From: Greg KH <gregkh@linuxfoundation.org>
To: Henrik Holmberg <pomzm67@gmail.com>
Cc: security@kernel.org, selvin.xavier@broadcom.com,
kalesh-anakkur.purayil@broadcom.com, linux-rdma@vger.kernel.org
Subject: Re: [security] RDMA/bnxt_re: kernel infoleak via uninitialised shpg shared page exposed to userspace
Date: Sat, 9 May 2026 06:25:59 +0200 [thread overview]
Message-ID: <2026050945-oversight-carefully-93e0@gregkh> (raw)
In-Reply-To: <CAOOd5egJUS5THB4_Rvkkd-SNyKeox2audsnuEm-mz3NEoPc2Og@mail.gmail.com>
On Fri, May 08, 2026 at 10:24:33PM +0200, Henrik Holmberg wrote:
> Hi Greg,
>
> Reformatted as a real kernel patch per your request. checkpatch.pl --strict
> reports 0 errors, 0 warnings, 0 checks against current torvalds/master.
> get_maintainer.pl was run; full Cc list applied to this thread.
>
> Patch follows inline below.
>
> Best regards,
> Henrik (Lord Ulf Henrik Holmberg)
> Senior IT Security Researcher, Defensify
>
> ----8<--------------------------------------------------------------
>
> From: Lord Ulf Henrik Holmberg <henrik.holmberg@defensify.se>
> Date: Fri, 8 May 2026 16:14:57 +0200
> Subject: [PATCH] RDMA/bnxt_re: zero shared page before exposing to userspace
>
> bnxt_re_alloc_ucontext() allocates uctx->shpg via
> __get_free_page(GFP_KERNEL). The buddy allocator does not zero pages
> without __GFP_ZERO, so the page contains stale kernel data from
> whatever object most recently freed it.
>
> The page is then mapped into userspace via vm_insert_page() under
> BNXT_RE_MMAP_SH_PAGE in bnxt_re_mmap(). The driver only ever writes
> 4 bytes (a u32 AVID) at offset BNXT_RE_AVID_OFFT (0x10) inside
> bnxt_re_create_ah(); the remaining 4092 bytes of the page are exposed
> to userspace unsanitised, leaking kernel memory contents.
>
> Any user with access to /dev/infiniband/uverbsX on a host with a
> bnxt_re device (typically rdma group membership) can read this data
> via a single mmap() at pgoff 0 after IB_USER_VERBS_CMD_GET_CONTEXT.
>
> Other shared pages in the same file already use get_zeroed_page()
> correctly:
>
> drivers/infiniband/hw/bnxt_re/ib_verbs.c
> srq->uctx_srq_page = (void *)get_zeroed_page(GFP_KERNEL);
> cq->uctx_cq_page = (void *)get_zeroed_page(GFP_KERNEL);
>
> uctx->shpg is the only outlier. Bring it in line with the existing
> convention by switching to get_zeroed_page().
>
> Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
> Signed-off-by: Lord Ulf Henrik Holmberg <henrik.holmberg@defensify.se>
> ---
> drivers/infiniband/hw/bnxt_re/ib_verbs.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c
> b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
This is totally corrupted and can not be applied :(
next prev parent reply other threads:[~2026-05-09 4:26 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-08 13:45 [security] RDMA/bnxt_re: kernel infoleak via uninitialised shpg shared page exposed to userspace Henrik Holmberg
2026-05-08 13:51 ` Greg KH
2026-05-08 14:23 ` Henrik Holmberg
2026-05-08 20:24 ` Henrik Holmberg
2026-05-09 4:25 ` Greg KH [this message]
2026-05-09 8:40 ` [PATCH] RDMA/bnxt_re: zero shared page before exposing " pomzm67
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2026050945-oversight-carefully-93e0@gregkh \
--to=gregkh@linuxfoundation.org \
--cc=kalesh-anakkur.purayil@broadcom.com \
--cc=linux-rdma@vger.kernel.org \
--cc=pomzm67@gmail.com \
--cc=security@kernel.org \
--cc=selvin.xavier@broadcom.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox