Ubuntu
linux package

linux 4.15.0-109-generic network DoS regression vs -108

Groovy (20.10)
Bug #1886668

Bug #1886668 reported by Steve Beattie on 2020-07-07

304

This bug affects 8 people

	Status	Importance	Assigned to
linux (Ubuntu)	Fix Released	Undecided	Thadeu Lima de Souza Cascardo
Bionic	Fix Released	Critical	Thadeu Lima de Souza Cascardo
Eoan	Fix Released	Undecided	Unassigned
Focal	Fix Released	Undecided	Unassigned
Groovy	Fix Released	Undecided	Thadeu Lima de Souza Cascardo

Bug Description

[Impact]
On systems using cgroups and sockets extensively, like docker, kubernetes, lxd, libvirt, a crash might happen when using linux 4.15.0-109-generic.

[Fix]
Revert the patch that disables sk_alloc cgroup refcounting when tasks are added to net_prio cgroup.

[Test case]
Test that such environments where the issue is reproduced survive some hours of uptime. A different bug was reproduced with a work-in-progress code and was not reproduced with the culprit reverted.

[Regression potential]
The reverted commit fix a memory leak on similar scenarios. But a leak is better than a crash. Two other bugs have been opened to track a real fix for this issue and the leak.

----------------------------------------------------------

Reported from a user:

Several of our infrastructure VMs recently started crashing (oops
attached), after they upgraded to -109. -108 appears to be stable.

Analysing the crash, it appears to be a wild pointer access in a BPF
filter, which makes this (probably) a network-traffic triggered crash.

[ 696.396831] general protection fault: 0000 [#1] SMP PTI
[ 696.396843] Modules linked in: iscsi_target_mod target_core_mod ipt_MASQUERADE nf_nat_masquerade_ipv4 nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 xt_addrtype iptable_filter xt_conntrack nf_nat nf_conntrack br_netfilter bridge nfsv3 cmac arc4 md4 rpcsec_gss_krb5 nfsv4 nls_utf8 cifs nfs aufs ccm fscache binfmt_misc overlay xfs libcrc32c intel_rapl crct10dif_pclmul crc32_pclmul ghash_clmulni_intel ppdev pcbc aesni_intel aes_x86_64 crypto_simd glue_helper cryptd input_leds joydev intel_rapl_perf serio_raw parport_pc parport mac_hid sch_fq_codel nfsd 8021q auth_rpcgss garp nfs_acl mrp lockd stp llc grace xenfs sunrpc xen_privcmd ip_tables x_tables autofs4 hid_generic usbhid hid psmouse i2c_piix4 pata_acpi floppy
[ 696.396966] CPU: 6 PID: 0 Comm: swapper/6 Not tainted 4.15.0-109-generic #110-Ubuntu
[ 696.396979] Hardware name: Xen HVM domU, BIOS 4.7.6-1.26 12/03/2018
[ 696.396993] RIP: 0010:__cgroup_bpf_run_filter_skb+0xbb/0x1e0
[ 696.397005] RSP: 0018:ffff893fdcb83a70 EFLAGS: 00010292
[ 696.397015] RAX: 6d69546e6f697469 RBX: 0000000000000000 RCX: 0000000000000014
[ 696.397028] RDX: 0000000000000000 RSI: ffff893fd0360000 RDI: ffff893fb5154800
[ 696.397041] RBP: ffff893fdcb83ad0 R08: 0000000000000001 R09: 0000000000000000
[ 696.397058] R10: 0000000000000000 R11: 0000000000000003 R12: 0000000000000014
[ 696.397075] R13: ffff893fb5154800 R14: 0000000000000020 R15: ffff893fc6ba4d00
[ 696.397091] FS: 0000000000000000(0000) GS:ffff893fdcb80000(0000) knlGS:0000000000000000
[ 696.397107] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 696.397119] CR2: 000000c0001b4000 CR3: 00000006dce0a004 CR4: 00000000003606e0
[ 696.397135] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 696.397152] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 696.397169] Call Trace:
[ 696.397175] <IRQ>
[ 696.397183] sk_filter_trim_cap+0xd0/0x1b0
[ 696.397191] tcp_v4_rcv+0x8b7/0xa80
[ 696.397199] ip_local_deliver_finish+0x66/0x210
[ 696.397208] ip_local_deliver+0x7e/0xe0
[ 696.397215] ? ip_rcv_finish+0x430/0x430
[ 696.397223] ip_rcv_finish+0x129/0x430
[ 696.397230] ip_rcv+0x296/0x360
[ 696.397238] ? inet_del_offload+0x40/0x40
[ 696.397249] __netif_receive_skb_core+0x432/0xb80
[ 696.397261] ? skb_send_sock+0x50/0x50
[ 696.397271] ? tcp4_gro_receive+0x137/0x1a0
[ 696.397280] __netif_receive_skb+0x18/0x60
[ 696.397290] ? __netif_receive_skb+0x18/0x60
[ 696.397300] netif_receive_skb_internal+0x45/0xe0
[ 696.397309] napi_gro_receive+0xc5/0xf0
[ 696.397317] xennet_poll+0x9ca/0xbc0
[ 696.397325] net_rx_action+0x140/0x3a0
[ 696.397334] __do_softirq+0xe4/0x2d4
[ 696.397344] irq_exit+0xc5/0xd0
[ 696.397352] xen_evtchn_do_upcall+0x30/0x50
[ 696.397361] xen_hvm_callback_vector+0x90/0xa0
[ 696.397371] </IRQ>
[ 696.397378] RIP: 0010:native_safe_halt+0x12/0x20
[ 696.397390] RSP: 0018:ffff94c4862cbe80 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff0c
[ 696.397405] RAX: ffffffff8efc1800 RBX: 0000000000000006 RCX: 0000000000000000
[ 696.397419] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 696.397435] RBP: ffff94c4862cbe80 R08: 0000000000000002 R09: 0000000000000001
[ 696.397449] R10: 0000000000100000 R11: 0000000000000397 R12: 0000000000000006
[ 696.397462] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 696.397479] ? __sched_text_end+0x1/0x1
[ 696.397489] default_idle+0x20/0x100
[ 696.397499] arch_cpu_idle+0x15/0x20
[ 696.397507] default_idle_call+0x23/0x30
[ 696.397515] do_idle+0x172/0x1f0
[ 696.397522] cpu_startup_entry+0x73/0x80
[ 696.397530] start_secondary+0x1ab/0x200
[ 696.397538] secondary_startup_64+0xa5/0xb0
[ 696.397545] Code: 89 5d b0 49 29 cc 45 01 a7 80 00 00 00 44 89 e1 48 29 c8 48 89 4d a8 49 89 87 d8 00 00 00 89 d2 48 8d 84 d6 38 03 00 00 48 8b 00 <4c> 8b 70 10 4c 8d 68 10 4d 85 f6 0f 84 f6 00 00 00 49 8d 47 30
[ 696.397584] RIP: __cgroup_bpf_run_filter_skb+0xbb/0x1e0 RSP: ffff893fdcb83a70
[ 696.397607] ---[ end trace ec5c84424d511a6f ]---
[ 696.397616] Kernel panic - not syncing: Fatal exception in interrupt
[ 696.397876] Kernel Offset: 0xd600000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)

We've correlated some of the other crashes, and the ASCII was a bit of a
red herring. All the others are a NULL pointer deference in the same
place, so the problem is likely OoB memory read (possibly
use-after-free) of a piece of memory which is usually zero, but not always.

