Ubuntu
linux package

[P9,Power NV][WSP][Ubuntu 1804] : "Kernel access of bad area " when grouping different pmu events using perf fuzzer . (perf:)

Bug #1746225 reported by bugproxy on 2018-01-30

This bug affects 1 person

	Status	Importance	Assigned to
The Ubuntu-power-systems project	Fix Released	Critical	Canonical Kernel Team
linux (Ubuntu)	Fix Released	Critical	Joseph Salisbury
Artful	Fix Released	Critical	Joseph Salisbury
Bionic	Fix Released	Critical	Joseph Salisbury

Bug Description

== SRU Justification ==
Due to this bug, perf fuzzer resulted in crash and system goes for a reboot
and results in a call trace shown in the bug. It is due to grouping of
different PMU events, which is fixed by mainline commit 5aa04b3eb6fca63d2e9827be656dcadc26d54e1

Commit 5aa04b3eb6fca63d2e9827be656dcadc26d54e11 is in mailine as of v4.15-rc5.

== Fix ==
commit 5aa04b3eb6fca63d2e9827be656dcadc26d54e11
Author: Ravi Bangoria <email address hidden>
Date: Thu Nov 30 14:03:22 2017 +0530

powerpc/perf: Fix oops when grouping different pmu events

== Regression Potential ==
Low. This fix is specific to powerpc.

== Test Case ==
A test kernel was built with this patch and tested by the original bug reporter.
The bug reporter states the test kernel resolved the bug.

==Original Bug Description==
== Comment: #0 - Shriya R. Kulkarni <email address hidden> - 2018-01-30 03:24:47 ==
Problem Description :
==============
Perf fuzzer resulted in crash and system goes for reboot and the call trace is shown below . It is due to grouping of different PMU events.

Machine details :
==========
OS : Ubuntu 1804
uname -r : 4.13.0-25-generic
system : Witherspoon + DD2.1
perf -v : perf version 4.13.13

ltc-wspoon12 login: [78592.995848] Unable to handle kernel paging request for instruction fetch
[78592.995914] Faulting instruction address: 0x00000000
[78592.995950] Oops: Kernel access of bad area, sig: 11 [#1]
[78592.995982] SMP NR_CPUS=2048
[78592.995985] NUMA
[78592.996011] PowerNV
[78592.996045] Modules linked in: vmx_crypto idt_89hpesx crct10dif_vpmsum at24 ofpart uio_pdrv_genirq uio cmdlinepart powernv_flash mtd ibmpowernv opal_prd ipmi_powernv ipmi_devintf ipmi_msghandler sch_fq_codel ip_tables x_tables autofs4 nouveau lpfc ast i2c_algo_bit crc32c_vpmsum ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm mlx5_core nvmet_fc nvmet tg3 nvme_fc nvme_fabrics ahci nvme_core libahci mlxfw devlink scsi_transport_fc
[78592.996367] CPU: 69 PID: 6010 Comm: perf_fuzzer Tainted: G W 4.13.0-25-generic #29-Ubuntu
[78592.996422] task: c000003f77b5b500 task.stack: c000003d0b0c8000
[78592.996462] NIP: 0000000000000000 LR: c0000000000e9b1c CTR: 0000000000000000
[78592.996509] REGS: c000003d0b0cb780 TRAP: 0400 Tainted: G W (4.13.0-25-generic)
[78592.996562] MSR: 9000000040009033 <SF,HV,EE,ME,IR,DR,RI,LE>
[78592.996588] CR: 48002874 XER: 00000000
[78592.996642] CFAR: c0000000000e9b18 SOFTE: 1
[78592.996642] GPR00: c0000000000eb128 c000003d0b0cba00 c0000000015f6200 0000000000000000
[78592.996642] GPR04: c000003d0b0cbba0 c000003d0b0cbc20 0000000000000002 c000000001596b10
[78592.996642] GPR08: 0000000000000002 0000000000000000 c000000001596b10 c000003fecad0028
[78592.996642] GPR12: 0000000000000000 c000000007a8d480 0000000000000000 0000000000000000
[78592.996642] GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
[78592.996642] GPR20: 0000000000000001 c000003d0b0cbc1c c000003d0b0cbc24 c000003d0b0cbb98
[78592.996642] GPR24: c000003d0b0cbba0 c000003d0b0cbc20 0000000000001555 c000003fefeb4ea0
[78592.996642] GPR28: c000003d0b0cbc20 0000000000000002 0000000000003000 c000003fefeb5190
[78592.997170] NIP [0000000000000000] (null)
[78592.997208] LR [c0000000000e9b1c] power_check_constraints+0x13c/0x5a0
[78592.997247] Call Trace:
[78592.997267] [c000003d0b0cba00] [c000003d0b0cbaa0] 0xc000003d0b0cbaa0 (unreliable)
[78592.997321] [c000003d0b0cbb80] [c0000000000eb128] power_pmu_event_init+0x298/0x6a0
[78592.997373] [c000003d0b0cbc70] [c00000000029e6b4] perf_try_init_event+0xd4/0x120
[78592.997424] [c000003d0b0cbcb0] [c0000000002a1038] perf_event_alloc.part.23+0x7b8/0xb90
[78592.997475] [c000003d0b0cbd30] [c0000000002aa0dc] SyS_perf_event_open+0x69c/0xfa0
[78592.997527] [c000003d0b0cbe30] [c00000000000b184] system_call+0x58/0x6c
[78592.997568] Instruction dump:
[78592.997597] XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
[78592.997664] XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
[78592.997733] ---[ end trace 57fb7542c4083583 ]---
[78594.008780]
[78594.008932] Sending IP[78773.335857584,5] OPAL: Switch to big-endian OS
I to other CPUs
[78594.01029

Steps to reproduce :
============

#! /bin/bash
set -x
git clone https://github.com/deater/perf_event_tests.git
cd perf_event_tests/include
mkdir asm
cd asm
wget http://9.114.13.132/repo/shriya/perf_regs.h
cd ../../lib
make
sleep 10
cd ../fuzzer
make
sleep 10

echo 0 > /proc/sys/kernel/nmi_watchdog
echo 2 > /proc/sys/kernel/perf_event_paranoid
echo 100000 > /proc/sys/kernel/perf_event_max_sample_rate
./perf_fuzzer -r 1492143527

See original description

Tags:

CVE References

bugproxy (bugproxy) on 2018-01-30

tags:	added: architecture-ppc64le bugnameltc-164107 severity-critical targetmilestone-inin1804
Changed in ubuntu:
assignee:	nobody → Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage)
affects:	ubuntu → kernel-package (Ubuntu)

Andrew Cloke (andrew-cloke) on 2018-01-30

Changed in ubuntu-power-systems:
assignee:	nobody → Canonical Kernel Team (canonical-kernel-team)
importance:	Undecided → Critical
tags:	added: triage-g

Revision history for this message

Joseph Salisbury (jsalisbury) wrote on 2018-01-30:

Did this issue start happening after an update/upgrade? Was there a prior kernel version where you were not having this particular problem?

Would it be possible for you to test the latest upstream kernel? Refer to https://wiki.ubuntu.com/KernelMainlineBuilds . Please test the latest v4.15 kernel[0].

If this bug is fixed in the mainline kernel, please add the following tag 'kernel-fixed-upstream'.

If the mainline kernel does not fix this bug, please add the tag: 'kernel-bug-exists-upstream'.

Once testing of the upstream kernel is complete, please mark this bug as "Confirmed".

Thanks in advance.

