Bug #1968340 “ip6gre driver does not hold device reference” : Bugs : linux package : Ubuntu

Thadeu Lima de Souza Cascardo (cascardo) on 2022-04-08

Changed in linux (Ubuntu Bionic):
importance:	Undecided → Medium
assignee:	nobody → Thadeu Lima de Souza Cascardo (cascardo)
status:	New → In Progress
Changed in linux (Ubuntu):
status:	New → Fix Released

Zachary Tahenakos (ztahenakos) on 2022-04-13

Changed in linux (Ubuntu Bionic):
status:	In Progress → Fix Committed

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2022-04-20:

#1

This bug is awaiting verification that the linux/4.15.0-177.186 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: verification-needed-bionic

Revision history for this message

Thadeu Lima de Souza Cascardo (cascardo) wrote on 2022-05-06:

#2

Fails with the kernel in -updates, 4.15.0-176.

Works with kernel in -proposed, 4.15.0-177.

ubuntu@bionic:~$ uname -r
4.15.0-177-generic
ubuntu@bionic:~$ sudo modprobe ip6_gre
ubuntu@bionic:~$ unshare -Urn true
ubuntu@bionic:~$ unshare -Urn true
ubuntu@bionic:~$ unshare -Urn true
ubuntu@bionic:~$ dmesg | tail -2
[ 14.212867] gre: GRE over IPv4 demultiplexor driver
[ 14.218947] ip6_gre: GRE over IPv6 tunneling driver
ubuntu@bionic:~$

tags:

added: verification-done-bionic
removed: verification-needed-bionic

Revision history for this message

Launchpad Janitor (janitor) wrote on 2022-05-11:

#3

Download full text (12.6 KiB)

This bug was fixed in the package linux - 4.15.0-177.186

---------------
linux (4.15.0-177.186) bionic; urgency=medium

* bionic/linux: 4.15.0-177.186 -proposed tracker (LP: #1969083)

  * Bionic update: upstream stable patchset 2022-04-13 (LP: #1968932)
    - cgroup/cpuset: Fix a race between cpuset_attach() and cpu hotplug
    - vhost/vsock: don't check owner in vhost_vsock_stop() while releasing
    - parisc/unaligned: Fix fldd and fstd unaligned handlers on 32-bit kernel
    - parisc/unaligned: Fix ldw() and stw() unalignment handlers
    - sr9700: sanity check for packet length
    - USB: zaurus: support another broken Zaurus
    - ping: remove pr_err from ping_lookup
    - net: __pskb_pull_tail() & pskb_carve_frag_list() drop_monitor friends
    - gso: do not skip outer ip header in case of ipip and net_failover
    - openvswitch: Fix setting ipv6 fields causing hw csum failure
    - drm/edid: Always set RGB444
    - net/mlx5e: Fix wrong return value on ioctl EEPROM query failure
    - configfs: fix a race in configfs_{,un}register_subsystem()
    - RDMA/ib_srp: Fix a deadlock
    - iio: adc: men_z188_adc: Fix a resource leak in an error handling path
    - ata: pata_hpt37x: disable primary channel on HPT371
    - Revert "USB: serial: ch341: add new Product ID for CH341A"
    - usb: gadget: rndis: add spinlock for rndis response list
    - tracefs: Set the group ownership in apply_options() not parse_options()
    - USB: serial: option: add support for DW5829e
    - USB: serial: option: add Telit LE910R1 compositions
    - usb: dwc3: gadget: Let the interrupt handler disable bottom halves.
    - xhci: re-initialize the HC during resume if HCE was set
    - xhci: Prevent futile URB re-submissions due to incorrect return value.
    - tty: n_gsm: fix encoding of control signal octet bit DV
    - tty: n_gsm: fix proper link termination after failed open
    - Revert "drm/nouveau/pmu/gm200-: avoid touching PMU outside of
      DEVINIT/PREOS/ACR"
    - memblock: use kfree() to release kmalloced memblock regions
    - fget: clarify and improve __fget_files() implementation
    - gpio: tegra186: Fix chip_data type confusion
    - tracing: Have traceon and traceoff trigger honor the instance
    - mac80211_hwsim: report NOACK frames in tx_status
    - mac80211_hwsim: initialize ieee80211_tx_info at hw_scan_work
    - i2c: bcm2835: Avoid clock stretching timeouts
    - Input: clear BTN_RIGHT/MIDDLE on buttonpads
    - cifs: fix double free race when mount fails in cifs_get_root()
    - dmaengine: shdma: Fix runtime PM imbalance on error
    - i2c: cadence: allow COMPILE_TEST
    - i2c: qup: allow COMPILE_TEST
    - net: usb: cdc_mbim: avoid altsetting toggling for Telit FN990
    - usb: gadget: don't release an existing dev->buf
    - usb: gadget: clear related members when goto fail
    - ata: pata_hpt37x: fix PCI clock detection
    - ALSA: intel_hdmi: Fix reference to PCM buffer address
    - ASoC: ops: Shift tested values in snd_soc_put_volsw() by +min
    - xfrm: fix MTU regression
    - netfilter: fix use-after-free in __nf_register_net_hook()
    - xfrm: enforce validity of offload input flags
    - netfilter: nf_queue: don't assume sk ...