It is actually the control VM's for our test farms which were impacted,
one of which was reliably crashing every 5 minutes or so, and others on
more sporadic intervals up to about a day. In all cases, reverting to
the -108 kernel has resolved the crashes.

Unfortunately, attempts to repro this off our production environment
with a packet trace aren't going quite so well. We're still experimenting.

See original description

Tags:

CVE References

Steve Beattie (sbeattie) on 2020-07-07

summary:	- placeholder + linux 4.15.0-109-generic network DoS regression vs -108
description:	updated

Thadeu Lima de Souza Cascardo (cascardo) on 2020-07-07

Changed in linux (Ubuntu):
assignee:	nobody → Thadeu Lima de Souza Cascardo (cascardo)

Revision history for this message

Thadeu Lima de Souza Cascardo (cascardo) wrote on 2020-07-08:

So, sock_cgroup_data is overloaded with net_prio prioidx and net_cls classid. There are two small patches for those two subsystems in 4.15.0-109 compared with 4.15.0-108. At first look, they appear harmless, but we have little information on the workload that generates this crash.

I tried manipulating net_prio and net_cls while running a socket with a cgroup bpf program attached on ingress, but with little luck reproducint. It seems the workload is more complicated than that.

It might be worth asking the reporter to try with a test kernel with those two commits reverted. On bionic tree, they are:

5eebba2159d707ae9533a52839e1ba71754c4426
a3e9313430937c4ce9ac4c1036403b0a6d391f7c

Cascardo.

Revision history for this message

Thadeu Lima de Souza Cascardo (cascardo) wrote on 2020-07-08:

Crash report:
https://<email address hidden>/

Potential fix discussion:
https://<email address hidden>/

Bugzilla:
https://bugzilla.kernel.org/show_bug.cgi?id=208003

So, my hunch about net_prio was right, and the issue has a lot of public visibility too. We might consider lifting the private bit here.

Cascardo.

Steve Beattie (sbeattie) on 2020-07-08

information type:

Private Security → Public Security

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2020-07-08: Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1886668

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status:	New → Incomplete
tags:	added: bionic

Revision history for this message

Thadeu Lima de Souza Cascardo (cascardo) wrote on 2020-07-08:

0001-UBUNTU-SAUCE-Revert-netprio_cgroup-Fix-unlimited-mem.patch Edit (5.2 KiB, text/plain)

This is caused by net_cls and net_prio cgroups disabling cgroup BPF and
causing it to stop refcounting when allocating new sockets. Releasing those
sockets will cause the refcount to go negative, leading to the potential
use-after-free.

Though this revert won't prevent the issue from happening as it could still
theoretically be caused by setting net_cls.classid or net_prio.ifpriomap,
this will prevent it from happening on default system configurations. A
combination of systemd use of cgroup BPF and extensive cgroup use including
net_prio will cause this. Reports usually involve using lxd, libvirt,
docker or kubernetes and some systemd service with IPAddressDeny or
IPAddressAllow.

And though this patch has been introduced to avoid some potential memory
leaks, the cure is worse than the disease. We will need to revisit both
issues later on and reapply this patch when we have a real fix for the
crash.

Cascardo.

Changed in linux (Ubuntu):
status:	Incomplete → Invalid
Changed in linux (Ubuntu Bionic):
status:	New → In Progress
assignee:	nobody → Thadeu Lima de Souza Cascardo (cascardo)
importance:	Undecided → Critical

Thadeu Lima de Souza Cascardo (cascardo) on 2020-07-08

description:

updated

Revision history for this message

Thadeu Lima de Souza Cascardo (cascardo) wrote on 2020-07-08:

Bugs are LP#1886860 and LP#1886859.

Thadeu Lima de Souza Cascardo (cascardo) on 2020-07-08

description:

updated

Revision history for this message

Thadeu Lima de Souza Cascardo (cascardo) wrote on 2020-07-08:

Test kernels at https://people.canonical.com/~cascardo/lp1886668/.

Khaled El Mously (kmously) on 2020-07-08

Changed in linux (Ubuntu Bionic):
status:	In Progress → Fix Committed

Thadeu Lima de Souza Cascardo (cascardo) on 2020-07-09

Changed in linux (Ubuntu Groovy):
status:	Invalid → In Progress
Changed in linux (Ubuntu Focal):
status:	New → In Progress
Changed in linux (Ubuntu Eoan):
status:	New → In Progress

Ubuntu Foundations Team Bug Bot (crichton) on 2020-07-09

tags:

added: patch

Revision history for this message

Thadeu Lima de Souza Cascardo (cascardo) wrote on 2020-07-09:

https://launchpad.net/~cascardo/+archive/ubuntu/ppa/+sourcepub/11419106/+listing-archive-extra

So, this package on my ppa is built for bionic, but should work on other series too.

It has a service that will call a wrapper that will start the reproducer and reboot. The reason for the reboot is because once we add a task to net_prio cgroup, it will disable cgroup bpf and we can't call the reproducer again. And the reproducer, though it can cause the refcount to go below 0 every time, it won't always cause the exact crash from this bug.

Once you want to disable the reproducer, you should add to the kernel cmdline the parameter "systemd.mask=cgroup-bpf-net-prio-crash.service". Then, you need to remove the package and can get your system back.

You may be running some service that will add a task to net_prio or net_cls cgroup, thus preventing the reproducer to run at all (but not stop it from rebooting your system over and over again). lxd comes to mind here.

You may check that it's the case (before installing the reproducer) by looking at dmesg and searching for:
cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation

The following WARN is the demonstration that the refcount underflow has happened (though not the crash):
[ 12.581125] ------------[ cut here ]------------
[ 12.585021] percpu ref (cgroup_bpf_release_fn) <= 0 (-357) after switching to atomic
[ 12.585092] WARNING: CPU: 2 PID: 665 at lib/percpu-refcount.c:160 percpu_ref_switch_to_atomic_rcu+0x12e/0x140

The crash will cause a panic and likely prevent the system from rebooting, showing you have reproduced the issue.

If you never see the WARN, the bug has been mitigated, though it can still happen if we modify the reproducer slightly to also change net_cls.classid.

Cascardo.

Khaled El Mously (kmously) on 2020-07-09

Changed in linux (Ubuntu Eoan):
status:	In Progress → Fix Committed
Changed in linux (Ubuntu Focal):
status:	In Progress → Fix Committed

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2020-07-10:

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: verification-needed-bionic

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2020-07-11:

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: verification-needed-focal

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2020-07-12:

#10

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-eoan' to 'verification-done-eoan'. If the problem still exists, change the tag 'verification-needed-eoan' to 'verification-failed-eoan'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: verification-needed-eoan

Revision history for this message

Kleber Sacilotto de Souza (kleber-souza) wrote on 2020-07-13:

#11

I confirm that I can't reproduce the bug with the reproducer from comment #7 with bionic/linux 4.15.0-111.

tags:

added: verification-done-bionic
removed: verification-needed-bionic

Revision history for this message

Sean Groarke (sgroarke) wrote on 2020-07-13:

#12

Concur. Previously in bionic 4.15.0-109 I would get this within 5 or 6 hours *max* (often much less) with 4.15.0-111 I'm at about 24 hours so far and no sign. Looks good.