[0] http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.15

tags:	added: kernel-da-key
Changed in kernel-package (Ubuntu):
importance:	Undecided → Critical
affects:	kernel-package (Ubuntu) → linux (Ubuntu)

Revision history for this message

bugproxy (bugproxy) wrote on 2018-01-31: Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2018-01-31 02:45 EDT-------
(In reply to comment #5)
> Did this issue start happening after an update/upgrade? Was there a prior
> kernel version where you were not having this particular problem?
>
> Would it be possible for you to test the latest upstream kernel? Refer to
> https://wiki.ubuntu.com/KernelMainlineBuilds . Please test the latest v4.15
> kernel[0].
>
> If this bug is fixed in the mainline kernel, please add the following tag
> 'kernel-fixed-upstream'.
>
> If the mainline kernel does not fix this bug, please add the tag:
> 'kernel-bug-exists-upstream'.
>
> Once testing of the upstream kernel is complete, please mark this bug as
> "Confirmed".
>
> Thanks in advance.
>
> [0] http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.15

This patch should fix the issue: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5aa04b3eb6fca63d2e9827be656dcadc26d54e11

Please cherry pick

Joseph Salisbury (jsalisbury) on 2018-01-31

Changed in linux (Ubuntu):
status:	New → In Progress
assignee:	Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage) → Joseph Salisbury (jsalisbury)
Changed in linux (Ubuntu Artful):
status:	New → In Progress
importance:	Undecided → Critical
assignee:	nobody → Joseph Salisbury (jsalisbury)

Frank Heimes (fheimes) on 2018-01-31

Changed in ubuntu-power-systems:
status:	New → In Progress

Revision history for this message

Joseph Salisbury (jsalisbury) wrote on 2018-01-31:

I built a test kernel with commit 5aa04b3eb6fca. The test kernel can be downloaded from:
http://kernel.ubuntu.com/~jsalisbury/lp1746225

Can you test this kernel and see if it resolves this bug?

Note, to test this kernel, you need to install both the linux-image and linux-image-extra .deb packages.

Thanks in advance!

Revision history for this message

bugproxy (bugproxy) wrote on 2018-02-02:

------- Comment From <email address hidden> 2018-02-02 02:08 EDT-------
(In reply to comment #7)
> I built a test kernel with commit 5aa04b3eb6fca. The test kernel can be
> downloaded from:
> http://kernel.ubuntu.com/~jsalisbury/lp1746225
>
> Can you test this kernel and see if it resolves this bug?
>
> Note, to test this kernel, you need to install both the linux-image and
> linux-image-extra .deb packages.
>
> Thanks in advance!

Issue is resolved.

Verified the kernel provided in http://kernel.ubuntu.com/~jsalisbury/lp1746225 fixes the issue.

Revision history for this message

Joseph Salisbury (jsalisbury) wrote on 2018-02-02:

SRU request submitted:
https://lists.ubuntu.com/archives/kernel-team/2018-February/089902.html

description:

updated

Seth Forshee (sforshee) on 2018-02-03

Changed in linux (Ubuntu Bionic):
status:	In Progress → Fix Committed

Revision history for this message

bugproxy (bugproxy) wrote on 2018-02-12:

------- Comment From <email address hidden> 2018-02-12 07:37 EDT-------
Any update on this ?

Revision history for this message

bugproxy (bugproxy) wrote on 2018-02-13:

------- Comment From <email address hidden> 2018-02-13 04:06 EDT-------
Hi ,
Any updates on this defect ? On which build the fix will be available ?

Revision history for this message

Frank Heimes (fheimes) wrote on 2018-02-13:

According to comment #5 the SRU request was already submitted and is in progress.
So it usually will go out with the next SRU cycle, but that might be held up a bit due to Spectre/Meltdown activities.

Revision history for this message

bugproxy (bugproxy) wrote on 2018-02-22:

------- Comment From <email address hidden> 2018-02-22 03:43 EDT-------
Hi ,
Can you please let us know in which build we are expecting the fix ?

Thanks

Revision history for this message

Manoj Iyer (manjo) wrote on 2018-02-26:

#10

This should be available in Bionic now. The patch was applied to bionic earlier this month. And, in Artful in a couple of weeks.

Revision history for this message

bugproxy (bugproxy) wrote on 2018-02-27:

#11

------- Comment From <email address hidden> 2018-02-27 00:25 EDT-------
Hi ,
Unable to hit the above call trace , hence the issue is resolved.

