← Back to team overview

group.of.nepali.translators team mailing list archive

[Bug 1939915] Re: memory leaking when removing a profile

 

This bug was fixed in the package linux - 4.15.0-159.167

---------------
linux (4.15.0-159.167) bionic; urgency=medium

  * Packaging resync (LP: #1786013)
    - debian/dkms-versions -- update from kernel-versions (main/2021.09.06)

  * dell300x: rsi wifi and bluetooth crash after suspend and resume
    (LP: #1940488)
    - Revert "rsi: Use resume_noirq for SDIO"

  *  LRMv5: switch primary version handling to kernel-versions data set
    (LP: #1928921)
    - [Packaging] switch to kernel-versions

  * kvm_unit_tests: emulator test fails on 4.4 / 4.15 kernel, timeout
    (LP: #1932966)
    - kvm: Add emulation for movups/movupd

  * memory leaking when removing a profile (LP: #1939915)
    - security/apparmor/label.c: Clean code by removing redundant instructions
    - apparmor: Fix memory leak of profile proxy

  * ubunut_kernel_selftests: memory-hotplug: avoid spamming logs with
    dump_page() (LP: #1941829)
    - selftests: memory-hotplug: avoid spamming logs with dump_page(), ratio limit
      hot-remove error test

  * Bionic update: upstream stable patchset 2021-08-27 (LP: #1941916)
    - btrfs: mark compressed range uptodate only if all bio succeed
    - regulator: rt5033: Fix n_voltages settings for BUCK and LDO
    - r8152: Fix potential PM refcount imbalance
    - qed: fix possible unpaired spin_{un}lock_bh in _qed_mcp_cmd_and_union()
    - net: Fix zero-copy head len calculation.
    - Revert "Bluetooth: Shutdown controller after workqueues are flushed or
      cancelled"
    - KVM: do not allow mapping valid but non-reference-counted pages
    - Revert "watchdog: iTCO_wdt: Account for rebooting on second timeout"
    - spi: mediatek: Fix fifo transfer
    - padata: validate cpumask without removed CPU during offline
    - Revert "ACPICA: Fix memory leak caused by _CID repair function"
    - ALSA: seq: Fix racy deletion of subscriber
    - clk: stm32f4: fix post divisor setup for I2S/SAI PLLs
    - omap5-board-common: remove not physically existing vdds_1v8_main fixed-
      regulator
    - scsi: sr: Return correct event when media event code is 3
    - media: videobuf2-core: dequeue if start_streaming fails
    - net: natsemi: Fix missing pci_disable_device() in probe and remove
    - nfp: update ethtool reporting of pauseframe control
    - mips: Fix non-POSIX regexp
    - bnx2x: fix an error code in bnx2x_nic_load()
    - net: pegasus: fix uninit-value in get_interrupt_interval
    - net: fec: fix use-after-free in fec_drv_remove
    - net: vxge: fix use-after-free in vxge_device_unregister
    - Bluetooth: defer cleanup of resources in hci_unregister_dev()
    - USB: usbtmc: Fix RCU stall warning
    - USB: serial: option: add Telit FD980 composition 0x1056
    - USB: serial: ch341: fix character loss at high transfer rates
    - USB: serial: ftdi_sio: add device ID for Auto-M3 OP-COM v2
    - usb: gadget: f_hid: added GET_IDLE and SET_IDLE handlers
    - usb: gadget: f_hid: fixed NULL pointer dereference
    - usb: gadget: f_hid: idle uses the highest byte for duration
    - usb: otg-fsm: Fix hrtimer list corruption
    - scripts/tracing: fix the bug that can't parse raw_trace_func
    - staging: rtl8723bs: Fix a resource leak in sd_int_dpc
    - media: rtl28xxu: fix zero-length control request
    - pipe: increase minimum default pipe size to 2 pages
    - ext4: fix potential htree corruption when growing large_dir directories
    - serial: 8250: Mask out floating 16/32-bit bus bits
    - MIPS: Malta: Do not byte-swap accesses to the CBUS UART
    - pcmcia: i82092: fix a null pointer dereference bug
    - spi: meson-spicc: fix memory leak in meson_spicc_remove
    - perf/x86/amd: Don't touch the AMD64_EVENTSEL_HOSTONLY bit inside the guest
    - qmi_wwan: add network device usage statistics for qmimux devices
    - libata: fix ata_pio_sector for CONFIG_HIGHMEM
    - reiserfs: add check for root_inode in reiserfs_fill_super
    - reiserfs: check directory items on read from disk
    - alpha: Send stop IPI to send to online CPUs
    - net/qla3xxx: fix schedule while atomic in ql_wait_for_drvr_lock and
      ql_adapter_reset
    - USB:ehci:fix Kunpeng920 ehci hardware problem
    - ppp: Fix generating ppp unit id when ifname is not specified
    - ovl: prevent private clone if bind mount is not allowed
    - net: xilinx_emaclite: Do not print real IOMEM pointer
    - KVM: x86: accept userspace interrupt only if no event is injected
    - KVM: x86/mmu: Fix per-cpu counter corruption on 32-bit builds

  * Bionic update: upstream stable patchset 2021-08-17 (LP: #1940315)
    - selftest: fix build error in tools/testing/selftests/vm/userfaultfd.c
    - KVM: x86: determine if an exception has an error code only when injecting
      it.
    - net: split out functions related to registering inflight socket files
    - [Config] updateconfigs for UNIX_SCM
    - af_unix: fix garbage collect vs MSG_PEEK
    - net/802/mrp: fix memleak in mrp_request_join()
    - net/802/garp: fix memleak in garp_request_join()
    - net: annotate data race around sk_ll_usec
    - sctp: move 198 addresses from unusable to private scope
    - hfs: add missing clean-up in hfs_fill_super
    - hfs: fix high memory mapping in hfs_bnode_read
    - hfs: add lock nesting notation to hfs_find_init
    - ARM: dts: versatile: Fix up interrupt controller node names
    - virtio_net: Do not pull payload in skb->head
    - gro: ensure frag0 meets IP header alignment
    - x86/kvm: fix vcpu-id indexed array sizes
    - ocfs2: fix zero out valid data
    - ocfs2: issue zeroout to EOF blocks
    - can: raw: raw_setsockopt(): fix raw_rcv panic for sock UAF
    - can: mcba_usb_start(): add missing urb->transfer_dma initialization
    - can: usb_8dev: fix memory leak
    - can: ems_usb: fix memory leak
    - can: esd_usb2: fix memory leak
    - NIU: fix incorrect error return, missed in previous revert
    - nfc: nfcsim: fix use after free during module unload
    - x86/asm: Ensure asm/proto.h can be included stand-alone
    - cfg80211: Fix possible memory leak in function cfg80211_bss_update
    - netfilter: conntrack: adjust stop timestamp to real expiry value
    - netfilter: nft_nat: allow to specify layer 4 protocol NAT only
    - tipc: fix sleeping in tipc accept routine
    - mlx4: Fix missing error code in mlx4_load_one()
    - net: llc: fix skb_over_panic
    - net/mlx5: Fix flow table chaining
    - sctp: fix return value check in __sctp_rcv_asconf_lookup
    - tulip: windbond-840: Fix missing pci_disable_device() in probe and remove
    - sis900: Fix missing pci_disable_device() in probe and remove
    - can: hi311x: fix a signedness bug in hi3110_cmd()
    - i40e: Fix log TC creation failure when max num of queues is exceeded
    - i40e: Add additional info to PHY type error

