apparmor reference leak causes refcount_t overflow with af_alg_accept()

Bug #1883962 reported by Mauricio Faria de Oliveira on 2020-06-17
12
This bug affects 2 people
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Medium
Mauricio Faria de Oliveira
Bionic
Medium
Mauricio Faria de Oliveira
Eoan
Medium
Mauricio Faria de Oliveira
Focal
Medium
Mauricio Faria de Oliveira
Groovy
Undecided
Unassigned

Bug Description

[Impact]

 * Users of the Crypto (user-space) API (i.e., AF_ALG)
   can trigger refcount errors in AppArmor under high
   load (might lead to memory leak or use after free.)

 * There is a reference leak in AppArmor when af_alg_accept()
   calls security_sock_graft() and then security_sk_clone().

 * Both acquire a reference to a label, to assign it to the
   same pointer, but the latter does not release the former's
   acquired reference (before overwriting the pointer value.)

 * This reference leak builds up over time, and under high
   load can eventually overflow/underflow/saturate refcount,
   depending on which value it has when a program hits that.

 * The fix just checks if the pointer has an assigned label,
   then releases its acquired reference.

[Test Case]

 * See comment #1 for the test-case 'aa-refcnt-af_alg.c'.

 * Exercise that code path indefinitely until it hits
   the refcount_t overflow/underflow/saturate message
   (or not, with the patch.) (see comment #4)

 * It's possible to monitor refcount values with kprobes,
   to confirm whether or not the problem is happening.
   (see comments #2 and #3)

[Other Info]

 * Patch applied upstream on v5.8-rc1 [1]
 * Applied on Unstable (tag Ubuntu-5.8-5.8.0-0.1)
 * Not required on Groovy (still 5.4; should sync from Unstable)
 * Not required on Eoan (EOL date before SRU cycle release date)
 * Required on Bionic and Focal.

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=3b646abc5bc6c0df649daea4c2c976bd4d47e4c8

Changed in linux (Ubuntu):
importance: Undecided → Medium
assignee: nobody → Mauricio Faria de Oliveira (mfo)
Changed in linux (Ubuntu Groovy):
status: New → Won't Fix
Changed in linux (Ubuntu Eoan):
status: New → Won't Fix
Changed in linux (Ubuntu Bionic):
status: New → In Progress
Changed in linux (Ubuntu Focal):
status: New → In Progress
Changed in linux (Ubuntu Groovy):
importance: Medium → Undecided
assignee: Mauricio Faria de Oliveira (mfo) → nobody
Changed in linux (Ubuntu Focal):
importance: Undecided → Medium
assignee: nobody → Mauricio Faria de Oliveira (mfo)
Changed in linux (Ubuntu Bionic):
importance: Undecided → Medium
assignee: nobody → Mauricio Faria de Oliveira (mfo)
Changed in linux (Ubuntu):
status: New → Fix Committed

Test Case:
---------

$ cat aa-refcnt-af_alg.c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/if_alg.h>

int main() {
    int sockfd;
    struct sockaddr_alg sa;

    /* Setup the crypto API socket */
    sockfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
    if (sockfd < 0) {
            perror("socket");
            return 1;
    }

    memset(&sa, 0, sizeof(sa));
    sa.salg_family = AF_ALG;
    strcpy((char *) sa.salg_type, "rng");
    strcpy((char *) sa.salg_name, "stdrng");

    if (bind(sockfd, (struct sockaddr *) &sa, sizeof(sa)) < 0) {
            perror("bind");
            return 1;
    }

    /* Accept a "connection" and close it; repeat. */
    while (!close(accept(sockfd, NULL, 0)));

    return 0;
}

$ gcc -o aa-refcnt-af_alg aa-refcnt-af_alg.c

$ ./aa-refcnt-af_alg
<a few hours later>

[ 9928.475953] refcount_t overflow at apparmor_sk_clone_security+0x37/0x70 in aa-refcnt-af_alg[1322], uid/euid: 1000/1000
...
[ 9928.507443] RIP: 0010:apparmor_sk_clone_security+0x37/0x70
...
[ 9928.514286] security_sk_clone+0x33/0x50
[ 9928.514807] af_alg_accept+0x81/0x1c0 [af_alg]
[ 9928.516091] alg_accept+0x15/0x20 [af_alg]
[ 9928.516682] SYSC_accept4+0xff/0x210
[ 9928.519609] SyS_accept+0x10/0x20
[ 9928.520190] do_syscall_64+0x73/0x130
[ 9928.520808] entry_SYSCALL_64_after_hwframe+0x3d/0xa2

Note that other messages may be seen, not just overflow, depending on
the value being incremented by kref_get(); on another run:

[ 7273.182666] refcount_t: saturated; leaking memory.
...
[ 7273.185789] refcount_t: underflow; use-after-free.

description: updated

kprobes module to monitor the apparmor label reference count.