Verified on kernel :

root@ltc-wcwsp1:~/shriya/kernel# uname -a
Linux ltc-wcwsp1 4.15.0-10-generic #11 SMP Fri Feb 23 01:59:38 EST 2018 ppc64le ppc64le ppc64le GNU/Linux

Perf fuzzer :
=======
+ ./perf_fuzzer -r 1492143527
Using user-specified random seed of 1492143527

*** perf_fuzzer 0.32-rc0 *** by Vince Weaver

Linux version 4.15.0-10-generic ppc64le
Processor: ppc64le UNKNOWN

Watchdog enabled with timeout 60s
Will auto-exit if signal storm detected
Seeding RNG with supplied seed 1492143527

To reproduce, try:
echo 0 > /proc/sys/kernel/nmi_watchdog
echo 2 > /proc/sys/kernel/perf_event_paranoid
echo 100000 > /proc/sys/kernel/perf_event_max_sample_rate
./perf_fuzzer -r 1492143527

Fuzzing the following syscalls: mmap perf_event_open close read write ioctl fork prctl poll
Also attempting the following: signal-handler-on-overflow busy-instruction-loop accessing-perf-proc-and-sys-files trashing-the-mmap-page

Pid=4506, sleeping 1s

==================================================
Starting fuzzing at 2018-02-26 21:36:45
==================================================
Cannot open /sys/kernel/tracing/kprobe_events
Iteration 10000, 98728 syscalls in 5.32 s (18.554 k syscalls/s)
Open attempts: 90726 Successful: 917 Currently open: 54
ENOENT : 446
E2BIG : 7816
EBADF : 8522
EINVAL : 72718
ENOSPC : 81
EOVERFLOW : 2
EOPNOTSUPP : 224
Trinity Type (Normal 345/22780)(Sampling 28/22630)(Global 488/22586)(Random 56/22730)
Type (Hardware 246/12690)(software 362/11897)(tracepoint 58/11874)(Cache 55/11258)(cpu 136/11638)(breakpoint 33/11690)(nest_capp0_imc 1/357)(nest_capp1_imc 1/365)(core_imc 0/460)(nest_mba0_imc 1/378)(nest_mba1_imc 0/352)(nest_mba2_imc 0/362)(nest_mba3_imc 1/371)(nest_mba4_imc 1/357)(nest_mba5_imc 0/320)(nest_mba6_imc 1/358)(nest_mba7_imc 0/439)(nest_mcs01_imc 0/359)(nest_mcs23_imc 2/361)(nest_nvlink0_imc 19/14840)
Close: 863/863 Successful
Read: 824/912 Successful
Write: 0/855 Successful
Ioctl: 371/924 Successful: (ENABLE 91/91)(DISABLE 81/81)(REFRESH 9/78)(RESET 84/84)(PERIOD 2/75)(SET_OUTPUT 8/80)(SET_FILTER 0/92)(ID 87/87)(SET_BPF 0/91)(PAUSE_OUTPUT 9/79)(#10 0/0)(#11 0/0)(#12 0/0)(#13 0/0)(#14 0/0)(>14 0/86)
Mmap: 662/1060 Successful: (MMAP 662/1060)(TRASH 144/156)(READ 133/143)(UNMAP 653/988)(AUX 0/169)(AUX_READ 0/0)
Prctl: 929/929 Successful
Fork: 471/471 Successful
Poll: 895/921 Successful
Access: 0/0 Successful
Overflows: 0 Recursive: 0
SIGIOs due to RT signal queue full: 0
Memset of mmap#18 at (nil) caused segfault!
MAP_SHARED MAP_DENYWRITE MAP_FIXED MAP_NONBLOCK MAP_STACK PROT_READ PROT_WRITE size 27661 fd 47
event: cpu=4 pid=-1 group_fd=-1 flags=9
memset(&pe[47],0,sizeof(struct perf_event_attr));
pe[47].type=PERF_TYPE_SOFTWARE;
pe[47].size=64;
pe[47].config=PERF_COUNT_SW_PAGE_FAULTS;
pe[47].sample_type=0; /* 0 */
pe[47].read_format=PERF_FORMAT_TOTAL_TIME_RUNNING|PERF_FORMAT_GROUP; /* a */
pe[47].disabled=1;
pe[47].inherit=1;
pe[47].pinned=1;
pe[47].precise_ip=0; /* arbitrary skid */
pe[47].wakeup_events=0;
pe[47].bp_type=HW_BREAKPOINT_EMPTY;

------- Comment From shriykul@in.ibm.com 2018-02-27 00:25 EDT-------
Hi ,
Unable to hit the above call trace , hence the issue is resolved.

