[PATCH rdma-next 08/10] IB/core: Fix IPv6 netlink message size in ib_nl_ip_send_msg()

public inbox for linux-rdma@vger.kernel.org
 help / color / mirror / Atom feed

From: Edward Srouji <edwards@nvidia.com>
To: Leon Romanovsky <leon@kernel.org>, Jason Gunthorpe <jgg@ziepe.ca>,
	"Chiara Meiohas" <cmeiohas@nvidia.com>,
	Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>,
	Gal Pressman <galpress@amazon.com>,
	Mark Bloch <markb@mellanox.com>,
	Steve Wise <larrystevenwise@gmail.com>,
	Mark Zhang <markzhang@nvidia.com>,
	"Neta Ostrovsky" <netao@nvidia.com>,
	Patrisious Haddad <phaddad@nvidia.com>,
	"Doug Ledford" <dledford@redhat.com>,
	Matan Barak <matanb@mellanox.com>, <majd@mellanox.com>
Cc: <linux-rdma@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
	"Edward Srouji" <edwards@nvidia.com>,
	Maher Sanalla <msanalla@nvidia.com>
Subject: [PATCH rdma-next 08/10] IB/core: Fix IPv6 netlink message size in ib_nl_ip_send_msg()
Date: Wed, 25 Mar 2026 21:00:08 +0200	[thread overview]
Message-ID: <20260325-security-bug-fixes-v1-8-c8332981ad26@nvidia.com> (raw)
In-Reply-To: <20260325-security-bug-fixes-v1-0-c8332981ad26@nvidia.com>

From: Maher Sanalla <msanalla@nvidia.com>

When resolving an RDMA-CM IPv6 address, ib_nl_ip_send_msg() sends a
netlink request to the userspace daemon to perform IP-to-GID
resolution in certain cases. The function allocates the netlink message
buffer using nla_total_size(sizeof(size)), which passes 8 bytes (the
size of size_t) instead of 16 bytes (the size of an IPv6 address).
This results in an 8-byte under-allocation.

This is currently masked by nlmsg_new() over-allocation of the skb
in its internal logic. However, the code remains incorrect.

Fix the issue by supplying the proper IPv6 address length to
nla_total_size().

Fixes: ae43f8286730 ("IB/core: Add IP to GID netlink offload")
Signed-off-by: Maher Sanalla <msanalla@nvidia.com>
Reviewed-by: Patrisious Haddad <phaddad@nvidia.com>
Signed-off-by: Edward Srouji <edwards@nvidia.com>
---
 drivers/infiniband/core/addr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/infiniband/core/addr.c b/drivers/infiniband/core/addr.c
index 866746695712aeae425100eefb231e44d52d52d4..01c8e8806eebe511b405d17604cca28e3ed92571 100644
--- a/drivers/infiniband/core/addr.c
+++ b/drivers/infiniband/core/addr.c
@@ -150,7 +150,7 @@ static int ib_nl_ip_send_msg(struct rdma_dev_addr *dev_addr,
 		attrtype = RDMA_NLA_F_MANDATORY | LS_NLA_TYPE_IPV6;
 	}
 
-	len = nla_total_size(sizeof(size));
+	len = nla_total_size(size);
 	len += NLMSG_ALIGN(sizeof(*header));
 
 	skb = nlmsg_new(len, GFP_KERNEL);

-- 
2.49.0

next prev parent reply	other threads:[~2026-03-25 19:01 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-03-25 19:00 [PATCH rdma-next 00/10] RDMA: Stability and race condition fixes Edward Srouji
2026-03-25 19:00 ` [PATCH rdma-next 01/10] RDMA/mlx5: Remove DCT restrack tracking Edward Srouji
2026-03-25 19:00 ` [PATCH rdma-next 02/10] RDMA/core: Preserve restrack resource ID on reinsertion Edward Srouji
2026-03-25 19:00 ` [PATCH rdma-next 03/10] RDMA/core: Fix use after free in ib_query_qp() Edward Srouji
2026-03-25 19:00 ` [PATCH rdma-next 04/10] RDMA/core: Fix potential use after free in ib_destroy_cq_user() Edward Srouji
2026-03-25 19:00 ` [PATCH rdma-next 05/10] RDMA/core: Fix potential use after free in ib_destroy_srq_user() Edward Srouji
2026-03-25 19:00 ` [PATCH rdma-next 06/10] RDMA/mlx5: Fix UAF in SRQ destroy due to race with create Edward Srouji
2026-03-25 19:00 ` [PATCH rdma-next 07/10] RDMA/mlx5: Fix UAF in DCT " Edward Srouji
2026-03-25 19:00 ` Edward Srouji [this message]
2026-03-25 19:00 ` [PATCH rdma-next 09/10] RDMA/core: Fix rereg_mr use-after-free race Edward Srouji
2026-03-25 19:00 ` [PATCH rdma-next 10/10] RDMA/mlx5: Fix null-ptr-deref in Raw Packet QP creation Edward Srouji

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:866746695712aeae425100eefb231e44d52d52d
dfblob:01c8e8806eebe511b405d17604cca28e3ed9257 )
 OR (
bs:"[PATCH rdma-next 08/10] IB/core: Fix IPv6 netlink message size in ib_nl_ip_send_msg()" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260325-security-bug-fixes-v1-8-c8332981ad26@nvidia.com \
    --to=edwards@nvidia.com \
    --cc=cmeiohas@nvidia.com \
    --cc=dennis.dalessandro@cornelisnetworks.com \
    --cc=dledford@redhat.com \
    --cc=galpress@amazon.com \
    --cc=jgg@ziepe.ca \
    --cc=larrystevenwise@gmail.com \
    --cc=leon@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-rdma@vger.kernel.org \
    --cc=majd@mellanox.com \
    --cc=markb@mellanox.com \
    --cc=markzhang@nvidia.com \
    --cc=matanb@mellanox.com \
    --cc=msanalla@nvidia.com \
    --cc=netao@nvidia.com \
    --cc=phaddad@nvidia.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox