This bug was fixed in the package linux - 5.3.0-64.58

---------------
linux (5.3.0-64.58) eoan; urgency=medium

  * eoan/linux: 5.3.0-64.58 -proposed tracker (LP: #1887088)

  * linux 4.15.0-109-generic network DoS regression vs -108 (LP: #1886668)
    - SAUCE: Revert "netprio_cgroup: Fix unlimited memory leak of v2 cgroups"

linux (5.3.0-63.57) eoan; urgency=medium

  * eoan/linux: 5.3.0-63.57 -proposed tracker (LP: #1885495)

  * seccomp_bpf fails on powerpc (LP: #1885757)
    - SAUCE: selftests/seccomp: fix ptrace tests on powerpc

  * The thread level parallelism would be a bottleneck when searching for the shared pmd by using hugetlbfs (LP: #1882039)
    - hugetlbfs: take read_lock on i_mmap for PMD sharing

  * Eoan update: upstream stable patchset 2020-06-30 (LP: #1885775)
    - ipv6: fix IPV6_ADDRFORM operation logic
    - net_failover: fixed rollback in net_failover_open()
    - bridge: Avoid infinite loop when suppressing NS messages with invalid options
    - vxlan: Avoid infinite loop when suppressing NS messages with invalid options
    - tun: correct header offsets in napi frags mode
    - Input: mms114 - fix handling of mms345l
    - ARM: 8977/1: ptrace: Fix mask for thumb breakpoint hook
    - sched/fair: Don't NUMA balance for kthreads
    - Input: synaptics - add a second working PNP_ID for Lenovo T470s
    - drivers/net/ibmvnic: Update VNIC protocol version reporting
    - powerpc/xive: Clear the page tables for the ESB IO mapping
    - ath9k_htc: Silence undersized packet warnings
    - RDMA/uverbs: Make the event_queue fds return POLLERR when disassociated
    - x86/cpu/amd: Make erratum #1054 a legacy erratum
    - perf probe: Accept the instance number of kretprobe event
    - mm: add kvfree_sensitive() for freeing sensitive data objects
    - aio: fix async fsync creds
    - x86_64: Fix jiffies ODR violation
    - x86/PCI: Mark Intel C620 MROMs as having non-compliant BARs
    - x86/speculation: Prevent rogue cross-process SSBD shutdown
    - x86/reboot/quirks: Add MacBook6,1 reboot quirk
    - efi/efivars: Add missing kobject_put() in sysfs entry creation error path
    - ALSA: es1688: Add the missed snd_card_free()
    - ALSA: hda/realtek - add a pintbl quirk for several
      Lenovo machines
    - ALSA: usb-audio: Fix inconsistent card PM state after resume
    - ALSA: usb-audio: Add vendor, product and profile name for HP Thunderbolt Dock
    - ACPI: sysfs: Fix reference count leak in acpi_sysfs_add_hotplug_profile()
    - ACPI: CPPC: Fix reference count leak in acpi_cppc_processor_probe()
    - ACPI: GED: add support for _Exx / _Lxx handler methods
    - ACPI: PM: Avoid using power resources if there are none for D0
    - nilfs2: fix null pointer dereference at nilfs_segctor_do_construct()
    - spi: dw: Fix controller unregister order
    - spi: bcm2835aux: Fix controller unregister order
    - spi: bcm-qspi: when tx/rx buffer is NULL set to 0
    - PM: runtime: clk: Fix clk_pm_runtime_get() error path
    - crypto: cavium/nitrox - Fix 'nitrox_get_first_device()' when ndevlist is fully iterated
    - ALSA: pcm: disallow linking stream to itself
    - x86/{mce,mm}: Unmap the entire page if the whole page is affected and poisoned
    - KVM: x86: Fix APIC page invalidation race
    - KVM: x86/mmu: Consolidate "is MMIO SPTE" code
    - KVM: x86: only do L1TF workaround on affected processors
    - x86/speculation: Avoid force-disabling IBPB based on STIBP and enhanced IBRS.
    - x86/speculation: PR_SPEC_FORCE_DISABLE enforcement for indirect branches.
    - spi: Fix controller unregister order
    - spi: pxa2xx: Fix controller unregister order
    - spi: bcm2835: Fix controller unregister order
    - spi: pxa2xx: Fix runtime PM ref imbalance on probe error
    - crypto: virtio: Fix use-after-free in virtio_crypto_skcipher_finalize_req()
    - crypto: virtio: Fix src/dst scatterlist calculation in __virtio_crypto_skcipher_do_req()
    - crypto: virtio: Fix dest length calculation in __virtio_crypto_skcipher_do_req()
    - selftests/net: in rxtimestamp getopt_long needs terminating null entry
    - ovl: initialize error in ovl_copy_xattr
    - proc: Use new_inode not new_inode_pseudo
    - video: fbdev: w100fb: Fix a potential double free.
    - KVM: nSVM: fix condition for filtering async PF
    - KVM: nSVM: leave ASID aside in copy_vmcb_control_area
    - KVM: nVMX: Consult only the "basic" exit reason when routing nested exit
    - KVM: MIPS: Define KVM_ENTRYHI_ASID to cpu_asid_mask(&boot_cpu_data)
    - KVM: MIPS: Fix VPN2_MASK definition for variable cpu_vmbits
    - KVM: arm64: Make vcpu_cp1x() work on Big Endian hosts
    - scsi: megaraid_sas: TM command refire leads to controller firmware crash
    - ath9k: Fix use-after-free Read in ath9k_wmi_ctrl_rx
    - ath9k: Fix use-after-free Write in ath9k_htc_rx_msg
    - ath9x: Fix stack-out-of-bounds Write in ath9k_hif_usb_rx_cb
    - ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb
    - Smack: slab-out-of-bounds in vsscanf
    - drm/vkms: Hold gem object while still in-use
    - mm/slub: fix a memory leak in sysfs_slab_add()
    - fat: don't allow to mount if the FAT length == 0
    - perf: Add cond_resched() to task_function_call()
    - agp/intel: Reinforce the barrier after GTT updates
    - mmc: sdhci-msm: Clear tuning done flag while hs400 tuning
    - ARM: dts: at91: sama5d2_ptc_ek: fix sdmmc0 node description
    - mmc: sdio: Fix potential NULL pointer error in mmc_sdio_init_card()
    - xen/pvcalls-back: test for errors when calling backend_connect()
    - KVM: arm64: Synchronize sysreg state on injecting an AArch32 exception
    - ACPI: GED: use correct trigger type field in _Exx / _Lxx handling
    - drm: bridge: adv7511: Extend list of audio sample rates
    - crypto: ccp -- don't "select" CONFIG_DMADEVICES
    - media: si2157: Better check for running tuner in init
    - objtool: Ignore empty alternatives
    - spi: pxa2xx: Apply CS clk quirk to BXT
    - net: atlantic: make hw_get_regs optional
    - net: ena: fix error returning in ena_com_get_hash_function()
    - efi/libstub/x86: Work around LLVM ELF quirk build regression
    - arm64: cacheflush: Fix KGDB trap detection
    - spi: dw: Zero DMA Tx and Rx configurations on stack
    - arm64: insn: Fix two bugs in encoding 32-bit logical immediates
    - ixgbe: Fix XDP redirect on archs with PAGE_SIZE above 4K
    - MIPS: Loongson: Build ATI Radeon GPU driver as module
    - Bluetooth: Add SCO fallback for invalid LMP parameters error
    - kgdb: Disable WARN_CONSOLE_UNLOCKED for all kgdb
    - kgdb: Prevent infinite recursive entries to the debugger
    - spi: dw: Enable interrupts in accordance with DMA xfer mode
    - clocksource: dw_apb_timer: Make CPU-affiliation being optional
    - clocksource: dw_apb_timer_of: Fix missing clockevent timers
    - btrfs: do not ignore error from btrfs_next_leaf() when inserting checksums
    - ARM: 8978/1: mm: make act_mm() respect THREAD_SIZE
    - batman-adv: Revert "disable ethtool link speed detection when auto negotiation off"
    - mmc: meson-mx-sdio: trigger a soft reset after a timeout or CRC error
    - spi: dw: Fix Rx-only DMA transfers
    - x86/kvm/hyper-v: Explicitly align hcall param for kvm_hyperv_exit
    - net: vmxnet3: fix possible buffer overflow caused by bad DMA value in vmxnet3_get_rss()
    - staging: android: ion: use vmap instead of vm_map_ram
    - brcmfmac: fix wrong location to get firmware feature
    - tools api fs: Make xxx__mountpoint() more scalable
    - e1000: Distribute switch variables for initialization
    - dt-bindings: display: mediatek: control dpi pins mode to avoid leakage
    - audit: fix a net reference leak in audit_send_reply()
    - media: dvb: return -EREMOTEIO on i2c transfer failure.
    - media: platform: fcp: Set appropriate DMA parameters
    - MIPS: Make sparse_init() using top-down allocation
    - Bluetooth: btbcm: Add 2 missing models to subver tables
    - audit: fix a net reference leak in audit_list_rules_send()
    - netfilter: nft_nat: return EOPNOTSUPP if type or flags are not supported
    - selftests/bpf: Fix memory leak in extract_build_id()
    - net: bcmgenet: set Rx mode before starting netif
    - lib/mpi: Fix 64-bit MIPS build with Clang
    - exit: Move preemption fixup up, move blocking operations down
    - sched/core: Fix illegal RCU from offline CPUs
    - drivers/perf: hisi: Fix typo in events attribute array
    - net: lpc-enet: fix error return code in lpc_mii_init()
    - media: cec: silence shift wrapping warning in __cec_s_log_addrs()
    - net: allwinner: Fix use correct return type for ndo_start_xmit()
    - powerpc/spufs: fix copy_to_user while atomic
    - xfs: clean up the error handling in xfs_swap_extents
    - Crypto/chcr: fix for ccm(aes) failed test
    - MIPS: Truncate link address into 32bit for 32bit kernel
    - mips: cm: Fix an invalid error code of INTVN_*_ERR
    - kgdb: Fix spurious true from in_dbg_master()
    - xfs: reset buffer write failure state on successful completion
    - xfs: fix duplicate verification from xfs_qm_dqflush()
    - platform/x86: intel-vbtn: Use acpi_evaluate_integer()
    - platform/x86: intel-vbtn: Split keymap into buttons and switches parts
    - platform/x86: intel-vbtn: Do not advertise switches to userspace if they are not there
    - platform/x86: intel-vbtn: Also handle tablet-mode switch on "Detachable" and "Portable" chassis-types
    - nvme: refine the Qemu Identify CNS quirk
    - ath10k: Remove msdu from idr when management pkt send fails
    - wcn36xx: Fix error handling path in 'wcn36xx_probe()'
    - net: qed*: Reduce RX and TX default ring count when running inside kdump kernel
    - mt76: avoid rx reorder buffer overflow
    - md: don't flush workqueue unconditionally in md_open
    - veth: Adjust hard_start offset on redirect XDP frames
    - net/mlx5e: IPoIB, Drop multicast packets
      that this interface sent
    - rtlwifi: Fix a double free in _rtl_usb_tx_urb_setup()
    - mwifiex: Fix memory corruption in dump_station
    - x86/boot: Correct relocation destination on old linkers
    - mips: MAAR: Use more precise address mask
    - mips: Add udelay lpj numbers adjustment
    - crypto: stm32/crc32 - fix ext4 chksum BUG_ON()
    - crypto: stm32/crc32 - fix run-time self test issue.
    - crypto: stm32/crc32 - fix multi-instance
    - x86/mm: Stop printing BRK addresses
    - m68k: mac: Don't call via_flush_cache() on Mac IIfx
    - btrfs: qgroup: mark qgroup inconsistent if we're inherting snapshot to a new qgroup
    - macvlan: Skip loopback packets in RX handler
    - PCI: Don't disable decoding when mmio_always_on is set
    - MIPS: Fix IRQ tracing when call handle_fpe() and handle_msa_fpe()
    - bcache: fix refcount underflow in bcache_device_free()
    - mmc: sdhci-msm: Set SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12 quirk
    - staging: greybus: sdio: Respect the cmd->busy_timeout from the mmc core
    - mmc: via-sdmmc: Respect the cmd->busy_timeout from the mmc core
    - ixgbe: fix signed-integer-overflow warning
    - mmc: sdhci-esdhc-imx: fix the mask for tuning start point
    - spi: dw: Return any value retrieved from the dma_transfer callback
    - cpuidle: Fix three reference count leaks
    - platform/x86: hp-wmi: Convert simple_strtoul() to kstrtou32()
    - platform/x86: intel-hid: Add a quirk to support HP Spectre X2 (2015)
    - platform/x86: intel-vbtn: Only blacklist SW_TABLET_MODE on the 9 / "Laptop" chasis-type
    - string.h: fix incompatibility between FORTIFY_SOURCE and KASAN
    - btrfs: include non-missing as a qualifier for the latest_bdev
    - btrfs: send: emit file capabilities after chown
    - mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked()
    - mm: initialize deferred pages with interrupts enabled
    - ima: Fix ima digest hash table key calculation
    - ima: Directly assign the ima_default_policy pointer to ima_rules
    - evm: Fix possible memory leak in evm_calc_hmac_or_hash()
    - ext4: fix EXT_MAX_EXTENT/INDEX to check
      for zeroed eh_max
    - ext4: fix error pointer dereference
    - ext4: fix race between ext4_sync_parent() and rename()
    - PCI: Avoid Pericom USB controller OHCI/EHCI PME# defect
    - PCI: Add ACS quirk for iProc PAXB
    - PCI: Add ACS quirk for Intel Root Complex Integrated Endpoints
    - PCI: mediatek: Add controller support for MT7629
    - ALSA: lx6464es - add support for LX6464ESe pci express variant
    - PCI: Add Genesys Logic, Inc. Vendor ID
    - PCI: Add Amazon's Annapurna Labs vendor ID
    - PCI: vmd: Add device id for VMD device 8086:9A0B
    - x86/amd_nb: Add Family 19h PCI IDs
    - PCI: Add Loongson vendor ID
    - serial: 8250_pci: Move Pericom IDs to pci_ids.h
    - btrfs: fix error handling when submitting direct I/O bio
    - btrfs: fix wrong file range cleanup after an error filling dealloc range
    - ima: Call ima_calc_boot_aggregate() in ima_eventdigest_init()
    - PCI: Program MPS for RCiEP devices
    - e1000e: Relax condition to trigger reset for ME workaround
    - carl9170: remove P2P_GO support
    - media: go7007: fix a miss of snd_card_free
    - Bluetooth: hci_bcm: fix freeing not-requested IRQ
    - b43legacy: Fix case where channel status is corrupted
    - b43: Fix connection problem with WPA3
    - b43_legacy: Fix connection problem with WPA3
    - media: ov5640: fix use of destroyed mutex
    - igb: Report speed and duplex as unknown when device is runtime suspended
    - power: vexpress: add suppress_bind_attrs to true
    - pinctrl: samsung: Correct setting of eint wakeup mask on s5pv210
    - pinctrl: samsung: Save/restore eint_mask over suspend for EINT_TYPE GPIOs
    - gnss: sirf: fix error return code in sirf_probe()
    - sparc32: fix register window handling in genregs32_[gs]et()
    - sparc64: fix misuses of access_process_vm() in genregs32_[sg]et()
    - dm crypt: avoid truncating the logical block size
    - alpha: fix memory barriers so that they conform to the specification
    - kernel/cpu_pm: Fix uninitted local in cpu_pm
    - ARM: tegra: Correct PL310 Auxiliary Control Register initialization
    - ARM: dts: exynos: Fix GPIO polarity for thr
      GalaxyS3 CM36651 sensor's bus
    - ARM: dts: at91: sama5d2_ptc_ek: fix vbus pin
    - ARM: dts: s5pv210: Set keep-power-in-suspend for SDHCI1 on Aries
    - drivers/macintosh: Fix memleak in windfarm_pm112 driver
    - powerpc/64s: Don't let DT CPU features set FSCR_DSCR
    - powerpc/64s: Save FSCR to init_task.thread.fscr after feature init
    - kbuild: force to build vmlinux if CONFIG_MODVERSION=y
    - sunrpc: svcauth_gss_register_pseudoflavor must reject duplicate registrations.
    - sunrpc: clean up properly in gss_mech_unregister()
    - mtd: rawnand: brcmnand: fix hamming oob layout
    - mtd: rawnand: pasemi: Fix the probe error path
    - w1: omap-hdq: cleanup to add missing newline for some dev_dbg
    - perf probe: Do not show the skipped events
    - perf probe: Fix to check blacklist address correctly
    - perf probe: Check address correctness by map instead of _etext
    - perf symbols: Fix debuginfo search for Ubuntu
    - mlxsw: core: Use different get_trend() callbacks for different thermal zones
    - elfnote: mark all .note sections SHF_ALLOC
    - csky: Fixup abiv2 syscall_trace break a4 & a5
    - gfs2: Even more gfs2_find_jhead fixes
    - spi: dw: Fix native CS being unset
    - s390/pci: Log new handle in clp_disable_fh()
    - PCI/PM: Adjust pcie_wait_for_link_delay() for caller delay
    - selftests: fix flower parent qdisc
    - fanotify: fix ignore mask logic for events on child and on dir
    - perf/x86/intel: Add more available bits for OFFCORE_RESPONSE of Intel Tremont
    - KVM: x86: respect singlestep when emulating instruction
    - powerpc/ptdump: Properly handle non standard page size
    - ASoC: max9867: fix volume controls
    - io_uring: use kvfree() in io_sqe_buffer_register()
    - smb3: fix incorrect number of credits when ioctl MaxOutputResponse > 64K
    - smb3: add indatalen that can be a non-zero value to calculation of credit charge in smb2 ioctl
    - watchdog: imx_sc_wdt: Fix reboot on crash
    - ALSA: fireface: fix configuration error for nominal sampling transfer frequency
    - ALSA: pcm: fix snd_pcm_link() lockdep splat
    - arm64: acpi: fix
      UBSAN warning
    - lib/lzo: fix ambiguous encoding bug in lzo-rle
    - spi: bcm-qspi: Handle clock probe deferral
    - gup: document and work around "COW can break either way" issue
    - crypto: algapi - Avoid spurious modprobe on LOADED
    - crypto: drbg - fix error return code in drbg_alloc_state()
    - firmware: imx: warn on unexpected RX
    - firmware: imx-scu: Support one TX and one RX
    - firmware: imx: scu: Fix corruption of header
    - dccp: Fix possible memleak in dccp_init and dccp_fini
    - net/mlx5: drain health workqueue in case of driver load error
    - net/mlx5: Fix fatal error handling during device load
    - net/mlx5e: Fix repeated XSK usage on one channel
    - remoteproc: Fall back to using parent memory pool if no dedicated available
    - remoteproc: Fix and restore the parenting hierarchy for vdev
    - cpufreq: Fix up cpufreq_boost_set_sw()
    - EDAC/skx: Use the mcmtr register to retrieve close_pg/bank_xor_enable
    - video: vt8500lcdfb: fix fallthrough warning
    - KVM: nVMX: Skip IBPB when switching between vmcs01 and vmcs02
    - KVM: arm64: Stop writing aarch32's CSSELR into ACTLR
    - selftests/ftrace: Return unsupported if no error_log file
    - mmc: mmci_sdmmc: fix DMA API warning overlapping mappings
    - mmc: tmio: Further fixup runtime PM management at remove
    - mmc: uniphier-sd: call devm_request_irq() after tmio_mmc_host_probe()
    - mmc: sdio: Fix several potential memory leaks in mmc_sdio_init_card()
    - block/floppy: fix contended case in floppy_queue_rq()
    - KVM: arm64: Save the host's PtrAuth keys in non-preemptible context

  * Eoan update: upstream stable patchset 2020-06-24 (LP: #1885011)
    - devinet: fix memleak in inetdev_init()
    - l2tp: add sk_family checks to l2tp_validate_socket
    - l2tp: do not use inet_hash()/inet_unhash()
    - net: usb: qmi_wwan: add Telit LE910C1-EUX composition
    - NFC: st21nfca: add missed kfree_skb() in an error path
    - vsock: fix timeout in vsock_accept()
    - net: check untrusted gso_size at kernel entry
    - USB: serial: qcserial: add DW5816e QDL support
    - USB: serial: usb_wwan: do
      not resubmit rx urb on fatal errors
    - USB: serial: option: add Telit LE910C1-EUX compositions
    - iio: vcnl4000: Fix i2c swapped word reading.
    - usb: musb: start session in resume for host port
    - usb: musb: Fix runtime PM imbalance on error
    - vt: keyboard: avoid signed integer overflow in k_ascii
    - tty: hvc_console, fix crashes on parallel open/close
    - staging: rtl8712: Fix IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK
    - CDC-ACM: heed quirk also in error handling
    - nvmem: qfprom: remove incorrect write support
    - uprobes: ensure that uprobe->offset and ->ref_ctr_offset are properly aligned
    - Revert "net/mlx5: Annotate mutex destroy for root ns"
    - net/mlx5: Fix crash upon suspend/resume
    - net: stmmac: enable timestamp snapshot for required PTP packets in dwmac v5.10a
    - nfp: flower: fix used time of merge flow statistics
    - net: be more gentle about silly gso requests coming from user
    - USB: serial: ch341: add basis for quirk detection
    - iio:chemical:sps30: Fix timestamp alignment
    - iio:chemical:pms7003: Fix timestamp alignment and prevent data leak.
    - iio: adc: stm32-adc: fix a wrong error message when probing interrupts

  * Eoan update: upstream stable patchset 2020-06-19 (LP: #1884296)
    - Revert "cgroup: Add memory barriers to plug cgroup_rstat_updated() race window"
    - HID: sony: Fix for broken buttons on DS3 USB dongles
    - HID: i2c-hid: add Schneider SCL142ALM to descriptor override
    - p54usb: add AirVasT USB stick device-id
    - mmc: fix compilation of user API
    - scsi: ufs: Release clock if DMA map fails
    - net: dsa: mt7530: set CPU port to fallback mode
    - airo: Fix read overflows sending packets
    - powerpc/powernv: Avoid re-registration of imc debugfs directory
    - s390/ftrace: save traced function caller
    - ARC: Fix ICCM & DCCM runtime size checks
    - ARC: [plat-eznps]: Restrict to CONFIG_ISA_ARCOMPACT
    - evm: Fix RCU list related warnings
    - i2c: altera: Fix race between xfer_msg and isr thread
    - x86/mmiotrace: Use cpumask_available() for cpumask_var_t variables
    - net: bmac: Fix read of MAC address from ROM
    - drm/edid: Add Oculus Rift S to non-desktop list
    - s390/mm: fix set_huge_pte_at() for empty ptes
    - null_blk: return error for invalid zone size
    - net/ethernet/freescale: rework quiesce/activate for ucc_geth
    - net: ethernet: stmmac: Enable interface clocks on probe for IPQ806x
    - net: smsc911x: Fix runtime PM imbalance on error
    - HID: multitouch: add support for the Smart Tech panel
    - HID: multitouch: enable multi-input as a quirk for some devices
    - mt76: mt76x02u: Add support for newer versions of the XBox One wifi adapter
    - media: Revert "staging: imgu: Address a compiler warning on alignment"
    - media: staging: ipu3-imgu: Move alignment attribute to field
    - ASoC: intel - fix the card names
    - RDMA/qedr: Fix qpids xarray api used
    - RDMA/qedr: Fix synchronization methods and memory leaks in qedr
    - io_uring: initialize ctx->sqo_wait earlier
    - selftests: mlxsw: qos_mc_aware: Specify arping timeout as an integer

  * Eoan update: upstream stable patchset 2020-06-09 (LP: #1882831)
    - ax25: fix setsockopt(SO_BINDTODEVICE)
    - dpaa_eth: fix usage as DSA master, try 3
    - net: dsa: mt7530: fix roaming from DSA user ports
    - __netif_receive_skb_core: pass skb by reference
    - net: inet_csk: Fix so_reuseport bind-address cache in tb->fast*
    - net: ipip: fix wrong address family in init error path
    - net/mlx5: Add command entry handling completion
    - net: qrtr: Fix passing invalid reference to qrtr_local_enqueue()
    - net: revert "net: get rid of an signed integer overflow in ip_idents_reserve()"
    - net sched: fix reporting the first-time use timestamp
    - r8152: support additional Microsoft Surface Ethernet Adapter variant
    - sctp: Don't add the shutdown timer if its already been added
    - sctp: Start shutdown on association restart if in SHUTDOWN-SENT state and socket is closed
    - net/mlx5e: Update netdev txq on completions during closure
    - net/mlx5: Annotate mutex destroy for root ns
    - net: sun: fix missing release regions in cas_init_one().
    - net/mlx4_core: fix a memory leak bug.
    - mlxsw: spectrum: Fix use-after-free of split/unsplit/type_set in case reload fails
    - ARM: dts: rockchip: fix phy nodename for rk3228-evb
    - arm64: dts: rockchip: fix status for &gmac2phy in rk3328-evb.dts
    - arm64: dts: rockchip: swap interrupts interrupt-names rk3399 gpu node
    - ARM: dts: rockchip: swap clock-names of gpu nodes
    - ARM: dts: rockchip: fix pinctrl sub nodename for spi in rk322x.dtsi
    - gpio: tegra: mask GPIO IRQs during IRQ shutdown
    - ALSA: usb-audio: add mapping for ASRock TRX40 Creator
    - net: microchip: encx24j600: add missed kthread_stop
    - gfs2: move privileged user check to gfs2_quota_lock_check
    - cachefiles: Fix race between read_waiter and read_copier involving op->to_do
    - usb: dwc3: pci: Enable extcon driver for Intel Merrifield
    - usb: gadget: legacy: fix redundant initialization warnings
    - net: freescale: select CONFIG_FIXED_PHY where needed
    - IB/i40iw: Remove bogus call to netdev_master_upper_dev_get()
    - riscv: stacktrace: Fix undefined reference to `walk_stackframe'
    - cifs: Fix null pointer check in
      cifs_read
    - samples: bpf: Fix build error
    - Input: usbtouchscreen - add support for BonXeon TP
    - Input: evdev - call input_flush_device() on release(), not flush()
    - Input: xpad - add custom init packet for Xbox One S controllers
    - Input: dlink-dir685-touchkeys - fix a typo in driver name
    - Input: i8042 - add ThinkPad S230u to i8042 reset list
    - Input: synaptics-rmi4 - really fix attn_data use-after-free
    - Input: synaptics-rmi4 - fix error return code in rmi_driver_probe()
    - ARM: 8970/1: decompressor: increase tag size
    - ARM: uaccess: consolidate uaccess asm to asm/uaccess-asm.h
    - ARM: uaccess: integrate uaccess_save and uaccess_restore
    - ARM: uaccess: fix DACR mismatch with nested exceptions
    - gpio: exar: Fix bad handling for ida_simple_get error path
    - IB/qib: Call kobject_put() when kobject_init_and_add() fails
    - ARM: dts/imx6q-bx50v3: Set display interface clock parents
    - ARM: dts: bcm2835-rpi-zero-w: Fix led polarity
    - ARM: dts: bcm: HR2: Fix PPI interrupt types
    - mmc: block: Fix use-after-free issue for rpmb
    - RDMA/pvrdma: Fix missing pci disable in pvrdma_pci_probe()
    - ALSA: hwdep: fix a left shifting 1 by 31 UB bug
    - ALSA: hda/realtek - Add a model for Thinkpad T570 without DAC workaround
    - ALSA: usb-audio: mixer: volume quirk for ESS Technology Asus USB DAC
    - exec: Always set cap_ambient in cap_bprm_set_creds
    - ALSA: usb-audio: Quirks for Gigabyte TRX40 Aorus Master onboard audio
    - ALSA: hda/realtek - Add new codec supported for ALC287
    - libceph: ignore pool overlay and cache logic on redirects
    - IB/ipoib: Fix double free of skb in case of multicast traffic in CM mode
    - mm: remove VM_BUG_ON(PageSlab()) from page_mapcount()
    - fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info()
    - include/asm-generic/topology.h: guard cpumask_of_node() macro argument
    - iommu: Fix reference count leak in iommu_group_alloc.
    - parisc: Fix kernel panic in mem_init()
    - RDMA/core: Fix double destruction of uobject
    - mac80211: mesh: fix discovery timer re-arming issue / crash
    - x86/dma: Fix max PFN arithmetic overflow on 32 bit systems
    - copy_xstate_to_kernel(): don't leave parts of destination uninitialized
    - xfrm: allow to accept packets with ipv6 NEXTHDR_HOP in xfrm_input
    - xfrm: call xfrm_output_gso when inner_protocol is set in xfrm_output
    - xfrm interface: fix oops when deleting a x-netns interface
    - xfrm: fix a warning in xfrm_policy_insert_list
    - xfrm: fix a NULL-ptr deref in xfrm_local_error
    - xfrm: fix error in comment
    - ip_vti: receive ipip packet by calling ip_tunnel_rcv
    - netfilter: nft_reject_bridge: enable reject with bridge vlan
    - netfilter: ipset: Fix subcounter update skip
    - netfilter: nfnetlink_cthelper: unbreak userspace helper support
    - netfilter: nf_conntrack_pptp: prevent buffer overflows in debug code
    - esp6: get the right proto for transport mode in esp6_gso_encap
    - bnxt_en: Fix accumulation of bp->net_stats_prev.
    - xsk: Add overflow check for u64 division, stored into u32
    - qlcnic: fix missing release in qlcnic_83xx_interrupt_test.
    - crypto: chelsio/chtls: properly set tp->lsndtime
    - bonding: Fix reference count leak in bond_sysfs_slave_add.
    - netfilter: nf_conntrack_pptp: fix compilation warning with W=1 build
    - net: don't return invalid table id error when we fall back to PF_UNSPEC
    - net: ethernet: ti: cpsw: fix ASSERT_RTNL() warning during suspend
    - net: mvpp2: fix RX hashing for non-10G ports
    - net: nlmsg_cancel() if put fails for nhmsg
    - net/tls: fix race condition causing kernel panic
    - nexthop: Fix attribute checking for groups
    - tipc: block BH before using dst_cache
    - net/mlx5e: kTLS, Destroy key object after destroying the TIS
    - net/mlx5e: Fix inner tirs handling
    - net/mlx5: Fix memory leak in mlx5_events_init
    - net/mlx5: Fix error flow in case of function_setup failure
    - net/tls: fix encryption error checking
    - net/tls: free record only on encryption error
    - gfs2: Grab glock reference sooner in gfs2_add_revoke
    - drm/amd/powerplay: perform PG ungate prior to CG ungate
    - usb: phy: twl6030-usb: Fix a resource leak in an error handling path in 'twl6030_usb_probe()'
    - clk: ti: am33xx: fix RTC clock parent
    - csky: Fixup msa highest 3 bits mask
    - csky: Fixup perf callchain unwind
    - csky: Fixup remove duplicate irq_disable
    - csky: Fixup raw_copy_from_user()
    - arm64: dts: mt8173: fix vcodec-enc clock
    - soc: mediatek: cmdq: return send msg error code
    - gpu/drm: Ingenic: Fix opaque pointer casted to wrong type
    - gpio: pxa: Fix return value of pxa_gpio_probe()
    - gpio: bcm-kona: Fix return value of bcm_kona_gpio_probe()
    - ceph: flush release queue when handling caps for unknown inode
    - drm/amd/display: drop cursor position check in atomic test
    - Revert "block: end bio with BLK_STS_AGAIN in case of non-mq devs and REQ_NOWAIT"
    - gpio: fix locking open drain IRQ lines
    - xfrm: do pskb_pull properly in __xfrm_transport_prep
    - xfrm: remove the xfrm_state_put call becofe going to out_reset
    - netfilter: conntrack: make conntrack userspace helpers work again
    - ieee80211: Fix incorrect mask for default PE duration
    - nexthops: Move code from remove_nexthop_from_groups to remove_nh_grp_entry
    - nexthops: don't modify
      published nexthop groups
    - nexthop: Expand nexthop_is_multipath in a few places
    - ipv4: nexthop version of fib_info_nh_uses_dev
    - netfilter: conntrack: comparison of unsigned in cthelper confirmation
    - netfilter: conntrack: Pass value of ctinfo to __nf_conntrack_update
    - perf: Make perf able to build with latest libbfd

  * shiftfs: O_TMPFILE reports ESTALE (LP: #1872757)
    - SAUCE: shiftfs: prevent ESTALE for LOOKUP_JUMP lookups

  * shiftfs: fix btrfs regression (LP: #1884767)
    - SAUCE: Revert "UBUNTU: SAUCE: shiftfs: fix dentry revalidation"

  * Update lockdown patches (LP: #1884159)
    - efi/efi_test: Lock down /dev/efi_test and require CAP_SYS_ADMIN
    - efi: Restrict efivar_ssdt_load when the kernel is locked down
    - powerpc/xmon: Restrict when kernel is locked down
    - SAUCE: acpi: disallow loading configfs acpi tables when locked down

  * ip_defrag.sh in net from ubuntu_kernel_selftests failed with 5.0 / 5.3 / 5.4 kernel (LP: #1826848)
    - SAUCE: selftests: net: ip_defrag: limit packet to 1000 fragments
    - selftests: net: ip_defrag: ignore EPERM

  * CVE-2020-10757
    - mm: Fix mremap not considering huge pmd devmap

  * CVE-2020-11935
    - SAUCE: aufs: do not call i_readcount_inc()
    - SAUCE: aufs: bugfix, IMA i_readcount

  * apparmor reference leak causes refcount_t overflow with af_alg_accept() (LP: #1883962)
    - apparmor: check/put label on apparmor_sk_clone_security()

  * CVE-2019-16089
    - SAUCE: nbd_genl_status: null check for nla_nest_start

  * CVE-2019-19642
    - kernel/relay.c: handle alloc_percpu returning NULL in relay_open

 -- Khalid Elmously <khalid.elmou...@canonical.com>  Fri, 10 Jul 2020 15:22:34 -0400

** Changed in: linux (Ubuntu Eoan)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-10757

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1886668

Title:
  linux 4.15.0-109-generic network DoS regression vs -108

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Bionic:
  Fix Released
Status in linux source package in Eoan:
  Fix Released
Status in linux source package in Focal:
  Fix Released
Status in linux source package in Groovy:
  In Progress

Bug description:
  [Impact]
  On systems using cgroups and sockets extensively, like docker, kubernetes, lxd, libvirt, a crash might happen when using linux 4.15.0-109-generic.

  [Fix]
  Revert the patch that disables sk_alloc cgroup refcounting when tasks are added to net_prio cgroup.

  [Test case]
  Test that such environments where the issue is reproduced survive some hours of uptime. A different bug was reproduced with a work-in-progress code and was not reproduced with the culprit reverted.

  [Regression potential]
  The reverted commit fixes a memory leak on similar scenarios. But a leak is better than a crash. Two other bugs have been opened to track a real fix for this issue and the leak.

  ----------------------------------------------------------

  Reported from a user:

  Several of our infrastructure VMs recently started crashing (oops attached), after they upgraded to -109. -108 appears to be stable.

  Analysing the crash, it appears to be a wild pointer access in a BPF filter, which makes this (probably) a network-traffic triggered crash.

[ 696.396831] general protection fault: 0000 [#1] SMP PTI [ 696.396843] Modules linked in: iscsi_target_mod target_core_mod ipt_MASQUERADE nf_nat_masquerade_ipv4 nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 xt_addrtype iptable_filter xt_conntrack nf_nat nf_conntrack br_netfilter bridge nfsv3 cmac arc4 md4 rpcsec_gss_krb5 nfsv4 nls_utf8 cifs nfs aufs ccm fscache binfmt_misc overlay xfs libcrc32c intel_rapl crct10dif_pclmul crc32_pclmul ghash_clmulni_intel ppdev pcbc aesni_intel aes_x86_64 crypto_simd glue_helper cryptd input_leds joydev intel_rapl_perf serio_raw parport_pc parport mac_hid sch_fq_codel nfsd 8021q auth_rpcgss garp nfs_acl mrp lockd stp llc grace xenfs sunrpc xen_privcmd ip_tables x_tables autofs4 hid_generic usbhid hid psmouse i2c_piix4 pata_acpi floppy [ 696.396966] CPU: 6 PID: 0 Comm: swapper/6 Not tainted 4.15.0-109-generic #110-Ubuntu [ 696.396979] Hardware name: Xen HVM domU, BIOS 4.7.6-1.26 12/03/2018 [ 696.396993] RIP: 0010:__cgroup_bpf_run_filter_skb+0xbb/0x1e0 [ 696.397005] RSP: 0018:ffff893fdcb83a70 EFLAGS: 00010292 [ 696.397015] RAX: 6d69546e6f697469 RBX: 0000000000000000 RCX: 0000000000000014 [ 696.397028] RDX: 0000000000000000 RSI: ffff893fd0360000 RDI: ffff893fb5154800 [ 696.397041] RBP: ffff893fdcb83ad0 R08: 0000000000000001 R09: 0000000000000000 [ 696.397058] R10: 0000000000000000 R11: 0000000000000003 R12: 0000000000000014 [ 696.397075] R13: ffff893fb5154800 R14: 0000000000000020 R15: ffff893fc6ba4d00 [ 696.397091] FS: 0000000000000000(0000) GS:ffff893fdcb80000(0000) knlGS:0000000000000000 [ 696.397107] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 696.397119] CR2: 000000c0001b4000 CR3: 00000006dce0a004 CR4: 00000000003606e0 [ 696.397135] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 696.397152] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 696.397169] Call Trace: [ 696.397175] <IRQ> [ 696.397183] 
sk_filter_trim_cap+0xd0/0x1b0 [ 696.397191] tcp_v4_rcv+0x8b7/0xa80 [ 696.397199] ip_local_deliver_finish+0x66/0x210 [ 696.397208] ip_local_deliver+0x7e/0xe0 [ 696.397215] ? ip_rcv_finish+0x430/0x430 [ 696.397223] ip_rcv_finish+0x129/0x430 [ 696.397230] ip_rcv+0x296/0x360 [ 696.397238] ? inet_del_offload+0x40/0x40 [ 696.397249] __netif_receive_skb_core+0x432/0xb80 [ 696.397261] ? skb_send_sock+0x50/0x50 [ 696.397271] ? tcp4_gro_receive+0x137/0x1a0 [ 696.397280] __netif_receive_skb+0x18/0x60 [ 696.397290] ? __netif_receive_skb+0x18/0x60 [ 696.397300] netif_receive_skb_internal+0x45/0xe0 [ 696.397309] napi_gro_receive+0xc5/0xf0 [ 696.397317] xennet_poll+0x9ca/0xbc0 [ 696.397325] net_rx_action+0x140/0x3a0 [ 696.397334] __do_softirq+0xe4/0x2d4 [ 696.397344] irq_exit+0xc5/0xd0 [ 696.397352] xen_evtchn_do_upcall+0x30/0x50 [ 696.397361] xen_hvm_callback_vector+0x90/0xa0 [ 696.397371] </IRQ> [ 696.397378] RIP: 0010:native_safe_halt+0x12/0x20 [ 696.397390] RSP: 0018:ffff94c4862cbe80 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff0c [ 696.397405] RAX: ffffffff8efc1800 RBX: 0000000000000006 RCX: 0000000000000000 [ 696.397419] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 696.397435] RBP: ffff94c4862cbe80 R08: 0000000000000002 R09: 0000000000000001 [ 696.397449] R10: 0000000000100000 R11: 0000000000000397 R12: 0000000000000006 [ 696.397462] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 696.397479] ? 
__sched_text_end+0x1/0x1 [ 696.397489] default_idle+0x20/0x100 [ 696.397499] arch_cpu_idle+0x15/0x20 [ 696.397507] default_idle_call+0x23/0x30 [ 696.397515] do_idle+0x172/0x1f0 [ 696.397522] cpu_startup_entry+0x73/0x80 [ 696.397530] start_secondary+0x1ab/0x200 [ 696.397538] secondary_startup_64+0xa5/0xb0 [ 696.397545] Code: 89 5d b0 49 29 cc 45 01 a7 80 00 00 00 44 89 e1 48 29 c8 48 89 4d a8 49 89 87 d8 00 00 00 89 d2 48 8d 84 d6 38 03 00 00 48 8b 00 <4c> 8b 70 10 4c 8d 68 10 4d 85 f6 0f 84 f6 00 00 00 49 8d 47 30 [ 696.397584] RIP: __cgroup_bpf_run_filter_skb+0xbb/0x1e0 RSP: ffff893fdcb83a70 [ 696.397607] ---[ end trace ec5c84424d511a6f ]--- [ 696.397616] Kernel panic - not syncing: Fatal exception in interrupt [ 696.397876] Kernel Offset: 0xd600000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) We've correlated some of the other crashes, and the ASCII was a bit of a red herring. All the others are a NULL pointer deference in the same place, so the problem is likely OoB memory read (possibly use-after-free) of a piece of memory which is usually zero, but not always. It is actually the control VM's for our test farms which were impacted, one of which was reliably crashing every 5 minutes or so, and others on more sporadic intervals up to about a day. In all cases, reverting to the -108 kernel has resolved the crashes. Unfortunately, attempts to repro this off our production environment with a packet trace aren't going quite so well. We're still experimenting. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1886668/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
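A triage sketch for the register dump in the oops above, added here as an example and not part of the bug report or of any Ubuntu tooling: it classifies each general-purpose register value and decodes values whose bytes are all printable, which is how the RAX value in this oops reads as text. It assumes x86-64 with 48-bit virtual addresses; the function names are hypothetical and the sample input is an excerpt of the quoted oops.

```python
import re

# Excerpt of the oops quoted in the report (header, RIP and two register lines).
OOPS = """\
[ 696.396831] general protection fault: 0000 [#1] SMP PTI
[ 696.396993] RIP: 0010:__cgroup_bpf_run_filter_skb+0xbb/0x1e0
[ 696.397015] RAX: 6d69546e6f697469 RBX: 0000000000000000 RCX: 0000000000000014
[ 696.397028] RDX: 0000000000000000 RSI: ffff893fd0360000 RDI: ffff893fb5154800
"""

# Matches "RAX: <16 hex digits>"; skips RIP/RSP (segment-prefixed), CRn, DRn, ORIG_RAX.
REG_RE = re.compile(r"\b(R[A-Z0-9]{1,2}):\s*([0-9a-f]{16})\b")

def is_canonical(addr):
    """Assumption: 48-bit virtual addresses, so bits 63..47 must all be equal."""
    top = addr >> 47
    return top == 0 or top == 0x1FFFF

def as_ascii(addr):
    """Text of the value's in-memory (little-endian) bytes if all are printable."""
    raw = addr.to_bytes(8, "little")
    return raw.decode("ascii") if all(0x20 <= b < 0x7F for b in raw) else None

def classify(addr):
    if addr < 0x1000:
        # Dereferencing this faults in the NULL page (a page fault, not a #GP).
        return "null-page"
    if not is_canonical(addr):
        # Dereferencing a non-canonical address raises a general protection fault.
        text = as_ascii(addr)
        return f"non-canonical, ASCII {text!r}" if text else "non-canonical"
    return "kernel" if addr >> 63 else "user"

def triage(oops):
    """Map each general-purpose register in the dump to a classification."""
    return {name: classify(int(val, 16)) for name, val in REG_RE.findall(oops)}

if __name__ == "__main__":
    for name, verdict in triage(OOPS).items():
        print(f"{name}: {verdict}")
```

The faulting bytes marked in the Code: line, `<4c> 8b 70 10`, are a 64-bit load from RAX+0x10 into R14, so RAX is the pointer being dereferenced; the same load with RAX equal to zero produces the NULL dereference seen in the other crashes.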