Bug #1839912 “test_map in ubuntu_bpf failed with “Allowed update...” : Bugs : ubuntu-kernel-tests

Revision history for this message

Po-Hsu Lin (cypressyew) wrote on 2019-08-13:

#1

CRDA.txt Edit (454 bytes, text/plain; charset="utf-8")
CurrentDmesg.txt Edit (418 bytes, text/plain; charset="utf-8")
Dependencies.txt Edit (2.7 KiB, text/plain; charset="utf-8")
Lspci.txt Edit (11.1 KiB, text/plain; charset="utf-8")
Lsusb.txt Edit (429 bytes, text/plain; charset="utf-8")
ProcCpuinfo.txt Edit (9.4 KiB, text/plain; charset="utf-8")
ProcCpuinfoMinimal.txt Edit (1.2 KiB, text/plain; charset="utf-8")
ProcEnviron.txt Edit (270 bytes, text/plain; charset="utf-8")
ProcInterrupts.txt Edit (4.5 KiB, text/plain; charset="utf-8")
ProcModules.txt Edit (4.2 KiB, text/plain; charset="utf-8")
UdevDb.txt Edit (140.4 KiB, text/plain; charset="utf-8")
WifiSyslog.txt Edit (84.5 KiB, text/plain; charset="utf-8")

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2019-08-13: Status changed to Confirmed

#2

This change was made by a bot.

Changed in linux (Ubuntu):
status:	New → Confirmed

Po-Hsu Lin (cypressyew) on 2019-08-13

tags:

added: ubuntu-bpf

Revision history for this message

Po-Hsu Lin (cypressyew) wrote on 2019-08-30:

#3

It's
Allowed update sockmap '0:8' not in ESTABLISHED

in this cycle.

tags:

added: sru-20190812

Po-Hsu Lin (cypressyew) on 2019-09-28

tags:

added: sru-20190902

Sean Feole (sfeole) on 2020-01-27

tags:	added: sru20191202
tags:	added: sru-20191202 removed: sru20191202

Revision history for this message

Po-Hsu Lin (cypressyew) wrote on 2020-03-30:

#4

Found on 4.15.0-1037.41-oracle

tags:

added: sru-20200316

Po-Hsu Lin (cypressyew) on 2020-04-16

tags:

added: sru-20200406

Po-Hsu Lin (cypressyew) on 2020-05-29

tags:

added: sru-20200518

Po-Hsu Lin (cypressyew) on 2020-06-18

tags:

added: sru-20200608

Kelsey Steele (kelsey-steele) on 2020-10-02

tags:

added: sru-20200921

Kelsey Steele (kelsey-steele) on 2020-10-09

tags:

added: azure focal

Kelsey Steele (kelsey-steele) on 2020-10-09

tags:

removed: focal

Kelsey Steele (kelsey-steele) on 2020-10-09

tags:

added: 4.15

Revision history for this message

Po-Hsu Lin (cypressyew) wrote on 2020-11-18:

#5

Still visible 4.15.0-1059.65 - oracle

tags:	added: sru-20201109
tags:	added: oracle

Kelsey Steele (kelsey-steele) on 2020-12-18

tags:

added: sru

Kelsey Steele (kelsey-steele) on 2021-01-28

tags:

added: sru-20210104

Revision history for this message

Francis Ginther (fginther) wrote on 2021-02-16:

#6

Still seen with linux-oracle 4.15.0-1065.73.

tags:

added: sru-20210125

Kelsey Steele (kelsey-steele) on 2021-02-23

tags:

added: fips

Kelsey Steele (kelsey-steele) on 2021-03-24

tags:	added: aws
tags:	added: sru-20210222

Revision history for this message

Marcelo Cerri (mhcerri) wrote on 2021-04-09:

#7

Still happening with linux-azure-4.15 4.15.0-1112.125

tags:

added: sru-20210315

Revision history for this message

Marcelo Cerri (mhcerri) wrote on 2021-04-09:

#8

Also seen in bionic linux-azure-fips 4.15.0-2024.27 for sru-20210315

Revision history for this message

Marcelo Cerri (mhcerri) wrote on 2021-04-09:

#9

Also seen in bionic linux-gcp-fips 4.15.0-2007.8 for sru-20210315

tags:

added: gcp-fips

Revision history for this message

Ian May (ian-may) wrote on 2021-05-04:

#10

bionic/linux-azure-fips: 4.15.0-2026.29

tags:

added: sru-20210412

Revision history for this message

Ian May (ian-may) wrote on 2021-05-04:

#11

bionic/linux-azure-4.15: 4.15.0-1114.127

Revision history for this message

Ian May (ian-may) wrote on 2021-05-04:

#12

bionic/linux-gcp-fips: 4.15.0-2009.10

Revision history for this message

Kleber Sacilotto de Souza (kleber-souza) wrote on 2021-05-07:

#13

Found with bionic/linux-aws-fips 4.15.0-2044.46.

tags:

added: aws-fips

Revision history for this message

Ian May (ian-may) wrote on 2021-05-07:

#14

bionic/linux-oracle: 4.15.0-1071.79

Revision history for this message

Ian May (ian-may) wrote on 2021-05-26:

#15

bionic/linux-aws: 4.15.0-1103.110

tags:

added: sru-20210510

Revision history for this message

Ian May (ian-may) wrote on 2021-05-31:

#16

Found on bionic/linux-azure-fips: 4.15.0-2027.30

Revision history for this message

Thadeu Lima de Souza Cascardo (cascardo) wrote on 2021-06-02:

#17

The problem on 4.15 kernels is due to the backport of:

5028027844cf bpf: test_maps, only support ESTABLISHED socks

that only touches the test, without the respective fixes in the kernel.

Here is the list of Fixes for 1aa12bdf1bfb ("bpf: sockmap, add sock close() hook to remove socks"):

5028027844cf bpf: test_maps, only support ESTABLISHED socks
b05545e15e1f bpf: sockmap, fix transition through disconnect without close
5607fff30363 bpf: sockmap only allow ESTABLISHED sock state
90545cdc3f2b tcp, ulp: fix leftover icsk_ulp_ops preventing sock from reattach
7ebc14d507b4 bpf: sockmap, consume_skb in close path
952fad8e3239 bpf: fix sock_map_alloc() error path

Bionic has only backported the selftests one and the icsk_ulp one.

To make the test pass, I believe at least 5607fff30363 would be necessary.

But it seems worth to also investigate the need for the other 3 (they seem worthy from a first look).

Cascardo.

Revision history for this message

Thadeu Lima de Souza Cascardo (cascardo) wrote on 2021-06-02:

#18

So, while looking further, I found out that 1aa12bdf1bfb ("bpf: sockmap, add sock close() hook to remove socks") is not even present on our 4.15 kernels. Not sure why the two commits were backported. The tcp,ulp one seems fine to keep.

Even 952fad8e3239 ("bpf: fix sock_map_alloc() error path") is not necessary if we are not setting err right before, which we do with 1aa12bdf1bfb. Other patches do not even apply, they are really dependent on 1aa12bdf1bfb.

1aa12bdf1bfb, on the other hand, would be necessary, because I was able to reproduce a BPF program leak. But that requires the use of sockmap, which is restricted to root userns CAP_NET_ADMIN.

So, we need to pick 1aa12bdf1bfb and all of those fixes, or simply revert 5028027844cf ("bpf: test_maps, only support ESTABLISHED socks").

Stefan Bader (smb) on 2021-06-07

Changed in linux (Ubuntu Bionic):
importance:	Undecided → Medium
status:	New → In Progress

Thadeu Lima de Souza Cascardo (cascardo) on 2021-06-07

description:

updated

Stefan Bader (smb) on 2021-06-10

Changed in linux (Ubuntu Bionic):
status:	In Progress → Fix Committed

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2021-06-24:

#19

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: verification-needed-bionic

Revision history for this message

Po-Hsu Lin (cypressyew) wrote on 2021-07-16:

#20

Manually tested with 4.15.0-150-generic on node glameow. This test-map test can pass without any issue.

tags:

added: verification-done-bionic
removed: verification-needed-bionic

Revision history for this message

Launchpad Janitor (janitor) wrote on 2021-07-20:

#21

Download full text (33.0 KiB)

This bug was fixed in the package linux - 4.15.0-151.157

---------------
linux (4.15.0-151.157) bionic; urgency=medium

* CVE-2021-33909
- SAUCE: seq_file: Disallow extremely large seq buffer allocations

linux (4.15.0-150.155) bionic; urgency=medium

* bionic/linux: 4.15.0-150.155 -proposed tracker (LP: #1934374)

* lxd exec fails (LP: #1934187)
- SAUCE: Revert "proc: Check /proc/$pid/attr/ writes against file opener"

linux (4.15.0-149.153) bionic; urgency=medium

* bionic/linux: 4.15.0-149.153 -proposed tracker (LP: #1933434)

  * selftests: bpf: test_verifier fixes (LP: #1933385)
    - bpf: Update selftests to reflect new error states
    - bpf, selftests: Adjust few selftest result_unpriv outcomes

* CVE-2021-33200
- bpf: Fix mask direction swap upon off reg sign change

linux (4.15.0-148.152) bionic; urgency=medium

* bionic/linux: 4.15.0-148.152 -proposed tracker (LP: #1932515)

* Packaging resync (LP: #1786013)
- update dkms package versions

  * Upstream v5.9 introduced 'module' patches that removed exported symbols
    (LP: #1932065)
    - SAUCE: Revert "modules: inherit TAINT_PROPRIETARY_MODULE"
    - SAUCE: Revert "modules: return licensing information from find_symbol"
    - SAUCE: Revert "modules: rename the licence field in struct symsearch to
      license"
    - SAUCE: Revert "modules: unexport __module_address"
    - SAUCE: Revert "modules: unexport __module_text_address"
    - SAUCE: Revert "modules: mark each_symbol_section static"
    - SAUCE: Revert "modules: mark find_symbol static"
    - SAUCE: Revert "modules: mark ref_module static"

* Disable hv-kvp-daemon.service on certain instance types (LP: #1932081)
- [Packaging]: Add kernel command line condition to hv-kvp-daemon service

  * Bionic update: upstream stable patchset 2021-06-11 (LP: #1931740)
    - openrisc: Fix a memory leak
    - RDMA/rxe: Clear all QP fields if creation failed
    - scsi: qla2xxx: Fix error return code in qla82xx_write_flash_dword()
    - ptrace: make ptrace() fail if the tracee changed its pid unexpectedly
    - cifs: fix memory leak in smb2_copychunk_range
    - ALSA: line6: Fix racy initialization of LINE6 MIDI
    - ALSA: usb-audio: Validate MS endpoint descriptors
    - ALSA: bebob/oxfw: fix Kconfig entry for Mackie d.2 Pro
    - Revert "ALSA: sb8: add a check for request_region"
    - Revert "rapidio: fix a NULL pointer dereference when create_workqueue()
      fails"
    - rapidio: handle create_workqueue() failure
    - xen-pciback: reconfigure also from backend watch handler
    - dm snapshot: fix crash with transient storage and zero chunk size
    - Revert "video: hgafb: fix potential NULL pointer dereference"
    - Revert "net: stmicro: fix a missing check of clk_prepare"
    - Revert "leds: lp5523: fix a missing check of return value of lp55xx_read"
    - Revert "hwmon: (lm80) fix a missing check of bus read in lm80 probe"
    - Revert "video: imsttfb: fix potential NULL pointer dereferences"
    - Revert "ecryptfs: replace BUG_ON with error handling code"
    - Revert "gdrom: fix a memory leak bug"
    - cdrom: gdrom: deallocate struct gdrom_unit fields in remove_gdrom
    - cdrom: gdrom: ini...

