From: Greg Kroah-Hartman Date: Wed, 24 Jun 2026 06:27:59 +0000 (+0200) Subject: 6.12-stable patches X-Git-Tag: v6.18.37~37 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=37cdfa35cada6be899164d401ca85b7757f53872;p=thirdparty%2Fkernel%2Fstable-queue.git 6.12-stable patches added patches: rdma-bnxt_re-zero-shared-page-before-exposing-to-userspace.patch --- diff --git a/queue-6.12/rdma-bnxt_re-zero-shared-page-before-exposing-to-userspace.patch b/queue-6.12/rdma-bnxt_re-zero-shared-page-before-exposing-to-userspace.patch new file mode 100644 index 0000000000..0dd18d23b7 --- /dev/null +++ b/queue-6.12/rdma-bnxt_re-zero-shared-page-before-exposing-to-userspace.patch 
@@ -0,0 +1,54 @@ +From f6b079629becfa977f9c51fe53ad2e6dcc55ef44 Mon Sep 17 00:00:00 2001 +From: Lord Ulf Henrik Holmberg +Date: Sat, 9 May 2026 10:40:11 +0200 +Subject: RDMA/bnxt_re: zero shared page before exposing to userspace + +From: Lord Ulf Henrik Holmberg + +commit f6b079629becfa977f9c51fe53ad2e6dcc55ef44 upstream. + +bnxt_re_alloc_ucontext() allocates uctx->shpg via +__get_free_page(GFP_KERNEL). The buddy allocator does not zero pages +without __GFP_ZERO, so the page contains stale kernel data from +whatever object most recently freed it. + +The page is then mapped into userspace via vm_insert_page() under +BNXT_RE_MMAP_SH_PAGE in bnxt_re_mmap(). The driver only ever writes +4 bytes (a u32 AVID) at offset BNXT_RE_AVID_OFFT (0x10) inside +bnxt_re_create_ah(); the remaining 4092 bytes of the page are exposed +to userspace unsanitised, leaking kernel memory contents. + +Any user with access to /dev/infiniband/uverbsX on a host with a +bnxt_re device (typically rdma group membership) can read this data +via a single mmap() at pgoff 0 after IB_USER_VERBS_CMD_GET_CONTEXT. + +Other shared pages in the same file already use get_zeroed_page() +correctly: + + drivers/infiniband/hw/bnxt_re/ib_verbs.c + srq->uctx_srq_page = (void *)get_zeroed_page(GFP_KERNEL); + cq->uctx_cq_page = (void *)get_zeroed_page(GFP_KERNEL); + +uctx->shpg is the only outlier. Bring it in line with the existing +convention by switching to get_zeroed_page(). 
+ +Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") +Signed-off-by: Lord Ulf Henrik Holmberg +Link: https://patch.msgid.link/20260509084011.11971-1-pomzm67@gmail.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/bnxt_re/ib_verbs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c ++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c +@@ -4231,7 +4231,7 @@ int bnxt_re_alloc_ucontext(struct ib_uco + + uctx->rdev = rdev; + +- uctx->shpg = (void *)__get_free_page(GFP_KERNEL); ++ uctx->shpg = (void *)get_zeroed_page(GFP_KERNEL); + if (!uctx->shpg) { + rc = -ENOMEM; + goto fail; diff --git a/queue-6.12/series b/queue-6.12/series index 9cdb097658..ca9948c2fb 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -24,3 +24,4 @@ debugobjects-allow-to-refill-the-pool-before-system_.patch debugobjects-use-ld_wait_config-instead-of-ld_wait_s.patch debugobjects-do-not-fill_pool-if-pi_blocked_on.patch debugobjects-dont-call-fill_pool-in-early-boot-hardi.patch +rdma-bnxt_re-zero-shared-page-before-exposing-to-userspace.patch
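Review bot: the one-line switch from __get_free_page(GFP_KERNEL) to get_zeroed_page(GFP_KERNEL) in bnxt_re_alloc_ucontext() is the right minimal fix, and the surrounding lines need no adjustment: both helpers return an unsigned long, so the `(void *)` cast and the `if (!uctx->shpg)` NULL check immediately below the changed line still apply unchanged. One documentation nit for the commit message: the "remaining 4092 bytes" figure assumes a 4 KiB PAGE_SIZE; on architectures with larger pages the unsanitised region is correspondingly larger, so "the rest of the page" would be more accurate. The message could also say explicitly why zeroing at allocation time is sufficient here, namely that the page belongs to this ucontext and the driver only writes the u32 AVID at BNXT_RE_AVID_OFFT after the user mapping exists, so no later scrub of the page is required. Since the Fixes: tag points at the commit that introduced the driver, every stable tree carrying bnxt_re needs this change, and the 6.12 backport is identical to the upstream two-line diff.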
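Review bot: the entry appended to queue-6.12/series matches the new file name rdma-bnxt_re-zero-shared-page-before-exposing-to-userspace.patch exactly, and the patch touches only drivers/infiniband/hw/bnxt_re/ib_verbs.c, so it has no ordering dependency on the preceding debugobjects patches in the queue; appending it at the end is correct and nothing further is needed in this hunk.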