This bug was fixed in the package linux - 4.10.0-22.24
---------------
linux (4.10.0-22.24) zesty; urgency=low
* linux: 4.10.0-22.24 -proposed tracker (LP: #1691146)
* Fix NVLINK2 TCE route (LP: #1690155)
- powerpc/powernv: Fix TCE kill on NVLink2
* CVE-2017-0605
- tracing: Use strlcpy() instead of strcpy() in __trace_find_cmdline()
* perf: qcom: Add L3 cache PMU driver (LP: #1689856)
- [Config] CONFIG_QCOM_L3_PMU=y
- perf: qcom: Add L3 cache PMU driver
* No PMU support for ACPI-based arm64 systems (LP: #1689661)
- drivers/perf: arm_pmu: rework per-cpu allocation
- drivers/perf: arm_pmu: manage interrupts per-cpu
- drivers/perf: arm_pmu: split irq request from enable
- drivers/perf: arm_pmu: remove pointless PMU disabling
- drivers/perf: arm_pmu: define armpmu_init_fn
- drivers/perf: arm_pmu: fold init into alloc
- drivers/perf: arm_pmu: factor out pmu registration
- drivers/perf: arm_pmu: simplify cpu_pmu_request_irqs()
- drivers/perf: arm_pmu: handle no platform_device
- drivers/perf: arm_pmu: rename irq request/free functions
- drivers/perf: arm_pmu: split cpu-local irq request/free
- drivers/perf: arm_pmu: move irq request/free into probe
- drivers/perf: arm_pmu: split out platform device probe logic
- arm64: add function to get a cpu's MADT GICC table
- [Config] CONFIG_ARM_PMU_ACPI=y
- drivers/perf: arm_pmu: add ACPI framework
- arm64: pmuv3: handle !PMUv3 when probing
- arm64: pmuv3: use arm_pmu ACPI framework
* [SRU][Zesty]QDF2400 kernel oops on ipmitool fru write 0 fru.bin
(LP: #1689886)
- ipmi: Fix kernel panic at ipmi_ssif_thread()
* tty: pl011: fix earlycon work-around for QDF2400 erratum 44 (LP: #1689818)
- tty: pl011: fix earlycon work-around for QDF2400 erratum 44
- tty: pl011: use "qdf2400_e44" as the earlycon name for QDF2400 E44
* kernel-wedge fails in artful due to leftover squashfs-modules d-i files
(LP: #1688259)
- Remove squashfs-modules files from d-i
- [Config] as squashfs-modules is builtin kernel-image must Provides: it
* arm64/ACPI support for SBSA watchdog (LP: #1688114)
- clocksource: arm_arch_timer: clean up printk usage
- clocksource: arm_arch_timer: rename type macros
- clocksource: arm_arch_timer: rename the PPI enum
- clocksource: arm_arch_timer: move enums and defines to header file
- clocksource: arm_arch_timer: add a new enum for spi type
- clocksource: arm_arch_timer: rework PPI selection
- clocksource: arm_arch_timer: split dt-only rate handling
- clocksource: arm_arch_timer: refactor arch_timer_needs_probing
- clocksource: arm_arch_timer: move arch_timer_needs_of_probing into DT init
call
- clocksource: arm_arch_timer: add structs to describe MMIO timer
- clocksource: arm_arch_timer: split MMIO timer probing.
- [Config] CONFIG_ACPI_GTDT=y
- acpi/arm64: Add GTDT table parse driver
- clocksource: arm_arch_timer: simplify ACPI support code.
- acpi/arm64: Add memory-mapped timer support in GTDT driver
- clocksource: arm_arch_timer: add GTDT support for memory-mapped timer
- acpi/arm64: Add SBSA Generic Watchdog support in GTDT driver
* kernel BUG at /build/linux-7LGLH_/linux-4.10.0/include/linux/swapops.h:129
(LP: #1674838)
- Revert "mm/ksm: handle protnone saved writes when making page write
protect"
- Revert "mm, ksm: convert write_protect_page() to use
page_vma_mapped_walk()"
- Revert "mm: introduce page_vma_mapped_walk()"
- mm/ksm: handle protnone saved writes when making page write protect
* arm64: Add CNTFRQ_EL0 handler (LP: #1688164)
- arm64: Add CNTFRQ_EL0 trap handler
* Support IPMI system interface on Cavium ThunderX (LP: #1688132)
- i2c: thunderx: Enable HWMON class probing
* Update ENA driver to 1.1.2 from net-next (LP: #1664312)
- net/ena: remove ntuple filter support from device feature list
- net/ena: fix queues number calculation
- net/ena: fix ethtool RSS flow configuration
- net/ena: fix RSS default hash configuration
- net/ena: fix NULL dereference when removing the driver after device reset
