This bug was fixed in the package linux - 4.15.0-163.171

---------------
linux (4.15.0-163.171) bionic; urgency=medium

  * bionic/linux: 4.15.0-163.171 -proposed tracker (LP: #1949874)

  * Packaging resync (LP: #1786013)
    - [Packaging] update Ubuntu.md
    - debian/dkms-versions -- update from kernel-versions (main/2021.11.08)

  * Unable to build net/reuseport_bpf and other tests in ubuntu_kernel_selftests
    on Bionic with make command (LP: #1949889)
    - selftests: Fix loss of test output in run_kselftests.sh
    - selftests: Makefile set KSFT_TAP_LEVEL to prevent nested TAP headers
    - selftests: fix headers_install circular dependency
    - selftests: fix bpf build/test workflow regression when KBUILD_OUTPUT is
      set
    - selftests: vm: Fix test build failure when built by itself

  * KVM emulation failure when booting into  VM crash kernel with multiple CPUs
    (LP: #1948862)
    - KVM: x86: Properly reset MMU context at vCPU RESET/INIT

  * aufs: kernel bug with apparmor and fuseblk (LP: #1948470)
    - SAUCE: aufs: bugfix, stop omitting path->mnt

  * ebpf:  bpf_redirect fails with ip6 gre interfaces (LP: #1947164)
    - net: handle ARPHRD_IP6GRE in dev_is_mac_header_xmit()

  * require CAP_NET_ADMIN to attach N_HCI ldisc (LP: #1949516)
    - Bluetooth: hci_ldisc: require CAP_NET_ADMIN to attach N_HCI ldisc

  * ACL updates on OCFS2 are not revalidated (LP: #1947161)
    - ocfs2: fix remounting needed after setfacl command

  * ppc64 BPF JIT mod by 1 will not return 0 (LP: #1948351)
    - powerpc/bpf: Fix BPF_MOD when imm == 1

  * Drop "UBUNTU: SAUCE: cachefiles: Page leaking in
    cachefiles_read_backing_file while vmscan is active" (LP: #1947709)
    - Revert "UBUNTU: SAUCE: cachefiles: Page leaking in
      cachefiles_read_backing_file while vmscan is active"
    - cachefiles: Fix page leak in cachefiles_read_backing_file while vmscan is
      active

  * Some test in ubuntu_bpf test_verifier failed on i386 Bionic kernel
    (LP: #1788578)
    - bpf: fix context access in tracing progs on 32 bit archs

  * test_bpf.sh from ubuntu_kernel_selftests.net from linux ADT test failure
    with linux/4.15.0-149.153 i386 (Segmentation fault) (LP: #1934414)
    - selftests/bpf: make test_verifier run most programs
    - bpf: add couple of test cases for div/mod by zero
    - bpf: add further test cases around div/mod and others

  * Bionic update: upstream stable patchset 2021-11-02 (LP: #1949512)
    - usb: gadget: r8a66597: fix a loop in set_feature()
    - usb: musb: tusb6010: uninitialized data in tusb_fifo_write_unaligned()
    - cifs: fix incorrect check for null pointer in header_assemble
    - xen/x86: fix PV trap handling on secondary processors
    - usb-storage: Add quirk for ScanLogic SL11R-IDE older than 2.6c
    - USB: serial: cp210x: add ID for GW Instek GDM-834x Digital Multimeter
    - staging: greybus: uart: fix tty use after free
    - Re-enable UAS for LaCie Rugged USB3-FW with fk quirk
    - USB: serial: mos7840: remove duplicated 0xac24 device ID
    - USB: serial: option: add Telit LN920 compositions
    - USB: serial: option: remove duplicate USB device ID
    - USB: serial: option: add device id for Foxconn T99W265
    - mcb: fix error handling in mcb_alloc_bus()
    - serial: mvebu-uart: fix driver's tx_empty callback
    - net: hso: fix muxed tty registration
    - bnxt_en: Fix TX timeout when TX ring size is set to the smallest
    - net/mlx4_en: Don't allow aRFS for encapsulated packets
    - scsi: iscsi: Adjust iface sysfs attr detection
    - thermal/core: Potential buffer overflow in
      thermal_build_list_of_policies()
    - irqchip/gic-v3-its: Fix potential VPE leak on error
    - md: fix a lock order reversal in md_alloc
    - blktrace: Fix uaf in blk_trace access after removing by sysfs
    - net: macb: fix use after free on rmmod
    - net: stmmac: allow CSR clock of 300MHz
    - m68k: Double cast io functions to unsigned long
    - xen/balloon: use a kernel thread instead a workqueue
    - compiler.h: Introduce absolute_pointer macro
    - net: i825xx: Use absolute_pointer for memcpy from fixed memory location
    - sparc: avoid stringop-overread errors
    - qnx4: avoid stringop-overread errors
    - parisc: Use absolute_pointer() to define PAGE0
    - arm64: Mark __stack_chk_guard as __ro_after_init
    - alpha: Declare virt_to_phys and virt_to_bus parameter as pointer to
      volatile
    - net: 6pack: Fix tx timeout and slot time
    - spi: Fix tegra20 build with CONFIG_PM=n
    - arm64: dts: marvell: armada-37xx: Extend PCIe MEM space
    - PCI: aardvark: Fix checking for PIO Non-posted Request
    - PCI: aardvark: Fix checking for PIO status
    - xen/balloon: fix balloon kthread freezing
    - qnx4: work around gcc false positive warning bug
    - tty: Fix out-of-bound vmalloc access in imageblit
    - cpufreq: schedutil: Use kobject release() method to free sugov_tunables
    - cpufreq: schedutil: Destroy mutex before kobject_put() frees the memory
    - mac80211: fix use-after-free in CCMP/GCMP RX
    - ipvs: check that ip_vs_conn_tab_bits is between 8 and 20
    - mac80211: Fix ieee80211_amsdu_aggregate frag_tail bug
    - mac80211: limit injected vht mcs/nss in ieee80211_parse_tx_radiotap
    - sctp: break out if skb_header_pointer returns NULL in sctp_rcv_ootb
    - hwmon: (tmp421) fix rounding for negative values
    - e100: fix length calculation in e100_get_regs_len
    - e100: fix buffer overrun in e100_get_regs
    - scsi: csiostor: Add module softdep on cxgb4
    - af_unix: fix races in sk_peer_pid and sk_peer_cred accesses
    - ipack: ipoctal: fix stack information leak
    - ipack: ipoctal: fix tty registration race
    - ipack: ipoctal: fix tty-registration error handling
    - ipack: ipoctal: fix missing allocation-failure check
    - ipack: ipoctal: fix module reference leak
    - ext4: fix potential infinite loop in ext4_dx_readdir()
    - net: udp: annotate data race around udp_sk(sk)->corkflag
    - EDAC/synopsys: Fix wrong value type assignment for edac_mode
    - ARM: 9077/1: PLT: Move struct plt_entries definition to header
    - ARM: 9078/1: Add warn suppress parameter to arm_gen_branch_link()
    - ARM: 9079/1: ftrace: Add MODULE_PLTS support
    - ARM: 9098/1: ftrace: MODULE_PLT: Fix build problem without DYNAMIC_FTRACE
    - arm64: Extend workaround for erratum 1024718 to all versions of Cortex-A55
    - hso: fix bailout in error case of probe
    - usb: hso: fix error handling code of hso_create_net_device
    - usb: hso: remove the bailout parameter
    - crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd()
    - HID: betop: fix slab-out-of-bounds Write in betop_probe
    - netfilter: ipset: Fix oversized kvmalloc() calls
    - HID: usbhid: free raw_report buffers in usbhid_stop
    - cred: allow get_cred() and put_cred() to be given NULL.
    - gpio: uniphier: Fix void functions to remove return value
    - tty: synclink_gt, drop unneeded forward declarations
    - tty: synclink_gt: rename a conflicting function name
    - drm/amd/display: Pass PCI deviceid into DC
    - hwmon: (tmp421) Replace S_<PERMS> with octal values
    - hwmon: (tmp421) report /PVLD condition as fault

  * ACL updates on OCFS2 are not revalidated (LP: #1947161) // Bionic update:
    upstream stable patchset 2021-11-02 (LP: #1949512)
    - ocfs2: drop acl cache for directories too

 -- Kleber Sacilotto de Souza <kleber.so...@canonical.com>  Fri, 05 Nov 2021 12:22:08 +0100

** Changed in: linux (Ubuntu Bionic)
       Status: Fix Committed => Fix Released

** Changed in: linux (Ubuntu Focal)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1947709

Title:
  Drop "UBUNTU: SAUCE: cachefiles: Page leaking in
  cachefiles_read_backing_file while vmscan is active"

Status in linux package in Ubuntu:
  Confirmed
Status in linux source package in Bionic:
  Fix Released
Status in linux source package in Focal:
  Fix Released
Status in linux source package in Hirsute:
  Fix Released
Status in linux source package in Impish:
  Fix Released
Status in linux source package in Jammy:
  Confirmed

Bug description:
  [Impact]

  "UBUNTU: SAUCE: cachefiles: Page leaking in
  cachefiles_read_backing_file while vmscan is active" has been applied
  to fix a page leaking issue.

  However a slightly different fix has been applied upstream:

  9a24ce5b66f9c8190d63b15f4473600db4935f1f cachefiles: Fix page leak in
  cachefiles_read_backing_file while vmscan is active

  Basically we are fixing the same issue in two different ways at the
  same time, but even worse our patch can introduce a potential NULL
  pointer dereference: we do a put_page(newpage) and set newpage = NULL
  in the main for() loop and then we may do additional put_page(newpage)
  after the main for loop if ret == -EEXIST, that would trigger the NULL
  pointer dereference.

  [Test case]

  No test case or reproducer is available at the moment, this issue has
  been found simply by reviewing the code.

  [Fix]

  Drop the SAUCE patch and rely on the upstream fix.

  [Regression potential]

  If the analysis is not correct we may re-introduce a page leak in
  cachefiles (NFS for example), but it seems unlikely to happen, since the
  upstream fix is addressing the page leaking already.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1947709/+subscriptions
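
The control flow described under [Impact], as an added userspace C model (not the Ubuntu SAUCE patch and not the upstream kernel code). The names struct outcome, put_page_model, read_backing_model and its parameters are hypothetical, and the check_null variant is an illustrative defensive check, not the upstream fix.

```c
#include <errno.h>
#include <stddef.h>

/* Userspace stand-in for struct page: only the reference count matters. */
struct page { int refcount; };

struct outcome {
    int null_puts;  /* put calls that received NULL (a crash in-kernel) */
    int refcount;   /* references left on the spare page at return */
};

/* The kernel's put_page() dereferences its argument. The model records a
 * NULL argument instead of crashing so the faulty path can be counted. */
static void put_page_model(struct page *p, struct outcome *o)
{
    if (!p) {
        o->null_puts++;
        return;
    }
    p->refcount--;
}

/*
 * Control flow as the bug description states it (names are hypothetical):
 *   - inside the loop the spare page may be released and the pointer cleared;
 *   - after the loop, ret == -EEXIST triggers another put on the same pointer.
 * check_null selects a defensive variant of the post-loop put.
 */
static struct outcome read_backing_model(int drop_in_loop, int ret, int check_null)
{
    struct page spare = { .refcount = 1 };  /* constructed sample page */
    struct page *newpage = &spare;
    struct outcome o = { 0, 0 };
    int i;

    for (i = 0; i < 3; i++) {               /* stands in for the main for() loop */
        if (drop_in_loop && newpage) {
            put_page_model(newpage, &o);
            newpage = NULL;
        }
    }
    if (ret == -EEXIST && (!check_null || newpage))
        put_page_model(newpage, &o);        /* NULL here when the loop dropped it */

    o.refcount = spare.refcount;
    return o;
}
```

Only the combination "dropped in the loop" plus ret == -EEXIST reaches the NULL put, which is consistent with the issue being found by code review rather than by a reproducer.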

