[PATCH] RDMA/mana_ib: validate rx_hash_key_len in mana_ib_create_qp_rss

Next message: Joonwon Kang: "[PATCH v4] mailbox: Make mbox_send_message() return error code when tx fails"
Previous message: Joonwon Kang: "[PATCH] mailbox: Clarify multi-thread is not supported in blocking mode"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Junrui Luo

Date: Tue Apr 21 2026 - 06:51:14 EST

mana_ib_create_qp_rss() passes the user-supplied ucmd.rx_hash_key_len
directly to mana_ib_cfg_vport_steering(), which uses it as the length
argument to memcpy(req->hashkey, rx_hash_key, rx_hash_key_len).

A value greater than MANA_HASH_KEY_SIZE leads to an out-of-bounds read
from the kernel stack and an out-of-bounds write past req->hashkey
within the kzalloc'd struct mana_cfg_rx_steer_req_v2.

Reject any rx_hash_key_len greater than MANA_HASH_KEY_SIZE.

Fixes: 0266a177631d ("RDMA/mana_ib: Add a driver for Microsoft Azure Network Adapter")
Reported-by: Yuhao Jiang <danisjiang@xxxxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Junrui Luo <moonafterrain@xxxxxxxxxxx>
---
drivers/infiniband/hw/mana/qp.c | 7 +++++++
1 file changed, 7 insertions(+)

diff --git a/drivers/infiniband/hw/mana/qp.c b/drivers/infiniband/hw/mana/qp.c
index 82f84f7ad37a..f5ab545cfd74 100644
--- a/drivers/infiniband/hw/mana/qp.c
+++ b/drivers/infiniband/hw/mana/qp.c
@@ -151,6 +151,13 @@ static int mana_ib_create_qp_rss(struct ib_qp *ibqp, struct ib_pd *pd,
return -EINVAL;
}

+ if (ucmd.rx_hash_key_len > MANA_HASH_KEY_SIZE) {
+ ibdev_dbg(&mdev->ib_dev,
+ "RX Hash key length %u exceeds maximum %u\n",
+ ucmd.rx_hash_key_len, MANA_HASH_KEY_SIZE);
+ return -EINVAL;
+ }
+
/* IB ports start with 1, MANA start with 0 */
port = ucmd.port;
ndev = mana_ib_get_netdev(pd->device, port);

---
base-commit: 7aaa8047eafd0bd628065b15757d9b48c5f9c07d
change-id: 20260421-fixes-9402b9f92e0f

Best regards,
--
Junrui Luo <moonafterrain@xxxxxxxxxxx>