failed
- net/ena: refactor ena_get_stats64 to be atomic context safe
- net/ena: fix potential access to freed memory during device reset
- net/ena: use READ_ONCE to access completion descriptors
- net/ena: reduce the severity of ena printouts
- net/ena: change driver's default timeouts
- net/ena: change condition for host attribute configuration
- net/ena: update driver version to 1.1.2
* Zesty update to 4.10.15 stable release (LP: #1689258)
- timerfd: Protect the might cancel mechanism proper
- Handle mismatched open calls
- hwmon: (it87) Avoid registering the same chip on both SIO addresses
- dm ioctl: prevent stack leak in dm ioctl call
- Linux 4.10.15
* Zesty update to 4.10.14 stable release (LP: #1688499)
- ping: implement proper locking
- sparc64: kern_addr_valid regression
- sparc64: Fix kernel panic due to erroneous #ifdef surrounding pmd_write()
- net: neigh: guard against NULL solicit() method
- net: phy: handle state correctly in phy_stop_machine
- kcm: return immediately after copy_from_user() failure
- secure_seq: downgrade to per-host timestamp offsets
- bpf: improve verifier packet range checks
- Revert "UBUNTU: SAUCE: (no-up) net/mlx5: Avoid dereferencing uninitialized
pointer"
- net/mlx5: Avoid dereferencing uninitialized pointer
- l2tp: hold tunnel socket when handling control frames in l2tp_ip and
l2tp_ip6
- l2tp: purge socket queues in the .destruct() callback
- openvswitch: Fix ovs_flow_key_update()
- l2tp: take reference on sessions being dumped
- l2tp: fix PPP pseudo-wire auto-loading
- net: ipv4: fix multipath RTM_GETROUTE behavior when iif is given
- sctp: listen on the sock only when it's state is listening or closed
- tcp: clear saved_syn in tcp_disconnect()
- ipv6: Fix idev->addr_list corruption
- net-timestamp: avoid use-after-free in ip_recv_error
- net: vrf: Fix setting NLM_F_EXCL flag when adding l3mdev rule
- sh_eth: unmap DMA buffers when freeing rings
- ipv6: sr: fix out-of-bounds access in SRH validation
- dp83640: don't recieve time stamps twice
- ipv6: sr: fix double free of skb after handling invalid SRH
- ipv6: fix source routing
- gso: Validate assumption of frag_list segementation
- net: ipv6: RTF_PCPU should not be settable from userspace
- netpoll: Check for skb->queue_mapping
- ip6mr: fix notification device destruction
- net/mlx5: Fix driver load bad flow when having fw initializing timeout
- net/mlx5: E-Switch, Correctly deal with inline mode on ConnectX-5
- net/mlx5e: Fix small packet threshold
- net/mlx5e: Fix ETHTOOL_GRXCLSRLALL handling
- tcp: fix SCM_TIMESTAMPING_OPT_STATS for normal skbs
- tcp: mark skbs with SCM_TIMESTAMPING_OPT_STATS
- macvlan: Fix device ref leak when purging bc_queue
- net: ipv6: regenerate host route if moved to gc list
- net: phy: fix auto-negotiation stall due to unavailable interrupt
- ipv6: check skb->protocol before lookup for nexthop
- tcp: memset ca_priv data to 0 properly
- ipv6: check raw payload size correctly in ioctl
- ALSA: oxfw: fix regression to handle Stanton SCS.1m/1d
- ALSA: firewire-lib: fix inappropriate assignment between signed/unsigned
type
- ALSA: seq: Don't break snd_use_lock_sync() loop by timeout
- scsi: return correct blkprep status code in case scsi_init_io() fails.
- ARC: [plat-eznps] Fix build error
- MIPS: KGDB: Use kernel context for sleeping threads
- MIPS: cevt-r4k: Fix out-of-bounds array access
- MIPS: Avoid BUG warning in arch_check_elf
- p9_client_readdir() fix
- ASoC: intel: Fix PM and non-atomic crash in bytcr drivers
- Input: i8042 - add Clevo P650RS to the i8042 reset list
- nfsd: check for oversized NFSv2/v3 arguments
- nfsd4: minor NFSv2/v3 write decoding cleanup
- nfsd: stricter decoding of write-like NFSv2/v3 ops
- ceph: fix recursion between ceph_set_acl() and __ceph_setattr()
- macsec: avoid heap overflow in skb_to_sgvec
- net: can: usb: gs_usb: Fix buffer on stack
- cpu/hotplug: Serialize callback invocations proper