Revision history for this message

Launchpad Janitor (janitor) wrote on 2020-07-13:

#13

This bug was fixed in the package linux - 4.15.0-111.112

---------------
linux (4.15.0-111.112) bionic; urgency=medium

* bionic/linux: 4.15.0-111.112 -proposed tracker (LP: #1886999)

* Bionic update: upstream stable patchset 2020-05-07 (LP: #1877461)
- SAUCE: mlxsw: Add missmerged ERR_PTR hunk

* linux 4.15.0-109-generic network DoS regression vs -108 (LP: #1886668)
- SAUCE: Revert "netprio_cgroup: Fix unlimited memory leak of v2 cgroups"

-- Khalid Elmously <email address hidden> Thu, 09 Jul 2020 16:03:14 -0400

Changed in linux (Ubuntu Bionic):
status:	Fix Committed → Fix Released

Revision history for this message

Ubuntu SRU Bot (ubuntu-sru-bot) wrote on 2020-07-14: Autopkgtest regression report (linux-gcp-5.4/5.4.0-1021.21~18.04.1)

#14

All autopkgtests for the newly accepted linux-gcp-5.4 (5.4.0-1021.21~18.04.1) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

zfs-linux/0.7.5-1ubuntu16.9 (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#linux-gcp-5.4

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Revision history for this message

Ubuntu SRU Bot (ubuntu-sru-bot) wrote on 2020-07-14: Autopkgtest regression report (linux-azure-5.3/5.3.0-1034.35~18.04.1)

#15

All autopkgtests for the newly accepted linux-azure-5.3 (5.3.0-1034.35~18.04.1) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

zfs-linux/0.7.5-1ubuntu16.9 (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#linux-azure-5.3

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Revision history for this message

Ubuntu SRU Bot (ubuntu-sru-bot) wrote on 2020-07-15: Autopkgtest regression report (linux-aws-5.3/5.3.0-1032.34~18.04.1)

#16

All autopkgtests for the newly accepted linux-aws-5.3 (5.3.0-1032.34~18.04.1) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

zfs-linux/0.7.5-1ubuntu16.9 (arm64, amd64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#linux-aws-5.3

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Revision history for this message

Ubuntu SRU Bot (ubuntu-sru-bot) wrote on 2020-07-15: Autopkgtest regression report (linux-aws-5.4/5.4.0-1020.20~18.04.2)

#17

All autopkgtests for the newly accepted linux-aws-5.4 (5.4.0-1020.20~18.04.2) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

zfs-linux/0.7.5-1ubuntu16.9 (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#linux-aws-5.4

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Revision history for this message

Ubuntu SRU Bot (ubuntu-sru-bot) wrote on 2020-07-16: Autopkgtest regression report (linux-gcp-5.3/5.3.0-1032.34~18.04.1)

#18

All autopkgtests for the newly accepted linux-gcp-5.3 (5.3.0-1032.34~18.04.1) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

zfs-linux/0.7.5-1ubuntu16.9 (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#linux-gcp-5.3

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Revision history for this message

Launchpad Janitor (janitor) wrote on 2020-07-20:

#19

This bug was fixed in the package linux - 5.4.0-42.46

---------------
linux (5.4.0-42.46) focal; urgency=medium

* focal/linux: 5.4.0-42.46 -proposed tracker (LP: #1887069)

* linux 4.15.0-109-generic network DoS regression vs -108 (LP: #1886668)
- SAUCE: Revert "netprio_cgroup: Fix unlimited memory leak of v2 cgroups"

linux (5.4.0-41.45) focal; urgency=medium

* focal/linux: 5.4.0-41.45 -proposed tracker (LP: #1885855)

* Packaging resync (LP: #1786013)
- update dkms package versions

* CVE-2019-19642
- kernel/relay.c: handle alloc_percpu returning NULL in relay_open

* CVE-2019-16089
- SAUCE: nbd_genl_status: null check for nla_nest_start

* CVE-2020-11935
- aufs: do not call i_readcount_inc()

  * ip_defrag.sh in net from ubuntu_kernel_selftests failed with 5.0 / 5.3 / 5.4
    kernel (LP: #1826848)
    - selftests: net: ip_defrag: ignore EPERM

* Update lockdown patches (LP: #1884159)
- SAUCE: acpi: disallow loading configfs acpi tables when locked down

* seccomp_bpf fails on powerpc (LP: #1885757)
- SAUCE: selftests/seccomp: fix ptrace tests on powerpc

  * Introduce the new NVIDIA 418-server and 440-server series, and update the
    current NVIDIA drivers (LP: #1881137)
    - [packaging] add signed modules for the 418-server and the 440-server
      flavours

-- Khalid Elmously <email address hidden> Thu, 09 Jul 2020 19:50:26 -0400

Changed in linux (Ubuntu Focal):
status:	Fix Committed → Fix Released

Revision history for this message

Janåke Rönnblom (jan-ake) wrote on 2020-07-23:

#20

I think this is needed in linux-generic-hwe-18.04.

We get similar crashes with 5.3.0.62

Revision history for this message

Matthias Köhne (mattone) wrote on 2020-07-23:

#21

I was also affected in bionic (linux-image-5.3.0-62-generic), but (since today?) there is an update available: linux-image-5.4.0-42-generic (5.4.0-42.46~18.04.1)

Revision history for this message

Launchpad Janitor (janitor) wrote on 2020-07-27:

#22

Download full text (30.5 KiB)

This bug was fixed in the package linux - 5.3.0-64.58

---------------
linux (5.3.0-64.58) eoan; urgency=medium

* eoan/linux: 5.3.0-64.58 -proposed tracker (LP: #1887088)

* linux 4.15.0-109-generic network DoS regression vs -108 (LP: #1886668)
- SAUCE: Revert "netprio_cgroup: Fix unlimited memory leak of v2 cgroups"

linux (5.3.0-63.57) eoan; urgency=medium

* eoan/linux: 5.3.0-63.57 -proposed tracker (LP: #1885495)

* seccomp_bpf fails on powerpc (LP: #1885757)
- SAUCE: selftests/seccomp: fix ptrace tests on powerpc

  * The thread level parallelism would be a bottleneck when searching for the
    shared pmd by using hugetlbfs (LP: #1882039)
    - hugetlbfs: take read_lock on i_mmap for PMD sharing

This bug was fixed in the package linux - 5.3.0-64.58

---------------
linux (5.3.0-64.58) eoan; urgency=medium

* eoan/linux: 5.3.0-64.58 -proposed tracker (LP: #1887088)

* linux 4.15.0-109-generic network DoS regression vs -108 (LP: #1886668)
    - SAUCE: Revert "netprio_cgroup: Fix unlimited memory leak of v2 cgroups"

linux (5.3.0-63.57) eoan; urgency=medium

* eoan/linux: 5.3.0-63.57 -proposed tracker (LP: #1885495)

* seccomp_bpf fails on powerpc (LP: #1885757)
    - SAUCE: selftests/seccomp: fix ptrace tests on powerpc

