7.0-stable patches master
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 24 Jun 2026 06:32:46 +0000 (08:32 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 24 Jun 2026 06:32:46 +0000 (08:32 +0200)
added patches:
rdma-bnxt_re-zero-shared-page-before-exposing-to-userspace.patch

queue-7.0/rdma-bnxt_re-zero-shared-page-before-exposing-to-userspace.patch [new file with mode: 0644]
queue-7.0/series

diff --git a/queue-7.0/rdma-bnxt_re-zero-shared-page-before-exposing-to-userspace.patch b/queue-7.0/rdma-bnxt_re-zero-shared-page-before-exposing-to-userspace.patch
new file mode 100644 (file)
index 0000000..9709bdc
--- /dev/null
@@ -0,0 +1,54 @@
+From f6b079629becfa977f9c51fe53ad2e6dcc55ef44 Mon Sep 17 00:00:00 2001
+From: Lord Ulf Henrik Holmberg <henrik.holmberg@defensify.se>
+Date: Sat, 9 May 2026 10:40:11 +0200
+Subject: RDMA/bnxt_re: zero shared page before exposing to userspace
+
+From: Lord Ulf Henrik Holmberg <henrik.holmberg@defensify.se>
+
+commit f6b079629becfa977f9c51fe53ad2e6dcc55ef44 upstream.
+
+bnxt_re_alloc_ucontext() allocates uctx->shpg via
+__get_free_page(GFP_KERNEL). The buddy allocator does not zero pages
+without __GFP_ZERO, so the page contains stale kernel data from
+whatever object most recently freed it.
+
+The page is then mapped into userspace via vm_insert_page() under
+BNXT_RE_MMAP_SH_PAGE in bnxt_re_mmap(). The driver only ever writes
+4 bytes (a u32 AVID) at offset BNXT_RE_AVID_OFFT (0x10) inside
+bnxt_re_create_ah(); the remaining 4092 bytes of the page are exposed
+to userspace unsanitised, leaking kernel memory contents.
+
+Any user with access to /dev/infiniband/uverbsX on a host with a
+bnxt_re device (typically rdma group membership) can read this data
+via a single mmap() at pgoff 0 after IB_USER_VERBS_CMD_GET_CONTEXT.
+
+Other shared pages in the same file already use get_zeroed_page()
+correctly:
+
+  drivers/infiniband/hw/bnxt_re/ib_verbs.c
+      srq->uctx_srq_page = (void *)get_zeroed_page(GFP_KERNEL);
+      cq->uctx_cq_page  = (void *)get_zeroed_page(GFP_KERNEL);
+
+uctx->shpg is the only outlier. Bring it in line with the existing
+convention by switching to get_zeroed_page().
+
+Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
+Signed-off-by: Lord Ulf Henrik Holmberg <henrik.holmberg@defensify.se>
+Link: https://patch.msgid.link/20260509084011.11971-1-pomzm67@gmail.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/bnxt_re/ib_verbs.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c
++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
+@@ -4375,7 +4375,7 @@ int bnxt_re_alloc_ucontext(struct ib_uco
+       uctx->rdev = rdev;
+-      uctx->shpg = (void *)__get_free_page(GFP_KERNEL);
++      uctx->shpg = (void *)get_zeroed_page(GFP_KERNEL);
+       if (!uctx->shpg) {
+               rc = -ENOMEM;
+               goto fail;
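Review bot: The embedded ib_verbs.c hunk shows only one context line (`uctx->rdev = rdev;`) before the `__get_free_page` line it removes, while its own header `@@ -4375,7 +4375,7 @@` and the outer `@@ -0,0 +1,54 @@` count (52 lines are shown) imply two more; this is most likely a rendering drop rather than a defect in the queued file, but confirming that the patch applies cleanly to drivers/infiniband/hw/bnxt_re/ib_verbs.c before the 7.0 release would rule it out. The replacement line `uctx->shpg = (void *)get_zeroed_page(GFP_KERNEL);` removes the stale-data exposure at allocation time only; the description says the driver writes just one u32 at BNXT_RE_AVID_OFFT, so any later write into shpg needs the same care because the whole page stays mapped into userspace. A short comment at the allocation site, e.g. `/* shpg is mmap()ed to userspace (BNXT_RE_MMAP_SH_PAGE): must start zeroed */`, would make that invariant visible in the upstream tree. The enclosing bnxt_re_alloc_ucontext() body begins and continues outside the hunk.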
index 91ed4f54201ea40eaf0dba81471aa9f39fd0f4c0..098900599bf68ec20b0fa508eb25fd2ac7a6b4f5 100644 (file)
@@ -8,3 +8,4 @@ firmware-samsung-acpm-fix-false-timeouts-and-use-after-free-in-polling.patch
 firmware-samsung-acpm-fix-missing-lkmm-barriers-in-sequence-allocator.patch
 fuse-re-lock-request-before-replacing-page-cache-folio.patch
 revert-nfsd-defer-sub-object-cleanup-in-export-put-callbacks.patch
+rdma-bnxt_re-zero-shared-page-before-exposing-to-userspace.patch