This bug was fixed in the package linux - 4.15.0-151.157

---------------
linux (4.15.0-151.157) bionic; urgency=medium

* CVE-2021-33909
    - SAUCE: seq_file: Disallow extremely large seq buffer allocations

linux (4.15.0-150.155) bionic; urgency=medium

* bionic/linux: 4.15.0-150.155 -proposed tracker (LP: #1934374)

* lxd exec fails (LP: #1934187)
    - SAUCE: Revert "proc: Check /proc/$pid/attr/ writes against file opener"

linux (4.15.0-149.153) bionic; urgency=medium

* bionic/linux: 4.15.0-149.153 -proposed tracker (LP: #1933434)

* selftests: bpf: test_verifier fixes (LP: #1933385)
    - bpf: Update selftests to reflect new error states
    - bpf, selftests: Adjust few selftest result_unpriv outcomes

* CVE-2021-33200
    - bpf: Fix mask direction swap upon off reg sign change

linux (4.15.0-148.152) bionic; urgency=medium

* bionic/linux: 4.15.0-148.152 -proposed tracker (LP: #1932515)

* Packaging resync (LP: #1786013)
    - update dkms package versions

* Upstream v5.9 introduced 'module' patches that removed exported symbols
    (LP: #1932065)
    - SAUCE: Revert "modules: inherit TAINT_PROPRIETARY_MODULE"
    - SAUCE: Revert "modules: return licensing information from find_symbol"
    - SAUCE: Revert "modules: rename the licence field in struct symsearch to
      license"
    - SAUCE: Revert "modules: unexport __module_address"
    - SAUCE: Revert "modules: unexport __module_text_address"
    - SAUCE: Revert "modules: mark each_symbol_section static"
    - SAUCE: Revert "modules: mark find_symbol static"
    - SAUCE: Revert "modules: mark ref_module static"

* Disable hv-kvp-daemon.service on certain instance types (LP: #1932081)
    - [Packaging]: Add kernel command line condition to hv-kvp-daemon service

* Bionic update: upstream stable patchset 2021-06-11 (LP: #1931740)
    - openrisc: Fix a memory leak
    - RDMA/rxe: Clear all QP fields if creation failed
    - scsi: qla2xxx: Fix error return code in qla82xx_write_flash_dword()
    - ptrace: make ptrace() fail if the tracee changed its pid unexpectedly
    - cifs: fix memory leak in smb2_copychunk_range
    - ALSA: line6: Fix racy initialization of LINE6 MIDI
    - ALSA: usb-audio: Validate MS endpoint descriptors
    - ALSA: bebob/oxfw: fix Kconfig entry for Mackie d.2 Pro
    - Revert "ALSA: sb8: add a check for request_region"
    - Revert "rapidio: fix a NULL pointer dereference when create_workqueue()
      fails"
    - rapidio: handle create_workqueue() failure
    - xen-pciback: reconfigure also from backend watch handler
    - dm snapshot: fix crash with transient storage and zero chunk size
    - Revert "video: hgafb: fix potential NULL pointer dereference"
    - Revert "net: stmicro: fix a missing check of clk_prepare"
    - Revert "leds: lp5523: fix a missing check of return value of lp55xx_read"
    - Revert "hwmon: (lm80) fix a missing check of bus read in lm80 probe"
    - Revert "video: imsttfb: fix potential NULL pointer dereferences"
    - Revert "ecryptfs: replace BUG_ON with error handling code"
    - Revert "gdrom: fix a memory leak bug"
    - cdrom: gdrom: deallocate struct gdrom_unit fields in remove_gdrom
    - cdrom: gdrom: initialize global variable at init time
    - Revert "media: rcar_drif: fix a memory disclosure"
    - Revert "rtlwifi: fix a potential NULL pointer dereference"
    - Revert "qlcnic: Avoid potential NULL pointer dereference"
    - Revert "niu: fix missing checks of niu_pci_eeprom_read"
    - ethernet: sun: niu: fix missing checks of niu_pci_eeprom_read()
    - net: stmicro: handle clk_prepare() failure during init
    - net: rtlwifi: properly check for alloc_workqueue() failure
    - leds: lp5523: check return value of lp5xx_read and jump to cleanup code
    - qlcnic: Add null check after calling netdev_alloc_skb
    - video: hgafb: fix potential NULL pointer dereference
    - vgacon: Record video mode changes with VT_RESIZEX
    - vt: Fix character height handling with VT_RESIZEX
    - tty: vt: always invoke vc->vc_sw->con_resize callback
    - video: hgafb: correctly handle card detect failure during probe
    - Bluetooth: SMP: Fail if remote and local public keys are identical
    - firmware: arm_scpi: Prevent the ternary sign expansion bug
    - platform/x86: dell-smbios-wmi: Fix oops on rmmod dell_smbios
    - locking/mutex: clear MUTEX_FLAGS if wait_list is empty due to signal
    - ALSA: hda/realtek: Add some CLOVE SSIDs of ALC293
    - Revert "serial: mvebu-uart: Fix to avoid a potential NULL pointer
      dereference"
    - mm, vmstat: drop zone->lock in /proc/pagetypeinfo
    - usb: dwc3: gadget: Enable suspend events
    - NFC: nci: fix memory leak in nci_allocate_device
    - NFSv4: Fix a NULL pointer dereference in pnfs_mark_matching_lsegs_return()
    - iommu/vt-d: Fix sysfs leak in alloc_iommu()
    - perf intel-pt: Fix sample instruction bytes
    - perf intel-pt: Fix transaction abort handling
    - proc: Check /proc/$pid/attr/ writes against file opener
    - net: hso: fix control-request directions
    - mac80211: assure all fragments are encrypted
    - mac80211: prevent mixed key and fragment cache attacks
