~vicamo/+git/ubuntu-kernel:bug-1886269/add-to-i8042-nopnp-list/focal

Last commit made on 2020-07-13
Get this branch:
git clone -b bug-1886269/add-to-i8042-nopnp-list/focal https://git.launchpad.net/~vicamo/+git/ubuntu-kernel

Branch information

Name:
bug-1886269/add-to-i8042-nopnp-list/focal
Repository:
lp:~vicamo/+git/ubuntu-kernel

Recent commits

6df136f... by You-Sheng Yang

Bug 1886269: Input: i8042 - add Intel Desktop Board DG41RQ to nopnp list

34a7565... by You-Sheng Yang

Input: i8042 - add Intel Desktop Board DG41RQ to nopnp list

Add DMI matches for Intel Desktop Board DG41RQ that needs 'i8042.nopnp'
to detect PS/2 mouse reliably, as reported by Jatinderpal Singh.

BugLink: https://bugs.launchpad.net/bugs/1886269
Signed-off-by: You-Sheng Yang <email address hidden>

98c4545... by Khaled El Mously

UBUNTU: Ubuntu-5.4.0-42.46

Signed-off-by: Khalid Elmously <email address hidden>

d4dcfe9... by Khaled El Mously

UBUNTU: link-to-tracker: update tracking bug

BugLink: https://bugs.launchpad.net/bugs/1887069
Properties: no-test-build
Signed-off-by: Khalid Elmously <email address hidden>

de50878... by Khaled El Mously

UBUNTU: Start new release

Ignore: yes
Signed-off-by: Khalid Elmously <email address hidden>

00e14e0... by Thadeu Lima de Souza Cascardo

UBUNTU: SAUCE: Revert "netprio_cgroup: Fix unlimited memory leak of v2 cgroups"

BugLink: https://bugs.launchpad.net/bugs/1886668

This reverts commit 5eebba2159d707ae9533a52839e1ba71754c4426, which is
commit 090e28b229af92dc5b40786ca673999d59e73056 upstream.

There is a crash related to a possible use-after-free of cgroups when
cgroup BPF is used with INET_INGRESS or INET_EGRESS.

[ 696.396993] RIP: 0010:__cgroup_bpf_run_filter_skb+0xbb/0x1e0
[ 696.397005] RSP: 0018:ffff893fdcb83a70 EFLAGS: 00010292
[ 696.397015] RAX: 6d69546e6f697469 RBX: 0000000000000000 RCX: 0000000000000014
[ 696.397028] RDX: 0000000000000000 RSI: ffff893fd0360000 RDI: ffff893fb5154800
[ 696.397041] RBP: ffff893fdcb83ad0 R08: 0000000000000001 R09: 0000000000000000
[ 696.397058] R10: 0000000000000000 R11: 0000000000000003 R12: 0000000000000014
[ 696.397075] R13: ffff893fb5154800 R14: 0000000000000020 R15: ffff893fc6ba4d00
[ 696.397091] FS: 0000000000000000(0000) GS:ffff893fdcb80000(0000) knlGS:0000000000000000
[ 696.397107] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 696.397119] CR2: 000000c0001b4000 CR3: 00000006dce0a004 CR4: 00000000003606e0
[ 696.397135] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 696.397152] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 696.397169] Call Trace:
[ 696.397175] <IRQ>
[ 696.397183] sk_filter_trim_cap+0xd0/0x1b0
[ 696.397191] tcp_v4_rcv+0x8b7/0xa80
[ 696.397199] ip_local_deliver_finish+0x66/0x210
[ 696.397208] ip_local_deliver+0x7e/0xe0
[ 696.397215] ? ip_rcv_finish+0x430/0x430
[ 696.397223] ip_rcv_finish+0x129/0x430
[ 696.397230] ip_rcv+0x296/0x360
[ 696.397238] ? inet_del_offload+0x40/0x40
[ 696.397249] __netif_receive_skb_core+0x432/0xb80
[ 696.397261] ? skb_send_sock+0x50/0x50
[ 696.397271] ? tcp4_gro_receive+0x137/0x1a0
[ 696.397280] __netif_receive_skb+0x18/0x60
[ 696.397290] ? __netif_receive_skb+0x18/0x60
[ 696.397300] netif_receive_skb_internal+0x45/0xe0
[ 696.397309] napi_gro_receive+0xc5/0xf0
[ 696.397317] xennet_poll+0x9ca/0xbc0
[ 696.397325] net_rx_action+0x140/0x3a0
[ 696.397334] __do_softirq+0xe4/0x2d4
[ 696.397344] irq_exit+0xc5/0xd0
[ 696.397352] xen_evtchn_do_upcall+0x30/0x50
[ 696.397361] xen_hvm_callback_vector+0x90/0xa0
[ 696.397371] </IRQ>
[ 696.397378] RIP: 0010:native_safe_halt+0x12/0x20
[ 696.397390] RSP: 0018:ffff94c4862cbe80 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff0c
[ 696.397405] RAX: ffffffff8efc1800 RBX: 0000000000000006 RCX: 0000000000000000
[ 696.397419] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 696.397435] RBP: ffff94c4862cbe80 R08: 0000000000000002 R09: 0000000000000001
[ 696.397449] R10: 0000000000100000 R11: 0000000000000397 R12: 0000000000000006
[ 696.397462] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 696.397479] ? __sched_text_end+0x1/0x1
[ 696.397489] default_idle+0x20/0x100
[ 696.397499] arch_cpu_idle+0x15/0x20
[ 696.397507] default_idle_call+0x23/0x30
[ 696.397515] do_idle+0x172/0x1f0
[ 696.397522] cpu_startup_entry+0x73/0x80
[ 696.397530] start_secondary+0x1ab/0x200
[ 696.397538] secondary_startup_64+0xa5/0xb0
[ 696.397545] Code: 89 5d b0 49 29 cc 45 01 a7 80 00 00 00 44 89 e1 48 29 c8 48 89 4d a8 49 89 87 d8 00 00 00 89 d2 48 8d 84 d6 38 03 00 00 48 8b 00 <4c> 8b 70 10 4c 8d 68 10 4d 85 f6 0f 84 f6 00 00 00 49 8d 47 30
[ 696.397584] RIP: __cgroup_bpf_run_filter_skb+0xbb/0x1e0 RSP: ffff893fdcb83a70
[ 696.397607] ---[ end trace ec5c84424d511a6f ]---
[ 696.397616] Kernel panic - not syncing: Fatal exception in interrupt
[ 696.397876] Kernel Offset: 0xd600000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)

