Ubuntu
linux package

The kernel NULL pointer dereference happens when accessing the task_struct by task_cpu() in function cpuacct_charge()

Bug #1775326 reported by Gavin Guo on 2018-06-06

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	linux (Ubuntu)	Fix Released	Undecided	Gavin Guo
	Xenial	Fix Released	Undecided	Unassigned

Bug Description

[Impact]

In function cpuacct_charge(), the NULL pointer dereference happens
with the stack pointer being zero inside the task_struct when the
task_cpu() is trying to access the member CPU of the struct
thread_info inside the stack. It's a use-after-free corruption
happening in the situation that the task_struct is released almost
concurrently before accessing the task_struct->stack.

void cpuacct_charge(struct task_struct *tsk, u64 cputime)
{
struct cpuacct *ca;
int cpu;

cpu = task_cpu(tsk);

rcu_read_lock();

ca = task_ca(tsk);

        while (true) {
                u64 *cpuusage = per_cpu_ptr(ca->cpuusage, cpu);
                *cpuusage += cputime;

                ca = parent_ca(ca);
                if (!ca)
                        break;
        }

rcu_read_unlock();
}

BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
IP: [<ffffffff810c3ff4>] cpuacct_charge+0x14/0x40
PGD 0
Oops: 0000 [#1] SMP
CPU: 10 PID: 148614 Comm: qemu-system-x86 Tainted: P W OE 4.4.0-45-generic #66~14.04.1-Ubuntu
Hardware name: Dell Inc. PowerEdge R630/02C2CP, BIOS 2.1.7 06/16/2016
task: ffff881ff0f01b80 ti: ffff88018fd70000 task.ti: ffff88018fd70000
RIP: 0010:[<ffffffff810c3ff4>] [<ffffffff810c3ff4>] cpuacct_charge+0x14/0x40
RSP: 0018:ffff88018fd73d10 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8801931e8000 RCX: ffff88010caff200
RDX: ffff880124508000 RSI: 0066f757398831d6 RDI: ffff8801931e7fa0
RBP: ffff88018fd73d10 R08: ffffffffc04b8320 R09: 0000000000000001
R10: 0000000000000001 R11: 0000000000000000 R12: 0066f757398831d6
R13: 0066f757398b8997 R14: ffff8801931e7fa0 R15: 0000000000000001
FS: 00007f162aaf7700(0000) GS:ffff881ffe740000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000010 CR3: 000000011d86e000 CR4: 00000000003426e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
ffff88018fd73d28 ffffffff810b1a9f ffff8801931e8000 ffff88018fd73d40
ffffffffc069df72 ffff8801931e8000 ffff88018fd73da8 ffffffffc069f121
ffff881ff0f01b80 0000000000000000 ffff881ff0f01b80 ffffffff810bddc0
Call Trace:
[<ffffffff810b1a9f>] update_curr+0xdf/0x170
[<ffffffffc069df72>] kvm_vcpu_check_block+0x12/0x60 [kvm]
[<ffffffffc069f121>] kvm_vcpu_block+0x191/0x2d0 [kvm]
[<ffffffff810bddc0>] ? prepare_to_wait_event+0xf0/0xf0
[<ffffffffc06bb9ee>] kvm_arch_vcpu_ioctl_run+0x17e/0x3d0 [kvm]
[<ffffffffc06a1f8b>] kvm_vcpu_ioctl+0x2ab/0x640 [kvm]
[<ffffffff81174517>] ? perf_event_context_sched_in+0x87/0xa0
[<ffffffff81210d6d>] do_vfs_ioctl+0x2dd/0x4c0
[<ffffffff8111fa1f>] ? __audit_syscall_entry+0xaf/0x100
[<ffffffff81003176>] ? do_audit_syscall_entry+0x66/0x70
[<ffffffff81210fc9>] SyS_ioctl+0x79/0x90
[<ffffffff817fa4f6>] entry_SYSCALL_64_fastpath+0x16/0x75
Code: 9a 11 00 5b 48 c7 c0 f4 ff ff ff 5d eb df 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 8b 47 08 48 8b 97 78 07 00 00 48 89 e5 <48> 63 48 10 48 8b 52 60 48 8b 82 b8 00 00 00 48 03 04 cd c0 7a
RIP [<ffffffff810c3ff4>] cpuacct_charge+0x14/0x40
RSP <ffff88018fd73d10>
CR2: 0000000000000010
---[ end trace 419a30375d0e4622 ]---

[Fix]

The patch uses this_cpu_ptr() instead of getting the CPU number by
task_cpu() and proceeds to get the cpu_usage by per_cpu_ptr(). And
that can avoid accessing the thread_info inside the stack.

commit 73e6aafd9ea81498d31361f01db84a0118da2d1c
Author: Zhao Lei <email address hidden>
Date: Thu Mar 17 12:19:43 2016 +0800

sched/cpuacct: Simplify the cpuacct code

- Use for() instead of while() loop in some functions
to make the code simpler.

- Use this_cpu_ptr() instead of per_cpu_ptr() to make the code
cleaner and a bit faster.

