Ubuntu
linux package

~ubuntu-kernel/ubuntu/+source/linux/+git/cosmic:master-next

  1. Git
  2. lp:~ubuntu-kernel/ubuntu/+source/linux/+git/cosmic
  3. master-next
Last commit made on 2019-07-09
Get this branch:
git clone -b master-next https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/cosmic
Members of Ubuntu Kernel Repositories can upload to this branch. Log in for directions.

Branch merges

Branch information

Name:
master-next
Repository:
lp:~ubuntu-kernel/ubuntu/+source/linux/+git/cosmic

Recent commits

3d605c8... by YueHaibing <email address hidden>

mdio_bus: Fix use-after-free on device_register fails

KASAN has found use-after-free in fixed_mdio_bus_init,
commit 0c692d07842a ("drivers/net/phy/mdio_bus.c: call
put_device on device_register() failure") call put_device()
while device_register() fails,give up the last reference
to the device and allow mdiobus_release to be executed
,kfreeing the bus. However in most drives, mdiobus_free
be called to free the bus while mdiobus_register fails.
use-after-free occurs when access bus again, this patch
revert it to let mdiobus_free free the bus.

KASAN report details as below:

BUG: KASAN: use-after-free in mdiobus_free+0x85/0x90 drivers/net/phy/mdio_bus.c:482
Read of size 4 at addr ffff8881dc824d78 by task syz-executor.0/3524

CPU: 1 PID: 3524 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #45
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xfa/0x1ce lib/dump_stack.c:113
 print_address_description+0x65/0x270 mm/kasan/report.c:187
 kasan_report+0x149/0x18d mm/kasan/report.c:317
 mdiobus_free+0x85/0x90 drivers/net/phy/mdio_bus.c:482
 fixed_mdio_bus_init+0x283/0x1000 [fixed_phy]
 ? 0xffffffffc0e40000
 ? 0xffffffffc0e40000
 ? 0xffffffffc0e40000
 do_one_initcall+0xfa/0x5ca init/main.c:887
 do_init_module+0x204/0x5f6 kernel/module.c:3460
 load_module+0x66b2/0x8570 kernel/module.c:3808
 __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x462e99
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6215c19c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000003
RBP: 00007f6215c19c70 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6215c1a6bc
R13: 00000000004bcefb R14: 00000000006f7030 R15: 0000000000000004

Allocated by task 3524:
 set_track mm/kasan/common.c:85 [inline]
 __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:496
 kmalloc include/linux/slab.h:545 [inline]
 kzalloc include/linux/slab.h:740 [inline]
 mdiobus_alloc_size+0x54/0x1b0 drivers/net/phy/mdio_bus.c:143
 fixed_mdio_bus_init+0x163/0x1000 [fixed_phy]
 do_one_initcall+0xfa/0x5ca init/main.c:887
 do_init_module+0x204/0x5f6 kernel/module.c:3460
 load_module+0x66b2/0x8570 kernel/module.c:3808
 __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 3524:
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x130/0x180 mm/kasan/common.c:458
 slab_free_hook mm/slub.c:1409 [inline]
 slab_free_freelist_hook mm/slub.c:1436 [inline]
 slab_free mm/slub.c:2986 [inline]
 kfree+0xe1/0x270 mm/slub.c:3938
 device_release+0x78/0x200 drivers/base/core.c:919
 kobject_cleanup lib/kobject.c:662 [inline]
 kobject_release lib/kobject.c:691 [inline]
 kref_put include/linux/kref.h:67 [inline]
 kobject_put+0x146/0x240 lib/kobject.c:708
 put_device+0x1c/0x30 drivers/base/core.c:2060
 __mdiobus_register+0x483/0x560 drivers/net/phy/mdio_bus.c:382
 fixed_mdio_bus_init+0x26b/0x1000 [fixed_phy]
 do_one_initcall+0xfa/0x5ca init/main.c:887
 do_init_module+0x204/0x5f6 kernel/module.c:3460
 load_module+0x66b2/0x8570 kernel/module.c:3808
 __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8881dc824c80
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 248 bytes inside of
 2048-byte region [ffff8881dc824c80, ffff8881dc825480)
The buggy address belongs to the page:
page:ffffea0007720800 count:1 mapcount:0 mapping:ffff8881f6c02800 index:0x0 compound_mapcount: 0
flags: 0x2fffc0000010200(slab|head)
raw: 02fffc0000010200 0000000000000000 0000000500000001 ffff8881f6c02800
raw: 0000000000000000 00000000800f000f 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881dc824c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8881dc824c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881dc824d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                                ^
 ffff8881dc824d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881dc824e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

Fixes: 0c692d07842a ("drivers/net/phy/mdio_bus.c: call put_device on device_register() failure")
Signed-off-by: YueHaibing <email address hidden>
Reviewed-by: Andrew Lunn <email address hidden>
Signed-off-by: David S. Miller <email address hidden>

