Re: [PATCH] IB/mlx5: Fix potential NULL dereference in query_device

Next message: Tejun Heo: "Re: [PATCH v3] blk-iocost: fix busy_level reset when no IOs complete"
Previous message: Han Gao: "Re: [PATCH 0/2] PCI: Allow disabling port services on broken root ports"
In reply to: Prathamesh Deshpande: "Re: [PATCH] IB/mlx5: Fix potential NULL dereference in query_device"
Next in thread: Prathamesh Deshpande: "Re: [PATCH] IB/mlx5: Fix potential NULL dereference in query_device"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Leon Romanovsky

Date: Tue Mar 31 2026 - 15:08:27 EST

On Tue, Mar 31, 2026 at 07:25:56PM +0100, Prathamesh Deshpande wrote:
> On Tue, Mar 31, 2026 at 04:49:55PM +0300, Leon Romanovsky wrote:
> > On Tue, Mar 31, 2026 at 02:44:27AM +0100, Prathamesh Deshpande wrote:
> > > Smatch reported an inconsistent NULL check for 'uhw' in
> > > mlx5_ib_query_device(). While 'uhw_outlen' is checked at the end of
> > > the function before calling ib_copy_to_udata(), 'uhw' is explicitly
> > > checked for NULL earlier in the same function.
> > >
> > > If a caller provides a non-zero 'uhw_outlen' but a NULL 'uhw' pointer,
> > > ib_copy_to_udata() will attempt to dereference 'uhw',
> >
> > How is it possible?
>
> Hi Leon,
>
> You are right that in the current uverbs paths, 'uhw_outlen' and 'uhw'
> should stay in sync.
>
> However, Smatch flags this as an inconsistency because 'uhw' is explicitly
> checked for NULL earlier in this same function (at line 968). If the code
> assumes 'uhw' could be NULL there, it is safer and more consistent to
> check the pointer directly before passing it to ib_copy_to_udata() at
> line 1357.
>
> This prevents any future refactoring or unconventional kernel-space
> callers from accidentally triggering a NULL dereference.

Kernel-space callers don't use uverbs path. It is solely for the
user-space access.

Thanks

>
> What do you think?
>
> Thanks,
> Prathamesh