Skip to content

[LTS 9.2-RT] Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm #65

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jan 23, 2025
Merged

[LTS 9.2-RT] Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm #65

merged 1 commit into from
Jan 23, 2025

Conversation

pvts-mat
Copy link
Contributor

CVE-2022-42896, VULN-210 (RT variant)

Solution

The bug fix in the mainline is provided in two commits:

  • f937b758a188d6fd328a81367087eddbb2fce50f
  • 711f8c3fb3db61897080468586b970c87c61d9e4

Of these the 711f8c3 is already applied on ciqlts9_2-rt (commit af424ab54ea3c8a9acce353dd51faf68075c1ce1).

(Same situation as in #41)

Build

Kernel built on virtual machine instantiated on physical Rocky 9 machine with

./ninja.sh _run_build-ciqlts9_2

from the https://gitlab.conclusive.pl/devices/rocky-patching project. Installed on a testing machine created with

CVE=CVE-2022-42896 ./ninja.sh _run_test-ciqlts9_2-rt-CVE-2022-42896

Logs: build.log

kABI check: failed (passed relative)

kABI check ran on the build machine with

python3 /mnt/code/kernel-dist-git/SOURCES/check-kabi \
        -k /mnt/code/kernel-dist-git/SOURCES/Module.kabi_$(uname -m) \
        -s /mnt/build_files/kernel-src-tree-ciqlts9_2-rt-CVE-2022-42896/Module.symvers

for the /mnt/code/kernel-dist-git repo in the state of

On branch el-9.2
Your branch is up to date with 'origin/el-9.2'.

commit hash d55abe03912e1cf92944e3aaaefc89402923eda3.

Logs: kabi-patch.log

The same check ran for the reference version ciqlts9_2-rt (da2d199f93545e2d9b8c355c9d4dadc7c7aef1e6) with

python3 /mnt/code/kernel-dist-git/SOURCES/check-kabi \
        -k /mnt/code/kernel-dist-git/SOURCES/Module.kabi_$(uname -m) \
        -s /mnt/build_files/kernel-src-tree-ciqlts9_2-rt/Module.symvers

Logs: kabi-reference.log

The patched and reference ABI breakage are identical.

Boot test: passed

boot-test.log

Kselftests: passed relative

Kselftests ran using kernel-rt-selftests-internal package on a test machine prepared with

modprobe bluetooth

Results:
kselftests-patch.zip
Flat text file form:
kselftests-patch.log

Reference results of the tests ran on ciqlts9_2-rt (da2d199f93545e2d9b8c355c9d4dadc7c7aef1e6):

kselftests-reference.zip
Flat text file form:
kselftests-reference.log

Comparison:
comparison-patch-reference.csv

Summary: all test cases for the patched version have the same result as the reference. Tests

  • bpf:test_kmod.sh
  • bpf:test_verifier
  • net:fib_nexthops.sh
  • net:fib_tests.sh
  • net:icmp.sh
  • net:rps_default_mask.sh
  • net:test_blackhole_dev.sh
  • net:vrf_route_leaking.sh
  • netfilter:conntrack_tcp_unreplied.sh
  • netfilter:conntrack_vrf.sh
  • netfilter:nft_concat_range.sh
  • netfilter:nft_flowtable.sh
  • netfilter:nft_nat.sh
  • tc-testing:tdc.sh

fail in both reference and patched kernel version. Tests

  • bpf:test_tcpnotify_user
  • net/mptcp:mptcp_join.sh

were "flappy" and needed to be re-run one time. Tests

  • bpf:test_progs
  • bpf:test_progs-no_alu32

were omitted due to them hanging the testing machine on the reference ciqlts9_2-rt version (patched version not tested). To investigate and re-run on request.

Additional tests: none

Following the guidelines from the precedent #41.

@PlaidCat PlaidCat changed the title Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm [LTS 9.2-RT] Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm Jan 15, 2025
gvrose8192
gvrose8192 approved these changes Jan 21, 2025
View reviewed changes
Copy link

@gvrose8192 gvrose8192 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems the same as previous PRs in this series. LGTM.

