~bromer/ubuntu/+source/linux/+git/trusty:master-next

Branch merges

Related source package recipes

No recipes using this branch. (?)

Create packaging recipe

Related snap packages

Related charm recipes

8882377... by Kamal Mostafa on 2017-01-24

UBUNTU: [debian] derive indep_hdrs_pkg_name from src_pkg_name

This long-standing oversight in our debian rules hardcodes the string "linux"
instead of using the $(src_pkg_name) for just one of the generated .deb package
names: linux-headers-x.x.x-x. Lets fix it in the generic branches
(T,X,Y,Z,unstable) so that we won't have to keep applying this patch to each of
the derivative/custom kernels.

-----8<-----

Ignore: yes

Signed-off-by: Kamal Mostafa <email address hidden>
Acked-by: Tim Gardner <email address hidden>
Signed-off-by: Benjamin M Romer <email address hidden>

16b30ba... by pravin shelar <email address hidden> on 2017-01-11

UBUNTU: SAUCE: openvswitch: gre: filter gre packets

BugLink: http://bugs.launchpad.net/bugs/1655683

https://patchwork.ozlabs.org/patch/712373/

OVS can only process L2 packets. But OVS GRE receive handler
can accept IP-GRE packets. When such packet is processed by
OVS datapath it can trigger following assert failure due
to insufficient linear data in skb. Following patch filters
received packets to avoid this issue.

[68240.441681] ------------[ cut here ]------------
[68240.496918] kernel BUG at /build/linux-lts-trusty-D60X6T/linux-lts-trusty-3.13.0/include/linux/skbuff.h:1486!
[68240.615520] invalid opcode: 0000 [#1] SMP
[68241.953939] RIP: [<ffffffffa052b4fe>] __skb_pull.part.7+0x4/0x6 [openvswitch]
[68243.099945] Call Trace:
[68243.129188] <IRQ>
[68243.152204] [<ffffffffa0524e64>] ovs_flow_extract+0x664/0x720 [openvswitch]
[68243.314912] [<ffffffffa0523a80>] ovs_dp_process_received_packet+0x60/0x130 [openvswitch]
[68243.481559] [<ffffffffa0529e3a>] ovs_vport_receive+0x2a/0x30 [openvswitch]
[68243.564884] [<ffffffffa052b374>] gre_rcv+0xa4/0xb8 [openvswitch]
[68243.637802] [<ffffffffa03e2795>] gre_cisco_rcv+0x75/0xbc [gre]
[68243.708621] [<ffffffffa03e22f5>] gre_rcv+0x65/0x90 [gre]
[68243.773214] [<ffffffff816941d8>] ip_local_deliver_finish+0xa8/0x220
[68243.849244] [<ffffffff816944db>] ip_local_deliver+0x4b/0x90
[68243.916951] [<ffffffff81693ed1>] ip_rcv_finish+0x121/0x380
[68243.983627] [<ffffffff816947a6>] ip_rcv+0x286/0x380
[68244.043023] [<ffffffff8165b80a>] __netif_receive_skb_core+0x61a/0x760
[68244.121122] [<ffffffff8165b971>] __netif_receive_skb+0x21/0x70
[68244.191942] [<ffffffff8165c131>] process_backlog+0xb1/0x190
[68244.259642] [<ffffffff8165ca09>] net_rx_action+0x139/0x280
[68244.326305] [<ffffffff8107367d>] __do_softirq+0xed/0x360
[68244.390887] [<ffffffff81073c8e>] irq_exit+0x11e/0x140
[68244.452358] [<ffffffff8177d873>] do_IRQ+0x63/0xe0
[68244.509674] [<ffffffff817728ad>] common_interrupt+0x6d/0x6d
[68245.392237] RIP [<ffffffffa052b4fe>] __skb_pull.part.7+0x4/0x6 [openvswitch]
[68245.520082] ---[ end trace 383bac9f3e676970 ]---

Fixes: aa310701e7 ("openvswitch: Add gre tunnel support.")
Reported-by: Uri Foox <email address hidden>
CC: Joe Stringer <email address hidden>
Signed-off-by: Pravin B Shelar <email address hidden>
Acked-by: Joe Stringer <email address hidden>
Signed-off-by: Tim Gardner <email address hidden>
Acked-by: Seth Forshee <email address hidden>
Acked-by: Brad Figg <email address hidden>
Signed-off-by: Benjamin M Romer <email address hidden>

34640b2... by Omar Sandoval <email address hidden> on 2017-01-23

block: fix use-after-free in sys_ioprio_get()

get_task_ioprio() accesses the task->io_context without holding the task
lock and thus can race with exit_io_context(), leading to a
use-after-free. The reproducer below hits this within a few seconds on
my 4-core QEMU VM:

int main(int argc, char **argv)
{
 pid_t pid, child;
 long nproc, i;

 /* ioprio_set(IOPRIO_WHO_PROCESS, 0, IOPRIO_PRIO_VALUE(IOPRIO_CLASS_IDLE, 0)); */
 syscall(SYS_ioprio_set, 1, 0, 0x6000);

 nproc = sysconf(_SC_NPROCESSORS_ONLN);

 for (i = 0; i < nproc; i++) {
  pid = fork();
  assert(pid != -1);
  if (pid == 0) {
   for (;;) {
    pid = fork();
    assert(pid != -1);
    if (pid == 0) {
     _exit(0);
    } else {
     child = wait(NULL);
     assert(child == pid);
    }
   }
  }

  pid = fork();
  assert(pid != -1);
  if (pid == 0) {
   for (;;) {
    /* ioprio_get(IOPRIO_WHO_PGRP, 0); */
    syscall(SYS_ioprio_get, 2, 0);
   }
  }
 }

 for (;;) {
  /* ioprio_get(IOPRIO_WHO_PGRP, 0); */
  syscall(SYS_ioprio_get, 2, 0);
 }

 return 0;
}

This gets us KASAN dumps like this:

[ 35.526914] ==================================================================
[ 35.530009] BUG: KASAN: out-of-bounds in get_task_ioprio+0x7b/0x90 at addr ffff880066f34e6c
[ 35.530009] Read of size 2 by task ioprio-gpf/363
[ 35.530009] =============================================================================
[ 35.530009] BUG blkdev_ioc (Not tainted): kasan: bad access detected
[ 35.530009] -----------------------------------------------------------------------------

[ 35.530009] Disabling lock debugging due to kernel taint
[ 35.530009] INFO: Allocated in create_task_io_context+0x2b/0x370 age=0 cpu=0 pid=360
[ 35.530009] ___slab_alloc+0x55d/0x5a0
[ 35.530009] __slab_alloc.isra.20+0x2b/0x40
[ 35.530009] kmem_cache_alloc_node+0x84/0x200
[ 35.530009] create_task_io_context+0x2b/0x370
[ 35.530009] get_task_io_context+0x92/0xb0
[ 35.530009] copy_process.part.8+0x5029/0x5660
[ 35.530009] _do_fork+0x155/0x7e0
[ 35.530009] SyS_clone+0x19/0x20
[ 35.530009] do_syscall_64+0x195/0x3a0
[ 35.530009] return_from_SYSCALL_64+0x0/0x6a
[ 35.530009] INFO: Freed in put_io_context+0xe7/0x120 age=0 cpu=0 pid=1060
[ 35.530009] __slab_free+0x27b/0x3d0
[ 35.530009] kmem_cache_free+0x1fb/0x220
[ 35.530009] put_io_context+0xe7/0x120
[ 35.530009] put_io_context_active+0x238/0x380
[ 35.530009] exit_io_context+0x66/0x80
[ 35.530009] do_exit+0x158e/0x2b90
[ 35.530009] do_group_exit+0xe5/0x2b0
[ 35.530009] SyS_exit_group+0x1d/0x20
[ 35.530009] entry_SYSCALL_64_fastpath+0x1a/0xa4
[ 35.530009] INFO: Slab 0xffffea00019bcd00 objects=20 used=4 fp=0xffff880066f34ff0 flags=0x1fffe0000004080
[ 35.530009] INFO: Object 0xffff880066f34e58 @offset=3672 fp=0x0000000000000001
[ 35.530009] ==================================================================

Fix it by grabbing the task lock while we poke at the io_context.

