Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

DLPX-91779 Merge failures in linux-kernel-generic after DLPX-91747 #38

Closed
wants to merge 232 commits into from

Conversation

manoj-joseph
Copy link

Problem

Seb: I think we have a problem with the kernel repos this morning (all except the gcp repo, which wasn't touched). It looks like upstream was merged into develop instead of having had our patch sets rebased on top of upstream (starting with the @@DELPHIX_PATCHSET_START@@ commit).

Solution

Here is what I did:

delphix@mj-build:~/linux-kernel-generic$ git fetch ; git rebase -i origin/upstreams/develop
hint: Waiting for your editor to close the file...
pick da43deffedd3 @@DELPHIX_PATCHSET_START@@
pick 5b56a8fff289 DLPX-71852 iSCSI: journal flooded with "Unable to locate Target IQN" messages (#2)
# pick 2dfe3de3360c54e1be812450c4dca2064a50bd80 DLPX-74216 nfs-server restarts fail when order-5 allocations are exhausted (#3)
pick e250aadf6b45 DLPX-72065 Aborted iSCSI command never completes after LUN reset (#4)
# pick 6fd01c342513fee1575f43fb81bac090ae074d2d DLPX-82827 Fix for Solaris NFSv4 client mounts (#12)
pick 863b0b3f07c9 DLPX-83442 Disable various kernel modules which we don't use (#13)
pick e10a0f9d7d93 DLPX-83697 iscsi target login should wait until tx/rx threads have properly started
pick 8c1767065dd4 DLPX-83701 Make function mnt_add_count() traceable (#16)
pick 5373dda3bb18 DLPX-84608 Remove merge commit from linux-kernel-generic
pick 3adc74ec2628 DLPX-84907 CVE-2022-3628 (#21)
pick 0dafc63c902b DLPX-84985 target: iscsi: fix deadlock in the iSCSI login code (#22)
# pick 999dc9d49e671a7f8734c62214d77ef604de28f8 DLPX-84995 NFSD: Never call nfsd_file_gc() in foreground paths (#24)
pick 2296b7b5c57e DLPX-84906 Disable frame buffer drivers (#25)
pick 4ec8d1196be5 DLPX-86177 Azure Accelerated networking broken because Mellanox drivers absent in kernel (#26)
pick 4fbc97ad2886 DLPX-86675 Disk quota exceeded when unpacking an upgrade image (#27)
pick 7a27234f85c9 DLPX-87344 Fix kernel merge conflict with upstream
pick 85de4f669c70 DLPX-87710 upgrade from 6.0.16.0 to 15.0.0.0 failed because disk quota error (#29)
pick 3c4066dc1a34 DLPX-87970 Move Delphix annotations to linux-pkg to reduce merge conflicts (#31)
pick e78ec567268a DLPX-91747 Merge conflict in linux-kernel-generic (#36)
[snip]
~                                                                                                                                                                                                                                                    
~                                                                                                                                                                                                                                                    
".git/rebase-merge/git-rebase-todo" 45L, 2812C written
Successfully rebased and updated refs/heads/merge.
delphix@mj-build:~/linux-kernel-generic$ 

delphix@mj-build:~/linux-kernel-generic$ git log -20 --pretty=short origin/test/manoj-joseph/DLPX-91779-2 
commit 7f1eb4bf018f509c89a131a31e3054fb83a767e8 (HEAD -> merge, origin/test/manoj-joseph/DLPX-91779-2)
Author: Manoj Joseph <[email protected]>

    DLPX-91779 Merge failures in linux-kernel-generic after DLPX-91747
    Reworked jwk404's merge from DLPX-91747 into a separate commit

commit 170c462e68f8955db97b682258c0fdfad39e6794
Author: Palash Gandhi <[email protected]>

    DLPX-87970 Move Delphix annotations to linux-pkg to reduce merge conflicts (#31)

commit 4f93c2b5f1134bc57622001724fab685a7323cd8
Author: Palash Gandhi <[email protected]>

    DLPX-87710 upgrade from 6.0.16.0 to 15.0.0.0 failed because disk quota error (#29)

commit 466d50691f0b5e7893c30cc4dd22368f763584dc
Author: Prakash Surya <[email protected]>