@pvts-mat
Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm
173f938 
jira VULN-210
cve CVE-2022-42896
commit-author Luiz Augusto von Dentz <[email protected]>
commit f937b75

l2cap_global_chan_by_psm shall not return fixed channels as they are not
meant to be connected by (S)PSM.

	Signed-off-by: Luiz Augusto von Dentz <[email protected]>
	Reviewed-by: Tedd Ho-Jeong An <[email protected]>
(cherry picked from commit f937b75)
	Signed-off-by: Marcin Wcisło <[email protected]>
@pvts-mat pvts-mat force-pushed the ciqlts9_2-rt-CVE-2022-42896 branch from d247834 to 173f938 Compare January 21, 2025 23:33
bmastbergen
bmastbergen approved these changes Jan 22, 2025
View reviewed changes
Copy link
Collaborator

@bmastbergen bmastbergen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🥌

@PlaidCat PlaidCat merged commit a40f468 into ctrliq:ciqlts9_2-rt Jan 23, 2025
2 checks passed
github-actions bot pushed a commit that referenced this pull request May 15, 2025
RDMA/rxe: Fix the qp flush warnings in req
7dd34a8 
JIRA: https://issues.redhat.com/browse/RHEL-72373
CVE: CVE-2024-53229

commit ea4c990
Author: Zhu Yanjun <[email protected]>
Date:   Fri Oct 25 17:20:36 2024 +0200

    RDMA/rxe: Fix the qp flush warnings in req

    When the qp is in error state, the status of WQEs in the queue should be
    set to error. Or else the following will appear.

    [  920.617269] WARNING: CPU: 1 PID: 21 at drivers/infiniband/sw/rxe/rxe_comp.c:756 rxe_completer+0x989/0xcc0 [rdma_rxe]
    [  920.617744] Modules linked in: rnbd_client(O) rtrs_client(O) rtrs_core(O) rdma_ucm rdma_cm iw_cm ib_cm crc32_generic rdma_rxe ip6_udp_tunnel udp_tunnel ib_uverbs ib_core loop brd null_blk ipv6
    [  920.618516] CPU: 1 PID: 21 Comm: ksoftirqd/1 Tainted: G           O       6.1.113-storage+ #65
    [  920.618986] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
    [  920.619396] RIP: 0010:rxe_completer+0x989/0xcc0 [rdma_rxe]
    [  920.619658] Code: 0f b6 84 24 3a 02 00 00 41 89 84 24 44 04 00 00 e9 2a f7 ff ff 39 ca bb 03 00 00 00 b8 0e 00 00 00 48 0f 45 d8 e9 15 f7 ff ff <0f> 0b e9 cb f8 ff ff 41 bf f5 ff ff ff e9 08 f8 ff ff 49 8d bc 24
    [  920.620482] RSP: 0018:ffff97b7c00bbc38 EFLAGS: 00010246
    [  920.620817] RAX: 0000000000000000 RBX: 000000000000000c RCX: 0000000000000008
    [  920.621183] RDX: ffff960dc396ebc0 RSI: 0000000000005400 RDI: ffff960dc4e2fbac
    [  920.621548] RBP: 0000000000000000 R08: 0000000000000001 R09: ffffffffac406450
    [  920.621884] R10: ffffffffac4060c0 R11: 0000000000000001 R12: ffff960dc4e2f800
    [  920.622254] R13: ffff960dc4e2f928 R14: ffff97b7c029c580 R15: 0000000000000000
    [  920.622609] FS:  0000000000000000(0000) GS:ffff960ef7d00000(0000) knlGS:0000000000000000
    [  920.622979] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [  920.623245] CR2: 00007fa056965e90 CR3: 00000001107f1000 CR4: 00000000000006e0
    [  920.623680] Call Trace:
    [  920.623815]  <TASK>
    [  920.623933]  ? __warn+0x79/0xc0
    [  920.624116]  ? rxe_completer+0x989/0xcc0 [rdma_rxe]
    [  920.624356]  ? report_bug+0xfb/0x150
    [  920.624594]  ? handle_bug+0x3c/0x60
    [  920.624796]  ? exc_invalid_op+0x14/0x70
    [  920.624976]  ? asm_exc_invalid_op+0x16/0x20
    [  920.625203]  ? rxe_completer+0x989/0xcc0 [rdma_rxe]
    [  920.625474]  ? rxe_completer+0x329/0xcc0 [rdma_rxe]
    [  920.625749]  rxe_do_task+0x80/0x110 [rdma_rxe]
    [  920.626037]  rxe_requester+0x625/0xde0 [rdma_rxe]
    [  920.626310]  ? rxe_cq_post+0xe2/0x180 [rdma_rxe]
    [  920.626583]  ? do_complete+0x18d/0x220 [rdma_rxe]
    [  920.626812]  ? rxe_completer+0x1a3/0xcc0 [rdma_rxe]
    [  920.627050]  rxe_do_task+0x80/0x110 [rdma_rxe]
    [  920.627285]  tasklet_action_common.constprop.0+0xa4/0x120
    [  920.627522]  handle_softirqs+0xc2/0x250
    [  920.627728]  ? sort_range+0x20/0x20
    [  920.627942]  run_ksoftirqd+0x1f/0x30
    [  920.628158]  smpboot_thread_fn+0xc7/0x1b0
    [  920.628334]  kthread+0xd6/0x100
    [  920.628504]  ? kthread_complete_and_exit+0x20/0x20
    [  920.628709]  ret_from_fork+0x1f/0x30
    [  920.628892]  </TASK>

