Ubuntu
linux-bluefield package

oob_net0 file transfers can crash kernel

Bug #1928852 reported by David Thompson on 2021-05-18

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	linux-bluefield (Ubuntu)	Invalid	Undecided	Unassigned
	Focal	Fix Released	Undecided	Unassigned

Bug Description

SRU Justification:

[Impact]
* Certain file transfers over the oob_net0 interface, which is
  managed by the mlxbf_gige driver, can fail in one of these ways:
  1) Transfer fails due to lost connection, e.g. SCP of a large (~1GB)
     file from a server into the BlueField-2 OOB interface can fail
     and return "lost connection" status
  2) Transfer fails due to kernel crash, e.g. issuing SCP on BlueField-2
     platform to retrieve a file from a server and copy it into an NFS
     mounted directory on the BlueField-2 platform can fail and crash the
     Linux kernel with a page fault and issues this message:
     "Unable to handle kernel paging request at virtual address XXX"

[Fix]
* This delivery provides a set of changes to add stability to
the mlxbf_gige driver transmit and receive processing:

Changes to mlxbf_gige_rx_packet()
---------------------------------
1) Changed logic to remove the assumption that there's at
   least one packet to process. Instead, at the start of
   routine check the RX CQE polarity bit, and if it is not
   the expected value then exit.

2) Moved call to "dma_unmap_single()" to within the path
   where packet status is OK. Otherwise if an errored
   packet is received, the SKB is unmapped but no SKB is
   allocated to fill that same index.

3) Defer call to "netif_receive_skb()" to end of routine
since this call can trigger more processing, even
packet transmissions, in the networking stack.

Changes to mlxbf_gige_start_xmit()
----------------------------------
1) Added logic to drop oversized packets

2) Added logic to use a spin lock when access priv->tx_pi
since this index is also accessed by the transmit
completion logic.

Changes to mlxbf_gige_handle_tx_complete
----------------------------------------
1) Added call to "mb()" to flush prev_tx_ci updates

[Test Case]
* #1 After booting platform, verify that file transfers of large files (~1GB) from a
  server into the BlueField-2 platform's /tmp directory over the oob_net0 interface succeed
* #2 Configure an NFS mounted directory on BlueField-2 platform and transfer
  large files over the oob_net0 interface into this directory. It is important to
  ensure that the oob_net0 is used for the NFS mount, and no other active interface
  will be involved. In the below example, the <peer-ip> is the IP address of the
  server interface that is the peer to the BlueField-2 OOB.
   1) Configure NFS server on a remote server
   2) Configure NFS client on BlueField-2 platform
      a) mkdir /mnt/share
      b) mount -t nfs <peer-ip>:<nfs-server-mount> /mnt/share
   3) Exercise file transfers over oob_net0 interface
      a) cd /mnt/share
      b) scp <user>@<peer-ip>:/tmp/<large-file> <local-file>

[Regression Potential]
* These changes have been well tested, but there's a chance that certain file
transfers could still experience problems (hung transfer, lost connection)

[Other]
* The mlxbf_gige driver will display v1.22 in modinfo after these changes.

Tags:

CVE References

Tim Gardner (timg-tpi) on 2021-06-03

Changed in linux-bluefield (Ubuntu):
status:	New → Invalid

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2021-06-05:

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: verification-needed-focal

Revision history for this message

Meriton Tuli (meriton) wrote on 2021-06-09:

Using Kernel 5.4.0-1013-bluefield this Issue has been fixed.

tags:

added: verification-done-focal
removed: verification-needed-focal

Revision history for this message

Launchpad Janitor (janitor) wrote on 2021-06-24:

Download full text (34.5 KiB)

This bug was fixed in the package linux-bluefield - 5.4.0-1013.16

---------------
linux-bluefield (5.4.0-1013.16) focal; urgency=medium

* focal/linux-bluefield: 5.4.0-1013.16 -proposed tracker (LP: #1930009)

* Automate soft reset of BlueField ARM via GPIO7 (LP: #1929736)
- SAUCE: Automate soft reset of BlueField ARM via GPIO7

  * Remove dependency between module and driver (LP: #1927246)
    - net/sched: act_ct: Make tcf_ct_flow_table_restore_skb inline
    - netfilter: flowtable: Make nf_flow_table_offload_add/del_cb inline

  * Increase flow insertion rate by using rw lock instead of mutex on the flow
    block. (LP: #1927251)
    - netfilter: flowtable: Use rw sem as flow block lock
    - netfilter: flowtable: Free block_cb when being deleted

* oob_net0 file transfers can crash kernel (LP: #1928852)
- SAUCE: mlxbf_gige: syncup with v1.23 content

* CT: Fix CT template allocation for zone 0 (LP: #1929460)
- SAUCE: net/sched: act_ct: Fix ct template allocation for zone 0

* CT: Offload connections with commit action (LP: #1929459)
- SAUCE: net/sched: act_ct: Offload connections with commit action

* CT: check offload bit on table dump (LP: #1929458)
- SAUCE: netfilter: conntrack: Check offload bit on table dump

* Memleak on restore flow when offloading conntrack. (LP: #1929844)
- SAUCE: skbuff: Release nfct refcount on napi stolen or re-used skbs

[ Ubuntu: 5.4.0-75.84 ]

This bug was fixed in the package linux-bluefield - 5.4.0-1013.16

---------------
linux-bluefield (5.4.0-1013.16) focal; urgency=medium

* focal/linux-bluefield: 5.4.0-1013.16 -proposed tracker (LP: #1930009)

