[PATCH] net: mctp: fix infinite data from mctp_dump_addrinfo

[PATCH] net: mctp: fix infinite data from mctp_dump_addrinfo

[Patrick Williams]

Some mctp configurations result in the userspace application
`mctp addr show`, which triggers an `mctp_dump_addrinfo`, to
be given infinite data.  This was introduced by commit 2d20773aec14.

In `mctp_dump_addrinfo`, when the userspace buffer doesn't hold
enough space for all of the addresses, the function keeps the current
index in the netlink_callback so that it can resume on subsequent
calls.  There are two indexes held: interface and address.  When a
all the addresses for an interface has been sent, the code reset
the address to zero and relies on `for_each_netdev_dump` for
incrementing the index.  However, `for_each_netdev_dump` (which is
using `xa_for_each_start`) does not set the index for the last
entry[1].  This can lead to the subsequent userspace request re-sending
the entire last interface.

Fix this by explicitly setting the index to ULONG_MAX[2] when all of
the interfaces and addresses have been successfully sent.  This will
cause subsequent userspace request to be past the last interface in the
next `for_each_netdev_dump` call.

The previous failure could be aggravated by on a system using
aspeed-bmc-facebook-harma.dts by running:
```
    mctp addr add 8 dev mctpi2c1
    mctp addr show
```

[1]: https://github.com/torvalds/linux/blob/e271ed52b344ac02d4581286961d0c40acc54c03/lib/xarray.c#L2261
[2]: https://github.com/torvalds/linux/blob/e271ed52b344ac02d4581286961d0c40acc54c03/include/linux/xarray.h#L481

Fixes: 2d20773aec14 ("mctp: no longer rely on net->dev_index_head[]")
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
---
 net/mctp/device.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/mctp/device.c b/net/mctp/device.c
index 4d404edd7446..a865445234af 100644
--- a/net/mctp/device.c
+++ b/net/mctp/device.c
@@ -140,9 +140,11 @@ static int mctp_dump_addrinfo(struct sk_buff *skb, struct netlink_callback *cb)
 		rc = mctp_dump_dev_addrinfo(mdev, skb, cb);
 		mctp_dev_put(mdev);
 		if (rc < 0)
-			break;
+			goto out;
 		mcb->a_idx = 0;
 	}
+	mcb->ifindex = ULONG_MAX;
+out:
 	rcu_read_unlock();
 
 	return skb->len;
-- 
2.49.0

Re: [PATCH] net: mctp: fix infinite data from mctp_dump_addrinfo

[Jeremy Kerr]

Hi Patrick,

[+CC Peter Yin, who has reported a similar thing]

Thanks for the report and patch. I've been staring at the
for_each_netdev_dump() behaviour, and I'm not (yet) certain that the fix
is sufficient:

> When all the addresses for an interface has been sent, the code reset
> the address to zero and relies on `for_each_netdev_dump` for
> incrementing the index.  However, `for_each_netdev_dump` (which is
> using `xa_for_each_start`) does not set the index for the last
> entry[1].

but that still seems to be acceptable:

 - if entry there is null (and so we're not updating *indexp), then
   xa_find() will be returning NULL

 - if xa_find returns NULL, we're not iterating the for-loop

 - therefore the original indexp value is sufficient to act as the
   loop terminator

If an xa_find() of the index *does* yield a device, we'll increment
index as part of the for_each_netdev_dump() macro (unless we're still
working through the address array, in which case we do want to use the
same index at the next call).

FWIW, I'm not able to reproduce the issue here on v6.15, even when
forcing various combinations of netlink-message splits, but we do have
other reports of it happening. Are you able to share a trace of the
recvfrom() calls for `mctp addr`? That may help to understand the
breakage.

So, it seems like there's something more subtle happening here - or I
have misunderstood something about the fix (I'm unsure of the reference
to xa_for_each_start; for_each_netdev_dump only calls xa_start?). I'll
continue with the debug and update shortly.

Cheers,


Jeremy

Re: [PATCH] net: mctp: fix infinite data from mctp_dump_addrinfo

[Jeremy Kerr]

Hi Patrick,

[+CC Andrew, for openbmc kernel reasons]

> So, it seems like there's something more subtle happening here - or I
> have misunderstood something about the fix (I'm unsure of the
> reference to xa_for_each_start; for_each_netdev_dump only calls xa_start?).

Ah! Are you on the openbmc 6.6 backport perhaps?

It look the xa_for_each_start()-implementation of netdev_for_each_dump()
would not be compatible with a direct backport of 2d20773aec14 ("mctp: no
longer rely on net->dev_index_head[]").

This was the update for the for_each_netdev_dump() macro:

commit f22b4b55edb507a2b30981e133b66b642be4d13f
Author: Jakub Kicinski <kuba@kernel.org>
Date:   Thu Jun 13 14:33:16 2024 -0700

    net: make for_each_netdev_dump() a little more bug-proof
    
    I find the behavior of xa_for_each_start() slightly counter-intuitive.
    It doesn't end the iteration by making the index point after the last
    element. IOW calling xa_for_each_start() again after it "finished"
    will run the body of the loop for the last valid element, instead
    of doing nothing.

... which sounds like what's happening here.

Cheers,


Jeremy

Re: [PATCH] net: mctp: fix infinite data from mctp_dump_addrinfo

[Patrick Williams]

[-- Attachment #1: Type: text/plain, Size: 1453 bytes --]

On Sat, Jun 07, 2025 at 03:47:09PM +0800, Jeremy Kerr wrote:
> Hi Patrick,
> 
> [+CC Andrew, for openbmc kernel reasons]
> 
> > So, it seems like there's something more subtle happening here - or I
> > have misunderstood something about the fix (I'm unsure of the
> > reference to xa_for_each_start; for_each_netdev_dump only calls xa_start?).
> 
> Ah! Are you on the openbmc 6.6 backport perhaps?
> 
> It look the xa_for_each_start()-implementation of netdev_for_each_dump()
> would not be compatible with a direct backport of 2d20773aec14 ("mctp: no
> longer rely on net->dev_index_head[]").
> 
> This was the update for the for_each_netdev_dump() macro:
> 
> commit f22b4b55edb507a2b30981e133b66b642be4d13f
> Author: Jakub Kicinski <kuba@kernel.org>
> Date:   Thu Jun 13 14:33:16 2024 -0700
> 
>     net: make for_each_netdev_dump() a little more bug-proof
>     
>     I find the behavior of xa_for_each_start() slightly counter-intuitive.
>     It doesn't end the iteration by making the index point after the last
>     element. IOW calling xa_for_each_start() again after it "finished"
>     will run the body of the loop for the last valid element, instead
>     of doing nothing.
> 
> ... which sounds like what's happening here.

Ah, yep.  That's exactly what is going on here.  I guess this change
isn't needed for master and it looks like you've already requested a
revert for 6.6?

-- 
Patrick Williams

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]