From: Kalesh AP kalesh-anakkur.purayil@broadcom.com
[ Upstream commit 09d231ab569ca97478445ccc1ad44ab026de39b1 ]
Since both "length" and "offset" are of type u32, there is no functional issue here.
Reviewed-by: Saravanan Vajravel saravanan.vajravel@broadcom.com Signed-off-by: Shravya KN shravya.k-n@broadcom.com Signed-off-by: Kalesh AP kalesh-anakkur.purayil@broadcom.com Link: https://patch.msgid.link/20250704043857.19158-2-kalesh-anakkur.purayil@broad... Signed-off-by: Leon Romanovsky leon@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org ---
LLM Generated explanations, may be completely bogus:
**Backport Status: YES**
This commit should be backported to stable kernel trees for the following reasons:
1. **Clear Bug Fix**: The commit fixes a genuine copy-paste error where `sizeof(length)` was incorrectly used instead of `sizeof(offset)` when copying the offset value to userspace in line 4749. This bug has been present since the code was introduced in commit 9b0a7a2cb87d9 (December 2023).
2. **Potential Functional Impact**: While the commit message states "no functional issue" because both `length` and `offset` are u32 types (and thus have the same size), this is still a correctness issue that should be fixed. The bug could become problematic if: - The types are changed in the future - Compiler optimizations or static analysis tools get confused - It sets a bad precedent for similar code patterns
3. **Small and Contained Fix**: This is a one-line change that simply corrects the sizeof() argument from `sizeof(length)` to `sizeof(offset)`. The change is minimal, easy to verify, and has zero risk of introducing regressions.
4. **Affects User-Kernel Interface**: The buggy code is in the `uverbs_copy_to()` function which copies data to userspace through the RDMA uverbs interface. This is part of the user-kernel ABI for the Broadcom NetXtreme-E RoCE driver, making correctness particularly important.
5. **Recently Introduced Bug**: The bug was introduced relatively recently (December 2023), meaning it could affect stable kernels from 6.8 onwards. Backporting ensures all affected stable versions get the fix.
6. **No Architecture Changes**: This is purely a bug fix with no feature additions or architectural changes. It simply corrects an obvious typo in the sizeof() operator usage.
The commit meets all the stable tree criteria: it fixes a real bug (even if currently benign), is minimal in scope, has no side effects, and carries essentially zero risk of regression.
drivers/infiniband/hw/bnxt_re/ib_verbs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c index 063801384b2b..3a627acb82ce 100644 --- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c +++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c @@ -4738,7 +4738,7 @@ static int UVERBS_HANDLER(BNXT_RE_METHOD_GET_TOGGLE_MEM)(struct uverbs_attr_bund return err;
err = uverbs_copy_to(attrs, BNXT_RE_TOGGLE_MEM_MMAP_OFFSET, - &offset, sizeof(length)); + &offset, sizeof(offset)); if (err) return err;