[PATCH] IB/mlx5: Fix potential NULL dereference in query

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH] IB/mlx5: Fix potential NULL dereference in query_device
@ 2026-03-31  1:44 Prathamesh Deshpande
  2026-03-31 13:49 ` Leon Romanovsky
  0 siblings, 1 reply; 5+ messages in thread
From: Prathamesh Deshpande @ 2026-03-31  1:44 UTC (permalink / raw)
  To: Leon Romanovsky, Jason Gunthorpe
  Cc: Haggai Eran, Doug Ledford, linux-rdma, linux-kernel,
	Prathamesh Deshpande

Smatch reported an inconsistent NULL check for 'uhw' in
mlx5_ib_query_device(). While 'uhw_outlen' is checked at the end of
the function before calling ib_copy_to_udata(), 'uhw' is explicitly
checked for NULL earlier in the same function.

If a caller provides a non-zero 'uhw_outlen' but a NULL 'uhw' pointer,
ib_copy_to_udata() will attempt to dereference 'uhw', leading to a
kernel panic. Fix this by checking the 'uhw' pointer directly.

Fixes: 4835709176e8 ("RDMA/mlx5: Don't fake udata for kernel path")

Signed-off-by: Prathamesh Deshpande <prathameshdeshpande7@gmail.com>
---
 drivers/infiniband/hw/mlx5/main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c
index 635002e684a5..471dc8df4a52 100644
--- a/drivers/infiniband/hw/mlx5/main.c
+++ b/drivers/infiniband/hw/mlx5/main.c
@@ -1353,7 +1353,7 @@ static int mlx5_ib_query_device(struct ib_device *ibdev,
 			fill_esw_mgr_reg_c0(mdev, &resp);
 	}
 
-	if (uhw_outlen) {
+	if (uhw) {
 		err = ib_copy_to_udata(uhw, &resp, resp.response_length);
 
 		if (err)
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH] IB/mlx5: Fix potential NULL dereference in query_device
  2026-03-31  1:44 [PATCH] IB/mlx5: Fix potential NULL dereference in query_device Prathamesh Deshpande
@ 2026-03-31 13:49 ` Leon Romanovsky
  2026-03-31 18:25   ` Prathamesh Deshpande
  0 siblings, 1 reply; 5+ messages in thread
From: Leon Romanovsky @ 2026-03-31 13:49 UTC (permalink / raw)
  To: Prathamesh Deshpande
  Cc: Jason Gunthorpe, Haggai Eran, Doug Ledford, linux-rdma,
	linux-kernel

On Tue, Mar 31, 2026 at 02:44:27AM +0100, Prathamesh Deshpande wrote:
> Smatch reported an inconsistent NULL check for 'uhw' in
> mlx5_ib_query_device(). While 'uhw_outlen' is checked at the end of
> the function before calling ib_copy_to_udata(), 'uhw' is explicitly
> checked for NULL earlier in the same function.
> 
> If a caller provides a non-zero 'uhw_outlen' but a NULL 'uhw' pointer,
> ib_copy_to_udata() will attempt to dereference 'uhw',

How is it possible?

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] IB/mlx5: Fix potential NULL dereference in query_device
  2026-03-31 13:49 ` Leon Romanovsky
@ 2026-03-31 18:25   ` Prathamesh Deshpande
  2026-03-31 19:04     ` Leon Romanovsky
  0 siblings, 1 reply; 5+ messages in thread
From: Prathamesh Deshpande @ 2026-03-31 18:25 UTC (permalink / raw)
  To: leon; +Cc: dledford, haggaie, jgg, linux-kernel, linux-rdma,
	prathameshdeshpande7

On Tue, Mar 31, 2026 at 04:49:55PM +0300, Leon Romanovsky wrote:
> On Tue, Mar 31, 2026 at 02:44:27AM +0100, Prathamesh Deshpande wrote:
> > Smatch reported an inconsistent NULL check for 'uhw' in
> > mlx5_ib_query_device(). While 'uhw_outlen' is checked at the end of
> > the function before calling ib_copy_to_udata(), 'uhw' is explicitly
> > checked for NULL earlier in the same function.
> >
> > If a caller provides a non-zero 'uhw_outlen' but a NULL 'uhw' pointer,
> > ib_copy_to_udata() will attempt to dereference 'uhw',
>
> How is it possible?