    DLPX-87344 Fix kernel merge conflict with upstream

commit 46ef691688bf036eff8fb7359d861ab8436d1946
Author: Prakash Surya <[email protected]>

    DLPX-86675 Disk quota exceeded when unpacking an upgrade image (#27)

commit f0a598c70acf266fb61d1a7a009ded1d8d540cbe
Author: Palash Gandhi <[email protected]>

    DLPX-86177 Azure Accelerated networking broken because Mellanox drivers absent in kernel (#26)

commit 4b1aec347c41d706b0cb0f363f27c39dcf160535
Author: sumedhbala-delphix <[email protected]>

    DLPX-84906 Disable frame buffer drivers (#25)

commit 35c0a9c6f8f1f77ba58a89fc6a984182ade60575
Author: Serapheim Dimitropoulos <[email protected]>

    DLPX-84985 target: iscsi: fix deadlock in the iSCSI login code (#22)

commit 5bd0b1fcb9bbccaaa242950a7ca6295e3dd283e6
Author: Prakash Surya <[email protected]>

    DLPX-84907 CVE-2022-3628 (#21)

commit e70a2f035ad8e1c5fd8aa6e5a314454bc02302de
Author: John Wren Kennedy <[email protected]>

    DLPX-84608 Remove merge commit from linux-kernel-generic

commit 9be61ff5b92e9998cf155c8ae22dab6502befb3f
Author: Don Brady <[email protected]>

    DLPX-83701 Make function mnt_add_count() traceable (#16)

commit e24508096cb786811f465f5099cd2bd9c25a5a6f
Author: Paul Dagnelie <[email protected]>

    DLPX-83697 iscsi target login should wait until tx/rx threads have properly started

commit 11525a8610a6a4aa16db287e14c5709e32a3de8e
Author: Prakash Surya <[email protected]>

    DLPX-83442 Disable various kernel modules which we don't use (#13)
                                                                                                                                                                                                                                                     |
commit f6dd041389a9879a39701695fd88475dbf539129
Author: Pavel Zakharov <[email protected]>

    DLPX-72065 Aborted iSCSI command never completes after LUN reset (#4)

commit b27fb4ba0f709faa84622bb68a93943b59743f3b
Author: Pavel Zakharov <[email protected]>

    DLPX-71852 iSCSI: journal flooded with "Unable to locate Target IQN" messages (#2)

commit b96b3c8cd8bb6b81bb4662e5ca52d04aa51df824
Author: John Wren Kennedy <[email protected]>

    @@DELPHIX_PATCHSET_START@@

commit cfaa3572bcacb26682b8d881f130995d49e71260 (tag: Ubuntu-hwe-5.15-5.15.0-117.127_20.04.1, origin/upstreams/develop)
Author: Stefan Bader <[email protected]>

    UBUNTU: Ubuntu-hwe-5.15-5.15.0-117.127~20.04.1

commit 80327015f92df50d1e4473427e2d0d0eeea41631
Author: Stefan Bader <[email protected]>

    UBUNTU: link-to-tracker: update tracking bug

commit 1bd40b9a74879ce9caae793ebf9cdc99a5d08dcc
Author: Stefan Bader <[email protected]>

    UBUNTU: Start new release

commit a2525e312a39abe05c2785b4cc9c188f6d150c5f
Author: Stefan Bader <[email protected]>

    UBUNTU: Ubuntu-hwe-5.15-5.15.0-116.126~20.04.1

Testing Done

dstarke-siemens and others added 30 commits July 4, 2024 20:53
commit 47388e807f85948eefc403a8a5fdc5b406a65d5a upstream.

Assuming the following:
- side A configures the n_gsm in basic option mode
- side B sends the header of a basic option mode frame with data length 1
- side A switches to advanced option mode
- side B sends 2 data bytes which exceeds gsm->len
  Reason: gsm->len is not used in advanced option mode.
- side A switches to basic option mode
- side B keeps sending until gsm0_receive() writes past gsm->buf
  Reason: Neither gsm->state nor gsm->len have been reset after
  reconfiguration.

