public inbox for linux-kernel@vger.kernel.org
* [PATCH] RDMA/mana_ib: validate rx_hash_key_len in mana_ib_create_qp_rss
@ 2026-04-21 10:50 Junrui Luo
  2026-04-28 16:02 ` Jason Gunthorpe
  0 siblings, 1 reply; 2+ messages in thread
From: Junrui Luo @ 2026-04-21 10:50 UTC (permalink / raw)
  To: Long Li, Konstantin Taranov, Jason Gunthorpe, Leon Romanovsky,
	Dexuan Cui, Ajay Sharma
  Cc: linux-rdma, linux-hyperv, linux-kernel, Yuhao Jiang, stable,
	Junrui Luo

mana_ib_create_qp_rss() passes the user-supplied ucmd.rx_hash_key_len
directly to mana_ib_cfg_vport_steering(), which uses it as the length
argument to memcpy(req->hashkey, rx_hash_key, rx_hash_key_len).

A value greater than MANA_HASH_KEY_SIZE leads to an out-of-bounds read
from the kernel stack and an out-of-bounds write past req->hashkey
within the kzalloc'd struct mana_cfg_rx_steer_req_v2.

Reject any rx_hash_key_len greater than MANA_HASH_KEY_SIZE.

Fixes: 0266a177631d ("RDMA/mana_ib: Add a driver for Microsoft Azure Network Adapter")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
---
 drivers/infiniband/hw/mana/qp.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/infiniband/hw/mana/qp.c b/drivers/infiniband/hw/mana/qp.c
index 82f84f7ad37a..f5ab545cfd74 100644
--- a/drivers/infiniband/hw/mana/qp.c
+++ b/drivers/infiniband/hw/mana/qp.c
@@ -151,6 +151,13 @@ static int mana_ib_create_qp_rss(struct ib_qp *ibqp, struct ib_pd *pd,
 		return -EINVAL;
 	}
 
+	if (ucmd.rx_hash_key_len > MANA_HASH_KEY_SIZE) {
+		ibdev_dbg(&mdev->ib_dev,
+			  "RX Hash key length %u exceeds maximum %u\n",
+			  ucmd.rx_hash_key_len, MANA_HASH_KEY_SIZE);
+		return -EINVAL;
+	}
+
 	/* IB ports start with 1, MANA start with 0 */
 	port = ucmd.port;
 	ndev = mana_ib_get_netdev(pd->device, port);
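Review bot: the added `ucmd.rx_hash_key_len > MANA_HASH_KEY_SIZE` test bounds the length only in this caller, while the commit message locates the memcpy() that consumes it in mana_ib_cfg_vport_steering(). Placing the comparison next to that memcpy, or repeating it there, keeps the bound and the copy together so that any other path into the helper is covered too. The bare `return -EINVAL` follows the same pattern as the check in the context lines just above it, so it looks consistent with the function's early-exit style at this point. The ibdev_dbg() call prints a value supplied by userspace and adds little beyond the errno; consider dropping it.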

---
base-commit: 7aaa8047eafd0bd628065b15757d9b48c5f9c07d
change-id: 20260421-fixes-9402b9f92e0f

Best regards,
-- 
Junrui Luo <moonafterrain@outlook.com>



* Re: [PATCH] RDMA/mana_ib: validate rx_hash_key_len in mana_ib_create_qp_rss
  2026-04-21 10:50 [PATCH] RDMA/mana_ib: validate rx_hash_key_len in mana_ib_create_qp_rss Junrui Luo
@ 2026-04-28 16:02 ` Jason Gunthorpe
  0 siblings, 0 replies; 2+ messages in thread
From: Jason Gunthorpe @ 2026-04-28 16:02 UTC (permalink / raw)
  To: Junrui Luo
  Cc: Long Li, Konstantin Taranov, Leon Romanovsky, Dexuan Cui,
	Ajay Sharma, linux-rdma, linux-hyperv, linux-kernel, Yuhao Jiang,
	stable

On Tue, Apr 21, 2026 at 06:50:21PM +0800, Junrui Luo wrote:
> mana_ib_create_qp_rss() passes the user-supplied ucmd.rx_hash_key_len
> directly to mana_ib_cfg_vport_steering(), which uses it as the length
> argument to memcpy(req->hashkey, rx_hash_key, rx_hash_key_len).
> 
> A value greater than MANA_HASH_KEY_SIZE leads to an out-of-bounds read
> from the kernel stack and an out-of-bounds write past req->hashkey
> within the kzalloc'd struct mana_cfg_rx_steer_req_v2.
> 
> Reject any rx_hash_key_len greater than MANA_HASH_KEY_SIZE.
> 
> Fixes: 0266a177631d ("RDMA/mana_ib: Add a driver for Microsoft Azure Network Adapter")
> Reported-by: Yuhao Jiang <danisjiang@gmail.com>
> Cc: stable@vger.kernel.org
> Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
> ---
>  drivers/infiniband/hw/mana/qp.c | 7 +++++++
>  1 file changed, 7 insertions(+)

I have a fix for this in my pile of sashiko patches that I prefer, it
is better to put the check in mana_ib_cfg_vport_steering() and not
print.

Jason
