[Kernel-packages] [Bug 1960427] Re: Add inner_ipproto into sec_path
This bug was fixed in the package linux-bluefield - 5.4.0-1032.35 --- linux-bluefield (5.4.0-1032.35) focal; urgency=medium * focal/linux-bluefield: 5.4.0-1032.35 -proposed tracker (LP: #1966249) [ Ubuntu: 5.4.0-107.121 ] * focal/linux: 5.4.0-107.121 -proposed tracker (LP: #1966275) * CVE-2022-27666 - esp: Fix possible buffer overflow in ESP transformation * CVE-2022-1055 - net: sched: fix use-after-free in tc_new_tfilter() * Pick fixup from v5.4.176 upstream stable release to address cert failure with clock jitter test in NUC7i3DNHE (LP: #1964204) - Bluetooth: refactor malicious adv data check linux-bluefield (5.4.0-1031.34) focal; urgency=medium * focal/linux-bluefield: 5.4.0-1031.34 -proposed tracker (LP: #1964182) * IPsec tunnel mode fix inner_ipproto setting in sec_path (LP: #1960430) - net/xfrm: IPsec tunnel mode fix inner_ipproto setting in sec_path * Add inner_ipproto into sec_path (LP: #1960427) - net/xfrm: Add inner_ipproto into sec_path [ Ubuntu: 5.4.0-105.119 ] * CVE-2022-0847 - lib/iov_iter: initialize "flags" in new pipe_buffer * Broken network on some AWS instances with focal/impish kernels (LP: #1961968) - SAUCE: Revert "PCI/MSI: Mask MSI-X vectors only on success" * [UBUNTU 20.04] kernel: Add support for CPU-MF counter second version 7 (LP: #1960182) - s390/cpumf: Support for CPU Measurement Facility CSVN 7 - s390/cpumf: Support for CPU Measurement Sampling Facility LS bit * Hipersocket page allocation failure on Ubuntu 20.04 based SSC environments (LP: #1959529) - s390/qeth: use memory reserves to back RX buffers * CVE-2022-0516 - KVM: s390: Return error on SIDA memop on normal guest * CVE-2022-0435 - tipc: improve size validations for received domain records * CVE-2022-0492 - cgroup-v1: Require capabilities to set release_agent * Recalled NFSv4 files delegations overwhelm server (LP: #1957986) - NFSv4: Fix delegation handling in update_open_stateid() - NFSv4: nfs4_callback_getattr() should ignore revoked delegations - NFSv4: Delegation recalls should not find revoked delegations - NFSv4: fail nfs4_refresh_delegation_stateid() when the delegation was revoked - NFS: Rename nfs_inode_return_delegation_noreclaim() - NFSv4: Don't remove the delegation from the super_list more than once - NFSv4: Hold the delegation spinlock when updating the seqid - NFSv4: Clear the NFS_DELEGATION_REVOKED flag in nfs_update_inplace_delegation() - NFSv4: Update the stateid seqid in nfs_revoke_delegation() - NFSv4: Revoke the delegation on success in nfs4_delegreturn_done() - NFSv4: Ignore requests to return the delegation if it was revoked - NFSv4: Don't reclaim delegations that have been returned or revoked - NFSv4: nfs4_return_incompatible_delegation() should check delegation validity - NFSv4: Fix nfs4_inode_make_writeable() - NFS: nfs_inode_find_state_and_recover() fix stateid matching - NFSv4: Fix races between open and delegreturn - NFSv4: Handle NFS4ERR_OLD_STATEID in delegreturn - NFSv4: Don't retry the GETATTR on old stateid in nfs4_delegreturn_done() - NFSv4: nfs_inode_evict_delegation() should set NFS_DELEGATION_RETURNING - NFS: Clear NFS_DELEGATION_RETURN_IF_CLOSED when the delegation is returned - NFSv4: Try to return the delegation immediately when marked for return on close - NFSv4: Add accounting for the number of active delegations held - NFSv4: Limit the total number of cached delegations - NFSv4: Ensure the delegation is pinned in nfs_do_return_delegation() - NFSv4: Ensure the delegation cred is pinned when we call delegreturn * Focal update: v5.4.174 upstream stable release (LP: #1960566) - HID: uhid: Fix worker destroying device without any protection - HID: wacom: Reset expected and received contact counts at the same time - HID: wacom: Ignore the confidence flag when a touch is removed - HID: wacom: Avoid using stale array indicies to read contact count - f2fs: fix to do sanity check in is_alive() - nfc: llcp: fix NULL error pointer dereference on sendmsg() after failed bind() - mtd: rawnand: gpmi: Add ERR007117 protection for nfc_apply_timings - mtd: rawnand: gpmi: Remove explicit default gpmi clock setting for i.MX6 - x86/gpu: Reserve stolen memory for first integrated Intel GPU - tools/nolibc: x86-64: Fix startup code bug - tools/nolibc: i386: fix initial stack alignment - tools/nolibc: fix incorrect truncation of exit code - rtc: cmos: take rtc_lock while reading from CMOS - media: v4l2-ioctl.c: readbuffers depends on V4L2_CAP_READWRITE - media: flexcop-usb: fix control-message timeouts - media: mceusb: fix control-message timeouts - media: em28xx: fix control-message timeouts - media: cpia2: fix control-message timeouts - media: s2255: fix control-message
[Kernel-packages] [Bug 1960427] Re: Add inner_ipproto into sec_path
