group.of.nepali.translators team mailing list archive

[Bug 1801878] Re: NULL pointer dereference at 0000000000000020 when access dst_orig->ops->family in function xfrm_lookup_with_ifid()


This bug was fixed in the package linux - 4.4.0-140.166

---------------
linux (4.4.0-140.166) xenial; urgency=medium

  * linux: 4.4.0-140.166 -proposed tracker (LP: #1802776)

  * Bypass of mount visibility through userns + mount propagation (LP: #1789161)
    - mount: Retest MNT_LOCKED in do_umount
    - mount: Don't allow copying MNT_UNBINDABLE|MNT_LOCKED mounts

  * kdump fail due to an IRQ storm (LP: #1797990)
    - SAUCE: x86/PCI: Export find_cap() to be used in early PCI code
    - SAUCE: x86/quirks: Add parameter to clear MSIs early on boot
    - SAUCE: x86/quirks: Scan all busses for early PCI quirks

  * crash in ENA driver on removing an interface (LP: #1802341)
    - SAUCE: net: ena: fix crash during ena_remove()

  * xenial guest on arm64 drops to busybox under openstack bionic-rocky
    (LP: #1797092)
    - [Config] CONFIG_PCI_ECAM=y
    - PCI: Provide common functions for ECAM mapping
    - PCI: generic, thunder: Use generic ECAM API
    - PCI, of: Move PCI I/O space management to PCI core code
    - PCI: Move ecam.h to linux/include/pci-ecam.h
    - PCI: Add parent device field to ECAM struct pci_config_window
    - PCI: Add pci_unmap_iospace() to unmap I/O resources
    - PCI/ACPI: Support I/O resources when parsing host bridge resources
    - [Config] CONFIG_ACPI_MCFG=y
    - PCI/ACPI: Add generic MCFG table handling
    - PCI: Refactor pci_bus_assign_domain_nr() for CONFIG_PCI_DOMAINS_GENERIC
    - PCI: Factor DT-specific pci_bus_find_domain_nr() code out
    - ARM64: PCI: Add acpi_pci_bus_find_domain_nr()
    - ARM64: PCI: ACPI support for legacy IRQs parsing and consolidation with DT
      code
    - ARM64: PCI: Support ACPI-based PCI host controller

  * [GLK/CLX] Enhanced IBRS (LP: #1786139)
    - x86/speculation: Remove SPECTRE_V2_IBRS in enum spectre_v2_mitigation
    - x86/speculation: Support Enhanced IBRS on future CPUs

  * Update ENA driver to version 2.0.1K (LP: #1798182)
    - net: ena: remove ndo_poll_controller
    - net: ena: fix warning in rmmod caused by double iounmap
    - net: ena: fix rare bug when failed restart/resume is followed by driver
      removal
    - net: ena: fix NULL dereference due to untimely napi initialization
    - net: ena: fix auto casting to boolean
    - net: ena: minor performance improvement
    - net: ena: complete host info to match latest ENA spec
    - net: ena: introduce Low Latency Queues data structures according to ENA spec
    - net: ena: add functions for handling Low Latency Queues in ena_com
    - net: ena: add functions for handling Low Latency Queues in ena_netdev
    - net: ena: use CSUM_CHECKED device indication to report skb's checksum status
    - net: ena: explicit casting and initialization, and clearer error handling
    - net: ena: limit refill Rx threshold to 256 to avoid latency issues
    - net: ena: change rx copybreak default to reduce kernel memory pressure
    - net: ena: remove redundant parameter in ena_com_admin_init()
    - net: ena: update driver version to 2.0.1
    - net: ena: fix indentations in ena_defs for better readability
    - net: ena: Fix Kconfig dependency on X86
    - net: ena: enable Low Latency Queues
    - net: ena: fix compilation error in xtensa architecture

  * Xenial update: 4.4.162 upstream stable release (LP: #1801900)
    - ASoC: wm8804: Add ACPI support
    - ASoC: sigmadsp: safeload should not have lower byte limit
    - selftests/efivarfs: add required kernel configs
    - mfd: omap-usb-host: Fix dts probe of children
    - sound: enable interrupt after dma buffer initialization
    - stmmac: fix valid numbers of unicast filter entries
    - net: macb: disable scatter-gather for macb on sama5d3
    - ARM: dts: at91: add new compatibility string for macb on sama5d3
    - drm/amdgpu: Fix SDMA HQD destroy error on gfx_v7
    - ext4: add corruption check in ext4_xattr_set_entry()
    - mm/vmstat.c: fix outdated vmstat_text
    - mach64: detect the dot clock divider correctly on sparc
    - perf script python: Fix export-to-postgresql.py occasional failure
    - i2c: i2c-scmi: fix for i2c_smbus_write_block_data
    - xhci: Don't print a warning when setting link state for disabled ports
    - jffs2: return -ERANGE when xattr buffer is too small
    - bnxt_en: Fix TX timeout during netpoll.
    - bonding: avoid possible dead-lock
    - ip6_tunnel: be careful when accessing the inner header
    - ip_tunnel: be careful when accessing the inner header
    - ipv4: fix use-after-free in ip_cmsg_recv_dstaddr()
    - net: ipv4: update fnhe_pmtu when first hop's MTU changes
    - net/ipv6: Display all addresses in output of /proc/net/if_inet6
    - netlabel: check for IPV4MASK in addrinfo_get
    - net/usb: cancel pending work when unbinding smsc75xx
    - qlcnic: fix Tx descriptor corruption on 82xx devices
    - team: Forbid enslaving team device to itself
    - net: mvpp2: Extract the correct ethtype from the skb for tx csum offload
    - net: systemport: Fix wake-up interrupt race during resume
    - rtnl: limit IFLA_NUM_TX_QUEUES and IFLA_NUM_RX_QUEUES to 4096
    - KVM: x86: remove eager_fpu field of struct kvm_vcpu_arch
    - x86/fpu: Remove use_eager_fpu()
    - x86/fpu: Remove struct fpu::counter
    - x86/fpu: Finish excising 'eagerfpu'
    - media: af9035: prevent buffer overflow on write
    - clocksource/drivers/ti-32k: Add CLOCK_SOURCE_SUSPEND_NONSTOP flag for non-
      am43 SoCs
    - Input: atakbd - fix Atari keymap
    - Input: atakbd - fix Atari CapsLock behaviour
    - net/mlx4: Use cpumask_available for eq->affinity_mask
    - powerpc/tm: Fix userspace r13 corruption
    - powerpc/tm: Avoid possible userspace r1 corruption on reclaim
    - ARC: build: Get rid of toolchain check
    - usb: gadget: serial: fix oops when data rx'd after close
    - HV: properly delay KVP packets when negotiation is in progress
    - Linux 4.4.162

  * Xenial update: 4.4.161 upstream stable release (LP: #1801893)
    - mm/vmstat.c: skip NR_TLB_REMOTE_FLUSH* properly
    - fbdev/omapfb: fix omapfb_memory_read infoleak
    - x86/vdso: Fix asm constraints on vDSO syscall fallbacks
    - x86/vdso: Fix vDSO syscall fallback asm constraint regression
    - PCI: Reprogram bridge prefetch registers on resume
    - mac80211: fix setting IEEE80211_KEY_FLAG_RX_MGMT for AP mode keys
    - PM / core: Clear the direct_complete flag on errors
    - dm cache: fix resize crash if user doesn't reload cache table
    - xhci: Add missing CAS workaround for Intel Sunrise Point xHCI
    - USB: serial: simple: add Motorola Tetra MTP6550 id
    - of: unittest: Disable interrupt node tests for old world MAC systems
    - ext4: always verify the magic number in xattr blocks
    - cgroup: Fix deadlock in cpu hotplug path
    - ath10k: fix use-after-free in ath10k_wmi_cmd_send_nowait
    - ARC: clone syscall to setp r25 as thread pointer
    - ucma: fix a use-after-free in ucma_resolve_ip()
    - ubifs: Check for name being NULL while mounting
    - tcp: increment sk_drops for dropped rx packets
    - tcp: use an RB tree for ooo receive queue
    - tcp: fix a stale ooo_last_skb after a replace
    - tcp: free batches of packets in tcp_prune_ofo_queue()
    - tcp: call tcp_drop() from tcp_data_queue_ofo()
    - tcp: add tcp_ooo_try_coalesce() helper
    - ath10k: fix scan crash due to incorrect length calculation
    - ebtables: arpreply: Add the standard target sanity check
    - Linux 4.4.161

  * mlock203 test in ubuntu_ltp_syscalls failed with Xenial kernel
    (LP: #1793451)
    - mm: mlock: avoid increase mm->locked_vm on mlock() when already mlock2(,
      MLOCK_ONFAULT)

  * execveat03 in ubuntu_ltp_syscalls failed on X/B (LP: #1786729)
    - cap_inode_getsecurity: use d_find_any_alias() instead of d_find_alias()

  * [Ubuntu] net/af_iucv: fix skb leaks for HiperTransport (LP: #1800639)
    - net/af_iucv: drop inbound packets with invalid flags
    - net/af_iucv: fix skb handling on HiperTransport xmit error

  * NULL pointer dereference at 0000000000000020 when access
    dst_orig->ops->family in function  xfrm_lookup_with_ifid() (LP: #1801878)
    - xfrm: Fix NULL pointer dereference when skb_dst_force clears the dst_entry.

  * [Ubuntu] qeth: Fix potential array overrun in cmd/rc lookup (LP: #1800641)
    - s390: qeth_core_mpc: Use ARRAY_SIZE instead of reimplementing its function
    - s390: qeth: Fix potential array overrun in cmd/rc lookup

  * Packaging resync (LP: #1786013)
    - [Package] add support for specifying the primary makefile

 -- Khalid Elmously <khalid.elmously@xxxxxxxxxxxxx>  Tue, 13 Nov 2018 16:55:46 -0500

** Changed in: linux (Ubuntu Xenial)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1801878

Title:
  NULL pointer dereference at 0000000000000020 when access
  dst_orig->ops->family in function  xfrm_lookup_with_ifid()

Status in linux package in Ubuntu:
  Incomplete
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Bionic:
  Fix Released
Status in linux source package in Cosmic:
  Fix Released

Bug description:
  [Impact]

  A NULL pointer access happens when trying to access dst_orig->ops.

  The function xfrm_lookup() calls xfrm_lookup_with_ifid(), and a line
  inside it accesses dst_orig->ops; this is exactly where the panic
  happens:

  u16 family = dst_orig->ops->family;

  As you can see, the offset of the ops member is 32 (0x20), which is
  exactly the address reported in the kern.log error message:

  [267265.140511] BUG: unable to handle kernel NULL pointer dereference 
  at 0000000000000020 

  struct dst_entry {
      struct callback_head callback_head; /*  0 16 */
      struct dst_entry *   child;         /* 16  8 */
      struct net_device *  dev;           /* 24  8 */
      struct dst_ops *     ops;     <--   /* 32  8 */

  The oops:
  BUG: unable to handle kernel NULL pointer dereference at 0000000000000020 
  IP: xfrm_lookup+0x31/0x870 
  PGD 0 P4D 0 
  Oops: 0000 [#1] SMP PTI 
  CPU: 5 PID: 0 Comm: swapper/5 Not tainted 4.15.0-36-generic #39~16.04.1-Ubuntu 
  Hardware name: Xen HVM domU, BIOS 4.2.amazon 08/24/2006 
  RIP: 0010:xfrm_lookup+0x31/0x870 
  RSP: 0018:ffff98b542343a48 EFLAGS: 00010246 
  RAX: 0000000000000000 RBX: ffff98b542343ac8 RCX: 0000000000000000 
  RDX: ffff98b542343ac8 RSI: 0000000000000000 RDI: ffffffffb39e4380 
  RBP: ffff98b542343ab8 R08: 0000000000000002 R09: 0000000000000000 
  R10: 0000000000000020 R11: 000000007fb56465 R12: 0000000000000000 
  R13: ffffffffb39e4380 R14: 0000000000000002 R15: ffffffffb39e4380 
  FS: 0000000000000000(0000) GS:ffff98b542340000(0000) knlGS:0000000000000000 
  CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 
  CR2: 0000000000000020 CR3: 00000004ed40a001 CR4: 00000000001606e0 
  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 
  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 
  Call Trace: 
  <IRQ> 
  ? __xfrm_policy_check+0x41d/0x630 
  __xfrm_route_forward+0xa3/0x110 
  ip_forward+0x38c/0x470 
  ? ip_route_input_noref+0x28/0x40 
  ip_rcv_finish+0x124/0x410 
  ip_rcv+0x28e/0x3b0 
  ? inet_del_offload+0x40/0x40 
  __netif_receive_skb_core+0x879/0xba0 
  ? __skb_checksum+0x188/0x2c0 
  __netif_receive_skb+0x18/0x60 
  ? __netif_receive_skb+0x18/0x60 
  netif_receive_skb_internal+0x37/0xe0 
  ? tcp4_gro_complete+0x86/0x90 
  napi_gro_complete+0x73/0x90 
  dev_gro_receive+0x2ee/0x5c0 
  napi_gro_frags+0xa3/0x230 
  ena_clean_rx_irq+0x486/0x7c0 [ena] 
  ena_io_poll+0x41d/0x770 [ena] 
  net_rx_action+0x265/0x3b0 
  __do_softirq+0xf5/0x28f 
  irq_exit+0xb8/0xc0 
  xen_evtchn_do_upcall+0x30/0x40 
  xen_hvm_callback_vector+0x84/0x90 

  [Fix]
  The patch avoids the NULL pointer access in function __xfrm_route_forward,
  before the line mentioned above ("dst_orig->ops->family") is reached.
  The function calling sequence is:

  __xfrm_route_forward -> xfrm_lookup -> xfrm_lookup_with_ifid

  It definitely avoids the NULL pointer access in the 
  xfrm_lookup_with_ifid.

  commit c5e39ef174ad34cd4d26af3a83bdbccddd2ad9d6
  Author: Steffen Klassert <steffen.klassert@xxxxxxxxxxx>
  Date:   Tue Sep 11 10:31:15 2018 +0200

      xfrm: Fix NULL pointer dereference when skb_dst_force clears the dst_entry.
      
      Since commit 222d7dbd258d ("net: prevent dst uses after free")
      skb_dst_force() might clear the dst_entry attached to the skb.
      The xfrm code doesn't expect this to happen, so we crash with
      a NULL pointer dereference in this case. Fix it by checking
      skb_dst(skb) for NULL after skb_dst_force() and drop the packet
      in case the dst_entry was cleared.
      
  [Test]
  The fix has been tested on a production system with IPsec enabled.
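  The following user-space C model is an added illustration, not part of
  the bug report or of the kernel patch. It mirrors the struct layout from
  the pahole output above to show why the faulting address is 0x20, and
  puts the pre-fix dereference next to the fixed path that checks skb_dst()
  after skb_dst_force(). The skb_dst_force model, the AF_INET_MODEL and
  XFRM_DROP values are constructed assumptions.

```c
/* Added user-space model of the xfrm NULL dereference (not kernel code).
 * Layout follows the pahole output in the report; offsets assume LP64. */
#include <stddef.h>
#include <stdint.h>

#define AF_INET_MODEL 2   /* constructed: family value returned by the lookup */
#define XFRM_DROP    -1   /* constructed: "packet dropped" result of the fixed path */

struct callback_head { void *next; void (*func)(struct callback_head *); }; /* 16 bytes */
struct dst_ops { uint16_t family; };
struct dst_entry {
    struct callback_head callback_head;  /* offset 0,  size 16 */
    struct dst_entry *child;             /* offset 16, size 8  */
    void *dev;                           /* offset 24, size 8  */
    struct dst_ops *ops;                 /* offset 32, size 8  <-- 0x20 in the oops */
};
struct sk_buff { struct dst_entry *dst; };

/* Offset that the faulting address 0x20 corresponds to when dst_orig is NULL. */
size_t ops_offset(void) { return offsetof(struct dst_entry, ops); }

/* Model of skb_dst_force(): since 222d7dbd258d it may clear skb->dst instead
 * of taking a reference when the dst is no longer valid (dst_dead != 0). */
static void skb_dst_force_model(struct sk_buff *skb, int dst_dead)
{
    if (dst_dead)
        skb->dst = NULL;
}

/* Pre-fix behaviour, modelled: the address xfrm_lookup_with_ifid() would load
 * for dst_orig->ops. With dst_orig == NULL this is 0x20, the CR2 in the oops. */
uintptr_t unfixed_ops_load_address(struct sk_buff *skb, int dst_dead)
{
    skb_dst_force_model(skb, dst_dead);
    return (uintptr_t)skb->dst + offsetof(struct dst_entry, ops);
}

/* Fixed behaviour: check skb_dst() for NULL after skb_dst_force() and drop the
 * packet if the dst_entry was cleared; otherwise carry on with the lookup. */
int xfrm_route_forward_fixed(struct sk_buff *skb, int dst_dead)
{
    skb_dst_force_model(skb, dst_dead);
    struct dst_entry *dst_orig = skb->dst;
    if (!dst_orig)
        return XFRM_DROP;            /* the kernel fix drops the skb here */
    return dst_orig->ops->family;    /* the line that used to fault */
}
```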