Download full text (3.3 KiB)

Monitoring the label reference count with the kprobes module:

- original kernel: the counter keeps increasing on every pair of accept()/release() syscalls.
- modified kernel: the counter keeps stable.

Focal:
-----

original)

$ uname -rv
5.4.0-38-generic #42-Ubuntu SMP Mon Jun 8 14:14:24 UTC 2020

$ ./aa-refcnt-af_alg &
$ sudo insmod kmod.ko
...
[ 4739.811403] accept() :: comm = aa-refcnt-af_al, pid = 1023, sk->sk_security->label->count = 0x40b395e0
[ 4739.813677] release() :: comm = aa-refcnt-af_al, pid = 1023, sk->sk_security->label->count = 0x40b395e2
[ 4739.815994] accept() :: comm = aa-refcnt-af_al, pid = 1023, sk->sk_security->label->count = 0x40b395e1
[ 4739.818274] release() :: comm = aa-refcnt-af_al, pid = 1023, sk->sk_security->label->count = 0x40b395e3
[ 4739.820555] accept() :: comm = aa-refcnt-af_al, pid = 1023, sk->sk_security->label->count = 0x40b395e2
[ 4739.822833] release() :: comm = aa-refcnt-af_al, pid = 1023, sk->sk_security->label->count = 0x40b395e4
...
$ sudo rmmod kmod

modified)

$ uname -rv
5.4.0-38-generic #42+test20200617b1 SMP Wed Jun 17 16:31:24 -03 2020

$ ./aa-refcnt-af_alg &
$ sudo insmod kmod.ko
...
[ 185.657133] accept() :: comm = aa-refcnt-af_al, pid = 1098, sk->sk_security->label->count = 0x649
[ 185.660720] release() :: comm = aa-refcnt-af_al, pid = 1098, sk->sk_security->label->count = 0x64a
[ 185.664321] accept() :: comm = aa-refcnt-af_al, pid = 1098, sk->sk_security->label->count = 0x649
[ 185.668981] release() :: comm = aa-refcnt-af_al, pid = 1098, sk->sk_security->label->count = 0x64a
[ 185.672648] accept() :: comm = aa-refcnt-af_al, pid = 1098, sk->sk_security->label->count = 0x629
[ 185.676299] release() :: comm = aa-refcnt-af_al, pid = 1098, sk->sk_security->label->count = 0x62a
...
$ sudo rmmod kmod

Bionic:
------

original)

$ uname -rv
4.15.0-107-generic #108-Ubuntu SMP Mon Jun 8 17:51:33 UTC 2020

$ ./aa-refcnt-af_alg &
$ sudo insmod kmod.ko
...
[ 4333.136581] accept() :: comm = aa-refcnt-af_al, pid = 1243, sk->sk_security->label->count = 0x449b9e85
[ 4333.139131] release() :: comm = aa-refcnt-af_al, pid = 1243, sk->sk_security->label->count = 0x449b9e87
[ 4333.141650] accept() :: comm = aa-refcnt-af_al, pid = 1243, sk->sk_security->label->count = 0x449b9e86
[ 4333.144142] release() :: comm = aa-refcnt-af_al, pid = 1243, sk->sk_security->label->count = 0x449b9e88
[ 4333.146675] accept() :: comm = aa-refcnt-af_al, pid = 1243, sk->sk_security->label->count = 0x449b9e87
[ 4333.149199] release() :: comm = aa-refcnt-af_al, pid = 1243, sk->sk_security->label->count = 0x449b9e89
...
$ sudo rmmod kmod

modified)

$ uname -rv
4.15.0-107-generic #108+test20200617b1 SMP Wed Jun 17 16:33:16 -03 2020

$ ./aa-refcnt-af_alg &
$ sudo insmod kmod.ko
...
[ 245.921217] accept() :: comm = aa-refcnt-af_al, pid = 1165, sk->sk_security->label->count = 0x608
[ 245.923456] release() :: comm = aa-refcnt-af_al, pid = 1165, sk->sk_security->label->count = 0x609
[ 245.925718] accept() :: comm = aa-refcnt-af_al, pid = 1165, sk->sk_security->label->count = 0x608
[ 245.927954] release() :: comm = aa-refcnt-af_al, pid = 1165, sk->sk_security->label->count = 0x609
[ 245.930221] accept() :: comm = aa-refcnt-af_...