    Suggested-by: Peter Zijlstra <email address hidden>
    Signed-off-by: Zhao Lei <email address hidden>
    Signed-off-by: Peter Zijlstra (Intel) <email address hidden>
    Cc: Linus Torvalds <email address hidden>
    Cc: Tejun Heo <email address hidden>
    Cc: Thomas Gleixner <email address hidden>
    Link: http://lkml.kernel.org/r<email address hidden>
    Signed-off-by: Ingo Molnar <email address hidden>

[Test]
The test kernel has been tested by the Qemu and cannot be reproduced.

Tags:

CVE References

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2018-06-06: Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1775326

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status:	New → Incomplete
tags:	added: xenial

Gavin Guo (mimi0213kimo) on 2018-06-06

summary:

- The kernel NULL pointer dereference happens when accessing the task by
- task_cpu() in function cpuacct_charge()
+ The kernel NULL pointer dereference happens when accessing the
+ task_struct by task_cpu() in function cpuacct_charge()

Kleber Sacilotto de Souza (kleber-souza) on 2018-06-07

Changed in linux (Ubuntu Xenial):
status:	New → In Progress

Khaled El Mously (kmously) on 2018-06-08

Changed in linux (Ubuntu Xenial):
status:	In Progress → Fix Committed

Revision history for this message

Brad Figg (brad-figg) wrote on 2018-06-13:

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'. If the problem still exists, change the tag 'verification-needed-xenial' to 'verification-failed-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: verification-needed-xenial

Revision history for this message

Kleber Sacilotto de Souza (kleber-souza) wrote on 2018-06-20:

Hello Gavin,

Could you please verify the fix(es) with the Xenial kernel currently in -proposed?

Thank you.

Gavin Guo (mimi0213kimo) on 2018-06-21

tags:

added: verification-done-xenial
removed: verification-needed-xenial

Revision history for this message

Launchpad Janitor (janitor) wrote on 2018-07-02:

Download full text (29.8 KiB)

This bug was fixed in the package linux - 4.4.0-130.156

---------------
linux (4.4.0-130.156) xenial; urgency=medium

* linux: 4.4.0-130.156 -proposed tracker (LP: #1776822)

  * CVE-2018-3665 (x86)
    - x86/fpu: Fix early FPU command-line parsing
    - x86/fpu: Fix 'no387' regression
    - x86/fpu: Disable MPX when eagerfpu is off
    - x86/fpu: Default eagerfpu=on on all CPUs
    - x86/fpu: Fix FNSAVE usage in eagerfpu mode
    - x86/fpu: Fix math emulation in eager fpu mode
    - x86/fpu: Fix eager-FPU handling on legacy FPU machines

linux (4.4.0-129.155) xenial; urgency=medium

* linux: 4.4.0-129.155 -proposed tracker (LP: #1776352)

This bug was fixed in the package linux - 4.4.0-130.156

---------------
linux (4.4.0-130.156) xenial; urgency=medium

* linux: 4.4.0-130.156 -proposed tracker (LP: #1776822)

linux (4.4.0-129.155) xenial; urgency=medium

* linux: 4.4.0-129.155 -proposed tracker (LP: #1776352)

