[Kernel-packages] [Bug 1886860] Re: cgroup refcount is bogus when cgroup_sk_alloc is disabled

2020-09-21 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 4.15.0-118.119

---
linux (4.15.0-118.119) bionic; urgency=medium

  * bionic/linux: 4.15.0-118.119 -proposed tracker (LP: #1894697)

  * Packaging resync (LP: #1786013)
- update dkms package versions

  * Introduce the new NVIDIA 450-server and the 450 UDA series (LP: #1887674)
- [packaging] add signed modules for nvidia 450 and 450-server

  * cgroup refcount is bogus when cgroup_sk_alloc is disabled (LP: #1886860)
- cgroup: add missing skcd->no_refcnt check in cgroup_sk_clone()

  * CVE-2020-12888
- vfio/type1: Support faulting PFNMAP vmas
- vfio-pci: Fault mmaps to enable vma tracking
- vfio-pci: Invalidate mmaps and block MMIO access on disabled memory

  *  [Hyper-V] VSS and File Copy daemons intermittently fails to start
(LP: #1891224)
- [Packaging] Bind hv_vss_daemon startup to hv_vss device
- [Packaging] bind hv_fcopy_daemon startup to hv_fcopy device

  * KVM: Fix zero_page reference counter overflow when using KSM on KVM compute
host (LP: #1837810)
- KVM: fix overflow of zero page refcount with ksm running

  * Fix false-negative return value for rtnetlink.sh in kselftests/net
(LP: #1890136)
- selftests: rtnetlink: correct the final return value for the test
- selftests: rtnetlink: make kci_test_encap() return sub-test result

  * Bionic update: upstream stable patchset 2020-08-18 (LP: #1892091)
- USB: serial: qcserial: add EM7305 QDL product ID
- USB: iowarrior: fix up report size handling for some devices
- usb: xhci: define IDs for various ASMedia host controllers
- usb: xhci: Fix ASMedia ASM1142 DMA addressing
- Revert "ALSA: hda: call runtime_allow() for all hda controllers"
- ALSA: seq: oss: Serialize ioctls
- staging: android: ashmem: Fix lockdep warning for write operation
- Bluetooth: Fix slab-out-of-bounds read in 
hci_extended_inquiry_result_evt()
- Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_evt()
- Bluetooth: Prevent out-of-bounds read in 
hci_inquiry_result_with_rssi_evt()
- omapfb: dss: Fix max fclk divider for omap36xx
- binder: Prevent context manager from incrementing ref 0
- vgacon: Fix for missing check in scrollback handling
- mtd: properly check all write ioctls for permissions
- leds: wm831x-status: fix use-after-free on unbind
- leds: da903x: fix use-after-free on unbind
- leds: lm3533: fix use-after-free on unbind
- leds: 88pm860x: fix use-after-free on unbind
- net/9p: validate fds in p9_fd_open
- drm/nouveau/fbcon: fix module unload when fbcon init has failed for some
  reason
- drm/nouveau/fbcon: zero-initialise the mode_cmd2 structure
- i2c: slave: improve sanity check when registering
- i2c: slave: add sanity check when unregistering
- usb: hso: check for return value in hso_serial_common_create()
- firmware: Fix a reference count leak.
- cfg80211: check vendor command doit pointer before use
- igb: reinit_locked() should be called with rtnl_lock
- atm: fix atm_dev refcnt leaks in atmtcp_remove_persistent
- tools lib traceevent: Fix memory leak in process_dynamic_array_len
- Drivers: hv: vmbus: Ignore CHANNELMSG_TL_CONNECT_RESULT(23)
- xattr: break delegations in {set,remove}xattr
- ipv4: Silence suspicious RCU usage warning
- ipv6: fix memory leaks on IPV6_ADDRFORM path
- net: ethernet: mtk_eth_soc: fix MTU warnings
- vxlan: Ensure FDB dump is performed under RCU
- net: lan78xx: replace bogus endpoint lookup
- hv_netvsc: do not use VF device if link is down
- net: gre: recompute gre csum for sctp over gre tunnels
- openvswitch: Prevent kernel-infoleak in ovs_ct_put_key()
- Revert "vxlan: fix tos value before xmit"
- selftests/net: relax cpu affinity requirement in msg_zerocopy test
- rxrpc: Fix race between recvmsg and sendmsg on immediate call failure
- i40e: add num_vectors checker in iwarp handler
- i40e: Wrong truncation from u16 to u8
- i40e: Memory leak in i40e_config_iwarp_qvlist
- Smack: fix use-after-free in smk_write_relabel_self()

  * Bionic update: upstream stable patchset 2020-08-11 (LP: #1891228)
- AX.25: Fix out-of-bounds read in ax25_connect()
- AX.25: Prevent out-of-bounds read in ax25_sendmsg()
- dev: Defer free of skbs in flush_backlog
- drivers/net/wan/x25_asy: Fix to make it work
- net-sysfs: add a newline when printing 'tx_timeout' by sysfs
- net: udp: Fix wrong clean up for IS_UDPLITE macro
- rxrpc: Fix sendmsg() returning EPIPE due to recvmsg() returning ENODATA
- AX.25: Prevent integer overflows in connect and sendmsg
- ip6_gre: fix null-ptr-deref in ip6gre_init_net()
- rtnetlink: Fix memory(net_device) leak when ->newlink fails
- tcp: allow at most one TLP probe per flight
- regmap: debugfs: check count when read regmap file
- qrtr: orphan socket in qrtr_release()
- sctp: 

[Kernel-packages] [Bug 1886860] Re: cgroup refcount is bogus when cgroup_sk_alloc is disabled

2020-09-18 Thread Kelsey Margarete Skunberg
Confirmed verification is done on Bionic. Switched status. Conversation
from Mattermost:


kmously
@cascardo Does LP#1886860 need verification? I'm trying to verify it myself, 
but I'm getting some strange behaviour on bionic.
With the -updates kernel, your reproducer reboots the machine in an infinite 
loop (it reboots as soon as you install the .deb, and then again basically as 
soon as the login prompt is shown)
With the -proposed -118 kernel, your reproducer simply crashes the machine -- 
no reboots. It immediately hangs the kernel upon installation of the .deb, and 
any (hard) reboots also boot to a hung machine
I'm testing these kernels in KVM vms



cascardo
2:31 AM
@kmously, then it's verified. The reboot is needed because the crash may not 
happen every time
And once it changes to disabling cgroup2 behavior, we need a reboot to retry


kelsey
10:20 AM
@cascardo @kmously  for LP#1886860, just to clarify, I'm clear to switch 
verification for Bionic to done? Should Focal be switched to done as well?


smb
10:23 AM
Focal already is vt done. IIRC the above thing was only for bionic

cascardo
10:24 AM
@kelsey so switch to verified on bionic. we did this issue as a respin. it came 
up again on bionic, because the stable version, which was backported with an 
error, got picked up instead of my proper backport

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-oem-5.6 in Ubuntu.
https://bugs.launchpad.net/bugs/1886860

Title:
  cgroup refcount is bogus when cgroup_sk_alloc is disabled

Status in linux package in Ubuntu:
  Invalid
Status in linux-oem-5.6 package in Ubuntu:
  Fix Released
Status in linux source package in Bionic:
  Fix Committed
Status in linux-oem-5.6 source package in Bionic:
  Invalid
Status in linux source package in Eoan:
  Won't Fix
Status in linux-oem-5.6 source package in Eoan:
  Invalid
Status in linux source package in Focal:
  Fix Committed
Status in linux-oem-5.6 source package in Focal:
  Fix Released
Status in linux source package in Groovy:
  Invalid
Status in linux-oem-5.6 source package in Groovy:
  Fix Released

Bug description:
  [Impact]
  When net_prio and net_cls cgroups are used, cgroup refcount is bogus, as it's 
not incremented anymore, but decremented when sockets are closed.

  This might lead to crashes possibly because of use-after-free when
  packets are received as shown in LP #1886668.

  [Test case]
  Ran reproducer from comment #2.

  [Regression potential]
  We could break the use of cgroup bpf. The use of cgroup bpf looks to still be 
working from the reproducer.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1886860/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
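
The imbalance in the bug description above, and the role of the `skcd->no_refcnt` check named in the 4.15.0-118.119 changelog, shown as an added user-space C model (not kernel code and not part of the original thread). The `model_*` functions, `struct skcd_model` and `run_lifecycle` are hypothetical names, and the cgroup is simplified to a plain counter.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed user-space model of the reference counting discussed in
 * the bug description. None of this is kernel code. */
struct cgroup_model {
    int refcnt;                 /* references held on the cgroup */
};

struct skcd_model {
    struct cgroup_model *cgrp;  /* cgroup the free path resolves to */
    bool no_refcnt;             /* set when allocation took no reference */
};

/* Socket creation: with cgroup_sk_alloc disabled (net_prio/net_cls in
 * use), no reference is taken and the socket is flagged accordingly. */
static void model_sk_alloc(struct skcd_model *skcd, struct cgroup_model *cgrp,
                           bool alloc_disabled)
{
    skcd->cgrp = cgrp;
    skcd->no_refcnt = alloc_disabled;
    if (!alloc_disabled)
        cgrp->refcnt++;
}

/* Socket clone: the child copies the parent's data. honor_flag selects
 * whether the no_refcnt check is present in this path. */
static void model_sk_clone(struct skcd_model *child,
                           const struct skcd_model *parent, bool honor_flag)
{
    *child = *parent;
    if (honor_flag && child->no_refcnt)
        return;
    child->cgrp->refcnt++;
}

/* Socket close: honor_flag selects whether the no_refcnt check is
 * present in this path. */
static void model_sk_free(struct skcd_model *skcd, bool honor_flag)
{
    if (honor_flag && skcd->no_refcnt)
        return;
    skcd->cgrp->refcnt--;
}

/* One parent socket, `clones` cloned children, everything closed.
 * Returns the refcount drift from the baseline: 0 is balanced,
 * negative is an underflow (use-after-free risk), positive is a leak. */
int run_lifecycle(bool alloc_disabled, bool clone_checks, bool free_checks,
                  int clones)
{
    struct cgroup_model cg = { .refcnt = 1 };  /* baseline reference */
    struct skcd_model parent, child;

    model_sk_alloc(&parent, &cg, alloc_disabled);
    for (int i = 0; i < clones; i++) {
        model_sk_clone(&child, &parent, clone_checks);
        model_sk_free(&child, free_checks);
    }
    model_sk_free(&parent, free_checks);
    return cg.refcnt - 1;
}

int main(void)
{
    printf("alloc enabled, all checks:        %d\n",
           run_lifecycle(false, true, true, 3));
    printf("alloc disabled, no checks:        %d\n",
           run_lifecycle(true, false, false, 3));
    printf("alloc disabled, free-only check:  %d\n",
           run_lifecycle(true, false, true, 3));
    printf("alloc disabled, clone+free check: %d\n",
           run_lifecycle(true, true, true, 3));
    return 0;
}
```

In the model, the count stays balanced only when every path that takes or drops a reference honors the same flag; a check in the free path alone turns the underflow into a leak of one reference per cloned socket.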


[Kernel-packages] [Bug 1886860] Re: cgroup refcount is bogus when cgroup_sk_alloc is disabled

2020-09-18 Thread Kelsey Margarete Skunberg
** Tags removed: verification-needed-bionic
** Tags added: verification-done-bionic



[Kernel-packages] [Bug 1886860] Re: cgroup refcount is bogus when cgroup_sk_alloc is disabled

2020-08-26 Thread Launchpad Bug Tracker
This bug was fixed in the package linux-oem-5.6 - 5.6.0-1021.21+20.10.2

---
linux-oem-5.6 (5.6.0-1021.21+20.10.2) groovy; urgency=medium

  * dkms artifacts may expire from the pool (LP: #1850958)
- [Packaging] autoreconstruct -- manage executable debian files

linux-oem-5.6 (5.6.0-1021.21+20.10.1) groovy; urgency=medium

  * dkms artifacts may expire from the pool (LP: #1850958)
- [packaging] handle downloads from the librarian better

  * Packaging resync (LP: #1786013)
- [Packaging] update helper scripts
- [Packaging] update update.conf
- update dkms package versions

  * Introduce the new NVIDIA 450-server and the 450 UDA series (LP: #1887674)
- [Packaging] NVIDIA -- Add signed modules for 450

  * Miscellaneous upstream changes
- usbip: tools: fix build error for multiple definition
- libtraceevent: Fix build with binutils 2.35
- perf cs-etm: Move definition of 'traceid_list' global variable from header
  file

linux-oem-5.6 (5.6.0-1021.21) groovy; urgency=medium

  * Emtpy entry.

linux-oem-5.6 (5.6.0-1021.21) focal; urgency=medium

  * focal/linux-oem-5.6: 5.6.0-1021.21 -proposed tracker (LP: #1889371)

  * Fix right speaker of HP laptop (LP: #1889375)
- SAUCE: hda/realtek: Fix right speaker of HP laptop

  * blk_update_request error when mount nvme partition (LP: #1872383)
- SAUCE: nvme-pci: prevent SK hynix PC400 from using Write Zeroes command

  * cgroup refcount is bogus when cgroup_sk_alloc is disabled (LP: #1886860)
- cgroup: fix cgroup_sk_alloc() for sk_clone_lock()
- cgroup: Fix sock_cgroup_data on big-endian.

  * Add support for Atlantic NIC firmware v4 (LP: #1886908)
- net: atlantic: simplify hw_get_fw_version() usage
- net: atlantic: align return value of ver_match function with function name
- net: atlantic: add support for FW 4.x

  * Restart the machine successfully after suspend (LP: #1888375)
- SAUCE: iommu/vt-d: Skip TE disabling on quirky gfx dedicated iommu
- iommu/vt-d: Don't apply gfx quirks to untrusted devices

  * Wakeup the system by touching the touchpad (LP: #1888331)
- gpio: gpiolib: Allow GPIO IRQs to lazy disable
- HID: i2c-hid: Enable wakeup capability from Suspend-to-Idle

  * soc/amd/renoir: detect dmic from acpi table (LP: #1887734)
- ASoC: amd: add logic to check dmic hardware runtime
- ASoC: amd: add ACPI dependency check
- ASoC: amd: fixed kernel warnings

  * [SRU][PATCH 0/1][oem-5.6] fix amd RENOIR screen backlight issue.
(LP: #1886785)
- Revert "drm/amd/display: disable dcn20 abm feature for bring up"

  * Enable Quectel EG95 LTE modem [2c7c:0195]  (LP: #1886744)
- net: usb: qmi_wwan: add support for Quectel EG95 LTE modem
- USB: serial: option: add Quectel EG95 LTE modem

  * soc/amd/renoir: change the module name to make it work with ucm3
(LP: #1888166)
- AsoC: amd: add missing snd- module prefix to the acp3x-rn driver kernel
  module
- remove a kernel module since its name is changed

  * System stops responding while entering S3 with SD card installed
(LP: #1880519)
- xhci: Return if xHCI doesn't support LPM
- xhci: Poll for U0 after disabling USB2 LPM

  * [SRU][F/OEM-5.6] add a new OLED panel support for brightness control
(LP: #1887909)
- drm/dp: Lenovo X13 Yoga OLED panel brightness fix

 -- Seth Forshee   Mon, 24 Aug 2020 13:18:25 -0500

** Changed in: linux-oem-5.6 (Ubuntu Groovy)
   Status: New => Fix Released


[Kernel-packages] [Bug 1886860] Re: cgroup refcount is bogus when cgroup_sk_alloc is disabled

2020-08-18 Thread Brian Murray
The Eoan Ermine has reached end of life, so this bug will not be fixed
for that release

** Changed in: linux (Ubuntu Eoan)
   Status: Fix Committed => Won't Fix

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-oem-5.6 in Ubuntu.
https://bugs.launchpad.net/bugs/1886860

Title:
  cgroup refcount is bogus when cgroup_sk_alloc is disabled

Status in linux package in Ubuntu:
  Invalid
Status in linux-oem-5.6 package in Ubuntu:
  New
Status in linux source package in Bionic:
  Fix Committed
Status in linux-oem-5.6 source package in Bionic:
  Invalid
Status in linux source package in Eoan:
  Won't Fix
Status in linux-oem-5.6 source package in Eoan:
  Invalid
Status in linux source package in Focal:
  Fix Committed
Status in linux-oem-5.6 source package in Focal:
  Fix Released
Status in linux source package in Groovy:
  Invalid
Status in linux-oem-5.6 source package in Groovy:
  New



[Kernel-packages] [Bug 1886860] Re: cgroup refcount is bogus when cgroup_sk_alloc is disabled

2020-08-13 Thread Ubuntu Kernel Bot
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag 'verification-needed-
bionic' to 'verification-done-bionic'. If the problem still exists,
change the tag 'verification-needed-bionic' to 'verification-failed-
bionic'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on
how to enable and use -proposed. Thank you!


** Tags added: verification-needed-bionic

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-oem-5.6 in Ubuntu.
https://bugs.launchpad.net/bugs/1886860

Title:
  cgroup refcount is bogus when cgroup_sk_alloc is disabled

Status in linux package in Ubuntu:
  Invalid
Status in linux-oem-5.6 package in Ubuntu:
  New
Status in linux source package in Bionic:
  Fix Committed
Status in linux-oem-5.6 source package in Bionic:
  Invalid
Status in linux source package in Eoan:
  Fix Committed
Status in linux-oem-5.6 source package in Eoan:
  Invalid
Status in linux source package in Focal:
  Fix Committed
Status in linux-oem-5.6 source package in Focal:
  Fix Released
Status in linux source package in Groovy:
  Invalid
Status in linux-oem-5.6 source package in Groovy:
  New



[Kernel-packages] [Bug 1886860] Re: cgroup refcount is bogus when cgroup_sk_alloc is disabled

2020-08-13 Thread Launchpad Bug Tracker
This bug was fixed in the package linux-oem-5.6 - 5.6.0-1021.21

---
linux-oem-5.6 (5.6.0-1021.21) focal; urgency=medium

  * focal/linux-oem-5.6: 5.6.0-1021.21 -proposed tracker (LP: #1889371)

  * Fix right speaker of HP laptop (LP: #1889375)
- SAUCE: hda/realtek: Fix right speaker of HP laptop

  * blk_update_request error when mount nvme partition (LP: #1872383)
- SAUCE: nvme-pci: prevent SK hynix PC400 from using Write Zeroes command

  * cgroup refcount is bogus when cgroup_sk_alloc is disabled (LP: #1886860)
- cgroup: fix cgroup_sk_alloc() for sk_clone_lock()
- cgroup: Fix sock_cgroup_data on big-endian.

  * Add support for Atlantic NIC firmware v4 (LP: #1886908)
- net: atlantic: simplify hw_get_fw_version() usage
- net: atlantic: align return value of ver_match function with function name
- net: atlantic: add support for FW 4.x

  * Restart the machine successfully after suspend (LP: #1888375)
- SAUCE: iommu/vt-d: Skip TE disabling on quirky gfx dedicated iommu
- iommu/vt-d: Don't apply gfx quirks to untrusted devices

  * Wakeup the system by touching the touchpad (LP: #1888331)
- gpio: gpiolib: Allow GPIO IRQs to lazy disable
- HID: i2c-hid: Enable wakeup capability from Suspend-to-Idle

  * soc/amd/renoir: detect dmic from acpi table (LP: #1887734)
- ASoC: amd: add logic to check dmic hardware runtime
- ASoC: amd: add ACPI dependency check
- ASoC: amd: fixed kernel warnings

  * [SRU][PATCH 0/1][oem-5.6] fix amd RENOIR screen backlight issue.
(LP: #1886785)
- Revert "drm/amd/display: disable dcn20 abm feature for bring up"

  * Enable Quectel EG95 LTE modem [2c7c:0195]  (LP: #1886744)
- net: usb: qmi_wwan: add support for Quectel EG95 LTE modem
- USB: serial: option: add Quectel EG95 LTE modem

  * soc/amd/renoir: change the module name to make it work with ucm3
(LP: #1888166)
- AsoC: amd: add missing snd- module prefix to the acp3x-rn driver kernel
  module
- remove a kernel module since its name is changed

  * System stops responding while entering S3 with SD card installed
(LP: #1880519)
- xhci: Return if xHCI doesn't support LPM
- xhci: Poll for U0 after disabling USB2 LPM

  * [SRU][F/OEM-5.6] add a new OLED panel support for brightness control
(LP: #1887909)
- drm/dp: Lenovo X13 Yoga OLED panel brightness fix

 -- Timo Aaltonen   Wed, 29 Jul 2020 21:08:56 +0300

** Changed in: linux-oem-5.6 (Ubuntu Focal)
   Status: Fix Committed => Fix Released



[Kernel-packages] [Bug 1886860] Re: cgroup refcount is bogus when cgroup_sk_alloc is disabled

2020-08-12 Thread Timo Aaltonen
acelan: did you mean to verify this for oem-5.6?

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-oem-5.6 in Ubuntu.
https://bugs.launchpad.net/bugs/1886860

Title:
  cgroup refcount is bogus when cgroup_sk_alloc is disabled

Status in linux package in Ubuntu:
  Invalid
Status in linux-oem-5.6 package in Ubuntu:
  New
Status in linux source package in Bionic:
  Fix Committed
Status in linux-oem-5.6 source package in Bionic:
  Invalid
Status in linux source package in Eoan:
  Fix Committed
Status in linux-oem-5.6 source package in Eoan:
  Invalid
Status in linux source package in Focal:
  Fix Committed
Status in linux-oem-5.6 source package in Focal:
  Fix Committed
Status in linux source package in Groovy:
  Invalid
Status in linux-oem-5.6 source package in Groovy:
  New



[Kernel-packages] [Bug 1886860] Re: cgroup refcount is bogus when cgroup_sk_alloc is disabled

2020-08-07 Thread Khaled El Mously
** Changed in: linux (Ubuntu Bionic)
   Status: In Progress => Fix Committed

** Changed in: linux (Ubuntu Eoan)
   Status: In Progress => Fix Committed

** Changed in: linux (Ubuntu Focal)
   Status: In Progress => Fix Committed



[Kernel-packages] [Bug 1886860] Re: cgroup refcount is bogus when cgroup_sk_alloc is disabled

2020-07-31 Thread Ubuntu Kernel Bot
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag 'verification-needed-
focal' to 'verification-done-focal'. If the problem still exists, change
the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on
how to enable and use -proposed. Thank you!


** Tags added: verification-needed-focal

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-oem-5.6 in Ubuntu.
https://bugs.launchpad.net/bugs/1886860

Title:
  cgroup refcount is bogus when cgroup_sk_alloc is disabled

Status in linux package in Ubuntu:
  Invalid
Status in linux-oem-5.6 package in Ubuntu:
  New
Status in linux source package in Bionic:
  In Progress
Status in linux-oem-5.6 source package in Bionic:
  Invalid
Status in linux source package in Eoan:
  In Progress
Status in linux-oem-5.6 source package in Eoan:
  Invalid
Status in linux source package in Focal:
  In Progress
Status in linux-oem-5.6 source package in Focal:
  Fix Committed
Status in linux source package in Groovy:
  Invalid
Status in linux-oem-5.6 source package in Groovy:
  New



[Kernel-packages] [Bug 1886860] Re: cgroup refcount is bogus when cgroup_sk_alloc is disabled

2020-07-29 Thread Timo Aaltonen
** Also affects: linux-oem-5.6 (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: linux-oem-5.6 (Ubuntu Focal)
   Status: New => Fix Committed

** Changed in: linux-oem-5.6 (Ubuntu Bionic)
   Status: New => Invalid

** Changed in: linux-oem-5.6 (Ubuntu Eoan)
   Status: New => Invalid



[Kernel-packages] [Bug 1886860] Re: cgroup refcount is bogus when cgroup_sk_alloc is disabled

2020-07-27 Thread Thadeu Lima de Souza Cascardo
** Changed in: linux (Ubuntu Groovy)
   Status: In Progress => Invalid

** Description changed:

- When net_prio and net_cls cgroups are used, cgroup refcount is bogus, as
- it's not incremented anymore, but decremented when sockets are closed.
+ [Impact]
+ When net_prio and net_cls cgroups are used, cgroup refcount is bogus, as it's 
not incremented anymore, but decremented when sockets are closed.
  
  This might lead to crashes possibly because of use-after-free when
  packets are received as shown in LP #1886668.
  
- Cascardo.
+ [Test case]
+ Ran reproducer from comment #2.
+ 
+ [Regression potential]
+ We could break the use of cgroup bpf. The use of cgroup bpf looks to still be 
working from the reproducer.
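
Review bot: the added [Test case] section says only "Ran reproducer from comment #2", which records that the reproducer was run but not what result counts as a pass or a fail. Suggest stating the expected outcome with and without the fix, and naming in [Regression potential] which check led to the conclusion that cgroup bpf "looks to still be working".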

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1886860

Title:
  cgroup refcount is bogus when cgroup_sk_alloc is disabled

Status in linux package in Ubuntu:
  Invalid
Status in linux source package in Bionic:
  In Progress
Status in linux source package in Eoan:
  In Progress
Status in linux source package in Focal:
  In Progress
Status in linux source package in Groovy:
  Invalid



[Kernel-packages] [Bug 1886860] Re: cgroup refcount is bogus when cgroup_sk_alloc is disabled

2020-07-27 Thread Thadeu Lima de Souza Cascardo
** Changed in: linux (Ubuntu Groovy)
   Status: Incomplete => In Progress

** Changed in: linux (Ubuntu Focal)
   Status: Incomplete => In Progress

** Changed in: linux (Ubuntu Groovy)
 Assignee: (unassigned) => Thadeu Lima de Souza Cascardo (cascardo)

** Changed in: linux (Ubuntu Focal)
 Assignee: (unassigned) => Thadeu Lima de Souza Cascardo (cascardo)

** Changed in: linux (Ubuntu Eoan)
 Assignee: (unassigned) => Thadeu Lima de Souza Cascardo (cascardo)

** Changed in: linux (Ubuntu Eoan)
   Status: Incomplete => In Progress

** Changed in: linux (Ubuntu Bionic)
   Status: Confirmed => In Progress


Title:
  cgroup refcount is bogus when cgroup_sk_alloc is disabled

Status in linux package in Ubuntu:
  Invalid
Status in linux source package in Bionic:
  In Progress
Status in linux source package in Eoan:
  In Progress
Status in linux source package in Focal:
  In Progress
Status in linux source package in Groovy:
  Invalid



[Kernel-packages] [Bug 1886860] Re: cgroup refcount is bogus when cgroup_sk_alloc is disabled

2020-07-22 Thread Thadeu Lima de Souza Cascardo
Reproducer is here.

https://launchpad.net/~cascardo/+archive/ubuntu/ppa/+sourcepub/11445138/+listing-archive-extra


Title:
  cgroup refcount is bogus when cgroup_sk_alloc is disabled

Status in linux package in Ubuntu:
  Incomplete
Status in linux source package in Bionic:
  Confirmed
Status in linux source package in Eoan:
  Incomplete
Status in linux source package in Focal:
  Incomplete
Status in linux source package in Groovy:
  Incomplete

Bug description:
  When net_prio and net_cls cgroups are used, cgroup refcount is bogus,
  as it's not incremented anymore, but decremented when sockets are
  closed.

  This might lead to crashes possibly because of use-after-free when
  packets are received as shown in LP #1886668.

  Cascardo.
