Re: [PATCH v13 net-next 4/9] devlink: Implement devlink param multi attribute nested data values
From: Ratheesh Kannoth
Date: Tue May 12 2026 - 12:29:04 EST
On 2026-05-11 at 09:09:18, Ratheesh Kannoth (rkannoth@xxxxxxxxxxx) wrote:
> From: Saeed Mahameed <saeedm@xxxxxxxxxx>
>
> Devlink param value attribute is not defined since devlink is handling
> the value validating and parsing internally, this allows us to implement
> multi attribute values without breaking any policies.
Jiri,
Sashiko raised below issue.
> diff --git a/net/devlink/param.c b/net/devlink/param.c
> index 1a196d3a843db..4cc479bd019fd 100644
> --- a/net/devlink/param.c
> +++ b/net/devlink/param.c
> @@ -252,6 +252,11 @@ devlink_nl_param_value_put(struct sk_buff *msg, enum devlink_param_type type,
> return -EMSGSIZE;
> }
> break;
> + case DEVLINK_PARAM_TYPE_U64_ARRAY:
> + for (int i = 0; i < val->u64arr.size; i++)
Can this loop read out of bounds of val->u64arr.val[]?
There is no bounds check against __DEVLINK_PARAM_MAX_ARRAY_SIZE. If
val->u64arr.size contains garbage or a maliciously large value, this will read
past the end of the u64arr.val array.
Could this leak adjacent kernel memory to userspace via nla_put_uint()?
> + if (nla_put_uint(msg, nla_type, val->u64arr.val[i]))
> + return -EMSGSIZE;
> + break;
> }
> return 0;
> }
I had modified in v12 as per https://lore.kernel.org/netdev/3pk4hkzgwy3a55zveapgmk23bsevru55xv75vhkzbpmzkfofcx@rlnkrvynofig/
Is it okay to incorperate the sashiko comment and modify as below ?
@@ -252,6 +252,15 @@ devlink_nl_param_value_put(struct sk_buff *msg, enum devlink_param_type type,
return -EMSGSIZE;
}
break;
+ case DEVLINK_PARAM_TYPE_U64_ARRAY:
+ for (int i = 0; i < val->u64arr.size; i++) {
+ if (i >= __DEVLINK_PARAM_MAX_ARRAY_SIZE)
+ return -EINVAL;
+
+ if (nla_put_uint(msg, nla_type, val->u64arr.val[i]))
+ return -EMSGSIZE;
+ }
+ break;
}
>