* Xenial update to 4.4.134 stable release (LP: #1775771)
    - MIPS: ptrace: Expose FIR register through FP regset
    - MIPS: Fix ptrace(2) PTRACE_PEEKUSR and PTRACE_POKEUSR accesses to o32 FGRs
    - KVM: Fix spelling mistake: "cop_unsuable" -> "cop_unusable"
    - affs_lookup(): close a race with affs_remove_link()
    - aio: fix io_destroy(2) vs. lookup_ioctx() race
    - ALSA: timer: Fix pause event notification
    - mmc: sdhci-iproc: fix 32bit writes for TRANSFER_MODE register
    - libata: Blacklist some Sandisk SSDs for NCQ
    - libata: blacklist Micron 500IT SSD with MU01 firmware
    - xen-swiotlb: fix the check condition for xen_swiotlb_free_coherent
    - Revert "ipc/shm: Fix shmat mmap nil-page protection"
    - ipc/shm: fix shmat() nil address after round-down when remapping
    - kasan: fix memory hotplug during boot
    - kernel/sys.c: fix potential Spectre v1 issue
    - kernel/signal.c: avoid undefined behaviour in kill_something_info
    - xfs: remove racy hasattr check from attr ops
    - do d_instantiate/unlock_new_inode combinations safely
    - firewire-ohci: work around oversized DMA reads on JMicron controllers
    - NFSv4: always set NFS_LOCK_LOST when a lock is lost.
    - ALSA: hda - Use IS_REACHABLE() for dependency on input
    - ASoC: au1x: Fix timeout tests in au1xac97c_ac97_read()
    - kvm: x86: fix KVM_XEN_HVM_CONFIG ioctl
    - tracing/hrtimer: Fix tracing bugs by taking all clock bases and modes into
      account
    - PCI: Add function 1 DMA alias quirk for Marvell 9128
    - tools lib traceevent: Simplify pointer print logic and fix %pF
    - perf callchain: Fix attr.sample_max_stack setting
    - tools lib traceevent: Fix get_field_str() for dynamic strings
    - dm thin: fix documentation relative to low water mark threshold
    - nfs: Do not convert nfs_idmap_cache_timeout to jiffies
    - watchdog: sp5100_tco: Fix watchdog disable bit
    - kconfig: Don't leak main menus during parsing
    - kconfig: Fix automatic menu creation mem leak
    - kconfig: Fix expr_free() E_NOT leak
    - ipmi/powernv: Fix error return code in ipmi_powernv_probe()
    - Btrfs: set plug for fsync
    - btrfs: Fix out of bounds access in btrfs_search_slot
    - Btrfs: fix scrub to repair raid6 corruption
    - scsi: fas216: fix sense buffer initialization
    - HID: roccat: prevent an out of bounds read in kovaplus_profile_activated()
    - jffs2: Fix use-after-free bug in jffs2_iget()'s error handling path
    - powerpc/numa: Use ibm,max-associativity-domains to discover possible nodes
    - powerpc/numa: Ensure nodes initialized for hotplug
    - RDMA/mlx5: Avoid memory leak in case of XRCD dealloc failure
    - ntb_transport: Fix bug with max_mw_size parameter
    - ocfs2: return -EROFS to mount.ocfs2 if inode block is invalid
    - ocfs2/acl: use 'ip_xattr_sem' to protect getting extended attribute
    - ocfs2: return error when we attempt to access a dirty bh in jbd2
    - mm/mempolicy: fix the check of nodemask from user
    - mm/mempolicy: add nodes_empty check in SYSC_migrate_pages
    - asm-generic: provide generic_pmdp_establish()
    - mm: pin address_space before dereferencing it while isolating an LRU page
    - IB/ipoib: Fix for potential no-carrier state
    - x86/power: Fix swsusp_arch_resume prototype
    - firmware: dmi_scan: Fix handling of empty DMI strings
    - ACPI: processor_perflib: Do not send _PPC change notification if not ready
    - MIPS: TXx9: use IS_BUILTIN() for CONFIG_LEDS_CLASS
    - xen-netfront: Fix race between device setup and open
    - xen/grant-table: Use put_page instead of free_page
    - RDS: IB: Fix null pointer issue
    - arm64: spinlock: Fix theoretical trylock() A-B-A with LSE atomics
    - proc: fix /proc/*/map_files lookup
    - cifs: silence compiler warnings showing up with gcc-8.0.0
    - bcache: properly set task state in bch_writeback_thread()
    - bcache: fix for allocator and register thread race
    - bcache: fix for data collapse after re-attaching an attached device
    - bcache: return attach error when no cache set exist
    - tools/libbpf: handle issues with bpf ELF objects containing .eh_frames
    - locking/qspinlock: Ensure node->count is updated before initialising node
    - irqchip/gic-v3: Change pr_debug message to pr_devel
    - scsi: ufs: Enable quirk to ignore sending WRITE_SAME command
    - scsi: bnx2fc: Fix check in SCSI completion handler for timed out request
    - scsi: sym53c8xx_2: iterator underflow in sym_getsync()
    - scsi: mptfusion: Add bounds check in mptctl_hp_targetinfo()
    - scsi: qla2xxx: Avoid triggering undefined behavior in
      qla2x00_mbx_completion()
    - ARC: Fix malformed ARC_EMUL_UNALIGNED default
    - usb: gadget: f_uac2: fix bFirstInterface in composite gadget
    - usb: gadget: fsl_udc_core: fix ep valid checks
    - usb: dwc2: Fix dwc2_hsotg_core_init_disconnected()
    - selftests: memfd: add config fragment for fuse
    - scsi: storvsc: Increase cmd_per_lun for higher speed devices
    - scsi: aacraid: fix shutdown crash when init fails
    - scsi: qla4xxx: skip error recovery in case of register disconnect.
    - ARM: OMAP2+: timer: fix a kmemleak caused in omap_get_timer_dt
    - ARM: OMAP3: Fix prm wake interrupt for resume
    - ARM: OMAP1: clock: Fix debugfs_create_*() usage
    - NFC: llcp: Limit size of SDP URI
    - mac80211: round IEEE80211_TX_STATUS_HEADROOM up to multiple of 4
    - md raid10: fix NULL deference in handle_write_completed()