Verified on kernel :

root@ltc-wcwsp1:~/shriya/kernel# uname -a
Linux ltc-wcwsp1 4.15.0-10-generic #11 SMP Fri Feb 23 01:59:38 EST 2018 ppc64le ppc64le ppc64le GNU/Linux

Perf fuzzer :
=======
+ ./perf_fuzzer -r 1492143527
Using user-specified random seed of 1492143527

*** perf_fuzzer 0.32-rc0 *** by Vince Weaver

Linux version 4.15.0-10-generic ppc64le
Processor: ppc64le UNKNOWN

Watchdog enabled with timeout 60s
Will auto-exit if signal storm detected
Seeding RNG with supplied seed 1492143527

To reproduce, try:
echo 0 > /proc/sys/kernel/nmi_watchdog
echo 2 > /proc/sys/kernel/perf_event_paranoid
echo 100000 > /proc/sys/kernel/perf_event_max_sample_rate
./perf_fuzzer -r 1492143527

Pid=4506, sleeping 1s

==================================================
Starting fuzzing at 2018-02-26 21:36:45
==================================================
Cannot open /sys/kernel/tracing/kprobe_events
Iteration 10000, 98728 syscalls in 5.32 s (18.554 k syscalls/s)
Open attempts: 90726  Successful: 917  Currently open: 54
ENOENT : 446
E2BIG : 7816
EBADF : 8522
EINVAL : 72718
ENOSPC : 81
EOVERFLOW : 2
EOPNOTSUPP : 224
Trinity Type (Normal 345/22780)(Sampling 28/22630)(Global 488/22586)(Random 56/22730)
Type (Hardware 246/12690)(software 362/11897)(tracepoint 58/11874)(Cache 55/11258)(cpu 136/11638)(breakpoint 33/11690)(nest_capp0_imc 1/357)(nest_capp1_imc 1/365)(core_imc 0/460)(nest_mba0_imc 1/378)(nest_mba1_imc 0/352)(nest_mba2_imc 0/362)(nest_mba3_imc 1/371)(nest_mba4_imc 1/357)(nest_mba5_imc 0/320)(nest_mba6_imc 1/358)(nest_mba7_imc 0/439)(nest_mcs01_imc 0/359)(nest_mcs23_imc 2/361)(nest_nvlink0_imc 19/14840)
Close:	863/863 Successful
Read:	824/912 Successful
Write:	0/855 Successful
Ioctl:	371/924 Successful: (ENABLE 91/91)(DISABLE 81/81)(REFRESH 9/78)(RESET 84/84)(PERIOD 2/75)(SET_OUTPUT 8/80)(SET_FILTER 0/92)(ID 87/87)(SET_BPF 0/91)(PAUSE_OUTPUT 9/79)(#10 0/0)(#11 0/0)(#12 0/0)(#13 0/0)(#14 0/0)(>14 0/86)
Mmap:	662/1060 Successful: (MMAP 662/1060)(TRASH 144/156)(READ 133/143)(UNMAP 653/988)(AUX 0/169)(AUX_READ 0/0)
Prctl:	929/929 Successful
Fork:	471/471 Successful
Poll:	895/921 Successful
Access:	0/0 Successful
Overflows: 0  Recursive: 0
SIGIOs due to RT signal queue full: 0
Memset of mmap#18 at (nil) caused segfault!
MAP_SHARED MAP_DENYWRITE MAP_FIXED MAP_NONBLOCK MAP_STACK PROT_READ PROT_WRITE size 27661 fd 47
event: cpu=4 pid=-1 group_fd=-1 flags=9
memset(&pe[47],0,sizeof(struct perf_event_attr));
pe[47].type=PERF_TYPE_SOFTWARE;
pe[47].size=64;
pe[47].config=PERF_COUNT_SW_PAGE_FAULTS;
pe[47].sample_type=0; /* 0 */
pe[47].read_format=PERF_FORMAT_TOTAL_TIME_RUNNING|PERF_FORMAT_GROUP; /* a */
pe[47].disabled=1;
pe[47].inherit=1;
pe[47].pinned=1;
pe[47].precise_ip=0; /* arbitrary skid */
pe[47].wakeup_events=0;
pe[47].bp_type=HW_BREAKPOINT_EMPTY;