* Automate soft reset of BlueField ARM via GPIO7 (LP: #1929736)
    - SAUCE: Automate soft reset of BlueField ARM via GPIO7

* oob_net0 file transfers can crash kernel (LP: #1928852)
    - SAUCE: mlxbf_gige: syncup with v1.23 content

* CT: Fix CT template allocation for zone 0 (LP: #1929460)
    - SAUCE: net/sched: act_ct: Fix ct template allocation for zone 0

* CT: Offload connections with commit action (LP: #1929459)
    - SAUCE: net/sched: act_ct: Offload connections with commit action

* CT: check offload bit on table dump (LP: #1929458)
    - SAUCE: netfilter: conntrack: Check offload bit on table dump

* Memleak on restore flow when offloading conntrack. (LP: #1929844)
    - SAUCE: skbuff: Release nfct refcount on napi stolen or re-used skbs

[ Ubuntu: 5.4.0-75.84 ]

* focal/linux: 5.4.0-75.84 -proposed tracker (LP: #1930032)
  * Packaging resync (LP: #1786013)
    - update dkms package versions
  * CVE-2021-33200
    - bpf: Wrap aux data inside bpf_sanitize_info container
    - bpf: Fix mask direction swap upon off reg sign change
    - bpf: No need to simulate speculative domain for immediates
  * Realtek USB hubs in Dell WD19SC/DC/TB fail to work after exiting s2idle
    (LP: #1928242)
    - USB: Verify the port status when timeout happens during port suspend
  * CVE-2020-26145
    - ath10k: drop fragments with multicast DA for SDIO
    - ath10k: add CCMP PN replay protection for fragmented frames for PCIe
    - ath10k: drop fragments with multicast DA for PCIe
  * CVE-2020-26141
    - ath10k: Fix TKIP Michael MIC verification for PCIe
  * CVE-2020-24588
    - mac80211: properly handle A-MSDUs that start with an RFC 1042 header
    - cfg80211: mitigate A-MSDU aggregation attacks
    - mac80211: drop A-MSDUs on old ciphers
    - ath10k: drop MPDU which has discard flag set by firmware for SDIO
  * CVE-2020-26139
    - mac80211: do not accept/forward invalid EAPOL frames
  * CVE-2020-24586 // CVE-2020-24587 // CVE-2020-24587 for such cases.
    - mac80211: extend protection against mixed key and fragment cache attacks
  * CVE-2020-24586 // CVE-2020-24587
    - mac80211: prevent mixed key and fragment cache attacks
    - mac80211: add fragment cache to sta_info
    - mac80211: check defrag PN against current frame
    - mac80211: prevent attacks on TKIP/WEP as well
  * CVE-2020-26147
    - mac80211: assure all fragments are encrypted
  * raid10: Block discard is very slow, causing severe delays for mkfs and
    fstrim operations (LP: #1896578)
    - md: add md_submit_discard_bio() for submitting discard bio
    - md/raid10: extend r10bio devs to raid disks
    - md/raid10: pull the code that wait for blocked dev into one function
    - md/raid10: improve raid10 discard request
    - md/raid10: improve discard request for far layout
    - dm raid: remove unnecessary discard limits for raid0 and raid10
  * [SRU] mpt3sas: only one vSES is handy even IOC has multi vSES (LP: #1926517)
    - scsi: mpt3sas: Only one vSES is present even when IOC has multi vSES
  * kvm: properly tear down PV features on hibernate (LP: #1920944)
    - x86/kvm: Fix pr_info() for async PF setup/teardown
    - x86/kvm: Teardown PV features on boot CPU as well
    - x86/kvm: Disable kvmclock on all CPUs on shutdown
    - x86/kvm: Disable all PV features on crash
    - x86/kvm: Unify kvm_pv_guest_cpu_reboot() with kvm_guest_cpu_offline()
  * Focal update: v5.4.119 upstream stable release (LP: #1929615)
    - Bluetooth: verify AMP hci_chan before amp_destroy
    - hsr: use netdev_err() instead of WARN_ONCE()
    - bluetooth: eliminate the potential race condition when removing the HCI
      controller
    - net/nfc: fix use-after-free llcp_sock_bind/connect
    - Revert "USB: cdc-acm: fix rounding error in TIOCSSERIAL"
    - tty: moxa: fix TIOCSSERIAL jiffies conversions
    - tty: amiserial: fix TIOCSSERIAL permission check
    - USB: serial: usb_wwan: fix TIOCSSERIAL jiffies conversions
    - staging: greybus: uart: fix TIOCSSERIAL jiffies conversions
    - USB: serial: ti_usb_3410_5052: fix TIOCSSERIAL permission check
    - staging: fwserial: fix TIOCSSERIAL jiffies conversions
    - tty: moxa: fix TIOCSSERIAL permission check
    - staging: fwserial: fix TIOCSSERIAL permission check
    - usb: typec: tcpm: Address incorrect values of tcpm psy for fixed supply
    - usb: typec: tcpm: Address incorrect values of tcpm psy for pps supply
    - usb: typec: tcpm: update power supply once partner accepts
    - usb: xhci-mtk: remove or operator for setting schedule parameters
    - usb: xhci-mtk: improve bandwidth scheduling with TT
    - ASoC: samsung: tm2_wm5110: check of of_parse return value
    - ASoC: Intel: kbl_da7219_max98927: Fix kabylake_ssp_fixup function
    - MIPS: pci-mt7620: fix PLL lock check
    - MIPS: pci-rt2880: fix slot 0 configuration
    - FDDI: defxx: Bail out gracefully with unassigned PCI resource for CSR
    - PCI: Allow VPD access for QLogic ISP2722
    - iio:accel:adis16201: Fix wrong axis assignment that prevents loading