    - mac80211: properly handle A-MSDUs that start with an RFC 1042 header
    - cfg80211: mitigate A-MSDU aggregation attacks
    - mac80211: drop A-MSDUs on old ciphers
    - mac80211: add fragment cache to sta_info
    - mac80211: check defrag PN against current frame
    - mac80211: prevent attacks on TKIP/WEP as well
    - mac80211: do not accept/forward invalid EAPOL frames
    - ath10k: Validate first subframe of A-MSDU before processing the list
    - dm snapshot: properly fix a crash when an origin has no snapshots
    - kgdb: fix gcc-11 warnings harder
    - misc/uss720: fix memory leak in uss720_probe
    - thunderbolt: dma_port: Fix NVM read buffer bounds and offset issue
    - mei: request autosuspend after sending rx flow control
    - staging: iio: cdc: ad7746: avoid overwrite of num_channels
    - iio: adc: ad7793: Add missing error code in ad7793_setup()
    - USB: trancevibrator: fix control-request direction
    - serial: sh-sci: Fix off-by-one error in FIFO threshold register setting
    - serial: rp2: use 'request_firmware' instead of 'request_firmware_nowait'
    - USB: serial: ti_usb_3410_5052: add startech.com device id
    - USB: serial: option: add Telit LE910-S1 compositions 0x7010, 0x7011
    - USB: serial: ftdi_sio: add IDs for IDS GmbH Products
    - USB: serial: pl2303: add device id for ADLINK ND-6530 GC
    - usb: gadget: udc: renesas_usb3: Fix a race in usb3_start_pipen()
    - net: usb: fix memory leak in smsc75xx_bind
    - Bluetooth: cmtp: fix file refcount when cmtp_attach_device fails
    - NFS: fix an incorrect limit in filelayout_decode_layout()
    - NFS: Don't corrupt the value of pg_bytes_written in nfs_do_recoalesce()
    - NFSv4: Fix v4.0/v4.1 SEEK_DATA return -ENOTSUPP when set NFS_V4_2 config
    - drm/meson: fix shutdown crash when component not probed
    - net/mlx4: Fix EEPROM dump support
    - Revert "net:tipc: Fix a double free in tipc_sk_mcast_rcv"
    - tipc: skb_linearize the head skb when reassembling msgs
    - i2c: s3c2410: fix possible NULL pointer deref on read message after write
    - i2c: i801: Don't generate an interrupt on bus reset
    - perf jevents: Fix getting maximum number of fds
    - platform/x86: hp_accel: Avoid invoking _INI to speed up resume
    - serial: max310x: unregister uart driver in case of failure and abort
    - net: fujitsu: fix potential null-ptr-deref
    - net: caif: remove BUG_ON(dev == NULL) in caif_xmit
    - char: hpet: add checks after calling ioremap
    - isdn: mISDNinfineon: check/cleanup ioremap failure correctly in setup_io
    - dmaengine: qcom_hidma: comment platform_driver_register call
    - libertas: register sysfs groups properly
    - media: dvb: Add check on sp8870_readreg return
    - media: gspca: properly check for errors in po1030_probe()
    - scsi: BusLogic: Fix 64-bit system enumeration error for Buslogic
    - openrisc: Define memory barrier mb
    - btrfs: do not BUG_ON in link_to_fixup_dir
    - platform/x86: hp-wireless: add AMD's hardware id to the supported list
    - platform/x86: intel_punit_ipc: Append MODULE_DEVICE_TABLE for ACPI
    - SMB3: incorrect file id in requests compounded with open
    - drm/amdgpu: Fix a use-after-free
    - net: netcp: Fix an error message
    - net: mdio: thunder: Fix a double free issue in the .remove function
    - net: mdio: octeon: Fix some double free issues
    - net: bnx2: Fix error return code in bnx2_init_board()
    - mld: fix panic in mld_newpack()
    - staging: emxx_udc: fix loop in _nbu2ss_nuke()
    - ASoC: cs35l33: fix an error code in probe()
    - bpf: Set mac_len in bpf_skb_change_head
    - ixgbe: fix large MTU request from VF
    - scsi: libsas: Use _safe() loop in sas_resume_port()
    - ipv6: record frag_max_size in atomic fragments in input path
    - sch_dsmark: fix a NULL deref in qdisc_reset()
    - MIPS: alchemy: xxs1500: add gpio-au1000.h header file
    - MIPS: ralink: export rt_sysc_membase for rt2880_wdt.c
    - hugetlbfs: hugetlb_fault_mutex_hash() cleanup
    - drivers/net/ethernet: clean up unused assignments
    - usb: core: reduce power-on-good delay time of root hub
    - USB: usbfs: Don't WARN about excessively large memory allocations
    - bpf: extend is_branch_taken to registers
    - bpf: Move off_reg into sanitize_ptr_alu
    - bpf: Ensure off_reg has no mixed signed bounds for all types
    - bpf: Rework ptr_limit into alu_limit and add common error path
    - bpf: Improve verifier error messages for users
    - bpf: Refactor and streamline bounds check into helper
    - bpf: Move sanitize_val_alu out of op switch
    - bpf: Tighten speculative pointer arithmetic mask
    - bpf: Fix leakage of uninitialized bpf stack under speculation
    - bpf: Wrap aux data inside bpf_sanitize_info container
    - bpf: No need to simulate speculative domain for immediates
    - net: dsa: fix a crash if ->get_sset_count() fails
    - drm/amd/amdgpu: fix refcount leak
    - net: dsa: fix error code getting shifted with 4 in dsa_slave_get_sset_count
    - openvswitch: meter: fix race when getting now_ms.
    - net: hns3: check the return of skb_checksum_help()