Joseph Salisbury (jsalisbury) on 2018-02-27

Changed in linux (Ubuntu Bionic):
status:	Fix Committed → Fix Released

Kleber Sacilotto de Souza (kleber-souza) on 2018-03-01

Changed in linux (Ubuntu Artful):
status:	In Progress → Fix Committed

Manoj Iyer (manjo) on 2018-03-05

Changed in ubuntu-power-systems:
status:	In Progress → Fix Committed

Revision history for this message

Stefan Bader (smb) wrote on 2018-03-19:

#12

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-artful' to 'verification-done-artful'. If the problem still exists, change the tag 'verification-needed-artful' to 'verification-failed-artful'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: verification-needed-artful

Revision history for this message

bugproxy (bugproxy) wrote on 2018-03-19:

#13

------- Comment From <email address hidden> 2018-03-19 07:13 EDT-------
Bug was raised Bionic and tester had verified the issue. Please close.

Manoj Iyer (manjo) on 2018-03-26

tags:

added: verification-done-artful
removed: verification-needed-artful

Revision history for this message

Launchpad Janitor (janitor) wrote on 2018-04-03:

#14

Download full text (18.9 KiB)

This bug was fixed in the package linux - 4.13.0-38.43

---------------
linux (4.13.0-38.43) artful; urgency=medium

* linux: 4.13.0-38.43 -proposed tracker (LP: #1755762)

  * Servers going OOM after updating kernel from 4.10 to 4.13 (LP: #1748408)
    - i40e: Fix memory leak related filter programming status
    - i40e: Add programming descriptors to cleaned_count

* [SRU] Lenovo E41 Mic mute hotkey is not responding (LP: #1753347)
- platform/x86: ideapad-laptop: Increase timeout to wait for EC answer

* fails to dump with latest kpti fixes (LP: #1750021)
- kdump: write correct address of mem_section into vmcoreinfo

  * headset mic can't be detected on two Dell machines (LP: #1748807)
    - ALSA: hda/realtek - Support headset mode for ALC215/ALC285/ALC289
    - ALSA: hda - Fix headset mic detection problem for two Dell machines
    - ALSA: hda - Fix a wrong FIXUP for alc289 on Dell machines

  * CIFS SMB2/SMB3 does not work for domain based DFS (LP: #1747572)
    - CIFS: make IPC a regular tcon
    - CIFS: use tcon_ipc instead of use_ipc parameter of SMB2_ioctl
    - CIFS: dump IPC tcon in debug proc file

* i2c-thunderx: erroneous error message "unhandled state: 0" (LP: #1754076)
- i2c: octeon: Prevent error message on bus error

* hisi_sas: Add disk LED support (LP: #1752695)
- scsi: hisi_sas: directly attached disk LED feature for v2 hw

  * EDAC, sb_edac: Backport 1 patch to Ubuntu 17.10 (Fix missing DIMM sysfs
    entries with KNL SNC2/SNC4 mode) (LP: #1743856)
    - EDAC, sb_edac: Fix missing DIMM sysfs entries with KNL SNC2/SNC4 mode

  * [regression] Colour banding and artefacts appear system-wide on an Asus
    Zenbook UX303LA with Intel HD 4400 graphics (LP: #1749420)
    - drm/edid: Add 6 bpc quirk for CPT panel in Asus UX303LA

* DVB Card with SAA7146 chipset not working (LP: #1742316)
- vmalloc: fix __GFP_HIGHMEM usage for vmalloc_32 on 32b systems