* The thread level parallelism would be a bottleneck when searching for the
    shared pmd by using hugetlbfs (LP: #1882039)
    - hugetlbfs: take read_lock on i_mmap for PMD sharing

* Eoan update: upstream stable patchset 2020-06-30 (LP: #1885775)
    - ipv6: fix IPV6_ADDRFORM operation logic
    - net_failover: fixed rollback in net_failover_open()
    - bridge: Avoid infinite loop when suppressing NS messages with invalid
      options
    - vxlan: Avoid infinite loop when suppressing NS messages with invalid options
    - tun: correct header offsets in napi frags mode
    - Input: mms114 - fix handling of mms345l
    - ARM: 8977/1: ptrace: Fix mask for thumb breakpoint hook
    - sched/fair: Don't NUMA balance for kthreads
    - Input: synaptics - add a second working PNP_ID for Lenovo T470s
    - drivers/net/ibmvnic: Update VNIC protocol version reporting
    - powerpc/xive: Clear the page tables for the ESB IO mapping
    - ath9k_htc: Silence undersized packet warnings
    - RDMA/uverbs: Make the event_queue fds return POLLERR when disassociated
    - x86/cpu/amd: Make erratum #1054 a legacy erratum
    - perf probe: Accept the instance number of kretprobe event
    - mm: add kvfree_sensitive() for freeing sensitive data objects
    - aio: fix async fsync creds
    - x86_64: Fix jiffies ODR violation
    - x86/PCI: Mark Intel C620 MROMs as having non-compliant BARs
    - x86/speculation: Prevent rogue cross-process SSBD shutdown
    - x86/reboot/quirks: Add MacBook6,1 reboot quirk
    - efi/efivars: Add missing kobject_put() in sysfs entry creation error path
    - ALSA: es1688: Add the missed snd_card_free()
    - ALSA: hda/realtek - add a pintbl quirk for several Lenovo machines
    - ALSA: usb-audio: Fix inconsistent card PM state after resume
    - ALSA: usb-audio: Add vendor, product and profile name for HP Thunderbolt
      Dock
    - ACPI: sysfs: Fix reference count leak in acpi_sysfs_add_hotplug_profile()
    - ACPI: CPPC: Fix reference count leak in acpi_cppc_processor_probe()
    - ACPI: GED: add support for _Exx / _Lxx handler methods
    - ACPI: PM: Avoid using power resources if there are none for D0
    - nilfs2: fix null pointer dereference at nilfs_segctor_do_construct()
    - spi: dw: Fix controller unregister order
    - spi: bcm2835aux: Fix controller unregister order
    - spi: bcm-qspi: when tx/rx buffer is NULL set to 0
    - PM: runtime: clk: Fix clk_pm_runtime_get() error path
    - crypto: cavium/nitrox - Fix 'nitrox_get_first_device()' when ndevlist is
      fully iterated
    - ALSA: pcm: disallow linking stream to itself
    - x86/{mce,mm}: Unmap the entire page if the whole page is affected and
      poisoned
    - KVM: x86: Fix APIC page invalidation race
    - KVM: x86/mmu: Consolidate "is MMIO SPTE" code
    - KVM: x86: only do L1TF workaround on affected processors
    - x86/speculation: Avoid force-disabling IBPB based on STIBP and enhanced
      IBRS.
    - x86/speculation: PR_SPEC_FORCE_DISABLE enforcement for indirect branches.
    - spi: Fix controller unregister order
    - spi: pxa2xx: Fix controller unregister order
    - spi: bcm2835: Fix controller unregister order
    - spi: pxa2xx: Fix runtime PM ref imbalance on probe error
    - crypto: virtio: Fix use-after-free in virtio_crypto_skcipher_finalize_req()
    - crypto: virtio: Fix src/dst scatterlist calculation in
      __virtio_crypto_skcipher_do_req()
    - crypto: virtio: Fix dest length calculation in
      __virtio_crypto_skcipher_do_req()
    - selftests/net: in rxtimestamp getopt_long needs terminating null entry
    - ovl: initialize error in ovl_copy_xattr
    - proc: Use new_inode not new_inode_pseudo
    - video: fbdev: w100fb: Fix a potential double free.
    - KVM: nSVM: fix condition for filtering async PF
    - KVM: nSVM: leave ASID aside in copy_vmcb_control_area
    - KVM: nVMX: Consult only the "basic" exit reason when routing nested exit
    - KVM: MIPS: Define KVM_ENTRYHI_ASID to cpu_asid_mask(&boot_cpu_data)
    - KVM: MIPS: Fix VPN2_MASK definition for variable cpu_vmbits
    - KVM: arm64: Make vcpu_cp1x() work on Big Endian hosts
    - scsi: megaraid_sas: TM command refire leads to controller firmware crash
    - ath9k: Fix use-after-free Read in ath9k_wmi_ctrl_rx
    - ath9k: Fix use-after-free Write in ath9k_htc_rx_msg
    - ath9x: Fix stack-out-of-bounds Write in ath9k_hif_usb_rx_cb
    - ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb
    - Smack: slab-out-of-bounds in vsscanf
    - drm/vkms: Hold gem object while still in-use
    - mm/slub: fix a memory leak in sysfs_slab_add()
    - fat: don't allow to mount if the FAT length == 0
    - perf: Add cond_resched() to task_function_call()
    - agp/intel: Reinforce the barrier after GTT updates
    - mmc: sdhci-msm: Clear tuning done flag while hs400 tuning
    - ARM: dts: at91: sama5d2_ptc_ek: fix sdmmc0 node description
    - mmc: sdio: Fix potential NULL pointer error in mmc_sdio_init_card()
    - xen/pvcalls-back: test for errors when calling backend_connect()
    - KVM: arm64: Synchronize sysreg state on injecting an AArch32 exception
    - ACPI: GED: use correct trigger type field in _Exx / _Lxx handling
    - drm: bridge: adv7511: Extend list of audio sample rates
    - crypto: ccp -- don't "select" CONFIG_DMADEVICES
    - media: si2157: Better check for running tuner in init
    - objtool: Ignore empty alternatives
    - spi: pxa2xx: Apply CS clk quirk to BXT
    - net: atlantic: make hw_get_regs optional
    - net: ena: fix error returning in ena_com_get_hash_function()
    - efi/libstub/x86: Work around LLVM ELF quirk build regression
    - arm64: cacheflush: Fix KGDB trap detection
    - spi: dw: Zero DMA Tx and Rx configurations on stack
    - arm64: insn: Fix two bugs in encoding 32-bit logical immediates
    - ixgbe: Fix XDP redirect on archs with PAGE_SIZE above 4K
    - MIPS: Loongson: Build ATI Radeon GPU driver as module
    - Bluetooth: Add SCO fallback for invalid LMP parameters error
    - kgdb: Disable WARN_CONSOLE_UNLOCKED for all kgdb
    - kgdb: Prevent infinite recursive entries to the debugger
    - spi: dw: Enable interrupts in accordance with DMA xfer mode
    - clocksource: dw_apb_timer: Make CPU-affiliation being optional
    - clocksource: dw_apb_timer_of: Fix missing clockevent timers
    - btrfs: do not ignore error from btrfs_next_leaf() when inserting checksums
    - ARM: 8978/1: mm: make act_mm() respect THREAD_SIZE
    - batman-adv: Revert "disable ethtool link speed detection when auto
      negotiation off"
    - mmc: meson-mx-sdio: trigger a soft reset after a timeout or CRC error
    - spi: dw: Fix Rx-only DMA transfers
    - x86/kvm/hyper-v: Explicitly align hcall param for kvm_hyperv_exit
    - net: vmxnet3: fix possible buffer overflow caused by bad DMA value in
      vmxnet3_get_rss()
    - staging: android: ion: use vmap instead of vm_map_ram
    - brcmfmac: fix wrong location to get firmware feature
    - tools api fs: Make xxx__mountpoint() more scalable
    - e1000: Distribute switch variables for initialization
    - dt-bindings: display: mediatek: control dpi pins mode to avoid leakage
    - audit: fix a net reference leak in audit_send_reply()
    - media: dvb: return -EREMOTEIO on i2c transfer failure.
    - media: platform: fcp: Set appropriate DMA parameters
    - MIPS: Make sparse_init() using top-down allocation
    - Bluetooth: btbcm: Add 2 missing models to subver tables
    - audit: fix a net reference leak in audit_list_rules_send()
    - netfilter: nft_nat: return EOPNOTSUPP if type or flags are not supported
    - selftests/bpf: Fix memory leak in extract_build_id()
    - net: bcmgenet: set Rx mode before starting netif
    - lib/mpi: Fix 64-bit MIPS build with Clang
    - exit: Move preemption fixup up, move blocking operations down
    - sched/core: Fix illegal RCU from offline CPUs
    - drivers/perf: hisi: Fix typo in events attribute array
    - net: lpc-enet: fix error return code in lpc_mii_init()
    - media: cec: silence shift wrapping warning in __cec_s_log_addrs()
    - net: allwinner: Fix use correct return type for ndo_start_xmit()
    - powerpc/spufs: fix copy_to_user while atomic
    - xfs: clean up the error handling in xfs_swap_extents
    - Crypto/chcr: fix for ccm(aes) failed test
    - MIPS: Truncate link address into 32bit for 32bit kernel
    - mips: cm: Fix an invalid error code of INTVN_*_ERR
    - kgdb: Fix spurious true from in_dbg_master()
    - xfs: reset buffer write failure state on successful completion
    - xfs: fix duplicate verification from xfs_qm_dqflush()
    - platform/x86: intel-vbtn: Use acpi_evaluate_integer()
    - platform/x86: intel-vbtn: Split keymap into buttons and switches parts