- ftrace/x86: Fix triple fault with graph tracing and suspend-to-ram
- Linux 4.10.14
* Zesty update to 4.10.13 stable release (LP: #1688485)
- KEYS: Disallow keyrings beginning with '.' to be joined as session
keyrings
- KEYS: Change the name of the dead type to ".dead" to prevent user access
- KEYS: fix keyctl_set_reqkey_keyring() to not leak thread keyrings
- tracing: Allocate the snapshot buffer before enabling probe
- HID: wacom: Treat HID_DG_TOOLSERIALNUMBER as unsigned
- ring-buffer: Have ring_buffer_iter_empty() return true when empty
- mm: prevent NR_ISOLATE_* stats from going negative
- cifs: Do not send echoes before Negotiate is complete
- CIFS: remove bad_network_name flag
- mmc: dw_mmc: silent verbose log when calling from PM context
- s390/mm: fix CMMA vs KSM vs others
- Input: elantech - add Fujitsu Lifebook E547 to force crc_enabled
- ACPI / power: Avoid maybe-uninitialized warning
- mmc: dw_mmc: Don't allow Runtime PM for SDIO cards
- mmc: sdhci-esdhc-imx: increase the pad I/O drive strength for DDR50 card
- ubifs: Fix RENAME_WHITEOUT support
- ubifs: Fix O_TMPFILE corner case in ubifs_link()
- mac80211: reject ToDS broadcast data frames
- mac80211: fix MU-MIMO follow-MAC mode
- x86/mce: Make the MCE notifier a blocking one
- ubi/upd: Always flush after prepared for an update
- powerpc/kprobe: Fix oops when kprobed on 'stdu' instruction
- x86/mce/AMD: Give a name to MCA bank 3 when accessed with legacy MSRs
- device-dax: switch to srcu, fix rcu_read_lock() vs pte allocation
- Linux 4.10.13
* Zesty update to 4.10.12 stable release (LP: #1687045)
- Revert "UBUNTU: SAUCE: Revert "audit: fix auditd/kernel connection state
tracking""
- cgroup, kthread: close race window where new kthreads can be migrated to
non-root cgroups
- audit: make sure we don't let the retry queue grow without bounds
- tcmu: Fix possible overwrite of t_data_sg's last iov[]
- tcmu: Fix wrongly calculating of the base_command_size
- tcmu: Skip Data-Out blocks before gathering Data-In buffer for BIDI case
- thp: fix MADV_DONTNEED vs. MADV_FREE race
- thp: fix MADV_DONTNEED vs clear soft dirty race
- zsmalloc: expand class bit
- orangefs: free superblock when mount fails
- drm/nouveau/mpeg: mthd returns true on success now
- drm/nouveau/mmu/nv4a: use nv04 mmu rather than the nv44 one
- drm/nouveau/kms/nv50: fix setting of HeadSetRasterVertBlankDmi method
- drm/nouveau/kms/nv50: fix double dma_fence_put() when destroying plane
state
- drm/nouveau: initial support (display-only) for GP107
- drm/etnaviv: fix missing unlock on error in etnaviv_gpu_submit()
- drm/fb-helper: Allow var->x/yres(_virtual) < fb->width/height again
- CIFS: reconnect thread reschedule itself
- CIFS: store results of cifs_reopen_file to avoid infinite wait
- Input: xpad - add support for Razer Wildcat gamepad
- perf annotate s390: Fix perf annotate error -95 (4.10 regression)
- perf/x86: Avoid exposing wrong/stale data in intel_pmu_lbr_read_32()
- x86/efi: Don't try to reserve runtime regions
- x86/signals: Fix lower/upper bound reporting in compat siginfo
- x86/intel_rdt: Fix locking in rdtgroup_schemata_write()
- x86, pmem: fix broken __copy_user_nocache cache-bypass assumptions
- x86/vdso: Ensure vdso32_enabled gets set to valid values only
- x86/vdso: Plug race between mapping and ELF header setup
- acpi, nfit, libnvdimm: fix interleave set cookie calculation (64-bit
comparison)
- ACPI / scan: Set the visited flag for all enumerated devices
- parisc: fix bugs in pa_memcpy
- efi/libstub: Skip GOP with PIXEL_BLT_ONLY format
- efi/fb: Avoid reconfiguration of BAR that covers the framebuffer
- iscsi-target: Fix TMR reference leak during session shutdown
- iscsi-target: Drop work-around for legacy GlobalSAN initiator
- scsi: sr: Sanity check returned mode data
- scsi: sd: Consider max_xfer_blocks if opt_xfer_blocks is unusable
- scsi: qla2xxx: Add fix to read correct register value for ISP82xx.