Read more...

Download full text (3.4 KiB)

After a few hours with the reproducer running on the original kernel,
the kernel errors about the reference count are observed:

Focal:
-----

$ uname -rv
5.4.0-38-generic #42-Ubuntu SMP Mon Jun 8 14:14:24 UTC 2020

$ ./aa-refcnt-af_alg
<a few hours later>

[ 9581.048189] ------------[ cut here ]------------
[ 9581.049497] refcount_t overflow at apparmor_sk_clone_security+0x35/0x70 in aa-refcnt-af_al[1023], uid/euid: 1000/1000
[ 9581.052125] WARNING: CPU: 1 PID: 1023 at kernel/panic.c:677 refcount_error_report+0x9b/0xab
[ 9581.054428] Modules linked in: ...
[ 9581.063137] CPU: 1 PID: 1023 Comm: aa-refcnt-af_al Tainted: G OE 5.4.0-38-generic #42-Ubuntu
[ 9581.065494] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[ 9581.067693] RIP: 0010:refcount_error_report+0x9b/0xab
...
[ 9581.088358] Call Trace:
[ 9581.089083] ex_handler_refcount+0x50/0x70
[ 9581.090147] fixup_exception+0x4a/0x61
[ 9581.091142] do_trap+0x4e/0xf0
[ 9581.091998] do_error_trap+0x7c/0xc0
[ 9581.092958] ? csum_partial_copy_generic+0x1687/0x3a10
[ 9581.094250] do_invalid_op+0x3c/0x50
[ 9581.095210] ? csum_partial_copy_generic+0x1687/0x3a10
[ 9581.096505] invalid_op+0x1e/0x30
[ 9581.097413] RIP: 0010:apparmor_sk_clone_security+0x35/0x70
...
[ 9581.113048] security_sk_clone+0x2f/0x40
[ 9581.114078] af_alg_accept+0x7e/0x190 [af_alg]
[ 9581.115456] alg_accept+0x15/0x20 [af_alg]
[ 9581.116549] __sys_accept4+0x109/0x210
[ 9581.117549] ? _cond_resched+0x19/0x30
[ 9581.118545] __x64_sys_accept+0x1c/0x20
[ 9581.119573] do_syscall_64+0x57/0x190
[ 9581.120551] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 9581.121821] RIP: 0033:0x7efc1bc390a7
...

Bionic:
------

$ uname -rv
4.15.0-107-generic #108-Ubuntu SMP Mon Jun 8 17:51:33 UTC 2020

$ ./aa-refcnt-af_alg
<a few hours later>

[ 8460.359291] ------------[ cut here ]------------
[ 8460.360638] refcount_t overflow at apparmor_sk_clone_security+0x37/0x70 in aa-refcnt-af_al[1243], uid/euid: 1000/1000
[ 8460.363332] WARNING: CPU: 1 PID: 1243 at /build/linux-oHXYZI/linux-4.15.0/kernel/panic.c:662 refcount_error_report+0x9c/0xac
[ 8460.366556] Modules linked in: ...
[ 8460.375936] CPU: 1 PID: 1243 Comm: aa-refcnt-af_al Tainted: G OE 4.15.0-107-generic #108-Ubuntu
[ 8460.378352] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[ 8460.380598] RIP: 0010:refcount_error_report+0x9c/0xac
...
[ 8460.397294] Call Trace:
[ 8460.398331] ex_handler_refcount+0x52/0x80
[ 8460.399432] fixup_exception+0x3a/0x50
[ 8460.400462] do_trap+0x8a/0x140
[ 8460.401346] do_error_trap+0xa6/0x140
[ 8460.402355] ? csum_partial_copy_generic+0xcfb/0x27a0
[ 8460.403671] ? ___slab_alloc+0x204/0x4f0
[ 8460.404730] ? ___slab_alloc+0x204/0x4f0
[ 8460.405786] ? get_empty_filp+0x5c/0x1c0
[ 8460.406840] do_invalid_op+0x20/0x30
[ 8460.407830] invalid_op+0x1b/0x40
[ 8460.408755] RIP: 0010:apparmor_sk_clone_security+0x37/0x70
...
[ 8460.420262] security_sk_clone+0x33/0x50
[ 8460.421314] af_alg_accept+0x81/0x1c0 [af_alg]
[ 8460.422484] ? aa_sock_accept_perm+0x25/0x30
[ 8460.423623] alg_accept+0x15/0x20 [af_alg]
[ 8460.424725] SYSC_accept4+0xff/0x210
[ 84...

