← Back to team overview

group.of.nepali.translators team mailing list archive

[Bug 1730596] Re: s390/mm: fix write access check in gup_huge_pmd()

 

This bug was fixed in the package linux - 4.4.0-101.124

---------------
linux (4.4.0-101.124) xenial; urgency=low

  * linux: 4.4.0-101.124 -proposed tracker (LP: #1731264)

  * s390/mm: fix write access check in gup_huge_pmd() (LP: #1730596)
    - s390/mm: fix write access check in gup_huge_pmd()

linux (4.4.0-100.123) xenial; urgency=low

  * linux: 4.4.0-100.123 -proposed tracker (LP: #1729273)

  * Xenial update to 4.4.95 stable release (LP: #1729107)
    - USB: devio: Revert "USB: devio: Don't corrupt user memory"
    - USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor()
    - USB: serial: metro-usb: add MS7820 device id
    - usb: cdc_acm: Add quirk for Elatec TWN3
    - usb: quirks: add quirk for WORLDE MINI MIDI keyboard
    - usb: hub: Allow reset retry for USB2 devices on connect bounce
    - ALSA: usb-audio: Add native DSD support for Pro-Ject Pre Box S2 Digital
    - can: gs_usb: fix busy loop if no more TX context is available
    - usb: musb: sunxi: Explicitly release USB PHY on exit
    - usb: musb: Check for host-mode using is_host_active() on reset interrupt
    - can: esd_usb2: Fix can_dlc value for received RTR, frames
    - drm/nouveau/bsp/g92: disable by default
    - drm/nouveau/mmu: flush tlbs before deleting page tables
    - ALSA: seq: Enable 'use' locking in all configurations
    - ALSA: hda: Remove superfluous '-' added by printk conversion
    - i2c: ismt: Separate I2C block read from SMBus block read
    - brcmsmac: make some local variables 'static const' to reduce stack size
    - bus: mbus: fix window size calculation for 4GB windows
    - clockevents/drivers/cs5535: Improve resilience to spurious interrupts
    - rtlwifi: rtl8821ae: Fix connection lost problem
    - KEYS: encrypted: fix dereference of NULL user_key_payload
    - lib/digsig: fix dereference of NULL user_key_payload
    - KEYS: don't let add_key() update an uninstantiated key
    - pkcs7: Prevent NULL pointer dereference, since sinfo is not always set.
    - parisc: Avoid trashing sr2 and sr3 in LWS code
    - parisc: Fix double-word compare and exchange in LWS code on 32-bit kernels
    - sched/autogroup: Fix autogroup_move_group() to never skip sched_move_task()
    - f2fs crypto: replace some BUG_ON()'s with error checks
    - f2fs crypto: add missing locking for keyring_key access
    - fscrypt: fix dereference of NULL user_key_payload
    - KEYS: Fix race between updating and finding a negative key
    - fscrypto: require write access to mount to set encryption policy
    - FS-Cache: fix dereference of NULL user_key_payload
    - Linux 4.4.95

  * Xenial update to 4.4.94 stable release (LP: #1729105)
    - percpu: make this_cpu_generic_read() atomic w.r.t. interrupts
    - drm/dp/mst: save vcpi with payloads
    - MIPS: Fix minimum alignment requirement of IRQ stack
    - sctp: potential read out of bounds in sctp_ulpevent_type_enabled()
    - bpf/verifier: reject BPF_ALU64|BPF_END
    - udpv6: Fix the checksum computation when HW checksum does not apply
    - ip6_gre: skb_push ipv6hdr before packing the header in ip6gre_header
    - net: emac: Fix napi poll list corruption
    - packet: hold bind lock when rebinding to fanout hook
    - bpf: one perf event close won't free bpf program attached by another perf
      event
    - isdn/i4l: fetch the ppp_write buffer in one shot
    - vti: fix use after free in vti_tunnel_xmit/vti6_tnl_xmit
    - l2tp: Avoid schedule while atomic in exit_net
    - l2tp: fix race condition in l2tp_tunnel_delete
    - tun: bail out from tun_get_user() if the skb is empty
    - packet: in packet_do_bind, test fanout with bind_lock held
    - packet: only test po->has_vnet_hdr once in packet_snd
    - net: Set sk_prot_creator when cloning sockets to the right proto
    - tipc: use only positive error codes in messages
    - Revert "bsg-lib: don't free job in bsg_prepare_job"
    - locking/lockdep: Add nest_lock integrity test
    - watchdog: kempld: fix gcc-4.3 build
    - irqchip/crossbar: Fix incorrect type of local variables
    - mac80211_hwsim: check HWSIM_ATTR_RADIO_NAME length
    - mac80211: fix power saving clients handling in iwlwifi
    - net/mlx4_en: fix overflow in mlx4_en_init_timestamp()
    - netfilter: nf_ct_expect: Change __nf_ct_expect_check() return value.
    - iio: adc: xilinx: Fix error handling
    - Btrfs: send, fix failure to rename top level inode due to name collision
    - f2fs: do not wait for writeback in write_begin
    - md/linear: shutup lockdep warnning
    - sparc64: Migrate hvcons irq to panicked cpu
    - net/mlx4_core: Fix VF overwrite of module param which disables DMFS on new
      probed PFs
    - crypto: xts - Add ECB dependency
    - ocfs2/dlmglue: prepare tracking logic to avoid recursive cluster lock
    - slub: do not merge cache if slub_debug contains a never-merge flag
    - scsi: scsi_dh_emc: return success in clariion_std_inquiry()
    - net: mvpp2: release reference to txq_cpu[] entry after unmapping
    - i2c: at91: ensure state is restored after suspending
    - ceph: clean up unsafe d_parent accesses in build_dentry_path
    - uapi: fix linux/rds.h userspace compilation errors
    - uapi: fix linux/mroute6.h userspace compilation errors
    - target/iscsi: Fix unsolicited data seq_end_offset calculation
    - nfsd/callback: Cleanup callback cred on shutdown
    - cpufreq: CPPC: add ACPI_PROCESSOR dependency
    - Revert "tty: goldfish: Fix a parameter of a call to free_irq"
    - Linux 4.4.94