- scsi: sd: Fix capacity calculation with 32-bit sector_t
- target: Avoid mappedlun symlink creation during lun shutdown
- xen, fbfront: fix connecting to backend
- new privimitive: iov_iter_revert()
- make skb_copy_datagram_msg() et.al. preserve ->msg_iter on error
- libnvdimm: fix blk free space accounting
- libnvdimm: fix reconfig_mutex, mmap_sem, and jbd2_handle lockdep splat
- libnvdimm: band aid btt vs clear poison locking
- can: ifi: use correct register to read rx status
- pwm: rockchip: State of PWM clock should synchronize with PWM enabled
state
- cpufreq: Bring CPUs up even if cpufreq_online() failed
- irqchip/irq-imx-gpcv2: Fix spinlock initialization
- ftrace: Fix removing of second function probe
- drm/i915/gvt: set the correct default value of CTX STATUS PTR
- char: lack of bool string made CONFIG_DEVPORT always on
- Revert "MIPS: Lantiq: Fix cascaded IRQ setup"
- zram: do not use copy_page with non-page aligned address
- ftrace: Fix function pid filter on instances
- crypto: algif_aead - Fix bogus request dereference in completion function
- crypto: xts - Fix use-after-free on EINPROGRESS
- crypto: ahash - Fix EINPROGRESS notification callback
- crypto: lrw - Fix use-after-free on EINPROGRESS
- parisc: Fix get_user() for 64-bit value on 32-bit kernel
- dvb-usb-v2: avoid use-after-free
- [Config] CONFIG_SND_SOC_INTEL_BDW_RT5677_MACH=m
- ASoC: Intel: select DW_DMAC_CORE since it's mandatory
- platform/x86: acer-wmi: setup accelerometer when machine has appropriate
notify event
- x86/xen: Fix APIC id mismatch warning on Intel
- ACPI / EC: Use busy polling mode when GPE is not enabled
- rtc: tegra: Implement clock handling
- mm: Tighten x86 /dev/mem with zeroing reads
- cxusb: Use a dma capable buffer also for reading
- virtio-console: avoid DMA from stack
- Linux 4.10.12
* Support low-pin-count devices on Hisilicon SoCs (LP: #1677319)
- [Config] CONFIG_LIBIO=y on arm64 only
- SAUCE: LIBIO: Introduce a generic PIO mapping method
- SAUCE: OF: Add missing I/O range exception for indirect-IO devices
- [Config] CONFIG_HISILICON_LPC=y
- SAUCE: LPC: Support the device-tree LPC host on Hip06/Hip07
- SAUCE: LIBIO: Support the dynamically logical PIO registration of ACPI
host
I/O
- SAUCE: LPC: Add the ACPI LPC support
- SAUCE: PCI: Apply the new generic I/O management on PCI IO hosts
- SAUCE: PCI: Restore codepath for !CONFIG_LIBIO
* APST quirk needed for Samsung 512GB NVMe drive (LP: #1678184)
- nvme: Adjust the Samsung APST quirk
- nvme: Quirk APST off on "THNSF5256GPUK TOSHIBA"
* [Zesty] d-i: replace msm_emac with qcom_emac (LP: #1677297)
- Revert "UBUNTU: d-i: initrd needs msm_emac on amberwing platform."
- d-i: initrd needs qcom_emac on amberwing platform.
* POWER9: CAPI2 enablement (LP: #1686519)
- cxl: Fix build when CONFIG_DEBUG_FS=n
- cxl: Read vsec perst load image
- cxl: Remove unused values in bare-metal environment.
- cxl: Keep track of mm struct associated with a context
- cxl: Update implementation service layer
- cxl: Rename some psl8 specific functions
- cxl: Isolate few psl8 specific calls
- cxl: Force psl data-cache flush during device shutdown
- cxl: Add psl9 specific code
* CVE-2017-7979
- net sched actions: allocate act cookie early
* refcount underflow / kernel NULL dereference after attempting to add basic
tc filter (LP: #1682368)
- net_sched: nla_memdup_cookie() can be static
-- Thadeu Lima de Souza Cascardo <casca...@canonical.com> Wed, 17 May
2017 18:13:39 -0300
** Changed in: linux (Ubuntu Zesty)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1682368
Title:
refcount underflow / kernel NULL dereference after attempting to add
basic tc filter
Status in linux package in Ubuntu:
Fix Released
Status in linux source package in Zesty:
Fix Released
Bug description:
== SRU Justification ==
Impact: adding a tc filter sometimes fails, potentially followed by
kernel hangs and kernel NULL pointer dereference
Fix: proposed upstream by Wolfgang Bumiller [1,2]
Regression Potential: Since nobody else noticed this issue in 4.11 >=
rc1 or Ubuntu 4.10 >= 15.17, and the fix only touches the broken code,
the regression potential should be minimal ;)
1: http://marc.info/?l=linux-netdev&m=149200746116365
2: http://marc.info/?l=linux-netdev&m=149200742616349
---
Commit 1045ba77a which was backported for #1674087 in
fc0cef7a8ec1e63ee3405f642983dd86e04ab6cc (first released with
Ubuntu-4.10.0-15.17) introduces the problematic code. Note that while
the traces below were generated using a custom patched kernel, the
same issue is reproducible using Ubuntu Zesty's 4.10.0-15.17 (and
later) kernels.
The full cover letter of the proposed fix by my colleague Wolfgang
Bumiller follows:
Commit 1045ba77a ("net sched actions: Add support for user cookies")
added code to net/sched/act_api.c's tcf_action_init_1 using the `tb`
nlattr array unconditionally, while it was otherwise used as well as
initialized only when `name == NULL`:
if (name == NULL) {
err = nla_parse_nested(tb, TCA_ACT_MAX, nla, NULL);
In the other case `nla` is instead passed over to ->init to be parsed
there (using a different set of TCA_ enum values, iow. TCA_ACT_COOKIE
then "clashes" with some other value). This lead to the following three
example commands resulting in errors (sometimes followed by more traces
and hangups some time later (although the hangups happened seconds or
sometimes minutes later, sometimes not at all - results differed between
different kernel versions (linux git-master vs ubuntu's mainline 4.11
rc6 vs. pve 4.10.5 (based off ubuntu's zesty kernel where the commit is
cherry-picked)...))):
# ip link add ve0 type veth peer name ve0b
# tc qdisc add dev ve0 handle ffff: ingress
# tc filter add dev ve0 parent ffff: prio 50 basic police rate 1000bps burst
1000b drop
The 3rd command would sometimes succeed, sometimes error with:
RTNETLINK answers: Invalid argument
We have an error talking to the kernel
and sometimes error with:
RTNETLINK answers: Cannot allocate memory
We have an error talking to the kernel
In the latter case I assume `cklen` became negative, which passes the
TC_COOKIE_MAX_SIZE check since it is signed but becomes unsigned later
in kmemdup() (see the crash dump below)
When the `tc filter add` command fails a backtrace shows up in dmesg,
added below.
