* [LTP] [PATCH 0/2] Add infiniband testing suite
From: Andrea Cervesato @ 2026-03-25 15:25 UTC
To: Linux Test Project
This patch series introduces a test for infiniband testing, based on
https://marc.info/?l=linux-kernel&m=152625244101970&w=2.
Consider this as a snapshot for a possible test. I sent it to the ML
just to have some feedback.
Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
---
Andrea Cervesato (2):
lapi: Add fallback rdma_user_cm.h definitions
device-drivers/rdma: Add ucma_uaf01 test
configure.ac | 1 +
include/lapi/rdma_user_cm.h | 72 ++++++++
runtest/kernel_misc | 1 +
testcases/kernel/device-drivers/Makefile | 1 +
testcases/kernel/device-drivers/rdma/.gitignore | 1 +
testcases/kernel/device-drivers/rdma/Makefile | 7 +
testcases/kernel/device-drivers/rdma/ucma_uaf01.c | 208 ++++++++++++++++++++++
7 files changed, 291 insertions(+)
---
base-commit: b874b6a264cf4f343c17d543ebe4ff91fbb89042
change-id: 20260325-infiniband_rdma-c94a1f4f7255
Best regards,
--
Andrea Cervesato <andrea.cervesato@suse.com>
--
Mailing list info: https://lists.linux.it/listinfo/ltp
* [LTP] [PATCH 1/2] lapi: Add fallback rdma_user_cm.h definitions
From: Andrea Cervesato @ 2026-03-25 15:25 UTC
To: Linux Test Project
From: Andrea Cervesato <andrea.cervesato@suse.com>
Add LAPI header with fallback definitions for RDMA user CM structures
and command enums, used when <rdma/rdma_user_cm.h> is not available.
Add the corresponding configure check for rdma/rdma_user_cm.h.
Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
---
configure.ac | 1 +
include/lapi/rdma_user_cm.h | 72 +++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 73 insertions(+)
diff --git a/configure.ac b/configure.ac
index 9d6ec7f13ad421aa35840ebc65745c962b11e1db..8f67018dc692685d88acfb51232446659c1eeb3d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -85,6 +85,7 @@ AC_CHECK_HEADERS_ONCE([ \
linux/userfaultfd.h \
netinet/sctp.h \
pthread.h \
+ rdma/rdma_user_cm.h \
sys/epoll.h \
sys/fanotify.h \
sys/inotify.h \
diff --git a/include/lapi/rdma_user_cm.h b/include/lapi/rdma_user_cm.h
new file mode 100644
index 0000000000000000000000000000000000000000..801dd83ec0df215901a86855bc51ad2b416d9855
--- /dev/null
+++ b/include/lapi/rdma_user_cm.h
@@ -0,0 +1,72 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * Copyright (c) 2026 Linux Test Project
+ */
+
+#ifndef LAPI_RDMA_USER_CM_H__
+#define LAPI_RDMA_USER_CM_H__
+
+#include "config.h"
+
+#ifdef HAVE_RDMA_RDMA_USER_CM_H
+# include <rdma/rdma_user_cm.h>
+#endif
+
+#include <netinet/in.h>
+#include <stdint.h>
+
+#ifndef RDMA_USER_CM_ABI_VERSION
+
+enum {
+ RDMA_USER_CM_CMD_CREATE_ID,
+ RDMA_USER_CM_CMD_DESTROY_ID,
+ RDMA_USER_CM_CMD_BIND_IP,
+ RDMA_USER_CM_CMD_RESOLVE_IP,
+ RDMA_USER_CM_CMD_RESOLVE_ROUTE,
+ RDMA_USER_CM_CMD_QUERY_ROUTE,
+ RDMA_USER_CM_CMD_CONNECT,
+ RDMA_USER_CM_CMD_LISTEN,
+};
+
+enum rdma_ucm_port_space {
+ RDMA_PS_IPOIB = 0x0002,
+};
+
+struct rdma_ucm_cmd_hdr {
+ uint32_t cmd;
+ uint16_t in;
+ uint16_t out;
+};
+
+struct rdma_ucm_create_id {
+ uint64_t uid;
+ uint64_t response;
+ uint16_t ps;
+ uint8_t qp_type;
+ uint8_t reserved[5];
+};
+
+struct rdma_ucm_create_id_resp {
+ uint32_t id;
+};
+
+struct rdma_ucm_destroy_id {
+ uint64_t response;
+ uint32_t id;
+ uint32_t reserved;
+};
+
+struct rdma_ucm_bind_ip {
+ uint64_t response;
+ struct sockaddr_in6 addr;
+ uint32_t id;
+};
+
+struct rdma_ucm_listen {
+ uint32_t id;
+ uint32_t backlog;
+};
+
+#endif /* RDMA_USER_CM_ABI_VERSION */
+
+#endif /* LAPI_RDMA_USER_CM_H__ */
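Review bot: The fallback command enum relies on implicit numbering, so every RDMA_USER_CM_CMD_* value is only right as long as nobody reorders or trims the list. RESOLVE_IP, RESOLVE_ROUTE, QUERY_ROUTE and CONNECT have no user in this series and are there only to push LISTEN to the correct position. Since these numbers are kernel ABI, give each entry an explicit value, or at least add a comment that the order must mirror <rdma/rdma_user_cm.h>. A one-line comment stating that the fallback covers only the structures ucma_uaf01 needs would also help the next test author who includes this header.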
--
2.51.0
* [LTP] [PATCH 2/2] device-drivers/rdma: Add ucma_uaf01 test
From: Andrea Cervesato @ 2026-03-25 15:25 UTC
To: Linux Test Project
From: Andrea Cervesato <andrea.cervesato@suse.com>
Test for use-after-free in RDMA UCMA triggered by racing CREATE_ID,
BIND_IP, and LISTEN operations. Three threads concurrently issue
these commands to /dev/infiniband/rdma_cm and the test checks for
kernel taint (KASAN use-after-free detection).
The bug was fixed by kernel commit 5fe23f262e05
("ucma: fix a use-after-free in ucma_resolve_ip()").
Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
---
runtest/kernel_misc | 1 +
testcases/kernel/device-drivers/Makefile | 1 +
testcases/kernel/device-drivers/rdma/.gitignore | 1 +
testcases/kernel/device-drivers/rdma/Makefile | 7 +
testcases/kernel/device-drivers/rdma/ucma_uaf01.c | 208 ++++++++++++++++++++++
5 files changed, 218 insertions(+)
diff --git a/runtest/kernel_misc b/runtest/kernel_misc
index 78f00d305fea10367fb4fd2845f25dd151a833ea..dcc3c0a44fb52a968f91a52758dbd43a3ce7a9ec 100644
--- a/runtest/kernel_misc
+++ b/runtest/kernel_misc
@@ -3,6 +3,7 @@ kmsg01 kmsg01
fw_load fw_load
rtc01 rtc01
rtc02 rtc02
+ucma_uaf01 ucma_uaf01
block_dev block_dev
tpci tpci
tbio tbio
diff --git a/testcases/kernel/device-drivers/Makefile b/testcases/kernel/device-drivers/Makefile
index 229a50683f5f629904ff591daa6fcd4f1c35fdf1..538df555395bf21062906ffa4125da4c767c1e24 100644
--- a/testcases/kernel/device-drivers/Makefile
+++ b/testcases/kernel/device-drivers/Makefile
@@ -11,6 +11,7 @@ SUBDIRS := acpi \
locking \
pci \
rcu \
+ rdma \
rtc \
tbio \
uaccess \
diff --git a/testcases/kernel/device-drivers/rdma/.gitignore b/testcases/kernel/device-drivers/rdma/.gitignore
new file mode 100644
index 0000000000000000000000000000000000000000..399ea290e4f9abd6b66800b21f4aea3eb33d3799
--- /dev/null
+++ b/testcases/kernel/device-drivers/rdma/.gitignore
@@ -0,0 +1 @@
+/ucma_uaf01
diff --git a/testcases/kernel/device-drivers/rdma/Makefile b/testcases/kernel/device-drivers/rdma/Makefile
new file mode 100644
index 0000000000000000000000000000000000000000..5df01972aeab257b6ef24a928204b6b722c1cdef
--- /dev/null
+++ b/testcases/kernel/device-drivers/rdma/Makefile
@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright (c) 2026 Linux Test Project
+
+top_srcdir ?= ../../../..
+
+include $(top_srcdir)/include/mk/testcases.mk
+include $(top_srcdir)/include/mk/generic_leaf_target.mk
diff --git a/testcases/kernel/device-drivers/rdma/ucma_uaf01.c b/testcases/kernel/device-drivers/rdma/ucma_uaf01.c
new file mode 100644
index 0000000000000000000000000000000000000000..313e2aee0ea0114ce37f006eca93ea66d86ddeea
--- /dev/null
+++ b/testcases/kernel/device-drivers/rdma/ucma_uaf01.c
@@ -0,0 +1,208 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (c) 2026 Linux Test Project
+ */
+
+/*\
+ * Test for use-after-free in RDMA UCMA triggered by concurrent CREATE_ID,
+ * BIND_IP, and LISTEN operations via /dev/infiniband/rdma_cm.
+ *
+ * Requires root to open /dev/infiniband/rdma_cm.
+ *
+ * Three threads race to create, bind, and listen on RDMA connection manager
+ * IDs. On vulnerable kernels, this triggers a use-after-free in
+ * cma_listen_on_all() detected by KASAN.
+ *
+ * Based on a syzbot reproducer:
+ * syzbot+db1c219466daac1083df@syzkaller.appspotmail.com
+ *
+ * Fixed in:
+ *
+ * commit 5fe23f262e05
+ * ucma: fix a use-after-free in ucma_resolve_ip()
+ */
+
+#include "tst_test.h"
+#include "tst_safe_pthread.h"
+#include "lapi/rdma_user_cm.h"
+
+#define RDMA_CM_DEV "/dev/infiniband/rdma_cm"
+
+static int cmfd = -1;
+static volatile uint32_t shared_id;
+static volatile int stop_threads;
+
+static void destroy_id(uint32_t id)
+{
+ ssize_t ret;
+
+ struct {
+ struct rdma_ucm_cmd_hdr hdr;
+ struct rdma_ucm_destroy_id destroy;
+ } msg = {
+ .hdr = {
+ .cmd = RDMA_USER_CM_CMD_DESTROY_ID,
+ .out = sizeof(struct rdma_ucm_create_id_resp),
+ },
+ .destroy = {
+ .id = id,
+ },
+ };
+ struct rdma_ucm_create_id_resp resp;
+
+ msg.destroy.response = (uintptr_t)&resp;
+
+ /* Errors expected due to racing with stale IDs */
+ ret = write(cmfd, &msg, sizeof(msg));
+ (void)ret;
+}
+
+static void *thread_create(void *arg)
+{
+ uint32_t id, prev_id = 0;
+ int has_prev = 0;
+
+ while (!stop_threads) {
+ struct {
+ struct rdma_ucm_cmd_hdr hdr;
+ struct rdma_ucm_create_id create;
+ } msg = {
+ .hdr = {
+ .cmd = RDMA_USER_CM_CMD_CREATE_ID,
+ .out = sizeof(id),
+ },
+ .create = {
+ .response = (uintptr_t)&id,
+ .ps = RDMA_PS_IPOIB,
+ },
+ };
+
+ if (write(cmfd, &msg, sizeof(msg)) > 0) {
+ if (has_prev)
+ destroy_id(prev_id);
+ prev_id = id;
+ has_prev = 1;
+ shared_id = id;
+ }
+ }
+
+ if (has_prev)
+ destroy_id(prev_id);
+
+ return arg;
+}
+
+static void *thread_bind(void *arg)
+{
+ ssize_t ret;
+
+ while (!stop_threads) {
+ struct {
+ struct rdma_ucm_cmd_hdr hdr;
+ struct rdma_ucm_bind_ip bind;
+ } msg = {
+ .hdr = {
+ .cmd = RDMA_USER_CM_CMD_BIND_IP,
+ },
+ .bind = {
+ .addr = {
+ .sin6_family = AF_INET6,
+ .sin6_addr = {
+ .s6_addr = { 0xff },
+ },
+ },
+ .id = shared_id,
+ },
+ };
+
+ /* Errors expected due to racing with stale IDs */
+ ret = write(cmfd, &msg, sizeof(msg));
+ (void)ret;
+ }
+
+ return arg;
+}
+
+static void *thread_listen(void *arg)
+{
+ ssize_t ret;
+
+ while (!stop_threads) {
+ struct {
+ struct rdma_ucm_cmd_hdr hdr;
+ struct rdma_ucm_listen listen;
+ } msg = {
+ .hdr = {
+ .cmd = RDMA_USER_CM_CMD_LISTEN,
+ },
+ .listen = {
+ .id = shared_id,
+ },
+ };
+
+ /* Errors expected due to racing with stale IDs */
+ ret = write(cmfd, &msg, sizeof(msg));
+ (void)ret;
+ }
+
+ return arg;
+}
+
+static void setup(void)
+{
+ cmfd = open(RDMA_CM_DEV, O_WRONLY);
+ if (cmfd < 0) {
+ if (errno == ENOENT || errno == ENXIO)
+ tst_brk(TCONF, RDMA_CM_DEV " not available");
+ tst_brk(TBROK | TERRNO, "open(" RDMA_CM_DEV ")");
+ }
+}
+
+static void cleanup(void)
+{
+ if (cmfd != -1)
+ SAFE_CLOSE(cmfd);
+}
+
+static void run(void)
+{
+ pthread_t threads[3];
+
+ stop_threads = 0;
+
+ SAFE_PTHREAD_CREATE(&threads[0], NULL, thread_create, NULL);
+ SAFE_PTHREAD_CREATE(&threads[1], NULL, thread_bind, NULL);
+ SAFE_PTHREAD_CREATE(&threads[2], NULL, thread_listen, NULL);
+
+ while (tst_remaining_runtime())
+ sleep(1);
+
+ stop_threads = 1;
+
+ SAFE_PTHREAD_JOIN(threads[0], NULL);
+ SAFE_PTHREAD_JOIN(threads[1], NULL);
+ SAFE_PTHREAD_JOIN(threads[2], NULL);
+
+ if (tst_taint_check())
+ tst_res(TFAIL, "Kernel is vulnerable (use-after-free in UCMA)");
+ else
+ tst_res(TPASS, "No kernel taint detected");
+}
+
+static struct tst_test test = {
+ .test_all = run,
+ .setup = setup,
+ .cleanup = cleanup,
+ .runtime = 300,
+ .needs_root = 1,
+ .taint_check = TST_TAINT_W | TST_TAINT_D,
+ .needs_kconfigs = (const char *[]) {
+ "CONFIG_INFINIBAND",
+ "CONFIG_INFINIBAND_USER_ACCESS",
+ NULL
+ },
+ .tags = (const struct tst_tag[]) {
+ {"linux-git", "5fe23f262e05"},
+ {}
+ },
+};
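Review bot: run() reports TPASS whenever tst_taint_check() returns zero, even if the race never ran. thread_create() silently skips a failed CREATE_ID write, and thread_bind() and thread_listen() discard every write() result, so a system on which no command ever succeeds passes vacuously; setup() only proves that /dev/infiniband/rdma_cm can be opened. Count the successful CREATE_ID writes (and, if possible, successful BIND_IP and LISTEN calls) and finish with TCONF or TBROK when the count is zero. Separately, the header comment says the bug is detected by KASAN while .taint_check is TST_TAINT_W | TST_TAINT_D; please confirm that a KASAN use-after-free report sets one of those two flags, or document why this mask was chosen.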
--
2.51.0
* Re: [LTP] [PATCH 0/2] Add infiniband testing suite
From: Petr Vorel @ 2026-04-07 12:56 UTC
To: Andrea Cervesato; +Cc: Linux Test Project
> This patch series introduces a test for infiniband testing, based on
> https://marc.info/?l=linux-kernel&m=152625244101970&w=2.
https://lore.kernel.org/lkml/20180513230237.GG677@sol.localdomain/
Thanks for pointing out the C source. I was looking at the original syzkaller
reproducer [1], which IMHO did more things; the simplified C source is quite similar
to what you do in the LTP test.
Have you verified whether it actually reproduces the bug on an affected kernel? Does it
reproduce the bug?
I tried it only on a kernel that is too new (6.12-based SLE16 kernel; it required
installing rdma-core; the rdma_cm kernel module, which creates /dev/infiniband/rdma_cm,
was loaded by default).
Kind regards,
Petr
[1] https://syzkaller.appspot.com/text?tag=ReproSyz&x=1686969e400000
> Consider this as a snapshot for a possible test. I sent it to the ML
> just to have some feedbacks.
> Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
> ---
> Andrea Cervesato (2):
> lapi: Add fallback rdma_user_cm.h definitions
> device-drivers/rdma: Add ucma_uaf01 test
> configure.ac | 1 +
> include/lapi/rdma_user_cm.h | 72 ++++++++
> runtest/kernel_misc | 1 +
> testcases/kernel/device-drivers/Makefile | 1 +
> testcases/kernel/device-drivers/rdma/.gitignore | 1 +
> testcases/kernel/device-drivers/rdma/Makefile | 7 +
> testcases/kernel/device-drivers/rdma/ucma_uaf01.c | 208 ++++++++++++++++++++++
> 7 files changed, 291 insertions(+)
> ---
> base-commit: b874b6a264cf4f343c17d543ebe4ff91fbb89042
> change-id: 20260325-infiniband_rdma-c94a1f4f7255
> Best regards,
* Re: [LTP] [PATCH 2/2] device-drivers/rdma: Add ucma_uaf01 test
From: Petr Vorel @ 2026-04-07 13:24 UTC
To: Andrea Cervesato
Cc: rds-devel, linux-rdma, Eric Biggers, Jason Gunthorpe,
Doug Ledford, Linux Test Project
Hi Andrea,
It's been a long time since this use-after-free was fixed, but IMHO it's still useful
to have a test (it's also a kind of smoke test for rdma_cm).
Anyway, LGTM, but it'd be nice to reproduce the bug.
Reviewed-by: Petr Vorel <pvorel@suse.cz>
> Test for use-after-free in RDMA UCMA triggered by racing CREATE_ID,
> BIND_IP, and LISTEN operations. Three threads concurrently issue
> these commands to /dev/infiniband/rdma_cm and the test checks for
> kernel taint (KASAN use-after-free detection).
> The bug was fixed by kernel commit 5fe23f262e05
> ("ucma: fix a use-after-free in ucma_resolve_ip()").
> Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
> ---
> runtest/kernel_misc | 1 +
> testcases/kernel/device-drivers/Makefile | 1 +
> testcases/kernel/device-drivers/rdma/.gitignore | 1 +
> testcases/kernel/device-drivers/rdma/Makefile | 7 +
> testcases/kernel/device-drivers/rdma/ucma_uaf01.c | 208 ++++++++++++++++++++++
> 5 files changed, 218 insertions(+)
> diff --git a/runtest/kernel_misc b/runtest/kernel_misc
> index 78f00d305fea10367fb4fd2845f25dd151a833ea..dcc3c0a44fb52a968f91a52758dbd43a3ce7a9ec 100644
> --- a/runtest/kernel_misc
> +++ b/runtest/kernel_misc
> @@ -3,6 +3,7 @@ kmsg01 kmsg01
> fw_load fw_load
> rtc01 rtc01
> rtc02 rtc02
> +ucma_uaf01 ucma_uaf01
> block_dev block_dev
> tpci tpci
> tbio tbio
> diff --git a/testcases/kernel/device-drivers/Makefile b/testcases/kernel/device-drivers/Makefile
> index 229a50683f5f629904ff591daa6fcd4f1c35fdf1..538df555395bf21062906ffa4125da4c767c1e24 100644
> --- a/testcases/kernel/device-drivers/Makefile
> +++ b/testcases/kernel/device-drivers/Makefile
> @@ -11,6 +11,7 @@ SUBDIRS := acpi \
> locking \
> pci \
> rcu \
> + rdma \
> rtc \
> tbio \
> uaccess \
> diff --git a/testcases/kernel/device-drivers/rdma/.gitignore b/testcases/kernel/device-drivers/rdma/.gitignore
> new file mode 100644
> index 0000000000000000000000000000000000000000..399ea290e4f9abd6b66800b21f4aea3eb33d3799
> --- /dev/null
> +++ b/testcases/kernel/device-drivers/rdma/.gitignore
> @@ -0,0 +1 @@
> +/ucma_uaf01
> diff --git a/testcases/kernel/device-drivers/rdma/Makefile b/testcases/kernel/device-drivers/rdma/Makefile
> new file mode 100644
> index 0000000000000000000000000000000000000000..5df01972aeab257b6ef24a928204b6b722c1cdef
> --- /dev/null
> +++ b/testcases/kernel/device-drivers/rdma/Makefile
> @@ -0,0 +1,7 @@
> +# SPDX-License-Identifier: GPL-2.0-or-later
> +# Copyright (c) 2026 Linux Test Project
> +
> +top_srcdir ?= ../../../..
> +
> +include $(top_srcdir)/include/mk/testcases.mk
> +include $(top_srcdir)/include/mk/generic_leaf_target.mk
> diff --git a/testcases/kernel/device-drivers/rdma/ucma_uaf01.c b/testcases/kernel/device-drivers/rdma/ucma_uaf01.c
> new file mode 100644
> index 0000000000000000000000000000000000000000..313e2aee0ea0114ce37f006eca93ea66d86ddeea
> --- /dev/null
> +++ b/testcases/kernel/device-drivers/rdma/ucma_uaf01.c
> @@ -0,0 +1,208 @@
> +// SPDX-License-Identifier: GPL-2.0-or-later
> +/*
> + * Copyright (c) 2026 Linux Test Project
> + */
> +
> +/*\
> + * Test for use-after-free in RDMA UCMA triggered by concurrent CREATE_ID,
> + * BIND_IP, and LISTEN operations via /dev/infiniband/rdma_cm.
> + *
> + * Requires root to open /dev/infiniband/rdma_cm.
> + *
> + * Three threads race to create, bind, and listen on RDMA connection manager
> + * IDs. On vulnerable kernels, this triggers a use-after-free in
> + * cma_listen_on_all() detected by KASAN.
> + *
> + * Based on a syzbot reproducer:
> + * syzbot+db1c219466daac1083df@syzkaller.appspotmail.com
Maybe link the simplified C source from Eric on which you base the LTP test (according
to the cover letter)?
https://lore.kernel.org/lkml/20180513230237.GG677@sol.localdomain/
NOTE: the C reproducer [1] on the db1c219466daac1083df page [2] is more complicated than
the one from Eric.
[1] https://syzkaller.appspot.com/text?tag=ReproC&x=1258d593800000
[2] https://syzkaller.appspot.com/bug?extid=db1c219466daac1083df
Kind regards,
Petr
> + *
> + * Fixed in:
> + *
> + * commit 5fe23f262e05
> + * ucma: fix a use-after-free in ucma_resolve_ip()
> + */
> +
> +#include "tst_test.h"
> +#include "tst_safe_pthread.h"
> +#include "lapi/rdma_user_cm.h"
> +
> +#define RDMA_CM_DEV "/dev/infiniband/rdma_cm"
> +
> +static int cmfd = -1;
> +static volatile uint32_t shared_id;
> +static volatile int stop_threads;
> +
> +static void destroy_id(uint32_t id)
> +{
> + ssize_t ret;
> +
> + struct {
> + struct rdma_ucm_cmd_hdr hdr;
> + struct rdma_ucm_destroy_id destroy;
> + } msg = {
> + .hdr = {
> + .cmd = RDMA_USER_CM_CMD_DESTROY_ID,
> + .out = sizeof(struct rdma_ucm_create_id_resp),
> + },
> + .destroy = {
> + .id = id,
> + },
> + };
> + struct rdma_ucm_create_id_resp resp;
> +
> + msg.destroy.response = (uintptr_t)&resp;
> +
> + /* Errors expected due to racing with stale IDs */
> + ret = write(cmfd, &msg, sizeof(msg));
> + (void)ret;
> +}
> +
> +static void *thread_create(void *arg)
> +{
> + uint32_t id, prev_id = 0;
> + int has_prev = 0;
> +
> + while (!stop_threads) {
> + struct {
> + struct rdma_ucm_cmd_hdr hdr;
> + struct rdma_ucm_create_id create;
> + } msg = {
> + .hdr = {
> + .cmd = RDMA_USER_CM_CMD_CREATE_ID,
> + .out = sizeof(id),
> + },
> + .create = {
> + .response = (uintptr_t)&id,
> + .ps = RDMA_PS_IPOIB,
> + },
> + };
> +
> + if (write(cmfd, &msg, sizeof(msg)) > 0) {
> + if (has_prev)
> + destroy_id(prev_id);
> + prev_id = id;
> + has_prev = 1;
> + shared_id = id;
> + }
> + }
> +
> + if (has_prev)
> + destroy_id(prev_id);
> +
> + return arg;
> +}
> +
> +static void *thread_bind(void *arg)
> +{
> + ssize_t ret;
> +
> + while (!stop_threads) {
> + struct {
> + struct rdma_ucm_cmd_hdr hdr;
> + struct rdma_ucm_bind_ip bind;
> + } msg = {
> + .hdr = {
> + .cmd = RDMA_USER_CM_CMD_BIND_IP,
> + },
> + .bind = {
> + .addr = {
> + .sin6_family = AF_INET6,
> + .sin6_addr = {
> + .s6_addr = { 0xff },
> + },
> + },
> + .id = shared_id,
> + },
> + };
> +
> + /* Errors expected due to racing with stale IDs */
> + ret = write(cmfd, &msg, sizeof(msg));
> + (void)ret;
> + }
> +
> + return arg;
> +}
> +
> +static void *thread_listen(void *arg)
> +{
> + ssize_t ret;
> +
> + while (!stop_threads) {
> + struct {
> + struct rdma_ucm_cmd_hdr hdr;
> + struct rdma_ucm_listen listen;
> + } msg = {
> + .hdr = {
> + .cmd = RDMA_USER_CM_CMD_LISTEN,
> + },
> + .listen = {
> + .id = shared_id,
> + },
> + };
> +
> + /* Errors expected due to racing with stale IDs */
> + ret = write(cmfd, &msg, sizeof(msg));
> + (void)ret;
> + }
> +
> + return arg;
> +}
> +
> +static void setup(void)
> +{
> + cmfd = open(RDMA_CM_DEV, O_WRONLY);
> + if (cmfd < 0) {
> + if (errno == ENOENT || errno == ENXIO)
> + tst_brk(TCONF, RDMA_CM_DEV " not available");
> + tst_brk(TBROK | TERRNO, "open(" RDMA_CM_DEV ")");
> + }
> +}
> +
> +static void cleanup(void)
> +{
> + if (cmfd != -1)
> + SAFE_CLOSE(cmfd);
> +}
> +
> +static void run(void)
> +{
> + pthread_t threads[3];
> +
> + stop_threads = 0;
> +
> + SAFE_PTHREAD_CREATE(&threads[0], NULL, thread_create, NULL);
> + SAFE_PTHREAD_CREATE(&threads[1], NULL, thread_bind, NULL);
> + SAFE_PTHREAD_CREATE(&threads[2], NULL, thread_listen, NULL);
> +
> + while (tst_remaining_runtime())
> + sleep(1);
> +
> + stop_threads = 1;
> +
> + SAFE_PTHREAD_JOIN(threads[0], NULL);
> + SAFE_PTHREAD_JOIN(threads[1], NULL);
> + SAFE_PTHREAD_JOIN(threads[2], NULL);
> +
> + if (tst_taint_check())
> + tst_res(TFAIL, "Kernel is vulnerable (use-after-free in UCMA)");
> + else
> + tst_res(TPASS, "No kernel taint detected");
> +}
> +
> +static struct tst_test test = {
> + .test_all = run,
> + .setup = setup,
> + .cleanup = cleanup,
> + .runtime = 300,
> + .needs_root = 1,
> + .taint_check = TST_TAINT_W | TST_TAINT_D,
> + .needs_kconfigs = (const char *[]) {
> + "CONFIG_INFINIBAND",
> + "CONFIG_INFINIBAND_USER_ACCESS",
> + NULL
> + },
> + .tags = (const struct tst_tag[]) {
> + {"linux-git", "5fe23f262e05"},
> + {}
> + },
> +};
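Review bot: None of the four command headers sets .hdr.in, although every write() carries a payload after the header (destroy_id(), thread_create(), thread_bind() and thread_listen() all leave it at zero while .out is filled in where a response is expected). Set it to the payload size, for example .in = sizeof(struct rdma_ucm_create_id) in thread_create(), so the request stays well-formed if the kernel validates the input length. In destroy_id() the response buffer and .out are typed as struct rdma_ucm_create_id_resp; a DESTROY_ID-specific response struct in the lapi header, or a comment explaining the reuse, would show that this is intentional.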
* Re: [LTP] [PATCH 2/2] device-drivers/rdma: Add ucma_uaf01 test
From: Petr Vorel @ 2026-04-08 7:16 UTC
To: Andrea Cervesato; +Cc: Linux Test Project
Hi Andrea,
...
> +/*\
> + * Test for use-after-free in RDMA UCMA triggered by concurrent CREATE_ID,
> + * BIND_IP, and LISTEN operations via /dev/infiniband/rdma_cm.
> + *
> + * Requires root to open /dev/infiniband/rdma_cm.
...
> + * Fixed in:
> + *
> + * commit 5fe23f262e05
> + * ucma: fix a use-after-free in ucma_resolve_ip()
nit: I'd use the standard git commit reference used in the Fixes: tag:
5fe23f262e054 ("ucma: fix a use-after-free in ucma_resolve_ip()")
Kind regards,
Petr
* Re: [LTP] [PATCH 2/2] device-drivers/rdma: Add ucma_uaf01 test
From: Leon Romanovsky via ltp @ 2026-04-12 14:14 UTC
To: Petr Vorel
Cc: rds-devel, linux-rdma, Eric Biggers, Jason Gunthorpe,
Doug Ledford, Linux Test Project
On Tue, Apr 07, 2026 at 03:24:26PM +0200, Petr Vorel wrote:
> Hi Andrea,
>
> it's been long time since this use-after-free was fixed, but IMHO still useful
> to have a test (it's also kind of smoke test for rdma_cm).
> Anyway, LGTM, but it'd be nice to reproduce the bug.
>
> Reviewed-by: Petr Vorel <pvorel@suse.cz>
>
> > Test for use-after-free in RDMA UCMA triggered by racing CREATE_ID,
> > BIND_IP, and LISTEN operations. Three threads concurrently issue
> > these commands to /dev/infiniband/rdma_cm and the test checks for
> > kernel taint (KASAN use-after-free detection).
>
> > The bug was fixed by kernel commit 5fe23f262e05
> > ("ucma: fix a use-after-free in ucma_resolve_ip()").
>
> > Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
> > ---
> > runtest/kernel_misc | 1 +
> > testcases/kernel/device-drivers/Makefile | 1 +
> > testcases/kernel/device-drivers/rdma/.gitignore | 1 +
> > testcases/kernel/device-drivers/rdma/Makefile | 7 +
> > testcases/kernel/device-drivers/rdma/ucma_uaf01.c | 208 ++++++++++++++++++++++
> > 5 files changed, 218 insertions(+)
<...>
> > +static struct tst_test test = {
> > + .test_all = run,
> > + .setup = setup,
> > + .cleanup = cleanup,
> > + .runtime = 300,
> > + .needs_root = 1,
> > + .taint_check = TST_TAINT_W | TST_TAINT_D,
> > + .needs_kconfigs = (const char *[]) {
> > + "CONFIG_INFINIBAND",
> > + "CONFIG_INFINIBAND_USER_ACCESS",
I’m not familiar with the LTP tests, but I wanted to point out that these
config options are insufficient. You need an actual or virtual RDMA device
connected to rdma-cm for the tests to work correctly.
Thanks
* Re: [LTP] [PATCH 2/2] device-drivers/rdma: Add ucma_uaf01 test
From: Petr Vorel @ 2026-04-14 7:30 UTC
To: Leon Romanovsky
Cc: rds-devel, linux-rdma, Eric Biggers, Jason Gunthorpe,
Doug Ledford, Linux Test Project
Hi Leon, all,
> On Tue, Apr 07, 2026 at 03:24:26PM +0200, Petr Vorel wrote:
> > Hi Andrea,
> > it's been long time since this use-after-free was fixed, but IMHO still useful
> > to have a test (it's also kind of smoke test for rdma_cm).
> > Anyway, LGTM, but it'd be nice to reproduce the bug.
> > Reviewed-by: Petr Vorel <pvorel@suse.cz>
> > > Test for use-after-free in RDMA UCMA triggered by racing CREATE_ID,
> > > BIND_IP, and LISTEN operations. Three threads concurrently issue
> > > these commands to /dev/infiniband/rdma_cm and the test checks for
> > > kernel taint (KASAN use-after-free detection).
> > > The bug was fixed by kernel commit 5fe23f262e05
> > > ("ucma: fix a use-after-free in ucma_resolve_ip()").
> > > Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
> > > ---
> > > runtest/kernel_misc | 1 +
> > > testcases/kernel/device-drivers/Makefile | 1 +
> > > testcases/kernel/device-drivers/rdma/.gitignore | 1 +
> > > testcases/kernel/device-drivers/rdma/Makefile | 7 +
> > > testcases/kernel/device-drivers/rdma/ucma_uaf01.c | 208 ++++++++++++++++++++++
> > > 5 files changed, 218 insertions(+)
> <...>
> > > +static struct tst_test test = {
> > > + .test_all = run,
> > > + .setup = setup,
> > > + .cleanup = cleanup,
> > > + .runtime = 300,
> > > + .needs_root = 1,
> > > + .taint_check = TST_TAINT_W | TST_TAINT_D,
> > > + .needs_kconfigs = (const char *[]) {
> > > + "CONFIG_INFINIBAND",
> > > + "CONFIG_INFINIBAND_USER_ACCESS",
> I’m not familiar with the LTP tests, but I wanted to point out that these
> config options are insufficient. You need an actual or virtual RDMA device
> connected to rdma-cm for the tests to work correctly.
Leon, thanks for looking into it. FYI these are just config options to skip
kernels without the required kernel modules.
So using /dev/infiniband/rdma_cm (via RDMA_CM_DEV) is not enough, we need
another device?
Kind regards,
Petr
* Re: [LTP] [PATCH 2/2] device-drivers/rdma: Add ucma_uaf01 test
From: Leon Romanovsky via ltp @ 2026-04-14 9:17 UTC
To: Petr Vorel
Cc: rds-devel, linux-rdma, Eric Biggers, Jason Gunthorpe,
Doug Ledford, Linux Test Project
On Tue, Apr 14, 2026 at 09:30:10AM +0200, Petr Vorel wrote:
> Hi Leon, all,
>
> > On Tue, Apr 07, 2026 at 03:24:26PM +0200, Petr Vorel wrote:
> > > Hi Andrea,
>
> > > it's been long time since this use-after-free was fixed, but IMHO still useful
> > > to have a test (it's also kind of smoke test for rdma_cm).
> > > Anyway, LGTM, but it'd be nice to reproduce the bug.
>
> > > Reviewed-by: Petr Vorel <pvorel@suse.cz>
>
> > > > Test for use-after-free in RDMA UCMA triggered by racing CREATE_ID,
> > > > BIND_IP, and LISTEN operations. Three threads concurrently issue
> > > > these commands to /dev/infiniband/rdma_cm and the test checks for
> > > > kernel taint (KASAN use-after-free detection).
>
> > > > The bug was fixed by kernel commit 5fe23f262e05
> > > > ("ucma: fix a use-after-free in ucma_resolve_ip()").
>
> > > > Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
> > > > ---
> > > > runtest/kernel_misc | 1 +
> > > > testcases/kernel/device-drivers/Makefile | 1 +
> > > > testcases/kernel/device-drivers/rdma/.gitignore | 1 +
> > > > testcases/kernel/device-drivers/rdma/Makefile | 7 +
> > > > testcases/kernel/device-drivers/rdma/ucma_uaf01.c | 208 ++++++++++++++++++++++
> > > > 5 files changed, 218 insertions(+)
>
> > <...>
>
> > > > +static struct tst_test test = {
> > > > + .test_all = run,
> > > > + .setup = setup,
> > > > + .cleanup = cleanup,
> > > > + .runtime = 300,
> > > > + .needs_root = 1,
> > > > + .taint_check = TST_TAINT_W | TST_TAINT_D,
> > > > + .needs_kconfigs = (const char *[]) {
> > > > + "CONFIG_INFINIBAND",
> > > > + "CONFIG_INFINIBAND_USER_ACCESS",
>
> > I’m not familiar with the LTP tests, but I wanted to point out that these
> > config options are insufficient. You need an actual or virtual RDMA device
> > connected to rdma-cm for the tests to work correctly.
>
> Leon, thanks for looking into it. FYI these are just config options to skip
> kernels without required kernel modules.
>
> So using /dev/infiniband/rdma_cm (via RDMA_CM_DEV) is not enough, we need
> another device?
Yes, `rdma-cm` provides an interface for address resolution on
IB/iWARP/RoCE networks without requiring knowledge of the underlying
fabric details.
When an IB device is registered, RDMA/core invokes `cm_add_one()`, which
attaches `rdma-cm` to that device.
https://elixir.bootlin.com/linux/v7.0/source/drivers/infiniband/core/cm.c#L4335
Thanks
>
> Kind regards,
> Petr
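The precondition raised in the exchange above (an RDMA device must be attached for the rdma_cm test to exercise anything), combined with the W/D taint comparison the patch relies on, as an added example that is not part of the thread, LTP or the kernel. It assumes registered RDMA devices are listed under /sys/class/infiniband; count_rdma_devices(), parse_taint() and judge_run() are hypothetical names.

```c
/* Added example, not LTP or kernel code. Helper names are hypothetical. */
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumption: registered RDMA devices show up as entries of this sysfs class. */
#define RDMA_CLASS_DIR "/sys/class/infiniband"
#define TAINT_FILE "/proc/sys/kernel/tainted"

/* Kernel taint bits behind the TST_TAINT_W | TST_TAINT_D mask in the patch. */
#define TAINT_DIE  (1UL << 7)	/* 'D': the kernel oopsed */
#define TAINT_WARN (1UL << 9)	/* 'W': the kernel issued a warning */

enum verdict { VERDICT_PASS, VERDICT_FAIL, VERDICT_SKIP };

/* Number of visible entries in class_dir, or -1 when it cannot be opened. */
int count_rdma_devices(const char *class_dir)
{
	DIR *dir = opendir(class_dir);
	struct dirent *ent;
	int count = 0;

	if (!dir)
		return -1;

	while ((ent = readdir(dir))) {
		if (ent->d_name[0] == '.')	/* skips ".", ".." and hidden names */
			continue;
		count++;
	}

	closedir(dir);
	return count;
}

/* Parse the decimal mask as printed by /proc/sys/kernel/tainted. */
int parse_taint(const char *text, unsigned long *mask)
{
	char *end;
	unsigned long val;

	errno = 0;
	val = strtoul(text, &end, 10);
	if (errno || end == text || (*end != '\0' && *end != '\n'))
		return -1;

	*mask = val;
	return 0;
}

/*
 * Verdict for one run of a race test:
 *  - FAIL if a watched taint bit was set during the run,
 *  - SKIP if nothing tainted but no RDMA device was present, because a
 *    clean result then says nothing about the kernel under test,
 *  - PASS otherwise.
 * Bits already set before the run are not blamed on the test.
 */
enum verdict judge_run(int ndevices, unsigned long before, unsigned long after)
{
	unsigned long fresh = after & ~before & (TAINT_WARN | TAINT_DIE);

	if (fresh)
		return VERDICT_FAIL;
	if (ndevices <= 0)
		return VERDICT_SKIP;
	return VERDICT_PASS;
}

int main(void)
{
	static const char *names[] = { "PASS", "FAIL", "SKIP" };
	char buf[64] = "";
	unsigned long taint = 0;
	int ndev = count_rdma_devices(RDMA_CLASS_DIR);
	FILE *f = fopen(TAINT_FILE, "r");

	if (!f || !fgets(buf, sizeof(buf), f) || parse_taint(buf, &taint))
		fprintf(stderr, "cannot read %s\n", TAINT_FILE);
	if (f)
		fclose(f);

	printf("RDMA devices: %d, taint mask: %lu\n", ndev, taint);
	/* No race is run here, so only the device precondition decides. */
	printf("verdict: %s\n", names[judge_run(ndev, taint, taint)]);
	return 0;
}
```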
* Re: [LTP] lapi: Add fallback rdma_user_cm.h definitions
From: linuxtestproject.agent @ 2026-04-17 12:02 UTC
To: Andrea Cervesato; +Cc: ltp, LTP AI Reviewer
Hi Andrea,
On Wed, 25 Mar 2026, Andrea Cervesato wrote:
> lapi: Add fallback rdma_user_cm.h definitions
> +#ifdef HAVE_RDMA_RDMA_USER_CM_H
> +# include <rdma/rdma_user_cm.h>
> +#endif
> +
> +#ifndef RDMA_USER_CM_ABI_VERSION
Correct lapi pattern — configure check + fallback guard under
RDMA_USER_CM_ABI_VERSION.
[...]
> device-drivers/rdma: Add ucma_uaf01 test
> + while (tst_remaining_runtime())
> + sleep(1);
Standard runtime-loop idiom, not synchronization — fine.
[...]
> + .taint_check = TST_TAINT_W | TST_TAINT_D,
> + .needs_kconfigs = (const char *[]) {
> + "CONFIG_INFINIBAND",
> + "CONFIG_INFINIBAND_USER_ACCESS",
> + NULL
> + },
Good use of needs_kconfigs to skip cleanly on systems without RDMA
support.
Reviewed-by: LTP AI Reviewer <ltp-ai@noreply.github.com>
---
Note:
Our agent completed the review of the patch.
The agent can sometimes produce false positives although often its
findings are genuine. If you find issues with the review, please
comment on this email or ignore the suggestions.
Regards,
LTP AI Reviewer