linux (4.4.0-99.122) xenial; urgency=low

  * linux: 4.4.0-99.122 -proposed tracker (LP: #1728945)

  * Remove vmbus-rdma driver from Xenial kernel (LP: #1721538)
    - SAUCE: remove hv_network_direct driver
    - [Config]: Remove hv_network_direct driver

  * usb 3-1: 2:1: cannot get freq at ep 0x1 (LP: #1708499)
    - ALSA: usb-audio: Add sample rate quirk for Plantronics C310/C520-M

  * Plantronics Blackwire C520-M - Cannot get freq at ep 0x1, 0x81
    (LP: #1709282)
    - ALSA: usb-audio: Add sample rate quirk for Plantronics C310/C520-M

  * wait-for-root fails to detect nbd root (LP: #696435)
    - nbd: Create size change events for userspace

  * Fix OpenNSL GPL bugs found by CoverityScan static analysis (LP: #1718388)
    - SAUCE: opennsl: bcm-knet: check for null sinfo to avoid a null pointer
      dereference
    - SAUCE: opennsl: bcm-knet: remove redundant null checks on dev->name
    - SAUCE: opennsl: bde: check for out-of-bounds index io.dev

  * HID: multitouch: Correct ALPS PTP Stick and Touchpad devices ID
    (LP: #1722719)
    - Revert "HID: multitouch: Support ALPS PTP stick with pid 0x120A"

  * Xenial update to 4.4.93 stable release (LP: #1724836)
    - brcmfmac: add length check in brcmf_cfg80211_escan_handler()
    - ext4: in ext4_seek_{hole,data}, return -ENXIO for negative offsets
    - CIFS: Reconnect expired SMB sessions
    - nl80211: Define policy for packet pattern attributes
    - iwlwifi: mvm: use IWL_HCMD_NOCOPY for MCAST_FILTER_CMD
    - rcu: Allow for page faults in NMI handlers
    - USB: dummy-hcd: Fix deadlock caused by disconnect detection
    - MIPS: math-emu: Remove pr_err() calls from fpu_emu()
    - dmaengine: edma: Align the memcpy acnt array size with the transfer
    - HID: usbhid: fix out-of-bounds bug
    - crypto: shash - Fix zero-length shash ahash digest crash
    - KVM: nVMX: fix guest CR4 loading when emulating L2 to L1 exit
    - usb: renesas_usbhs: Fix DMAC sequence for receiving zero-length packet
    - iommu/amd: Finish TLB flush in amd_iommu_unmap()
    - ALSA: usb-audio: Kill stray URB at exiting
    - ALSA: seq: Fix use-after-free at creating a port
    - ALSA: seq: Fix copy_from_user() call inside lock
    - ALSA: caiaq: Fix stray URB at probe error path
    - ALSA: line6: Fix leftover URB at error-path during probe
    - usb: gadget: composite: Fix use-after-free in
      usb_composite_overwrite_options
    - direct-io: Prevent NULL pointer access in submit_page_section
    - fix unbalanced page refcounting in bio_map_user_iov
    - USB: serial: ftdi_sio: add id for Cypress WICED dev board
    - USB: serial: cp210x: add support for ELV TFD500
    - USB: serial: option: add support for TP-Link LTE module
    - Revert "UBUNTU: SAUCE: USB: serial: qcserial: add Dell DW5818, DW5819"
    - USB: serial: qcserial: add Dell DW5818, DW5819
    - USB: serial: console: fix use-after-free after failed setup
    - x86/alternatives: Fix alt_max_short macro to really be a max()
    - Linux 4.4.93

  * NULL pointer dereference in tty_write() in kernel 4.4.0-93.116+
    (LP: #1721065)
    - tty: Prepare for destroying line discipline on hangup

  * Xenial update to 4.4.92 stable release (LP: #1724783)
    - usb: gadget: inode.c: fix unbalanced spin_lock in ep0_write
    - USB: gadgetfs: Fix crash caused by inadequate synchronization
    - USB: gadgetfs: fix copy_to_user while holding spinlock
    - usb: gadget: udc: atmel: set vbus irqflags explicitly
    - usb-storage: unusual_devs entry to fix write-access regression for Seagate
      external drives
    - usb: renesas_usbhs: fix the BCLR setting condition for non-DCP pipe
    - usb: renesas_usbhs: fix usbhsf_fifo_clear() for RX direction
    - ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor
    - usb: pci-quirks.c: Corrected timeout values used in handshake
    - USB: dummy-hcd: fix connection failures (wrong speed)
    - USB: dummy-hcd: fix infinite-loop resubmission bug
    - USB: dummy-hcd: Fix erroneous synchronization change
    - USB: devio: Don't corrupt user memory
    - usb: gadget: mass_storage: set msg_registered after msg registered
    - USB: g_mass_storage: Fix deadlock when driver is unbound
    - lsm: fix smack_inode_removexattr and xattr_getsecurity memleak
    - ALSA: compress: Remove unused variable
    - ALSA: usx2y: Suppress kernel warning at page allocation failures
    - driver core: platform: Don't read past the end of "driver_override" buffer
    - Drivers: hv: fcopy: restore correct transfer length
    - stm class: Fix a use-after-free
    - ftrace: Fix kmemleak in unregister_ftrace_graph
    - HID: i2c-hid: allocate hid buffers for real worst case
    - iwlwifi: add workaround to disable wide channels in 5GHz
    - scsi: sd: Do not override max_sectors_kb sysfs setting
    - USB: uas: fix bug in handling of alternate settings
    - USB: core: harden cdc_parse_cdc_header
    - usb: Increase quirk delay for USB devices
    - USB: fix out-of-bounds in usb_set_configuration
    - xhci: fix finding correct bus_state structure for USB 3.1 hosts
    - iio: adc: twl4030: Fix an error handling path in 'twl4030_madc_probe()'
    - iio: adc: twl4030: Disable the vusb3v1 rugulator in the error handling path
      of 'twl4030_madc_probe()'
    - iio: ad_sigma_delta: Implement a dedicated reset function
    - staging: iio: ad7192: Fix - use the dedicated reset function avoiding dma
      from stack.
    - iio: core: Return error for failed read_reg
    - iio: ad7793: Fix the serial interface reset
    - iio: adc: mcp320x: Fix readout of negative voltages
    - iio: adc: mcp320x: Fix oops on module unload
    - uwb: properly check kthread_run return value
    - uwb: ensure that endpoint is interrupt
    - brcmfmac: setup passive scan if requested by user-space
    - drm/i915/bios: ignore HDMI on port A
    - sched/cpuset/pm: Fix cpuset vs. suspend-resume bugs
    - ext4: fix data corruption for mmap writes
    - ext4: Don't clear SGID when inheriting ACLs
    - ext4: don't allow encrypted operations without keys
    - Linux 4.4.92

