ACK: [SRU][Jammy][PATCH 0/1] idxd: fix NULL pointer dereference reading wq op_config attribute
Agathe Porte
agathe.porte at canonical.com
Wed Jun 12 08:22:28 UTC 2024
2024-06-11 21:00 CEST, Jacob Martin:
> BugLink: https://bugs.launchpad.net/bugs/2069081
>
> SRU Justification
>
> [Impact]
> Systems that use the Intel Data Accelerator Driver (IDXD) may see a kernel NULL pointer dereference when reading the op_config attribute of an idxd WQ, if WQs do not offer the op_config capability.
>
> On a DGXH100 system, this can be reproduced by running:
> $ cat /sys/devices/pci0000\:e7/0000\:e7\:02.0/iax3/wq3.7/op_config
>
> This affects 5.15.0-112-generic, and derivative kernels based on that generic version.
>
> [Fix]
>
> Author: Jacob Martin <jacob.martin at canonical.com>
> Date: Tue Jun 11 11:48:32 2024 -0500
>
> UBUNTU: SAUCE: dmaengine: idxd: set is_visible member of idxd_wq_attribute_group
>
> BugLink: ...
>
> The backport of commit b0325aefd398 ("dmaengine: idxd: add WQ operation
> cap restriction support") for K5.15 omitted a line setting the
> is_visible callback of idxd_wq_attribute_group to the
> idxd_wq_attr_visible function introduced in the same commit.
>
> This results in the op_config attribute being accessible from userspace
> when the underlying wq->opcap_bmap pointer used to service reads from it
> is uninitialized, leading to a NULL pointer dereference when the
> op_config attribute is read. Resolve this by setting the is_visible
> callback as the upstream commit does.
>
> Signed-off-by: Jacob Martin <jacob.martin at canonical.com>
>
> This patch adds a line setting the is_visible callback of idxd_wq_attribute_group to the function introduced by the Jammy K5.15 backport of commit b0325aefd398 ("dmaengine: idxd: add WQ operation cap restriction support"). The backport does not set this callback, but the upstream version does, so this fix is just bringing us in sync with the upstream commit.
>
> [Test Case]
> Verified that the patch "UBUNTU: SAUCE: dmaengine: idxd: set is_visible member of idxd_wq_attribute_group" resolves the issue on DGXH100. No instances of op_config are present under /sys, and thus the attribute cannot be read when it is invalid to do so on this system.
>
> [Regression Potential]
> There is a low risk of regression:
> * this is specific to systems using IDXD.
> * this patch brings us closer in-line with the upstream change.
>
> [Other]
> The Mantic 6.5 and Noble 6.8 kernels already have the upstream version of patch b0325aefd398 ("dmaengine: idxd: add WQ operation cap restriction support") as it was introduced in v6.1. These kernels set the is_visible attribute, so they are unaffected by this issue. Only Jammy K5.15 needs this fix.
>
> Jacob Martin (1):
> UBUNTU: SAUCE: dmaengine: idxd: set is_visible member of
> idxd_wq_attribute_group
>
> drivers/dma/idxd/sysfs.c | 1 +
> 1 file changed, 1 insertion(+)
Acked-by: Agathe Porte <agathe.porte at canonical.com>
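
A simplified userspace C model of the failure described in the quoted commit message, added here as an illustration; it is not the patch or kernel code. The struct and function names (`attr_group`, `wq_attr_visible`, `has_op_config_cap`) are stand-ins, and it assumes `opcap_bmap` stays NULL on a WQ that lacks the op_config capability.

```c
#include <stddef.h>
#include <stdio.h>

/* Userspace model only: every name below is an illustrative stand-in. */
struct wq { int has_op_config_cap; unsigned long *opcap_bmap; };
struct attr { const char *name; unsigned mode; };
struct attr_group {
    const struct attr *attrs;
    unsigned (*is_visible)(const struct wq *, const struct attr *);
};

enum { ATTR_MODE, ATTR_SIZE, OP_CONFIG, NATTRS };
static const struct attr wq_attrs[NATTRS] = {
    { "mode", 0644 }, { "size", 0644 }, { "op_config", 0644 },
};

/* Stand-in for the visibility callback: hide op_config without the cap. */
static unsigned wq_attr_visible(const struct wq *wq, const struct attr *a)
{
    if (a == &wq_attrs[OP_CONFIG] && !wq->has_op_config_cap)
        return 0;
    return a->mode;
}

/* Group creation rule: with no callback, every attribute is exposed. */
static int attr_exposed(const struct attr_group *g, const struct wq *wq, int i)
{
    unsigned mode = g->attrs[i].mode;
    if (g->is_visible)
        mode = g->is_visible(wq, &g->attrs[i]);
    return mode != 0;
}

/* 1 if a userspace read of op_config would reach a NULL opcap_bmap. */
static int op_config_read_hits_null(const struct attr_group *g, const struct wq *wq)
{
    return attr_exposed(g, wq, OP_CONFIG) && wq->opcap_bmap == NULL;
}

static const struct attr_group group_backport = { wq_attrs, NULL };
static const struct attr_group group_fixed = { wq_attrs, wq_attr_visible };

int main(void)
{
    struct wq no_cap = { 0, NULL };   /* constructed: WQ without op_config */
    printf("backport: %d\n", op_config_read_hits_null(&group_backport, &no_cap));
    printf("fixed:    %d\n", op_config_read_hits_null(&group_fixed, &no_cap));
    return 0;
}
```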