Re: [PATCH] RDMA/bnxt_re: zero shared page before exposing to userspace

[Leon Romanovsky]

On Sat, 09 May 2026 10:40:11 +0200, pomzm67@xxxxxxxxx wrote:
> bnxt_re_alloc_ucontext() allocates uctx->shpg via
> __get_free_page(GFP_KERNEL). The buddy allocator does not zero pages
> without __GFP_ZERO, so the page contains stale kernel data from
> whatever object most recently freed it.
> 
> The page is then mapped into userspace via vm_insert_page() under
> BNXT_RE_MMAP_SH_PAGE in bnxt_re_mmap(). The driver only ever writes
> 4 bytes (a u32 AVID) at offset BNXT_RE_AVID_OFFT (0x10) inside
> bnxt_re_create_ah(); the remaining 4092 bytes of the page are exposed
> to userspace unsanitised, leaking kernel memory contents.
> 
> [...]

Applied, thanks!

[1/1] RDMA/bnxt_re: zero shared page before exposing to userspace
      (no commit info)

Best regards,
-- 
Leon Romanovsky <leon@xxxxxxxxxx>