    - drm/exynos: fix comparison to bitshift when dealing with a mask
    - usb: musb: fix enumeration after resume
    - locking/xchg/alpha: Add unconditional memory barrier to cmpxchg()
    - md: raid5: avoid string overflow warning
    - kernel/relay.c: limit kmalloc size to KMALLOC_MAX_SIZE
    - powerpc/bpf/jit: Fix 32-bit JIT for seccomp_data access
    - s390/cio: fix return code after missing interrupt
    - s390/cio: clear timer when terminating driver I/O
    - ARM: OMAP: Fix dmtimer init for omap1
    - smsc75xx: fix smsc75xx_set_features()
    - regulatory: add NUL to request alpha2
    - locking/xchg/alpha: Fix xchg() and cmpxchg() memory ordering bugs
    - x86/topology: Update the 'cpu cores' field in /proc/cpuinfo correctly across
      CPU hotplug operations
    - media: dmxdev: fix error code for invalid ioctls
    - md/raid1: fix NULL pointer dereference
    - batman-adv: fix packet checksum in receive path
    - batman-adv: invalidate checksum on fragment reassembly
    - netfilter: ebtables: convert BUG_ONs to WARN_ONs
    - nvme-pci: Fix nvme queue cleanup if IRQ setup fails
    - clocksource/drivers/fsl_ftm_timer: Fix error return checking
    - r8152: fix tx packets accounting
    - virtio-gpu: fix ioctl and expose the fixed status to userspace.
    - dmaengine: rcar-dmac: fix max_chunk_size for R-Car Gen3
    - bcache: fix kcrashes with fio in RAID5 backend dev
    - sit: fix IFLA_MTU ignored on NEWLINK
    - gianfar: Fix Rx byte accounting for ndev stats
    - net/tcp/illinois: replace broken algorithm reference link
    - xen/pirq: fix error path cleanup when binding MSIs
    - Btrfs: send, fix issuing write op when processing hole in no data mode
    - selftests/powerpc: Skip the subpage_prot tests if the syscall is unavailable
    - KVM: PPC: Book3S HV: Fix VRMA initialization with 2MB or 1GB memory backing
    - watchdog: f71808e_wdt: Fix magic close handling
    - e1000e: Fix check_for_link return value with autoneg off
    - e1000e: allocate ring descriptors with dma_zalloc_coherent
    - usb: musb: call pm_runtime_{get,put}_sync before reading vbus registers
    - scsi: mpt3sas: Do not mark fw_event workqueue as WQ_MEM_RECLAIM
    - scsi: sd: Keep disk read-only when re-reading partition
    - fbdev: Fixing arbitrary kernel leak in case FBIOGETCMAP_SPARC in
      sbusfb_ioctl_helper().
    - xen: xenbus: use put_device() instead of kfree()
    - USB: OHCI: Fix NULL dereference in HCDs using HCD_LOCAL_MEM
    - netfilter: ebtables: fix erroneous reject of last rule
    - bnxt_en: Check valid VNIC ID in bnxt_hwrm_vnic_set_tpa().
    - workqueue: use put_device() instead of kfree()
    - ipv4: lock mtu in fnhe when received PMTU < net.ipv4.route.min_pmtu
    - sunvnet: does not support GSO for sctp
    - net: Fix vlan untag for bridge and vlan_dev with reorder_hdr off
    - batman-adv: fix header size check in batadv_dbg_arp()
    - vti4: Don't count header length twice on tunnel setup
    - vti4: Don't override MTU passed on link creation via IFLA_MTU
    - perf/cgroup: Fix child event counting bug
    - RDMA/ucma: Correct option size check using optlen
    - mm/mempolicy.c: avoid use uninitialized preferred_node
    - selftests: ftrace: Add probe event argument syntax testcase
    - selftests: ftrace: Add a testcase for string type with kprobe_event
    - selftests: ftrace: Add a testcase for probepoint
    - batman-adv: fix multicast-via-unicast transmission with AP isolation
    - batman-adv: fix packet loss for broadcasted DHCP packets to a server
    - ARM: 8748/1: mm: Define vdso_start, vdso_end as array
    - net: qmi_wwan: add BroadMobi BM806U 2020:2033
    - net/usb/qmi_wwan.c: Add USB id for lt4120 modem
    - net-usb: add qmi_wwan if on lte modem wistron neweb d18q1
    - llc: properly handle dev_queue_xmit() return value
    - mm/kmemleak.c: wait for scan completion before disabling free
    - net: Fix untag for vlan packets without ethernet header
    - net: mvneta: fix enable of all initialized RXQs
    - sh: fix debug trap failure to process signals before return to user
    - x86/pgtable: Don't set huge PUD/PMD on non-leaf entries
    - fs/proc/proc_sysctl.c: fix potential page fault while unregistering sysctl
      table
    - swap: divide-by-zero when zero length swap file on ssd
    - sr: get/drop reference to device in revalidate and check_events
    - Force log to disk before reading the AGF during a fstrim
    - cpufreq: CPPC: Initialize shared perf capabilities of CPUs
    - scsi: aacraid: Insure command thread is not recursively stopped
    - dp83640: Ensure against premature access to PHY registers after reset
    - mm/ksm: fix interaction with THP
    - mm: fix races between address_space dereference and free in page_evicatable
    - Btrfs: bail out on error during replay_dir_deletes
    - Btrfs: fix NULL pointer dereference in log_dir_items
    - btrfs: Fix possible softlock on single core machines
    - ocfs2/dlm: don't handle migrate lockres if already in shutdown
    - sched/rt: Fix rq->clock_update_flags < RQCF_ACT_SKIP warning
    - KVM: VMX: raise internal error for exception during invalid protected mode
      state
    - fscache: Fix hanging wait on page discarded by writeback
    - sparc64: Make atomic_xchg() an inline function rather than a macro.
    - rtc: snvs: Fix usage of snvs_rtc_enable
    - net: bgmac: Fix endian access in bgmac_dma_tx_ring_free()
    - Bluetooth: btusb: Add USB ID 7392:a611 for Edimax EW-7611ULB
