group.of.nepali.translators team mailing list archive
-
group.of.nepali.translators team
-
Mailing list archive
-
Message #27378
[Bug 1800639] Re: [Ubuntu] net/af_iucv: fix skb leaks for HiperTransport
This bug was fixed in the package linux - 4.4.0-140.166
---------------
linux (4.4.0-140.166) xenial; urgency=medium
* linux: 4.4.0-140.166 -proposed tracker (LP: #1802776)
* Bypass of mount visibility through userns + mount propagation (LP: #1789161)
- mount: Retest MNT_LOCKED in do_umount
- mount: Don't allow copying MNT_UNBINDABLE|MNT_LOCKED mounts
* kdump fail due to an IRQ storm (LP: #1797990)
- SAUCE: x86/PCI: Export find_cap() to be used in early PCI code
- SAUCE: x86/quirks: Add parameter to clear MSIs early on boot
- SAUCE: x86/quirks: Scan all busses for early PCI quirks
* crash in ENA driver on removing an interface (LP: #1802341)
- SAUCE: net: ena: fix crash during ena_remove()
* xenial guest on arm64 drops to busybox under openstack bionic-rocky
(LP: #1797092)
- [Config] CONFIG_PCI_ECAM=y
- PCI: Provide common functions for ECAM mapping
- PCI: generic, thunder: Use generic ECAM API
- PCI, of: Move PCI I/O space management to PCI core code
- PCI: Move ecam.h to linux/include/pci-ecam.h
- PCI: Add parent device field to ECAM struct pci_config_window
- PCI: Add pci_unmap_iospace() to unmap I/O resources
- PCI/ACPI: Support I/O resources when parsing host bridge resources
- [Config] CONFIG_ACPI_MCFG=y
- PCI/ACPI: Add generic MCFG table handling
- PCI: Refactor pci_bus_assign_domain_nr() for CONFIG_PCI_DOMAINS_GENERIC
- PCI: Factor DT-specific pci_bus_find_domain_nr() code out
- ARM64: PCI: Add acpi_pci_bus_find_domain_nr()
- ARM64: PCI: ACPI support for legacy IRQs parsing and consolidation with DT
code
- ARM64: PCI: Support ACPI-based PCI host controller
* [GLK/CLX] Enhanced IBRS (LP: #1786139)
- x86/speculation: Remove SPECTRE_V2_IBRS in enum spectre_v2_mitigation
- x86/speculation: Support Enhanced IBRS on future CPUs
* Update ENA driver to version 2.0.1K (LP: #1798182)
- net: ena: remove ndo_poll_controller
- net: ena: fix warning in rmmod caused by double iounmap
- net: ena: fix rare bug when failed restart/resume is followed by driver
removal
- net: ena: fix NULL dereference due to untimely napi initialization
- net: ena: fix auto casting to boolean
- net: ena: minor performance improvement
- net: ena: complete host info to match latest ENA spec
- net: ena: introduce Low Latency Queues data structures according to ENA spec
- net: ena: add functions for handling Low Latency Queues in ena_com
- net: ena: add functions for handling Low Latency Queues in ena_netdev
- net: ena: use CSUM_CHECKED device indication to report skb's checksum status
- net: ena: explicit casting and initialization, and clearer error handling
- net: ena: limit refill Rx threshold to 256 to avoid latency issues
- net: ena: change rx copybreak default to reduce kernel memory pressure
- net: ena: remove redundant parameter in ena_com_admin_init()
- net: ena: update driver version to 2.0.1
- net: ena: fix indentations in ena_defs for better readability
- net: ena: Fix Kconfig dependency on X86
- net: ena: enable Low Latency Queues
- net: ena: fix compilation error in xtensa architecture
* Xenial update: 4.4.162 upstream stable release (LP: #1801900)
- ASoC: wm8804: Add ACPI support
- ASoC: sigmadsp: safeload should not have lower byte limit
- selftests/efivarfs: add required kernel configs
- mfd: omap-usb-host: Fix dts probe of children
- sound: enable interrupt after dma buffer initialization
- stmmac: fix valid numbers of unicast filter entries
- net: macb: disable scatter-gather for macb on sama5d3
- ARM: dts: at91: add new compatibility string for macb on sama5d3
- drm/amdgpu: Fix SDMA HQD destroy error on gfx_v7
- ext4: add corruption check in ext4_xattr_set_entry()
- mm/vmstat.c: fix outdated vmstat_text
- mach64: detect the dot clock divider correctly on sparc
- perf script python: Fix export-to-postgresql.py occasional failure
- i2c: i2c-scmi: fix for i2c_smbus_write_block_data
- xhci: Don't print a warning when setting link state for disabled ports
- jffs2: return -ERANGE when xattr buffer is too small
- bnxt_en: Fix TX timeout during netpoll.
- bonding: avoid possible dead-lock
- ip6_tunnel: be careful when accessing the inner header
- ip_tunnel: be careful when accessing the inner header
- ipv4: fix use-after-free in ip_cmsg_recv_dstaddr()
- net: ipv4: update fnhe_pmtu when first hop's MTU changes
- net/ipv6: Display all addresses in output of /proc/net/if_inet6
- netlabel: check for IPV4MASK in addrinfo_get
- net/usb: cancel pending work when unbinding smsc75xx
- qlcnic: fix Tx descriptor corruption on 82xx devices
- team: Forbid enslaving team device to itself
- net: mvpp2: Extract the correct ethtype from the skb for tx csum offload
- net: systemport: Fix wake-up interrupt race during resume
- rtnl: limit IFLA_NUM_TX_QUEUES and IFLA_NUM_RX_QUEUES to 4096
- KVM: x86: remove eager_fpu field of struct kvm_vcpu_arch
- x86/fpu: Remove use_eager_fpu()
- x86/fpu: Remove struct fpu::counter
- x86/fpu: Finish excising 'eagerfpu'
- media: af9035: prevent buffer overflow on write
- clocksource/drivers/ti-32k: Add CLOCK_SOURCE_SUSPEND_NONSTOP flag for non-
am43 SoCs
- Input: atakbd - fix Atari keymap
- Input: atakbd - fix Atari CapsLock behaviour
- net/mlx4: Use cpumask_available for eq->affinity_mask
- powerpc/tm: Fix userspace r13 corruption
- powerpc/tm: Avoid possible userspace r1 corruption on reclaim
- ARC: build: Get rid of toolchain check
- usb: gadget: serial: fix oops when data rx'd after close
- HV: properly delay KVP packets when negotiation is in progress
- Linux 4.4.162
* Xenial update: 4.4.161 upstream stable release (LP: #1801893)
- mm/vmstat.c: skip NR_TLB_REMOTE_FLUSH* properly
- fbdev/omapfb: fix omapfb_memory_read infoleak
- x86/vdso: Fix asm constraints on vDSO syscall fallbacks
- x86/vdso: Fix vDSO syscall fallback asm constraint regression
- PCI: Reprogram bridge prefetch registers on resume
- mac80211: fix setting IEEE80211_KEY_FLAG_RX_MGMT for AP mode keys
- PM / core: Clear the direct_complete flag on errors
- dm cache: fix resize crash if user doesn't reload cache table
- xhci: Add missing CAS workaround for Intel Sunrise Point xHCI
- USB: serial: simple: add Motorola Tetra MTP6550 id
- of: unittest: Disable interrupt node tests for old world MAC systems
- ext4: always verify the magic number in xattr blocks
- cgroup: Fix deadlock in cpu hotplug path
- ath10k: fix use-after-free in ath10k_wmi_cmd_send_nowait
- ARC: clone syscall to setp r25 as thread pointer
- ucma: fix a use-after-free in ucma_resolve_ip()
- ubifs: Check for name being NULL while mounting
- tcp: increment sk_drops for dropped rx packets
- tcp: use an RB tree for ooo receive queue
- tcp: fix a stale ooo_last_skb after a replace
- tcp: free batches of packets in tcp_prune_ofo_queue()
- tcp: call tcp_drop() from tcp_data_queue_ofo()
- tcp: add tcp_ooo_try_coalesce() helper
- ath10k: fix scan crash due to incorrect length calculation
- ebtables: arpreply: Add the standard target sanity check
- Linux 4.4.161
* mlock203 test in ubuntu_ltp_syscalls failed with Xenial kernel
(LP: #1793451)
- mm: mlock: avoid increase mm->locked_vm on mlock() when already mlock2(,
MLOCK_ONFAULT)
* execveat03 in ubuntu_ltp_syscalls failed on X/B (LP: #1786729)
- cap_inode_getsecurity: use d_find_any_alias() instead of d_find_alias()
* [Ubuntu] net/af_iucv: fix skb leaks for HiperTransport (LP: #1800639)
- net/af_iucv: drop inbound packets with invalid flags
- net/af_iucv: fix skb handling on HiperTransport xmit error
* NULL pointer dereference at 0000000000000020 when access
dst_orig->ops->family in function xfrm_lookup_with_ifid() (LP: #1801878)
- xfrm: Fix NULL pointer dereference when skb_dst_force clears the dst_entry.
* [Ubuntu] qeth: Fix potential array overrun in cmd/rc lookup (LP: #1800641)
- s390: qeth_core_mpc: Use ARRAY_SIZE instead of reimplementing its function
- s390: qeth: Fix potential array overrun in cmd/rc lookup
* Packaging resync (LP: #1786013)
- [Package] add support for specifying the primary makefile
-- Khalid Elmously <khalid.elmously@xxxxxxxxxxxxx> Tue, 13 Nov 2018
16:55:46 -0500
** Changed in: linux (Ubuntu Xenial)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1800639
Title:
[Ubuntu] net/af_iucv: fix skb leaks for HiperTransport
Status in Ubuntu on IBM z Systems:
Fix Committed
Status in linux package in Ubuntu:
Fix Committed
Status in linux source package in Xenial:
Fix Released
Status in linux source package in Bionic:
Fix Released
Status in linux source package in Cosmic:
Fix Released
Bug description:
== SRU Justification ==
Fix socket buffer (skb) leaks for HiperTransport
Description: net/af_iucv: fix skb leaks for HiperTransport
Symptom: Memory leaks and/or double-freed network packets.
Problem: Inbound packets may have any combination of flag bits set in
their iucv header. Current code only handles certain
combinations, and ignores (ie. leaks) all packets with other flags.
On Transmit, current code is inconsistent about whether the error
paths need to free the skb. Depending on which error path is
taken, it may either get freed twice, or leak.
Solution: On receive, drop any skb with an unexpected combination of iucv
Header flags.
On transmit, be consistent in all error paths about free'ing the skb.
== Fix ==
222440996d6daf635bed6cb35041be22ede3e8a0 ("net/af_iucv: drop inbound packets with invalid flags")
b2f543949acd1ba64313fdad9e672ef47550d773 ("net/af_iucv: fix skb handling on HiperTransport xmit error")
== Patch ==
commit 222440996d6daf635bed6cb35041be22ede3e8a0
Author: Julian Wiedmann <jwi@xxxxxxxxxxxxx>
Date: Wed Sep 5 16:55:10 2018 +0200
net/af_iucv: drop inbound packets with invalid flags
Inbound packets may have any combination of flag bits set in their iucv
header. If we don't know how to handle a specific combination, drop the
skb instead of leaking it.
To clarify what error is returned in this case, replace the hard-coded
0 with the corresponding macro.
Signed-off-by: Julian Wiedmann <jwi@xxxxxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
==
commit b2f543949acd1ba64313fdad9e672ef47550d773
Author: Julian Wiedmann <jwi@xxxxxxxxxxxxx>
Date: Wed Sep 5 16:55:11 2018 +0200
net/af_iucv: fix skb handling on HiperTransport xmit error
When sending an skb, afiucv_hs_send() bails out on various error
conditions. But currently the caller has no way of telling whether the
skb was freed or not - resulting in potentially either
a) leaked skbs from iucv_send_ctrl(), or
b) double-free's from iucv_sock_sendmsg().
As dev_queue_xmit() will always consume the skb (even on error), be
consistent and also free the skb from all other error paths. This way
callers no longer need to care about managing the skb.
Signed-off-by: Julian Wiedmann <jwi@xxxxxxxxxxxxx>
Reviewed-by: Ursula Braun <ubraun@xxxxxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
== Regression Potential ==
Low, because:
- IUCV functionality is very special to s390x and is only supported in z/VM environments
(z/VM hypervisor to guest or guest to guest communications)
- So everything is s390x specific.
- Patch is limited to this single file: /net/iucv/af_iucv.c
- Patch was tested by IBM, and fixes an identified problem situation.
== Test Case ==
Set IUCV communication on an Ubuntu s390x system that runs as z/VM guest:
https://www.ibm.com/support/knowledgecenter/en/linuxonibm/com.ibm.linux.z.ludd/ludd_r_afiucv_setup.html
Provoke an error situation.
This is btw. hard to do, because the 'Inter-User Communication Vehicle" (IUCV) is a virtual z/VM internal
network that does not use any real media.
To check for regressions one can use a shell over an ssh connection using an IUCV interface
or use an application that utilises AF_IUCV sockets (like ICC).
__________
Description: net/af_iucv: fix skb leaks for HiperTransport
Symptom: Memory leaks and/or double-freed network packets.
Problem: Inbound packets may have any combination of flag bits set in
their iucv header. Current code only handles certain
combinations, and ignores (ie. leaks) all packets with other
flags.
On Transmit, current code is inconsistent about whether the error
paths need to free the skb. Depending on which error path is
taken, it may either get freed twice, or leak.
Solution: On receive, drop any skb with an unexpected combination of iucv
Header flags.
On transmit, be consistent in all error paths about free'ing the
skb.
kerne 4.19
Upstream-ID: 222440996d6daf635bed6cb35041be22ede3e8a0
b2f543949acd1ba64313fdad9e672ef47550d773
Should also be applied, to all other Ubuntu Releases in the field !
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1800639/+subscriptions
