Ubuntu
linux package

overlay: permission regression in 5.4.0-51.56 due to patches related to CVE-2020-16120

Bug #1900141 reported by Philipp Wendler on 2020-10-16

This bug affects 5 people

	Status	Importance	Assigned to
linux (Ubuntu)	Fix Released	Undecided	Seth Forshee
Focal	Fix Released	High	Seth Forshee
Groovy	Fix Released	High	Seth Forshee

Bug Description

SRU Justification

[Impact]

The backports to fix CVE-2020-16120 introduced a regression for overlay mounts within user namespaces. Files with ownership outside of the user namespace can no longer be accessed, even if allowed by both DAC and MAC.

This issue is fixed by the following upstream commit:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b6650dab404c701d7fe08a108b746542a934da84

This commit relaxes the check to remove O_NOATIME from the open flags for the file in the lower filesystem when the overlay filesystem mounter is not privileged with respect to the underlying inode, rather than failing the open as happens now.

[Test Case]

The attached lp1900141.sh script reproduces the issue.

[Where problems could occur]

For the most part this patch restores previous behavior of allowing access to these files while keeping the enhanced permission checks towards the lower filesystem to help prevent unauthorized access to file data in the lower filesystem. The one difference in behavior is that files in the lower filesystem may no longer be opened with the O_NOATIME flag, potentially causing atime updates for these files which were not happening before. If any software expects O_NOATIME behavior in this situation then it could cause problems for that software. However, the correct behavior is that only the inode owner or a process with CAP_FOWNER towards the inode owner is allowed to open with O_NOATIME (as documented in open(2)).

---

We use unprivileged user namespaces with overlay mounts for containers. After recently upgrading our Focal kernels to 5.4.0-51.56 this breaks, one cannot access files through the overlay mount in the container anymore. This is very likely caused by some of the patches that were added in relation to CVE-2020-16120.

The following commands allow to reproduce the problem when executed as an arbitrary non-root user:

mkdir /tmp/test /tmp/test/upper /tmp/test/work /tmp/test/usr
unshare -m -U -r /bin/sh -c "mount -t overlay none /tmp/test/usr -o lowerdir=/usr,upperdir=/tmp/test/upper,workdir=/tmp/test/work; ls -l /tmp/test/usr/bin/id; file /tmp/test/usr/bin/id; /tmp/test/usr/bin/id"

The output when broken is this:

-rwxr-xr-x 1 nobody nogroup 47480 Sep 5 2019 /tmp/test/usr/bin/id
/tmp/test/usr/bin/id: executable, regular file, no read permission
/bin/sh: 1: /tmp/test/usr/bin/id: Operation not permitted

The expected output is this:

-rwxr-xr-x 1 nobody nogroup 43224 Jan 18 2018 /tmp/test/usr/bin/id
/tmp/test/usr/bin/id: ELF 64-bit LSB shared object, ...
uid=0(root) gid=0(root) groups=0(root),65534(nogroup)

These commands create a user namespace and within it mount an overlay of /usr to /tmp/test/usr and then try to access something in it.

This works on Ubuntu Bionic with kernel 4.15.0-121.123 (note that this already includes a fix for CVE-2020-16120) and on kernel 5.4.0-48.52 but is broken on kernel 5.4.0-51.56, no matter whether on Bionic or Focal.

So I strongly suspect that not the actual security fixes for CVE-2020-16120 are the cause, but one of the following two patches that according to the changelogs were applied in the same revision but only to 5.4, not to 4.15:

ovl: call secutiry hook in ovl_real_ioctl()
ovl: check permission to open real file

The mail with the announcement (https://www.openwall.com/lists/oss-security/2020/10/13/6) lists these two commits as separate from the actual security fixes ("may be desired or necessary").

Is it possible to revert these two changes or fix them such that our unprivileged containers work again on Ubuntu kernel 5.4? Or is there a workaround that I can add to my container solution such that this use case works again?

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: linux-image-5.4.0-51-generic 5.4.0-51.56
ProcVersionSignature: User Name 5.4.0-51.56-generic 5.4.65
Uname: Linux 5.4.0-51-generic x86_64
AlsaDevices:
total 0
crw-rw---- 1 root audio 116, 1 Oct 14 04:48 seq
crw-rw---- 1 root audio 116, 33 Oct 14 04:48 timer
AplayDevices: Error: [Errno 2] No such file or directory: 'aplay'
ApportVersion: 2.20.11-0ubuntu27.9
Architecture: amd64
ArecordDevices: Error: [Errno 2] No such file or directory: 'arecord'
AudioDevicesInUse: Error: [Errno 2] No such file or directory: 'fuser'
CasperMD5CheckResult: skip
CurrentDmesg: Error: command ['dmesg'] failed with exit code 1: dmesg: read kernel buffer failed: Operation not permitted
Date: Fri Oct 16 13:02:32 2020
IwConfig: Error: [Errno 2] No such file or directory: 'iwconfig'
Lsusb:
Bus 001 Device 002: ID 0627:0001 Adomax Technology Co., Ltd QEMU USB Tablet
Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Lsusb-t:
/: Bus 01.Port 1: Dev 1, Class=root_hub, Driver=uhci_hcd/2p, 12M
|__ Port 1: Dev 2, If 0, Class=Human Interface Device, Driver=usbhid, 12M
MachineType: QEMU Standard PC (i440FX + PIIX, 1996)
PciMultimedia:

ProcEnviron:
TERM=screen-256color
PATH=(custom, no user)
XDG_RUNTIME_DIR=<set>
LANG=C.UTF-8
SHELL=/bin/bash
ProcFB: 0 bochs-drmdrmfb
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-5.4.0-51-generic root=PARTUUID=59ea2f51-599c-49f2-b9b3-77197e333865 ro console=tty1 console=ttyS0
RelatedPackageVersions:
linux-restricted-modules-5.4.0-51-generic N/A
linux-backports-modules-5.4.0-51-generic N/A
linux-firmware 1.187.3
RfKill: Error: [Errno 2] No such file or directory: 'rfkill'
SourcePackage: linux
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 04/01/2014
dmi.bios.vendor: SeaBIOS
dmi.bios.version: rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org
dmi.chassis.type: 1
dmi.chassis.vendor: QEMU
dmi.chassis.version: pc-i440fx-5.0
dmi.modalias: dmi:bvnSeaBIOS:bvrrel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org:bd04/01/2014:svnQEMU:pnStandardPC(i440FX+PIIX,1996):pvrpc-i440fx-5.0:cvnQEMU:ct1:cvrpc-i440fx-5.0:
dmi.product.name: Standard PC (i440FX + PIIX, 1996)
dmi.product.version: pc-i440fx-5.0
dmi.sys.vendor: QEMU

See original description

Tags:

CVE References

2020-16120

Revision history for this message

Philipp Wendler (philw85) wrote on 2020-10-16:

CRDA.txt Edit (454 bytes, text/plain; charset="utf-8")
Dependencies.txt Edit (2.5 KiB, text/plain; charset="utf-8")
Lspci.txt Edit (8.7 KiB, text/plain; charset="utf-8")
Lspci-vt.txt Edit (711 bytes, text/plain; charset="utf-8")
Lsusb-v.txt Edit (3.5 KiB, text/plain; charset="utf-8")
ProcCpuinfo.txt Edit (1.1 KiB, text/plain; charset="utf-8")
ProcCpuinfoMinimal.txt Edit (1.1 KiB, text/plain; charset="utf-8")
ProcInterrupts.txt Edit (1.8 KiB, text/plain; charset="utf-8")
ProcModules.txt Edit (2.7 KiB, text/plain; charset="utf-8")
UdevDb.txt Edit (96.9 KiB, text/plain; charset="utf-8")
WifiSyslog.txt Edit (1.7 KiB, text/plain; charset="utf-8")
acpidump.txt Edit (582 bytes, text/plain; charset="utf-8")

Revision history for this message

Launchpad Janitor (janitor) wrote on 2020-10-16:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in linux (Ubuntu):
status:	New → Confirmed

Revision history for this message

Seth Forshee (sforshee) wrote on 2020-10-20:

I think I see what the problem is, one of the patches adds a check that is probably unnecessary and too restrictive. This is an upstream issue though, so I'm going to follow up with the upstream developers to ensure there isn't a good reason for the check that isn't apparent to me.

Changed in linux (Ubuntu):
assignee:	nobody → Seth Forshee (sforshee)
status:	Confirmed → In Progress

Revision history for this message

Philipp Wendler (philw85) wrote on 2020-11-23:

I noticed that the changelog of the kernel package 5.4.0-50.55~18.04.1 for Bionic now also includes the two additional patches, and indeed I can confirm that on Bionic with kernel 5.4.0-54-generic the regression was now also introduced.

Is there an update whether it will be possible to solve this regression? It breaks our container runtime unfortunately.

Revision history for this message

Lane Roberts (lanecroberts) wrote on 2020-12-22:

This also breaks some of our containers - is there any kind of work-around we can use?

Revision history for this message

Seth Forshee (sforshee) wrote on 2021-01-06:

lp1900141.sh Edit (345 bytes, text/x-sh)

Apologies for the delay on this bug. There is a fix upstream in 5.11-rc1, I've backported the fix to the test kernel located here:

https://people.canonical.com/~sforshee/lp1900141/linux-5.4.0-59.65+lp1900141v202101061102/

I'm also attaching a script which reproduces the bug. In my testing the problem looks to be fixed by this patch, but additional testing is appreciated.

Seth Forshee (sforshee) on 2021-01-06

Changed in linux (Ubuntu Focal):
assignee:	nobody → Seth Forshee (sforshee)
importance:	Undecided → High
status:	New → In Progress
Changed in linux (Ubuntu Groovy):
assignee:	nobody → Seth Forshee (sforshee)
importance:	Undecided → High
status:	New → In Progress

Seth Forshee (sforshee) on 2021-01-06

description:

updated

Revision history for this message

Lane Roberts (lanecroberts) wrote on 2021-01-07:

Thanks Seth - that appears to fix our problem as well!

Kleber Sacilotto de Souza (kleber-souza) on 2021-01-07

Changed in linux (Ubuntu Focal):
status:	In Progress → Fix Committed
Changed in linux (Ubuntu Groovy):
status:	In Progress → Fix Committed

Seth Forshee (sforshee) on 2021-01-07

Changed in linux (Ubuntu):
status:	In Progress → Fix Committed

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2021-01-08:

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-groovy' to 'verification-done-groovy'. If the problem still exists, change the tag 'verification-needed-groovy' to 'verification-failed-groovy'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:	added: verification-needed-groovy
tags:	added: verification-needed-focal

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2021-01-08:

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

Revision history for this message

Philipp Wendler (philw85) wrote on 2021-01-11:

#10

Thanks!

I tested it on a Focal machine and the -proposed kernel works. However, I don't have a Groovy machine here, is it necessary for me to test this?

I noticed that in the list of affected packages in the bug metadata Bionic is not mentioned. Will the fix also be backported there?

tags:

added: verification-done-focal
removed: verification-needed-focal

Revision history for this message

Seth Forshee (sforshee) wrote on 2021-01-11: Re: [Bug 1900141] Re: overlay: permission regression in 5.4.0-51.56 due to patches related to CVE-2020-16120

#11

On Mon, Jan 11, 2021 at 11:12:35AM -0000, Philipp Wendler wrote:
> I tested it on a Focal machine and the -proposed kernel works. However,
> I don't have a Groovy machine here, is it necessary for me to test this?

I can verify the fix in groovy.

> I noticed that in the list of affected packages in the bug metadata
> Bionic is not mentioned. Will the fix also be backported there?

It depends on which kernel you are talking about. The bionic GA kernel
(4.15) was not affected based on my testing. If you are seeing problems
with it, please let me know.

The bionic HWE kernel is derived from the kernel source in focal, so
that kernel does not need to be fixed separately from the focal kernel.

Revision history for this message

Seth Forshee (sforshee) wrote on 2021-01-11:

#12

Confirmed that the attached test script reproduces the problem with 5.8.0-36-generic from groovy-updates. ith 5.8.0-37-generic from groovy-proposed the problem is fixed.

tags:

added: verification-done-groovy
removed: verification-needed-groovy

Revision history for this message

Philipp Wendler (philw85) wrote on 2021-01-12:

#13

Thanks!

>> I noticed that in the list of affected packages in the bug metadata
>> Bionic is not mentioned. Will the fix also be backported there?
>
> It depends on which kernel you are talking about. The bionic GA kernel
> (4.15) was not affected based on my testing. If you are seeing problems
> with it, please let me know.

4.15 was not affected indeed.

> The bionic HWE kernel is derived from the kernel source in focal, so
> that kernel does not need to be fixed separately from the focal kernel.

Ok, just wanted to make sure this is the case.

Everything is fine for me now.

Revision history for this message

Launchpad Janitor (janitor) wrote on 2021-01-26:

#14

This bug was fixed in the package linux - 5.4.0-65.73

---------------
linux (5.4.0-65.73) focal; urgency=medium

* focal/linux: 5.4.0-65.73 -proposed tracker (LP: #1912220)

* initramfs unpacking failed (LP: #1835660)
- SAUCE: lib/decompress_unlz4.c: correctly handle zero-padding around initrds.

  * overlay: permission regression in 5.4.0-51.56 due to patches related to
    CVE-2020-16120 (LP: #1900141)
    - ovl: do not fail because of O_NOATIME

  * Focal update: v5.4.79 upstream stable release (LP: #1907151)
    - net/mlx5: Use async EQ setup cleanup helpers for multiple EQs
    - net/mlx5: poll cmd EQ in case of command timeout
    - net/mlx5: Fix a race when moving command interface to events mode
    - net/mlx5: Add retry mechanism to the command entry index allocation

* Kernel 5.4.0-56 Wi-Fi does not connect (LP: #1906770)
- mt76: fix fix ampdu locking

  * [Ubuntu 21.04 FEAT] mpt3sas: Request to include the patch set which supports
    topology where zoning is enabled in expander (LP: #1899802)
    - scsi: mpt3sas: Define hba_port structure
    - scsi: mpt3sas: Allocate memory for hba_port objects
    - scsi: mpt3sas: Rearrange _scsih_mark_responding_sas_device()
    - scsi: mpt3sas: Update hba_port's sas_address & phy_mask
    - scsi: mpt3sas: Get device objects using sas_address & portID
    - scsi: mpt3sas: Rename transport_del_phy_from_an_existing_port()
    - scsi: mpt3sas: Get sas_device objects using device's rphy
    - scsi: mpt3sas: Update hba_port objects after host reset
    - scsi: mpt3sas: Set valid PhysicalPort in SMPPassThrough
    - scsi: mpt3sas: Handling HBA vSES device
    - scsi: mpt3sas: Add bypass_dirty_port_flag parameter
    - scsi: mpt3sas: Handle vSES vphy object during HBA reset
    - scsi: mpt3sas: Add module parameter multipath_on_hba
    - scsi: mpt3sas: Bump driver version to 35.101.00.00

-- Kleber Sacilotto de Souza <email address hidden> Mon, 18 Jan 2021 17:31:23 +0100

Changed in linux (Ubuntu Focal):
status:	Fix Committed → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2021-01-26:

#15

This bug was fixed in the package linux - 5.8.0-41.46

---------------
linux (5.8.0-41.46) groovy; urgency=medium

* groovy/linux: 5.8.0-41.46 -proposed tracker (LP: #1912219)

  * Groovy update: upstream stable patchset 2020-12-17 (LP: #1908555) // nvme
    drive fails after some time (LP: #1910866)
    - Revert "nvme-pci: remove last_sq_tail"

* initramfs unpacking failed (LP: #1835660)
- SAUCE: lib/decompress_unlz4.c: correctly handle zero-padding around initrds.