This bug was fixed in the package linux - 4.15.0-177.186

---------------
linux (4.15.0-177.186) bionic; urgency=medium

* bionic/linux: 4.15.0-177.186 -proposed tracker (LP: #1969083)

* Bionic update: upstream stable patchset 2022-04-13 (LP: #1968932)
    - cgroup/cpuset: Fix a race between cpuset_attach() and cpu hotplug
    - vhost/vsock: don't check owner in vhost_vsock_stop() while releasing
    - parisc/unaligned: Fix fldd and fstd unaligned handlers on 32-bit kernel
    - parisc/unaligned: Fix ldw() and stw() unalignment handlers
    - sr9700: sanity check for packet length
    - USB: zaurus: support another broken Zaurus
    - ping: remove pr_err from ping_lookup
    - net: __pskb_pull_tail() & pskb_carve_frag_list() drop_monitor friends
    - gso: do not skip outer ip header in case of ipip and net_failover
    - openvswitch: Fix setting ipv6 fields causing hw csum failure
    - drm/edid: Always set RGB444
    - net/mlx5e: Fix wrong return value on ioctl EEPROM query failure
    - configfs: fix a race in configfs_{,un}register_subsystem()
    - RDMA/ib_srp: Fix a deadlock
    - iio: adc: men_z188_adc: Fix a resource leak in an error handling path
    - ata: pata_hpt37x: disable primary channel on HPT371
    - Revert "USB: serial: ch341: add new Product ID for CH341A"
    - usb: gadget: rndis: add spinlock for rndis response list
    - tracefs: Set the group ownership in apply_options() not parse_options()
    - USB: serial: option: add support for DW5829e
    - USB: serial: option: add Telit LE910R1 compositions
    - usb: dwc3: gadget: Let the interrupt handler disable bottom halves.
    - xhci: re-initialize the HC during resume if HCE was set
    - xhci: Prevent futile URB re-submissions due to incorrect return value.
    - tty: n_gsm: fix encoding of control signal octet bit DV
    - tty: n_gsm: fix proper link termination after failed open
    - Revert "drm/nouveau/pmu/gm200-: avoid touching PMU outside of
      DEVINIT/PREOS/ACR"
    - memblock: use kfree() to release kmalloced memblock regions
    - fget: clarify and improve __fget_files() implementation
    - gpio: tegra186: Fix chip_data type confusion
    - tracing: Have traceon and traceoff trigger honor the instance
    - mac80211_hwsim: report NOACK frames in tx_status
    - mac80211_hwsim: initialize ieee80211_tx_info at hw_scan_work
    - i2c: bcm2835: Avoid clock stretching timeouts
    - Input: clear BTN_RIGHT/MIDDLE on buttonpads
    - cifs: fix double free race when mount fails in cifs_get_root()
    - dmaengine: shdma: Fix runtime PM imbalance on error
    - i2c: cadence: allow COMPILE_TEST
    - i2c: qup: allow COMPILE_TEST
    - net: usb: cdc_mbim: avoid altsetting toggling for Telit FN990
    - usb: gadget: don't release an existing dev->buf
    - usb: gadget: clear related members when goto fail
    - ata: pata_hpt37x: fix PCI clock detection
    - ALSA: intel_hdmi: Fix reference to PCM buffer address
    - ASoC: ops: Shift tested values in snd_soc_put_volsw() by +min
    - xfrm: fix MTU regression
    - netfilter: fix use-after-free in __nf_register_net_hook()