Fix this by changing gsm->count to gsm->len comparison from equal to less
than. Also add upper limit checks against the constant MAX_MRU in
gsm0_receive() and gsm1_receive() to harden against memory corruption of
gsm->len and gsm->mru.

All other checks remain as we still need to limit the data according to the
user configuration and actual payload size.

Reported-by: [email protected]
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218708
Tested-by: [email protected]
Fixes: e1eaea4 ("tty: n_gsm line discipline")
Cc: [email protected]
Signed-off-by: Daniel Starke <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>

CVE-2024-36016
(cherry picked from commit f126ce7305fe88f49cdabc6db4168b9318898ea3 linux-6.8.y)
Signed-off-by: Bethany Jamison <[email protected]>
Acked-by: Manuel Diewald <[email protected]>
Acked-by: Andrei Gherzan <[email protected]>
Signed-off-by: Stefan Bader <[email protected]>
Compare the opcode bytes at rIP for each #VC exit reason to verify the
instruction which raised the #VC exception is actually the right one.

Signed-off-by: Borislav Petkov (AMD) <[email protected]>
Acked-by: Tom Lendacky <[email protected]>
Link: https://lore.kernel.org/r/[email protected]

CVE-2024-25742
(backported from commit e3ef461af35a8c74f2f4ce6616491ddb355a208f)
[yuxuan.luo: manually applied three chunks for sev-shared.c.]
Signed-off-by: Yuxuan Luo <[email protected]>
Acked-by: Andrei Gherzan <[email protected]>
Acked-by: Stefan Bader <[email protected]>
Signed-off-by: Stefan Bader <[email protected]>
The MWAITX and MONITORX instructions generate the same #VC error code as
the MWAIT and MONITOR instructions, respectively. Update the #VC handler
opcode checking to also support the MWAITX and MONITORX opcodes.

Fixes: e3ef461af35a ("x86/sev: Harden #VC instruction emulation somewhat")
Signed-off-by: Tom Lendacky <[email protected]>
Signed-off-by: Borislav Petkov (AMD) <[email protected]>
Link: https://lore.kernel.org/r/453d5a7cfb4b9fe818b6fb67f93ae25468bc9e23.1713793161.git.thomas.lendacky@amd.com

CVE-2024-25742
(cherry picked from commit e70316d17f6ab49a6038ffd115397fd68f8c7be8)
Signed-off-by: Yuxuan Luo <[email protected]>
Acked-by: Andrei Gherzan <[email protected]>
Acked-by: Stefan Bader <[email protected]>
Signed-off-by: Stefan Bader <[email protected]>
Skip SMB sessions that are being teared down
(e.g. @ses->ses_status == SES_EXITING) in cifs_debug_data_proc_show()
to avoid use-after-free in @SES.

This fixes the following GPF when reading from /proc/fs/cifs/DebugData
while mounting and umounting

  [ 816.251274] general protection fault, probably for non-canonical
  address 0x6b6b6b6b6b6b6d81: 0000 [#1] PREEMPT SMP NOPTI
  ...
  [  816.260138] Call Trace:
  [  816.260329]  <TASK>
  [  816.260499]  ? die_addr+0x36/0x90
  [  816.260762]  ? exc_general_protection+0x1b3/0x410
  [  816.261126]  ? asm_exc_general_protection+0x26/0x30
  [  816.261502]  ? cifs_debug_tcon+0xbd/0x240 [cifs]
  [  816.261878]  ? cifs_debug_tcon+0xab/0x240 [cifs]
  [  816.262249]  cifs_debug_data_proc_show+0x516/0xdb0 [cifs]
  [  816.262689]  ? seq_read_iter+0x379/0x470
  [  816.262995]  seq_read_iter+0x118/0x470
  [  816.263291]  proc_reg_read_iter+0x53/0x90
  [  816.263596]  ? srso_alias_return_thunk+0x5/0x7f
  [  816.263945]  vfs_read+0x201/0x350
  [  816.264211]  ksys_read+0x75/0x100
  [  816.264472]  do_syscall_64+0x3f/0x90
  [  816.264750]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8
  [  816.265135] RIP: 0033:0x7fd5e669d381