  * overlay: permission regression in 5.4.0-51.56 due to patches related to
    CVE-2020-16120 (LP: #1900141)
    - ovl: do not fail because of O_NOATIME

-- Kleber Sacilotto de Souza <email address hidden> Mon, 18 Jan 2021 17:01:08 +0100

Changed in linux (Ubuntu Groovy):
status:	Fix Committed → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2021-02-19:

#16

Download full text (20.7 KiB)

This bug was fixed in the package linux - 5.10.0-14.15

---------------
linux (5.10.0-14.15) hirsute; urgency=medium

* hirsute/linux: 5.10.0-14.15 -proposed tracker (LP: #1913724)

* Restore palm ejection on multi-input devices (LP: #1913520)
- HID: multitouch: Apply MT_QUIRK_CONFIDENCE quirk for multi-input devices

* intel-hid is not loaded on new Intel platform (LP: #1907160)
- platform/x86: intel-hid: add Rocket Lake ACPI device ID

This bug was fixed in the package linux - 5.10.0-14.15

---------------
linux (5.10.0-14.15) hirsute; urgency=medium

* hirsute/linux: 5.10.0-14.15 -proposed tracker (LP: #1913724)

* Restore palm ejection on multi-input devices (LP: #1913520)
    - HID: multitouch: Apply MT_QUIRK_CONFIDENCE quirk for multi-input devices

* intel-hid is not loaded on new Intel platform (LP: #1907160)
    - platform/x86: intel-hid: add Rocket Lake ACPI device ID

