From paolo.pisati at canonical.com Thu Aug 1 07:51:37 2024
From: paolo.pisati at canonical.com (Paolo Pisati)
Date: Thu, 1 Aug 2024 09:51:37 +0200
Subject: APPLIED[O]: Re: [PATCH][oracular] UBUNTU: [Packaging] add linux-bpf-dev package
In-Reply-To: <20240729092741.2570288-1-luca.boccassi@gmail.com>
References: <20240729092741.2570288-1-luca.boccassi@gmail.com>
Message-ID:

On Mon, Jul 29, 2024 at 10:27:41AM +0100, luca.boccassi at gmail.com wrote:
> From: Luca Boccassi
>
> BugLink: https://bugs.launchpad.net/bugs/2050083

Applied.
--
bye,
p.

From paolo.pisati at canonical.com Thu Aug 1 07:53:31 2024
From: paolo.pisati at canonical.com (Paolo Pisati)
Date: Thu, 1 Aug 2024 09:53:31 +0200
Subject: NAK/CMT[O]: Re: [SRU][F, J, N, O][PATCH 0/1] bnx2x: Fix multiple UBSAN array-index-out-of-bounds
In-Reply-To: <20240729103539.35608-1-ghadi.rahme@canonical.com>
References: <20240729103539.35608-1-ghadi.rahme@canonical.com>
Message-ID:

On Mon, Jul 29, 2024 at 01:35:38PM +0300, Ghadi Elie Rahme wrote:
> Buglink: https://bugs.launchpad.net/bugs/2074215

Already applied via upstream v6.10.
--
bye,
p.

From paolo.pisati at canonical.com Thu Aug 1 07:54:57 2024
From: paolo.pisati at canonical.com (Paolo Pisati)
Date: Thu, 1 Aug 2024 09:54:57 +0200
Subject: ACK: Re: [SRU][N][PATCH 0/2] Turbostat support for Arrow Lake H
In-Reply-To: <20240729123152.2506438-1-thibault.ferrante@canonical.com>
References: <20240729123152.2506438-1-thibault.ferrante@canonical.com>
Message-ID:

On Mon, Jul 29, 2024 at 02:31:50PM +0200, Thibault Ferrante wrote:
> BugLink: https://bugs.launchpad.net/bugs/2074372

Acked-by: Paolo Pisati
--
bye,
p.

From paolo.pisati at canonical.com Thu Aug 1 07:58:58 2024
From: paolo.pisati at canonical.com (Paolo Pisati)
Date: Thu, 1 Aug 2024 09:58:58 +0200
Subject: APPLIED[O]: Re: [U/O][PATCH 0/1] UBUNTU: [Config] enable LZMA and ZSTD file compressions in EROFS
In-Reply-To: <20240730062521.26298-1-en-wei.wu@canonical.com>
References: <20240730062521.26298-1-en-wei.wu@canonical.com>
Message-ID:

On Tue, Jul 30, 2024 at 02:25:20PM +0800, En-Wei Wu wrote:
> BugLink: https://bugs.launchpad.net/bugs/2074049

Applied.
--
bye,
p.

From frank.heimes at canonical.com Thu Aug 1 10:53:53 2024
From: frank.heimes at canonical.com (frank.heimes at canonical.com)
Date: Thu, 1 Aug 2024 12:53:53 +0200
Subject: [SRU][N][J][PATCH 0/1] s390/cpum_cf: make crypto counters upward compatible (LP: 2074380)
Message-ID: <20240801105355.547635-1-frank.heimes@canonical.com>

BugLink: https://bugs.launchpad.net/bugs/2074380

SRU Justification:

[ Impact ]

 * The CPU Measurement Facility (CPU MF) crypto counter set is not listed in the device sysfs tree - it's not exported in the sysfs directory /sys/devices/cpum_cf/events.

 * The attribute files for each CPU-MF counter defined in the crypto counter set are missing.

 * This is caused by the counter second version number of CPU MF hardware being incremented on new machines.

 * This causes a sanity check to fail, but the counters are supported by hardware.

 * The solution is to remove the upper limit in counter second version number check.

[ Fix ]

 * f10933cbd2df f10933cbd2dfddf6273698a45f76db9bafd8150f "s390/cpum_cf: make crypto counters upward compatible across machine types"

 * The fix was upstream accepted with kernel v6.10(-rc1).

 * Upstream commit applies cleanly on noble master-next, but needed to be backported to jammy master-next due to different code and context in kernel 5.15.

[ Test Plan ]

 * Run the following commands on a new machine generation: (hence only doable by IBM)
   # ls -l /sys/devices/cpum_cf/events/ | grep AES

 * If the output is empty then this patch is required.

 * With a patched kernel the output should be like:
   # ls /sys/devices/cpum_cf/events/ | grep AES
   AES_BLOCKED_CYCLES
   AES_BLOCKED_FUNCTIONS
   AES_CYCLES
   AES_FUNCTIONS

[ Where problems could occur ]

 * This affects s390x only - CPU MF is s390-specific, and only s390 specific code is modified.

 * And it furthermore is limited to the crypto counter set of CPU MF.

 * So any impact is likely limited to hardware crypto counters on s390x only.

 * In s390/kernel/perf_cpum_cf.c the else if case got changed from explicitly checking for 6 or 7 to >= 6 which seems to require attention for future 8 and more cases.

 * In s390/kernel/perf_cpum_cf_events.c the switch (ci.csvn) statement was changed to an if / else if with similar logic. Again attention for any potential future cases >= 8.

 * It does not look like currently used cases (1..5 and 6..7) are affected by the modification, just >7.

 * Test builds of patched jammy and noble s390x kernels were built and are available here: https://launchpad.net/~fheimes/+archive/ubuntu/lp2074380

[ Other Info ]

 * Since the code/fix was upstream accepted with kernel v6.10(-rc1) it does not affect the current development release oracular.

 * This SRU can also be seen under the umbrella of new hardware enablement.

 * Since it requires special hw, the verification needs to be done by IBM.

Thomas Richter (1):
  s390/cpum_cf: make crypto counters upward compatible across machine types

 arch/s390/kernel/perf_cpum_cf.c        |  2 +-
 arch/s390/kernel/perf_cpum_cf_events.c | 11 +++--------
 2 files changed, 4 insertions(+), 9 deletions(-)

--
2.34.1

From frank.heimes at canonical.com Thu Aug 1 10:53:54 2024
From: frank.heimes at canonical.com (frank.heimes at canonical.com)
Date: Thu, 1 Aug 2024 12:53:54 +0200
Subject: [SRU][N][PATCH 1/1] s390/cpum_cf: make crypto counters upward compatible across machine types
In-Reply-To: <20240801105355.547635-1-frank.heimes@canonical.com>
References: <20240801105355.547635-1-frank.heimes@canonical.com>
Message-ID: <20240801105355.547635-2-frank.heimes@canonical.com>

From: Thomas Richter

BugLink: https://bugs.launchpad.net/bugs/2074380

The CPU Measurement facility crypto counter set functionality is defined by the Second Counter Version Number. This number varies between machine types, but is upward compatible. Lessen the checks to reflect this behavior.

Signed-off-by: Thomas Richter
Acked-by: Sumanth Korikkar
Signed-off-by: Alexander Gordeev (cherry picked from commit f10933cbd2dfddf6273698a45f76db9bafd8150f) Signed-off-by: Frank Heimes --- arch/s390/kernel/perf_cpum_cf.c | 2 +- arch/s390/kernel/perf_cpum_cf_events.c | 11 +++-------- 2 files changed, 4 insertions(+), 9 deletions(-) diff --git a/arch/s390/kernel/perf_cpum_cf.c b/arch/s390/kernel/perf_cpum_cf.c index 41ed6e0f0a2a..1434642e9cba 100644 --- a/arch/s390/kernel/perf_cpum_cf.c +++ b/arch/s390/kernel/perf_cpum_cf.c @@ -428,7 +428,7 @@ static void cpum_cf_make_setsize(enum cpumf_ctr_set ctrset) case CPUMF_CTR_SET_CRYPTO: if (cpumf_ctr_info.csvn >= 1 && cpumf_ctr_info.csvn <= 5) ctrset_size = 16; - else if (cpumf_ctr_info.csvn == 6 || cpumf_ctr_info.csvn == 7) + else if (cpumf_ctr_info.csvn >= 6) ctrset_size = 20; break; case CPUMF_CTR_SET_EXT: diff --git a/arch/s390/kernel/perf_cpum_cf_events.c b/arch/s390/kernel/perf_cpum_cf_events.c index 0d64aafd158f..e4a6bfc91080 100644 --- a/arch/s390/kernel/perf_cpum_cf_events.c +++ b/arch/s390/kernel/perf_cpum_cf_events.c @@ -855,16 +855,11 @@ __init const struct attribute_group **cpumf_cf_event_group(void) } /* Determine version specific crypto set */ - switch (ci.csvn) { - case 1 ... 5: + csvn = none; + if (ci.csvn >= 1 && ci.csvn <= 5) csvn = cpumcf_svn_12345_pmu_event_attr; - break; - case 6 ... 7: + else if (ci.csvn >= 6) csvn = cpumcf_svn_67_pmu_event_attr; - break; - default: - csvn = none; - } /* Determine model-specific counter set(s) */ get_cpu_id(&cpu_id); -- 2.34.1 From frank.heimes at canonical.com Thu Aug 1 10:53:55 2024 From: frank.heimes at canonical.com (frank.heimes at canonical.com) Date: Thu, 1 Aug 2024 12:53:55 +0200 Subject: [SRU][J][PATCH 1/1] s390/cpum_cf: make crypto counters upward compatible across machine types In-Reply-To: <20240801105355.547635-1-frank.heimes@canonical.com> References: <20240801105355.547635-1-frank.heimes@canonical.com> Message-ID: <20240801105355.547635-3-frank.heimes@canonical.com> 
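Review bot: in cpum_cf_make_setsize(), the new `else if (cpumf_ctr_info.csvn >= 6)` branch fixes ctrset_size at 20 for every later version, so a machine whose crypto counter set grows past 20 counters would be sized too small with nothing to flag it. Add a short comment above the branch stating the upward-compatibility assumption from the commit message (later versions keep the 20-counter layout), so that the next counter-set extension becomes an explicit change at this spot.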
From: Thomas Richter BugLink: https://bugs.launchpad.net/bugs/2074380 The CPU Measurement facility crypto counter set functionality is defined by the Second Counter Version Number. This number varies between machine types, but is upward compatible. Lessen the checks to reflect this behavior. Signed-off-by: Thomas Richter Acked-by: Sumanth Korikkar Signed-off-by: Alexander Gordeev (backported from commit f10933cbd2dfddf6273698a45f76db9bafd8150f) Signed-off-by: Frank Heimes --- arch/s390/kernel/perf_cpum_cf_common.c | 2 +- arch/s390/kernel/perf_cpum_cf_events.c | 11 +++-------- 2 files changed, 4 insertions(+), 9 deletions(-) diff --git a/arch/s390/kernel/perf_cpum_cf_common.c b/arch/s390/kernel/perf_cpum_cf_common.c index 8ee48672233f..fb9cdcb16545 100644 --- a/arch/s390/kernel/perf_cpum_cf_common.c +++ b/arch/s390/kernel/perf_cpum_cf_common.c @@ -178,7 +178,7 @@ size_t cpum_cf_ctrset_size(enum cpumf_ctr_set ctrset, case CPUMF_CTR_SET_CRYPTO: if (info->csvn >= 1 && info->csvn <= 5) ctrset_size = 16; - else if (info->csvn == 6 || info->csvn == 7) + else if (info->csvn >= 6) ctrset_size = 20; break; case CPUMF_CTR_SET_EXT: diff --git a/arch/s390/kernel/perf_cpum_cf_events.c b/arch/s390/kernel/perf_cpum_cf_events.c index 0d64aafd158f..e4a6bfc91080 100644 --- a/arch/s390/kernel/perf_cpum_cf_events.c +++ b/arch/s390/kernel/perf_cpum_cf_events.c @@ -855,16 +855,11 @@ __init const struct attribute_group **cpumf_cf_event_group(void) } /* Determine version specific crypto set */ - switch (ci.csvn) { - case 1 ... 5: + csvn = none; + if (ci.csvn >= 1 && ci.csvn <= 5) csvn = cpumcf_svn_12345_pmu_event_attr; - break; - case 6 ... 7: + else if (ci.csvn >= 6) csvn = cpumcf_svn_67_pmu_event_attr; - break; - default: - csvn = none; - } /* Determine model-specific counter set(s) */ get_cpu_id(&cpu_id); -- 2.34.1 From hannah.peuckmann at canonical.com Thu Aug 1 11:03:16 2024 
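Review bot: in cpumf_cf_event_group(), the new `else if (ci.csvn >= 6)` branch hands `cpumcf_svn_67_pmu_event_attr` to versions above 7, which the array name no longer describes, and the old `default:` fallback to `none` no longer applies to any version above 5. A comment on that branch saying that csvn 8 and later deliberately reuse the 6/7 attribute list would help, together with a note that the `csvn = none;` placed ahead of the `if` now only covers values below 1.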
From: hannah.peuckmann at canonical.com (Hannah Peuckmann)
Date: Thu, 1 Aug 2024 13:03:16 +0200
Subject: [SRU][J/F][PATCH 0/1] CVE-2024-27012
Message-ID: <20240801110317.48224-1-hannah.peuckmann@canonical.com>

[Impact]
The existing code in nf_tables has an issue where set elements are not properly restored when the delete set operation fails.

[Fix]
This patch ensures that all set elements are correctly handled during the delete operation, maintaining the integrity of the nf_tables.

Noble: done
Jammy: applied, fixed context conflicts
Focal: applied, fixed context conflicts
Bionic: not affected
Xenial: not affected
Trusty: not affected

Focal and Jammy are missing the following commit:
0e1ea651c9717dd ("netfilter: nf_tables: shrink memory consumption of set elements")

This introduced context conflicts in net/netfilter/nf_tables_api.c but
they aren't related to the fix and are relatively straightforward to resolve.

[Test Case]

Compiled and booted.

[Where problems could occur]

This fix affects those who use the nf_tables in netfilter. An issue with this fix could result in unexpected behaviour
or inconsistencies in the netfilter tables.


Pablo Neira Ayuso (1):
  netfilter: nf_tables: restore set elements when delete set fails

 net/netfilter/nf_tables_api.c  | 25 +++++++++++++++++++++++++
 net/netfilter/nft_set_bitmap.c |  4 +---
 net/netfilter/nft_set_hash.c   |  8 ++------
 net/netfilter/nft_set_rbtree.c |  4 +---
 4 files changed, 29 insertions(+), 12 deletions(-)

--
2.43.0

From hannah.peuckmann at canonical.com Thu Aug 1 11:03:17 2024
From: hannah.peuckmann at canonical.com (Hannah Peuckmann)
Date: Thu, 1 Aug 2024 13:03:17 +0200
Subject: [SRU][F][PATCH 1/1] netfilter: nf_tables: restore set elements when delete set fails
In-Reply-To: <20240801110317.48224-1-hannah.peuckmann@canonical.com>
References: <20240801110317.48224-1-hannah.peuckmann@canonical.com>
Message-ID: <20240801110317.48224-2-hannah.peuckmann@canonical.com>

From: Pablo Neira Ayuso

From abort path, nft_mapelem_activate() needs to restore refcounters to the original state. Currently, it uses the set->ops->walk() to iterate over these set elements. The existing set iterator skips inactive elements in the next generation, this does not work from the abort path to restore the original state since it has to skip active elements instead (not inactive ones).

This patch moves the check for inactive elements to the set iterator callback, then it reverses the logic for the .activate case which needs to skip active elements.

Toggle next generation bit for elements when delete set command is invoked and call nft_clear() from .activate (abort) path to restore the next generation bit.

The splat below shows an object in mappings memleak:

[43929.457523] ------------[ cut here ]------------
[43929.457532] WARNING: CPU: 0 PID: 1139 at include/net/netfilter/nf_tables.h:1237 nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]
[...]
[43929.458014] RIP: 0010:nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]
[43929.458076] Code: 83 f8 01 77 ab 49 8d 7c 24 08 e8 37 5e d0 de 49 8b 6c 24 08 48 8d 7d 50 e8 e9 5c d0 de 8b 45 50 8d 50 ff 89 55 50 85 c0 75 86 <0f> 0b eb 82 0f 0b eb b3 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90
[43929.458081] RSP: 0018:ffff888140f9f4b0 EFLAGS: 00010246
[43929.458086] RAX: 0000000000000000 RBX: ffff8881434f5288 RCX: dffffc0000000000
[43929.458090] RDX: 00000000ffffffff RSI: ffffffffa26d28a7 RDI: ffff88810ecc9550
[43929.458093] RBP: ffff88810ecc9500 R08: 0000000000000001 R09: ffffed10281f3e8f
[43929.458096] R10: 0000000000000003 R11: ffff0000ffff0000 R12: ffff8881434f52a0
[43929.458100] R13: ffff888140f9f5f4 R14: ffff888151c7a800 R15: 0000000000000002
[43929.458103] FS: 00007f0c687c4740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000
[43929.458107] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[43929.458111] CR2: 00007f58dbe5b008 CR3: 0000000123602005 CR4: 00000000001706f0
[43929.458114] Call Trace:
[43929.458118] [43929.458121] ? __warn+0x9f/0x1a0 [43929.458127] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458188] ? report_bug+0x1b1/0x1e0 [43929.458196] ? handle_bug+0x3c/0x70 [43929.458200] ? exc_invalid_op+0x17/0x40 [43929.458211] ? nft_setelem_data_deactivate+0xd7/0xf0 [nf_tables] [43929.458271] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458332] nft_mapelem_deactivate+0x24/0x30 [nf_tables] [43929.458392] nft_rhash_walk+0xdd/0x180 [nf_tables] [43929.458453] ? __pfx_nft_rhash_walk+0x10/0x10 [nf_tables] [43929.458512] ? rb_insert_color+0x2e/0x280 [43929.458520] nft_map_deactivate+0xdc/0x1e0 [nf_tables] [43929.458582] ? __pfx_nft_map_deactivate+0x10/0x10 [nf_tables] [43929.458642] ? __pfx_nft_mapelem_deactivate+0x10/0x10 [nf_tables] [43929.458701] ? __rcu_read_unlock+0x46/0x70 [43929.458709] nft_delset+0xff/0x110 [nf_tables] [43929.458769] nft_flush_table+0x16f/0x460 [nf_tables] [43929.458830] nf_tables_deltable+0x501/0x580 [nf_tables] Fixes: 628bd3e49cba ("netfilter: nf_tables: drop map element references from preparation phase") Signed-off-by: Pablo Neira Ayuso CVE-2024-27012 (cherry picked from commit e79b47a8615d42c68aaeb68971593333667382ed linux-6.9.y) Signed-off-by: Hannah Peuckmann --- net/netfilter/nf_tables_api.c | 25 +++++++++++++++++++++++++ net/netfilter/nft_set_bitmap.c | 4 +--- net/netfilter/nft_set_hash.c | 8 ++------ net/netfilter/nft_set_rbtree.c | 4 +--- 4 files changed, 29 insertions(+), 12 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index b3209a856209..10e7d8e9df04 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c 
@@ -426,6 +426,12 @@ static int nft_mapelem_deactivate(const struct nft_ctx *ctx, const struct nft_set_iter *iter, struct nft_set_elem *elem) { + struct nft_set_ext *ext = nft_set_elem_ext(set, elem); + + if (!nft_set_elem_active(ext, iter->genmask)) + return 0; + + nft_set_elem_change_active(ctx->net, set, ext); nft_setelem_data_deactivate(ctx->net, set, elem); return 0; @@ -4055,6 +4061,8 @@ static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx, struct nft_set_elem *elem) { const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); + if (!nft_set_elem_active(ext, iter->genmask)) + return 0; enum nft_registers dreg; dreg = nft_type_to_reg(set->dtype); @@ -4128,6 +4136,13 @@ static int nft_mapelem_activate(const struct nft_ctx *ctx, const struct nft_set_iter *iter, struct nft_set_elem *elem) { + struct nft_set_ext *ext = nft_set_elem_ext(set, elem); + + /* called from abort path, reverse check to undo changes. */ + if (nft_set_elem_active(ext, iter->genmask)) + return 0; + + nft_clear(ctx->net, ext); nft_setelem_data_activate(ctx->net, set, elem); return 0; @@ -4370,6 +4385,9 @@ static int nf_tables_dump_setelem(const struct nft_ctx *ctx, const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); struct nft_set_dump_args *args; + if (!nft_set_elem_active(ext, iter->genmask)) + return 0; + if (nft_set_elem_expired(ext) || nft_set_elem_is_dead(ext)) return 0; @@ -5228,9 +5246,13 @@ static int nft_flush_set(const struct nft_ctx *ctx, const struct nft_set_iter *iter, struct nft_set_elem *elem) { + const struct nft_set_ext *ext = nft_set_elem_ext(set, elem); struct nft_trans *trans; int err; + if (!nft_set_elem_active(ext, iter->genmask)) + return 0; + trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM, sizeof(struct nft_trans_elem), GFP_ATOMIC); if (!trans) 
@@ -7860,6 +7882,9 @@ static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx, const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); const struct nft_data *data; + if (!nft_set_elem_active(ext, iter->genmask)) + return 0; + if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END) return 0; diff --git a/net/netfilter/nft_set_bitmap.c b/net/netfilter/nft_set_bitmap.c index b0f6b1490e1a..544835080fe2 100644 --- a/net/netfilter/nft_set_bitmap.c +++ b/net/netfilter/nft_set_bitmap.c @@ -170,7 +170,7 @@ static void nft_bitmap_activate(const struct net *net, nft_bitmap_location(set, nft_set_ext_key(&be->ext), &idx, &off); /* Enter 11 state. */ priv->bitmap[idx] |= (genmask << off); - nft_set_elem_change_active(net, set, &be->ext); + nft_clear(net, &be->ext); } static bool nft_bitmap_flush(const struct net *net, @@ -222,8 +222,6 @@ static void nft_bitmap_walk(const struct nft_ctx *ctx, list_for_each_entry_rcu(be, &priv->list, head) { if (iter->count < iter->skip) goto cont; - if (!nft_set_elem_active(&be->ext, iter->genmask)) - goto cont; elem.priv = be; diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c index 0581d5499c5a..7f49c6c37c94 100644 --- a/net/netfilter/nft_set_hash.c +++ b/net/netfilter/nft_set_hash.c @@ -191,7 +191,7 @@ static void nft_rhash_activate(const struct net *net, const struct nft_set *set, { struct nft_rhash_elem *he = elem->priv; - nft_set_elem_change_active(net, set, &he->ext); + nft_clear(net, &he->ext); } static bool nft_rhash_flush(const struct net *net, @@ -279,8 +279,6 @@ static void nft_rhash_walk(const struct nft_ctx *ctx, struct nft_set *set, if (iter->count < iter->skip) goto cont; - if (!nft_set_elem_active(&he->ext, iter->genmask)) - goto cont; elem.priv = he; 
@@ -573,7 +571,7 @@ static void nft_hash_activate(const struct net *net, const struct nft_set *set, { struct nft_hash_elem *he = elem->priv; - nft_set_elem_change_active(net, set, &he->ext); + nft_clear(net, &he->ext); } static bool nft_hash_flush(const struct net *net, @@ -627,8 +625,6 @@ static void nft_hash_walk(const struct nft_ctx *ctx, struct nft_set *set, hlist_for_each_entry_rcu(he, &priv->table[i], node) { if (iter->count < iter->skip) goto cont; - if (!nft_set_elem_active(&he->ext, iter->genmask)) - goto cont; elem.priv = he; diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c index f44473287079..ec322d818de0 100644 --- a/net/netfilter/nft_set_rbtree.c +++ b/net/netfilter/nft_set_rbtree.c @@ -529,7 +529,7 @@ static void nft_rbtree_activate(const struct net *net, { struct nft_rbtree_elem *rbe = elem->priv; - nft_set_elem_change_active(net, set, &rbe->ext); + nft_clear(net, &rbe->ext); } static bool nft_rbtree_flush(const struct net *net, @@ -598,8 +598,6 @@ static void nft_rbtree_walk(const struct nft_ctx *ctx, if (iter->count < iter->skip) goto cont; - if (!nft_set_elem_active(&rbe->ext, iter->genmask)) - goto cont; elem.priv = rbe; -- 2.43.0 From hannah.peuckmann at canonical.com Thu Aug 1 11:04:12 2024 From: hannah.peuckmann at canonical.com (Hannah Peuckmann) Date: Thu, 1 Aug 2024 13:04:12 +0200 Subject: [SRU][J][PATCH 1/1] netfilter: nf_tables: restore set elements when delete set fails Message-ID: <20240801110412.48311-1-hannah.peuckmann@canonical.com> 
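Review bot: the added lines in nft_mapelem_deactivate(), nft_mapelem_activate() and nft_flush_set() call `nft_set_elem_ext(set, elem)` with the `struct nft_set_elem *elem` callback argument, while the untouched context in nf_tables_bind_check_setelem(), nf_tables_dump_setelem() and nf_tables_loop_check_setelem() passes `elem->priv`. If nft_set_elem_ext() takes the private element pointer in this tree, as those callers suggest, the three new lookups read the extension area from the wrong object; they should probably read `nft_set_elem_ext(set, elem->priv)`.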
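Review bot: in the nf_tables_bind_check_setelem() hunk of the focal patch, the new `if (!nft_set_elem_active(ext, iter->genmask)) return 0;` sits between the `ext` declaration and `enum nft_registers dreg;`, so a declaration now follows a statement. Move the check below the declarations, after `dreg`, to keep the block in kernel style and avoid a declaration-after-statement warning.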
From: Pablo Neira Ayuso

From abort path, nft_mapelem_activate() needs to restore refcounters to the original state. Currently, it uses the set->ops->walk() to iterate over these set elements. The existing set iterator skips inactive elements in the next generation, this does not work from the abort path to restore the original state since it has to skip active elements instead (not inactive ones).

This patch moves the check for inactive elements to the set iterator callback, then it reverses the logic for the .activate case which needs to skip active elements.

Toggle next generation bit for elements when delete set command is invoked and call nft_clear() from .activate (abort) path to restore the next generation bit.

The splat below shows an object in mappings memleak:

[43929.457523] ------------[ cut here ]------------
[43929.457532] WARNING: CPU: 0 PID: 1139 at include/net/netfilter/nf_tables.h:1237 nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]
[...]
[43929.458014] RIP: 0010:nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]
[43929.458076] Code: 83 f8 01 77 ab 49 8d 7c 24 08 e8 37 5e d0 de 49 8b 6c 24 08 48 8d 7d 50 e8 e9 5c d0 de 8b 45 50 8d 50 ff 89 55 50 85 c0 75 86 <0f> 0b eb 82 0f 0b eb b3 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90
[43929.458081] RSP: 0018:ffff888140f9f4b0 EFLAGS: 00010246
[43929.458086] RAX: 0000000000000000 RBX: ffff8881434f5288 RCX: dffffc0000000000
[43929.458090] RDX: 00000000ffffffff RSI: ffffffffa26d28a7 RDI: ffff88810ecc9550
[43929.458093] RBP: ffff88810ecc9500 R08: 0000000000000001 R09: ffffed10281f3e8f
[43929.458096] R10: 0000000000000003 R11: ffff0000ffff0000 R12: ffff8881434f52a0
[43929.458100] R13: ffff888140f9f5f4 R14: ffff888151c7a800 R15: 0000000000000002
[43929.458103] FS: 00007f0c687c4740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000
[43929.458107] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[43929.458111] CR2: 00007f58dbe5b008 CR3: 0000000123602005 CR4: 00000000001706f0
[43929.458114] Call Trace:
[43929.458118] [43929.458121] ? __warn+0x9f/0x1a0 [43929.458127] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458188] ? report_bug+0x1b1/0x1e0 [43929.458196] ? handle_bug+0x3c/0x70 [43929.458200] ? exc_invalid_op+0x17/0x40 [43929.458211] ? nft_setelem_data_deactivate+0xd7/0xf0 [nf_tables] [43929.458271] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458332] nft_mapelem_deactivate+0x24/0x30 [nf_tables] [43929.458392] nft_rhash_walk+0xdd/0x180 [nf_tables] [43929.458453] ? __pfx_nft_rhash_walk+0x10/0x10 [nf_tables] [43929.458512] ? rb_insert_color+0x2e/0x280 [43929.458520] nft_map_deactivate+0xdc/0x1e0 [nf_tables] [43929.458582] ? __pfx_nft_map_deactivate+0x10/0x10 [nf_tables] [43929.458642] ? __pfx_nft_mapelem_deactivate+0x10/0x10 [nf_tables] [43929.458701] ? __rcu_read_unlock+0x46/0x70 [43929.458709] nft_delset+0xff/0x110 [nf_tables] [43929.458769] nft_flush_table+0x16f/0x460 [nf_tables] [43929.458830] nf_tables_deltable+0x501/0x580 [nf_tables] Fixes: 628bd3e49cba ("netfilter: nf_tables: drop map element references from preparation phase") Signed-off-by: Pablo Neira Ayuso CVE-2024-27012 (cherry picked from commit e79b47a8615d42c68aaeb68971593333667382ed linux-6.9.y) Signed-off-by: Hannah Peuckmann --- net/netfilter/nf_tables_api.c | 44 ++++++++++++++++++++++++++++++---- net/netfilter/nft_set_bitmap.c | 4 +--- net/netfilter/nft_set_hash.c | 8 ++----- net/netfilter/nft_set_pipapo.c | 5 +--- net/netfilter/nft_set_rbtree.c | 4 +--- 5 files changed, 45 insertions(+), 20 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index a7a34db62ea9..d0c09f899e80 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c 
@@ -594,6 +594,12 @@ static int nft_mapelem_deactivate(const struct nft_ctx *ctx, const struct nft_set_iter *iter, struct nft_elem_priv *elem_priv) { + struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); + + if (!nft_set_elem_active(ext, iter->genmask)) + return 0; + + nft_set_elem_change_active(ctx->net, set, ext); nft_setelem_data_deactivate(ctx->net, set, elem_priv); return 0; @@ -617,6 +623,7 @@ static void nft_map_catchall_deactivate(const struct nft_ctx *ctx, if (!nft_set_elem_active(ext, genmask)) continue; + nft_set_elem_change_active(ctx->net, set, ext); nft_setelem_data_deactivate(ctx->net, set, catchall->elem); break; } @@ -3880,6 +3887,9 @@ int nft_setelem_validate(const struct nft_ctx *ctx, struct nft_set *set, const struct nft_data *data; int err; + if (!nft_set_elem_active(ext, iter->genmask)) + return 0; + if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END) return 0; @@ -3903,17 +3913,20 @@ int nft_setelem_validate(const struct nft_ctx *ctx, struct nft_set *set, int nft_set_catchall_validate(const struct nft_ctx *ctx, struct nft_set *set) { - u8 genmask = nft_genmask_next(ctx->net); + struct nft_set_iter dummy_iter = { + .genmask = nft_genmask_next(ctx->net), + }; struct nft_set_elem_catchall *catchall; + struct nft_set_ext *ext; int ret = 0; list_for_each_entry_rcu(catchall, &set->catchall_list, list) { ext = nft_set_elem_ext(set, catchall->elem); - if (!nft_set_elem_active(ext, genmask)) + if (!nft_set_elem_active(ext, dummy_iter.genmask)) continue; - ret = nft_setelem_validate(ctx, set, NULL, catchall->elem); + ret = nft_setelem_validate(ctx, set, &dummy_iter, catchall->elem); if (ret < 0) return ret; } 
@@ -5402,6 +5415,11 @@ static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx, const struct nft_set_iter *iter, struct nft_elem_priv *elem_priv) { + const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); + + if (!nft_set_elem_active(ext, iter->genmask)) + return 0; + return nft_setelem_data_validate(ctx, set, elem_priv); } @@ -5494,6 +5512,13 @@ static int nft_mapelem_activate(const struct nft_ctx *ctx, const struct nft_set_iter *iter, struct nft_elem_priv *elem_priv) { + struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); + + /* called from abort path, reverse check to undo changes. */ + if (nft_set_elem_active(ext, iter->genmask)) + return 0; + + nft_clear(ctx->net, ext); nft_setelem_data_activate(ctx->net, set, elem_priv); return 0; @@ -5511,6 +5536,7 @@ static void nft_map_catchall_activate(const struct nft_ctx *ctx, if (!nft_set_elem_active(ext, genmask)) continue; + nft_clear(ctx->net, ext); nft_setelem_data_activate(ctx->net, set, catchall->elem); break; } @@ -5785,6 +5811,9 @@ static int nf_tables_dump_setelem(const struct nft_ctx *ctx, const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); struct nft_set_dump_args *args; + if (!nft_set_elem_active(ext, iter->genmask)) + return 0; + if (nft_set_elem_expired(ext) || nft_set_elem_is_dead(ext)) return 0; @@ -6635,7 +6664,7 @@ static void nft_setelem_activate(struct net *net, struct nft_set *set, struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); if (nft_setelem_is_catchall(set, elem_priv)) { - nft_set_elem_change_active(net, set, ext); + nft_clear(net, ext); } else { set->ops->activate(net, set, elem_priv); } 
@@ -7317,8 +7346,12 @@ static int nft_setelem_flush(const struct nft_ctx *ctx, const struct nft_set_iter *iter, struct nft_elem_priv *elem_priv) { + const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); struct nft_trans *trans; + if (!nft_set_elem_active(ext, iter->genmask)) + return 0; + trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM, sizeof(struct nft_trans_elem), GFP_ATOMIC); if (!trans) @@ -10800,6 +10833,9 @@ static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx, { const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); + if (!nft_set_elem_active(ext, iter->genmask)) + return 0; + if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END) return 0; diff --git a/net/netfilter/nft_set_bitmap.c b/net/netfilter/nft_set_bitmap.c index 32df7a16835d..1caa04619dc6 100644 --- a/net/netfilter/nft_set_bitmap.c +++ b/net/netfilter/nft_set_bitmap.c @@ -172,7 +172,7 @@ static void nft_bitmap_activate(const struct net *net, nft_bitmap_location(set, nft_set_ext_key(&be->ext), &idx, &off); /* Enter 11 state. */ priv->bitmap[idx] |= (genmask << off); - nft_set_elem_change_active(net, set, &be->ext); + nft_clear(net, &be->ext); } static void nft_bitmap_flush(const struct net *net, @@ -222,8 +222,6 @@ static void nft_bitmap_walk(const struct nft_ctx *ctx, list_for_each_entry_rcu(be, &priv->list, head) { if (iter->count < iter->skip) goto cont; - if (!nft_set_elem_active(&be->ext, iter->genmask)) - goto cont; iter->err = iter->fn(ctx, set, iter, &be->priv); diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c index 6968a3b34236..daa56dda737a 100644 --- a/net/netfilter/nft_set_hash.c +++ b/net/netfilter/nft_set_hash.c 
@@ -199,7 +199,7 @@ static void nft_rhash_activate(const struct net *net, const struct nft_set *set, { struct nft_rhash_elem *he = nft_elem_priv_cast(elem_priv); - nft_set_elem_change_active(net, set, &he->ext); + nft_clear(net, &he->ext); } static void nft_rhash_flush(const struct net *net, @@ -286,8 +286,6 @@ static void nft_rhash_walk(const struct nft_ctx *ctx, struct nft_set *set, if (iter->count < iter->skip) goto cont; - if (!nft_set_elem_active(&he->ext, iter->genmask)) - goto cont; iter->err = iter->fn(ctx, set, iter, &he->priv); if (iter->err < 0) @@ -599,7 +597,7 @@ static void nft_hash_activate(const struct net *net, const struct nft_set *set, { struct nft_hash_elem *he = nft_elem_priv_cast(elem_priv); - nft_set_elem_change_active(net, set, &he->ext); + nft_clear(net, &he->ext); } static void nft_hash_flush(const struct net *net, @@ -652,8 +650,6 @@ static void nft_hash_walk(const struct nft_ctx *ctx, struct nft_set *set, hlist_for_each_entry_rcu(he, &priv->table[i], node) { if (iter->count < iter->skip) goto cont; - if (!nft_set_elem_active(&he->ext, iter->genmask)) - goto cont; iter->err = iter->fn(ctx, set, iter, &he->priv); if (iter->err < 0) diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c index 0f903d18bbea..187138afac45 100644 --- a/net/netfilter/nft_set_pipapo.c +++ b/net/netfilter/nft_set_pipapo.c @@ -1847,7 +1847,7 @@ static void nft_pipapo_activate(const struct net *net, { struct nft_pipapo_elem *e = nft_elem_priv_cast(elem_priv); - nft_set_elem_change_active(net, set, &e->ext); + nft_clear(net, &e->ext); } /** @@ -2149,9 +2149,6 @@ static void nft_pipapo_walk(const struct nft_ctx *ctx, struct nft_set *set, e = f->mt[r].e; - if (!nft_set_elem_active(&e->ext, iter->genmask)) - goto cont; - iter->err = iter->fn(ctx, set, iter, &e->priv); if (iter->err < 0) goto out; diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c index 9944fe479e53..b7ea21327549 100644 --- a/net/netfilter/nft_set_rbtree.c 
+++ b/net/netfilter/nft_set_rbtree.c @@ -532,7 +532,7 @@ static void nft_rbtree_activate(const struct net *net, { struct nft_rbtree_elem *rbe = nft_elem_priv_cast(elem_priv); - nft_set_elem_change_active(net, set, &rbe->ext); + nft_clear(net, &rbe->ext); } static void nft_rbtree_flush(const struct net *net, @@ -600,8 +600,6 @@ static void nft_rbtree_walk(const struct nft_ctx *ctx, if (iter->count < iter->skip) goto cont; - if (!nft_set_elem_active(&rbe->ext, iter->genmask)) - goto cont; iter->err = iter->fn(ctx, set, iter, &rbe->priv); if (iter->err < 0) { -- 2.43.0 From manuel.diewald at canonical.com Thu Aug 1 11:19:03 2024 
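Review bot: in the jammy patch, nft_map_catchall_activate() gains `nft_clear(ctx->net, ext);` but keeps the unchanged guard `if (!nft_set_elem_active(ext, genmask)) continue;`, whereas nft_mapelem_activate() in the same patch reverses that test ("called from abort path, reverse check to undo changes"). Since nft_map_catchall_deactivate() now toggles the element with nft_set_elem_change_active(), please confirm that the catchall element still passes that guard on abort; if it does not, it is skipped and never restored, and the check needs reversing there as well.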
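Review bot: nft_setelem_validate() in the jammy patch now dereferences `iter->genmask` unconditionally, and the only caller adjusted in the visible hunks is nft_set_catchall_validate(), which switches from passing NULL to `&dummy_iter`. Please check the jammy tree for any other caller that can still pass a NULL iter, since it would now fault on that dereference; the catchall loop also tests `dummy_iter.genmask` itself before the call, so the element is checked twice there.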
From: manuel.diewald at canonical.com (Manuel Diewald)
Date: Thu, 1 Aug 2024 13:19:03 +0200
Subject: NACK/Cmnt: [SRU][J/F][PATCH 0/1] CVE-2024-27012
In-Reply-To: <20240801110317.48224-1-hannah.peuckmann@canonical.com>
References: <20240801110317.48224-1-hannah.peuckmann@canonical.com>
Message-ID: <20240801111903.fwgrq2cfmqdq6sdp@wintermute.fritz.box>

On Thu, Aug 01, 2024 at 01:03:16PM +0200, Hannah Peuckmann wrote:
> [Impact]
> The existing code in nf_tables has an issue where set elements are not properly restored when the delete set operation fails.
>
> [Fix]
> This patch ensures that all set elements are correctly handled during the delete operation, maintaining the integrity of the nf_tables.
>
> Noble: done
> Jammy: applied, fixed context conflicts
> Focal: applied, fixed context conflicts
> Bionic: not affected
> Xenial: not affected
> Trusty: not affected
>
> Focal and Jammy are missing the following commit:
> 0e1ea651c9717dd ("netfilter: nf_tables: shrink memory consumption of set elements")
>
> This introduced context conflicts in net/netfilter/nf_tables_api.c but
> they aren't related to the fix and are relatively straightforward to resolve.
>
> [Test Case]
>
> Compiled and booted.
>
> [Where problems could occur]
>
> This fix affects those who use the nf_tables in netfilter. An issue with this fix could result in unexpected behaviour
> or inconsistencies in the netfilter tables.
>
>
> Pablo Neira Ayuso (1):
>   netfilter: nf_tables: restore set elements when delete set fails
>
> net/netfilter/nf_tables_api.c | 25 +++++++++++++++++++++++++
> net/netfilter/nft_set_bitmap.c | 4 +---
> net/netfilter/nft_set_hash.c | 8 ++------
> net/netfilter/nft_set_rbtree.c | 4 +---
> 4 files changed, 29 insertions(+), 12 deletions(-)
>
> --
> 2.43.0
>
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

The jammy patch is not in reply to the cover letter and hence not part of this thread.
Please re-submit everything as one thread. Some tooling might rely on it to work properly, e.g. mine. :)

--
Manuel

From manuel.diewald at canonical.com Thu Aug 1 11:20:19 2024
From: manuel.diewald at canonical.com (Manuel Diewald)
Date: Thu, 1 Aug 2024 13:20:19 +0200
Subject: NACK/Cmnt: [SRU][J][PATCH 1/1] netfilter: nf_tables: restore set elements when delete set fails
In-Reply-To: <20240801110412.48311-1-hannah.peuckmann@canonical.com>
References: <20240801110412.48311-1-hannah.peuckmann@canonical.com>
Message-ID: <20240801112019.tr4grzv3r6jqe2be@wintermute.fritz.box>

On Thu, Aug 01, 2024 at 01:04:12PM +0200, Hannah Peuckmann wrote:
> From: Pablo Neira Ayuso > > From abort path, nft_mapelem_activate() needs to restore refcounters to > the original state. Currently, it uses the set->ops->walk() to iterate > over these set elements. The existing set iterator skips inactive > elements in the next generation, this does not work from the abort path > to restore the original state since it has to skip active elements > instead (not inactive ones). > > This patch moves the check for inactive elements to the set iterator > callback, then it reverses the logic for the .activate case which > needs to skip active elements. > > Toggle next generation bit for elements when delete set command is > invoked and call nft_clear() from .activate (abort) path to restore the > next generation bit. > > The splat below shows an object in mappings memleak: > > [43929.457523] ------------[ cut here ]------------ > [43929.457532] WARNING: CPU: 0 PID: 1139 at include/net/netfilter/nf_tables.h:1237 nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] > [...] 
> [43929.458014] RIP: 0010:nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] > [43929.458076] Code: 83 f8 01 77 ab 49 8d 7c 24 08 e8 37 5e d0 de 49 8b 6c 24 08 48 8d 7d 50 e8 e9 5c d0 de 8b 45 50 8d 50 ff 89 55 50 85 c0 75 86 <0f> 0b eb 82 0f 0b eb b3 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 > [43929.458081] RSP: 0018:ffff888140f9f4b0 EFLAGS: 00010246 > [43929.458086] RAX: 0000000000000000 RBX: ffff8881434f5288 RCX: dffffc0000000000 > [43929.458090] RDX: 00000000ffffffff RSI: ffffffffa26d28a7 RDI: ffff88810ecc9550 > [43929.458093] RBP: ffff88810ecc9500 R08: 0000000000000001 R09: ffffed10281f3e8f > [43929.458096] R10: 0000000000000003 R11: ffff0000ffff0000 R12: ffff8881434f52a0 > [43929.458100] R13: ffff888140f9f5f4 R14: ffff888151c7a800 R15: 0000000000000002 > [43929.458103] FS: 00007f0c687c4740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000 > [43929.458107] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > [43929.458111] CR2: 00007f58dbe5b008 CR3: 0000000123602005 CR4: 00000000001706f0 > [43929.458114] Call Trace: > [43929.458118] > [43929.458121] ? __warn+0x9f/0x1a0 > [43929.458127] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] > [43929.458188] ? report_bug+0x1b1/0x1e0 > [43929.458196] ? handle_bug+0x3c/0x70 > [43929.458200] ? exc_invalid_op+0x17/0x40 > [43929.458211] ? nft_setelem_data_deactivate+0xd7/0xf0 [nf_tables] > [43929.458271] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] > [43929.458332] nft_mapelem_deactivate+0x24/0x30 [nf_tables] > [43929.458392] nft_rhash_walk+0xdd/0x180 [nf_tables] > [43929.458453] ? __pfx_nft_rhash_walk+0x10/0x10 [nf_tables] > [43929.458512] ? rb_insert_color+0x2e/0x280 > [43929.458520] nft_map_deactivate+0xdc/0x1e0 [nf_tables] > [43929.458582] ? __pfx_nft_map_deactivate+0x10/0x10 [nf_tables] > [43929.458642] ? __pfx_nft_mapelem_deactivate+0x10/0x10 [nf_tables] > [43929.458701] ? 
__rcu_read_unlock+0x46/0x70 > [43929.458709] nft_delset+0xff/0x110 [nf_tables] > [43929.458769] nft_flush_table+0x16f/0x460 [nf_tables] > [43929.458830] nf_tables_deltable+0x501/0x580 [nf_tables] > > Fixes: 628bd3e49cba ("netfilter: nf_tables: drop map element references from preparation phase") > Signed-off-by: Pablo Neira Ayuso > > CVE-2024-27012 > (cherry picked from commit e79b47a8615d42c68aaeb68971593333667382ed linux-6.9.y) > Signed-off-by: Hannah Peuckmann > --- > net/netfilter/nf_tables_api.c | 44 ++++++++++++++++++++++++++++++---- > net/netfilter/nft_set_bitmap.c | 4 +--- > net/netfilter/nft_set_hash.c | 8 ++----- > net/netfilter/nft_set_pipapo.c | 5 +--- > net/netfilter/nft_set_rbtree.c | 4 +--- > 5 files changed, 45 insertions(+), 20 deletions(-) > > diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c > index a7a34db62ea9..d0c09f899e80 100644 > --- a/net/netfilter/nf_tables_api.c > +++ b/net/netfilter/nf_tables_api.c > @@ -594,6 +594,12 @@ static int nft_mapelem_deactivate(const struct nft_ctx *ctx, > const struct nft_set_iter *iter, > struct nft_elem_priv *elem_priv) > { > + struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); > + > + if (!nft_set_elem_active(ext, iter->genmask)) > + return 0; > + > + nft_set_elem_change_active(ctx->net, set, ext); > nft_setelem_data_deactivate(ctx->net, set, elem_priv); > > return 0; > @@ -617,6 +623,7 @@ static void nft_map_catchall_deactivate(const struct nft_ctx *ctx, > if (!nft_set_elem_active(ext, genmask)) > continue; > > + nft_set_elem_change_active(ctx->net, set, ext); > nft_setelem_data_deactivate(ctx->net, set, catchall->elem); > break; > } > @@ -3880,6 +3887,9 @@ int nft_setelem_validate(const struct nft_ctx *ctx, struct nft_set *set, > const struct nft_data *data; > int err; > > + if (!nft_set_elem_active(ext, iter->genmask)) > + return 0; > + > if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && > *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END) > return 0; 
> @@ -3903,17 +3913,20 @@ int nft_setelem_validate(const struct nft_ctx *ctx, struct nft_set *set, > > int nft_set_catchall_validate(const struct nft_ctx *ctx, struct nft_set *set) > { > - u8 genmask = nft_genmask_next(ctx->net); > + struct nft_set_iter dummy_iter = { > + .genmask = nft_genmask_next(ctx->net), > + }; > struct nft_set_elem_catchall *catchall; > + > struct nft_set_ext *ext; > int ret = 0; > > list_for_each_entry_rcu(catchall, &set->catchall_list, list) { > ext = nft_set_elem_ext(set, catchall->elem); > - if (!nft_set_elem_active(ext, genmask)) > + if (!nft_set_elem_active(ext, dummy_iter.genmask)) > continue; > > - ret = nft_setelem_validate(ctx, set, NULL, catchall->elem); > + ret = nft_setelem_validate(ctx, set, &dummy_iter, catchall->elem); > if (ret < 0) > return ret; > } > @@ -5402,6 +5415,11 @@ static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx, > const struct nft_set_iter *iter, > struct nft_elem_priv *elem_priv) > { > + const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); > + > + if (!nft_set_elem_active(ext, iter->genmask)) > + return 0; > + > return nft_setelem_data_validate(ctx, set, elem_priv); > } > > @@ -5494,6 +5512,13 @@ static int nft_mapelem_activate(const struct nft_ctx *ctx, > const struct nft_set_iter *iter, > struct nft_elem_priv *elem_priv) > { > + struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); > + > + /* called from abort path, reverse check to undo changes. */ > + if (nft_set_elem_active(ext, iter->genmask)) > + return 0; > + > + nft_clear(ctx->net, ext); > nft_setelem_data_activate(ctx->net, set, elem_priv); > > return 0; > @@ -5511,6 +5536,7 @@ static void nft_map_catchall_activate(const struct nft_ctx *ctx, > if (!nft_set_elem_active(ext, genmask)) > continue; > > + nft_clear(ctx->net, ext); > nft_setelem_data_activate(ctx->net, set, catchall->elem); > break; > } 
> @@ -5785,6 +5811,9 @@ static int nf_tables_dump_setelem(const struct nft_ctx *ctx, > const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); > struct nft_set_dump_args *args; > > + if (!nft_set_elem_active(ext, iter->genmask)) > + return 0; > + > if (nft_set_elem_expired(ext) || nft_set_elem_is_dead(ext)) > return 0; > > @@ -6635,7 +6664,7 @@ static void nft_setelem_activate(struct net *net, struct nft_set *set, > struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); > > if (nft_setelem_is_catchall(set, elem_priv)) { > - nft_set_elem_change_active(net, set, ext); > + nft_clear(net, ext); > } else { > set->ops->activate(net, set, elem_priv); > } > @@ -7317,8 +7346,12 @@ static int nft_setelem_flush(const struct nft_ctx *ctx, > const struct nft_set_iter *iter, > struct nft_elem_priv *elem_priv) > { > + const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); > struct nft_trans *trans; > > + if (!nft_set_elem_active(ext, iter->genmask)) > + return 0; > + > trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM, > sizeof(struct nft_trans_elem), GFP_ATOMIC); > if (!trans) > @@ -10800,6 +10833,9 @@ static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx, > { > const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); > > + if (!nft_set_elem_active(ext, iter->genmask)) > + return 0; > + > if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && > *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END) > return 0; > diff --git a/net/netfilter/nft_set_bitmap.c b/net/netfilter/nft_set_bitmap.c > index 32df7a16835d..1caa04619dc6 100644 > --- a/net/netfilter/nft_set_bitmap.c > +++ b/net/netfilter/nft_set_bitmap.c 
> @@ -172,7 +172,7 @@ static void nft_bitmap_activate(const struct net *net, > nft_bitmap_location(set, nft_set_ext_key(&be->ext), &idx, &off); > /* Enter 11 state. */ > priv->bitmap[idx] |= (genmask << off); > - nft_set_elem_change_active(net, set, &be->ext); > + nft_clear(net, &be->ext); > } > > static void nft_bitmap_flush(const struct net *net, > @@ -222,8 +222,6 @@ static void nft_bitmap_walk(const struct nft_ctx *ctx, > list_for_each_entry_rcu(be, &priv->list, head) { > if (iter->count < iter->skip) > goto cont; > - if (!nft_set_elem_active(&be->ext, iter->genmask)) > - goto cont; > > iter->err = iter->fn(ctx, set, iter, &be->priv); > > diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c > index 6968a3b34236..daa56dda737a 100644 > --- a/net/netfilter/nft_set_hash.c > +++ b/net/netfilter/nft_set_hash.c > @@ -199,7 +199,7 @@ static void nft_rhash_activate(const struct net *net, const struct nft_set *set, > { > struct nft_rhash_elem *he = nft_elem_priv_cast(elem_priv); > > - nft_set_elem_change_active(net, set, &he->ext); > + nft_clear(net, &he->ext); > } > > static void nft_rhash_flush(const struct net *net, > @@ -286,8 +286,6 @@ static void nft_rhash_walk(const struct nft_ctx *ctx, struct nft_set *set, > > if (iter->count < iter->skip) > goto cont; > - if (!nft_set_elem_active(&he->ext, iter->genmask)) > - goto cont; > > iter->err = iter->fn(ctx, set, iter, &he->priv); > if (iter->err < 0) > @@ -599,7 +597,7 @@ static void nft_hash_activate(const struct net *net, const struct nft_set *set, > { > struct nft_hash_elem *he = nft_elem_priv_cast(elem_priv); > > - nft_set_elem_change_active(net, set, &he->ext); > + nft_clear(net, &he->ext); > } > > static void nft_hash_flush(const struct net *net, 
> @@ -652,8 +650,6 @@ static void nft_hash_walk(const struct nft_ctx *ctx, struct nft_set *set, > hlist_for_each_entry_rcu(he, &priv->table[i], node) { > if (iter->count < iter->skip) > goto cont; > - if (!nft_set_elem_active(&he->ext, iter->genmask)) > - goto cont; > > iter->err = iter->fn(ctx, set, iter, &he->priv); > if (iter->err < 0) > diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c > index 0f903d18bbea..187138afac45 100644 > --- a/net/netfilter/nft_set_pipapo.c > +++ b/net/netfilter/nft_set_pipapo.c > @@ -1847,7 +1847,7 @@ static void nft_pipapo_activate(const struct net *net, > { > struct nft_pipapo_elem *e = nft_elem_priv_cast(elem_priv); > > - nft_set_elem_change_active(net, set, &e->ext); > + nft_clear(net, &e->ext); > } > > /** > @@ -2149,9 +2149,6 @@ static void nft_pipapo_walk(const struct nft_ctx *ctx, struct nft_set *set, > > e = f->mt[r].e; > > - if (!nft_set_elem_active(&e->ext, iter->genmask)) > - goto cont; > - > iter->err = iter->fn(ctx, set, iter, &e->priv); > if (iter->err < 0) > goto out; > diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c > index 9944fe479e53..b7ea21327549 100644 > --- a/net/netfilter/nft_set_rbtree.c > +++ b/net/netfilter/nft_set_rbtree.c > @@ -532,7 +532,7 @@ static void nft_rbtree_activate(const struct net *net, > { > struct nft_rbtree_elem *rbe = nft_elem_priv_cast(elem_priv); > > - nft_set_elem_change_active(net, set, &rbe->ext); > + nft_clear(net, &rbe->ext); > } > > static void nft_rbtree_flush(const struct net *net, 
> @@ -600,8 +600,6 @@ static void nft_rbtree_walk(const struct nft_ctx *ctx, > > if (iter->count < iter->skip) > goto cont; > - if (!nft_set_elem_active(&rbe->ext, iter->genmask)) > - goto cont; > > iter->err = iter->fn(ctx, set, iter, &rbe->priv); > if (iter->err < 0) { > -- > 2.43.0 > > > -- > kernel-team mailing list > kernel-team at lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team This patch should be in reply to: [SRU][J/F][PATCH 0/1] CVE-2024-27012 -- Manuel -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: not available URL: From hannah.peuckmann at canonical.com Thu Aug 1 11:47:55 2024 
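Review bot: The context lines across this Jammy patch use `struct nft_elem_priv *elem_priv`, `nft_elem_priv_cast()` and `iter->fn(ctx, set, iter, &he->priv)`, which does not read like context adjusted for a tree the cover letter describes as missing 0e1ea651c9717dd ("netfilter: nf_tables: shrink memory consumption of set elements"); the Focal patch in this thread, described as missing the same commit, has `struct nft_set_elem *elem` and `elem.priv = he` in the same places. Please confirm this is the conflict-resolved version and that it applies to the Jammy tree with `git am`. The trailer also says "(cherry picked from commit ...)" although the cover letter reports fixed context conflicts, so a "(backported from commit ...)" line with a short bracketed note describing the adjustments would document what differs from upstream.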
From: hannah.peuckmann at canonical.com (Hannah Peuckmann)
Date: Thu, 1 Aug 2024 13:47:55 +0200
Subject: [SRU][J/F][PATCH 0/1] CVE-2024-27012
Message-ID: <20240801114757.50429-1-hannah.peuckmann@canonical.com>

[Impact]
The existing code in nf_tables has an issue where set elements are not properly restored when the delete set operation fails.

[Fix]
This patch ensures that all set elements are correctly handled during the delete operation, maintaining the integrity of the nf_tables.

Noble: done
Jammy: applied, fixed context conflicts
Focal: applied, fixed context conflicts
Bionic: not affected
Xenial: not affected
Trusty: not affected

Focal and Jammy are missing the following commit:
0e1ea651c9717dd ("netfilter: nf_tables: shrink memory consumption of set elements")

This introduced context conflicts in net/netfilter/nf_tables_api.c but
they aren't related to the fix and are relatively straightforward to resolve.

[Test Case]

Compiled and booted.

[Where problems could occur]

This fix affects those who use the nf_tables in netfilter. An issue with this fix could result in unexpected behaviour
or inconsistencies in the netfilter tables.

Pablo Neira Ayuso (1):
  netfilter: nf_tables: restore set elements when delete set fails

net/netfilter/nf_tables_api.c | 25 +++++++++++++++++++++++++
net/netfilter/nft_set_bitmap.c | 4 +---
net/netfilter/nft_set_hash.c | 8 ++------
net/netfilter/nft_set_rbtree.c | 4 +---
4 files changed, 29 insertions(+), 12 deletions(-)

--
2.43.0

From hannah.peuckmann at canonical.com Thu Aug 1 11:47:56 2024
From: hannah.peuckmann at canonical.com (Hannah Peuckmann)
Date: Thu, 1 Aug 2024 13:47:56 +0200
Subject: [SRU][F][PATCH 1/1] netfilter: nf_tables: restore set elements when delete set fails
In-Reply-To: <20240801114757.50429-1-hannah.peuckmann@canonical.com>
References: <20240801114757.50429-1-hannah.peuckmann@canonical.com>
Message-ID: <20240801114757.50429-2-hannah.peuckmann@canonical.com>
From: Pablo Neira Ayuso >From abort path, nft_mapelem_activate() needs to restore refcounters to the original state. Currently, it uses the set->ops->walk() to iterate over these set elements. The existing set iterator skips inactive elements in the next generation, this does not work from the abort path to restore the original state since it has to skip active elements instead (not inactive ones). This patch moves the check for inactive elements to the set iterator callback, then it reverses the logic for the .activate case which needs to skip active elements. Toggle next generation bit for elements when delete set command is invoked and call nft_clear() from .activate (abort) path to restore the next generation bit. The splat below shows an object in mappings memleak: [43929.457523] ------------[ cut here ]------------ [43929.457532] WARNING: CPU: 0 PID: 1139 at include/net/netfilter/nf_tables.h:1237 nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [...] [43929.458014] RIP: 0010:nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458076] Code: 83 f8 01 77 ab 49 8d 7c 24 08 e8 37 5e d0 de 49 8b 6c 24 08 48 8d 7d 50 e8 e9 5c d0 de 8b 45 50 8d 50 ff 89 55 50 85 c0 75 86 <0f> 0b eb 82 0f 0b eb b3 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 [43929.458081] RSP: 0018:ffff888140f9f4b0 EFLAGS: 00010246 [43929.458086] RAX: 0000000000000000 RBX: ffff8881434f5288 RCX: dffffc0000000000 [43929.458090] RDX: 00000000ffffffff RSI: ffffffffa26d28a7 RDI: ffff88810ecc9550 [43929.458093] RBP: ffff88810ecc9500 R08: 0000000000000001 R09: ffffed10281f3e8f [43929.458096] R10: 0000000000000003 R11: ffff0000ffff0000 R12: ffff8881434f52a0 [43929.458100] R13: ffff888140f9f5f4 R14: ffff888151c7a800 R15: 0000000000000002 [43929.458103] FS: 00007f0c687c4740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000 [43929.458107] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [43929.458111] CR2: 00007f58dbe5b008 CR3: 0000000123602005 CR4: 00000000001706f0 [43929.458114] Call Trace: 
[43929.458118] [43929.458121] ? __warn+0x9f/0x1a0 [43929.458127] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458188] ? report_bug+0x1b1/0x1e0 [43929.458196] ? handle_bug+0x3c/0x70 [43929.458200] ? exc_invalid_op+0x17/0x40 [43929.458211] ? nft_setelem_data_deactivate+0xd7/0xf0 [nf_tables] [43929.458271] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458332] nft_mapelem_deactivate+0x24/0x30 [nf_tables] [43929.458392] nft_rhash_walk+0xdd/0x180 [nf_tables] [43929.458453] ? __pfx_nft_rhash_walk+0x10/0x10 [nf_tables] [43929.458512] ? rb_insert_color+0x2e/0x280 [43929.458520] nft_map_deactivate+0xdc/0x1e0 [nf_tables] [43929.458582] ? __pfx_nft_map_deactivate+0x10/0x10 [nf_tables] [43929.458642] ? __pfx_nft_mapelem_deactivate+0x10/0x10 [nf_tables] [43929.458701] ? __rcu_read_unlock+0x46/0x70 [43929.458709] nft_delset+0xff/0x110 [nf_tables] [43929.458769] nft_flush_table+0x16f/0x460 [nf_tables] [43929.458830] nf_tables_deltable+0x501/0x580 [nf_tables] Fixes: 628bd3e49cba ("netfilter: nf_tables: drop map element references from preparation phase") Signed-off-by: Pablo Neira Ayuso CVE-2024-27012 (cherry picked from commit e79b47a8615d42c68aaeb68971593333667382ed linux-6.9.y) Signed-off-by: Hannah Peuckmann --- net/netfilter/nf_tables_api.c | 25 +++++++++++++++++++++++++ net/netfilter/nft_set_bitmap.c | 4 +--- net/netfilter/nft_set_hash.c | 8 ++------ net/netfilter/nft_set_rbtree.c | 4 +--- 4 files changed, 29 insertions(+), 12 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index b3209a856209..10e7d8e9df04 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c 
@@ -426,6 +426,12 @@ static int nft_mapelem_deactivate(const struct nft_ctx *ctx, const struct nft_set_iter *iter, struct nft_set_elem *elem) { + struct nft_set_ext *ext = nft_set_elem_ext(set, elem); + + if (!nft_set_elem_active(ext, iter->genmask)) + return 0; + + nft_set_elem_change_active(ctx->net, set, ext); nft_setelem_data_deactivate(ctx->net, set, elem); return 0; @@ -4055,6 +4061,8 @@ static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx, struct nft_set_elem *elem) { const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); + if (!nft_set_elem_active(ext, iter->genmask)) + return 0; enum nft_registers dreg; dreg = nft_type_to_reg(set->dtype); @@ -4128,6 +4136,13 @@ static int nft_mapelem_activate(const struct nft_ctx *ctx, const struct nft_set_iter *iter, struct nft_set_elem *elem) { + struct nft_set_ext *ext = nft_set_elem_ext(set, elem); + + /* called from abort path, reverse check to undo changes. */ + if (nft_set_elem_active(ext, iter->genmask)) + return 0; + + nft_clear(ctx->net, ext); nft_setelem_data_activate(ctx->net, set, elem); return 0; @@ -4370,6 +4385,9 @@ static int nf_tables_dump_setelem(const struct nft_ctx *ctx, const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); struct nft_set_dump_args *args; + if (!nft_set_elem_active(ext, iter->genmask)) + return 0; + if (nft_set_elem_expired(ext) || nft_set_elem_is_dead(ext)) return 0; @@ -5228,9 +5246,13 @@ static int nft_flush_set(const struct nft_ctx *ctx, const struct nft_set_iter *iter, struct nft_set_elem *elem) { + const struct nft_set_ext *ext = nft_set_elem_ext(set, elem); struct nft_trans *trans; int err; + if (!nft_set_elem_active(ext, iter->genmask)) + return 0; + trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM, sizeof(struct nft_trans_elem), GFP_ATOMIC); if (!trans) 
@@ -7860,6 +7882,9 @@ static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx, const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); const struct nft_data *data; + if (!nft_set_elem_active(ext, iter->genmask)) + return 0; + if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END) return 0; diff --git a/net/netfilter/nft_set_bitmap.c b/net/netfilter/nft_set_bitmap.c index b0f6b1490e1a..544835080fe2 100644 --- a/net/netfilter/nft_set_bitmap.c +++ b/net/netfilter/nft_set_bitmap.c @@ -170,7 +170,7 @@ static void nft_bitmap_activate(const struct net *net, nft_bitmap_location(set, nft_set_ext_key(&be->ext), &idx, &off); /* Enter 11 state. */ priv->bitmap[idx] |= (genmask << off); - nft_set_elem_change_active(net, set, &be->ext); + nft_clear(net, &be->ext); } static bool nft_bitmap_flush(const struct net *net, @@ -222,8 +222,6 @@ static void nft_bitmap_walk(const struct nft_ctx *ctx, list_for_each_entry_rcu(be, &priv->list, head) { if (iter->count < iter->skip) goto cont; - if (!nft_set_elem_active(&be->ext, iter->genmask)) - goto cont; elem.priv = be; diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c index 0581d5499c5a..7f49c6c37c94 100644 --- a/net/netfilter/nft_set_hash.c +++ b/net/netfilter/nft_set_hash.c @@ -191,7 +191,7 @@ static void nft_rhash_activate(const struct net *net, const struct nft_set *set, { struct nft_rhash_elem *he = elem->priv; - nft_set_elem_change_active(net, set, &he->ext); + nft_clear(net, &he->ext); } static bool nft_rhash_flush(const struct net *net, @@ -279,8 +279,6 @@ static void nft_rhash_walk(const struct nft_ctx *ctx, struct nft_set *set, if (iter->count < iter->skip) goto cont; - if (!nft_set_elem_active(&he->ext, iter->genmask)) - goto cont; elem.priv = he; 
@@ -573,7 +571,7 @@ static void nft_hash_activate(const struct net *net, const struct nft_set *set, { struct nft_hash_elem *he = elem->priv; - nft_set_elem_change_active(net, set, &he->ext); + nft_clear(net, &he->ext); } static bool nft_hash_flush(const struct net *net, @@ -627,8 +625,6 @@ static void nft_hash_walk(const struct nft_ctx *ctx, struct nft_set *set, hlist_for_each_entry_rcu(he, &priv->table[i], node) { if (iter->count < iter->skip) goto cont; - if (!nft_set_elem_active(&he->ext, iter->genmask)) - goto cont; elem.priv = he; diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c index f44473287079..ec322d818de0 100644 --- a/net/netfilter/nft_set_rbtree.c +++ b/net/netfilter/nft_set_rbtree.c @@ -529,7 +529,7 @@ static void nft_rbtree_activate(const struct net *net, { struct nft_rbtree_elem *rbe = elem->priv; - nft_set_elem_change_active(net, set, &rbe->ext); + nft_clear(net, &rbe->ext); } static bool nft_rbtree_flush(const struct net *net, @@ -598,8 +598,6 @@ static void nft_rbtree_walk(const struct nft_ctx *ctx, if (iter->count < iter->skip) goto cont; - if (!nft_set_elem_active(&rbe->ext, iter->genmask)) - goto cont; elem.priv = rbe; -- 2.43.0 From hannah.peuckmann at canonical.com Thu Aug 1 11:47:57 2024 From: hannah.peuckmann at canonical.com (Hannah Peuckmann) Date: Thu, 1 Aug 2024 13:47:57 +0200 Subject: [SRU][J][PATCH 1/1] netfilter: nf_tables: restore set elements when delete set fails In-Reply-To: <20240801114757.50429-1-hannah.peuckmann@canonical.com> References: <20240801114757.50429-1-hannah.peuckmann@canonical.com> Message-ID: <20240801114757.50429-3-hannah.peuckmann@canonical.com> 
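Review bot: In the nft_mapelem_deactivate(), nft_mapelem_activate() and nft_flush_set() hunks of the Focal patch, the added lines call `nft_set_elem_ext(set, elem)` with the `struct nft_set_elem *elem` argument itself, while the unchanged context in nf_tables_bind_check_setelem(), nf_tables_dump_setelem() and nf_tables_loop_check_setelem() in the same file passes `elem->priv`. If nft_set_elem_ext() expects the element's private pointer, as those context lines suggest, the three new call sites derive the extension area from the wrong address, and the genmask test plus `nft_set_elem_change_active()` / `nft_clear()` would then read and write memory that is not the element's extension. Please change them to `nft_set_elem_ext(set, elem->priv)` or explain why these callbacks differ; "Compiled and booted" would not exercise this path.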
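Review bot: In the nf_tables_bind_check_setelem() hunk of the Focal patch, the new `if (!nft_set_elem_active(ext, iter->genmask)) return 0;` sits between the `ext` declaration and `enum nft_registers dreg;`, which puts a statement inside the declaration block and drops the blank line that separates declarations from code. Move the check below `enum nft_registers dreg;`, with a blank line before it as in the nf_tables_dump_setelem() and nf_tables_loop_check_setelem() hunks, so the function keeps declarations first and does not trip a declaration-after-statement warning on builds that enable it.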
From: Pablo Neira Ayuso >From abort path, nft_mapelem_activate() needs to restore refcounters to the original state. Currently, it uses the set->ops->walk() to iterate over these set elements. The existing set iterator skips inactive elements in the next generation, this does not work from the abort path to restore the original state since it has to skip active elements instead (not inactive ones). This patch moves the check for inactive elements to the set iterator callback, then it reverses the logic for the .activate case which needs to skip active elements. Toggle next generation bit for elements when delete set command is invoked and call nft_clear() from .activate (abort) path to restore the next generation bit. The splat below shows an object in mappings memleak: [43929.457523] ------------[ cut here ]------------ [43929.457532] WARNING: CPU: 0 PID: 1139 at include/net/netfilter/nf_tables.h:1237 nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [...] [43929.458014] RIP: 0010:nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458076] Code: 83 f8 01 77 ab 49 8d 7c 24 08 e8 37 5e d0 de 49 8b 6c 24 08 48 8d 7d 50 e8 e9 5c d0 de 8b 45 50 8d 50 ff 89 55 50 85 c0 75 86 <0f> 0b eb 82 0f 0b eb b3 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 [43929.458081] RSP: 0018:ffff888140f9f4b0 EFLAGS: 00010246 [43929.458086] RAX: 0000000000000000 RBX: ffff8881434f5288 RCX: dffffc0000000000 [43929.458090] RDX: 00000000ffffffff RSI: ffffffffa26d28a7 RDI: ffff88810ecc9550 [43929.458093] RBP: ffff88810ecc9500 R08: 0000000000000001 R09: ffffed10281f3e8f [43929.458096] R10: 0000000000000003 R11: ffff0000ffff0000 R12: ffff8881434f52a0 [43929.458100] R13: ffff888140f9f5f4 R14: ffff888151c7a800 R15: 0000000000000002 [43929.458103] FS: 00007f0c687c4740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000 [43929.458107] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [43929.458111] CR2: 00007f58dbe5b008 CR3: 0000000123602005 CR4: 00000000001706f0 [43929.458114] Call Trace: 
[43929.458118] [43929.458121] ? __warn+0x9f/0x1a0 [43929.458127] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458188] ? report_bug+0x1b1/0x1e0 [43929.458196] ? handle_bug+0x3c/0x70 [43929.458200] ? exc_invalid_op+0x17/0x40 [43929.458211] ? nft_setelem_data_deactivate+0xd7/0xf0 [nf_tables] [43929.458271] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458332] nft_mapelem_deactivate+0x24/0x30 [nf_tables] [43929.458392] nft_rhash_walk+0xdd/0x180 [nf_tables] [43929.458453] ? __pfx_nft_rhash_walk+0x10/0x10 [nf_tables] [43929.458512] ? rb_insert_color+0x2e/0x280 [43929.458520] nft_map_deactivate+0xdc/0x1e0 [nf_tables] [43929.458582] ? __pfx_nft_map_deactivate+0x10/0x10 [nf_tables] [43929.458642] ? __pfx_nft_mapelem_deactivate+0x10/0x10 [nf_tables] [43929.458701] ? __rcu_read_unlock+0x46/0x70 [43929.458709] nft_delset+0xff/0x110 [nf_tables] [43929.458769] nft_flush_table+0x16f/0x460 [nf_tables] [43929.458830] nf_tables_deltable+0x501/0x580 [nf_tables] Fixes: 628bd3e49cba ("netfilter: nf_tables: drop map element references from preparation phase") Signed-off-by: Pablo Neira Ayuso CVE-2024-27012 (cherry picked from commit e79b47a8615d42c68aaeb68971593333667382ed linux-6.9.y) Signed-off-by: Hannah Peuckmann --- net/netfilter/nf_tables_api.c | 44 ++++++++++++++++++++++++++++++---- net/netfilter/nft_set_bitmap.c | 4 +--- net/netfilter/nft_set_hash.c | 8 ++----- net/netfilter/nft_set_pipapo.c | 5 +--- net/netfilter/nft_set_rbtree.c | 4 +--- 5 files changed, 45 insertions(+), 20 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index a7a34db62ea9..d0c09f899e80 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c 
@@ -594,6 +594,12 @@ static int nft_mapelem_deactivate(const struct nft_ctx *ctx, const struct nft_set_iter *iter, struct nft_elem_priv *elem_priv) { + struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); + + if (!nft_set_elem_active(ext, iter->genmask)) + return 0; + + nft_set_elem_change_active(ctx->net, set, ext); nft_setelem_data_deactivate(ctx->net, set, elem_priv); return 0; @@ -617,6 +623,7 @@ static void nft_map_catchall_deactivate(const struct nft_ctx *ctx, if (!nft_set_elem_active(ext, genmask)) continue; + nft_set_elem_change_active(ctx->net, set, ext); nft_setelem_data_deactivate(ctx->net, set, catchall->elem); break; } @@ -3880,6 +3887,9 @@ int nft_setelem_validate(const struct nft_ctx *ctx, struct nft_set *set, const struct nft_data *data; int err; + if (!nft_set_elem_active(ext, iter->genmask)) + return 0; + if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END) return 0; @@ -3903,17 +3913,20 @@ int nft_setelem_validate(const struct nft_ctx *ctx, struct nft_set *set, int nft_set_catchall_validate(const struct nft_ctx *ctx, struct nft_set *set) { - u8 genmask = nft_genmask_next(ctx->net); + struct nft_set_iter dummy_iter = { + .genmask = nft_genmask_next(ctx->net), + }; struct nft_set_elem_catchall *catchall; + struct nft_set_ext *ext; int ret = 0; list_for_each_entry_rcu(catchall, &set->catchall_list, list) { ext = nft_set_elem_ext(set, catchall->elem); - if (!nft_set_elem_active(ext, genmask)) + if (!nft_set_elem_active(ext, dummy_iter.genmask)) continue; - ret = nft_setelem_validate(ctx, set, NULL, catchall->elem); + ret = nft_setelem_validate(ctx, set, &dummy_iter, catchall->elem); if (ret < 0) return ret; } 
@@ -5402,6 +5415,11 @@ static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx, const struct nft_set_iter *iter, struct nft_elem_priv *elem_priv) { + const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); + + if (!nft_set_elem_active(ext, iter->genmask)) + return 0; + return nft_setelem_data_validate(ctx, set, elem_priv); } @@ -5494,6 +5512,13 @@ static int nft_mapelem_activate(const struct nft_ctx *ctx, const struct nft_set_iter *iter, struct nft_elem_priv *elem_priv) { + struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); + + /* called from abort path, reverse check to undo changes. */ + if (nft_set_elem_active(ext, iter->genmask)) + return 0; + + nft_clear(ctx->net, ext); nft_setelem_data_activate(ctx->net, set, elem_priv); return 0; @@ -5511,6 +5536,7 @@ static void nft_map_catchall_activate(const struct nft_ctx *ctx, if (!nft_set_elem_active(ext, genmask)) continue; + nft_clear(ctx->net, ext); nft_setelem_data_activate(ctx->net, set, catchall->elem); break; } @@ -5785,6 +5811,9 @@ static int nf_tables_dump_setelem(const struct nft_ctx *ctx, const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); struct nft_set_dump_args *args; + if (!nft_set_elem_active(ext, iter->genmask)) + return 0; + if (nft_set_elem_expired(ext) || nft_set_elem_is_dead(ext)) return 0; @@ -6635,7 +6664,7 @@ static void nft_setelem_activate(struct net *net, struct nft_set *set, struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); if (nft_setelem_is_catchall(set, elem_priv)) { - nft_set_elem_change_active(net, set, ext); + nft_clear(net, ext); } else { set->ops->activate(net, set, elem_priv); } 
@@ -7317,8 +7346,12 @@ static int nft_setelem_flush(const struct nft_ctx *ctx, const struct nft_set_iter *iter, struct nft_elem_priv *elem_priv) { + const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); struct nft_trans *trans; + if (!nft_set_elem_active(ext, iter->genmask)) + return 0; + trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM, sizeof(struct nft_trans_elem), GFP_ATOMIC); if (!trans) @@ -10800,6 +10833,9 @@ static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx, { const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); + if (!nft_set_elem_active(ext, iter->genmask)) + return 0; + if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END) return 0; diff --git a/net/netfilter/nft_set_bitmap.c b/net/netfilter/nft_set_bitmap.c index 32df7a16835d..1caa04619dc6 100644 --- a/net/netfilter/nft_set_bitmap.c +++ b/net/netfilter/nft_set_bitmap.c @@ -172,7 +172,7 @@ static void nft_bitmap_activate(const struct net *net, nft_bitmap_location(set, nft_set_ext_key(&be->ext), &idx, &off); /* Enter 11 state. */ priv->bitmap[idx] |= (genmask << off); - nft_set_elem_change_active(net, set, &be->ext); + nft_clear(net, &be->ext); } static void nft_bitmap_flush(const struct net *net, @@ -222,8 +222,6 @@ static void nft_bitmap_walk(const struct nft_ctx *ctx, list_for_each_entry_rcu(be, &priv->list, head) { if (iter->count < iter->skip) goto cont; - if (!nft_set_elem_active(&be->ext, iter->genmask)) - goto cont; iter->err = iter->fn(ctx, set, iter, &be->priv); diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c index 6968a3b34236..daa56dda737a 100644 --- a/net/netfilter/nft_set_hash.c +++ b/net/netfilter/nft_set_hash.c 
@@ -199,7 +199,7 @@ static void nft_rhash_activate(const struct net *net, const struct nft_set *set, { struct nft_rhash_elem *he = nft_elem_priv_cast(elem_priv); - nft_set_elem_change_active(net, set, &he->ext); + nft_clear(net, &he->ext); } static void nft_rhash_flush(const struct net *net, @@ -286,8 +286,6 @@ static void nft_rhash_walk(const struct nft_ctx *ctx, struct nft_set *set, if (iter->count < iter->skip) goto cont; - if (!nft_set_elem_active(&he->ext, iter->genmask)) - goto cont; iter->err = iter->fn(ctx, set, iter, &he->priv); if (iter->err < 0) @@ -599,7 +597,7 @@ static void nft_hash_activate(const struct net *net, const struct nft_set *set, { struct nft_hash_elem *he = nft_elem_priv_cast(elem_priv); - nft_set_elem_change_active(net, set, &he->ext); + nft_clear(net, &he->ext); } static void nft_hash_flush(const struct net *net, @@ -652,8 +650,6 @@ static void nft_hash_walk(const struct nft_ctx *ctx, struct nft_set *set, hlist_for_each_entry_rcu(he, &priv->table[i], node) { if (iter->count < iter->skip) goto cont; - if (!nft_set_elem_active(&he->ext, iter->genmask)) - goto cont; iter->err = iter->fn(ctx, set, iter, &he->priv); if (iter->err < 0) diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c index 0f903d18bbea..187138afac45 100644 --- a/net/netfilter/nft_set_pipapo.c +++ b/net/netfilter/nft_set_pipapo.c @@ -1847,7 +1847,7 @@ static void nft_pipapo_activate(const struct net *net, { struct nft_pipapo_elem *e = nft_elem_priv_cast(elem_priv); - nft_set_elem_change_active(net, set, &e->ext); + nft_clear(net, &e->ext); } /** @@ -2149,9 +2149,6 @@ static void nft_pipapo_walk(const struct nft_ctx *ctx, struct nft_set *set, e = f->mt[r].e; - if (!nft_set_elem_active(&e->ext, iter->genmask)) - goto cont; - iter->err = iter->fn(ctx, set, iter, &e->priv); if (iter->err < 0) goto out; diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c index 9944fe479e53..b7ea21327549 100644 --- a/net/netfilter/nft_set_rbtree.c 
+++ b/net/netfilter/nft_set_rbtree.c @@ -532,7 +532,7 @@ static void nft_rbtree_activate(const struct net *net, { struct nft_rbtree_elem *rbe = nft_elem_priv_cast(elem_priv); - nft_set_elem_change_active(net, set, &rbe->ext); + nft_clear(net, &rbe->ext); } static void nft_rbtree_flush(const struct net *net, @@ -600,8 +600,6 @@ static void nft_rbtree_walk(const struct nft_ctx *ctx, if (iter->count < iter->skip) goto cont; - if (!nft_set_elem_active(&rbe->ext, iter->genmask)) - goto cont; iter->err = iter->fn(ctx, set, iter, &rbe->priv); if (iter->err < 0) { -- 2.43.0 From roxana.nicolescu at canonical.com Thu Aug 1 13:45:48 2024 
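Review bot: nft_map_catchall_activate (hunk @@ -5511,6 +5536,7) still skips elements with "if (!nft_set_elem_active(ext, genmask)) continue;", while nft_mapelem_activate (hunk @@ -5494,6 +5512,13) reverses that test for the abort path. Since nft_map_catchall_deactivate now toggles the next-generation bit through nft_set_elem_change_active(), please confirm which genmask the catchall activate loop uses and that it can still reach the new nft_clear() call for a catchall element that was just deactivated. If the asymmetry is intentional, a comment next to the check, like the one added in nft_mapelem_activate, would make that clear.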
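Review bot: the ->walk() hunks in nft_set_bitmap.c, nft_set_hash.c, nft_set_pipapo.c and nft_set_rbtree.c drop the nft_set_elem_active(..., iter->genmask) filter, so every iter->fn callback now sees inactive elements and has to filter them itself. The patch adds that check to the callbacks it touches in nf_tables_api.c; for a backport, please list in the commit message which iter->fn callbacks exist in the target tree and confirm each one carries the check, since a callback missed here would start acting on elements the iterator used to hide from it.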
From: roxana.nicolescu at canonical.com (Roxana Nicolescu)
Date: Thu, 1 Aug 2024 15:45:48 +0200
Subject: [SRU][J:linux/J:hwe-6.8][PATCH 0/1] Fix virtualbox regression
Message-ID: <20240801134549.91291-1-roxana.nicolescu@canonical.com>

BugLink: https://bugs.launchpad.net/bugs/2073267

SRU Justification:

[Impact]

Commit "randomize_kstack: Improve entropy diffusion" changed the
kernel stack for entropy to 1KiB, limiting the thread kernel stack to
15KiB. This impacts virtualbox 6.1.50 on jammy, that is no longer
maintained upstream. The issue does not persist on version 7.0.20 due to a
code refactoring that probably resulted in less stack usage. Fixing it on
the jammy virtualbox package side is not straightforward because the fix is
not easy to backport to 6.x and upgrading the jammy package to 7.x breaks
current users' machines that run Windows, but not only.
Users need to uninstall the Guest additions drivers, migrate the
virtualbox package to 7.x, boot each VM and install the Guest additions
drivers in each VM.

This impacts:
1. jammy:linux
2. jammy:linux-hwe-6.8
3. focal:linux-hwe-5.15

[Fix]

Revert commit "randomize_kstack: Improve entropy diffusion"

[Test Plan]

Without this fix, a VM would crash, showing with "VCPU0: Guru
Meditation -2708 (VERR_VMM_SET_JMP_ABORTED_RESUME)".
After the kernel upgrade, all VMs should run with no problem.

[Where problems could occur]
This may have an impact on security. The commit is a fix to improve the
stack entropy.

[Other info]
This is a temporary fix. More investigation is required.

Roxana Nicolescu (1):
  UBUNTU SAUCE: Revert "randomize_kstack: Improve entropy diffusion"

 include/linux/randomize_kstack.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--
2.34.1

From roxana.nicolescu at canonical.com Thu Aug 1 13:45:49 2024
From: roxana.nicolescu at canonical.com (Roxana Nicolescu)
Date: Thu, 1 Aug 2024 15:45:49 +0200
Subject: [SRU][J:linux/J:hwe-6.8][PATCH 1/1] UBUNTU SAUCE: Revert "randomize_kstack: Improve entropy diffusion"
In-Reply-To: <20240801134549.91291-1-roxana.nicolescu@canonical.com>
References: <20240801134549.91291-1-roxana.nicolescu@canonical.com>
Message-ID: <20240801134549.91291-2-roxana.nicolescu@canonical.com>

BugLink: https://bugs.launchpad.net/bugs/2073267

This reverts "randomize_kstack: Improve entropy diffusion" that changed the kernel stack for entropy to 1KiB, limiting the thread kernel stack to 15KiB. This impacts virtualbox 6.1.50 on jammy, that is no longer maintained upstream. The issue does not persist on version 7.0.20 due to a code refactoring that probably resulted in less stack usage. Fixing it on the jammy virtualbox package side is not straightforward because the fix is not easy to backport to 6.x and upgrading the jammy package to 7.x breaks current users' machines. This is a temporary solution needed due to the impact, more investigation is required.

Signed-off-by: Roxana Nicolescu

--- include/linux/randomize_kstack.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/linux/randomize_kstack.h b/include/linux/randomize_kstack.h index 5d52d15faee0c..d373f1bcbf7ca 100644 --- a/include/linux/randomize_kstack.h +++ b/include/linux/randomize_kstack.h @@ -58,7 +58,7 @@ DECLARE_PER_CPU(u32, kstack_offset); if (static_branch_maybe(CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT, \ &randomize_kstack_offset)) { \ u32 offset = raw_cpu_read(kstack_offset); \ - offset = ror32(offset, 5) ^ (rand); \ + offset ^= (rand); \ raw_cpu_write(kstack_offset, offset); \ } \ } while (0) -- 2.34.1

From stefan.bader at canonical.com Thu Aug 1 13:50:04 2024
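Review bot: the commit message identifies the reverted change only by its title, and the hunk at @@ -58,7 +58,7 changes just the mixing step ("offset = ror32(offset, 5) ^ (rand);" back to "offset ^= (rand);"), not any size constant. Please add the reverted commit's hash in the usual "This reverts commit ..." form, a sentence on how dropping the rotation brings kernel stack usage back down, and a line stating that the revert gives up the entropy diffusion the original commit added, so the SAUCE patch can be found and dropped once the virtualbox side is resolved.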
From: stefan.bader at canonical.com (Stefan Bader)
Date: Thu, 1 Aug 2024 15:50:04 +0200
Subject: ACK: [SRU][J:linux/J:hwe-6.8][PATCH 0/1] Fix virtualbox regression
In-Reply-To: <20240801134549.91291-1-roxana.nicolescu@canonical.com>
References: <20240801134549.91291-1-roxana.nicolescu@canonical.com>
Message-ID: <1e6b5e6e-d928-4442-b7cc-593c81cc1dbc@canonical.com>

On 01.08.24 15:45, Roxana Nicolescu wrote:
> BugLink: https://bugs.launchpad.net/bugs/2073267
>
> SRU Justification:
>
> [Impact]
>
> Commit "randomize_kstack: Improve entropy diffusion" changed the
> kernel stack for entropy to 1KiB, limiting the thread kernel stack to
> 15KiB. This impacts virtualbox 6.1.50 on jammy, that is no longer
> maintained upstream. The issue does not persist on version 7.0.20 due to a
> code refactoring that probably resulted in less stack usage. Fixing it on
> the jammy virtualbox package side is not straightforward because the fix is
> not easy to backport to 6.x and upgrading the jammy package to 7.x breaks
> current users' machines that run Windows, but not only.
> Users need to uninstall the Guest additions drivers, migrate the
> virtualbox package to 7.x, boot each VM and install the Guest additions
> drivers in each VM.
>
> This impacts:
> 1. jammy:linux
> 2. jammy:linux-hwe-6.8
> 3. focal:linux-hwe-5.15
>
> [Fix]
>
> Revert commit "randomize_kstack: Improve entropy diffusion"
>
> [Test Plan]
>
> Without this fix, a VM would crash, showing with "VCPU0: Guru
> Meditation -2708 (VERR_VMM_SET_JMP_ABORTED_RESUME)".
> After the kernel upgrade, all VMs should run with no problem.
>
> [Where problems could occur]
> This may have an impact on security. The commit is a fix to improve the
> stack entropy.
>
> [Other info]
> This is a temporary fix. More investigation is required.
>
> Roxana Nicolescu (1):
>   UBUNTU SAUCE: Revert "randomize_kstack: Improve entropy diffusion"
>
>  include/linux/randomize_kstack.h | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>

Acked-by: Stefan Bader

From thibault.ferrante at canonical.com Thu Aug 1 14:06:24 2024
From: thibault.ferrante at canonical.com (Thibault Ferrante)
Date: Thu, 1 Aug 2024 16:06:24 +0200
Subject: ACK: [SRU][J:linux/J:hwe-6.8][PATCH 0/1] Fix virtualbox regression
In-Reply-To: <20240801134549.91291-1-roxana.nicolescu@canonical.com>
References: <20240801134549.91291-1-roxana.nicolescu@canonical.com>
Message-ID:

On 01-08-2024 15:45, Roxana Nicolescu wrote:
> BugLink: https://bugs.launchpad.net/bugs/2073267
>
> SRU Justification:
>
> [Impact]
>
> Commit "randomize_kstack: Improve entropy diffusion" changed the
> kernel stack for entropy to 1KiB, limiting the thread kernel stack to
> 15KiB. This impacts virtualbox 6.1.50 on jammy, that is no longer
> maintained upstream. The issue does not persist on version 7.0.20 due to a
> code refactoring that probably resulted in less stack usage. Fixing it on
> the jammy virtualbox package side is not straightforward because the fix is
> not easy to backport to 6.x and upgrading the jammy package to 7.x breaks
> current users' machines that run Windows, but not only.
> Users need to uninstall the Guest additions drivers, migrate the
> virtualbox package to 7.x, boot each VM and install the Guest additions
> drivers in each VM.
>
> This impacts:
> 1. jammy:linux
> 2. jammy:linux-hwe-6.8
> 3. focal:linux-hwe-5.15
>
> [Fix]
>
> Revert commit "randomize_kstack: Improve entropy diffusion"
>
> [Test Plan]
>
> Without this fix, a VM would crash, showing with "VCPU0: Guru
> Meditation -2708 (VERR_VMM_SET_JMP_ABORTED_RESUME)".
> After the kernel upgrade, all VMs should run with no problem.
>
> [Where problems could occur]
> This may have an impact on security. The commit is a fix to improve the
> stack entropy.
>
> [Other info]
> This is a temporary fix. More investigation is required.
>
> Roxana Nicolescu (1):
>   UBUNTU SAUCE: Revert "randomize_kstack: Improve entropy diffusion"
>
>  include/linux/randomize_kstack.h | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>

Acked-by: Thibault Ferrante

--
Thibault

From manuel.diewald at canonical.com Thu Aug 1 14:20:34 2024
From: manuel.diewald at canonical.com (Manuel Diewald)
Date: Thu, 1 Aug 2024 16:20:34 +0200
Subject: NACK/Cmnt: [SRU][J][PATCH 1/1] netfilter: nf_tables: restore set elements when delete set fails
In-Reply-To: <20240801114757.50429-3-hannah.peuckmann@canonical.com>
References: <20240801114757.50429-1-hannah.peuckmann@canonical.com> <20240801114757.50429-3-hannah.peuckmann@canonical.com>
Message-ID: <20240801142034.sh5q4c75brfwmher@wintermute.fritz.box>

On Thu, Aug 01, 2024 at 01:47:57PM +0200, Hannah Peuckmann wrote:
> From: Pablo Neira Ayuso > > From abort path, nft_mapelem_activate() needs to restore refcounters to > the original state. Currently, it uses the set->ops->walk() to iterate > over these set elements. The existing set iterator skips inactive > elements in the next generation, this does not work from the abort path > to restore the original state since it has to skip active elements > instead (not inactive ones). > > This patch moves the check for inactive elements to the set iterator > callback, then it reverses the logic for the .activate case which > needs to skip active elements. > > Toggle next generation bit for elements when delete set command is > invoked and call nft_clear() from .activate (abort) path to restore the > next generation bit. > > The splat below shows an object in mappings memleak: > > [43929.457523] ------------[ cut here ]------------ > [43929.457532] WARNING: CPU: 0 PID: 1139 at include/net/netfilter/nf_tables.h:1237 nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] > [...] 
> [43929.458014] RIP: 0010:nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] > [43929.458076] Code: 83 f8 01 77 ab 49 8d 7c 24 08 e8 37 5e d0 de 49 8b 6c 24 08 48 8d 7d 50 e8 e9 5c d0 de 8b 45 50 8d 50 ff 89 55 50 85 c0 75 86 <0f> 0b eb 82 0f 0b eb b3 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 > [43929.458081] RSP: 0018:ffff888140f9f4b0 EFLAGS: 00010246 > [43929.458086] RAX: 0000000000000000 RBX: ffff8881434f5288 RCX: dffffc0000000000 > [43929.458090] RDX: 00000000ffffffff RSI: ffffffffa26d28a7 RDI: ffff88810ecc9550 > [43929.458093] RBP: ffff88810ecc9500 R08: 0000000000000001 R09: ffffed10281f3e8f > [43929.458096] R10: 0000000000000003 R11: ffff0000ffff0000 R12: ffff8881434f52a0 > [43929.458100] R13: ffff888140f9f5f4 R14: ffff888151c7a800 R15: 0000000000000002 > [43929.458103] FS: 00007f0c687c4740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000 > [43929.458107] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > [43929.458111] CR2: 00007f58dbe5b008 CR3: 0000000123602005 CR4: 00000000001706f0 > [43929.458114] Call Trace: > [43929.458118] > [43929.458121] ? __warn+0x9f/0x1a0 > [43929.458127] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] > [43929.458188] ? report_bug+0x1b1/0x1e0 > [43929.458196] ? handle_bug+0x3c/0x70 > [43929.458200] ? exc_invalid_op+0x17/0x40 > [43929.458211] ? nft_setelem_data_deactivate+0xd7/0xf0 [nf_tables] > [43929.458271] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] > [43929.458332] nft_mapelem_deactivate+0x24/0x30 [nf_tables] > [43929.458392] nft_rhash_walk+0xdd/0x180 [nf_tables] > [43929.458453] ? __pfx_nft_rhash_walk+0x10/0x10 [nf_tables] > [43929.458512] ? rb_insert_color+0x2e/0x280 > [43929.458520] nft_map_deactivate+0xdc/0x1e0 [nf_tables] > [43929.458582] ? __pfx_nft_map_deactivate+0x10/0x10 [nf_tables] > [43929.458642] ? __pfx_nft_mapelem_deactivate+0x10/0x10 [nf_tables] > [43929.458701] ? 
__rcu_read_unlock+0x46/0x70 > [43929.458709] nft_delset+0xff/0x110 [nf_tables] > [43929.458769] nft_flush_table+0x16f/0x460 [nf_tables] > [43929.458830] nf_tables_deltable+0x501/0x580 [nf_tables] > > Fixes: 628bd3e49cba ("netfilter: nf_tables: drop map element references from preparation phase") > Signed-off-by: Pablo Neira Ayuso > > CVE-2024-27012 Nitpick: We usually place the CVE number right before your sign-off line, so as the second to last line of the commit message. > (cherry picked from commit e79b47a8615d42c68aaeb68971593333667382ed linux-6.9.y) Since you had to adjust context manually, this is not a clean cherry-pick. In that case we usually replace 'cherry picked from' with 'backported from' to make it clear that manual intervention was necessary. Whenever the patch is a backport and not a clean cherry-pick, we follow up the '(backported from commit ...)' line with a comment describing the adjustments we had to make, in this case I would for example leave a similar note to this: [diewald: context adjustments in nf_tables_api.c and nft_set_pipapo] Feel free to include a more detailed description, of course. Please also fix this in the focal patch. > Signed-off-by: Hannah Peuckmann > --- > net/netfilter/nf_tables_api.c | 44 ++++++++++++++++++++++++++++++---- > net/netfilter/nft_set_bitmap.c | 4 +--- > net/netfilter/nft_set_hash.c | 8 ++----- > net/netfilter/nft_set_pipapo.c | 5 +--- > net/netfilter/nft_set_rbtree.c | 4 +--- > 5 files changed, 45 insertions(+), 20 deletions(-) > > diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c > index a7a34db62ea9..d0c09f899e80 100644 > --- a/net/netfilter/nf_tables_api.c > +++ b/net/netfilter/nf_tables_api.c 
> @@ -594,6 +594,12 @@ static int nft_mapelem_deactivate(const struct nft_ctx *ctx, > const struct nft_set_iter *iter, > struct nft_elem_priv *elem_priv) > { > + struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); > + > + if (!nft_set_elem_active(ext, iter->genmask)) > + return 0; > + > + nft_set_elem_change_active(ctx->net, set, ext); > nft_setelem_data_deactivate(ctx->net, set, elem_priv); > > return 0; > @@ -617,6 +623,7 @@ static void nft_map_catchall_deactivate(const struct nft_ctx *ctx, > if (!nft_set_elem_active(ext, genmask)) > continue; > > + nft_set_elem_change_active(ctx->net, set, ext); > nft_setelem_data_deactivate(ctx->net, set, catchall->elem); > break; > } > @@ -3880,6 +3887,9 @@ int nft_setelem_validate(const struct nft_ctx *ctx, struct nft_set *set, > const struct nft_data *data; > int err; > > + if (!nft_set_elem_active(ext, iter->genmask)) > + return 0; > + > if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && > *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END) > return 0; > @@ -3903,17 +3913,20 @@ int nft_setelem_validate(const struct nft_ctx *ctx, struct nft_set *set, > > int nft_set_catchall_validate(const struct nft_ctx *ctx, struct nft_set *set) > { > - u8 genmask = nft_genmask_next(ctx->net); > + struct nft_set_iter dummy_iter = { > + .genmask = nft_genmask_next(ctx->net), > + }; > struct nft_set_elem_catchall *catchall; > + > struct nft_set_ext *ext; > int ret = 0; > > list_for_each_entry_rcu(catchall, &set->catchall_list, list) { > ext = nft_set_elem_ext(set, catchall->elem); > - if (!nft_set_elem_active(ext, genmask)) > + if (!nft_set_elem_active(ext, dummy_iter.genmask)) > continue; > > - ret = nft_setelem_validate(ctx, set, NULL, catchall->elem); > + ret = nft_setelem_validate(ctx, set, &dummy_iter, catchall->elem); > if (ret < 0) > return ret; > } 
> @@ -5402,6 +5415,11 @@ static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx, > const struct nft_set_iter *iter, > struct nft_elem_priv *elem_priv) > { > + const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); > + > + if (!nft_set_elem_active(ext, iter->genmask)) > + return 0; > + > return nft_setelem_data_validate(ctx, set, elem_priv); > } > > @@ -5494,6 +5512,13 @@ static int nft_mapelem_activate(const struct nft_ctx *ctx, > const struct nft_set_iter *iter, > struct nft_elem_priv *elem_priv) > { > + struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); > + > + /* called from abort path, reverse check to undo changes. */ > + if (nft_set_elem_active(ext, iter->genmask)) > + return 0; > + > + nft_clear(ctx->net, ext); > nft_setelem_data_activate(ctx->net, set, elem_priv); > > return 0; > @@ -5511,6 +5536,7 @@ static void nft_map_catchall_activate(const struct nft_ctx *ctx, > if (!nft_set_elem_active(ext, genmask)) > continue; > > + nft_clear(ctx->net, ext); > nft_setelem_data_activate(ctx->net, set, catchall->elem); > break; > } > @@ -5785,6 +5811,9 @@ static int nf_tables_dump_setelem(const struct nft_ctx *ctx, > const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); > struct nft_set_dump_args *args; > > + if (!nft_set_elem_active(ext, iter->genmask)) > + return 0; > + > if (nft_set_elem_expired(ext) || nft_set_elem_is_dead(ext)) > return 0; > > @@ -6635,7 +6664,7 @@ static void nft_setelem_activate(struct net *net, struct nft_set *set, > struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); > > if (nft_setelem_is_catchall(set, elem_priv)) { > - nft_set_elem_change_active(net, set, ext); > + nft_clear(net, ext); > } else { > set->ops->activate(net, set, elem_priv); > } 
> @@ -7317,8 +7346,12 @@ static int nft_setelem_flush(const struct nft_ctx *ctx, > const struct nft_set_iter *iter, > struct nft_elem_priv *elem_priv) > { > + const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); > struct nft_trans *trans; > > + if (!nft_set_elem_active(ext, iter->genmask)) > + return 0; > + > trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM, > sizeof(struct nft_trans_elem), GFP_ATOMIC); > if (!trans) > @@ -10800,6 +10833,9 @@ static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx, > { > const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv); > > + if (!nft_set_elem_active(ext, iter->genmask)) > + return 0; > + > if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && > *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END) > return 0; > diff --git a/net/netfilter/nft_set_bitmap.c b/net/netfilter/nft_set_bitmap.c > index 32df7a16835d..1caa04619dc6 100644 > --- a/net/netfilter/nft_set_bitmap.c > +++ b/net/netfilter/nft_set_bitmap.c > @@ -172,7 +172,7 @@ static void nft_bitmap_activate(const struct net *net, > nft_bitmap_location(set, nft_set_ext_key(&be->ext), &idx, &off); > /* Enter 11 state. */ > priv->bitmap[idx] |= (genmask << off); > - nft_set_elem_change_active(net, set, &be->ext); > + nft_clear(net, &be->ext); > } > > static void nft_bitmap_flush(const struct net *net, > @@ -222,8 +222,6 @@ static void nft_bitmap_walk(const struct nft_ctx *ctx, > list_for_each_entry_rcu(be, &priv->list, head) { > if (iter->count < iter->skip) > goto cont; > - if (!nft_set_elem_active(&be->ext, iter->genmask)) > - goto cont; > > iter->err = iter->fn(ctx, set, iter, &be->priv); > > diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c > index 6968a3b34236..daa56dda737a 100644 > --- a/net/netfilter/nft_set_hash.c > +++ b/net/netfilter/nft_set_hash.c 
> @@ -199,7 +199,7 @@ static void nft_rhash_activate(const struct net *net, const struct nft_set *set, > { > struct nft_rhash_elem *he = nft_elem_priv_cast(elem_priv); > > - nft_set_elem_change_active(net, set, &he->ext); > + nft_clear(net, &he->ext); > } > > static void nft_rhash_flush(const struct net *net, > @@ -286,8 +286,6 @@ static void nft_rhash_walk(const struct nft_ctx *ctx, struct nft_set *set, > > if (iter->count < iter->skip) > goto cont; > - if (!nft_set_elem_active(&he->ext, iter->genmask)) > - goto cont; > > iter->err = iter->fn(ctx, set, iter, &he->priv); > if (iter->err < 0) > @@ -599,7 +597,7 @@ static void nft_hash_activate(const struct net *net, const struct nft_set *set, > { > struct nft_hash_elem *he = nft_elem_priv_cast(elem_priv); > > - nft_set_elem_change_active(net, set, &he->ext); > + nft_clear(net, &he->ext); > } > > static void nft_hash_flush(const struct net *net, > @@ -652,8 +650,6 @@ static void nft_hash_walk(const struct nft_ctx *ctx, struct nft_set *set, > hlist_for_each_entry_rcu(he, &priv->table[i], node) { > if (iter->count < iter->skip) > goto cont; > - if (!nft_set_elem_active(&he->ext, iter->genmask)) > - goto cont; > > iter->err = iter->fn(ctx, set, iter, &he->priv); > if (iter->err < 0) > diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c > index 0f903d18bbea..187138afac45 100644 > --- a/net/netfilter/nft_set_pipapo.c > +++ b/net/netfilter/nft_set_pipapo.c > @@ -1847,7 +1847,7 @@ static void nft_pipapo_activate(const struct net *net, > { > struct nft_pipapo_elem *e = nft_elem_priv_cast(elem_priv); > > - nft_set_elem_change_active(net, set, &e->ext); > + nft_clear(net, &e->ext); > } > > /** > @@ -2149,9 +2149,6 @@ static void nft_pipapo_walk(const struct nft_ctx *ctx, struct nft_set *set, > > e = f->mt[r].e; > > - if (!nft_set_elem_active(&e->ext, iter->genmask)) > - goto cont; > - > iter->err = iter->fn(ctx, set, iter, &e->priv); > if (iter->err < 0) > goto out; 
> diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c > index 9944fe479e53..b7ea21327549 100644 > --- a/net/netfilter/nft_set_rbtree.c > +++ b/net/netfilter/nft_set_rbtree.c > @@ -532,7 +532,7 @@ static void nft_rbtree_activate(const struct net *net, > { > struct nft_rbtree_elem *rbe = nft_elem_priv_cast(elem_priv); > > - nft_set_elem_change_active(net, set, &rbe->ext); > + nft_clear(net, &rbe->ext); > } > > static void nft_rbtree_flush(const struct net *net, > @@ -600,8 +600,6 @@ static void nft_rbtree_walk(const struct nft_ctx *ctx, > > if (iter->count < iter->skip) > goto cont; > - if (!nft_set_elem_active(&rbe->ext, iter->genmask)) > - goto cont; > > iter->err = iter->fn(ctx, set, iter, &rbe->priv); > if (iter->err < 0) { > -- > 2.43.0 > > > -- > kernel-team mailing list > kernel-team at lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team The jammy patch did not apply to jammy:linux/master-next for me. When comparing to the upstream commit, it looks like the patch is identical. Did you accidentally submit a version without your context adjustments? More comments inline. -- Manuel From manuel.diewald at canonical.com Thu Aug 1 14:23:47 2024
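Review bot: the context lines of these hunks assume the "struct nft_elem_priv *elem_priv" callback signature and nft_elem_priv_cast() (for example at @@ -594,6 +594,12 in nf_tables_api.c and @@ -199,7 +199,7 in nft_set_hash.c), so the hunks only apply to a tree that already has that API. For the resubmission, regenerate the diff against the target branch and record the adjusted context in a bracketed note under the "(backported from commit ...)" line, so a reviewer can compare it hunk by hunk with the upstream commit.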
From: manuel.diewald at canonical.com (Manuel Diewald)
Date: Thu, 1 Aug 2024 16:23:47 +0200
Subject: ACK: [SRU][J:linux/J:hwe-6.8][PATCH 0/1] Fix virtualbox regression
In-Reply-To: <20240801134549.91291-1-roxana.nicolescu@canonical.com>
References: <20240801134549.91291-1-roxana.nicolescu@canonical.com>
Message-ID: <20240801142347.ggilicluivb4m4s5@wintermute.fritz.box>

On Thu, Aug 01, 2024 at 03:45:48PM +0200, Roxana Nicolescu wrote:
> BugLink: https://bugs.launchpad.net/bugs/2073267
>
> SRU Justification:
>
> [Impact]
>
> Commit "randomize_kstack: Improve entropy diffusion" changed the
> kernel stack for entropy to 1KiB, limiting the thread kernel stack to
> 15KiB. This impacts virtualbox 6.1.50 on jammy, that is no longer
> maintained upstream. The issue does not persist on version 7.0.20 due to a
> code refactoring that probably resulted in less stack usage. Fixing it on
> the jammy virtualbox package side is not straightforward because the fix is
> not easy to backport to 6.x and upgrading the jammy package to 7.x breaks
> current users' machines that run Windows, but not only.
> Users need to uninstall the Guest additions drivers, migrate the
> virtualbox package to 7.x, boot each VM and install the Guest additions
> drivers in each VM.
>
> This impacts:
> 1. jammy:linux
> 2. jammy:linux-hwe-6.8
> 3. focal:linux-hwe-5.15
>
> [Fix]
>
> Revert commit "randomize_kstack: Improve entropy diffusion"
>
> [Test Plan]
>
> Without this fix, a VM would crash, showing with "VCPU0: Guru
> Meditation -2708 (VERR_VMM_SET_JMP_ABORTED_RESUME)".
> After the kernel upgrade, all VMs should run with no problem.
>
> [Where problems could occur]
> This may have an impact on security. The commit is a fix to improve the
> stack entropy.
>
> [Other info]
> This is a temporary fix. More investigation is required.
>
> Roxana Nicolescu (1):
>   UBUNTU SAUCE: Revert "randomize_kstack: Improve entropy diffusion"
>
>  include/linux/randomize_kstack.h | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> --
> 2.34.1
>

Acked-by: Manuel Diewald

--
Manuel

From stefan.bader at canonical.com Thu Aug 1 14:35:39 2024
From: stefan.bader at canonical.com (Stefan Bader)
Date: Thu, 1 Aug 2024 16:35:39 +0200
Subject: APPLIED: [SRU][J:linux/J:hwe-6.8][PATCH 0/1] Fix virtualbox regression
In-Reply-To: <20240801134549.91291-1-roxana.nicolescu@canonical.com>
References: <20240801134549.91291-1-roxana.nicolescu@canonical.com>
Message-ID:

On 01.08.24 15:45, Roxana Nicolescu wrote:
> BugLink: https://bugs.launchpad.net/bugs/2073267
>
> SRU Justification:
>
> [Impact]
>
> Commit "randomize_kstack: Improve entropy diffusion" changed the
> kernel stack for entropy to 1KiB, limiting the thread kernel stack to
> 15KiB. This impacts virtualbox 6.1.50 on jammy, that is no longer
> maintained upstream. The issue does not persist on version 7.0.20 due to a
> code refactoring that probably resulted in less stack usage. Fixing it on
> the jammy virtualbox package side is not straightforward because the fix is
> not easy to backport to 6.x and upgrading the jammy package to 7.x breaks
> current users' machines that run Windows, but not only.
> Users need to uninstall the Guest additions drivers, migrate the
> virtualbox package to 7.x, boot each VM and install the Guest additions
> drivers in each VM.
>
> This impacts:
> 1. jammy:linux
> 2. jammy:linux-hwe-6.8
> 3. focal:linux-hwe-5.15
>
> [Fix]
>
> Revert commit "randomize_kstack: Improve entropy diffusion"
>
> [Test Plan]
>
> Without this fix, a VM would crash, showing with "VCPU0: Guru
> Meditation -2708 (VERR_VMM_SET_JMP_ABORTED_RESUME)".
> After the kernel upgrade, all VMs should run with no problem.
>
> [Where problems could occur]
> This may have an impact on security. The commit is a fix to improve the
> stack entropy.
>
> [Other info]
> This is a temporary fix. More investigation is required.
>
> Roxana Nicolescu (1):
>   UBUNTU SAUCE: Revert "randomize_kstack: Improve entropy diffusion"
>
>  include/linux/randomize_kstack.h | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>

Applied to jammy:linux/master-next and jammy:linux-hwe-6.8/hwe-6.8-next. Thanks.

-Stefan

From roxana.nicolescu at canonical.com Thu Aug 1 14:54:07 2024
From: roxana.nicolescu at canonical.com (Roxana Nicolescu) Date: Thu, 1 Aug 2024 16:54:07 +0200 Subject: [SRU][N/O/U][PATCH 0/1] Disable PCI_DYNAMIC_OF_NODES Message-ID: <20240801145408.113645-1-roxana.nicolescu@canonical.com> BugLink: https://bugs.launchpad.net/bugs/2074376 This came in via KTML from upstream. It is part of a discussion between upstream and IBM reporting a bug which occurs in KVM: Rob Herring writes: >> On 2024/07/11 06:20 AM, Rob Herring wrote: >>> On Wed, Jul 3, 2024 at 8:17 AM Amit Machhiwal wrote: >>>> >>>> With CONFIG_PCI_DYNAMIC_OF_NODES [1], a hot-plug and hot-unplug sequence >>>> of a PCI device attached to a PCI-bridge causes following kernel Oops on >>>> a pseries KVM guest: >>> >>> Can I ask why you have this option on in the first place? Do you have >>> a use for it or it's just a case of distros turn on every kconfig >>> option. >> >> Yes, this option is turned on in Ubuntu's distro kernel config where the issue >> was originally reported, while Fedora is keeping this turned off. >> >> root at ubuntu:~# cat /boot/config-6.8.0-38-generic | grep PCI_DYN >> CONFIG_PCI_DYNAMIC_OF_NODES=y > > Ubuntu should turn off this option. For starters, it is not complete > to be usable. Eventually, it should get removed in favor of some TBD > runtime option. > > (And we should fix the crash too) This option is described in the config system as: This option enables support for generating device tree nodes for some PCI devices. Thus, the driver of this kind can load and overlay flattened device tree for its downstream devices. . Once this option is selected, the device tree nodes will be generated for all PCI bridges. Open Firmware (OF) would be used for KVM for UEFI mode. The reported bug was related to hot-unplugging PCI devices. My guess would be that this probably is not of much use to the majority of users and might even go away. So it should really be disabled in Ubuntu, too. 
Roxana Nicolescu (1): UBUNTU: [Config] Disable PCI_DYNAMIC_OF_NODES debian.master/config/annotations | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) -- 2.34.1 From roxana.nicolescu at canonical.com Thu Aug 1 14:54:08 2024 From: roxana.nicolescu at canonical.com (Roxana Nicolescu) Date: Thu, 1 Aug 2024 16:54:08 +0200 Subject: [SRU][N/O/U][PATCH 1/1] UBUNTU: [Config] Disable PCI_DYNAMIC_OF_NODES In-Reply-To: <20240801145408.113645-1-roxana.nicolescu@canonical.com> References: <20240801145408.113645-1-roxana.nicolescu@canonical.com> Message-ID: <20240801145408.113645-2-roxana.nicolescu@canonical.com> BugLink: https://bugs.launchpad.net/bugs/2074376 Upstream recommends to disable this option. Discussion started around a bug reported by IBM in KVM that happens when this option is enabled related to hot-unplugging PCI devices. Signed-off-by: Roxana Nicolescu --- debian.master/config/annotations | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/debian.master/config/annotations b/debian.master/config/annotations index a6306ad13229..dd55e3991ceb 100644 --- a/debian.master/config/annotations +++ b/debian.master/config/annotations @@ -516,6 +516,9 @@ CONFIG_PCIEASPM_DEFAULT note<'LP: #1398544'> CONFIG_PCIEPORTBUS policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'n', 'riscv64': 'y', 's390x': 'y'}> CONFIG_PCIEPORTBUS note<'LP: #1665404'> +CONFIG_PCI_DYNAMIC_OF_NODES policy<{'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n', 'riscv64': 'n'}> +CONFIG_PCI_DYNAMIC_OF_NODES note<'LP: #2074376'> + CONFIG_PCI_MESON policy<{'amd64': 'n', 'arm64': 'm', 'armhf': 'n', 'ppc64el': 'n', 'riscv64': 'n', 's390x': 'n'}> CONFIG_PCI_MESON note<'LP: #2007745'> 
@@ -9623,7 +9626,6 @@ CONFIG_PCI_DOMAINS_GENERIC policy<{'arm64': 'y', 'armhf': ' CONFIG_PCI_DRA7XX policy<{'armhf': 'm'}> CONFIG_PCI_DRA7XX_EP policy<{'armhf': 'm'}> CONFIG_PCI_DRA7XX_HOST policy<{'armhf': 'm'}> -CONFIG_PCI_DYNAMIC_OF_NODES policy<{'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 'riscv64': 'y'}> CONFIG_PCI_ECAM policy<{'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 'riscv64': 'y'}> CONFIG_PCI_ENDPOINT policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 'riscv64': 'y', 's390x': 'y'}> CONFIG_PCI_ENDPOINT_CONFIGFS policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 'riscv64': 'y', 's390x': 'y'}> -- 2.34.1 From stefan.bader at canonical.com Thu Aug 1 15:04:23 2024 
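Review bot: in the annotations patch above ([SRU][N/O/U][PATCH 1/1]), the added `CONFIG_PCI_DYNAMIC_OF_NODES policy<...>` line switches the option to 'n' on arm64, armhf, ppc64el and riscv64, yet the commit message only mentions the hot-unplug bug, which the cover letter reports for a pseries KVM guest. State in the commit message that the option is turned off on every architecture that had it at 'y' because upstream considers it incomplete, and add a link to the upstream thread, so the reasoning does not live only in the cover letter; `note<'LP: #2074376'>` by itself sends the reader to Launchpad for it.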
From: stefan.bader at canonical.com (Stefan Bader)
Date: Thu, 1 Aug 2024 17:04:23 +0200
Subject: ACK/Cmnt: [SRU][N/O/U][PATCH 0/1] Disable PCI_DYNAMIC_OF_NODES
In-Reply-To: <20240801145408.113645-1-roxana.nicolescu@canonical.com>
References: <20240801145408.113645-1-roxana.nicolescu@canonical.com>
Message-ID: <0d15f66c-10b6-4285-adc1-b3480d7d1a33@canonical.com>

On 01.08.24 16:54, Roxana Nicolescu wrote:
> BugLink: https://bugs.launchpad.net/bugs/2074376
>
> This came in via KTML from upstream. It is part of a discussion between
> upstream and IBM reporting a bug which occurs in KVM:
>
> Rob Herring writes:
>
>>> On 2024/07/11 06:20 AM, Rob Herring wrote:
>>>> On Wed, Jul 3, 2024 at 8:17 AM Amit Machhiwal wrote:
>>>>>
>>>>> With CONFIG_PCI_DYNAMIC_OF_NODES [1], a hot-plug and hot-unplug sequence
>>>>> of a PCI device attached to a PCI-bridge causes following kernel Oops on
>>>>> a pseries KVM guest:
>>>>
>>>> Can I ask why you have this option on in the first place? Do you have
>>>> a use for it or it's just a case of distros turn on every kconfig
>>>> option.
>>>
>>> Yes, this option is turned on in Ubuntu's distro kernel config where the issue
>>> was originally reported, while Fedora is keeping this turned off.
>>>
>>> root at ubuntu:~# cat /boot/config-6.8.0-38-generic | grep PCI_DYN
>>> CONFIG_PCI_DYNAMIC_OF_NODES=y
>>
>> Ubuntu should turn off this option. For starters, it is not complete
>> to be usable. Eventually, it should get removed in favor of some TBD
>> runtime option.
>>
>> (And we should fix the crash too)
>
> This option is described in the config system as:
>
> This option enables support for generating device tree nodes for some
> PCI devices. Thus, the driver of this kind can load and overlay
> flattened device tree for its downstream devices.
> .
> Once this option is selected, the device tree nodes will be generated
> for all PCI bridges.
>
> Open Firmware (OF) would be used for KVM for UEFI mode. The reported bug
> was related to hot-unplugging PCI devices. My guess would be that this
> probably is not of much use to the majority of users and might even go
> away. So it should really be disabled in Ubuntu, too.
>
> Roxana Nicolescu (1):
>   UBUNTU: [Config] Disable PCI_DYNAMIC_OF_NODES
>
>  debian.master/config/annotations | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>

The change looks good, just wondering whether it might "move" within the
annotations file during final check time... just as a heads up

Acked-by: Stefan Bader

From kevin.becker at canonical.com Thu Aug 1 15:07:33 2024
From: kevin.becker at canonical.com (Kevin Becker)
Date: Thu, 1 Aug 2024 11:07:33 -0400
Subject: ACK: [SRU][N/O/U][PATCH 0/1] Disable PCI_DYNAMIC_OF_NODES
In-Reply-To: <20240801145408.113645-1-roxana.nicolescu@canonical.com>
References: <20240801145408.113645-1-roxana.nicolescu@canonical.com>
Message-ID:

On Thu, Aug 1, 2024 at 10:55 AM Roxana Nicolescu wrote:
>
> BugLink: https://bugs.launchpad.net/bugs/2074376
>
> This came in via KTML from upstream. It is part of a discussion between
> upstream and IBM reporting a bug which occurs in KVM:
>
> Rob Herring writes:
>
> >> On 2024/07/11 06:20 AM, Rob Herring wrote:
> >>> On Wed, Jul 3, 2024 at 8:17 AM Amit Machhiwal wrote:
> >>>>
> >>>> With CONFIG_PCI_DYNAMIC_OF_NODES [1], a hot-plug and hot-unplug sequence
> >>>> of a PCI device attached to a PCI-bridge causes following kernel Oops on
> >>>> a pseries KVM guest:
> >>>
> >>> Can I ask why you have this option on in the first place? Do you have
> >>> a use for it or it's just a case of distros turn on every kconfig
> >>> option.
> >>
> >> Yes, this option is turned on in Ubuntu's distro kernel config where the issue
> >> was originally reported, while Fedora is keeping this turned off.
> >>
> >> root at ubuntu:~# cat /boot/config-6.8.0-38-generic | grep PCI_DYN
> >> CONFIG_PCI_DYNAMIC_OF_NODES=y
> >
> > Ubuntu should turn off this option. For starters, it is not complete
> > to be usable. Eventually, it should get removed in favor of some TBD
> > runtime option.
> >
> > (And we should fix the crash too)
>
> This option is described in the config system as:
>
> This option enables support for generating device tree nodes for some
> PCI devices. Thus, the driver of this kind can load and overlay
> flattened device tree for its downstream devices.
> .
> Once this option is selected, the device tree nodes will be generated
> for all PCI bridges.
>
> Open Firmware (OF) would be used for KVM for UEFI mode. The reported bug
> was related to hot-unplugging PCI devices. My guess would be that this
> probably is not of much use to the majority of users and might even go
> away. So it should really be disabled in Ubuntu, too.
>
> Roxana Nicolescu (1):
>   UBUNTU: [Config] Disable PCI_DYNAMIC_OF_NODES
>
>  debian.master/config/annotations | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> --

Acked-by: Kevin Becker

From kevin.becker at canonical.com Thu Aug 1 15:13:26 2024
From: kevin.becker at canonical.com (Kevin Becker)
Date: Thu, 1 Aug 2024 11:13:26 -0400
Subject: ACK: [SRU][N][J][PATCH 0/1] s390/cpum_cf: make crypto counters upward compatible (LP: 2074380)
In-Reply-To: <20240801105355.547635-1-frank.heimes@canonical.com>
References: <20240801105355.547635-1-frank.heimes@canonical.com>
Message-ID:

On Thu, Aug 1, 2024 at 6:54 AM wrote:
>
> BugLink: https://bugs.launchpad.net/bugs/2074380
>
> SRU Justification:
>
> [ Impact ]
>
>  * The CPU Measurement Facility (CPU MF) crypto counter set
>    is not listed in the device sysfs tree - it's not exported
>    in the sysfs directory /sys/devices/cpum_cf/events.
>
>  * The attribute files for each CPU-MF counter defined
>    in the crypto counter set are missing.
>
>  * This is caused by the counter second version number of CPU MF
>    hardware being incremented on new machines.
>
>  * This causes a sanity check to fail,
>    but the counters are supported by hardware.
>
>  * The solution is to remove the upper limit in counter second
>    version number check.
>
> [ Fix ]
>
>  * f10933cbd2df f10933cbd2dfddf6273698a45f76db9bafd8150f
>    "s390/cpum_cf: make crypto counters upward compatible across machine types"
>
>  * The fix was upstream accepted with kernel v6.10(-rc1).
>
>  * Upstream commit applies cleanly on noble master-next,
>    but needed to be backported to jammy master-next due to different code
>    and context in kernel 5.15.
>
> [ Test Plan ]
>
>  * Run the following commands on a new machine generation:
>    (hence only doable by IBM)
>    # ls -l /sys/devices/cpum_cf/events/ | grep AES
>
>  * If the output is empty then this patch is required.
>
>  * With a patched kernel the output should be like:
>    # ls /sys/devices/cpum_cf/events/ | grep AES
>    AES_BLOCKED_CYCLES
>    AES_BLOCKED_FUNCTIONS
>    AES_CYCLES
>    AES_FUNCTIONS
>
> [ Where problems could occur ]
>
>  * This affects s390x only - CPU MF is s390-specific,
>    and only s390 specific code is modified.
>
>  * And it furthermore is limited to the crypto counter set
>    of CPU MF.
>
>  * So any impact is likely limited to hardware crypto counters
>    on s390x only.
>
>  * In s390/kernel/perf_cpum_cf.c the else if case got changed from
>    explicitly checking for 6 or 7 to >= 6 which seems to require
>    attention for future 8 and more cases.
>
>  * In s390/kernel/perf_cpum_cf_events.c the switch (ci.csvn) statement
>    was changed to an if / else if with similar logic.
>    Again attention for any potential future cases >= 8.
>
>  * It does not look like currently used cases (1..5 and 6..7)
>    are affected by the modification, just >7.
>
>  * Test builds of patched jammy and noble s390x kernels were built
>    and are available here:
>    https://launchpad.net/~fheimes/+archive/ubuntu/lp2074380
>
> [ Other Info ]
>
>  * Since the code/fix was upstream accepted with kernel v6.10(-rc1)
>    it does not affect the current development release oracular.
>
>  * This SRU can also be seen under the umbrella of new
>    hardware enablement.
>
>  * Since it requires special hw, the verification needs to be
>    done by IBM.
>
> Thomas Richter (1):
>   s390/cpum_cf: make crypto counters upward compatible across machine
>     types
>
>  arch/s390/kernel/perf_cpum_cf.c | 2 +-
>  arch/s390/kernel/perf_cpum_cf_events.c | 11 +++--------
>  2 files changed, 4 insertions(+), 9 deletions(-)
>
> --

Acked-by: Kevin Becker

From roxana.nicolescu at canonical.com Thu Aug 1 15:24:02 2024
From: roxana.nicolescu at canonical.com (Roxana Nicolescu)
Date: Thu, 1 Aug 2024 17:24:02 +0200
Subject: Cmt: [SRU][N][PATCH 0/2] Turbostat support for Arrow Lake H
In-Reply-To: <20240729123152.2506438-1-thibault.ferrante@canonical.com>
References: <20240729123152.2506438-1-thibault.ferrante@canonical.com>
Message-ID:

On 29/07/2024 14:31, Thibault Ferrante wrote:
> BugLink: https://bugs.launchpad.net/bugs/2074372
>
> [ Impact ]
>
> Enable Turbostat on Arrow Lake H platform.
>
> [ Fix ]
>
> Cherry pick two commits from upstream:
> 196eca020600 - tools/power turbostat: Enhance ARL/LNL support
> f04fcc7ac8ce - tools/power turbostat: Add ARL-H support
>
> [ Test Plan ]
>
> Compiled.
>
> [ Where problems could occur ]
>
> Regression for Arrow lake on Turbostat.
>
>
> Zhang Rui (2):
>   tools/power turbostat: Enhance ARL/LNL support
>   tools/power turbostat: Add ARL-H support
>
>  tools/power/x86/turbostat/turbostat.c | 23 +++++++++++++++++++++--
>  1 file changed, 21 insertions(+), 2 deletions(-)
>

This requires the commit "x86/cpu: Add model number for another Intel
Arrow Lake mobile processor" to define `INTEL_FAM6_ARROWLAKE_U`,
otherwise the build fails.
I fixed it, no need to do anything.

From roxana.nicolescu at canonical.com Thu Aug 1 15:27:53 2024
From: roxana.nicolescu at canonical.com (Roxana Nicolescu)
Date: Thu, 1 Aug 2024 17:27:53 +0200
Subject: APPLIED[N]: [SRU][N/O/U][PATCH 0/1] Disable PCI_DYNAMIC_OF_NODES
In-Reply-To: <20240801145408.113645-1-roxana.nicolescu@canonical.com>
References: <20240801145408.113645-1-roxana.nicolescu@canonical.com>
Message-ID: <1d959816-8394-4d85-8950-ffdeb49a5456@canonical.com>

On 01/08/2024 16:54, Roxana Nicolescu wrote:
> BugLink: https://bugs.launchpad.net/bugs/2074376
>
> This came in via KTML from upstream. It is part of a discussion between
> upstream and IBM reporting a bug which occurs in KVM:
>
> Rob Herring writes:
>
>>> On 2024/07/11 06:20 AM, Rob Herring wrote:
>>>> On Wed, Jul 3, 2024 at 8:17 AM Amit Machhiwal wrote:
>>>>> With CONFIG_PCI_DYNAMIC_OF_NODES [1], a hot-plug and hot-unplug sequence
>>>>> of a PCI device attached to a PCI-bridge causes following kernel Oops on
>>>>> a pseries KVM guest:
>>>> Can I ask why you have this option on in the first place? Do you have
>>>> a use for it or it's just a case of distros turn on every kconfig
>>>> option.
>>> Yes, this option is turned on in Ubuntu's distro kernel config where the issue
>>> was originally reported, while Fedora is keeping this turned off.
>>>
>>> root at ubuntu:~# cat /boot/config-6.8.0-38-generic | grep PCI_DYN
>>> CONFIG_PCI_DYNAMIC_OF_NODES=y
>> Ubuntu should turn off this option. For starters, it is not complete
>> to be usable. Eventually, it should get removed in favor of some TBD
>> runtime option.
>>
>> (And we should fix the crash too)
> This option is described in the config system as:
>
> This option enables support for generating device tree nodes for some
> PCI devices. Thus, the driver of this kind can load and overlay
> flattened device tree for its downstream devices.
> .
> Once this option is selected, the device tree nodes will be generated
> for all PCI bridges.
>
> Open Firmware (OF) would be used for KVM for UEFI mode. The reported bug
> was related to hot-unplugging PCI devices. My guess would be that this
> probably is not of much use to the majority of users and might even go
> away. So it should really be disabled in Ubuntu, too.
>
> Roxana Nicolescu (1):
>   UBUNTU: [Config] Disable PCI_DYNAMIC_OF_NODES
>
>  debian.master/config/annotations | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>

Applied to noble:linux master-next branch. Thanks!

From hannah.peuckmann at canonical.com Thu Aug 1 15:38:11 2024
From: hannah.peuckmann at canonical.com (Hannah Peuckmann)
Date: Thu, 1 Aug 2024 17:38:11 +0200
Subject: [SRU][J/F][PATCH v2 0/1] CVE-2024-27012
Message-ID: <20240801153813.61841-1-hannah.peuckmann@canonical.com>

[Impact]

The existing code in nf_tables has an issue where set elements are not
properly restored when the delete set operation fails.

[Fix]

This patch ensures that all set elements are correctly handled during
the delete operation, maintaining the integrity of the nf_tables.

Noble: done
Jammy: applied, fixed context conflicts
Focal: applied, fixed context conflicts
Bionic: not affected
Xenial: not affected
Trusty: not affected

Focal and Jammy are missing the following commit:
0e1ea651c9717dd ("netfilter: nf_tables: shrink memory consumption of set elements")
This introduced context conflicts in nf_tables_api.c and for jammy also
in nft_set_pipapo.c, but they aren't related to the fix and are
relatively straightforward to resolve.

[Test Case]

Compiled and booted.

[Where problems could occur]

This fix affects those who use the nf_tables in netfilter. An issue with
this fix could result in unexpected behaviour or inconsistencies in the
netfilter tables.

Pablo Neira Ayuso (1):
  netfilter: nf_tables: restore set elements when delete set fails

 net/netfilter/nf_tables_api.c | 25 +++++++++++++++++++++++++
 net/netfilter/nft_set_bitmap.c | 4 +---
 net/netfilter/nft_set_hash.c | 8 ++------
 net/netfilter/nft_set_rbtree.c | 4 +---
 4 files changed, 29 insertions(+), 12 deletions(-)

--
2.43.0

From hannah.peuckmann at canonical.com Thu Aug 1 15:38:12 2024
From: hannah.peuckmann at canonical.com (Hannah Peuckmann)
Date: Thu, 1 Aug 2024 17:38:12 +0200
Subject: [SRU][F][PATCH v2 1/1] netfilter: nf_tables: restore set elements when delete set fails
In-Reply-To: <20240801153813.61841-1-hannah.peuckmann@canonical.com>
References: <20240801153813.61841-1-hannah.peuckmann@canonical.com>
Message-ID: <20240801153813.61841-2-hannah.peuckmann@canonical.com>

From: Pablo Neira Ayuso

From abort path, nft_mapelem_activate() needs to restore refcounters to
the original state. Currently, it uses the set->ops->walk() to iterate
over these set elements. The existing set iterator skips inactive
elements in the next generation, this does not work from the abort path
to restore the original state since it has to skip active elements
instead (not inactive ones).

This patch moves the check for inactive elements to the set iterator
callback, then it reverses the logic for the .activate case which
needs to skip active elements.

Toggle next generation bit for elements when delete set command is
invoked and call nft_clear() from .activate (abort) path to restore the
next generation bit.

The splat below shows an object in mappings memleak:

[43929.457523] ------------[ cut here ]------------
[43929.457532] WARNING: CPU: 0 PID: 1139 at include/net/netfilter/nf_tables.h:1237 nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]
[...]
[43929.458014] RIP: 0010:nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]
[43929.458076] Code: 83 f8 01 77 ab 49 8d 7c 24 08 e8 37 5e d0 de 49 8b 6c 24 08 48 8d 7d 50 e8 e9 5c d0 de 8b 45 50 8d 50 ff 89 55 50 85 c0 75 86 <0f> 0b eb 82 0f 0b eb b3 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90
[43929.458081] RSP: 0018:ffff888140f9f4b0 EFLAGS: 00010246
[43929.458086] RAX: 0000000000000000 RBX: ffff8881434f5288 RCX: dffffc0000000000
[43929.458090] RDX: 00000000ffffffff RSI: ffffffffa26d28a7 RDI: ffff88810ecc9550
[43929.458093] RBP: ffff88810ecc9500 R08: 0000000000000001 R09: ffffed10281f3e8f
[43929.458096] R10: 0000000000000003 R11: ffff0000ffff0000 R12: ffff8881434f52a0
[43929.458100] R13: ffff888140f9f5f4 R14: ffff888151c7a800 R15: 0000000000000002
[43929.458103] FS: 00007f0c687c4740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000
[43929.458107] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[43929.458111] CR2: 00007f58dbe5b008 CR3: 0000000123602005 CR4: 00000000001706f0
[43929.458114] Call Trace:
[43929.458118] [43929.458121] ? __warn+0x9f/0x1a0 [43929.458127] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458188] ? report_bug+0x1b1/0x1e0 [43929.458196] ? handle_bug+0x3c/0x70 [43929.458200] ? exc_invalid_op+0x17/0x40 [43929.458211] ? nft_setelem_data_deactivate+0xd7/0xf0 [nf_tables] [43929.458271] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458332] nft_mapelem_deactivate+0x24/0x30 [nf_tables] [43929.458392] nft_rhash_walk+0xdd/0x180 [nf_tables] [43929.458453] ? __pfx_nft_rhash_walk+0x10/0x10 [nf_tables] [43929.458512] ? rb_insert_color+0x2e/0x280 [43929.458520] nft_map_deactivate+0xdc/0x1e0 [nf_tables] [43929.458582] ? __pfx_nft_map_deactivate+0x10/0x10 [nf_tables] [43929.458642] ? __pfx_nft_mapelem_deactivate+0x10/0x10 [nf_tables] [43929.458701] ? __rcu_read_unlock+0x46/0x70 [43929.458709] nft_delset+0xff/0x110 [nf_tables] [43929.458769] nft_flush_table+0x16f/0x460 [nf_tables] [43929.458830] nf_tables_deltable+0x501/0x580 [nf_tables] Fixes: 628bd3e49cba ("netfilter: nf_tables: drop map element references from preparation phase") Signed-off-by: Pablo Neira Ayuso (backported from commit e79b47a8615d42c68aaeb68971593333667382ed linux-6.9.y) [hannsofie: context adjustments in nf_tables_api.c] CVE-2024-27012 Signed-off-by: Hannah Peuckmann --- net/netfilter/nf_tables_api.c | 25 +++++++++++++++++++++++++ net/netfilter/nft_set_bitmap.c | 4 +--- net/netfilter/nft_set_hash.c | 8 ++------ net/netfilter/nft_set_rbtree.c | 4 +--- 4 files changed, 29 insertions(+), 12 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index b3209a856209..10e7d8e9df04 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c 
@@ -426,6 +426,12 @@ static int nft_mapelem_deactivate(const struct nft_ctx *ctx, const struct nft_set_iter *iter, struct nft_set_elem *elem) { + struct nft_set_ext *ext = nft_set_elem_ext(set, elem); + + if (!nft_set_elem_active(ext, iter->genmask)) + return 0; + + nft_set_elem_change_active(ctx->net, set, ext); nft_setelem_data_deactivate(ctx->net, set, elem); return 0; @@ -4055,6 +4061,8 @@ static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx, struct nft_set_elem *elem) { const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); + if (!nft_set_elem_active(ext, iter->genmask)) + return 0; enum nft_registers dreg; dreg = nft_type_to_reg(set->dtype); @@ -4128,6 +4136,13 @@ static int nft_mapelem_activate(const struct nft_ctx *ctx, const struct nft_set_iter *iter, struct nft_set_elem *elem) { + struct nft_set_ext *ext = nft_set_elem_ext(set, elem); + + /* called from abort path, reverse check to undo changes. */ + if (nft_set_elem_active(ext, iter->genmask)) + return 0; + + nft_clear(ctx->net, ext); nft_setelem_data_activate(ctx->net, set, elem); return 0; @@ -4370,6 +4385,9 @@ static int nf_tables_dump_setelem(const struct nft_ctx *ctx, const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); struct nft_set_dump_args *args; + if (!nft_set_elem_active(ext, iter->genmask)) + return 0; + if (nft_set_elem_expired(ext) || nft_set_elem_is_dead(ext)) return 0; @@ -5228,9 +5246,13 @@ static int nft_flush_set(const struct nft_ctx *ctx, const struct nft_set_iter *iter, struct nft_set_elem *elem) { + const struct nft_set_ext *ext = nft_set_elem_ext(set, elem); struct nft_trans *trans; int err; + if (!nft_set_elem_active(ext, iter->genmask)) + return 0; + trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM, sizeof(struct nft_trans_elem), GFP_ATOMIC); if (!trans) 
@@ -7860,6 +7882,9 @@ static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx, const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); const struct nft_data *data; + if (!nft_set_elem_active(ext, iter->genmask)) + return 0; + if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END) return 0; diff --git a/net/netfilter/nft_set_bitmap.c b/net/netfilter/nft_set_bitmap.c index b0f6b1490e1a..544835080fe2 100644 --- a/net/netfilter/nft_set_bitmap.c +++ b/net/netfilter/nft_set_bitmap.c @@ -170,7 +170,7 @@ static void nft_bitmap_activate(const struct net *net, nft_bitmap_location(set, nft_set_ext_key(&be->ext), &idx, &off); /* Enter 11 state. */ priv->bitmap[idx] |= (genmask << off); - nft_set_elem_change_active(net, set, &be->ext); + nft_clear(net, &be->ext); } static bool nft_bitmap_flush(const struct net *net, @@ -222,8 +222,6 @@ static void nft_bitmap_walk(const struct nft_ctx *ctx, list_for_each_entry_rcu(be, &priv->list, head) { if (iter->count < iter->skip) goto cont; - if (!nft_set_elem_active(&be->ext, iter->genmask)) - goto cont; elem.priv = be; diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c index 0581d5499c5a..7f49c6c37c94 100644 --- a/net/netfilter/nft_set_hash.c +++ b/net/netfilter/nft_set_hash.c @@ -191,7 +191,7 @@ static void nft_rhash_activate(const struct net *net, const struct nft_set *set, { struct nft_rhash_elem *he = elem->priv; - nft_set_elem_change_active(net, set, &he->ext); + nft_clear(net, &he->ext); } static bool nft_rhash_flush(const struct net *net, @@ -279,8 +279,6 @@ static void nft_rhash_walk(const struct nft_ctx *ctx, struct nft_set *set, if (iter->count < iter->skip) goto cont; - if (!nft_set_elem_active(&he->ext, iter->genmask)) - goto cont; elem.priv = he; 
@@ -573,7 +571,7 @@ static void nft_hash_activate(const struct net *net, const struct nft_set *set, { struct nft_hash_elem *he = elem->priv; - nft_set_elem_change_active(net, set, &he->ext); + nft_clear(net, &he->ext); } static bool nft_hash_flush(const struct net *net, @@ -627,8 +625,6 @@ static void nft_hash_walk(const struct nft_ctx *ctx, struct nft_set *set, hlist_for_each_entry_rcu(he, &priv->table[i], node) { if (iter->count < iter->skip) goto cont; - if (!nft_set_elem_active(&he->ext, iter->genmask)) - goto cont; elem.priv = he; diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c index f44473287079..ec322d818de0 100644 --- a/net/netfilter/nft_set_rbtree.c +++ b/net/netfilter/nft_set_rbtree.c @@ -529,7 +529,7 @@ static void nft_rbtree_activate(const struct net *net, { struct nft_rbtree_elem *rbe = elem->priv; - nft_set_elem_change_active(net, set, &rbe->ext); + nft_clear(net, &rbe->ext); } static bool nft_rbtree_flush(const struct net *net, @@ -598,8 +598,6 @@ static void nft_rbtree_walk(const struct nft_ctx *ctx, if (iter->count < iter->skip) goto cont; - if (!nft_set_elem_active(&rbe->ext, iter->genmask)) - goto cont; elem.priv = rbe; -- 2.43.0 From hannah.peuckmann at canonical.com Thu Aug 1 15:38:13 2024 From: hannah.peuckmann at canonical.com (Hannah Peuckmann) Date: Thu, 1 Aug 2024 17:38:13 +0200 Subject: [SRU][J][PATCH v2 1/1] netfilter: nf_tables: restore set elements when delete set fails In-Reply-To: <20240801153813.61841-1-hannah.peuckmann@canonical.com> References: <20240801153813.61841-1-hannah.peuckmann@canonical.com> Message-ID: <20240801153813.61841-3-hannah.peuckmann@canonical.com> 
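Review bot: in the Focal backport above ([SRU][F][PATCH v2 1/1]), the lines added to nft_mapelem_deactivate(), nft_mapelem_activate() and nft_flush_set() call `nft_set_elem_ext(set, elem)` with the callback's `struct nft_set_elem *` argument, whereas the unchanged context in the nf_tables_bind_check_setelem(), nf_tables_dump_setelem() and nf_tables_loop_check_setelem() hunks passes `elem->priv`. If the helper expects the private element pointer, as those context lines indicate, the genmask test, nft_set_elem_change_active() and nft_clear() in the new lines work on the wrong address; use `nft_set_elem_ext(set, elem->priv)` in all three places.

Review bot: in the nf_tables_bind_check_setelem() hunk (@@ -4055,6 +4061,8 @@) the new `if (!nft_set_elem_active(ext, iter->genmask))` check sits between the `ext` declaration and `enum nft_registers dreg;`, which leaves a declaration after a statement. Move the check below `dreg`, separated by a blank line, the way the nf_tables_dump_setelem() hunk places it after its declarations.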
From: Pablo Neira Ayuso

From abort path, nft_mapelem_activate() needs to restore refcounters to
the original state. Currently, it uses the set->ops->walk() to iterate
over these set elements. The existing set iterator skips inactive
elements in the next generation, this does not work from the abort path
to restore the original state since it has to skip active elements
instead (not inactive ones).

This patch moves the check for inactive elements to the set iterator
callback, then it reverses the logic for the .activate case which
needs to skip active elements.

Toggle next generation bit for elements when delete set command is
invoked and call nft_clear() from .activate (abort) path to restore the
next generation bit.

The splat below shows an object in mappings memleak:

[43929.457523] ------------[ cut here ]------------
[43929.457532] WARNING: CPU: 0 PID: 1139 at include/net/netfilter/nf_tables.h:1237 nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]
[...]
[43929.458014] RIP: 0010:nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]
[43929.458076] Code: 83 f8 01 77 ab 49 8d 7c 24 08 e8 37 5e d0 de 49 8b 6c 24 08 48 8d 7d 50 e8 e9 5c d0 de 8b 45 50 8d 50 ff 89 55 50 85 c0 75 86 <0f> 0b eb 82 0f 0b eb b3 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90
[43929.458081] RSP: 0018:ffff888140f9f4b0 EFLAGS: 00010246
[43929.458086] RAX: 0000000000000000 RBX: ffff8881434f5288 RCX: dffffc0000000000
[43929.458090] RDX: 00000000ffffffff RSI: ffffffffa26d28a7 RDI: ffff88810ecc9550
[43929.458093] RBP: ffff88810ecc9500 R08: 0000000000000001 R09: ffffed10281f3e8f
[43929.458096] R10: 0000000000000003 R11: ffff0000ffff0000 R12: ffff8881434f52a0
[43929.458100] R13: ffff888140f9f5f4 R14: ffff888151c7a800 R15: 0000000000000002
[43929.458103] FS: 00007f0c687c4740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000
[43929.458107] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[43929.458111] CR2: 00007f58dbe5b008 CR3: 0000000123602005 CR4: 00000000001706f0
[43929.458114] Call Trace:
[43929.458118] [43929.458121] ? __warn+0x9f/0x1a0 [43929.458127] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458188] ? report_bug+0x1b1/0x1e0 [43929.458196] ? handle_bug+0x3c/0x70 [43929.458200] ? exc_invalid_op+0x17/0x40 [43929.458211] ? nft_setelem_data_deactivate+0xd7/0xf0 [nf_tables] [43929.458271] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458332] nft_mapelem_deactivate+0x24/0x30 [nf_tables] [43929.458392] nft_rhash_walk+0xdd/0x180 [nf_tables] [43929.458453] ? __pfx_nft_rhash_walk+0x10/0x10 [nf_tables] [43929.458512] ? rb_insert_color+0x2e/0x280 [43929.458520] nft_map_deactivate+0xdc/0x1e0 [nf_tables] [43929.458582] ? __pfx_nft_map_deactivate+0x10/0x10 [nf_tables] [43929.458642] ? __pfx_nft_mapelem_deactivate+0x10/0x10 [nf_tables] [43929.458701] ? __rcu_read_unlock+0x46/0x70 [43929.458709] nft_delset+0xff/0x110 [nf_tables] [43929.458769] nft_flush_table+0x16f/0x460 [nf_tables] [43929.458830] nf_tables_deltable+0x501/0x580 [nf_tables] Fixes: 628bd3e49cba ("netfilter: nf_tables: drop map element references from preparation phase") Signed-off-by: Pablo Neira Ayuso (backported from commit e79b47a8615d42c68aaeb68971593333667382ed linux-6.9.y) [hannsofie: context adjustments in nf_tables_api.c and nft_set_pipapo.c] CVE-2024-27012 Signed-off-by: Hannah Peuckmann --- net/netfilter/nf_tables_api.c | 46 +++++++++++++++++++++++++++++----- net/netfilter/nft_set_bitmap.c | 4 +-- net/netfilter/nft_set_hash.c | 8 ++---- net/netfilter/nft_set_pipapo.c | 4 +-- net/netfilter/nft_set_rbtree.c | 4 +-- 5 files changed, 45 insertions(+), 21 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 0ba358207006..67b2dfb25f29 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c 
@@ -594,6 +594,12 @@ static int nft_mapelem_deactivate(const struct nft_ctx *ctx, const struct nft_set_iter *iter, struct nft_set_elem *elem) { + struct nft_set_ext *ext = nft_set_elem_ext(set, elem); + + if (!nft_set_elem_active(ext, iter->genmask)) + return 0; + + nft_set_elem_change_active(ctx->net, set, ext); nft_setelem_data_deactivate(ctx->net, set, elem); return 0; @@ -618,8 +624,8 @@ static void nft_map_catchall_deactivate(const struct nft_ctx *ctx, if (!nft_set_elem_active(ext, genmask)) continue; - elem.priv = catchall->elem; - nft_setelem_data_deactivate(ctx->net, set, &elem); + nft_set_elem_change_active(ctx->net, set, ext); + nft_setelem_data_deactivate(ctx->net, set, catchall->elem); break; } } @@ -3508,6 +3514,9 @@ int nft_setelem_validate(const struct nft_ctx *ctx, struct nft_set *set, const struct nft_data *data; int err; + if (!nft_set_elem_active(ext, iter->genmask)) + return 0; + if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END) return 0; @@ -3531,7 +3540,9 @@ int nft_setelem_validate(const struct nft_ctx *ctx, struct nft_set *set, int nft_set_catchall_validate(const struct nft_ctx *ctx, struct nft_set *set) { - u8 genmask = nft_genmask_next(ctx->net); + struct nft_set_iter dummy_iter = { + .genmask = nft_genmask_next(ctx->net), + }; struct nft_set_elem_catchall *catchall; struct nft_set_elem elem; struct nft_set_ext *ext; @@ -3539,11 +3550,11 @@ int nft_set_catchall_validate(const struct nft_ctx *ctx, struct nft_set *set) list_for_each_entry_rcu(catchall, &set->catchall_list, list) { ext = nft_set_elem_ext(set, catchall->elem); - if (!nft_set_elem_active(ext, genmask)) + if (!nft_set_elem_active(ext, dummy_iter.genmask)) continue; elem.priv = catchall->elem; - ret = nft_setelem_validate(ctx, set, NULL, &elem); + ret = nft_setelem_validate(ctx, set, &dummy_iter, &elem); if (ret < 0) return ret; } 
@@ -5017,6 +5028,11 @@ static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx, const struct nft_set_iter *iter, struct nft_set_elem *elem) { + const struct nft_set_ext *ext = nft_set_elem_ext(set, elem); + + if (!nft_set_elem_active(ext, iter->genmask)) + return 0; + return nft_setelem_data_validate(ctx, set, elem); } @@ -5111,6 +5127,13 @@ static int nft_mapelem_activate(const struct nft_ctx *ctx, const struct nft_set_iter *iter, struct nft_set_elem *elem) { + struct nft_set_ext *ext = nft_set_elem_ext(set, elem); + + /* called from abort path, reverse check to undo changes. */ + if (nft_set_elem_active(ext, iter->genmask)) + return 0; + + nft_clear(ctx->net, ext); nft_setelem_data_activate(ctx->net, set, elem); return 0; @@ -5130,6 +5153,7 @@ static void nft_map_catchall_activate(const struct nft_ctx *ctx, continue; elem.priv = catchall->elem; + nft_clear(ctx->net, ext); nft_setelem_data_activate(ctx->net, set, &elem); break; } @@ -5400,6 +5424,9 @@ static int nf_tables_dump_setelem(const struct nft_ctx *ctx, const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); struct nft_set_dump_args *args; + if (!nft_set_elem_active(ext, iter->genmask)) + return 0; + if (nft_set_elem_expired(ext) || nft_set_elem_is_dead(ext)) return 0; @@ -6084,7 +6111,7 @@ static void nft_setelem_activate(struct net *net, struct nft_set *set, struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); if (nft_setelem_is_catchall(set, elem)) { - nft_set_elem_change_active(net, set, ext); + nft_clear(net, ext); } else { set->ops->activate(net, set, elem); } @@ -6750,9 +6777,13 @@ static int nft_setelem_flush(const struct nft_ctx *ctx, const struct nft_set_iter *iter, struct nft_set_elem *elem) { + const struct nft_set_ext *ext = nft_set_elem_ext(set, elem); struct nft_trans *trans; int err; + if (!nft_set_elem_active(ext, iter->genmask)) + return 0; + trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM, sizeof(struct nft_trans_elem), GFP_ATOMIC); if (!trans) 
@@ -10036,6 +10067,9 @@ static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx, { const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); + if (!nft_set_elem_active(ext, iter->genmask)) + return 0; + if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END) return 0; diff --git a/net/netfilter/nft_set_bitmap.c b/net/netfilter/nft_set_bitmap.c index 60122539fee6..028955a9cb09 100644 --- a/net/netfilter/nft_set_bitmap.c +++ b/net/netfilter/nft_set_bitmap.c @@ -171,7 +171,7 @@ static void nft_bitmap_activate(const struct net *net, nft_bitmap_location(set, nft_set_ext_key(&be->ext), &idx, &off); /* Enter 11 state. */ priv->bitmap[idx] |= (genmask << off); - nft_set_elem_change_active(net, set, &be->ext); + nft_clear(net, &be->ext); } static bool nft_bitmap_flush(const struct net *net, @@ -223,8 +223,6 @@ static void nft_bitmap_walk(const struct nft_ctx *ctx, list_for_each_entry_rcu(be, &priv->list, head) { if (iter->count < iter->skip) goto cont; - if (!nft_set_elem_active(&be->ext, iter->genmask)) - goto cont; elem.priv = be; diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c index 2013de934cef..3a96d4a77a22 100644 --- a/net/netfilter/nft_set_hash.c +++ b/net/netfilter/nft_set_hash.c @@ -189,7 +189,7 @@ static void nft_rhash_activate(const struct net *net, const struct nft_set *set, { struct nft_rhash_elem *he = elem->priv; - nft_set_elem_change_active(net, set, &he->ext); + nft_clear(net, &he->ext); } static bool nft_rhash_flush(const struct net *net, @@ -277,8 +277,6 @@ static void nft_rhash_walk(const struct nft_ctx *ctx, struct nft_set *set, if (iter->count < iter->skip) goto cont; - if (!nft_set_elem_active(&he->ext, iter->genmask)) - goto cont; elem.priv = he; 
@@ -587,7 +585,7 @@ static void nft_hash_activate(const struct net *net, const struct nft_set *set, { struct nft_hash_elem *he = elem->priv; - nft_set_elem_change_active(net, set, &he->ext); + nft_clear(net, &he->ext); } static bool nft_hash_flush(const struct net *net, @@ -641,8 +639,6 @@ static void nft_hash_walk(const struct nft_ctx *ctx, struct nft_set *set, hlist_for_each_entry_rcu(he, &priv->table[i], node) { if (iter->count < iter->skip) goto cont; - if (!nft_set_elem_active(&he->ext, iter->genmask)) - goto cont; elem.priv = he; diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c index f2f8d15c9eda..ae81c5af9f71 100644 --- a/net/netfilter/nft_set_pipapo.c +++ b/net/netfilter/nft_set_pipapo.c @@ -1767,7 +1767,7 @@ static void nft_pipapo_activate(const struct net *net, { struct nft_pipapo_elem *e = elem->priv; - nft_set_elem_change_active(net, set, &e->ext); + nft_clear(net, &e->ext); } /** @@ -2069,8 +2069,6 @@ static void nft_pipapo_walk(const struct nft_ctx *ctx, struct nft_set *set, e = f->mt[r].e; - if (!nft_set_elem_active(&e->ext, iter->genmask)) - goto cont; elem.priv = e; diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c index 5bf5572e945c..afbda7e3fd04 100644 --- a/net/netfilter/nft_set_rbtree.c +++ b/net/netfilter/nft_set_rbtree.c @@ -527,7 +527,7 @@ static void nft_rbtree_activate(const struct net *net, { struct nft_rbtree_elem *rbe = elem->priv; - nft_set_elem_change_active(net, set, &rbe->ext); + nft_clear(net, &rbe->ext); } static bool nft_rbtree_flush(const struct net *net, @@ -596,8 +596,6 @@ static void nft_rbtree_walk(const struct nft_ctx *ctx, if (iter->count < iter->skip) goto cont; - if (!nft_set_elem_active(&rbe->ext, iter->genmask)) - goto cont; elem.priv = rbe; -- 2.43.0 From manuel.diewald at canonical.com Thu Aug 1 15:51:10 2024 
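Review bot: In nft_mapelem_deactivate() the added call nft_set_elem_ext(set, elem) passes the struct nft_set_elem *elem callback argument itself, while the unchanged context in nf_tables_dump_setelem() and nf_tables_loop_check_setelem() derives the extension from elem->priv. The same form is added in nf_tables_bind_check_setelem(), nft_mapelem_activate() and nft_setelem_flush(). If the helper takes an untyped pointer, this builds without a warning and tests the generation mask on the wrong object. Each of these should use elem->priv to match the existing callers, or the commit message should explain why the two forms are equivalent in this tree.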
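Review bot: nft_map_catchall_deactivate() now passes catchall->elem straight to nft_setelem_data_deactivate(), but nft_mapelem_deactivate() in the hunk before it passes a struct nft_set_elem * to the same function, and nft_map_catchall_activate() still fills elem.priv and passes &elem to the activate counterpart. Both argument types cannot be right for one prototype. Keeping "elem.priv = catchall->elem;" and passing &elem here would stay consistent with the rest of the file, and would avoid leaving the local elem without a user in this function.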
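Review bot: nft_setelem_validate() now dereferences iter->genmask unconditionally, and before this patch nft_set_catchall_validate() called it with a NULL iterator. The dummy_iter added in the next hunk covers that caller, but the function is not static, so any other direct caller that passes NULL will now dereference a NULL pointer. Please confirm there are none in this tree, or guard the new check on iter being non-NULL. A one-line comment on dummy_iter saying it exists only to carry the genmask would also help the next backport.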
From: manuel.diewald at canonical.com (Manuel Diewald)
Date: Thu, 1 Aug 2024 17:51:10 +0200
Subject: ACK: [SRU][N][J][PATCH 0/1] s390/cpum_cf: make crypto counters upward compatible (LP: 2074380)
In-Reply-To: <20240801105355.547635-1-frank.heimes@canonical.com>
References: <20240801105355.547635-1-frank.heimes@canonical.com>
Message-ID: <20240801155110.rurvd2hwtyukai3s@wintermute.fritz.box>

On Thu, Aug 01, 2024 at 12:53:53PM +0200, frank.heimes at canonical.com wrote:
> BugLink: https://bugs.launchpad.net/bugs/2074380
>
> SRU Justification:
>
> [ Impact ]
>
>  * The CPU Measurement Facility (CPU MF) crypto counter set
>    is not listed in the device sysfs tree - it's not exported
>    in the sysfs directory /sys/devices/cpum_cf/events.
>
>  * The attribute files for each CPU-MF counter defined
>    in the crypto counter set are missing.
>
>  * This is caused by the counter second version number of CPU MF
>    hardware being incremented on new machines.
>
>  * This causes a sanity check to fail,
>    but the counters are supported by hardware.
>
>  * The solution is to remove the upper limit in counter second
>    version number check.
>
> [ Fix ]
>
>  * f10933cbd2df f10933cbd2dfddf6273698a45f76db9bafd8150f
>    "s390/cpum_cf: make crypto counters upward compatible across machine types"
>
>  * The fix was upstream accepted with kernel v6.10(-rc1).
>
>  * Upstream commit applies cleanly on noble master-next,
>    but needed to be backported to jammy master-next due to different code
>    and context in kernel 5.15.
>
> [ Test Plan ]
>
>  * Run the following commands on a new machine generation:
>    (hence only doable by IBM)
>    # ls -l /sys/devices/cpum_cf/events/ | grep AES
>
>  * If the output is empty then this patch is required.
>
>  * With a patched kernel the output should be like:
>    # ls /sys/devices/cpum_cf/events/ | grep AES
>    AES_BLOCKED_CYCLES
>    AES_BLOCKED_FUNCTIONS
>    AES_CYCLES
>    AES_FUNCTIONS
>
> [ Where problems could occur ]
>
>  * This affects s390x only - CPU MF is s390-specific,
>    and only s390 specific code is modified.
>
>  * And it furthermore is limited to the crypto counter set
>    of CPU MF.
>
>  * So any impact is likely limited to hardware crypto counters
>    on s390x only.
>
>  * In s390/kernel/perf_cpum_cf.c the else if case got changed from
>    explicitly checking for 6 or 7 to >= 6 which seems to require
>    attention for future 8 and more cases.
>
>  * In s390/kernel/perf_cpum_cf_events.c the switch (ci.csvn) statement
>    was changed to an if / else if with similar logic.
>    Again attention for any potential future cases >= 8.
>
>  * It does not look like currently used cases (1..5 and 6..7)
>    are affected by the modification, just >7.
>
>  * Test builds of patched jammy and noble s390x kernels were built
>    and are available here:
>    https://launchpad.net/~fheimes/+archive/ubuntu/lp2074380
>
> [ Other Info ]
>
>  * Since the code/fix was upstream accepted with kernel v6.10(-rc1)
>    it does not affect the current development release oracular.
>
>  * This SRU can also be seen under the umbrella of new
>    hardware enablement.
>
>  * Since it requires special hw, the verification needs to be
>    done by IBM.
>
> Thomas Richter (1):
>   s390/cpum_cf: make crypto counters upward compatible across machine
>     types
>
>  arch/s390/kernel/perf_cpum_cf.c        |  2 +-
>  arch/s390/kernel/perf_cpum_cf_events.c | 11 +++--------
>  2 files changed, 4 insertions(+), 9 deletions(-)
>
> --
> 2.34.1
>
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

Acked-by: Manuel Diewald

--
Manuel

From thibault.ferrante at canonical.com Thu Aug 1 15:55:37 2024
From: thibault.ferrante at canonical.com (Thibault Ferrante)
Date: Thu, 1 Aug 2024 17:55:37 +0200
Subject: Cmt: [SRU][N][PATCH 0/2] Turbostat support for Arrow Lake H
In-Reply-To:
References: <20240729123152.2506438-1-thibault.ferrante@canonical.com>
Message-ID:

On 01-08-2024 17:24, Roxana Nicolescu wrote:
>
> On 29/07/2024 14:31, Thibault Ferrante wrote:
>> BugLink: https://bugs.launchpad.net/bugs/2074372
>>
>> [ Impact ]
>>
>> Enable Turbostat on Arrow Lake H platform.
>>
>> [ Fix ]
>>
>> Cherry pick two commits from upstream:
>> 196eca020600 - tools/power turbostat: Enhance ARL/LNL support
>> f04fcc7ac8ce - tools/power turbostat: Add ARL-H support
>>
>> [ Test Plan ]
>>
>> Compiled.
>>
>> [ Where problems could occur ]
>>
>> Regression for Arrow lake on Turbostat.
>>
>>
>> Zhang Rui (2):
>>    tools/power turbostat: Enhance ARL/LNL support
>>    tools/power turbostat: Add ARL-H support
>>
>>   tools/power/x86/turbostat/turbostat.c | 23 +++++++++++++++++++++--
>>   1 file changed, 21 insertions(+), 2 deletions(-)
>>
> This requires the commit
> "x86/cpu: Add model number for another Intel Arrow Lake mobile processor"
> to define `INTEL_FAM6_ARROWLAKE_U`, otherwise the build fails.
> I fixed it, no need to do anything.

I was surprised, as I didn't have such an issue when building.
However after looking into it, I was using cbd (thibf-noble-3618aed1069a-RFra)
which doesn't build the tools.
Mistake on my side, lesson learned. Thanks for fixing it.

--
Thibault

From kernel-team-bot at canonical.com Thu Aug 1 16:12:09 2024
From: kernel-team-bot at canonical.com (kernel-team-bot at canonical.com)
Date: Thu, 01 Aug 2024 16:12:09 -0000
Subject: [noble] linux-riscv 6.8.0-40.40.1 uploaded (ABI bump)
Message-ID:

A new noble kernel has been uploaded into proposed. Note the ABI bump.
The full changelog about all bug fixes contained in this upload can be found at:

https://launchpad.net/ubuntu/noble/+source/linux-riscv/6.8.0-40.40.1

--
This message was created by an automated script, maintained by the Ubuntu Kernel Team.

From kernel-team-bot at canonical.com Thu Aug 1 16:14:51 2024
From: kernel-team-bot at canonical.com (kernel-team-bot at canonical.com)
Date: Thu, 01 Aug 2024 16:14:51 -0000
Subject: [jammy] linux-hwe-6.8 6.8.0-40.40~22.04.3 uploaded (ABI bump)
Message-ID:

A new jammy kernel has been uploaded into proposed. Note the ABI bump.
The full changelog about all bug fixes contained in this upload can be found at:

https://launchpad.net/ubuntu/jammy/+source/linux-hwe-6.8/6.8.0-40.40~22.04.3

--
This message was created by an automated script, maintained by the Ubuntu Kernel Team.

From kernel-team-bot at canonical.com Thu Aug 1 18:02:24 2024
From: kernel-team-bot at canonical.com (kernel-team-bot at canonical.com)
Date: Thu, 01 Aug 2024 18:02:24 -0000
Subject: [focal] linux-azure 5.4.0-1135.142 uploaded (ABI bump)
Message-ID:

A new focal kernel has been uploaded into proposed. Note the ABI bump.
The full changelog about all bug fixes contained in this upload can be found at:

https://launchpad.net/ubuntu/focal/+source/linux-azure/5.4.0-1135.142

--
This message was created by an automated script, maintained by the Ubuntu Kernel Team.

From kernel-team-bot at canonical.com Thu Aug 1 21:14:05 2024
From: kernel-team-bot at canonical.com (kernel-team-bot at canonical.com)
Date: Thu, 01 Aug 2024 21:14:05 -0000
Subject: [jammy] linux-aws-6.8 6.8.0-1013.14~22.04.1 uploaded (ABI bump)
Message-ID:

A new jammy kernel has been uploaded into proposed. Note the ABI bump.
The full changelog about all bug fixes contained in this upload can be found at:

https://launchpad.net/ubuntu/jammy/+source/linux-aws-6.8/6.8.0-1013.14~22.04.1

--
This message was created by an automated script, maintained by the Ubuntu Kernel Team.

From kernel-team-bot at canonical.com Thu Aug 1 21:14:10 2024
From: kernel-team-bot at canonical.com (kernel-team-bot at canonical.com)
Date: Thu, 01 Aug 2024 21:14:10 -0000
Subject: [jammy] linux-azure-6.8 6.8.0-1012.14~22.04.1 uploaded (ABI bump)
Message-ID:

A new jammy kernel has been uploaded into proposed. Note the ABI bump.
The full changelog about all bug fixes contained in this upload can be found at:

https://launchpad.net/ubuntu/jammy/+source/linux-azure-6.8/6.8.0-1012.14~22.04.1

--
This message was created by an automated script, maintained by the Ubuntu Kernel Team.

From kernel-team-bot at canonical.com Thu Aug 1 21:15:36 2024
From: kernel-team-bot at canonical.com (kernel-team-bot at canonical.com)
Date: Thu, 01 Aug 2024 21:15:36 -0000
Subject: [focal] linux-azure-5.15 5.15.0-1070.79~20.04.1 uploaded (ABI bump)
Message-ID:

A new focal kernel has been uploaded into proposed. Note the ABI bump.
The full changelog about all bug fixes contained in this upload can be found at:

https://launchpad.net/ubuntu/focal/+source/linux-azure-5.15/5.15.0-1070.79~20.04.1

--
This message was created by an automated script, maintained by the Ubuntu Kernel Team.

From kernel-team-bot at canonical.com Thu Aug 1 21:34:47 2024
From: kernel-team-bot at canonical.com (kernel-team-bot at canonical.com)
Date: Thu, 01 Aug 2024 21:34:47 -0000
Subject: [bionic] linux-aws-5.4 5.4.0-1130.140~18.04.1 uploaded (ABI bump)
Message-ID:

A new bionic kernel has been uploaded into proposed. Note the ABI bump.
The full changelog about all bug fixes contained in this upload can be found at:

https://launchpad.net/ubuntu/bionic/+source/linux-aws-5.4/5.4.0-1130.140~18.04.1

--
This message was created by an automated script, maintained by the Ubuntu Kernel Team.

From kernel-team-bot at canonical.com Thu Aug 1 22:41:52 2024
From: kernel-team-bot at canonical.com (kernel-team-bot at canonical.com)
Date: Thu, 01 Aug 2024 22:41:52 -0000
Subject: [focal] linux-gkeop-5.15 5.15.0-1050.57~20.04.1 uploaded (ABI bump)
Message-ID:

A new focal kernel has been uploaded into proposed. Note the ABI bump.
The full changelog about all bug fixes contained in this upload can be found at:

https://launchpad.net/ubuntu/focal/+source/linux-gkeop-5.15/5.15.0-1050.57~20.04.1

--
This message was created by an automated script, maintained by the Ubuntu Kernel Team.

From kernel-team-bot at canonical.com Thu Aug 1 22:41:56 2024
From: kernel-team-bot at canonical.com (kernel-team-bot at canonical.com)
Date: Thu, 01 Aug 2024 22:41:56 -0000
Subject: [focal] linux-gcp-5.15 5.15.0-1066.74~20.04.1 uploaded (ABI bump)
Message-ID:

A new focal kernel has been uploaded into proposed. Note the ABI bump.
The full changelog about all bug fixes contained in this upload can be found at:

https://launchpad.net/ubuntu/focal/+source/linux-gcp-5.15/5.15.0-1066.74~20.04.1

--
This message was created by an automated script, maintained by the Ubuntu Kernel Team.

From kernel-team-bot at canonical.com Thu Aug 1 22:42:12 2024
From: kernel-team-bot at canonical.com (kernel-team-bot at canonical.com)
Date: Thu, 01 Aug 2024 22:42:12 -0000
Subject: [focal] linux-oracle-5.15 5.15.0-1065.71~20.04.1 uploaded (ABI bump)
Message-ID:

A new focal kernel has been uploaded into proposed. Note the ABI bump.
The full changelog about all bug fixes contained in this upload can be found at:

https://launchpad.net/ubuntu/focal/+source/linux-oracle-5.15/5.15.0-1065.71~20.04.1

--
This message was created by an automated script, maintained by the Ubuntu Kernel Team.

From kernel-team-bot at canonical.com Thu Aug 1 23:03:01 2024
From: kernel-team-bot at canonical.com (kernel-team-bot at canonical.com)
Date: Thu, 01 Aug 2024 23:03:01 -0000
Subject: The Daily Bug Report for 2024-08-01 23:00:02.116412+00:00
Message-ID:

The linux package acquired 2 new bugs in the last 24 hrs.

Bug          Title                                                        Series   Importance   Status        Assignee
------------ ------------------------------------------------------------ -------- ------------ ------------- ---------------------
LP: #2075502 linux kernel bug which is unable to decode the CXL AMEI-G...          Undecided    New           unassigned
LP: #2075533 Fix performance regression caused by bad default EPP valu...          Undecided    New           unassigned

The linux-hwe-6.8 package acquired 1 new bugs in the last 24 hrs.

Bug          Title                                                        Series   Importance   Status        Assignee
------------ ------------------------------------------------------------ -------- ------------ ------------- ---------------------
LP: #2073267 Virtualbox Guru meditation on VM start caused by kernel c... focal    Undecided    Invalid       unassigned

From kernel-team-bot at canonical.com Fri Aug 2 01:56:29 2024
From: kernel-team-bot at canonical.com (kernel-team-bot at canonical.com)
Date: Fri, 02 Aug 2024 01:56:29 -0000
Subject: [jammy] linux-realtime-6.8 6.8.1-1006.6~22.04.1 uploaded (ABI bump)
Message-ID:

A new jammy kernel has been uploaded into proposed. Note the ABI bump.
The full changelog about all bug fixes contained in this upload can be found at:

https://launchpad.net/ubuntu/jammy/+source/linux-realtime-6.8/6.8.1-1006.6~22.04.1

--
This message was created by an automated script, maintained by the Ubuntu Kernel Team.