lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20260207022453.4017863-1-kuba@kernel.org>
Date: Fri,  6 Feb 2026 18:24:53 -0800
From: Jakub Kicinski <kuba@...nel.org>
To: illusion.wang@...ula-matrix.com
Cc: Jakub Kicinski <kuba@...nel.org>,
	sam.chen@...ula-matrix.com,
	lukas.bulwahn@...hat.com,
	dimon.zhao@...ula-matrix.com,
	netdev@...r.kernel.org,
	vadim.fedorenko@...ux.dev,
	linux-kernel@...r.kernel.org (open list),
	corbet@....net,
	lorenzo@...nel.org,
	alvin.wang@...ula-matrix.com,
	andrew+netdev@...n.ch,
	linux-doc@...r.kernel.org,
	pabeni@...hat.com,
	edumazet@...gle.com,
	horms@...nel.org
Subject: Re: [v4,net-next,05/11] net/nebula-matrix: add channel layer

This is an AI-generated review of your patch. The human sending this
email says "This is an automated AI code reviewer, please treat what
it says with a grain of salt."

For local reproduction steps see https://netdev-ai.bots.linux.dev/ai-local.html
---
Commit: cd2f89c6d9811cbe52e9e20513431e156bba29be
Author: illusion.wang <illusion.wang@...ula-matrix.com>
Subject: net/nebula-matrix: add channel layer

This commit adds a channel management layer for communication between PFs
including message handling framework, queue management, and hardware
abstraction.

================================================================================
HIGH SEVERITY ISSUES
================================================================================

1. Buffer overflow risk in nbl_chan_recv_ack_msg
   File: drivers/net/ethernet/nebula-matrix/nbl/nbl_channel/nbl_channel.c
   Function: nbl_chan_recv_ack_msg

   The ack_msgid.info.loc field is a 10-bit value with range 0-1023, but
   it's used directly as an array index into wait[] which only has 256
   entries (NBL_CHAN_QUEUE_LEN). Can you add bounds checking before using
   this value as an array index?

>	wait_head = &chan_info->wait[ack_msgid.info.loc];

   Consider adding:
   if (ack_msgid.info.loc >= NBL_CHAN_QUEUE_LEN) {
       /* handle error */
       return;
   }


2. Use-after-free in nbl_chan_delete_msg_handler
   File: drivers/net/ethernet/nebula-matrix/nbl/nbl_channel/nbl_channel.c
   Function: nbl_chan_delete_msg_handler

   The hash node is freed before calling flush_work(), but the work
   function (chan_info->clean_task) may still be accessing this memory.
   Should the flush_work() call be moved before freeing the hash node?

>	nbl_common_free_hash_node(chan_mgt->handle_hash_tbl, &msg_type);
>	[ ... ]
>	flush_work(chan_info->clean_task);

   The work function could be reading from the freed hash node, causing
   a use-after-free condition.


================================================================================
MEDIUM SEVERITY ISSUES
================================================================================

3. Inconsistent error handling in nbl_chan_send_msg
   File: drivers/net/ethernet/nebula-matrix/nbl/nbl_channel/nbl_channel.c
   Function: nbl_chan_send_msg

   In polling mode, when a timeout occurs, the function sets the status
   to NBL_MBX_STATUS_TIMEOUT, logs an error, but returns 0 (success).
   This is inconsistent with interrupt mode which returns -EFAULT on
   timeout. Should polling mode also return an error code?

>	wait_head->status = NBL_MBX_STATUS_TIMEOUT;
>	dev_err(dev, "Channel polling ack failed...");
>	return 0;

   Consider returning -ETIMEDOUT or -EFAULT instead of 0.


4. Resource leak in nbl_common_alloc_hash_node
   File: drivers/net/ethernet/nebula-matrix/nbl/nbl_common/nbl_common.c
   Function: nbl_common_alloc_hash_node

   On error paths, the function uses devm_kzalloc but doesn't free the
   allocated memory before returning. While devm_kzalloc memory is freed
   on device removal, this can cause memory to accumulate if this function
   fails repeatedly. Should the error paths explicitly free the allocated
   memory?

>alloc_data_failed:
>alloc_key_failed:
>	return -1;

   Consider using devm_kfree() or switching to regular kzalloc/kfree if
   early cleanup is needed.


================================================================================
LOW SEVERITY ISSUES
================================================================================

5. Comment inaccuracy in nbl_common_calc_hash_key
   File: drivers/net/ethernet/nebula-matrix/nbl/nbl_common/nbl_common.c
   Function: nbl_common_calc_hash_key

   The comment states "if bucket size little than 1" but the code checks
   for equality to 1, not less than 1. Should the comment be updated to
   match the actual check?

>	/* if bucket size little than 1, the hash value always 0 */
>	if (bucket_size == NBL_HASH_TBL_LIST_BUCKET_SIZE)

   Perhaps the comment should read "if bucket size equals 1" or the check
   should be "bucket_size < 1" if that was the intent?


================================================================================
END OF REVIEW
================================================================================

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