* Bionic update: upstream stable patchset 2021-06-11 (LP: #1931740) //
    CVE-2020-24587 for such cases.
    - mac80211: extend protection against mixed key and fragment cache attacks

* [82A1, Realtek ALC287, Speaker, Internal] Underruns, dropouts or crackling
    sound (LP: #1925057) // Bionic update: upstream stable patchset 2021-06-11
    (LP: #1931740)
    - ALSA: hda/realtek: reset eapd coeff to default value for alc287

* test_map in ubuntu_bpf failed with "Allowed update sockmap '0:3' not in
    ESTABLISHED" (LP: #1839912)
    - SAUCE: Revert "bpf: test_maps, only support ESTABLISHED socks"

* Bionic update: upstream stable patchset 2021-06-01 (LP: #1930472)
    - MIPS: Introduce isa-rev.h to define MIPS_ISA_REV
    - MIPS: cpu-features.h: Replace __mips_isa_rev with MIPS_ISA_REV
    - s390/disassembler: increase ebpf disasm buffer size
    - ACPI: custom_method: fix potential use-after-free issue
    - ACPI: custom_method: fix a possible memory leak
    - arm64: dts: mt8173: fix property typo of 'phys' in dsi node
    - ecryptfs: fix kernel panic with null dev_name
    - spi: spi-ti-qspi: Free DMA resources
    - mmc: block: Update ext_csd.cache_ctrl if it was written
    - mmc: core: Do a power cycle when the CMD11 fails
    - mmc: core: Set read only for SD cards with permanent write protect bit
    - cifs: Return correct error code from smb2_get_enc_key
    - btrfs: fix metadata extent leak after failure to create subvolume
    - intel_th: pci: Add Rocket Lake CPU support
    - fbdev: zero-fill colormap in fbcmap.c
    - staging: wimax/i2400m: fix byte-order issue
    - crypto: api - check for ERR pointers in crypto_destroy_tfm()
    - usb: gadget: uvc: add bInterval checking for HS mode
    - usb: gadget: f_uac1: validate input parameters
    - usb: dwc3: gadget: Ignore EP queue requests during bus reset
    - usb: xhci: Fix port minor revision
    - PCI: PM: Do not read power state in pci_enable_device_flags()
    - x86/build: Propagate $(CLANG_FLAGS) to $(REALMODE_FLAGS)
    - tee: optee: do not check memref size on return from Secure World
    - perf/arm_pmu_platform: Fix error handling
    - spi: dln2: Fix reference leak to master
    - spi: omap-100k: Fix reference leak to master
    - intel_th: Consistency and off-by-one fix
    - phy: phy-twl4030-usb: Fix possible use-after-free in twl4030_usb_remove()
    - btrfs: convert logic BUG_ON()'s in replace_path to ASSERT()'s
    - scsi: lpfc: Fix incorrect dbde assignment when building target abts wqe
    - scsi: lpfc: Fix pt2pt connection does not recover after LOGO
    - scsi: target: pscsi: Fix warning in pscsi_complete_cmd()
    - media: ite-cir: check for receive overflow
    - power: supply: bq27xxx: fix power_avg for newer ICs
    - extcon: arizona: Fix some issues when HPDET IRQ fires after the jack has
      been unplugged
    - media: media/saa7164: fix saa7164_encoder_register() memory leak bugs
    - media: gspca/sq905.c: fix uninitialized variable
    - power: supply: Use IRQF_ONESHOT
    - drm/amdgpu : Fix asic reset regression issue introduce by 8f211fe8ac7c4f
    - scsi: qla2xxx: Always check the return value of qla24xx_get_isp_stats()
    - scsi: qla2xxx: Fix use after free in bsg
    - scsi: scsi_dh_alua: Remove check for ASC 24h in alua_rtpg()
    - media: em28xx: fix memory leak
    - media: vivid: update EDID
    - clk: socfpga: arria10: Fix memory leak of socfpga_clk on error return
    - power: supply: generic-adc-battery: fix possible use-after-free in
      gab_remove()
    - power: supply: s3c_adc_battery: fix possible use-after-free in
      s3c_adc_bat_remove()
    - media: adv7604: fix possible use-after-free in adv76xx_remove()
    - media: i2c: adv7511-v4l2: fix possible use-after-free in adv7511_remove()
    - media: i2c: adv7842: fix possible use-after-free in adv7842_remove()
    - media: dvb-usb: fix memory leak in dvb_usb_adapter_init
    - media: gscpa/stv06xx: fix memory leak
    - drm/msm/mdp5: Configure PP_SYNC_HEIGHT to double the vtotal
    - drm/amdgpu: fix NULL pointer dereference
    - scsi: lpfc: Fix crash when a REG_RPI mailbox fails triggering a LOGO
      response
    - scsi: lpfc: Remove unsupported mbox PORT_CAPABILITIES logic
    - scsi: libfc: Fix a format specifier
    - ALSA: emu8000: Fix a use after free in snd_emu8000_create_mixer
    - ALSA: hda/conexant: Re-order CX5066 quirk table entries
    - ALSA: sb: Fix two use after free in snd_sb_qsound_build
    - btrfs: fix race when picking most recent mod log operation for an old root
    - arm64/vdso: Discard .note.gnu.property sections in vDSO
    - openvswitch: fix stack OOB read while fragmenting IPv4 packets
    - ACPI: GTDT: Don't corrupt interrupt mappings on watchdow probe failure
    - NFSv4: Don't discard segments marked for return in _pnfs_return_layout()
    - jffs2: Fix kasan slab-out-of-bounds problem
    - powerpc/eeh: Fix EEH handling for hugepages in ioremap space.
    - powerpc: fix EDEADLOCK redefinition error in uapi/asm/errno.h
    - intel_th: pci: Add Alder Lake-M support
    - md/raid1: properly indicate failure when ending a failed write request
    - security: commoncap: fix -Wstringop-overread warning
    - Fix misc new gcc warnings
    - jffs2: check the validity of dstlen in jffs2_zlib_compress()
    - Revert 337f13046ff0 ("futex: Allow FUTEX_CLOCK_REALTIME with FUTEX_WAIT op")
    - posix-timers: Preserve return value in clock_adjtime32()
    - ftrace: Handle commands when closing set_ftrace_filter file
    - ext4: fix check to prevent false positive report of incorrect used inodes
    - ext4: fix error code in ext4_commit_super
    - media: dvbdev: Fix memory leak in dvb_media_device_free()
    - usb: gadget: dummy_hcd: fix gpf in gadget_setup
    - usb: gadget: Fix double free of device descriptor pointers
    - usb: gadget/function/f_fs string table fix for multiple languages
    - usb: dwc3: gadget: Fix START_TRANSFER link state check
    - tracing: Map all PIDs to command lines
