ACK: [SRU][Jammy][PATCH 0/1] idxd: fix NULL pointer dereference reading wq op_config attribute

Philip Cox philip.cox at canonical.com
Wed Jun 12 12:30:22 UTC 2024 

On Tue, 2024-06-11 at 13:59 -0500, Jacob Martin wrote:
> BugLink: https://bugs.launchpad.net/bugs/2069081
> 
> SRU Justification
> 
> [Impact]
> Systems that use the Intel Data Accelerator Driver (IDXD) may see a
> kernel NULL pointer dereference when reading the op_config attribute
> of an idxd WQ, if WQs do not offer the op_config capability.
> 
> On a DGXH100 system, this can be reproduced by running:
> $ cat /sys/devices/pci0000\:e7/0000\:e7\:02.0/iax3/wq3.7/op_config
> 
> This affects 5.15.0-112-generic, and derivative kernels based on that
> generic version.
> 
> [Fix]
> 
> Author: Jacob Martin <jacob.martin at canonical.com>
> Date: Tue Jun 11 11:48:32 2024 -0500
> 
>     UBUNTU: SAUCE: dmaengine: idxd: set is_visible member of
> idxd_wq_attribute_group
> 
>     BugLink: ...
> 
>     The backport of commit b0325aefd398 ("dmaengine: idxd: add WQ
> operation
>     cap restriction support") for K5.15 omitted a line setting the
>     is_visible callback of idxd_wq_attribute_group to the
>     idxd_wq_attr_visible function introduced in the same commit.
> 
>     This results in the op_config attribute being accessible from
> userspace
>     when the underlying wq->opcap_bmap pointer used to service reads
> from it
>     is uninitialized, leading to a NULL pointer dereference when the
>     op_config attribute is read. Resolve this by setting the
> is_visible
>     callback as the upstream commit does.
> 
>     Signed-off-by: Jacob Martin <jacob.martin at canonical.com>
> 
> This patch adds a line setting the is_visible callback of
> idxd_wq_attribute_group to the function introduced by the Jammy K5.15
> backport of commit b0325aefd398 ("dmaengine: idxd: add WQ operation
> cap restriction support"). The backport does not set this callback,
> but the upstream version does, so this fix is just bringing us in
> sync with the upstream commit.
> 
> [Test Case]
> Verified that the patch "UBUNTU: SAUCE: dmaengine: idxd: set
> is_visible member of idxd_wq_attribute_group" resolves the issue on
> DGXH100. No instances of op_config are present under /sys, and thus
> the attribute cannot be read when it is invalid to do so on this
> system.
> 
> [Regression Potential]
> There is a low risk of regression:
> * this is specific to systems using IDXD.
> * this patch brings us closer in-line with the upstream change.
> 
> [Other]
> The Mantic 6.5 and Noble 6.8 kernels already have the upstream
> version of patch b0325aefd398 ("dmaengine: idxd: add WQ operation cap
> restriction support") as it was introduced in v6.1. These kernels set
> the is_visible attribute, so they are unaffected by this issue. Only
> Jammy K5.15 needs this fix.
> 
> Jacob Martin (1):
>   UBUNTU: SAUCE: dmaengine: idxd: set is_visible member of
>     idxd_wq_attribute_group
> 
>  drivers/dma/idxd/sysfs.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> -- 
> 2.43.0
> 
> 

-- 
Acked-by: Philip Cox <philip.cox at canonical.com>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20240612/1bedabb6/attachment.html>

More information about the kernel-team mailing list