f0
[ 1621.986500] Kernel panic - not syncing: Fatal exception
[ 1621.988088] Kernel Offset: disabled
[ 1621.988350] Rebooting in 1 seconds..


* [PATCH] RDMA/umad: Reject negative data_len in ib_umad_write
  2026-01-30 11:00 [Bug] KASAN: null-ptr-deref in range in ib-comp-unb-wq ib_cq_poll_work yunje shin
@ 2026-01-31 14:09 ` YunJe Shin
  2026-02-01  9:30   ` Michael Gur
  2026-02-02 18:34   ` Jason Gunthorpe
  0 siblings, 2 replies; 6+ messages in thread
From: YunJe Shin @ 2026-01-31 14:09 UTC (permalink / raw)
  To: yjshin0438; +Cc: ioerts, jgg, joonkyoj, leon, linux-rdma

ib_umad_write computes data_len from user-controlled count and the
MAD header sizes. With a mismatched user MAD header size and RMPP
header length, data_len can become negative and reach ib_create_send_mad().
This can make the padding calculation exceed the segment size and trigger
an out-of-bounds memset in alloc_send_rmpp_list().

Add an explicit check to reject negative data_len before creating the
send buffer.

KASAN splat:
[  211.363464] BUG: KASAN: slab-out-of-bounds in ib_create_send_mad+0xa01/0x11b0
[  211.364077] Write of size 220 at addr ffff88800c3fa1f8 by task spray_thread/102
[  211.365867] ib_create_send_mad+0xa01/0x11b0
[  211.365887] ib_umad_write+0x853/0x1c80

Fixes: 2be8e3ee8efd ("IB/umad: Add P_Key index support")
Signed-off-by: YunJe Shin <ioerts@kookmin.ac.kr>
---
 drivers/infiniband/core/user_mad.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/infiniband/core/user_mad.c b/drivers/infiniband/core/user_mad.c
index fd67fc9fe85a..db1643aab029 100644
--- a/drivers/infiniband/core/user_mad.c
+++ b/drivers/infiniband/core/user_mad.c
@@ -588,7 +588,15 @@ static ssize_t ib_umad_write(struct file *filp, const char __user *buf,
 	}
 
 	base_version = ((struct ib_mad_hdr *)&packet->mad.data)->base_version;
+	if (count < hdr_size(file) + hdr_len) {
+		ret = -EINVAL;
+		goto err_ah;
+	}
 	data_len = count - hdr_size(file) - hdr_len;
+	if (data_len < 0) {
+		ret = -EINVAL;
+		goto err_ah;
+	}
 	packet->msg = ib_create_send_mad(agent,
 					 be32_to_cpu(packet->mad.hdr.qpn),
 					 packet->mad.hdr.pkey_index, rmpp_active,
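Review bot: the `if (data_len < 0)` test after `data_len = count - hdr_size(file) - hdr_len;` is unreachable on the path the first new check leaves open, because `if (count < hdr_size(file) + hdr_len)` already guarantees the subtraction cannot go below zero; the only value the second test could still catch is a result narrowed from the `size_t` arithmetic into the `int data_len`, and that is better handled by making `data_len` a `size_t` (or by doing the subtraction with `check_sub_overflow()` into an unsigned variable) than by a second comparison. Collapsing to one check also matches the commit message, which describes adding a single explicit check. Both error paths reuse the existing `err_ah` unwind with `-EINVAL`, which is consistent with the surrounding error handling.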
-- 
2.43.0



* Re: [PATCH] RDMA/umad: Reject negative data_len in ib_umad_write
  2026-01-31 14:09 ` [PATCH] RDMA/umad: Reject negative data_len in ib_umad_write YunJe Shin
@ 2026-02-01  9:30   ` Michael Gur
  2026-02-02 18:34   ` Jason Gunthorpe
  1 sibling, 0 replies; 6+ messages in thread
From: Michael Gur @ 2026-02-01  9:30 UTC (permalink / raw)
  To: YunJe Shin; +Cc: ioerts, jgg, joonkyoj, leon, linux-rdma


On 1/31/2026 4:09 PM, YunJe Shin wrote:
> @@ -588,7 +588,15 @@ static ssize_t ib_umad_write(struct file *filp, const char __user *buf,
>   	}
>   
>   	base_version = ((struct ib_mad_hdr *)&packet->mad.data)->base_version;
> +	if (count < hdr_size(file) + hdr_len) {
> +		ret = -EINVAL;
> +		goto err_ah;
> +	}
>   	data_len = count - hdr_size(file) - hdr_len;
> +	if (data_len < 0) {
> +		ret = -EINVAL;
> +		goto err_ah;
> +	}

The second check is redundant.
The first already ensures data_len >= 0.

>   	packet->msg = ib_create_send_mad(agent,
>   					 be32_to_cpu(packet->mad.hdr.qpn),
>   					 packet->mad.hdr.pkey_index, rmpp_active,


* Re: [PATCH] RDMA/umad: Reject negative data_len in ib_umad_write
  2026-01-31 14:09 ` [PATCH] RDMA/umad: Reject negative data_len in ib_umad_write YunJe Shin
  2026-02-01  9:30   ` Michael Gur
@ 2026-02-02 18:34   ` Jason Gunthorpe
  2026-02-03  6:46     ` YunJe Shin
  1 sibling, 1 reply; 6+ messages in thread
From: Jason Gunthorpe @ 2026-02-02 18:34 UTC (permalink / raw)
  To: YunJe Shin; +Cc: ioerts, joonkyoj, leon, linux-rdma

On Sat, Jan 31, 2026 at 11:09:14PM +0900, YunJe Shin wrote:
> ib_umad_write computes data_len from user-controlled count and the
> MAD header sizes. With a mismatched user MAD header size and RMPP
> header length, data_len can become negative and reach ib_create_send_mad().
> This can make the padding calculation exceed the segment size and trigger
> an out-of-bounds memset in alloc_send_rmpp_list().
> 
> Add an explicit check to reject negative data_len before creating the
> send buffer.
> 
> KASAN splat:
> [  211.363464] BUG: KASAN: slab-out-of-bounds in ib_create_send_mad+0xa01/0x11b0
> [  211.364077] Write of size 220 at addr ffff88800c3fa1f8 by task spray_thread/102
> [  211.365867] ib_create_send_mad+0xa01/0x11b0
> [  211.365887] ib_umad_write+0x853/0x1c80
> 
> Fixes: 2be8e3ee8efd ("IB/umad: Add P_Key index support")
> Signed-off-by: YunJe Shin <ioerts@kookmin.ac.kr>
> ---
>  drivers/infiniband/core/user_mad.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/drivers/infiniband/core/user_mad.c b/drivers/infiniband/core/user_mad.c
> index fd67fc9fe85a..db1643aab029 100644
> --- a/drivers/infiniband/core/user_mad.c
> +++ b/drivers/infiniband/core/user_mad.c
> @@ -588,7 +588,15 @@ static ssize_t ib_umad_write(struct file *filp, const char __user *buf,
>  	}
>  
>  	base_version = ((struct ib_mad_hdr *)&packet->mad.data)->base_version;
> +	if (count < hdr_size(file) + hdr_len) {
> +		ret = -EINVAL;
> +		goto err_ah;
> +	}
>  	data_len = count - hdr_size(file) - hdr_len;
> +	if (data_len < 0) {
> +		ret = -EINVAL;
> +		goto err_ah;
> +	}

data_len should also be a size_t to prevent truncation of count.

But I think I would prefer to replace both of these 'ifs' with a
simple check_sub_overflow() after making data_len unsigned.

Jason


* [PATCH] RDMA/umad: Reject negative data_len in ib_umad_write
  2026-02-02 18:34   ` Jason Gunthorpe
@ 2026-02-03  6:46     ` YunJe Shin
  2026-02-03  9:46       ` Leon Romanovsky
  0 siblings, 1 reply; 6+ messages in thread
From: YunJe Shin @ 2026-02-03  6:46 UTC (permalink / raw)
  To: jgg; +Cc: ioerts, joonkyoj, leon, linux-rdma, yjshin0438

ib_umad_write computes data_len from user-controlled count and the
MAD header sizes. With a mismatched user MAD header size and RMPP
header length, data_len can become negative and reach ib_create_send_mad().
This can make the padding calculation exceed the segment size and trigger
an out-of-bounds memset in alloc_send_rmpp_list().

Add an explicit check to reject negative data_len before creating the
send buffer.

KASAN splat:
[  211.363464] BUG: KASAN: slab-out-of-bounds in ib_create_send_mad+0xa01/0x11b0
[  211.364077] Write of size 220 at addr ffff88800c3fa1f8 by task spray_thread/102
[  211.365867] ib_create_send_mad+0xa01/0x11b0
[  211.365887] ib_umad_write+0x853/0x1c80

Fixes: 2be8e3ee8efd ("IB/umad: Add P_Key index support")
Signed-off-by: YunJe Shin <ioerts@kookmin.ac.kr>
---
 drivers/infiniband/core/user_mad.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/infiniband/core/user_mad.c b/drivers/infiniband/core/user_mad.c
index fd67fc9fe85a..2f7e3c4483fc 100644
--- a/drivers/infiniband/core/user_mad.c
+++ b/drivers/infiniband/core/user_mad.c
@@ -514,7 +514,8 @@ static ssize_t ib_umad_write(struct file *filp, const char __user *buf,
 	struct rdma_ah_attr ah_attr;
 	struct ib_ah *ah;
 	__be64 *tid;
-	int ret, data_len, hdr_len, copy_offset, rmpp_active;
+	int ret, hdr_len, copy_offset, rmpp_active;
+	size_t data_len;
 	u8 base_version;
 
 	if (count < hdr_size(file) + IB_MGMT_RMPP_HDR)
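Review bot: once `data_len` is a `size_t`, the subject "Reject negative data_len" and the body's "reject negative data_len" no longer describe the change, since an unsigned value cannot be negative; reword both to say the write is rejected when `count` is shorter than the combined user-MAD and class header length (an underflow of the subtraction). The context line `if (count < hdr_size(file) + IB_MGMT_RMPP_HDR)` shows the existing lower bound on `count` is taken against the RMPP header only, which is why a larger per-class `hdr_len` can still exceed what remains; that reasoning belongs in the commit message. Also, the `data_len` argument to `ib_create_send_mad()` is cut off in the following hunk: whatever type that parameter has, the new `size_t` is converted at the call, so a short comment (or an explicit upper bound) documenting that the value fits is worth adding.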
@@ -588,7 +589,10 @@ static ssize_t ib_umad_write(struct file *filp, const char __user *buf,
 	}
 
 	base_version = ((struct ib_mad_hdr *)&packet->mad.data)->base_version;
-	data_len = count - hdr_size(file) - hdr_len;
+	if (check_sub_overflow(count, hdr_size(file) + hdr_len, &data_len)) {
+		ret = -EINVAL;
+		goto err_ah;
+	}
 	packet->msg = ib_create_send_mad(agent,
 					 be32_to_cpu(packet->mad.hdr.qpn),
 					 packet->mad.hdr.pkey_index, rmpp_active,
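Review bot: `check_sub_overflow()` is defined in `<linux/overflow.h>` and this hunk does not add that include; unless the file already includes it directly, add it rather than relying on a transitive include. The operands mix `count` with `hdr_size(file) + hdr_len`, where `hdr_len` is an `int` per the previous hunk; the macro is type-generic and the result lands in the `size_t data_len`, so the check is correct, but a one-line comment saying that a true result means `count` is shorter than the headers would help the next reader, since `ret = -EINVAL; goto err_ah;` otherwise reads like a generic overflow trap. As Leon notes, this respin should be posted as a fresh `[PATCH v2]` with a changelog below the `---` line instead of as a reply.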
-- 
2.43.0
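An added example, not code from the patch, the kernel or the thread participants: a user-space C model of the arithmetic the commit message describes. The header sizes, the MAD size and the shape of the padding helper are assumptions made for this illustration (the padding helper follows the general form of the kernel's get_pad_size() as I recall it, and is not a copy of it); `__builtin_sub_overflow` stands in for the kernel's `check_sub_overflow()`. The model shows that once `count` passes the early RMPP-based lower bound but is shorter than the class header, the pre-patch `int` narrowing produces a negative length and a pad larger than the segment, while the unsigned check Jason asked for (the shape of the respin above) rejects the write with -EINVAL.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Sizes assumed for this illustration (not taken from the patch): a 64-byte
 * user MAD header, a 36-byte RMPP header used by the early lower-bound check,
 * a class-specific header of 64 bytes, and a 256-byte MAD.
 */
#define USER_HDR_SIZE   64
#define RMPP_HDR_LEN    36
#define CLASS_HDR_LEN   64
#define MAD_SIZE        256
#define RET_EINVAL     (-22)

/*
 * Pre-patch shape of the computation: the early check bounds count only
 * against the RMPP header, the subtraction runs in size_t and the result is
 * narrowed into an int (the narrowed value is taken modulo 2^32, as gcc and
 * clang define it).
 */
static int data_len_unchecked(size_t count, size_t hdr_size, int hdr_len)
{
	if (count < hdr_size + RMPP_HDR_LEN)
		return RET_EINVAL;          /* the existing lower bound */
	return (int)(count - hdr_size - hdr_len);
}

/*
 * Hardened shape, after the respin: keep data_len unsigned and refuse the
 * write when count is shorter than the combined headers.
 * __builtin_sub_overflow stands in for the kernel's check_sub_overflow().
 */
static int data_len_checked(size_t count, size_t hdr_size, int hdr_len,
			    size_t *data_len)
{
	size_t hdrs = hdr_size + (size_t)hdr_len;

	if (count < hdr_size + RMPP_HDR_LEN)
		return RET_EINVAL;
	if (__builtin_sub_overflow(count, hdrs, data_len))
		return RET_EINVAL;          /* underflow: count < hdrs */
	return 0;
}

/* Convenience wrapper: the checked data_len, or (size_t)-1 when rejected. */
static size_t checked_data_len(size_t count, size_t hdr_size, int hdr_len)
{
	size_t dl;

	return data_len_checked(count, hdr_size, hdr_len, &dl) ? (size_t)-1 : dl;
}

/*
 * Simplified model of the padding arithmetic the commit message refers to
 * (assumed for this example): pad the last RMPP segment up to a multiple of
 * the segment size. With a negative data_len the C remainder is negative too,
 * so pad exceeds seg_size, which is the condition that sends the later memset
 * past the segment.
 */
static int pad_size_model(int hdr_len, int data_len, size_t mad_size)
{
	int seg_size = (int)mad_size - hdr_len;
	int pad;

	if (!data_len || !seg_size)
		return 0;
	pad = seg_size - data_len % seg_size;
	return pad == seg_size ? 0 : pad;
}

/* True when a pad of this size can be written inside one segment. */
static bool pad_fits_segment(int pad, int hdr_len, size_t mad_size)
{
	return pad >= 0 && pad <= (int)mad_size - hdr_len;
}

int main(void)
{
	size_t count = USER_HDR_SIZE + RMPP_HDR_LEN; /* just passes the early check */
	int old = data_len_unchecked(count, USER_HDR_SIZE, CLASS_HDR_LEN);
	int pad = pad_size_model(CLASS_HDR_LEN, old, MAD_SIZE);

	printf("unchecked: data_len=%d pad=%d fits=%s\n", old, pad,
	       pad_fits_segment(pad, CLASS_HDR_LEN, MAD_SIZE) ? "yes" : "no");
	printf("checked:   data_len=%zd\n",
	       (ptrdiff_t)checked_data_len(count, USER_HDR_SIZE, CLASS_HDR_LEN));
	return 0;
}
```

The unchecked path returns a negative length for a `count` of exactly 100 bytes, and the padding model turns that into a pad wider than the 192-byte segment; the checked path returns -EINVAL for the same input and a sane length once `count` covers both headers.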



* Re: [PATCH] RDMA/umad: Reject negative data_len in ib_umad_write
  2026-02-03  6:46     ` YunJe Shin
@ 2026-02-03  9:46       ` Leon Romanovsky
  0 siblings, 0 replies; 6+ messages in thread
From: Leon Romanovsky @ 2026-02-03  9:46 UTC (permalink / raw)
  To: YunJe Shin; +Cc: jgg, ioerts, joonkyoj, linux-rdma

On Tue, Feb 03, 2026 at 03:46:08PM +0900, YunJe Shin wrote:
> ib_umad_write computes data_len from user-controlled count and the
> MAD header sizes. With a mismatched user MAD header size and RMPP
> header length, data_len can become negative and reach ib_create_send_mad().
> This can make the padding calculation exceed the segment size and trigger
> an out-of-bounds memset in alloc_send_rmpp_list().
> 
> Add an explicit check to reject negative data_len before creating the
> send buffer.
> 
> KASAN splat:
> [  211.363464] BUG: KASAN: slab-out-of-bounds in ib_create_send_mad+0xa01/0x11b0
> [  211.364077] Write of size 220 at addr ffff88800c3fa1f8 by task spray_thread/102
> [  211.365867] ib_create_send_mad+0xa01/0x11b0
> [  211.365887] ib_umad_write+0x853/0x1c80
> 
> Fixes: 2be8e3ee8efd ("IB/umad: Add P_Key index support")
> Signed-off-by: YunJe Shin <ioerts@kookmin.ac.kr>
> ---
>  drivers/infiniband/core/user_mad.c | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)

Please submit this patch as a separate email, not as a reply.

Include a version number in the commit subject, and provide a changelog
below the Signed-off-by tag and the "---" marker.

Thanks

