Bug #1837810 “KVM: Fix zero_page reference counter overflow when...” : Bugs : linux package : Ubuntu

Revision history for this message

Launchpad Janitor (janitor) wrote on 2019-07-24:

#1

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in linux (Ubuntu):
status:	New → Confirmed

Pooja Ghumre (pooja-9) wrote on 2019-07-25:

#2

kvm14:/usr/share/doc/qemu-system-x86$ zless changelog.Debian.gz | head
qemu (1:2.11+dfsg-1ubuntu7.10~cloud0) xenial-queens; urgency=medium

* New update for the Ubuntu Cloud Archive.

-- Openstack Ubuntu Testing Bot <email address hidden> Tue, 26 Feb 2019 04:25:15 +0000

tags:

added: xenial

Kaustubh Phatak (kphatak-pf9) wrote on 2019-07-25:

#3

Kernel version on the environment

```Linux kvm14.snn1.pf9.io 4.15.0-46-generic #49~16.04.1-Ubuntu SMP Tue Feb 12 17:45:24 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux```

Matthew Ruffell (mruffell) wrote on 2020-08-07:

#4

Hello @pooja-9, @kphatak-pf9 and @vlee,

You wouldn't happen to have Kernel Samepage Merging (KSM) enabled on your compute nodes, would you?

You can check by looking at the value of:

$ cat /sys/kernel/mm/ksm/run

If it is 1, your nodes have it enabled, and if it is 0 or "missing", you don't have it on.
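
As a minimal sketch of that check, the snippet below wraps it in a small shell function. The name `ksm_state` and its optional path argument are hypothetical, added only so the function can be pointed at a test file. It also reports the value 2, which the kernel's KSM documentation defines as "stop ksmd and unmerge all pages".

```shell
# Report the KSM state from the sysfs control file.
# ksm_state is a hypothetical helper; the optional argument lets you
# point it at a different file for testing.
ksm_state() {
    run_file="${1:-/sys/kernel/mm/ksm/run}"
    if [ ! -r "$run_file" ]; then
        # No control file: KSM is not available on this kernel.
        echo "missing"
        return 0
    fi
    case "$(cat "$run_file")" in
        0) echo "stopped" ;;
        1) echo "running" ;;
        2) echo "stopped, pages unmerged" ;;
        *) echo "unknown" ;;
    esac
}

ksm_state
```

Only the "running" state corresponds to the configuration in which this bug was hit.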

We have just hit the problem, and I think I have found a fix for it. I will fix the 4.15 kernel once I have analysed the problem a bit more.

Matthew Ruffell (mruffell) on 2020-08-14

Changed in linux (Ubuntu Bionic):
status:	New → In Progress
Changed in linux (Ubuntu Focal):
status:	New → In Progress
Changed in linux (Ubuntu):
status:	Confirmed → Fix Released
Changed in linux (Ubuntu Bionic):
importance:	Undecided → Medium
Changed in linux (Ubuntu Focal):
importance:	Undecided → Medium
Changed in linux (Ubuntu Bionic):
assignee:	nobody → Matthew Ruffell (mruffell)
Changed in linux (Ubuntu Focal):
assignee:	nobody → Matthew Ruffell (mruffell)

Matthew Ruffell (mruffell) on 2020-08-14

summary:	- qemu instance gets paused with error: kvm run failed Bad address
+ KVM: Fix zero_page reference counter overflow when using KSM on KVM compute host
description:	updated
tags:	added: bionic focal sts
removed: xenial

Pooja Ghumre (pooja-9) wrote on 2020-08-14:

#5

Thanks for fixing it @mruffell!

Yes, we did have KSM enabled on the hypervisor where we hit this issue.

Matthew Ruffell (mruffell) wrote on 2020-08-16:

#6

Reproducer script to create and destroy VMs (2.1 KiB, text/x-sh)

Attached is a script to create and destroy VMs in a loop, to try and increment the zero_page reference counter.

Matthew Ruffell (mruffell) wrote on 2020-08-16:

#7

kernel module to view zero_page reference counter (2.5 KiB, text/x-csrc)

Attached is a kernel module which lets you see the contents of the zero_page reference counter, and to set it to near overflow.

Ian May (ian-may) on 2020-08-20

Changed in linux (Ubuntu Focal):
status:	In Progress → Fix Committed

Ian May (ian-may) on 2020-08-25

Changed in linux (Ubuntu Bionic):
status:	In Progress → Fix Committed

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2020-08-31:

#8

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: verification-needed-focal

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2020-09-01:

#9

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: verification-needed-bionic

Matthew Ruffell (mruffell) wrote on 2020-09-02:

#10

Verification steps for Bionic:

First, I made sure I could reproduce the problem on 4.15.0-115-generic.

I made a fresh Bionic VM, and copied over the ksm_refcnt_overflow.sh and zero_page_refcount.c files.

I built the kernel module, and inserted it into the kernel.

From there, I checked the zero_page reference counter.

$ sudo insmod zero_page_refcount.ko
[sudo] password for ubuntu: 
ubuntu@ubuntu:~/module$ cat /proc/zero_page_refcount
Zero Page Refcount: 0x1 or 1

From there, in another terminal, I ran the script ksm_refcnt_overflow.sh, and
checked to see VMs were running:

$ virsh list
 Id    Name                           State
----------------------------------------------------
 1     instance-0                     running
 2     instance-1                     running
 3     instance-2                     running
 4     instance-3                     running
 5     instance-4                     running
 
From there, we can see the reference counter increment:

$ cat /proc/zero_page_refcount
Zero Page Refcount: 0x1158 or 4440
ubuntu@ubuntu:~/module$ cat /proc/zero_page_refcount
Zero Page Refcount: 0x1622 or 5666
ubuntu@ubuntu:~/module$ cat /proc/zero_page_refcount
Zero Page Refcount: 0x163a or 5690
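
To put those readings in perspective, here is a rough sketch that computes how many more references fit before a signed 32-bit counter reaches its maximum of 2147483647. The helper name `refcount_headroom` is hypothetical, and the parsing assumes the exact "0x... or N" line format printed by the attached module.

```shell
# Extract the decimal count from a line such as
# "Zero Page Refcount: 0x163a or 5690" and print how many more
# references fit before a signed 32-bit counter hits its maximum.
# refcount_headroom is a hypothetical helper name.
refcount_headroom() {
    # Strip everything up to and including the last " or ".
    count="${1##* or }"
    echo $(( 2147483647 - count ))
}

refcount_headroom "Zero Page Refcount: 0x163a or 5690"
```

At a few thousand references per batch of VMs the headroom is large, which is why the test module sets the counter close to the limit instead of waiting for it to get there.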

I issued the set command, to get it ready to overflow:

$ cat /proc/zero_page_refcount_set
Zero Page Refcount set to 0x1FFFFFFFFF000

I then checked and saw it overflow:

ubuntu@ubuntu:~/module$ cat /proc/zero_page_refcount
Zero Page Refcount: 0x7fffff27 or 2147483431
ubuntu@ubuntu:~/module$ cat /proc/zero_page_refcount
Zero Page Refcount: 0x7fffff92 or 2147483538
ubuntu@ubuntu:~/module$ cat /proc/zero_page_refcount
Zero Page Refcount: 0x80000000 or -2147483648
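
The jump from a large positive value to -2147483648 is ordinary signed 32-bit wraparound: the page reference count is a 32-bit signed integer, so one increment past 0x7fffffff lands on 0x80000000. The sketch below reproduces that interpretation in shell arithmetic. `to_s32` is a hypothetical helper, and it assumes the shell evaluates arithmetic in 64 bits, as bash and dash do on common platforms.

```shell
# Interpret a value as a signed 32-bit integer.
# to_s32 is a hypothetical helper; it assumes 64-bit shell arithmetic.
to_s32() {
    v=$(( $1 & 0xFFFFFFFF ))        # keep the low 32 bits
    if [ "$v" -ge 2147483648 ]; then
        v=$(( v - 4294967296 ))     # top bit set: value is negative
    fi
    echo "$v"
}

to_s32 $(( 0x7fffffff ))        # prints 2147483647
to_s32 $(( 0x7fffffff + 1 ))    # prints -2147483648
```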

Instances became paused, and virtualisation was broken:

$ virsh list
 Id    Name                           State
----------------------------------------------------
 5     instance-4                     paused
 6     instance-5                     paused
 7     instance-6                     paused
 8     instance-7                     paused
 9     instance-0                     paused
 10    instance-1                     paused
 11    instance-2                     paused
 12    instance-3                     paused

From there, we see the usual call trace in dmesg:

https://paste.ubuntu.com/p/wpJkGCH3fJ/

I rebooted, and enabled -proposed. I then installed the 4.15.0-116-generic kernel, and rebooted again.

I rebuilt the zero_page_refcount kernel module with the new headers, and inserted it into the running kernel.

$ uname -rv
4.15.0-116-generic #117-Ubuntu SMP Fri Aug 28 16:04:22 UTC 2020
$ sudo insmod zero_page_refcount.ko
ubuntu@ubuntu:~/module$ cat /proc/zero_page_refcount
Zero Page Refcount: 0x1 or 1

From there, I started the script ksm_refcnt_overflow.sh in another terminal.

We can see that VMs are running:

$ virsh list
 Id    Name                           State
----------------------------------------------------
 1     instance-1                     running
 2     instance-2                     running
 3     instance-3                     running
 4     instance-4                     running

Checking the value of the zero_page reference counter:

$ cat /proc/zero_page_refcount
Zero Page Refcount: 0x1 or 1

We are still at 1. Now attempting to trigger overflow:

$ cat /proc/zero_page_refcount_set
Zero Page Refcount set to 0x1FFFFFFFFF000

$ cat /proc/zero_page_refcount
Zero Page Refcount: 0x7fffff00 or 2147483392
ubuntu@ubuntu:~/module$ cat /proc/zero_page_refcount
Zero Page Refcount: 0x7fffff00 or 2147483392
ubuntu@ubuntu:~/module$ cat /proc/zero_page_refcount
Zero Page Refcount: 0x7fffff00 or 2147483392

The reference counter is never incremented, and will not overflow.

The problem is solved, and I am happy to mark this bug as verified for bionic.

tags:

added: verification-done-bionic
removed: verification-needed-bionic

Matthew Ruffell (mruffell) wrote on 2020-09-02:

#11

Verification steps for focal:

Again, I made sure I can reproduce on the existing 5.4.0-42-generic kernel.

I copied ksm_refcnt_overflow.sh and zero_page_refcount.c to the VM, and built the kernel module, and inserted it into the kernel:

$ sudo insmod zero_page_refcount.ko
$ cat /proc/zero_page_refcount
Zero Page Refcount: 0x1 or 1

From there, I started running ksm_refcnt_overflow.sh in another terminal and checked that VMs were running:

$ virsh list
 Id   Name         State
----------------------------
 1    instance-0   running
 2    instance-1   running
 3    instance-2   running
 
From there, we can see the reference counter increment:

$ cat /proc/zero_page_refcount
Zero Page Refcount: 0x1bd9 or 7129
$ cat /proc/zero_page_refcount
Zero Page Refcount: 0x1f9e or 8094
$ cat /proc/zero_page_refcount
Zero Page Refcount: 0x1fb0 or 8112

From there, I set the reference counter in an attempt to make it overflow:

$ cat /proc/zero_page_refcount
Zero Page Refcount: 0x7fffff15 or 2147483413
$ cat /proc/zero_page_refcount
Zero Page Refcount: 0x80000000 or -2147483648

From there, all VMs became paused:

$ virsh list
 Id    Name         State
----------------------------
 137   instance-0   paused
 138   instance-1   paused
 139   instance-2   paused
 
We see the following oops in dmesg:

https://paste.ubuntu.com/p/3Dc73k9VYy/

I then rebooted the machine, enabled -proposed and installed 5.4.0-46-generic.

$ uname -rv
5.4.0-46-generic #50-Ubuntu SMP Fri Aug 28 15:33:36 UTC 2020

I rebooted, and built a new kernel module with the new headers, and inserted it into the running kernel:

$ sudo insmod zero_page_refcount.ko 
[sudo] password for ubuntu: 
ubuntu@ubuntu:~/module$ cat /proc/zero_page_refcount
Zero Page Refcount: 0x1 or 1

Again, I started the ksm_refcnt_overflow.sh script in another terminal,
and checked to see that VMs were being created:

$ virsh list
 Id   Name         State
----------------------------
 1    instance-0   running
 2    instance-1   running
 
When we check the value of the reference counter, it is still 1 and not incrementing:

$ cat /proc/zero_page_refcount
Zero Page Refcount: 0x1 or 1
$ cat /proc/zero_page_refcount
Zero Page Refcount: 0x1 or 1

When I attempt to trigger overflow:

$ cat /proc/zero_page_refcount_set
Zero Page Refcount set to 0x1FFFFFFFFF000

$ cat /proc/zero_page_refcount
Zero Page Refcount: 0x7fffff00 or 2147483392
$ cat /proc/zero_page_refcount
Zero Page Refcount: 0x7fffff00 or 2147483392

We never overflow. The problem is fixed. Marking the bug as verified for focal.

tags:

added: verification-done-focal
removed: verification-needed-focal

Matthew Ruffell (mruffell) wrote on 2020-09-02:

#12

As requested by the kernel team (in https://lists.ubuntu.com/archives/kernel-team/2020-August/112775.html), I will do some additional testing for this SRU to really make sure it won't cause any regressions.

I provisioned a lab machine on segmaas, running Bionic. I installed the 4.15.0-116-generic kernel from -proposed on it.

I built the zero_page_refcount.c kernel module, and inserted it into the running kernel.

I then got ksm_refcnt_overflow.sh running in a screen session, creating and destroying virtual machines in an infinite loop.

This way we will know the code path has been exercised a fair amount.

I will leave this running creating and destroying virtual machines for a week or so, and I will report back with the results.

Matthew Ruffell (mruffell) wrote on 2020-09-09:

#13

As promised, I have an update on the lab machine I left running ksm_refcnt_overflow.sh for a week straight.

The machine was running 4.15.0-116-generic from -proposed:

$ uname -rv
4.15.0-116-generic #117-Ubuntu SMP Fri Aug 28 16:04:22 UTC 2020
$ uptime
04:36:14 up 7 days, 1 min, 1 user, load average: 3.47, 3.14, 2.97

In that time it has created and destroyed 32,950 virtual machines:

$ virsh list
 Id    Name                           State
----------------------------------------------------
 32945 instance-0                     running
 32946 instance-1                     running
 32947 instance-2                     running
 32948 instance-3                     running
 32949 instance-4                     running

If we look at the current value of the reference counter, it is still set to 1:

$ cat /proc/zero_page_refcount
Zero Page Refcount: 0x1 or 1

I checked /var/log/kern.log, /var/log/syslog and journalctl. There are no oops messages, and the KVM subsystem is stable.

I am shutting the lab machine down now, as I am convinced the patch is stable. This SRU is still verified.

Launchpad Janitor (janitor) wrote on 2020-09-21:

#14

This bug was fixed in the package linux - 4.15.0-118.119

---------------
linux (4.15.0-118.119) bionic; urgency=medium

* bionic/linux: 4.15.0-118.119 -proposed tracker (LP: #1894697)

* Packaging resync (LP: #1786013)
    - update dkms package versions

* Introduce the new NVIDIA 450-server and the 450 UDA series (LP: #1887674)
    - [packaging] add signed modules for nvidia 450 and 450-server

* cgroup refcount is bogus when cgroup_sk_alloc is disabled (LP: #1886860)
    - cgroup: add missing skcd->no_refcnt check in cgroup_sk_clone()

* CVE-2020-12888
    - vfio/type1: Support faulting PFNMAP vmas
    - vfio-pci: Fault mmaps to enable vma tracking
    - vfio-pci: Invalidate mmaps and block MMIO access on disabled memory

*  [Hyper-V] VSS and File Copy daemons intermittently fails to start
    (LP: #1891224)
    - [Packaging] Bind hv_vss_daemon startup to hv_vss device
    - [Packaging] bind hv_fcopy_daemon startup to hv_fcopy device

* KVM: Fix zero_page reference counter overflow when using KSM on KVM compute
    host (LP: #1837810)
    - KVM: fix overflow of zero page refcount with ksm running

* Fix false-negative return value for rtnetlink.sh in kselftests/net
    (LP: #1890136)
    - selftests: rtnetlink: correct the final return value for the test
    - selftests: rtnetlink: make kci_test_encap() return sub-test result

* Bionic update: upstream stable patchset 2020-08-18 (LP: #1892091)
    - USB: serial: qcserial: add EM7305 QDL product ID
    - USB: iowarrior: fix up report size handling for some devices
    - usb: xhci: define IDs for various ASMedia host controllers
    - usb: xhci: Fix ASMedia ASM1142 DMA addressing
    - Revert "ALSA: hda: call runtime_allow() for all hda controllers"
    - ALSA: seq: oss: Serialize ioctls
    - staging: android: ashmem: Fix lockdep warning for write operation
    - Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()
    - Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_evt()
    - Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_with_rssi_evt()
    - omapfb: dss: Fix max fclk divider for omap36xx
    - binder: Prevent context manager from incrementing ref 0
    - vgacon: Fix for missing check in scrollback handling
    - mtd: properly check all write ioctls for permissions
    - leds: wm831x-status: fix use-after-free on unbind
    - leds: da903x: fix use-after-free on unbind
    - leds: lm3533: fix use-after-free on unbind
    - leds: 88pm860x: fix use-after-free on unbind
    - net/9p: validate fds in p9_fd_open
    - drm/nouveau/fbcon: fix module unload when fbcon init has failed for some
      reason
    - drm/nouveau/fbcon: zero-initialise the mode_cmd2 structure
    - i2c: slave: improve sanity check when registering
    - i2c: slave: add sanity check when unregistering
    - usb: hso: check for return value in hso_serial_common_create()
    - firmware: Fix a reference count leak.
    - cfg80211: check vendor command doit pointer before use
    - igb: reinit_locked() should be called with rtnl_lock
    - atm: fix atm_dev refcnt leaks in atmtcp_remove_persistent
    - tools lib traceevent: Fix memory leak in process_dynamic_array_len
    - Drivers: hv: vmbus: Ignore CHANNELMSG_TL_CONNECT_RESULT(23)
    - xattr: break delegations in {set,remove}xattr
    - ipv4: Silence suspicious RCU usage warning
    - ipv6: fix memory leaks on IPV6_ADDRFORM path
    - net: ethernet: mtk_eth_soc: fix MTU warnings
    - vxlan: Ensure FDB dump is performed under RCU
    - net: lan78xx: replace bogus endpoint lookup
    - hv_netvsc: do not use VF device if link is down
    - net: gre: recompute gre csum for sctp over gre tunnels
    - openvswitch: Prevent kernel-infoleak in ovs_ct_put_key()
    - Revert "vxlan: fix tos value before xmit"
    - selftests/net: relax cpu affinity requirement in msg_zerocopy test
    - rxrpc: Fix race between recvmsg and sendmsg on immediate call failure
    - i40e: add num_vectors checker in iwarp handler
    - i40e: Wrong truncation from u16 to u8
    - i40e: Memory leak in i40e_config_iwarp_qvlist
    - Smack: fix use-after-free in smk_write_relabel_self()

* Bionic update: upstream stable patchset 2020-08-11 (LP: #1891228)
    - AX.25: Fix out-of-bounds read in ax25_connect()
    - AX.25: Prevent out-of-bounds read in ax25_sendmsg()
    - dev: Defer free of skbs in flush_backlog
    - drivers/net/wan/x25_asy: Fix to make it work
    - net-sysfs: add a newline when printing 'tx_timeout' by sysfs
    - net: udp: Fix wrong clean up for IS_UDPLITE macro
    - rxrpc: Fix sendmsg() returning EPIPE due to recvmsg() returning ENODATA
    - AX.25: Prevent integer overflows in connect and sendmsg
    - ip6_gre: fix null-ptr-deref in ip6gre_init_net()
    - rtnetlink: Fix memory(net_device) leak when ->newlink fails
    - tcp: allow at most one TLP probe per flight
    - regmap: debugfs: check count when read regmap file
    - qrtr: orphan socket in qrtr_release()
    - sctp: shrink stream outq only when new outcnt < old outcnt
    - sctp: shrink stream outq when fails to do addstream reconf
    - crypto: ccp - Release all allocated memory if sha type is invalid
    - media: rc: prevent memory leak in cx23888_ir_probe
    - iio: imu: adis16400: fix memory leak
    - ath9k_htc: release allocated buffer if timed out
    - ath9k: release allocated buffer if timed out
    - PCI/ASPM: Disable ASPM on ASMedia ASM1083/1085 PCIe-to-PCI bridge
    - wireless: Use offsetof instead of custom macro.
    - ARM: 8986/1: hw_breakpoint: Don't invoke overflow handler on uaccess
      watchpoints
    - drm/amdgpu: Prevent kernel-infoleak in amdgpu_info_ioctl()
    - drm: hold gem reference until object is no longer accessed
    - f2fs: check memory boundary by insane namelen
    - f2fs: check if file namelen exceeds max value
    - 9p/trans_fd: abort p9_read_work if req status changed
    - 9p/trans_fd: Fix concurrency del of req_list in p9_fd_cancelled/p9_read_work
    - x86/build/lto: Fix truncated .bss with -fdata-sections
    - rds: Prevent kernel-infoleak in rds_notify_queue_get()
    - xfs: fix missed wakeup on l_flush_wait
    - net/x25: Fix x25_neigh refcnt leak when x25 disconnect
    - net/x25: Fix null-ptr-deref in x25_disconnect
    - selftests/net: rxtimestamp: fix clang issues for target arch PowerPC
    - sh: Fix validation of system call number
    - net: lan78xx: add missing endpoint sanity check
    - net: lan78xx: fix transfer-buffer memory leak
    - mlx4: disable device on shutdown
    - mlxsw: core: Increase scope of RCU read-side critical section
    - mlxsw: core: Free EMAD transactions using kfree_rcu()
    - ibmvnic: Fix IRQ mapping disposal in error path
    - bpf: Fix map leak in HASH_OF_MAPS map
    - mac80211: mesh: Free ie data when leaving mesh
    - mac80211: mesh: Free pending skb when destroying a mpath
    - arm64/alternatives: move length validation inside the subsection
    - arm64: csum: Fix handling of bad packets
    - usb: hso: Fix debug compile warning on sparc32
    - qed: Disable "MFW indication via attention" SPAM every 5 minutes
    - nfc: s3fwrn5: add missing release on skb in s3fwrn5_recv_frame
    - parisc: add support for cmpxchg on u8 pointers
    - net: ethernet: ravb: exit if re-initialization fails in tx timeout
    - Revert "i2c: cadence: Fix the hold bit setting"
    - x86/unwind/orc: Fix ORC for newly forked tasks
    - cxgb4: add missing release on skb in uld_send()
    - xen-netfront: fix potential deadlock in xennet_remove()
    - KVM: LAPIC: Prevent setting the tscdeadline timer if the lapic is hw
      disabled
    - x86/i8259: Use printk_deferred() to prevent deadlock
    - drm/amdgpu: fix multiple memory leaks in acp_hw_init
    - selftests/net: psock_fanout: fix clang issues for target arch PowerPC
    - net/mlx5: Verify Hardware supports requested ptp function on a given pin
    - random32: update the net random state on interrupt and activity
    - ARM: percpu.h: fix build error
    - random: fix circular include dependency on arm64 after addition of percpu.h
    - random32: remove net_rand_state from the latent entropy gcc plugin
    - random32: move the pseudo-random 32-bit definitions to prandom.h
    - ext4: fix direct I/O read error

-- Kleber Sacilotto de Souza <kleber.souza@canonical.com>  Tue, 08 Sep 2020 12:09:02 +0200

Changed in linux (Ubuntu Bionic):
status:	Fix Committed → Fix Released

Launchpad Janitor (janitor) wrote on 2020-09-21:

#15

This bug was fixed in the package linux - 5.4.0-48.52

---------------
linux (5.4.0-48.52) focal; urgency=medium

* focal/linux: 5.4.0-48.52 -proposed tracker (LP: #1894654)

* mm/slub kernel oops on focal kernel 5.4.0-45 (LP: #1895109)
    - SAUCE: Revert "mm/slub: fix a memory leak in sysfs_slab_add()"

* Packaging resync (LP: #1786013)
    - update dkms package versions
    - update dkms package versions

* Introduce the new NVIDIA 450-server and the 450 UDA series (LP: #1887674)
    - [packaging] add signed modules for nvidia 450 and 450-server

* [UBUNTU 20.04] zPCI attach/detach issues with PF/VF linking support
    (LP: #1892849)
    - s390/pci: fix zpci_bus_link_virtfn()
    - s390/pci: re-introduce zpci_remove_device()
    - s390/pci: fix PF/VF linking on hot plug

* [UBUNTU 20.04] kernel: s390/cpum_cf,perf: change DFLT_CCERROR counter name
    (LP: #1891454)
    - s390/cpum_cf, perf: change DFLT_CCERROR counter name

* [UBUNTU 20.04] zPCI: Enabling of a reserved PCI function regression
    introduced by multi-function support (LP: #1891437)
    - s390/pci: fix enabling a reserved PCI function

* CVE-2020-12888
    - vfio/type1: Support faulting PFNMAP vmas
    - vfio-pci: Fault mmaps to enable vma tracking
    - vfio-pci: Invalidate mmaps and block MMIO access on disabled memory

* [Hyper-V] VSS and File Copy daemons intermittently fails to start
    (LP: #1891224)
    - [Packaging] Bind hv_vss_daemon startup to hv_vss device
    - [Packaging] bind hv_fcopy_daemon startup to hv_fcopy device

* alsa/hdmi: support nvidia mst hdmi/dp audio (LP: #1867704)
    - ALSA: hda - Rename snd_hda_pin_sense to snd_hda_jack_pin_sense
    - ALSA: hda - Add DP-MST jack support
    - ALSA: hda - Add DP-MST support for non-acomp codecs
    - ALSA: hda - Add DP-MST support for NVIDIA codecs
    - ALSA: hda: hdmi - fix regression in connect list handling
    - ALSA: hda: hdmi - fix kernel oops caused by invalid PCM idx
    - ALSA: hda: hdmi - preserve non-MST PCM routing for Intel platforms
    - ALSA: hda: hdmi - Keep old slot assignment behavior for Intel platforms
    - ALSA: hda - Fix DP-MST support for NVIDIA codecs

* Focal update: v5.4.60 upstream stable release (LP: #1892899)
    - smb3: warn on confusing error scenario with sec=krb5
    - genirq/affinity: Make affinity setting if activated opt-in
    - genirq/PM: Always unlock IRQ descriptor in rearm_wake_irq()
    - PCI: hotplug: ACPI: Fix context refcounting in acpiphp_grab_context()
    - PCI: Add device even if driver attach failed
    - PCI: qcom: Define some PARF params needed for ipq8064 SoC
    - PCI: qcom: Add support for tx term offset for rev 2.1.0
    - btrfs: allow use of global block reserve for balance item deletion
    - btrfs: free anon block device right after subvolume deletion
    - btrfs: don't allocate anonymous block device for user invisible roots
    - btrfs: ref-verify: fix memory leak in add_block_entry
    - btrfs: stop incremening log_batch for the log root tree when syncing log
    - btrfs: remove no longer needed use of log_writers for the log root tree
    - btrfs: don't traverse into the seed devices in show_devname
    - btrfs: open device without device_list_mutex
    - btrfs: move the chunk_mutex in btrfs_read_chunk_tree
    - btrfs: relocation: review the call sites which can be interrupted by signal
    - btrfs: add missing check for nocow and compression inode flags
    - btrfs: avoid possible signal interruption of btrfs_drop_snapshot() on
      relocation tree
    - btrfs: sysfs: use NOFS for device creation
    - btrfs: don't WARN if we abort a transaction with EROFS
    - btrfs: fix race between page release and a fast fsync
    - btrfs: fix messages after changing compression level by remount
    - btrfs: only search for left_info if there is no right_info in
      try_merge_free_space
    - btrfs: inode: fix NULL pointer dereference if inode doesn't need compression
    - btrfs: fix memory leaks after failure to lookup checksums during inode
      logging
    - btrfs: make sure SB_I_VERSION doesn't get unset by remount
    - btrfs: fix return value mixup in btrfs_get_extent
    - arm64: perf: Correct the event index in sysfs
    - dt-bindings: iio: io-channel-mux: Fix compatible string in example code
    - iio: dac: ad5592r: fix unbalanced mutex unlocks in ad5592r_read_raw()
    - xtensa: add missing exclusive access state management
    - xtensa: fix xtensa_pmu_setup prototype
    - cifs: Fix leak when handling lease break for cached root fid
    - powerpc/ptdump: Fix build failure in hashpagetable.c
    - powerpc: Allow 4224 bytes of stack expansion for the signal frame
    - powerpc: Fix circular dependency between percpu.h and mmu.h
    - pinctrl: ingenic: Enhance support for IRQ_TYPE_EDGE_BOTH
    - media: vsp1: dl: Fix NULL pointer dereference on unbind
    - net: ethernet: stmmac: Disable hardware multicast filter
    - net: stmmac: dwmac1000: provide multicast filter fallback
    - net/compat: Add missing sock updates for SCM_RIGHTS
    - md/raid5: Fix Force reconstruct-write io stuck in degraded raid5
    - bcache: allocate meta data pages as compound pages
    - bcache: fix overflow in offset_to_stripe()
    - mac80211: fix misplaced while instead of if
    - driver core: Avoid binding drivers to dead devices
    - MIPS: CPU#0 is not hotpluggable
    - MIPS: qi_lb60: Fix routing to audio amplifier
    - ext2: fix missing percpu_counter_inc
    - khugepaged: collapse_pte_mapped_thp() flush the right range
    - khugepaged: collapse_pte_mapped_thp() protect the pmd lock
    - ocfs2: change slot number type s16 to u16
    - mm/page_counter.c: fix protection usage propagation
    - mm/memory_hotplug: fix unpaired mem_hotplug_begin/done
    - ftrace: Setup correct FTRACE_FL_REGS flags for module
    - kprobes: Fix NULL pointer dereference at kprobe_ftrace_handler
    - tracing/hwlat: Honor the tracing_cpumask
    - tracing: Use trace_sched_process_free() instead of exit() for pid tracing
    - tracing: Move pipe reference to trace array instead of current_tracer
    - watchdog: f71808e_wdt: indicate WDIOF_CARDRESET support in
      watchdog_info.options
    - watchdog: f71808e_wdt: remove use of wrong watchdog_info option
    - watchdog: f71808e_wdt: clear watchdog timeout occurred flag
    - ceph: set sec_context xattr on symlink creation
    - ceph: handle zero-length feature mask in session messages
    - pseries: Fix 64 bit logical memory block panic
    - module: Correctly truncate sysfs sections output
    - perf intel-pt: Fix FUP packet state
    - perf intel-pt: Fix duplicate branch after CBR
    - remoteproc: qcom: q6v5: Update running state before requesting stop
    - remoteproc: qcom_q6v5_mss: Validate MBA firmware size before load
    - remoteproc: qcom_q6v5_mss: Validate modem blob firmware size before load
    - drm/imx: imx-ldb: Disable both channels for split mode in enc->disable()
    - orangefs: get rid of knob code...
    - pinctrl: ingenic: Properly detect GPIO direction when configured for IRQ
    - crypto: algif_aead - Only wake up when ctx->more is zero
    - mfd: arizona: Ensure 32k clock is put on driver unbind and error
    - octeontx2-af: change (struct qmem)->entry_sz from u8 to u16
    - mtd: rawnand: fsl_upm: Remove unused mtd var
    - platform/chrome: cros_ec_ishtp: Fix a double-unlock issue
    - RDMA/ipoib: Return void from ipoib_ib_dev_stop()
    - RDMA/ipoib: Fix ABBA deadlock with ipoib_reap_ah()
    - media: rockchip: rga: Introduce color fmt macros and refactor CSC mode logic
    - media: rockchip: rga: Only set output CSC mode for RGB input
    - IB/uverbs: Set IOVA on IB MR in uverbs layer
    - selftests/bpf: Test_progs indicate to shell on non-actions
    - selftests/bpf: test_progs use another shell exit on non-actions
    - USB: serial: ftdi_sio: make process-packet buffer unsigned
    - USB: serial: ftdi_sio: clean up receive processing
    - crypto: af_alg - Fix regression on empty requests
    - devres: keep both device name and resource name in pretty name
    - RDMA/counter: Only bind user QPs in auto mode
    - RDMA/counter: Allow manually bind QPs with different pids to same counter
    - mmc: renesas_sdhi_internal_dmac: clean up the code for dma complete
    - crypto: caam - Remove broken arc4 support
    - gpu: ipu-v3: image-convert: Combine rotate/no-rotate irq handlers
    - gpu: ipu-v3: image-convert: Wait for all EOFs before completing a tile
    - dm rq: don't call blk_mq_queue_stopped() in dm_stop_queue()
    - clk: actions: Fix h_clk for Actions S500 SoC
    - selftests/powerpc: ptrace-pkey: Rename variables to make it easier to follow
      code
    - selftests/powerpc: ptrace-pkey: Update the test to mark an invalid pkey
      correctly
    - selftests/powerpc: ptrace-pkey: Don't update expected UAMOR value
    - iommu/omap: Check for failure of a call to omap_iommu_dump_ctx
    - clk: qcom: gcc: fix sm8150 GPU and NPU clocks
    - clk: qcom: clk-alpha-pll: remove unused/incorrect PLL_CAL_VAL
    - iommu/vt-d: Enforce PASID devTLB field mask
    - i2c: rcar: slave: only send STOP event when we have been addressed
    - clk: qcom: gcc-sdm660: Fix up gcc_mss_mnoc_bimc_axi_clk
    - clk: clk-atlas6: fix return value check in atlas6_clk_init()
    - pwm: bcm-iproc: handle clk_get_rate() return
    - tools build feature: Use CC and CXX from parent
    - i2c: rcar: avoid race when unregistering slave
    - nfs: ensure correct writeback errors are returned on close()
    - ubifs: Fix wrong orphan node deletion in ubifs_jnl_update|rename
    - clk: bcm2835: Do not use prediv with bcm2711's PLLs
    - libnvdimm/security: fix a typo
    - libnvdimm/security: ensure sysfs poll thread woke up and fetch updated attr
    - openrisc: Fix oops caused when dumping stack
    - scsi: lpfc: nvmet: Avoid hang / use-after-free again when destroying
      targetport
    - nfs: nfs_file_write() should check for writeback errors
    - watchdog: initialize device before misc_register
    - md-cluster: Fix potential error pointer dereference in resize_bitmaps()
    - x86/tsr: Fix tsc frequency enumeration bug on Lightning Mountain SoC
    - Input: sentelic - fix error return when fsp_reg_write fails
    - recordmcount: Fix build failure on non arm64
    - drm/vmwgfx: Use correct vmw_legacy_display_unit pointer
    - drm/vmwgfx: Fix two list_for_each loop exit tests
    - net: qcom/emac: add missed clk_disable_unprepare in error path of
      emac_clks_phase1_init
    - nfs: Fix getxattr kernel panic and memory overflow
    - fs/minix: set s_maxbytes correctly
    - fs/minix: fix block limit check for V1 filesystems
    - fs/minix: remove expected error message in block_to_path()
    - fs/ufs: avoid potential u32 multiplication overflow
    - test_kmod: avoid potential double free in trigger_config_run_type()
    - i2c: iproc: fix race between client unreg and isr
    - mfd: dln2: Run event handler loop under spinlock
    - crypto: algif_aead - fix uninitialized ctx->init
    - ALSA: echoaudio: Fix potential Oops in snd_echo_resume()
    - perf bench mem: Always memset source before memcpy
    - tools build feature: Quote CC and CXX for their arguments
    - perf/x86/rapl: Fix missing psys sysfs attributes
    - sh: landisk: Add missing initialization of sh_io_port_base
    - khugepaged: retract_page_tables() remember to test exit
    - arm64: dts: marvell: espressobin: add ethernet alias
    - drm/panfrost: Use kvfree() to free bo->sgts
    - drm: Added orientation quirk for ASUS tablet model T103HAF
    - drm: fix drm_dp_mst_port refcount leaks in drm_dp_mst_allocate_vcpi
    - drm/amdgpu: Fix bug where DPM is not enabled after hibernate and resume
    - drm/amd/display: dchubbub p-state warning during surface planes switch
    - Linux 5.4.60
    - kprobes: Fix compiler warning for !CONFIG_KPROBES_ON_FTRACE

* Focal update: v5.4.59 upstream stable release (LP: #1892417)
    - tracepoint: Mark __tracepoint_string's __used
    - HID: input: Fix devices that return multiple bytes in battery report
    - nvme: add a Identify Namespace Identification Descriptor list quirk
    - fs/io_uring.c: Fix uninitialized variable is referenced in io_submit_sqe
    - clk: qcom: clk-rpmh: Wait for completion when enabling clocks
    - x86/mce/inject: Fix a wrong assignment of i_mce.status
    - sched/fair: Fix NOHZ next idle balance
    - sched: correct SD_flags returned by tl->sd_flags()
    - arm64: dts: rockchip: fix rk3368-lion gmac reset gpio
    - arm64: dts: rockchip: fix rk3399-puma vcc5v0-host gpio
    - arm64: dts: rockchip: fix rk3399-puma gmac reset gpio
    - EDAC: Fix reference count leaks
    - crc-t10dif: Fix potential crypto notify dead-lock
    - arm64: dts: qcom: msm8916: Replace invalid bias-pull-none property
    - crypto: ccree - fix resource leak on error path
    - ARM: exynos: MCPM: Restore big.LITTLE cpuidle support
    - firmware: arm_scmi: Fix SCMI genpd domain probing
    - arm64: dts: exynos: Fix silent hang after boot on Espresso
    - sched/uclamp: Fix initialization of struct uclamp_rq
    - clk: scmi: Fix min and max rate when registering clocks with discrete rates
    - m68k: mac: Don't send IOP message until channel is idle
    - m68k: mac: Fix IOP status/control register writes
    - platform/x86: intel-hid: Fix return value check in check_acpi_dev()
    - platform/x86: intel-vbtn: Fix return value check in check_acpi_dev()
    - ARM: dts: gose: Fix ports node name for adv7180
    - ARM: dts: gose: Fix ports node name for adv7612
    - ARM: at91: pm: add missing put_device() call in at91_pm_sram_init()
    - ARM: dts: sunxi: bananapi-m2-plus-v1.2: Add regulator supply to all CPU
      cores
    - ARM: dts: sunxi: bananapi-m2-plus-v1.2: Fix CPU supply voltages
    - spi: lantiq: fix: Rx overflow error in full duplex mode
    - tpm: Require that all digests are present in TCG_PCR_EVENT2 structures
    - recordmcount: only record relocation of type R_AARCH64_CALL26 on arm64.
    - regulator: fix memory leak on error path of regulator_register()
    - io_uring: fix sq array offset calculation
    - spi: rockchip: Fix error in SPI slave pio read
    - ARM: socfpga: PM: add missing put_device() call in
      socfpga_setup_ocram_self_refresh()
    - iocost: Fix check condition of iocg abs_vdebt
    - irqchip/ti-sci-inta: Fix return value about devm_ioremap_resource()
    - seccomp: Fix ioctl number for SECCOMP_IOCTL_NOTIF_ID_VALID
    - md: raid0/linear: fix dereference before null check on pointer mddev
    - nvme-tcp: fix controller reset hang during traffic
    - nvme-rdma: fix controller reset hang during traffic
    - nvme-multipath: fix logic for non-optimized paths
    - nvme-multipath: do not fall back to __nvme_find_path() for non-optimized
      paths
    - drm/tilcdc: fix leak & null ref in panel_connector_get_modes
    - soc: qcom: rpmh-rsc: Set suppress_bind_attrs flag
    - Bluetooth: add a mutex lock to avoid UAF in do_enale_set
    - loop: be paranoid on exit and prevent new additions / removals
    - fs/btrfs: Add cond_resched() for try_release_extent_mapping() stalls
    - drm/amdgpu: avoid dereferencing a NULL pointer
    - drm/radeon: Fix reference count leaks caused by pm_runtime_get_sync
    - crypto: aesni - Fix build with LLVM_IAS=1
    - video: fbdev: savage: fix memory leak on error handling path in probe
    - video: fbdev: neofb: fix memory leak in neo_scan_monitor()
    - bus: ti-sysc: Add missing quirk flags for usb_host_hs
    - md-cluster: fix wild pointer of unlock_all_bitmaps()
    - drm/nouveau/kms/nv50-: Fix disabling dithering
    - arm64: dts: hisilicon: hikey: fixes to comply with adi, adv7533 DT binding
    - drm/etnaviv: fix ref count leak via pm_runtime_get_sync
    - drm/nouveau: fix reference count leak in nouveau_debugfs_strap_peek
    - drm/nouveau: fix multiple instances of reference count leaks
    - mmc: sdhci-cadence: do not use hardware tuning for SD mode
    - btrfs: fix lockdep splat from btrfs_dump_space_info
    - usb: mtu3: clear dual mode of u3port when disable device
    - drm: msm: a6xx: fix gpu failure after system resume
    - drm/msm: Fix a null pointer access in msm_gem_shrinker_count()
    - drm/debugfs: fix plain echo to connector "force" attribute
    - drm/radeon: disable AGP by default
    - irqchip/irq-mtk-sysirq: Replace spinlock with raw_spinlock
    - mm/mmap.c: Add cond_resched() for exit_mmap() CPU stalls
    - drm/amdgpu/display bail early in dm_pp_get_static_clocks
    - drm/amd/powerplay: fix compile error with ARCH=arc
    - bpf: Fix fds_example SIGSEGV error
    - brcmfmac: keep SDIO watchdog running when console_interval is non-zero
    - brcmfmac: To fix Bss Info flag definition Bug
    - brcmfmac: set state of hanger slot to FREE when flushing PSQ
    - platform/x86: asus-nb-wmi: add support for ASUS ROG Zephyrus G14 and G15
    - iwlegacy: Check the return value of pcie_capability_read_*()
    - gpu: host1x: debug: Fix multiple channels emitting messages simultaneously
    - ionic: update eid test for overflow
    - mmc: sdhci-pci-o2micro: Bug fix for O2 host controller Seabird1
    - usb: gadget: net2280: fix memory leak on probe error handling paths
    - bdc: Fix bug causing crash after multiple disconnects
    - usb: bdc: Halt controller on suspend
    - dyndbg: fix a BUG_ON in ddebug_describe_flags
    - bcache: fix super block seq numbers comparision in register_cache_set()
    - ACPICA: Do not increment operation_region reference counts for field units
    - drm/msm: ratelimit crtc event overflow error
    - drm/gem: Fix a leak in drm_gem_objects_lookup()
    - drm/bridge: ti-sn65dsi86: Clear old error bits before AUX transfers
    - agp/intel: Fix a memory leak on module initialisation failure
    - mwifiex: Fix firmware filename for sd8977 chipset
    - mwifiex: Fix firmware filename for sd8997 chipset
    - btmrvl: Fix firmware filename for sd8977 chipset
    - btmrvl: Fix firmware filename for sd8997 chipset
    - video: fbdev: sm712fb: fix an issue about iounmap for a wrong address
    - console: newport_con: fix an issue about leak related system resources
    - video: pxafb: Fix the function used to balance a 'dma_alloc_coherent()' call
    - ath10k: Acquire tx_lock in tx error paths
    - iio: improve IIO_CONCENTRATION channel type description
    - drm/etnaviv: Fix error path on failure to enable bus clk
    - drm/arm: fix unintentional integer overflow on left shift
    - clk: bcm63xx-gate: fix last clock availability
    - leds: lm355x: avoid enum conversion warning
    - Bluetooth: btusb: fix up firmware download sequence
    - Bluetooth: btmtksdio: fix up firmware download sequence
    - media: cxusb-analog: fix V4L2 dependency
    - media: marvell-ccic: Add missed v4l2_async_notifier_cleanup()
    - media: omap3isp: Add missed v4l2_ctrl_handler_free() for
      preview_init_entities()
    - ASoC: SOF: nocodec: add missing .owner field
    - ASoC: Intel: bxt_rt298: add missing .owner field
    - scsi: cumana_2: Fix different dev_id between request_irq() and free_irq()
    - drm/mipi: use dcs write for mipi_dsi_dcs_set_tear_scanline
    - cxl: Fix kobject memleak
    - drm/radeon: fix array out-of-bounds read and write issues
    - staging: vchiq_arm: Add a matching unregister call
    - iavf: fix error return code in iavf_init_get_resources()
    - iavf: Fix updating statistics
    - RDMA/core: Fix bogus WARN_ON during ib_unregister_device_queued()
    - scsi: powertec: Fix different dev_id between request_irq() and free_irq()
    - scsi: eesox: Fix different dev_id between request_irq() and free_irq()
    - ipvs: allow connection reuse for unconfirmed conntrack
    - media: firewire: Using uninitialized values in node_probe()
    - media: exynos4-is: Add missed check for pinctrl_lookup_state()
    - media: cros-ec-cec: do not bail on device_init_wakeup failure
    - xfs: don't eat an EIO/ENOSPC writeback error when scrubbing data fork
    - xfs: fix reflink quota reservation accounting error
    - RDMA/rxe: Skip dgid check in loopback mode
    - PCI: Fix pci_cfg_wait queue locking problem
    - drm/stm: repair runtime power management
    - kobject: Avoid premature parent object freeing in kobject_cleanup()
    - leds: core: Flush scheduled work for system suspend
    - drm: panel: simple: Fix bpc for LG LB070WV8 panel
    - phy: exynos5-usbdrd: Calibrating makes sense only for USB2.0 PHY
    - drm/bridge: sil_sii8620: initialize return of sii8620_readb
    - scsi: scsi_debug: Add check for sdebug_max_queue during module init
    - mwifiex: Prevent memory corruption handling keys
    - kernfs: do not call fsnotify() with name without a parent
    - powerpc/rtas: don't online CPUs for partition suspend
    - powerpc/vdso: Fix vdso cpu truncation
    - RDMA/qedr: SRQ's bug fixes
    - RDMA/rxe: Prevent access to wr->next ptr afrer wr is posted to send queue
    - ima: Have the LSM free its audit rule
    - staging: rtl8192u: fix a dubious looking mask before a shift
    - ASoC: meson: fixes the missed kfree() for axg_card_add_tdm_loopback
    - PCI/ASPM: Add missing newline in sysfs 'policy'
    - phy: renesas: rcar-gen3-usb2: move irq registration to init
    - powerpc/book3s64/pkeys: Use PVR check instead of cpu feature
    - drm/imx: fix use after free
    - drm/imx: tve: fix regulator_disable error path
    - gpu: ipu-v3: Restore RGB32, BGR32
    - spi: lantiq-ssc: Fix warning by using WQ_MEM_RECLAIM
    - USB: serial: iuu_phoenix: fix led-activity helpers
    - usb: core: fix quirks_param_set() writing to a const pointer
    - thermal: ti-soc-thermal: Fix reversed condition in
      ti_thermal_expose_sensor()
    - coresight: tmc: Fix TMC mode read in tmc_read_unprepare_etb()
    - powerpc/perf: Fix missing is_sier_aviable() during build
    - mt76: mt7615: fix potential memory leak in mcu message handler
    - phy: armada-38x: fix NETA lockup when repeatedly switching speeds
    - MIPS: OCTEON: add missing put_device() call in dwc3_octeon_device_init()
    - usb: dwc2: Fix error path in gadget registration
    - usb: gadget: f_uac2: fix AC Interface Header Descriptor wTotalLength
    - scsi: megaraid_sas: Clear affinity hint
    - scsi: mesh: Fix panic after host or bus reset
    - net: dsa: mv88e6xxx: MV88E6097 does not support jumbo configuration
    - macintosh/via-macii: Access autopoll_devs when inside lock
    - PCI: cadence: Fix updating Vendor ID and Subsystem Vendor ID register
    - RDMA/core: Fix return error value in _ib_modify_qp() to negative
    - Smack: fix another vsscanf out of bounds
    - Smack: prevent underflow in smk_set_cipso()
    - power: supply: check if calc_soc succeeded in pm860x_init_battery
    - Bluetooth: hci_h5: Set HCI_UART_RESET_ON_INIT to correct flags
    - Bluetooth: hci_serdev: Only unregister device if it was registered
    - net: dsa: rtl8366: Fix VLAN semantics
    - net: dsa: rtl8366: Fix VLAN set-up
    - xfs: fix inode allocation block res calculation precedence
    - selftests/powerpc: Squash spurious errors due to device removal
    - powerpc/32s: Fix CONFIG_BOOK3S_601 uses
    - powerpc/boot: Fix CONFIG_PPC_MPC52XX references
    - selftests/powerpc: Fix CPU affinity for child process
    - RDMA/netlink: Remove CAP_NET_RAW check when dump a raw QP
    - PCI: Release IVRS table in AMD ACS quirk
    - [Config] update config for ARMADA_AP_CPU_CLK
    - cpufreq: ap806: fix cpufreq driver needs ap cpu clk
    - selftests/powerpc: Fix online CPU selection
    - ASoC: meson: axg-tdm-interface: fix link fmt setup
    - ASoC: meson: axg-tdmin: fix g12a skew
    - ASoC: meson: axg-tdm-formatters: fix sclk inversion
    - ASoC: fsl_sai: Fix value of FSL_SAI_CR1_RFW_MASK
    - s390/qeth: don't process empty bridge port events
    - ice: Graceful error handling in HW table calloc failure
    - rtw88: fix LDPC field for RA info
    - rtw88: fix short GI capability based on current bandwidth
    - rtw88: coex: only skip coex triggered by BT info
    - wl1251: fix always return 0 error
    - tools, build: Propagate build failures from tools/build/Makefile.build
    - tools, bpftool: Fix wrong return value in do_dump()
    - net/mlx5: DR, Change push vlan action sequence
    - net/mlx5: Delete extra dump stack that gives nothing
    - net: ethernet: aquantia: Fix wrong return value
    - liquidio: Fix wrong return value in cn23xx_get_pf_num()
    - net: spider_net: Fix the size used in a 'dma_free_coherent()' call
    - fsl/fman: use 32-bit unsigned integer
    - fsl/fman: fix dereference null return value
    - fsl/fman: fix unreachable code
    - fsl/fman: check dereferencing null pointer
    - fsl/fman: fix eth hash table allocation
    - net: thunderx: initialize VF's mailbox mutex before first usage
    - dlm: Fix kobject memleak
    - ocfs2: fix unbalanced locking
    - pinctrl-single: fix pcs_parse_pinconf() return value
    - svcrdma: Fix page leak in svc_rdma_recv_read_chunk()
    - x86/fsgsbase/64: Fix NULL deref in 86_fsgsbase_read_task
    - crypto: aesni - add compatibility with IAS
    - af_packet: TPACKET_V3: fix fill status rwlock imbalance
    - drivers/net/wan/lapbether: Added needed_headroom and a skb->len check
    - net: Fix potential memory leak in proto_register()
    - net/nfc/rawsock.c: add CAP_NET_RAW check.
    - net: phy: fix memory leak in device-create error path
    - net: Set fput_needed iff FDPUT_FPUT is set
    - net/tls: Fix kmap usage
    - vmxnet3: use correct tcp hdr length when packet is encapsulated
    - net: refactor bind_bucket fastreuse into helper
    - net: initialize fastreuse on inet_inherit_port
    - USB: serial: cp210x: re-enable auto-RTS on open
    - USB: serial: cp210x: enable usb generic throttle/unthrottle
    - ALSA: hda - fix the micmute led status for Lenovo ThinkCentre AIO
    - ALSA: usb-audio: Creative USB X-Fi Pro SB1095 volume knob support
    - ALSA: usb-audio: fix overeager device match for MacroSilicon MS2109
    - ALSA: usb-audio: work around streaming quirk for MacroSilicon MS2109
    - 9p: Fix memory leak in v9fs_mount
    - media: media-request: Fix crash if memory allocation fails
    - drm/ttm/nouveau: don't call tt destroy callback on alloc failure.
    - io_uring: set ctx sq/cq entry count earlier
    - NFS: Don't move layouts to plh_return_segs list while in use
    - NFS: Don't return layout segments that are in use
    - cpufreq: Fix locking issues with governors
    - cpufreq: dt: fix oops on armada37xx
    - include/asm-generic/vmlinux.lds.h: align ro_after_init
    - spi: spidev: Align buffers for DMA
    - mtd: rawnand: qcom: avoid write to unavailable register
    - erofs: fix extended inode could cross boundary
    - Revert "parisc: Drop LDCW barrier in CAS code when running UP"
    - Revert "parisc: Use ldcw instruction for SMP spinlock release barrier"
    - Revert "parisc: Revert "Release spinlocks using ordered store""
    - parisc: Do not use an ordered store in pa_tlb_lock()
    - parisc: Implement __smp_store_release and __smp_load_acquire barriers
    - parisc: mask out enable and reserved bits from sba imask
    - ARM: 8992/1: Fix unwind_frame for clang-built kernels
    - irqdomain/treewide: Free firmware node after domain removal
    - ALSA: usb-audio: add quirk for Pioneer DDJ-RB
    - tpm: Unify the mismatching TPM space buffer sizes
    - pstore: Fix linking when crypto API disabled
    - crypto: hisilicon - don't sleep of CRYPTO_TFM_REQ_MAY_SLEEP was not
      specified
    - crypto: qat - fix double free in qat_uclo_create_batch_init_list
    - crypto: ccp - Fix use of merged scatterlists
    - crypto: cpt - don't sleep of CRYPTO_TFM_REQ_MAY_SLEEP was not specified
    - bitfield.h: don't compile-time validate _val in FIELD_FIT
    - fs/minix: check return value of sb_getblk()
    - fs/minix: don't allow getting deleted inodes
    - fs/minix: reject too-large maximum file size
    - xen/balloon: fix accounting in alloc_xenballooned_pages error path
    - xen/balloon: make the balloon wait interruptible
    - xen/gntdev: Fix dmabuf import with non-zero sgt offset
    - s390/dasd: fix inability to use DASD with DIAG driver
    - s390/gmap: improve THP splitting
    - io_uring: Fix NULL pointer dereference in loop_rw_iter()
    - Linux 5.4.59

* Regression on NFS: unable to handle page fault in mempool_alloc_slab
    (LP: #1886277) // Focal update: v5.4.59 upstream stable release
    (LP: #1892417)
    - SUNRPC: Fix ("SUNRPC: Add "@len" parameter to gss_unwrap()")

* Focal update: v5.4.59 upstream stable release (LP: #1892417) //
    CVE-2019-19770 which shows this issue is not a core debugfs issue, but
    - blktrace: fix debugfs use after free

* update ENA driver for LLQ acceleration mode, new hw support (LP: #1890845)
    - net: ena: change num_queues to num_io_queues for clarity and consistency
    - net: ena: multiple queue creation related cleanups
    - net: ena: ethtool: get_channels: use combined only
    - net: ena: make ethtool -l show correct max number of queues
    - net: ena: remove redundant print of number of queues
    - net: ena: ethtool: support set_channels callback
    - net: ena: implement XDP drop support
    - net: ena: Implement XDP_TX action
    - net: ena: Add first_interrupt field to napi struct
    - net: ena: fix default tx interrupt moderation interval
    - net: ena: remove set but not used variable 'rx_ring'
    - net: ena: remove set but not used variable 'hash_key'
    - net: ena: ethtool: remove redundant non-zero check on rc
    - net/amazon: Ensure that driver version is aligned to the linux kernel
    - net: ena: fix broken interface between ENA driver and FW
    - net: ena: ethtool: clean up minor indentation issue
    - net: ena: fix incorrect setting of the number of msix vectors
    - net: ena: fix request of incorrect number of IRQ vectors
    - net: ena: avoid memory access violation by validating req_id properly
    - net: ena: fix continuous keep-alive resets
    - net: ena: Make some functions static
    - net: ena: avoid unnecessary admin command when RSS function set fails
    - net: ena: allow setting the hash function without changing the key
    - net: ena: change default RSS hash function to Toeplitz
    - net: ena: changes to RSS hash key allocation
    - net: ena: remove code that does nothing
    - net: ena: add unmask interrupts statistics to ethtool
    - net: ena: add support for reporting of packet drops
    - net: ena: drop superfluous prototype
    - net: ena: use SHUTDOWN as reset reason when closing interface
    - net: ena: cosmetic: remove unnecessary spaces and tabs in ena_com.h macros
    - net: ena: cosmetic: extract code to ena_indirection_table_set()
    - net: ena: add support for the rx offset feature
    - net: ena: rename ena_com_free_desc to make API more uniform
    - net: ena: use explicit variable size for clarity
    - net: ena: fix ena_com_comp_status_to_errno() return value
    - net: ena: simplify ena_com_update_intr_delay_resolution()
    - net: ena: cosmetic: set queue sizes to u32 for consistency
    - net: ena: cosmetic: fix spelling and grammar mistakes in comments
    - net: ena: cosmetic: fix line break issues
    - net: ena: cosmetic: remove unnecessary code
    - net: ena: cosmetic: code reorderings
    - net: ena: cosmetic: fix spacing issues
    - net: ena: cosmetic: minor code changes
    - net: ena: reduce driver load time
    - net: ena: xdp: XDP_TX: fix memory leak
    - net: ena: xdp: update napi budget for DROP and ABORTED
    - ena_netdev: use generic power management
    - net: ena: Fix using plain integer as NULL pointer in ena_init_napi_in_range
    - net: ena: avoid unnecessary rearming of interrupt vector when busy-polling
    - net: ena: add reserved PCI device ID
    - net: ena: cosmetic: satisfy gcc warning
    - net: ena: cosmetic: change ena_com_stats_admin stats to u64
    - net: ena: add support for traffic mirroring
    - net: ena: enable support of rss hash key and function changes
    - net: ena: move llq configuration from ena_probe to ena_device_init()
    - net: ena: support new LLQ acceleration mode

* [SRU] Fix acpi backlight issue on some thinkpads (LP: #1892010)
    - platform/x86: thinkpad_acpi: not loading brightness_init when _BCL invalid

* [SRU][F/OEM-5.6] add a new OLED panel support for brightness control
    (LP: #1887909)
    - drm/dp: Lenovo X13 Yoga OLED panel brightness fix

* Realtek [10ec:c82f] Subsystem [17aa:c02f] Wifi adapter not found
    (LP: #1886247)
    - SAUCE: rtw88: 8822ce: add support for device ID 0xc82f

* KVM: Fix zero_page reference counter overflow when using KSM on KVM compute
    host (LP: #1837810)
    - KVM: fix overflow of zero page refcount with ksm running

* Fix missing HDMI Audio on another HP Desktop (LP: #1891617)
    - ALSA: hda/hdmi: Use force connectivity quirk on another HP desktop

* alsa/sof: support 1 and 3 dmics (LP: #1891585)
    - SAUCE: ASoC: SOF: intel: hda: support also devices with 1 and 3 dmics

* tcp_fastopen_backup_key.sh from net in ubuntu_kernel_selftests failed on
    Eoan LPAR (LP: #1869134)
    - tcp: correct read of TFO keys on big endian systems

* Fix false-negative return value for rtnetlink.sh in kselftests/net
    (LP: #1890136)
    - selftests: rtnetlink: correct the final return value for the test
    - selftests: rtnetlink: make kci_test_encap() return sub-test result

* Focal update: v5.4.58 upstream stable release (LP: #1891387)
    - USB: serial: qcserial: add EM7305 QDL product ID
    - perf/core: Fix endless multiplex timer
    - USB: iowarrior: fix up report size handling for some devices
    - usb: xhci: define IDs for various ASMedia host controllers
    - usb: xhci: Fix ASMedia ASM1142 DMA addressing
    - io_uring: prevent re-read of sqe->opcode
    - io_uring: Fix use-after-free in io_sq_wq_submit_work()
    - Revert "ALSA: hda: call runtime_allow() for all hda controllers"
    - ALSA: hda/realtek: Add alc269/alc662 pin-tables for Loongson-3 laptops
    - ALSA: hda/ca0132 - Add new quirk ID for Recon3D.
    - ALSA: hda/ca0132 - Fix ZxR Headphone gain control get value.
    - ALSA: hda/ca0132 - Fix AE-5 microphone selection commands.
    - ALSA: seq: oss: Serialize ioctls
    - staging: android: ashmem: Fix lockdep warning for write operation
    - staging: rtl8712: handle firmware load failure
    - Staging: rtl8188eu: rtw_mlme: Fix uninitialized variable authmode
    - Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()
    - Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_evt()
    - Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_with_rssi_evt()
    - omapfb: dss: Fix max fclk divider for omap36xx
    - binder: Prevent context manager from incrementing ref 0
    - Smack: fix use-after-free in smk_write_relabel_self()
    - scripts: add dummy report mode to add_namespace.cocci
    - vgacon: Fix for missing check in scrollback handling
    - mtd: properly check all write ioctls for permissions
    - leds: wm831x-status: fix use-after-free on unbind
    - leds: lm36274: fix use-after-free on unbind
    - leds: da903x: fix use-after-free on unbind
    - leds: lm3533: fix use-after-free on unbind
    - leds: 88pm860x: fix use-after-free on unbind
    - net/9p: validate fds in p9_fd_open
    - drm/nouveau/fbcon: fix module unload when fbcon init has failed for some
      reason
    - drm/nouveau/fbcon: zero-initialise the mode_cmd2 structure
    - drm/drm_fb_helper: fix fbdev with sparc64
    - i2c: slave: improve sanity check when registering
    - i2c: slave: add sanity check when unregistering
    - usb: hso: check for return value in hso_serial_common_create()
    - net: ethernet: mtk_eth_soc: Always call mtk_gmac0_rgmii_adjust() for mt7623
    - ALSA: hda: fix NULL pointer dereference during suspend
    - firmware: Fix a reference count leak.
    - cfg80211: check vendor command doit pointer before use
    - igb: reinit_locked() should be called with rtnl_lock
    - atm: fix atm_dev refcnt leaks in atmtcp_remove_persistent
    - tools lib traceevent: Fix memory leak in process_dynamic_array_len
    - Drivers: hv: vmbus: Ignore CHANNELMSG_TL_CONNECT_RESULT(23)
    - xattr: break delegations in {set,remove}xattr
    - Revert "powerpc/kasan: Fix shadow pages allocation failure"
    - PCI: tegra: Revert tegra124 raw_violation_fixup
    - ipv4: Silence suspicious RCU usage warning
    - ipv6: fix memory leaks on IPV6_ADDRFORM path
    - ipv6: Fix nexthop refcnt leak when creating ipv6 route info
    - net: ethernet: mtk_eth_soc: fix MTU warnings
    - rxrpc: Fix race between recvmsg and sendmsg on immediate call failure
    - vxlan: Ensure FDB dump is performed under RCU
    - net: lan78xx: replace bogus endpoint lookup
    - appletalk: Fix atalk_proc_init() return path
    - dpaa2-eth: Fix passing zero to 'PTR_ERR' warning
    - hv_netvsc: do not use VF device if link is down
    - net: gre: recompute gre csum for sctp over gre tunnels
    - net: thunderx: use spin_lock_bh in nicvf_set_rx_mode_task()
    - openvswitch: Prevent kernel-infoleak in ovs_ct_put_key()
    - Revert "vxlan: fix tos value before xmit"
    - tcp: apply a floor of 1 for RTT samples from TCP timestamps
    - ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime
    - [Config] update annotations for IMA_APPRAISE_BOOTPARAM
    - nfsd: Fix NFSv4 READ on RDMA when using readv
    - Linux 5.4.58

* Focal update: v5.4.57 upstream stable release (LP: #1891064)
    - random32: update the net random state on interrupt and activity
    - ARM: percpu.h: fix build error
    - random: fix circular include dependency on arm64 after addition of percpu.h
    - random32: remove net_rand_state from the latent entropy gcc plugin
    - random32: move the pseudo-random 32-bit definitions to prandom.h
    - arm64: Workaround circular dependency in pointer_auth.h
    - ext4: fix direct I/O read error
    - selftests: bpf: Fix detach from sockmap tests
    - bpf: sockmap: Require attach_bpf_fd when detaching a program
    - Linux 5.4.57

* Focal update: v5.4.56 upstream stable release (LP: #1891063)
    - crypto: ccp - Release all allocated memory if sha type is invalid
    - media: rc: prevent memory leak in cx23888_ir_probe
    - sunrpc: check that domain table is empty at module unload.
    - ath10k: enable transmit data ack RSSI for QCA9884
    - PCI/ASPM: Disable ASPM on ASMedia ASM1083/1085 PCIe-to-PCI bridge
    - mm/filemap.c: don't bother dropping mmap_sem for zero size readahead
    - ALSA: usb-audio: Add implicit feedback quirk for SSL2
    - ALSA: hda/realtek: enable headset mic of ASUS ROG Zephyrus G15(GA502) series
      with ALC289
    - ALSA: hda/realtek: typo_fix: enable headset mic of ASUS ROG Zephyrus
      G14(GA401) series with ALC289
    - ALSA: hda/realtek: Fix add a "ultra_low_power" function for intel reference
      board (alc256)
    - ALSA: hda/hdmi: Fix keep_power assignment for non-component devices
    - IB/rdmavt: Fix RQ counting issues causing use of an invalid RWQE
    - vhost/scsi: fix up req type endian-ness
    - 9p/trans_fd: Fix concurrency del of req_list in p9_fd_cancelled/p9_read_work
    - wireless: Use offsetof instead of custom macro.
    - ARM: 8986/1: hw_breakpoint: Don't invoke overflow handler on uaccess
      watchpoints
    - ARM: dts: imx6sx-sabreauto: Fix the phy-mode on fec2
    - ARM: dts: imx6sx-sdb: Fix the phy-mode on fec2
    - ARM: dts: imx6qdl-icore: Fix OTG_ID pin and sdcard detect
    - virtio_balloon: fix up endian-ness for free cmd id
    - Revert "drm/amdgpu: Fix NULL dereference in dpm sysfs handlers"
    - drm/amd/display: Clear dm_state for fast updates
    - drm/amdgpu: Prevent kernel-infoleak in amdgpu_info_ioctl()
    - drm/dbi: Fix SPI Type 1 (9-bit) transfer
    - drm: hold gem reference until object is no longer accessed
    - rds: Prevent kernel-infoleak in rds_notify_queue_get()
    - libtraceevent: Fix build with binutils 2.35
    - net/x25: Fix x25_neigh refcnt leak when x25 disconnect
    - net/x25: Fix null-ptr-deref in x25_disconnect
    - ARM: dts sunxi: Relax a bit the CMA pool allocation range
    - xfrm: Fix crash when the hold queue is used.
    - ARM: dts: armada-38x: fix NETA lockup when repeatedly switching speeds
    - nvme-tcp: fix possible hang waiting for icresp response
    - selftests/net: rxtimestamp: fix clang issues for target arch PowerPC
    - selftests/net: psock_fanout: fix clang issues for target arch PowerPC
    - selftests/net: so_txtime: fix clang issues for target arch PowerPC
    - sh/tlb: Fix PGTABLE_LEVELS > 2
    - sh: Fix validation of system call number
    - net: hns3: fix a TX timeout issue
    - net: hns3: fix aRFS FD rules leftover after add a user FD rule
    - net/mlx5: E-switch, Destroy TSAR when fail to enable the mode
    - net/mlx5e: Fix error path of device attach
    - net/mlx5: Verify Hardware supports requested ptp function on a given pin
    - net/mlx5e: Modify uplink state on interface up/down
    - net/mlx5e: Fix kernel crash when setting vf VLANID on a VF dev
    - net: lan78xx: add missing endpoint sanity check
    - net: lan78xx: fix transfer-buffer memory leak
    - rhashtable: Fix unprotected RCU dereference in __rht_ptr
    - mlx4: disable device on shutdown
    - mlxsw: core: Increase scope of RCU read-side critical section
    - mlxsw: core: Free EMAD transactions using kfree_rcu()
    - ibmvnic: Fix IRQ mapping disposal in error path
    - bpf: Fix map leak in HASH_OF_MAPS map
    - mac80211: mesh: Free ie data when leaving mesh
    - mac80211: mesh: Free pending skb when destroying a mpath
    - arm64/alternatives: move length validation inside the subsection
    - arm64: csum: Fix handling of bad packets
    - Bluetooth: fix kernel oops in store_pending_adv_report
    - net: nixge: fix potential memory leak in nixge_probe()
    - net: gemini: Fix missing clk_disable_unprepare() in error path of
      gemini_ethernet_port_probe()
    - net/mlx5e: fix bpf_prog reference count leaks in mlx5e_alloc_rq
    - perf tools: Fix record failure when mixed with ARM SPE event
    - vxlan: fix memleak of fdb
    - usb: hso: Fix debug compile warning on sparc32
    - selftests: fib_nexthop_multiprefix: fix cleanup() netns deletion
    - qed: Disable "MFW indication via attention" SPAM every 5 minutes
    - selftests: net: ip_defrag: modprobe missing nf_defrag_ipv6 support
    - nfc: s3fwrn5: add missing release on skb in s3fwrn5_recv_frame
    - scsi: core: Run queue in case of I/O resource contention failure
    - parisc: add support for cmpxchg on u8 pointers
    - net: ethernet: ravb: exit if re-initialization fails in tx timeout
    - Revert "i2c: cadence: Fix the hold bit setting"
    - x86/unwind/orc: Fix ORC for newly forked tasks
    - x86/stacktrace: Fix reliable check for empty user task stacks
    - cxgb4: add missing release on skb in uld_send()
    - xen-netfront: fix potential deadlock in xennet_remove()
    - RISC-V: Set maximum number of mapped pages correctly
    - drivers/net/wan: lapb: Corrected the usage of skb_cow
    - KVM: arm64: Don't inherit exec permission across page-table levels
    - KVM: LAPIC: Prevent setting the tscdeadline timer if the lapic is hw
      disabled
    - x86/i8259: Use printk_deferred() to prevent deadlock
    - perf tests bp_account: Make global variable static
    - perf env: Do not return pointers to local variables
    - perf bench: Share some global variables to fix build with gcc 10
    - Linux 5.4.56

-- Kleber Sacilotto de Souza <kleber.souza@canonical.com>  Thu, 10 Sep 2020 12:12:09 +0200

Changed in linux (Ubuntu Focal):
status:	Fix Committed → Fix Released

Revision history for this message

norman shen (jshen28) wrote on 2021-05-16:

#16

Interestingly, I hit this warning without KSM enabled:

```console
# cat /sys/kernel/mm/ksm/run
0
# uname -a
Linux compute12 4.15.0-72-generic #81-Ubuntu SMP Tue Nov 26 12:20:02 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.3 LTS
Release:        18.04
Codename:       bionic
```

The log is:

[Sat May 15 11:28:32 2021] WARNING: CPU: 31 PID: 3196546 at /build/linux-E6MDAa/linux-4.15.0/include/linux/mm.h:857 follow_page_pte+0x663/0x6d0
[Sat May 15 11:28:32 2021] Modules linked in: nls_iso8859_1 act_police cls_u32 sch_ingress cls_fw sch_sfq sch_htb ip6table_raw xt_CT xt_mac vhost_net vhost tap ebtable_filter ebtables ip6table_filter devlink vxlan ip6_udp_tunnel udp_tunnel ip_gre gre xt_multiport xt_set iptable_raw iptable_mangle ip_set_hash_net ip_set_hash_ip ip_set ipip tunnel4 ip_tunnel veth xt_statistic xt_physdev xt_nat xt_recent ipt_REJECT nf_reject_ipv4 xt_tcpudp xt_addrtype ip_vs_sh ip_vs_wrr ip_vs_rr ip_vs ip6table_nat ip6_tables xt_comment xt_mark iptable_filter xt_conntrack nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat aufs rbd libceph overlay openvswitch nsh nf_conntrack_ipv6 nf_nat_ipv6 nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_defrag_ipv6 nf_nat bonding dm_service_time dm_multipath
[Sat May 15 11:28:32 2021]  scsi_dh_rdac scsi_dh_emc scsi_dh_alua intel_rapl skx_edac x86_pkg_temp_thermal coretemp kvm_intel kvm irqbypass intel_cstate intel_rapl_perf ipmi_ssif ioatdma joydev input_leds acpi_power_meter mei_me mei shpchp mac_hid ipmi_si ipmi_devintf ipmi_msghandler lpc_ich sch_fq_codel nf_conntrack ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi br_netfilter bridge stp llc ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear ses enclosure scsi_transport_sas hid_generic crct10dif_pclmul crc32_pclmul usbhid ghash_clmulni_intel hid pcbc lpfc aesni_intel aes_x86_64 nvmet_fc crypto_simd ast glue_helper nvmet cryptd nvme_fc ttm nvme_fabrics
[Sat May 15 11:28:32 2021]  igb nvme_core drm_kms_helper dca scsi_transport_fc syscopyarea i2c_algo_bit sysfillrect sysimgblt i40e aacraid fb_sys_fops drm ptp pps_core ahci libahci wmi
[Sat May 15 11:28:32 2021] CPU: 31 PID: 3196546 Comm: CPU 2/KVM Not tainted 4.15.0-72-generic #81-Ubuntu
[Sat May 15 11:28:32 2021] Hardware name: Inspur NF5280M5/YZMB-00882-104, BIOS 4.0.8 10/17/2018
[Sat May 15 11:28:32 2021] RIP: 0010:follow_page_pte+0x663/0x6d0
[Sat May 15 11:28:32 2021] RSP: 0018:ffffb1eff4e5b8f8 EFLAGS: 00010286
[Sat May 15 11:28:32 2021] RAX: ffffe041b58cba40 RBX: ffffe043fed90cf0 RCX: 0000000080000000
[Sat May 15 11:28:32 2021] RDX: ffffe041b58cba40 RSI: 00007f7306766000 RDI: 8000000d632e9225
[Sat May 15 11:28:32 2021] RBP: ffffb1eff4e5b960 R08: 8000000d632e9225 R09: ffffa0249cceb1e0
[Sat May 15 11:28:32 2021] R10: 0000000000000000 R11: ffffb1eff4e5ba8c R12: ffffe041b58cba40
[Sat May 15 11:28:32 2021] R13: 00003ffffffff000 R14: 0000000000000326 R15: ffffa076af75a198
[Sat May 15 11:28:32 2021] FS:  00007f73f48ee700(0000) GS:ffffa0947f2c0000(0000) knlGS:fffff88001e81000
[Sat May 15 11:28:32 2021] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[Sat May 15 11:28:32 2021] CR2: fffff8a016819000 CR3: 0000004e72518004 CR4: 00000000007626e0
[Sat May 15 11:28:32 2021] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[Sat May 15 11:28:32 2021] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[Sat May 15 11:28:32 2021] PKRU: 55555554
[Sat May 15 11:28:32 2021] Call Trace:
[Sat May 15 11:28:32 2021]  follow_pmd_mask+0x209/0x640
[Sat May 15 11:28:32 2021]  follow_page_mask+0x17a/0x210
[Sat May 15 11:28:32 2021]  __get_user_pages+0x18c/0x720
[Sat May 15 11:28:32 2021]  get_user_pages+0x42/0x50
[Sat May 15 11:28:32 2021]  __gfn_to_pfn_memslot+0x126/0x410 [kvm]
[Sat May 15 11:28:32 2021]  try_async_pf+0x66/0x1f0 [kvm]
[Sat May 15 11:28:32 2021]  tdp_page_fault+0x138/0x290 [kvm]
[Sat May 15 11:28:32 2021]  ? vmexit_fill_RSB+0x1c/0x40 [kvm_intel]
[Sat May 15 11:28:32 2021]  kvm_mmu_page_fault+0x62/0x160 [kvm]
[Sat May 15 11:28:32 2021]  handle_ept_violation+0xbb/0x150 [kvm_intel]
[Sat May 15 11:28:32 2021]  vmx_handle_exit+0xb3/0xe80 [kvm_intel]
[Sat May 15 11:28:32 2021]  ? vmexit_fill_RSB+0x1c/0x40 [kvm_intel]
[Sat May 15 11:28:32 2021]  ? vmexit_fill_RSB+0x10/0x40 [kvm_intel]
[Sat May 15 11:28:32 2021]  ? vmexit_fill_RSB+0x1c/0x40 [kvm_intel]
[Sat May 15 11:28:32 2021]  ? vmexit_fill_RSB+0x10/0x40 [kvm_intel]
[Sat May 15 11:28:32 2021]  ? vmx_vcpu_run+0x3fa/0x600 [kvm_intel]
[Sat May 15 11:28:32 2021]  vcpu_enter_guest+0x424/0x1260 [kvm]
[Sat May 15 11:28:32 2021]  ? __schedule+0x256/0x880
[Sat May 15 11:28:32 2021]  kvm_arch_vcpu_ioctl_run+0x203/0x3e0 [kvm]
[Sat May 15 11:28:32 2021]  ? kvm_arch_vcpu_ioctl_run+0x203/0x3e0 [kvm]
[Sat May 15 11:28:32 2021]  kvm_vcpu_ioctl+0x2a6/0x620 [kvm]
[Sat May 15 11:28:32 2021]  ? do_futex+0x185/0x590
[Sat May 15 11:28:32 2021]  do_vfs_ioctl+0xa8/0x630
[Sat May 15 11:28:32 2021]  ? SyS_futex+0x13b/0x180
[Sat May 15 11:28:32 2021]  SyS_ioctl+0x79/0x90
[Sat May 15 11:28:32 2021]  ? fire_user_return_notifiers+0x3e/0x50
[Sat May 15 11:28:32 2021]  do_syscall_64+0x73/0x130
[Sat May 15 11:28:32 2021]  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[Sat May 15 11:28:32 2021] RIP: 0033:0x7f73ff02f5d7
[Sat May 15 11:28:32 2021] RSP: 002b:00007f73f48ed818 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[Sat May 15 11:28:32 2021] RAX: ffffffffffffffda RBX: 000000000000ae80 RCX: 00007f73ff02f5d7
[Sat May 15 11:28:32 2021] RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000017
[Sat May 15 11:28:32 2021] RBP: 000055d6a736d3f0 R08: 000055d6a5edf270 R09: 000000000000ffff
[Sat May 15 11:28:32 2021] R10: 000000000000000c R11: 0000000000000246 R12: 0000000000000000
[Sat May 15 11:28:32 2021] R13: 00007f7404cd6000 R14: 0000000000000000 R15: 000055d6a736d3f0
[Sat May 15 11:28:32 2021] Code: 20 41 bd ef ff ff ff 48 39 c8 74 17 48 8b 45 d0 48 8b 75 c0 48 8b 55 b8 48 8b 78 40 e8 f7 c8 e5 ff 66 90 4d 63 e5 e9 1e fd ff ff <0f> 0b 49 c7 c4 f4 ff ff ff e9 10 fd ff ff f0 48 83 2f 01 0f 85 
[Sat May 15 11:28:32 2021] ---[ end trace 5685e985b988fffa ]---

Revision history for this message

Matthew Ruffell (mruffell) wrote on 2021-05-17:

#17

Hi Jiatong,

Thanks for emailing me, happy to answer questions anytime.

> 1. why linux-hwe-4.15.0 source code is used?

If you look closely at the oops in the description, the customer I was working with was running:

4.15.0-106-generic #107~16.04.1-Ubuntu
 
This is the Xenial (16.04) HWE kernel. I was using the linux-hwe-4.15.0 source code to make sure the debug symbols used for the debug symbol package matched exactly.

In your case:

4.15.0-72-generic #81-Ubuntu

you are running the 4.15 kernel on normal Bionic (18.04), so we can use the normal linux-4.15.0 source code.

> 2. we are using linux-4.15.0-unsigned and by skimming through the source code, looks like try_get_page is not defined at that time?

Yes! You are correct, the original mainline 4.15 kernel did not have try_get_page() defined at:

https://elixir.bootlin.com/linux/v4.15/source/mm/gup.c#L156

But if you look closely at the actual kernel sources for 4.15.0-72-generic:

https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/bionic/tree/mm/gup.c?h=Ubuntu-4.15.0-72.81#n156

We see that try_get_page() is there. That is because we backported:

commit 8fde12ca79aff9b5ba951fce1a2641901b8d8e64
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Thu Apr 11 10:49:19 2019 -0700
Subject: mm: prevent get_user_pages() from overflowing page refcount
Link: https://github.com/torvalds/linux/commit/8fde12ca79aff9b5ba951fce1a2641901b8d8e64

Ubuntu 4.15 backport link: https://paste.ubuntu.com/p/2bF5WWQy2r/

That commit first turned up in 4.15.0-59-generic, via upstream-stable.

Anyway, let's have a look at your stack trace:

4.15.0-72-generic #81-Ubuntu
RIP: 0010:follow_page_pte+0x663/0x6d0

I downloaded the debug symbols:

http://ddebs.ubuntu.com/ubuntu/pool/main/l/linux/linux-image-unsigned-4.15.0-72-generic-dbgsym_4.15.0-72.81_amd64.ddeb

Extracted them:

dpkg -x linux-image-unsigned-4.15.0-72-generic-dbgsym_4.15.0-72.81_amd64.ddeb debug

and looked up:

$ eu-addr2line -e ./vmlinux-4.15.0-72-generic -f follow_page_pte+0x663
try_get_page inlined at /build/linux-E6MDAa/linux-4.15.0/mm/gup.c:156 in follow_page_pte
/build/linux-E6MDAa/linux-4.15.0/mm/gup.c:138
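
In case the `symbol+offset/size` notation on the RIP line is unfamiliar, the sketch below splits such a string into its three parts. It is purely illustrative: `struct rip_location` and `parse_rip()` are hypothetical names made up for this example, not part of the kernel or of elfutils.

```c
#include <assert.h>
#include <stdio.h>

/* Hypothetical helper type: the pieces of a "symbol+0xOFF/0xSIZE" string. */
struct rip_location {
    char symbol[64];
    unsigned long offset; /* bytes from the start of the function */
    unsigned long size;   /* total size of the function in bytes */
};

/* Returns 1 on success, 0 if the text does not match the expected form. */
int parse_rip(const char *text, struct rip_location *out)
{
    assert(text != NULL && out != NULL);
    /* %63[^+] reads the symbol name up to the '+'; %lx accepts a 0x prefix. */
    return sscanf(text, "%63[^+]+%lx/%lx",
                  out->symbol, &out->offset, &out->size) == 3;
}
```

Passing `"follow_page_pte+0x663/0x6d0"` gives symbol `follow_page_pte`, offset `0x663`, and size `0x6d0`. The symbol and offset are what eu-addr2line needs to find the source line.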

We see that you hit try_get_page() in mm/gup.c:156

155     if (flags & FOLL_GET) {
156         if (unlikely(!try_get_page(page))) {
157             page = ERR_PTR(-ENOMEM);
158             goto out;
159         }
 
Looking at try_get_page() in include/linux/mm.h:

854 static inline __must_check bool try_get_page(struct page *page)
855 {
856     page = compound_head(page);
857     if (WARN_ON_ONCE(page_ref_count(page) <= 0))
858         return false;
859     page_ref_inc(page);
860     return true;
861 }
 
We see that you hit the exact same WARN_ON_ONCE() for page_ref_count(page) <= 0.
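
To make that check concrete, here is a minimal userspace model of the guard. It is only a sketch under stated assumptions: `struct fake_page`, `model_try_get_page()` and `model_put_page()` are hypothetical stand-ins, a plain 32-bit integer replaces the kernel's atomic counter, and the one-time warning is left out.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-in for struct page; only the refcount is modelled. */
struct fake_page {
    int32_t refcount;
};

/* Mirrors the guard: refuse to take a reference if the count is <= 0. */
bool model_try_get_page(struct fake_page *page)
{
    assert(page != NULL);
    if (page->refcount <= 0)
        return false; /* the kernel would also warn once here */
    /* Unsigned add keeps wrap-around well defined in this model. */
    page->refcount = (int32_t)((uint32_t)page->refcount + 1u);
    return true;
}

/* Drops one reference with no sanity checking (an assumption of this model). */
void model_put_page(struct fake_page *page)
{
    assert(page != NULL);
    page->refcount = (int32_t)((uint32_t)page->refcount - 1u);
}
```

In this model, a page that starts at 1 and sees one more put than get ends up at 0 or below. Every later `model_try_get_page()` call then returns false, which corresponds to the -ENOMEM path in mm/gup.c shown earlier.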

So, whatever page you are trying to access has its reference counter in the negatives, which suggests that it has either wrapped around or been decremented too many times.

Looking at your error log, I can't tell for sure if it is the zero_page, but it's quite likely going to be. The zero_page is a frequently used page in the system, and it is used outside of KSM; it's just that KSM is a heavy user of the zero_page. If you are constantly allocating large amounts of new memory, you will be using the zero_page much as KSM does, and the reference counter will eventually overflow.
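
As a rough illustration of that overflow, assume the counter behaves like a 32-bit signed integer that wraps around, which is my understanding of the page refcount on x86_64. The helper below computes where the count lands after a given number of extra references that are never dropped. `refcount_after()` is a hypothetical name used only for this sketch.

```c
#include <assert.h>
#include <stdint.h>

/*
 * Model of a wrapping 32-bit refcount: returns the value of the counter
 * after `extra_refs` increments, starting from `start`.
 */
int32_t refcount_after(int32_t start, uint64_t extra_refs)
{
    assert(start > 0); /* a live page starts with a positive count */
    /*
     * Unsigned arithmetic wraps modulo 2^32. The cast back to int32_t
     * reinterprets the bits as signed (wraps on GCC and Clang).
     */
    return (int32_t)((uint32_t)start + (uint32_t)extra_refs);
}
```

Starting from 1, it takes 2^31 - 1 leaked references to push the counter to INT32_MIN under this model. After that, a `<= 0` check fails on every new attempt to take a reference.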

I think there is a good chance that the fix I submitted in 4.15.0-118-generic will solve your problems. Please run "apt update" and "apt upgrade" to move to a newer kernel, the newer the better, and it will most likely fix the problem.

Let me know if you have any more questions.

Thanks,
Matthew

Revision history for this message

norman shen (jshen28) wrote on 2023-04-11:

#18

Thank you very much for the reply. Another question: when try_get_page() fails, follow_page_pte() returns -ENOMEM, but the KVM error is "bad address", which corresponds to EFAULT. Why does the QEMU error log say "bad address"?

	Status	Importance	Assigned to
linux (Ubuntu)	Fix Released	Undecided	Unassigned
Bionic	Fix Released	Medium	Matthew Ruffell
Focal	Fix Released	Medium	Matthew Ruffell