generated from delphix/.github
-
Notifications
You must be signed in to change notification settings - Fork 10
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
DLPX-91779 Merge failures in linux-kernel-generic after DLPX-91747 #38
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
commit 47388e807f85948eefc403a8a5fdc5b406a65d5a upstream. Assuming the following: - side A configures the n_gsm in basic option mode - side B sends the header of a basic option mode frame with data length 1 - side A switches to advanced option mode - side B sends 2 data bytes which exceeds gsm->len Reason: gsm->len is not used in advanced option mode. - side A switches to basic option mode - side B keeps sending until gsm0_receive() writes past gsm->buf Reason: Neither gsm->state nor gsm->len have been reset after reconfiguration. Fix this by changing gsm->count to gsm->len comparison from equal to less than. Also add upper limit checks against the constant MAX_MRU in gsm0_receive() and gsm1_receive() to harden against memory corruption of gsm->len and gsm->mru. All other checks remain as we still need to limit the data according to the user configuration and actual payload size. Reported-by: [email protected] Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218708 Tested-by: [email protected] Fixes: e1eaea4 ("tty: n_gsm line discipline") Cc: [email protected] Signed-off-by: Daniel Starke <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Greg Kroah-Hartman <[email protected]> CVE-2024-36016 (cherry picked from commit f126ce7305fe88f49cdabc6db4168b9318898ea3 linux-6.8.y) Signed-off-by: Bethany Jamison <[email protected]> Acked-by: Manuel Diewald <[email protected]> Acked-by: Andrei Gherzan <[email protected]> Signed-off-by: Stefan Bader <[email protected]>
Compare the opcode bytes at rIP for each #VC exit reason to verify the instruction which raised the #VC exception is actually the right one. Signed-off-by: Borislav Petkov (AMD) <[email protected]> Acked-by: Tom Lendacky <[email protected]> Link: https://lore.kernel.org/r/[email protected] CVE-2024-25742 (backported from commit e3ef461af35a8c74f2f4ce6616491ddb355a208f) [yuxuan.luo: manually applied three chunks for sev-shared.c.] Signed-off-by: Yuxuan Luo <[email protected]> Acked-by: Andrei Gherzan <[email protected]> Acked-by: Stefan Bader <[email protected]> Signed-off-by: Stefan Bader <[email protected]>
The MWAITX and MONITORX instructions generate the same #VC error code as the MWAIT and MONITOR instructions, respectively. Update the #VC handler opcode checking to also support the MWAITX and MONITORX opcodes. Fixes: e3ef461af35a ("x86/sev: Harden #VC instruction emulation somewhat") Signed-off-by: Tom Lendacky <[email protected]> Signed-off-by: Borislav Petkov (AMD) <[email protected]> Link: https://lore.kernel.org/r/453d5a7cfb4b9fe818b6fb67f93ae25468bc9e23.1713793161.git.thomas.lendacky@amd.com CVE-2024-25742 (cherry picked from commit e70316d17f6ab49a6038ffd115397fd68f8c7be8) Signed-off-by: Yuxuan Luo <[email protected]> Acked-by: Andrei Gherzan <[email protected]> Acked-by: Stefan Bader <[email protected]> Signed-off-by: Stefan Bader <[email protected]>
Skip SMB sessions that are being teared down (e.g. @ses->ses_status == SES_EXITING) in cifs_debug_data_proc_show() to avoid use-after-free in @SES. This fixes the following GPF when reading from /proc/fs/cifs/DebugData while mounting and umounting [ 816.251274] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6d81: 0000 [#1] PREEMPT SMP NOPTI ... [ 816.260138] Call Trace: [ 816.260329] <TASK> [ 816.260499] ? die_addr+0x36/0x90 [ 816.260762] ? exc_general_protection+0x1b3/0x410 [ 816.261126] ? asm_exc_general_protection+0x26/0x30 [ 816.261502] ? cifs_debug_tcon+0xbd/0x240 [cifs] [ 816.261878] ? cifs_debug_tcon+0xab/0x240 [cifs] [ 816.262249] cifs_debug_data_proc_show+0x516/0xdb0 [cifs] [ 816.262689] ? seq_read_iter+0x379/0x470 [ 816.262995] seq_read_iter+0x118/0x470 [ 816.263291] proc_reg_read_iter+0x53/0x90 [ 816.263596] ? srso_alias_return_thunk+0x5/0x7f [ 