~ubuntu-kernel/ubuntu/+source/linux/+git/bionic:master-next

Last commit made on 2023-05-31
Get this branch:
git clone -b master-next https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/bionic

Recent commits

7c71510... by Mauricio Faria de Oliveira

loop: fix I/O error on fsync() in detached loop devices

BugLink: https://bugs.launchpad.net/bugs/1856871

There's an I/O error on fsync() in a detached loop device
if it has been previously attached.

The issue is write cache is enabled in the attach path in
loop_configure() but it isn't disabled in the detach path;
thus it remains enabled in the block device regardless of
whether it is attached or not.

Now fsync() can get an I/O request that will just be failed
later in loop_queue_rq() as device's state is not 'Lo_bound'.

So, disable write cache in the detach path.

Do so based on the queue flag, not the loop device flag for
read-only (used to enable), as the queue flag can be changed
via sysfs even on read-only loop devices (e.g., losetup -r).

Test-case:

    # DEV=/dev/loop7

    # IMG=/tmp/image
    # truncate --size 1M $IMG

    # losetup $DEV $IMG
    # losetup -d $DEV

Before:

    # strace -e fsync parted -s $DEV print 2>&1 | grep fsync
    fsync(3) = -1 EIO (Input/output error)
    Warning: Error fsyncing/closing /dev/loop7: Input/output error
    [ 982.529929] blk_update_request: I/O error, dev loop7, sector 0 op 0x1:(WRITE) flags 0x800 phys_seg 0 prio class 0

After:

    # strace -e fsync parted -s $DEV print 2>&1 | grep fsync
    fsync(3) = 0

Co-developed-by: Eric Desrochers <email address hidden>
Signed-off-by: Eric Desrochers <email address hidden>
Signed-off-by: Mauricio Faria de Oliveira <email address hidden>
Tested-by: Gabriel Krisman Bertazi <email address hidden>
Reviewed-by: Ming Lei <email address hidden>
Signed-off-by: Jens Axboe <email address hidden>
(backported from commit 4ceddce55eb35d15b0f87f5dcf6f0058fd15d3a4)
[Jorge Merlino: move patch to loop_clr_fd function]
Signed-off-by: Jorge Merlino <email address hidden>
Acked-by: Tim Gardner <email address hidden>
Acked-by: Cory Todd <email address hidden>
Signed-off-by: Luke Nowakowski-Krijger <email address hidden>

ead0b36... by Zheng Wang <zyytlz.wz@163.com>

9p/xen : Fix use after free bug in xen_9pfs_front_remove due to race condition

In xen_9pfs_front_probe, it calls xen_9pfs_front_alloc_dataring
to init priv->rings and binds &ring->work to p9_xen_response.

When it calls xen_9pfs_front_event_handler to handle IRQ requests,
it will finally call schedule_work to start the work.

When we call xen_9pfs_front_remove to remove the driver, there
may be a sequence as follows:

CPU0                  CPU1

                     |p9_xen_response
xen_9pfs_front_remove|
  xen_9pfs_front_free|
    kfree(priv)      |
    //free priv      |
                     |p9_tag_lookup
                     |//use priv->client

Fix it by finishing the work before cleanup in xen_9pfs_front_free.

Note that this bug is found by static analysis, which might be a
false positive.

Fixes: 71ebd71921e4 ("xen/9pfs: connect to the backend")
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
Reviewed-by: Michal Swiatkowski <email address hidden>
Signed-off-by: Eric Van Hensbergen <email address hidden>

CVE-2023-1859
(cherry picked from commit ea4f1009408efb4989a0f139b70fb338e7f687d0)
Signed-off-by: John Cabaj <email address hidden>
Acked-by: Tim Gardner <email address hidden>
Acked-by: John Cabaj <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>

3c83db8... by Zheng Wang <zyytlz.wz@163.com>

xirc2ps_cs: Fix use after free bug in xirc2ps_detach

In xirc2ps_probe, the local->tx_timeout_task was bound
to xirc2ps_tx_timeout_task. When a timeout occurs,
it will call xirc_tx_timeout->schedule_work to start the
work.

When we call xirc2ps_detach to remove the driver, there
may be a sequence as follows:

CPU0                  CPU1

                     |xirc2ps_tx_timeout_task
xirc2ps_detach       |
  free_netdev        |
    kfree(dev);      |
                     |
                     | do_reset
                     | //use dev

Stop responding to timeout tasks and complete scheduled
tasks before cleanup in xirc2ps_detach, which will fix
the problem.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
Signed-off-by: David S. Miller <email address hidden>

CVE-2023-1670
(cherry picked from commit e8d20c3ded59a092532513c9bd030d1ea66f5f44)
Signed-off-by: Yuxuan Luo <email address hidden>
Acked-by: John Cabaj <email address hidden>
Acked-by: Andrei Gherzan <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>
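The teardown race described in the two commit messages above (9p/xen, CVE-2023-1859, and xirc2ps_cs, CVE-2023-1670) as a user-space model, added here for illustration; it is not code from either patch or from the kernel. The workqueue, schedule_work(), flush_work(), container_of() and kfree() are simplified stand-ins that reuse the kernel names, the "CPU1" side is a single run queue drained on demand so the interleaving is deterministic, and the freed object is poisoned with a flag rather than returned to the allocator so the dangling access is counted instead of being undefined behaviour. The fixed path applies both halves of the xirc2ps_cs fix: stop the event source from queueing new work, then finish the work that is already queued, before freeing.

```c
/* Added example, not kernel code: model of "free while deferred work is
 * still queued". CPU0 = driver remove, CPU1 = workqueue thread.
 * All kernel-named helpers below are simplified stand-ins. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

struct work_struct;
typedef void (*work_fn_t)(struct work_struct *);

struct work_struct {
    work_fn_t fn;
    int queued;
};

/* Single-slot stand-in for the system workqueue (CPU1's run queue). */
static struct work_struct *queued_work;

static void schedule_work(struct work_struct *w)
{
    if (!w->queued) {
        w->queued = 1;
        queued_work = w;
    }
}

/* CPU1: the workqueue thread runs whatever is pending. */
static void run_pending_work(void)
{
    struct work_struct *w = queued_work;
    if (!w)
        return;
    queued_work = NULL;
    w->queued = 0;
    w->fn(w);
}

/* flush_work() stand-in: run the work now if queued, so that on return
 * nothing on CPU1 still refers to the caller's object. */
static void flush_work(struct work_struct *w)
{
    if (w->queued)
        run_pending_work();
}

/* Driver private state; 'client' plays the role of priv->client / dev. */
struct priv {
    struct work_struct work;
    int detaching;  /* set at the start of remove: refuse new work */
    int freed;      /* poison flag standing in for "memory handed back" */
    int client;
};

static int uaf_hits;

/* Deferred handler (p9_xen_response / xirc2ps_tx_timeout_task). */
static void response_work(struct work_struct *w)
{
    struct priv *p = container_of(w, struct priv, work);
    if (p->freed) {     /* the kernel would read freed memory here */
        uaf_hits++;
        return;
    }
    p->client++;
}

/* IRQ / tx-timeout path that defers to the workqueue. */
static void irq_handler(struct priv *p)
{
    if (p->detaching)   /* first half of the fix: stop responding */
        return;
    schedule_work(&p->work);
}

/* Real kfree() returns the memory; here we only mark it so a later
 * access is reported instead of being undefined behaviour. */
static void model_kfree(struct priv *p) { p->freed = 1; }

/* Returns the number of use-after-free accesses observed.
 * flush:     finish queued work before freeing (second half of the fix)
 * stop_irqs: set 'detaching' so late events queue nothing
 * late_irq:  an event arrives after remove started but before kfree */
static int run_remove(int flush, int stop_irqs, int late_irq)
{
    struct priv *p = calloc(1, sizeof *p);
    p->work.fn = response_work;
    queued_work = NULL;
    uaf_hits = 0;

    irq_handler(p);             /* event arrives, work is queued */
    if (stop_irqs)              /* CPU0: remove begins */
        p->detaching = 1;
    if (flush)
        flush_work(&p->work);
    if (late_irq)
        irq_handler(p);
    model_kfree(p);             /* CPU0: kfree(priv) / free_netdev(dev) */
    run_pending_work();         /* CPU1: runs whatever is still queued */

    int hits = uaf_hits;
    free(p);
    return hits;
}

int main(void)
{
    printf("buggy remove:                 %d UAF\n", run_remove(0, 0, 0));
    printf("flush only:                   %d UAF\n", run_remove(1, 0, 0));
    printf("flush only, late IRQ:         %d UAF\n", run_remove(1, 0, 1));
    printf("stop IRQs + flush, late IRQ:  %d UAF\n", run_remove(1, 1, 1));
    return 0;
}
```

The third scenario is the one worth noting: finishing the queued work is not sufficient on its own if the event source can still fire between the flush and the free, which is why the xirc2ps_cs message pairs "stop responding to timeout tasks" with "complete scheduled tasks". In the kernel the corresponding primitives are cancel_work_sync()/flush_work() together with disabling or unbinding the interrupt or timer first; this model does not reproduce their locking, only the ordering requirement.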

fb46445... by Thadeu Lima de Souza Cascardo

UBUNTU: Ubuntu-4.15.0-212.223

Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>

32d8bd2... by Thadeu Lima de Souza Cascardo

UBUNTU: link-to-tracker: update tracking bug

BugLink: https://bugs.launchpad.net/bugs/2019708
Properties: no-test-build
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>

b07afbf... by Thadeu Lima de Souza Cascardo

UBUNTU: [Packaging] update helper scripts

BugLink: https://bugs.launchpad.net/bugs/1786013
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>

d756c00... by Thadeu Lima de Souza Cascardo

UBUNTU: Start new release

Ignore: yes
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>

fab948a... by Pablo Neira Ayuso <email address hidden>

netfilter: nf_tables: deactivate anonymous set from preparation phase

Toggle deleted anonymous sets as inactive in the next generation, so
users cannot perform any update on it. Clear the generation bitmask
in case the transaction is aborted.

The following KASAN splat shows a set element deletion for a bound
anonymous set that has been already removed in the same transaction.

[ 64.921510] ==================================================================
[ 64.923123] BUG: KASAN: wild-memory-access in nf_tables_commit+0xa24/0x1490 [nf_tables]
[ 64.924745] Write of size 8 at addr dead000000000122 by task test/890
[ 64.927903] CPU: 3 PID: 890 Comm: test Not tainted 6.3.0+ #253
[ 64.931120] Call Trace:
[ 64.932699] <TASK>
[ 64.934292] dump_stack_lvl+0x33/0x50
[ 64.935908] ? nf_tables_commit+0xa24/0x1490 [nf_tables]
[ 64.937551] kasan_report+0xda/0x120
[ 64.939186] ? nf_tables_commit+0xa24/0x1490 [nf_tables]
[ 64.940814] nf_tables_commit+0xa24/0x1490 [nf_tables]
[ 64.942452] ? __kasan_slab_alloc+0x2d/0x60
[ 64.944070] ? nf_tables_setelem_notify+0x190/0x190 [nf_tables]
[ 64.945710] ? kasan_set_track+0x21/0x30
[ 64.947323] nfnetlink_rcv_batch+0x709/0xd90 [nfnetlink]
[ 64.948898] ? nfnetlink_rcv_msg+0x480/0x480 [nfnetlink]

Signed-off-by: Pablo Neira Ayuso <email address hidden>
(cherry picked from commit c1592a89942e9678f7d9c8030efa777c0d57edab)
CVE-2023-32233
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>

Acked-by: Andrei Gherzan <email address hidden>
Acked-by: Cory Todd <email address hidden>
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>

f732c2c... by Pablo Neira Ayuso <email address hidden>

netfilter: nf_tables: use-after-free in failing rule with bound set

If a rule that already has a bound anonymous set fails to be added, the
preparation phase releases the rule and the bound set. However, the
transaction object from the abort path still has a reference to the set
object that is stale, leading to a use-after-free when checking for the
set->bound field. Add a new field to the transaction that specifies if
the set is bound, so the abort path can skip releasing it since the rule
command owns it and it takes care of releasing it. After this update,
the set->bound field is removed.

[ 24.649883] Unable to handle kernel paging request at virtual address 0000000000040434
[ 24.657858] Mem abort info:
[ 24.660686] ESR = 0x96000004
[ 24.663769] Exception class = DABT (current EL), IL = 32 bits
[ 24.669725] SET = 0, FnV = 0
[ 24.672804] EA = 0, S1PTW = 0
[ 24.675975] Data abort info:
[ 24.678880] ISV = 0, ISS = 0x00000004
[ 24.682743] CM = 0, WnR = 0
[ 24.685723] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000428952000
[ 24.692207] [0000000000040434] pgd=0000000000000000
[ 24.697119] Internal error: Oops: 96000004 [#1] SMP
[...]
[ 24.889414] Call trace:
[ 24.891870] __nf_tables_abort+0x3f0/0x7a0
[ 24.895984] nf_tables_abort+0x20/0x40
[ 24.899750] nfnetlink_rcv_batch+0x17c/0x588
[ 24.904037] nfnetlink_rcv+0x13c/0x190
[ 24.907803] netlink_unicast+0x18c/0x208
[ 24.911742] netlink_sendmsg+0x1b0/0x350
[ 24.915682] sock_sendmsg+0x4c/0x68
[ 24.919185] ___sys_sendmsg+0x288/0x2c8
[ 24.923037] __sys_sendmsg+0x7c/0xd0
[ 24.926628] __arm64_sys_sendmsg+0x2c/0x38
[ 24.930744] el0_svc_common.constprop.0+0x94/0x158
[ 24.935556] el0_svc_handler+0x34/0x90
[ 24.939322] el0_svc+0x8/0xc
[ 24.942216] Code: 37280300 f9404023 91014262 aa1703e0 (f9401863)
[ 24.948336] ---[ end trace cebbb9dcbed3b56f ]---

Fixes: f6ac85858976 ("netfilter: nf_tables: unbind set in rule from commit path")
Signed-off-by: Pablo Neira Ayuso <email address hidden>
(cherry picked from commit 6a0a8d10a3661a036b55af695542a714c429ab7c)
CVE-2023-32233
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>

Acked-by: Andrei Gherzan <email address hidden>
Acked-by: Cory Todd <email address hidden>
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>

97cb26e... by Pablo Neira Ayuso <email address hidden>

netfilter: nf_tables: bogus EBUSY when deleting set after flush

Set deletion after flush coming in the same batch results in EBUSY. Add
set use counter to track the number of references to this set from
rules. We cannot rely on the list of bindings for this since such list
is still populated from the preparation phase.

Reported-by: Václav Zindulka <email address hidden>
Signed-off-by: Pablo Neira Ayuso <email address hidden>
(backported from commit 273fe3f1006ea5ebc63d6729e43e8e45e32b256a)
[cascardo: small conflict due to missing extended ACKs (NL_SET_BAD_ATTR)]
CVE-2023-32233
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>

Acked-by: Andrei Gherzan <email address hidden>
Acked-by: Cory Todd <email address hidden>
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>