Cc: [email protected]
Signed-off-by: Paulo Alcantara (SUSE) <[email protected]>
Signed-off-by: Steve French <[email protected]>

CVE-2023-52752
(backported from commit d328c09)
[yuxuan.luo: substitute the if statement with (ses->status == CifsExiting)
 since backporting dd3cd87 (“cifs: use new enum for ses_status”) is
 too hard.
 Also replace ses->ses_lock with GlobalMid_Lock as well for same reason
 for d7d7a66 (“cifs: avoid use of global locks for high contention
 data”).]
Signed-off-by: Yuxuan Luo <[email protected]>
Acked-by: Kuba Pawlak <[email protected]>
Acked-by: Stefan Bader <[email protected]>
Signed-off-by: Stefan Bader <[email protected]>
Attemting to do sock_lock on .recvmsg may cause a deadlock as shown
bellow, so instead of using sock_sock this uses sk_receive_queue.lock
on bt_sock_ioctl to avoid the UAF:

INFO: task kworker/u9:1:121 blocked for more than 30 seconds.
      Not tainted 6.7.6-lemon #183
Workqueue: hci0 hci_rx_work
Call Trace:
 <TASK>
 __schedule+0x37d/0xa00
 schedule+0x32/0xe0
 __lock_sock+0x68/0xa0
 ? __pfx_autoremove_wake_function+0x10/0x10
 lock_sock_nested+0x43/0x50
 l2cap_sock_recv_cb+0x21/0xa0
 l2cap_recv_frame+0x55b/0x30a0
 ? psi_task_switch+0xeb/0x270
 ? finish_task_switch.isra.0+0x93/0x2a0
 hci_rx_work+0x33a/0x3f0
 process_one_work+0x13a/0x2f0
 worker_thread+0x2f0/0x410
 ? __pfx_worker_thread+0x10/0x10
 kthread+0xe0/0x110
 ? __pfx_kthread+0x10/0x10
 ret_from_fork+0x2c/0x50
 ? __pfx_kthread+0x10/0x10
 ret_from_fork_asm+0x1b/0x30
 </TASK>

Fixes: 2e07e83 ("Bluetooth: af_bluetooth: Fix Use-After-Free in bt_sock_recvmsg")
Signed-off-by: Luiz Augusto von Dentz <[email protected]>

CVE-2024-26886
(backported from commit f7b94bdc1ec107c92262716b073b3e816d4784fb)
[magalilemes: upstream commit f4b41f0 ("net: remove noblock
 parameter from skb_recv_datagram()") does not exist in Jammy, so
 skb_recv_datagram with an extra parameter provokes a small context
 conflict.]
Signed-off-by: Magali Lemes <[email protected]>
Acked-by: Manuel Diewald <[email protected]>
Acked-by: Thibault Ferrante <[email protected]>
Signed-off-by: Stefan Bader <[email protected]>
I found potencial out-of-bounds when buffer offset fields of a few requests
is invalid. This patch set the minimum value of buffer offset field to
->Buffer offset to validate buffer length.

Cc: [email protected]
Signed-off-by: Namjae Jeon <[email protected]>
Signed-off-by: Steve French <[email protected]>

CVE-2024-26952
(backported from commit c6cd2e8d2d9aa7ee35b1fa6a668e32a22a9753da)
[bjamison: unrelated context conflicts in neighboring lines, I applied
 fix changes as given]
Signed-off-by: Bethany Jamison <[email protected]>
Acked-by: Manuel Diewald <[email protected]>
Acked-by: Stefan Bader <[email protected]>
Signed-off-by: Stefan Bader <[email protected]>
Those get called from packet path, content must not be modified.
No functional changes intended.

Reviewed-by: Stefano Brivio <[email protected]>
Signed-off-by: Florian Westphal <[email protected]>

CVE-2024-27017
(cherry picked from commit f04df573faf90bb828a2241b650598c02c074323)
Signed-off-by: Bethany Jamison <[email protected]>
Acked-by: Manuel Diewald <[email protected]>
Acked-by: Kuba Pawlak <[email protected]>
Signed-off-by: Stefan Bader <[email protected]>
The generation mask can be updated while netlink dump is in progress.
The pipapo set backend walk iterator cannot rely on it to infer what
view of the datastructure is to be used. Add notation to specify if user
wants to read/update the set.