816.263945] vfs_read+0x201/0x350 [ 816.264211] ksys_read+0x75/0x100 [ 816.264472] do_syscall_64+0x3f/0x90 [ 816.264750] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 [ 816.265135] RIP: 0033:0x7fd5e669d381 Cc: [email protected] Signed-off-by: Paulo Alcantara (SUSE) <[email protected]> Signed-off-by: Steve French <[email protected]> CVE-2023-52752 (backported from commit d328c09) [yuxuan.luo: substitute the if statement with (ses->status == CifsExiting) since backporting dd3cd87 (“cifs: use new enum for ses_status”) is too hard. Also replace ses->ses_lock with GlobalMid_Lock as well for same reason for d7d7a66 (“cifs: avoid use of global locks for high contention data”).] Signed-off-by: Yuxuan Luo <[email protected]> Acked-by: Kuba Pawlak <[email protected]> Acked-by: Stefan Bader <[email protected]> Signed-off-by: Stefan Bader <[email protected]>
Attemting to do sock_lock on .recvmsg may cause a deadlock as shown bellow, so instead of using sock_sock this uses sk_receive_queue.lock on bt_sock_ioctl to avoid the UAF: INFO: task kworker/u9:1:121 blocked for more than 30 seconds. Not tainted 6.7.6-lemon #183 Workqueue: hci0 hci_rx_work Call Trace: <TASK> __schedule+0x37d/0xa00 schedule+0x32/0xe0 __lock_sock+0x68/0xa0 ? __pfx_autoremove_wake_function+0x10/0x10 lock_sock_nested+0x43/0x50 l2cap_sock_recv_cb+0x21/0xa0 l2cap_recv_frame+0x55b/0x30a0 ? psi_task_switch+0xeb/0x270 ? finish_task_switch.isra.0+0x93/0x2a0 hci_rx_work+0x33a/0x3f0 process_one_work+0x13a/0x2f0 worker_thread+0x2f0/0x410 ? __pfx_worker_thread+0x10/0x10 kthread+0xe0/0x110 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2c/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 </TASK> Fixes: 2e07e83 ("Bluetooth: af_bluetooth: Fix Use-After-Free in bt_sock_recvmsg") Signed-off-by: Luiz Augusto von Dentz <[email protected]> CVE-2024-26886 (backported from commit f7b94bdc1ec107c92262716b073b3e816d4784fb) [magalilemes: upstream commit f4b41f0 ("net: remove noblock parameter from skb_recv_datagram()") does not exist in Jammy, so skb_recv_datagram with an extra parameter provokes a small context conflict.] Signed-off-by: Magali Lemes <[email protected]> Acked-by: Manuel Diewald <[email protected]> Acked-by: Thibault Ferrante <[email protected]> Signed-off-by: Stefan Bader <[email protected]>
I found potencial out-of-bounds when buffer offset fields of a few requests is invalid. This patch set the minimum value of buffer offset field to ->Buffer offset to validate buffer length. Cc: [email protected] Signed-off-by: Namjae Jeon <[email protected]> Signed-off-by: Steve French <[email protected]> CVE-2024-26952 (backported from commit c6cd2e8d2d9aa7ee35b1fa6a668e32a22a9753da) [bjamison: unrelated context conflicts in neighboring lines, I applied fix changes as given] Signed-off-by: Bethany Jamison <[email protected]> Acked-by: Manuel Diewald <[email protected]> Acked-by: Stefan Bader <[email protected]> Signed-off-by: Stefan Bader <[email protected]>
Those get called from packet path, content must not be modified. No functional changes intended. Reviewed-by: Stefano Brivio <[email protected]> Signed-off-by: Florian Westphal <[email protected]> CVE-2024-27017 (cherry picked from commit f04df573faf90bb828a2241b650598c02c074323) Signed-off-by: Bethany Jamison <[email protected]> Acked-by: Manuel Diewald <[email protected]> Acked-by: Kuba Pawlak <[email protected]> Signed-off-by: Stefan Bader <[email protected]>
The generation mask can be updated while netlink dump is in progress. The pipapo set backend walk iterator cannot rely on it to infer what view of the datastructure is to be used. Add notation to specify if user wants to read/update the set. Based on patch from Florian Westphal. Fixes: 2b84e21 ("netfilter: nft_set_pipapo: .walk does not deal with generations") Signed-off-by: Pablo Neira Ayuso <[email protected]> CVE-2024-27017 (backported from commit 29b359cf6d95fd60730533f7f10464e95bd17c73) [bjamison: context conflict with neighboring function defined in h file, fix change applied as given] Signed-off-by: Bethany Jamison <[email protected]> Acked-by: Manuel Diewald <[email protected]> Acked-by: Kuba Pawlak <[email protected]> Signed-off-by: Stefan Bader <[email protected]>