I'm not sure why the TC_ACT_COOKIE code was added to tcf_action_init_1
where it is now. It makes me think that it's supposed to be available
universally, but the `name == NULL` check for how nla is used or passed
to ->init() shows that the there are various different TC_ACT_* enums in
use at this point, hence the 'RFC' part of the patches, I'm not that
familiar with the code yet.
Backtrace when running `tc filter add`:
Apr 12 11:31:38 testmachine kernel: ------------[ cut here ]------------
Apr 12 11:31:38 testmachine kernel: WARNING: CPU: 7 PID: 16596 at
mm/page_alloc.c:3541 __alloc_pages_slowpath+0x9fe/0xba0
Apr 12 11:31:38 testmachine kernel: Modules linked in: act_police
cls_basic sch_ingress veth nfsv3 nfs_acl nfs lockd grace ip6t_REJECT
nf_reject_ipv6 nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_filter ip6_tables
xt_mac ipt_REJECT nf_reject_ipv4 xt_physdev xt_comment nf_conntrack_ipv4
nf_defrag_ipv4 xt_tcpudp xt_mark xt_set xt_addrtype xt_multiport xt_conntrack
nf_conntrack ip_set_hash_net ip_set arc4 md4 nls_utf8 cifs ccm fscache ipta
Apr 12 11:31:38 testmachine kernel: snd_hda_codec_realtek
snd_hda_codec_generic aesni_intel aes_x86_64 crypto_simd drm_kms_helper
glue_helper cryptd drm snd_hda_intel intel_cstate snd_hda_codec i2c_algo_bit
fb_sys_fops snd_hda_core joydev syscopyarea snd_hwdep sysfillrect input_leds
sysimgblt intel_rapl_perf snd_pcm snd_timer snd pcspkr soundcore mei_me lpc_ich
mei shpchp tpm_infineon mac_hid wmi acpi_pad video vhost_net vhost macv
Apr 12 11:31:38 testmachine kernel: CPU: 7 PID: 16596 Comm: tc Tainted: P
O 4.10.5-1-pve #1
Apr 12 11:31:38 testmachine kernel: Hardware name: ASUS All Series/Z97-A,
BIOS 2801 11/11/2015
Apr 12 11:31:38 testmachine kernel: Call Trace:
Apr 12 11:31:38 testmachine kernel: dump_stack+0x63/0x81
Apr 12 11:31:38 testmachine kernel: __warn+0xcb/0xf0
Apr 12 11:31:38 testmachine kernel: warn_slowpath_null+0x1d/0x20
Apr 12 11:31:38 testmachine kernel: __alloc_pages_slowpath+0x9fe/0xba0
Apr 12 11:31:38 testmachine kernel: ? get_page_from_freelist+0x46a/0xb20
Apr 12 11:31:38 testmachine kernel: ? schedule+0x36/0x80
Apr 12 11:31:38 testmachine kernel: ? schedule_timeout+0x22a/0x3f0
Apr 12 11:31:38 testmachine kernel: __alloc_pages_nodemask+0x209/0x260
Apr 12 11:31:38 testmachine kernel: alloc_pages_current+0x95/0x140
Apr 12 11:31:38 testmachine kernel: kmalloc_order+0x18/0x40
Apr 12 11:31:38 testmachine kernel: kmalloc_order_trace+0x24/0xa0
Apr 12 11:31:38 testmachine kernel: __kmalloc_track_caller+0x1e5/0x200
Apr 12 11:31:38 testmachine kernel: kmemdup+0x20/0x50
Apr 12 11:31:38 testmachine kernel: nla_memdup_cookie+0x55/0x90
Apr 12 11:31:38 testmachine kernel: tcf_action_init_1+0xcc/0x230
Apr 12 11:31:38 testmachine kernel: tcf_exts_validate+0x52/0x110
Apr 12 11:31:38 testmachine kernel: basic_change+0x194/0x4d2 [cls_basic]
Apr 12 11:31:38 testmachine kernel: tc_ctl_tfilter+0x54d/0x9a0
Apr 12 11:31:38 testmachine kernel: rtnetlink_rcv_msg+0xe6/0x210
Apr 12 11:31:38 testmachine kernel: ?
