Smatch reported an inconsistent NULL check for 'uhw' in
mlx5_ib_query_device(). While 'uhw_outlen' is checked at the end of
the function before calling ib_copy_to_udata(), 'uhw' is explicitly
checked for NULL earlier in the same function.

If a caller provides a non-zero 'uhw_outlen' but a NULL 'uhw' pointer,
ib_copy_to_udata() will attempt to dereference 'uhw', leading to a
kernel panic. Fix this by checking the 'uhw' pointer directly.

Fixes: 4835709176e8 ("RDMA/mlx5: Don't fake udata for kernel path")

Signed-off-by: Prathamesh Deshpande <prathameshdeshpande7@gmail.com>
---
 drivers/infiniband/hw/mlx5/main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c
index 635002e684a5..471dc8df4a52 100644
--- a/drivers/infiniband/hw/mlx5/main.c
+++ b/drivers/infiniband/hw/mlx5/main.c
@@ -1353,7 +1353,7 @@ static int mlx5_ib_query_device(struct ib_device *ibdev,
 			fill_esw_mgr_reg_c0(mdev, &resp);
 	}
 
-	if (uhw_outlen) {
+	if (uhw) {
 		err = ib_copy_to_udata(uhw, &resp, resp.response_length);
 
 		if (err)
-- 
2.43.0

On Tue, Mar 31, 2026 at 02:44:27AM +0100, Prathamesh Deshpande wrote:
> Smatch reported an inconsistent NULL check for 'uhw' in
> mlx5_ib_query_device(). While 'uhw_outlen' is checked at the end of
> the function before calling ib_copy_to_udata(), 'uhw' is explicitly
> checked for NULL earlier in the same function.
> 
> If a caller provides a non-zero 'uhw_outlen' but a NULL 'uhw' pointer,
> ib_copy_to_udata() will attempt to dereference 'uhw',

How is it possible?

On Tue, Mar 31, 2026 at 04:49:55PM +0300, Leon Romanovsky wrote:
> On Tue, Mar 31, 2026 at 02:44:27AM +0100, Prathamesh Deshpande wrote:
> > Smatch reported an inconsistent NULL check for 'uhw' in
> > mlx5_ib_query_device(). While 'uhw_outlen' is checked at the end of
> > the function before calling ib_copy_to_udata(), 'uhw' is explicitly
> > checked for NULL earlier in the same function.
> >
> > If a caller provides a non-zero 'uhw_outlen' but a NULL 'uhw' pointer,
> > ib_copy_to_udata() will attempt to dereference 'uhw',
>
> How is it possible?

Hi Leon,

You are right that in the current uverbs paths, 'uhw_outlen' and 'uhw'
should stay in sync.

However, Smatch flags this as an inconsistency because 'uhw' is explicitly
checked for NULL earlier in this same function (at line 968). If the code
assumes 'uhw' could be NULL there, it is safer and more consistent to
check the pointer directly before passing it to ib_copy_to_udata() at
line 1357.

This prevents any future refactoring or unconventional kernel-space
callers from accidentally triggering a NULL dereference.

What do you think?

Thanks,
Prathamesh

On Tue, Mar 31, 2026 at 07:25:56PM +0100, Prathamesh Deshpande wrote:
> On Tue, Mar 31, 2026 at 04:49:55PM +0300, Leon Romanovsky wrote:
> > On Tue, Mar 31, 2026 at 02:44:27AM +0100, Prathamesh Deshpande wrote:
> > > Smatch reported an inconsistent NULL check for 'uhw' in
> > > mlx5_ib_query_device(). While 'uhw_outlen' is checked at the end of
> > > the function before calling ib_copy_to_udata(), 'uhw' is explicitly
> > > checked for NULL earlier in the same function.
> > >
> > > If a caller provides a non-zero 'uhw_outlen' but a NULL 'uhw' pointer,
> > > ib_copy_to_udata() will attempt to dereference 'uhw',
> >
> > How is it possible?
> 
> Hi Leon,
> 
> You are right that in the current uverbs paths, 'uhw_outlen' and 'uhw'
> should stay in sync.
> 
> However, Smatch flags this as an inconsistency because 'uhw' is explicitly
> checked for NULL earlier in this same function (at line 968). If the code
> assumes 'uhw' could be NULL there, it is safer and more consistent to
> check the pointer directly before passing it to ib_copy_to_udata() at
> line 1357.
> 
> This prevents any future refactoring or unconventional kernel-space
> callers from accidentally triggering a NULL dereference.

Kernel-space callers don't use uverbs path. It is solely for the
user-space access.

Thanks

> 
> What do you think?
> 
> Thanks,
> Prathamesh