This bug is awaiting verification that the linux-bluefield/5.4.0-1029.32 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! ** Tags added: verification-needed-focal -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-bluefield in Ubuntu. https://bugs.launchpad.net/bugs/1960427 Title: Add inner_ipproto into sec_path Status in linux-bluefield package in Ubuntu: Invalid Status in linux-bluefield source package in Focal: Fix Committed Bug description: * Explain the bug(s) The inner_ipproto saves the inner IP protocol of the plain text packet. This allows vendor's IPsec feature making offload decision at skb's features_check and configuring hardware at ndo_start_xmit. For example, ConnectX6-DX IPsec device needs the plaintext's IP protocol to support partial checksum offload on VXLAN/GENEVE packet over IPsec transport mode tunnel * Brief explanation of fixes As this data unrelated to the specific driver (the inner ip protocol of the plain text) then it makes sense to provide it in the xfrm stack layer to avoid code duplication in various drivers and do it on the fly in the xfrm layer instead of reparse the packet at the driver layer. * How to test Need to make sure that the code compiles post this change, run TCP encapsulated traffic (for example using vxlan) when IPSec crypto offload with transport mode is configured * What it could break. NA, this function adds data to a new field introduced to struct xfrm_offload, so if not used it have no effect and it is assigned in stack and used in driver so if driver does not used it then no effect. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux-bluefield/+bug/1960427/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1960427] Re: Add inner_ipproto into sec_path
** Changed in: linux-bluefield (Ubuntu Focal) Status: In Progress => Fix Committed -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-bluefield in Ubuntu. https://bugs.launchpad.net/bugs/1960427 Title: Add inner_ipproto into sec_path Status in linux-bluefield package in Ubuntu: Invalid Status in linux-bluefield source package in Focal: Fix Committed Bug description: * Explain the bug(s) The inner_ipproto saves the inner IP protocol of the plain text packet. This allows vendor's IPsec feature making offload decision at skb's features_check and configuring hardware at ndo_start_xmit. For example, ConnectX6-DX IPsec device needs the plaintext's IP protocol to support partial checksum offload on VXLAN/GENEVE packet over IPsec transport mode tunnel * Brief explanation of fixes As this data unrelated to the specific driver (the inner ip protocol of the plain text) then it makes sense to provide it in the xfrm stack layer to avoid code duplication in various drivers and do it on the fly in the xfrm layer instead of reparse the packet at the driver layer. * How to test Need to make sure that the code compiles post this change, run TCP encapsulated traffic (for example using vxlan) when IPSec crypto offload with transport mode is configured * What it could break. NA, this function adds data to a new field introduced to struct xfrm_offload, so if not used it have no effect and it is assigned in stack and used in driver so if driver does not used it then no effect. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux-bluefield/+bug/1960427/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1960427] Re: Add inner_ipproto into sec_path
** Also affects: linux-bluefield (Ubuntu Focal) Importance: Undecided Status: New ** Changed in: linux-bluefield (Ubuntu Focal) Importance: Undecided => Medium ** Changed in: linux-bluefield (Ubuntu Focal) Status: New => In Progress ** Changed in: linux-bluefield (Ubuntu Focal) Assignee: (unassigned) => Bodong Wang (bodong-wang) ** Changed in: linux-bluefield (Ubuntu) Status: New => Invalid -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-bluefield in Ubuntu. https://bugs.launchpad.net/bugs/1960427 Title: Add inner_ipproto into sec_path Status in linux-bluefield package in Ubuntu: Invalid Status in linux-bluefield source package in Focal: In Progress Bug description: * Explain the bug(s) The inner_ipproto saves the inner IP protocol of the plain text packet. This allows vendor's IPsec feature making offload decision at skb's features_check and configuring hardware at ndo_start_xmit. For example, ConnectX6-DX IPsec device needs the plaintext's IP protocol to support partial checksum offload on VXLAN/GENEVE packet over IPsec transport mode tunnel * Brief explanation of fixes As this data unrelated to the specific driver (the inner ip protocol of the plain text) then it makes sense to provide it in the xfrm stack layer to avoid code duplication in various drivers and do it on the fly in the xfrm layer instead of reparse the packet at the driver layer. * How to test Need to make sure that the code compiles post this change, run TCP encapsulated traffic (for example using vxlan) when IPSec crypto offload with transport mode is configured * What it could break. NA, this function adds data to a new field introduced to struct xfrm_offload, so if not used it have no effect and it is assigned in stack and used in driver so if driver does not used it then no effect. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux-bluefield/+bug/1960427/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