  * Bionic update: upstream stable patchset 2021-08-13 (LP: #1939913)
    - ARM: dts: gemini: add device_type on pci
    - ARM: dts: rockchip: fix pinctrl sleep nodename for rk3036-kylin and rk3288
    - arm64: dts: rockchip: fix pinctrl sleep nodename for rk3399.dtsi
    - ARM: dts: rockchip: Fix the timer clocks order
    - ARM: dts: rockchip: Fix power-controller node names for rk3288
    - arm64: dts: rockchip: Fix power-controller node names for rk3328
    - reset: ti-syscon: fix to_ti_syscon_reset_data macro
    - ARM: brcmstb: dts: fix NAND nodes names
    - ARM: Cygnus: dts: fix NAND nodes names
    - ARM: NSP: dts: fix NAND nodes names
    - ARM: dts: BCM63xx: Fix NAND nodes names
    - ARM: dts: imx6: phyFLEX: Fix UART hardware flow control
    - ARM: imx: pm-imx5: Fix references to imx5_cpu_suspend_info
    - ARM: dts: stm32: fix RCC node name on stm32f429 MCU
    - arm64: dts: juno: Update SCPI nodes as per the YAML schema
    - arm64: dts: ls208xa: remove bus-num from dspi node
    - thermal/core: Correct function name thermal_zone_device_unregister()
    - kbuild: mkcompile_h: consider timestamp if KBUILD_BUILD_TIMESTAMP is set
    - rtc: max77686: Do not enforce (incorrect) interrupt trigger type
    - scsi: aic7xxx: Fix unintentional sign extension issue on left shift of u8
    - scsi: libfc: Fix array index out of bound exception
    - sched/fair: Fix CFS bandwidth hrtimer expiry type
    - net: ipv6: fix return value of ip6_skb_dst_mtu
    - netfilter: ctnetlink: suspicious RCU usage in ctnetlink_dump_helpinfo
    - net: bridge: sync fdb to new unicast-filtering ports
    - net: bcmgenet: Ensure all TX/RX queues DMAs are disabled
    - net: moxa: fix UAF in moxart_mac_probe
    - net: qcom/emac: fix UAF in emac_remove
    - net: ti: fix UAF in tlan_remove_one
    - net: send SYNACK packet with accepted fwmark
    - net: validate lwtstate->data before returning from skb_tunnel_info()
    - dma-buf/sync_file: Don't leak fences on merge failure
    - tcp: annotate data races around tp->mtu_info
    - ipv6: tcp: drop silly ICMPv6 packet too big messages
    - igb: Fix use-after-free error during reset
    - ixgbe: Fix an error handling path in 'ixgbe_probe()'
    - igb: Fix an error handling path in 'igb_probe()'
    - fm10k: Fix an error handling path in 'fm10k_probe()'
    - e1000e: Fix an error handling path in 'e1000_probe()'
    - iavf: Fix an error handling path in 'iavf_probe()'
    - igb: Check if num of q_vectors is smaller than max before array access
    - perf probe: Fix dso->nsinfo refcounting
    - perf lzma: Close lzma stream on exit
    - perf test bpf: Free obj_buf
    - perf probe-file: Delete namelist in del_events() on the error path
    - spi: mediatek: fix fifo rx mode
    - liquidio: Fix unintentional sign extension issue on left shift of u16
    - s390/bpf: Perform r1 range checking before accessing jit->seen_reg[r1]
    - net: fix uninit-value in caif_seqpkt_sendmsg
    - net: decnet: Fix sleeping inside in af_decnet
    - netrom: Decrease sock refcount when sock timers expire
    - scsi: iscsi: Fix iface sysfs attr detection
    - scsi: target: Fix protect handling in WRITE SAME(32)
    - spi: cadence: Correct initialisation of runtime PM again
    - Revert "USB: quirks: ignore remote wake-up on Fibocom L850-GL LTE modem"
    - proc: Avoid mixing integer types in mem_rw()
    - s390/ftrace: fix ftrace_update_ftrace_func implementation
    - ALSA: sb: Fix potential ABBA deadlock in CSP driver
    - xhci: Fix lost USB 2 remote wake
    - KVM: PPC: Book3S: Fix H_RTAS rets buffer overflow
    - usb: hub: Disable USB 3 device initiated lpm if exit latency is too high
    - USB: usb-storage: Add LaCie Rugged USB3-FW to IGNORE_UAS
    - usb: max-3421: Prevent corruption of freed memory
    - usb: renesas_usbhs: Fix superfluous irqs happen after usb_pkt_pop()
    - USB: serial: option: add support for u-blox LARA-R6 family
    - USB: serial: cp210x: fix comments for GE CS1000
    - USB: serial: cp210x: add ID for CEL EM3588 USB ZigBee stick
    - usb: dwc2: gadget: Fix sending zero length packet in DDMA mode.
    - tracing: Fix bug in rb_per_cpu_empty() that might cause deadloop.
    - media: ngene: Fix out-of-bounds bug in ngene_command_config_free_buf()
    - ixgbe: Fix packet corruption due to missing DMA sync
    - selftest: use mmap instead of posix_memalign to allocate memory
    - drm: Return -ENOTTY for non-drm ioctls
    - net: bcmgenet: ensure EXT_ENERGY_DET_MASK is clear
    - iio: accel: bma180: Use explicit member assignment
    - iio: accel: bma180: Fix BMA25x bandwidth register values
    - btrfs: compression: don't try to compress if we don't have enough pages
    - spi: spi-fsl-dspi: Fix a resource leak in an error handling path
    - xhci: add xhci_get_virt_ep() helper
    - bpftool: Properly close va_list 'ap' by va_end() on error
    - net: ip_tunnel: fix mtu calculation for ETHER tunnel devices
    - nvme-pci: do not call nvme_dev_remove_admin from nvme_remove
    - perf dso: Fix memory leak in dso__new_map()
    - net/tcp_fastopen: fix data races around tfo_active_disable_stamp
    - nvme-pci: don't WARN_ON in nvme_reset_work if ctrl.state is not RESETTING
    - drm/panel: raspberrypi-touchscreen: Prevent double-free
    - KVM: do not assume PTE is writable after follow_pfn
    - KVM: Use kvm_pfn_t for local PFN variable in hva_to_pfn_remapped()
    - net: dsa: mv88e6xxx: use correct .stats_set_histogram() on Topaz
    - workqueue: fix UAF in pwq_unbound_release_workfn()
    - upstream stable to v4.14.241, v4.19.200