    - btrfs: tests/qgroup: Fix wrong tree backref level
    - Btrfs: fix copy_items() return value when logging an inode
    - btrfs: fix lockdep splat in btrfs_alloc_subvolume_writers
    - xen/acpi: off by one in read_acpi_id()
    - ACPI: acpi_pad: Fix memory leak in power saving threads
    - powerpc/mpic: Check if cpu_possible() in mpic_physmask()
    - m68k: set dma and coherent masks for platform FEC ethernets
    - parisc/pci: Switch LBA PCI bus from Hard Fail to Soft Fail mode
    - hwmon: (nct6775) Fix writing pwmX_mode
    - rtc: hctosys: Ensure system time doesn't overflow time_t
    - powerpc/perf: Prevent kernel address leak to userspace via BHRB buffer
    - powerpc/perf: Fix kernel address leak via sampling registers
    - tools/thermal: tmon: fix for segfault
    - selftests: Print the test we're running to /dev/kmsg
    - net/mlx5: Protect from command bit overflow
    - ath10k: Fix kernel panic while using worker (ath10k_sta_rc_update_wk)
    - ima: Fix Kconfig to select TPM 2.0 CRB interface
    - [Config] CONFIG_TCG_CRB=y
    - ima: Fallback to the builtin hash algorithm
    - arm: dts: socfpga: fix GIC PPI warning
    - usb: dwc3: Update DWC_usb31 GTXFIFOSIZ reg fields
    - cpufreq: cppc_cpufreq: Fix cppc_cpufreq_init() failure path
    - clk: Don't show the incorrect clock phase
    - zorro: Set up z->dev.dma_mask for the DMA API
    - bcache: quit dc->writeback_thread when BCACHE_DEV_DETACHING is set
    - ACPICA: Events: add a return on failure from acpi_hw_register_read
    - ACPICA: acpi: acpica: fix acpi operand cache leak in nseval.c
    - i2c: mv64xxx: Apply errata delay only in standard mode
    - KVM: lapic: stop advertising DIRECTED_EOI when in-kernel IOAPIC is in use
    - xhci: zero usb device slot_id member when disabling and freeing a xhci slot
    - MIPS: ath79: Fix AR724X_PLL_REG_PCIE_CONFIG offset
    - PCI: Restore config space on runtime resume despite being unbound
    - ipmi_ssif: Fix kernel panic at msg_done_handler
    - usb: dwc2: Fix interval type issue
    - usb: gadget: ffs: Let setup() return USB_GADGET_DELAYED_STATUS
    - usb: gadget: ffs: Execute copy_to_user() with USER_DS set
    - powerpc: Add missing prototype for arch_irq_work_raise()
    - ASoC: topology: create TLV data for dapm widgets
    - perf/core: Fix perf_output_read_group()
    - hwmon: (pmbus/max8688) Accept negative page register values
    - hwmon: (pmbus/adm1275) Accept negative page register values
    - cdrom: do not call check_disk_change() inside cdrom_open()
    - gfs2: Fix fallocate chunk size
    - usb: gadget: udc: change comparison to bitshift when dealing with a mask
    - usb: gadget: composite: fix incorrect handling of OS desc requests
    - x86/devicetree: Initialize device tree before using it
    - x86/devicetree: Fix device IRQ settings in DT
    - ALSA: vmaster: Propagate slave error
    - media: cx23885: Override 888 ImpactVCBe crystal frequency
    - media: cx23885: Set subdev host data to clk_freq pointer
    - media: s3c-camif: fix out-of-bounds array access
    - dmaengine: pl330: fix a race condition in case of threaded irqs
    - media: em28xx: USB bulk packet size fix
    - clk: rockchip: Prevent calculating mmc phase if clock rate is zero
    - enic: enable rq before updating rq descriptors
    - hwrng: stm32 - add reset during probe
    - staging: rtl8192u: return -ENOMEM on failed allocation of priv->oldaddr
    - rtc: tx4939: avoid unintended sign extension on a 24 bit shift
    - serial: xuartps: Fix out-of-bounds access through DT alias
    - serial: samsung: Fix out-of-bounds access through serial port index
    - serial: mxs-auart: Fix out-of-bounds access through serial port index
    - serial: imx: Fix out-of-bounds access through serial port index
    - serial: fsl_lpuart: Fix out-of-bounds access through DT alias
    - serial: arc_uart: Fix out-of-bounds access through DT alias
    - PCI: Add function 1 DMA alias quirk for Marvell 88SE9220
    - udf: Provide saner default for invalid uid / gid
    - media: cx25821: prevent out-of-bounds read on array card
    - clk: samsung: s3c2410: Fix PLL rates
    - clk: samsung: exynos5260: Fix PLL rates
    - clk: samsung: exynos5433: Fix PLL rates
    - clk: samsung: exynos5250: Fix PLL rates
    - clk: samsung: exynos3250: Fix PLL rates
    - crypto: sunxi-ss - Add MODULE_ALIAS to sun4i-ss
    - audit: return on memory error to avoid null pointer dereference
    - MIPS: Octeon: Fix logging messages with spurious periods after newlines
    - drm/rockchip: Respect page offset for PRIME mmap calls
    - x86/apic: Set up through-local-APIC mode on the boot CPU if 'noapic'
      specified
    - perf tests: Use arch__compare_symbol_names to compare symbols
    - perf report: Fix memory corruption in --branch-history mode --branch-history
    - selftests/net: fixes psock_fanout eBPF test case
    - netlabel: If PF_INET6, check sk_buff ip header version
    - scsi: lpfc: Fix issue_lip if link is disabled
    - scsi: lpfc: Fix soft lockup in lpfc worker thread during LIP testing
    - scsi: lpfc: Fix frequency of Release WQE CQEs
    - regulator: of: Add a missing 'of_node_put()' in an error handling path of
      'of_regulator_match()'
    - ASoC: samsung: i2s: Ensure the RCLK rate is properly determined
    - Bluetooth: btusb: Add device ID for RTL8822BE
    - kdb: make "mdr" command repeat
    - s390/ftrace: use expoline for indirect branches
    - Linux 4.4.134