Hi Leon,

You are right that in the current uverbs paths, 'uhw_outlen' and 'uhw'
should stay in sync.

However, Smatch flags this as an inconsistency because 'uhw' is explicitly
checked for NULL earlier in this same function (at line 968). If the code
assumes 'uhw' could be NULL there, it is safer and more consistent to
check the pointer directly before passing it to ib_copy_to_udata() at
line 1357.

This prevents any future refactoring or unconventional kernel-space
callers from accidentally triggering a NULL dereference.

What do you think?

Thanks,
Prathamesh

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] IB/mlx5: Fix potential NULL dereference in query_device
  2026-03-31 18:25   ` Prathamesh Deshpande
@ 2026-03-31 19:04     ` Leon Romanovsky
  0 siblings, 0 replies; 5+ messages in thread
From: Leon Romanovsky @ 2026-03-31 19:04 UTC (permalink / raw)
  To: Prathamesh Deshpande; +Cc: dledford, haggaie, jgg, linux-kernel, linux-rdma

On Tue, Mar 31, 2026 at 07:25:56PM +0100, Prathamesh Deshpande wrote:
> On Tue, Mar 31, 2026 at 04:49:55PM +0300, Leon Romanovsky wrote:
> > On Tue, Mar 31, 2026 at 02:44:27AM +0100, Prathamesh Deshpande wrote:
> > > Smatch reported an inconsistent NULL check for 'uhw' in
> > > mlx5_ib_query_device(). While 'uhw_outlen' is checked at the end of
> > > the function before calling ib_copy_to_udata(), 'uhw' is explicitly
> > > checked for NULL earlier in the same function.
> > >
> > > If a caller provides a non-zero 'uhw_outlen' but a NULL 'uhw' pointer,
> > > ib_copy_to_udata() will attempt to dereference 'uhw',
> >
> > How is it possible?
> 
> Hi Leon,
> 
> You are right that in the current uverbs paths, 'uhw_outlen' and 'uhw'
> should stay in sync.
> 
> However, Smatch flags this as an inconsistency because 'uhw' is explicitly
> checked for NULL earlier in this same function (at line 968). If the code
> assumes 'uhw' could be NULL there, it is safer and more consistent to
> check the pointer directly before passing it to ib_copy_to_udata() at
> line 1357.
> 
> This prevents any future refactoring or unconventional kernel-space
> callers from accidentally triggering a NULL dereference.

Kernel-space callers don't use uverbs path. It is solely for the
user-space access.

Thanks

> 
> What do you think?
> 
> Thanks,
> Prathamesh

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] IB/mlx5: Fix potential NULL dereference in query_device
       [not found] <202603311604.GD814676@unreal>
@ 2026-03-31 21:57 ` Prathamesh Deshpande
  0 siblings, 0 replies; 5+ messages in thread
From: Prathamesh Deshpande @ 2026-03-31 21:57 UTC (permalink / raw)
  To: Leon Romanovsky; +Cc: jgg, linux-rdma, linux-kernel, prathameshdeshpande7

On Tue, Mar 31, 2026 at 10:04:00PM +0300, Leon Romanovsky wrote:
> Kernel-space callers don't use uverbs path. It is solely for the
> user-space access.

Hi Leon,

Understood. Smatch flags this as an "inconsistent NULL check" because
'uhw' is explicitly checked at line 967 (if (uhw && ...)).

If 'uhw' is guaranteed to be non-NULL in this path, would you prefer
a patch removing the redundant check at line 967 instead? This would
align the logic and silence the static analysis warning.

Thanks,
Prathamesh

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2026-03-31 21:57 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-31  1:44 [PATCH] IB/mlx5: Fix potential NULL dereference in query_device Prathamesh Deshpande
2026-03-31 13:49 ` Leon Romanovsky
2026-03-31 18:25   ` Prathamesh Deshpande
2026-03-31 19:04     ` Leon Romanovsky
     [not found] <202603311604.GD814676@unreal>
2026-03-31 21:57 ` Prathamesh Deshpande

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox