This bug was fixed in the package linux-azure - 5.4.0-1009.9

---------------
linux-azure (5.4.0-1009.9) focal; urgency=medium

  * focal/linux-azure: 5.4.0-1009.9 -proposed tracker (LP: #1870498)

  * Focal update: v5.4.29 upstream stable release (LP: #1870142)
    - [Config] azure: Update config for NET_REDIRECT

  * Packaging resync (LP: #1786013)
    - [Packaging] update helper scripts

  * [linux-azure] overlayfs regression - internal getxattr operations without
    sepolicy checking (LP: #1864669)
    - SAUCE: overlayfs: internal getxattr operations without sepolicy checking

  [ Ubuntu: 5.4.0-22.26 ]

  * focal/linux: 5.4.0-22.26 -proposed tracker (LP: #1870502)
  * Packaging resync (LP: #1786013)
    - [Packaging] update variants
    - [Packaging] update helper scripts
    - update dkms package versions
  * [SFC-0316]sync mainline kernel 5.7rc1 SFC patchset into ubuntu HWE kernel
    branch (LP: #1867588)
    - spi: Allow SPI controller override device buswidth
    - spi: HiSilicon v3xx: Properly set CMD_CONFIG for Dual/Quad modes
    - spi: HiSilicon v3xx: Use DMI quirk to set controller buswidth override
      bits
  * [hns3-0316]sync mainline kernel 5.6rc4  hns3 patchset into ubuntu HWE kernel
    branch (LP: #1867586)
    - net: hns3: fix VF VLAN table entries inconsistent issue
    - net: hns3: fix RMW issue for VLAN filter switch
    - net: hns3: clear port base VLAN when unload PF
  * [sas-0316]sync mainline kernel 5.6rc1 roce patchset into ubuntu HWE kernel
    branch (LP: #1867587)
    - scsi: hisi_sas: use threaded irq to process CQ interrupts
    - scsi: hisi_sas: replace spin_lock_irqsave/spin_unlock_restore with
      spin_lock/spin_unlock
    - scsi: hisi_sas: Replace magic number when handle channel interrupt
    - scsi: hisi_sas: Modify the file permissions of trigger_dump to write only
    - scsi: hisi_sas: Add prints for v3 hw interrupt converge and automatic
      affinity
    - scsi: hisi_sas: Rename hisi_sas_cq.pci_irq_mask
  * Revert "nvme_fc: add module to ops template to allow module references"
    (LP: #1869947)
    - SAUCE: Revert "nvme_fc: add module to ops template to allow module
      references"
  * suspend only works once on ThinkPad X1 Carbon gen 7 (LP: #1865570)
    - Revert "UBUNTU: SAUCE: e1000e: Disable s0ix flow for X1 Carbon 7th"
    - SAUCE: e1000e: bump up timeout to wait when ME un-configure ULP mode
  * Focal update: v5.4.29 upstream stable release (LP: #1870142)
    - mmc: core: Allow host controllers to require R1B for CMD6
    - mmc: core: Respect MMC_CAP_NEED_RSP_BUSY for erase/trim/discard
    - mmc: core: Respect MMC_CAP_NEED_RSP_BUSY for eMMC sleep command
    - mmc: sdhci-omap: Fix busy detection by enabling MMC_CAP_NEED_RSP_BUSY
    - mmc: sdhci-tegra: Fix busy detection by enabling MMC_CAP_NEED_RSP_BUSY
    - ACPI: PM: s2idle: Rework ACPI events synchronization
    - cxgb4: fix throughput drop during Tx backpressure
    - cxgb4: fix Txq restart check during backpressure
    - geneve: move debug check after netdev unregister
    - hsr: fix general protection fault in hsr_addr_is_self()
    - ipv4: fix a RCU-list lock in inet_dump_fib()
    - macsec: restrict to ethernet devices
    - mlxsw: pci: Only issue reset when system is ready
    - mlxsw: spectrum_mr: Fix list iteration in error path
    - net/bpfilter: fix dprintf usage for /dev/kmsg
    - net: cbs: Fix software cbs to consider packet sending time
    - net: dsa: Fix duplicate frames flooded by learning
    - net: dsa: mt7530: Change the LINK bit to reflect the link status
    - net: dsa: tag_8021q: replace dsa_8021q_remove_header with __skb_vlan_pop
    - net: ena: Add PCI shutdown handler to allow safe kexec
    - net: mvneta: Fix the case where the last poll did not process all rx
    - net/packet: tpacket_rcv: avoid a producer race condition
    - net: phy: dp83867: w/a for fld detect threshold bootstrapping issue
    - net: phy: mdio-bcm-unimac: Fix clock handling
    - net: phy: mdio-mux-bcm-iproc: check clk_prepare_enable() return value
    - net: qmi_wwan: add support for ASKEY WWHC050
    - net/sched: act_ct: Fix leak of ct zone template on replace
    - net_sched: cls_route: remove the right filter from hashtable
    - net_sched: hold rtnl lock in tcindex_partial_destroy_work()
    - net_sched: keep alloc_hash updated after hash allocation
    - net: stmmac: dwmac-rk: fix error path in rk_gmac_probe
    - NFC: fdp: Fix a signedness bug in fdp_nci_send_patch()
    - r8169: re-enable MSI on RTL8168c
    - slcan: not call free_netdev before rtnl_unlock in slcan_open
    - tcp: also NULL skb->dev when copy was needed
    - tcp: ensure skb->dev is NULL before leaving TCP stack
    - tcp: repair: fix TCP_QUEUE_SEQ implementation
    - vxlan: check return value of gro_cells_init()
    - bnxt_en: Fix Priority Bytes and Packets counters in ethtool -S.
    - bnxt_en: fix memory leaks in bnxt_dcbnl_ieee_getets()
    - bnxt_en: Return error if bnxt_alloc_ctx_mem() fails.
    - bnxt_en: Free context memory after disabling PCI in probe error path.
    - bnxt_en: Reset rings if ring reservation fails during open()
    - net: ip_gre: Separate ERSPAN newlink / changelink callbacks
    - net: ip_gre: Accept IFLA_INFO_DATA-less configuration
    - hsr: use rcu_read_lock() in hsr_get_node_{list/status}()
    - hsr: add restart routine into hsr_get_node_list()
    - hsr: set .netnsok flag
    - net/mlx5: DR, Fix postsend actions write length
    - net/mlx5e: Enhance ICOSQ WQE info fields
    - net/mlx5e: Fix missing reset of SW metadata in Striding RQ reset
    - net/mlx5e: Fix ICOSQ recovery flow with Striding RQ
    - net/mlx5e: Do not recover from a non-fatal syndrome
    - cgroup-v1: cgroup_pidlist_next should update position index
    - nfs: add minor version to nfs_server_key for fscache
    - cpupower: avoid multiple definition with gcc -fno-common
    - drivers/of/of_mdio.c:fix of_mdiobus_register()
    - cgroup1: don't call release_agent when it is ""
    - [Config] updateconfigs for DPAA_ERRATUM_A050385
    - dt-bindings: net: FMan erratum A050385
    - arm64: dts: ls1043a: FMan erratum A050385
    - fsl/fman: detect FMan erratum A050385
    - drm/amd/display: update soc bb for nv14
    - drm/amdgpu: correct ROM_INDEX/DATA offset for VEGA20
    - drm/exynos: Fix cleanup of IOMMU related objects
    - iommu/vt-d: Silence RCU-list debugging warnings
    - s390/qeth: don't reset default_out_queue
    - s390/qeth: handle error when backing RX buffer
    - scsi: ipr: Fix softlockup when rescanning devices in petitboot
    - mac80211: Do not send mesh HWMP PREQ if HWMP is disabled
    - dpaa_eth: Remove unnecessary boolean expression in dpaa_get_headroom
    - sxgbe: Fix off by one in samsung driver strncpy size arg
    - net: hns3: fix "tc qdisc del" failed issue
    - iommu/vt-d: Fix debugfs register reads
    - iommu/vt-d: Populate debugfs if IOMMUs are detected
    - iwlwifi: mvm: fix non-ACPI function
    - i2c: hix5hd2: add missed clk_disable_unprepare in remove
    - Input: raydium_i2c_ts - fix error codes in raydium_i2c_boot_trigger()
    - Input: fix stale timestamp on key autorepeat events
    - Input: synaptics - enable RMI on HP Envy 13-ad105ng
    - Input: avoid BIT() macro usage in the serio.h UAPI header
    - IB/rdmavt: Free kernel completion queue when done
    - RDMA/core: Fix missing error check on dev_set_name()
    - gpiolib: Fix irq_disable() semantics
    - RDMA/nl: Do not permit empty devices names during
      RDMA_NLDEV_CMD_NEWLINK/SET
    - RDMA/mad: Do not crash if the rdma device does not have a umad interface
    - ceph: check POOL_FLAG_FULL/NEARFULL in addition to OSDMAP_FULL/NEARFULL
    - ceph: fix memory leak in ceph_cleanup_snapid_map()
    - ARM: dts: dra7: Add bus_dma_limit for L3 bus
    - ARM: dts: omap5: Add bus_dma_limit for L3 bus
    - x86/ioremap: Fix CONFIG_EFI=n build
    - perf probe: Fix to delete multiple probe event
    - perf probe: Do not depend on dwfl_module_addrsym()
    - rtlwifi: rtl8188ee: Fix regression due to commit d1d1a96bdb44
    - tools: Let O= makes handle a relative path with -C option
    - scripts/dtc: Remove redundant YYLOC global declaration
    - scsi: sd: Fix optimal I/O size for devices that change reported values
    - nl80211: fix NL80211_ATTR_CHANNEL_WIDTH attribute type
    - mac80211: drop data frames without key on encrypted links
    - mac80211: mark station unauthorized before key removal
    - mm/swapfile.c: move inode_lock out of claim_swapfile
    - drivers/base/memory.c: indicate all memory blocks as removable
    - mm/sparse: fix kernel crash with pfn_section_valid check
    - mm: fork: fix kernel_stack memcg stats for various stack implementations
    - gpiolib: acpi: Correct comment for HP x2 10 honor_wakeup quirk
    - gpiolib: acpi: Rework honor_wakeup option into an ignore_wake option
    - gpiolib: acpi: Add quirk to ignore EC wakeups on HP x2 10 BYT + AXP288
      model
    - bpf: Fix cgroup ref leak in cgroup_bpf_inherit on out-of-memory
    - RDMA/core: Ensure security pkey modify is not lost
    - afs: Fix handling of an abort from a service handler
    - genirq: Fix reference leaks on irq affinity notifiers
    - xfrm: handle NETDEV_UNREGISTER for xfrm device
    - vti[6]: fix packet tx through bpf_redirect() in XinY cases
    - RDMA/mlx5: Fix the number of hwcounters of a dynamic counter
    - RDMA/mlx5: Fix access to wrong pointer while performing flush due to error
    - RDMA/mlx5: Block delay drop to unprivileged users
    - xfrm: fix uctx len check in verify_sec_ctx_len
    - xfrm: add the missing verify_sec_ctx_len check in xfrm_add_acquire
    - xfrm: policy: Fix doulbe free in xfrm_policy_timer
    - afs: Fix client call Rx-phase signal handling
    - afs: Fix some tracing details
    - afs: Fix unpinned address list during probing
    - ieee80211: fix HE SPR size calculation
    - mac80211: set IEEE80211_TX_CTRL_PORT_CTRL_PROTO for nl80211 TX
    - netfilter: flowtable: reload ip{v6}h in nf_flow_tuple_ip{v6}
    - netfilter: nft_fwd_netdev: validate family and chain type
    - netfilter: nft_fwd_netdev: allow to redirect to ifb via ingress
    - i2c: nvidia-gpu: Handle timeout correctly in gpu_i2c_check_status()
    - bpf, x32: Fix bug with JMP32 JSET BPF_X checking upper bits
    - bpf: Initialize storage pointers to NULL to prevent freeing garbage
      pointer
    - bpf/btf: Fix BTF verification of enum members in struct/union
    - bpf, sockmap: Remove bucket->lock from sock_{hash|map}_free
    - ARM: dts: sun8i-a83t-tbs-a711: Fix USB OTG mode detection
    - vti6: Fix memory leak of skb if input policy check fails
    - r8169: fix PHY driver check on platforms w/o module softdeps
    - clocksource/drivers/hyper-v: Untangle stimers and timesync from
      clocksources
    - USB: serial: option: add support for ASKEY WWHC050
    - USB: serial: option: add BroadMobi BM806U
    - USB: serial: option: add Wistron Neweb D19Q1
    - USB: cdc-acm: restore capability check order
    - USB: serial: io_edgeport: fix slab-out-of-bounds read in
      edge_interrupt_callback
    - usb: musb: fix crash with highmen PIO and usbmon
    - media: flexcop-usb: fix endpoint sanity check
    - media: usbtv: fix control-message timeouts
    - staging: kpc2000: prevent underflow in cpld_reconfigure()
    - staging: rtl8188eu: Add ASUS USB-N10 Nano B1 to device table
    - staging: wlan-ng: fix ODEBUG bug in prism2sta_disconnect_usb
    - staging: wlan-ng: fix use-after-free Read in hfa384x_usbin_callback
    - ahci: Add Intel Comet Lake H RAID PCI ID
    - libfs: fix infoleak in simple_attr_read()
    - media: ov519: add missing endpoint sanity checks
    - media: dib0700: fix rc endpoint lookup
    - media: stv06xx: add missing descriptor sanity checks
    - media: xirlink_cit: add missing descriptor sanity checks
    - media: v4l2-core: fix a use-after-free bug of sd->devnode
    - update wireguard dkms package version
    - [Config] updateconfigs for NET_REDIRECT
    - net: Fix CONFIG_NET_CLS_ACT=n and CONFIG_NFT_FWD_NETDEV={y, m} build
    - Linux 5.4.29
  * Restore kernel control of PCIe DPC via option (LP: #1869423)
    - PCI/DPC: Add "pcie_ports=dpc-native" to allow DPC without AER control
  * swap storms kills interactive use (LP: #1861359)
    - SAUCE: mm/page_alloc.c: disable memory reclaim watermark boosting by
      default
  * sysfs: incorrect network device permissions on network namespace change
    (LP: #1865359)
    - sysfs: add sysfs_file_change_owner()
    - sysfs: add sysfs_link_change_owner()
    - sysfs: add sysfs_group{s}_change_owner()
    - sysfs: add sysfs_change_owner()
    - device: add device_change_owner()
    - drivers/base/power: add dpm_sysfs_change_owner()
    - net-sysfs: add netdev_change_owner()
    - net-sysfs: add queue_change_owner()
    - net: fix sysfs permssions when device changes network namespace
    - sysfs: fix static inline declaration of sysfs_groups_change_owner()
  * Kernel Oops - general protection fault: 0000 [#1] SMP PTI after
    disconnecting thunderbolt docking station (LP: #1864754)
    - SAUCE: ptp: free ptp clock properly
  * [Selftests] Apply various fixes and improvements (LP: #1870543)
    - SAUCE: selftests: net: ip_defrag: limit packet to 1000 fragments
    - SAUCE: kselftest/runner: avoid using timeout if timeout is disabled
    - SAUCE: selftests/seccomp -- Disable timeout for seccomp tests
  * Focal update: v5.4.28 upstream stable release (LP: #1869061)
    - locks: fix a potential use-after-free problem when wakeup a waiter
    - locks: reinstate locks_delete_block optimization
    - spi: spi-omap2-mcspi: Support probe deferral for DMA channels
    - drm/mediatek: Find the cursor plane instead of hard coding it
    - phy: ti: gmii-sel: fix set of copy-paste errors
    - phy: ti: gmii-sel: do not fail in case of gmii
    - ARM: dts: dra7-l4: mark timer13-16 as pwm capable
    - spi: qup: call spi_qup_pm_resume_runtime before suspending
    - powerpc: Include .BTF section
    - cifs: fix potential mismatch of UNC paths
    - cifs: add missing mount option to /proc/mounts
    - ARM: dts: dra7: Add "dma-ranges" property to PCIe RC DT nodes
    - spi: pxa2xx: Add CS control clock quirk
    - spi/zynqmp: remove entry that causes a cs glitch
    - drm/exynos: dsi: propagate error value and silence meaningless warning
    - drm/exynos: dsi: fix workaround for the legacy clock name
    - drm/exynos: hdmi: don't leak enable HDMI_EN regulator if probe fails
    - drivers/perf: fsl_imx8_ddr: Correct the CLEAR bit definition
    - drivers/perf: arm_pmu_acpi: Fix incorrect checking of gicc pointer
    - altera-stapl: altera_get_note: prevent write beyond end of 'key'
    - dm bio record: save/restore bi_end_io and bi_integrity
    - dm integrity: use dm_bio_record and dm_bio_restore
    - riscv: avoid the PIC offset of static percpu data in module beyond 2G
      limits
    - ASoC: stm32: sai: manage rebind issue
    - spi: spi_register_controller(): free bus id on error paths
    - riscv: Force flat memory model with no-mmu
    - riscv: Fix range looking for kernel image memblock
    - drm/amdgpu: clean wptr on wb when gpu recovery
    - drm/amd/display: Clear link settings on MST disable connector
    - drm/amd/display: fix dcc swath size calculations on dcn1
    - xenbus: req->body should be updated before req->state
    - xenbus: req->err should be updated before req->state
    - block, bfq: fix overwrite of bfq_group pointer in bfq_find_set_group()
    - parse-maintainers: Mark as executable
    - binderfs: use refcount for binder control devices too
    - Revert "drm/fbdev: Fallback to non tiled mode if all tiles not present"
    - usb: quirks: add NO_LPM quirk for RTL8153 based ethernet adapters
    - USB: serial: option: add ME910G1 ECM composition 0x110b
    - usb: host: xhci-plat: add a shutdown
    - USB: serial: pl2303: add device-id for HP LD381
    - usb: xhci: apply XHCI_SUSPEND_DELAY to AMD XHCI controller 1022:145c
    - usb: typec: ucsi: displayport: Fix NULL pointer dereference
    - usb: typec: ucsi: displayport: Fix a potential race during registration
    - USB: cdc-acm: fix close_delay and closing_wait units in TIOCSSERIAL
    - USB: cdc-acm: fix rounding error in TIOCSSERIAL
    - ALSA: line6: Fix endless MIDI read loop
    - ALSA: hda/realtek - Enable headset mic of Acer X2660G with ALC662
    - ALSA: hda/realtek - Enable the headset of Acer N50-600 with ALC662
    - ALSA: seq: virmidi: Fix running status after receiving sysex
    - ALSA: seq: oss: Fix running status after receiving sysex
    - ALSA: pcm: oss: Avoid plugin buffer overflow
    - ALSA: pcm: oss: Remove WARNING from snd_pcm_plug_alloc() checks
    - tty: fix compat TIOCGSERIAL leaking uninitialized memory
    - tty: fix compat TIOCGSERIAL checking wrong function ptr
    - iio: chemical: sps30: fix missing triggered buffer dependency
    - iio: st_sensors: remap SMO8840 to LIS2DH12
    - iio: trigger: stm32-timer: disable master mode when stopping
    - iio: accel: adxl372: Set iio_chan BE
    - iio: magnetometer: ak8974: Fix negative raw values in sysfs
    - iio: adc: stm32-dfsdm: fix sleep in atomic context
    - iio: adc: at91-sama5d2_adc: fix differential channels in triggered mode
    - iio: light: vcnl4000: update sampling periods for vcnl4200
    - iio: light: vcnl4000: update sampling periods for vcnl4040
    - mmc: rtsx_pci: Fix support for speed-modes that relies on tuning
    - mmc: sdhci-of-at91: fix cd-gpios for SAMA5D2
    - mmc: sdhci-cadence: set SDHCI_QUIRK2_PRESET_VALUE_BROKEN for UniPhier
    - CIFS: fiemap: do not return EINVAL if get nothing
    - kbuild: Disable -Wpointer-to-enum-cast
    - staging: rtl8188eu: Add device id for MERCUSYS MW150US v2
    - staging: greybus: loopback_test: fix poll-mask build breakage
    - staging/speakup: fix get_word non-space look-ahead
    - intel_th: msu: Fix the unexpected state warning
    - intel_th: Fix user-visible error codes
    - intel_th: pci: Add Elkhart Lake CPU support
    - modpost: move the namespace field in Module.symvers last
    - rtc: max8907: add missing select REGMAP_IRQ
    - arm64: compat: Fix syscall number of compat_clock_getres
    - xhci: Do not open code __print_symbolic() in xhci trace events
    - btrfs: fix log context list corruption after rename whiteout error
    - drm/amd/amdgpu: Fix GPR read from debugfs (v2)
    - drm/lease: fix WARNING in idr_destroy
    - stm class: sys-t: Fix the use of time_after()
    - memcg: fix NULL pointer dereference in __mem_cgroup_usage_unregister_event
    - mm, memcg: fix corruption on 64-bit divisor in memory.high throttling
    - mm, memcg: throttle allocators based on ancestral memory.high
    - mm/hotplug: fix hot remove failure in SPARSEMEM|!VMEMMAP case
    - mm: do not allow MADV_PAGEOUT for CoW pages
    - epoll: fix possible lost wakeup on epoll_ctl() path
    - mm: slub: be more careful about the double cmpxchg of freelist
    - mm, slub: prevent kmalloc_node crashes and memory leaks
    - page-flags: fix a crash at SetPageError(THP_SWAP)
    - x86/mm: split vmalloc_sync_all()
    - futex: Fix inode life-time issue
    - futex: Unbreak futex hashing
    - arm64: smp: fix smp_send_stop() behaviour
    - arm64: smp: fix crash_smp_send_stop() behaviour
    - nvmet-tcp: set MSG_MORE only if we actually have more to send
    - drm/bridge: dw-hdmi: fix AVI frame colorimetry
    - staging: greybus: loopback_test: fix potential path truncation
    - staging: greybus: loopback_test: fix potential path truncations
    - Linux 5.4.28
  * Pop sound from build-in speaker during cold boot and resume from S3
    (LP: #1866357) // Focal update: v5.4.28 upstream stable release
    (LP: #1869061)
    - ALSA: hda/realtek: Fix pop noise on ALC225
  * Focal update: v5.4.28 upstream stable release (LP: #1869061)
    - perf/x86/amd: Add support for Large Increment per Cycle Events
    - EDAC/amd64: Add family ops for Family 19h Models 00h-0Fh
    - x86/MCE/AMD, EDAC/mce_amd: Add new Load Store unit McaType
    - EDAC/mce_amd: Always load on SMCA systems
    - x86/amd_nb: Add Family 19h PCI IDs
    - EDAC/amd64: Drop some family checks for newer systems
  * Update mpt3sas Driver to 33.100.00.00 for Ubuntu 20.04 (LP: #1863574)
    - scsi: mpt3sas: Register trace buffer based on NVDATA settings
    - scsi: mpt3sas: Display message before releasing diag buffer
    - scsi: mpt3sas: Free diag buffer without any status check
    - scsi: mpt3sas: Maintain owner of buffer through UniqueID
    - scsi: mpt3sas: clear release bit when buffer reregistered
    - scsi: mpt3sas: Reuse diag buffer allocated at load time
    - scsi: mpt3sas: Add app owned flag support for diag buffer
    - scsi: mpt3sas: Fail release cmnd if diag buffer is released
    - scsi: mpt3sas: Use Component img header to get Package ver
    - scsi: mpt3sas: Fix module parameter max_msix_vectors
    - scsi: mpt3sas: Bump mpt3sas driver version to 32.100.00.00
    - scsi: mpt3sas: Clean up some indenting
    - scsi: mpt3sas: change allocation option
    - scsi: mpt3sas: Update MPI Headers to v02.00.57
    - scsi: mpt3sas: Add support for NVMe shutdown
    - scsi: mpt3sas: renamed _base_after_reset_handler function
    - scsi: mpt3sas: Add support IOCs new state named COREDUMP
    - scsi: mpt3sas: Handle CoreDump state from watchdog thread
    - scsi: mpt3sas: print in which path firmware fault occurred
    - scsi: mpt3sas: Optimize mpt3sas driver logging
    - scsi: mpt3sas: Print function name in which cmd timed out
    - scsi: mpt3sas: Remove usage of device_busy counter
    - scsi: mpt3sas: Update drive version to 33.100.00.00
  * Ubuntu 20.04: megaraid_sas driver update to version 07.713.01.00-rc1
    (LP: #1863581)
    - scsi: megaraid_sas: Unique names for MSI-X vectors
    - scsi: megaraid_sas: remove unused variables 'debugBlk','fusion'
    - compat_ioctl: use correct compat_ptr() translation in drivers
    - scsi: megaraid_sas: Make poll_aen_lock static
    - scsi: megaraid_sas: Reset adapter if FW is not in READY state after device
      resume
    - scsi: megaraid_sas: Set no_write_same only for Virtual Disk
    - scsi: megaraid_sas: Update optimal queue depth for SAS and NVMe devices
    - scsi: megaraid_sas: Do not kill host bus adapter, if adapter is already
      dead
    - scsi: megaraid_sas: Do not kill HBA if JBOD Seqence map or RAID map is
      disabled
    - scsi: megaraid_sas: Do not set HBA Operational if FW is not in operational
      state
    - scsi: megaraid_sas: Re-Define enum DCMD_RETURN_STATUS
    - scsi: megaraid_sas: Limit the number of retries for the IOCTLs causing
      firmware fault
    - scsi: megaraid_sas: Use Block layer API to check SCSI device in-flight IO
      requests
    - scsi: megaraid_sas: Update driver version to 07.713.01.00-rc1
    - scsi: megaraid_sas: fixup MSIx interrupt setup during resume

 -- Stefan Bader <stefan.ba...@canonical.com>  Fri, 03 Apr 2020 18:52:00 +0200

** Changed in: linux-azure (Ubuntu)
       Status: New => Fix Released

https://bugs.launchpad.net/bugs/1864669

Title:
  [linux-azure] overlayfs regression - internal getxattr operations
  without sepolicy checking

Status in linux-azure package in Ubuntu:
  Fix Released

Bug description:
  Bug description and repro:

  Run the following commands on host instances:

  Prepare the overlayfs directories:
  $ cd /tmp
  $ mkdir -p base/dir1/dir2 upper olwork merged
  $ touch base/dir1/dir2/file
  $ chown -R 100000:100000 base upper olwork merged

  Verify that the directory is owned by user 100000:
  $ ls -al merged/ 
  total 8
  drwxr-xr-x  2 100000 100000 4096 Nov  1 07:08 .
  drwxrwxrwt 16 root   root   4096 Nov  1 07:08 ..

  We use lxc-usernsexec to start a new shell as user 100000.
  $ lxc-usernsexec -m b:0:100000:1 -- /bin/bash
  $$ ls -al merged/
  total 8
  drwxr-xr-x  2 root   root    4096 Nov  1 07:08 .
  drwxrwxrwt 16 nobody nogroup 4096 Nov  1 07:08 ..

  Notice that the ownership of . and .. has changed because the new shell is
  running as the remapped user.
  Now, mount the overlayfs as an unprivileged user in the new shell. This is
  the key to trigger the bug.
  $$ mount -t overlay -o lowerdir=base,upperdir=upper,workdir=olwork none merged
  $$ ls -al merged/dir1/dir2/file 
  -rw-r--r-- 1 root root 0 Nov  1 07:09 merged/dir1/dir2/file

  We can see the file in the base layer from the mount directory. Now trigger
  the bug:
  $$ rm -rf merged/dir1/dir2/
  $$ mkdir merged/dir1/dir2
  $$ ls -al merged/dir1/dir2
  total 12
  drwxr-xr-x 2 root root 4096 Nov  1 07:10 .
  drwxr-xr-x 1 root root 4096 Nov  1 07:10 ..

  File does not show up in the newly created dir2 as expected. But it will
  reappear after we remount the filesystem (or any other means that might
  evict the cached dentry, such as an attempt to delete the parent directory):
  $$ umount merged
  $$ mount -t overlay -o lowerdir=base,upperdir=upper,workdir=olwork none merged
  $$ ls -al merged/dir1/dir2
  total 12
  drwxr-xr-x 1 root root 4096 Nov  1 07:10 .
  drwxr-xr-x 1 root root 4096 Nov  1 07:10 ..
  -rw-r--r-- 1 root root    0 Nov  1 07:09 file
  $$ exit
  $

  This is a recent kernel regression. I tried the above step on an old
  kernel (4.4.0-1072-aws) but cannot reproduce.


  I looked up the linux source code and figured out where the "regression" is
  coming from. The issue lies in how overlayfs checks the "opaque" flag from
  the underlying upper-level filesystem. It checks the
  "trusted.overlay.opaque" extended attribute to decide whether to hide the
  directory content from the lower level. The logic is different in the 4.4
  and 4.15 kernels.
  In 4.4: https://elixir.bootlin.com/linux/v4.4/source/fs/overlayfs/super.c#L255
  static bool ovl_is_opaquedir(struct dentry *dentry)
  {
        int res;
        char val;
        struct inode *inode = dentry->d_inode;

        if (!S_ISDIR(inode->i_mode) || !inode->i_op->getxattr)
                return false;

        res = inode->i_op->getxattr(dentry, OVL_XATTR_OPAQUE, &val, 1);
        if (res == 1 && val == 'y')
                return true;

        return false;
  }

  In 4.15: https://elixir.bootlin.com/linux/v4.15/source/fs/overlayfs/util.c#L349
  static bool ovl_is_opaquedir(struct dentry *dentry)
  {
        return ovl_check_dir_xattr(dentry, OVL_XATTR_OPAQUE);
  }

  bool ovl_check_dir_xattr(struct dentry *dentry, const char *name)
  {
        int res;
        char val;

        if (!d_is_dir(dentry))
                return false;

        res = vfs_getxattr(dentry, name, &val, 1);
        if (res == 1 && val == 'y')
                return true;

        return false;
  }

  The 4.4 version simply uses the internal i_node callback
  inode->i_op->getxattr from the host filesystem, which doesn't perform any
  permission check, while the 4.15 version calls the VFS interface
  vfs_getxattr, which performs a bunch of permission checks before calling
  the internal insecure callback __vfs_getxattr:
  See https://elixir.bootlin.com/linux/v4.15/source/fs/xattr.c#L317
  ssize_t
  vfs_getxattr(struct dentry *dentry, const char *name, void *value, size_t size)
  {
        struct inode *inode = dentry->d_inode;
        int error;

        error = xattr_permission(inode, name, MAY_READ);
        if (error)
                return error;

        error = security_inode_getxattr(dentry, name);
        if (error)
                return error;

        if (!strncmp(name, XATTR_SECURITY_PREFIX,
                                XATTR_SECURITY_PREFIX_LEN)) {
                const char *suffix = name + XATTR_SECURITY_PREFIX_LEN;
                int ret = xattr_getsecurity(inode, suffix, value, size);
                /*
                 * Only overwrite the return value if a security module
                 * is actually active.
                 */
                if (ret == -EOPNOTSUPP)
                        goto nolsm;
                return ret;
        }
  nolsm:
        return __vfs_getxattr(dentry, inode, name, value, size);
  }

  In 4.15, ovl_is_opaquedir is called by the following caller:
  ovl_is_opaquedir <-
  ovl_lookup_single() <-
  ovl_lookup_layer <-
  ovl_lookup,
  ovl_lookup is the entry point for directory listing in overlayfs.
  Importantly, it assumes the filesystem mounter's credential to perform all
  internal lookup operations:
  struct dentry *ovl_lookup(struct inode *dir, struct dentry *dentry,
                          unsigned int flags)
  {
     old_cred = ovl_override_creds(dentry->d_sb);
     // perform lookups
     // ....
     revert_creds(old_cred);   
  }

  The "credential switching" logic also does not exist in the 4.4 kernel:
  https://elixir.bootlin.com/linux/v4.4/source/fs/overlayfs/super.c#L397
  That means, on 4.15, overlayfs uses the file system mounter's credential to
  fetch the "trusted.overlay.opaque" xattr from the underlying filesystem.
  This can fail the permission check if the overlayfs is mounted by a remapped
  user, who doesn't have the CAP_SYS_ADMIN capability.
  See https://elixir.bootlin.com/linux/v4.15/source/fs/xattr.c#L115:
  static int xattr_permission(struct inode *inode, const char *name, int mask)
  {
   ....
        /*
         * The trusted.* namespace can only be accessed by privileged users.
         */
        if (!strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN)) {
                if (!capable(CAP_SYS_ADMIN))
                        return (mask & MAY_WRITE) ? -EPERM : -ENODATA;
                return 0;
        }
  ....
  }

  When this call fails, overlayfs assumes the upper directory is not
  "opaque" and combines the content from the lower directory in the
  result.

  
  There's a proposed patch to fix this issue:
  https://lkml.org/lkml/2019/7/30/787
  The patch calls the insecure __vfs_getxattr to fetch the opaque flag so that
  it can bypass the permission check even if the other lookup operation is
  done under the mounter's credential.
  However, the patch hasn't been merged to the upstream linux kernel as of
  today (see
  https://elixir.bootlin.com/linux/v5.4-rc5/source/fs/overlayfs/util.c#L551).
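
Added example, not part of the original report and not kernel code: a user-space C model of the opaque-directory decision described above, comparing the permission-checked vfs_getxattr path under the mounter's credential with the unchecked __vfs_getxattr path. The model_* types, the sample credentials and the assumption that the recreated dir2 carries trusted.overlay.opaque=y are hypothetical stand-ins for the kernel state.

```c
/* User-space model of the overlayfs opaque-directory check (added example). */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#ifndef ENODATA
#define ENODATA 61 /* Linux value, in case errno.h does not define it */
#endif

#define MAY_WRITE 0x2
#define MAY_READ  0x4
#define XATTR_TRUSTED_PREFIX "trusted."
#define OVL_XATTR_OPAQUE     "trusted.overlay.opaque"

/* Hypothetical stand-ins for kernel objects: only what the check reads. */
struct model_cred { bool cap_sys_admin; };
struct model_dir  { bool has_opaque; char opaque_val; };

/* Constructed sample state matching the report's reproduction. */
static const struct model_cred host_root      = { true };
static const struct model_cred userns_mounter = { false };     /* remapped uid 100000 */
static const struct model_dir  recreated_dir2 = { true, 'y' }; /* assumed marked opaque */

/* Models __vfs_getxattr() / inode->i_op->getxattr: no permission check. */
static int raw_getxattr(const struct model_dir *d, const char *name, char *val)
{
    if (strcmp(name, OVL_XATTR_OPAQUE) != 0 || !d->has_opaque)
        return -ENODATA;
    *val = d->opaque_val;
    return 1; /* one byte read */
}

/* Models the trusted.* branch of xattr_permission() quoted in the report. */
static int model_xattr_permission(const struct model_cred *c,
                                  const char *name, int mask)
{
    if (!strncmp(name, XATTR_TRUSTED_PREFIX, strlen(XATTR_TRUSTED_PREFIX)) &&
        !c->cap_sys_admin)
        return (mask & MAY_WRITE) ? -EPERM : -ENODATA;
    return 0;
}

/* Models vfs_getxattr(): permission check under the given cred, then read. */
static int checked_getxattr(const struct model_cred *c,
                            const struct model_dir *d,
                            const char *name, char *val)
{
    int error = model_xattr_permission(c, name, MAY_READ);
    if (error)
        return error;
    return raw_getxattr(d, name, val);
}

/* 4.15 path: lookup runs with the mounter's cred (ovl_override_creds). */
static bool opaque_via_vfs_getxattr(const struct model_cred *mounter,
                                    const struct model_dir *upper)
{
    char val = 0;
    return checked_getxattr(mounter, upper, OVL_XATTR_OPAQUE, &val) == 1 &&
           val == 'y';
}

/* 4.4 path, and what the proposed patch restores: unchecked read. */
static bool opaque_via_raw_getxattr(const struct model_dir *upper)
{
    char val = 0;
    return raw_getxattr(upper, OVL_XATTR_OPAQUE, &val) == 1 && val == 'y';
}

/* Lower-layer entries that appear in the merged directory on a fresh lookup. */
static int merged_lower_entries(bool upper_opaque, int lower_entries)
{
    return upper_opaque ? 0 : lower_entries;
}

int main(void)
{
    const int lower = 1; /* base/dir1/dir2/file */

    printf("privileged mounter, vfs_getxattr:   %d lower entries visible\n",
           merged_lower_entries(
               opaque_via_vfs_getxattr(&host_root, &recreated_dir2), lower));
    printf("userns mounter,     vfs_getxattr:   %d lower entries visible\n",
           merged_lower_entries(
               opaque_via_vfs_getxattr(&userns_mounter, &recreated_dir2), lower));
    printf("userns mounter,     __vfs_getxattr: %d lower entries visible\n",
           merged_lower_entries(
               opaque_via_raw_getxattr(&recreated_dir2), lower));
    return 0;
}
```

The middle case is the regression: the -ENODATA returned by the permission check is indistinguishable from "attribute not set", so the deleted lower-layer file is merged back into the listing.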
