* [PATCH rc 0/4] Fix several serious mistakes on the udata path in drivers
@ 2026-02-16 15:02 Jason Gunthorpe
2026-02-16 15:02 ` [PATCH rc 1/4] RDMA/efa: Fix typo in efa_alloc_mr() Jason Gunthorpe
` (4 more replies)
0 siblings, 5 replies; 11+ messages in thread
From: Jason Gunthorpe @ 2026-02-16 15:02 UTC (permalink / raw)
To: Gal Pressman, Krzysztof Czurylo, Leon Romanovsky, linux-rdma,
Michael Margolin, Yossi Leybovich, Tatyana Nikolova
Cc: Abhijit Gangurde, Allen Hubbe, Andrew Boyer, Gal Pressman,
Mustafa Ismail, patches, Roland Dreier, Shiraz Saleem, stable,
Steve Wise
While converting drivers to use
ib_copy_validate_udata_in()/ib_respond_udata()/etc these issues were
found, mostly by AI scanners.
Jason Gunthorpe (4):
RDMA/efa: Fix typo in efa_alloc_mr()
IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq()
RDMA/irdma: Fix kernel stack leak in irdma_create_user_ah()
RDMA/ionic: Fix kernel stack leak in ionic_create_cq()
drivers/infiniband/hw/efa/efa_verbs.c | 2 +-
drivers/infiniband/hw/ionic/ionic_controlpath.c | 2 +-
drivers/infiniband/hw/irdma/verbs.c | 2 +-
drivers/infiniband/hw/mthca/mthca_provider.c | 2 ++
4 files changed, 5 insertions(+), 3 deletions(-)
base-commit: d6c58f4eb3d00a695f5a610ea780cad322ec714e
--
2.43.0
^ permalink raw reply [flat|nested] 11+ messages in thread
* [PATCH rc 1/4] RDMA/efa: Fix typo in efa_alloc_mr()
2026-02-16 15:02 [PATCH rc 0/4] Fix several serious mistakes on the udata path in drivers Jason Gunthorpe
@ 2026-02-16 15:02 ` Jason Gunthorpe
2026-02-16 15:30 ` Michael Margolin
2026-02-16 15:02 ` [PATCH rc 2/4] IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq() Jason Gunthorpe
` (3 subsequent siblings)
4 siblings, 1 reply; 11+ messages in thread
From: Jason Gunthorpe @ 2026-02-16 15:02 UTC (permalink / raw)
To: Gal Pressman, Krzysztof Czurylo, Leon Romanovsky, linux-rdma,
Michael Margolin, Yossi Leybovich, Tatyana Nikolova
Cc: Abhijit Gangurde, Allen Hubbe, Andrew Boyer, Gal Pressman,
Mustafa Ismail, patches, Roland Dreier, Shiraz Saleem, stable,
Steve Wise
The pattern is to check the entire driver request space, not just
sizeof something unrelated.
Fixes: 40909f664d27 ("RDMA/efa: Add EFA verbs implementation")
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
---
drivers/infiniband/hw/efa/efa_verbs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/infiniband/hw/efa/efa_verbs.c b/drivers/infiniband/hw/efa/efa_verbs.c
index 22d3e25c3b9d11..c066cd84aa6407 100644
--- a/drivers/infiniband/hw/efa/efa_verbs.c
+++ b/drivers/infiniband/hw/efa/efa_verbs.c
@@ -1667,7 +1667,7 @@ static struct efa_mr *efa_alloc_mr(struct ib_pd *ibpd, int access_flags,
struct efa_mr *mr;
if (udata && udata->inlen &&
- !ib_is_udata_cleared(udata, 0, sizeof(udata->inlen))) {
+ !ib_is_udata_cleared(udata, 0, udata->inlen)) {
ibdev_dbg(&dev->ibdev,
"Incompatible ABI params, udata not cleared\n");
return ERR_PTR(-EINVAL);
--
2.43.0
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [PATCH rc 2/4] IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq()
2026-02-16 15:02 [PATCH rc 0/4] Fix several serious mistakes on the udata path in drivers Jason Gunthorpe
2026-02-16 15:02 ` [PATCH rc 1/4] RDMA/efa: Fix typo in efa_alloc_mr() Jason Gunthorpe
@ 2026-02-16 15:02 ` Jason Gunthorpe
2026-02-17 13:23 ` Leon Romanovsky
2026-02-16 15:02 ` [PATCH rc 3/4] RDMA/irdma: Fix kernel stack leak in irdma_create_user_ah() Jason Gunthorpe
` (2 subsequent siblings)
4 siblings, 1 reply; 11+ messages in thread
From: Jason Gunthorpe @ 2026-02-16 15:02 UTC (permalink / raw)
To: Gal Pressman, Krzysztof Czurylo, Leon Romanovsky, linux-rdma,
Michael Margolin, Yossi Leybovich, Tatyana Nikolova
Cc: Abhijit Gangurde, Allen Hubbe, Andrew Boyer, Gal Pressman,
Mustafa Ismail, patches, Roland Dreier, Shiraz Saleem, stable,
Steve Wise
Fix a user triggerable leak on the system call failure path.