    - xfrm: enforce validity of offload input flags
    - netfilter: nf_queue: don't assume sk is full socket
    - netfilter: nf_queue: fix possible use-after-free
    - batman-adv: Request iflink once in batadv-on-batadv check
    - batman-adv: Request iflink once in batadv_get_real_netdevice
    - batman-adv: Don't expect inter-netns unique iflink indices
    - net: dcb: flush lingering app table entries for unregistered devices
    - net/smc: fix unexpected SMC_CLC_DECL_ERR_REGRMB error generated by client
    - net/smc: fix unexpected SMC_CLC_DECL_ERR_REGRMB error cause by server
    - mac80211: fix forwarded mesh frames AC & queue selection
    - net: stmmac: fix return value of __setup handler
    - net: sxgbe: fix return value of __setup handler
    - net: arcnet: com20020: Fix null-ptr-deref in com20020pci_probe()
    - efivars: Respect "block" flag in efivar_entry_set_safe()
    - can: gs_usb: change active_channels's type from atomic_t to u8
    - ARM: 9182/1: mmu: fix returns from early_param() and __setup() functions
    - soc: fsl: qe: Check of ioremap return value
    - net: chelsio: cxgb3: check the return value of pci_find_capability()
    - nl80211: Handle nla_memdup failures in handle_nan_filter
    - Input: elan_i2c - move regulator_[en|dis]able() out of
      elan_[en|dis]able_power()
    - Input: elan_i2c - fix regulator enable count imbalance after suspend/resume
    - HID: add mapping for KEY_ALL_APPLICATIONS
    - memfd: fix F_SEAL_WRITE after shmem huge page allocated
    - net: dcb: disable softirqs in dcbnl_flush_dev()
    - hamradio: fix macro redefine warning
    - arm/arm64: Provide a wrapper for SMCCC 1.1 calls
    - arm/arm64: smccc/psci: add arm_smccc_1_1_get_conduit()
    - ARM: report Spectre v2 status through sysfs
    - ARM: early traps initialisation
    - ARM: use LOADADDR() to get load address of sections
    - [Config] updateconfigs for HARDEN_BRANCH_HISTORY
    - ARM: Spectre-BHB workaround
    - ARM: include unprivileged BPF status in Spectre V2 reporting
    - ARM: fix build error when BPF_SYSCALL is disabled
    - ARM: fix co-processor register typo
    - ARM: Do not use NOCROSSREFS directive with ld.lld
    - ARM: fix build warning in proc-v7-bugs.c
    - xen/xenbus: don't let xenbus_grant_ring() remove grants in error case
    - xen/grant-table: add gnttab_try_end_foreign_access()
    - xen/blkfront: don't use gnttab_query_foreign_access() for mapped status
    - xen/netfront: don't use gnttab_query_foreign_access() for mapped status
    - xen/scsifront: don't use gnttab_query_foreign_access() for mapped status
    - xen/gntalloc: don't use gnttab_query_foreign_access()
    - xen: remove gnttab_query_foreign_access()
    - xen/9p: use alloc/free_pages_exact()
    - xen/gnttab: fix gnttab_end_foreign_access() without page specified
    - xen/netfront: react properly to failing gnttab_end_foreign_access_ref()

* ip6gre driver does not hold device reference (LP: #1968340)
    - ip6_gre: proper dev_{hold|put} in ndo_[un]init methods

* LRMv6: add multi-architecture support (LP: #1968774)
    - [Packaging] resync dkms-build{,--nvidia-N}