(cherry picked from commit 6ff7b060535e87c2ae14dd8548512abfdda528fb)
CVE-2019-12819
Signed-off-by: Benjamin M Romer <email address hidden>
Acked-by: Tyler Hicks <email address hidden>
Acked-by: Po-Hsu Lin <email address hidden>
Signed-off-by: Khalid Elmously <email address hidden>

077f2c3... by Stefan Bader

UBUNTU: Ubuntu-4.18.0-26.27

Signed-off-by: Stefan Bader <email address hidden>

9220dae... by Stefan Bader

UBUNTU: link-to-tracker: update tracking bug

BugLink: https://bugs.launchpad.net/bugs/1834904
Signed-off-by: Stefan Bader <email address hidden>

7782916... by Stefan Bader

UBUNTU: Start new release

Ignore: yes
Signed-off-by: Stefan Bader <email address hidden>

99d73d3... by Kai-Heng Feng

UBUNTU: SAUCE: USB: Disable USB2 LPM at shutdown

BugLink: https://bugs.launchpad.net/bugs/1757218

The QCA Rome USB Bluetooth controller has several issues once LPM gets
enabled:
- Fails to get enumerated in coldboot. [1]
- Drains more power (~ 0.2W) when the system is in S5. [2]
- Disappears after a warmboot. [2]

The issue happens because the device lingers at LPM L1 in S5, so device
can't get enumerated even after a reboot.

Disable LPM at shutdown to solve the issue.

[1] https://bugs.launchpad.net/bugs/1757218
[2] https://patchwork.kernel.org/patch/10607097/

Signed-off-by: Kai-Heng Feng <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Connor Kuehl <email address hidden>
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>

15f1fc4... by Colin Ian King

net: hns: fix unsigned comparison to less than zero

BugLink: https://bugs.launchpad.net/bugs/1833140

Currently mskid is unsigned and hence comparisons with negative
error return values are always false. Fix this by making mskid an
int.

Fixes: f058e46855dc ("net: hns: fix ICMP6 neighbor solicitation messages discard problem")
Addresses-Coverity: ("Operands don't affect result")
Signed-off-by: Colin Ian King <email address hidden>
Reviewed-by: Mukesh Ojha <email address hidden>
Signed-off-by: David S. Miller <email address hidden>
(cherry picked from commit ea401685a20b5d631957f024bda86e1f6118eb20)
Signed-off-by: dann frazier <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Marcelo Henrique Cerri <email address hidden>
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>

5811c77... by Yonglong Liu <email address hidden>

net: hns: fix ICMP6 neighbor solicitation messages discard problem

BugLink: https://bugs.launchpad.net/bugs/1833140

ICMP6 neighbor solicitation messages will be discard by the Hip06
chips, because of not setting forwarding pool. Enable promisc mode
has the same problem.

This patch fix the wrong forwarding table configs for the multicast
vague matching when enable promisc mode, and add forwarding pool
for the forwarding table.

Signed-off-by: Yonglong Liu <email address hidden>
Signed-off-by: David S. Miller <email address hidden>
(cherry picked from commit f058e46855dcbc28edb2ed4736f38a71fd19cadb)
Signed-off-by: dann frazier <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Marcelo Henrique Cerri <email address hidden>
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>

85196fa... by Yonglong Liu <email address hidden>

net: hns: Fix probabilistic memory overwrite when HNS driver initialized

BugLink: https://bugs.launchpad.net/bugs/1833138

When reboot the system again and again, may cause a memory
overwrite.

