~timg-tpi/ubuntu/+source/linux/+git/focal:hwe-5.8

Last commit made on 2021-10-14
Get this branch:
git clone -b hwe-5.8 https://git.launchpad.net/~timg-tpi/ubuntu/+source/linux/+git/focal

Recent commits

f39e877... by Jason Gunthorpe <email address hidden>

RDMA/ucma: Rework ucma_migrate_id() to avoid races with destroy

ucma_destroy_id() assumes that all things accessing the ctx will do so via
the xarray. This assumption is violated only in the case the FD is being
closed, then the ctx is reached via the ctx_list. Normally this is OK
since ucma_destroy_id() cannot run concurrently with release(), however
when ucma_migrate_id() is involved this can be violated as the close of the
2nd FD can run concurrently with destroy on the first:

                CPU0                       CPU1
        ucma_destroy_id(fda)
                                  ucma_migrate_id(fda -> fdb)
                                       ucma_get_ctx()
        xa_lock()
         _ucma_find_context()
         xa_erase()
        xa_unlock()
                                       xa_lock()
                                        ctx->file = new_file
                                        list_move()
                                       xa_unlock()
                                      ucma_put_ctx()

                                   ucma_close(fdb)
                                      _destroy_id()
                                      kfree(ctx)

        _destroy_id()
          wait_for_completion()
          // boom, ctx was freed

The ctx->file must be modified under the handler and xa_lock, and prior to
modification the ID must be rechecked that it is still reachable from
cur_file, i.e. there is no parallel destroy or migrate.

To make this work remove the double locking and streamline the control
flow. The double locking was obsoleted by the handler lock now directly
preventing new uevents from being created, and the ctx_list cannot be read
while holding fgets on both files. Removing the double locking also
removes the need to check for the same file.

Fixes: 88314e4dda1e ("RDMA/cma: add support for rdma_migrate_id()")
Link: https://<email address hidden>
Reported-and-tested-by: <email address hidden>
Signed-off-by: Jason Gunthorpe <email address hidden>
(cherry picked from commit f5449e74802c1112dea984aec8af7a33c4516af1)
CVE-2020-36385
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Kleber Sacilotto de Souza <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>

db62a32... by Jason Gunthorpe <email address hidden>

RDMA/ucma: Fix the locking of ctx->file

ctx->file is changed under the file->mut lock by ucma_migrate_id(), which
is impossible to lock correctly. Instead change ctx->file under the
handler_lock and ctx_table lock and revise all places touching ctx->file
to use this locking when reading ctx->file.

Link: https://<email address hidden>
Signed-off-by: Leon Romanovsky <email address hidden>
Signed-off-by: Jason Gunthorpe <email address hidden>
(backported from commit 09e328e47a695b0d346598f5d6593ee598e64885)
[cascardo: commit 95fe51096b7adf1d1e7315c49c75e2f75f162584 moved the
 file locks from ucma_cleanup_mc_events callers to inside it, keep it
 out of the function]
CVE-2020-36385
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Kleber Sacilotto de Souza <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>

bec74dc... by Jason Gunthorpe <email address hidden>

RDMA/cma: Add missing locking to rdma_accept()

In almost all cases rdma_accept() is called under the handler_mutex by
ULPs from their handler callbacks. The one exception was ucma which did
not get the handler_mutex.

To improve the understandability of the locking scheme obtain the mutex
for ucma as well.

This improves how ucma works by allowing it to directly use handler_mutex
for some of its internal locking against the handler callbacks instead of
the global file->mut lock.

There does not seem to be a serious bug here, other than a DISCONNECT event
can be delivered concurrently with accept succeeding.

Link: https://<email address hidden>
Signed-off-by: Leon Romanovsky <email address hidden>
Signed-off-by: Jason Gunthorpe <email address hidden>
(cherry picked from commit d114c6feedfe0600c19b9f9479a4026354d1f7fd)
CVE-2020-36385
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Kleber Sacilotto de Souza <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>

1e8e663... by Stefan Bader

UBUNTU: Ubuntu-hwe-5.8-5.8.0-66.74

Signed-off-by: Stefan Bader <email address hidden>

39ab9b8... by Stefan Bader

UBUNTU: debian/dkms-versions -- update from kernel-versions (main/2021.09.27)

BugLink: https://bugs.launchpad.net/bugs/1786013
Signed-off-by: Stefan Bader <email address hidden>

83b1186... by Stefan Bader

UBUNTU: link-to-tracker: update tracking bug

BugLink: https://bugs.launchpad.net/bugs/1944903
Properties: no-test-build
Signed-off-by: Stefan Bader <email address hidden>

6360cad... by Qu Wenruo <email address hidden>

btrfs: fix NULL pointer dereference when deleting device by invalid id

BugLink: https://bugs.launchpad.net/bugs/1945987

[BUG]
It's easy to trigger NULL pointer dereference, just by removing a
non-existing device id:

 # mkfs.btrfs -f -m single -d single /dev/test/scratch1 \
         /dev/test/scratch2
 # mount /dev/test/scratch1 /mnt/btrfs
 # btrfs device remove 3 /mnt/btrfs

Then we have the following kernel NULL pointer dereference:

 BUG: kernel NULL pointer dereference, address: 0000000000000000
 #PF: supervisor read access in kernel mode
 #PF: error_code(0x0000) - not-present page
 PGD 0 P4D 0
 Oops: 0000 [#1] PREEMPT SMP NOPTI
 CPU: 9 PID: 649 Comm: btrfs Not tainted 5.14.0-rc3-custom+ #35
 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
 RIP: 0010:btrfs_rm_device+0x4de/0x6b0 [btrfs]
  btrfs_ioctl+0x18bb/0x3190 [btrfs]
  ? lock_is_held_type+0xa5/0x120
  ? find_held_lock.constprop.0+0x2b/0x80
  ? do_user_addr_fault+0x201/0x6a0
  ? lock_release+0xd2/0x2d0
  ? __x64_sys_ioctl+0x83/0xb0
  __x64_sys_ioctl+0x83/0xb0
  do_syscall_64+0x3b/0x90
  entry_SYSCALL_64_after_hwframe+0x44/0xae

[CAUSE]
Commit a27a94c2b0c7 ("btrfs: Make btrfs_find_device_by_devspec return
btrfs_device directly") moves the "missing" device path check into
btrfs_rm_device().