* Use kernel-testing repo from launchpad for ADT tests (LP: #1968016)
    - [Debian] Use kernel-testing repo from launchpad

* vmx_ldtr_test in ubuntu_kvm_unit_tests failed (FAIL: Expected 0 for L1 LDTR
    selector (got 50)) (LP: #1956315)
    - KVM: nVMX: Set LDTR to its architecturally defined value on nested VM-Exit

* Bionic update: upstream stable patchset 2022-03-29 (LP: #1967013)
    - moxart: fix potential use-after-free on remove path
    - x86/mm, mm/hwpoison: Fix the unmap kernel 1:1 pages check condition
    - integrity: check the return value of audit_log_start()
    - ima: Remove ima_policy file before directory
    - ima: Allow template selection with ima_template[_fmt]= after ima_hash=
    - mmc: sdhci-of-esdhc: Check for error num after setting mask
    - net: phy: marvell: Fix MDI-x polarity setting in 88e1118-compatible PHYs
    - NFS: Fix initialisation of nfs_client cl_flags field
    - NFSD: Clamp WRITE offsets
    - NFSv4 only print the label when its queried
    - nfs: nfs4clinet: check the return value of kstrdup()
    - NFSv4.1: Fix uninitialised variable in devicenotify
    - NFSv4 remove zero number of fs_locations entries error check
    - NFSv4 expose nfs_parse_server_name function
    - scsi: target: iscsi: Make sure the np under each tpg is unique
    - usb: dwc2: gadget: don't try to disable ep0 in dwc2_hsotg_suspend
    - net: stmmac: dwmac-sun8i: use return val of readl_poll_timeout()
    - Revert "net: axienet: Wait for PhyRstCmplt after core reset"
    - ARM: dts: imx23-evk: Remove MX23_PAD_SSP1_DETECT from hog group
    - ARM: dts: meson: Fix the UART compatible strings
    - staging: fbtft: Fix error path in fbtft_driver_module_init()
    - ARM: dts: imx6qdl-udoo: Properly describe the SD card detect
    - usb: f_fs: Fix use-after-free for epfile
    - bonding: pair enable_port with slave_arr_updates
    - ipmr,ip6mr: acquire RTNL before calling ip[6]mr_free_table() on failure path
    - net: do not keep the dst cache when uncloning an skb dst and its metadata
    - net: fix a memleak when uncloning an skb dst and its metadata
    - tipc: rate limit warning for received illegal binding update
    - net: amd-xgbe: disable interrupts during pci removal
    - vt_ioctl: fix array_index_nospec in vt_setactivate
    - vt_ioctl: add array_index_nospec to VT_ACTIVATE
    - n_tty: wake up poll(POLLRDNORM) on receiving data
    - usb: ulpi: Move of_node_put to ulpi_dev_release
    - usb: ulpi: Call of_node_put correctly
    - usb: dwc3: gadget: Prevent core from processing stale TRBs
    - USB: gadget: validate interface OS descriptor requests
    - usb: gadget: rndis: check size of RNDIS_MSG_SET command
    - USB: serial: ftdi_sio: add support for Brainboxes US-159/235/320
    - USB: serial: option: add ZTE MF286D modem
    - USB: serial: ch341: add support for GW Instek USB2.0-Serial devices
    - USB: serial: cp210x: add NCR Retail IO box id
    - USB: serial: cp210x: add CPI Bulk Coin Recycler id
    - seccomp: Invalidate seccomp mode to catch death failures
    - hwmon: (dell-smm) Speed up setting of fan speed
    - perf: Fix list corruption in perf_cgroup_switch()
    - net: bridge: fix stale eth hdr pointer in br_dev_xmit
    - Makefile.extrawarn: Move -Wunaligned-access to W=1
    - net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup
    - serial: parisc: GSC: fix build when IOSAPIC is not set
    - parisc: Fix data TLB miss in sba_unmap_sg
    - parisc: Fix sglist access in ccio-dma.c
    - btrfs: send: in case of IO error log it
    - net: ieee802154: at86rf230: Stop leaking skb's
    - selftests/zram: Skip max_comp_streams interface on newer kernel
    - selftests/zram01.sh: Fix compression ratio calculation
    - selftests/zram: Adapt the situation that /dev/zram0 is being used
    - ax25: improve the incomplete fix to avoid UAF and NPD bugs
    - vfs: make freeze_super abort when sync_filesystem returns error
    - quota: make dquot_quota_sync return errors from ->sync_fs
    - Revert "module, async: async_synchronize_full() on module init iff async is
      used"
    - iwlwifi: fix use-after-free
    - drm/radeon: Fix backlight control on iMac 12,1
    - xfrm: Don't accidentally set RTO_ONLINK in decode_session4()
    - taskstats: Cleanup the use of task->exit_code
    - vsock: remove vsock from connected table when connect is interrupted by a
      signal
    - iwlwifi: pcie: fix locking when "HW not ready"
    - iwlwifi: pcie: gen2: fix locking when "HW not ready"
    - net: ieee802154: ca8210: Fix lifs/sifs periods
    - ping: fix the dif and sdif check in ping_lookup
    - drop_monitor: fix data-race in dropmon_net_event / trace_napi_poll_hit
    - bonding: fix data-races around agg_select_timer
    - libsubcmd: Fix use-after-free for realloc(..., 0)
    - ALSA: hda: Fix regression on forced probe mask option
    - ALSA: hda: Fix missing codec probe on Shenker Dock 15
    - ASoC: ops: Fix stereo change notifications in snd_soc_put_volsw()
    - ASoC: ops: Fix stereo change notifications in snd_soc_put_volsw_range()
    - powerpc/lib/sstep: fix 'ptesync' build error
    - NFS: LOOKUP_DIRECTORY is also ok with symlinks
    - EDAC: Fix calculation of returned address and next offset in
      edac_align_ptr()
    - net: sched: limit TC_ACT_REPEAT loops
    - dmaengine: sh: rcar-dmac: Check for error num after setting mask
    - i2c: brcmstb: fix support for DSL and CM variants
    - mtd: rawnand: brcmnand: Refactored code to introduce helper functions
    - mtd: rawnand: brcmnand: Fixed incorrect sub-page ECC status
    - KVM: x86/pmu: Use AMD64_RAW_EVENT_MASK for PERF_TYPE_RAW
    - NFS: Do not report writeback errors in nfs_getattr()
    - ARM: OMAP2+: hwmod: Add of_node_put() before break
    - ata: libata-core: Disable TRIM on M88V29
    - tracing: Fix tp_printk option related with tp_printk_stop_on_boot
    - net: usb: qmi_wwan: Add support for Dell DW5829e
    - net: macb: Align the dma and coherent dma masks
    - net: dsa: lan9303: fix reset on probe