    Fixes: ae720bd ("RDMA/rxe: Generate error completion for error requester QP state")
    Signed-off-by: Zhu Yanjun <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Leon Romanovsky <[email protected]>

Signed-off-by: CKI Backport Bot <[email protected]>
github-actions bot pushed a commit that referenced this pull request May 15, 2025
@caringi
Merge: CVE-2024-53229: RDMA/rxe: Fix the qp flush warnings in req
e4bb9a4 
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/6744

JIRA: https://issues.redhat.com/browse/RHEL-72373
CVE: CVE-2024-53229

```
commit ea4c990
Author: Zhu Yanjun <[email protected]>
Date:   Fri Oct 25 17:20:36 2024 +0200

    RDMA/rxe: Fix the qp flush warnings in req

    When the qp is in error state, the status of WQEs in the queue should be
    set to error. Or else the following will appear.

    [  920.617269] WARNING: CPU: 1 PID: 21 at drivers/infiniband/sw/rxe/rxe_comp.c:756 rxe_completer+0x989/0xcc0 [rdma_rxe]
    [  920.617744] Modules linked in: rnbd_client(O) rtrs_client(O) rtrs_core(O) rdma_ucm rdma_cm iw_cm ib_cm crc32_generic rdma_rxe ip6_udp_tunnel udp_tunnel ib_uverbs ib_core loop brd null_blk ipv6
    [  920.618516] CPU: 1 PID: 21 Comm: ksoftirqd/1 Tainted: G           O       6.1.113-storage+ #65
    [  920.618986] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
    [  920.619396] RIP: 0010:rxe_completer+0x989/0xcc0 [rdma_rxe]
    [  920.619658] Code: 0f b6 84 24 3a 02 00 00 41 89 84 24 44 04 00 00 e9 2a f7 ff ff 39 ca bb 03 00 00 00 b8 0e 00 00 00 48 0f 45 d8 e9 15 f7 ff ff <0f> 0b e9 cb f8 ff ff 41 bf f5 ff ff ff e9 08 f8 ff ff 49 8d bc 24
    [  920.620482] RSP: 0018:ffff97b7c00bbc38 EFLAGS: 00010246
    [  920.620817] RAX: 0000000000000000 RBX: 000000000000000c RCX: 0000000000000008
    [  920.621183] RDX: ffff960dc396ebc0 RSI: 0000000000005400 RDI: ffff960dc4e2fbac
    [  920.621548] RBP: 0000000000000000 R08: 0000000000000001 R09: ffffffffac406450
    [  920.621884] R10: ffffffffac4060c0 R11: 0000000000000001 R12: ffff960dc4e2f800
    [  920.622254] R13: ffff960dc4e2f928 R14: ffff97b7c029c580 R15: 0000000000000000
    [  920.622609] FS:  0000000000000000(0000) GS:ffff960ef7d00000(0000) knlGS:0000000000000000
    [  920.622979] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [  920.623245] CR2: 00007fa056965e90 CR3: 00000001107f1000 CR4: 00000000000006e0
    [  920.623680] Call Trace:
    [  920.623815]  <TASK>
    [  920.623933]  ? __warn+0x79/0xc0
    [  920.624116]  ? rxe_completer+0x989/0xcc0 [rdma_rxe]