But btrfs_rm_device() itself can have case where it only receives
@devid, with NULL as @device_path.

In that case, calling strcmp() on NULL will trigger the NULL pointer
dereference.

Before that commit, we handle the "missing" case inside
btrfs_find_device_by_devspec(), which will not check @device_path at all
if @devid is provided, thus no way to trigger the bug.

[FIX]
Before calling strcmp(), also make sure @device_path is not NULL.

Fixes: a27a94c2b0c7 ("btrfs: Make btrfs_find_device_by_devspec return btrfs_device directly")
CC: <email address hidden> # 5.4+
Reported-by: butt3rflyh4ck <email address hidden>
Reviewed-by: Anand Jain <email address hidden>
Signed-off-by: Qu Wenruo <email address hidden>
Reviewed-by: David Sterba <email address hidden>
Signed-off-by: David Sterba <email address hidden>

(cherry picked from commit e4571b8c5e9ffa1e85c0c671995bd4dcc5c75091)
Signed-off-by: Tim Gardner <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Colin King <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>

ce1631d... by Trond Myklebust <email address hidden>

NFSv4: Initialise connection to the server in nfs4_alloc_client()

Set up the connection to the NFSv4 server in nfs4_alloc_client(), before
we've added the struct nfs_client to the net-namespace's nfs_client_list
so that a downed server won't cause other mounts to hang in the trunking
detection code.

Reported-by: Michael Wakabayashi <email address hidden>
Fixes: 5c6e5b60aae4 ("NFS: Fix an Oops in the pNFS files and flexfiles connection setup to the DS")
Signed-off-by: Trond Myklebust <email address hidden>
(cherry picked from commit dd99e9f98fbf423ff6d365b37a98e8879170f17c)
CVE-2021-38199
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Tim Gardner <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>

8fb787b... by Adrian Bunk

bnx2x: Fix enabling network interfaces without VFs

BugLink: https://bugs.launchpad.net/bugs/1945707

This function is called to enable SR-IOV when available; not enabling
interfaces without VFs was a regression.

Fixes: 65161c35554f ("bnx2x: Fix missing error code in bnx2x_iov_init_one()")
Signed-off-by: Adrian Bunk <email address hidden>
Reported-by: YunQiang Su <email address hidden>
Tested-by: YunQiang Su <email address hidden>
Cc: <email address hidden>
Acked-by: Shai Malin <email address hidden>
Link: https://<email address hidden>
Signed-off-by: Jakub Kicinski <email address hidden>
(cherry picked from commit 52ce14c134a003fee03d8fc57442c05a55b53715)
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Tim Gardner <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>

80533ca... by Vasily Averin

memcg: enable accounting of ipc resources

When a user creates IPC objects it forces the kernel to allocate memory for
these long-living objects.

It makes sense to account them to restrict the host's memory consumption
from inside the memcg-limited container.

This patch enables accounting for IPC shared memory segments, messages,
semaphores and semaphore undo lists.

Link: https://<email address hidden>
Signed-off-by: Vasily Averin <email address hidden>
Reviewed-by: Shakeel Butt <email address hidden>
Cc: Alexander Viro <email address hidden>
Cc: Alexey Dobriyan <email address hidden>
Cc: Andrei Vagin <email address hidden>
Cc: Borislav Petkov <email address hidden>
Cc: Borislav Petkov <email address hidden>
Cc: Christian Brauner <email address hidden>
Cc: Dmitry Safonov <email address hidden>
Cc: "Eric W. Biederman" <email address hidden>
Cc: Greg Kroah-Hartman <email address hidden>
Cc: "H. Peter Anvin" <email address hidden>
Cc: Ingo Molnar <email address hidden>
Cc: "J. Bruce Fields" <email address hidden>
Cc: Jeff Layton <email address hidden>
Cc: Jens Axboe <email address hidden>
Cc: Jiri Slaby <email address hidden>
Cc: Johannes Weiner <email address hidden>
Cc: Kirill Tkhai <email address hidden>
Cc: Michal Hocko <email address hidden>
Cc: Oleg Nesterov <email address hidden>
Cc: Roman Gushchin <email address hidden>
Cc: Serge Hallyn <email address hidden>
Cc: Tejun Heo <email address hidden>
Cc: Thomas Gleixner <email address hidden>
Cc: Vladimir Davydov <email address hidden>
Cc: Yutian Yang <email address hidden>
Cc: Zefan Li <email address hidden>
Signed-off-by: Andrew Morton <email address hidden>
Signed-off-by: Linus Torvalds <email address hidden>
(backported from commit 18319498fdd4cdf8c1c2c48cd432863b1f915d6f)
[cascardo: some kvmalloc were replaced by kmalloc]
CVE-2021-3759
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Tim Gardner <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>