This is caused by net_cls and net_prio cgroups disabling cgroup BPF and
causing it to stop refcounting when allocating new sockets. Releasing those
sockets will cause the refcount to go negative, leading to the potential
use-after-free.

Though this revert won't prevent the issue from happening as it could still
theoretically be caused by setting net_cls.classid or net_prio.ifpriomap,
this will prevent it from happening on default system configurations. A
combination of systemd use of cgroup BPF and extensive cgroup use including
net_prio will cause this. Reports usually involve using lxd, libvirt,
docker or kubernetes and some systemd service with IPAddressDeny or
IPAddressAllow.

And though this patch has been introduced to avoid some potential memory
leaks, the cure is worse than the disease. We will need to revisit both
issues later on and reapply this patch when we have a real fix for the
crash.

Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Marcelo Henrique Cerri <email address hidden>
Acked-by: Ian May <email address hidden>
Signed-off-by: Khalid Elmously <email address hidden>

29660db... by Kleber Sacilotto de Souza

UBUNTU: Ubuntu-5.4.0-41.45

Signed-off-by: Kleber Sacilotto de Souza <email address hidden>

195dccf... by Kleber Sacilotto de Souza

UBUNTU: link-to-tracker: update tracking bug

BugLink: https://bugs.launchpad.net/bugs/1885855
Properties: no-test-build
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>

b76dadc... by Kleber Sacilotto de Souza

UBUNTU: update dkms package versions

BugLink: https://bugs.launchpad.net/bugs/1786013
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>

e3eabcb... by Daniel Axtens

kernel/relay.c: handle alloc_percpu returning NULL in relay_open

alloc_percpu() may return NULL, which means chan->buf may be set to NULL.
In that case, when we do *per_cpu_ptr(chan->buf, ...), we dereference an
invalid pointer:

  BUG: Unable to handle kernel data access at 0x7dae0000
  Faulting instruction address: 0xc0000000003f3fec
  ...
  NIP relay_open+0x29c/0x600
  LR relay_open+0x270/0x600
  Call Trace:
     relay_open+0x264/0x600 (unreliable)
     __blk_trace_setup+0x254/0x600
     blk_trace_setup+0x68/0xa0
     sg_ioctl+0x7bc/0x2e80
     do_vfs_ioctl+0x13c/0x1300
     ksys_ioctl+0x94/0x130
     sys_ioctl+0x48/0xb0
     system_call+0x5c/0x68

Check if alloc_percpu returns NULL.

This was found by syzkaller both on x86 and powerpc, and the reproducer
it found on powerpc is capable of hitting the issue as an unprivileged
user.

Fixes: 017c59c042d0 ("relay: Use per CPU constructs for the relay channel buffer pointers")
Reported-by: <email address hidden>
Reported-by: <email address hidden>
Reported-by: <email address hidden>
Reported-by: <email address hidden>
Signed-off-by: Daniel Axtens <email address hidden>
Signed-off-by: Andrew Morton <email address hidden>
Reviewed-by: Michael Ellerman <email address hidden>
Reviewed-by: Andrew Donnellan <email address hidden>
Acked-by: David Rientjes <email address hidden>
Cc: Akash Goel <email address hidden>
Cc: Andrew Donnellan <email address hidden>
Cc: Guenter Roeck <email address hidden>
Cc: Salvatore Bonaccorso <email address hidden>
Cc: <email address hidden> [4.10+]
Link: http://<email address hidden>
Signed-off-by: Linus Torvalds <email address hidden>

(cherry picked from commit 54e200ab40fc14c863bcc80a51e20b7906608fce)
CVE-2019-19642
Signed-off-by: Benjamin M Romer <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Thadeu Lima de Souza Cascardo <email address hidden>
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>