 -- Kelsey Skunberg <kelsey.skunberg@xxxxxxxxxxxxx>  Mon, 20 Sep 2021
16:11:14 -0600

** Changed in: linux (Ubuntu Bionic)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1939915

Title:
  memory leaking when removing a profile

Status in AppArmor:
  New
Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Bionic:
  Fix Released
Status in linux source package in Focal:
  Fix Released

Bug description:
  There's a memory leak in the kernel when removing a profile.
  A simple reproducible example:

  root@ubuntu:~# echo "profile foo {}" > profile
  root@ubuntu:~# apparmor_parser profile
  root@ubuntu:~# apparmor_parser -R profile
  root@ubuntu:~# echo scan > /sys/kernel/debug/kmemleak
  root@ubuntu:~# cat /sys/kernel/debug/kmemleak
  unreferenced object 0xffff99bcf5128bb0 (size 16):
    comm "apparmor_parser", pid 1318, jiffies 4295139856 (age 33.196s)
    hex dump (first 16 bytes):
      01 00 00 00 00 00 00 00 98 1f 01 fd bc 99 ff ff  ................
    backtrace:
      [<00000000b1f68969>] kmem_cache_alloc_trace+0xd8/0x1e0
      [<0000000086ca7bd9>] aa_alloc_proxy+0x30/0x60
      [<000000000e34f34c>] aa_alloc_profile+0xd4/0x100
      [<00000000c2e34769>] unpack_profile+0x16f/0xe10
      [<0000000019033e2b>] aa_unpack+0x119/0x500
      [<00000000a97520b2>] aa_replace_profiles+0x94/0xca0
      [<000000001833f520>] policy_update+0x124/0x1e0
      [<00000000992f950e>] profile_load+0x7d/0xa0
      [<00000000db7852ce>] __vfs_write+0x1b/0x40
      [<000000004e709f5d>] vfs_write+0xb9/0x1a0
      [<00000000280db840>] SyS_write+0x5e/0xe0
      [<0000000014c5ab5d>] do_syscall_64+0x79/0x130
      [<00000000e962a389>] entry_SYSCALL_64_after_hwframe+0x41/0xa6
      [<000000009d368497>] 0xffffffffffffffff

  This issue was already fixed upstream 3622ad25d4d6 v5.8-rc1~102^2
  It still needs to be applied on xenial, bionic and focal.

  This issue could lead to a OOM and eventually DoS. We could see this
  issue happening during a test in which snaps were disconnected and
  reconnected, causing the leak every time the profile was removed.
  Since it is a refcount issue, there could be a lot of memory involved
  because the whole profile would be leaked.
  Note that only privileged users can remove a profile.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1939915/+subscriptions