~xnox/ubuntu/+source/linux/+git/focal:hwe-5.8

Last commit made on 2021-09-24
Get this branch:
git clone -b hwe-5.8 https://git.launchpad.net/~xnox/ubuntu/+source/linux/+git/focal
Only Dimitri John Ledkov can upload to this branch.

Branch information

Name:
hwe-5.8
Repository:
lp:~xnox/ubuntu/+source/linux/+git/focal

Recent commits

8ef2619... by David Rientjes <email address hidden>

KVM: SVM: Periodically schedule when unregistering regions on destroy

There may be many encrypted regions that need to be unregistered when a
SEV VM is destroyed. This can lead to soft lockups. For example, on a
host running 4.15:

watchdog: BUG: soft lockup - CPU#206 stuck for 11s! [t_virtual_machi:194348]
CPU: 206 PID: 194348 Comm: t_virtual_machi
RIP: 0010:free_unref_page_list+0x105/0x170
...
Call Trace:
 [<0>] release_pages+0x159/0x3d0
 [<0>] sev_unpin_memory+0x2c/0x50 [kvm_amd]
 [<0>] __unregister_enc_region_locked+0x2f/0x70 [kvm_amd]
 [<0>] svm_vm_destroy+0xa9/0x200 [kvm_amd]
 [<0>] kvm_arch_destroy_vm+0x47/0x200
 [<0>] kvm_put_kvm+0x1a8/0x2f0
 [<0>] kvm_vm_release+0x25/0x30
 [<0>] do_exit+0x335/0xc10
 [<0>] do_group_exit+0x3f/0xa0
 [<0>] get_signal+0x1bc/0x670
 [<0>] do_signal+0x31/0x130

Although the CLFLUSH is no longer issued on every encrypted region to be
unregistered, there are no other changes that can prevent soft lockups for
very large SEV VMs in the latest kernel.

Periodically schedule if necessary. This still holds kvm->lock across the
resched, but since this only happens when the VM is destroyed this is
assumed to be acceptable.

Signed-off-by: David Rientjes <email address hidden>
Message-Id: <email address hidden>
Signed-off-by: Paolo Bonzini <email address hidden>
(cherry picked from commit 7be74942f184fdfba34ddd19a0d995deb34d4a03)
CVE-2020-36311
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Kleber Sacilotto de Souza <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>

3142618... by Nicholas Piggin <email address hidden>

KVM: do not allow mapping valid but non-reference-counted pages

It's possible to create a region which maps valid but non-refcounted
pages (e.g., tail pages of non-compound higher order allocations). These
host pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family
of APIs, which take a reference to the page, which takes it from 0 to 1.
When the reference is dropped, this will free the page incorrectly.

Fix this by only taking a reference on valid pages if it was non-zero,
which indicates it is participating in normal refcounting (and can be
released with put_page).

This addresses CVE-2021-22543.

Signed-off-by: Nicholas Piggin <email address hidden>
Tested-by: Paolo Bonzini <email address hidden>
Cc: <email address hidden>
Signed-off-by: Paolo Bonzini <email address hidden>
(cherry picked from commit f8be156be163a052a067306417cd0ff679068c97)
CVE-2021-22543
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Kleber Sacilotto de Souza <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>
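
The refcount transition described in the commit message above, as an added userspace model (not code from the commit or from the kernel). `page_model` and all function names are hypothetical; the point is the difference between an unconditional get and a get that refuses a zero count.

```c
#include <errno.h>
#include <stdatomic.h>
#include <stdbool.h>

/* Constructed userspace model of a host page; not kernel code. */
struct page_model {
    atomic_int refcount;   /* 0 = page does not take part in refcounting */
    bool       freed;      /* set when a put drops the count to zero */
};

void page_model_init(struct page_model *p, int refs)
{
    atomic_init(&p->refcount, refs);
    p->freed = false;
}

/* Drop one reference; the drop that reaches zero frees the page. */
void put_page_model(struct page_model *p)
{
    if (atomic_fetch_sub(&p->refcount, 1) == 1)
        p->freed = true;
}

/* Increment only if the count is already non-zero (compare-and-swap loop). */
bool get_page_unless_zero_model(struct page_model *p)
{
    int old = atomic_load(&p->refcount);

    while (old != 0)
        if (atomic_compare_exchange_weak(&p->refcount, &old, old + 1))
            return true;
    return false;
}

/* Before the fix: reference taken unconditionally, then released. */
int use_page_unchecked(struct page_model *p)
{
    atomic_fetch_add(&p->refcount, 1);   /* a tail page goes 0 -> 1 here */
    put_page_model(p);                   /* ... and 1 -> 0 marks it freed */
    return 0;
}

/* After the fix: refuse pages whose count is zero. */
int use_page_checked(struct page_model *p)
{
    if (!get_page_unless_zero_model(p))
        return -EFAULT;                  /* error value chosen for this model */
    put_page_model(p);
    return 0;
}
```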

54a3b4a... by Alexander Larkin

Input: joydev - prevent use of not validated data in JSIOCSBTNMAP ioctl

Even though we validate user-provided inputs we then traverse past
validated data when applying the new map. The issue was originally
discovered by Murray McAllister with this simple POC (if the following
is executed by an unprivileged user it will instantly panic the system):

int main(void) {
 int fd, ret;
 unsigned int buffer[10000];

 fd = open("/dev/input/js0", O_RDONLY);
 if (fd == -1)
  printf("Error opening file\n");

 ret = ioctl(fd, JSIOCSBTNMAP & ~IOCSIZE_MASK, &buffer);
 printf("%d\n", ret);
}

The solution is to traverse internal buffer which is guaranteed to only
contain valid data when constructing the map.

Fixes: 182d679b2298 ("Input: joydev - prevent potential read overflow in ioctl")
Fixes: 999b874f4aa3 ("Input: joydev - validate axis/button maps before clobbering current ones")
Reported-by: Murray McAllister <email address hidden>
Suggested-by: Linus Torvalds <email address hidden>
Signed-off-by: Alexander Larkin <email address hidden>
Link: https://<email address hidden>
Cc: <email address hidden>
Signed-off-by: Dmitry Torokhov <email address hidden>
(cherry picked from commit f8f84af5da9ee04ef1d271528656dac42a090d00)
CVE-2021-3612
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Kleber Sacilotto de Souza <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>
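
The validate-then-apply pattern described in the commit message above, as an added userspace model (not the driver's code and not part of the commit). `joydev_model`, `model_init` and `set_btnmap` are hypothetical names; the model assumes a small `nkey` and shows the reverse map being rebuilt from the internal buffer so that a request shorter than `nkey` entries never causes reads past the validated input.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed userspace model; the two constants match linux/input-event-codes.h. */
#define BTN_MISC 0x100
#define KEY_MAX  0x2ff
#define NKEYS    (KEY_MAX - BTN_MISC + 1)

struct joydev_model {
    int      nkey;            /* buttons the device actually has */
    uint16_t keypam[NKEYS];   /* button index -> key code */
    uint8_t  keymap[NKEYS];   /* key code - BTN_MISC -> button index */
};

/* Start from an identity map so the internal buffer only holds valid codes. */
void model_init(struct joydev_model *jd, int nkey)
{
    memset(jd, 0, sizeof(*jd));
    jd->nkey = nkey;
    for (int i = 0; i < nkey; i++) {
        jd->keypam[i] = (uint16_t)(BTN_MISC + i);
        jd->keymap[i] = (uint8_t)i;
    }
}

/* `user` holds `len` caller-controlled bytes; `len` may cover fewer than nkey entries. */
int set_btnmap(struct joydev_model *jd, const uint16_t *user, size_t len)
{
    size_t n;

    if (len % sizeof(*user))
        return -EINVAL;
    if (len > sizeof(jd->keypam))
        len = sizeof(jd->keypam);
    n = len / sizeof(*user);

    /* Validate exactly the entries that were supplied, before touching state. */
    for (size_t i = 0; i < n && i < (size_t)jd->nkey; i++)
        if (user[i] > KEY_MAX || user[i] < BTN_MISC)
            return -EINVAL;

    memcpy(jd->keypam, user, len);

    /* Rebuild the reverse map from the internal buffer, never from `user`:
     * `user` has only n validated entries, the internal buffer has nkey. */
    for (int i = 0; i < jd->nkey; i++)
        jd->keymap[jd->keypam[i] - BTN_MISC] = (uint8_t)i;
    return 0;
}
```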

0d097b0... by Esben Haabendal <email address hidden>

net: ll_temac: Fix TX BD buffer overwrite

Just as the initial check, we need to ensure num_frag+1 buffers available,
as that is the number of buffers we are going to use.

This fixes a buffer overflow, which might be seen during heavy network
load. Complete lockup of TEMAC was reproducible within about 10 minutes of
a particular load.

Fixes: 84823ff80f74 ("net: ll_temac: Fix race condition causing TX hang")
Cc: <email address hidden> # v5.4+
Signed-off-by: Esben Haabendal <email address hidden>
Signed-off-by: David S. Miller <email address hidden>
(cherry picked from commit c364df2489b8ef2f5e3159b1dff1ff1fdb16040d)
CVE-2021-38207
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Kleber Sacilotto de Souza <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>

2bf7fd7... by Theodore Ts'o

ext4: fix race writing to an inline_data file while its xattrs are changing

The location of the system.data extended attribute can change whenever
xattr_sem is not taken. So we need to recalculate the i_inline_off
field since it might have changed between ext4_write_begin() and
ext4_write_end().

This means that caching i_inline_off is probably not helpful, so in
the long run we should probably get rid of it and shrink the in-memory
ext4 inode slightly, but let's fix the race the simple way for now.

Cc: <email address hidden>
Fixes: f19d5870cbf72 ("ext4: add normal write support for inline data")
Reported-by: <email address hidden>
Signed-off-by: Theodore Ts'o <email address hidden>
(cherry picked from commit a54c4613dac1500b40e4ab55199f7c51f028e848)
CVE-2021-40490
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Tim Gardner <email address hidden>
Acked-by: Kelsey Skunberg <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>

6da3b96... by Tim Gardner

UBUNTU: [Config] hwe-5.8: Fix annotation syntax errors

Ignore: yes
Signed-off-by: Tim Gardner <email address hidden>

76cce7d... by Andy Whitcroft

UBUNTU: [Packaging] switch to kernel-versions

Switch to obtaining the DKMS package versions from the kernel-versions
dataset rather than from the archive. This allows it to be more
resilient against parallel update of those versions in the archive.

Replace the existing `update-versions-dkms` script with
`update-dkms-versions`. This change in name is deliberate as the new
script must be called at a different stage of the crank process, it must
follow the `cranky link-tb` stage to obtain the correct versions. See
the crank documentation for details.

BugLink: https://bugs.launchpad.net/bugs/1928921
Properties: no-test-build
Acked-by: Stefan Bader <email address hidden>
Acked-by: Kleber Sacilotto de Souza <email address hidden>
Signed-off-by: Andy Whitcroft <email address hidden>

a92b2c4... by Stefan Bader

UBUNTU: Ubuntu-hwe-5.8-5.8.0-65.73

Signed-off-by: Stefan Bader <email address hidden>

1d936e4... by Stefan Bader

UBUNTU: debian/dkms-versions -- update from kernel-versions (main/2021.08.16)

BugLink: https://bugs.launchpad.net/bugs/1786013
Signed-off-by: Stefan Bader <email address hidden>

69b38de... by Stefan Bader

UBUNTU: link-to-tracker: update tracking bug

BugLink: https://bugs.launchpad.net/bugs/1939805
Properties: no-test-build
Signed-off-by: Stefan Bader <email address hidden>