6.6-stable patches

author Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Wed, 24 Jun 2026 06:25:36 +0000 (08:25 +0200)

committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Wed, 24 Jun 2026 06:25:36 +0000 (08:25 +0200)
author Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 24 Jun 2026 06:25:36 +0000 (08:25 +0200)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 24 Jun 2026 06:25:36 +0000 (08:25 +0200)
diff --git a/queue-6.6/rdma-bnxt_re-zero-shared-page-before-exposing-to-userspace.patch b/queue-6.6/rdma-bnxt_re-zero-shared-page-before-exposing-to-userspace.patch

new file mode 100644 (file)

index 0000000..9b83f67
--- /dev/null
+++ b/queue-6.6/rdma-bnxt_re-zero-shared-page-before-exposing-to-userspace.patch
@@ -0,0 +1,54 @@
+From f6b079629becfa977f9c51fe53ad2e6dcc55ef44 Mon Sep 17 00:00:00 2001
+From: Lord Ulf Henrik Holmberg <henrik.holmberg@defensify.se>
+Date: Sat, 9 May 2026 10:40:11 +0200
+Subject: RDMA/bnxt_re: zero shared page before exposing to userspace
+
+From: Lord Ulf Henrik Holmberg <henrik.holmberg@defensify.se>
+
+commit f6b079629becfa977f9c51fe53ad2e6dcc55ef44 upstream.
+
+bnxt_re_alloc_ucontext() allocates uctx->shpg via
+__get_free_page(GFP_KERNEL). The buddy allocator does not zero pages
+without __GFP_ZERO, so the page contains stale kernel data from
+whatever object most recently freed it.
+
+The page is then mapped into userspace via vm_insert_page() under
+BNXT_RE_MMAP_SH_PAGE in bnxt_re_mmap(). The driver only ever writes
+4 bytes (a u32 AVID) at offset BNXT_RE_AVID_OFFT (0x10) inside
+bnxt_re_create_ah(); the remaining 4092 bytes of the page are exposed
+to userspace unsanitised, leaking kernel memory contents.
+
+Any user with access to /dev/infiniband/uverbsX on a host with a
+bnxt_re device (typically rdma group membership) can read this data
+via a single mmap() at pgoff 0 after IB_USER_VERBS_CMD_GET_CONTEXT.
+
+Other shared pages in the same file already use get_zeroed_page()
+correctly:
+
+  drivers/infiniband/hw/bnxt_re/ib_verbs.c
+      srq->uctx_srq_page = (void *)get_zeroed_page(GFP_KERNEL);
+      cq->uctx_cq_page  = (void *)get_zeroed_page(GFP_KERNEL);
+
+uctx->shpg is the only outlier. Bring it in line with the existing
+convention by switching to get_zeroed_page().
+
+Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
+Signed-off-by: Lord Ulf Henrik Holmberg <henrik.holmberg@defensify.se>
+Link: https://patch.msgid.link/20260509084011.11971-1-pomzm67@gmail.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/bnxt_re/ib_verbs.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c
++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
+@@ -4146,7 +4146,7 @@ int bnxt_re_alloc_ucontext(struct ib_uco
+ 
+       uctx->rdev = rdev;
+ 
+-      uctx->shpg = (void *)__get_free_page(GFP_KERNEL);
++      uctx->shpg = (void *)get_zeroed_page(GFP_KERNEL);
+       if (!uctx->shpg) {
+               rc = -ENOMEM;
+               goto fail;
diff --git a/queue-6.6/series b/queue-6.6/series

index 3ec1959530c9e41440b704d2d7445ef00559ad35..ef99d92faa9965c12578b3a159f185871d5e5907 100644 (file)
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -14,3 +14,4 @@ arm-allow-__do_kernel_fault-to-report-execution-of-m.patch
  arm-fix-hash_name-fault.patch
  arm-fix-branch-predictor-hardening.patch
  kvm-vmx-update-svi-during-runtime-apicv-activation.patch
+rdma-bnxt_re-zero-shared-page-before-exposing-to-userspace.patch
author	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 24 Jun 2026 06:25:36 +0000 (08:25 +0200)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 24 Jun 2026 06:25:36 +0000 (08:25 +0200)
queue-6.6/rdma-bnxt_re-zero-shared-page-before-exposing-to-userspace.patch	[new file with mode: 0644]	patch \| blob
queue-6.6/series		patch \| blob \| blame \| history