Cc: stable@vger.kernel.org
Fixes: ec34a922d243 ("[PATCH] IB/mthca: Add SRQ implementation")
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
---
drivers/infiniband/hw/mthca/mthca_provider.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/infiniband/hw/mthca/mthca_provider.c b/drivers/infiniband/hw/mthca/mthca_provider.c
index dd572d76866c2e..ae0c8024ad2310 100644
--- a/drivers/infiniband/hw/mthca/mthca_provider.c
+++ b/drivers/infiniband/hw/mthca/mthca_provider.c
@@ -428,6 +428,8 @@ static int mthca_create_srq(struct ib_srq *ibsrq,
if (context && ib_copy_to_udata(udata, &srq->srqn, sizeof(__u32))) {
mthca_free_srq(to_mdev(ibsrq->device), srq);
+ mthca_unmap_user_db(to_mdev(ibsrq->device), &context->uar,
+ context->db_tab, ucmd.db_index);
return -EFAULT;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [PATCH rc 3/4] RDMA/irdma: Fix kernel stack leak in irdma_create_user_ah()
2026-02-16 15:02 [PATCH rc 0/4] Fix several serious mistakes on the udata path in drivers Jason Gunthorpe
2026-02-16 15:02 ` [PATCH rc 1/4] RDMA/efa: Fix typo in efa_alloc_mr() Jason Gunthorpe
2026-02-16 15:02 ` [PATCH rc 2/4] IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq() Jason Gunthorpe
@ 2026-02-16 15:02 ` Jason Gunthorpe
2026-02-16 15:02 ` [PATCH rc 4/4] RDMA/ionic: Fix kernel stack leak in ionic_create_cq() Jason Gunthorpe
2026-02-24 10:03 ` [PATCH rc 0/4] Fix several serious mistakes on the udata path in drivers Leon Romanovsky
4 siblings, 0 replies; 11+ messages in thread
From: Jason Gunthorpe @ 2026-02-16 15:02 UTC (permalink / raw)
To: Gal Pressman, Krzysztof Czurylo, Leon Romanovsky, linux-rdma,
Michael Margolin, Yossi Leybovich, Tatyana Nikolova
Cc: Abhijit Gangurde, Allen Hubbe, Andrew Boyer, Gal Pressman,
Mustafa Ismail, patches, Roland Dreier, Shiraz Saleem, stable,
Steve Wise
struct irdma_create_ah_resp { // 8 bytes, no padding
__u32 ah_id; // offset 0 - SET (uresp.ah_id = ah->sc_ah.ah_info.ah_idx)
__u8 rsvd[4]; // offset 4 - NEVER SET <- LEAK
};
rsvd[4]: 4 bytes of stack memory leaked unconditionally. Only ah_id is assigned before ib_respond_udata().
The reserved members of the structure were not zeroed.
Cc: stable@vger.kernel.org
Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs")
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
---
drivers/infiniband/hw/irdma/verbs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c
index cf8d1915057402..afc41619a0abc4 100644
--- a/drivers/infiniband/hw/irdma/verbs.c
+++ b/drivers/infiniband/hw/irdma/verbs.c
@@ -5212,7 +5212,7 @@ static int irdma_create_user_ah(struct ib_ah *ibah,
#define IRDMA_CREATE_AH_MIN_RESP_LEN offsetofend(struct irdma_create_ah_resp, rsvd)
struct irdma_ah *ah = container_of(ibah, struct irdma_ah, ibah);
struct irdma_device *iwdev = to_iwdev(ibah->pd->device);
- struct irdma_create_ah_resp uresp;
+ struct irdma_create_ah_resp uresp = {};
struct irdma_ah *parent_ah;
int err;
--
2.43.0
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [PATCH rc 4/4] RDMA/ionic: Fix kernel stack leak in ionic_create_cq()
2026-02-16 15:02 [PATCH rc 0/4] Fix several serious mistakes on the udata path in drivers Jason Gunthorpe
` (2 preceding siblings ...)