    - misc: lis3lv02d: Fix false-positive WARN on various HP models
    - misc: vmw_vmci: explicitly initialize vmci_notify_bm_set_msg struct
    - misc: vmw_vmci: explicitly initialize vmci_datagram payload
    - md/bitmap: wait for external bitmap writes to complete during tear down
    - md-cluster: fix use-after-free issue when removing rdev
    - md: split mddev_find
    - md: factor out a mddev_find_locked helper from mddev_find
    - md: md_open returns -EBUSY when entering racing area
    - md: Fix missing unused status line of /proc/mdstat
    - ipw2x00: potential buffer overflow in libipw_wx_set_encodeext()
    - cfg80211: scan: drop entry from hidden_list on overflow
    - rtw88: Fix array overrun in rtw_get_tx_power_params()
    - drm/panfrost: Clear MMU irqs before handling the fault
    - drm/panfrost: Don't try to map pages that are already mapped
    - drm/radeon: fix copy of uninitialized variable back to userspace
    - drm/amd/display: Reject non-zero src_y and src_x for video planes
    - ALSA: hda/realtek: Re-order ALC882 Acer quirk table entries
    - ALSA: hda/realtek: Re-order ALC882 Sony quirk table entries
    - ALSA: hda/realtek: Re-order ALC882 Clevo quirk table entries
    - ALSA: hda/realtek: Re-order ALC269 HP quirk table entries
    - ALSA: hda/realtek: Re-order ALC269 Acer quirk table entries
    - ALSA: hda/realtek: Re-order ALC269 Dell quirk table entries
    - ALSA: hda/realtek: Re-order ALC269 ASUS quirk table entries
    - ALSA: hda/realtek: Re-order ALC269 Sony quirk table entries
    - ALSA: hda/realtek: Re-order ALC269 Lenovo quirk table entries
    - ALSA: hda/realtek: Re-order remaining ALC269 quirk table entries
    - ALSA: hda/realtek: Re-order ALC662 quirk table entries
    - ALSA: hda/realtek: Remove redundant entry for ALC861 Haier/Uniwill devices
    - ALSA: hda/realtek: ALC285 Thinkpad jack pin quirk is unreachable
    - KVM: s390: split kvm_s390_logical_to_effective
    - KVM: s390: fix guarded storage control register handling
    - s390: fix detection of vector enhancements facility 1 vs. vector packed
      decimal facility
    - KVM: s390: split kvm_s390_real_to_abs
    - KVM: nVMX: Truncate bits 63:32 of VMCS field on nested check in !64-bit
    - KVM: Stop looking for coalesced MMIO zones if the bus is destroyed
    - Revert "i3c master: fix missing destroy_workqueue() on error in
      i3c_master_register"
    - ovl: fix missing revert_creds() on error path
    - usb: gadget: pch_udc: Revert d3cb25a12138 completely
    - memory: gpmc: fix out of bounds read and dereference on gpmc_cs[]
    - ARM: dts: exynos: correct fuel gauge interrupt trigger level on Midas family
    - ARM: dts: exynos: correct MUIC interrupt trigger level on Midas family
    - ARM: dts: exynos: correct PMIC interrupt trigger level on Midas family
    - ARM: dts: exynos: correct PMIC interrupt trigger level on Odroid X/U3 family
    - ARM: dts: exynos: correct PMIC interrupt trigger level on SMDK5250
    - ARM: dts: exynos: correct PMIC interrupt trigger level on Snow
    - serial: stm32: fix incorrect characters on console
    - serial: stm32: fix tx_empty condition
    - usb: typec: tcpci: Check ROLE_CONTROL while interpreting CC_STATUS
    - regmap: set debugfs_name to NULL after it is freed
    - mtd: rawnand: fsmc: Fix error code in fsmc_nand_probe()
    - mtd: rawnand: brcmnand: fix OOB R/W with Hamming ECC
    - mtd: Handle possible -EPROBE_DEFER from parse_mtd_partitions()
    - mtd: rawnand: qcom: Return actual error code instead of -ENODEV
    - arm64: dts: qcom: sm8150: fix number of pins in 'gpio-ranges'
    - spi: stm32: drop devres version of spi_register_master
    - arm64: dts: renesas: r8a77980: Fix vin4-7 endpoint binding
    - x86/microcode: Check for offline CPUs before requesting new microcode
    - usb: gadget: pch_udc: Replace cpu_to_le32() by lower_32_bits()
    - usb: gadget: pch_udc: Check if driver is present before calling ->setup()
    - usb: gadget: pch_udc: Check for DMA mapping error
    - crypto: qat - don't release uninitialized resources
    - crypto: qat - ADF_STATUS_PF_RUNNING should be set after adf_dev_init
    - fotg210-udc: Fix DMA on EP0 for length > max packet size
    - fotg210-udc: Fix EP0 IN requests bigger than two packets
    - fotg210-udc: Remove a dubious condition leading to fotg210_done
    - fotg210-udc: Mask GRP2 interrupts we don't handle
    - fotg210-udc: Don't DMA more than the buffer can take
    - fotg210-udc: Complete OUT requests on short packets
    - mtd: require write permissions for locking and badblock ioctls
    - bus: qcom: Put child node before return
    - soundwire: bus: Fix device found flag correctly
    - phy: marvell: ARMADA375_USBCLUSTER_PHY should not default to y,
      unconditionally
    - crypto: qat - fix error path in adf_isr_resource_alloc()
    - usb: gadget: aspeed: fix dma map failure
    - USB: gadget: udc: fix wrong pointer passed to IS_ERR() and PTR_ERR()