* Support SocketCAN over USB on Dell IoT 300x Gateways (LP: #1774563)
    - [Config] CONFIG_CAN_HMS_USB=m
    - SAUCE: (no-up) Support IXXAT USB SocketCAN device
    - i386/amd64 -- Add new module ixx_usb

* Ubuntu 16.04 (4.4.0-127) hangs on boot with virtio-scsi MQ enabled
    (LP: #1775235)
    - SAUCE: (no-up) virtio-scsi: Increment reqs counter.

* register on binfmt_misc may overflow and crash the system (LP: #1775856)
    - fs/binfmt_misc.c: do not allow offset overflow

* The kernel NULL pointer dereference happens when accessing the task_struct
    by task_cpu() in function cpuacct_charge() (LP: #1775326)
    - sched/cpuacct: Simplify the cpuacct code

* Xenial update to 4.4.133 stable release (LP: #1775477)
    - 8139too: Use disable_irq_nosync() in rtl8139_poll_controller()
    - bridge: check iface upper dev when setting master via ioctl
    - dccp: fix tasklet usage
    - ipv4: fix memory leaks in udp_sendmsg, ping_v4_sendmsg
    - llc: better deal with too small mtu
    - net: ethernet: sun: niu set correct packet size in skb
    - net/mlx4_en: Verify coalescing parameters are in range
    - net_sched: fq: take care of throttled flows before reuse
    - net: support compat 64-bit time in {s,g}etsockopt
    - openvswitch: Don't swap table in nlattr_set() after OVS_ATTR_NESTED is found
    - qmi_wwan: do not steal interfaces from class drivers
    - r8169: fix powering up RTL8168h
    - sctp: handle two v4 addrs comparison in sctp_inet6_cmp_addr
    - sctp: use the old asoc when making the cookie-ack chunk in dupcook_d
    - tg3: Fix vunmap() BUG_ON() triggered from tg3_free_consistent().
    - bonding: do not allow rlb updates to invalid mac
    - tcp: ignore Fast Open on repair mode
    - sctp: fix the issue that the cookie-ack with auth can't get processed
    - sctp: delay the authentication for the duplicated cookie-echo chunk
    - ALSA: timer: Call notifier in the same spinlock
    - audit: move calcs after alloc and check when logging set loginuid
    - arm64: introduce mov_q macro to move a constant into a 64-bit register
    - [Config] Add CONFIG_ARM64_ERRATUM_1024718=y
    - arm64: Add work around for Arm Cortex-A55 Erratum 1024718
    - futex: Remove unnecessary warning from get_futex_key
    - futex: Remove duplicated code and fix undefined behaviour
    - xfrm: fix xfrm_do_migrate() with AEAD e.g(AES-GCM)
    - lockd: lost rollback of set_grace_period() in lockd_down_net()
    - Revert "ARM: dts: imx6qdl-wandboard: Fix audio channel swap"
    - l2tp: revert "l2tp: fix missing print session offset info"
    - pipe: cap initial pipe capacity according to pipe-max-size limit
    - futex: futex_wake_op, fix sign_extend32 sign bits
    - kernel/exit.c: avoid undefined behaviour when calling wait4()
    - usbip: usbip_host: refine probe and disconnect debug msgs to be useful
    - usbip: usbip_host: delete device from busid_table after rebind
    - usbip: usbip_host: run rebind from exit when module is removed
    - usbip: usbip_host: fix NULL-ptr deref and use-after-free errors
    - usbip: usbip_host: fix bad unlock balance during stub_probe()
    - ALSA: usb: mixer: volume quirk for CM102-A+/102S+
    - ALSA: hda: Add Lenovo C50 All in one to the power_save blacklist
    - ALSA: control: fix a redundant-copy issue
    - spi: pxa2xx: Allow 64-bit DMA
    - powerpc/powernv: panic() on OPAL < V3
    - powerpc/powernv: Remove OPALv2 firmware define and references
    - powerpc/powernv: remove FW_FEATURE_OPALv3 and just use FW_FEATURE_OPAL
    - cpuidle: coupled: remove unused define cpuidle_coupled_lock
    - powerpc: Don't preempt_disable() in show_cpuinfo()
    - vmscan: do not force-scan file lru if its absolute size is small
    - mm: filemap: remove redundant code in do_read_cache_page
    - mm: filemap: avoid unnecessary calls to lock_page when waiting for IO to
      complete during a read
    - signals: avoid unnecessary taking of sighand->siglock
    - tracing/x86/xen: Remove zero data size trace events
      trace_xen_mmu_flush_tlb{_all}
    - proc read mm's {arg,env}_{start,end} with mmap semaphore taken.
    - powerpc/powernv: Fix NVRAM sleep in invalid context when crashing
    - mm: don't allow deferred pages with NEED_PER_CPU_KM
    - s390/qdio: fix access to uninitialized qdio_q fields
    - s390/qdio: don't release memory in qdio_setup_irq()
    - s390: remove indirect branch from do_softirq_own_stack
    - efi: Avoid potential crashes, fix the 'struct efi_pci_io_protocol_32'
      definition for mixed mode
    - ARM: 8771/1: kprobes: Prohibit kprobes on do_undefinstr
    - tick/broadcast: Use for_each_cpu() specially on UP kernels
    - ARM: 8769/1: kprobes: Fix to use get_kprobe_ctlblk after irq-disabed
    - ARM: 8770/1: kprobes: Prohibit probing on optimized_callback
    - ARM: 8772/1: kprobes: Prohibit kprobes on get_user functions
    - Btrfs: fix xattr loss after power failure
    - btrfs: fix crash when trying to resume balance without the resume flag
    - btrfs: fix reading stale metadata blocks after degraded raid1 mounts
    - net: test tailroom before appending to linear skb
    - packet: in packet_snd start writing at link layer allocation
    - sock_diag: fix use-after-free read in __sk_free
    - tcp: purge write queue in tcp_connect_init()
    - ext2: fix a block leak
    - s390: add assembler macros for CPU alternatives
    - s390: move expoline assembler macros to a header
    - s390/lib: use expoline for indirect branches
    - s390/kernel: use expoline for indirect branches
    - s390: move spectre sysfs attribute code
    - s390: extend expoline to BC instructions
    - s390: use expoline thunks in the BPF JIT
    - scsi: libsas: defer ata device eh commands to libata
    - scsi: sg: allocate with __GFP_ZERO in sg_build_indirect()
    - scsi: zfcp: fix infinite iteration on ERP ready list
    - dmaengine: ensure dmaengine helpers check valid callback
    - time: Fix CLOCK_MONOTONIC_RAW sub-nanosecond accounting
    - gpio: rcar: Add Runtime PM handling for interrupts
    - cfg80211: limit wiphy names to 128 bytes
    - hfsplus: stop workqueue when fill_super() failed
    - x86/kexec: Avoid double free_page() upon do_kexec_load() failure
    - Linux 4.4.133

