Ubuntu
linux package

~cbrauner/ubuntu/+source/linux/+git/disco:master-next

  1. Git
  2. lp:~cbrauner/ubuntu/+source/linux/+git/disco
  3. master-next
Last commit made on 2019-05-07
Get this branch:
git clone -b master-next https://git.launchpad.net/~cbrauner/ubuntu/+source/linux/+git/disco
Only Christian Brauner can upload to this branch. If you are Christian Brauner please log in for upload directions.

Branch merges

Branch information

Name:
master-next
Repository:
lp:~cbrauner/ubuntu/+source/linux/+git/disco

Recent commits

3ea20ef... by Christian Brauner

UBUNTU: SAUCE: shiftfs: support copy_file_range on btrfs through ioctl()

Unprivileged user can use FICLONE so we need to support it in btrfs as
well to prevent workload regression.
FICLONE first appeared in Linux 4.5. It was previously known as
BTRFS_IOC_CLONE, and were private to Btrfs.

Signed-off-by: Christian Brauner <email address hidden>

88b3883... by Christian Brauner

UBUNTU: SAUCE: shiftfs: allow changing ro/rw for subvolumes

Unprivileged users can already toggle whether a subvolume will be ro or
rw. To enable this with shiftfs we need to whitelist BTRFS_IOC_FS_INFO,
BTRFS_IOC_SUBVOL_GETFLAGS, BTRFS_IOC_SUBVOL_SETFLAGS. All of them should
be safe for unprivileged users.

Signed-off-by: Christian Brauner <email address hidden>

6a75be4... by Andrea Righi

UBUNTU: SAUCE: integrity: downgrade error to warning

BugLink: https://bugs.launchpad.net/bugs/1766201

In 58441dc86d7b the error "Unable to open file: ..." has been downgraded
to warning in the integrity/ima subsystem. Do the same for a similar
error message in the generic integrity subsystem.

Signed-off-by: Andrea Righi <email address hidden>
Acked-by: Connor Kuehl <email address hidden>
Acked-by: Khalid Elmously <email address hidden>
Acked-by: Kleber Sacilotto de Souza <email address hidden>
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>

437f747... by Po-Hsu Lin

selftests/net: correct the return value for run_netsocktests

BugLink: https://bugs.launchpad.net/bugs/1825777

The run_netsocktests will be marked as passed regardless the actual test
result from the ./socket:

    selftests: net: run_netsocktests
    ========================================
    --------------------
    running socket test
    --------------------
    [FAIL]
    ok 1..6 selftests: net: run_netsocktests [PASS]

This is because the test script itself has been successfully executed.
Fix this by exit 1 when the test failed.

Signed-off-by: Po-Hsu Lin <email address hidden>
Signed-off-by: David S. Miller <email address hidden>
(cherry picked from commit 30c04d796b693e22405c38e9b78e9a364e4c77e6)
Signed-off-by: Po-Hsu Lin <email address hidden>
Acked-by: Khalid Elmously <email address hidden>
Acked-by: Kleber Souza <email address hidden>
Signed-off-by: Khalid Elmously <email address hidden>

dd8c4fa... by Eric Dumazet <email address hidden>

udp: fix GRO packet of death

syzbot was able to crash host by sending UDP packets with a 0 payload.

TCP does not have this issue since we do not aggregate packets without
payload.

Since dev_gro_receive() sets gso_size based on skb_gro_len(skb)
it seems not worth trying to cope with padded packets.

BUG: KASAN: slab-out-of-bounds in skb_gro_receive+0xf5f/0x10e0 net/core/skbuff.c:3826
Read of size 16 at addr ffff88808893fff0 by task syz-executor612/7889

CPU: 0 PID: 7889 Comm: syz-executor612 Not tainted 5.1.0-rc7+ #96
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
 kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
 __asan_report_load16_noabort+0x14/0x20 mm/kasan/generic_report.c:133
 skb_gro_receive+0xf5f/0x10e0 net/core/skbuff.c:3826
 udp_gro_receive_segment net/ipv4/udp_offload.c:382 [inline]
 call_gro_receive include/linux/netdevice.h:2349 [inline]
 udp_gro_receive+0xb61/0xfd0 net/ipv4/udp_offload.c:414
 udp4_gro_receive+0x763/0xeb0 net/ipv4/udp_offload.c:478
 inet_gro_receive+0xe72/0x1110 net/ipv4/af_inet.c:1510
 dev_gro_receive+0x1cd0/0x23c0 net/core/dev.c:5581
 napi_gro_frags+0x36b/0xd10 net/core/dev.c:5843
 tun_get_user+0x2f24/0x3fb0 drivers/net/tun.c:1981
 tun_chr_write_iter+0xbd/0x156 drivers/net/tun.c:2027
 call_write_iter include/linux/fs.h:1866 [inline]
 do_iter_readv_writev+0x5e1/0x8e0 fs/read_write.c:681
 do_iter_write fs/read_write.c:957 [inline]
 do_iter_write+0x184/0x610 fs/read_write.c:938
 vfs_writev+0x1b3/0x2f0 fs/read_write.c:1002
 do_writev+0x15e/0x370 fs/read_write.c:1037
 __do_sys_writev fs/read_write.c:1110 [inline]
 __se_sys_writev fs/read_write.c:1107 [inline]
 __x64_sys_writev+0x75/0xb0 fs/read_write.c:1107
 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x441cc0
Code: 05 48 3d 01 f0 ff ff 0f 83 9d 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 83 3d 51 93 29 00 00 75 14 b8 14 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 74 09 fc ff c3 48 83 ec 08 e8 ba 2b 00 00
RSP: 002b:00007ffe8c716118 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
RAX: ffffffffffffffda RBX: 00007ffe8c716150 RCX: 0000000000441cc0
RDX: 0000000000000001 RSI: 00007ffe8c716170 RDI: 00000000000000f0
RBP: 0000000000000000 R08: 000000000000ffff R09: 0000000000a64668
R10: 0000000020000040 R11: 0000000000000246 R12: 000000000000c2d9
R13: 0000000000402b50 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 5143:
 save_stack+0x45/0xd0 mm/kasan/common.c:75
 set_track mm/kasan/common.c:87 [inline]
 __kasan_kmalloc mm/kasan/common.c:497 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:470
 kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:505
 slab_post_alloc_hook mm/slab.h:437 [inline]
 slab_alloc mm/slab.c:3393 [inline]
 kmem_cache_alloc+0x11a/0x6f0 mm/slab.c:3555
 mm_alloc+0x1d/0xd0 kernel/fork.c:1030
 bprm_mm_init fs/exec.c:363 [inline]
 __do_execve_file.isra.0+0xaa3/0x23f0 fs/exec.c:1791
 do_execveat_common fs/exec.c:1865 [inline]
 do_execve fs/exec.c:1882 [inline]
 __do_sys_execve fs/exec.c:1958 [inline]
 __se_sys_execve fs/exec.c:1953 [inline]
 __x64_sys_execve+0x8f/0xc0 fs/exec.c:1953
 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 5351:
 save_stack+0x45/0xd0 mm/kasan/common.c:75
 set_track mm/kasan/common.c:87 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:459
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:467
 __cache_free mm/slab.c:3499 [inline]
 kmem_cache_free+0x86/0x260 mm/slab.c:3765
 __mmdrop+0x238/0x320 kernel/fork.c:677
 mmdrop include/linux/sched/mm.h:49 [inline]
 finish_task_switch+0x47b/0x780 kernel/sched/core.c:2746
 context_switch kernel/sched/core.c:2880 [inline]
 __schedule+0x81b/0x1cc0 kernel/sched/core.c:3518
 preempt_schedule_irq+0xb5/0x140 kernel/sched/core.c:3745
 retint_kernel+0x1b/0x2d
 arch_local_irq_restore arch/x86/include/asm/paravirt.h:767 [inline]
 kmem_cache_free+0xab/0x260 mm/slab.c:3766
 anon_vma_chain_free mm/rmap.c:134 [inline]
 unlink_anon_vmas+0x2ba/0x870 mm/rmap.c:401
 free_pgtables+0x1af/0x2f0 mm/memory.c:394
 exit_mmap+0x2d1/0x530 mm/mmap.c:3144
 __mmput kernel/fork.c:1046 [inline]
 mmput+0x15f/0x4c0 kernel/fork.c:1067
 exec_mmap fs/exec.c:1046 [inline]
 flush_old_exec+0x8d9/0x1c20 fs/exec.c:1279
 load_elf_binary+0x9bc/0x53f0 fs/binfmt_elf.c:864
 search_binary_handler fs/exec.c:1656 [inline]
 search_binary_handler+0x17f/0x570 fs/exec.c:1634
 exec_binprm fs/exec.c:1698 [inline]
 __do_execve_file.isra.0+0x1394/0x23f0 fs/exec.c:1818
 do_execveat_common fs/exec.c:1865 [inline]
 do_execve fs/exec.c:1882 [inline]
 __do_sys_execve fs/exec.c:1958 [inline]
 __se_sys_execve fs/exec.c:1953 [inline]
 __x64_sys_execve+0x8f/0xc0 fs/exec.c:1953
 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff88808893f7c0
 which belongs to the cache mm_struct of size 1496
The buggy address is located 600 bytes to the right of
 1496-byte region [ffff88808893f7c0, ffff88808893fd98)
The buggy address belongs to the page:
page:ffffea0002224f80 count:1 mapcount:0 mapping:ffff88821bc40ac0 index:0xffff88808893f7c0 compound_mapcount: 0
flags: 0x1fffc0000010200(slab|head)
raw: 01fffc0000010200 ffffea00025b4f08 ffffea00027b9d08 ffff88821bc40ac0
raw: ffff88808893f7c0 ffff88808893e440 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88808893fe80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88808893ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88808893ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                             ^
 ffff888088940000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888088940080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Fixes: e20cf8d3f1f7 ("udp: implement GRO for plain UDP sockets.")
Signed-off-by: Eric Dumazet <email address hidden>
Cc: Paolo Abeni <email address hidden>
Reported-by: syzbot <email address hidden>
Signed-off-by: David S. Miller <email address hidden>