* Hirsute update: v5.10.11 upstream stable release (LP: #1913430)
    - scsi: target: tcmu: Fix use-after-free of se_cmd->priv
    - mtd: rawnand: gpmi: fix dst bit offset when extracting raw payload
    - mtd: rawnand: nandsim: Fix the logic when selecting Hamming soft ECC engine
    - i2c: tegra: Wait for config load atomically while in ISR
    - i2c: bpmp-tegra: Ignore unknown I2C_M flags
    - platform/x86: ideapad-laptop: Disable touchpad_switch for ELAN0634
    - ALSA: seq: oss: Fix missing error check in snd_seq_oss_synth_make_info()
    - ALSA: hda/realtek - Limit int mic boost on Acer Aspire E5-575T
    - ALSA: hda/via: Add minimum mute flag
    - crypto: xor - Fix divide error in do_xor_speed()
    - dm crypt: fix copy and paste bug in crypt_alloc_req_aead
    - ACPI: scan: Make acpi_bus_get_device() clear return pointer on error
    - btrfs: don't get an EINTR during drop_snapshot for reloc
    - btrfs: do not double free backref nodes on error
    - btrfs: fix lockdep splat in btrfs_recover_relocation
    - btrfs: don't clear ret in btrfs_start_dirty_block_groups
    - btrfs: send: fix invalid clone operations when cloning from the same file
      and root
    - fs: fix lazytime expiration handling in __writeback_single_inode()
    - pinctrl: ingenic: Fix JZ4760 support
    - mmc: core: don't initialize block size from ext_csd if not present
    - mmc: sdhci-of-dwcmshc: fix rpmb access
    - mmc: sdhci-xenon: fix 1.8v regulator stabilization
    - mmc: sdhci-brcmstb: Fix mmc timeout errors on S5 suspend
    - dm: avoid filesystem lookup in dm_get_dev_t()
    - dm integrity: fix a crash if "recalculate" used without "internal_hash"
    - dm integrity: conditionally disable "recalculate" feature
    - drm/atomic: put state on error path
    - drm/syncobj: Fix use-after-free
    - drm/amdgpu: remove gpu info firmware of green sardine
    - drm/amd/display: DCN2X Find Secondary Pipe properly in MPO + ODM Case
    - drm/i915/gt: Prevent use of engine->wa_ctx after error
    - drm/i915: Check for rq->hwsp validity after acquiring RCU lock
    - ASoC: Intel: haswell: Add missing pm_ops
    - ASoC: rt711: mutex between calibration and power state changes
    - SUNRPC: Handle TCP socket sends with kernel_sendpage() again
    - HID: sony: select CONFIG_CRC32
    - dm integrity: select CRYPTO_SKCIPHER
    - x86/hyperv: Fix kexec panic/hang issues
    - scsi: ufs: Relax the condition of UFSHCI_QUIRK_SKIP_MANUAL_WB_FLUSH_CTRL
    - scsi: ufs: Correct the LUN used in eh_device_reset_handler() callback
    - scsi: qedi: Correct max length of CHAP secret
    - scsi: scsi_debug: Fix memleak in scsi_debug_init()
    - scsi: sd: Suppress spurious errors when WRITE SAME is being disabled
    - riscv: Fix kernel time_init()
    - riscv: Fix sifive serial driver
    - riscv: Enable interrupts during syscalls with M-Mode
    - HID: logitech-dj: add the G602 receiver
    - HID: Ignore battery for Elan touchscreen on ASUS UX550
    - clk: tegra30: Add hda clock default rates to clock driver
    - ALSA: hda/tegra: fix tegra-hda on tegra30 soc
    - riscv: cacheinfo: Fix using smp_processor_id() in preemptible
    - arm64: make atomic helpers __always_inline
    - xen: Fix event channel callback via INTX/GSI
    - x86/xen: Add xen_no_vector_callback option to test PCI INTX delivery
    - x86/xen: Fix xen_hvm_smp_init() when vector callback not available
    - dts: phy: fix missing mdio device and probe failure of vsc8541-01 device
    - dts: phy: add GPIO number and active state used for phy reset
    - riscv: defconfig: enable gpio support for HiFive Unleashed
    - drm/amdgpu/psp: fix psp gfx ctrl cmds
    - drm/amd/display: disable dcn10 pipe split by default
    - HID: logitech-hidpp: Add product ID for MX Ergo in Bluetooth mode
    - drm/amd/display: Fix to be able to stop crc calculation
    - drm/nouveau/bios: fix issue shadowing expansion ROMs
    - drm/nouveau/privring: ack interrupts the same way as RM
    - drm/nouveau/i2c/gm200: increase width of aux semaphore owner fields
    - drm/nouveau/mmu: fix vram heap sizing
    - drm/nouveau/kms/nv50-: fix case where notifier buffer is at offset 0
    - io_uring: flush timeouts that should already have expired
    - libperf tests: If a test fails return non-zero
    - libperf tests: Fail when failing to get a tracepoint id
    - RISC-V: Set current memblock limit
    - RISC-V: Fix maximum allowed phsyical memory for RV32
    - x86/xen: fix 'nopvspin' build error
    - nfsd: Fixes for nfsd4_encode_read_plus_data()
    - nfsd: Don't set eof on a truncated READ_PLUS
    - gpiolib: cdev: fix frame size warning in gpio_ioctl()
    - pinctrl: aspeed: g6: Fix PWMG0 pinctrl setting
    - pinctrl: mediatek: Fix fallback call path
    - RDMA/ucma: Do not miss ctx destruction steps in some cases
    - btrfs: print the actual offset in btrfs_root_name
    - scsi: megaraid_sas: Fix MEGASAS_IOC_FIRMWARE regression
    - scsi: ufs: ufshcd-pltfrm depends on HAS_IOMEM
    - scsi: ufs: Fix tm request when non-fatal error happens
    - crypto: omap-sham - Fix link error without crypto-engine
    - bpf: Prevent double bpf_prog_put call from bpf_tracing_prog_attach
    - powerpc: Use the common INIT_DATA_SECTION macro in vmlinux.lds.S
    - powerpc: Fix alignment bug within the init sections
    - arm64: entry: remove redundant IRQ flag tracing
    - bpf: Reject too big ctx_size_in for raw_tp test run
    - drm/amdkfd: Fix out-of-bounds read in kdf_create_vcrat_image_cpu()
    - RDMA/umem: Avoid undefined behavior of rounddown_pow_of_two()
    - RDMA/cma: Fix error flow in default_roce_mode_store
    - printk: ringbuffer: fix line counting
    - printk: fix kmsg_dump_get_buffer length calulations
    - iov_iter: fix the uaccess area in copy_compat_iovec_from_user
    - i2c: octeon: check correct size of maximum RECV_LEN packet
    - drm/vc4: Unify PCM card's driver_name
    - platform/x86: intel-vbtn: Drop HP Stream x360 Convertible PC 11 from allow-
      list
    - platform/x86: hp-wmi: Don't log a warning on HPWMI_RET_UNKNOWN_COMMAND
      errors
    - gpio: sifive: select IRQ_DOMAIN_HIERARCHY rather than depend on it
