This bug was fixed in the package linux - 4.8.0-49.52

---------------
linux (4.8.0-49.52) yakkety; urgency=low

  * linux: 4.8.0-49.52 -proposed tracker (LP: #1684427)

  * [Hyper-V] hv: util: move waiting for release to hv_utils_transport itself (LP: #1682561)
    - Drivers: hv: util: move waiting for release to hv_utils_transport itself

linux (4.8.0-48.51) yakkety; urgency=low

  * linux: 4.8.0-48.51 -proposed tracker (LP: #1682034)

  * [Hyper-V] hv: vmbus: Raise retry/wait limits in vmbus_post_msg() (LP: #1681893)
    - Drivers: hv: vmbus: Raise retry/wait limits in vmbus_post_msg()

linux (4.8.0-47.50) yakkety; urgency=low

  * linux: 4.8.0-47.50 -proposed tracker (LP: #1679678)

  * CVE-2017-6353
    - sctp: deny peeloff operation on asocs with threads sleeping on it

  * CVE-2017-5986
    - sctp: avoid BUG_ON on sctp_wait_for_sndbuf

  * vfat: missing iso8859-1 charset (LP: #1677230)
    - [Config] NLS_ISO8859_1=y

  * [Hyper-V] pci-hyperv: Use device serial number as PCI domain (LP: #1667527)
    - net/mlx4_core: Use cq quota in SRIOV when creating completion EQs

  * Regression: KVM modules should be on main kernel package (LP: #1678099)
    - [Config] powerpc: Add kvm-hv and kvm-pr to the generic inclusion list

  * linux-lts-xenial 4.4.0-63.84~14.04.2 ADT test failure with linux-lts-xenial 4.4.0-63.84~14.04.2 (LP: #1664912)
    - SAUCE: apparmor: fix link auditing failure due to, uninitialized var

  * regession tests failing after stackprofile test is run (LP: #1661030)
    - SAUCE: fix regression with domain change in complain mode

  * Permission denied and inconsistent behavior in complain mode with 'ip netns list' command (LP: #1648903)
    - SAUCE: fix regression with domain change in complain mode

  * unexpected errno=13 and disconnected path when trying to open /proc/1/ns/mnt from a unshared mount namespace (LP: #1656121)
    - SAUCE: apparmor: null profiles should inherit parent control flags

  * apparmor refcount leak of profile namespace when removing profiles (LP: #1660849)
    - SAUCE: apparmor: fix ns ref count link when removing profiles from policy

  * tor in lxd: apparmor="DENIED" operation="change_onexec" namespace="root//CONTAINERNAME_<var-lib-lxd>" profile="unconfined" name="system_tor" (LP: #1648143)
    - SAUCE: apparmor: Fix no_new_privs blocking change_onexec when using stacked namespaces

  * apparmor oops in bind_mnt when dev_path lookup fails (LP: #1660840)
    - SAUCE: apparmor: fix oops in bind_mnt when dev_path lookup fails

  * apparmor auditing denied access of special apparmor .null file (LP: #1660836)
    - SAUCE: apparmor: Don't audit denied access of special apparmor .null file

  * apparmor label leak when new label is unused (LP: #1660834)
    - SAUCE: apparmor: fix label leak when new label is unused

  * apparmor reference count bug in label_merge_insert() (LP: #1660833)
    - SAUCE: apparmor: fix reference count bug in label_merge_insert()

  * apparmor's raw_data file in securityfs is sometimes truncated (LP: #1638996)
    - SAUCE: apparmor: fix replacement race in reading rawdata

  * unix domain socket cross permission check failing with nested namespaces (LP: #1660832)
    - SAUCE: apparmor: fix cross ns perm of unix domain sockets

  * [Hyper-V][Mellanox] net/mlx4_core: Avoid delays during VF driver device shutdown (LP: #1672785)
    - Revert "net/mlx4_en: Avoid unregister_netdev at shutdown flow"
    - net/mlx4_core: Avoid delays during VF driver device shutdown

  * Update ENA driver to 1.1.2 from net-next (LP: #1664312)
    - net: ena: Remove unnecessary pci_set_drvdata()
    - net: ena: Fix error return code in ena_device_init()
    - net: ena: change the return type of ena_set_push_mode() to be void.
    - net: ena: use setup_timer() and mod_timer()
    - net/ena: remove ntuple filter support from device feature list
    - net/ena: fix queues number calculation
    - net/ena: fix ethtool RSS flow configuration
    - net/ena: fix RSS default hash configuration
    - net/ena: fix NULL dereference when removing the driver after device reset failed
    - net/ena: refactor ena_get_stats64 to be atomic context safe
    - net/ena: fix potential access to freed memory during device reset
    - net/ena: use READ_ONCE to access completion descriptors
    - net/ena: reduce the severity of ena printouts
    - net/ena: change driver's default timeouts
    - net/ena: change condition for host attribute configuration
    - net/ena: update driver version to 1.1.2

  * ISST-LTE:pVM:roselp4:ubuntu16.04.2: number of numa_miss and numa_foreign wrong in numastat (LP: #1672953)
    - mm: fix remote numa hits statistics
    - mm: get rid of __GFP_OTHER_NODE

  * Using an NVMe drive causes huge power drain (LP: #1664602)
    - nvme/scsi: Remove power management support
    - nvme: Pass pointers, not dma addresses, to nvme_get/set_features()
    - nvme: introduce struct nvme_request
    - nvme: Add a quirk mechanism that uses identify_ctrl
    - nvme: Enable autonomous power state transitions

  * POWER9: Additional patches for TTY and CPU_IDLE (LP: #1674325)
    - tty: Fix ldisc crash on reopened tty
    - SAUCE: powerpc/powernv/cpuidle: Pass correct drv->cpumask for registration

  * Ubuntu 16.10: Network checksum fixes needed for IPoIB for Mellanox CX4/CX5 card (LP: #1670247)
    - Revert "powerpc: port 64 bits pgtable_cache to 32 bits"
    - powerpc/Makefile: Drop CONFIG_WORD_SIZE for BITS
    - powerpc: port 64 bits pgtable_cache to 32 bits
    - [Config] CONFIG_WORD_SIZE disappeared
    - powerpc/64: Fix checksum folding in csum_tcpudp_nofold and ip_fast_csum_nofold
    - powerpc/64: Use optimized checksum routines on little-endian
    - CONFIG_GENERIC_CSUM=n for ppc64el
    - powerpc/64: Fix checksum folding in csum_add()

  * [Hyper-V] Rebase Hyper-V to the upstream 4.10 kernel (LP: #1670544)
    - PCI: hv: Use device serial number as PCI domain
    - PCI: hv: Fix wslot_to_devfn() to fix warnings on device removal
    - PCI: hv: Use the correct buffer size in new_pcichild_device()
    - scsi: storvsc: Payload buffer incorrectly sized for 32 bit kernels.
    - hv_netvsc: remove excessive logging on MTU change
    - net: centralize net_device min/max MTU checking
    - net: deprecate eth_change_mtu, remove usage
    - net: use core MTU range checking in virt drivers
    - hv_netvsc: fix a race between netvsc_send() and netvsc_init_buf()
    - net: use core MTU range checking in virt drivers
    - tools: hv: fix a compile warning in snprintf
    - tools: hv: remove unnecessary header files and netlink related code
    - vmbus: add support for dynamic device id's
    - Drivers: hv: utils: reduce HV_UTIL_NEGO_TIMEOUT timeout
    - Drivers: hv: utils: Fix the mapping between host version and protocol to use
    - Drivers: hv: vss: Improve log messages.
    - hv: change clockevents unbind tactics
    - Drivers: hv: balloon: Disable hot add when CONFIG_MEMORY_HOTPLUG is not set
    - Drivers: hv: balloon: Fix info request to show max page count
    - Drivers: hv: balloon: Add logging for dynamic memory operations
    - [Config] CONFIG_UIO_HV_GENERIC=m
    - uio-hv-generic: new userspace i/o driver for VMBus
    - hyperv: Fix spelling of HV_UNKOWN
    - Drivers: hv: ring_buffer: count on wrap around mappings in get_next_pkt_raw() (v2)
    - ethernet: use net core MTU range checking in more drivers

  * Kernel linux-image-4.4.0-67-generic prevent the boot on Microsoft Hyper-v 2012r2 Gen2 VM (LP: #1674635)
    - scsi: storvsc: Workaround for virtual DVD SCSI version

  * Enable lspcon on i915 (LP: #1676747)
    - drm: Helper for lspcon in drm_dp_dual_mode
    - drm/i915: Add lspcon support for I915 driver
    - drm/i915: Parse VBT data for lspcon
    - drm/i915: Enable lspcon initialization
    - drm/i915: Add lspcon resume function

  * stress_smoke_test passing and exiting rc=9 (linux 4.9.0-12.13 ADT test failure with linux 4.9.0-12.13) (LP: #1658633)
    - ext4: lock the xattr block before checksuming it

  * ip_rcv_finish() NULL pointer kernel panic (LP: #1672470)
    - (upstream) bridge: drop netfilter fake rtable unconditionally

  * dm-queue-length module is not included in installer/initramfs (LP: #1673350)
    - d-i: Also add dm-queue-length to multipath modules

  * Broadcom bluetooth modules sometimes fail to initialize (LP: #1483101)
    - Bluetooth: btbcm: Add a delay for module reset

  * Need support of Broadcom bluetooth device [413c:8143] (LP: #1166113)
    - Bluetooth: btusb: Add support for 413c:8143

  * Unable to Connect Third HDD via USB Hub (LP: #1663991)
    - mm/slub.c: fix random_seq offset destruction

  * POWER9 : Enable Stop 0-2 with ESL=EC=0 (LP: #1666197)
    - powernv:idle: Add IDLE_STATE_ENTER_SEQ_NORET macro
    - powernv:stop: Rename pnv_arch300_idle_init to pnv_power9_idle_init
    - cpuidle:powernv: Add helper function to populate powernv idle states.
    - powernv: Pass PSSCR value and mask to power9_idle_stop
    - Documentation:powerpc: Add device-tree bindings for power-mgt
    - powerpc/powernv: Fix bug due to labeling ambiguity in power_enter_stop

  * Nvlink2: Additional patches (LP: #1667081)
    - mm: enable CONFIG_MOVABLE_NODE on non-x86 arches
    - of/fdt: mark hotpluggable memory
    - dt: add documentation of "hotpluggable" memory property
    - powerpc/mm: Fix memory hotplug BUG() on radix
    - powerpc/powernv: Initialise nest mmu
    - powerpc/powernv: Use OPAL call for TCE kill on NVLink2
    - powerpc/mm: refactor radix physical page mapping
    - powerpc/mm: add radix__create_section_mapping()
    - powerpc/mm: add radix__remove_section_mapping()
    - powerpc/mm: unstub radix__vmemmap_remove_mapping()
    - [Config] Update CONFIG_MOVABLE_NODE values and annotations
    - [Config] CONFIG_MOVABLE_NODE=n for s390x

  * FC Adapter (LPe32000-based) prints "iotag out of range", goes offline, and delays boot a lot (Ubuntu17.04/Emulex/lpfc)) (LP: #1670490)
    - scsi: lpfc: Correct WQ creation for pagesize
    - scsi: lpfc: Add missing memory barrier

  * CIFS: Call echo service immediately after socket reconnect (LP: #1669941)
    - Call echo service immediately after socket reconnect

  * Kernel: Fix Transactional memory config typo (LP: #1669023)
    - powerpc/process: Fix CONFIG_ALIVEC typo in restore_tm_state()

  * h-prod does not function across cores (LP: #1670726)
    - KVM: PPC: Book3S HV: Fix H_PROD to actually wake the target vcpu

  * [Hyper-V] Missing PCI patches breaking SR-IOV hot remove (LP: #1670518)
    - PCI: hv: Fix hv_pci_remove() for hot-remove
    - PCI: hv: Delete the device earlier from hbus->children for hot-remove
    - PCI: hv: Make unnecessarily global IRQ masking functions static
    - PCI: hv: Allocate physically contiguous hypercall params buffer

  * move aufs.ko from -extra to linux-image package (LP: #1673498)
    - [config] aufs.ko moved to linux-image package

  * POWER9: Improve CAS negotiation (LP: #1671169)
    - powerpc: Parse the command line before calling CAS
    - powerpc: Add missing error check to prom_find_boot_cpu()
    - powerpc/pseries: Advertise HPT resizing support via CAS
    - powerpc/64: Disable use of radix under a hypervisor
    - powerpc/pseries: Advertise Hot Plug Event support to firmware
    - powerpc: Update to new option-vector-5 format for CAS

  * Power9 kernel: add virtualization patches (LP: #1670800)
    - powerpc/fadump: Set core e_flags using kernel's ELF ABI version
    - powerpc/sparse: Add more assembler prototypes
    - powerpc/pasemi: Fix Nemo SB600 i8259 interrupts.
    - powerpc/pasemi: Fix device_type of Nemo SB600 node.
    - powerpc/pseries: Use H_CLEAR_HPT to clear MMU hash table during kexec
    - powerpc/pseries: Move CMO code from plapr_wrappers.h to platforms/pseries
    - powerpc: Fix old style declaration GCC warnings
    - powerpc/pseries: add definitions for new H_SIGNAL_SYS_RESET hcall
    - powerpc/prom: Define structs for client architecture vectors
    - powerpc/prom: Switch to using structs for ibm_architecture_vec
    - tracing: Have the reg function allow to fail
    - powerpc: port 64 bits pgtable_cache to 32 bits
    - powerpc/64: Don't try to use radix MMU under a hypervisor
    - powerpc/pseries: Fixes for the "ibm,architecture-vec-5" options
    - powerpc/64: Enable use of radix MMU under hypervisor on POWER9

  * lsattr 32bit does not work on 64bit kernel (Inappropriate ioctl error) (LP: #1619918)
    - btrfs: fix btrfs_compat_ioctl failures on non-compat ioctls

  * linux-tools-common should Depends: lsb-release (LP: #1667571)
    - [Config] linux-tools-common depends on lsb-release

  * CAPI:Ubuntu: Kernel panic while rebooting (LP: #1667599)
    - pci/hotplug/pnv-php: Remove WARN_ON() in pnv_php_put_slot()

  * Add Use-After-Free Patch for Ubuntu16.10 - EEH on BELL3 adapter fails to recover (serial/tty) (LP: #1669153)
    - 8250_pci: Fix potential use-after-free in error path

  * Request to backport cxlflash patches to Xenial SRU stream (LP: #1623750)
    - scsi: cxlflash: Scan host only after the port is ready for I/O
    - scsi: cxlflash: Fix to avoid EEH and host reset collisions
    - scsi: cxlflash: Improve EEH recovery time

  * FlashGT Integration and Setup: fsbmc30: After 17th reboot of soft bootme, HTX & Linux errors seen with 256 virtual LUNs (LP: #1667239)
    - cxl: Fix coredump generation when cxl_get_fd() is used

  * POWER9: Additional patches for 17.04 and 16.04.2 (LP: #1667116)
    - powerpc/mm: Update PROTFAULT handling in the page fault path
    - powerpc/mm/radix: Update pte update sequence for pte clear case
    - powerpc/mm/radix: Use ptep_get_and_clear_full when clearing pte for full mm
    - powerpc/mm/radix: Skip ptesync in pte update helpers
    - SAUCE: powerpc/mm/hash: Always clear UPRT and Host Radix bits when setting up CPU

  * [Hyper-V] Ubuntu 14.04.2 LTS Generation 2 SCSI Errors on VSS Based Backups (LP: #1470250)
    - Drivers: hv: vss: Operation timeouts should match host expectation
    - SAUCE: Tools: hv: vss: Thaw the filesystem and continue after freeze fails

  * PowerNV: No rate limit for kernel error "KVM can't copy data from" (LP: #1667416)
    - SAUCE: KVM: PPC: Book3S: Ratelimit copy data failure error messages

  * kernel 4.4.0-63 with USB WLAN RTL8192CU freezes desktop (LP: #1666421)
    - rtlwifi: rtl_usb: Fix missing entry in USB driver's private data

  * Export symbol "dev_pm_qos_update_user_latency_tolerance" (LP: #1666401)
    - PM / QoS: Export dev_pm_qos_update_user_latency_tolerance

  * Linux ZFS port doesn't respect RLIMIT_FSIZE (LP: #1656259)
    - SAUCE: (noup) Update zfs to 0.6.5.8-0ubuntu4.2

 -- Stefan Bader <stefan.ba...@canonical.com> Thu, 20 Apr 2017 09:38:36 +0200

--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1672470

Title:
  ip_rcv_finish() NULL pointer kernel panic

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Invalid
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Yakkety:
  Fix Released
Status in linux source package in Zesty:
  Fix Released

Bug description:
  [Impact]

  When using iptables rules affecting bridge traffic, and if affected
  traffic is flowing through bridge while br_netfilter module is loaded
  or unloaded, a kernel panic may occur.

  [Test Case]

  It's difficult to reproduce because of a very small race condition
  window during br_netfilter load/unload when the module is receiving
  traffic but has not yet registered its hooks (or, has unregistered its
  hooks but still has traffic it's processing).
  A system must be set up using a bridge, and iptable netfilter rules
  must be set up to process the bridge traffic. Then the system should
  be rebooted until the problem occurs, or the br_netfilter module
  should be loaded/unloaded until the problem occurs.

  [Regression Potential]

  Changing how the br_netfilter module switches its fake dst for a real
  dst may, if done incorrectly, result in more kernel panics if other
  code tries to process the br_netfilter module's fake dst.

  [Other Info]

  The br_netfilter module processes packets traveling through its
  bridge, and while processing each skb it places a special fake dst
  onto the skb. When the skb leaves the bridge, it removes the fake dst
  and places a real dst onto it. However, it uses a hook to do this, and
  when the br_netfilter module is unloading it unregisters that hook.
  Any skbs that are currently being processed in the bridge by the
  br_netfilter module, but that leave the bridge after the hook is
  unregistered (or, during br_netfilter module load, before the hook is
  registered) will still have the fake dst; when other code then tries
  to process that dst, it causes a kernel panic because the dst is
  invalid.

  Recent upstream discussion:
  https://www.spinics.net/lists/netdev/msg416912.html

  Upstream patch:
  https://patchwork.ozlabs.org/patch/738275/

  upstream commit is a13b2082ece95247779b9995c4e91b4246bed023

  example panic report:

  [ 214.518262] BUG: unable to handle kernel NULL pointer dereference at (null)
  [ 214.612199] IP: [< (null)>] (null)
  [ 214.672744] PGD 0
  [ 214.696887] Oops: 0010 [#1] SMP
  [ 214.735697] Modules linked in: br_netfilter(+) tun 8021q bridge stp llc bonding iTCO_wdt iTCO_vendor_support tpm_tis tpm kvm_intel kvm irqbypass sb_edac edac_core ixgbe mdio ipmi_si ipmi_msghandler lpc_ich mfd_core mousedev evdev igb dca procmemro(O) nokeyctl(O) noptrace(O)
  [ 215.029240] CPU: 34 PID: 0 Comm: swapper/34 Tainted: G O 4.4.39 #1
  [ 215.116720] Hardware name: Cisco Systems Inc UCSC-C220-M3L/UCSC-C220-M3L, BIOS C220M3.2.0.13a.0.0713160937 07/13/16
  [ 215.241644] task: ffff882038fb4380 ti: ffff8810392b0000 task.ti: ffff8810392b0000
  [ 215.331207] RIP: 0010:[<0000000000000000>] [< (null)>] (null)
  [ 215.420877] RSP: 0018:ffff88103fec3880 EFLAGS: 00010286
  [ 215.484436] RAX: ffff881011631000 RBX: ffff881011067100 RCX: 0000000000000000
  [ 215.569836] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff881011067100
  [ 215.655234] RBP: ffff88103fec38a8 R08: 0000000000000008 R09: ffff8810116300a0
  [ 215.740629] R10: 0000000000000000 R11: 0000000000000000 R12: ffff881018917dce
  [ 215.826030] R13: ffffffff81c9be00 R14: ffffffff81c9be00 R15: ffff881011630078
  [ 215.911432] FS: 0000000000000000(0000) GS:ffff88103fec0000(0000) knlGS:0000000000000000
  [ 216.008274] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [ 216.077032] CR2: 0000000000000000 CR3: 0000001011b9d000 CR4: 00000000001406e0
  [ 216.162430] Stack:
  [ 216.186461] ffffffff8157d7f9 ffff881011067100 ffff881018917dce ffff881011630000
  [ 216.275407] ffffffff81c9be00 ffff88103fec3918 ffffffff8157e0db 0000000000000000
  [ 216.364352] 0000000000000000 0000000000000000 0000000000000000 0000000000000000
  [ 216.453301] Call Trace:
  [ 216.482536] <IRQ>
  [ 216.505533] [<ffffffff8157d7f9>] ? ip_rcv_finish+0x99/0x320
  [ 216.575442] [<ffffffff8157e0db>] ip_rcv+0x25b/0x370
  [ 216.634842] [<ffffffff81540e0b>] __netif_receive_skb_core+0x2cb/0xa20
  [ 216.712965] [<ffffffff81541578>] __netif_receive_skb+0x18/0x60
  [ 216.783801] [<ffffffff815415e3>] netif_receive_skb_internal+0x23/0x80
  [ 216.861921] [<ffffffff8154165c>] netif_receive_skb+0x1c/0x70
  [ 216.930686] [<ffffffffa02f6439>] br_handle_frame_finish+0x1b9/0x5b0 [bridge]
  [ 217.016091] [<ffffffff81187a00>] ? ___slab_alloc+0x1d0/0x440
  [ 217.084849] [<ffffffffa0584074>] br_nf_pre_routing_finish+0x174/0x3d0 [br_netfilter]
  [ 217.178568] [<ffffffffa0584c07>] ? br_nf_pre_routing+0x97/0x470 [br_netfilter]
  [ 217.266052] [<ffffffffa02f6280>] ? br_handle_local_finish+0x80/0x80 [bridge]
  [ 217.351450] [<ffffffffa0584d17>] br_nf_pre_routing+0x1a7/0x470 [br_netfilter]
  [ 217.437891] [<ffffffff81572f6d>] nf_iterate+0x5d/0x70
  [ 217.499367] [<ffffffff81572fe4>] nf_hook_slow+0x64/0xc0
  [ 217.562928] [<ffffffffa02f69e9>] br_handle_frame+0x1b9/0x290 [bridge]
  [ 217.641048] [<ffffffffa02f6280>] ? br_handle_local_finish+0x80/0x80 [bridge]
  [ 217.726446] [<ffffffff81540e82>] __netif_receive_skb_core+0x342/0xa20
  [ 217.804566] [<ffffffff815a7916>] ? tcp4_gro_receive+0x126/0x1d0
  [ 217.876445] [<ffffffff815b7446>] ? inet_gro_receive+0x1c6/0x250
  [ 217.948322] [<ffffffff81541578>] __netif_receive_skb+0x18/0x60
  [ 218.019161] [<ffffffff815415e3>] netif_receive_skb_internal+0x23/0x80
  [ 218.097281] [<ffffffff81542213>] napi_gro_receive+0xc3/0x110
  [ 218.166051] [<ffffffffa00a801f>] ixgbe_clean_rx_irq+0x52f/0xa70 [ixgbe]
  [ 218.246255] [<ffffffffa00a9248>] ixgbe_poll+0x438/0x790 [ixgbe]
  [ 218.318131] [<ffffffff81541a6e>] net_rx_action+0x1ee/0x320
  [ 218.384813] [<ffffffff8109c837>] ? handle_irq_event_percpu+0x167/0x1d0
  [ 218.463973] [<ffffffff8105c3c1>] __do_softirq+0x101/0x280
  [ 218.529608] [<ffffffff8105c69e>] irq_exit+0x8e/0x90
  [ 218.589007] [<ffffffff816dd504>] do_IRQ+0x54/0xd0
  [ 218.646323] [<ffffffff816dba02>] common_interrupt+0x82/0x82
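
Added example, not part of the original notification or of the kernel fix: a small triage script that checks whether a captured oops resembles the panic report above (a jump to address 0 under ip_rcv_finish with br_netfilter frames in the trace) and whether br_netfilter was loading or unloading at the time. The function names are hypothetical, the matching rule is a heuristic built from this one report, and the sample text is a constructed excerpt; the "(+)" and "(-)" suffixes are the kernel's markers for a module that is loading or unloading.

```python
import re

# Constructed sample: a shortened excerpt laid out like the panic report above.
SAMPLE_OOPS = """\
[ 214.518262] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 214.735697] Modules linked in: br_netfilter(+) tun 8021q bridge stp llc procmemro(O)
[ 215.331207] RIP: 0010:[<0000000000000000>] [< (null)>] (null)
[ 216.453301] Call Trace:
[ 216.482536] <IRQ>
[ 216.505533] [<ffffffff8157d7f9>] ? ip_rcv_finish+0x99/0x320
[ 216.575442] [<ffffffff8157e0db>] ip_rcv+0x25b/0x370
[ 216.930686] [<ffffffffa02f6439>] br_handle_frame_finish+0x1b9/0x5b0 [bridge]
[ 217.084849] [<ffffffffa0584074>] br_nf_pre_routing_finish+0x174/0x3d0 [br_netfilter]
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s*")
RIP = re.compile(r"RIP: [0-9a-f]+:\[<([0-9a-f]+)>\]")
FRAME = re.compile(
    r"\[<[0-9a-f]+>\]\s+(\?\s+)?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?:\s+\[(\w+)\])?")
MODULE = re.compile(r"([\w-]+)(?:\(([^)]*)\))?")


def parse_oops(text):
    """Extract the faulting RIP, the module list and the call-trace frames."""
    oops = {"rip": None, "modules": {}, "frames": []}
    for raw in text.splitlines():
        line = TS.sub("", raw)
        if line.startswith("Modules linked in:"):
            for tok in line.split(":", 1)[1].split():
                m = MODULE.fullmatch(tok)
                if m:
                    oops["modules"][m.group(1)] = m.group(2) or ""
        elif (m := RIP.search(line)):
            oops["rip"] = int(m.group(1), 16)
        elif (m := FRAME.search(line)):
            # A leading "?" marks a frame the unwinder considers unreliable.
            oops["frames"].append((m.group(2), m.group(3), bool(m.group(1))))
    return oops


def module_transition(oops, name="br_netfilter"):
    """Return 'loading', 'unloading' or None from the module's state flag."""
    flags = oops["modules"].get(name)
    if flags is None:
        return None
    if "+" in flags:
        return "loading"
    if "-" in flags:
        return "unloading"
    return None


def looks_like_fake_dst_panic(oops):
    """Heuristic (assumption): RIP 0, ip_rcv_finish and a br_netfilter frame."""
    symbols = {sym for sym, _mod, _unreliable in oops["frames"]}
    in_br_nf = any(mod == "br_netfilter" for _sym, mod, _u in oops["frames"])
    return oops["rip"] == 0 and "ip_rcv_finish" in symbols and in_br_nf
```

A match only says the trace has the same shape as this report; confirming the bug still means checking that the running kernel predates the fixed package versions listed in the changelog.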