DLPX-91779 Merge failures in linux-kernel-generic after DLPX-91747 #37
Closed
commit 47388e807f85948eefc403a8a5fdc5b406a65d5a upstream.

Assuming the following:
- side A configures the n_gsm in basic option mode
- side B sends the header of a basic option mode frame with data length 1
- side A switches to advanced option mode
- side B sends 2 data bytes which exceeds gsm->len
  Reason: gsm->len is not used in advanced option mode.
- side A switches to basic option mode
- side B keeps sending until gsm0_receive() writes past gsm->buf
  Reason: Neither gsm->state nor gsm->len have been reset after reconfiguration.

Fix this by changing gsm->count to gsm->len comparison from equal to less than. Also add upper limit checks against the constant MAX_MRU in gsm0_receive() and gsm1_receive() to harden against memory corruption of gsm->len and gsm->mru. All other checks remain as we still need to limit the data according to the user configuration and actual payload size.

Reported-by: [email protected]
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218708
Tested-by: [email protected]
Fixes: e1eaea4 ("tty: n_gsm line discipline")
Cc: [email protected]
Signed-off-by: Daniel Starke <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
CVE-2024-36016
(cherry picked from commit f126ce7305fe88f49cdabc6db4168b9318898ea3 linux-6.8.y)
Signed-off-by: Bethany Jamison <[email protected]>
Acked-by: Manuel Diewald <[email protected]>
Acked-by: Andrei Gherzan <[email protected]>
Signed-off-by: Stefan Bader <[email protected]>
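The sequence in the commit message above is easier to follow in a cut-down model of the receive state machine. The following C program is an added example written for this page; it is not kernel code and not part of this PR. The names gsm_model, DEMO_MAX_MRU and the demo_* functions are hypothetical stand-ins for gsm->state, gsm->len, gsm->count, MAX_MRU and gsm0_receive(); the real driver has more states and fields. It places the vulnerable pattern (terminate the data state only on count == len, with no other bound on the store) next to the hardened pattern from the commit (a less-than comparison plus a ceiling at MAX_MRU), and replays the reported reconfiguration sequence against both. Nothing writes out of bounds: the unsafe variant returns -1 at the index where the real code would have written past gsm->buf.

```c
/* Added example, not kernel code: a cut-down model of the n_gsm basic-mode
 * receive path from the commit above. gsm_model, DEMO_MAX_MRU and the demo_*
 * names are hypothetical. The unsafe variant never dereferences out of
 * bounds; it returns -1 where the real code would have written past buf. */
#include <stdbool.h>
#include <stdio.h>

#define DEMO_MAX_MRU 8            /* hard ceiling on the payload, like MAX_MRU */

enum demo_state { DEMO_HEADER, DEMO_DATA, DEMO_DONE };

struct gsm_model {
    unsigned char buf[DEMO_MAX_MRU];
    size_t len;                   /* payload length announced by the header */
    size_t count;                 /* payload bytes stored so far */
    enum demo_state state;
    bool advanced;                /* advanced option mode: len is not used */
};

/* Advanced-mode path of the model: stores bytes without consulting len,
 * which is how count ends up larger than len in the reported sequence. */
static int demo_feed_advanced(struct gsm_model *g, unsigned char c)
{
    if (g->count >= DEMO_MAX_MRU)
        return -1;
    g->buf[g->count++] = c;
    return 0;
}

/* Vulnerable pattern: the data state ends only when count == len and the
 * store is bounded by nothing else, so once count > len it never ends. */
static int demo_feed_basic_unsafe(struct gsm_model *g, unsigned char c)
{
    if (g->state != DEMO_DATA)
        return 0;
    if (g->count >= DEMO_MAX_MRU)
        return -1;                /* the out-of-bounds write the patch prevents */
    g->buf[g->count++] = c;
    if (g->count == g->len)
        g->state = DEMO_DONE;
    return 0;
}

/* Hardened pattern from the commit: "<" instead of "==", plus an upper limit
 * against the constant MAX_MRU so a corrupted len cannot move the bound. */
static int demo_feed_basic_safe(struct gsm_model *g, unsigned char c)
{
    if (g->state != DEMO_DATA)
        return 0;
    if (g->count < g->len && g->count < DEMO_MAX_MRU)
        g->buf[g->count++] = c;
    if (g->count >= g->len || g->count >= DEMO_MAX_MRU)
        g->state = DEMO_DONE;     /* complete or oversized: stop storing */
    return 0;
}

static int demo_feed(struct gsm_model *g, unsigned char c, bool hardened)
{
    if (g->advanced)
        return demo_feed_advanced(g, c);
    return hardened ? demo_feed_basic_safe(g, c) : demo_feed_basic_unsafe(g, c);
}

/* Replays the sequence from the commit message against either variant.
 * Returns 1 if the basic-mode path would have written past buf, else 0. */
static int demo_replay(bool hardened)
{
    /* side B: header of a basic option mode frame with data length 1 */
    struct gsm_model g = { .len = 1, .state = DEMO_DATA };

    g.advanced = true;            /* side A: switches to advanced mode */
    demo_feed(&g, 0x41, hardened);/* side B: 2 data bytes, exceeding len */
    demo_feed(&g, 0x42, hardened);
    g.advanced = false;           /* side A: back to basic mode; neither
                                     state nor len is reset, as reported */
    for (int i = 0; i < 32; i++)  /* side B keeps sending */
        if (demo_feed(&g, 0x43, hardened) < 0)
            return 1;
    return 0;
}

/* Sanity check that a well-formed frame still works: returns the number of
 * bytes stored for a frame announcing len bytes followed by a few extras. */
static size_t demo_normal_frame(size_t len, bool hardened)
{
    struct gsm_model g = { .len = len, .state = DEMO_DATA };

    for (size_t i = 0; i < len + 4; i++)
        demo_feed(&g, 0x44, hardened);
    return g.count;
}

int main(void)
{
    printf("unsafe overflow=%d safe overflow=%d stored=%zu\n",
           demo_replay(false), demo_replay(true), demo_normal_frame(3, true));
    return 0;
}
```

The replay shows the two halves of the fix working together: the less-than comparison makes the data state terminate as soon as count has reached len by any route, and the MAX_MRU ceiling bounds the store even if len itself were corrupted, which is the hardening the commit message describes for gsm0_receive() and gsm1_receive().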
Compare the opcode bytes at rIP for each #VC exit reason to verify the instruction which raised the #VC exception is actually the right one. Signed-off-by: Borislav Petkov (AMD) <[email protected]> Acked-by: Tom Lendacky <[email protected]> Link: https://lore.kernel.org/r/[email protected] CVE-2024-25742 (backported from commit e3ef461af35a8c74f2f4ce6616491ddb355a208f) [yuxuan.luo: manually applied three chunks for sev-shared.c.] Signed-off-by: Yuxuan Luo <[email protected]> Acked-by: Andrei Gherzan <[email protected]> Acked-by: Stefan Bader <[email protected]> Signed-off-by: Stefan Bader <[email protected]>
The MWAITX and MONITORX instructions generate the same #VC error code as the MWAIT and MONITOR instructions, respectively. Update the #VC handler opcode checking to also support the MWAITX and MONITORX opcodes. Fixes: e3ef461af35a ("x86/sev: Harden #VC instruction emulation somewhat") Signed-off-by: Tom Lendacky <[email protected]> Signed-off-by: Borislav Petkov (AMD) <[email protected]> Link: https://lore.kernel.org/r/453d5a7cfb4b9fe818b6fb67f93ae25468bc9e23.1713793161.git.thomas.lendacky@amd.com CVE-2024-25742 (cherry picked from commit e70316d17f6ab49a6038ffd115397fd68f8c7be8) Signed-off-by: Yuxuan Luo <[email protected]> Acked-by: Andrei Gherzan <[email protected]> Acked-by: Stefan Bader <[email protected]> Signed-off-by: Stefan Bader <[email protected]>
Skip SMB sessions that are being torn down (e.g. @ses->ses_status == SES_EXITING) in cifs_debug_data_proc_show() to avoid use-after-free in @ses.

This fixes the following GPF when reading from /proc/fs/cifs/DebugData while mounting and umounting:

[ 816.251274] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6d81: 0000 [#1] PREEMPT SMP NOPTI
...
[ 816.260138] Call Trace:
[ 816.260329] <TASK>
[ 816.260499] ? die_addr+0x36/0x90
[ 816.260762] ? exc_general_protection+0x1b3/0x410
[ 816.261126] ? asm_exc_general_protection+0x26/0x30
[ 816.261502] ? cifs_debug_tcon+0xbd/0x240 [cifs]
[ 816.261878] ? cifs_debug_tcon+0xab/0x240 [cifs]
[ 816.262249] cifs_debug_data_proc_show+0x516/0xdb0 [cifs]
[ 816.262689] ? seq_read_iter+0x379/0x470
[ 816.262995] seq_read_iter+0x118/0x470
[ 816.263291] proc_reg_read_iter+0x53/0x90
[ 816.263596] ? srso_alias_return_thunk+0x5/0x7f
[ 816.263945] vfs_read+0x201/0x350
[ 816.264211] ksys_read+0x75/0x100
[ 816.264472] do_syscall_64+0x3f/0x90
[ 816.264750] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[ 816.265135] RIP: 0033:0x7fd5e669d381

Cc: [email protected]
Signed-off-by: Paulo Alcantara (SUSE) <[email protected]>
Signed-off-by: Steve French <[email protected]>
CVE-2023-52752
(backported from commit d328c09)
[yuxuan.luo: substitute the if statement with (ses->status == CifsExiting) since backporting dd3cd87 ("cifs: use new enum for ses_status") is too hard. Also replace ses->ses_lock with GlobalMid_Lock as well for same reason for d7d7a66 ("cifs: avoid use of global locks for high contention data").]
Signed-off-by: Yuxuan Luo <[email protected]>
Acked-by: Kuba Pawlak <[email protected]>
Acked-by: Stefan Bader <[email protected]>
Signed-off-by: Stefan Bader <[email protected]>
Attempting to do sock_lock on .recvmsg may cause a deadlock as shown below, so instead of using sock_sock this uses sk_receive_queue.lock on bt_sock_ioctl to avoid the UAF:

INFO: task kworker/u9:1:121 blocked for more than 30 seconds.
Not tainted 6.7.6-lemon #183
Workqueue: hci0 hci_rx_work
Call Trace:
<TASK>
__schedule+0x37d/0xa00
schedule+0x32/0xe0
__lock_sock+0x68/0xa0
? __pfx_autoremove_wake_function+0x10/0x10
lock_sock_nested+0x43/0x50
l2cap_sock_recv_cb+0x21/0xa0
l2cap_recv_frame+0x55b/0x30a0
? psi_task_switch+0xeb/0x270
? finish_task_switch.isra.0+0x93/0x2a0
hci_rx_work+0x33a/0x3f0
process_one_work+0x13a/0x2f0
worker_thread+0x2f0/0x410
? __pfx_worker_thread+0x10/0x10
kthread+0xe0/0x110
? __pfx_kthread+0x10/0x10
ret_from_fork+0x2c/0x50
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1b/0x30
</TASK>

Fixes: 2e07e83 ("Bluetooth: af_bluetooth: Fix Use-After-Free in bt_sock_recvmsg")
Signed-off-by: Luiz Augusto von Dentz <[email protected]>
CVE-2024-26886
(backported from commit f7b94bdc1ec107c92262716b073b3e816d4784fb)
[magalilemes: upstream commit f4b41f0 ("net: remove noblock parameter from skb_recv_datagram()") does not exist in Jammy, so skb_recv_datagram with an extra parameter provokes a small context conflict.]
Signed-off-by: Magali Lemes <[email protected]>
Acked-by: Manuel Diewald <[email protected]>
Acked-by: Thibault Ferrante <[email protected]>
Signed-off-by: Stefan Bader <[email protected]>
I found potential out-of-bounds when buffer offset fields of a few requests are invalid. This patch sets the minimum value of the buffer offset field to ->Buffer offset to validate buffer length.

Cc: [email protected]
Signed-off-by: Namjae Jeon <[email protected]>
Signed-off-by: Steve French <[email protected]>
CVE-2024-26952
(backported from commit c6cd2e8d2d9aa7ee35b1fa6a668e32a22a9753da)
[bjamison: unrelated context conflicts in neighboring lines, I applied fix changes as given]
Signed-off-by: Bethany Jamison <[email protected]>
Acked-by: Manuel Diewald <[email protected]>
Acked-by: Stefan Bader <[email protected]>
Signed-off-by: Stefan Bader <[email protected]>
Those get called from packet path, content must not be modified. No functional changes intended. Reviewed-by: Stefano Brivio <[email protected]> Signed-off-by: Florian Westphal <[email protected]> CVE-2024-27017 (cherry picked from commit f04df573faf90bb828a2241b650598c02c074323) Signed-off-by: Bethany Jamison <[email protected]> Acked-by: Manuel Diewald <[email protected]> Acked-by: Kuba Pawlak <[email protected]> Signed-off-by: Stefan Bader <[email protected]>
The generation mask can be updated while netlink dump is in progress. The pipapo set backend walk iterator cannot rely on it to infer what view of the datastructure is to be used. Add notation to specify if user wants to read/update the set. Based on patch from Florian Westphal. Fixes: 2b84e21 ("netfilter: nft_set_pipapo: .walk does not deal with generations") Signed-off-by: Pablo Neira Ayuso <[email protected]> CVE-2024-27017 (backported from commit 29b359cf6d95fd60730533f7f10464e95bd17c73) [bjamison: context conflict with neighboring function defined in h file, fix change applied as given] Signed-off-by: Bethany Jamison <[email protected]> Acked-by: Manuel Diewald <[email protected]> Acked-by: Kuba Pawlak <[email protected]> Signed-off-by: Stefan Bader <[email protected]>
Add missing decorator type to lookup expression and tighten WARN_ON_ONCE check in pipapo to spot earlier that this is unset. Fixes: 29b359cf6d95 ("netfilter: nft_set_pipapo: walk over current view on netlink dump") Signed-off-by: Pablo Neira Ayuso <[email protected]> CVE-2024-27017 (cherry picked from commit efefd4f00c967d00ad7abe092554ffbb70c1a793) Signed-off-by: Bethany Jamison <[email protected]> Acked-by: Manuel Diewald <[email protected]> Acked-by: Kuba Pawlak <[email protected]> Signed-off-by: Stefan Bader <[email protected]>
Ignore: yes Signed-off-by: Manuel Diewald <[email protected]>
BugLink: https://bugs.launchpad.net/bugs/2072059 Properties: no-test-build Signed-off-by: Manuel Diewald <[email protected]>
Signed-off-by: Manuel Diewald <[email protected]>
Initial packaging/config files imported from Ubuntu-hwe-5.13-5.13.0-25.26_20.04.1. Signed-off-by: Andrea Righi <[email protected]>
BugLink: https://bugs.launchpad.net/bugs/1786013 Signed-off-by: Andrea Righi <[email protected]>
BugLink: https://bugs.launchpad.net/bugs/1786013 Signed-off-by: Andrea Righi <[email protected]>
Signed-off-by: Andrea Righi <[email protected]>
Signed-off-by: Andrea Righi <[email protected]>
Ignore: yes Signed-off-by: Andrea Righi <[email protected]>
BugLink: https://bugs.launchpad.net/bugs/1958962 Properties: no-test-build Signed-off-by: Andrea Righi <[email protected]>
Signed-off-by: Andrea Righi <[email protected]>
Ignore: yes Signed-off-by: Andrea Righi <[email protected]>
BugLink: https://bugs.launchpad.net/bugs/1960408 Properties: no-test-build Signed-off-by: Andrea Righi <[email protected]>
Signed-off-by: Andrea Righi <[email protected]>
Signed-off-by: Andrea Righi <[email protected]>
Ignore: yes Signed-off-by: Andrea Righi <[email protected]>
BugLink: https://bugs.launchpad.net/bugs/1964906 Properties: no-test-build Signed-off-by: Andrea Righi <[email protected]>
Signed-off-by: Andrea Righi <[email protected]>
Now that we have a separate lowlatency derivative we can drop lowlatency references in debian.hwe-5.15. Signed-off-by: Andrea Righi <[email protected]>
Ignore: yes Signed-off-by: Andrea Righi <[email protected]>
BugLink: https://bugs.launchpad.net/bugs/1967509 Properties: no-test-build Signed-off-by: Andrea Righi <[email protected]>
BugLink: https://bugs.launchpad.net/bugs/2071602 Properties: no-test-build Signed-off-by: Stefan Bader <[email protected]>
…el-versions (main/2024.06.10) BugLink: https://bugs.launchpad.net/bugs/1786013 Signed-off-by: Stefan Bader <[email protected]>
Signed-off-by: Stefan Bader <[email protected]>
Ignore: yes Signed-off-by: Stefan Bader <[email protected]>
BugLink: https://bugs.launchpad.net/bugs/2072057 Properties: no-test-build Signed-off-by: Stefan Bader <[email protected]>
Signed-off-by: Stefan Bader <[email protected]>
This is a placeholder commit to separate the Ubuntu kernel source and our patches. Used by kernel_merge_with_upstream() in the linux-pkg repo.
Reworked jwk404's merge from DLPX-91747 into a separate commit
manoj-joseph changed the title from "Test/manoj joseph/dlpx 91779" to "DLPX-91779 Merge failures in linux-kernel-generic after DLPX-91747" on Jul 30, 2024
pcd1193182 approved these changes on Jul 30, 2024
#38 is the one!
delphix-devops-bot pushed a commit that referenced this pull request on Sep 14, 2024
BugLink: https://bugs.launchpad.net/bugs/2072617

[ Upstream commit 1ff05e723f7ca30644b8ec3fb093f16312e408ad ]

While validating node ids in map_benchmark_ioctl(), node_possible() may be provided with invalid argument outside of [0,MAX_NUMNODES-1] range leading to:

BUG: KASAN: wild-memory-access in map_benchmark_ioctl (kernel/dma/map_benchmark.c:214)
Read of size 8 at addr 1fffffff8ccb6398 by task dma_map_benchma/971
CPU: 7 PID: 971 Comm: dma_map_benchma Not tainted 6.9.0-rc6 #37
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
Call Trace:
<TASK>
dump_stack_lvl (lib/dump_stack.c:117)
kasan_report (mm/kasan/report.c:603)
kasan_check_range (mm/kasan/generic.c:189)
variable_test_bit (arch/x86/include/asm/bitops.h:227) [inline]
arch_test_bit (arch/x86/include/asm/bitops.h:239) [inline]
_test_bit at (include/asm-generic/bitops/instrumented-non-atomic.h:142) [inline]
node_state (include/linux/nodemask.h:423) [inline]
map_benchmark_ioctl (kernel/dma/map_benchmark.c:214)
full_proxy_unlocked_ioctl (fs/debugfs/file.c:333)
__x64_sys_ioctl (fs/ioctl.c:890)
do_syscall_64 (arch/x86/entry/common.c:83)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)

Compare node ids with sane bounds first. NUMA_NO_NODE is considered a special valid case meaning that benchmarking kthreads won't be bound to a cpuset of a given node.

Found by Linux Verification Center (linuxtesting.org).

Fixes: 65789da ("dma-mapping: add benchmark support for streaming DMA APIs")
Signed-off-by: Fedor Pchelkin <[email protected]>
Reviewed-by: Robin Murphy <[email protected]>
Signed-off-by: Christoph Hellwig <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
Signed-off-by: Portia Stephens <[email protected]>
Signed-off-by: Stefan Bader <[email protected]>
Problem
Seb: I think we have a problem with the kernel repos this morning (all except the gcp repo, which wasn't touched). It looks like upstream was merged into develop instead of having had our patch sets rebased on top of upstream (starting with the @@DELPHIX_PATCHSET_START@@ commit).
Solution
Here is what I did:
Ubuntu-hwe-5.15-5.15.0-116.126_20.04.1
from upstreams.origin/develop
to get the changes @jwk404 made in PR 36 and added that as a new commit.

Testing Done