    - xsk: Clear pool even for inactive queues
    - selftests: net: fib_tests: remove duplicate log test
    - can: dev: can_restart: fix use after free bug
    - can: vxcan: vxcan_xmit: fix use after free bug
    - can: peak_usb: fix use after free bugs
    - perf evlist: Fix id index for heterogeneous systems
    - i2c: sprd: depend on COMMON_CLK to fix compile tests
    - iio: common: st_sensors: fix possible infinite loop in st_sensors_irq_thread
    - iio: ad5504: Fix setting power-down state
    - drivers: iio: temperature: Add delay after the addressed reset command in
      mlx90632.c
    - iio: adc: ti_am335x_adc: remove omitted iio_kfifo_free()
    - counter:ti-eqep: remove floor
    - powerpc/64s: fix scv entry fallback flush vs interrupt
    - cifs: do not fail __smb_send_rqst if non-fatal signals are pending
    - irqchip/mips-cpu: Set IPI domain parent chip
    - x86/fpu: Add kernel_fpu_begin_mask() to selectively initialize state
    - x86/topology: Make __max_die_per_package available unconditionally
    - x86/mmx: Use KFPU_387 for MMX string operations
    - x86/setup: don't remove E820_TYPE_RAM for pfn 0
    - proc_sysctl: fix oops caused by incorrect command parameters
    - mm: memcg/slab: optimize objcg stock draining
    - mm: memcg: fix memcg file_dirty numa stat
    - mm: fix numa stats for thp migration
    - io_uring: iopoll requests should also wake task ->in_idle state
    - io_uring: fix SQPOLL IORING_OP_CLOSE cancelation state
    - io_uring: fix short read retries for non-reg files
    - intel_th: pci: Add Alder Lake-P support
    - stm class: Fix module init return on allocation failure
    - serial: mvebu-uart: fix tx lost characters at power off
    - ehci: fix EHCI host controller initialization sequence
    - USB: ehci: fix an interrupt calltrace error
    - usb: gadget: aspeed: fix stop dma register setting.
    - USB: gadget: dummy-hcd: Fix errors in port-reset handling
    - usb: udc: core: Use lock when write to soft_connect
    - usb: bdc: Make bdc pci driver depend on BROKEN
    - usb: cdns3: imx: fix writing read-only memory issue
    - usb: cdns3: imx: fix can't create core device the second time issue
    - xhci: make sure TRB is fully written before giving it to the controller
    - xhci: tegra: Delay for disabling LFPS detector
    - drivers core: Free dma_range_map when driver probe failed
    - driver core: Fix device link device name collision
    - driver core: Extend device_is_dependent()
    - drm/i915: s/intel_dp_sink_dpms/intel_dp_set_power/
    - drm/i915: Only enable DFP 4:4:4->4:2:0 conversion when outputting YCbCr
      4:4:4
    - x86/entry: Fix noinstr fail
    - x86/cpu/amd: Set __max_die_per_package on AMD
    - cls_flower: call nla_ok() before nla_next()
    - netfilter: rpfilter: mask ecn bits before fib lookup
    - tools: gpio: fix %llu warning in gpio-event-mon.c
    - tools: gpio: fix %llu warning in gpio-watch.c
    - drm/i915/hdcp: Update CP property in update_pipe
    - sh: dma: fix kconfig dependency for G2_DMA
    - sh: Remove unused HAVE_COPY_THREAD_TLS macro
    - locking/lockdep: Cure noinstr fail
    - ASoC: SOF: Intel: fix page fault at probe if i915 init fails
    - octeontx2-af: Fix missing check bugs in rvu_cgx.c
    - net: dsa: mv88e6xxx: also read STU state in mv88e6250_g1_vtu_getnext
    - selftests/powerpc: Fix exit status of pkey tests
    - sh_eth: Fix power down vs. is_opened flag ordering
    - nvme-pci: refactor nvme_unmap_data
    - nvme-pci: fix error unwind in nvme_map_data
    - cachefiles: Drop superfluous readpages aops NULL check
    - lightnvm: fix memory leak when submit fails
    - skbuff: back tiny skbs with kmalloc() in __netdev_alloc_skb() too
    - kasan: fix unaligned address is unhandled in kasan_remove_zero_shadow
    - kasan: fix incorrect arguments passing in kasan_add_zero_shadow
    - tcp: fix TCP socket rehash stats mis-accounting
    - net_sched: gen_estimator: support large ewma log
    - udp: mask TOS bits in udp_v4_early_demux()
    - ipv6: create multicast route with RTPROT_KERNEL
    - net_sched: avoid shift-out-of-bounds in tcindex_set_parms()
    - net_sched: reject silly cell_log in qdisc_get_rtab()
    - ipv6: set multicast flag on the multicast route
    - net: mscc: ocelot: allow offloading of bridge on top of LAG
    - net: Disable NETIF_F_HW_TLS_RX when RXCSUM is disabled
    - net: dsa: b53: fix an off by one in checking "vlan->vid"
    - tcp: do not mess with cloned skbs in tcp_add_backlog()
    - tcp: fix TCP_USER_TIMEOUT with zero window
    - net: mscc: ocelot: Fix multicast to the CPU port
    - net: core: devlink: use right genl user_ptr when handling port param get/set
    - pinctrl: qcom: Allow SoCs to specify a GPIO function that's not 0
    - pinctrl: qcom: No need to read-modify-write the interrupt status
    - pinctrl: qcom: Properly clear "intr_ack_high" interrupts when unmasking
    - pinctrl: qcom: Don't clear pending interrupts when enabling
    - x86/sev: Fix nonistr violation
    - tty: implement write_iter
    - tty: fix up hung_up_tty_write() conversion
    - net: systemport: free dev before on error path
    - x86/sev-es: Handle string port IO to kernel memory properly
    - tcp: Fix potential use-after-free due to double kfree()
    - drm/i915/hdcp: Get conn while content_type changed
    - bpf: Local storage helpers should check nullness of owner ptr passed
    - kernfs: implement ->read_iter
    - kernfs: implement ->write_iter
    - kernfs: wire up ->splice_read and ->splice_write
    - interconnect: imx8mq: Use icc_sync_state
    - fs/pipe: allow sendfile() to pipe again
    - Commit 9bb48c82aced ("tty: implement write_iter") converted the tty layer to
      use write_iter. Fix the redirected_tty_write declaration also in n_tty and
      change the comparisons to use write_iter instead of write. also in n_tty and
      change the comparisons to use write_iter instead of write.
    - mm: fix initialization of struct page for holes in memory layout
    - Revert "mm: fix initialization of struct page for holes in memory layout"
    - Linux 5.10.11

