[Kernel-packages] [Bug 1890796] Re: ipsec: policy priority management is broken
This bug was fixed in the package linux-hwe - 4.15.0-115.116~16.04.1

---
linux-hwe (4.15.0-115.116~16.04.1) xenial; urgency=medium

  * xenial/linux-hwe: 4.15.0-115.116~16.04.1 -proposed tracker (LP: #1893057)

  [ Ubuntu: 4.15.0-115.116 ]

  * bionic/linux: 4.15.0-115.116 -proposed tracker (LP: #1893055)
  * [Potential Regression] dscr_inherit_exec_test from powerpc in ubuntu_kernel_selftests failed on B/E/F (LP: #1888332)
    - powerpc/64s: Don't init FSCR_DSCR in __init_FSCR()

linux-hwe (4.15.0-114.115~16.04.1) xenial; urgency=medium

  * xenial/linux-hwe: 4.15.0-114.115~16.04.1 -proposed tracker (LP: #1890704)
  * Packaging resync (LP: #1786013)
    - [Packaging] update helper scripts
    - [Packaging] update update.conf

  [ Ubuntu: 4.15.0-114.115 ]

  * bionic/linux: 4.15.0-114.115 -proposed tracker (LP: #1891052)
  * ipsec: policy priority management is broken (LP: #1890796)
    - xfrm: policy: match with both mark and mask on user interfaces

  [ Ubuntu: 4.15.0-113.114 ]

  * bionic/linux: 4.15.0-113.114 -proposed tracker (LP: #1890705)
  * Packaging resync (LP: #1786013)
    - update dkms package versions
  * Reapply "usb: handle warm-reset port requests on hub resume" (LP: #1859873)
    - usb: handle warm-reset port requests on hub resume
  * Bionic update: upstream stable patchset 2020-07-29 (LP: #1889474)
    - gpio: arizona: handle pm_runtime_get_sync failure case
    - gpio: arizona: put pm_runtime in case of failure
    - pinctrl: amd: fix npins for uart0 in kerncz_groups
    - mac80211: allow rx of mesh eapol frames with default rx key
    - scsi: scsi_transport_spi: Fix function pointer check
    - xtensa: fix __sync_fetch_and_{and,or}_4 declarations
    - xtensa: update *pos in cpuinfo_op.next
    - drivers/net/wan/lapbether: Fixed the value of hard_header_len
    - net: sky2: initialize return of gm_phy_read
    - drm/nouveau/i2c/g94-: increase NV_PMGR_DP_AUXCTL_TRANSACTREQ timeout
    - irqdomain/treewide: Keep firmware node unconditionally allocated
    - SUNRPC reverting d03727b248d0 ("NFSv4 fix CLOSE not waiting for direct IO compeletion")
    - spi: spi-fsl-dspi: Exit the ISR with IRQ_NONE when it's not ours
    - IB/umem: fix reference count leak in ib_umem_odp_get()
    - uprobes: Change handle_swbp() to send SIGTRAP with si_code=SI_KERNEL, to fix GDB regression
    - ALSA: info: Drop WARN_ON() from buffer NULL sanity check
    - ASoC: rt5670: Correct RT5670_LDO_SEL_MASK
    - btrfs: fix double free on ulist after backref resolution failure
    - btrfs: fix mount failure caused by race with umount
    - btrfs: fix page leaks after failure to lock page for delalloc
    - bnxt_en: Fix race when modifying pause settings.
    - hippi: Fix a size used in a 'pci_free_consistent()' in an error handling path
    - ax88172a: fix ax88172a_unbind() failures
    - net: dp83640: fix SIOCSHWTSTAMP to update the struct with actual configuration
    - drm: sun4i: hdmi: Fix inverted HPD result
    - net: smc91x: Fix possible memory leak in smc_drv_probe()
    - bonding: check error value of register_netdevice() immediately
    - mlxsw: destroy workqueue when trap_register in mlxsw_emad_init
    - ipvs: fix the connection sync failed in some cases
    - i2c: rcar: always clear ICSAR to avoid side effects
    - bonding: check return value of register_netdevice() in bond_newlink()
    - serial: exar: Fix GPIO configuration for Sealevel cards based on XR17V35X
    - scripts/decode_stacktrace: strip basepath from all paths
    - HID: i2c-hid: add Mediacom FlexBook edge13 to descriptor override
    - HID: apple: Disable Fn-key key-re-mapping on clone keyboards
    - dmaengine: tegra210-adma: Fix runtime PM imbalance on error
    - Input: add `SW_MACHINE_COVER`
    - spi: mediatek: use correct SPI_CFG2_REG MACRO
    - regmap: dev_get_regmap_match(): fix string comparison
    - hwmon: (aspeed-pwm-tacho) Avoid possible buffer overflow
    - dmaengine: ioat setting ioat timeout as module parameter
    - Input: synaptics - enable InterTouch for ThinkPad X1E 1st gen
    - usb: gadget: udc: gr_udc: fix memleak on error handling path in gr_ep_init()
    - arm64: Use test_tsk_thread_flag() for checking TIF_SINGLESTEP
    - x86: math-emu: Fix up 'cmp' insn for clang ias
    - binder: Don't use mmput() from shrinker function.
    - usb: xhci-mtk: fix the failure of bandwidth allocation
    - usb: xhci: Fix ASM2142/ASM3142 DMA addressing
    - Revert "cifs: Fix the target file was deleted when rename failed."
    - staging: wlan-ng: properly check endpoint types
    - staging: comedi: addi_apci_1032: check INSN_CONFIG_DIGITAL_TRIG shift
    - staging: comedi: ni_6527: fix INSN_CONFIG_DIGITAL_TRIG support
    - staging: comedi: addi_apci_1500: check INSN_CONFIG_DIGITAL_TRIG shift
    - staging: comedi: addi_apci_1564: check INSN_CONFIG_DIGITAL_TRIG shift
    - serial: 8250: fix null-ptr-deref in serial8250_start_tx()
    - serial: 8250_mtk: Fix high-speed baud rates
[Kernel-packages] [Bug 1890796] Re: ipsec: policy priority management is broken
This bug was fixed in the package linux - 4.15.0-115.116

---
linux (4.15.0-115.116) bionic; urgency=medium

  * bionic/linux: 4.15.0-115.116 -proposed tracker (LP: #1893055)
  * [Potential Regression] dscr_inherit_exec_test from powerpc in ubuntu_kernel_selftests failed on B/E/F (LP: #1888332)
    - powerpc/64s: Don't init FSCR_DSCR in __init_FSCR()

linux (4.15.0-114.115) bionic; urgency=medium

  * bionic/linux: 4.15.0-114.115 -proposed tracker (LP: #1891052)
  * ipsec: policy priority management is broken (LP: #1890796)
    - xfrm: policy: match with both mark and mask on user interfaces

linux (4.15.0-113.114) bionic; urgency=medium

  * bionic/linux: 4.15.0-113.114 -proposed tracker (LP: #1890705)
  * Packaging resync (LP: #1786013)
    - update dkms package versions
  * Reapply "usb: handle warm-reset port requests on hub resume" (LP: #1859873)
    - usb: handle warm-reset port requests on hub resume
  * Bionic update: upstream stable patchset 2020-07-29 (LP: #1889474)
    - gpio: arizona: handle pm_runtime_get_sync failure case
    - gpio: arizona: put pm_runtime in case of failure
    - pinctrl: amd: fix npins for uart0 in kerncz_groups
    - mac80211: allow rx of mesh eapol frames with default rx key
    - scsi: scsi_transport_spi: Fix function pointer check
    - xtensa: fix __sync_fetch_and_{and,or}_4 declarations
    - xtensa: update *pos in cpuinfo_op.next
    - drivers/net/wan/lapbether: Fixed the value of hard_header_len
    - net: sky2: initialize return of gm_phy_read
    - drm/nouveau/i2c/g94-: increase NV_PMGR_DP_AUXCTL_TRANSACTREQ timeout
    - irqdomain/treewide: Keep firmware node unconditionally allocated
    - SUNRPC reverting d03727b248d0 ("NFSv4 fix CLOSE not waiting for direct IO compeletion")
    - spi: spi-fsl-dspi: Exit the ISR with IRQ_NONE when it's not ours
    - IB/umem: fix reference count leak in ib_umem_odp_get()
    - uprobes: Change handle_swbp() to send SIGTRAP with si_code=SI_KERNEL, to fix GDB regression
    - ALSA: info: Drop WARN_ON() from buffer NULL sanity check
    - ASoC: rt5670: Correct RT5670_LDO_SEL_MASK
    - btrfs: fix double free on ulist after backref resolution failure
    - btrfs: fix mount failure caused by race with umount
    - btrfs: fix page leaks after failure to lock page for delalloc
    - bnxt_en: Fix race when modifying pause settings.
    - hippi: Fix a size used in a 'pci_free_consistent()' in an error handling path
    - ax88172a: fix ax88172a_unbind() failures
    - net: dp83640: fix SIOCSHWTSTAMP to update the struct with actual configuration
    - drm: sun4i: hdmi: Fix inverted HPD result
    - net: smc91x: Fix possible memory leak in smc_drv_probe()
    - bonding: check error value of register_netdevice() immediately
    - mlxsw: destroy workqueue when trap_register in mlxsw_emad_init
    - ipvs: fix the connection sync failed in some cases
    - i2c: rcar: always clear ICSAR to avoid side effects
    - bonding: check return value of register_netdevice() in bond_newlink()
    - serial: exar: Fix GPIO configuration for Sealevel cards based on XR17V35X
    - scripts/decode_stacktrace: strip basepath from all paths
    - HID: i2c-hid: add Mediacom FlexBook edge13 to descriptor override
    - HID: apple: Disable Fn-key key-re-mapping on clone keyboards
    - dmaengine: tegra210-adma: Fix runtime PM imbalance on error
    - Input: add `SW_MACHINE_COVER`
    - spi: mediatek: use correct SPI_CFG2_REG MACRO
    - regmap: dev_get_regmap_match(): fix string comparison
    - hwmon: (aspeed-pwm-tacho) Avoid possible buffer overflow
    - dmaengine: ioat setting ioat timeout as module parameter
    - Input: synaptics - enable InterTouch for ThinkPad X1E 1st gen
    - usb: gadget: udc: gr_udc: fix memleak on error handling path in gr_ep_init()
    - arm64: Use test_tsk_thread_flag() for checking TIF_SINGLESTEP
    - x86: math-emu: Fix up 'cmp' insn for clang ias
    - binder: Don't use mmput() from shrinker function.
    - usb: xhci-mtk: fix the failure of bandwidth allocation
    - usb: xhci: Fix ASM2142/ASM3142 DMA addressing
    - Revert "cifs: Fix the target file was deleted when rename failed."
    - staging: wlan-ng: properly check endpoint types
    - staging: comedi: addi_apci_1032: check INSN_CONFIG_DIGITAL_TRIG shift
    - staging: comedi: ni_6527: fix INSN_CONFIG_DIGITAL_TRIG support
    - staging: comedi: addi_apci_1500: check INSN_CONFIG_DIGITAL_TRIG shift
    - staging: comedi: addi_apci_1564: check INSN_CONFIG_DIGITAL_TRIG shift
    - serial: 8250: fix null-ptr-deref in serial8250_start_tx()
    - serial: 8250_mtk: Fix high-speed baud rates clamping
    - fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.
    - vt: Reject zero-sized screen buffer size.
    - Makefile: Fix GCC_TOOLCHAIN_DIR prefix for Clang cross compilation
    - mm/memcg: fix refcount error while moving and swapping
    - io-mapping: indicate mapping failure
    - parisc: Add atomic64_set_release()
[Kernel-packages] [Bug 1890796] Re: ipsec: policy priority management is broken
This bug was fixed in the package linux - 5.4.0-45.49

---
linux (5.4.0-45.49) focal; urgency=medium

  * focal/linux: 5.4.0-45.49 -proposed tracker (LP: #1893050)
  * [Potential Regression] dscr_inherit_exec_test from powerpc in ubuntu_kernel_selftests failed on B/E/F (LP: #1888332)
    - powerpc/64s: Don't init FSCR_DSCR in __init_FSCR()

linux (5.4.0-44.48) focal; urgency=medium

  * focal/linux: 5.4.0-44.48 -proposed tracker (LP: #1891049)
  * Packaging resync (LP: #1786013)
    - [Packaging] update helper scripts
  * ipsec: policy priority management is broken (LP: #1890796)
    - xfrm: policy: match with both mark and mask on user interfaces

linux (5.4.0-43.47) focal; urgency=medium

  * focal/linux: 5.4.0-43.47 -proposed tracker (LP: #1890746)
  * Packaging resync (LP: #1786013)
    - update dkms package versions
  * Devlink - add RoCE disable kernel support (LP: #1877270)
    - devlink: Add new "enable_roce" generic device param
    - net/mlx5: Document flow_steering_mode devlink param
    - net/mlx5: Handle "enable_roce" devlink param
    - IB/mlx5: Rename profile and init methods
    - IB/mlx5: Load profile according to RoCE enablement state
    - net/mlx5: Remove unneeded variable in mlx5_unload_one
    - net/mlx5: Add devlink reload
    - IB/mlx5: Do reverse sequence during device removal
  * msg_zerocopy.sh in net from ubuntu_kernel_selftests failed (LP: #1812620)
    - selftests/net: relax cpu affinity requirement in msg_zerocopy test
  * Enlarge hisi_sec2 capability (LP: #1890222)
    - Revert "UBUNTU: [Config] Disable hisi_sec2 temporarily"
    - crypto: hisilicon - update SEC driver module parameter
  * Fix missing HDMI/DP Audio on an HP Desktop (LP: #1890441)
    - ALSA: hda/hdmi: Add quirk to force connectivity
  * Fix IOMMU error on AMD Radeon Pro W5700 (LP: #1890306)
    - PCI: Mark AMD Navi10 GPU rev 0x00 ATS as broken
  * ASoC:amd:renoir: the dmic can't record sound after suspend and resume (LP: #1890220)
    - SAUCE: ASoC: amd: renoir: restore two more registers during resume
  * No sound, Dummy output on Acer Swift 3 SF314-57G with Ice Lake core-i7 CPU (LP: #1877757)
    - ASoC: SOF: Intel: hda: fix generic hda codec support
  * Fix right speaker of HP laptop (LP: #1889375)
    - SAUCE: hda/realtek: Fix right speaker of HP laptop
  * blk_update_request error when mount nvme partition (LP: #1872383)
    - SAUCE: nvme-pci: prevent SK hynix PC400 from using Write Zeroes command
  * soc/amd/renoir: detect dmic from acpi table (LP: #1887734)
    - ASoC: amd: add logic to check dmic hardware runtime
    - ASoC: amd: add ACPI dependency check
    - ASoC: amd: fixed kernel warnings
  * soc/amd/renoir: change the module name to make it work with ucm3 (LP: #1888166)
    - AsoC: amd: add missing snd- module prefix to the acp3x-rn driver kernel module
    - SAUCE: remove a kernel module since its name is changed
  * Focal update: v5.4.55 upstream stable release (LP: #1890343)
    - AX.25: Fix out-of-bounds read in ax25_connect()
    - AX.25: Prevent out-of-bounds read in ax25_sendmsg()
    - dev: Defer free of skbs in flush_backlog
    - drivers/net/wan/x25_asy: Fix to make it work
    - ip6_gre: fix null-ptr-deref in ip6gre_init_net()
    - net-sysfs: add a newline when printing 'tx_timeout' by sysfs
    - net: udp: Fix wrong clean up for IS_UDPLITE macro
    - qrtr: orphan socket in qrtr_release()
    - rtnetlink: Fix memory(net_device) leak when ->newlink fails
    - rxrpc: Fix sendmsg() returning EPIPE due to recvmsg() returning ENODATA
    - tcp: allow at most one TLP probe per flight
    - AX.25: Prevent integer overflows in connect and sendmsg
    - sctp: shrink stream outq only when new outcnt < old outcnt
    - sctp: shrink stream outq when fails to do addstream reconf
    - udp: Copy has_conns in reuseport_grow().
    - udp: Improve load balancing for SO_REUSEPORT.
    - regmap: debugfs: check count when read regmap file
    - PM: wakeup: Show statistics for deleted wakeup sources again
    - Revert "dpaa_eth: fix usage as DSA master, try 3"
    - Linux 5.4.55
  * Add support for Atlantic NIC firmware v4 (LP: #1886908)
    - net: atlantic: simplify hw_get_fw_version() usage
    - net: atlantic: align return value of ver_match function with function name
    - net: atlantic: add support for FW 4.x
  * perf vendor events s390: Add new deflate counters for IBM z15 (LP: #1888551)
    - perf vendor events s390: Add new deflate counters for IBM z15
  * Focal update: v5.4.54 upstream stable release (LP: #1889669)
    - soc: qcom: rpmh: Dirt can only make you dirtier, not cleaner
    - gpio: arizona: handle pm_runtime_get_sync failure case
    - gpio: arizona: put pm_runtime in case of failure
    - pinctrl: amd: fix npins for uart0 in kerncz_groups
    - mac80211: allow rx of mesh eapol frames with default rx key
    - scsi: scsi_transport_spi: Fix function pointer check
    - xtensa: fix __sync_fetch_and_{and,or}_4 declarations
[Kernel-packages] [Bug 1890796] Re: ipsec: policy priority management is broken
This bug was fixed in the package linux-hwe - 5.3.0-66.60

---
linux-hwe (5.3.0-66.60) bionic; urgency=medium

  * bionic/linux-hwe: 5.3.0-66.60 -proposed tracker (LP: #1891053)
  * ipsec: policy priority management is broken (LP: #1890796)
    - xfrm: policy: match with both mark and mask on user interfaces
  * cgroup refcount is bogus when cgroup_sk_alloc is disabled (LP: #1886860)
    - cgroup: fix cgroup_sk_alloc() for sk_clone_lock()
    - cgroup: Fix sock_cgroup_data on big-endian.

 -- Stefan Bader Tue, 11 Aug 2020 09:22:54 +0200

** Changed in: linux-hwe (Ubuntu Bionic)
   Status: Fix Committed => Fix Released

** Changed in: linux (Ubuntu Focal)
   Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-oem-5.6 in Ubuntu.
https://bugs.launchpad.net/bugs/1890796

Title:
  ipsec: policy priority management is broken

Status in linux package in Ubuntu: Fix Released
Status in linux-hwe package in Ubuntu: Invalid
Status in linux-oem-5.6 package in Ubuntu: Invalid
Status in linux source package in Xenial: Fix Released
Status in linux-hwe source package in Xenial: Invalid
Status in linux-oem-5.6 source package in Xenial: Invalid
Status in linux source package in Bionic: Fix Committed
Status in linux-hwe source package in Bionic: Fix Released
Status in linux-oem-5.6 source package in Bionic: Invalid
Status in linux source package in Focal: Fix Released
Status in linux-hwe source package in Focal: Invalid
Status in linux-oem-5.6 source package in Focal: Fix Released

Bug description:
  [Impact]

  When the user tries to update the priority field of a SP, the SP is not updated *AND* a new SP is created. This results in a broken IPsec configuration.

  This problem has been fixed in the upstream commit 4f47e8ab6ab7 ("xfrm: policy: match with both mark and mask on user interfaces"):
  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4f47e8ab6ab7

  [Test Case]

  root@dut-vm:~# uname -a
  Linux dut-vm 5.4.0-42-generic #46~18.04.1-Ubuntu SMP Fri Jul 10 07:21:24 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
  root@dut-vm:~# ip xfrm policy flush
  root@dut-vm:~# ip xfrm policy
  root@dut-vm:~# ip xfrm policy add src 1.1.1.1/24 dst 2.2.2.2/24 proto tcp dir in action allow priority 9 tmpl src 3.3.3.3 dst 4.4.4.4 proto esp mode tunnel reqid 1
  root@dut-vm:~# ip xfrm policy
  src 1.1.1.1/24 dst 2.2.2.2/24 proto tcp
          dir in priority 9
          tmpl src 3.3.3.3 dst 4.4.4.4
                  proto esp reqid 1 mode tunnel
  root@dut-vm:~# ip xfrm policy update src 1.1.1.1/24 dst 2.2.2.2/24 proto tcp dir in priority 5 tmpl src 3.3.3.3 dst 4.4.4.4 proto esp mode tunnel reqid 1
  root@dut-vm:~# ip xfrm policy
  src 1.1.1.1/24 dst 2.2.2.2/24 proto tcp
          dir in priority 5
          tmpl src 3.3.3.3 dst 4.4.4.4
                  proto esp reqid 1 mode tunnel
  src 1.1.1.1/24 dst 2.2.2.2/24 proto tcp
          dir in priority 9
          tmpl src 3.3.3.3 dst 4.4.4.4
                  proto esp reqid 1 mode tunnel
  root@dut-vm:~#

  => Now, there are 2 SPs instead of 1.

  [Regression Potential]

  The patch affects the xfrm stack only. Thus, the potential regressions are limited to this area.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1890796/+subscriptions

--
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
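The symptom in the test case above can be checked mechanically. The script below is an added example, not part of the bug report or of the kernel fix: it groups `ip xfrm policy` output by selector, direction and mark and reports every group that holds more than one SP. The function name, the sample listing (constructed from the test case) and the `mark VALUE/MASK` token layout are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug report): detect the symptom shown in the
# test case, i.e. two security policies (SPs) for one selector and direction.

# Reads `ip xfrm policy` output on stdin. Prints one line per
# selector/direction/mark that occurs more than once and returns 1 if any
# was found, 0 otherwise.
find_duplicate_sps() {
    awk '
    # Record the policy collected so far, then reset the per-policy fields.
    function emit(    key) {
        if (sel != "" && dir != "") {
            key = sel " dir " dir
            if (mark != "") key = key " mark " mark
            if (!(key in count)) order[++n] = key
            count[key]++
            if (prio == "") prio = "?"
            if (count[key] == 1) prios[key] = prio
            else prios[key] = prios[key] " " prio
        }
        sel = ""; dir = ""; prio = ""; mark = ""
    }
    {
        # Work on tokens, not lines, so wrapped and flattened output both parse.
        for (i = 1; i <= NF; i++) {
            tok = $i
            if (tok == "src" && prev != "tmpl") {
                # A selector opens a new policy ("tmpl src" does not).
                emit(); sel = tok; state = "sel"
            } else if (state == "sel") {
                if (tok == "dir") {
                    state = "dir"
                } else {
                    sel = sel " " tok
                }
            } else if (state == "dir") {
                dir = tok; state = "body"
            } else if (state == "body" && prev == "priority" && prio == "") {
                prio = tok
            } else if (state == "body" && prev == "mark" && mark == "") {
                # Assumed layout: "mark VALUE/MASK" printed with the policy.
                mark = tok
            }
            prev = tok
        }
    }
    END {
        emit()
        for (k = 1; k <= n; k++) {
            key = order[k]
            if (count[key] > 1) {
                printf "DUPLICATE %s priorities %s\n", key, prios[key]
                dups++
            }
        }
        exit (dups > 0)
    }'
}

# Constructed sample: the listing from the test case after the failed update.
SAMPLE_AFTER_UPDATE='src 1.1.1.1/24 dst 2.2.2.2/24 proto tcp
    dir in priority 5
    tmpl src 3.3.3.3 dst 4.4.4.4
        proto esp reqid 1 mode tunnel
src 1.1.1.1/24 dst 2.2.2.2/24 proto tcp
    dir in priority 9
    tmpl src 3.3.3.3 dst 4.4.4.4
        proto esp reqid 1 mode tunnel'

# On a live host (as root): ip xfrm policy | find_duplicate_sps
printf '%s\n' "$SAMPLE_AFTER_UPDATE" | find_duplicate_sps \
    || echo "the update left a stale SP behind"
```

Policies without a `dir` token (per-socket policies) are skipped by this check.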
[Kernel-packages] [Bug 1890796] Re: ipsec: policy priority management is broken
This bug was fixed in the package linux-oem-5.6 - 5.6.0-1023.23

---
linux-oem-5.6 (5.6.0-1023.23) focal; urgency=medium

  * focal/linux-oem-5.6: 5.6.0-1023.23 -proposed tracker (LP: #1892465)
  * CVE-2020-15852
    - x86/ioperm: Fix io bitmap invalidation on Xen PV
  * Fix non-working USB devices plugged during system sleep (LP: #1892678)
    - xhci: Do warm-reset when both CAS and XDEV_RESUME are set
  * ASPM not enabled on child devices behind VMD controller (LP: #1889384)
    - SAUCE: PCI/ASPM: Enable ASPM for links under VMD domain
  * Fix non-working Goodix touchpad after system sleep (LP: #1891998)
    - HID: i2c-hid: Always sleep 60ms after I2C_HID_PWR_ON commands
  * [SRU] Fix acpi backlight issue on some thinkpads (LP: #1892010)
    - platform/x86: thinkpad_acpi: not loading brightness_init when _BCL invalid
  * Packaging resync (LP: #1786013)
    - [Packaging] update helper scripts

 -- Timo Aaltonen Tue, 25 Aug 2020 08:46:08 +0300

** Changed in: linux-oem-5.6 (Ubuntu Focal)
   Status: Confirmed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-15852

** Changed in: linux (Ubuntu Xenial)
   Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-oem-5.6 in Ubuntu.
https://bugs.launchpad.net/bugs/1890796

Title:
  ipsec: policy priority management is broken

Status in linux package in Ubuntu: Fix Released
Status in linux-hwe package in Ubuntu: Invalid
Status in linux-oem-5.6 package in Ubuntu: Invalid
Status in linux source package in Xenial: Fix Released
Status in linux-hwe source package in Xenial: Invalid
Status in linux-oem-5.6 source package in Xenial: Invalid
Status in linux source package in Bionic: Fix Committed
Status in linux-hwe source package in Bionic: Fix Committed
Status in linux-oem-5.6 source package in Bionic: Invalid
Status in linux source package in Focal: Fix Committed
Status in linux-hwe source package in Focal: Invalid
Status in linux-oem-5.6 source package in Focal: Fix Released
[Kernel-packages] [Bug 1890796] Re: ipsec: policy priority management is broken
This bug was fixed in the package linux - 4.4.0-189.219

---
linux (4.4.0-189.219) xenial; urgency=medium

  * xenial/linux: 4.4.0-189.219 -proposed tracker (LP: #1891057)
  * Build and ship a signed wireguard.ko (LP: #1861284)
    - [Packaging] autoreconstruct -- manage executable debian files
    - [Packaging] dkms -- dkms package build packaging support
    - [Packaging] wireguard -- add support for building signed .ko
    - [Packaging] ignore wireguard modules when wireguard is disabled
    - [Config] update dkms package versions
    - [Config] wireguard -- enable for all architectures
  * ipsec: policy priority management is broken (LP: #1890796)
    - xfrm: policy: match with both mark and mask on user interfaces

linux (4.4.0-188.218) xenial; urgency=medium

  * xenial/linux: 4.4.0-188.218 -proposed tracker (LP: #1890670)
  * Xenial update: v4.4.232 upstream stable release (LP: #1889928)
    - pinctrl: amd: fix npins for uart0 in kerncz_groups
    - mac80211: allow rx of mesh eapol frames with default rx key
    - scsi: scsi_transport_spi: Fix function pointer check
    - xtensa: fix __sync_fetch_and_{and,or}_4 declarations
    - xtensa: update *pos in cpuinfo_op.next
    - drivers/net/wan/lapbether: Fixed the value of hard_header_len
    - net: sky2: initialize return of gm_phy_read
    - drm/nouveau/i2c/g94-: increase NV_PMGR_DP_AUXCTL_TRANSACTREQ timeout
    - SUNRPC reverting d03727b248d0 ("NFSv4 fix CLOSE not waiting for direct IO compeletion")
    - perf/core: Fix locking for children siblings group read
    - uprobes: Change handle_swbp() to send SIGTRAP with si_code=SI_KERNEL, to fix GDB regression
    - ALSA: info: Drop WARN_ON() from buffer NULL sanity check
    - ASoC: rt5670: Correct RT5670_LDO_SEL_MASK
    - btrfs: fix double free on ulist after backref resolution failure
    - x86/fpu: Disable bottom halves while loading FPU registers
    - btrfs: fix mount failure caused by race with umount
    - hippi: Fix a size used in a 'pci_free_consistent()' in an error handling path
    - ax88172a: fix ax88172a_unbind() failures
    - net: dp83640: fix SIOCSHWTSTAMP to update the struct with actual configuration
    - net: smc91x: Fix possible memory leak in smc_drv_probe()
    - scripts/decode_stacktrace: strip basepath from all paths
    - regmap: dev_get_regmap_match(): fix string comparison
    - usb: gadget: udc: gr_udc: fix memleak on error handling path in gr_ep_init()
    - arm64: Use test_tsk_thread_flag() for checking TIF_SINGLESTEP
    - x86: math-emu: Fix up 'cmp' insn for clang ias
    - Revert "cifs: Fix the target file was deleted when rename failed."
    - staging: wlan-ng: properly check endpoint types
    - staging: comedi: addi_apci_1032: check INSN_CONFIG_DIGITAL_TRIG shift
    - staging: comedi: ni_6527: fix INSN_CONFIG_DIGITAL_TRIG support
    - staging: comedi: addi_apci_1500: check INSN_CONFIG_DIGITAL_TRIG shift
    - staging: comedi: addi_apci_1564: check INSN_CONFIG_DIGITAL_TRIG shift
    - serial: 8250: fix null-ptr-deref in serial8250_start_tx()
    - serial: 8250_mtk: Fix high-speed baud rates clamping
    - mm/memcg: fix refcount error while moving and swapping
    - parisc: Add atomic64_set_release() define to avoid CPU soft lockups
    - ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb
    - ath9k: Fix regression with Atheros 9271
    - AX.25: Fix out-of-bounds read in ax25_connect()
    - AX.25: Prevent out-of-bounds read in ax25_sendmsg()
    - net-sysfs: add a newline when printing 'tx_timeout' by sysfs
    - net: udp: Fix wrong clean up for IS_UDPLITE macro
    - AX.25: Prevent integer overflows in connect and sendmsg
    - tcp: allow at most one TLP probe per flight
    - rxrpc: Fix sendmsg() returning EPIPE due to recvmsg() returning ENODATA
    - ip6_gre: fix null-ptr-deref in ip6gre_init_net()
    - drivers/net/wan/x25_asy: Fix to make it work
    - Makefile: Fix GCC_TOOLCHAIN_DIR prefix for Clang cross compilation
    - regmap: debugfs: check count when read regmap file
    - xfs: set format back to extents if xfs_bmap_extents_to_btree
    - tools/lib/subcmd/pager.c: do not alias select() params
    - perf: Make perf able to build with latest libbfd
    - perf tools: Fix snprint warnings for gcc 8
    - perf annotate: Use asprintf when formatting objdump command line
    - perf probe: Fix to check blacklist address correctly
    - Linux 4.4.232
  * Xenial update: v4.4.231 upstream stable release (LP: #1888690)
    - KVM: s390: reduce number of IO pins to 1
    - spi: spidev: fix a race between spidev_release and spidev_remove
    - spi: spidev: fix a potential use-after-free in spidev_release()
    - scsi: mptscsih: Fix read sense data size
    - net: cxgb4: fix return error value in t4_prep_fw
    - smsc95xx: check return value of smsc95xx_reset
    - smsc95xx: avoid memory leak in smsc95xx_bind
    - ALSA: compress: fix partial_drain completion state
    - arm64: kgdb: Fix single-step exception
[Kernel-packages] [Bug 1890796] Re: ipsec: policy priority management is broken
I don't understand which kernel should be tested on xenial. The kernel 4.15.0-112-generic does not have the bug.

** Tags removed: verification-needed-bionic verification-needed-focal
** Tags added: verification-done-bionic verification-done-focal

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-oem-5.6 in Ubuntu.
https://bugs.launchpad.net/bugs/1890796

Title:
  ipsec: policy priority management is broken

Status in linux package in Ubuntu: Fix Released
Status in linux-hwe package in Ubuntu: Invalid
Status in linux-oem-5.6 package in Ubuntu: Invalid
Status in linux source package in Xenial: Fix Committed
Status in linux-hwe source package in Xenial: Invalid
Status in linux-oem-5.6 source package in Xenial: Invalid
Status in linux source package in Bionic: Fix Committed
Status in linux-hwe source package in Bionic: Fix Committed
Status in linux-oem-5.6 source package in Bionic: Invalid
Status in linux source package in Focal: Fix Committed
Status in linux-hwe source package in Focal: Invalid
Status in linux-oem-5.6 source package in Focal: Confirmed
[Kernel-packages] [Bug 1890796] Re: ipsec: policy priority management is broken
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'. If the problem still exists, change the tag 'verification-needed-xenial' to 'verification-failed-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

** Tags added: verification-needed-xenial

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-oem-5.6 in Ubuntu.
https://bugs.launchpad.net/bugs/1890796

Title:
  ipsec: policy priority management is broken

Status in linux package in Ubuntu: Fix Released
Status in linux-hwe package in Ubuntu: Invalid
Status in linux-oem-5.6 package in Ubuntu: Invalid
Status in linux source package in Xenial: Fix Committed
Status in linux-hwe source package in Xenial: Invalid
Status in linux-oem-5.6 source package in Xenial: Invalid
Status in linux source package in Bionic: Fix Committed
Status in linux-hwe source package in Bionic: Fix Committed
Status in linux-oem-5.6 source package in Bionic: Invalid
Status in linux source package in Focal: Fix Committed
Status in linux-hwe source package in Focal: Invalid
Status in linux-oem-5.6 source package in Focal: Confirmed
[Kernel-packages] [Bug 1890796] Re: ipsec: policy priority management is broken
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

** Tags added: verification-needed-focal

** Tags added: verification-needed-bionic
[Kernel-packages] [Bug 1890796] Re: ipsec: policy priority management is broken
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!
[Kernel-packages] [Bug 1890796] Re: ipsec: policy priority management is broken
if not already checked: hwe-5.4 needs the change.
[Kernel-packages] [Bug 1890796] Re: ipsec: policy priority management is broken
** Changed in: linux (Ubuntu Bionic)
       Status: Triaged => Fix Committed

** Changed in: linux (Ubuntu Xenial)
       Status: Triaged => Fix Committed

** Changed in: linux-oem-5.6 (Ubuntu Focal)
   Importance: Undecided => High

** Changed in: linux-oem-5.6 (Ubuntu Focal)
       Status: New => Confirmed

** Changed in: linux-oem-5.6 (Ubuntu)
       Status: Confirmed => Invalid
[Kernel-packages] [Bug 1890796] Re: ipsec: policy priority management is broken
** Also affects: linux-oem-5.6 (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: linux-oem-5.6 (Ubuntu Xenial)
       Status: New => Invalid

** Changed in: linux-oem-5.6 (Ubuntu Bionic)
       Status: New => Invalid

** Changed in: linux-oem-5.6 (Ubuntu)
       Status: New => Confirmed

Status in linux package in Ubuntu: Fix Released
Status in linux-hwe package in Ubuntu: Invalid
Status in linux-oem-5.6 package in Ubuntu: Confirmed
Status in linux source package in Xenial: Triaged
Status in linux-hwe source package in Xenial: Invalid
Status in linux-oem-5.6 source package in Xenial: Invalid
Status in linux source package in Bionic: Triaged
Status in linux-hwe source package in Bionic: Fix Committed
Status in linux-oem-5.6 source package in Bionic: Invalid
Status in linux source package in Focal: Fix Committed
Status in linux-hwe source package in Focal: Invalid
Status in linux-oem-5.6 source package in Focal: New
[Kernel-packages] [Bug 1890796] Re: ipsec: policy priority management is broken
** Changed in: linux (Ubuntu Focal)
       Status: Triaged => Fix Committed

** Changed in: linux-hwe (Ubuntu Bionic)
       Status: Triaged => Fix Committed

Status in linux package in Ubuntu: Fix Released
Status in linux-hwe package in Ubuntu: Invalid
Status in linux source package in Xenial: Triaged
Status in linux-hwe source package in Xenial: Invalid
Status in linux source package in Bionic: Triaged
Status in linux-hwe source package in Bionic: Fix Committed
Status in linux source package in Focal: Fix Committed
Status in linux-hwe source package in Focal: Invalid
[Kernel-packages] [Bug 1890796] Re: ipsec: policy priority management is broken
The same offending patch was already released with Xenial and is applied to the current SRU cycle for Bionic. Those would also need to be fixed.

** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: linux-hwe (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Changed in: linux (Ubuntu Bionic)
       Status: Invalid => Triaged

** Changed in: linux (Ubuntu Bionic)
   Importance: Undecided => High

** Changed in: linux (Ubuntu Xenial)
       Status: New => Triaged

** Changed in: linux (Ubuntu Xenial)
   Importance: Undecided => High

** Changed in: linux-hwe (Ubuntu Xenial)
       Status: New => Invalid

Status in linux package in Ubuntu: Fix Released
Status in linux-hwe package in Ubuntu: Invalid
Status in linux source package in Xenial: Triaged
Status in linux-hwe source package in Xenial: Invalid
Status in linux source package in Bionic: Triaged
Status in linux-hwe source package in Bionic: Triaged
Status in linux source package in Focal: Triaged
Status in linux-hwe source package in Focal: Invalid
[Kernel-packages] [Bug 1890796] Re: ipsec: policy priority management is broken
** Changed in: linux (Ubuntu)
       Status: Incomplete => Fix Released

** Changed in: linux (Ubuntu Eoan)
       Status: New => Triaged

** Changed in: linux (Ubuntu Focal)
       Status: New => Triaged

** Also affects: linux-hwe (Ubuntu)
   Importance: Undecided
       Status: New

** No longer affects: linux (Ubuntu Eoan)

** No longer affects: linux-hwe (Ubuntu Eoan)

** Also affects: linux (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: linux-hwe (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Changed in: linux (Ubuntu Bionic)
       Status: New => Invalid

** Changed in: linux-hwe (Ubuntu Focal)
       Status: New => Invalid

** Changed in: linux-hwe (Ubuntu)
       Status: New => Invalid

** Changed in: linux-hwe (Ubuntu Bionic)
       Status: New => Triaged

** Changed in: linux-hwe (Ubuntu Bionic)
   Importance: Undecided => High

** Changed in: linux (Ubuntu Focal)
   Importance: Undecided => High

Status in linux package in Ubuntu: Fix Released
Status in linux-hwe package in Ubuntu: Invalid
Status in linux source package in Bionic: Invalid
Status in linux-hwe source package in Bionic: Triaged
Status in linux source package in Focal: Triaged
Status in linux-hwe source package in Focal: Invalid
[Kernel-packages] [Bug 1890796] Re: ipsec: policy priority management is broken
** Also affects: linux (Ubuntu Eoan)
   Importance: Undecided
       Status: New

** Also affects: linux (Ubuntu Focal)
   Importance: Undecided
       Status: New

Status in linux package in Ubuntu: Incomplete
Status in linux source package in Eoan: New
Status in linux source package in Focal: New