Cc: <email address hidden>
Reported-by: Dmitry Vyukov <email address hidden>
Signed-off-by: Omar Sandoval <email address hidden>
Signed-off-by: Jens Axboe <email address hidden>
CVE-2016-7911
(backported from commit 8ba8682107ee2ca3347354e018865d8e1967c5f4)
[ luis: file renamed: block/ioprio.c -> fs/ioprio.c ]
Acked-by: Colin Ian King <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Signed-off-by: Luis Henriques <email address hidden>

cbf7fa0... by Vegard Nossum on 2017-01-23

block: fix use-after-free in seq file

I got a KASAN report of use-after-free:

    ==================================================================
    BUG: KASAN: use-after-free in klist_iter_exit+0x61/0x70 at addr ffff8800b6581508
    Read of size 8 by task trinity-c1/315
    =============================================================================
    BUG kmalloc-32 (Not tainted): kasan: bad access detected
    -----------------------------------------------------------------------------

    Disabling lock debugging due to kernel taint
    INFO: Allocated in disk_seqf_start+0x66/0x110 age=144 cpu=1 pid=315
            ___slab_alloc+0x4f1/0x520
            __slab_alloc.isra.58+0x56/0x80
            kmem_cache_alloc_trace+0x260/0x2a0
            disk_seqf_start+0x66/0x110
            traverse+0x176/0x860
            seq_read+0x7e3/0x11a0
            proc_reg_read+0xbc/0x180
            do_loop_readv_writev+0x134/0x210
            do_readv_writev+0x565/0x660
            vfs_readv+0x67/0xa0
            do_preadv+0x126/0x170
            SyS_preadv+0xc/0x10
            do_syscall_64+0x1a1/0x460
            return_from_SYSCALL_64+0x0/0x6a
    INFO: Freed in disk_seqf_stop+0x42/0x50 age=160 cpu=1 pid=315
            __slab_free+0x17a/0x2c0
            kfree+0x20a/0x220
            disk_seqf_stop+0x42/0x50
            traverse+0x3b5/0x860
            seq_read+0x7e3/0x11a0
            proc_reg_read+0xbc/0x180
            do_loop_readv_writev+0x134/0x210
            do_readv_writev+0x565/0x660
            vfs_readv+0x67/0xa0
            do_preadv+0x126/0x170
            SyS_preadv+0xc/0x10
            do_syscall_64+0x1a1/0x460
            return_from_SYSCALL_64+0x0/0x6a

    CPU: 1 PID: 315 Comm: trinity-c1 Tainted: G B 4.7.0+ #62
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
     ffffea0002d96000 ffff880119b9f918 ffffffff81d6ce81 ffff88011a804480
     ffff8800b6581500 ffff880119b9f948 ffffffff8146c7bd ffff88011a804480
     ffffea0002d96000 ffff8800b6581500 fffffffffffffff4 ffff880119b9f970
    Call Trace:
     [<ffffffff81d6ce81>] dump_stack+0x65/0x84
     [<ffffffff8146c7bd>] print_trailer+0x10d/0x1a0
     [<ffffffff814704ff>] object_err+0x2f/0x40
     [<ffffffff814754d1>] kasan_report_error+0x221/0x520
     [<ffffffff8147590e>] __asan_report_load8_noabort+0x3e/0x40
     [<ffffffff83888161>] klist_iter_exit+0x61/0x70
     [<ffffffff82404389>] class_dev_iter_exit+0x9/0x10
     [<ffffffff81d2e8ea>] disk_seqf_stop+0x3a/0x50
     [<ffffffff8151f812>] seq_read+0x4b2/0x11a0
     [<ffffffff815f8fdc>] proc_reg_read+0xbc/0x180
     [<ffffffff814b24e4>] do_loop_readv_writev+0x134/0x210
     [<ffffffff814b4c45>] do_readv_writev+0x565/0x660
     [<ffffffff814b8a17>] vfs_readv+0x67/0xa0
     [<ffffffff814b8de6>] do_preadv+0x126/0x170
     [<ffffffff814b92ec>] SyS_preadv+0xc/0x10

This problem can occur in the following situation:

open()
 - pread()
    - .seq_start()
       - iter = kmalloc() // succeeds
       - seqf->private = iter
    - .seq_stop()
       - kfree(seqf->private)
 - pread()
    - .seq_start()
       - iter = kmalloc() // fails
    - .seq_stop()
       - class_dev_iter_exit(seqf->private) // boom! old pointer

As the comment in disk_seqf_stop() says, stop is called even if start
failed, so we need to reinitialise the private pointer to NULL when seq
iteration stops.