Add missing decorator type to lookup expression and tighten WARN_ON_ONCE check in pipapo to spot earlier that this is unset. Fixes: 29b359cf6d95 ("netfilter: nft_set_pipapo: walk over current view on netlink dump") Signed-off-by: Pablo Neira Ayuso <[email protected]> CVE-2024-27017 (cherry picked from commit efefd4f00c967d00ad7abe092554ffbb70c1a793) Signed-off-by: Bethany Jamison <[email protected]> Acked-by: Manuel Diewald <[email protected]> Acked-by: Kuba Pawlak <[email protected]> Signed-off-by: Stefan Bader <[email protected]>
Ignore: yes Signed-off-by: Manuel Diewald <[email protected]>
BugLink: https://bugs.launchpad.net/bugs/2072059 Properties: no-test-build Signed-off-by: Manuel Diewald <[email protected]>
Signed-off-by: Manuel Diewald <[email protected]>
Initial packaging/config files imported from Ubuntu-hwe-5.13-5.13.0-25.26_20.04.1. Signed-off-by: Andrea Righi <[email protected]>
BugLink: https://bugs.launchpad.net/bugs/1786013 Signed-off-by: Andrea Righi <[email protected]>
BugLink: https://bugs.launchpad.net/bugs/1786013 Signed-off-by: Andrea Righi <[email protected]>
Signed-off-by: Andrea Righi <[email protected]>
Signed-off-by: Andrea Righi <[email protected]>
Ignore: yes Signed-off-by: Andrea Righi <[email protected]>
BugLink: https://bugs.launchpad.net/bugs/1958962 Properties: no-test-build Signed-off-by: Andrea Righi <[email protected]>
Signed-off-by: Andrea Righi <[email protected]>
Ignore: yes Signed-off-by: Andrea Righi <[email protected]>
BugLink: https://bugs.launchpad.net/bugs/1960408 Properties: no-test-build Signed-off-by: Andrea Righi <[email protected]>
Signed-off-by: Andrea Righi <[email protected]>
Signed-off-by: Andrea Righi <[email protected]>
Ignore: yes Signed-off-by: Andrea Righi <[email protected]>
BugLink: https://bugs.launchpad.net/bugs/1964906 Properties: no-test-build Signed-off-by: Andrea Righi <[email protected]>
Signed-off-by: Andrea Righi <[email protected]>
Now that we have a separate lowlatency derivative we can drop lowlatency references in debian.hwe-5.15. Signed-off-by: Andrea Righi <[email protected]>
Ignore: yes Signed-off-by: Andrea Righi <[email protected]>
BugLink: https://bugs.launchpad.net/bugs/1967509 Properties: no-test-build Signed-off-by: Andrea Righi <[email protected]>
Ignore: yes Signed-off-by: Stefan Bader <[email protected]>
BugLink: https://bugs.launchpad.net/bugs/2071602 Properties: no-test-build Signed-off-by: Stefan Bader <[email protected]>
…el-versions (main/2024.06.10) BugLink: https://bugs.launchpad.net/bugs/1786013 Signed-off-by: Stefan Bader <[email protected]>
Signed-off-by: Stefan Bader <[email protected]>
Ignore: yes Signed-off-by: Stefan Bader <[email protected]>
BugLink: https://bugs.launchpad.net/bugs/2072057 Properties: no-test-build Signed-off-by: Stefan Bader <[email protected]>
Signed-off-by: Stefan Bader <[email protected]>
This is a placeholder commit to separate the Ubuntu kernel source and our patches. Used by kernel_merge_with_upstream() in the linux-pkg repo.
Reworked jwk404's merge from DLPX-91747 into a separate commit PR URL: https://www.github.com/delphix/linux-kernel-generic/pull/37 Reworked jwk404's merge into a separate commit
manoj-joseph
changed the title
Test/manoj joseph/dlpx 91779 2
DLPX-91779 Merge failures in linux-kernel-generic after DLPX-91747
Jul 30, 2024
pcd1193182
approved these changes
Jul 30, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Problem
Seb: I think we have a problem with the kernel repos this morning (all except the gcp repo, which wasn't touched). It looks like upstream was merged into develop instead of having had our patch sets rebased on top of upstream (starting with the @@DELPHIX_PATCHSET_START@@ commit).
Solution
Here is what I did:
Ubuntu-hwe-5.15-5.15.0-116.126_20.04.1
from upstreams.origin/develop
to get the changes @jwk404 made in PR 36 and added that as a new commit.Testing Done