aufs: kernel bug with apparmor and fuseblk

Bug #1948470 reported by Mauricio Faria de Oliveira
This bug affects 1 person
Affects: linux (Ubuntu), status tracked in Jammy

Series    Importance   Assigned to
Bionic    Low          Mauricio Faria de Oliveira
Focal     Low          Mauricio Faria de Oliveira
Hirsute   Low          Mauricio Faria de Oliveira
Impish    Undecided    Unassigned
Jammy     Undecided    Unassigned

Bug Description

[Impact]

 * AppArmor-enabled applications on the aufs filesystem
   might hit a kernel bug when getting file attributes.

 * The aufs filesystem explicitly assigns a NULL pointer
   to `struct path.mnt` for `vfs_getattr()`, which calls
   into AppArmor that checks `struct path.mnt->mnt_flags`,
   triggering a kernel NULL pointer dereference.

 * This is almost 10 years old [1,2], reproducible w/ the
   Linux v3.2 kernel, but it's rare as apparently it needs
   a fuseblk mount as an aufs branch, and file creation/
   open (O_CREAT), with a filename that exists only in a
   lower aufs branch. On Linux v5.15-rc* it doesn't need
   AppArmor anymore.

[Fix]

 * The patch fixing this issue does set `struct path.mnt`
   properly, by taking `struct path` as parameter instead
   of just `struct dentry` (and making up an incomplete
   `struct path` w/ that `dentry` and `mnt = NULL`.)

 * Since it changes the signature of a key, leaf function
   with several callers, the patch is a bit long/refactor,
   but it has been tested by the upstream aufs maintainer
   with a private test-suite.

[Test Plan]

 * Synthetic reproducer available in [1] and comment #1.

[Regression Potential]

 * Regressions would probably manifest as kernel errors
   mostly in the lookup and open paths, but more subtle
   manifestations would be possible as well.

 * The patch modifies a fair number of functions, even if
   doing so in simple ways. The synthetic reproducer only
   covers one of those functions.

 * The other code paths have been tested by the maintainer
   w/ the mainline kernel, and should be equivalent to our
   kernel as none of such changed for cherry-pick/backport.

 * The upstream aufs maintainer runs a private test suite
   that covers several features and use cases of aufs, so
   hopefully that provides some relief to take this patch.

[Other Info]

 * Impish no longer ships aufs; no fix needed.
 * Hirsute/Focal/Bionic do/need it. (H only for backports)
 * Hirsute/Focal are clean cherry-picks.
 * Bionic is a trivial backport.

[1] https://sourceforge.net/p/aufs/mailman/message/37363599/
[2] https://unix.stackexchange.com/questions/324571/docker-run-causing-kernel-panic

[Kernel Traces]

BUG: kernel NULL pointer dereference, address: 0000000000000010
...
CPU: 23 PID: 17623 Comm: drone-agent Not tainted 5.4.0-1058-azure #60~18.04.1-Ubuntu
Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS 090008 12/07/2018
RIP: 0010:aa_path_name+0x55/0x370
...
Call Trace:
? request_wait_answer+0xc4/0x200
path_name+0x60/0xe0
profile_path_perm.part.9+0x57/0xa0
aa_path_perm+0xe2/0x130
common_perm+0x59/0x130
common_perm_cond+0x4c/0x70
apparmor_inode_getattr+0x1d/0x20
security_inode_getattr+0x35/0x50
vfs_getattr+0x21/0x40
vfsub_update_h_iattr+0x95/0xb0 [aufs]
? lookup_dcache+0x44/0x70
? lookup_one_len+0x66/0x90
vfsub_lookup_one_len+0x50/0x70 [aufs]
au_sio_lkup_one+0x8e/0xa0 [aufs]
au_lkup_dentry+0x3fa/0x660 [aufs]
aufs_lookup.part.35+0x11c/0x210 [aufs]
aufs_atomic_open+0xec/0x3c0 [aufs]
path_openat+0xe30/0x16a0
? aufs_lookup+0x30/0x30 [aufs]
? path_openat+0xe30/0x16a0
? unlock_page_memcg+0x12/0x20
? filemap_map_pages+0x17d/0x3b0
do_filp_open+0x9b/0x110
? __check_object_size+0xdb/0x1b0
? __alloc_fd+0xb2/0x170
do_sys_open+0x1ba/0x2e0
? do_sys_open+0x1ba/0x2e0
__x64_sys_openat+0x20/0x30
do_syscall_64+0x5e/0x200
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4a06fa
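
The oops signature in the traces above, turned into a log check (an added example, not code from the bug report or from aufs): it parses kernel log text, drops the unreliable `? ` frames, and flags reports where `vfs_getattr` is entered directly from `vfsub_update_h_iattr [aufs]`. The names `parse_oopses` and `triage` and the sample log are constructed for this example, and the signature is an assumption drawn from the traces on this page.

```python
import re

_TS = re.compile(r"^\[\s*\d+\.\d+\]\s*")          # optional dmesg timestamp
_BUG = re.compile(r"BUG: (?:unable to handle )?kernel NULL pointer dereference"
                  r"(?:, address:| at) (?P<addr>[0-9a-f]+)")
_RIP = re.compile(r"^RIP: 0010:(?P<sym>[\w.]+)\+0x")
_COMM = re.compile(r"Comm: (?P<comm>\S+) .*?(?P<kver>\d+\.\d+\.\d+-\S+)")
_FRAME = re.compile(r"^(?P<q>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+"
                    r"(?: \[(?P<mod>\w+)\])?$")

def parse_oopses(text):
    """Split kernel log text into one dict per NULL-dereference report."""
    reports, cur, in_trace = [], None, False
    for raw in text.splitlines():
        line = _TS.sub("", raw.strip())
        m = _BUG.search(line)
        if m:
            cur = {"addr": int(m["addr"], 16), "rip": None, "comm": None,
                   "kernel": None, "frames": []}
            reports.append(cur)
            in_trace = False
        elif cur is None:
            continue
        elif in_trace:
            m = _FRAME.match(line)
            if m and not m["q"]:       # "? " frames are unreliable stack residue
                cur["frames"].append((m["sym"], m["mod"]))
            in_trace = m is not None   # first non-frame line ends the trace
        elif line.startswith("Call Trace:"):
            in_trace = True
        elif m := _RIP.match(line):
            cur["rip"] = m["sym"]
        elif m := _COMM.search(line):
            cur["comm"], cur["kernel"] = m["comm"], m["kver"]
    return reports

def triage(text):
    """Return the reports whose call chain matches the traces in this bug."""
    hits = []
    for r in parse_oopses(text):
        f = r["frames"]
        # Signature (assumption): vfs_getattr() entered directly from the aufs helper.
        if any(a == ("vfs_getattr", None) and b == ("vfsub_update_h_iattr", "aufs")
               for a, b in zip(f, f[1:])):
            r["via_apparmor"] = any(s == "apparmor_inode_getattr" for s, _ in f)
            hits.append(r)
    return hits

# Constructed sample: the first report is abridged from the focal trace on this
# page; the second is an invented, unrelated NULL dereference that must not match.
SAMPLE_LOG = """
[  286.989830] BUG: kernel NULL pointer dereference, address: 0000000000000010
[  286.996507] CPU: 2 PID: 5529 Comm: openat Not tainted 5.4.0-90-generic #101-Ubuntu
[  286.998397] RIP: 0010:d_namespace_path.constprop.0+0x48/0x300
[  287.008418] Call Trace:
[  287.016112]  aa_path_name+0x42/0xb0
[  287.019353]  apparmor_inode_getattr+0x1d/0x20
[  287.019948]  security_inode_getattr+0x35/0x50
[  287.020542]  vfs_getattr+0x22/0x50
[  287.021042]  vfsub_update_h_iattr+0x95/0xb0 [aufs]
[  287.021687]  ? lookup_dcache+0x46/0x70
[  287.022755]  vfsub_lookup_one_len+0x61/0x70 [aufs]
[  287.033682] RIP: 0033:0x7f299dccf026
BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
CPU: 0 PID: 411 Comm: kworker/0:1 Not tainted 4.15.0-162-generic #170-Ubuntu
RIP: 0010:example_driver_work+0x12/0x80 [example]
Call Trace:
 process_one_work+0x1de/0x410
 ? vfs_getattr+0x21/0x40
 worker_thread+0x32/0x410
"""

if __name__ == "__main__":
    for h in triage(SAMPLE_LOG):
        print(h["kernel"], h["comm"], hex(h["addr"]), h["rip"],
              "apparmor" if h["via_apparmor"] else "no-apparmor")
```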

Mauricio Faria de Oliveira (mfo) wrote :

Steps to Reproduce:

1) test app

 # cat openat.c
 #include <stdio.h>
 #include <fcntl.h>

 int main() {
  int rc;
  rc = openat(AT_FDCWD, "test", O_RDWR | O_CREAT | S_IRWXU);
  if (rc < 0) {
          perror("openat");
          return 1;
  }
  return 0;
 }

 # gcc -o openat openat.c

2) ntfs-3g mount (fuseblk)

 # truncate -s 1g ntfs.img
 # DEV=$(losetup -f --show ntfs.img)
 # mkfs.ntfs --fast $DEV

 # mkdir ntfs
 # mount -t ntfs-3g $DEV ntfs

 # mount | grep ntfs | grep fuseblk
 /dev/loop6 on /home/ubuntu/ntfs type fuseblk (rw,relatime,user_id=0,group_id=0,allow_other,blksize=4096)

3) aufs mount (with 'test' file in the read-only branch)

 # mkdir ro aufs
 # touch ro/test
 # mount -t aufs -o br=ntfs:ro none aufs

4) enable apparmor for the test app (even in complain mode with aa-genprof)

 # aa-genprof ./openat &
 ...
 Please start the application to be profiled in
 another window and exercise its functionality now.
 ...
 <press enter>
 [1]+ Stopped aa-genprof ./openat

5) remove 'test' file from read-write branch (still exists in read-only branch)

 # cd aufs
 # rm test

6) run the test app

 # ../openat
 Killed

7) check kernel logs

 # dmesg

Changed in linux (Ubuntu Jammy):
status: New → Invalid
Changed in linux (Ubuntu Impish):
status: New → Invalid
Changed in linux (Ubuntu Hirsute):
status: New → In Progress
importance: Undecided → Low
assignee: nobody → Mauricio Faria de Oliveira (mfo)
Changed in linux (Ubuntu Focal):
status: New → In Progress
importance: Undecided → Low
assignee: nobody → Mauricio Faria de Oliveira (mfo)
Changed in linux (Ubuntu Bionic):
status: New → In Progress
importance: Undecided → Low
assignee: nobody → Mauricio Faria de Oliveira (mfo)
description: updated
Changed in linux (Ubuntu Hirsute):
status: In Progress → Invalid
status: Invalid → In Progress
description: updated
Mauricio Faria de Oliveira (mfo) wrote :

Test with focal-proposed (5.4.0-90.101)
---

Original:

# ../openat
Killed

[ 286.989830] BUG: kernel NULL pointer dereference, address: 0000000000000010
...
[ 286.996507] CPU: 2 PID: 5529 Comm: openat Not tainted 5.4.0-90-generic #101-Ubuntu
[ 286.997358] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[ 286.998397] RIP: 0010:d_namespace_path.constprop.0+0x48/0x300
...
[ 287.008418] Call Trace:
[ 287.016112] aa_path_name+0x42/0xb0
[ 287.016616] path_name.isra.0+0x5f/0xe0
[ 287.017153] profile_path_perm.part.0+0x58/0xa0
[ 287.017768] aa_path_perm+0xdd/0x130
[ 287.018293] common_perm+0x96/0x110
[ 287.018795] common_perm_cond+0x4c/0x70
[ 287.019353] apparmor_inode_getattr+0x1d/0x20
[ 287.019948] security_inode_getattr+0x35/0x50
[ 287.020542] vfs_getattr+0x22/0x50
[ 287.021042] vfsub_update_h_iattr+0x95/0xb0 [aufs]
[ 287.021687] ? lookup_dcache+0x46/0x70
[ 287.022216] ? lookup_one_len+0x68/0x90
[ 287.022755] vfsub_lookup_one_len+0x61/0x70 [aufs]
[ 287.023413] au_wh_test+0x26/0xa0 [aufs]
[ 287.023978] au_lkup_dentry+0x1ba/0x670 [aufs]
[ 287.024598] aufs_lookup.part.0+0x119/0x200 [aufs]
[ 287.025250] aufs_atomic_open+0x19d/0x400 [aufs]
[ 287.025881] ? aufs_permission+0x1a9/0x2f0 [aufs]
[ 287.026536] ? security_path_mknod+0x4c/0x70
[ 287.027130] lookup_open+0x364/0x6e0
[ 287.027658] do_last+0x2cb/0x900
[ 287.028141] ? __alloc_file+0x94/0x110
[ 287.028678] path_openat+0x8d/0x290
[ 287.029184] ? do_async_page_fault+0x39/0x70
[ 287.029773] do_filp_open+0x91/0x100
[ 287.030292] ? strncpy_from_user+0xbd/0x150
[ 287.030879] ? __alloc_fd+0xb8/0x150
[ 287.031402] do_sys_open+0x17e/0x290
[ 287.031920] __x64_sys_openat+0x20/0x30
[ 287.032469] do_syscall_64+0x57/0x190
[ 287.032997] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 287.033682] RIP: 0033:0x7f299dccf026

Patched:

# ../openat
# echo $?
0

# uname -rv
5.4.0-90-generic #101+test20211022b2 SMP Fri Oct 22 10:34:51 -03 2021

Mauricio Faria de Oliveira (mfo) wrote :

Test with bionic-proposed (4.15.0-162.170)
---

Original:

# ../openat
Killed

[ 442.526300] BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
...
[ 442.539854] CPU: 1 PID: 5644 Comm: openat Not tainted 4.15.0-162-generic #170-Ubuntu
[ 442.540733] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[ 442.541755] RIP: 0010:aa_path_name+0x55/0x370
...
[ 442.549808] Call Trace:
[ 442.550211] path_name+0x60/0xe0
[ 442.550687] profile_path_perm.part.7+0x57/0xa0
[ 442.551293] aa_path_perm+0xe2/0x130
[ 442.551819] common_perm+0x59/0x130
[ 442.552323] common_perm_cond+0x4c/0x70
[ 442.552856] apparmor_inode_getattr+0x1d/0x20
[ 442.553444] security_inode_getattr+0x47/0x60
[ 442.554038] vfs_getattr+0x21/0x40
[ 442.554538] vfsub_update_h_iattr+0x95/0xb0 [aufs]
[ 442.555172] ? __lookup_hash+0x22/0xa0
[ 442.555697] ? lookup_one_len+0x113/0x120
[ 442.556323] vfsub_lookup_one_len+0x50/0x70 [aufs]
[ 442.557065] au_wh_test+0x25/0xe0 [aufs]
[ 442.557615] au_lkup_dentry+0x484/0x620 [aufs]
[ 442.558225] aufs_lookup.part.33+0x11c/0x210 [aufs]
[ 442.562787] aufs_atomic_open+0x102/0x3b0 [aufs]
[ 442.563427] ? aufs_permission+0x190/0x2d0 [aufs]
[ 442.564098] ? __inode_permission+0x5b/0x160
[ 442.564689] path_openat+0xde1/0x18b0
[ 442.565214] ? path_openat+0xde1/0x18b0
[ 442.565756] do_filp_open+0x9b/0x110
[ 442.566266] ? __check_object_size+0xc8/0x1b0
[ 442.566862] ? __alloc_fd+0xb2/0x170
[ 442.567376] do_sys_open+0x1ba/0x2c0
[ 442.567908] ? do_sys_open+0x1ba/0x2c0
[ 442.568453] SyS_openat+0x14/0x20
[ 442.568939] do_syscall_64+0x73/0x130
[ 442.569458] entry_SYSCALL_64_after_hwframe+0x41/0xa6
[ 442.570117] RIP: 0033:0x7f079564af83

Patched:

# ../openat
# echo $?
0

# uname -rv
4.15.0-162-generic #170+test20211022b1 SMP Fri Oct 22 10:59:39 -03 2021

Mauricio Faria de Oliveira (mfo) wrote :

Hirsute doesn't ship aufs anymore; no testing needed, just patching.

commit 4fb9ce7538c89f81e3fa5bfae881c9b49e7137e0
Author: Seth Forshee <email address hidden>
Date: Fri Feb 19 14:46:24 2021 -0600

    UBUNTU: [Config] CONFIG_AUFS_FS=n

    We're keeping aufs in the source tree for backports but disabling
    it starting in hirsute. Update the configs and annotations
    accordingly.

    Signed-off-by: Seth Forshee <email address hidden>

tags: added: sts
Mauricio Faria de Oliveira (mfo) wrote :

[H/F/B][PATCH 0/1] aufs: fix kernel bug with apparmor and fuseblk
https://lists.ubuntu.com/archives/kernel-team/2021-October/125163.html

Changed in linux (Ubuntu Bionic):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Focal):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Hirsute):
status: In Progress → Fix Committed
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux/5.11.0-41.45 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-hirsute' to 'verification-done-hirsute'. If the problem still exists, change the tag 'verification-needed-hirsute' to 'verification-failed-hirsute'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-hirsute
tags: added: verification-needed-focal
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux/5.4.0-91.102 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-bionic
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux/4.15.0-163.171 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

Mauricio Faria de Oliveira (mfo) wrote :

Verified bionic, focal, and hirsute (hwe kernel in focal) with steps in comment #1.

The kernel packages in -updates hit the issue.
The kernel packages in -proposed don't hit it.

ubuntu@mfo-aufs-bionic:~/aufs$ uname -rv
4.15.0-163-generic #171-Ubuntu SMP Fri Nov 5 11:55:11 UTC 2021

ubuntu@mfo-aufs-focal:~$ uname -rv
5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021

ubuntu@mfo-aufs-focal:~/aufs$ uname -rv
5.11.0-41-generic #45~20.04.1-Ubuntu SMP Wed Nov 10 10:20:10 UTC 2021

tags: added: verification-done-bionic verification-done-focal verification-done-hirsute
removed: verification-needed-bionic verification-needed-focal verification-needed-hirsute
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.15.0-163.171

---------------
linux (4.15.0-163.171) bionic; urgency=medium

  * bionic/linux: 4.15.0-163.171 -proposed tracker (LP: #1949874)

  * Packaging resync (LP: #1786013)
    - [Packaging] update Ubuntu.md
    - debian/dkms-versions -- update from kernel-versions (main/2021.11.08)

  * Unable to build net/reuseport_bpf and other tests in ubuntu_kernel_selftests
    on Bionic with make command (LP: #1949889)
    - selftests: Fix loss of test output in run_kselftests.sh
    - selftests: Makefile set KSFT_TAP_LEVEL to prevent nested TAP headers
    - selftests: fix headers_install circular dependency
    - selftests: fix bpf build/test workflow regression when KBUILD_OUTPUT is set
    - selftests: vm: Fix test build failure when built by itself

  * KVM emulation failure when booting into VM crash kernel with multiple CPUs
    (LP: #1948862)
    - KVM: x86: Properly reset MMU context at vCPU RESET/INIT

  * aufs: kernel bug with apparmor and fuseblk (LP: #1948470)
    - SAUCE: aufs: bugfix, stop omitting path->mnt

  * ebpf: bpf_redirect fails with ip6 gre interfaces (LP: #1947164)
    - net: handle ARPHRD_IP6GRE in dev_is_mac_header_xmit()

  * require CAP_NET_ADMIN to attach N_HCI ldisc (LP: #1949516)
    - Bluetooth: hci_ldisc: require CAP_NET_ADMIN to attach N_HCI ldisc

  * ACL updates on OCFS2 are not revalidated (LP: #1947161)
    - ocfs2: fix remounting needed after setfacl command

  * ppc64 BPF JIT mod by 1 will not return 0 (LP: #1948351)
    - powerpc/bpf: Fix BPF_MOD when imm == 1

  * Drop "UBUNTU: SAUCE: cachefiles: Page leaking in
    cachefiles_read_backing_file while vmscan is active" (LP: #1947709)
    - Revert "UBUNTU: SAUCE: cachefiles: Page leaking in
      cachefiles_read_backing_file while vmscan is active"
    - cachefiles: Fix page leak in cachefiles_read_backing_file while vmscan is
      active

  * Some test in ubuntu_bpf test_verifier failed on i386 Bionic kernel
    (LP: #1788578)
    - bpf: fix context access in tracing progs on 32 bit archs

  * test_bpf.sh from ubuntu_kernel_selftests.net from linux ADT test failure
    with linux/4.15.0-149.153 i386 (Segmentation fault) (LP: #1934414)
    - selftests/bpf: make test_verifier run most programs
    - bpf: add couple of test cases for div/mod by zero
    - bpf: add further test cases around div/mod and others

  * Bionic update: upstream stable patchset 2021-11-02 (LP: #1949512)
    - usb: gadget: r8a66597: fix a loop in set_feature()
    - usb: musb: tusb6010: uninitialized data in tusb_fifo_write_unaligned()
    - cifs: fix incorrect check for null pointer in header_assemble
    - xen/x86: fix PV trap handling on secondary processors
    - usb-storage: Add quirk for ScanLogic SL11R-IDE older than 2.6c
    - USB: serial: cp210x: add ID for GW Instek GDM-834x Digital Multimeter
    - staging: greybus: uart: fix tty use after free
    - Re-enable UAS for LaCie Rugged USB3-FW with fk quirk
    - USB: serial: mos7840: remove duplicated 0xac24 device ID
    - USB: serial: option: add Telit LN920 compositions
    - USB: serial: option: remove duplicate USB device ID
    - USB: serial: option: add device id for Foxco...

Changed in linux (Ubuntu Bionic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.4.0-91.102

---------------
linux (5.4.0-91.102) focal; urgency=medium

  * focal/linux: 5.4.0-91.102 -proposed tracker (LP: #1949840)

  * Packaging resync (LP: #1786013)
    - [Packaging] update Ubuntu.md
    - debian/dkms-versions -- update from kernel-versions (main/2021.11.08)

  * KVM emulation failure when booting into VM crash kernel with multiple CPUs
    (LP: #1948862)
    - KVM: x86: Properly reset MMU context at vCPU RESET/INIT

  * aufs: kernel bug with apparmor and fuseblk (LP: #1948470)
    - SAUCE: aufs: bugfix, stop omitting path->mnt

  * ebpf: bpf_redirect fails with ip6 gre interfaces (LP: #1947164)
    - net: handle ARPHRD_IP6GRE in dev_is_mac_header_xmit()

  * require CAP_NET_ADMIN to attach N_HCI ldisc (LP: #1949516)
    - Bluetooth: hci_ldisc: require CAP_NET_ADMIN to attach N_HCI ldisc

  * ACL updates on OCFS2 are not revalidated (LP: #1947161)
    - ocfs2: fix remounting needed after setfacl command

  * ppc64 BPF JIT mod by 1 will not return 0 (LP: #1948351)
    - powerpc/bpf: Fix BPF_MOD when imm == 1

  * Drop "UBUNTU: SAUCE: cachefiles: Page leaking in
    cachefiles_read_backing_file while vmscan is active" (LP: #1947709)
    - Revert "UBUNTU: SAUCE: cachefiles: Page leaking in
      cachefiles_read_backing_file while vmscan is active"

  * Reassign I/O Path of ConnectX-5 Port 1 before Port 2 causes NULL dereference
    (LP: #1943464)
    - s390/pci: fix leak of PCI device structure
    - s390/pci: fix use after free of zpci_dev
    - s390/pci: fix zpci_zdev_put() on reserve

  * [SRU][F] USB: serial: pl2303: add support for PL2303HXN (LP: #1948377)
    - USB: serial: pl2303: add support for PL2303HXN
    - USB: serial: pl2303: fix line-speed handling on newer chips

  * Focal update: v5.4.151 upstream stable release (LP: #1947888)
    - tty: Fix out-of-bound vmalloc access in imageblit
    - cpufreq: schedutil: Use kobject release() method to free sugov_tunables
    - cpufreq: schedutil: Destroy mutex before kobject_put() frees the memory
    - usb: cdns3: fix race condition before setting doorbell
    - fs-verity: fix signed integer overflow with i_size near S64_MAX
    - hwmon: (w83793) Fix NULL pointer dereference by removing unnecessary
      structure field
    - hwmon: (w83792d) Fix NULL pointer dereference by removing unnecessary
      structure field
    - hwmon: (w83791d) Fix NULL pointer dereference by removing unnecessary
      structure field
    - scsi: ufs: Fix illegal offset in UPIU event trace
    - mac80211: fix use-after-free in CCMP/GCMP RX
    - x86/kvmclock: Move this_cpu_pvti into kvmclock.h
    - drm/amd/display: Pass PCI deviceid into DC
    - ipvs: check that ip_vs_conn_tab_bits is between 8 and 20
    - hwmon: (mlxreg-fan) Return non-zero value when fan current state is enforced
      from sysfs
    - mac80211: Fix ieee80211_amsdu_aggregate frag_tail bug
    - mac80211: limit injected vht mcs/nss in ieee80211_parse_tx_radiotap
    - mac80211: mesh: fix potentially unaligned access
    - mac80211-hwsim: fix late beacon hrtimer handling
    - sctp: break out if skb_header_pointer returns NULL in sctp_rcv_ootb
    - hwmon: (tmp421) report /P...

Changed in linux (Ubuntu Focal):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.11.0-41.45

---------------
linux (5.11.0-41.45) hirsute; urgency=medium

  * hirsute/linux: 5.11.0-41.45 -proposed tracker (LP: #1949801)

  * Packaging resync (LP: #1786013)
    - [Packaging] update Ubuntu.md
    - debian/dkms-versions -- update from kernel-versions (main/2021.11.08)

  * aufs: kernel bug with apparmor and fuseblk (LP: #1948470)
    - SAUCE: aufs: bugfix, stop omitting path->mnt

  * ebpf: bpf_redirect fails with ip6 gre interfaces (LP: #1947164)
    - net: handle ARPHRD_IP6GRE in dev_is_mac_header_xmit()

  * require CAP_NET_ADMIN to attach N_HCI ldisc (LP: #1949516)
    - Bluetooth: hci_ldisc: require CAP_NET_ADMIN to attach N_HCI ldisc

  * CVE-2021-3744 // CVE-2021-3764
    - crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd()

  * ppc64 BPF JIT mod by 1 will not return 0 (LP: #1948351)
    - powerpc/bpf: Fix BPF_MOD when imm == 1

  * Fix Screen freeze after resume from suspend with iGPU [1002:6987]
    (LP: #1949050)
    - drm/amdgpu: reenable BACO support for 699F:C7 polaris12 SKU
    - drm/amdgpu: add missing cleanups for Polaris12 UVD/VCE on suspend
    - drm/amdgpu: Fix crash on device remove/driver unload

  * Intel I225-IT ethernet controller: igc: probe of 0000:02:00.0 failed with
    error -1 (LP: #1945576)
    - igc: Remove _I_PHY_ID checking
    - igc: Remove phy->type checking

  * Fail to detect audio output from external monitor (LP: #1948767)
    - ALSA: hda: intel: Allow repeatedly probing on codec configuration errors

  * Drop "UBUNTU: SAUCE: cachefiles: Page leaking in
    cachefiles_read_backing_file while vmscan is active" (LP: #1947709)
    - Revert "UBUNTU: SAUCE: cachefiles: Page leaking in
      cachefiles_read_backing_file while vmscan is active"

  * Hirsute update: upstream stable patchset 2021-11-03 (LP: #1949640)
    - mm: fix uninitialized use in overcommit_policy_handler
    - usb: gadget: r8a66597: fix a loop in set_feature()
    - usb: dwc2: gadget: Fix ISOC flow for BDMA and Slave
    - usb: dwc2: gadget: Fix ISOC transfer complete handling for DDMA
    - usb: musb: tusb6010: uninitialized data in tusb_fifo_write_unaligned()
    - cifs: fix incorrect check for null pointer in header_assemble
    - xen/x86: fix PV trap handling on secondary processors
    - usb-storage: Add quirk for ScanLogic SL11R-IDE older than 2.6c
    - USB: serial: cp210x: add ID for GW Instek GDM-834x Digital Multimeter
    - USB: cdc-acm: fix minor-number release
    - Revert "USB: bcma: Add a check for devm_gpiod_get"
    - binder: make sure fd closes complete
    - staging: greybus: uart: fix tty use after free
    - Re-enable UAS for LaCie Rugged USB3-FW with fk quirk
    - usb: dwc3: core: balance phy init and exit
    - USB: serial: mos7840: remove duplicated 0xac24 device ID
    - USB: serial: option: add Telit LN920 compositions
    - USB: serial: option: remove duplicate USB device ID
    - USB: serial: option: add device id for Foxconn T99W265
    - mcb: fix error handling in mcb_alloc_bus()
    - erofs: fix up erofs_lookup tracepoint
    - btrfs: prevent __btrfs_dump_space_info() to underflow its free space
    - serial: 8250: 8250_omap: Fix RX_LVL re...

Changed in linux (Ubuntu Hirsute):
status: Fix Committed → Fix Released