    - dm persistent data: packed struct should have an aligned() attribute too
    - dm space map common: fix division bug in sm_ll_find_free_block()
    - dm rq: fix double free of blk_mq_tag_set in dev remove after table load
      fails
    - modules: mark ref_module static
    - modules: mark find_symbol static
    - modules: mark each_symbol_section static
    - modules: unexport __module_text_address
    - modules: unexport __module_address
    - modules: rename the licence field in struct symsearch to license
    - modules: return licensing information from find_symbol
    - modules: inherit TAINT_PROPRIETARY_MODULE
    - Bluetooth: verify AMP hci_chan before amp_destroy
    - hsr: use netdev_err() instead of WARN_ONCE()
    - bluetooth: eliminate the potential race condition when removing the HCI
      controller
    - net/nfc: fix use-after-free llcp_sock_bind/connect
    - MIPS: pci-rt2880: fix slot 0 configuration
    - FDDI: defxx: Bail out gracefully with unassigned PCI resource for CSR
    - misc: lis3lv02d: Fix false-positive WARN on various HP models
    - misc: vmw_vmci: explicitly initialize vmci_notify_bm_set_msg struct
    - misc: vmw_vmci: explicitly initialize vmci_datagram payload
    - tracing: Restructure trace_clock_global() to never block
    - md-cluster: fix use-after-free issue when removing rdev
    - md: split mddev_find
    - md: factor out a mddev_find_locked helper from mddev_find
    - md: md_open returns -EBUSY when entering racing area
    - ipw2x00: potential buffer overflow in libipw_wx_set_encodeext()
    - cfg80211: scan: drop entry from hidden_list on overflow
    - drm/radeon: fix copy of uninitialized variable back to userspace
    - ALSA: hda/realtek: Re-order ALC882 Acer quirk table entries
    - ALSA: hda/realtek: Re-order ALC882 Sony quirk table entries
    - ALSA: hda/realtek: Re-order ALC269 Sony quirk table entries
    - ALSA: hda/realtek: Re-order ALC269 Lenovo quirk table entries
    - ALSA: hda/realtek: Remove redundant entry for ALC861 Haier/Uniwill devices
    - x86/cpu: Initialize MSR_TSC_AUX if RDTSCP *or* RDPID is supported
    - KVM: s390: split kvm_s390_logical_to_effective
    - KVM: s390: fix guarded storage control register handling
    - KVM: s390: split kvm_s390_real_to_abs
    - usb: gadget: pch_udc: Revert d3cb25a12138 completely
    - memory: gpmc: fix out of bounds read and dereference on gpmc_cs[]
    - ARM: dts: exynos: correct PMIC interrupt trigger level on Odroid X/U3 family
    - ARM: dts: exynos: correct PMIC interrupt trigger level on SMDK5250
    - ARM: dts: exynos: correct PMIC interrupt trigger level on Snow
    - serial: stm32: fix incorrect characters on console
    - serial: stm32: fix tx_empty condition
    - usb: typec: tcpci: Check ROLE_CONTROL while interpreting CC_STATUS
    - x86/microcode: Check for offline CPUs before requesting new microcode
    - usb: gadget: pch_udc: Replace cpu_to_le32() by lower_32_bits()
    - usb: gadget: pch_udc: Check if driver is present before calling ->setup()
    - usb: gadget: pch_udc: Check for DMA mapping error
    - crypto: qat - don't release uninitialized resources
    - crypto: qat - ADF_STATUS_PF_RUNNING should be set after adf_dev_init
    - fotg210-udc: Fix DMA on EP0 for length > max packet size
    - fotg210-udc: Fix EP0 IN requests bigger than two packets
    - fotg210-udc: Remove a dubious condition leading to fotg210_done
    - fotg210-udc: Mask GRP2 interrupts we don't handle
    - fotg210-udc: Don't DMA more than the buffer can take
    - fotg210-udc: Complete OUT requests on short packets
    - mtd: require write permissions for locking and badblock ioctls
    - bus: qcom: Put child node before return
    - phy: marvell: ARMADA375_USBCLUSTER_PHY should not default to y,
      unconditionally
    - crypto: qat - fix error path in adf_isr_resource_alloc()
    - USB: gadget: udc: fix wrong pointer passed to IS_ERR() and PTR_ERR()
    - mtd: rawnand: gpmi: Fix a double free in gpmi_nand_init
    - staging: rtl8192u: Fix potential infinite loop
    - staging: greybus: uart: fix unprivileged TIOCCSERIAL
    - spi: Fix use-after-free with devm_spi_alloc_*
    - soc: qcom: mdt_loader: Validate that p_filesz < p_memsz
    - soc: qcom: mdt_loader: Detect truncated read of segments
    - ACPI: CPPC: Replace cppc_attr with kobj_attribute
    - crypto: qat - Fix a double free in adf_create_ring
    - usb: gadget: r8a66597: Add missing null check on return from
      platform_get_resource
    - USB: cdc-acm: fix unprivileged TIOCCSERIAL
    - tty: fix return value for unsupported ioctls
    - firmware: qcom-scm: Fix QCOM_SCM configuration
    - platform/x86: pmc_atom: Match all Beckhoff Automation baytrail boards with
      critclk_systems DMI table
    - x86/platform/uv: Fix !KEXEC build failure
    - ttyprintk: Add TTY hangup callback.
    - media: vivid: fix assignment of dev->fbuf_out_flags
    - media: omap4iss: return error code when omap4iss_get() failed
    - media: m88rs6000t: avoid potential out-of-bounds reads on arrays
    - x86/kprobes: Fix to check non boostable prefixes correctly
    - pata_arasan_cf: fix IRQ check
    - pata_ipx4xx_cf: fix IRQ check
    - sata_mv: add IRQ checks
    - ata: libahci_platform: fix IRQ check
    - vfio/mdev: Do not allow a mdev_type to have a NULL parent pointer
    - clk: uniphier: Fix potential infinite loop
    - scsi: jazz_esp: Add IRQ check
    - scsi: sun3x_esp: Add IRQ check
    - scsi: sni_53c710: Add IRQ check
    - mfd: stm32-timers: Avoid clearing auto reload register
    - HSI: core: fix resource leaks in hsi_add_client_from_dt()
    - x86/events/amd/iommu: Fix sysfs type mismatch
    - HID: plantronics: Workaround for double volume key presses
    - perf symbols: Fix dso__fprintf_symbols_by_name() to return the number of
      printed chars
    - net: lapbether: Prevent racing when checking whether the netif is running
    - powerpc/prom: Mark identical_pvr_fixup as __init