Based on patch from Florian Westphal.

Fixes: 2b84e21 ("netfilter: nft_set_pipapo: .walk does not deal with generations")
Signed-off-by: Pablo Neira Ayuso <[email protected]>

CVE-2024-27017
(backported from commit 29b359cf6d95fd60730533f7f10464e95bd17c73)
[bjamison: context conflict with neighboring function defined in h file,
 fix change applied as given]
Signed-off-by: Bethany Jamison <[email protected]>
Acked-by: Manuel Diewald <[email protected]>
Acked-by: Kuba Pawlak <[email protected]>
Signed-off-by: Stefan Bader <[email protected]>
Add missing decorator type to lookup expression and tighten WARN_ON_ONCE
check in pipapo to spot earlier that this is unset.

Fixes: 29b359cf6d95 ("netfilter: nft_set_pipapo: walk over current view on netlink dump")
Signed-off-by: Pablo Neira Ayuso <[email protected]>

CVE-2024-27017
(cherry picked from commit efefd4f00c967d00ad7abe092554ffbb70c1a793)
Signed-off-by: Bethany Jamison <[email protected]>
Acked-by: Manuel Diewald <[email protected]>
Acked-by: Kuba Pawlak <[email protected]>
Signed-off-by: Stefan Bader <[email protected]>
Ignore: yes
Signed-off-by: Manuel Diewald <[email protected]>
BugLink: https://bugs.launchpad.net/bugs/2072059
Properties: no-test-build
Signed-off-by: Manuel Diewald <[email protected]>
Signed-off-by: Manuel Diewald <[email protected]>
Initial packaging/config files imported from
Ubuntu-hwe-5.13-5.13.0-25.26_20.04.1.

Signed-off-by: Andrea Righi <[email protected]>
Ignore: yes
Signed-off-by: Andrea Righi <[email protected]>
BugLink: https://bugs.launchpad.net/bugs/1958962
Properties: no-test-build
Signed-off-by: Andrea Righi <[email protected]>
Ignore: yes
Signed-off-by: Andrea Righi <[email protected]>
BugLink: https://bugs.launchpad.net/bugs/1960408
Properties: no-test-build
Signed-off-by: Andrea Righi <[email protected]>
Ignore: yes
Signed-off-by: Andrea Righi <[email protected]>
BugLink: https://bugs.launchpad.net/bugs/1964906
Properties: no-test-build
Signed-off-by: Andrea Righi <[email protected]>
Now that we have a separate lowlatency derivative we can drop lowlatency
references in debian.hwe-5.15.

Signed-off-by: Andrea Righi <[email protected]>
Ignore: yes
Signed-off-by: Andrea Righi <[email protected]>
BugLink: https://bugs.launchpad.net/bugs/1967509
Properties: no-test-build
Signed-off-by: Andrea Righi <[email protected]>
smb49 and others added 23 commits July 11, 2024 15:09
Ignore: yes
Signed-off-by: Stefan Bader <[email protected]>
BugLink: https://bugs.launchpad.net/bugs/2071602
Properties: no-test-build
Signed-off-by: Stefan Bader <[email protected]>
Ignore: yes
Signed-off-by: Stefan Bader <[email protected]>
BugLink: https://bugs.launchpad.net/bugs/2072057
Properties: no-test-build
Signed-off-by: Stefan Bader <[email protected]>
This is a placeholder commit to separate the Ubuntu kernel source and
our patches. Used by kernel_merge_with_upstream() in the linux-pkg repo.
Reworked jwk404's merge from DLPX-91747 into a separate commit

PR URL: https://www.github.com/delphix/linux-kernel-generic/pull/37

Reworked jwk404's merge into a separate commit
@manoj-joseph manoj-joseph changed the title Test/manoj joseph/dlpx 91779 2 DLPX-91779 Merge failures in linux-kernel-generic after DLPX-91747 Jul 30, 2024
@manoj-joseph
Copy link
Author

#39

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

Successfully merging this pull request may close these issues.