From e81c69b6b611ed32ae5dd3dde28860d3f0d996fd Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 20 Feb 2026 07:54:24 +0100
Subject: [PATCH] 6.12-stable patches
added patches:
rdma-siw-fix-potential-null-pointer-dereference-in-header-processing.patch
rdma-umad-reject-negative-data_len-in-ib_umad_write.patch
series
---
 ...ter-dereference-in-header-processing.patch | 41 +++++++++++++
 ...t-negative-data_len-in-ib_umad_write.patch | 57 +++++++++++++++++++
 queue-6.12/series | 2 +
 3 files changed, 100 insertions(+)
 create mode 100644 queue-6.12/rdma-siw-fix-potential-null-pointer-dereference-in-header-processing.patch
 create mode 100644 queue-6.12/rdma-umad-reject-negative-data_len-in-ib_umad_write.patch
 create mode 100644 queue-6.12/series
diff --git a/queue-6.12/rdma-siw-fix-potential-null-pointer-dereference-in-header-processing.patch b/queue-6.12/rdma-siw-fix-potential-null-pointer-dereference-in-header-processing.patch
new file mode 100644
index 0000000000..dacc89511a
--- /dev/null
+++ b/queue-6.12/rdma-siw-fix-potential-null-pointer-dereference-in-header-processing.patch
@@ -0,0 +1,41 @@
+From 14ab3da122bd18920ad57428f6cf4fade8385142 Mon Sep 17 00:00:00 2001
+From: YunJe Shin
+Date: Wed, 4 Feb 2026 18:24:57 +0900
+Subject: RDMA/siw: Fix potential NULL pointer dereference in header processing
+
+From: YunJe Shin
+
+commit 14ab3da122bd18920ad57428f6cf4fade8385142 upstream.
+
+If siw_get_hdr() returns -EINVAL before set_rx_fpdu_context(),
+qp->rx_fpdu can be NULL. The error path in siw_tcp_rx_data()
+dereferences qp->rx_fpdu->more_ddp_segs without checking, which
+may lead to a NULL pointer deref. Only check more_ddp_segs when
+rx_fpdu is present.
+
+KASAN splat:
+[ 101.384271] KASAN: null-ptr-deref in range [0x00000000000000c0-0x00000000000000c7]
+[ 101.385869] RIP: 0010:siw_tcp_rx_data+0x13ad/0x1e50
+
+Fixes: 8b6a361b8c48 ("rdma/siw: receive path")
+Signed-off-by: YunJe Shin
+Link: https://patch.msgid.link/20260204092546.489842-1-ioerts@kookmin.ac.kr
+Acked-by: Bernard Metzler
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/infiniband/sw/siw/siw_qp_rx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/sw/siw/siw_qp_rx.c
++++ b/drivers/infiniband/sw/siw/siw_qp_rx.c
+@@ -1436,7 +1436,8 @@ int siw_tcp_rx_data(read_descriptor_t *r
+ }
+ if (unlikely(rv != 0 && rv != -EAGAIN)) {
+ if ((srx->state > SIW_GET_HDR ||
+- qp->rx_fpdu->more_ddp_segs) && run_completion)
++ (qp->rx_fpdu && qp->rx_fpdu->more_ddp_segs)) &&
++ run_completion)
+ siw_rdmap_complete(qp, rv);
+
+ siw_dbg_qp(qp, "rx error %d, rx state %d\n", rv,
diff --git a/queue-6.12/rdma-umad-reject-negative-data_len-in-ib_umad_write.patch b/queue-6.12/rdma-umad-reject-negative-data_len-in-ib_umad_write.patch
new file mode 100644
index 0000000000..18d1fdcce4
--- /dev/null
+++ b/queue-6.12/rdma-umad-reject-negative-data_len-in-ib_umad_write.patch
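Review bot: The new `qp->rx_fpdu &&` test in the error branch of siw_tcp_rx_data() (the `+` lines of the queued siw_qp_rx.c change) has no comment recording why the pointer can still be NULL at that point, so a later cleanup could simplify the nested condition back into the unchecked form. Going by the commit message, siw_get_hdr() can return -EINVAL before set_rx_fpdu_context() has run; a comment above the `if`, e.g. `/* rx_fpdu is still NULL if siw_get_hdr() failed before set_rx_fpdu_context() */`, would pin that down. Only this branch is visible, and siw_tcp_rx_data() starts and ends outside the hunk, so it is worth confirming against the full 6.12 function that no other use of `qp->rx_fpdu` on this error path runs before the context is set.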
@@ -0,0 +1,57 @@
+From 5551b02fdbfd85a325bb857f3a8f9c9f33397ed2 Mon Sep 17 00:00:00 2001
+From: YunJe Shin
+Date: Tue, 3 Feb 2026 19:06:21 +0900
+Subject: RDMA/umad: Reject negative data_len in ib_umad_write
+
+From: YunJe Shin
+
+commit 5551b02fdbfd85a325bb857f3a8f9c9f33397ed2 upstream.
+
+ib_umad_write computes data_len from user-controlled count and the
+MAD header sizes. With a mismatched user MAD header size and RMPP
+header length, data_len can become negative and reach ib_create_send_mad().
+This can make the padding calculation exceed the segment size and trigger
+an out-of-bounds memset in alloc_send_rmpp_list().
+
+Add an explicit check to reject negative data_len before creating the
+send buffer.
+
+KASAN splat:
+[ 211.363464] BUG: KASAN: slab-out-of-bounds in ib_create_send_mad+0xa01/0x11b0
+[ 211.364077] Write of size 220 at addr ffff88800c3fa1f8 by task spray_thread/102
+[ 211.365867] ib_create_send_mad+0xa01/0x11b0
+[ 211.365887] ib_umad_write+0x853/0x1c80
+
+Fixes: 2be8e3ee8efd ("IB/umad: Add P_Key index support")
+Signed-off-by: YunJe Shin
+Link: https://patch.msgid.link/20260203100628.1215408-1-ioerts@kookmin.ac.kr
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/infiniband/core/user_mad.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/core/user_mad.c
++++ b/drivers/infiniband/core/user_mad.c
+@@ -514,7 +514,8 @@ static ssize_t ib_umad_write(struct file
+ struct rdma_ah_attr ah_attr;
+ struct ib_ah *ah;
+ __be64 *tid;
+- int ret, data_len, hdr_len, copy_offset, rmpp_active;
++ int ret, hdr_len, copy_offset, rmpp_active;
++ size_t data_len;
+ u8 base_version;
+
+ if (count < hdr_size(file) + IB_MGMT_RMPP_HDR)
+@@ -588,7 +589,10 @@ static ssize_t ib_umad_write(struct file
+ }
+
+ base_version = ((struct ib_mad_hdr *)&packet->mad.data)->base_version;
+- data_len = count - hdr_size(file) - hdr_len;
++ if (check_sub_overflow(count, hdr_size(file) + hdr_len, &data_len)) {
++ ret = -EINVAL;
++ goto err_ah;
++ }
+ packet->msg = ib_create_send_mad(agent,
+ be32_to_cpu(packet->mad.hdr.qpn),
+ packet->mad.hdr.pkey_index, rmpp_active,
diff --git a/queue-6.12/series b/queue-6.12/series
new file mode 100644
index 0000000000..0b63edc9fd
--- /dev/null
+++ b/queue-6.12/series
@@ -0,0 +1,2 @@
+rdma-siw-fix-potential-null-pointer-dereference-in-header-processing.patch
+rdma-umad-reject-negative-data_len-in-ib_umad_write.patch
--
2.47.3
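Review bot: With `data_len` now a `size_t`, the check added in the second hunk of the queued user_mad.c change rejects underflow but puts no upper bound on the value before it is handed to ib_create_send_mad(), whose argument list is cut off by the hunk. If that function still takes the length as an `int` (the removed line declared `data_len` as `int`, and the commit message describes a negative value reaching it), a value above INT_MAX would narrow back to a negative number at the call; this presumably cannot happen while the write path caps `count`, but the hunk does not show that. Extending the condition to `if (check_sub_overflow(count, hdr_size(file) + hdr_len, &data_len) || data_len > INT_MAX) {` would make the bound explicit, or a short comment could state the invariant being relied on. ib_umad_write() continues past the hunk, so the later uses of `data_len` as an unsigned value should be checked in the full 6.12 source as well.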