    - powerpc: Fix HAVE_HARDLOCKUP_DETECTOR_ARCH build configuration
    - ALSA: core: remove redundant spin_lock pair in snd_card_disconnect
    - bug: Remove redundant condition check in report_bug
    - nfc: pn533: prevent potential memory corruption
    - ALSA: usb-audio: Add error checks for usb_driver_claim_interface() calls
    - liquidio: Fix unintented sign extension of a left shift of a u16
    - powerpc/perf: Fix PMU constraint check for EBB events
    - powerpc: iommu: fix build when neither PCI or IBMVIO is set
    - mac80211: bail out if cipher schemes are invalid
    - mt7601u: fix always true expression
    - IB/hfi1: Fix error return code in parse_platform_config()
    - net: thunderx: Fix unintentional sign extension issue
    - i2c: cadence: add IRQ check
    - i2c: emev2: add IRQ check
    - i2c: jz4780: add IRQ check
    - i2c: sh7760: add IRQ check
    - MIPS: pci-legacy: stop using of_pci_range_to_resource
    - powerpc/pseries: extract host bridge from pci_bus prior to bus removal
    - rtlwifi: 8821ae: upgrade PHY and RF parameters
    - i2c: sh7760: fix IRQ error path
    - mwl8k: Fix a double Free in mwl8k_probe_hw
    - vsock/vmci: log once the failed queue pair allocation
    - RDMA/i40iw: Fix error unwinding when i40iw_hmc_sd_one fails
    - net: davinci_emac: Fix incorrect masking of tx and rx error channel
    - ath9k: Fix error check in ath9k_hw_read_revisions() for PCI devices
    - powerpc/52xx: Fix an invalid ASM expression ('addi' used instead of 'add')
    - net:emac/emac-mac: Fix a use after free in emac_mac_tx_buf_send
    - net:nfc:digital: Fix a double free in digital_tg_recv_dep_req
    - kfifo: fix ternary sign extension bugs
    - smp: Fix smp_call_function_single_async prototype
    - Revert "of/fdt: Make sure no-map does not remove already reserved regions"
    - Revert "fdt: Properly handle "no-map" field in the memory region"
    - tpm: fix error return code in tpm2_get_cc_attrs_tbl()
    - fs: dlm: fix debugfs dump
    - tipc: convert dest node's address to network order
    - net: stmmac: Set FIFO sizes for ipq806x
    - ALSA: hdsp: don't disable if not enabled
    - ALSA: hdspm: don't disable if not enabled
    - ALSA: rme9652: don't disable if not enabled
    - Bluetooth: Set CONF_NOT_COMPLETE as l2cap_chan default
    - Bluetooth: initialize skb_queue_head at l2cap_chan_create()
    - Bluetooth: check for zapped sk before connecting
    - ip6_vti: proper dev_{hold|put} in ndo_[un]init methods
    - mac80211: clear the beacon's CRC after channel switch
    - pinctrl: samsung: use 'int' for register masks in Exynos
    - cuse: prevent clone
    - selftests: Set CC to clang in lib.mk if LLVM is set
    - kconfig: nconf: stop endless search loops
    - sctp: Fix out-of-bounds warning in sctp_process_asconf_param()
    - powerpc/smp: Set numa node before updating mask
    - ASoC: rt286: Generalize support for ALC3263 codec
    - samples/bpf: Fix broken tracex1 due to kprobe argument change
    - powerpc/pseries: Stop calling printk in rtas_stop_self()
    - wl3501_cs: Fix out-of-bounds warnings in wl3501_send_pkt
    - wl3501_cs: Fix out-of-bounds warnings in wl3501_mgmt_join
    - powerpc/iommu: Annotate nested lock for lockdep
    - net: ethernet: mtk_eth_soc: fix RX VLAN offload
    - ASoC: rt286: Make RT286_SET_GPIO_* readable and writable
    - f2fs: fix a redundant call to f2fs_balance_fs if an error occurs
    - PCI: Release OF node in pci_scan_device()'s error path
    - ARM: 9064/1: hw_breakpoint: Do not directly check the event's
      overflow_handler hook
    - rpmsg: qcom_glink_native: fix error return code of qcom_glink_rx_data()
    - NFSv4.2: Always flush out writes in nfs42_proc_fallocate()
    - NFS: Deal correctly with attribute generation counter overflow
    - pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()
    - NFSv4.2 fix handling of sr_eof in SEEK's reply
    - rtc: ds1307: Fix wday settings for rx8130
    - sctp: fix a SCTP_MIB_CURRESTAB leak in sctp_sf_do_dupcook_b
    - drm/radeon: Fix off-by-one power_state index heap overwrite
    - khugepaged: fix wrong result value for trace_mm_collapse_huge_page_isolate()
    - mm/hugeltb: handle the error case in hugetlb_fix_reserve_counts()
    - ksm: fix potential missing rmap_item for stable_node
    - net: fix nla_strcmp to handle more then one trailing null character
    - kernel: kexec_file: fix error return code of kexec_calculate_store_digests()
    - netfilter: nftables: avoid overflows in nft_hash_buckets()
    - ARC: entry: fix off-by-one error in syscall number validation
    - powerpc/64s: Fix crashes when toggling stf barrier
    - powerpc/64s: Fix crashes when toggling entry flush barrier
    - squashfs: fix divide error in calculate_skip()
    - userfaultfd: release page in error path to avoid BUG_ON
    - drm/radeon/dpm: Disable sclk switching on Oland when two 4K 60Hz monitors
      are connected
    - iio: proximity: pulsedlight: Fix rumtime PM imbalance on error
    - usb: fotg210-hcd: Fix an error message
    - ACPI: scan: Fix a memory leak in an error handling path
    - blk-mq: Swap two calls in blk_mq_exit_queue()
    - usb: dwc3: omap: improve extcon initialization
    - usb: xhci: Increase timeout for HC halt
    - usb: dwc2: Fix gadget DMA unmap direction
    - usb: core: hub: fix race condition about TRSMRCY of resume
    - iio: gyro: mpu3050: Fix reported temperature value
    - iio: tsl2583: Fix division by a zero lux_val
    - KVM: x86: Cancel pvclock_gtod_work on module removal
    - FDDI: defxx: Make MMIO the configuration default except for EISA
    - MIPS: Reinstate platform `__div64_32' handler
    - MIPS: Avoid DIVU in `__div64_32' is result would be zero
    - MIPS: Avoid handcoded DIVU in `__div64_32' altogether
    - thermal/core/fair share: Lock the thermal zone while looping over instances
    - RDMA/i40iw: Avoid panic when reading back the IRQ affinity hint
    - kobject_uevent: remove warning in init_uevent_argv()
