09:00:01 <masashi910> #startmeeting CIP IRC weekly meeting
09:00:01 <brlogger> Meeting started Thu Apr 22 09:00:01 2021 UTC and is due to finish in 60 minutes.  The chair is masashi910. Information about MeetBot at http://wiki.debian.org/MeetBot.
09:00:01 <brlogger> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
09:00:01 <brlogger> The meeting name has been set to 'cip_irc_weekly_meeting'
09:00:04 <masashi910> #topic rollcall
09:00:10 <masashi910> please say hi if you're around
09:00:23 <wens> hi
09:00:32 <patersonc> hi
09:00:38 <pave11> hi
09:00:48 <masashi910> Let's get started.
09:00:54 <masashi910> #topic AI review
09:01:04 <masashi910> 1. Combine root filesystem with kselftest binary - iwamatsu
09:01:09 <masashi910> == Quote from iwamatsu  ==
09:01:17 <masashi910> It is progressing little by little. This is discussed on ML and gitlab.
09:01:24 <masashi910> Simple operation has been tested and I have confirmed that it works with QEMU.
09:01:29 <masashi910> ====
09:01:40 <masashi910> 2. Do some experiment to lower burdens on CI - patersonc
09:01:46 <patersonc> No updates :)
09:01:55 <masashi910> patersonc: Sure. Thanks.
09:02:04 <masashi910> 3. Monitor the status of CVE-2021-3444 and CVE-2021-20292 (3/25) - Kernel Team
09:02:11 <masashi910> 4. Monitor the status of CVE-2021-29650 (4/1) - Kernel Team
09:02:22 <wens> No updates for the first two.
09:02:52 <wens> As mentioned in this week's report, pave11's backport fix for CVE-2021-29650 didn't hit the stable ML
09:03:23 <pave11> wens: Ok, I'll make a note to resend and cc you this time.
09:03:26 <wens> Guenter Roeck did a separate backport, but there were some issues and the series has been put on hold # https://lore.kernel.org/stable/1780f159-140b-231f-8af5-ccec049dc8b0@roeck-us.net/
09:04:06 <wens> pave11: I think you used the wrong address for stable? I did get the patch you sent out last week after the meeting, but it's not on the list.
09:05:32 <pave11> wens: I'll need to take a look... and also review the on-list discussion.
09:05:56 <wens> OK.
09:06:01 <masashi910> wens, pave11: Thanks. So, for the moment, I will keep both AIs open.
09:06:31 <masashi910> 5. Update Testing table below with 5.10 info - patersonc
09:06:38 <masashi910> https://wiki.linuxfoundation.org/civilinfrastructureplatform/ciptesting/centalisedtesting/cioverview
09:06:52 <patersonc> I haven't done this yet
09:07:09 <masashi910> patersonc: Ok, I will keep this open.
09:07:25 <masashi910> any other topics?
09:07:30 <masashi910> 3
09:07:35 <masashi910> 2
09:07:40 <masashi910> 1
09:07:43 <masashi910> #topic Kernel maintenance updates
09:07:49 <masashi910> == Quote from iwamatsu  ==
09:07:55 <masashi910> I reviewed 4.9.267 and 5.10.32.
09:08:00 <masashi910> ====
09:08:33 <wens> This week's report: https://lore.kernel.org/cip-dev/CAGb2v662tfa68d6areLEJV=RA3Gwn751-uT7t99uvRe3PN6KKg@mail.gmail.com/
09:08:34 <pave11> I have reviewed patches queued for 5.10.32 & corresponding 4.19 queue.
09:09:21 <wens> Seven CVEs this week: 3 ignored, 3 fixed, of them 1 needs backporting (CVE-2021-23133 [net/sctp: race in sctp_destroy_sock]), and last one has fix queued for -next.
09:10:52 <wens> also for CVE-2021-29155, of all the fix commits, only 1 has a fixes tag.
09:11:14 <masashi910> wens, pave11: Thanks for your work.
09:12:02 <wens> seems CVE-2021-29155 only affects v5.8+
09:12:14 <wens> though I am not 100% certain
09:12:45 <masashi910> Do we need time to check it?
09:12:56 <pave11> wens: If you could push cip-kernel-sec changes, it would be easier to look the information up.
09:13:17 <wens> pave11: right, now pushed
09:13:35 <pave11> wens: Thank you!
09:15:03 <masashi910> wens, pave11: For now, should both CVE-2021-23133 and CVE-2021-29155 be monitored?
09:16:23 <wens> CVE-2021-29155 is bpf related, probably not worth the effort
09:16:48 <masashi910> wens: Ok, thanks for your comment.
09:17:03 <wens> and CVE-2021-23133 is SCTP related. Not sure who uses SCTP for what, but IIRC it's pretty niche.
09:17:59 <pave11> Agreed about bpf.
09:18:16 <pave11> We should really make sure untrusted users are not using BPF on our boxes.
09:18:37 <pave11> SCTP seems to be enabled by at least ./4.19.y-cip/x86/plathome_obsvx2.config
09:18:48 <pave11> Which does not mean they are using it...
09:19:33 <masashi910> wens, pave11: Thanks for your comments. I will ask Minda-san@PlatHome about SCTP.
09:20:17 <pave11> masashi910: It is in Siemens configurations, too.
09:20:53 <masashi910> pave11: Then, I will ask Jan-san as well. Thanks!
09:21:07 <pave11> Thank you!