* CVE-2022-27223
    - USB: gadget: validate endpoint index for xilinx udc

* CVE-2022-26490
    - nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION

* CVE-2021-26401
    - x86/speculation: Use generic retpoline by default on AMD
    - x86/speculation: Update link to AMD speculation whitepaper
    - x86/speculation: Warn about Spectre v2 LFENCE mitigation
    - x86/speculation: Warn about eIBRS + LFENCE + Unprivileged eBPF + SMT

* CVE-2022-0001
    - x86/speculation: Include unprivileged eBPF status in Spectre v2 mitigation
      reporting

-- Luke Nowakowski-Krijger <luke.nowakowskikrijger@canonical.com>  Thu, 14 Apr 2022 12:09:07 -0700

Changed in linux (Ubuntu Bionic):
status:	Fix Committed → Fix Released

Ubuntu
linux package

ip6gre driver does not hold device reference

Bug Description

CVE References

Other bug subscribers

Remote bug watches

Affects		Status	Importance	Assigned to	Milestone
	linux (Ubuntu)	Fix Released	Undecided	Unassigned
	Bionic	Fix Released	Medium	Thadeu Lima de Souza Cascardo

Ubuntulinux package

ip6gre driver does not hold device reference

Bug Description

CVE References

Other bug subscribers

Remote bug watches

Ubuntu
linux package