
[LTS 8.8-RT] Ooops all breaks#85

Closed
PlaidCat wants to merge 2 commits into ctrliq:{jmaple}_ciqlts8_8-rt from PlaidCat:{jmaple}_test_ciqlts8_8-rt

Conversation

@PlaidCat

Collaborator

No description provided.

@PlaidCat PlaidCat force-pushed the {jmaple}_ciqlts8_8-rt branch from ebc1cda to 257c6c0 Compare January 23, 2025 00:43
@PlaidCat PlaidCat force-pushed the {jmaple}_test_ciqlts8_8-rt branch from 67748dd to 68436c2 Compare January 23, 2025 00:49
@PlaidCat PlaidCat force-pushed the {jmaple}_ciqlts8_8-rt branch from 257c6c0 to 759ab0a Compare January 24, 2025 22:31
@PlaidCat PlaidCat force-pushed the {jmaple}_test_ciqlts8_8-rt branch from 900270c to 10f06fb Compare January 24, 2025 22:33
@PlaidCat PlaidCat deleted the branch ctrliq:{jmaple}_ciqlts8_8-rt January 27, 2025 16:14
@PlaidCat PlaidCat closed this Jan 27, 2025
PlaidCat added a commit that referenced this pull request Jun 18, 2025
jira LE-3201
cve CVE-2024-41065
Rebuild_History Non-Buildable kernel-rt-4.18.0-553.22.1.rt7.363.el8_10
commit-author Anjali K <anjalik@linux.ibm.com>
commit 1a14150

Reading the dispatch trace log from /sys/kernel/debug/powerpc/dtl/cpu-*
results in a BUG() when the config CONFIG_HARDENED_USERCOPY is enabled as
shown below.

    kernel BUG at mm/usercopy.c:102!
    Oops: Exception in kernel mode, sig: 5 [#1]
    LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries
    Modules linked in: xfs libcrc32c dm_service_time sd_mod t10_pi sg ibmvfc
    scsi_transport_fc ibmveth pseries_wdt dm_multipath dm_mirror dm_region_hash dm_log dm_mod fuse
    CPU: 27 PID: 1815 Comm: python3 Not tainted 6.10.0-rc3 #85
    Hardware name: IBM,9040-MRX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NM1060_042) hv:phyp pSeries
    NIP:  c0000000005d23d4 LR: c0000000005d23d0 CTR: 00000000006ee6f8
    REGS: c000000120c078c0 TRAP: 0700   Not tainted  (6.10.0-rc3)
    MSR:  8000000000029033 <SF,EE,ME,IR,DR,RI,LE>  CR: 2828220f  XER: 0000000
    CFAR: c0000000001fdc80 IRQMASK: 0
    [ ... GPRs omitted ... ]
    NIP [c0000000005d23d4] usercopy_abort+0x78/0xb0
    LR [c0000000005d23d0] usercopy_abort+0x74/0xb0
    Call Trace:
     usercopy_abort+0x74/0xb0 (unreliable)
     __check_heap_object+0xf8/0x120
     check_heap_object+0x218/0x240
     __check_object_size+0x84/0x1a4
     dtl_file_read+0x17c/0x2c4
     full_proxy_read+0x8c/0x110
     vfs_read+0xdc/0x3a0
     ksys_read+0x84/0x144
     system_call_exception+0x124/0x330
     system_call_vectored_common+0x15c/0x2ec
    --- interrupt: 3000 at 0x7fff81f3ab34

Commit 6d07d1c ("usercopy: Restrict non-usercopy caches to size 0")
requires that only whitelisted areas in slab/slub objects can be copied to
userspace when usercopy hardening is enabled using CONFIG_HARDENED_USERCOPY.
Dtl contains hypervisor dispatch events which are expected to be read by
privileged users. Hence mark this safe for user access.
Specify useroffset=0 and usersize=DISPATCH_LOG_BYTES to whitelist the
entire object.

Co-developed-by: Vishal Chourasia <vishalc@linux.ibm.com>
Signed-off-by: Vishal Chourasia <vishalc@linux.ibm.com>
Signed-off-by: Anjali K <anjalik@linux.ibm.com>
Reviewed-by: Srikar Dronamraju <srikar@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://msgid.link/20240614173844.746818-1-anjalik@linux.ibm.com

(cherry picked from commit 1a14150)
Signed-off-by: Jonathan Maple <jmaple@ciq.com>
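The whitelist rule the commit above relies on (commit 6d07d1c restricting non-usercopy caches to a usersize of 0, and the fix declaring useroffset=0 / usersize=DISPATCH_LOG_BYTES) is easier to see in a small user-space model. The block below is an added example, not kernel code and not part of this PR: `usercopy_cache`, `check_heap_object` and `dtl_read_check` are hypothetical names that mirror the shape of the SLUB check in mm/slub.c, the object address is constructed, and DISPATCH_LOG_BYTES is assumed to be 4096 (the value in arch/powerpc/include/asm/lppaca.h). It shows why a read from the dtl buffer aborts under CONFIG_HARDENED_USERCOPY before the fix and passes after it, and also covers a cache whose whitelist window is a strict sub-range of the object.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed value of the kernel's per-cpu dispatch log size (lppaca.h). */
#define DISPATCH_LOG_BYTES 4096

/* Hypothetical model of the usercopy metadata kmem_cache_create_usercopy()
 * records for a slab cache: only [useroffset, useroffset + usersize) of each
 * object may be copied to or from user space. A plain kmem_cache_create()
 * cache has usersize == 0 under CONFIG_HARDENED_USERCOPY, so nothing in it
 * may be copied. */
struct usercopy_cache {
    const char *name;
    size_t object_size;   /* bytes per slab object */
    size_t useroffset;    /* start of the whitelisted window inside an object */
    size_t usersize;      /* length of that window; 0 means no window at all */
};

enum usercopy_verdict { USERCOPY_OK = 0, USERCOPY_ABORT = 1 };

/* Simplified __check_heap_object(): `ptr` points inside the object that
 * starts at `obj_base` and `n` bytes are about to be copied. Returns a
 * verdict instead of calling usercopy_abort(), so it can be tested. */
enum usercopy_verdict check_heap_object(const struct usercopy_cache *c,
                                        uintptr_t obj_base, uintptr_t ptr,
                                        size_t n)
{
    size_t offset;

    /* Pointer must land inside this object (no red-zone handling here). */
    if (ptr < obj_base || ptr - obj_base >= c->object_size)
        return USERCOPY_ABORT;
    offset = ptr - obj_base;

    /* Copy must not run past the end of the object. */
    if (n > c->object_size - offset)
        return USERCOPY_ABORT;

    /* Whitelist test, same shape as mm/slub.c: the request must fall entirely
     * within the usercopy region. With usersize == 0 any n > 0 fails. */
    if (offset >= c->useroffset &&
        offset - c->useroffset <= c->usersize &&
        n <= c->useroffset - offset + c->usersize)
        return USERCOPY_OK;

    return USERCOPY_ABORT;
}

/* dtl cache before the fix: created with kmem_cache_create(), so under
 * CONFIG_HARDENED_USERCOPY its usercopy window is empty. */
static const struct usercopy_cache dtl_before = {
    "dtl", DISPATCH_LOG_BYTES, 0, 0
};

/* dtl cache after the fix: kmem_cache_create_usercopy() with useroffset=0 and
 * usersize=DISPATCH_LOG_BYTES, whitelisting the whole object. */
static const struct usercopy_cache dtl_after = {
    "dtl", DISPATCH_LOG_BYTES, 0, DISPATCH_LOG_BYTES
};

/* A cache whose window is a strict sub-range: bytes [64, 96) of a 256-byte
 * object may be copied, nothing else. Constructed for illustration. */
static const struct usercopy_cache partial_cache = { "demo", 256, 64, 32 };

/* Model of dtl_file_read() handing `n` bytes starting at buffer offset `pos`
 * to copy_to_user(). The object address is a constructed value. */
enum usercopy_verdict dtl_read_check(const struct usercopy_cache *c,
                                     size_t pos, size_t n)
{
    const uintptr_t obj_base = 0x10000;   /* constructed slab object address */
    return check_heap_object(c, obj_base, obj_base + pos, n);
}

static const char *verdict_str(enum usercopy_verdict v)
{
    return v == USERCOPY_OK ? "ok" : "usercopy_abort";
}

int main(void)
{
    printf("before fix, read 48 bytes @0:     %s\n",
           verdict_str(dtl_read_check(&dtl_before, 0, 48)));
    printf("after fix,  read 48 bytes @0:     %s\n",
           verdict_str(dtl_read_check(&dtl_after, 0, 48)));
    printf("after fix,  read 96 bytes @4000:  %s\n",
           verdict_str(dtl_read_check(&dtl_after, 4000, 96)));
    printf("after fix,  read 97 bytes @4000:  %s\n",
           verdict_str(dtl_read_check(&dtl_after, 4000, 97)));
    printf("partial,    read 4 bytes @60:     %s\n",
           verdict_str(dtl_read_check(&partial_cache, 60, 4)));
    return 0;
}
```

The first case reproduces the trace in the commit message: the object is valid and the copy is in bounds, yet the whitelist test rejects it because the cache has no usercopy window. The last cases show that whitelisting is per-range, not per-object: a copy that starts before `useroffset` or runs past `useroffset + usersize` still aborts even when it stays inside the object.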
github-actions Bot pushed a commit that referenced this pull request Jun 20, 2025
[ Upstream commit 7af317f ]

ETDM2_IN_BE and ETDM1_OUT_BE are defined as COMP_EMPTY(),
in the case the codec dai_name will be null.

Avoid a crash if the device tree is not assigning a codec
to these links.

[    1.179936] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[    1.181065] Mem abort info:
[    1.181420]   ESR = 0x0000000096000004
[    1.181892]   EC = 0x25: DABT (current EL), IL = 32 bits
[    1.182576]   SET = 0, FnV = 0
[    1.182964]   EA = 0, S1PTW = 0
[    1.183367]   FSC = 0x04: level 0 translation fault
[    1.183983] Data abort info:
[    1.184406]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[    1.185097]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[    1.185766]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[    1.186439] [0000000000000000] user address but active_mm is swapper
[    1.187239] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
[    1.188029] Modules linked in:
[    1.188420] CPU: 7 UID: 0 PID: 70 Comm: kworker/u32:1 Not tainted 6.14.0-rc4-next-20250226+ #85
[    1.189515] Hardware name: Radxa NIO 12L (DT)
[    1.190065] Workqueue: events_unbound deferred_probe_work_func
[    1.190808] pstate: 40400009 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[    1.191683] pc : __pi_strcmp+0x24/0x140
[    1.192170] lr : mt8195_mt6359_soc_card_probe+0x224/0x7b0
[    1.192854] sp : ffff800083473970
[    1.193271] x29: ffff800083473a10 x28: 0000000000001008 x27: 0000000000000002
[    1.194168] x26: ffff800082408960 x25: ffff800082417db0 x24: ffff800082417d88
[    1.195065] x23: 000000000000001e x22: ffff800082dbf480 x21: ffff800082dc07b8
[    1.195961] x20: 0000000000000000 x19: 0000000000000013 x18: 00000000ffffffff
[    1.196858] x17: 000000040044ffff x16: 005000f2b5503510 x15: 0000000000000006
[    1.197755] x14: ffff800082407af0 x13: 6e6f69737265766e x12: 692d6b636f6c6374
[    1.198651] x11: 0000000000000002 x10: ffff80008240b920 x9 : 0000000000000018
[    1.199547] x8 : 0101010101010101 x7 : 0000000000000000 x6 : 0000000000000000
[    1.200443] x5 : 0000000000000000 x4 : 8080808080000000 x3 : 303933383978616d
[    1.201339] x2 : 0000000000000000 x1 : ffff80008240b920 x0 : 0000000000000000
[    1.202236] Call trace:
[    1.202545]  __pi_strcmp+0x24/0x140 (P)
[    1.203029]  mtk_soundcard_common_probe+0x3bc/0x5b8
[    1.203644]  platform_probe+0x70/0xe8
[    1.204106]  really_probe+0xc8/0x3a0
[    1.204556]  __driver_probe_device+0x84/0x160
[    1.205104]  driver_probe_device+0x44/0x130
[    1.205630]  __device_attach_driver+0xc4/0x170
[    1.206189]  bus_for_each_drv+0x8c/0xf8
[    1.206672]  __device_attach+0xa8/0x1c8
[    1.207155]  device_initial_probe+0x1c/0x30
[    1.207681]  bus_probe_device+0xb0/0xc0
[    1.208165]  deferred_probe_work_func+0xa4/0x100
[    1.208747]  process_one_work+0x158/0x3e0
[    1.209254]  worker_thread+0x2c4/0x3e8
[    1.209727]  kthread+0x134/0x1f0
[    1.210136]  ret_from_fork+0x10/0x20
[    1.210589] Code: 54000401 b50002c6 d503201f f86a6803 (f8408402)
[    1.211355] ---[ end trace 0000000000000000 ]---

Signed-off-by: Julien Massot <julien.massot@collabora.com>
Fixes: e70b8dd ("ASoC: mediatek: mt8195: Remove afe-dai component and rework codec link")
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Link: https://patch.msgid.link/20250417-mt8395-audio-sof-v1-2-30587426e5dd@collabora.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
github-actions Bot pushed a commit that referenced this pull request Aug 16, 2025
JIRA: https://issues.redhat.com/browse/RHEL-101626

CVE: CVE-2025-38299

commit 7af317f
Author: Julien Massot <julien.massot@collabora.com>
Date: Thu Apr 17 10:44:33 2025 +0200

    ASoC: mediatek: mt8195: Set ETDM1/2 IN/OUT to COMP_DUMMY()

    ETDM2_IN_BE and ETDM1_OUT_BE are defined as COMP_EMPTY(),
    in the case the codec dai_name will be null.

    Avoid a crash if the device tree is not assigning a codec
    to these links.

    [    1.179936] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
    [    1.181065] Mem abort info:
    [    1.181420]   ESR = 0x0000000096000004
    [    1.181892]   EC = 0x25: DABT (current EL), IL = 32 bits
    [    1.182576]   SET = 0, FnV = 0
    [    1.182964]   EA = 0, S1PTW = 0
    [    1.183367]   FSC = 0x04: level 0 translation fault
    [    1.183983] Data abort info:
    [    1.184406]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
    [    1.185097]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
    [    1.185766]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
    [    1.186439] [0000000000000000] user address but active_mm is swapper
    [    1.187239] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
    [    1.188029] Modules linked in:
    [    1.188420] CPU: 7 UID: 0 PID: 70 Comm: kworker/u32:1 Not tainted 6.14.0-rc4-next-20250226+ #85
    [    1.189515] Hardware name: Radxa NIO 12L (DT)
    [    1.190065] Workqueue: events_unbound deferred_probe_work_func
    [    1.190808] pstate: 40400009 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
    [    1.191683] pc : __pi_strcmp+0x24/0x140
    [    1.192170] lr : mt8195_mt6359_soc_card_probe+0x224/0x7b0
    [    1.192854] sp : ffff800083473970
    [    1.193271] x29: ffff800083473a10 x28: 0000000000001008 x27: 0000000000000002
    [    1.194168] x26: ffff800082408960 x25: ffff800082417db0 x24: ffff800082417d88
    [    1.195065] x23: 000000000000001e x22: ffff800082dbf480 x21: ffff800082dc07b8
    [    1.195961] x20: 0000000000000000 x19: 0000000000000013 x18: 00000000ffffffff
    [    1.196858] x17: 000000040044ffff x16: 005000f2b5503510 x15: 0000000000000006
    [    1.197755] x14: ffff800082407af0 x13: 6e6f69737265766e x12: 692d6b636f6c6374
    [    1.198651] x11: 0000000000000002 x10: ffff80008240b920 x9 : 0000000000000018
    [    1.199547] x8 : 0101010101010101 x7 : 0000000000000000 x6 : 0000000000000000
    [    1.200443] x5 : 0000000000000000 x4 : 8080808080000000 x3 : 303933383978616d
    [    1.201339] x2 : 0000000000000000 x1 : ffff80008240b920 x0 : 0000000000000000
    [    1.202236] Call trace:
    [    1.202545]  __pi_strcmp+0x24/0x140 (P)
    [    1.203029]  mtk_soundcard_common_probe+0x3bc/0x5b8
    [    1.203644]  platform_probe+0x70/0xe8
    [    1.204106]  really_probe+0xc8/0x3a0
    [    1.204556]  __driver_probe_device+0x84/0x160
    [    1.205104]  driver_probe_device+0x44/0x130
    [    1.205630]  __device_attach_driver+0xc4/0x170
    [    1.206189]  bus_for_each_drv+0x8c/0xf8
    [    1.206672]  __device_attach+0xa8/0x1c8
    [    1.207155]  device_initial_probe+0x1c/0x30
    [    1.207681]  bus_probe_device+0xb0/0xc0
    [    1.208165]  deferred_probe_work_func+0xa4/0x100
    [    1.208747]  process_one_work+0x158/0x3e0
    [    1.209254]  worker_thread+0x2c4/0x3e8
    [    1.209727]  kthread+0x134/0x1f0
    [    1.210136]  ret_from_fork+0x10/0x20
    [    1.210589] Code: 54000401 b50002c6 d503201f f86a6803 (f8408402)
    [    1.211355] ---[ end trace 0000000000000000 ]---

    Signed-off-by: Julien Massot <julien.massot@collabora.com>
    Fixes: e70b8dd ("ASoC: mediatek: mt8195: Remove afe-dai component and rework codec link")
    Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
    Link: https://patch.msgid.link/20250417-mt8395-audio-sof-v1-2-30587426e5dd@collabora.com
    Signed-off-by: Mark Brown <broonie@kernel.org>

Signed-off-by: Jaroslav Kysela <jkysela@redhat.com>
github-actions Bot pushed a commit that referenced this pull request Mar 28, 2026
…NFIG_NET_NS=n.

JIRA: https://issues.redhat.com/browse/RHEL-150155
Upstream Status: linux.git

commit f0cc377
Author: Kuniyuki Iwashima <kuniyu@amazon.com>
Date:   Fri Apr 18 14:50:20 2025 -0700

    net: Fix wild-memory-access in __register_pernet_operations() when CONFIG_NET_NS=n.

    kernel test robot reported the splat below. [0]

    Before commit fed176b ("net: Add ops_undo_single for module
    load/unload."), if CONFIG_NET_NS=n, ops was linked to pernet_list
    only when init_net had not been initialised, and ops was unlinked
    from pernet_list only under the same condition.

    Let's say an ops is loaded before the init_net setup but unloaded
    after that.  Then, the ops remains in pernet_list, which seems odd.

    The cited commit added ops_undo_single(), which calls list_add() for
    ops to link it to a temporary list, so a minor change was added to
    __register_pernet_operations() and __unregister_pernet_operations()
    under CONFIG_NET_NS=n to avoid the pernet_list corruption.

    However, the corruption must have been left as is.

    When CONFIG_NET_NS=n, pernet_list was used to keep ops registered
    before the init_net setup, and after that, pernet_list was not used
    at all.

    This was because some ops annotated with __net_initdata are cleared
    out of memory at some point during boot.

    Then, such ops is initialised by POISON_FREE_INITMEM (0xcc), resulting
    in that ops->list.{next,prev} suddenly switches from a valid pointer
    to a weird value, 0xcccccccccccccccc.

    To avoid such wild memory access, let's allow the pernet_list
    corruption for CONFIG_NET_NS=n.

    [0]:
    Oops: general protection fault, probably for non-canonical address 0xf999959999999999: 0000 [#1] SMP KASAN NOPTI
    KASAN: maybe wild-memory-access in range [0xccccccccccccccc8-0xcccccccccccccccf]
    CPU: 2 UID: 0 PID: 346 Comm: modprobe Not tainted 6.15.0-rc1-00294-ga4cba7e98e35 #85 PREEMPT(voluntary)
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
    RIP: 0010:__list_add_valid_or_report (lib/list_debug.c:32)
    Code: 48 c1 ea 03 80 3c 02 00 0f 85 5a 01 00 00 49 39 74 24 08 0f 85 83 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 f2 48 c1 ea 03 <80> 3c 02 00 0f 85 1f 01 00 00 4c 39 26 0f 85 ab 00 00 00 4c 39 ee
    RSP: 0018:ff11000135b87830 EFLAGS: 00010a07
    RAX: dffffc0000000000 RBX: ffffffffc02223c0 RCX: ffffffff8406fcc2
    RDX: 1999999999999999 RSI: cccccccccccccccc RDI: ffffffffc02223c0
    RBP: ffffffff86064e40 R08: 0000000000000001 R09: fffffbfff0a9f5b5
    R10: ffffffff854fadaf R11: 676552203a54454e R12: ffffffff86064e40
    R13: ffffffffc02223c0 R14: ffffffff86064e48 R15: 0000000000000021
    FS:  00007f6fb0d9e1c0(0000) GS:ff11000858ea0000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007f6fb0eda580 CR3: 0000000122fec005 CR4: 0000000000771ef0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
    PKRU: 55555554
    Call Trace:
     <TASK>
     register_pernet_operations (./include/linux/list.h:150 (discriminator 5) ./include/linux/list.h:183 (discriminator 5) net/core/net_namespace.c:1315 (discriminator 5) net/core/net_namespace.c:1359 (discriminator 5))
     register_pernet_subsys (net/core/net_namespace.c:1401)
     inet6_init (net/ipv6/af_inet6.c:535) ipv6
     do_one_initcall (init/main.c:1257)
     do_init_module (kernel/module/main.c:2942)
     load_module (kernel/module/main.c:3409)
     init_module_from_file (kernel/module/main.c:3599)
     idempotent_init_module (kernel/module/main.c:3611)
     __x64_sys_finit_module (./include/linux/file.h:62 ./include/linux/file.h:83 kernel/module/main.c:3634 kernel/module/main.c:3621 kernel/module/main.c:3621)
     do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
     entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
     RIP: 0033:0x7f6fb0df7e5d
    Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48
    RSP: 002b:00007fffdc6a8968 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
    RAX: ffffffffffffffda RBX: 000055b535721b70 RCX: 00007f6fb0df7e5d
    RDX: 0000000000000000 RSI: 000055b51e44aa2a RDI: 0000000000000004
    RBP: 0000000000040000 R08: 0000000000000000 R09: 000055b535721b30
    R10: 0000000000000004 R11: 0000000000000246 R12: 000055b51e44aa2a
    R13: 000055b535721bf0 R14: 000055b5357220b0 R15: 0000000000000000
     </TASK>
    Modules linked in: ipv6(+) crc_ccitt

    Fixes: fed176b ("net: Add ops_undo_single for module load/unload.")
    Reported-by: kernel test robot <oliver.sang@intel.com>
    Closes: https://lore.kernel.org/oe-lkp/202504181511.1c3f23e4-lkp@intel.com
    Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
    Link: https://patch.msgid.link/20250418215025.87871-1-kuniyu@amazon.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>

Signed-off-by: Antoine Tenart <atenart@redhat.com>