* High load from process irq/65-i2c-INT3  - kernel module tps6598x
    (LP: #1883511) // Hirsute update: v5.10.11 upstream stable release
    (LP: #1913430)
    - platform/x86: i2c-multi-instantiate: Don't create platform device for
      INT3515 ACPI nodes

* Hirsute update: v5.10.10 upstream stable release (LP: #1913429)
    - Revert "kconfig: remove 'kvmconfig' and 'xenconfig' shorthands"
    - x86/hyperv: Initialize clockevents after LAPIC is initialized
    - drm/amdgpu/display: drop DCN support for aarch64
    - bpf: Fix signed_{sub,add32}_overflows type handling
    - X.509: Fix crash caused by NULL pointer
    - nfsd4: readdirplus shouldn't return parent of export
    - bpf: Don't leak memory in bpf getsockopt when optlen == 0
    - bpf: Support PTR_TO_MEM{,_OR_NULL} register spilling
    - bpf: Fix helper bpf_map_peek_elem_proto pointing to wrong callback
    - net: ipa: modem: add missing SET_NETDEV_DEV() for proper sysfs links
    - net: fix use-after-free when UDP GRO with shared fraglist
    - udp: Prevent reuseport_select_sock from reading uninitialized socks
    - netxen_nic: fix MSI/MSI-x interrupts
    - net: ipv6: Validate GSO SKB before finish IPv6 processing
    - tipc: fix NULL deref in tipc_link_xmit()
    - mlxsw: core: Add validation of transceiver temperature thresholds
    - mlxsw: core: Increase critical threshold for ASIC thermal zone
    - net: mvpp2: Remove Pause and Asym_Pause support
    - rndis_host: set proper input size for OID_GEN_PHYSICAL_MEDIUM request
    - esp: avoid unneeded kmap_atomic call
    - net: dcb: Validate netlink message in DCB handler
    - net: dcb: Accept RTM_GETDCB messages carrying set-like DCB commands
    - rxrpc: Call state should be read with READ_ONCE() under some circumstances
    - i40e: fix potential NULL pointer dereferencing
    - net: stmmac: Fixed mtu channged by cache aligned
    - net: sit: unregister_netdevice on newlink's error path
    - net: stmmac: fix taprio schedule configuration
    - net: stmmac: fix taprio configuration when base_time is in the past
    - net: avoid 32 x truesize under-estimation for tiny skbs
    - dt-bindings: net: renesas,etheravb: RZ/G2H needs tx-internal-delay-ps
    - net: phy: smsc: fix clk error handling
    - net: dsa: clear devlink port type before unregistering slave netdevs
    - rxrpc: Fix handling of an unsupported token type in rxrpc_read()
    - net: stmmac: use __napi_schedule() for PREEMPT_RT
    - can: mcp251xfd: mcp251xfd_handle_rxif_one(): fix wrong NULL pointer check
    - drm/panel: otm8009a: allow using non-continuous dsi clock
    - mac80211: do not drop tx nulldata packets on encrypted links
    - mac80211: check if atf has been disabled in __ieee80211_schedule_txq
    - net: dsa: unbind all switches from tree when DSA master unbinds
    - cxgb4/chtls: Fix tid stuck due to wrong update of qid
    - spi: fsl: Fix driver breakage when SPI_CS_HIGH is not set in spi->mode
    - spi: cadence: cache reference clock rate during probe
    - Linux 5.10.10

* Remove scary stack trace from Realtek WiFi driver (LP: #1913263)
    - rtw88: reduce the log level for failure of tx report

* Packaging resync (LP: #1786013)
    - update dkms package versions

* Introduce the new NVIDIA 460-server series and update the 460 series
    (LP: #1913200)
    - [Config] dkms-versions -- add the 460-server nvidia driver

* backlight parsing for VBT 234+ (LP: #1912157)
    - drm/i915/vbt: Fix backlight parsing for VBT 234+
    - drm/i915/vbt: Update the version and expected size of
      BDB_GENERAL_DEFINITIONS map
    - drm/i915/vbt: Add VRR VBT toggle

* Support CML-S CPU + TGP PCH (LP: #1909457)
    - drm/i915/dg1: gmbus pin mapping
    - drm/i915/dg1: Don't program PHY_MISC for PHY-C and PHY-D
    - drm/i915/dg1: add hpd interrupt handling
    - drm/i915/display/ehl: Limit eDP to HBR2
    - drm/i915/jsl: Split EHL/JSL platform info and PCI ids
    - drm/i915: Add PORT_TCn aliases to enum port
    - drm/i915: s/PORT_TC/TC_PORT_/
    - drm/i915/rkl: new rkl ddc map for different PCH
    - SAUCE: drm/i915/gen9_bc : Add TGP PCH support

