
group.of.nepali.translators team mailing list archive

[Bug 1874444] Re: Bionic ubuntu ethtool doesn't check ring parameters boundaries

 

This bug was fixed in the package linux - 4.15.0-106.107

---------------
linux (4.15.0-106.107) bionic; urgency=medium

  * CVE-2020-0543
    - SAUCE: x86/cpu: Add a steppings field to struct x86_cpu_id
    - SAUCE: x86/cpu: Add 'table' argument to cpu_matches()
    - SAUCE: x86/speculation: Add Special Register Buffer Data Sampling (SRBDS)
      mitigation
    - SAUCE: x86/speculation: Add SRBDS vulnerability and mitigation documentation
    - SAUCE: x86/speculation: Add Ivy Bridge to affected list

linux (4.15.0-103.104) bionic; urgency=medium

  * bionic/linux: 4.15.0-103.104 -proposed tracker (LP: #1881272)

  * "BUG: unable to handle kernel paging request" when testing
    ubuntu_kvm_smoke_test.kvm_smoke_test with B-KVM in proposed (LP: #1881072)
    - KVM: VMX: Explicitly reference RCX as the vmx_vcpu pointer in asm blobs
    - KVM: VMX: Mark RCX, RDX and RSI as clobbered in vmx_vcpu_run()'s asm blob

linux (4.15.0-102.103) bionic; urgency=medium

  * bionic/linux: 4.15.0-102.103 -proposed tracker (LP: #1878856)

  * Packaging resync (LP: #1786013)
    - update dkms package versions

  * debian/scripts/file-downloader does not handle positive failures correctly
    (LP: #1878897)
    - [Packaging] file-downloader not handling positive failures correctly

  * Kernel log flood "ceph: Failed to find inode for 1" (LP: #1875884)
    - ceph: don't check quota for snap inode
    - ceph: quota: cache inode pointer in ceph_snap_realm

  * [UBUNTU 18.04] zpcictl --reset - contribution for kernel (LP: #1870320)
    - s390/pci: Recover handle in clp_set_pci_fn()
    - s390/pci: Fix possible deadlock in recover_store()

  * Bionic update: upstream stable patchset 2020-05-12 (LP: #1878256)
    - drm/edid: Fix off-by-one in DispID DTD pixel clock
    - drm/qxl: qxl_release leak in qxl_draw_dirty_fb()
    - drm/qxl: qxl_release leak in qxl_hw_surface_alloc()
    - drm/qxl: qxl_release use after free
    - btrfs: fix block group leak when removing fails
    - btrfs: fix partial loss of prealloc extent past i_size after fsync
    - mmc: sdhci-xenon: fix annoying 1.8V regulator warning
    - mmc: sdhci-pci: Fix eMMC driver strength for BYT-based controllers
    - ALSA: hda/realtek - Two front mics on a Lenovo ThinkCenter
    - ALSA: hda/hdmi: fix without unlocked before return
    - ALSA: pcm: oss: Place the plugin buffer overflow checks correctly
    - PM: ACPI: Output correct message on target power state
    - PM: hibernate: Freeze kernel threads in software_resume()
    - dm verity fec: fix hash block number in verity_fec_decode
    - RDMA/mlx5: Set GRH fields in query QP on RoCE
    - RDMA/mlx4: Initialize ib_spec on the stack
    - vfio: avoid possible overflow in vfio_iommu_type1_pin_pages
    - vfio/type1: Fix VA->PA translation for PFNMAP VMAs in vaddr_get_pfn()
    - iommu/qcom: Fix local_base status check
    - scsi: target/iblock: fix WRITE SAME zeroing
    - iommu/amd: Fix legacy interrupt remapping for x2APIC-enabled system
    - ALSA: opti9xx: shut up gcc-10 range warning
    - nfs: Fix potential posix_acl refcnt leak in nfs3_set_acl
    - dmaengine: dmatest: Fix iteration non-stop logic
    - selinux: properly handle multiple messages in selinux_netlink_send()
    - ASoC: tas571x: disable regulators on failed probe
    - ASoC: wm8960: Fix wrong clock after suspend & resume
    - rxrpc: Fix DATA Tx to disable nofrag for UDP on AF_INET6 socket
    - xfs: acquire superblock freeze protection on eofblocks scans
    - cpumap: Avoid warning when CONFIG_DEBUG_PER_CPU_MAPS is enabled
    - net: fec: set GPR bit on suspend by DT configuration.
    - ALSA: hda: Keep the controller initialization even if no codecs found
    - ALSA: hda: Explicitly permit using autosuspend if runtime PM is supported
    - ALSA: hda: call runtime_allow() for all hda controllers
    - scsi: qla2xxx: check UNLOADING before posting async work
    - RDMA/core: Fix race between destroy and release FD object
    - btrfs: transaction: Avoid deadlock due to bad initialization timing of
      fs_info::journal_info
    - mmc: sdhci-msm: Enable host capabilities pertains to R1b response
    - mmc: meson-mx-sdio: Set MMC_CAP_WAIT_WHILE_BUSY
    - mmc: meson-mx-sdio: remove the broken ->card_busy() op

  * Bionic update: upstream stable patchset 2020-05-07 (LP: #1877461)
    - ext4: fix extent_status fragmentation for plain files
    - net: ipv4: avoid unused variable warning for sysctl
    - crypto: mxs-dcp - make symbols 'sha1_null_hash' and 'sha256_null_hash'
      static
    - vti4: removed duplicate log message.
    - watchdog: reset last_hw_keepalive time at start
    - scsi: lpfc: Fix kasan slab-out-of-bounds error in lpfc_unreg_login
    - ceph: return ceph_mdsc_do_request() errors from __get_parent()
    - ceph: don't skip updating wanted caps when cap is stale
    - pwm: rcar: Fix late Runtime PM enablement
    - scsi: iscsi: Report unbind session event when the target has been removed
    - ASoC: Intel: atom: Take the drv->lock mutex before calling
      sst_send_slot_map()
    - kernel/gcov/fs.c: gcov_seq_next() should increase position index
    - selftests: kmod: fix handling test numbers above 9
    - ipc/util.c: sysvipc_find_ipc() should increase position index
    - s390/cio: avoid duplicated 'ADD' uevents
    - pwm: renesas-tpu: Fix late Runtime PM enablement
    - pwm: bcm2835: Dynamically allocate base
    - perf/core: Disable page faults when getting phys address
    - PCI/ASPM: Allow re-enabling Clock PM
    - mm, slub: restore the original intention of prefetch_freepointer()
    - cxgb4: fix large delays in PTP synchronization
    - ipv6: fix restrict IPV6_ADDRFORM operation
    - macsec: avoid to set wrong mtu
    - macvlan: fix null dereference in macvlan_device_event()
    - net: bcmgenet: correct per TX/RX ring statistics
    - net: netrom: Fix potential nr_neigh refcnt leak in nr_add_node
    - net/x25: Fix x25_neigh refcnt leak when receiving frame
    - tcp: cache line align MAX_TCP_HEADER
    - team: fix hang in team_mode_get()
    - net: dsa: b53: Fix ARL register definitions
    - xfrm: Always set XFRM_TRANSFORMED in xfrm{4,6}_output_finish
    - vrf: Check skb for XFRM_TRANSFORMED flag
    - KEYS: Avoid false positive ENOMEM error on key read
    - ALSA: hda: Remove ASUS ROG Zenith from the blacklist
    - iio: adc: stm32-adc: fix sleep in atomic context
    - iio: xilinx-xadc: Fix ADC-B powerdown
    - iio: xilinx-xadc: Fix clearing interrupt when enabling trigger
    - iio: xilinx-xadc: Fix sequencer configuration for aux channels in
      simultaneous mode
    - fs/namespace.c: fix mountpoint reference counter race
    - USB: sisusbvga: Change port variable from signed to unsigned
    - USB: Add USB_QUIRK_DELAY_CTRL_MSG and USB_QUIRK_DELAY_INIT for Corsair K70
      RGB RAPIDFIRE
    - USB: early: Handle AMD's spec-compliant identifiers, too
    - USB: core: Fix free-while-in-use bug in the USB S-Glibrary
    - USB: hub: Fix handling of connect changes during sleep
    - overflow.h: Add arithmetic shift helper
    - vmalloc: fix remap_vmalloc_range() bounds checks
    - mm/hugetlb: fix a addressing exception caused by huge_pte_offset
    - mm/ksm: fix NULL pointer dereference when KSM zero page is enabled
    - tools/vm: fix cross-compile build
    - ALSA: usx2y: Fix potential NULL dereference
    - ALSA: hda/realtek - Add new codec supported for ALC245
    - ALSA: usb-audio: Fix usb audio refcnt leak when getting spdif
    - ALSA: usb-audio: Filter out unsupported sample rates on Focusrite devices
    - tpm/tpm_tis: Free IRQ if probing fails
    - tpm: ibmvtpm: retry on H_CLOSED in tpm_ibmvtpm_send()
    - KVM: Check validity of resolved slot when searching memslots
    - KVM: VMX: Enable machine check support for 32bit targets
    - tty: hvc: fix buffer overflow during hvc_alloc().
    - tty: rocket, avoid OOB access
    - usb-storage: Add unusual_devs entry for JMicron JMS566
    - audit: check the length of userspace generated audit records
    - ASoC: dapm: fixup dapm kcontrol widget
    - iwlwifi: pcie: actually release queue memory in TVQM
    - ARM: imx: provide v7_cpu_resume() only on ARM_CPU_SUSPEND=y
    - powerpc/setup_64: Set cache-line-size based on cache-block-size
    - staging: comedi: dt2815: fix writing hi byte of analog output
    - staging: comedi: Fix comedi_device refcnt leak in comedi_open
    - vt: don't hardcode the mem allocation upper bound
    - staging: vt6656: Don't set RCR_MULTICAST or RCR_BROADCAST by default.
    - staging: vt6656: Fix calling conditions of vnt_set_bss_mode
    - staging: vt6656: Fix drivers TBTT timing counter.
    - staging: vt6656: Fix pairwise key entry save.
    - staging: vt6656: Power save stop wake_up_count wrap around.
    - cdc-acm: close race betrween suspend() and acm_softint
    - cdc-acm: introduce a cool down
    - UAS: no use logging any details in case of ENODEV
    - UAS: fix deadlock in error handling and PM flushing work
    - usb: f_fs: Clear OS Extended descriptor counts to zero in ffs_data_reset()
    - serial: sh-sci: Make sure status register SCxSR is read in correct sequence
    - xfs: Fix deadlock between AGI and AGF with RENAME_WHITEOUT
    - remoteproc: Fix wrong rvring index computation
    - mtd: cfi: fix deadloop in cfi_cmdset_0002.c do_write_buffer
    - binder: take read mode of mmap_sem in binder_alloc_free_page()
    - usb: dwc3: gadget: Do link recovery for SS and SSP
    - usb: gadget: udc: bdc: Remove unnecessary NULL checks in bdc_req_complete
    - iio:ad7797: Use correct attribute_group
    - nfsd: memory corruption in nfsd4_lock()
    - i2c: altera: use proper variable to hold errno
    - net/cxgb4: Check the return from t4_query_params properly
    - ARM: dts: bcm283x: Disable dsi0 node
    - perf/core: fix parent pid/tid in task exit events
    - mm: shmem: disable interrupt when acquiring info->lock in userfaultfd_copy
      path
    - bpf, x86: Fix encoding for lower 8-bit registers in BPF_STX BPF_B
    - x86: hyperv: report value of misc_features
    - xfs: fix partially uninitialized structure in xfs_reflink_remap_extent
    - scsi: target: fix PR IN / READ FULL STATUS for FC
    - objtool: Fix CONFIG_UBSAN_TRAP unreachable warnings
    - objtool: Support Clang non-section symbols in ORC dump
    - xen/xenbus: ensure xenbus_map_ring_valloc() returns proper grant status
    - arm64: Delete the space separator in __emit_inst
    - ext4: use matching invalidatepage in ext4_writepage
    - ext4: increase wait time needed before reuse of deleted inode numbers
    - ext4: convert BUG_ON's to WARN_ON's in mballoc.c
    - hwmon: (jc42) Fix name to have no illegal characters
    - qed: Fix use after free in qed_chain_free
    - ext4: check for non-zero journal inum in ext4_calculate_overhead
    - propagate_one(): mnt_set_mountpoint() needs mount_lock
    - kconfig: qconf: Fix a few alignment issues
    - loop: Better discard support for block devices
    - drm/amd/display: Not doing optimize bandwidth if flip pending.
    - virtio-blk: improve virtqueue error to BLK_STS
    - scsi: smartpqi: fix call trace in device discovery
    - net: ipv6: add net argument to ip6_dst_lookup_flow
    - net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup
    - f2fs: fix to avoid memory leakage in f2fs_listxattr
    - KVM: VMX: Zero out *all* general purpose registers after VM-Exit
    - KVM: Introduce a new guest mapping API
    - kvm: fix compilation on aarch64
    - kvm: fix compilation on s390
    - kvm: fix compile on s390 part 2
    - KVM: Properly check if "page" is valid in kvm_vcpu_unmap
    - x86/kvm: Introduce kvm_(un)map_gfn()
    - x86/kvm: Cache gfn to pfn translation
    - vrf: Fix IPv6 with qdisc and xfrm
    - net: dsa: b53: Lookup VID in ARL searches when VLAN is enabled
    - net: dsa: b53: Rework ARL bin logic
    - net: dsa: b53: b53_arl_rw_op() needs to select IVL or SVL
    - mlxsw: Fix some IS_ERR() vs NULL bugs
    - iio: core: remove extra semi-colon from devm_iio_device_register() macro
    - iio: st_sensors: rely on odr mask to know if odr can be set
    - iio: xilinx-xadc: Make sure not exceed maximum samplerate
    - iwlwifi: mvm: beacon statistics shouldn't go backwards
    - xhci: prevent bus suspend if a roothub port detected a over-current
      condition

  * Bionic update: upstream stable patchset 2020-04-27 (LP: #1875506)
    - KVM: VMX: fix crash cleanup when KVM wasn't used
    - amd-xgbe: Use __napi_schedule() in BH context
    - hsr: check protocol version in hsr_newlink()
    - net: ipv4: devinet: Fix crash when add/del multicast IP with autojoin
    - net: ipv6: do not consider routes via gateways for anycast address check
    - net: qrtr: send msgs from local of same id as broadcast
    - net: revert default NAPI poll timeout to 2 jiffies
    - net: stmmac: dwmac-sunxi: Provide TX and RX fifo sizes
    - scsi: ufs: Fix ufshcd_hold() caused scheduling while atomic
    - jbd2: improve comments about freeing data buffers whose page mapping is NULL
    - pwm: pca9685: Fix PWM/GPIO inter-operation
    - ext4: fix incorrect group count in ext4_fill_super error message
    - ext4: fix incorrect inodes per group in error message
    - ASoC: Intel: mrfld: fix incorrect check on p->sink
    - ASoC: Intel: mrfld: return error codes when an error occurs
    - ALSA: usb-audio: Don't override ignore_ctl_error value from the map
    - tracing: Fix the race between registering 'snapshot' event trigger and
      triggering 'snapshot' operation
    - btrfs: check commit root generation in should_ignore_root
    - mac80211_hwsim: Use kstrndup() in place of kasprintf()
    - ext4: do not zeroout extents beyond i_disksize
    - dm flakey: check for null arg_name in parse_features()
    - kvm: x86: Host feature SSBD doesn't imply guest feature SPEC_CTRL_SSBD
    - x86/microcode/AMD: Increase microcode PATCH_MAX_SIZE
    - x86/intel_rdt: Add two new resources for L2 Code and Data Prioritization
      (CDP)
    - x86/intel_rdt: Enable L2 CDP in MSR IA32_L2_QOS_CFG
    - x86/resctrl: Preserve CDP enable over CPU hotplug
    - x86/resctrl: Fix invalid attempt at removing the default resource group
    - mm/vmalloc.c: move 'area->pages' after if statement
    - objtool: Fix switch table detection in .text.unlikely
    - scsi: sg: add sg_remove_request in sg_common_write
    - ext4: use non-movable memory for superblock readahead
    - arm, bpf: Fix bugs with ALU64 {RSH, ARSH} BPF_K shift by 0
    - netfilter: nf_tables: report EOPNOTSUPP on unsupported flags/object type
    - irqchip/mbigen: Free msi_desc on device teardown
    - ALSA: hda: Don't release card at firmware loading error
    - lib/raid6: use vdupq_n_u8 to avoid endianness warnings
    - video: fbdev: sis: Remove unnecessary parentheses and commented code
    - drm: NULL pointer dereference [null-pointer-deref] (CWE 476) problem
    - clk: Fix debugfs_create_*() usage
    - Revert "gpio: set up initial state from .get_direction()"
    - wil6210: increase firmware ready timeout
    - wil6210: fix temperature debugfs
    - scsi: ufs: make sure all interrupts are processed
    - scsi: ufs: ufs-qcom: remove broken hci version quirk
    - wil6210: rate limit wil_rx_refill error
    - rpmsg: glink: use put_device() if device_register fail
    - rtc: pm8xxx: Fix issue in RTC write path
    - rpmsg: glink: Fix missing mutex_init() in qcom_glink_alloc_channel()
    - rpmsg: glink: smem: Ensure ordering during tx
    - wil6210: fix PCIe bus mastering in case of interface down
    - wil6210: add block size checks during FW load
    - wil6210: fix length check in __wmi_send
    - wil6210: abort properly in cfg suspend
    - rbd: avoid a deadlock on header_rwsem when flushing notifies
    - rbd: call rbd_dev_unprobe() after unwatching and flushing notifies
    - of: unittest: kmemleak in of_unittest_platform_populate()
    - clk: at91: usb: continue if clk_hw_round_rate() return zero
    - power: supply: bq27xxx_battery: Silence deferred-probe error
    - clk: tegra: Fix Tegra PMC clock out parents
    - soc: imx: gpc: fix power up sequencing
    - rtc: 88pm860x: fix possible race condition
    - NFSv4/pnfs: Return valid stateids in nfs_layout_find_inode_by_stateid()
    - NFS: direct.c: Fix memory leak of dreq when nfs_get_lock_context fails
    - s390/cpuinfo: fix wrong output when CPU0 is offline
    - powerpc/maple: Fix declaration made after definition
    - ext4: do not commit super on read-only bdev
    - include/linux/swapops.h: correct guards for non_swap_entry()
    - percpu_counter: fix a data race at vm_committed_as
    - compiler.h: fix error in BUILD_BUG_ON() reporting
    - KVM: s390: vsie: Fix possible race when shadowing region 3 tables
    - x86: ACPI: fix CPU hotplug deadlock
    - drm/amdkfd: kfree the wrong pointer
    - NFS: Fix memory leaks in nfs_pageio_stop_mirroring()
    - iommu/vt-d: Fix mm reference leak
    - ext2: fix empty body warnings when -Wextra is used
    - ext2: fix debug reference to ext2_xattr_cache
    - libnvdimm: Out of bounds read in __nd_ioctl()
    - iommu/amd: Fix the configuration of GCR3 table root pointer
    - net: dsa: bcm_sf2: Fix overflow checks
    - fbdev: potential information leak in do_fb_ioctl()
    - tty: evh_bytechan: Fix out of bounds accesses
    - locktorture: Print ratio of acquisitions, not failures
    - mtd: lpddr: Fix a double free in probe()
    - mtd: phram: fix a double free issue in error path
    - KEYS: Use individual pages in big_key for crypto buffers
    - KEYS: Don't write out to userspace while holding key semaphore
    - keys: Fix proc_keys_next to increase position index
    - wil6210: ignore HALP ICR if already handled
    - wil6210: remove reset file from debugfs
    - ARM: dts: imx6: Use gpc for FEC interrupt controller to fix wake on LAN.
    - of: unittest: kmemleak on changeset destroy
    - of: overlay: kmemleak in dup_and_fixup_symbol_prop()
    - s390/cpum_sf: Fix wrong page count in error message
    - f2fs: fix NULL pointer dereference in f2fs_write_begin()

  * psock_tpacket from the net test in ubuntu_kernel_selftests failed on KVM
    kernels (LP: #1812176)
    - selftests/net: skip psock_tpacket test if KALLSYMS was not enabled

  * Bionic ubuntu ethtool doesn't check ring parameters boundaries
    (LP: #1874444)
    - ethtool: Ensure new ring parameters are within bounds during SRINGPARAM

  * Improve TSC refinement (and calibration) reliability (LP: #1877858)
    - x86/tsc: Make calibration refinement more robust
    - x86/tsc: Use CPUID.0x16 to calculate missing crystal frequency

  * Do not treat unresolved test case in ftrace from ubuntu_kernel_selftests as
    failure (LP: #1877958)
    - ftrace/selftest: make unresolved cases cause failure if --fail-unresolved
      set

  * Add support for Ambiq micro AM1805 RTC chip (LP: #1876667)
    - SAUCE: rtc: add am-1805 RTC driver

  * 'Elan touchpad' not detected on 'Lenovo ThinkBook 15 IIL' (LP: #1861610)
    - SAUCE: Input: elan_i2c - add more hardware ID for Lenovo laptop

  * Kdump broken since 4.15.0-65 on secureboot - purgatory cannot load
    (LP: #1869672)
    - SAUCE: x86/purgatory: Fix Makefile to prevent undefined symbols

 -- Kleber Sacilotto de Souza <kleber.souza@xxxxxxxxxxxxx>  Thu, 04 Jun
2020 12:16:05 +0200

** Changed in: linux (Ubuntu Bionic)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-0543

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1874444

Title:
  Bionic ubuntu ethtool doesn't check ring parameters boundaries

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Bionic:
  Fix Released

Bug description:
  [Impact]
  * There's a bad behavior in the ena driver ringparam setting on kernels 4.4 and 4.15, if an invalid ringparam is provided to ethtool.

  * Upstream Linux kernel implemented ring parameter boundaries check in commit: 37e2d99b59c4 ("ethtool: Ensure new ring parameters are within bounds during SRINGPARAM") [ git.kernel.org/linus/37e2d99b59c4 ].
  Due to this commit, the community doesn't usually allow ring parameter boundary checks in driver code.

  * Xenial/Bionic kernels don't include this patch, and some network
  drivers (like ena) rely on this patch for boundary checking of ring
  params. So, we are hereby requesting the commit inclusion in these
  kernel versions.

  [Test case]
  1. In AWS, create a new c5.4xlarge instance with the Ubuntu 18.04 official ami (uses the ENA network driver) and update to latest kernel/reboot.

  2. Run ethtool -g ens5
  output:
  Ring parameters for ens5:
  Pre-set maximums:
  RX:		16384
  RX Mini:	0
  RX Jumbo:	0
  TX:		1024
  Current hardware settings:
  RX:		1024
  RX Mini:	0
  RX Jumbo:	0
  TX:		1024

  3. Change the TX/RX ring size to a legal number within boundaries -
  works!

  4. Change the TX/RX ring size to an illegal number (such as 2048 for
  TX) with the command - "sudo ethtool -G ens5 tx 2048".

  Expected behavior - "Cannot set device ring parameters: Invalid argument"
  Actual behavior - causes a driver hang since boundaries are not checked by ethtool, effectively hanging the instance (given that AWS has no console to allow system manipulation).

  [Regression Potential]

  Since the commit is present in kernels v4.16+ (including Ubuntu)
  and is quite small and self-contained, the regression risk is greatly
  reduced.

  One potential "regression" would be if some driver has bugs and
  provides bad values on get_ringparams, then the validation would be
  broken (allowing illegal values or refusing legal ones), but this
  wouldn't be a regression in the hereby proposed patch itself, it'd be
  only exposed by the patch.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1874444/+subscriptions
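
A user-space model of the bounds check that the bug description says commit 37e2d99b59c4 adds, and of the [Regression Potential] case where a driver reports a bad maximum. This is an added example, not kernel source and not part of the original bug report. The names ring_param, mock_dev, core_set_ringparam, ens5_like and try_set are hypothetical; the maximums are taken from the "ethtool -g ens5" output in the test case.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-in for the kernel's struct ethtool_ringparam. */
struct ring_param {
    uint32_t rx_max_pending, rx_mini_max_pending, rx_jumbo_max_pending, tx_max_pending;
    uint32_t rx_pending, rx_mini_pending, rx_jumbo_pending, tx_pending;
};

/* Hypothetical driver model: reported limits/current values plus a call counter. */
struct mock_dev {
    struct ring_param hw;
    int set_calls;   /* how often the driver's set callback was reached */
};

/* Driver "get" callback: the only source of the maximums. */
void mock_get_ringparam(const struct mock_dev *dev, struct ring_param *out)
{
    *out = dev->hw;
}

/* Driver "set" callback: trusts its caller, as the report says ena does. */
int mock_set_ringparam(struct mock_dev *dev, const struct ring_param *req)
{
    dev->set_calls++;
    dev->hw.rx_pending = req->rx_pending;
    dev->hw.rx_mini_pending = req->rx_mini_pending;
    dev->hw.rx_jumbo_pending = req->rx_jumbo_pending;
    dev->hw.tx_pending = req->tx_pending;
    return 0;
}

/* Core-side check: reject any request above the driver-reported maximums. */
int core_set_ringparam(struct mock_dev *dev, const struct ring_param *req)
{
    struct ring_param max;

    mock_get_ringparam(dev, &max);
    if (req->rx_pending > max.rx_max_pending ||
        req->rx_mini_pending > max.rx_mini_max_pending ||
        req->rx_jumbo_pending > max.rx_jumbo_max_pending ||
        req->tx_pending > max.tx_max_pending)
        return -EINVAL;   /* the driver is never called */
    return mock_set_ringparam(dev, req);
}

/* Device with the values from the `ethtool -g ens5` output in the test case. */
struct mock_dev ens5_like(void)
{
    struct mock_dev dev = { .hw = { .rx_max_pending = 16384, .tx_max_pending = 1024,
                                    .rx_pending = 1024, .tx_pending = 1024 } };
    return dev;
}

/* Equivalent of `ethtool -G <dev> rx <rx> tx <tx>` against the model. */
int try_set(struct mock_dev *dev, uint32_t rx, uint32_t tx)
{
    struct ring_param req = { .rx_pending = rx, .tx_pending = tx };
    return core_set_ringparam(dev, &req);
}

int main(void)
{
    struct mock_dev dev = ens5_like();
    printf("tx 2048 -> %d\n", try_set(&dev, 1024, 2048));   /* rejected */
    printf("tx 512  -> %d\n", try_set(&dev, 2048, 512));    /* accepted */
    dev.hw.tx_max_pending = 0;   /* buggy driver reporting a bad maximum */
    printf("tx 512, max 0 -> %d\n", try_set(&dev, 1024, 512));
    return 0;
}
```

The last call shows why the check depends on the driver's get callback: with a wrongly reported maximum, a legal request is refused even though the check itself is correct.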