    - netfilter: conntrack: Make global sysctls readonly in non-init netns
    - clk: exynos7: Mark aclk_fsys1_200 as critical
    - x86/msr: Fix wr/rdmsr_safe_regs_on_cpu() prototypes
    - kgdb: fix gcc-11 warning on indentation
    - usb: sl811-hcd: improve misleading indentation
    - cxgb4: Fix the -Wmisleading-indentation warning
    - isdn: capi: fix mismatched prototypes
    - PCI: thunder: Fix compile testing
    - ARM: 9066/1: ftrace: pause/unpause function graph tracer in cpu_suspend()
    - ACPI / hotplug / PCI: Fix reference count leak in enable_slot()
    - Input: elants_i2c - do not bind to i2c-hid compatible ACPI instantiated
      devices
    - Input: silead - add workaround for x86 BIOS-es which bring the chip up in a
      stuck state
    - um: Mark all kernel symbols as local
    - ceph: fix fscache invalidation
    - gpiolib: acpi: Add quirk to ignore EC wakeups on Dell Venue 10 Pro 5055
    - ALSA: hda: generic: change the DAC ctl name for LO+SPK or LO+HP
    - block: reexpand iov_iter after read/write
    - lib: stackdepot: turn depot_lock spinlock to raw_spinlock
    - sit: proper dev_{hold|put} in ndo_[un]init methods
    - ip6_tunnel: sit: proper dev_{hold|put} in ndo_[un]init methods
    - xhci: Do not use GFP_KERNEL in (potentially) atomic context
    - ipv6: remove extra dev_hold() for fallback tunnels
    - ARM: 9056/1: decompressor: fix BSS size calculation for LLVM ld.lld
    - arm64: dts: marvell: armada-37xx: add syscon compatible to NB clk node
    - mtd: rawnand: atmel: Update ecc_stats.corrected counter
    - mmc: sdhci-pci: Fix initialization of some SD cards for Intel BYT-based
      controllers
    - genirq/matrix: Prevent allocation counter corruption
    - usb: xhci-mtk: support quirk to disable usb2 lpm
    - media: drivers: media: pci: sta2x11: fix Kconfig dependency on GPIOLIB
    - media: tc358743: fix possible use-after-free in tc358743_remove()
    - amdgpu: avoid incorrect %hu format string
    - s390/archrandom: add parameter check for s390_arch_random_generate
    - ALSA: usb-audio: Add dB range mapping for Sennheiser Communications Headset
      PC 8
    - ALSA: hda/realtek: Add quirk for Intel Clevo PCx0Dx
    - ubifs: Only check replay with inode type to judge if inode linked
    - mlxsw: spectrum_mr: Update egress RIF list before route's action
    - NFS: Don't discard pNFS layout segments that are marked for return
    - tpm: vtpm_proxy: Avoid reading host log when using a virtual device
    - dm raid: fix inconclusive reshape layout on fast raid4/5/6 table reload
      sequences
    - arm64: vdso: remove commas between macro name and arguments
    - ext4: do not set SB_ACTIVE in ext4_orphan_cleanup()
    - tty: fix memory leak in vc_deallocate
    - rsi: Use resume_noirq for SDIO
    - MIPS: pci-mt7620: fix PLL lock check
    - md: Fix missing unused status line of /proc/mdstat
    - ALSA: hda/realtek: Re-order ALC882 Clevo quirk table entries
    - ALSA: hda/realtek: Re-order ALC269 HP quirk table entries
    - ALSA: hda/realtek: Re-order ALC269 Dell quirk table entries
    - ARM: dts: exynos: correct fuel gauge interrupt trigger level on Midas family
    - ARM: dts: exynos: correct MUIC interrupt trigger level on Midas family
    - ARM: dts: exynos: correct PMIC interrupt trigger level on Midas family
    - regmap: set debugfs_name to NULL after it is freed
    - mtd: rawnand: fsmc: Fix error code in fsmc_nand_probe()
    - mtd: rawnand: brcmnand: fix OOB R/W with Hamming ECC
    - mtd: rawnand: qcom: Return actual error code instead of -ENODEV
    - usbip: vudc: fix missing unlock on error in usbip_sockfd_store()
    - clk: qcom: a53-pll: Add missing MODULE_DEVICE_TABLE
    - scsi: ibmvfc: Fix invalid state machine BUG_ON()
    - sched/debug: Fix cgroup_path[] serialization
    - net: hns3: Limiting the scope of vector_ring_chain variable
    - ALSA: usb: midi: don't return -ENOMEM when usb_urb_ep_type_check fails
    - net: geneve: modify IP header check in geneve6_xmit_skb and geneve_xmit_skb
    - RDMA/bnxt_re: Fix a double free in bnxt_qplib_alloc_res
    - net: Only allow init netns to set default tcp cong to a restricted algo
    - i2c: bail out early when RDWR parameters are wrong
    - net: bridge: when suppression is enabled exclude RARP packets
    - i2c: Add I2C_AQ_NO_REP_START adapter quirk
    - ethtool: ioctl: Fix out-of-bounds warning in store_link_ksettings_for_user()
    - PCI: iproc: Fix return value of iproc_msi_irq_domain_alloc()
    - PCI: endpoint: Fix missing destroy_workqueue()
    - net: hns3: disable phy loopback setting in hclge_mac_start_phy
    - sctp: do asoc update earlier in sctp_sf_do_dupcook_a
    - ethernet:enic: Fix a use after free bug in enic_hard_start_xmit
    - netfilter: xt_SECMARK: add new revision to fix structure layout
    - drm/radeon: Avoid power table parsing memory leaks
    - sched/fair: Fix unfairness caused by missing load decay
    - xhci: Add reset resume quirk for AMD xhci controller.
    - cdc-wdm: untangle a circular dependency between callback and softint
    - nvme: do not try to reconfigure APST when the controller is not live
    - pinctrl: ingenic: Improve unreachable code generation
    - ARM: 9075/1: kernel: Fix interrupted SMC calls
    - scsi: target: tcmu: Return from tcmu_handle_completions() if cmd_id not
      found
    - tweewide: Fix most Shebang lines
    - scripts: switch explicitly to Python 3

-- Thadeu Lima de Souza Cascardo <cascardo@canonical.com>  Fri, 09 Jul 2021 17:19:20 -0300

Changed in linux (Ubuntu Bionic):
status:	Fix Committed → Fix Released

Po-Hsu Lin (cypressyew) on 2022-01-27

tags:

removed: sru

ubuntu-kernel-tests

test_map in ubuntu_bpf failed with "Allowed update sockmap '0:3' not in ESTABLISHED"

Bug Description

CVE References

Other bug subscribers

Bug attachments

Remote bug watches

	Status	Importance	Assigned to
ubuntu-kernel-tests	New	Undecided	Unassigned
linux (Ubuntu)	Confirmed	Undecided	Unassigned
Bionic	Fix Released	Medium	Unassigned