* vmxnet3: update to latest ToT (LP: #1768143)
    - vmxnet3: avoid xmit reset due to a race in vmxnet3
    - vmxnet3: use correct flag to indicate LRO feature
    - vmxnet3: fix incorrect dereference when rxvlan is disabled

* Prevent speculation on user controlled pointer (LP: #1775137)
    - x86: reorganize SMAP handling in user space accesses
    - x86: fix SMAP in 32-bit environments
    - x86: Introduce __uaccess_begin_nospec() and uaccess_try_nospec
    - x86/usercopy: Replace open coded stac/clac with __uaccess_{begin, end}
    - x86/uaccess: Use __uaccess_begin_nospec() and uaccess_try_nospec

* Xenial update to 4.4.132 stable release (LP: #1774173)
    - perf/core: Fix the perf_cpu_time_max_percent check
    - bpf: map_get_next_key to return first key on NULL
    - percpu: include linux/sched.h for cond_resched()
    - mac80211: allow not sending MIC up from driver for HW crypto
    - mac80211: allow same PN for AMSDU sub-frames
    - mac80211: Add RX flag to indicate ICV stripped
    - ath10k: fix rfc1042 header retrieval in QCA4019 with eth decap mode
    - ath10k: rebuild crypto header in rx data frames
    - gpmi-nand: Handle ECC Errors in erased pages
    - USB: serial: option: Add support for Quectel EP06
    - ALSA: pcm: Check PCM state at xfern compat ioctl
    - ALSA: seq: Fix races at MIDI encoding in snd_virmidi_output_trigger()
    - ALSA: aloop: Mark paused device as inactive
    - ALSA: aloop: Add missing cable lock to ctl API callbacks
    - tracepoint: Do not warn on ENOMEM
    - Input: leds - fix out of bound access
    - Input: atmel_mxt_ts - add touchpad button mapping for Samsung Chromebook Pro
    - xfs: prevent creating negative-sized file via INSERT_RANGE
    - RDMA/ucma: Allow resolving address w/o specifying source address
    - RDMA/mlx5: Protect from shift operand overflow
    - NET: usb: qmi_wwan: add support for ublox R410M PID 0x90b2
    - IB/mlx5: Use unlimited rate when static rate is not supported
    - drm/vmwgfx: Fix a buffer object leak
    - test_firmware: fix setting old custom fw path back on exit, second try
    - USB: serial: visor: handle potential invalid device configuration
    - USB: Accept bulk endpoints with 1024-byte maxpacket
    - USB: serial: option: reimplement interface masking
    - USB: serial: option: adding support for ublox R410M
    - usb: musb: host: fix potential NULL pointer dereference
    - ipvs: fix rtnl_lock lockups caused by start_sync_thread
    - crypto: af_alg - fix possible uninit-value in alg_bind()
    - netlink: fix uninit-value in netlink_sendmsg
    - net: fix rtnh_ok()
    - net: initialize skb->peeked when cloning
    - net: fix uninit-value in __hw_addr_add_ex()
    - dccp: initialize ireq->ir_mark
    - soreuseport: initialise timewait reuseport field
    - perf: Remove superfluous allocation error check
    - tcp: fix TCP_REPAIR_QUEUE bound checking
    - bdi: Fix oops in wb_workfn()
    - f2fs: fix a dead loop in f2fs_fiemap()
    - xfrm_user: fix return value from xfrm_user_rcv_msg
    - rfkill: gpio: fix memory leak in probe error path
    - libata: Apply NOLPM quirk for SanDisk SD7UB3Q*G1001 SSDs
    - tracing: Fix regex_match_front() to not over compare the test string
    - can: kvaser_usb: Increase correct stats counter in kvaser_usb_rx_can_msg()
    - net: atm: Fix potential Spectre v1
    - atm: zatm: Fix potential Spectre v1
    - Revert "Bluetooth: btusb: Fix quirk for Atheros 1525/QCA6174"
    - tracing/uprobe_event: Fix strncpy corner case
    - perf/x86: Fix possible Spectre-v1 indexing for hw_perf_event cache_*
    - perf/x86/cstate: Fix possible Spectre-v1 indexing for pkg_msr
    - perf/x86/msr: Fix possible Spectre-v1 indexing in the MSR driver
    - perf/core: Fix possible Spectre-v1 indexing for ->aux_pages[]
    - perf/x86: Fix possible Spectre-v1 indexing for x86_pmu::event_map()
    - Linux 4.4.132

