From bbdd26022b16cf2156110b2da8d3ec71435ea268 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Wed, 24 Jun 2026 08:23:12 +0200 Subject: [PATCH] 6.1-stable patches added patches: rdma-bnxt_re-zero-shared-page-before-exposing-to-userspace.patch --- ...ed-page-before-exposing-to-userspace.patch | 54 +++++++++++++++++++ queue-6.1/series | 1 + 2 files changed, 55 insertions(+) create mode 100644 queue-6.1/rdma-bnxt_re-zero-shared-page-before-exposing-to-userspace.patch diff --git a/queue-6.1/rdma-bnxt_re-zero-shared-page-before-exposing-to-userspace.patch b/queue-6.1/rdma-bnxt_re-zero-shared-page-before-exposing-to-userspace.patch new file mode 100644 index 0000000000..041db579f0 --- /dev/null +++ b/queue-6.1/rdma-bnxt_re-zero-shared-page-before-exposing-to-userspace.patch 
@@ -0,0 +1,54 @@ +From f6b079629becfa977f9c51fe53ad2e6dcc55ef44 Mon Sep 17 00:00:00 2001 +From: Lord Ulf Henrik Holmberg +Date: Sat, 9 May 2026 10:40:11 +0200 +Subject: RDMA/bnxt_re: zero shared page before exposing to userspace + +From: Lord Ulf Henrik Holmberg + +commit f6b079629becfa977f9c51fe53ad2e6dcc55ef44 upstream. + +bnxt_re_alloc_ucontext() allocates uctx->shpg via +__get_free_page(GFP_KERNEL). The buddy allocator does not zero pages +without __GFP_ZERO, so the page contains stale kernel data from +whatever object most recently freed it. + +The page is then mapped into userspace via vm_insert_page() under +BNXT_RE_MMAP_SH_PAGE in bnxt_re_mmap(). The driver only ever writes +4 bytes (a u32 AVID) at offset BNXT_RE_AVID_OFFT (0x10) inside +bnxt_re_create_ah(); the remaining 4092 bytes of the page are exposed +to userspace unsanitised, leaking kernel memory contents. + +Any user with access to /dev/infiniband/uverbsX on a host with a +bnxt_re device (typically rdma group membership) can read this data +via a single mmap() at pgoff 0 after IB_USER_VERBS_CMD_GET_CONTEXT. + +Other shared pages in the same file already use get_zeroed_page() +correctly: + + drivers/infiniband/hw/bnxt_re/ib_verbs.c + srq->uctx_srq_page = (void *)get_zeroed_page(GFP_KERNEL); + cq->uctx_cq_page = (void *)get_zeroed_page(GFP_KERNEL); + +uctx->shpg is the only outlier. Bring it in line with the existing +convention by switching to get_zeroed_page(). 
+ +Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") +Signed-off-by: Lord Ulf Henrik Holmberg +Link: https://patch.msgid.link/20260509084011.11971-1-pomzm67@gmail.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/bnxt_re/ib_verbs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c ++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c +@@ -3870,7 +3870,7 @@ int bnxt_re_alloc_ucontext(struct ib_uco + + uctx->rdev = rdev; + +- uctx->shpg = (void *)__get_free_page(GFP_KERNEL); ++ uctx->shpg = (void *)get_zeroed_page(GFP_KERNEL); + if (!uctx->shpg) { + rc = -ENOMEM; + goto fail; diff --git a/queue-6.1/series b/queue-6.1/series index 7ad6497664..6a82278603 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -28,3 +28,4 @@ arm-group-is_permission_fault-with-is_translation_fa.patch arm-allow-__do_kernel_fault-to-report-execution-of-m.patch arm-fix-hash_name-fault.patch arm-fix-branch-predictor-hardening.patch +rdma-bnxt_re-zero-shared-page-before-exposing-to-userspace.patch -- 2.47.3
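Review bot: the one-line change at the `uctx->shpg` allocation in bnxt_re_alloc_ucontext() is the right minimal fix, and the surrounding error path (`if (!uctx->shpg)` / `rc = -ENOMEM; goto fail;`) needs no adjustment since get_zeroed_page() returns 0 on failure exactly as __get_free_page() does; it would be worth adding a short comment at the allocation site stating that this page is mapped into userspace via bnxt_re_mmap() and that only the 4-byte AVID at BNXT_RE_AVID_OFFT is ever written by the driver, so a future refactor does not silently reintroduce a non-zeroing allocator. Since the Fixes: tag names the commit that introduced the driver (1ac5a4047975), every stable tree carrying bnxt_re is affected, so the addition to queue-6.1/series shown here should be mirrored in the other maintained queues as well.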