    - memory: pl353: fix mask of ECC page_size config register
    - soundwire: stream: fix memory leak in stream config error path
    - m68k: mvme147,mvme16x: Don't wipe PCC timer config bits
    - mtd: rawnand: gpmi: Fix a double free in gpmi_nand_init
    - irqchip/gic-v3: Fix OF_BAD_ADDR error handling
    - staging: rtl8192u: Fix potential infinite loop
    - staging: greybus: uart: fix unprivileged TIOCCSERIAL
    - PM / devfreq: Use more accurate returned new_freq as resume_freq
    - spi: Fix use-after-free with devm_spi_alloc_*
    - soc: qcom: mdt_loader: Validate that p_filesz < p_memsz
    - soc: qcom: mdt_loader: Detect truncated read of segments
    - ACPI: CPPC: Replace cppc_attr with kobj_attribute
    - crypto: qat - Fix a double free in adf_create_ring
    - cpufreq: armada-37xx: Fix setting TBG parent for load levels
    - clk: mvebu: armada-37xx-periph: remove .set_parent method for CPU PM clock
    - cpufreq: armada-37xx: Fix the AVS value for load L1
    - clk: mvebu: armada-37xx-periph: Fix switching CPU freq from 250 Mhz to 1 GHz
    - clk: mvebu: armada-37xx-periph: Fix workaround for switching from L1 to L0
    - cpufreq: armada-37xx: Fix driver cleanup when registration failed
    - cpufreq: armada-37xx: Fix determining base CPU frequency
    - spi: fsl-lpspi: Fix PM reference leak in lpspi_prepare_xfer_hardware()
    - usb: gadget: r8a66597: Add missing null check on return from
      platform_get_resource
    - USB: cdc-acm: fix unprivileged TIOCCSERIAL
    - USB: cdc-acm: fix TIOCGSERIAL implementation
    - tty: fix return value for unsupported ioctls
    - serial: core: return early on unsupported ioctls
    - firmware: qcom-scm: Fix QCOM_SCM configuration
    - node: fix device cleanups in error handling code
    - usbip: vudc: fix missing unlock on error in usbip_sockfd_store()
    - platform/x86: pmc_atom: Match all Beckhoff Automation baytrail boards with
      critclk_systems DMI table
    - x86/platform/uv: Fix !KEXEC build failure
    - usb: dwc2: Fix host mode hibernation exit with remote wakeup flow.
    - usb: dwc2: Fix hibernation between host and device modes.
    - ttyprintk: Add TTY hangup callback.
    - xen-blkback: fix compatibility bug with single page rings
    - soc: aspeed: fix a ternary sign expansion bug
    - media: vivid: fix assignment of dev->fbuf_out_flags
    - media: omap4iss: return error code when omap4iss_get() failed
    - media: aspeed: fix clock handling logic
    - media: platform: sunxi: sun6i-csi: fix error return code of
      sun6i_video_start_streaming()
    - media: m88rs6000t: avoid potential out-of-bounds reads on arrays
    - drm/amdkfd: fix build error with AMD_IOMMU_V2=m
    - x86/kprobes: Fix to check non boostable prefixes correctly
    - pata_arasan_cf: fix IRQ check
    - pata_ipx4xx_cf: fix IRQ check
    - sata_mv: add IRQ checks
    - ata: libahci_platform: fix IRQ check
    - nvme-tcp: block BH in sk state_change sk callback
    - nvmet-tcp: fix incorrect locking in state_change sk callback
    - nvme: retrigger ANA log update if group descriptor isn't found
    - media: v4l2-ctrls.c: fix race condition in hdl->requests list
    - vfio/mdev: Do not allow a mdev_type to have a NULL parent pointer
    - clk: zynqmp: move zynqmp_pll_set_mode out of round_rate callback
    - clk: qcom: a53-pll: Add missing MODULE_DEVICE_TABLE
    - clk: uniphier: Fix potential infinite loop
    - scsi: hisi_sas: Fix IRQ checks
    - scsi: jazz_esp: Add IRQ check
    - scsi: sun3x_esp: Add IRQ check
    - scsi: sni_53c710: Add IRQ check
    - scsi: ibmvfc: Fix invalid state machine BUG_ON()
    - mfd: stm32-timers: Avoid clearing auto reload register
    - nvme-pci: don't simple map sgl when sgls are disabled
    - HSI: core: fix resource leaks in hsi_add_client_from_dt()
    - x86/events/amd/iommu: Fix sysfs type mismatch
    - sched/debug: Fix cgroup_path[] serialization
    - drivers/block/null_blk/main: Fix a double free in null_init.
    - HID: plantronics: Workaround for double volume key presses
    - perf symbols: Fix dso__fprintf_symbols_by_name() to return the number of
      printed chars
    - net: lapbether: Prevent racing when checking whether the netif is running
    - powerpc/fadump: Mark fadump_calculate_reserve_size as __init
    - powerpc/prom: Mark identical_pvr_fixup as __init
    - inet: use bigger hash table for IP ID generation
    - powerpc: Fix HAVE_HARDLOCKUP_DETECTOR_ARCH build configuration
    - ALSA: core: remove redundant spin_lock pair in snd_card_disconnect
    - bug: Remove redundant condition check in report_bug
    - nfc: pn533: prevent potential memory corruption
    - net: hns3: Limiting the scope of vector_ring_chain variable
    - mips: bmips: fix syscon-reboot nodes
    - ALSA: usb-audio: Add error checks for usb_driver_claim_interface() calls
    - ASoC: simple-card: fix possible uninitialized single_cpu local variable
    - liquidio: Fix unintented sign extension of a left shift of a u16