__kmalloc_node_track_caller+0x1f0/0x2a0
Apr 12 11:31:38 testmachine kernel: ? __alloc_skb+0x87/0x1e0
Apr 12 11:31:38 testmachine kernel: ? rtnl_newlink+0x860/0x860
Apr 12 11:31:38 testmachine kernel: netlink_rcv_skb+0xa4/0xc0
Apr 12 11:31:38 testmachine kernel: rtnetlink_rcv+0x28/0x30
Apr 12 11:31:38 testmachine kernel: netlink_unicast+0x18c/0x220
Apr 12 11:31:38 testmachine kernel: netlink_sendmsg+0x2f7/0x3b0
Apr 12 11:31:38 testmachine kernel: ? aa_sock_msg_perm+0x61/0x150
Apr 12 11:31:38 testmachine kernel: sock_sendmsg+0x38/0x50
Apr 12 11:31:38 testmachine kernel: ___sys_sendmsg+0x2c2/0x2d0
Apr 12 11:31:38 testmachine kernel: ? schedule+0x36/0x80
Apr 12 11:31:38 testmachine kernel: ? ptrace_stop+0x20a/0x2a0
Apr 12 11:31:38 testmachine kernel: ? ptrace_do_notify+0x98/0xc0
Apr 12 11:31:38 testmachine kernel: __sys_sendmsg+0x54/0x90
Apr 12 11:31:38 testmachine kernel: SyS_sendmsg+0x12/0x20
Apr 12 11:31:38 testmachine kernel: do_syscall_64+0x5b/0xc0
Apr 12 11:31:38 testmachine kernel: entry_SYSCALL64_slow_path+0x25/0x25
Apr 12 11:31:38 testmachine kernel: RIP: 0033:0x7f0aef7d0a77
Apr 12 11:31:38 testmachine kernel: RSP: 002b:00007ffe88627568 EFLAGS:
00000246 ORIG_RAX: 000000000000002e
Apr 12 11:31:38 testmachine kernel: RAX: ffffffffffffffda RBX:
0000000058edf3fc RCX: 00007f0aef7d0a77
Apr 12 11:31:38 testmachine kernel: RDX: 0000000000000000 RSI:
00007ffe886275b0 RDI: 0000000000000003
Apr 12 11:31:38 testmachine kernel: RBP: 00007ffe886275b0 R08:
0000000000000001 R09: 0000000000000050
Apr 12 11:31:38 testmachine kernel: R10: 00000000000005e9 R11:
0000000000000246 R12: 00007ffe886275f0
Apr 12 11:31:38 testmachine kernel: R13: 00005619ea31ee00 R14:
00007ffe8862f690 R15: 0000000000000000
Apr 12 11:31:38 testmachine kernel: ---[ end trace be009b606808485e ]---
Which would later on be followed by different kinds of hangups,
sometimes with more seemingly unrelated crash dumps such as:
Apr 12 11:38:50 testmachine kernel: general protection fault: 0000 [#1]
SMP
Apr 12 11:38:50 testmachine kernel: Modules linked in: act_police
cls_basic sch_ingress veth nfsv3 nfs_acl nfs lockd grace ip6t_REJECT
nf_reject_ipv6 nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_filter ip6_tables
xt_mac ipt_REJECT nf_reject_ipv4 xt_physdev xt_comment nf_conntrack_ipv4
nf_defrag_ipv4 xt_tcpudp xt_mark xt_set xt_addrtype xt_multiport xt_conntrack
nf_conntrack ip_set_hash_net ip_set arc4 md4 nls_utf8 cifs ccm fscache ipta
Apr 12 11:38:50 testmachine kernel: snd_hda_codec_realtek
snd_hda_codec_generic aesni_intel aes_x86_64 crypto_simd drm_kms_helper
glue_helper cryptd drm snd_hda_intel intel_cstate snd_hda_codec i2c_algo_bit
fb_sys_fops snd_hda_core joydev syscopyarea snd_hwdep sysfillrect input_leds
sysimgblt intel_rapl_perf snd_pcm snd_timer snd pcspkr soundcore mei_me lpc_ich
mei shpchp tpm_infineon mac_hid wmi acpi_pad video vhost_net vhost macv
Apr 12 11:38:50 testmachine kernel: CPU: 7 PID: 4829 Comm: chromium
Tainted: P W O 4.10.5-1-pve #1
Apr 12 11:38:50 testmachine kernel: Hardware name: ASUS All Series/Z97-A,
BIOS 2801 11/11/2015
Apr 12 11:38:50 testmachine kernel: task: ffff93679b132d00 task.stack:
ffffa479a0e00000
Apr 12 11:38:50 testmachine kernel: RIP:
0010:kmem_cache_alloc_trace+0x7b/0x190
Apr 12 11:38:50 testmachine kernel: RSP: 0018:ffffa479a0e03ad0 EFLAGS:
00010202
Apr 12 11:38:50 testmachine kernel: RAX: 0000000000000000 RBX:
00000000014000c0 RCX: 0000000000005291
Apr 12 11:38:50 testmachine kernel: RDX: 0000000000005290 RSI:
00000000014000c0 RDI: 000000000001c5c0
Apr 12 11:38:50 testmachine kernel: RBP: ffffa479a0e03b00 R08:
ffff9367bfbdc5c0 R09: ffff936724698580
Apr 12 11:38:50 testmachine kernel: R10: 0017ffffc0040038 R11:
