* [pve-devel] [PATCH kernel 1/2] cherry-pick fix for NULL pointer dereference in apparmorfs
@ 2024-08-05 10:31 Fiona Ebner
2024-08-05 10:31 ` [pve-devel] [PATCH kernel 2/2] cherry-pick fix for bnxt_re driver Fiona Ebner
2024-08-05 16:52 ` [pve-devel] applied: [PATCH kernel 1/2] cherry-pick fix for NULL pointer dereference in apparmorfs Thomas Lamprecht
0 siblings, 2 replies; 4+ messages in thread
From: Fiona Ebner @ 2024-08-05 10:31 UTC (permalink / raw)
To: pve-devel
Reported in the community forum:
https://forum.proxmox.com/threads/145760/post-690328
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
...ix-possible-NULL-pointer-dereference.patch | 101 ++++++++++++++++++
1 file changed, 101 insertions(+)
create mode 100644 patches/kernel/0023-apparmor-fix-possible-NULL-pointer-dereference.patch
diff --git a/patches/kernel/0023-apparmor-fix-possible-NULL-pointer-dereference.patch b/patches/kernel/0023-apparmor-fix-possible-NULL-pointer-dereference.patch
new file mode 100644
index 0000000..36d4297
--- /dev/null
+++ b/patches/kernel/0023-apparmor-fix-possible-NULL-pointer-dereference.patch
@@ -0,0 +1,101 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Leesoo Ahn <lsahn@ooseel.net>
+Date: Wed, 8 May 2024 01:12:29 +0900
+Subject: [PATCH] apparmor: fix possible NULL pointer dereference
+
+profile->parent->dents[AAFS_PROF_DIR] could be NULL only if its parent is made
+from __create_missing_ancestors(..) and 'ent->old' is NULL in
+aa_replace_profiles(..).
+In that case, it must return an error code and the code, -ENOENT represents
+its state that the path of its parent is not existed yet.
+
+BUG: kernel NULL pointer dereference, address: 0000000000000030
+PGD 0 P4D 0
+PREEMPT SMP PTI
+CPU: 4 PID: 3362 Comm: apparmor_parser Not tainted 6.8.0-24-generic #24
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
+RIP: 0010:aafs_create.constprop.0+0x7f/0x130
+Code: 4c 63 e0 48 83 c4 18 4c 89 e0 5b 41 5c 41 5d 41 5e 41 5f 5d 31 d2 31 c9 31 f6 31 ff 45 31 c0 45 31 c9 45 31 d2 c3 cc cc cc cc <4d> 8b 55 30 4d 8d ba a0 00 00 00 4c 89 55 c0 4c 89 ff e8 7a 6a ae
+RSP: 0018:ffffc9000b2c7c98 EFLAGS: 00010246
+RAX: 0000000000000000 RBX: 00000000000041ed RCX: 0000000000000000
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
+RBP: ffffc9000b2c7cd8 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff82baac10
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+FS: 00007be9f22cf740(0000) GS:ffff88817bc00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000000030 CR3: 0000000134b08000 CR4: 00000000000006f0
+Call Trace:
+ <TASK>
+ ? show_regs+0x6d/0x80
+ ? __die+0x24/0x80
+ ? page_fault_oops+0x99/0x1b0
+ ? kernelmode_fixup_or_oops+0xb2/0x140
+ ? __bad_area_nosemaphore+0x1a5/0x2c0
+ ? find_vma+0x34/0x60
+ ? bad_area_nosemaphore+0x16/0x30
+ ? do_user_addr_fault+0x2a2/0x6b0
+ ? exc_page_fault+0x83/0x1b0
+ ? asm_exc_page_fault+0x27/0x30
+ ? aafs_create.constprop.0+0x7f/0x130
+ ? aafs_create.constprop.0+0x51/0x130
+ __aafs_profile_mkdir+0x3d6/0x480
+ aa_replace_profiles+0x83f/0x1270
+ policy_update+0xe3/0x180
+ profile_load+0xbc/0x150
+ ? rw_verify_area+0x47/0x140
+ vfs_write+0x100/0x480
+ ? __x64_sys_openat+0x55/0xa0
+ ? syscall_exit_to_user_mode+0x86/0x260
+ ksys_write+0x73/0x100
+ __x64_sys_write+0x19/0x30
+ x64_sys_call+0x7e/0x25c0
+ do_syscall_64+0x7f/0x180
+ entry_SYSCALL_64_after_hwframe+0x78/0x80
+RIP: 0033:0x7be9f211c574
