group.of.nepali.translators team mailing list archive

[Bug 1840619] Re: skb_warn_bad_offload kernel splat due to CHECKSUM target not compatible with GSO skbs


This bug was fixed in the package linux - 4.4.0-165.193

---------------
linux (4.4.0-165.193) xenial; urgency=medium

  * xenial/linux: 4.4.0-165.193 -proposed tracker (LP: #1844416)

  * Xenial update: 4.4.187 upstream stable release (LP: #1840081)
    - MIPS: ath79: fix ar933x uart parity mode
    - MIPS: fix build on non-linux hosts
    - dmaengine: imx-sdma: fix use-after-free on probe error path
    - ath10k: Do not send probe response template for mesh
    - ath9k: Check for errors when reading SREV register
    - ath6kl: add some bounds checking
    - ath: DFS JP domain W56 fixed pulse type 3 RADAR detection
    - batman-adv: fix for leaked TVLV handler.
    - media: dvb: usb: fix use after free in dvb_usb_device_exit
    - crypto: talitos - fix skcipher failure due to wrong output IV
    - media: marvell-ccic: fix DMA s/g desc number calculation
    - media: vpss: fix a potential NULL pointer dereference
    - net: stmmac: dwmac1000: Clear unused address entries
    - signal/pid_namespace: Fix reboot_pid_ns to use send_sig not force_sig
    - af_key: fix leaks in key_pol_get_resp and dump_sp.
    - xfrm: Fix xfrm sel prefix length validation
    - media: staging: media: davinci_vpfe: - Fix for memory leak if decoder
      initialization fails.
    - net: phy: Check against net_device being NULL
    - tua6100: Avoid build warnings.
    - locking/lockdep: Fix merging of hlocks with non-zero references
    - media: wl128x: Fix some error handling in fm_v4l2_init_video_device()
    - cpupower : frequency-set -r option misses the last cpu in related cpu list
    - net: fec: Do not use netdev messages too early
    - net: axienet: Fix race condition causing TX hang
    - s390/qdio: handle PENDING state for QEBSM devices
    - perf test 6: Fix missing kvm module load for s390
    - gpio: omap: fix lack of irqstatus_raw0 for OMAP4
    - gpio: omap: ensure irq is enabled before wakeup
    - regmap: fix bulk writes on paged registers
    - bpf: silence warning messages in core
    - rcu: Force inlining of rcu_read_lock()
    - xfrm: fix sa selector validation
    - perf evsel: Make perf_evsel__name() accept a NULL argument
    - vhost_net: disable zerocopy by default
    - EDAC/sysfs: Fix memory leak when creating a csrow object
    - media: i2c: fix warning same module names
    - ntp: Limit TAI-UTC offset
    - timer_list: Guard procfs specific code
    - acpi/arm64: ignore 5.1 FADTs that are reported as 5.0
    - media: coda: fix mpeg2 sequence number handling
    - media: coda: increment sequence offset for the last returned frame
    - mt7601u: do not schedule rx_tasklet when the device has been disconnected
    - x86/build: Add 'set -e' to mkcapflags.sh to delete broken capflags.c
    - mt7601u: fix possible memory leak when the device is disconnected
    - ath10k: fix PCIE device wake up failed
    - rslib: Fix decoding of shortened codes
    - rslib: Fix handling of of caller provided syndrome
    - ixgbe: Check DDM existence in transceiver before access
    - EDAC: Fix global-out-of-bounds write when setting edac_mc_poll_msec
    - bcache: check c->gc_thread by IS_ERR_OR_NULL in cache_set_flush()
    - Bluetooth: hci_bcsp: Fix memory leak in rx_skb
    - Bluetooth: 6lowpan: search for destination address in all peers
    - Bluetooth: Check state in l2cap_disconnect_rsp
    - Bluetooth: validate BLE connection interval updates
    - crypto: ghash - fix unaligned memory access in ghash_setkey()
    - crypto: arm64/sha1-ce - correct digest for empty data in finup
    - crypto: arm64/sha2-ce - correct digest for empty data in finup
    - Input: gtco - bounds check collection indent level
    - regulator: s2mps11: Fix buck7 and buck8 wrong voltages
    - tracing/snapshot: Resize spare buffer if size changed
    - NFSv4: Handle the special Linux file open access mode
    - lib/scatterlist: Fix mapping iterator when sg->offset is greater than
      PAGE_SIZE
    - ALSA: seq: Break too long mutex context in the write loop
    - media: v4l2: Test type instead of cfg->type in v4l2_ctrl_new_custom()
    - media: coda: Remove unbalanced and unneeded mutex unlock
    - KVM: x86/vPMU: refine kvm_pmu err msg when event creation failed
    - drm/nouveau/i2c: Enable i2c pads & busses during preinit
    - padata: use smp_mb in padata_reorder to avoid orphaned padata jobs
    - 9p/virtio: Add cleanup path in p9_virtio_init
    - PCI: Do not poll for PME if the device is in D3cold
    - take floppy compat ioctls to sodding floppy.c
    - floppy: fix out-of-bounds read in next_valid_format
    - floppy: fix invalid pointer dereference in drive_name
    - coda: pass the host file in vma->vm_file on mmap
    - gpu: ipu-v3: ipu-ic: Fix saturation bit offset in TPMEM
    - parisc: Fix kernel panic due invalid values in IAOQ0 or IAOQ1
    - powerpc/32s: fix suspend/resume when IBATs 4-7 are used
    - powerpc/watchpoint: Restore NV GPRs while returning from exception
    - eCryptfs: fix a couple type promotion bugs
    - intel_th: msu: Fix single mode with disabled IOMMU
    - Bluetooth: Add SMP workaround Microsoft Surface Precision Mouse bug
    - usb: Handle USB3 remote wakeup for LPM enabled devices correctly
    - dm bufio: fix deadlock with loop device
    - bnx2x: Prevent load reordering in tx completion processing
    - caif-hsi: fix possible deadlock in cfhsi_exit_module()
    - ipv4: don't set IPv6 only flags to IPv4 addresses
    - net: bcmgenet: use promisc for unsupported filters
    - net: neigh: fix multiple neigh timer scheduling
    - nfc: fix potential illegal memory access
    - sky2: Disable MSI on ASUS P6T
    - netrom: fix a memory leak in nr_rx_frame()
    - netrom: hold sock when setting skb->destructor
    - tcp: Reset bytes_acked and bytes_received when disconnecting
    - bonding: validate ip header before check IPPROTO_IGMP
    - net: bridge: mcast: fix stale nsrcs pointer in igmp3/mld2 report handling
    - net: bridge: mcast: fix stale ipv6 hdr pointer when handling v6 query
    - net: bridge: stp: don't cache eth dest pointer before skb pull
    - elevator: fix truncation of icq_cache_name
    - NFSv4: Fix open create exclusive when the server reboots
    - nfsd: increase DRC cache limit
    - nfsd: give out fewer session slots as limit approaches
    - nfsd: fix performance-limiting session calculation
    - nfsd: Fix overflow causing non-working mounts on 1 TB machines
    - drm/panel: simple: Fix panel_simple_dsi_probe
    - usb: core: hub: Disable hub-initiated U1/U2
    - tty: max310x: Fix invalid baudrate divisors calculator
    - pinctrl: rockchip: fix leaked of_node references
    - tty: serial: cpm_uart - fix init when SMC is relocated
    - memstick: Fix error cleanup path of memstick_init
    - tty/serial: digicolor: Fix digicolor-usart already registered warning
    - tty: serial: msm_serial: avoid system lockup condition
    - drm/virtio: Add memory barriers for capset cache.
    - phy: renesas: rcar-gen2: Fix memory leak at error paths
    - usb: gadget: Zero ffs_io_data
    - powerpc/pci/of: Fix OF flags parsing for 64bit BARs
    - PCI: sysfs: Ignore lockdep for remove attribute
    - iio: iio-utils: Fix possible incorrect mask calculation
    - recordmcount: Fix spurious mcount entries on powerpc
    - mfd: core: Set fwnode for created devices
    - mfd: arizona: Fix undefined behavior
    - um: Silence lockdep complaint about mmap_sem
    - powerpc/4xx/uic: clear pending interrupt after irq type/pol change
    - serial: sh-sci: Fix TX DMA buffer flushing and workqueue races
    - kallsyms: exclude kasan local symbols on s390
    - perf test mmap-thread-lookup: Initialize variable to suppress memory
      sanitizer warning
    - f2fs: avoid out-of-range memory access
    - mailbox: handle failed named mailbox channel request
    - powerpc/eeh: Handle hugepages in ioremap space
    - sh: prevent warnings when using iounmap
    - mm/kmemleak.c: fix check for softirq context
    - 9p: pass the correct prototype to read_cache_page
    - mm/mmu_notifier: use hlist_add_head_rcu()
    - locking/lockdep: Fix lock used or unused stats error
    - locking/lockdep: Hide unused 'class' variable
    - usb: wusbcore: fix unbalanced get/put cluster_id
    - usb: pci-quirks: Correct AMD PLL quirk detection
    - x86/sysfb_efi: Add quirks for some devices with swapped width and height
    - x86/speculation/mds: Apply more accurate check on hypervisor platform
    - hpet: Fix division by zero in hpet_time_div()
    - ALSA: hda - Add a conexant codec entry to let mute led work
    - access: avoid the RCU grace period for the temporary subjective credentials
    - vmstat: Remove BUG_ON from vmstat_update
    - mm, vmstat: make quiet_vmstat lighter
    - ipv6: check sk sk_type and protocol early in ip_mroute_set/getsockopt
    - tcp: reset sk_send_head in tcp_write_queue_purge
    - ISDN: hfcsusb: checking idx of ep configuration
    - media: cpia2_usb: first wake up, then free in disconnect
    - media: radio-raremono: change devm_k*alloc to k*alloc
    - Bluetooth: hci_uart: check for missing tty operations
    - sched/fair: Don't free p->numa_faults with concurrent readers
    - drivers/pps/pps.c: clear offset flags in PPS_SETPARAMS ioctl
    - ceph: hold i_ceph_lock when removing caps for freeing inode
    - Linux 4.4.187
    - perf tests: Add valid callback for parse-events test
    - SAUCE: Fix perf test 6: Fix missing kvm module load for s390

  * CVE-2018-20976
    - xfs: clear sb->s_fs_info on mount failure

  * Xenial update: 4.4.189 upstream stable release (LP: #1840335)
    - arm64: cpufeature: Fix CTR_EL0 field definitions
    - arm64: cpufeature: Fix feature comparison for CTR_EL0.{CWG,ERG}
    - netfilter: nfnetlink_acct: validate NFACCT_QUOTA parameter
    - HID: Add quirk for HP X1200 PIXART OEM mouse
    - tcp: be more careful in tcp_fragment()
    - atm: iphase: Fix Spectre v1 vulnerability
    - net: bridge: delete local fdb on device init failure
    - net: fix ifindex collision during namespace removal
    - tipc: compat: allow tipc commands without arguments
    - net: sched: Fix a possible null-pointer dereference in dequeue_func()
    - net/mlx5: Use reversed order when unregister devices
    - bnx2x: Disable multi-cos feature.
    - compat_ioctl: pppoe: fix PPPOEIOCSFWD handling
    - spi: bcm2835: Fix 3-wire mode if DMA is enabled
    - x86: cpufeatures: Sort feature word 7
    - x86/entry/64: Fix context tracking state warning when load_gs_index fails
    - Linux 4.4.189

  * CVE-2019-0136
    - mac80211: handle deauthentication/disassociation from TDLS peer

  * skb_warn_bad_offload kernel splat due to CHECKSUM target not compatible with
    GSO skbs (LP: #1840619)
    - netfilter: xt_checksum: ignore gso skbs

  * CVE-2018-20961
    - usb: gadget: f_midi: fail if set_alt fails to allocate requests
    - USB: gadget: f_midi: fixing a possible double-free in f_midi

  * CVE-2019-11487
    - pipe: add pipe_buf_get() helper
    - mm: add 'try_get_page()' helper function
    - fs: prevent page refcount overflow in pipe_buf_get
    - mm: make page ref count overflow check tighter and more explicit
    - mm, gup: ensure real head page is ref-counted when using hugepages
    - mm: prevent get_user_pages() from overflowing page refcount

  * Xenial update: 4.4.188 upstream stable release (LP: #1840289)
    - ARM: riscpc: fix DMA
    - ARM: dts: rockchip: Mark that the rk3288 timer might stop in suspend
    - kernel/module.c: Only return -EEXIST for modules that have finished loading
    - MIPS: lantiq: Fix bitfield masking
    - dmaengine: rcar-dmac: Reject zero-length slave DMA requests
    - fs/adfs: super: fix use-after-free bug
    - btrfs: fix minimum number of chunk errors for DUP
    - ceph: fix improper use of smp_mb__before_atomic()
    - scsi: zfcp: fix GCC compiler warning emitted with -Wmaybe-uninitialized
    - ACPI: fix false-positive -Wuninitialized warning
    - be2net: Signal that the device cannot transmit during reconfiguration
    - x86/apic: Silence -Wtype-limits compiler warnings
    - x86: math-emu: Hide clang warnings for 16-bit overflow
    - mm/cma.c: fail if fixed declaration can't be honored
    - coda: add error handling for fget
    - coda: fix build using bare-metal toolchain
    - uapi linux/coda_psdev.h: move upc_req definition from uapi to kernel side
      headers
    - ipc/mqueue.c: only perform resource calculation if user valid
    - x86/kvm: Don't call kvm_spurious_fault() from .fixup
    - selinux: fix memory leak in policydb_init()
    - s390/dasd: fix endless loop after read unit address configuration
    - xen/swiotlb: fix condition for calling xen_destroy_contiguous_region()
    - Linux 4.4.188

  * Line 6 POD HD500 driver fault (LP: #1790595) // Xenial update: 4.4.187
    upstream stable release (LP: #1840081)
    - ALSA: line6: Fix wrong altsetting for LINE6_PODHD500_1

  * CVE-2016-10905
    - GFS2: don't set rgrp gl_object until it's inserted into rgrp tree

 -- Stefan Bader <stefan.bader@xxxxxxxxxxxxx>  Tue, 17 Sep 2019 18:24:13 +0200

** Changed in: linux (Ubuntu Xenial)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-10905

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-20961

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-20976

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-0136

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-11487

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1840619

Title:
  skb_warn_bad_offload kernel splat due to CHECKSUM target not
  compatible with GSO skbs

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Fix Released

Bug description:
  BugLink: https://bugs.launchpad.net/bugs/1840619

  [Impact]

  In environments which have CHECKSUM iptables rules set, the following
  kernel call trace will be created when a GSO skb is processed by the
  CHECKSUM target:

  WARNING: CPU: 34 PID: 806048 at /build/linux-zdslHp/linux-4.4.0/net/core/dev.c:2456 skb_warn_bad_offload+0xcf/0x110()
  qr-f78bfdf7-fe: caps=(0x000000000fdb58e9, 0x000000000fdb58e9) len=1955 data_len=479 gso_size=1448 gso_type=1 ip_summed=3
  CPU: 34 PID: 806048 Comm: haproxy Tainted: G        W  OE   4.4.0-138-generic #164-Ubuntu
  Call Trace:
   dump_stack+0x63/0x90
   warn_slowpath_common+0x82/0xc0
   warn_slowpath_fmt+0x5c/0x80
   ? ___ratelimit+0xa2/0xe0
   skb_warn_bad_offload+0xcf/0x110
   skb_checksum_help+0x185/0x1a0
   checksum_tg+0x22/0x29 [xt_CHECKSUM]
   ipt_do_table+0x301/0x730 [ip_tables]
   ? ipt_do_table+0x349/0x730 [ip_tables]
   iptable_mangle_hook+0x39/0x107 [iptable_mangle]
   nf_iterate+0x68/0x80
   nf_hook_slow+0x73/0xd0
   ip_output+0xcf/0xe0
   ? __ip_flush_pending_frames.isra.43+0x90/0x90
   ip_local_out+0x3b/0x50
   ip_queue_xmit+0x154/0x390
   __tcp_transmit_skb+0x52b/0x9b0
   tcp_write_xmit+0x1dd/0xf50
   __tcp_push_pending_frames+0x31/0xd0
   tcp_push+0xec/0x110
   tcp_sendmsg+0x749/0xba0
   inet_sendmsg+0x6b/0xa0
   sock_sendmsg+0x3e/0x50
   SYSC_sendto+0x101/0x190
   ? __sys_sendmsg+0x51/0x90
   SyS_sendto+0xe/0x10
   entry_SYSCALL_64_fastpath+0x22/0xc1

  The CHECKSUM target does not support GSO skbs, and when a GSO skb is
  passed to skb_checksum_help(), it errors out and
  skb_warn_bad_offload() is called.

  The above call trace was found in a customer environment which has an
  Openstack deployment, with the following sorts of iptables rules set:

  -A neutron-l3-agent-POSTROUTING -o qr-+ -p tcp -m tcp --sport 9697 -j CHECKSUM --checksum-fill
  -A neutron-dhcp-age-POSTROUTING -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill

  This was causing haproxy running on the node to crash and restart
  every time a GSO skb was processed by the CHECKSUM target.

  I recommend reading the netdev mailing list thread for more details:
  https://www.spinics.net/lists/netdev/msg517366.html

  [Fix]

  This was fixed in 4.19 upstream with the below commit:

  commit 10568f6c5761db24249c610c94d6e44d5505a0ba
  Author: Florian Westphal <fw@xxxxxxxxx>
  Date:   Wed Aug 22 11:33:27 2018 +0200
  Subject: netfilter: xt_checksum: ignore gso skbs

  This commit adds a check to see if the current skb is a gso skb, and
  if it is, skips skb_checksum_help(). It then continues on to check if
  the packet uses udp, and if it does, exits early. Otherwise it prints
  a single warning that CHECKSUM should be avoided, and if really
  needed, only for use with outbound udp.

  Note, 10568f6c5761db24249c610c94d6e44d5505a0ba was included in
  upstream stable version 4.18.13, and was backported to bionic in
  4.15.0-58.64 by LP #1836426.

  This patch required minor backporting for 4.4, by slightly adjusting
  the context in the final patch hunk.

  [Testcase]

  You can reproduce this by adding the following iptables rule to the
  mangle table:

  -t mangle -A POSTROUTING -p tcp -m tcp --sport 80 -j CHECKSUM --checksum-fill

  and running traffic over port 80 with incorrect checksums in the ip
  header.

  I built a test kernel, which is available here:

  https://launchpad.net/~mruffell/+archive/ubuntu/sf216537-test

  For unpatched kernels, this causes the process which was handling the
  socket to crash, as seen by haproxy crashing on a node in production
  which hits this issue.

  On patched kernels you see the below warning printed to dmesg and no
  crashes occur.

  xt_CHECKSUM: CHECKSUM should be avoided.  If really needed, restrict with "-p udp" and only use in OUTPUT

  [Regression Potential]

  The changes are limited only to users which have CHECKSUM rules
  enabled in their iptables configs. Openstack commonly configures such
  rules on deployment, even though they are not necessary, as almost all
  packets have their checksum calculated by NICs these days, and
  CHECKSUM is only around to service old dhcp clients which would
  discard UDP packets with empty checksums.

  This commit was selected for upstream -stable 4.18.13, and has made
  its way into bionic 4.15.0-58.64 by LP #1836426. There have been no
  reported problems and those kernels would have had sufficient testing
  with Openstack and its configured iptables rules.

  If any users are affected by regression, then they can simply delete
  any CHECKSUM entries in their iptables configs.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1840619/+subscriptions
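As an added example (not part of the bug report or of the kernel patch), a small POSIX shell audit that scans `iptables-save` output for CHECKSUM rules broader than the recommendation the patched kernel prints, i.e. rules not restricted to `-p udp` or placed outside the OUTPUT chain. The rule set is a constructed sample modelled on the neutron rules quoted in the bug; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the bug report or the kernel patch.

# Constructed sample of `iptables-save` output, modelled on the neutron rules
# quoted in the bug report plus one rule in the recommended narrow form.
SAMPLE_RULES='*mangle
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -j neutron-l3-agent-POSTROUTING
-A neutron-l3-agent-POSTROUTING -o qr-+ -p tcp -m tcp --sport 9697 -j CHECKSUM --checksum-fill
-A neutron-dhcp-agent-POSTROUTING -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A OUTPUT -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT'

# audit_checksum_rules: reads iptables-save text on stdin, prints a verdict
# per CHECKSUM rule and exits with the number of flagged rules (0 = clean).
audit_checksum_rules() {
    awk '
        /^-A / && / -j CHECKSUM/ {
            chain = $2
            proto = ""
            for (i = 3; i <= NF; i++)
                if ($i == "-p") {
                    proto = $(i + 1)
                    # "! -p udp" is an inverted match, so it is not a udp-only rule
                    if ($(i - 1) == "!") proto = "!" proto
                }
            if (proto != "udp")
                verdict = "FLAG: not restricted to -p udp (TCP GSO skbs reach skb_checksum_help on unpatched kernels)"
            else if (chain != "OUTPUT")
                verdict = "FLAG: udp rule outside the OUTPUT chain"
            else
                verdict = "ok: udp rule in OUTPUT"
            print verdict " :: " $0
            if (verdict ~ /^FLAG/) flagged++
        }
        END { exit flagged }
    '
}

# count_flagged_rules: runs the audit over the constructed sample and echoes
# the number of flagged rules (2 here: the tcp rule and the non-OUTPUT udp rule).
count_flagged_rules() {
    rc=0
    printf '%s\n' "$SAMPLE_RULES" | audit_checksum_rules >/dev/null || rc=$?
    echo "$rc"
}

# Live use (needs root): iptables-save -t mangle | audit_checksum_rules
count_flagged_rules
```

A non-zero exit status from `audit_checksum_rules` is the signal to review the flagged rules; on a 4.4 kernel without the backport, the tcp rule is the one that produces the skb_warn_bad_offload splat above.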
