** Changed in: linux (Ubuntu)
Status: New => Invalid
** Description changed:
+ [ Impact ]
+
+ A kernel null pointer dereference oops is triggered on IBM pseries machines
+ when a userspace process opens the HVPIPE character device (/dev/papr-hvpipe)
+ and issues an ioctl to obtain a file descriptor for a specific HMC source ID.
+ The root cause is a semantic misuse of a kernel file descriptor preparation macro
+ (FD_PREPARE / retain_and_null_ptr) introduced by an upstream refactoring commit,
+ which nullified a pointer that was subsequently reused in a list-insertion operation,
+ leading to a write to address 0x0.
+
+ [ Fix ]
+
+ Backport the fix commit:
+ - 1b9f7aafa44f pseries/papr-hvpipe: Fix null ptr deref in papr_hvpipe_dev_create_handle()
+
+ [ Test Plan ]
+
+ Compile tested only.
+
+ [ Regression Potential ]
+
+ The fix affects hvpipe's src_info registration ordering
+ relative to file descriptor creation.
+ An issue with this patch may break HMC communication.
+
+ ---
+
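The pointer-nulling misuse described under [ Impact ], modelled in userspace as an added example (this is not the kernel's papr-hvpipe code and not the fix commit): `__free_on_exit` and `get_and_null` are stand-ins for the kernel's `__free(kfree)` guard and `retain_and_null_ptr()`, and the struct layout is assumed, with the list member at offset 0 so the bogus write would land at 0x0. The fixed variant shows the ordering the [ Regression Potential ] section refers to: register `src_info` before ownership is handed off.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Minimal intrusive list in the spirit of the kernel's list_head. */
struct list_head { struct list_head *next, *prev; };
static inline void list_add(struct list_head *n, struct list_head *head)
{
	n->next = head->next; n->prev = head; head->next->prev = n; head->next = n;
}
static struct list_head src_list = { &src_list, &src_list };

/* Hypothetical layout: the list member sits at offset 0, so &NULL->list is 0x0. */
struct hvpipe_source_info { struct list_head list; int hmc_id; };

/* Scope-exit cleanup, standing in for the kernel's __free(kfree) guard. */
static void free_ptr(void *pp) { free(*(void **)pp); }
#define __free_on_exit __attribute__((cleanup(free_ptr)))
/* Stand-in for retain_and_null_ptr(): move ownership out of the guarded variable. */
#define get_and_null(p) __extension__({ __typeof__(p) old_ = (p); (p) = NULL; old_; })

/* Buggy ordering: ownership is handed off (the variable is nulled) before
 * list_add() reuses the same variable. Returns the address list_add() would have
 * written through; the write is computed, not performed, so the demo does not fault. */
static uintptr_t buggy_ordering_target(int hmc_id, struct hvpipe_source_info **owned)
{
	struct hvpipe_source_info *src_info __free_on_exit = calloc(1, sizeof *src_info);
	if (!src_info) return UINTPTR_MAX;
	src_info->hmc_id = hmc_id;
	*owned = get_and_null(src_info);            /* src_info == NULL from here on */
	return (uintptr_t)src_info + offsetof(struct hvpipe_source_info, list); /* 0x0 */
}

/* Fixed ordering: register src_info while the pointer is still valid, then hand
 * ownership off so the scope-exit cleanup frees nothing. */
static struct hvpipe_source_info *fixed_ordering(int hmc_id)
{
	struct hvpipe_source_info *src_info __free_on_exit = calloc(1, sizeof *src_info);
	if (!src_info) return NULL;
	src_info->hmc_id = hmc_id;
	list_add(&src_info->list, &src_list);       /* uses the still-valid pointer */
	return get_and_null(src_info);              /* cleanup now sees NULL */
}

/* Number of registered sources, for checking the fixed path. */
static int src_list_len(void)
{
	int n = 0;
	for (struct list_head *p = src_list.next; p != &src_list; p = p->next) n++;
	return n;
}
```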
== Comment: #0 - Haren Myneni <[email protected]> - 2026-05-09 19:31:07 ==
---Problem Description---
HVPIPE ioctl generates trace and returns failure
-
+
---Steps to Reproduce---
- - Open HVPIPE (/dev/papr-hvpipe)
+ - Open HVPIPE (/dev/papr-hvpipe)
- ioctl to get FD for the specific HMC : It should cause oops.
-
+
---Debugger---
A debugger is not configured
-
- Contact Information = [email protected]
-
- Machine Type = pseries
-
+
+ Contact Information = [email protected]
+
+ Machine Type = pseries
+
---uname output---
Ubuntu 26.04
-
+
Stack trace output:
- --
- GPR12: 0000000000000000 c00000027fff7f00 0000000000000000 0000000000000000
- GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
- GPR20: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
- GPR24: 0000000000000000 0000000000000007 c000000003de93a8 c000000040aba200
- GPR28: 0000000000000007 c00000000395d8b0 0000000002000006 c0000000079c6540
+ --
+ GPR12: 0000000000000000 c00000027fff7f00 0000000000000000 0000000000000000
+ GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+ GPR20: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+ GPR24: 0000000000000000 0000000000000007 c000000003de93a8 c000000040aba200
+ GPR28: 0000000000000007 c00000000395d8b0 0000000002000006 c0000000079c6540
[ 14.466430] NIP [c0000000001f64a0] papr_hvpipe_dev_create_handle+0x280/0x360
[ 14.466437] LR [c0000000001f635c] papr_hvpipe_dev_create_handle+0x13c/0x360
[ 14.466442] Call Trace:
[ 14.466444] [c00000004e87fad0] [c0000000001f6338] papr_hvpipe_dev_create_handle+0x118/0x360 (unreliable)
[ 14.466450] [c00000004e87fb70] [c0000000001f6638] papr_hvpipe_dev_ioctl+0xb8/0x1c8
[ 14.466455] [c00000004e87fbb0] [c000000000919a14] sys_ioctl+0x174/0x1d0
[ 14.466459] [c00000004e87fc10] [c000000000035e50] system_call_exception+0xf0/0x2d0
[ 14.466464] [c00000004e87fe50] [c00000000000d05c] system_call_vectored_common+0x15c/0x2ec
[ 14.466470] ---- interrupt: 3000 at 0x7edb1af6776c
[ 14.466474] NIP: 00007edb1af6776c LR: 00007edb1af6776c CTR: 0000000000000000
[ 14.466477] REGS: c00000004e87fe80 TRAP: 3000 Not tainted (7.0.0-14-generic)
[ 14.466480] MSR: 800000000280f033 <SF,VEC,VSX,EE,PR,FP,ME,IR,DR,RI,LE> CR: 44002404 XER: 00000000
[ 14.466490] IRQMASK: 0
- GPR00: 0000000000000036 00007edb18dbe020 00007edb1b077000 0000000000000006
- GPR04: 000000008004b209 00007edb18dbe124 0600000000000000 00007edb19781190
-
+ GPR00: 0000000000000036 00007edb18dbe020 00007edb1b077000 0000000000000006
+ GPR04: 000000008004b209 00007edb18dbe124 0600000000000000 00007edb19781190
+
Oops output:
- no
-
+ no
+
System Dump Info:
- The system is not configured to capture a system dump.
-
- *Additional Instructions for [email protected]:
+ The system is not configured to capture a system dump.
+
+ *Additional Instructions for [email protected]:
-Attach sysctl -a output to the bug.
== Comment: #1 - Haren Myneni <[email protected]> - 2026-05-09 19:40:33 ==
This issue is caused by the upstream commit in the 7.0 kernel, so inbandRMC use should be affected on Ubuntu 26.04.
commit 6d3789d347a7af5c4b0b2da3af47b8d9da607ab2
Author: Christian Brauner <[email protected]>
Date: Sun Nov 23 17:33:51 2025 +0100
- papr-hvpipe: convert papr_hvpipe_dev_create_handle() to FD_PREPARE()
-
- Fixes a UAF for src_info as well.
-
- Link: https://patch.msgid.link/[email protected]
- Signed-off-by: Christian Brauner <[email protected]>
+ papr-hvpipe: convert papr_hvpipe_dev_create_handle() to FD_PREPARE()
+
+ Fixes a UAF for src_info as well.
+
+ Link: https://patch.msgid.link/[email protected]
+ Signed-off-by: Christian Brauner <[email protected]>
Ritesh submitted the fix upstream and it should be expected in upstream 7.1.
https://bugs.launchpad.net/bugs/2152161
Title:
Ubuntu26.04 - HVPIPE ioctl generates trace and returns failure