+Code: c7 00 16 00 00 00 b8 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 80 3d d5 ea 0e 00 00 74 13 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 55 48 89 e5 48 83 ec 20 48 89
+RSP: 002b:00007ffd26f2b8c8 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
+RAX: ffffffffffffffda RBX: 00005d504415e200 RCX: 00007be9f211c574
+RDX: 0000000000001fc1 RSI: 00005d504418bc80 RDI: 0000000000000004
+RBP: 0000000000001fc1 R08: 0000000000001fc1 R09: 0000000080000000
+R10: 0000000000000000 R11: 0000000000000202 R12: 00005d504418bc80
+R13: 0000000000000004 R14: 00007ffd26f2b9b0 R15: 00007ffd26f2ba30
+ </TASK>
+Modules linked in: snd_seq_dummy snd_hrtimer qrtr snd_hda_codec_generic snd_hda_intel snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device i2c_i801 snd_timer i2c_smbus qxl snd soundcore drm_ttm_helper lpc_ich ttm joydev input_leds serio_raw mac_hid binfmt_misc msr parport_pc ppdev lp parport efi_pstore nfnetlink dmi_sysfs qemu_fw_cfg ip_tables x_tables autofs4 hid_generic usbhid hid ahci libahci psmouse virtio_rng xhci_pci xhci_pci_renesas
+CR2: 0000000000000030
+---[ end trace 0000000000000000 ]---
+RIP: 0010:aafs_create.constprop.0+0x7f/0x130
+Code: 4c 63 e0 48 83 c4 18 4c 89 e0 5b 41 5c 41 5d 41 5e 41 5f 5d 31 d2 31 c9 31 f6 31 ff 45 31 c0 45 31 c9 45 31 d2 c3 cc cc cc cc <4d> 8b 55 30 4d 8d ba a0 00 00 00 4c 89 55 c0 4c 89 ff e8 7a 6a ae
+RSP: 0018:ffffc9000b2c7c98 EFLAGS: 00010246
+RAX: 0000000000000000 RBX: 00000000000041ed RCX: 0000000000000000
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
+RBP: ffffc9000b2c7cd8 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff82baac10
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+FS: 00007be9f22cf740(0000) GS:ffff88817bc00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000000030 CR3: 0000000134b08000 CR4: 00000000000006f0
+
+Signed-off-by: Leesoo Ahn <lsahn@ooseel.net>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+(cherry picked from commit 3dd384108d53834002be5630132ad5c3f32166ad)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ security/apparmor/apparmorfs.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
+index be6c3293c9e0..822f2e6a96a7 100644
+--- a/security/apparmor/apparmorfs.c
++++ b/security/apparmor/apparmorfs.c
+@@ -1921,6 +1921,10 @@ int __aafs_profile_mkdir(struct aa_profile *profile, struct dentry *parent)
+ struct aa_profile *p;
+ p = aa_deref_parent(profile);
+ dent = prof_dir(p);
++ if (!dent) {
++ error = -ENOENT;
++ goto fail2;
++ }
+ /* adding to parent that previously didn't have children */
+ dent = aafs_create_dir("profiles", dent);
+ if (IS_ERR(dent))
--
2.39.2
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 4+ messages in thread* [pve-devel] [PATCH kernel 2/2] cherry-pick fix for bnxt_re driver
2024-08-05 10:31 [pve-devel] [PATCH kernel 1/2] cherry-pick fix for NULL pointer dereference in apparmorfs Fiona Ebner
@ 2024-08-05 10:31 ` Fiona Ebner
2024-08-05 10:40 ` Fiona Ebner
2024-08-05 16:52 ` [pve-devel] applied: [PATCH kernel 1/2] cherry-pick fix for NULL pointer dereference in apparmorfs Thomas Lamprecht
1 sibling, 1 reply; 4+ messages in thread
From: Fiona Ebner @ 2024-08-05 10:31 UTC (permalink / raw)
To: pve-devel
Reported in the community forum:
https://forum.proxmox.com/threads/144557/post-689148
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
Cherry-picked from the Ubuntu-6.8.0-43.43 tag, so not required if
updating to that.
