This bug was fixed in the package linux - 4.15.0-46.49
---------------
linux (4.15.0-46.49) bionic; urgency=medium
* linux: 4.15.0-46.49 -proposed tracker (LP: #1814726)
* mprotect fails on ext4 with dax (LP: #1799237)
- x86/speculation/l1tf: Exempt zeroed PTEs from inversion
* kernel BUG at /build/linux-vxxS7y/linux-4.15.0/mm/slub.c:296! (LP: #1812086)
- iscsi target: fix session creation failure handling
- scsi: iscsi: target: Set conn->sess to NULL when iscsi_login_set_conn_values fails
- scsi: iscsi: target: Fix conn_ops double free
* user_copy in user from ubuntu_kernel_selftests failed on KVM kernel (LP: #1812198)
- selftests: user: return Kselftest Skip code for skipped tests
- selftests: kselftest: change KSFT_SKIP=4 instead of KSFT_PASS
- selftests: kselftest: Remove outdated comment
* RTL8822BE WiFi Disabled in Kernel 4.18.0-12 (LP: #1806472)
- SAUCE: staging: rtlwifi: allow RTLWIFI_DEBUG_ST to be disabled
- [Config] CONFIG_RTLWIFI_DEBUG_ST=n
- SAUCE: Add r8822be to signature inclusion list
* kernel oops in bcache module (LP: #1793901)
- SAUCE: bcache: never writeback a discard operation
* CVE-2018-18397
- userfaultfd: use ENOENT instead of EFAULT if the atomic copy user fails
- userfaultfd: shmem: allocate anonymous memory for MAP_PRIVATE shmem
- userfaultfd: shmem/hugetlbfs: only allow to register VM_MAYWRITE vmas
- userfaultfd: shmem: add i_size checks
- userfaultfd: shmem: UFFDIO_COPY: set the page dirty if VM_WRITE is not set
* Ignore "incomplete report" from Elan touchpanels (LP: #1813733)
- HID: i2c-hid: Ignore input report if there's no data present on Elan touchpanels
* Vsock connect fails with ENODEV for large CID (LP: #1813934)
- vhost/vsock: fix vhost vsock cid hashing inconsistent
* SRU: Fix thinkpad 11e 3rd boot hang (LP: #1804604)
- ACPI / LPSS: Force LPSS quirks on boot
* Bionic update: upstream stable patchset 2019-01-17 (LP: #1812229)
- scsi: sd_zbc: Fix variable type and bogus comment
- KVM/Eventfd: Avoid crash when assign and deassign specific eventfd in parallel.
- x86/apm: Don't access __preempt_count with zeroed fs
- x86/events/intel/ds: Fix bts_interrupt_threshold alignment
- x86/MCE: Remove min interval polling limitation
- fat: fix memory allocation failure handling of match_strdup()
- ALSA: hda/realtek - Add Panasonic CF-SZ6 headset jack quirk
- ARCv2: [plat-hsdk]: Save accl reg pair by default
- ARC: Fix CONFIG_SWAP
- ARC: configs: Remove CONFIG_INITRAMFS_SOURCE from defconfigs
- ARC: mm: allow mprotect to make stack mappings executable
- mm: memcg: fix use after free in mem_cgroup_iter()
- mm/huge_memory.c: fix data loss when splitting a file pmd
- cpufreq: intel_pstate: Register when ACPI PCCH is present
- vfio/pci: Fix potential Spectre v1
- stop_machine: Disable preemption when waking two stopper threads
- drm/i915: Fix hotplug irq ack on i965/g4x
- drm/nouveau: Use drm_connector_list_iter_* for iterating connectors
- drm/nouveau: Avoid looping through fake MST connectors
- gen_stats: Fix netlink stats dumping in the presence of padding
- ipv4: Return EINVAL when ping_group_range sysctl doesn't map to user ns
- ipv6: fix useless rol32 call on hash
- ipv6: ila: select CONFIG_DST_CACHE
- lib/rhashtable: consider param->min_size when setting initial table size
- net: diag: Don't double-free TCP_NEW_SYN_RECV sockets in tcp_abort
- net: Don't copy pfmemalloc flag in __copy_skb_header()
- skbuff: Unconditionally copy pfmemalloc in __skb_clone()
- net/ipv4: Set oif in fib_compute_spec_dst
- net: phy: fix flag masking in __set_phy_supported
- ptp: fix missing break in switch
- qmi_wwan: add support for Quectel EG91
- tg3: Add higher cpu clock for 5762.
- hv_netvsc: Fix napi reschedule while receive completion is busy
- net/mlx4_en: Don't reuse RX page when XDP is set
- net: systemport: Fix CRC forwarding check for SYSTEMPORT Lite
- ipv6: make DAD fail with enhanced DAD when nonce length differs
- net: usb: asix: replace mii_nway_restart in resume path
- alpha: fix osf_wait4() breakage
- cxl_getfile(): fix double-iput() on alloc_file() failures
- powerpc/powernv: Fix save/restore of SPRG3 on entry/exit from stop (idle)
- xhci: Fix perceived dead host due to runtime suspend race with event handler
- KVM: irqfd: fix race between EPOLLHUP and irq_bypass_register_consumer
- x86/kvmclock: set pvti_cpu0_va after enabling kvmclock
- ALSA: hda/realtek - Yet another Clevo P950 quirk entry
- drm/amdgpu: Reserve VM root shared fence slot for command submission (v3)
- rhashtable: add restart routine in rhashtable_free_and_destroy()
- sch_fq_codel: zero q->flows_cnt when fq_codel_init fails
- sctp: introduce sctp_dst_mtu
- sctp: fix the issue that pathmtu may be set lower than MINSEGMENT
- net: aquantia: vlan unicast address list correct handling
- drm_mode_create_lease_ioctl(): fix open-coded filp_clone_open()
* Bionic update: upstream stable patchset 2019-01-15 (LP: #1811877)
- compiler-gcc.h: Add __attribute__((gnu_inline)) to all inline declarations
- x86/asm: Add _ASM_ARG* constants for argument registers to <asm/asm.h>
- x86/paravirt: Make native_save_fl() extern inline
- Btrfs: fix duplicate extents after fsync of file with prealloc extents
- cpufreq / CPPC: Set platform specific transition_delay_us
- PCI: exynos: Fix a potential init_clk_resources NULL pointer dereference
- alx: take rtnl before calling __alx_open from resume
- atm: Preserve value of skb->truesize when accounting to vcc
- atm: zatm: Fix potential Spectre v1
- ipv6: sr: fix passing wrong flags to crypto_alloc_shash()
- ipvlan: fix IFLA_MTU ignored on NEWLINK
- ixgbe: split XDP_TX tail and XDP_REDIRECT map flushing
- net: dccp: avoid crash in ccid3_hc_rx_send_feedback()
- net: dccp: switch rx_tstamp_last_feedback to monotonic clock
- net: fix use-after-free in GRO with ESP
- net: macb: Fix ptp time adjustment for large negative delta
- net/mlx5e: Avoid dealing with vport representors if not being e-switch manager
- net/mlx5: E-Switch, Avoid setup attempt if not being e-switch manager
- net/mlx5: Fix command interface race in polling mode
- net/mlx5: Fix incorrect raw command length parsing
- net/mlx5: Fix required capability for manipulating MPFS
- net/mlx5: Fix wrong size allocation for QoS ETC TC regitster
- net: mvneta: fix the Rx desc DMA address in the Rx path
- net/packet: fix use-after-free
- net_sched: blackhole: tell upper qdisc about dropped packets
- net: sungem: fix rx checksum support
- net/tcp: Fix socket lookups with SO_BINDTODEVICE
- qede: Adverstise software timestamp caps when PHC is not available.
- qed: Fix setting of incorrect eswitch mode.
- qed: Fix use of incorrect size in memcpy call.
- qed: Limit msix vectors in kdump kernel to the minimum required count.
- r8152: napi hangup fix after disconnect
- stmmac: fix DMA channel hang in half-duplex mode
- strparser: Remove early eaten to fix full tcp receive buffer stall
- tcp: fix Fast Open key endianness
- tcp: prevent bogus FRTO undos with non-SACK flows
- vhost_net: validate sock before trying to put its fd
- VSOCK: fix loopback on big-endian systems
- net: cxgb3_main: fix potential Spectre v1
- rtlwifi: Fix kernel Oops "Fw download fail!!"
- rtlwifi: rtl8821ae: fix firmware is not ready to run
- net: lan78xx: Fix race in tx pending skb size calculation
- crypto: af_alg - Initialize sg_num_bytes in error code path
- mtd: rawnand: denali_dt: set clk_x_rate to 200 MHz unconditionally
- PCI: hv: Disable/enable IRQs rather than BH in hv_compose_msi_msg()
- netfilter: ebtables: reject non-bridge targets
- reiserfs: fix buffer overflow with long warning messages
- KEYS: DNS: fix parsing multiple options
- tls: Stricter error checking in zerocopy sendmsg path
- autofs: fix slab out of bounds read in getname_kernel()
- nsh: set mac len based on inner packet
- bdi: Fix another oops in wb_workfn()
- rds: avoid unenecessary cong_update in loop transport
- net/nfc: Avoid stalls when nfc_alloc_send_skb() returned NULL.
- string: drop __must_check from strscpy() and restore strscpy() usages in cgroup
- nfsd: COPY and CLONE operations require the saved filehandle to be set
- net/sched: act_ife: fix recursive lock and idr leak
- net/sched: act_ife: preserve the action control in case of error
- hinic: reset irq affinity before freeing irq
- nfp: flower: fix mpls ether type detection
- net: macb: initialize bp->queues[0].bp for at91rm9200
- enic: do not overwrite error code
- virtio_net: fix memory leak in XDP_REDIRECT
- netfilter: ipv6: nf_defrag: drop skb dst before queueing
- ipvs: initialize tbl->entries after allocation
- ipvs: initialize tbl->entries in ip_vs_lblc_init_svc()
- bpf: enforce correct alignment for instructions
- bpf, arm32: fix to use bpf_jit_binary_lock_ro api
* Fix non-working pinctrl-intel (LP: #1811777)
- pinctrl: intel: Implement intel_gpio_get_direction callback
- pinctrl: intel: Do pin translation in other GPIO operations as well
* ip6_gre: fix tunnel list corruption for x-netns (LP: #1812875)
- ip6_gre: fix tunnel list corruption for x-netns
* Userspace break as a result of missing patch backport (LP: #1813873)
- tty: Don't hold ldisc lock in tty_reopen() if ldisc present
* kvm_stat : missing python dependency (LP: #1798776)
- tools/kvm_stat: fix python3 issues
- tools/kvm_stat: switch to python3
* [SRU] Fix Xorg crash with nomodeset when BIOS enable 64-bit fb addr (LP: #1812797)
- vgaarb: Add support for 64-bit frame buffer address
- vgaarb: Keep adding VGA device in queue
* Fix non-working QCA Rome Bluetooth after S3 (LP: #1812812)
- USB: Add new USB LPM helpers
- USB: Consolidate LPM checks to avoid enabling LPM twice
* ptrace-tm-spd-gpr in powerpc/ptrace from ubuntu_kerenl_selftests failed on Bionic P8 (LP: #1813127)
- selftests/powerpc: Fix ptrace tm failure
* [SRU] IO's are issued with incorrect Scatter Gather Buffer (LP: #1795453)
- scsi: megaraid_sas: Use 63-bit DMA addressing
* Consider enabling CONFIG_NETWORK_PHY_TIMESTAMPING (LP: #1785816)
- [Config] Enable timestamping in network PHY devices
* CVE-2018-19854
- crypto: user - fix leaking uninitialized memory to userspace
* x86/mm: Found insecure W+X mapping at address (ptrval)/0xc00a0000 (LP: #1813532)
- x86/mm: Do not warn about PCI BIOS W+X mappings
* CVE-2019-6133
- fork: record start_time late
* Fix not working Goodix touchpad (LP: #1811929)
- HID: i2c-hid: Disable runtime PM on Goodix touchpad
* bluetooth controller not detected with 4.15 kernel (LP: #1810797)
- SAUCE: btqcomsmd: introduce BT_QCOMSMD_HACK
- [Config] arm64: snapdragon: BT_QCOMSMD_HACK=y
* X1 Extreme: only one of the two SSDs is loaded (LP: #1811755)
- nvme-core: rework a NQN copying operation
- nvme: pad fake subsys NQN vid and ssvid with zeros
- nvme: introduce NVME_QUIRK_IGNORE_DEV_SUBNQN
* Crash on "ip link add foo type ipip" (LP: #1811803)
- SAUCE: fan: Fix NULL pointer dereference
-- Khalid Elmously <[email protected]> Wed, 06 Feb 2019 04:57:21 +0000
** Changed in: linux (Ubuntu Bionic)
Status: Fix Committed => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-18397
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-19854
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-6133
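
A host-side check for the upload above, added here as an example and not part of the Launchpad message: it reads the kernel's version signature (the format shown in the report's ProcVersionSignature field) and compares it with 4.15.0-46.49. The function names and the flavour list are assumptions made for this example.

```python
import re

# Version named in the changelog above as carrying the fixes.
FIXED = "4.15.0-46.49"

# /proc/version_signature, as in the report's ProcVersionSignature field:
# "Ubuntu <major>.<minor>.<patch>-<abi>.<upload>-<flavour> <mainline version>"
SIG_RE = re.compile(r"^Ubuntu (\d+)\.(\d+)\.(\d+)-(\d+)\.(\d+)-(\S+) \S+$")
VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)\.(\d+)$")


def parse_signature(sig):
    """Return ((major, minor, patch, abi, upload), flavour) or None."""
    m = SIG_RE.match(sig.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups()[:5]), m.group(6)


def fix_status(sig, fixed=FIXED):
    """Classify a signature as 'fixed', 'unfixed' or 'unknown'."""
    parsed = parse_signature(sig)
    if parsed is None:
        return "unknown"
    version, flavour = parsed
    target = tuple(int(x) for x in VER_RE.match(fixed).groups())
    # The changelog covers only the bionic "linux" source package. Other
    # series, backports (version suffixes such as "~16.04.1") and derivative
    # flavours carry their own version numbers, so they are reported as
    # unknown. Assumption: generic and lowlatency are the flavours of interest.
    if version[:3] != target[:3] or flavour not in ("generic", "lowlatency"):
        return "unknown"
    return "fixed" if version[3:] >= target[3:] else "unfixed"


if __name__ == "__main__":
    try:
        with open("/proc/version_signature") as f:
            print(fix_status(f.read()))
    except OSError:
        print("unknown")
```

A result of "fixed" only says the running kernel is at or past this upload; an installed but not yet booted kernel does not change it.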
--
https://bugs.launchpad.net/bugs/1799237
Title:
mprotect fails on ext4 with dax
Status in Ubuntu:
Invalid
Status in linux package in Ubuntu:
Invalid
Status in pmdk package in Ubuntu:
Invalid
Status in linux source package in Bionic:
Fix Released
Bug description:
I have a file located on ext4 mounted with "dax". When I call mmap on that
file with protection flag different than PROT_NONE and pass the returned
address to mprotect(..., PROT_NONE) it fails with:
mprotect: Permission denied
This bug affects PMDK (https://github.com/pmem/pmdk) and seems to be Ubuntu
kernel-specific.
Problem was observed on kernel 4.15.0-36-generic and 4.15.0-34-generic
Below is code which can be used to reproduce the issue.
    #include <sys/stat.h>
    #include <sys/types.h>
    #include <sys/mman.h>
    #include <stdlib.h>
    #include <stdio.h>
    #include <fcntl.h>

    int main(int argc, char *argv[])
    {
        if (argc < 3) {
            fprintf(stderr, "usage %s file size\n", argv[0]);
            return 1;
        }

        /* argv[1]: file on the ext4 filesystem mounted with "dax" */
        /* argv[2]: number of bytes to map */
        int size = atoi(argv[2]);

        int fd = open(argv[1], O_RDWR);
        if (fd < 0) {
            perror("open");
            return 1;
        }

        /* Shared, readable and writable mapping of the file */
        void *addr = mmap(NULL, size, PROT_READ | PROT_WRITE,
                          MAP_SHARED, fd, 0);
        if (addr == MAP_FAILED) {
            perror("mmap");
            return 1;
        }

        /* On the affected kernels this call fails with "Permission denied" */
        if (mprotect(addr, size, PROT_NONE)) {
            perror("mprotect");
            return 1;
        }

        return 0;
    }
---
ProblemType: Bug
ApportVersion: 2.20.9-0ubuntu7.4
Architecture: amd64
AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq',
'/dev/snd/timer'] failed with exit code 1:
CRDA: Error: command ['iw', 'reg', 'get'] failed with exit code 1: nl80211
not found.
CurrentDesktop: ubuntu:GNOME
DistroRelease: Ubuntu 18.04
InstallationDate: Installed on 2018-10-23 (0 days ago)
InstallationMedia: Ubuntu 18.04.1 LTS "Bionic Beaver" - Release amd64
(20180725)
IwConfig:
lo no wireless extensions.
enp0s3 no wireless extensions.
Lsusb:
Bus 001 Device 002: ID 80ee:0021 VirtualBox USB Tablet
Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
MachineType: innotek GmbH VirtualBox
Package: linux (not installed)
ProcFB:
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.15.0-36-generic
root=UUID=48e87c4c-3028-4252-b7bb-e1e6091ff7f6 ro quiet splash
ProcVersionSignature: Ubuntu 4.15.0-36.39-generic 4.15.18
RelatedPackageVersions:
linux-restricted-modules-4.15.0-36-generic N/A
linux-backports-modules-4.15.0-36-generic N/A
linux-firmware 1.173.1
RfKill:
Tags: bionic
Uname: Linux 4.15.0-36-generic x86_64
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm cdrom dip lpadmin plugdev sambashare sudo
_MarkForUpload: True
dmi.bios.date: 12/01/2006
dmi.bios.vendor: innotek GmbH
dmi.bios.version: VirtualBox
dmi.board.name: VirtualBox
dmi.board.vendor: Oracle Corporation
dmi.board.version: 1.2
dmi.chassis.type: 1
dmi.chassis.vendor: Oracle Corporation
dmi.modalias:
dmi:bvninnotekGmbH:bvrVirtualBox:bd12/01/2006:svninnotekGmbH:pnVirtualBox:pvr1.2:rvnOracleCorporation:rnVirtualBox:rvr1.2:cvnOracleCorporation:ct1:cvr:
dmi.product.family: Virtual Machine
dmi.product.name: VirtualBox
dmi.product.version: 1.2
dmi.sys.vendor: innotek GmbH