[Kernel-packages] [Bug 1889735] Re: tap: use after free

2020-09-01 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 4.15.0-115.116

---
linux (4.15.0-115.116) bionic; urgency=medium

  * bionic/linux: 4.15.0-115.116 -proposed tracker (LP: #1893055)

  * [Potential Regression] dscr_inherit_exec_test from powerpc in
    ubuntu_kernel_selftests failed on B/E/F (LP: #1888332)
- powerpc/64s: Don't init FSCR_DSCR in __init_FSCR()

linux (4.15.0-114.115) bionic; urgency=medium

  * bionic/linux: 4.15.0-114.115 -proposed tracker (LP: #1891052)

  * ipsec: policy priority management is broken (LP: #1890796)
- xfrm: policy: match with both mark and mask on user interfaces

linux (4.15.0-113.114) bionic; urgency=medium

  * bionic/linux: 4.15.0-113.114 -proposed tracker (LP: #1890705)

  * Packaging resync (LP: #1786013)
- update dkms package versions

  * Reapply "usb: handle warm-reset port requests on hub resume" (LP: #1859873)
- usb: handle warm-reset port requests on hub resume

  * Bionic update: upstream stable patchset 2020-07-29 (LP: #1889474)
- gpio: arizona: handle pm_runtime_get_sync failure case
- gpio: arizona: put pm_runtime in case of failure
- pinctrl: amd: fix npins for uart0 in kerncz_groups
- mac80211: allow rx of mesh eapol frames with default rx key
- scsi: scsi_transport_spi: Fix function pointer check
- xtensa: fix __sync_fetch_and_{and,or}_4 declarations
- xtensa: update *pos in cpuinfo_op.next
- drivers/net/wan/lapbether: Fixed the value of hard_header_len
- net: sky2: initialize return of gm_phy_read
- drm/nouveau/i2c/g94-: increase NV_PMGR_DP_AUXCTL_TRANSACTREQ timeout
- irqdomain/treewide: Keep firmware node unconditionally allocated
- SUNRPC reverting d03727b248d0 ("NFSv4 fix CLOSE not waiting for direct IO
  compeletion")
- spi: spi-fsl-dspi: Exit the ISR with IRQ_NONE when it's not ours
- IB/umem: fix reference count leak in ib_umem_odp_get()
- uprobes: Change handle_swbp() to send SIGTRAP with si_code=SI_KERNEL, to fix
  GDB regression
- ALSA: info: Drop WARN_ON() from buffer NULL sanity check
- ASoC: rt5670: Correct RT5670_LDO_SEL_MASK
- btrfs: fix double free on ulist after backref resolution failure
- btrfs: fix mount failure caused by race with umount
- btrfs: fix page leaks after failure to lock page for delalloc
- bnxt_en: Fix race when modifying pause settings.
- hippi: Fix a size used in a 'pci_free_consistent()' in an error handling
  path
- ax88172a: fix ax88172a_unbind() failures
- net: dp83640: fix SIOCSHWTSTAMP to update the struct with actual
  configuration
- drm: sun4i: hdmi: Fix inverted HPD result
- net: smc91x: Fix possible memory leak in smc_drv_probe()
- bonding: check error value of register_netdevice() immediately
- mlxsw: destroy workqueue when trap_register in mlxsw_emad_init
- ipvs: fix the connection sync failed in some cases
- i2c: rcar: always clear ICSAR to avoid side effects
- bonding: check return value of register_netdevice() in bond_newlink()
- serial: exar: Fix GPIO configuration for Sealevel cards based on XR17V35X
- scripts/decode_stacktrace: strip basepath from all paths
- HID: i2c-hid: add Mediacom FlexBook edge13 to descriptor override
- HID: apple: Disable Fn-key key-re-mapping on clone keyboards
- dmaengine: tegra210-adma: Fix runtime PM imbalance on error
- Input: add `SW_MACHINE_COVER`
- spi: mediatek: use correct SPI_CFG2_REG MACRO
- regmap: dev_get_regmap_match(): fix string comparison
- hwmon: (aspeed-pwm-tacho) Avoid possible buffer overflow
- dmaengine: ioat setting ioat timeout as module parameter
- Input: synaptics - enable InterTouch for ThinkPad X1E 1st gen
- usb: gadget: udc: gr_udc: fix memleak on error handling path in
  gr_ep_init()
- arm64: Use test_tsk_thread_flag() for checking TIF_SINGLESTEP
- x86: math-emu: Fix up 'cmp' insn for clang ias
- binder: Don't use mmput() from shrinker function.
- usb: xhci-mtk: fix the failure of bandwidth allocation
- usb: xhci: Fix ASM2142/ASM3142 DMA addressing
- Revert "cifs: Fix the target file was deleted when rename failed."
- staging: wlan-ng: properly check endpoint types
- staging: comedi: addi_apci_1032: check INSN_CONFIG_DIGITAL_TRIG shift
- staging: comedi: ni_6527: fix INSN_CONFIG_DIGITAL_TRIG support
- staging: comedi: addi_apci_1500: check INSN_CONFIG_DIGITAL_TRIG shift
- staging: comedi: addi_apci_1564: check INSN_CONFIG_DIGITAL_TRIG shift
- serial: 8250: fix null-ptr-deref in serial8250_start_tx()
- serial: 8250_mtk: Fix high-speed baud rates clamping
- fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.
- vt: Reject zero-sized screen buffer size.
- Makefile: Fix GCC_TOOLCHAIN_DIR prefix for Clang cross compilation
- mm/memcg: fix refcount error while moving and swapping
- io-mapping: indicate mapping failure
- parisc: Add atomic64_set_release() 

[Kernel-packages] [Bug 1889735] Re: tap: use after free

2020-08-25 Thread Stefan Bader
This is an upstream fix for a change that was released in v4.8. So we
can treat that as part of stable.

** Tags removed: verification-needed-bionic
** Tags added: verification-done-bionic

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1889735

Title:
  tap: use after free

Status in linux package in Ubuntu:
  Invalid
Status in linux source package in Bionic:
  Fix Committed

Bug description:
  [Impact]

  If the socket buffer array of a tap queue is full, a received package
  needs to be dropped. Currently, the check for the array being full is
  performed lockless, which might lead to use-after-free errors if the
  socket buffer array has been resized.

  [Test Case]

  TBD.

  [Regression Potential]

  The check for the array being full is simply dropped. In case the
  array is full, subsequent frame handling will fail and the frame is
  eventually dropped. A regression would manifest itself if the frame is
  not dropped for whatever reason and inserted into the full (ring)
  buffer, overwriting the oldest frame in the buffer. So we'd end up
  with frame/packet loss.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1889735/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
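
The race in the bug description above, as an added example that is not part of this thread or of the kernel source: a userspace model of a ring whose slot array is freed on resize, with the fullness test done only under the lock. The names `ring`, `ring_produce`, `ring_resize` and `handle_frame` are hypothetical, and the `atomic_flag` spin loop stands in for the kernel spinlock.

```c
/* Userspace model added for illustration; hypothetical names, not kernel code. */
#include <errno.h>
#include <stdatomic.h>
#include <stdlib.h>
struct ring {
    atomic_flag lock;              /* stands in for the ring's spinlock */
    void **queue;                  /* slot array; swapped and freed by ring_resize() */
    int size, producer, consumer;
};
static void ring_lock(struct ring *r)   { while (atomic_flag_test_and_set(&r->lock)) { } }
static void ring_unlock(struct ring *r) { atomic_flag_clear(&r->lock); }

/* "Full" = producer slot occupied; tested under the lock, so ring_resize() cannot free r->queue underneath. */
int ring_produce(struct ring *r, void *frame)
{
    ring_lock(r);
    int full = !r->size || r->queue[r->producer] != NULL;
    if (!full) {
        r->queue[r->producer] = frame;
        r->producer = (r->producer + 1) % r->size;
    }
    ring_unlock(r);
    return full ? -ENOSPC : 0;
}

/* On a zeroed ring this allocates; later calls move pending frames (up to the new size) and free the old array. */
int ring_resize(struct ring *r, int size)
{
    void **old, **newq = size > 0 ? calloc((size_t)size, sizeof(*newq)) : NULL;
    int n = 0;
    if (!newq) return -ENOMEM;
    ring_lock(r);
    for (; r->size && n < size && r->queue[r->consumer]; r->consumer = (r->consumer + 1) % r->size) {
        newq[n++] = r->queue[r->consumer];
        r->queue[r->consumer] = NULL;
    }
    old = r->queue; r->queue = newq; r->size = size;
    r->consumer = 0; r->producer = n % size;
    ring_unlock(r);
    free(old);                     /* an unlocked reader of the old array would now touch freed memory */
    return 0;
}

/* Post-fix receive path: no unlocked fullness pre-check; ring_produce() reports a full ring. */
int handle_frame(struct ring *r, void *frame, int *dropped)
{
    int ret = ring_produce(r, frame);
    if (ret) ++*dropped;
    return ret;
}
```

With the pre-check gone, a full ring costs one lock acquisition before the frame is dropped, which is the behaviour the [Regression Potential] section relies on.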


[Kernel-packages] [Bug 1889735] Re: tap: use after free

2020-08-10 Thread Ubuntu Kernel Bot
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag
'verification-needed-bionic' to 'verification-done-bionic'. If the
problem still exists, change the tag 'verification-needed-bionic' to
'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Thank you!


** Tags added: verification-needed-bionic



[Kernel-packages] [Bug 1889735] Re: tap: use after free

2020-08-07 Thread Khaled El Mously
** Changed in: linux (Ubuntu Bionic)
   Status: Confirmed => Fix Committed



[Kernel-packages] [Bug 1889735] Re: tap: use after free

2020-08-04 Thread Juerg Haefliger
** Description changed:

  [Impact]
  
  If the socket buffer array of a tap queue is full, a received package
  needs to be dropped. Currently, the check for the array being full is
  performed lockless, which might lead to use-after-free errors if the
  socket buffer array has been resized.
  
  [Test Case]
  
  TBD.
  
  [Regression Potential]
  
  The check for the array being full is simply dropped. In case the array
  is full, subsequent frame handling will fail and the frame is eventually
  dropped. A regression would manifest itself if the frame is not dropped
- for whatever reason and inserted into the (ring) buffer, overwriting the
- oldest frame in the buffer.
+ for whatever reason and inserted into the full (ring) buffer,
+ overwriting the oldest frame in the buffer. So we'd end up with
+ frame/packet loss.
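
Review bot: In [Regression Potential], the reworded closing sentences still do not say which step rejects the frame once the explicit full check is gone; "subsequent frame handling will fail" in the unchanged context carries the whole argument. Naming the operation that reports the full array, and stating whether it runs under the lock, would let a verifier judge whether the "inserted into the full (ring) buffer" case can occur at all.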


Title:
  tap: use after free

Status in linux package in Ubuntu:
  Invalid
Status in linux source package in Bionic:
  Confirmed



[Kernel-packages] [Bug 1889735] Re: tap: use after free

2020-07-31 Thread Juerg Haefliger
** Description changed:

- TBD
+ [Impact]
+ 
+ If the socket buffer array of a tap queue is full, a received package
+ needs to be dropped. Currently, the check for the array being full is
+ performed lockless, which might lead to use-after-free errors if the
+ socket buffer array has been resized.
+ 
+ [Test Case]
+ 
+ TBD.
+ 
+ [Regression Potential]
+ 
+ The check for the array being full is simply dropped. In case the array
+ is full, subsequent frame handling will fail and the frame is eventually
+ dropped. A regression would manifest itself if the frame is not dropped
+ for whatever reason and inserted into the (ring) buffer, overwriting the
+ oldest frame in the buffer.
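
Review bot: [Test Case] is added as "TBD.", so the description gives no way to reproduce the use-after-free or to confirm the fix; either describe a reproducer or state that none exists and what the fix is verified against instead. In [Impact], "a received package" reads as a slip for "packet", and the sentence would be clearer if it said what resizes the socket buffer array.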

** Changed in: linux (Ubuntu)
   Status: Incomplete => Invalid

** Changed in: linux (Ubuntu Bionic)
   Status: Incomplete => Confirmed


Title:
  tap: use after free

Status in linux package in Ubuntu:
  Invalid
Status in linux source package in Bionic:
  Confirmed