Read more...

description: updated
description: updated

[B][PATCH 0/1] Fix apparmor reference leak via AF_ALG
https://lists.ubuntu.com/archives/kernel-team/2020-June/111136.html

[B][PATCH 1/1] apparmor: check/put label on apparmor_sk_clone_security()
https://lists.ubuntu.com/archives/kernel-team/2020-June/111137.html

[F][PATCH 1/1] apparmor: check/put label on apparmor_sk_clone_security()
https://lists.ubuntu.com/archives/kernel-team/2020-June/111138.html

tags: added: sts
Changed in linux (Ubuntu Groovy):
status: Won't Fix → Invalid

It turns out that the 5.0 and 5.3 kernels should still be supported
on some custom kernels, thus sending the patch for Disco and Eoan.

[D/E][PATCH 0/1] Fix apparmor reference leak via AF_ALG
https://lists.ubuntu.com/archives/kernel-team/2020-June/111585.html

Changed in linux (Ubuntu Eoan):
status: Won't Fix → In Progress
importance: Undecided → Medium
assignee: nobody → Mauricio Faria de Oliveira (mfo)
Changed in linux (Ubuntu Eoan):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Bionic):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Focal):
status: In Progress → Fix Committed

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-eoan' to 'verification-done-eoan'. If the problem still exists, change the tag 'verification-needed-eoan' to 'verification-failed-eoan'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-eoan

Verification done on Eoan.
The apparmor label refcnt inc/dec-rements properly on accept()/release(), no leaks.

$ lsb_release -cs
eoan

$ uname -rv
5.3.0-63-generic #57-Ubuntu SMP Thu Jul 2 10:38:35 UTC 2020

$ apt-cache policy linux-image-$(uname -r)
linux-image-5.3.0-63-generic:
...
 *** 5.3.0-63.57 500
        500 http://archive.ubuntu.com/ubuntu eoan-proposed/main amd64 Packages
...

$ gcc -o aa-refcnt-af_alg aa-refcnt-af_alg.c
$ ./aa-refcnt-af_alg &

$ make
$ sudo insmod kmod.ko &

$ dmesg
...
[ 254.940413] accept() :: comm = aa-refcnt-af_al, pid = 1540, sk->sk_security->label->count = 0x6a4
[ 254.941665] release() :: comm = aa-refcnt-af_al, pid = 1540, sk->sk_security->label->count = 0x6a5
[ 254.942932] accept() :: comm = aa-refcnt-af_al, pid = 1540, sk->sk_security->label->count = 0x6a4
[ 254.944187] release() :: comm = aa-refcnt-af_al, pid = 1540, sk->sk_security->label->count = 0x6a5
[ 254.945484] accept() :: comm = aa-refcnt-af_al, pid = 1540, sk->sk_security->label->count = 0x6a4
[ 254.946741] release() :: comm = aa-refcnt-af_al, pid = 1540, sk->sk_security->label->count = 0x6a5
[ 254.948023] accept() :: comm = aa-refcnt-af_al, pid = 1540, sk->sk_security->label->count = 0x6a4
[ 254.949282] release() :: comm = aa-refcnt-af_al, pid = 1540, sk->sk_security->label->count = 0x6a5
[ 254.950572] accept() :: comm = aa-refcnt-af_al, pid = 1540, sk->sk_security->label->count = 0x6a4
[ 254.952526] release() :: comm = aa-refcnt-af_al, pid = 1540, sk->sk_security->label->count = 0x6a5
...