[ 15.638922] systemd[1]: Reached target Swap.
[ 15.667561] tun: Universal TUN/TAP device driver, 1.6
[ 15.676756] Bridge firewalling registered
[ 17.344135] Unable to handle kernel paging request at virtual address 0000000200000040
[ 17.352179] Mem abort info:
[ 17.355007] ESR = 0x96000004
[ 17.358105] Exception class = DABT (current EL), IL = 32 bits
[ 17.364112] SET = 0, FnV = 0
[ 17.367209] EA = 0, S1PTW = 0
[ 17.370393] Data abort info:
[ 17.373315] ISV = 0, ISS = 0x00000004
[ 17.377206] CM = 0, WnR = 0
[ 17.380214] user pgtable: 4k pages, 48-bit VAs, pgdp = (____ptrval____)
[ 17.386926] [0000000200000040] pgd=0000000000000000
[ 17.391878] Internal error: Oops: 96000004 [#1] SMP
[ 17.396824] CPU: 23 PID: 95 Comm: kworker/u130:0 Tainted: G E 4.19.25-1.2.78.aarch64 #1
[ 17.414175] Hardware name: Huawei TaiShan 2280 /BC11SPCD, BIOS 1.54 08/16/2018
[ 17.425615] Workqueue: events_unbound async_run_entry_fn
[ 17.435151] pstate: 00000005 (nzcv daif -PAN -UAO)
[ 17.444139] pc : __mutex_lock.isra.1+0x74/0x540
[ 17.453002] lr : __mutex_lock.isra.1+0x3c/0x540
[ 17.461701] sp : ffff000100d9bb60
[ 17.469146] x29: ffff000100d9bb60 x28: 0000000000000000
[ 17.478547] x27: 0000000000000000 x26: ffff802fb8945000
[ 17.488063] x25: 0000000000000000 x24: ffff802fa32081a8
[ 17.497381] x23: 0000000000000002 x22: ffff801fa2b15220
[ 17.506701] x21: ffff000009809000 x20: ffff802fa23a0888
[ 17.515980] x19: ffff801fa2b15220 x18: 0000000000000000
[ 17.525272] x17: 0000000200000000 x16: 0000000200000000
[ 17.534511] x15: 0000000000000000 x14: 0000000000000000
[ 17.543652] x13: ffff000008d95db8 x12: 000000000000000d
[ 17.552780] x11: ffff000008d95d90 x10: 0000000000000b00
[ 17.561819] x9 : ffff000100d9bb90 x8 : ffff802fb89d6560
[ 17.570829] x7 : 0000000000000004 x6 : 00000004a1801d05
[ 17.579839] x5 : 0000000000000000 x4 : 0000000000000000
[ 17.588852] x3 : ffff802fb89d5a00 x2 : 0000000000000000
[ 17.597734] x1 : 0000000200000000 x0 : 0000000200000000
[ 17.606631] Process kworker/u130:0 (pid: 95, stack limit = 0x(____ptrval____))
[ 17.617438] Call trace:
[ 17.623349] __mutex_lock.isra.1+0x74/0x540
[ 17.630927] __mutex_lock_slowpath+0x24/0x30
[ 17.638602] mutex_lock+0x50/0x60
[ 17.645295] drain_workqueue+0x34/0x198
[ 17.652623] __sas_drain_work+0x7c/0x168
[ 17.659903] sas_drain_work+0x60/0x68
[ 17.666947] hisi_sas_scan_finished+0x30/0x40 [hisi_sas_main]
[ 17.676129] do_scsi_scan_host+0x70/0xb0
[ 17.683534] do_scan_async+0x20/0x228
[ 17.690586] async_run_entry_fn+0x4c/0x1d0
[ 17.697997] process_one_work+0x1b4/0x3f8
[ 17.705296] worker_thread+0x54/0x470

Every time the call trace is not the same, but the overwrite address
is always the same:
Unable to handle kernel paging request at virtual address 0000000200000040

The root cause is, when write the reg XGMAC_MAC_TX_LF_RF_CONTROL_REG,
didn't use the io_base offset.

Signed-off-by: Yonglong Liu <email address hidden>
Signed-off-by: David S. Miller <email address hidden>
(cherry picked from commit c0b0984426814f3a9251873b689e67d34d8ccd84)
Signed-off-by: dann frazier <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Marcelo Henrique Cerri <email address hidden>
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>

e511e38... by Liubin Shu <email address hidden>

net: hns: fix KASAN: use-after-free in hns_nic_net_xmit_hw()

BugLink: https://bugs.launchpad.net/bugs/1833136

This patch is trying to fix the issue due to:
[27237.844750] BUG: KASAN: use-after-free in hns_nic_net_xmit_hw+0x708/0xa18[hns_enet_drv]

After hnae_queue_xmit() in hns_nic_net_xmit_hw(), can be
interrupted by interruptions, and than call hns_nic_tx_poll_one()
to handle the new packets, and free the skb. So, when turn back to
hns_nic_net_xmit_hw(), calling skb->len will cause use-after-free.

This patch update tx ring statistics in hns_nic_tx_poll_one() to
fix the bug.

Signed-off-by: Liubin Shu <email address hidden>
Signed-off-by: Zhen Lei <email address hidden>
Signed-off-by: Yonglong Liu <email address hidden>
Signed-off-by: Peng Li <email address hidden>
Signed-off-by: David S. Miller <email address hidden>
(cherry picked from commit 3a39a12ad364a9acd1038ba8da67cd8430f30de4)
Signed-off-by: dann frazier <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Marcelo Henrique Cerri <email address hidden>
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>

d955d90... by Yonglong Liu <email address hidden>

net: hns: Restart autoneg need return failed when autoneg off

BugLink: https://bugs.launchpad.net/bugs/1833147

The hns driver of earlier devices, when autoneg off, restart autoneg
will return -EINVAL, so make the hns driver for the latest devices
do the same.

Signed-off-by: Yonglong Liu <email address hidden>
Signed-off-by: Peng Li <email address hidden>
Signed-off-by: David S. Miller <email address hidden>
(cherry picked from commit ed29ca8b9592562559c64d027fb5eb126e463e2c)
Signed-off-by: dann frazier <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Marcelo Henrique Cerri <email address hidden>
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>