From: Greg Kroah-Hartman
Date: Wed, 24 Jun 2026 06:32:46 +0000 (+0200)
Subject: 7.0-stable patches
X-Git-Tag: v6.18.37~35
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1e935a9978fb9ede474aed66cc8ac18e52994f53;p=thirdparty%2Fkernel%2Fstable-queue.git

7.0-stable patches

added patches:
rdma-bnxt_re-zero-shared-page-before-exposing-to-userspace.patch
---
diff --git a/queue-7.0/rdma-bnxt_re-zero-shared-page-before-exposing-to-userspace.patch b/queue-7.0/rdma-bnxt_re-zero-shared-page-before-exposing-to-userspace.patch
new file mode 100644
index 0000000000..9709bdc504
--- /dev/null
+++ b/queue-7.0/rdma-bnxt_re-zero-shared-page-before-exposing-to-userspace.patch
@@ -0,0 +1,54 @@ +From f6b079629becfa977f9c51fe53ad2e6dcc55ef44 Mon Sep 17 00:00:00 2001 +From: Lord Ulf Henrik Holmberg +Date: Sat, 9 May 2026 10:40:11 +0200 +Subject: RDMA/bnxt_re: zero shared page before exposing to userspace + +From: Lord Ulf Henrik Holmberg + +commit f6b079629becfa977f9c51fe53ad2e6dcc55ef44 upstream. + +bnxt_re_alloc_ucontext() allocates uctx->shpg via +__get_free_page(GFP_KERNEL). The buddy allocator does not zero pages +without __GFP_ZERO, so the page contains stale kernel data from +whatever object most recently freed it. + +The page is then mapped into userspace via vm_insert_page() under +BNXT_RE_MMAP_SH_PAGE in bnxt_re_mmap(). The driver only ever writes +4 bytes (a u32 AVID) at offset BNXT_RE_AVID_OFFT (0x10) inside +bnxt_re_create_ah(); the remaining 4092 bytes of the page are exposed +to userspace unsanitised, leaking kernel memory contents. + +Any user with access to /dev/infiniband/uverbsX on a host with a +bnxt_re device (typically rdma group membership) can read this data +via a single mmap() at pgoff 0 after IB_USER_VERBS_CMD_GET_CONTEXT. + +Other shared pages in the same file already use get_zeroed_page() +correctly: + + drivers/infiniband/hw/bnxt_re/ib_verbs.c + srq->uctx_srq_page = (void *)get_zeroed_page(GFP_KERNEL); + cq->uctx_cq_page = (void *)get_zeroed_page(GFP_KERNEL); + +uctx->shpg is the only outlier. Bring it in line with the existing +convention by switching to get_zeroed_page(). 
+ +Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") +Signed-off-by: Lord Ulf Henrik Holmberg +Link: https://patch.msgid.link/20260509084011.11971-1-pomzm67@gmail.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/bnxt_re/ib_verbs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c ++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c +@@ -4375,7 +4375,7 @@ int bnxt_re_alloc_ucontext(struct ib_uco + + uctx->rdev = rdev; + +- uctx->shpg = (void *)__get_free_page(GFP_KERNEL); ++ uctx->shpg = (void *)get_zeroed_page(GFP_KERNEL); + if (!uctx->shpg) { + rc = -ENOMEM; + goto fail; diff --git a/queue-7.0/series b/queue-7.0/series index 91ed4f5420..098900599b 100644 --- a/queue-7.0/series +++ b/queue-7.0/series @@ -8,3 +8,4 @@ firmware-samsung-acpm-fix-false-timeouts-and-use-after-free-in-polling.patch firmware-samsung-acpm-fix-missing-lkmm-barriers-in-sequence-allocator.patch fuse-re-lock-request-before-replacing-page-cache-folio.patch revert-nfsd-defer-sub-object-cleanup-in-export-put-callbacks.patch +rdma-bnxt_re-zero-shared-page-before-exposing-to-userspace.patch
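Review bot: at the uctx->shpg assignment in bnxt_re_alloc_ucontext(), swapping __get_free_page(GFP_KERNEL) for get_zeroed_page(GFP_KERNEL) is the minimal correct fix and needs no matching change on the release side, because both helpers return a single page that is released with free_page(); the hunk does not show that free, but the diffstat (1 insertion, 1 deletion) confirms nothing else moved, and the existing `if (!uctx->shpg) { rc = -ENOMEM; goto fail; }` error path still applies unchanged. One stable-tree point: the Fixes: tag names 1ac5a4047975, the commit that introduced the driver, so every stable series that carries bnxt_re needs this same one-liner, while this commit queues it for 7.0 only. A second, minor one for the commit message: it is worth stating explicitly that the page is mapped to userspace before the only driver write (the AVID in bnxt_re_create_ah()) happens, since that ordering is what makes zeroing at allocation time, rather than at first use, the necessary fix.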