$ sudo rmmod kmod

tags: added: verification-done-eoan
removed: verification-needed-eoan

All autopkgtests for the newly accepted linux-hwe-5.0 (5.0.0-57.61~18.04.1) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

linux-hwe-5.0/5.0.0-57.61~18.04.1 (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#linux-hwe-5.0

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

All autopkgtests for the newly accepted linux-azure-5.3 (5.3.0-1034.35~18.04.1) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

zfs-linux/0.7.5-1ubuntu16.9 (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#linux-azure-5.3

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

All autopkgtests for the newly accepted linux-aws-5.3 (5.3.0-1032.34~18.04.1) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

zfs-linux/0.7.5-1ubuntu16.9 (arm64, amd64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#linux-aws-5.3

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

All autopkgtests for the newly accepted linux-gcp-5.3 (5.3.0-1032.34~18.04.1) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

zfs-linux/0.7.5-1ubuntu16.9 (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#linux-gcp-5.3

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Verification done on "Disco" (linux-hwe-5.0)
---

# uname -rv
5.0.0-58-generic #62~18.04.1-Ubuntu SMP Tue Jul 14 03:37:30 UTC 2020

For some other reason the kprobes module is not picking up on accept,
only on release. This is unrelated to this patchset.

I used kprobe events instead, which is working, and reveals the ref
counter does not leak (stable increase/decrease on accept/release.)

On the example below, it varies between 0x64b and 0x64c, correctly.

# ./aa-refcnt-af_alg &

# echo 'p af_alg_accept sk=%di count=+0x0(+0x0(+0x278(%di))):x32' > /sys/kernel/debug/tracing/kprobe_events
# echo 'p af_alg_release_parent sk=%di count=+0x0(+0x0(+0x278(%di))):x32' >> /sys/kernel/debug/tracing/kprobe_events

# echo 1 > /sys/kernel/debug/tracing/events/kprobes/enable

# cat /sys/kernel/debug/tracing/trace_pipe
...
 aa-refcnt-af_al-21362 [002] .... 77023.869615: p_af_alg_accept_0: (af_alg_accept+0x0/0x1c0 [af_alg]) sk=0xffff9138b54c2400 count=0x64b
 aa-refcnt-af_al-21362 [002] .... 77023.869619: p_af_alg_release_parent_0: (af_alg_release_parent+0x0/0xc0 [af_alg]) sk=0xffff9138b5e27800 count=0x64c
 aa-refcnt-af_al-21362 [002] .... 77023.869623: p_af_alg_accept_0: (af_alg_accept+0x0/0x1c0 [af_alg]) sk=0xffff9138b54c2400 count=0x64b
 aa-refcnt-af_al-21362 [002] .... 77023.869626: p_af_alg_release_parent_0: (af_alg_release_parent+0x0/0xc0 [af_alg]) sk=0xffff9138b5e27800 count=0x64c
 aa-refcnt-af_al-21362 [002] .... 77023.869630: p_af_alg_accept_0: (af_alg_accept+0x0/0x1c0 [af_alg]) sk=0xffff9138b54c2400 count=0x64b
 aa-refcnt-af_al-21362 [002] .... 77023.869633: p_af_alg_release_parent_0: (af_alg_release_parent+0x0/0xc0 [af_alg]) sk=0xffff9138b5e27800 count=0x64c
...
ctrl-c

# echo 0 > /sys/kernel/debug/tracing/events/kprobes/enable
# echo > /sys/kernel/debug/tracing/kprobe_events
# killall aa-refcnt-af_alg

Details:
-------

We want this value from 'struct sock *sk': kref_read(&SK_CTX(sk)->label->count)

With:

 #define SK_CTX(X) apparmor_sock(X)

 static inline struct aa_sk_ctx *apparmor_sock(const struct sock *sk)
 ...
  return sk->sk_security + apparmor_blob_sizes->lbs_sock;
 ...

Checking the value for lbs_sock w/ a kernel module:

 [76604.268403] apparmor_blob_sizes->lbs_sock: 0

And struct member offsets:

 $ pahole --hex -C sock usr/lib/debug/boot/vmlinux-5.0.0-58-generic | grep sk_security
  void * sk_security; /* 0x278 0x8 */

 $ pahole --hex -C aa_sk_ctx usr/lib/debug/boot/vmlinux-5.0.0-58-generic | grep -w label
  struct aa_label * label; /* 0 0x8 */

 $ pahole --hex -C aa_label usr/lib/debug/boot/vmlinux-5.0.0-58-generic | grep -w count
  struct kref count; /* 0 0x4 */

Launchpad Janitor (janitor) wrote :
Download full text (30.5 KiB)

This bug was fixed in the package linux - 5.3.0-64.58

---------------
linux (5.3.0-64.58) eoan; urgency=medium

  * eoan/linux: 5.3.0-64.58 -proposed tracker (LP: #1887088)

