Linux RDMA and InfiniBand development
From: Jason Gunthorpe <jgg@nvidia.com>
To: Yishai Hadas <yishaih@nvidia.com>
Cc: leonro@nvidia.com, linux-rdma@vger.kernel.org, maorg@nvidia.com,
	error27@gmail.com, stable@vger.kernel.org
Subject: Re: [PATCH] RDMA/core: Validate cpu_id against nr_cpu_ids in DMAH alloc
Date: Wed, 3 Jun 2026 14:59:16 -0300
Message-ID: <20260603175916.GA1558131@nvidia.com>
In-Reply-To: <20260525142136.28165-1-yishaih@nvidia.com>

On Mon, May 25, 2026 at 05:21:36PM +0300, Yishai Hadas wrote:
> The cpu_id attribute supplied by user space through
> UVERBS_ATTR_ALLOC_DMAH_CPU_ID is passed directly to cpumask_test_cpu()
> without first verifying that the value is within the valid CPU range.
> 
> Passing such untrusted data to cpumask_test_cpu() may lead to an
> out-of-bounds read of the underlying cpumask bitmap: the helper expands
> to a test_bit() that indexes the bitmap by cpu_id / BITS_PER_LONG with
> no bound check.
> 
> In addition, on kernels built with CONFIG_DEBUG_PER_CPU_MAPS it trips
> the WARN_ON_ONCE() in cpumask_check(); combined with panic_on_warn this
> turns a bad user input into a machine reboot.
> 
> Reject any cpu_id that is not smaller than nr_cpu_ids with -EINVAL
> before it is used.
> 
> Reported by Smatch.
> 
> Fixes: d83edab562a4 ("RDMA/core: Introduce a DMAH object and its alloc/free APIs")
> Cc: stable@vger.kernel.org
> Reported-by: Dan Carpenter <error27@gmail.com>
> Closes: https://lore.kernel.org/r/ag68qoAW3P04J7pT@stanley.mountain/
> Signed-off-by: Yishai Hadas <yishaih@nvidia.com>
> ---
>  drivers/infiniband/core/uverbs_std_types_dmah.c | 5 +++++
>  1 file changed, 5 insertions(+)

Applied to for-rc

Thanks,
Jason
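
A userspace C model of the bound check described in the quoted commit message, added here as an illustration; it is not the patch or kernel code from this thread. The `model_*` names, the 8-CPU limit, the single-word mask and the 32-bit `cpu_id` are assumptions made for the example.

```c
/* Userspace model only, not kernel code. All names are hypothetical. */
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_BITS_PER_LONG (sizeof(unsigned long) * CHAR_BIT)
#define MODEL_NR_CPU_IDS 8u /* constructed: pretend 8 possible CPUs */

/* Constructed mask: CPUs 0-3 set. One word backs the whole mask. */
static const unsigned long model_mask[1] = { 0x0FUL };

/* Word a test_bit()-style lookup would index: cpu_id / BITS_PER_LONG. */
static size_t model_word_index(uint32_t cpu_id)
{
    return cpu_id / MODEL_BITS_PER_LONG;
}

/* 1 if an unchecked lookup for cpu_id would read past the mask storage. */
static int model_lookup_is_oob(uint32_t cpu_id)
{
    return model_word_index(cpu_id) >= sizeof(model_mask) / sizeof(model_mask[0]);
}

/*
 * Checked lookup: reject any cpu_id that is not smaller than the CPU
 * count with -EINVAL before the bitmap is touched; otherwise return
 * the bit (0 or 1).
 */
static int model_test_cpu_checked(uint32_t cpu_id)
{
    if (cpu_id >= MODEL_NR_CPU_IDS)
        return -EINVAL;
    return (int)((model_mask[model_word_index(cpu_id)] >>
                  (cpu_id % MODEL_BITS_PER_LONG)) & 1UL);
}

int main(void)
{
    const uint32_t ids[] = { 2, 5, 8, 4096 }; /* constructed inputs */
    for (size_t i = 0; i < sizeof(ids) / sizeof(ids[0]); i++)
        printf("cpu_id=%u unchecked_oob=%d checked=%d\n", (unsigned)ids[i],
               model_lookup_is_oob(ids[i]), model_test_cpu_checked(ids[i]));
    return 0;
}
```

In this model, `cpu_id` 8 still falls inside the mask's storage word but is rejected because it is not a valid CPU, while 4096 is the case where the unchecked word index would land outside the bitmap.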