2026-02-16 15:02 ` [PATCH rc 3/4] RDMA/irdma: Fix kernel stack leak in irdma_create_user_ah() Jason Gunthorpe
@ 2026-02-16 15:02 ` Jason Gunthorpe
2026-02-23 12:07 ` Abhijit Gangurde
2026-02-24 10:03 ` [PATCH rc 0/4] Fix several serious mistakes on the udata path in drivers Leon Romanovsky
4 siblings, 1 reply; 11+ messages in thread
From: Jason Gunthorpe @ 2026-02-16 15:02 UTC (permalink / raw)
To: Gal Pressman, Krzysztof Czurylo, Leon Romanovsky, linux-rdma,
Michael Margolin, Yossi Leybovich, Tatyana Nikolova
Cc: Abhijit Gangurde, Allen Hubbe, Andrew Boyer, Gal Pressman,
Mustafa Ismail, patches, Roland Dreier, Shiraz Saleem, stable,
Steve Wise
struct ionic_cq_resp resp {
__u32 cqid[2]; // offset 0 - PARTIALLY SET (see below)
__u8 udma_mask; // offset 8 - SET (resp.udma_mask = vcq->udma_mask)
__u8 rsvd[7]; // offset 9 - NEVER SET <- LEAK
};
rsvd[7]: 7 bytes of stack memory leaked unconditionally.
cqid[2]: The loop at line 1256 iterates over udma_idx but skips indices
where !(vcq->udma_mask & BIT(udma_idx)). The array has 2 entries but
udma_count could be 1, meaning cqid[1] might never be written via
ionic_create_cq_common(). If udma_mask only has bit 0 set, cqid[1] (4
bytes) is also leaked. So potentially 11 bytes leaked.
Cc: stable@vger.kernel.org
Fixes: e8521822c733 ("RDMA/ionic: Register device ops for control path")
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
---
drivers/infiniband/hw/ionic/ionic_controlpath.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/infiniband/hw/ionic/ionic_controlpath.c b/drivers/infiniband/hw/ionic/ionic_controlpath.c
index ea12d9b8e125fe..83573721af2c08 100644
--- a/drivers/infiniband/hw/ionic/ionic_controlpath.c
+++ b/drivers/infiniband/hw/ionic/ionic_controlpath.c
@@ -1218,7 +1218,7 @@ int ionic_create_cq(struct ib_cq *ibcq, const struct ib_cq_init_attr *attr,
rdma_udata_to_drv_context(udata, struct ionic_ctx, ibctx);
struct ionic_vcq *vcq = to_ionic_vcq(ibcq);
struct ionic_tbl_buf buf = {};
- struct ionic_cq_resp resp;
+ struct ionic_cq_resp resp = {};
struct ionic_cq_req req;
int udma_idx = 0, rc;
--
2.43.0
^ permalink raw reply related [flat|nested] 11+ messages in thread
* Re: [PATCH rc 1/4] RDMA/efa: Fix typo in efa_alloc_mr()
2026-02-16 15:02 ` [PATCH rc 1/4] RDMA/efa: Fix typo in efa_alloc_mr() Jason Gunthorpe
@ 2026-02-16 15:30 ` Michael Margolin
0 siblings, 0 replies; 11+ messages in thread
From: Michael Margolin @ 2026-02-16 15:30 UTC (permalink / raw)
To: Jason Gunthorpe
Cc: Gal Pressman, Krzysztof Czurylo, Leon Romanovsky, linux-rdma,
Yossi Leybovich, Tatyana Nikolova, Abhijit Gangurde, Allen Hubbe,
Andrew Boyer, Gal Pressman, Mustafa Ismail, patches,
Roland Dreier, Shiraz Saleem, stable, Steve Wise
On Mon, Feb 16, 2026 at 11:02:47AM -0400, Jason Gunthorpe wrote:w3esq23
> The pattern is to check the entire driver request space, not just
> sizeof something unrelated.