    - powerpc/64s: Fix pte update for kernel memory on radix
    - powerpc/perf: Fix PMU constraint check for EBB events
    - powerpc: iommu: fix build when neither PCI or IBMVIO is set
    - mac80211: bail out if cipher schemes are invalid
    - mt7601u: fix always true expression
    - KVM: PPC: Book3S HV P9: Restore host CTRL SPR after guest exit
    - RDMA/qedr: Fix error return code in qedr_iw_connect()
    - IB/hfi1: Fix error return code in parse_platform_config()
    - cxgb4: Fix unintentional sign extension issues
    - net: thunderx: Fix unintentional sign extension issue
    - RDMA/srpt: Fix error return code in srpt_cm_req_recv()
    - i2c: img-scb: fix reference leak when pm_runtime_get_sync fails
    - i2c: imx-lpi2c: fix reference leak when pm_runtime_get_sync fails
    - i2c: omap: fix reference leak when pm_runtime_get_sync fails
    - i2c: sprd: fix reference leak when pm_runtime_get_sync fails
    - i2c: cadence: add IRQ check
    - i2c: emev2: add IRQ check
    - i2c: jz4780: add IRQ check
    - i2c: sh7760: add IRQ check
    - powerpc/xive: Fix xmon command "dxi"
    - ASoC: ak5558: correct reset polarity
    - drm/i915/gvt: Fix error code in intel_gvt_init_device()
    - perf beauty: Fix fsconfig generator
    - MIPS: pci-legacy: stop using of_pci_range_to_resource
    - powerpc/pseries: extract host bridge from pci_bus prior to bus removal
    - rtlwifi: 8821ae: upgrade PHY and RF parameters
    - i2c: sh7760: fix IRQ error path
    - mwl8k: Fix a double Free in mwl8k_probe_hw
    - vsock/vmci: log once the failed queue pair allocation
    - gro: fix napi_gro_frags() Fast GRO breakage due to IP alignment check
    - RDMA/cxgb4: add missing qpid increment
    - RDMA/i40iw: Fix error unwinding when i40iw_hmc_sd_one fails
    - ALSA: usb: midi: don't return -ENOMEM when usb_urb_ep_type_check fails
    - net: davinci_emac: Fix incorrect masking of tx and rx error channel
    - net: renesas: ravb: Fix a stuck issue when a lot of frames are received
    - net: phy: intel-xway: enable integrated led functions
    - ath9k: Fix error check in ath9k_hw_read_revisions() for PCI devices
    - ath10k: Fix ath10k_wmi_tlv_op_pull_peer_stats_info() unlock without lock
    - powerpc/52xx: Fix an invalid ASM expression ('addi' used instead of 'add')
    - bnxt_en: fix ternary sign extension bug in bnxt_show_temp()
    - ARM: dts: uniphier: Change phy-mode to RGMII-ID to enable delay pins for
      RTL8211E
    - arm64: dts: uniphier: Change phy-mode to RGMII-ID to enable delay pins for
      RTL8211E
    - net: geneve: modify IP header check in geneve6_xmit_skb and geneve_xmit_skb
    - selftests: net: mirror_gre_vlan_bridge_1q: Make an FDB entry static
    - bnxt_en: Fix RX consumer index logic in the error path.
    - net:emac/emac-mac: Fix a use after free in emac_mac_tx_buf_send
    - RDMA/siw: Fix a use after free in siw_alloc_mr
    - RDMA/bnxt_re: Fix a double free in bnxt_qplib_alloc_res
    - net: bridge: mcast: fix broken length + header check for MRDv6 Adv.
    - net:nfc:digital: Fix a double free in digital_tg_recv_dep_req
    - kfifo: fix ternary sign extension bugs
    - mm/sparse: add the missing sparse_buffer_fini() in error branch
    - mm/memory-failure: unnecessary amount of unmapping
    - net: Only allow init netns to set default tcp cong to a restricted algo
    - smp: Fix smp_call_function_single_async prototype
    - Revert "net/sctp: fix race condition in sctp_destroy_sock"
    - sctp: delay auto_asconf init until binding the first addr
    - Revert "of/fdt: Make sure no-map does not remove already reserved regions"
    - Revert "fdt: Properly handle "no-map" field in the memory region"
    - Linux 5.4.119
  * seccomp_bpf:syscall_faked from kselftests fail on s390x (LP: #1928522)
    - selftests/seccomp: s390 shares the syscall and return value register
  * Can't detect intel wifi 6235 (LP: #1920180)
    - SAUCE: iwlwifi: add new pci id for 6235
  * Mark kprobe_args_user.tc in kselftest/ftrace as unsupported (LP: #1929527)
    - selftests/ftrace: Return unsupported for the unconfigured features
  * pmtu.sh from net in ubuntu_kernel_selftests failed with no error message
    (LP: #1887661)
    - selftests: pmtu.sh: use $ksft_skip for skipped return code
  * alsa/sof: make sof driver work in the case of without i915 (focal kernel)
    (LP: #1927672)
    - SAUCE: ASoC: SOF: Intel: hda: move the probe_bus ahead of creation of mach
      device
  * Fix kdump failures (LP: #1927518)
    - video: hyperv_fb: Add ratelimit on error message
    - Drivers: hv: vmbus: Increase wait time for VMbus unload
    - Drivers: hv: vmbus: Initialize unload_event statically
  * Ubuntu 20.04 - 'Support flow counters offset for bulk counters'
    (LP: #1922494)
    - IB/mlx5: Support flow counters offset for bulk counters
  * Focal update: v5.4.118 upstream stable release (LP: #1928825)
    - s390/disassembler: increase ebpf disasm buffer size
    - ACPI: custom_method: fix potential use-after-free issue
