public inbox for linux-rdma@vger.kernel.org
* [PATCH v2] RDMA/umad: Reject negative data_len in ib_umad_write
@ 2026-02-03 10:06 YunJe Shin
  2026-02-05 12:53 ` Leon Romanovsky
  0 siblings, 1 reply; 4+ messages in thread
From: YunJe Shin @ 2026-02-03 10:06 UTC (permalink / raw)
  To: jgg; +Cc: ioerts, joonkyoj, leon, linux-rdma, yjshin0438

ib_umad_write computes data_len from user-controlled count and the
MAD header sizes. With a mismatched user MAD header size and RMPP
header length, data_len can become negative and reach ib_create_send_mad().
This can make the padding calculation exceed the segment size and trigger
an out-of-bounds memset in alloc_send_rmpp_list().

Add an explicit check to reject negative data_len before creating the
send buffer.

KASAN splat:
[  211.363464] BUG: KASAN: slab-out-of-bounds in ib_create_send_mad+0xa01/0x11b0
[  211.364077] Write of size 220 at addr ffff88800c3fa1f8 by task spray_thread/102
[  211.365867] ib_create_send_mad+0xa01/0x11b0
[  211.365887] ib_umad_write+0x853/0x1c80

Fixes: 2be8e3ee8efd ("IB/umad: Add P_Key index support")
Signed-off-by: YunJe Shin <ioerts@kookmin.ac.kr>
v2:
- make data_len size_t to avoid truncation
- use check_sub_overflow() for count - hdr_size - hdr_len
---
 drivers/infiniband/core/user_mad.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/infiniband/core/user_mad.c b/drivers/infiniband/core/user_mad.c
index fd67fc9fe85a..2f7e3c4483fc 100644
--- a/drivers/infiniband/core/user_mad.c
+++ b/drivers/infiniband/core/user_mad.c
@@ -514,7 +514,8 @@ static ssize_t ib_umad_write(struct file *filp, const char __user *buf,
 	struct rdma_ah_attr ah_attr;
 	struct ib_ah *ah;
 	__be64 *tid;
-	int ret, data_len, hdr_len, copy_offset, rmpp_active;
+	int ret, hdr_len, copy_offset, rmpp_active;
+	size_t data_len;
 	u8 base_version;
 
 	if (count < hdr_size(file) + IB_MGMT_RMPP_HDR)
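Review bot: data_len becomes size_t in this declaration while hdr_len, which takes part in the same length computation further down, stays a signed int. The v2 changelog gives "avoid truncation" as the reason for the type change, so every remaining use of data_len in ib_umad_write should be checked for a conversion back to a signed or narrower type: comparisons and arithmetic against the int variables declared here, and the value handed on to ib_create_send_mad(). If that callee takes an int, an explicit upper bound before the call would keep the conversion well defined.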
@@ -588,7 +589,10 @@ static ssize_t ib_umad_write(struct file *filp, const char __user *buf,
 	}
 
 	base_version = ((struct ib_mad_hdr *)&packet->mad.data)->base_version;
-	data_len = count - hdr_size(file) - hdr_len;
+	if (check_sub_overflow(count, hdr_size(file) + hdr_len, &data_len)) {
+		ret = -EINVAL;
+		goto err_ah;
+	}
 	packet->msg = ib_create_send_mad(agent,
 					 be32_to_cpu(packet->mad.hdr.qpn),
 					 packet->mad.hdr.pkey_index, rmpp_active,
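Review bot: in `check_sub_overflow(count, hdr_size(file) + hdr_len, &data_len)` the subtrahend is summed before the helper sees it, and hdr_len is still a signed int, so only the final subtraction is covered by the overflow check. Making hdr_len unsigned, or noting where it is bounded, would close that gap. A short comment would also help here: the function already rejects `count < hdr_size(file) + IB_MGMT_RMPP_HDR` on entry, so a reader needs to be told that hdr_len can exceed IB_MGMT_RMPP_HDR by this point, which is the reason a second check is required.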
-- 
2.43.0


* Re: [PATCH v2] RDMA/umad: Reject negative data_len in ib_umad_write
  2026-02-03 10:06 [PATCH v2] RDMA/umad: Reject negative data_len in ib_umad_write YunJe Shin
@ 2026-02-05 12:53 ` Leon Romanovsky
  2026-02-08  6:00   ` yunje shin
  0 siblings, 1 reply; 4+ messages in thread
From: Leon Romanovsky @ 2026-02-05 12:53 UTC (permalink / raw)
  To: jgg, YunJe Shin; +Cc: ioerts, joonkyoj, linux-rdma


On Tue, 03 Feb 2026 19:06:21 +0900, YunJe Shin wrote:
> ib_umad_write computes data_len from user-controlled count and the
> MAD header sizes. With a mismatched user MAD header size and RMPP
> header length, data_len can become negative and reach ib_create_send_mad().
> This can make the padding calculation exceed the segment size and trigger
> an out-of-bounds memset in alloc_send_rmpp_list().
> 
> Add an explicit check to reject negative data_len before creating the
> send buffer.
> 
> [...]

Applied, thanks!

[1/1] RDMA/umad: Reject negative data_len in ib_umad_write
      https://git.kernel.org/rdma/rdma/c/5551b02fdbfd85

Best regards,
-- 
Leon Romanovsky <leon@kernel.org>



* Re: [PATCH v2] RDMA/umad: Reject negative data_len in ib_umad_write
  2026-02-05 12:53 ` Leon Romanovsky
@ 2026-02-08  6:00   ` yunje shin
  2026-02-08  6:53     ` Leon Romanovsky
  0 siblings, 1 reply; 4+ messages in thread
From: yunje shin @ 2026-02-08  6:00 UTC (permalink / raw)
  To: Leon Romanovsky; +Cc: jgg, ioerts, joonkyoj, linux-rdma

I noticed I missed the Cc: stable tag. Should this fix be backported
to stable trees as well?

Thanks, YunJe Shin

On Thu, Feb 5, 2026 at 9:53 PM Leon Romanovsky <leon@kernel.org> wrote:
>
>
> On Tue, 03 Feb 2026 19:06:21 +0900, YunJe Shin wrote:
> > ib_umad_write computes data_len from user-controlled count and the
> > MAD header sizes. With a mismatched user MAD header size and RMPP
> > header length, data_len can become negative and reach ib_create_send_mad().
> > This can make the padding calculation exceed the segment size and trigger
> > an out-of-bounds memset in alloc_send_rmpp_list().
> >
> > Add an explicit check to reject negative data_len before creating the
> > send buffer.
> >
> > [...]
>
> Applied, thanks!
>
> [1/1] RDMA/umad: Reject negative data_len in ib_umad_write
>       https://git.kernel.org/rdma/rdma/c/5551b02fdbfd85
>
> Best regards,
> --
> Leon Romanovsky <leon@kernel.org>
>


* Re: [PATCH v2] RDMA/umad: Reject negative data_len in ib_umad_write
  2026-02-08  6:00   ` yunje shin
@ 2026-02-08  6:53     ` Leon Romanovsky
  0 siblings, 0 replies; 4+ messages in thread
From: Leon Romanovsky @ 2026-02-08  6:53 UTC (permalink / raw)
  To: yunje shin; +Cc: jgg, ioerts, joonkyoj, linux-rdma

On Sun, Feb 08, 2026 at 03:00:41PM +0900, yunje shin wrote:
> I noticed I missed the Cc: stable tag. Should this fix be backported
> to stable trees as well?

1. We (the RDMA maintainers) almost always remove stable@ tags from
   submitted patches. We prefer to reserve those tags for cases that
   truly warrant them, where we can take the extra step of preparing a
   proper backport.

2. Patches that include a Fixes line are automatically considered for
   stable@ inclusion by the AUTOSEL tool used by the stable maintainers.

Thanks

> 
> Thanks, YunJe Shin
> 
> On Thu, Feb 5, 2026 at 9:53 PM Leon Romanovsky <leon@kernel.org> wrote:
> >
> >
> > On Tue, 03 Feb 2026 19:06:21 +0900, YunJe Shin wrote:
> > > ib_umad_write computes data_len from user-controlled count and the
> > > MAD header sizes. With a mismatched user MAD header size and RMPP
> > > header length, data_len can become negative and reach ib_create_send_mad().
> > > This can make the padding calculation exceed the segment size and trigger
> > > an out-of-bounds memset in alloc_send_rmpp_list().
> > >
> > > Add an explicit check to reject negative data_len before creating the
> > > send buffer.
> > >
> > > [...]
> >
> > Applied, thanks!
> >
> > [1/1] RDMA/umad: Reject negative data_len in ib_umad_write
> >       https://git.kernel.org/rdma/rdma/c/5551b02fdbfd85
> >
> > Best regards,
> > --
> > Leon Romanovsky <leon@kernel.org>
> >
> 