0000000000000007 R12: 00000000014000c0
Apr 12 11:38:50 testmachine kernel: R13: ffff93679f003b80 R14:
ffffffffc0b9090f R15: ffff93679f003b80
Apr 12 11:38:50 testmachine kernel: FS: 00007f5a069c4040(0000)
GS:ffff9367bfbc0000(0000) knlGS:0000000000000000
Apr 12 11:38:50 testmachine kernel: CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
Apr 12 11:38:50 testmachine kernel: CR2: 00007f5a068de000 CR3:
00000007ccb8b000 CR4: 00000000001426e0
Apr 12 11:38:50 testmachine kernel: DR0: 0000000000000000 DR1:
0000000000000000 DR2: 0000000000000000
Apr 12 11:38:50 testmachine kernel: DR3: 0000000000000000 DR6:
00000000fffe0ff0 DR7: 0000000000000400
Apr 12 11:38:50 testmachine kernel: Call Trace:
Apr 12 11:38:50 testmachine kernel:
i915_gem_object_get_pages_internal+0x6f/0x250 [i915]
Apr 12 11:38:50 testmachine kernel: ? kmem_cache_alloc+0x185/0x1a0
Apr 12 11:38:50 testmachine kernel:
____i915_gem_object_get_pages+0x20/0x60 [i915]
Apr 12 11:38:50 testmachine kernel:
__i915_gem_object_get_pages+0x52/0x60 [i915]
Apr 12 11:38:50 testmachine kernel: i915_gem_batch_pool_get+0x11d/0x180
[i915]
Apr 12 11:38:50 testmachine kernel:
i915_gem_do_execbuffer.isra.38+0x1027/0x1790 [i915]
Apr 12 11:38:50 testmachine kernel: ? shmem_getpage_gfp+0xf9/0xc20
Apr 12 11:38:50 testmachine kernel: i915_gem_execbuffer2+0xc5/0x240
[i915]
Apr 12 11:38:50 testmachine kernel: drm_ioctl+0x21b/0x4c0 [drm]
Apr 12 11:38:50 testmachine kernel: ? i915_gem_execbuffer+0x310/0x310
[i915]
Apr 12 11:38:50 testmachine kernel: ? __seccomp_filter+0x67/0x250
Apr 12 11:38:50 testmachine kernel: do_vfs_ioctl+0xa3/0x610
Apr 12 11:38:50 testmachine kernel: ? __secure_computing+0x3f/0xd0
Apr 12 11:38:50 testmachine kernel: ? syscall_trace_enter+0xcd/0x2e0
Apr 12 11:38:50 testmachine kernel: SyS_ioctl+0x79/0x90
Apr 12 11:38:50 testmachine kernel: do_syscall_64+0x5b/0xc0
Apr 12 11:38:50 testmachine kernel: entry_SYSCALL64_slow_path+0x25/0x25
Apr 12 11:38:50 testmachine kernel: RIP: 0033:0x7f59fba67ca7
Apr 12 11:38:50 testmachine kernel: RSP: 002b:00007ffd39778868 EFLAGS:
00000246 ORIG_RAX: 0000000000000010
Apr 12 11:38:50 testmachine kernel: RAX: ffffffffffffffda RBX:
000024e398f52800 RCX: 00007f59fba67ca7
Apr 12 11:38:50 testmachine kernel: RDX: 00007ffd397788b0 RSI:
0000000040406469 RDI: 00000000000000a4
Apr 12 11:38:50 testmachine kernel: RBP: 00007ffd397788b0 R08:
0000000000000000 R09: 0000000000000000
Apr 12 11:38:50 testmachine kernel: R10: 0000000000000000 R11:
0000000000000246 R12: 0000000040406469
Apr 12 11:38:50 testmachine kernel: R13: 00000000000000a4 R14:
000024e399dd82c0 R15: 0000000000000070
Apr 12 11:38:50 testmachine kernel: Code: 08 65 4c 03 05 e7 de 9e 68 49
83 78 10 00 4d 8b 10 0f 84 e0 00 00 00 4d 85 d2 0f 84 d7 00 00 00 49 63 47 20
49 8b 3f 48 8d 4a 01 <49> 8b 1c 02 4c 89 d0 65 48 0f c7 0f 0f 94 c0 84 c0 74 bb
49 63
Apr 12 11:38:50 testmachine kernel: RIP:
kmem_cache_alloc_trace+0x7b/0x190 RSP: ffffa479a0e03ad0
Apr 12 11:38:50 testmachine kernel: general protection fault: 0000 [#2]
SMP
Apr 12 11:38:50 testmachine kernel: general protection fault: 0000 [#3]
SMP
or:
Apr 12 09:19:35 testmachine kernel: BUG: unable to handle kernel NULL
pointer dereference at 000000000000019c
Apr 12 09:19:35 testmachine kernel: IP: __free_pages+0x5/0x30
Apr 12 09:19:35 testmachine kernel: PGD 0
Apr 12 09:19:35 testmachine kernel:
Apr 12 09:19:35 testmachine kernel: Oops: 0002 [#1] SMP
Apr 12 09:19:35 testmachine kernel: Modules linked in: act_police
cls_basic sch_ingress veth nfsv3 nfs_acl nfs lockd grace ip6t_REJECT
nf_reject_ipv6 nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_filter ip6_tables