    - platform/x86: intel-vbtn: Do not advertise switches to userspace if they are
      not there
    - platform/x86: intel-vbtn: Also handle tablet-mode switch on "Detachable" and
      "Portable" chassis-types
    - nvme: refine the Qemu Identify CNS quirk
    - ath10k: Remove msdu from idr when management pkt send fails
    - wcn36xx: Fix error handling path in 'wcn36xx_probe()'
    - net: qed*: Reduce RX and TX default ring count when running inside kdump
      kernel
    - mt76: avoid rx reorder buffer overflow
    - md: don't flush workqueue unconditionally in md_open
    - veth: Adjust hard_start offset on redirect XDP frames
    - net/mlx5e: IPoIB, Drop multicast packets that this interface sent
    - rtlwifi: Fix a double free in _rtl_usb_tx_urb_setup()
    - mwifiex: Fix memory corruption in dump_station
    - x86/boot: Correct relocation destination on old linkers
    - mips: MAAR: Use more precise address mask
    - mips: Add udelay lpj numbers adjustment
    - crypto: stm32/crc32 - fix ext4 chksum BUG_ON()
    - crypto: stm32/crc32 - fix run-time self test issue.
    - crypto: stm32/crc32 - fix multi-instance
    - x86/mm: Stop printing BRK addresses
    - m68k: mac: Don't call via_flush_cache() on Mac IIfx
    - btrfs: qgroup: mark qgroup inconsistent if we're inherting snapshot to a new
      qgroup
    - macvlan: Skip loopback packets in RX handler
    - PCI: Don't disable decoding when mmio_always_on is set
    - MIPS: Fix IRQ tracing when call handle_fpe() and handle_msa_fpe()
    - bcache: fix refcount underflow in bcache_device_free()
    - mmc: sdhci-msm: Set SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12 quirk
    - staging: greybus: sdio: Respect the cmd->busy_timeout from the mmc core
    - mmc: via-sdmmc: Respect the cmd->busy_timeout from the mmc core
    - ixgbe: fix signed-integer-overflow warning
    - mmc: sdhci-esdhc-imx: fix the mask for tuning start point
    - spi: dw: Return any value retrieved from the dma_transfer callback
    - cpuidle: Fix three reference count leaks
    - platform/x86: hp-wmi: Convert simple_strtoul() to kstrtou32()
    - platform/x86: intel-hid: Add a quirk to support HP Spectre X2 (2015)
    - platform/x86: intel-vbtn: Only blacklist SW_TABLET_MODE on the 9 / "Laptop"
      chasis-type
    - string.h: fix incompatibility between FORTIFY_SOURCE and KASAN
    - btrfs: include non-missing as a qualifier for the latest_bdev
    - btrfs: send: emit file capabilities after chown
    - mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked()
    - mm: initialize deferred pages with interrupts enabled
    - ima: Fix ima digest hash table key calculation
    - ima: Directly assign the ima_default_policy pointer to ima_rules
    - evm: Fix possible memory leak in evm_calc_hmac_or_hash()
    - ext4: fix EXT_MAX_EXTENT/INDEX to check for zeroed eh_max
    - ext4: fix error pointer dereference
    - ext4: fix race between ext4_sync_parent() and rename()
    - PCI: Avoid Pericom USB controller OHCI/EHCI PME# defect
    - PCI: Add ACS quirk for iProc PAXB
    - PCI: Add ACS quirk for Intel Root Complex Integrated Endpoints
    - PCI: mediatek: Add controller support for MT7629
    - ALSA: lx6464es - add support for LX6464ESe pci express variant
    - PCI: Add Genesys Logic, Inc. Vendor ID
    - PCI: Add Amazon's Annapurna Labs vendor ID
    - PCI: vmd: Add device id for VMD device 8086:9A0B
    - x86/amd_nb: Add Family 19h PCI IDs
    - PCI: Add Loongson vendor ID
    - serial: 8250_pci: Move Pericom IDs to pci_ids.h
    - btrfs: fix error handling when submitting direct I/O bio
    - btrfs: fix wrong file range cleanup after an error filling dealloc range
    - ima: Call ima_calc_boot_aggregate() in ima_eventdigest_init()
    - PCI: Program MPS for RCiEP devices
    - e1000e: Relax condition to trigger reset for ME workaround
    - carl9170: remove P2P_GO support
    - media: go7007: fix a miss of snd_card_free
    - Bluetooth: hci_bcm: fix freeing not-requested IRQ
    - b43legacy: Fix case where channel status is corrupted
    - b43: Fix connection problem with WPA3
    - b43_legacy: Fix connection problem with WPA3
    - media: ov5640: fix use of destroyed mutex
    - igb: Report speed and duplex as unknown when device is runtime suspended
    - power: vexpress: add suppress_bind_attrs to true
    - pinctrl: samsung: Correct setting of eint wakeup mask on s5pv210
    - pinctrl: samsung: Save/restore eint_mask over suspend for EINT_TYPE GPIOs
    - gnss: sirf: fix error return code in sirf_probe()
    - sparc32: fix register window handling in genregs32_[gs]et()
    - sparc64: fix misuses of access_process_vm() in genregs32_[sg]et()
    - dm crypt: avoid truncating the logical block size
    - alpha: fix memory barriers so that they conform to the specification
    - kernel/cpu_pm: Fix uninitted local in cpu_pm
    - ARM: tegra: Correct PL310 Auxiliary Control Register initialization
    - ARM: dts: exynos: Fix GPIO polarity for thr GalaxyS3 CM36651 sensor's bus
    - ARM: dts: at91: sama5d2_ptc_ek: fix vbus pin
    - ARM: dts: s5pv210: Set keep-power-in-suspend for SDHCI1 on Aries
    - drivers/macintosh: Fix memleak in windfarm_pm112 driver
    - powerpc/64s: Don't let DT CPU features set FSCR_DSCR
    - powerpc/64s: Save FSCR to init_task.thread.fscr after feature init
    - kbuild: force to build vmlinux if CONFIG_MODVERSION=y
    - sunrpc: svcauth_gss_register_pseudoflavor must reject duplicate
      registrations.
    - sunrpc: clean up properly in gss_mech_unregister()
    - mtd: rawnand: brcmnand: fix hamming oob layout
    - mtd: rawnand: pasemi: Fix the probe error path
    - w1: omap-hdq: cleanup to add missing newline for some dev_dbg
    - perf probe: Do not show the skipped events
    - perf probe: Fix to check blacklist address correctly
    - perf probe: Check address correctness by map instead of _etext
    - perf symbols: Fix debuginfo search for Ubuntu
    - mlxsw: core: Use different get_trend() callbacks for different thermal zones
    - elfnote: mark all .note sections SHF_ALLOC
    - csky: Fixup abiv2 syscall_trace break a4 & a5
    - gfs2: Even more gfs2_find_jhead fixes
    - spi: dw: Fix native CS being unset
    - s390/pci: Log new handle in clp_disable_fh()
    - PCI/PM: Adjust pcie_wait_for_link_delay() for caller delay
    - selftests: fix flower parent qdisc
    - fanotify: fix ignore mask logic for events on child and on dir
    - perf/x86/intel: Add more available bits for OFFCORE_RESPONSE of Intel
      Tremont
    - KVM: x86: respect singlestep when emulating instruction
    - powerpc/ptdump: Properly handle non standard page size
    - ASoC: max9867: fix volume controls
    - io_uring: use kvfree() in io_sqe_buffer_register()
    - smb3: fix incorrect number of credits when ioctl MaxOutputResponse > 64K
    - smb3: add indatalen that can be a non-zero value to calculation of credit
      charge in smb2 ioctl
    - watchdog: imx_sc_wdt: Fix reboot on crash
    - ALSA: fireface: fix configuration error for nominal sampling transfer
      frequency
    - ALSA: pcm: fix snd_pcm_link() lockdep splat
    - arm64: acpi: fix UBSAN warning
    - lib/lzo: fix ambiguous encoding bug in lzo-rle
    - spi: bcm-qspi: Handle clock probe deferral
    - gup: document and work around "COW can break either way" issue
    - crypto: algapi - Avoid spurious modprobe on LOADED
    - crypto: drbg - fix error return code in drbg_alloc_state()
    - firmware: imx: warn on unexpected RX
    - firmware: imx-scu: Support one TX and one RX
    - firmware: imx: scu: Fix corruption of header
    - dccp: Fix possible memleak in dccp_init and dccp_fini
    - net/mlx5: drain health workqueue in case of driver load error
    - net/mlx5: Fix fatal error handling during device load
    - net/mlx5e: Fix repeated XSK usage on one channel
    - remoteproc: Fall back to using parent memory pool if no dedicated available
    - remoteproc: Fix and restore the parenting hierarchy for vdev
    - cpufreq: Fix up cpufreq_boost_set_sw()
    - EDAC/skx: Use the mcmtr register to retrieve close_pg/bank_xor_enable
    - video: vt8500lcdfb: fix fallthrough warning
    - KVM: nVMX: Skip IBPB when switching between vmcs01 and vmcs02
    - KVM: arm64: Stop writing aarch32's CSSELR into ACTLR
    - selftests/ftrace: Return unsupported if no error_log file
    - mmc: mmci_sdmmc: fix DMA API warning overlapping mappings
    - mmc: tmio: Further fixup runtime PM management at remove
    - mmc: uniphier-sd: call devm_request_irq() after tmio_mmc_host_probe()
    - mmc: sdio: Fix several potential memory leaks in mmc_sdio_init_card()
    - block/floppy: fix contended case in floppy_queue_rq()
    - KVM: arm64: Save the host's PtrAuth keys in non-preemptible context