09:21:16 <masashi910> Any other topics?
09:21:29 <masashi910> 3
09:21:30 <wens> so before v5.8, bpf needed CAP_SYS_ADMIN, or root privs.. After v5.8, it changed to CAP_BPF, allowing non-root users to run bpf.
09:22:13 <masashi910> wens: I see. Thanks for this background.
09:22:20 <wens> I think that means we can ignore CVE-2021-29155. If the user is root they already can look at kernel memory.
09:22:50 <pave11> wens: I'd say so.
09:23:09 <wens> :)
09:23:35 <masashi910> wens, pave11: So, we decided to ignore CVE-2021-29155. Thanks.
09:23:44 <masashi910> 2
09:23:49 <masashi910> 1
09:23:54 <masashi910> #topic Kernel testing
09:24:02 <masashi910> patersonc: The floor is yours.
09:24:15 <patersonc> Sorry I had a Q for the Kernel team
09:24:20 <patersonc> Do we need to do anything with regards to the UMN reverts? (https://lwn.net/SubscriberLink/853717/333c1087131ab995/) Have any of the patches made it into CIP? Or do we just depend on stable reverting the relevant patches?
09:25:13 <pave11> patersonc: We need to revert everything from Greg :-).
09:25:20 <patersonc> ha :P
09:25:41 <pave11> He's wrong here.
09:25:50 <pave11> Let me dig an explanation.
09:26:05 <pave11> https://lore.kernel.org/lkml/20210422083850.GA5316@amd/
09:26:14 <pave11> https://lore.kernel.org/lkml/20210422083850.GA5316@amd/01
09:27:45 <masashi910> patersonc: BTW, revert patches are arriving:
09:27:46 <masashi910> https://lore.kernel.org/stable/YIEVGXEoeizx6O1p@debian/T/#t
09:28:23 <masashi910> patersonc: BTW do you have any updates?
09:28:27 <patersonc> From the emails I've seen, a lot of the UMN patches do actually seem to fix issues
09:28:49 <pave11> patersonc: Please speak up when you see that.
09:28:56 <patersonc> I don't have anything particular to add, it's just a surprising story I just started reading on
09:29:09 <pave11> patersonc: Because Greg is pushing revert without proper review.
09:29:42 <pave11> If that actually hits the stable, we may want to avoid those stable kernels for a while.
09:29:51 <pave11> And yes, it is a big story.
09:30:12 <patersonc> pave11: positive commits example: https://www.spinics.net/lists/kernel/msg3914800.html
09:31:22 <pave11> UMN are not the bad guys, see the email for explanation.
09:31:27 <masashi910> patersonc, pave11: Thanks. If we need to discuss this issue, let's do that after the IRC.
09:31:38 <patersonc> Sure
09:31:43 <patersonc> Onto the testing report...
09:32:23 <patersonc> Work has resumed on getting kselftest working with CIP testing
09:32:38 <patersonc> Our LAVA infrastructure has been behaving for a change
09:32:50 <patersonc> That's probably about it
09:33:07 <pave11> Yes, so... Testing seems to be better now.
09:33:08 <masashi910> patersonc: Thanks for your work.
09:33:11 <masashi910> any other topics?
09:33:18 <pave11> But I still got timeout.
09:33:36 <patersonc> pave11: Dohs. For LAVA jobs? Or for gitlab runners?
09:33:37 <pave11> When three kernels hit testing at the same time (4.4, 4.19, 5.10)... is 2 hours for a job enough?
09:34:03 <pave11> I see it in gitlab. I'm not sure about the background.
09:34:20 <pave11> It is easy to just hit retry, but I guess you should know :-).
09:35:02 <patersonc> I can increase the timeout if you want. Now that we're only using "small" AWS instances for those test jobs the cost impact would be minimal
09:35:22 <patersonc> Are the jobs timing out waiting for the LAVA jobs to run?
09:35:25 <patersonc> Or is there another issue?
09:35:40 <pave11> I'll grab the debug info next time it happens, ok?
09:36:36 <masashi910> pave11: Thanks, yes please.
09:36:44 <masashi910> Any other topics?
09:36:50 <masashi910> 3
09:36:55 <masashi910> 2
09:36:58 <masashi910> 1
09:37:01 <masashi910> #topic CIP Security
09:37:19 <masashi910> Yoshida-san, are you here?
09:37:28 <masashi910> Yoshida-san does not seem to be here, so let's skip.
09:37:33 <masashi910> #topic AOB
09:37:39 <masashi910> 1. Next IRC meeting
09:37:44 <masashi910> I cannot host the IRC meeting next week. Can we skip it?
09:38:07 <pave11> I believe that makes sense.
09:38:28 <patersonc> pave11: Thank you Pavel
09:39:03 <masashi910> pave11: Thanks. Then, let's meet on May 6.
09:39:04 <wens> masashi910: happy golden week holidays :)
09:39:17 <masashi910> wens: Exactly. :)
09:39:26 <masashi910> Is there any business to discuss?
09:39:37 <masashi910> 5
09:39:38 <patersonc> Enjoy the holiday!
09:40:13 <masashi910> patersonc: Oh, Thanks!! But I cannot go anywhere due to COVID19. :(
09:40:23 <masashi910> 4
09:40:28 <masashi910> 3
09:40:31 <masashi910> 2
09:40:34 <masashi910> 1
09:40:37 <masashi910> So, let's close today's meeting.
09:40:42 <masashi910> #endmeeting