Re: [PATCH v2] IB/mad: cap RMPP reassembly window size
From: Michael Bommarito
Date: Wed Jun 03 2026 - 14:24:30 EST
On Wed, Jun 3, 2026 at 1:55 PM Jason Gunthorpe <jgg@xxxxxxxxxx> wrote:
> Why do you think it is OK to only search back 64? Where do these
> numbers come from?
512 >> 3 from IB_MAD_QP_RECV_SIZE in mad_priv.h and max_active.
> Is this a real issue? It looks to me like all this code is gated by
> IB_USER_MAD_USER_RMPP and no in-kernel user makes use of RMPP.
I originally found these issues looking for reachable quadratic
runtimes with libclang+Claude, and these are in my notes on
reachability.
<CLAUDE>
- sa_query.c:2436: the in-kernel SA client registers its GSI agent
  with rmpp_version = IB_MGMT_RMPP_VERSION and flags = 0. So
  ib_mad_kernel_rmpp_agent() (mad.c:856) is true for it, and
  ib_process_rmpp_recv_wc() → find_seg_location runs on its receive
  path. ib_sa is always loaded. Not a umad-only path.
</CLAUDE>
So I think the reachability is wider than you expect. Perhaps that's
the real fix you'd prefer.
> So I don't see why we should be changing this and risking regressions
> with the window reduction?
It's obviously your choice as maintainers, but I'd encourage you to
test the pathological worst case from an unprivileged peer to see the
impact before totally writing it off.
Thanks,
Mike