* Eoan update: upstream stable patchset 2020-06-24 (LP: #1885011)
    - devinet: fix memleak in inetdev_init()
    - l2tp: add sk_family checks to l2tp_validate_socket
    - l2tp: do not use inet_hash()/inet_unhash()
    - net: usb: qmi_wwan: add Telit LE910C1-EUX composition
    - NFC: st21nfca: add missed kfree_skb() in an error path
    - vsock: fix timeout in vsock_accept()
    - net: check untrusted gso_size at kernel entry
    - USB: serial: qcserial: add DW5816e QDL support
    - USB: serial: usb_wwan: do not resubmit rx urb on fatal errors
    - USB: serial: option: add Telit LE910C1-EUX compositions
    - iio: vcnl4000: Fix i2c swapped word reading.
    - usb: musb: start session in resume for host port
    - usb: musb: Fix runtime PM imbalance on error
    - vt: keyboard: avoid signed integer overflow in k_ascii
    - tty: hvc_console, fix crashes on parallel open/close
    - staging: rtl8712: Fix IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK
    - CDC-ACM: heed quirk also in error handling
    - nvmem: qfprom: remove incorrect write support
    - uprobes: ensure that uprobe->offset and ->ref_ctr_offset are properly
      aligned
    - Revert "net/mlx5: Annotate mutex destroy for root ns"
    - net/mlx5: Fix crash upon suspend/resume
    - net: stmmac: enable timestamp snapshot for required PTP packets in dwmac
      v5.10a
    - nfp: flower: fix used time of merge flow statistics
    - net: be more gentle about silly gso requests coming from user
    - USB: serial: ch341: add basis for quirk detection
    - iio:chemical:sps30: Fix timestamp alignment
    - iio:chemical:pms7003: Fix timestamp alignment and prevent data leak.
    - iio: adc: stm32-adc: fix a wrong error message when probing interrupts