  * linux 4.15.0-109-generic network DoS regression vs -108 (LP: #1886668)
    - SAUCE: Revert "netprio_cgroup: Fix unlimited memory leak of v2 cgroups"

linux (5.3.0-63.57) eoan; urgency=medium

  * eoan/linux: 5.3.0-63.57 -proposed tracker (LP: #1885495)

  * seccomp_bpf fails on powerpc (LP: #1885757)
    - SAUCE: selftests/seccomp: fix ptrace tests on powerpc

  * The thread level parallelism would be a bottleneck when searching for the
    shared pmd by using hugetlbfs (LP: #1882039)
    - hugetlbfs: take read_lock on i_mmap for PMD sharing

  * Eoan update: upstream stable patchset 2020-06-30 (LP: #1885775)
    - ipv6: fix IPV6_ADDRFORM operation logic
    - net_failover: fixed rollback in net_failover_open()
    - bridge: Avoid infinite loop when suppressing NS messages with invalid
      options
    - vxlan: Avoid infinite loop when suppressing NS messages with invalid options
    - tun: correct header offsets in napi frags mode
    - Input: mms114 - fix handling of mms345l
    - ARM: 8977/1: ptrace: Fix mask for thumb breakpoint hook
    - sched/fair: Don't NUMA balance for kthreads
    - Input: synaptics - add a second working PNP_ID for Lenovo T470s
    - drivers/net/ibmvnic: Update VNIC protocol version reporting
    - powerpc/xive: Clear the page tables for the ESB IO mapping
    - ath9k_htc: Silence undersized packet warnings
    - RDMA/uverbs: Make the event_queue fds return POLLERR when disassociated
    - x86/cpu/amd: Make erratum #1054 a legacy erratum
    - perf probe: Accept the instance number of kretprobe event
    - mm: add kvfree_sensitive() for freeing sensitive data objects
    - aio: fix async fsync creds
    - x86_64: Fix jiffies ODR violation
    - x86/PCI: Mark Intel C620 MROMs as having non-compliant BARs
    - x86/speculation: Prevent rogue cross-process SSBD shutdown
    - x86/reboot/quirks: Add MacBook6,1 reboot quirk
    - efi/efivars: Add missing kobject_put() in sysfs entry creation error path
    - ALSA: es1688: Add the missed snd_card_free()
    - ALSA: hda/realtek - add a pintbl quirk for several Lenovo machines
    - ALSA: usb-audio: Fix inconsistent card PM state after resume
    - ALSA: usb-audio: Add vendor, product and profile name for HP Thunderbolt
      Dock
    - ACPI: sysfs: Fix reference count leak in acpi_sysfs_add_hotplug_profile()
    - ACPI: CPPC: Fix reference count leak in acpi_cppc_processor_probe()
    - ACPI: GED: add support for _Exx / _Lxx handler methods
    - ACPI: PM: Avoid using power resources if there are none for D0
    - nilfs2: fix null pointer dereference at nilfs_segctor_do_construct()
    - spi: dw: Fix controller unregister order
    - spi: bcm2835aux: Fix controller unregister order
    - spi: bcm-qspi: when tx/rx buffer is NULL set to 0
    - PM: runtime: clk: Fix clk_pm_runtime_get() error path
    - crypto: cavium/nitrox - Fix 'nitrox_get_first_device()' when ndevlist is
      fully iterated
    - ALSA: pcm: disallow linking stream to itself
    - x86/{mce,mm}: Unmap the entire page if the who...

Changed in linux (Ubuntu Eoan):
status: Fix Committed → Fix Released

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-focal

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-bionic

Verification done for Bionic.

$ uname -rv
4.15.0-113-generic #114-Ubuntu SMP Sun Aug 9 07:27:58 UTC 2020

$ ./aa-refcnt-af_alg &
$ sudo insmod kmod.ko
...
[ 335.387236] release() :: comm = aa-refcnt-af_al, pid = 5764, sk->sk_security->label->count = 0x582
[ 335.388370] accept() :: comm = aa-refcnt-af_al, pid = 5764, sk->sk_security->label->count = 0x581
[ 335.389376] release() :: comm = aa-refcnt-af_al, pid = 5764, sk->sk_security->label->count = 0x582
[ 335.390558] accept() :: comm = aa-refcnt-af_al, pid = 5764, sk->sk_security->label->count = 0x581
[ 335.391521] release() :: comm = aa-refcnt-af_al, pid = 5764, sk->sk_security->label->count = 0x582

tags: added: verification-done-bionic
removed: verification-needed-bionic

Verification done for Focal.

