diff options
| author |   Lord Ulf Henrik Holmberg <henrik.holmberg@defensify.se> | 2026-05-09 10:40:11 +0200 |
|---|---|---|
| committer |   Leon Romanovsky <leon@kernel.org> | 2026-05-13 14:40:48 -0400 |
| commit | f6b079629becfa977f9c51fe53ad2e6dcc55ef44 (patch) | |
| tree | e90d23dd300192b78929db85e41948ece4d24bc3 /samples/kobject/ssh:/git@git.zx2c4.com/git: | |
| parent | selftests/rdma: explicitly skip tests when required modules are missing (diff) | |
RDMA/bnxt_re: zero shared page before exposing to userspace
bnxt_re_alloc_ucontext() allocates uctx->shpg via
__get_free_page(GFP_KERNEL). The buddy allocator does not zero pages
without __GFP_ZERO, so the page contains stale kernel data from
whatever object most recently freed it.
The page is then mapped into userspace via vm_insert_page() under
BNXT_RE_MMAP_SH_PAGE in bnxt_re_mmap(). The driver only ever writes
4 bytes (a u32 AVID) at offset BNXT_RE_AVID_OFFT (0x10) inside
bnxt_re_create_ah(); the remaining 4092 bytes of the page are exposed
to userspace unsanitised, leaking kernel memory contents.
Any user with access to /dev/infiniband/uverbsX on a host with a
bnxt_re device (typically rdma group membership) can read this data
via a single mmap() at pgoff 0 after IB_USER_VERBS_CMD_GET_CONTEXT.
Other shared pages in the same file already use get_zeroed_page()
correctly:
drivers/infiniband/hw/bnxt_re/ib_verbs.c
srq->uctx_srq_page = (void *)get_zeroed_page(GFP_KERNEL);
cq->uctx_cq_page = (void *)get_zeroed_page(GFP_KERNEL);
uctx->shpg is the only outlier. Bring it in line with the existing
convention by switching to get_zeroed_page().
Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
Signed-off-by: Lord Ulf Henrik Holmberg <henrik.holmberg@defensify.se>
Link: https://patch.msgid.link/20260509084011.11971-1-pomzm67@gmail.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Diffstat (limited to 'samples/kobject/ssh:/git@git.zx2c4.com/git:')
0 files changed, 0 insertions, 0 deletions