    - ACPI: custom_method: fix a possible memory leak
    - ftrace: Handle commands when closing set_ftrace_filter file
    - ARM: 9056/1: decompressor: fix BSS size calculation for LLVM ld.lld
    - arm64: dts: marvell: armada-37xx: add syscon compatible to NB clk node
    - arm64: dts: mt8173: fix property typo of 'phys' in dsi node
    - ecryptfs: fix kernel panic with null dev_name
    - mtd: spinand: core: add missing MODULE_DEVICE_TABLE()
    - mtd: rawnand: atmel: Update ecc_stats.corrected counter
    - erofs: add unsupported inode i_format check
    - spi: spi-ti-qspi: Free DMA resources
    - scsi: qla2xxx: Fix crash in qla2xxx_mqueuecommand()
    - scsi: mpt3sas: Block PCI config access from userspace during reset
    - mmc: uniphier-sd: Fix an error handling path in uniphier_sd_probe()
    - mmc: uniphier-sd: Fix a resource leak in the remove function
    - mmc: sdhci: Check for reset prior to DMA address unmap
    - mmc: sdhci-pci: Fix initialization of some SD cards for Intel BYT-based
      controllers
    - mmc: block: Update ext_csd.cache_ctrl if it was written
    - mmc: block: Issue a cache flush only when it's enabled
    - mmc: core: Do a power cycle when the CMD11 fails
    - mmc: core: Set read only for SD cards with permanent write protect bit
    - mmc: core: Fix hanging on I/O during system suspend for removable cards
    - modules: mark ref_module static
    - modules: mark find_symbol static
    - modules: mark each_symbol_section static
    - modules: unexport __module_text_address
    - modules: unexport __module_address
    - modules: rename the licence field in struct symsearch to license
    - modules: return licensing information from find_symbol
    - modules: inherit TAINT_PROPRIETARY_MODULE
    - irqchip/gic-v3: Do not enable irqs when handling spurious interrups
    - cifs: Return correct error code from smb2_get_enc_key
    - btrfs: fix metadata extent leak after failure to create subvolume
    - intel_th: pci: Add Rocket Lake CPU support
    - posix-timers: Preserve return value in clock_adjtime32()
    - fbdev: zero-fill colormap in fbcmap.c
    - bus: ti-sysc: Probe for l4_wkup and l4_cfg interconnect devices first
    - staging: wimax/i2400m: fix byte-order issue
    - spi: ath79: always call chipselect function
    - spi: ath79: remove spi-master setup and cleanup assignment
    - crypto: api - check for ERR pointers in crypto_destroy_tfm()
    - crypto: qat - fix unmap invalid dma address
    - usb: gadget: uvc: add bInterval checking for HS mode
    - usb: webcam: Invalid size of Processing Unit Descriptor
    - genirq/matrix: Prevent allocation counter corruption
    - usb: gadget: f_uac2: validate input parameters
    - usb: gadget: f_uac1: validate input parameters
    - usb: dwc3: gadget: Ignore EP queue requests during bus reset
    - usb: xhci: Fix port minor revision
    - PCI: PM: Do not read power state in pci_enable_device_flags()
    - x86/build: Propagate $(CLANG_FLAGS) to $(REALMODE_FLAGS)
    - tee: optee: do not check memref size on return from Secure World
    - perf/arm_pmu_platform: Fix error handling
    - usb: xhci-mtk: support quirk to disable usb2 lpm
    - xhci: check control context is valid before dereferencing it.
    - xhci: fix potential array out of bounds with several interrupters
    - spi: dln2: Fix reference leak to master
    - spi: omap-100k: Fix reference leak to master
    - spi: qup: fix PM reference leak in spi_qup_remove()
    - usb: musb: fix PM reference leak in musb_irq_work()
    - usb: core: hub: Fix PM reference leak in usb_port_resume()
    - tty: n_gsm: check error while registering tty devices
    - intel_th: Consistency and off-by-one fix
    - phy: phy-twl4030-usb: Fix possible use-after-free in twl4030_usb_remove()
    - crypto: stm32/hash - Fix PM reference leak on stm32-hash.c
    - crypto: stm32/cryp - Fix PM reference leak on stm32-cryp.c
    - crypto: omap-aes - Fix PM reference leak on omap-aes.c
    - platform/x86: intel_pmc_core: Don't use global pmcdev in quirks
    - btrfs: convert logic BUG_ON()'s in replace_path to ASSERT()'s
    - drm: Added orientation quirk for OneGX1 Pro
    - drm/qxl: release shadow on shutdown
    - drm/amd/display: Check for DSC support instead of ASIC revision
    - drm/amd/display: Don't optimize bandwidth before disabling planes
    - scsi: lpfc: Fix incorrect dbde assignment when building target abts wqe
    - scsi: lpfc: Fix pt2pt connection does not recover after LOGO
    - scsi: target: pscsi: Fix warning in pscsi_complete_cmd()
    - media: ite-cir: check for receive overflow
    - media: drivers: media: pci: sta2x11: fix Kconfig dependency on GPIOLIB
    - media: imx: capture: Return -EPIPE from __capture_legacy_try_fmt()
    - power: supply: bq27xxx: fix power_avg for newer ICs
    - extcon: arizona: Fix some issues when HPDET IRQ fires after the jack has
      been unplugged
    - extcon: arizona: Fix various races on driver unbind
    - media: media/saa7164: fix saa7164_encoder_register() memory leak bugs