>
> Fixes: 40909f664d27 ("RDMA/efa: Add EFA verbs implementation")
> Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
> ---
> drivers/infiniband/hw/efa/efa_verbs.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/infiniband/hw/efa/efa_verbs.c b/drivers/infiniband/hw/efa/efa_verbs.c
> index 22d3e25c3b9d11..c066cd84aa6407 100644
> --- a/drivers/infiniband/hw/efa/efa_verbs.c
> +++ b/drivers/infiniband/hw/efa/efa_verbs.c
> @@ -1667,7 +1667,7 @@ static struct efa_mr *efa_alloc_mr(struct ib_pd *ibpd, int access_flags,
> struct efa_mr *mr;
>
> if (udata && udata->inlen &&
> - !ib_is_udata_cleared(udata, 0, sizeof(udata->inlen))) {
> + !ib_is_udata_cleared(udata, 0, udata->inlen)) {
> ibdev_dbg(&dev->ibdev,
> "Incompatible ABI params, udata not cleared\n");
> return ERR_PTR(-EINVAL);
> --
> 2.43.0
>
Thanks!
Acked-by: Michael Margolin <mrgolin@amazon.com>
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH rc 2/4] IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq()
2026-02-16 15:02 ` [PATCH rc 2/4] IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq() Jason Gunthorpe
@ 2026-02-17 13:23 ` Leon Romanovsky
2026-02-17 23:46 ` Jason Gunthorpe
0 siblings, 1 reply; 11+ messages in thread
From: Leon Romanovsky @ 2026-02-17 13:23 UTC (permalink / raw)
To: Jason Gunthorpe
Cc: Gal Pressman, Krzysztof Czurylo, linux-rdma, Michael Margolin,
Yossi Leybovich, Tatyana Nikolova, Abhijit Gangurde, Allen Hubbe,
Andrew Boyer, Gal Pressman, Mustafa Ismail, patches,
Roland Dreier, Shiraz Saleem, stable, Steve Wise
On Mon, Feb 16, 2026 at 11:02:48AM -0400, Jason Gunthorpe wrote:
> Fix a user triggerable leak on the system call failure path.
>
> Cc: stable@vger.kernel.org
> Fixes: ec34a922d243 ("[PATCH] IB/mthca: Add SRQ implementation")
> Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
> ---
> drivers/infiniband/hw/mthca/mthca_provider.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/infiniband/hw/mthca/mthca_provider.c b/drivers/infiniband/hw/mthca/mthca_provider.c
> index dd572d76866c2e..ae0c8024ad2310 100644
> --- a/drivers/infiniband/hw/mthca/mthca_provider.c
> +++ b/drivers/infiniband/hw/mthca/mthca_provider.c
> @@ -428,6 +428,8 @@ static int mthca_create_srq(struct ib_srq *ibsrq,
>
> if (context && ib_copy_to_udata(udata, &srq->srqn, sizeof(__u32))) {
> mthca_free_srq(to_mdev(ibsrq->device), srq);
> + mthca_unmap_user_db(to_mdev(ibsrq->device), &context->uar,
> + context->db_tab, ucmd.db_index);
> return -EFAULT;
> }
The `mthca_destroy_srq()` implementation needs to be corrected as well.
Its resource release order is currently reversed.
Thanks
>
> --
> 2.43.0
>
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH rc 2/4] IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq()
2026-02-17 13:23 ` Leon Romanovsky
@ 2026-02-17 23:46 ` Jason Gunthorpe
2026-02-18 9:06 ` Leon Romanovsky
0 siblings, 1 reply; 11+ messages in thread
From: Jason Gunthorpe @ 2026-02-17 23:46 UTC (permalink / raw)
To: Leon Romanovsky
Cc: Gal Pressman, Krzysztof Czurylo, linux-rdma, Michael Margolin,
Yossi Leybovich, Tatyana Nikolova, Abhijit Gangurde, Allen Hubbe,
Andrew Boyer, Gal Pressman, Mustafa Ismail, patches,
Roland Dreier, Shiraz Saleem, stable, Steve Wise
On Tue, Feb 17, 2026 at 03:23:56PM +0200, Leon Romanovsky wrote:
> > @@ -428,6 +428,8 @@ static int mthca_create_srq(struct ib_srq *ibsrq,
> >
> > if (context && ib_copy_to_udata(udata, &srq->srqn, sizeof(__u32))) {
> > mthca_free_srq(to_mdev(ibsrq->device), srq);
> > + mthca_unmap_user_db(to_mdev(ibsrq->device), &context->uar,
> > + context->db_tab, ucmd.db_index);
> > return -EFAULT;
> > }
>
> The `mthca_destroy_srq()` implementation needs to be corrected as well.