* Update to upstream's implementation of Spectre v1 mitigation (LP: #1774181)
    - Documentation: Document array_index_nospec
    - array_index_nospec: Sanitize speculative array de-references
    - x86: Implement array_index_mask_nospec
    - x86: Introduce barrier_nospec
    - x86/get_user: Use pointer masking to limit speculation
    - x86/syscall: Sanitize syscall table de-references under speculation
    - vfs, fdtable: Prevent bounds-check bypass via speculative execution
    - nl80211: Sanitize array index in parse_txq_params
    - x86/spectre: Report get_user mitigation for spectre_v1
    - x86/kvm: Update spectre-v1 mitigation
    - nospec: Allow index argument to have const-qualified type
    - x86/syscall: Sanitize syscall table de-references under speculation fix
    - mpls, nospec: Sanitize array index in mpls_label_ok()
    - nospec: Include <asm/barrier.h> dependency
    - nospec: Move array_index_nospec() parameter checking into separate macro
    - nospec: Kill array_index_nospec_mask_check()
    - ALSA: seq: oss: Hardening for potential Spectre v1
    - ALSA: hda: Hardening for potential Spectre v1
    - SAUCE: Replace osb() calls with array_index_nospec()
    - SAUCE: Rename osb() to barrier_nospec()
    - SAUCE: bpf: Use barrier_nospec() instead of osb()

* CVE-2018-3639 (x86)
    - KVM: x86: remove magic number with enum cpuid_leafs
    - SAUCE: x86/cpufeatures: Move CPUID_7_EDX CPUID bits to word 18
    - SAUCE: x86: Remove double include
    - SAUCE: x86/pti: Evaluate X86_BUG_CPU_MELTDOWN when pti=auto
    - SAUCE: x86/speculation: Query individual feature flags when reloading
      microcode

* cpum_sf: ensure sample freq is non-zero (LP: #1772593)
    - s390/cpum_sf: ensure sample frequency of perf event attributes is non-zero

* ELANPAD ELAN0612 does not work, patch available (LP: #1773509)
    - SAUCE: Input: elan_i2c - add ELAN0612 to the ACPI table

* FS-Cache: Assertion failed: FS-Cache: 6 == 5 is false (LP: #1774336)
    - SAUCE: CacheFiles: fix a read_waiter/read_copier race

* Kernel 4.4 NBD size overflow with image size exceeding 1TB (LP: #1772575)
    - nbd: use loff_t for blocksize and nbd_set_size args
    - nbd: fix 64-bit division

* 4.4.0-127.153 generates many "sit: non-ECT" messages (LP: #1772775)
    - Revert "sit: reload iphdr in ipip6_rcv"

* Creation of IMA file hashes fails when appraisal is enabled (LP: #1771826)
    - Revert "ima: limit file hash setting by user to fix and log modes"

* Setting ipv6.disable=1 prevents both IPv4 and IPv6 socket opening for VXLAN
    tunnels (LP: #1771301)
    - vxlan: correctly handle ipv6.disable module parameter

* CVE-2018-7755
    - SAUCE: floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl

* Support UVC1.5 Camera for Xenial (LP: #1773905)
    - uvcvideo: Enable UVC 1.5 device detection

* Kernel produces empty lines in /proc/PID/status (LP: #1772671)
    - SAUCE: seccomp: Remove double newline sequence in /proc/PID/status

* rfi-flush: Switch to new linear fallback flush (LP: #1744173)
    - powerpc/64s: Improve RFI L1-D cache flush fallback
    - SAUCE: rfi-flush: Make it possible to call setup_rfi_flush() again

-- Stefan Bader <stefan.bader@canonical.com>  Thu, 14 Jun 2018 06:53:41 +0200

Changed in linux (Ubuntu Xenial):
status:	Fix Committed → Fix Released

Guilherme G. Piccoli (gpiccoli) on 2020-07-15

Changed in linux (Ubuntu):
status:	Incomplete → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntulinux package

The kernel NULL pointer dereference happens when accessing the task_struct by task_cpu() in function cpuacct_charge()

Bug Description

CVE References

Other bug subscribers

Remote bug watches

Ubuntu
linux package