CVE-2019-11683

(cherry picked from commit 4dd2b82d5adfbe0b1587ccad7a8f76d826120f37)
Signed-off-by: Tyler Hicks <email address hidden>
Acked-by: Seth Forshee <email address hidden>
Acked-by: Steve Beattie <email address hidden>
Acked-by: Colin Ian King <email address hidden>
Signed-off-by: Khalid Elmously <email address hidden>

f898617... by Paolo Abeni <email address hidden>

udp: fix GRO reception in case of length mismatch

Currently, the UDP GRO code path does bad things on some edge
conditions - Aggregation can happen even on packet with different
lengths.

Fix the above by rewriting the 'complete' condition for GRO
packets. While at it, note explicitly that we allow merging the
first packet per burst below gso_size.

Reported-by: Sean Tong <email address hidden>
Fixes: e20cf8d3f1f7 ("udp: implement GRO for plain UDP sockets.")
Signed-off-by: Paolo Abeni <email address hidden>
Signed-off-by: David S. Miller <email address hidden>

CVE-2019-11683

(cherry picked from commit 21f1b8a6636c4dbde4aa1ec0343f42eaf653ffcc)
Signed-off-by: Tyler Hicks <email address hidden>
Acked-by: Seth Forshee <email address hidden>
Acked-by: Steve Beattie <email address hidden>
Acked-by: Colin Ian King <email address hidden>
Signed-off-by: Khalid Elmously <email address hidden>

dab891b... by Stefan Bader

UBUNTU: Ubuntu-5.0.0-14.15

Signed-off-by: Stefan Bader <email address hidden>

cefe15b... by Stefan Bader

UBUNTU: link-to-tracker: update tracking bug

BugLink: https://bugs.launchpad.net/bugs/1826150
Signed-off-by: Stefan Bader <email address hidden>

a4cf89e... by Seth Forshee

UBUNTU: ubuntu: vbox -- update to 6.0.6-dfsg-1

BugLink: https://bugs.launchpad.net/bugs/1825210

Signed-off-by: Seth Forshee <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Khaled Elmously <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>

890b956... by Seth Forshee

UBUNTU: vbox-update: updates for renamed makefiles

BugLink: https://bugs.launchpad.net/bugs/1825210

Some shuffling of makefiles is causing our KERN_DIR fixup to
fail. Update vbox-update to use the new file names.

Signed-off-by: Seth Forshee <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Khaled Elmously <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>