> Its resource release order is currently reversed.
Er, that looks OK, this is probably in the wrong order, let's should swap
it, though I'm not sure it is even order sensitive..
Jason
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH rc 2/4] IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq()
2026-02-17 23:46 ` Jason Gunthorpe
@ 2026-02-18 9:06 ` Leon Romanovsky
0 siblings, 0 replies; 11+ messages in thread
From: Leon Romanovsky @ 2026-02-18 9:06 UTC (permalink / raw)
To: Jason Gunthorpe
Cc: Gal Pressman, Krzysztof Czurylo, linux-rdma, Michael Margolin,
Yossi Leybovich, Tatyana Nikolova, Abhijit Gangurde, Allen Hubbe,
Andrew Boyer, Gal Pressman, Mustafa Ismail, patches,
Roland Dreier, Shiraz Saleem, stable, Steve Wise
On Tue, Feb 17, 2026 at 07:46:27PM -0400, Jason Gunthorpe wrote:
> On Tue, Feb 17, 2026 at 03:23:56PM +0200, Leon Romanovsky wrote:
> > > @@ -428,6 +428,8 @@ static int mthca_create_srq(struct ib_srq *ibsrq,
> > >
> > > if (context && ib_copy_to_udata(udata, &srq->srqn, sizeof(__u32))) {
> > > mthca_free_srq(to_mdev(ibsrq->device), srq);
> > > + mthca_unmap_user_db(to_mdev(ibsrq->device), &context->uar,
> > > + context->db_tab, ucmd.db_index);
> > > return -EFAULT;
> > > }
> >
> > The `mthca_destroy_srq()` implementation needs to be corrected as well.
> > Its resource release order is currently reversed.
>
> Er, that looks OK, this is probably in the wrong order, let's should swap
> it, though I'm not sure it is even order sensitive..
Yes, mthca_destroy_srq() in the wrong order.
Thanks
>
> Jason
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH rc 4/4] RDMA/ionic: Fix kernel stack leak in ionic_create_cq()
2026-02-16 15:02 ` [PATCH rc 4/4] RDMA/ionic: Fix kernel stack leak in ionic_create_cq() Jason Gunthorpe
@ 2026-02-23 12:07 ` Abhijit Gangurde
0 siblings, 0 replies; 11+ messages in thread
From: Abhijit Gangurde @ 2026-02-23 12:07 UTC (permalink / raw)
To: Jason Gunthorpe
Cc: Allen Hubbe, Andrew Boyer, Gal Pressman, Mustafa Ismail, patches,
Roland Dreier, Shiraz Saleem, stable, Steve Wise, Gal Pressman,
Krzysztof Czurylo, Leon Romanovsky, linux-rdma, Michael Margolin,
Yossi Leybovich, Tatyana Nikolova
Thanks!
Acked-by: Abhijit Gangurde <abhijit.gangurde@amd.com>
On 2/16/26 20:32, Jason Gunthorpe wrote:
> struct ionic_cq_resp resp {
> __u32 cqid[2]; // offset 0 - PARTIALLY SET (see below)
> __u8 udma_mask; // offset 8 - SET (resp.udma_mask = vcq->udma_mask)
> __u8 rsvd[7]; // offset 9 - NEVER SET <- LEAK
> };
>
> rsvd[7]: 7 bytes of stack memory leaked unconditionally.
>
> cqid[2]: The loop at line 1256 iterates over udma_idx but skips indices
> where !(vcq->udma_mask & BIT(udma_idx)). The array has 2 entries but
> udma_count could be 1, meaning cqid[1] might never be written via
> ionic_create_cq_common(). If udma_mask only has bit 0 set, cqid[1] (4
> bytes) is also leaked. So potentially 11 bytes leaked.
