Please backport f6b079629bec ("RDMA/bnxt_re: zero shared page before exposing to userspace") to stable

Next message: Marcel Busch: "Re: [PATCH v2 2/3] x86/mm: simplify calculation of max_pfn_mapped"
Previous message: Marcel Busch: "Re: [PATCH v2 3/3] x86/mm: drop unused returns from direct map setup functions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: pomzm67

Date: Tue Jun 23 2026 - 10:19:20 EST

From: Lord Ulf Henrik Holmberg <henrik.holmberg@xxxxxxxxxxxx>

Hi,

Could the following upstream commit be queued for the active stable
trees? It does not carry a Cc: stable tag and does not appear to have
been picked up by AUTOSEL.

commit f6b079629becfa977f9c51fe53ad2e6dcc55ef44
("RDMA/bnxt_re: zero shared page before exposing to userspace")

It fixes a kernel-memory information leak: bnxt_re_alloc_ucontext()
allocates uctx->shpg with __get_free_page() (no __GFP_ZERO) and then
maps the whole page into userspace via vm_insert_page() under
BNXT_RE_MMAP_SH_PAGE. The driver writes only 4 bytes (a u32 AVID) to
the page, so the remaining 4092 bytes of stale kernel memory are
exposed to any user with access to /dev/infiniband/uverbsX (typically
rdma group membership).

It carries:

Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")

so every kernel from 4.10 onwards is affected. Please apply to the
6.6, 6.12 and 7.0 stable trees (and any other active trees you deem
appropriate).

Thanks,
Lord Ulf Henrik Holmberg (Defensify)