* Eoan update: upstream stable patchset 2020-06-19 (LP: #1884296)
    - Revert "cgroup: Add memory barriers to plug cgroup_rstat_updated() race
      window"
    - HID: sony: Fix for broken buttons on DS3 USB dongles
    - HID: i2c-hid: add Schneider SCL142ALM to descriptor override
    - p54usb: add AirVasT USB stick device-id
    - mmc: fix compilation of user API
    - scsi: ufs: Release clock if DMA map fails
    - net: dsa: mt7530: set CPU port to fallback mode
    - airo: Fix read overflows sending packets
    - powerpc/powernv: Avoid re-registration of imc debugfs directory
    - s390/ftrace: save traced function caller
    - ARC: Fix ICCM & DCCM runtime size checks
    - ARC: [plat-eznps]: Restrict to CONFIG_ISA_ARCOMPACT
    - evm: Fix RCU list related warnings
    - i2c: altera: Fix race between xfer_msg and isr thread
    - x86/mmiotrace: Use cpumask_available() for cpumask_var_t variables
    - net: bmac: Fix read of MAC address from ROM
    - drm/edid: Add Oculus Rift S to non-desktop list
    - s390/mm: fix set_huge_pte_at() for empty ptes
    - null_blk: return error for invalid zone size
    - net/ethernet/freescale: rework quiesce/activate for ucc_geth
    - net: ethernet: stmmac: Enable interface clocks on probe for IPQ806x
    - net: smsc911x: Fix runtime PM imbalance on error
    - HID: multitouch: add support for the Smart Tech panel
    - HID: multitouch: enable multi-input as a quirk for some devices
    - mt76: mt76x02u: Add support for newer versions of the XBox One wifi adapter
    - media: Revert "staging: imgu: Address a compiler warning on alignment"
    - media: staging: ipu3-imgu: Move alignment attribute to field
    - ASoC: intel - fix the card names
    - RDMA/qedr: Fix qpids xarray api used
    - RDMA/qedr: Fix synchronization methods and memory leaks in qedr
    - io_uring: initialize ctx->sqo_wait earlier
    - selftests: mlxsw: qos_mc_aware: Specify arping timeout as an integer

* Eoan update: upstream stable patchset 2020-06-09 (LP: #1882831)
    - ax25: fix setsockopt(SO_BINDTODEVICE)
    - dpaa_eth: fix usage as DSA master, try 3
    - net: dsa: mt7530: fix roaming from DSA user ports
    - __netif_receive_skb_core: pass skb by reference
    - net: inet_csk: Fix so_reuseport bind-address cache in tb->fast*
    - net: ipip: fix wrong address family in init error path
    - net/mlx5: Add command entry handling completion
    - net: qrtr: Fix passing invalid reference to qrtr_local_enqueue()
    - net: revert "net: get rid of an signed integer overflow in
      ip_idents_reserve()"
    - net sched: fix reporting the first-time use timestamp
    - r8152: support additional Microsoft Surface Ethernet Adapter variant
    - sctp: Don't add the shutdown timer if its already been added
    - sctp: Start shutdown on association restart if in SHUTDOWN-SENT state and
      socket is closed
    - net/mlx5e: Update netdev txq on completions during closure
    - net/mlx5: Annotate mutex destroy for root ns
    - net: sun: fix missing release regions in cas_init_one().
    - net/mlx4_core: fix a memory leak bug.
    - mlxsw: spectrum: Fix use-after-free of split/unsplit/type_set in case reload
      fails
    - ARM: dts: rockchip: fix phy nodename for rk3228-evb
    - arm64: dts: rockchip: fix status for &gmac2phy in rk3328-evb.dts
    - arm64: dts: rockchip: swap interrupts interrupt-names rk3399 gpu node
    - ARM: dts: rockchip: swap clock-names of gpu nodes
    - ARM: dts: rockchip: fix pinctrl sub nodename for spi in rk322x.dtsi
    - gpio: tegra: mask GPIO IRQs during IRQ shutdown
    - ALSA: usb-audio: add mapping for ASRock TRX40 Creator
    - net: microchip: encx24j600: add missed kthread_stop
    - gfs2: move privileged user check to gfs2_quota_lock_check
    - cachefiles: Fix race between read_waiter and read_copier involving op->to_do
    - usb: dwc3: pci: Enable extcon driver for Intel Merrifield
    - usb: gadget: legacy: fix redundant initialization warnings
    - net: freescale: select CONFIG_FIXED_PHY where needed
    - IB/i40iw: Remove bogus call to netdev_master_upper_dev_get()
    - riscv: stacktrace: Fix undefined reference to `walk_stackframe'
    - cifs: Fix null pointer check in cifs_read
    - samples: bpf: Fix build error
    - Input: usbtouchscreen - add support for BonXeon TP
    - Input: evdev - call input_flush_device() on release(), not flush()
    - Input: xpad - add custom init packet for Xbox One S controllers
    - Input: dlink-dir685-touchkeys - fix a typo in driver name
    - Input: i8042 - add ThinkPad S230u to i8042 reset list
    - Input: synaptics-rmi4 - really fix attn_data use-after-free
    - Input: synaptics-rmi4 - fix error return code in rmi_driver_probe()
    - ARM: 8970/1: decompressor: increase tag size
    - ARM: uaccess: consolidate uaccess asm to asm/uaccess-asm.h
    - ARM: uaccess: integrate uaccess_save and uaccess_restore
    - ARM: uaccess: fix DACR mismatch with nested exceptions
    - gpio: exar: Fix bad handling for ida_simple_get error path
    - IB/qib: Call kobject_put() when kobject_init_and_add() fails
    - ARM: dts/imx6q-bx50v3: Set display interface clock parents
    - ARM: dts: bcm2835-rpi-zero-w: Fix led polarity
    - ARM: dts: bcm: HR2: Fix PPI interrupt types
    - mmc: block: Fix use-after-free issue for rpmb
    - RDMA/pvrdma: Fix missing pci disable in pvrdma_pci_probe()
    - ALSA: hwdep: fix a left shifting 1 by 31 UB bug
    - ALSA: hda/realtek - Add a model for Thinkpad T570 without DAC workaround
    - ALSA: usb-audio: mixer: volume quirk for ESS Technology Asus USB DAC
    - exec: Always set cap_ambient in cap_bprm_set_creds
    - ALSA: usb-audio: Quirks for Gigabyte TRX40 Aorus Master onboard audio
    - ALSA: hda/realtek - Add new codec supported for ALC287
    - libceph: ignore pool overlay and cache logic on redirects
    - IB/ipoib: Fix double free of skb in case of multicast traffic in CM mode
    - mm: remove VM_BUG_ON(PageSlab()) from page_mapcount()
    - fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info()
    - include/asm-generic/topology.h: guard cpumask_of_node() macro argument
    - iommu: Fix reference count leak in iommu_group_alloc.
    - parisc: Fix kernel panic in mem_init()
    - RDMA/core: Fix double destruction of uobject
    - mac80211: mesh: fix discovery timer re-arming issue / crash
    - x86/dma: Fix max PFN arithmetic overflow on 32 bit systems
    - copy_xstate_to_kernel(): don't leave parts of destination uninitialized
    - xfrm: allow to accept packets with ipv6 NEXTHDR_HOP in xfrm_input
    - xfrm: call xfrm_output_gso when inner_protocol is set in xfrm_output
    - xfrm interface: fix oops when deleting a x-netns interface
    - xfrm: fix a warning in xfrm_policy_insert_list
    - xfrm: fix a NULL-ptr deref in xfrm_local_error
    - xfrm: fix error in comment
    - ip_vti: receive ipip packet by calling ip_tunnel_rcv
    - netfilter: nft_reject_bridge: enable reject with bridge vlan
    - netfilter: ipset: Fix subcounter update skip
    - netfilter: nfnetlink_cthelper: unbreak userspace helper support
    - netfilter: nf_conntrack_pptp: prevent buffer overflows in debug code
    - esp6: get the right proto for transport mode in esp6_gso_encap
    - bnxt_en: Fix accumulation of bp->net_stats_prev.
    - xsk: Add overflow check for u64 division, stored into u32
    - qlcnic: fix missing release in qlcnic_83xx_interrupt_test.
    - crypto: chelsio/chtls: properly set tp->lsndtime
    - bonding: Fix reference count leak in bond_sysfs_slave_add.
    - netfilter: nf_conntrack_pptp: fix compilation warning with W=1 build
    - net: don't return invalid table id error when we fall back to PF_UNSPEC
    - net: ethernet: ti: cpsw: fix ASSERT_RTNL() warning during suspend
    - net: mvpp2: fix RX hashing for non-10G ports
    - net: nlmsg_cancel() if put fails for nhmsg
    - net/tls: fix race condition causing kernel panic
    - nexthop: Fix attribute checking for groups
    - tipc: block BH before using dst_cache
    - net/mlx5e: kTLS, Destroy key object after destroying the TIS
    - net/mlx5e: Fix inner tirs handling
    - net/mlx5: Fix memory leak in mlx5_events_init
    - net/mlx5: Fix error flow in case of function_setup failure
    - net/tls: fix encryption error checking
    - net/tls: free record only on encryption error
    - gfs2: Grab glock reference sooner in gfs2_add_revoke
    - drm/amd/powerplay: perform PG ungate prior to CG ungate
    - usb: phy: twl6030-usb: Fix a resource leak in an error handling path in
      'twl6030_usb_probe()'
    - clk: ti: am33xx: fix RTC clock parent
    - csky: Fixup msa highest 3 bits mask
    - csky: Fixup perf callchain unwind
    - csky: Fixup remove duplicate irq_disable
    - csky: Fixup raw_copy_from_user()
    - arm64: dts: mt8173: fix vcodec-enc clock
    - soc: mediatek: cmdq: return send msg error code
    - gpu/drm: Ingenic: Fix opaque pointer casted to wrong type
    - gpio: pxa: Fix return value of pxa_gpio_probe()
    - gpio: bcm-kona: Fix return value of bcm_kona_gpio_probe()
    - ceph: flush release queue when handling caps for unknown inode
    - drm/amd/display: drop cursor position check in atomic test
    - Revert "block: end bio with BLK_STS_AGAIN in case of non-mq devs and
      REQ_NOWAIT"
    - gpio: fix locking open drain IRQ lines
    - xfrm: do pskb_pull properly in __xfrm_transport_prep
    - xfrm: remove the xfrm_state_put call becofe going to out_reset
    - netfilter: conntrack: make conntrack userspace helpers work again
    - ieee80211: Fix incorrect mask for default PE duration
    - nexthops: Move code from remove_nexthop_from_groups to remove_nh_grp_entry
    - nexthops: don't modify published nexthop groups
    - nexthop: Expand nexthop_is_multipath in a few places
    - ipv4: nexthop version of fib_info_nh_uses_dev
    - netfilter: conntrack: comparison of unsigned in cthelper confirmation
    - netfilter: conntrack: Pass value of ctinfo to __nf_conntrack_update
    - perf: Make perf able to build with latest libbfd

* shiftfs: O_TMPFILE reports ESTALE (LP: #1872757)
    - SAUCE: shiftfs: prevent ESTALE for LOOKUP_JUMP lookups

* shiftfs: fix btrfs regression (LP: #1884767)
    - SAUCE: Revert "UBUNTU: SAUCE: shiftfs: fix dentry revalidation"

* Update lockdown patches (LP: #1884159)
    - efi/efi_test: Lock down /dev/efi_test and require CAP_SYS_ADMIN
    - efi: Restrict efivar_ssdt_load when the kernel is locked down
    - powerpc/xmon: Restrict when kernel is locked down
    - SAUCE: acpi: disallow loading configfs acpi tables when locked down

* ip_defrag.sh in net from ubuntu_kernel_selftests failed with 5.0 / 5.3 / 5.4
    kernel (LP: #1826848)
    - SAUCE: selftests: net: ip_defrag: limit packet to 1000 fragments
    - selftests: net: ip_defrag: ignore EPERM

* CVE-2020-10757
    - mm: Fix mremap not considering huge pmd devmap

* CVE-2020-11935
    - SAUCE: aufs: do not call i_readcount_inc()
    - SAUCE: aufs: bugfix, IMA i_readcount

* apparmor reference leak causes refcount_t overflow with af_alg_accept()
    (LP: #1883962)
    - apparmor: check/put label on apparmor_sk_clone_security()

* CVE-2019-16089
    - SAUCE: nbd_genl_status: null check for nla_nest_start

* CVE-2019-19642
    - kernel/relay.c: handle alloc_percpu returning NULL in relay_open

-- Khalid Elmously <khalid.elmously@canonical.com>  Fri, 10 Jul 2020 15:22:34 -0400

Changed in linux (Ubuntu Eoan):
status:	Fix Committed → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2020-07-28:

#23

This bug was fixed in the package linux - 5.4.0-42.46

---------------
linux (5.4.0-42.46) focal; urgency=medium

* focal/linux: 5.4.0-42.46 -proposed tracker (LP: #1887069)

* linux 4.15.0-109-generic network DoS regression vs -108 (LP: #1886668)
- SAUCE: Revert "netprio_cgroup: Fix unlimited memory leak of v2 cgroups"

linux (5.4.0-41.45) focal; urgency=medium

* focal/linux: 5.4.0-41.45 -proposed tracker (LP: #1885855)

* Packaging resync (LP: #1786013)
- update dkms package versions

* CVE-2019-19642
- kernel/relay.c: handle alloc_percpu returning NULL in relay_open

* CVE-2019-16089
- SAUCE: nbd_genl_status: null check for nla_nest_start

* CVE-2020-11935
- aufs: do not call i_readcount_inc()

  * ip_defrag.sh in net from ubuntu_kernel_selftests failed with 5.0 / 5.3 / 5.4
    kernel (LP: #1826848)
    - selftests: net: ip_defrag: ignore EPERM

* Update lockdown patches (LP: #1884159)
- SAUCE: acpi: disallow loading configfs acpi tables when locked down

* seccomp_bpf fails on powerpc (LP: #1885757)
- SAUCE: selftests/seccomp: fix ptrace tests on powerpc

-- Khalid Elmously <email address hidden> Thu, 09 Jul 2020 19:50:26 -0400

Changed in linux (Ubuntu Groovy):
status:	In Progress → Fix Released

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Patches

0001-UBUNTU-SAUCE-Revert-netprio_cgroup-Fix-unlimited-mem.patch Edit

Add patch

Remote bug watches

linux-kernel-bugs #208003
[RESOLVED CODE_FIX] Edit

Bug watches keep track of this bug in other bug trackers.

Ubuntulinux package

linux 4.15.0-109-generic network DoS regression vs -108

Bug Description

CVE References

Other bug subscribers

Patches

Remote bug watches

Ubuntu
linux package