    - media: gspca/sq905.c: fix uninitialized variable
    - power: supply: Use IRQF_ONESHOT
    - drm/amdgpu: mask the xgmi number of hops reported from psp to kfd
    - drm/amdkfd: Fix UBSAN shift-out-of-bounds warning
    - drm/amdgpu : Fix asic reset regression issue introduce by 8f211fe8ac7c4f
    - drm/amd/display: Fix UBSAN warning for not a valid value for type '_Bool'
    - drm/amd/display: fix dml prefetch validation
    - scsi: qla2xxx: Always check the return value of qla24xx_get_isp_stats()
    - drm/vkms: fix misuse of WARN_ON
    - scsi: qla2xxx: Fix use after free in bsg
    - mmc: sdhci-pci: Add PCI IDs for Intel LKF
    - ata: ahci: Disable SXS for Hisilicon Kunpeng920
    - scsi: smartpqi: Correct request leakage during reset operations
    - scsi: smartpqi: Add new PCI IDs
    - scsi: scsi_dh_alua: Remove check for ASC 24h in alua_rtpg()
    - media: em28xx: fix memory leak
    - media: vivid: update EDID
    - clk: socfpga: arria10: Fix memory leak of socfpga_clk on error return
    - power: supply: generic-adc-battery: fix possible use-after-free in
      gab_remove()
    - power: supply: s3c_adc_battery: fix possible use-after-free in
      s3c_adc_bat_remove()
    - media: tc358743: fix possible use-after-free in tc358743_remove()
    - media: adv7604: fix possible use-after-free in adv76xx_remove()
    - media: i2c: adv7511-v4l2: fix possible use-after-free in adv7511_remove()
    - media: i2c: tda1997: Fix possible use-after-free in tda1997x_remove()
    - media: i2c: adv7842: fix possible use-after-free in adv7842_remove()
    - media: platform: sti: Fix runtime PM imbalance in regs_show
    - media: dvb-usb: fix memory leak in dvb_usb_adapter_init
    - media: gscpa/stv06xx: fix memory leak
    - sched/fair: Ignore percpu threads for imbalance pulls
    - drm/msm/mdp5: Configure PP_SYNC_HEIGHT to double the vtotal
    - drm/msm/mdp5: Do not multiply vclk line count by 100
    - drm/amdkfd: Fix cat debugfs hang_hws file causes system crash bug
    - amdgpu: avoid incorrect %hu format string
    - drm/amdgpu: fix NULL pointer dereference
    - scsi: lpfc: Fix crash when a REG_RPI mailbox fails triggering a LOGO
      response
    - scsi: lpfc: Fix error handling for mailboxes completed in MBX_POLL mode
    - scsi: lpfc: Remove unsupported mbox PORT_CAPABILITIES logic
    - mfd: arizona: Fix rumtime PM imbalance on error
    - scsi: libfc: Fix a format specifier
    - s390/archrandom: add parameter check for s390_arch_random_generate
    - ALSA: emu8000: Fix a use after free in snd_emu8000_create_mixer
    - ALSA: hda/conexant: Re-order CX5066 quirk table entries
    - ALSA: sb: Fix two use after free in snd_sb_qsound_build
    - ALSA: usb-audio: Explicitly set up the clock selector
    - ALSA: usb-audio: More constifications
    - ALSA: usb-audio: Add dB range mapping for Sennheiser Communications Headset
      PC 8
    - ALSA: hda/realtek: GA503 use same quirks as GA401
    - ALSA: hda/realtek: fix mic boost on Intel NUC 8
    - ALSA: hda/realtek: fix static noise on ALC285 Lenovo laptops
    - ALSA: hda/realtek: Add quirk for Intel Clevo PCx0Dx
    - btrfs: fix race when picking most recent mod log operation for an old root
    - arm64/vdso: Discard .note.gnu.property sections in vDSO
    - Makefile: Move -Wno-unused-but-set-variable out of GCC only block
    - virtiofs: fix memory leak in virtio_fs_probe()
    - ubifs: Only check replay with inode type to judge if inode linked
    - f2fs: fix to avoid out-of-bounds memory access
    - mlxsw: spectrum_mr: Update egress RIF list before route's action
    - openvswitch: fix stack OOB read while fragmenting IPv4 packets
    - ACPI: GTDT: Don't corrupt interrupt mappings on watchdow probe failure
    - NFS: Don't discard pNFS layout segments that are marked for return
    - NFSv4: Don't discard segments marked for return in _pnfs_return_layout()
    - Input: ili210x - add missing negation for touch indication on ili210x
    - jffs2: Fix kasan slab-out-of-bounds problem
    - powerpc/eeh: Fix EEH handling for hugepages in ioremap space.
    - powerpc: fix EDEADLOCK redefinition error in uapi/asm/errno.h
    - intel_th: pci: Add Alder Lake-M support
    - tpm: efi: Use local variable for calculating final log size
    - tpm: vtpm_proxy: Avoid reading host log when using a virtual device
    - crypto: rng - fix crypto_rng_reset() refcounting when !CRYPTO_STATS
    - md/raid1: properly indicate failure when ending a failed write request
    - dm raid: fix inconclusive reshape layout on fast raid4/5/6 table reload
      sequences
    - fuse: fix write deadlock
    - security: commoncap: fix -Wstringop-overread warning
    - Fix misc new gcc warnings
    - jffs2: check the validity of dstlen in jffs2_zlib_compress()
    - Revert 337f13046ff0 ("futex: Allow FUTEX_CLOCK_REALTIME with FUTEX_WAIT op")
    - x86/cpu: Initialize MSR_TSC_AUX if RDTSCP *or* RDPID is supported