    [  920.624356]  ? report_bug+0xfb/0x150
    [  920.624594]  ? handle_bug+0x3c/0x60
    [  920.624796]  ? exc_invalid_op+0x14/0x70
    [  920.624976]  ? asm_exc_invalid_op+0x16/0x20
    [  920.625203]  ? rxe_completer+0x989/0xcc0 [rdma_rxe]
    [  920.625474]  ? rxe_completer+0x329/0xcc0 [rdma_rxe]
    [  920.625749]  rxe_do_task+0x80/0x110 [rdma_rxe]
    [  920.626037]  rxe_requester+0x625/0xde0 [rdma_rxe]
    [  920.626310]  ? rxe_cq_post+0xe2/0x180 [rdma_rxe]
    [  920.626583]  ? do_complete+0x18d/0x220 [rdma_rxe]
    [  920.626812]  ? rxe_completer+0x1a3/0xcc0 [rdma_rxe]
    [  920.627050]  rxe_do_task+0x80/0x110 [rdma_rxe]
    [  920.627285]  tasklet_action_common.constprop.0+0xa4/0x120
    [  920.627522]  handle_softirqs+0xc2/0x250
    [  920.627728]  ? sort_range+0x20/0x20
    [  920.627942]  run_ksoftirqd+0x1f/0x30
    [  920.628158]  smpboot_thread_fn+0xc7/0x1b0
    [  920.628334]  kthread+0xd6/0x100
    [  920.628504]  ? kthread_complete_and_exit+0x20/0x20
    [  920.628709]  ret_from_fork+0x1f/0x30
    [  920.628892]  </TASK>

    Fixes: ae720bd ("RDMA/rxe: Generate error completion for error requester QP state")
    Signed-off-by: Zhu Yanjun <[email protected]>
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Leon Romanovsky <[email protected]>```

Signed-off-by: CKI Backport Bot <[email protected]>

---

<small>Created 2025-04-16 00:13 UTC by backporter - [KWF FAQ](https://red.ht/kernel_workflow_doc) - [Slack #team-kernel-workflow](https://redhat-internal.slack.com/archives/C04LRUPMJQ5) - [Source](https://gitlab.com/cki-project/kernel-workflow/-/blob/main/webhook/utils/backporter.py) - [Documentation](https://gitlab.com/cki-project/kernel-workflow/-/blob/main/docs/README.backporter.md) - [Report an issue](https://issues.redhat.com/secure/CreateIssueDetails!init.jspa?pid=12334433&issuetype=1&priority=4&summary=backporter+webhook+issue&components=kernel-workflow+/+backporter)</small>

Approved-by: Kamal Heib <[email protected]>
Approved-by: José Ignacio Tornos Martínez <[email protected]>
Approved-by: Michal Schmidt <[email protected]>
Approved-by: CKI KWF Bot <[email protected]>

Merged-by: Augusto Caringi <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gvrose8192 gvrose8192 gvrose8192 approved these changes

@bmastbergen bmastbergen bmastbergen approved these changes

@PlaidCat PlaidCat Awaiting requested review from PlaidCat

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@pvts-mat @gvrose8192 @bmastbergen @PlaidCat