RDMA/core: Do not read wild stack memory in uverbs_get_handler_fn()

Sashiko points out the legacy write path in ib_uverbs_write() does allocate a struct uverbs_attr_bundle, but it doesn't wrap it in a bundle_priv so downcasting here isn't safe. Instead lift the method_elm out of the bundle_priv and use it for the debug function. The legacy write path will leave it set as NULL since the write method_elm uses a different type. Cc: stable@vger.kernel.org Fixes: 1de9287ece44 ("RDMA: Add ib_copy_validate_udata_in()") Signed-off-by: Jason Gunthorpe <jgg@nvidia.com> Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
author: Jason Gunthorpe <jgg@nvidia.com> 2026-05-13 12:00:16 -0300
committer: Leon Romanovsky <leon@kernel.org> 2026-05-19 19:32:48 -0300
commit: 7122ff96068a03595bde2fbafaca82ca2ed8084e (patch)
tree: af830826e2a4e70913593f07cdd2238a9df8cc0f /include
parent: 01f99f8c4a0adec6875f192702a57c5e88978af5 (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/include/rdma/uverbs_ioctl.h b/include/rdma/uverbs_ioctl.h
index e2af17da3e32..c89428030d61 100644
--- a/include/rdma/uverbs_ioctl.h
+++ b/include/rdma/uverbs_ioctl.h
@@ -635,6 +635,7 @@ struct uverbs_attr_bundle {
 		struct ib_uverbs_file *ufile;
 		struct ib_ucontext *context;
 		struct ib_uobject *uobject;
+		const struct uverbs_api_ioctl_method *method_elm;
 		DECLARE_BITMAP(attr_present, UVERBS_API_ATTR_BKEY_LEN);
 	);
 	struct uverbs_attr attrs[];
author	Jason Gunthorpe <jgg@nvidia.com>	2026-05-13 12:00:16 -0300
committer	Leon Romanovsky <leon@kernel.org>	2026-05-19 19:32:48 -0300
commit	7122ff96068a03595bde2fbafaca82ca2ed8084e (patch)
tree	af830826e2a4e70913593f07cdd2238a9df8cc0f /include
parent	01f99f8c4a0adec6875f192702a57c5e88978af5 (diff)