$ uname -rv
5.4.0-43-generic #47-Ubuntu SMP Sat Aug 8 06:34:35 UTC 2020

$ ./aa-refcnt-af_alg &
$ sudo insmod kmod.ko
...
[ 171.672847] accept() :: comm = aa-refcnt-af_al, pid = 1600, sk->sk_security->label->count = 0x583
[ 171.674249] release() :: comm = aa-refcnt-af_al, pid = 1600, sk->sk_security->label->count = 0x584
[ 171.675676] accept() :: comm = aa-refcnt-af_al, pid = 1600, sk->sk_security->label->count = 0x583
[ 171.676932] release() :: comm = aa-refcnt-af_al, pid = 1600, sk->sk_security->label->count = 0x584
[ 171.678154] accept() :: comm = aa-refcnt-af_al, pid = 1600, sk->sk_security->label->count = 0x583
[ 171.679617] release() :: comm = aa-refcnt-af_al, pid = 1600, sk->sk_security->label->count = 0x584

tags: added: verification-done-focal
removed: verification-needed-focal
Launchpad Janitor (janitor) wrote :
Download full text (97.9 KiB)

This bug was fixed in the package linux - 5.4.0-45.49

---------------
linux (5.4.0-45.49) focal; urgency=medium

  * focal/linux: 5.4.0-45.49 -proposed tracker (LP: #1893050)

  * [Potential Regression] dscr_inherit_exec_test from powerpc in
    ubuntu_kernel_selftests failed on B/E/F (LP: #1888332)
    - powerpc/64s: Don't init FSCR_DSCR in __init_FSCR()

linux (5.4.0-44.48) focal; urgency=medium

  * focal/linux: 5.4.0-44.48 -proposed tracker (LP: #1891049)

  * Packaging resync (LP: #1786013)
    - [Packaging] update helper scripts

  * ipsec: policy priority management is broken (LP: #1890796)
    - xfrm: policy: match with both mark and mask on user interfaces

linux (5.4.0-43.47) focal; urgency=medium

  * focal/linux: 5.4.0-43.47 -proposed tracker (LP: #1890746)

  * Packaging resync (LP: #1786013)
    - update dkms package versions

  * Devlink - add RoCE disable kernel support (LP: #1877270)
    - devlink: Add new "enable_roce" generic device param
    - net/mlx5: Document flow_steering_mode devlink param
    - net/mlx5: Handle "enable_roce" devlink param
    - IB/mlx5: Rename profile and init methods
    - IB/mlx5: Load profile according to RoCE enablement state
    - net/mlx5: Remove unneeded variable in mlx5_unload_one
    - net/mlx5: Add devlink reload
    - IB/mlx5: Do reverse sequence during device removal

  * msg_zerocopy.sh in net from ubuntu_kernel_selftests failed (LP: #1812620)
    - selftests/net: relax cpu affinity requirement in msg_zerocopy test

  * Enlarge hisi_sec2 capability (LP: #1890222)
    - Revert "UBUNTU: [Config] Disable hisi_sec2 temporarily"
    - crypto: hisilicon - update SEC driver module parameter

  * Fix missing HDMI/DP Audio on an HP Desktop (LP: #1890441)
    - ALSA: hda/hdmi: Add quirk to force connectivity

  * Fix IOMMU error on AMD Radeon Pro W5700 (LP: #1890306)
    - PCI: Mark AMD Navi10 GPU rev 0x00 ATS as broken

  * ASoC:amd:renoir: the dmic can't record sound after suspend and resume
    (LP: #1890220)
    - SAUCE: ASoC: amd: renoir: restore two more registers during resume

  * No sound, Dummy output on Acer Swift 3 SF314-57G with Ice Lake core-i7 CPU
    (LP: #1877757)
    - ASoC: SOF: Intel: hda: fix generic hda codec support

  * Fix right speaker of HP laptop (LP: #1889375)
    - SAUCE: hda/realtek: Fix right speaker of HP laptop

  * blk_update_request error when mount nvme partition (LP: #1872383)
    - SAUCE: nvme-pci: prevent SK hynix PC400 from using Write Zeroes command

  * soc/amd/renoir: detect dmic from acpi table (LP: #1887734)
    - ASoC: amd: add logic to check dmic hardware runtime
    - ASoC: amd: add ACPI dependency check
    - ASoC: amd: fixed kernel warnings

  * soc/amd/renoir: change the module name to make it work with ucm3
    (LP: #1888166)
    - AsoC: amd: add missing snd- module prefix to the acp3x-rn driver kernel
      module
    - SAUCE: remove a kernel module since its name is changed

  * Focal update: v5.4.55 upstream stable release (LP: #1890343)
    - AX.25: Fix out-of-bounds read in ax25_connect()
    - AX.25: Prevent out-of-bounds read in ax25_sendmsg()
    - dev: Defer free of skbs in flush_backlog
    - drivers/net/wan/x25_asy: Fix to make i...