* Fix the video can't output through WD19TB connected with TGL platform during
    cold-boot (LP: #1910211)
    - SAUCE: drm/i915/dp: Prevent setting LTTPR mode if no LTTPR is detected

* Stop using get_scalar_status command in Dell AIO uart backlight driver
    (LP: #1865402)
    - SAUCE: platform/x86: dell-uart-backlight: add get_display_mode command

* Killer 500s (QCA6390) WLAN/BT [17cb:1101] unavailable (LP: #1879633)
    - SAUCE: ath11k: add 64bit check before reading msi high addr
    - SAUCE: ath11k: pci: support platforms with one MSI vector
    - SAUCE: ath11k: dp_rx: fix monitor status dma unmap direction
    - SAUCE: ath11k: hook mhi suspend and resume
    - SAUCE: ath11k: implement hif suspend and resume functions.
    - SAUCE: ath11k: read select_window register to ensure write is finished
    - SAUCE: ath11k: implement htc suspend related callbacks
    - SAUCE: ath11k: put target to suspend when system enters suspend state
    - SAUCE: ath11k: pci: print a warning if firmware crashed
    - SAUCE: ath11k: qmi: print allocated memory segment addresses and sizes
    - SAUCE: HACK: ath11k: add delays to suspend and resume handlers
    - SAUCE: ath11k: put hw to DBS using WMI_PDEV_SET_HW_MODE_CMDID
    - SAUCE: ath11k: fix pcie link unstable issue
    - SAUCE: ath11k: fix PCI L1ss clock unstable problem
    - SAUCE: ath11k: disable OTP write privilege
    - SAUCE: ath11k: disable ASPM L0sLs before downloading firmware
    - SAUCE: ath11k: purge rx pktlog when entering suspend
    - SAUCE: ath11k: set credit_update flag for flow controlled ep only
    - SAUCE: ath11k: implement wow enable and wow wakeup command
    - SAUCE: ath11k: add ce irq enable and disable hif layer functions
    - SAUCE: ath11k: put target to wow state when suspend happens
    - SAUCE: ath11k: vdev delete synchronization with firmware
    - SAUCE: ath11k: peer delete synchronization with firmware

* Add support for Intel Bluetooth Device Typhoon Peak (8087:0032)
    (LP: #1890130)
    - SAUCE: Bluetooth: btintel: Fix endianness issue for TLV version information
    - SAUCE: Bluetooth: btusb: Add *setup* function for new generation Intel
      controllers
    - SAUCE: Bluetooth: btusb: Define a function to construct firmware filename
    - SAUCE: Bluetooth: btusb: Helper function to download firmware to Intel
      adapters
    - SAUCE: Bluetooth: btusb: Map Typhoon peak controller to BTUSB_INTEL_NEWGEN

* failed to boot to GUI: i915 0000:00:02.0: [drm] *ERROR* Link Training
    Unsuccessful (LP: #1903969)
    - SAUCE: drm/i915: s/old_crtc_state/crtc_state/
    - SAUCE: drm/i915: Make intel_dp_process_phy_request() static
    - SAUCE: drm/i915: Shove the PHY test into the hotplug work
    - SAUCE: drm/i915: Split ICL combo PHY buf trans per output type
    - SAUCE: drm/i915: Split ICL MG PHY buf trans per output type
    - SAUCE: drm/i915: Split EHL combo PHY buf trans per output type
    - SAUCE: drm/i915: Split TGL combo PHY buf trans per output type
    - SAUCE: drm/i915: Split TGL DKL PHY buf trans per output type
    - SAUCE: drm/i915: Plumb crtc_state to link training
    - SAUCE: drm/i915: Fix DP link training pattern mask
    - SAUCE: drm/i915: Simplify the link training functions
    - SAUCE: drm/i915: Factor out a helper to disable the DPCD training pattern
    - SAUCE: drm/dp: Add LTTPR helpers
    - SAUCE: drm/i915: Switch to LTTPR transparent mode link training
    - SAUCE: drm/i915: Switch to LTTPR non-transparent mode link training

* switch to an autogenerated nvidia series based core via dkms-versions
    (LP: #1912803)
    - [Packaging] nvidia -- use dkms-versions to define versions built
    - [Packaging] update-version-dkms -- maintain flags fields
    - [Config] dkms-versions -- add transitional/skip information for nvidia
      packages

* Miscellaneous Ubuntu changes
    - [Config] Move some CONFIG_INTERCONNECT_QCOM_* options to different menu
    - SAUCE: selftests/seccomp: Accept any valid fd in user_notification_addfd
    - [Config] updateconfigs following v5.10.11 import
    - abi: gc bdc_pci module
    - zfs-modules.ignore: add zzstd

* Miscellaneous upstream changes
    - selftests/powerpc: Only test lwm/stmw on big endian

-- Paolo Pisati <paolo.pisati@canonical.com>  Fri, 29 Jan 2021 14:23:04 +0100

Changed in linux (Ubuntu):
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntulinux package

overlay: permission regression in 5.4.0-51.56 due to patches related to CVE-2020-16120

Bug Description

CVE References

Other bug subscribers

Bug attachments

Remote bug watches

Ubuntu
linux package