Public bug reported:

== Comment: #0 - Haren Myneni <[email protected]> - 2026-05-09 19:31:07 ==
---Problem Description---
HVPIPE ioctl generates trace and returns failure
 
---Steps to Reproduce---
 - Open HVPIPE (/dev/papr-hvpipe)
- ioctl to get FD for the specific HMC : It should cause oops.
 
---Debugger---
A debugger is not configured
 
Contact Information = [email protected] 
 
Machine Type = pseries 
 
---uname output---
Ubuntu 26.04
 
Stack trace output:
 --
               GPR12: 0000000000000000 c00000027fff7f00 0000000000000000 0000000000000000
               GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
               GPR20: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
               GPR24: 0000000000000000 0000000000000007 c000000003de93a8 c000000040aba200
               GPR28: 0000000000000007 c00000000395d8b0 0000000002000006 c0000000079c6540
[   14.466430] NIP [c0000000001f64a0] papr_hvpipe_dev_create_handle+0x280/0x360
[   14.466437] LR [c0000000001f635c] papr_hvpipe_dev_create_handle+0x13c/0x360
[   14.466442] Call Trace:
[   14.466444] [c00000004e87fad0] [c0000000001f6338] papr_hvpipe_dev_create_handle+0x118/0x360 (unreliable)
[   14.466450] [c00000004e87fb70] [c0000000001f6638] papr_hvpipe_dev_ioctl+0xb8/0x1c8
[   14.466455] [c00000004e87fbb0] [c000000000919a14] sys_ioctl+0x174/0x1d0
[   14.466459] [c00000004e87fc10] [c000000000035e50] system_call_exception+0xf0/0x2d0
[   14.466464] [c00000004e87fe50] [c00000000000d05c] system_call_vectored_common+0x15c/0x2ec
[   14.466470] ---- interrupt: 3000 at 0x7edb1af6776c
[   14.466474] NIP:  00007edb1af6776c LR: 00007edb1af6776c CTR: 0000000000000000
[   14.466477] REGS: c00000004e87fe80 TRAP: 3000   Not tainted  (7.0.0-14-generic)
[   14.466480] MSR:  800000000280f033 <SF,VEC,VSX,EE,PR,FP,ME,IR,DR,RI,LE>  CR: 44002404  XER: 00000000
[   14.466490] IRQMASK: 0
               GPR00: 0000000000000036 00007edb18dbe020 00007edb1b077000 0000000000000006
               GPR04: 000000008004b209 00007edb18dbe124 0600000000000000 00007edb19781190
 
 
Oops output:
 no
 
System Dump Info:
  The system is not configured to capture a system dump.
 
*Additional Instructions for [email protected]: 
-Attach sysctl -a output to the bug.

== Comment: #1 - Haren Myneni <[email protected]> - 2026-05-09 19:40:33 ==
This issue is caused by the upstream commit in the 7.0 kernel - so inbandRMC use
should be affected on Ubuntu 26.04.

commit 6d3789d347a7af5c4b0b2da3af47b8d9da607ab2
Author: Christian Brauner <[email protected]>
Date:   Sun Nov 23 17:33:51 2025 +0100

    papr-hvpipe: convert papr_hvpipe_dev_create_handle() to FD_PREPARE()
    
    Fixes a UAF for src_info as well.
    
    Link: https://patch.msgid.link/[email protected]
    Signed-off-by: Christian Brauner <[email protected]>

Ritesh submitted a fix upstream, and it should be expected in upstream 7.1.

** Affects: linux (Ubuntu)
     Importance: Undecided
     Assignee: Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage)
         Status: New


** Tags: architecture-ppc64le bugnameltc-218892 severity-critical 
targetmilestone-inin2610

** Tags added: architecture-ppc64le bugnameltc-218892 severity-critical
targetmilestone-inin2610

** Changed in: ubuntu
     Assignee: (unassigned) => Ubuntu on IBM Power Systems Bug Triage 
(ubuntu-power-triage)

** Package changed: ubuntu => linux (Ubuntu)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2152161

Title:
  Ubuntu26.04 - HVPIPE ioctl generates trace and returns failure

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2152161/+subscriptions


-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