  * Xenial update to 4.4.91 stable release (LP: #1724772)
    - drm_fourcc: Fix DRM_FORMAT_MOD_LINEAR #define
    - drm: bridge: add DT bindings for TI ths8135
    - GFS2: Fix reference to ERR_PTR in gfs2_glock_iter_next
    - RDS: RDMA: Fix the composite message user notification
    - ARM: dts: r8a7790: Use R-Car Gen 2 fallback binding for msiof nodes
    - MIPS: Ensure bss section ends on a long-aligned address
    - MIPS: ralink: Fix incorrect assignment on ralink_soc
    - igb: re-assign hw address pointer on reset after PCI error
    - extcon: axp288: Use vbus-valid instead of -present to determine cable
      presence
    - sh_eth: use correct name for ECMR_MPDE bit
    - hwmon: (gl520sm) Fix overflows and crash seen when writing into limit
      attributes
    - iio: adc: axp288: Drop bogus AXP288_ADC_TS_PIN_CTRL register modifications
    - iio: adc: hx711: Add DT binding for avia,hx711
    - ARM: 8635/1: nommu: allow enabling REMAP_VECTORS_TO_RAM
    - tty: goldfish: Fix a parameter of a call to free_irq
    - IB/ipoib: Fix deadlock over vlan_mutex
    - IB/ipoib: rtnl_unlock can not come after free_netdev
    - IB/ipoib: Replace list_del of the neigh->list with list_del_init
    - drm/amdkfd: fix improper return value on error
    - USB: serial: mos7720: fix control-message error handling
    - USB: serial: mos7840: fix control-message error handling
    - partitions/efi: Fix integer overflow in GPT size calculation
    - ASoC: dapm: handle probe deferrals
    - audit: log 32-bit socketcalls
    - usb: chipidea: vbus event may exist before starting gadget
    - ASoC: dapm: fix some pointer error handling
    - MIPS: Lantiq: Fix another request_mem_region() return code check
    - net: core: Prevent from dereferencing null pointer when releasing SKB
    - net/packet: check length in getsockopt() called with PACKET_HDRLEN
    - team: fix memory leaks
    - usb: plusb: Add support for PL-27A1
    - mmc: sdio: fix alignment issue in struct sdio_func
    - bridge: netlink: register netdevice before executing changelink
    - netfilter: invoke synchronize_rcu after set the _hook_ to NULL
    - MIPS: IRQ Stack: Unwind IRQ stack onto task stack
    - exynos-gsc: Do not swap cb/cr for semi planar formats
    - netfilter: nfnl_cthelper: fix incorrect helper->expect_class_max
    - parisc: perf: Fix potential NULL pointer dereference
    - iommu/io-pgtable-arm: Check for leaf entry before dereferencing it
    - rds: ib: add error handle
    - md/raid10: submit bio directly to replacement disk
    - i2c: meson: fix wrong variable usage in meson_i2c_put_data
    - xfs: remove kmem_zalloc_greedy
    - libata: transport: Remove circular dependency at free time
    - drivers: firmware: psci: drop duplicate const from psci_of_match
    - IB/qib: fix false-postive maybe-uninitialized warning
    - ARM: remove duplicate 'const' annotations'
    - ALSA: au88x0: avoid theoretical uninitialized access
    - ttpci: address stringop overflow warning
    - Linux 4.4.91

 -- Thadeu Lima de Souza Cascardo <cascardo@xxxxxxxxxxxxx>  Fri, 10 Nov
2017 08:24:10 -0200

** Changed in: linux (Ubuntu Xenial)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1730596

Title:
  s390/mm: fix write access check in gup_huge_pmd()

Status in Ubuntu on IBM z Systems:
  Fix Committed
Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Zesty:
  Fix Released
Status in linux source package in Artful:
  Fix Committed
Status in linux source package in Bionic:
  Fix Committed

Bug description:
  == SRU Justification ==
  The check for the _SEGMENT_ENTRY_PROTECT bit in gup_huge_pmd() is the
  wrong way around. It must not be set for write==1, and not be checked for
  write==0. Fix this similar to how it was fixed for ptes long time ago in
  commit 25591b0 ("[S390] fix get_user_pages_fast").

  One impact of this bug would be unnecessarily using the gup slow path for
  write==0 on r/w mappings. A potentially more severe impact would be that
  gup_huge_pmd() will succeed for write==1 on r/o mappings.

  This bug is fixed by mainline commit ba385c0594, which is in mainline
  as of v4.14-rc2.  It was also cc'd to upstream stable.  It has already
  been accepted in upstream v4.13.y, so Artful and Bionic have the fix
  via the 4.13.5 stable updates.

  == Fix ==
  commit ba385c0594e723d41790ecfb12c610e6f90c7785
  Author: Gerald Schaefer <gerald.schaefer@xxxxxxxxxx>
  Date:   Mon Sep 18 16:51:51 2017 +0200

      s390/mm: fix write access check in gup_huge_pmd()

  
  == Regression Potential ==
  This patch is specific to s390.  It has also been accepted by upstream stable, so additional upstream review has been done.


  
  Addl information

  Problem: The check for the _SEGMENT_ENTRY_PROTECT bit in
                gup_huge_pmd() is the wrong way around. It must not be set
                for write==1, and not be checked for write==0. Allowing
                write==1 with protection bit set, instead of breaking out
                to the slow path, will result in a missing faultin_page()
                to clear the protection bit (for valid writable mappings),
                and the async I/O write operation will fail to write to
                such a mapping.
  Solution:     Fix it by correctly checking the protection bit like it is
                also done in gup_pte_range() and gup_huge_pud().
  Reproduction: Async I/O workload on buffers that are mapped as transparent
                hugepages.
  Upstream-ID:  ba385c0594e723d41790ecfb12c610e6f90c7785

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1730596/+subscriptions