From: Kalesh AP <kalesh-anakkur.purayil@xxxxxxxxxxxx>

[ Upstream commit 09d231ab569ca97478445ccc1ad44ab026de39b1 ]

Since both "length" and "offset" are of type u32, there is no functional issue here.

Reviewed-by: Saravanan Vajravel <saravanan.vajravel@xxxxxxxxxxxx>
Signed-off-by: Shravya KN <shravya.k-n@xxxxxxxxxxxx>
Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@xxxxxxxxxxxx>
Link: https://patch.msgid.link/20250704043857.19158-2-kalesh-anakkur.purayil@xxxxxxxxxxxx
Signed-off-by: Leon Romanovsky <leon@xxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
---

LLM Generated explanations, may be completely bogus:

**Backport Status: YES**

This commit should be backported to stable kernel trees for the following reasons:

1. **Clear Bug Fix**: The commit fixes a genuine copy-paste error where `sizeof(length)` was incorrectly used instead of `sizeof(offset)` when copying the offset value to userspace in line 4749. This bug has been present since the code was introduced in commit 9b0a7a2cb87d9 (December 2023).

2. **Potential Functional Impact**: While the commit message states "no functional issue" because both `length` and `offset` are u32 types (and thus have the same size), this is still a correctness issue that should be fixed. The bug could become problematic if:
   - The types are changed in the future
   - Compiler optimizations or static analysis tools get confused
   - It sets a bad precedent for similar code patterns

3. **Small and Contained Fix**: This is a one-line change that simply corrects the sizeof() argument from `sizeof(length)` to `sizeof(offset)`. The change is minimal, easy to verify, and has zero risk of introducing regressions.

4. **Affects User-Kernel Interface**: The buggy code is in the `uverbs_copy_to()` function which copies data to userspace through the RDMA uverbs interface. This is part of the user-kernel ABI for the Broadcom NetXtreme-E RoCE driver, making correctness particularly important.

5. **Recently Introduced Bug**: The bug was introduced relatively recently (December 2023), meaning it could affect stable kernels from 6.8 onwards. Backporting ensures all affected stable versions get the fix.

6. **No Architecture Changes**: This is purely a bug fix with no feature additions or architectural changes. It simply corrects an obvious typo in the sizeof() operator usage.

The commit meets all the stable tree criteria: it fixes a real bug (even if currently benign), is minimal in scope, has no side effects, and carries essentially zero risk of regression.

drivers/infiniband/hw/bnxt_re/ib_verbs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c index 063801384b2b..3a627acb82ce 100644 --- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c +++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c @@ -4738,7 +4738,7 @@ static int UVERBS_HANDLER(BNXT_RE_METHOD_GET_TOGGLE_MEM)(struct uverbs_attr_bund return err; err = uverbs_copy_to(attrs, BNXT_RE_TOGGLE_MEM_MMAP_OFFSET, - &offset, sizeof(length)); + &offset, sizeof(offset)); if (err) return err; -- 2.39.5
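Review bot: In the uverbs_copy_to() call for BNXT_RE_TOGGLE_MEM_MMAP_OFFSET, the size argument sets how many bytes are copied out of the kernel starting at &offset, so it must be derived from the source object itself. sizeof(offset) does that, while sizeof(length) was only correct because both variables are u32, as the commit message says. If the two types ever diverged with length the wider one, the old form would copy bytes beyond offset to userspace, so this is worth treating as hardening rather than a cosmetic change. The commit message as shown has no Fixes: tag and does not describe the change itself; adding both would make the stable backport easier to audit. The leading context line `return err;` indicates an earlier step in the same handler, and any other uverbs_copy_to() call there should be checked for the same pairing of source pointer and sizeof operand.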