...ift-undefined-behavior-in-bnxt_qplib.patch | 124 ++++++++++++++++++
1 file changed, 124 insertions(+)
create mode 100644 patches/kernel/0024-bnxt_re-avoid-shift-undefined-behavior-in-bnxt_qplib.patch
diff --git a/patches/kernel/0024-bnxt_re-avoid-shift-undefined-behavior-in-bnxt_qplib.patch b/patches/kernel/0024-bnxt_re-avoid-shift-undefined-behavior-in-bnxt_qplib.patch
new file mode 100644
index 0000000..75bc01a
--- /dev/null
+++ b/patches/kernel/0024-bnxt_re-avoid-shift-undefined-behavior-in-bnxt_qplib.patch
@@ -0,0 +1,124 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Michal Schmidt <mschmidt@redhat.com>
+Date: Tue, 7 May 2024 12:39:28 +0200
+Subject: [PATCH] bnxt_re: avoid shift undefined behavior in
+ bnxt_qplib_alloc_init_hwq
+
+BugLink: https://bugs.launchpad.net/bugs/2071621
+
+[ Upstream commit 78cfd17142ef70599d6409cbd709d94b3da58659 ]
+
+Undefined behavior is triggered when bnxt_qplib_alloc_init_hwq is called
+with hwq_attr->aux_depth != 0 and hwq_attr->aux_stride == 0.
+In that case, "roundup_pow_of_two(hwq_attr->aux_stride)" gets called.
+roundup_pow_of_two is documented as undefined for 0.
+
+Fix it in the one caller that had this combination.
+
+The undefined behavior was detected by UBSAN:
+ UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13
+ shift exponent 64 is too large for 64-bit type 'long unsigned int'
+ CPU: 24 PID: 1075 Comm: (udev-worker) Not tainted 6.9.0-rc6+ #4
+ Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.7 10/25/2023
+ Call Trace:
+ <TASK>
+ dump_stack_lvl+0x5d/0x80
+ ubsan_epilogue+0x5/0x30
+ __ubsan_handle_shift_out_of_bounds.cold+0x61/0xec
+ __roundup_pow_of_two+0x25/0x35 [bnxt_re]
+ bnxt_qplib_alloc_init_hwq+0xa1/0x470 [bnxt_re]
+ bnxt_qplib_create_qp+0x19e/0x840 [bnxt_re]
+ bnxt_re_create_qp+0x9b1/0xcd0 [bnxt_re]
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? __kmalloc+0x1b6/0x4f0
+ ? create_qp.part.0+0x128/0x1c0 [ib_core]
+ ? __pfx_bnxt_re_create_qp+0x10/0x10 [bnxt_re]
+ create_qp.part.0+0x128/0x1c0 [ib_core]
+ ib_create_qp_kernel+0x50/0xd0 [ib_core]
+ create_mad_qp+0x8e/0xe0 [ib_core]
+ ? __pfx_qp_event_handler+0x10/0x10 [ib_core]
+ ib_mad_init_device+0x2be/0x680 [ib_core]
+ add_client_context+0x10d/0x1a0 [ib_core]
+ enable_device_and_get+0xe0/0x1d0 [ib_core]
+ ib_register_device+0x53c/0x630 [ib_core]
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ bnxt_re_probe+0xbd8/0xe50 [bnxt_re]
+ ? __pfx_bnxt_re_probe+0x10/0x10 [bnxt_re]
+ auxiliary_bus_probe+0x49/0x80
+ ? driver_sysfs_add+0x57/0xc0
+ really_probe+0xde/0x340
+ ? pm_runtime_barrier+0x54/0x90
+ ? __pfx___driver_attach+0x10/0x10
+ __driver_probe_device+0x78/0x110
+ driver_probe_device+0x1f/0xa0
+ __driver_attach+0xba/0x1c0
+ bus_for_each_dev+0x8f/0xe0
+ bus_add_driver+0x146/0x220
+ driver_register+0x72/0xd0
+ __auxiliary_driver_register+0x6e/0xd0
+ ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]
+ bnxt_re_mod_init+0x3e/0xff0 [bnxt_re]
+ ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]
+ do_one_initcall+0x5b/0x310
+ do_init_module+0x90/0x250
+ init_module_from_file+0x86/0xc0
+ idempotent_init_module+0x121/0x2b0
+ __x64_sys_finit_module+0x5e/0xb0
+ do_syscall_64+0x82/0x160
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? syscall_exit_to_user_mode_prepare+0x149/0x170
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? syscall_exit_to_user_mode+0x75/0x230
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? do_syscall_64+0x8e/0x160
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? __count_memcg_events+0x69/0x100
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? count_memcg_events.constprop.0+0x1a/0x30
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? handle_mm_fault+0x1f0/0x300
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? do_user_addr_fault+0x34e/0x640
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+ RIP: 0033:0x7f4e5132821d
+ Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e3 db 0c 00 f7 d8 64 89 01 48
+ RSP: 002b:00007ffca9c906a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
+ RAX: ffffffffffffffda RBX: 0000563ec8a8f130 RCX: 00007f4e5132821d
+ RDX: 0000000000000000 RSI: 00007f4e518fa07d RDI: 000000000000003b
+ RBP: 00007ffca9c90760 R08: 00007f4e513f6b20 R09: 00007ffca9c906f0
+ R10: 0000563ec8a8faa0 R11: 0000000000000246 R12: 00007f4e518fa07d
+ R13: 0000000000020000 R14: 0000563ec8409e90 R15: 0000563ec8a8fa60
+ </TASK>
+ ---[ end trace ]---
+
+Fixes: 0c4dcd602817 ("RDMA/bnxt_re: Refactor hardware queue memory allocation")
+Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
+Link: https://lore.kernel.org/r/20240507103929.30003-1-mschmidt@redhat.com
+Acked-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Manuel Diewald <manuel.diewald@canonical.com>
+Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
+(cherry picked from commit 949beca2d9ddb69c2ccd39e5fd5d062c81fe0db0)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ drivers/infiniband/hw/bnxt_re/qplib_fp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.c b/drivers/infiniband/hw/bnxt_re/qplib_fp.c
+index 439d0c7c5d0c..04258676d072 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c
+@@ -1013,7 +1013,8 @@ int bnxt_qplib_create_qp(struct bnxt_qplib_res *res, struct bnxt_qplib_qp *qp)
+ hwq_attr.stride = sizeof(struct sq_sge);
+ hwq_attr.depth = bnxt_qplib_get_depth(sq);
+ hwq_attr.aux_stride = psn_sz;
+- hwq_attr.aux_depth = bnxt_qplib_set_sq_size(sq, qp->wqe_mode);
++ hwq_attr.aux_depth = psn_sz ? bnxt_qplib_set_sq_size(sq, qp->wqe_mode)
++ : 0;
+ /* Update msn tbl size */
+ if (BNXT_RE_HW_RETX(qp->dev_cap_flags) && psn_sz) {
+ hwq_attr.aux_depth = roundup_pow_of_two(bnxt_qplib_set_sq_size(sq, qp->wqe_mode));
--
2.39.2
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 4+ messages in thread* [pve-devel] applied: [PATCH kernel 1/2] cherry-pick fix for NULL pointer dereference in apparmorfs
2024-08-05 10:31 [pve-devel] [PATCH kernel 1/2] cherry-pick fix for NULL pointer dereference in apparmorfs Fiona Ebner
2024-08-05 10:31 ` [pve-devel] [PATCH kernel 2/2] cherry-pick fix for bnxt_re driver Fiona Ebner
@ 2024-08-05 16:52 ` Thomas Lamprecht
1 sibling, 0 replies; 4+ messages in thread
From: Thomas Lamprecht @ 2024-08-05 16:52 UTC (permalink / raw)
To: Proxmox VE development discussion, Fiona Ebner
On 05/08/2024 12:31, Fiona Ebner wrote:
> Reported in the community forum:
> https://forum.proxmox.com/threads/145760/post-690328
>
> Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
> ---
> ...ix-possible-NULL-pointer-dereference.patch | 101 ++++++++++++++++++
> 1 file changed, 101 insertions(+)
> create mode 100644 patches/kernel/0023-apparmor-fix-possible-NULL-pointer-dereference.patch
>
>
applied, thanks!
> Saw it only after already sending the patches, but in bug #5103 a user
> reports that reverting, AFAICT commit 565736048bd5 ("ixgbe: Manual AN-37
> for troublesome link partners for X550 SFI"), fixes that issue. That is
> also part of the Ubuntu-6.8.0-43.43 tag as eb5551d4a4b7 ("Revert "ixgbe:
> Manual AN-37 for troublesome link partners for X550 SFI"") and would
> also be worth picking up.
>
Ack, I will update to the latest ubuntu tag for the next build.
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2024-08-05 16:52 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-08-05 10:31 [pve-devel] [PATCH kernel 1/2] cherry-pick fix for NULL pointer dereference in apparmorfs Fiona Ebner
2024-08-05 10:31 ` [pve-devel] [PATCH kernel 2/2] cherry-pick fix for bnxt_re driver Fiona Ebner
2024-08-05 10:40 ` Fiona Ebner
2024-08-05 16:52 ` [pve-devel] applied: [PATCH kernel 1/2] cherry-pick fix for NULL pointer dereference in apparmorfs Thomas Lamprecht
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.