    - kbuild: update config_data.gz only when the content of .config is changed
    - ext4: fix check to prevent false positive report of incorrect used inodes
    - ext4: do not set SB_ACTIVE in ext4_orphan_cleanup()
    - ext4: fix error code in ext4_commit_super
    - media: dvbdev: Fix memory leak in dvb_media_device_free()
    - media: dvb-usb: Fix use-after-free access
    - media: dvb-usb: Fix memory leak at error in dvb_usb_device_init()
    - media: staging/intel-ipu3: Fix memory leak in imu_fmt
    - media: staging/intel-ipu3: Fix set_fmt error handling
    - media: staging/intel-ipu3: Fix race condition during set_fmt
    - usb: gadget: dummy_hcd: fix gpf in gadget_setup
    - usb: gadget: Fix double free of device descriptor pointers
    - usb: gadget/function/f_fs string table fix for multiple languages
    - usb: dwc3: gadget: Fix START_TRANSFER link state check
    - usb: dwc2: Fix session request interrupt handler
    - tty: fix memory leak in vc_deallocate
    - rsi: Use resume_noirq for SDIO
    - tracing: Map all PIDs to command lines
    - tracing: Restructure trace_clock_global() to never block
    - dm persistent data: packed struct should have an aligned() attribute too
    - dm space map common: fix division bug in sm_ll_find_free_block()
    - dm integrity: fix missing goto in bitmap_flush_interval error handling
    - dm rq: fix double free of blk_mq_tag_set in dev remove after table load
      fails
    - Linux 5.4.118
  * Focal update: v5.4.117 upstream stable release (LP: #1928823)
    - mips: Do not include hi and lo in clobber list for R6
    - ACPI: tables: x86: Reserve memory occupied by ACPI tables
    - ACPI: x86: Call acpi_boot_table_init() after acpi_table_upgrade()
    - net: usb: ax88179_178a: initialize local variables before use
    - igb: Enable RSS for Intel I211 Ethernet Controller
    - iwlwifi: Fix softirq/hardirq disabling in iwl_pcie_enqueue_hcmd()
    - bpf: Fix masking negation logic upon negative dst register
    - bpf: Fix leakage of uninitialized bpf stack under speculation
    - avoid __memcat_p link failure
    - iwlwifi: Fix softirq/hardirq disabling in iwl_pcie_gen2_enqueue_hcmd()
    - perf data: Fix error return code in perf_data__create_dir()
    - perf ftrace: Fix access to pid in array when setting a pid filter
    - ALSA: usb-audio: Add MIDI quirk for Vox ToneLab EX
    - USB: Add reset-resume quirk for WD19's Realtek Hub
    - platform/x86: thinkpad_acpi: Correct thermal sensor allocation
    - scsi: ufs: Unlock on a couple error paths
    - ovl: allow upperdir inside lowerdir
    - perf/core: Fix unconditional security_locked_down() call
    - vfio: Depend on MMU
    - Linux 5.4.117
  * r8152 tx status -71 (LP: #1922651) // Focal update: v5.4.117 upstream stable
    release (LP: #1928823)
    - USB: Add LPM quirk for Lenovo ThinkPad USB-C Dock Gen2 Ethernet
  * Focal update: v5.4.116 upstream stable release (LP: #1928821)
    - bpf: Move off_reg into sanitize_ptr_alu
    - bpf: Ensure off_reg has no mixed signed bounds for all types
    - bpf: Rework ptr_limit into alu_limit and add common error path
    - bpf: Improve verifier error messages for users
    - bpf: Refactor and streamline bounds check into helper
    - bpf: Move sanitize_val_alu out of op switch
    - bpf: Tighten speculative pointer arithmetic mask
    - bpf: Update selftests to reflect new error states
    - Linux 5.4.116
  * Focal update: v5.4.115 upstream stable release (LP: #1927997)
    - gpio: omap: Save and restore sysconfig
    - pinctrl: lewisburg: Update number of pins in community
    - arm64: dts: allwinner: Revert SD card CD GPIO for Pine64-LTS
    - perf/x86/intel/uncore: Remove uncore extra PCI dev HSWEP_PCI_PCU_3
    - perf/x86/kvm: Fix Broadwell Xeon stepping in isolation_ucodes[]
    - perf auxtrace: Fix potential NULL pointer dereference
    - HID: google: add don USB id
    - HID: alps: fix error return code in alps_input_configured()
    - HID: wacom: Assign boolean values to a bool variable
    - ARM: dts: Fix swapped mmc order for omap3
    - net: geneve: check skb is large enough for IPv4/IPv6 header
    - s390/entry: save the caller of psw_idle
    - xen-netback: Check for hotplug-status existence before watching
    - cavium/liquidio: Fix duplicate argument
    - csky: change a Kconfig symbol name to fix e1000 build error
    - ia64: fix discontig.c section mismatches
    - ia64: tools: remove duplicate definition of ia64_mf() on ia64
    - x86/crash: Fix crash_setup_memmap_entries() out-of-bounds access
    - net: hso: fix NULL-deref on disconnect regression
    - USB: CDC-ACM: fix poison/unpoison imbalance
    - Linux 5.4.115

-- Tim Gardner <tim.gardner@canonical.com>  Thu, 03 Jun 2021 08:37:16 -0600

Changed in linux-bluefield (Ubuntu Focal):
status:	New → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntulinux-bluefield package

oob_net0 file transfers can crash kernel

Bug Description

CVE References

Other bug subscribers

Remote bug watches

Ubuntu
linux-bluefield package