On Tue, Apr 21, 2026 at 06:50:21PM +0800, Junrui Luo wrote:
> mana_ib_create_qp_rss() passes the user-supplied ucmd.rx_hash_key_len
> directly to mana_ib_cfg_vport_steering(), which uses it as the length
> argument to memcpy(req->hashkey, rx_hash_key, rx_hash_key_len).
>
> A value greater than MANA_HASH_KEY_SIZE leads to an out-of-bounds read
> from the kernel stack and an out-of-bounds write past req->hashkey
> within the kzalloc'd struct mana_cfg_rx_steer_req_v2.
>
> Reject any rx_hash_key_len greater than MANA_HASH_KEY_SIZE.
>
> Fixes: 0266a177631d ("RDMA/mana_ib: Add a driver for Microsoft Azure Network
> Adapter")
> Reported-by: Yuhao Jiang <[email protected]>
> Cc: [email protected]
> Signed-off-by: Junrui Luo <[email protected]>
> ---
> drivers/infiniband/hw/mana/qp.c | 7 +++++++
> 1 file changed, 7 insertions(+)

I have a fix for this in my pile of sashiko patches that I prefer; it
is better to put the check in mana_ib_cfg_vport_steering() and not
print.

Jason
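
The bounds check placed in the callee next to the memcpy(), as discussed in this thread, shown as an added user-space sketch; it is not the driver's code or either author's patch. The names struct steer_req, cfg_steering() and try_len(), the guard field, and the value 40 used for HASH_KEY_SIZE are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HASH_KEY_SIZE 40 /* stand-in for MANA_HASH_KEY_SIZE; value assumed */

/* Simplified model of the request: the key is followed by other fields,
 * so an oversized copy would corrupt them (guard stands in for those). */
struct steer_req {
    uint8_t hashkey[HASH_KEY_SIZE];
    uint8_t guard[16];
};

/* Hypothetical callee with the length check beside the memcpy(), so every
 * caller is covered. Returns 0 or -EINVAL; nothing is logged. */
int cfg_steering(struct steer_req *req, const uint8_t *key, size_t key_len)
{
    if (key_len > sizeof(req->hashkey))
        return -EINVAL;
    memcpy(req->hashkey, key, key_len);
    return 0;
}

/* Drives the callee with a caller-chosen length, as the user command path
 * would. Returns the callee's result, or 1 if the guard bytes changed. */
int try_len(size_t key_len)
{
    uint8_t user_key[HASH_KEY_SIZE]; /* the source buffer is fixed-size too */
    struct steer_req req;
    int ret;

    memset(user_key, 0xAB, sizeof(user_key));
    memset(&req, 0, sizeof(req));
    ret = cfg_steering(&req, user_key, key_len);
    for (size_t i = 0; i < sizeof(req.guard); i++)
        if (req.guard[i] != 0)
            return 1;
    return ret;
}

int main(void)
{
    /* In-bounds lengths succeed; anything larger is refused before the copy. */
    return (try_len(HASH_KEY_SIZE) == 0 &&
            try_len(HASH_KEY_SIZE + 1) == -EINVAL) ? 0 : 1;
}
```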