* [Bug] KASAN: null-ptr-deref in range in ib-comp-unb-wq ib_cq_poll_work
From: yunje shin @ 2026-01-30 11:00 UTC
To: Jason Gunthorpe, Leon Romanovsky; +Cc: YunJe Shin, linux-rdma, Joonkyoo Jeong

in drivers/infiniband/core/user_mad.c

[ 1621.970286] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: I
[ 1621.971167] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
[ 1621.971925] CPU: 0 UID: 0 PID: 43 Comm: kworker/u9:0 Not tainted 6.19.0-rc7-g8dfce8991b95-dirty #4
[ 1621.972373] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 4
[ 1621.972850] Workqueue: ib-comp-unb-wq ib_cq_poll_work
[ 1621.973486] RIP: 0010:ib_free_send_mad+0xf3/0x270
[ 1621.973718] Code: 85 22 01 00 00 49 8d 7e 08 48 8b 4b 08 48 89 fe 48 c1 ee 03 42 80 3c 3e 00 0f 85 2
[ 1621.974316] RSP: 0018:ffff888008487a30 EFLAGS: 00000246
[ 1621.974522] RAX: dffffc0000000000 RBX: ffff888007c8c600 RCX: 0000000000000000
[ 1621.974721] RDX: 1ffff11000f918c0 RSI: 0000000000000000 RDI: ffff88800be6c168
[ 1621.974919] RBP: ffff88800be6c160 R08: ffffffff8198dcf3 R09: ffffffff81990d3b
[ 1621.975227] R10: ffffffff8198da24 R11: ffffffff8198d9a3 R12: dead000000000122
[ 1621.975571] R13: dead000000000100 R14: ffff88800be6c160 R15: dffffc0000000000
[ 1621.975934] FS: 0000000000000000(0000) GS:ffff8880e6191000(0000) knlGS:0000000000000000
[ 1621.976269] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1621.976491] CR2: dffffc0000000000 CR3: 000000000a7eb000 CR4: 00000000000006f0
[ 1621.976833] Call Trace:
[ 1621.977113] <TASK>
[ 1621.977292] ? rdma_destroy_ah_user+0xf1/0x170
[ 1621.977520] send_handler+0x1b0/0x330
[ 1621.977748] ib_mad_complete_send_wr+0x1de/0x920
[ 1621.977902] ib_mad_send_done+0x706/0x1200
[ 1621.978063] ? __pfx_ib_mad_send_done+0x10/0x10
[ 1621.978258] ? __pfx_ib_mad_send_done+0x10/0x10
[ 1621.978545] __ib_process_cq+0xe1/0x330
[ 1621.978676] ib_cq_poll_work+0x46/0x150
[ 1621.978853] process_one_work+0x5e7/0xf30
[ 1621.979012] worker_thread+0x763/0x12b0
[ 1621.979128] ? __pfx_worker_thread+0x10/0x10
[ 1621.979246] kthread+0x30d/0x630
[ 1621.979346] ? __pfx_kthread+0x10/0x10
[ 1621.979447] ? __pfx__raw_spin_lock_irq+0x10/0x10
[ 1621.979592] ? __pfx_kthread+0x10/0x10
[ 1621.979696] ret_from_fork+0x308/0x3f0
[ 1621.979808] ? __pfx_ret_from_fork+0x10/0x10
[ 1621.979934] ? __switch_to+0xaec/0xe60
[ 1621.980046] ? __switch_to_asm+0x39/0x70
[ 1621.980163] ? __switch_to_asm+0x33/0x70
[ 1621.980281] ? __pfx_kthread+0x10/0x10
[ 1621.980385] ret_from_fork_asm+0x1a/0x30
[ 1621.980537] </TASK>
[ 1621.980659] Modules linked in:
[ 1621.982033] ---[ end trace 0000000000000000 ]---
[ 1621.986500] Kernel panic - not syncing: Fatal exception
[ 1621.988088] Kernel Offset: disabled
[ 1621.988350] Rebooting in 1 seconds..
* [PATCH] RDMA/umad: Reject negative data_len in ib_umad_write
From: YunJe Shin @ 2026-01-31 14:09 UTC
To: yjshin0438; +Cc: ioerts, jgg, joonkyoj, leon, linux-rdma

ib_umad_write computes data_len from user-controlled count and the
MAD header sizes. With a mismatched user MAD header size and RMPP
header length, data_len can become negative and reach ib_create_send_mad().
This can make the padding calculation exceed the segment size and trigger
an out-of-bounds memset in alloc_send_rmpp_list().

Add an explicit check to reject negative data_len before creating the
send buffer.

KASAN splat:
[ 211.363464] BUG: KASAN: slab-out-of-bounds in ib_create_send_mad+0xa01/0x11b0
[ 211.364077] Write of size 220 at addr ffff88800c3fa1f8 by task spray_thread/102
[ 211.365867] ib_create_send_mad+0xa01/0x11b0
[ 211.365887] ib_umad_write+0x853/0x1c80

Fixes: 2be8e3ee8efd ("IB/umad: Add P_Key index support")
Signed-off-by: YunJe Shin <ioerts@kookmin.ac.kr>
---
 drivers/infiniband/core/user_mad.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/infiniband/core/user_mad.c b/drivers/infiniband/core/user_mad.c
index fd67fc9fe85a..db1643aab029 100644
--- a/drivers/infiniband/core/user_mad.c
+++ b/drivers/infiniband/core/user_mad.c
@@ -588,7 +588,15 @@ static ssize_t ib_umad_write(struct file *filp, const char __user *buf, } base_version = ((struct ib_mad_hdr *)&packet->mad.data)->base_version; + if (count < hdr_size(file) + hdr_len) { + ret = -EINVAL; + goto err_ah; + } data_len = count - hdr_size(file) - hdr_len; + if (data_len < 0) { + ret = -EINVAL; + goto err_ah; + } packet->msg = ib_create_send_mad(agent, be32_to_cpu(packet->mad.hdr.qpn), packet->mad.hdr.pkey_index, rmpp_active,
-- 
2.43.0
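Review bot: the two checks added in this hunk overlap. Once `if (count < hdr_size(file) + hdr_len)` has passed, `count - hdr_size(file) - hdr_len` is non-negative, so `if (data_len < 0)` can only trip when that difference is too large for the int data_len and wraps on assignment, which is a truncation problem rather than the header-size mismatch the commit message describes. Since count is the write() length (a size_t) and data_len an int, fold both checks into one overflow-checked subtraction into an unsigned data_len, e.g. `if (check_sub_overflow(count, hdr_size(file) + hdr_len, &data_len))`, so the rejection and the type mismatch are handled in one place.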
* Re: [PATCH] RDMA/umad: Reject negative data_len in ib_umad_write
From: Michael Gur @ 2026-02-01 9:30 UTC
To: YunJe Shin; +Cc: ioerts, jgg, joonkyoj, leon, linux-rdma

On 1/31/2026 4:09 PM, YunJe Shin wrote:
> @@ -588,7 +588,15 @@ static ssize_t ib_umad_write(struct file *filp, const char __user *buf, > } > > base_version = ((struct ib_mad_hdr *)&packet->mad.data)->base_version; > + if (count < hdr_size(file) + hdr_len) { > + ret = -EINVAL; > + goto err_ah; > + } > data_len = count - hdr_size(file) - hdr_len; > + if (data_len < 0) { > + ret = -EINVAL; > + goto err_ah; > + }

The second check is redundant. The first already ensures data_len >= 0.

> packet->msg = ib_create_send_mad(agent, > be32_to_cpu(packet->mad.hdr.qpn), > packet->mad.hdr.pkey_index, rmpp_active,
* Re: [PATCH] RDMA/umad: Reject negative data_len in ib_umad_write
From: Jason Gunthorpe @ 2026-02-02 18:34 UTC
To: YunJe Shin; +Cc: ioerts, joonkyoj, leon, linux-rdma

On Sat, Jan 31, 2026 at 11:09:14PM +0900, YunJe Shin wrote:
> ib_umad_write computes data_len from user-controlled count and the
> MAD header sizes. With a mismatched user MAD header size and RMPP
> header length, data_len can become negative and reach ib_create_send_mad().
> This can make the padding calculation exceed the segment size and trigger
> an out-of-bounds memset in alloc_send_rmpp_list().
>
> Add an explicit check to reject negative data_len before creating the
> send buffer.
>
> KASAN splat:
> [ 211.363464] BUG: KASAN: slab-out-of-bounds in ib_create_send_mad+0xa01/0x11b0
> [ 211.364077] Write of size 220 at addr ffff88800c3fa1f8 by task spray_thread/102
> [ 211.365867] ib_create_send_mad+0xa01/0x11b0
> [ 211.365887] ib_umad_write+0x853/0x1c80
>
> Fixes: 2be8e3ee8efd ("IB/umad: Add P_Key index support")
> Signed-off-by: YunJe Shin <ioerts@kookmin.ac.kr>
> ---
> drivers/infiniband/core/user_mad.c | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/drivers/infiniband/core/user_mad.c b/drivers/infiniband/core/user_mad.c
> index fd67fc9fe85a..db1643aab029 100644
> --- a/drivers/infiniband/core/user_mad.c
> +++ b/drivers/infiniband/core/user_mad.c
> @@ -588,7 +588,15 @@ static ssize_t ib_umad_write(struct file *filp, const char __user *buf, > } > > base_version = ((struct ib_mad_hdr *)&packet->mad.data)->base_version; > + if (count < hdr_size(file) + hdr_len) { > + ret = -EINVAL; > + goto err_ah; > + } > data_len = count - hdr_size(file) - hdr_len; > + if (data_len < 0) { > + ret = -EINVAL; > + goto err_ah; > + }

data_len should also be a size_t to prevent truncation of count. But I think I would prefer to replace both of these 'ifs' with a simple check_sub_overflow() after making data_len unsigned.

Jason
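The arithmetic the commit message describes (a size_t count minus the header sizes stored in an int) and the overflow-checked replacement Jason asks for, modelled in stand-alone user-space C. This is an added illustration, not code from user_mad.c or from either version of the patch; the header sizes are constructed placeholders and __builtin_sub_overflow() stands in for the kernel's check_sub_overflow() wrapper around it.

```c
/* Added stand-alone model of the data_len arithmetic discussed in this thread;
 * not code from user_mad.c or the patch. Header sizes below are constructed
 * placeholders, not the kernel's real IB header lengths. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Pre-patch shape: size_t count minus the header sizes, stored in an int.
 * The subtraction is done in size_t, so a count shorter than the headers
 * wraps to a huge value; converting that to int yields a negative number, and
 * a count above INT_MAX is silently truncated (GCC/Clang wrap modulo 2^32). */
int data_len_unchecked(size_t count, size_t hdr_size, int hdr_len)
{
	int data_len = count - hdr_size - hdr_len;
	return data_len;
}

/* Shape suggested in the thread: data_len is size_t and the subtraction is
 * overflow-checked. __builtin_sub_overflow() is the primitive the kernel's
 * check_sub_overflow() wraps: it computes count - (hdr_size + hdr_len) in
 * infinite precision and returns true when the result does not fit *out,
 * which for a size_t destination means "would be negative". */
int data_len_checked(size_t count, size_t hdr_size, int hdr_len, size_t *out)
{
	if (__builtin_sub_overflow(count, hdr_size + hdr_len, out))
		return -EINVAL;
	return 0;
}

/* Convenience wrapper: the checked length, or (size_t)-1 when rejected. */
size_t data_len_or_reject(size_t count, size_t hdr_size, int hdr_len)
{
	size_t out;
	return data_len_checked(count, hdr_size, hdr_len, &out) ? (size_t)-1 : out;
}

int main(void)
{
	size_t hdr_size = 64;	/* constructed: user MAD header size */
	int hdr_len = 36;	/* constructed: RMPP header length */
	/* 60 bytes cannot hold 100 bytes of headers: -40 vs. rejection */
	printf("unchecked(60)=%d checked(60)=%zu\n",
	       data_len_unchecked(60, hdr_size, hdr_len),
	       data_len_or_reject(60, hdr_size, hdr_len));
	if (sizeof(size_t) > 4) {	/* count with bit 32 set: the int sees 0 */
		size_t big = ((size_t)1 << 31 << 1) + hdr_size + hdr_len;
		printf("unchecked(big)=%d checked(big)=%zu\n",
		       data_len_unchecked(big, hdr_size, hdr_len),
		       data_len_or_reject(big, hdr_size, hdr_len));
	}
	return 0;
}
```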
* [PATCH] RDMA/umad: Reject negative data_len in ib_umad_write
From: YunJe Shin @ 2026-02-03 6:46 UTC
To: jgg; +Cc: ioerts, joonkyoj, leon, linux-rdma, yjshin0438

ib_umad_write computes data_len from user-controlled count and the
MAD header sizes. With a mismatched user MAD header size and RMPP
header length, data_len can become negative and reach ib_create_send_mad().
This can make the padding calculation exceed the segment size and trigger
an out-of-bounds memset in alloc_send_rmpp_list().

Add an explicit check to reject negative data_len before creating the
send buffer.

KASAN splat:
[ 211.363464] BUG: KASAN: slab-out-of-bounds in ib_create_send_mad+0xa01/0x11b0
[ 211.364077] Write of size 220 at addr ffff88800c3fa1f8 by task spray_thread/102
[ 211.365867] ib_create_send_mad+0xa01/0x11b0
[ 211.365887] ib_umad_write+0x853/0x1c80

Fixes: 2be8e3ee8efd ("IB/umad: Add P_Key index support")
Signed-off-by: YunJe Shin <ioerts@kookmin.ac.kr>
---
 drivers/infiniband/core/user_mad.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/infiniband/core/user_mad.c b/drivers/infiniband/core/user_mad.c
index fd67fc9fe85a..2f7e3c4483fc 100644
--- a/drivers/infiniband/core/user_mad.c
+++ b/drivers/infiniband/core/user_mad.c
@@ -514,7 +514,8 @@ static ssize_t ib_umad_write(struct file *filp, const char __user *buf, struct rdma_ah_attr ah_attr; struct ib_ah *ah; __be64 *tid; - int ret, data_len, hdr_len, copy_offset, rmpp_active; + int ret, hdr_len, copy_offset, rmpp_active; + size_t data_len; u8 base_version; if (count < hdr_size(file) + IB_MGMT_RMPP_HDR)
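Review bot: changing data_len from int to size_t in this hunk alters the type of every later expression it appears in, and none of those uses is visible here. hdr_len and copy_offset stay int on the same declaration line, so any comparison or arithmetic mixing them with data_len now promotes to unsigned, and the value handed to ib_create_send_mad() is converted to whatever type that parameter has. The commit message should say that those uses were audited (and how data_len reaches ib_create_send_mad() without a silent narrowing), otherwise a reader of this hunk cannot tell whether the type change is complete.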
@@ -588,7 +589,10 @@ static ssize_t ib_umad_write(struct file *filp, const char __user *buf, } base_version = ((struct ib_mad_hdr *)&packet->mad.data)->base_version; - data_len = count - hdr_size(file) - hdr_len; + if (check_sub_overflow(count, hdr_size(file) + hdr_len, &data_len)) { + ret = -EINVAL; + goto err_ah; + } packet->msg = ib_create_send_mad(agent, be32_to_cpu(packet->mad.hdr.qpn), packet->mad.hdr.pkey_index, rmpp_active,
-- 
2.43.0
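Review bot: the commit subject and body no longer describe this hunk. "Reject negative data_len" and "Add an explicit check to reject negative data_len" describe v1, while here data_len is a size_t that cannot be negative and the code instead rejects a count shorter than `hdr_size(file) + hdr_len` through check_sub_overflow(). Reword both to describe the overflow-checked subtraction, mark the resend as v2 and add a changelog under the `---` line so the redundancy and type comments from the earlier review are recorded. The subtrahend `hdr_size(file) + hdr_len` is itself an unchecked size_t-plus-int addition; that is acceptable only because hdr_len is one of the fixed MAD header lengths, which deserves a short comment next to the check.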
* Re: [PATCH] RDMA/umad: Reject negative data_len in ib_umad_write
From: Leon Romanovsky @ 2026-02-03 9:46 UTC
To: YunJe Shin; +Cc: jgg, ioerts, joonkyoj, linux-rdma

On Tue, Feb 03, 2026 at 03:46:08PM +0900, YunJe Shin wrote:
> ib_umad_write computes data_len from user-controlled count and the
> MAD header sizes. With a mismatched user MAD header size and RMPP
> header length, data_len can become negative and reach ib_create_send_mad().
> This can make the padding calculation exceed the segment size and trigger
> an out-of-bounds memset in alloc_send_rmpp_list().
>
> Add an explicit check to reject negative data_len before creating the
> send buffer.
>
> KASAN splat:
> [ 211.363464] BUG: KASAN: slab-out-of-bounds in ib_create_send_mad+0xa01/0x11b0
> [ 211.364077] Write of size 220 at addr ffff88800c3fa1f8 by task spray_thread/102
> [ 211.365867] ib_create_send_mad+0xa01/0x11b0
> [ 211.365887] ib_umad_write+0x853/0x1c80
>
> Fixes: 2be8e3ee8efd ("IB/umad: Add P_Key index support")
> Signed-off-by: YunJe Shin <ioerts@kookmin.ac.kr>
> ---
> drivers/infiniband/core/user_mad.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)

Please submit this patch as a separate email, not as a reply. Include a version number in the commit subject, and provide a changelog below the Signed-off-by tag and the "---" marker.

Thanks