>
> Cc: stable@vger.kernel.org
> Fixes: e8521822c733 ("RDMA/ionic: Register device ops for control path")
> Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
> ---
> drivers/infiniband/hw/ionic/ionic_controlpath.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/infiniband/hw/ionic/ionic_controlpath.c b/drivers/infiniband/hw/ionic/ionic_controlpath.c
> index ea12d9b8e125fe..83573721af2c08 100644
> --- a/drivers/infiniband/hw/ionic/ionic_controlpath.c
> +++ b/drivers/infiniband/hw/ionic/ionic_controlpath.c
> @@ -1218,7 +1218,7 @@ int ionic_create_cq(struct ib_cq *ibcq, const struct ib_cq_init_attr *attr,
> rdma_udata_to_drv_context(udata, struct ionic_ctx, ibctx);
> struct ionic_vcq *vcq = to_ionic_vcq(ibcq);
> struct ionic_tbl_buf buf = {};
> - struct ionic_cq_resp resp;
> + struct ionic_cq_resp resp = {};
> struct ionic_cq_req req;
> int udma_idx = 0, rc;
>
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH rc 0/4] Fix several serious mistakes on the udata path in drivers
2026-02-16 15:02 [PATCH rc 0/4] Fix several serious mistakes on the udata path in drivers Jason Gunthorpe
` (3 preceding siblings ...)
2026-02-16 15:02 ` [PATCH rc 4/4] RDMA/ionic: Fix kernel stack leak in ionic_create_cq() Jason Gunthorpe
@ 2026-02-24 10:03 ` Leon Romanovsky
4 siblings, 0 replies; 11+ messages in thread
From: Leon Romanovsky @ 2026-02-24 10:03 UTC (permalink / raw)
To: Gal Pressman, Krzysztof Czurylo, linux-rdma, Michael Margolin,
Yossi Leybovich, Tatyana Nikolova, Jason Gunthorpe
Cc: Abhijit Gangurde, Allen Hubbe, Andrew Boyer, Gal Pressman,
Mustafa Ismail, patches, Roland Dreier, Shiraz Saleem, stable,
Steve Wise
On Mon, 16 Feb 2026 11:02:46 -0400, Jason Gunthorpe wrote:
> While converting drivers to use
> ib_copy_validate_udata_in()/ib_respond_udata()/etc these issues were
> found, mostly by AI scanners.
>
> Jason Gunthorpe (4):
> RDMA/efa: Fix typo in efa_alloc_mr()
> IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq()
> RDMA/irdma: Fix kernel stack leak in irdma_create_user_ah()
> RDMA/ionic: Fix kernel stack leak in ionic_create_cq()
>
> [...]
Applied, thanks!
[1/4] RDMA/efa: Fix typo in efa_alloc_mr()
https://git.kernel.org/rdma/rdma/c/f22c77ce49db05
[2/4] IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq()
https://git.kernel.org/rdma/rdma/c/117942ca43e2e3
[3/4] RDMA/irdma: Fix kernel stack leak in irdma_create_user_ah()
https://git.kernel.org/rdma/rdma/c/74586c6da9ea22
[4/4] RDMA/ionic: Fix kernel stack leak in ionic_create_cq()
https://git.kernel.org/rdma/rdma/c/faa72102b178c7
Best regards,
--
Leon Romanovsky <leon@kernel.org>
^ permalink raw reply [flat|nested] 11+ messages in thread
end of thread, other threads:[~2026-02-24 10:03 UTC | newest]
Thread overview: 11+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-02-16 15:02 [PATCH rc 0/4] Fix several serious mistakes on the udata path in drivers Jason Gunthorpe
2026-02-16 15:02 ` [PATCH rc 1/4] RDMA/efa: Fix typo in efa_alloc_mr() Jason Gunthorpe
2026-02-16 15:30 ` Michael Margolin
2026-02-16 15:02 ` [PATCH rc 2/4] IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq() Jason Gunthorpe
2026-02-17 13:23 ` Leon Romanovsky
2026-02-17 23:46 ` Jason Gunthorpe
2026-02-18 9:06 ` Leon Romanovsky
2026-02-16 15:02 ` [PATCH rc 3/4] RDMA/irdma: Fix kernel stack leak in irdma_create_user_ah() Jason Gunthorpe
2026-02-16 15:02 ` [PATCH rc 4/4] RDMA/ionic: Fix kernel stack leak in ionic_create_cq() Jason Gunthorpe
2026-02-23 12:07 ` Abhijit Gangurde
2026-02-24 10:03 ` [PATCH rc 0/4] Fix several serious mistakes on the udata path in drivers Leon Romanovsky
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox