This bug was fixed in the package linux - 5.4.0-122.138
---------------
linux (5.4.0-122.138) focal; urgency=medium
* focal/linux: 5.4.0-122.138 -proposed tracker (LP: #1979489)
* Remove SAUCE patches from test_vxlan_under_vrf.sh in net of ubuntu_kernel_selftests (LP: #1975691)
- Revert "UBUNTU: SAUCE: selftests: net: Don't fail test_vxlan_under_vrf on xfail"
- Revert "UBUNTU: SAUCE: selftests: net: Make test for VXLAN underlay in non-default VRF an expected failure"
* Enable Asus USB-BT500 Bluetooth dongle(0b05:190e) (LP: #1976613)
- Bluetooth: btusb: Add flag to define wideband speech capability
- Bluetooth: btrtl: Add support for RTL8761B
- Bluetooth: btusb: Add 0x0b05:0x190e Realtek 8761BU (ASUS BT500) device.
* [UBUNTU 20.04] rcu stalls with many storage key guests (LP: #1975582)
- s390/gmap: voluntarily schedule during key setting
- s390/mm: use non-quiescing sske for KVM switch to keyed guest
* Ubuntu 5.4.0-117.132-generic 5.4.189 has BUG: kernel NULL pointer dereference, address: 0000000000000034 (LP: #1978719)
- mm: rmap: explicitly reset vma->anon_vma in unlink_anon_vmas()
* Focal update: upstream stable patchset v5.4.192 (LP: #1979014)
- floppy: disable FDRAWCMD by default
- [Config] updateconfigs for BLK_DEV_FD_RAWCMD
- hamradio: defer 6pack kfree after unregister_netdev
- hamradio: remove needs_free_netdev to avoid UAF
- lightnvm: disable the subsystem
- [Config] updateconfigs for NVM, NVM_PBLK
- usb: mtu3: fix USB 3.0 dual-role-switch from device to host
- USB: quirks: add a Realtek card reader
- USB: quirks: add STRING quirk for VCOM device
- USB: serial: whiteheat: fix heap overflow in WHITEHEAT_GET_DTR_RTS
- USB: serial: cp210x: add PIDs for Kamstrup USB Meter Reader
- USB: serial: option: add support for Cinterion MV32-WA/MV32-WB
- USB: serial: option: add Telit 0x1057, 0x1058, 0x1075 compositions
- xhci: stop polling roothubs after shutdown
- xhci: increase usb U3 -> U0 link resume timeout from 100ms to 500ms
- iio: dac: ad5592r: Fix the missing return value.
- iio: dac: ad5446: Fix read_raw not returning set value
- iio: magnetometer: ak8975: Fix the error handling in ak8975_power_on()
- usb: misc: fix improper handling of refcount in uss720_probe()
- usb: typec: ucsi: Fix role swapping
- usb: gadget: uvc: Fix crash when encoding data for usb request
- usb: gadget: configfs: clear deactivation flag in configfs_composite_unbind()
- usb: dwc3: core: Fix tx/rx threshold settings
- usb: dwc3: gadget: Return proper request status
- serial: imx: fix overrun interrupts in DMA mode
- serial: 8250: Also set sticky MCR bits in console restoration
- serial: 8250: Correct the clock for EndRun PTP/1588 PCIe device
- arch_topology: Do not set llc_sibling if llc_id is invalid
- hex2bin: make the function hex_to_bin constant-time
- hex2bin: fix access beyond string end
- video: fbdev: udlfb: properly check endpoint type
- arm64: dts: meson: remove CPU opps below 1GHz for G12B boards
- arm64: dts: meson: remove CPU opps below 1GHz for SM1 boards
- mtd: rawnand: fix ecc parameters for mt7622
- USB: Fix xhci event ring dequeue pointer ERDP update issue
- ARM: dts: imx6qdl-apalis: Fix sgtl5000 detection issue
- phy: samsung: Fix missing of_node_put() in exynos_sata_phy_probe
- phy: samsung: exynos5250-sata: fix missing device put in probe error paths
- ARM: OMAP2+: Fix refcount leak in omap_gic_of_init
- phy: ti: omap-usb2: Fix error handling in omap_usb2_enable_clocks
- ARM: dts: at91: Map MCLK for wm8731 on at91sam9g20ek
- phy: mapphone-mdm6600: Fix PM error handling in phy_mdm6600_probe
- phy: ti: Add missing pm_runtime_disable() in serdes_am654_probe
- ARM: dts: Fix mmc order for omap3-gta04
- ARM: dts: am3517-evm: Fix misc pinmuxing
- ARM: dts: logicpd-som-lv: Fix wrong pinmuxing on OMAP35
- ipvs: correctly print the memory size of ip_vs_conn_tab
- mtd: rawnand: Fix return value check of wait_for_completion_timeout
- bpf, lwt: Fix crash when using bpf_skb_set_tunnel_key() from bpf_xmit lwt hook
- tcp: md5: incorrect tcp_header_len for incoming connections
- tcp: ensure to use the most recently sent skb when filling the rate sample
- sctp: check asoc strreset_chunk in sctp_generate_reconf_event
- ARM: dts: imx6ull-colibri: fix vqmmc regulator
- arm64: dts: imx8mn-ddr4-evk: Describe the 32.768 kHz PMIC clock
- pinctrl: pistachio: fix use of irq_of_parse_and_map()
- cpufreq: fix memory leak in sun50i_cpufreq_nvmem_probe
- net: hns3: add validity check for message data length
- net/smc: sync err code when tcp connection was refused
- ip_gre: Make o_seqno start from 0 in native mode
- tcp: fix potential xmit stalls caused by TCP_NOTSENT_LOWAT
- bus: sunxi-rsb: Fix the return value of sunxi_rsb_device_create()
- clk: sunxi: sun9i-mmc: check return value after calling platform_get_resource()
- net: bcmgenet: hide status block before TX timestamping
- net: dsa: lantiq_gswip: Don't set GSWIP_MII_CFG_RMII_CLK
- drm/amd/display: Fix memory leak in dcn21_clock_source_create
- tls: Skip tls_append_frag on zero copy size
- bnx2x: fix napi API usage sequence
- ixgbe: ensure IPsec VF<->PF compatibility
- tcp: fix F-RTO may not work correctly when receiving DSACK
- ASoC: wm8731: Disable the regulator when probing fails
- ip6_gre: Avoid updating tunnel->tun_hlen in __gre6_xmit()
- x86: __memcpy_flushcache: fix wrong alignment if size > 2^32
- cifs: destage any unwritten data to the server before calling copychunk_write
- drivers: net: hippi: Fix deadlock in rr_close()
- net: ethernet: stmmac: fix write to sgmii_adapter_base
- x86/cpu: Load microcode during restore_processor_state()
- tty: n_gsm: fix wrong signal octet encoding in convergence layer type 2
- tty: n_gsm: fix malformed counter for out of frame data
- netfilter: nft_socket: only do sk lookups when indev is available
- tty: n_gsm: fix insufficient txframe size
- tty: n_gsm: fix missing explicit ldisc flush
- tty: n_gsm: fix wrong command retry handling
- tty: n_gsm: fix wrong command frame length field encoding
- tty: n_gsm: fix incorrect UA handling
- hugetlbfs: get unmapped area below TASK_UNMAPPED_BASE for hugetlbfs
- mm, hugetlb: allow for "high" userspace addresses
- Linux 5.4.192
* CVE-2022-1789
- KVM: x86/mmu: fix NULL pointer dereference on guest INVPCID
* Focal update: v5.4.191 upstream stable release (LP: #1976116)
- etherdevice: Adjust ether_addr* prototypes to silence -Wstringop-overead
- mm: page_alloc: fix building error on -Werror=array-compare
- tracing: Dump stacktrace trigger to the corresponding instance
- gfs2: assign rgrp glock before compute_bitstructs
- tcp: fix race condition when creating child sockets from syncookies
- tcp: Fix potential use-after-free due to double kfree()
- ALSA: usb-audio: Clear MIDI port active flag after draining
- ASoC: atmel: Remove system clock tree configuration for at91sam9g20ek
- ASoC: msm8916-wcd-digital: Check failure for devm_snd_soc_register_component
- dmaengine: imx-sdma: Fix error checking in sdma_event_remap
- dmaengine: mediatek:Fix PM usage reference leak of mtk_uart_apdma_alloc_chan_resources
- igc: Fix infinite loop in release_swfw_sync
- igc: Fix BUG: scheduling while atomic
- rxrpc: Restore removed timer deletion
- net/smc: Fix sock leak when release after smc_shutdown()
- net/packet: fix packet_sock xmit return value checking
- net/sched: cls_u32: fix possible leak in u32_init_knode()
- l3mdev: l3mdev_master_upper_ifindex_by_index_rcu should be using netdev_master_upper_dev_get_rcu
- netlink: reset network and mac headers in netlink_dump()
- selftests: mlxsw: vxlan_flooding: Prevent flooding of unwanted packets
- ARM: vexpress/spc: Avoid negative array index when !SMP
- reset: tegra-bpmp: Restore Handle errors in BPMP response
- platform/x86: samsung-laptop: Fix an unsigned comparison which can never be negative
- ALSA: usb-audio: Fix undefined behavior due to shift overflowing the constant
- vxlan: fix error return code in vxlan_fdb_append
- cifs: Check the IOCB_DIRECT flag, not O_DIRECT
- mt76: Fix undefined behavior due to shift overflowing the constant
- brcmfmac: sdio: Fix undefined behavior due to shift overflowing the constant
- dpaa_eth: Fix missing of_node_put in dpaa_get_ts_info()
- drm/msm/mdp5: check the return of kzalloc()
- net: macb: Restart tx only if queue pointer is lagging
- scsi: qedi: Fix failed disconnect handling
- stat: fix inconsistency between struct stat and struct compat_stat
- EDAC/synopsys: Read the error count from the correct register
- oom_kill.c: futex: delay the OOM reaper to allow time for proper futex cleanup
- ata: pata_marvell: Check the 'bmdma_addr' beforing reading
- dma: at_xdmac: fix a missing check on list iterator
- drm/panel/raspberrypi-touchscreen: Avoid NULL deref if not initialised
- drm/panel/raspberrypi-touchscreen: Initialise the bridge in prepare
- KVM: PPC: Fix TCE handling for VFIO
- drm/vc4: Use pm_runtime_resume_and_get to fix pm_runtime_get_sync() usage
- powerpc/perf: Fix power9 event alternatives
- xtensa: patch_text: Fixup last cpu should be master
- xtensa: fix a7 clobbering in coprocessor context load/store
- openvswitch: fix OOB access in reserve_sfa_size()
- ASoC: soc-dapm: fix two incorrect uses of list iterator
- e1000e: Fix possible overflow in LTR decoding
- ARC: entry: fix syscall_trace_exit argument
- arm_pmu: Validate single/group leader events
- ext4: fix symlink file size not match to file content
- ext4: fix use-after-free in ext4_search_dir
- ext4, doc: fix incorrect h_reserved size
- ext4: fix overhead calculation to account for the reserved gdt blocks
- ext4: force overhead calculation if the s_overhead_cluster makes no sense
- jbd2: fix a potential race while discarding reserved buffers after an abort
- spi: atmel-quadspi: Fix the buswidth adjustment between spi-mem and controller
- staging: ion: Prevent incorrect reference counting behavour
- block/compat_ioctl: fix range check in BLKGETSIZE
- Linux 5.4.191
* Focal update: v5.4.190 upstream stable release (LP: #1973085)
- memory: atmel-ebi: Fix missing of_node_put in atmel_ebi_probe
- net/sched: flower: fix parsing of ethertype following VLAN header
- veth: Ensure eth header is in skb's linear part
- gpiolib: acpi: use correct format characters
- mlxsw: i2c: Fix initialization error flow
- net/sched: fix initialization order when updating chain 0 head
- net: ethernet: stmmac: fix altr_tse_pcs function when using a fixed-link
- net/sched: taprio: Check if socket flags are valid
- cfg80211: hold bss_lock while updating nontrans_list
- drm/msm/dsi: Use connector directly in msm_dsi_manager_connector_init()
- net/smc: Fix NULL pointer dereference in smc_pnet_find_ib()
- sctp: Initialize daddr on peeled off socket
- testing/selftests/mqueue: Fix mq_perf_tests to free the allocated cpu set
- nfc: nci: add flush_workqueue to prevent uaf
- cifs: potential buffer overflow in handling symlinks
- drm/amd: Add USBC connector ID
- drm/amd/display: fix audio format not updated after edid updated
- drm/amd/display: Update VTEM Infopacket definition
- drm/amdkfd: Fix Incorrect VMIDs passed to HWS
- drm/amdkfd: Check for potential null return of kmalloc_array()
- Drivers: hv: vmbus: Prevent load re-ordering when reading ring buffer
- scsi: target: tcmu: Fix possible page UAF
- scsi: ibmvscsis: Increase INITIAL_SRP_LIMIT to 1024
- ata: libata-core: Disable READ LOG DMA EXT for Samsung 840 EVOs
- gpu: ipu-v3: Fix dev_dbg frequency output
- regulator: wm8994: Add an off-on delay for WM8994 variant
- arm64: alternatives: mark patch_alternative() as `noinstr`
- tlb: hugetlb: Add more sizes to tlb_remove_huge_tlb_entry
- net: usb: aqc111: Fix out-of-bounds accesses in RX fixup
- drm/amd/display: Fix allocate_mst_payload assert on resume
- powerpc: Fix virt_addr_valid() for 64-bit Book3E & 32-bit
- scsi: mvsas: Add PCI ID of RocketRaid 2640
- scsi: megaraid_sas: Target with invalid LUN ID is deleted during scan
- drivers: net: slip: fix NPD bug in sl_tx_timeout()
- perf/imx_ddr: Fix undefined behavior due to shift overflowing the constant
- mm, page_alloc: fix build_zonerefs_node()
- mm: kmemleak: take a full lowmem check in kmemleak_*_phys()
- gcc-plugins: latent_entropy: use /dev/urandom
- ath9k: Properly clear TX status area before reporting to mac80211
- ath9k: Fix usage of driver-private space in tx_info
- btrfs: remove unused variable in btrfs_{start,write}_dirty_block_groups()
- btrfs: mark resumed async balance as writing
- ALSA: hda/realtek: Add quirk for Clevo PD50PNT
- ALSA: pcm: Test for "silence" field in struct "pcm_format_data"
- ipv6: fix panic when forwarding a pkt with no in6 dev
- drm/amd/display: don't ignore alpha property on pre-multiplied mode
- genirq/affinity: Consider that CPUs on nodes can be unbalanced
- tick/nohz: Use WARN_ON_ONCE() to prevent console saturation
- ARM: davinci: da850-evm: Avoid NULL pointer dereference
- dm integrity: fix memory corruption when tag_size is less than digest size
- smp: Fix offline cpu check in flush_smp_call_function_queue()
- i2c: pasemi: Wait for write xfers to finish
- dma-direct: avoid redundant memory sync for swiotlb
- ax25: add refcount in ax25_dev to avoid UAF bugs
- ax25: fix reference count leaks of ax25_dev
- ax25: fix UAF bugs of net_device caused by rebinding operation
- ax25: Fix refcount leaks caused by ax25_cb_del()
- ax25: fix UAF bug in ax25_send_control()
- ax25: fix NPD bug in ax25_disconnect
- ax25: Fix NULL pointer dereferences in ax25 timers
- ax25: Fix UAF bugs in ax25 timers
- Linux 5.4.190
-- Stefan Bader <[email protected]> Wed, 22 Jun 2022 15:00:52 +0200
** Changed in: linux (Ubuntu Focal)
Status: Fix Committed => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-1789
https://bugs.launchpad.net/bugs/1978719
Title:
Ubuntu 5.4.0-117.132-generic 5.4.189 has BUG: kernel NULL pointer dereference, address: 0000000000000034
Status in linux package in Ubuntu:
Fix Released
Status in linux source package in Focal:
Fix Released
Bug description:
The 5.4.0 series of the Ubuntu kernel has missed a patch which resolves a null dereference:
[104602.951260] BUG: kernel NULL pointer dereference, address: 0000000000000034
[104602.951263] #PF: supervisor write access in kernel mode
[104602.951264] #PF: error_code(0x0002) - not-present page
[104602.951266] PGD 0 P4D 0
[104602.951269] Oops: 0002 [#1] SMP PTI
[104602.951272] CPU: 6 PID: 176572 Comm: ThreadPoolForeg Kdump: loaded Tainted: P OE 5.4.0-117-generic #132-Ubuntu
[104602.951273] Hardware name: System manufacturer System Product Name/P8P67 LE, BIOS 3801 09/12/2013
[104602.951278] RIP: 0010:unlink_anon_vmas+0x3e/0x1b0
[104602.951280] Code: 54 53 48 83 ec 08 48 8b 47 78 48 89 7d d0 48 8b 30 49 39 c5 0f 84 5e 01 00 00 4c 8d 78 f0 4c 8d 66 f0 31 db eb 21 49 8b 46 38 <83> 68 34 01 49 8b 44 24 10 49 8d 54 24 10 4d 89 e7 48 83 e8 10 49
[104602.951281] RSP: 0018:ffffc00908703bd8 EFLAGS: 00010246
[104602.951283] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[104602.951284] RDX: 0000000000000000 RSI: ffff99e8e5815c48 RDI: 0000000000000000
[104602.951286] RBP: ffffc00908703c08 R08: 0000000000000001 R09: ffffffffae665f00
[104602.951287] R10: ffff99eb808bd6c0 R11: 0000000000000001 R12: ffff99eb0fda27b8
[104602.951288] R13: ffff99eb0fda27c8 R14: ffff99e8e5815c08 R15: ffff99e7ee7af6c0
[104602.951290] FS: 0000000000000000(0000) GS:ffff99eb8eb80000(0000) knlGS:0000000000000000
[104602.951291] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[104602.951293] CR2: 0000000000000034 CR3: 000000037ae0a005 CR4: 00000000000606e0
[104602.951294] Call Trace:
[104602.951299] free_pgtables+0x93/0xf0
[104602.951301] exit_mmap+0xc7/0x1b0
[104602.951304] mmput+0x5d/0x130
[104602.951306] do_exit+0x31a/0xaf0
[104602.951309] do_group_exit+0x47/0xb0
[104602.951312] get_signal+0x169/0x890
[104602.951315] do_signal+0x34/0x6c0
[104602.951318] ? _copy_from_user+0x3e/0x60
[104602.951321] ? __x64_sys_futex+0x13f/0x170
[104602.951324] exit_to_usermode_loop+0xbf/0x160
[104602.951327] do_syscall_64+0x163/0x190
[104602.951330] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[104602.951332] RIP: 0033:0x7f58d1db27d1
[104602.951335] Code: Bad RIP value.
[104602.951336] RSP: 002b:00007f58c6987370 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[104602.951338] RAX: fffffffffffffdfc RBX: 00007f58c69875e8 RCX: 00007f58d1db27d1
[104602.951339] RDX: 0000000000000000 RSI: 0000000000000089 RDI: 00007f58c6987600
[104602.951340] RBP: 00007f58c69875d8 R08: 0000000000000000 R09: 00000000ffffffff
[104602.951341] R10: 00007f58c6987460 R11: 0000000000000246 R12: 00007f58c69875fc
[104602.951343] R13: 00007f58c69875b0 R14: 00007f58c6987600 R15: 00007f58c69873c0
The patch was posted back in 2021 to the linux kernel mailing lists:
https://lore.kernel.org/linux-mm/20210224200449.hku5gteih%[email protected]/
The defect is:
Date: Wed, 24 Feb 2021 12:04:49 -0800 [thread overview]
Message-ID: <20210224200449.hku5gteih%[email protected]> (raw)
In-Reply-To: <[email protected]>
From: Li Xinhai <[email protected]>
Subject: mm: rmap: explicitly reset vma->anon_vma in unlink_anon_vmas()
In case the vma will continue to be used after unlinking its relevant
anon_vma, we need to reset the vma->anon_vma pointer to NULL. So, later,
when a fault happens within this vma again, a new anon_vma will be prepared.
This way, the vma will only be checked for reverse mapping of pages
which were faulted in after the unlink_anon_vmas call.
Currently, the mremap with MREMAP_DONTUNMAP scenario will continue to use the
vma after moving its page table entries to a new vma. For other scenarios,
the vma itself will be freed after calling unlink_anon_vmas.
Link: https://lkml.kernel.org/r/[email protected]
Signed-off-by: Li Xinhai <[email protected]>
Cc: Andrea Arcangeli <[email protected]>
Cc: Brian Geffon <[email protected]>
Cc: Kirill A. Shutemov <[email protected]>
Cc: Lokesh Gidra <[email protected]>
Cc: Minchan Kim <[email protected]>
Cc: Vlastimil Babka <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
---
mm/rmap.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/mm/rmap.c~mm-rmap-explicitly-reset-vma-anon_vma-in-unlink_anon_vmas
+++ a/mm/rmap.c
@@ -413,8 +413,15 @@ void unlink_anon_vmas(struct vm_area_str
list_del(&avc->same_vma);
anon_vma_chain_free(avc);
}
- if (vma->anon_vma)
+ if (vma->anon_vma) {
vma->anon_vma->degree--;
+
+ /*
+ * vma would still be needed after unlink, and anon_vma will be
prepared
+ * when handle fault.
+ */
+ vma->anon_vma = NULL;
+ }
unlock_anon_vma_root(root);
/*
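Review bot: the new comment at `+ * vma would still be needed after unlink, and anon_vma will be prepared` / `+ * when handle fault.` is too vague to help the next reader of unlink_anon_vmas(); the commit message names the one caller that keeps using the vma (mremap with MREMAP_DONTUNMAP), so say that in the comment and fix the grammar (`when a fault is handled`). As quoted here the comment line is also broken across two lines (`prepared` on a line of its own), which will not apply cleanly if that is in the patch itself rather than mail wrapping. The logic is sound as far as the hunk shows: the reset sits inside the existing `if (vma->anon_vma)` so a NULL anon_vma is never dereferenced for the `degree--`, and it happens before `unlock_anon_vma_root(root)`, so the pointer is cleared while the root lock is still held.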
The latest Linux 5.4 kernel package that Ubuntu is currently shipping has the
following code:
if (vma->anon_vma)
vma->anon_vma->degree--;
unlock_anon_vma_root(root);
This is the 3rd time I've encountered the crash.
root@lazarus:/var/crash/202206141315# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.4 LTS
Release: 20.04
Codename: focal
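Two checks a focal administrator would want after reading this report, as an added example that is not part of the Launchpad report or of the Ubuntu kernel package: whether an installed 5.4.0 kernel is at or past 5.4.0-122.138, the first focal build in the changelog above that carries "mm: rmap: explicitly reset vma->anon_vma in unlink_anon_vmas()", and whether a saved kernel log shows the oops signature quoted in the report, a NULL-pointer write at address 0x34 with RIP in unlink_anon_vmas. (Decoding the bytes marked `<83> 68 34 01` in the Code: line gives `subl $1, 0x34(%rax)` with RAX = 0, i.e. a decrement of a field through a NULL struct pointer, which is what the CR2 value 0x34 reflects.) The function names, the version strings and the log text in the block are mine and constructed for the example.

```shell
# Added example (not from the Launchpad report or the Ubuntu kernel package).
# Two checks for LP: #1978719 on Ubuntu 20.04 (focal):
#   1. focal_kernel_has_fix   - is a 5.4.0 kernel at or past ABI 122, i.e.
#      5.4.0-122.138, the first focal build with the anon_vma reset?
#   2. oops_matches_lp1978719 - does a kernel log carry the oops signature
#      quoted in the report (NULL write at 0x34, RIP in unlink_anon_vmas)?
# Version strings and log text below are constructed for this example.

FIXED_ABI=122   # from "linux (5.4.0-122.138) focal" in the changelog above

# focal_kernel_has_fix VERSION
#   VERSION is a uname -r style string such as 5.4.0-117-generic or the
#   package version 5.4.0-122.138.  Returns 0 if ABI >= 122, 1 if older,
#   2 if this is not a 5.4.0 kernel (another series, e.g. the focal HWE
#   5.15 kernel, is not covered by this changelog, so refuse to guess).
focal_kernel_has_fix() {
    ver=$1
    case "$ver" in
        5.4.0-*) ;;
        *) return 2 ;;
    esac
    abi=${ver#5.4.0-}        # 117-generic  or 122.138
    abi=${abi%%[!0-9]*}      # 117          or 122
    [ -n "$abi" ] || return 2
    [ "$abi" -ge "$FIXED_ABI" ]
}

# oops_matches_lp1978719 LOGTEXT
#   Returns 0 when the text holds both identifying lines of the report's
#   oops: the NULL-pointer fault at address 0x34 and a RIP inside
#   unlink_anon_vmas.  Either line alone is too generic to match on.
oops_matches_lp1978719() {
    printf '%s\n' "$1" | grep -q 'BUG: kernel NULL pointer dereference, address: 0000000000000034' &&
    printf '%s\n' "$1" | grep -q 'RIP: 0010:unlink_anon_vmas+'
}

# Constructed sample logs: the first reproduces the report's signature,
# the second is an unrelated NULL dereference that must not match.
SAMPLE_LOG='[104602.951260] BUG: kernel NULL pointer dereference, address: 0000000000000034
[104602.951263] #PF: supervisor write access in kernel mode
[104602.951278] RIP: 0010:unlink_anon_vmas+0x3e/0x1b0
[104602.951299] free_pgtables+0x93/0xf0'
OTHER_LOG='[12.345678] BUG: kernel NULL pointer dereference, address: 0000000000000010
[12.345680] RIP: 0010:sl_tx_timeout+0x1c/0x90'

# report_kernel VERSION - human-readable verdict for one version string
report_kernel() {
    rc=0
    focal_kernel_has_fix "$1" || rc=$?
    case $rc in
        0) echo "$1: carries the LP #1978719 fix" ;;
        2) echo "$1: not a focal 5.4.0 kernel, check its own changelog" ;;
        *) echo "$1: needs 5.4.0-${FIXED_ABI} or later" ;;
    esac
}

report_kernel 5.4.0-117-generic
report_kernel 5.4.0-122-generic
report_kernel 5.15.0-43-generic
oops_matches_lp1978719 "$SAMPLE_LOG" && echo "sample log: matches the LP #1978719 oops"
oops_matches_lp1978719 "$OTHER_LOG" || echo "other log: different crash, not this bug"
```

On a live machine, `report_kernel "$(uname -r)"` checks the running kernel and `report_kernel "$(dpkg-query -W -f '${Version}' linux-image-$(uname -r))"` the installed package version. The signature match is a heuristic tied to this build: the faulting address 0x34 is the offset of the decremented field in 5.4.0-117-generic #132-Ubuntu, so on a kernel with a different struct layout match on the unlink_anon_vmas symbol and re-check the Code: bytes rather than the address.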