git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Jason Gunthorpe <jgg@nvidia.com>
	Wed, 13 May 2026 15:00:16 +0000 (12:00 -0300)
committer	Leon Romanovsky <leon@kernel.org>
	Tue, 19 May 2026 22:32:48 +0000 (19:32 -0300)
commit	7122ff96068a03595bde2fbafaca82ca2ed8084e
tree	af830826e2a4e70913593f07cdd2238a9df8cc0f	tree \| snapshot
parent	01f99f8c4a0adec6875f192702a57c5e88978af5	commit \| diff

RDMA/core: Do not read wild stack memory in uverbs_get_handler_fn()

Sashiko points out the legacy write path in ib_uverbs_write() does
allocate a struct uverbs_attr_bundle, but it doesn't wrap it in a
bundle_priv so downcasting here isn't safe.

Instead lift the method_elm out of the bundle_priv and use it for the
debug function. The legacy write path will leave it set as NULL since the
write method_elm uses a different type.

Cc: stable@vger.kernel.org
Fixes: 1de9287ece44 ("RDMA: Add ib_copy_validate_udata_in()")
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>

drivers/infiniband/core/ib_core_uverbs.c		diff \| blob \| blame \| history
drivers/infiniband/core/uverbs.h		diff \| blob \| blame \| history
drivers/infiniband/core/uverbs_ioctl.c		diff \| blob \| blame \| history
include/rdma/uverbs_ioctl.h		diff \| blob \| blame \| history