xt_mac ipt_REJECT nf_reject_ipv4 xt_physdev xt_comment nf_conntrack_ipv4
nf_defrag_ipv4 xt_tcpudp xt_mark xt_set xt_addrtype xt_multiport xt_conntrack
nf_conntrack ip_set_hash_net ip_set arc4 md4 nls_utf8 cifs ccm fscache ipta
Apr 12 09:19:35 testmachine kernel: aes_x86_64 crypto_simd glue_helper
cryptd intel_cstate snd_hda_codec_realtek snd_hda_codec_generic i915
intel_rapl_perf snd_hda_intel drm_kms_helper input_leds joydev snd_hda_codec
drm snd_hda_core snd_hwdep i2c_algo_bit fb_sys_fops snd_pcm syscopyarea
snd_timer sysfillrect sysimgblt snd soundcore mei_me shpchp lpc_ich mei pcspkr
tpm_infineon wmi video mac_hid acpi_pad vhost_net vhost macvtap mac
Apr 12 09:19:35 testmachine kernel: CPU: 2 PID: 69 Comm: kworker/2:1
Tainted: P W O 4.10.5-1-pve #1
Apr 12 09:19:35 testmachine kernel: Hardware name: ASUS All Series/Z97-A,
BIOS 2801 11/11/2015
Apr 12 09:19:35 testmachine kernel: Workqueue: events
__i915_gem_free_work [i915]
Apr 12 09:19:35 testmachine kernel: task: ffff88885b134380 task.stack:
ffffa7e243410000
Apr 12 09:19:35 testmachine kernel: RIP: 0010:__free_pages+0x5/0x30
Apr 12 09:19:35 testmachine kernel: RSP: 0018:ffffa7e243413d18 EFLAGS:
00010206
Apr 12 09:19:35 testmachine kernel: RAX: 00000000000ffff8 RBX:
ffff888762473460 RCX: ffff888762473470
Apr 12 09:19:35 testmachine kernel: RDX: ffff888762473460 RSI:
0000000000000014 RDI: 0000000000000180
Apr 12 09:19:35 testmachine kernel: RBP: ffffa7e243413d38 R08:
0000000000000000 R09: 0000000000000000
Apr 12 09:19:35 testmachine kernel: R10: ffff8887dd8c1080 R11:
0000000000000000 R12: ffff8887624738f0
Apr 12 09:19:35 testmachine kernel: R13: 00000000ffffffff R14:
ffff8887dd8c0440 R15: 0000000000000000
Apr 12 09:19:35 testmachine kernel: FS: 0000000000000000(0000)
GS:ffff88887fa80000(0000) knlGS:0000000000000000
Apr 12 09:19:35 testmachine kernel: CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
Apr 12 09:19:35 testmachine kernel: CR2: 000000000000019c CR3:
0000000476e09000 CR4: 00000000001426e0
Apr 12 09:19:35 testmachine kernel: DR0: 0000000000000000 DR1:
0000000000000000 DR2: 0000000000000000
Apr 12 09:19:35 testmachine kernel: DR3: 0000000000000000 DR6:
00000000fffe0ff0 DR7: 0000000000000400
Apr 12 09:19:35 testmachine kernel: Call Trace:
Apr 12 09:19:35 testmachine kernel: ? internal_free_pages+0x40/0x80
[i915]
Apr 12 09:19:35 testmachine kernel:
i915_gem_object_put_pages_internal+0x1f/0x30 [i915]
Apr 12 09:19:35 testmachine kernel:
__i915_gem_object_put_pages.part.62+0x11d/0x180 [i915]
Apr 12 09:19:35 testmachine kernel: ? dma_fence_context_alloc+0x20/0x20
Apr 12 09:19:35 testmachine kernel: __i915_gem_free_objects+0x161/0x330
[i915]
Apr 12 09:19:35 testmachine kernel: __i915_gem_free_work+0x33/0x50 [i915]
Apr 12 09:19:35 testmachine kernel: process_one_work+0x1fc/0x4b0
Apr 12 09:19:35 testmachine kernel: worker_thread+0x4b/0x500
Apr 12 09:19:35 testmachine kernel: kthread+0x101/0x140
Apr 12 09:19:35 testmachine kernel: ? process_one_work+0x4b0/0x4b0
Apr 12 09:19:35 testmachine kernel: ? kthread_create_on_node+0x60/0x60
Apr 12 09:19:35 testmachine kernel: ret_from_fork+0x2c/0x40
Apr 12 09:19:35 testmachine kernel: Code: ff 41 b8 05 00 00 00 31 c9 4c
89 ea 4c 89 fe e8 a2 e0 ff ff e9 1e ff ff ff 0f 1f 00 66 2e 0f 1f 84 00 00 00
00 00 0f 1f 44 00 00 <f0> ff 4f 1c 75 0e 55 85 f6 48 89 e5 74 08 e8 48 e4 ff ff
5d f3
Apr 12 09:19:35 testmachine kernel: RIP: __free_pages+0x5/0x30 RSP:
ffffa7e243413d18
Apr 12 09:19:35 testmachine kernel: CR2: 000000000000019c
Apr 12 09:19:35 testmachine kernel: ---[ end trace 89cb022ec57f7bd1 ]---
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1682368/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
