From: Greg Kroah-Hartman Date: Wed, 24 Jun 2026 06:25:36 +0000 (+0200) Subject: 6.6-stable patches X-Git-Tag: v6.18.37~38 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1b156346c590221c249e30018fda63fc78eb6fc9;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: rdma-bnxt_re-zero-shared-page-before-exposing-to-userspace.patch --- diff --git a/queue-6.6/rdma-bnxt_re-zero-shared-page-before-exposing-to-userspace.patch b/queue-6.6/rdma-bnxt_re-zero-shared-page-before-exposing-to-userspace.patch new file mode 100644 index 0000000000..9b83f6727c --- /dev/null +++ b/queue-6.6/rdma-bnxt_re-zero-shared-page-before-exposing-to-userspace.patch 
@@ -0,0 +1,54 @@ +From f6b079629becfa977f9c51fe53ad2e6dcc55ef44 Mon Sep 17 00:00:00 2001 +From: Lord Ulf Henrik Holmberg +Date: Sat, 9 May 2026 10:40:11 +0200 +Subject: RDMA/bnxt_re: zero shared page before exposing to userspace + +From: Lord Ulf Henrik Holmberg + +commit f6b079629becfa977f9c51fe53ad2e6dcc55ef44 upstream. + +bnxt_re_alloc_ucontext() allocates uctx->shpg via +__get_free_page(GFP_KERNEL). The buddy allocator does not zero pages +without __GFP_ZERO, so the page contains stale kernel data from +whatever object most recently freed it. + +The page is then mapped into userspace via vm_insert_page() under +BNXT_RE_MMAP_SH_PAGE in bnxt_re_mmap(). The driver only ever writes +4 bytes (a u32 AVID) at offset BNXT_RE_AVID_OFFT (0x10) inside +bnxt_re_create_ah(); the remaining 4092 bytes of the page are exposed +to userspace unsanitised, leaking kernel memory contents. + +Any user with access to /dev/infiniband/uverbsX on a host with a +bnxt_re device (typically rdma group membership) can read this data +via a single mmap() at pgoff 0 after IB_USER_VERBS_CMD_GET_CONTEXT. + +Other shared pages in the same file already use get_zeroed_page() +correctly: + + drivers/infiniband/hw/bnxt_re/ib_verbs.c + srq->uctx_srq_page = (void *)get_zeroed_page(GFP_KERNEL); + cq->uctx_cq_page = (void *)get_zeroed_page(GFP_KERNEL); + +uctx->shpg is the only outlier. Bring it in line with the existing +convention by switching to get_zeroed_page(). 
+ +Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") +Signed-off-by: Lord Ulf Henrik Holmberg +Link: https://patch.msgid.link/20260509084011.11971-1-pomzm67@gmail.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/bnxt_re/ib_verbs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c ++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c +@@ -4146,7 +4146,7 @@ int bnxt_re_alloc_ucontext(struct ib_uco + + uctx->rdev = rdev; + +- uctx->shpg = (void *)__get_free_page(GFP_KERNEL); ++ uctx->shpg = (void *)get_zeroed_page(GFP_KERNEL); + if (!uctx->shpg) { + rc = -ENOMEM; + goto fail; diff --git a/queue-6.6/series b/queue-6.6/series index 3ec1959530..ef99d92faa 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -14,3 +14,4 @@ arm-allow-__do_kernel_fault-to-report-execution-of-m.patch arm-fix-hash_name-fault.patch arm-fix-branch-predictor-hardening.patch kvm-vmx-update-svi-during-runtime-apicv-activation.patch +rdma-bnxt_re-zero-shared-page-before-exposing-to-userspace.patch
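Review bot: the ib_verbs.c hunk is the correct minimal fix: get_zeroed_page() returns a page that is still released with free_page(), so the unchanged error path (`rc = -ENOMEM; goto fail;`) and the existing teardown of uctx->shpg need no adjustment, and the NULL check on the next line keeps working because get_zeroed_page() also returns 0 on failure. Two things worth confirming before merging rather than changing in the hunk: the commit message's claim that the driver writes only the u32 AVID at BNXT_RE_AVID_OFFT (0x10) after allocation, since zeroing at allocation does not protect against a later write of stale data into the page, and that the page is not re-used across ucontexts, which would otherwise need a memset on each new mapping. Both are implied by the description and by the existing get_zeroed_page() use for srq->uctx_srq_page and cq->uctx_cq_page, which this hunk brings uctx->shpg into line with.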
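Review bot: in the queue-6.6/series hunk the new entry is appended as the last line, after kvm-vmx-update-svi-during-runtime-apicv-activation.patch; since the added patch touches only drivers/infiniband/hw/bnxt_re/ib_verbs.c and the preceding entries are arm and kvm changes, the position carries no ordering dependency, and the filename matches the one added under queue-6.6/ in the same commit.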