--- /dev/null
+From 14ab3da122bd18920ad57428f6cf4fade8385142 Mon Sep 17 00:00:00 2001
+From: YunJe Shin <yjshin0438@gmail.com>
+Date: Wed, 4 Feb 2026 18:24:57 +0900
+Subject: RDMA/siw: Fix potential NULL pointer dereference in header processing
+
+From: YunJe Shin <yjshin0438@gmail.com>
+
+commit 14ab3da122bd18920ad57428f6cf4fade8385142 upstream.
+
+If siw_get_hdr() returns -EINVAL before set_rx_fpdu_context(),
+qp->rx_fpdu can be NULL. The error path in siw_tcp_rx_data()
+dereferences qp->rx_fpdu->more_ddp_segs without checking, which
+may lead to a NULL pointer deref. Only check more_ddp_segs when
+rx_fpdu is present.
+
+KASAN splat:
+[ 101.384271] KASAN: null-ptr-deref in range [0x00000000000000c0-0x00000000000000c7]
+[ 101.385869] RIP: 0010:siw_tcp_rx_data+0x13ad/0x1e50
+
+Fixes: 8b6a361b8c48 ("rdma/siw: receive path")
+Signed-off-by: YunJe Shin <ioerts@kookmin.ac.kr>
+Link: https://patch.msgid.link/20260204092546.489842-1-ioerts@kookmin.ac.kr
+Acked-by: Bernard Metzler <bernard.metzler@linux.dev>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/sw/siw/siw_qp_rx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/sw/siw/siw_qp_rx.c
++++ b/drivers/infiniband/sw/siw/siw_qp_rx.c
+@@ -1456,7 +1456,8 @@ int siw_tcp_rx_data(read_descriptor_t *r
+ }
+ if (unlikely(rv != 0 && rv != -EAGAIN)) {
+ if ((srx->state > SIW_GET_HDR ||
+- qp->rx_fpdu->more_ddp_segs) && run_completion)
++ (qp->rx_fpdu && qp->rx_fpdu->more_ddp_segs)) &&
++ run_completion)
+ siw_rdmap_complete(qp, rv);
+
+ siw_dbg_qp(qp, "rx error %d, rx state %d\n", rv,
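Review bot: The new NULL guard on `qp->rx_fpdu` in the error branch has no comment saying when the pointer can be unset, and the first disjunct (`srx->state > SIW_GET_HDR`) still reaches `siw_rdmap_complete(qp, rv)` with no check of its own. A one-line comment above the condition would record the invariant, for example `/* rx_fpdu is NULL if siw_get_hdr() failed before set_rx_fpdu_context() */`. Whether siw_rdmap_complete() itself reads rx_fpdu is not visible here, so it is worth confirming that a state beyond SIW_GET_HDR always implies a set context. The body of siw_tcp_rx_data() starts and ends outside the hunk.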
--- /dev/null
+From 5551b02fdbfd85a325bb857f3a8f9c9f33397ed2 Mon Sep 17 00:00:00 2001
+From: YunJe Shin <yjshin0438@gmail.com>
+Date: Tue, 3 Feb 2026 19:06:21 +0900
+Subject: RDMA/umad: Reject negative data_len in ib_umad_write
+
+From: YunJe Shin <yjshin0438@gmail.com>
+
+commit 5551b02fdbfd85a325bb857f3a8f9c9f33397ed2 upstream.
+
+ib_umad_write computes data_len from user-controlled count and the
+MAD header sizes. With a mismatched user MAD header size and RMPP
+header length, data_len can become negative and reach ib_create_send_mad().
+This can make the padding calculation exceed the segment size and trigger
+an out-of-bounds memset in alloc_send_rmpp_list().
+
+Add an explicit check to reject negative data_len before creating the
+send buffer.
+
+KASAN splat:
+[ 211.363464] BUG: KASAN: slab-out-of-bounds in ib_create_send_mad+0xa01/0x11b0
+[ 211.364077] Write of size 220 at addr ffff88800c3fa1f8 by task spray_thread/102
+[ 211.365867] ib_create_send_mad+0xa01/0x11b0
+[ 211.365887] ib_umad_write+0x853/0x1c80
+
+Fixes: 2be8e3ee8efd ("IB/umad: Add P_Key index support")
+Signed-off-by: YunJe Shin <ioerts@kookmin.ac.kr>
+Link: https://patch.msgid.link/20260203100628.1215408-1-ioerts@kookmin.ac.kr
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/core/user_mad.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/core/user_mad.c
++++ b/drivers/infiniband/core/user_mad.c
+@@ -514,7 +514,8 @@ static ssize_t ib_umad_write(struct file
+ struct rdma_ah_attr ah_attr;
+ struct ib_ah *ah;
+ __be64 *tid;
+- int ret, data_len, hdr_len, copy_offset, rmpp_active;
++ int ret, hdr_len, copy_offset, rmpp_active;
++ size_t data_len;
+ u8 base_version;
+
+ if (count < hdr_size(file) + IB_MGMT_RMPP_HDR)
+@@ -588,7 +589,10 @@ static ssize_t ib_umad_write(struct file
+ }
+
+ base_version = ((struct ib_mad_hdr *)&packet->mad.data)->base_version;
+- data_len = count - hdr_size(file) - hdr_len;
++ if (check_sub_overflow(count, hdr_size(file) + hdr_len, &data_len)) {
++ ret = -EINVAL;
++ goto err_ah;
++ }
+ packet->msg = ib_create_send_mad(agent,
+ be32_to_cpu(packet->mad.hdr.qpn),
+ packet->mad.hdr.pkey_index, rmpp_active,
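Review bot: `data_len` is now a `size_t` and only its lower bound is enforced before it is handed to `ib_create_send_mad()` in the call that follows. If that parameter is still a signed int (the prototype is not in the hunk), a result above INT_MAX would convert back to a negative length. The VFS cap on write sizes probably prevents this in practice, but an explicit bound keeps the check self-contained: `if (check_sub_overflow(count, hdr_size(file) + hdr_len, &data_len) || data_len > INT_MAX) {`. The declaration change in the earlier hunk (`@@ -514,7 +514,8 @@`) also makes every later comparison or arithmetic on data_len in ib_umad_write() unsigned; those uses lie outside both hunks and should be re-checked.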