* [PATCH] RDMA/core: Validate cpu_id against nr_cpu_ids in DMAH alloc
@ 2026-05-25 14:21 Yishai Hadas
2026-06-03 17:59 ` Jason Gunthorpe
0 siblings, 1 reply; 2+ messages in thread
From: Yishai Hadas @ 2026-05-25 14:21 UTC
To: jgg, leonro; +Cc: linux-rdma, yishaih, maorg, error27, stable

The cpu_id attribute supplied by user space through
UVERBS_ATTR_ALLOC_DMAH_CPU_ID is passed directly to cpumask_test_cpu()
without first verifying that the value is within the valid CPU range.

Passing such untrusted data to cpumask_test_cpu() may lead to an
out-of-bounds read of the underlying cpumask bitmap: the helper expands
to a test_bit() that indexes the bitmap by cpu_id / BITS_PER_LONG with
no bound check.

In addition, on kernels built with CONFIG_DEBUG_PER_CPU_MAPS it trips
the WARN_ON_ONCE() in cpumask_check(); combined with panic_on_warn this
turns a bad user input into a machine reboot.

Reject any cpu_id that is not smaller than nr_cpu_ids with -EINVAL
before it is used.

Reported by Smatch.

Fixes: d83edab562a4 ("RDMA/core: Introduce a DMAH object and its alloc/free APIs")
Cc: stable@vger.kernel.org
Reported-by: Dan Carpenter <error27@gmail.com>
Closes: https://lore.kernel.org/r/ag68qoAW3P04J7pT@stanley.mountain/
Signed-off-by: Yishai Hadas <yishaih@nvidia.com>
---
drivers/infiniband/core/uverbs_std_types_dmah.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/infiniband/core/uverbs_std_types_dmah.c b/drivers/infiniband/core/uverbs_std_types_dmah.c
index 453ce656c6f2..97101e093826 100644
--- a/drivers/infiniband/core/uverbs_std_types_dmah.c
+++ b/drivers/infiniband/core/uverbs_std_types_dmah.c
@@ -47,6 +47,11 @@ static int UVERBS_HANDLER(UVERBS_METHOD_DMAH_ALLOC)(
if (ret)
goto err;
+ if (dmah->cpu_id >= nr_cpu_ids) {
+ ret = -EINVAL;
+ goto err;
+ }
+
if (!cpumask_test_cpu(dmah->cpu_id, current->cpus_ptr)) {
ret = -EPERM;
goto err;
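Review bot: The added `dmah->cpu_id >= nr_cpu_ids` test has no comment, and sitting directly above the `cpumask_test_cpu()` check it can read as redundant with the -EPERM path and be dropped in a later cleanup. Suggest a one-line comment above it saying that cpu_id comes from user space and must be bounded before it is used to index current->cpus_ptr. The hunk does not show the type of `dmah->cpu_id`; if the field is signed, it is worth confirming that the comparison against nr_cpu_ids is done unsigned so negative values are rejected here as well. The ordering, -EINVAL for an out-of-range value before -EPERM for a CPU outside the caller's mask, gives user space a distinguishable error and looks right.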
--
2.18.1
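
The out-of-bounds index described in the commit message above, as an added userspace example that is not part of the patch or of the kernel source. The names model_cpumask, model_test_cpu, model_validate_cpu_id and MODEL_NR_CPUS are hypothetical stand-ins for the kernel's cpumask, cpumask_test_cpu(), the handler's checks and nr_cpu_ids.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>

#define BITS_PER_LONG (sizeof(unsigned long) * CHAR_BIT)
#define MODEL_NR_CPUS 8u /* constructed stand-in for nr_cpu_ids */

/* Hypothetical userspace model of a cpumask: one bit per CPU. */
struct model_cpumask {
    unsigned long bits[(MODEL_NR_CPUS + BITS_PER_LONG - 1) / BITS_PER_LONG];
};

/* Word an unchecked test_bit()-style lookup would read for this cpu. */
static size_t model_word_index(unsigned int cpu)
{
    return cpu / BITS_PER_LONG;
}

/* Words actually backing the mask; any index >= this is out of bounds. */
static size_t model_mask_words(void)
{
    return sizeof(((struct model_cpumask *)0)->bits) / sizeof(unsigned long);
}

/* Unchecked bit test: the caller must guarantee cpu < MODEL_NR_CPUS. */
static int model_test_cpu(unsigned int cpu, const struct model_cpumask *m)
{
    return (int)((m->bits[model_word_index(cpu)] >> (cpu % BITS_PER_LONG)) & 1UL);
}

/* Range check first (-EINVAL), then allowed-mask check (-EPERM), as in the patch. */
static int model_validate_cpu_id(unsigned int cpu_id,
                                 const struct model_cpumask *allowed)
{
    if (cpu_id >= MODEL_NR_CPUS)
        return -EINVAL;
    if (!model_test_cpu(cpu_id, allowed))
        return -EPERM;
    return 0;
}

int main(void)
{
    struct model_cpumask allowed = { .bits = { 0x5UL } }; /* constructed: CPUs 0 and 2 */

    /* 4096 would index far past the single backing word, so it must be rejected. */
    if (model_word_index(4096) < model_mask_words())
        return 1;
    return model_validate_cpu_id(4096, &allowed) == -EINVAL ? 0 : 1;
}
```
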
* Re: [PATCH] RDMA/core: Validate cpu_id against nr_cpu_ids in DMAH alloc
From: Jason Gunthorpe @ 2026-06-03 17:59 UTC
To: Yishai Hadas; +Cc: leonro, linux-rdma, maorg, error27, stable
On Mon, May 25, 2026 at 05:21:36PM +0300, Yishai Hadas wrote:
> The cpu_id attribute supplied by user space through
> UVERBS_ATTR_ALLOC_DMAH_CPU_ID is passed directly to cpumask_test_cpu()
> without first verifying that the value is within the valid CPU range.
>
> Passing such untrusted data to cpumask_test_cpu() may lead to an
> out-of-bounds read of the underlying cpumask bitmap: the helper expands
> to a test_bit() that indexes the bitmap by cpu_id / BITS_PER_LONG with
> no bound check.
>
> In addition, on kernels built with CONFIG_DEBUG_PER_CPU_MAPS it trips
> the WARN_ON_ONCE() in cpumask_check(); combined with panic_on_warn this
> turns a bad user input into a machine reboot.
>
> Reject any cpu_id that is not smaller than nr_cpu_ids with -EINVAL
> before it is used.
>
> Reported by Smatch.
>
> Fixes: d83edab562a4 ("RDMA/core: Introduce a DMAH object and its alloc/free APIs")
> Cc: stable@vger.kernel.org
> Reported-by: Dan Carpenter <error27@gmail.com>
> Closes: https://lore.kernel.org/r/ag68qoAW3P04J7pT@stanley.mountain/
> Signed-off-by: Yishai Hadas <yishaih@nvidia.com>
> ---
> drivers/infiniband/core/uverbs_std_types_dmah.c | 5 +++++
> 1 file changed, 5 insertions(+)
Applied to for-rc
Thanks,
Jason