Changed in linux (Ubuntu Focal):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :
Download full text (55.0 KiB)

This bug was fixed in the package linux - 4.15.0-115.116

---------------
linux (4.15.0-115.116) bionic; urgency=medium

  * bionic/linux: 4.15.0-115.116 -proposed tracker (LP: #1893055)

  * [Potential Regression] dscr_inherit_exec_test from powerpc in
    ubuntu_kernel_selftests failed on B/E/F (LP: #1888332)
    - powerpc/64s: Don't init FSCR_DSCR in __init_FSCR()

linux (4.15.0-114.115) bionic; urgency=medium

  * bionic/linux: 4.15.0-114.115 -proposed tracker (LP: #1891052)

  * ipsec: policy priority management is broken (LP: #1890796)
    - xfrm: policy: match with both mark and mask on user interfaces

linux (4.15.0-113.114) bionic; urgency=medium

  * bionic/linux: 4.15.0-113.114 -proposed tracker (LP: #1890705)

  * Packaging resync (LP: #1786013)
    - update dkms package versions

  * Reapply "usb: handle warm-reset port requests on hub resume" (LP: #1859873)
    - usb: handle warm-reset port requests on hub resume

  * Bionic update: upstream stable patchset 2020-07-29 (LP: #1889474)
    - gpio: arizona: handle pm_runtime_get_sync failure case
    - gpio: arizona: put pm_runtime in case of failure
    - pinctrl: amd: fix npins for uart0 in kerncz_groups
    - mac80211: allow rx of mesh eapol frames with default rx key
    - scsi: scsi_transport_spi: Fix function pointer check
    - xtensa: fix __sync_fetch_and_{and,or}_4 declarations
    - xtensa: update *pos in cpuinfo_op.next
    - drivers/net/wan/lapbether: Fixed the value of hard_header_len
    - net: sky2: initialize return of gm_phy_read
    - drm/nouveau/i2c/g94-: increase NV_PMGR_DP_AUXCTL_TRANSACTREQ timeout
    - irqdomain/treewide: Keep firmware node unconditionally allocated
    - SUNRPC reverting d03727b248d0 ("NFSv4 fix CLOSE not waiting for direct IO
      compeletion")
    - spi: spi-fsl-dspi: Exit the ISR with IRQ_NONE when it's not ours
    - IB/umem: fix reference count leak in ib_umem_odp_get()
    - uprobes: Change handle_swbp() to send SIGTRAP with si_code=SI_KERNEL, to fix
      GDB regression
    - ALSA: info: Drop WARN_ON() from buffer NULL sanity check
    - ASoC: rt5670: Correct RT5670_LDO_SEL_MASK
    - btrfs: fix double free on ulist after backref resolution failure
    - btrfs: fix mount failure caused by race with umount
    - btrfs: fix page leaks after failure to lock page for delalloc
    - bnxt_en: Fix race when modifying pause settings.
    - hippi: Fix a size used in a 'pci_free_consistent()' in an error handling
      path
    - ax88172a: fix ax88172a_unbind() failures
    - net: dp83640: fix SIOCSHWTSTAMP to update the struct with actual
      configuration
    - drm: sun4i: hdmi: Fix inverted HPD result
    - net: smc91x: Fix possible memory leak in smc_drv_probe()
    - bonding: check error value of register_netdevice() immediately
    - mlxsw: destroy workqueue when trap_register in mlxsw_emad_init
    - ipvs: fix the connection sync failed in some cases
    - i2c: rcar: always clear ICSAR to avoid side effects
    - bonding: check return value of register_netdevice() in bond_newlink()
    - serial: exar: Fix GPIO configuration for Sealevel cards based on XR17V35X
    - scripts/decode_stacktrace: strip basepath from all paths
    - HID: i...

Changed in linux (Ubuntu Bionic):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Bug attachments