An alternative would be to set the private pointer to NULL when the
kmalloc() in disk_seqf_start() fails.

Cc: <email address hidden>
Signed-off-by: Vegard Nossum <email address hidden>
Acked-by: Tejun Heo <email address hidden>
Signed-off-by: Jens Axboe <email address hidden>
CVE-2016-7910
(cherry picked from commit 77da160530dd1dc94f6ae15a981f24e5f0021e84)
Acked-by: Colin Ian King <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Signed-off-by: Luis Henriques <email address hidden>

a94daf7... by Dan Streetman on 2017-01-13

UBUNTU: SAUCE: xen: do not re-use pirq number cached in pci device msi msg data

BugLink: http://bugs.launchpad.net/bugs/1656381

Revert the main part of commit:
af42b8d12f8a ("xen: fix MSI setup and teardown for PV on HVM guests")

That commit introduced reading the pci device's msi message data to see
if a pirq was previously configured for the device's msi/msix, and re-use
that pirq. At the time, that was the correct behavior. However, a
later change to Qemu caused it to call into the Xen hypervisor to unmap
all pirqs for a pci device, when the pci device disables its MSI/MSIX
vectors; specifically the Qemu commit:
c976437c7dba9c7444fb41df45468968aaa326ad
("qemu-xen: free all the pirqs for msi/msix when driver unload")

Once Qemu added this pirq unmapping, it was no longer correct for the
kernel to re-use the pirq number cached in the pci device msi message
data. All Qemu releases since 2.1.0 contain the patch that unmaps the
pirqs when the pci device disables its MSI/MSIX vectors.

This bug is causing failures to initialize multiple NVMe controllers
under Xen, because the NVMe driver sets up a single MSIX vector for
each controller (concurrently), and then after using that to talk to
the controller for some configuration data, it disables the single MSIX
vector and re-configures all the MSIX vectors it needs. So the MSIX
setup code tries to re-use the cached pirq from the first vector
for each controller, but the hypervisor has already given away that
pirq to another controller, and its initialization fails.

This is discussed in more detail at:
https://lists.xen.org/archives/html/xen-devel/2017-01/msg00447.html

Fixes: af42b8d12f8a ("xen: fix MSI setup and teardown for PV on HVM guests")
Signed-off-by: Dan Streetman <email address hidden>
(backported from X/Y/Z patch for context/function name changes only)
Acked-by: Tim Gardner <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Signed-off-by: Luis Henriques <email address hidden>

529d36c... by Luis Henriques on 2017-01-20

UBUNTU: Start new release

Ignore: yes
Signed-off-by: Luis Henriques <email address hidden>

9d2c631... by John Donnelly on 2017-01-10

UBUNTU: Ubuntu-3.13.0-108.155

Signed-off-by: John Donnelly <email address hidden>

fa1b1d9... by Marcelo Ricardo Leitner <email address hidden> on 2016-10-25

sctp: validate chunk len before actually using it

Andrey Konovalov reported that KASAN detected that SCTP was using a slab
beyond the boundaries. It was caused because when handling out of the
blue packets in function sctp_sf_ootb() it was checking the chunk len
only after already processing the first chunk, validating only for the
2nd and subsequent ones.

The fix is to just move the check upwards so it's also validated for the
1st chunk.

Reported-by: Andrey Konovalov <email address hidden>
Tested-by: Andrey Konovalov <email address hidden>
Signed-off-by: Marcelo Ricardo Leitner <email address hidden>
Reviewed-by: Xin Long <email address hidden>
Acked-by: Neil Horman <email address hidden>
Signed-off-by: David S. Miller <email address hidden>
(backported from commit bf911e985d6bbaa328c20c3e05f4eb03de11fdd6)
CVE-2016-9555
Acked-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Tim Gardner <email address hidden>
Signed-off-by: Luis Henriques <email address hidden>

cffba99... by Luis Henriques on 2017-01-02

UBUNTU: Start new release

Ignore: yes
Signed-off-by: Luis Henriques <email address hidden>

fb59a96... by Luis Henriques on 2016-12-19

UBUNTU: Ubuntu-3.13.0-107.154

Signed-off-by: Luis Henriques <email address hidden>