  * [Asus UX360UA] battery status in unity-panel is not changing when battery is
    being charged (LP: #1661876) // AC adapter status not detected on Asus
    ZenBook UX410UAK (LP: #1745032)
    - ACPI / battery: Add quirk for Asus UX360UA and UX410UAK

* ASUS UX305LA - Battery state not detected correctly (LP: #1482390)
- ACPI / battery: Add quirk for Asus GL502VSK and UX305LA

  * support thunderx2 vendor pmu events (LP: #1747523)
    - perf pmu: Extract function to get JSON alias map
    - perf pmu: Pass pmu as a parameter to get_cpuid_str()
    - perf tools arm64: Add support for get_cpuid_str function.
    - perf pmu: Add helper function is_pmu_core to detect PMU CORE devices
    - perf vendor events arm64: Add ThunderX2 implementation defined pmu core
      events
    - perf pmu: Add check for valid cpuid in perf_pmu__find_map()

* lpfc.ko module doesn't work (LP: #1746970)
- scsi: lpfc: Fix loop mode target discovery

  * Ubuntu 17.10 crashes on vmalloc.c (LP: #1739498)
    - powerpc/mm/book3s64: Make KERN_IO_START a variable
    - powerpc/mm/slb: Move comment next to the code it's referring to
    - powerpc/mm/hash64: Make vmalloc 56T on hash

* ethtool -p fails to light NIC LED on HiSilicon D05 systems (LP: #1748567)
- net...

This bug was fixed in the package linux - 4.13.0-38.43

---------------
linux (4.13.0-38.43) artful; urgency=medium

* linux: 4.13.0-38.43 -proposed tracker (LP: #1755762)

* Servers going OOM after updating kernel from 4.10 to 4.13 (LP: #1748408)
    - i40e: Fix memory leak related filter programming status
    - i40e: Add programming descriptors to cleaned_count

* [SRU] Lenovo E41 Mic mute hotkey is not responding (LP: #1753347)
    - platform/x86: ideapad-laptop: Increase timeout to wait for EC answer

* fails to dump with latest kpti fixes (LP: #1750021)
    - kdump: write correct address of mem_section into vmcoreinfo

* i2c-thunderx: erroneous error message "unhandled state: 0" (LP: #1754076)
    - i2c: octeon: Prevent error message on bus error

* hisi_sas: Add disk LED support (LP: #1752695)
    - scsi: hisi_sas: directly attached disk LED feature for v2 hw

* [regression] Colour banding and artefacts appear system-wide on an Asus
    Zenbook UX303LA with Intel HD 4400 graphics (LP: #1749420)
    - drm/edid: Add 6 bpc quirk for CPT panel in Asus UX303LA

* DVB Card with SAA7146 chipset not working (LP: #1742316)
    - vmalloc: fix __GFP_HIGHMEM usage for vmalloc_32 on 32b systems

* ASUS UX305LA - Battery state not detected correctly (LP: #1482390)
    - ACPI / battery: Add quirk for Asus GL502VSK and UX305LA

* lpfc.ko module doesn't work (LP: #1746970)
    - scsi: lpfc: Fix loop mode target discovery

* ethtool -p fails to light NIC LED on HiSilicon D05 systems (LP: #1748567)
    - net: hns: add ACPI mode support for ethtool -p

* CVE-2017-17807
    - KEYS: add missing permission check for request_key() destination

* [Artful SRU] Fix capsule update regression (LP: #1746019)
    - efi/capsule-loader: Reinstate virtual capsule mapping

* [Artful/Bionic] [Config] enable EDAC_GHES for ARM64 (LP: #1747746)
    - Ubuntu: [Config] enable EDAC_GHES for ARM64

* linux-tools: perf incorrectly linking libbfd (LP: #1748922)
    - SAUCE: tools -- add ability to disable libbfd
    - [Packaging] correct disablement of libbfd

* Cherry pick c96f5471ce7d for delayacct fix (LP: #1747769)
    - delayacct: Account blkio completion on the correct task

* Error in CPU frequency reporting when nominal and min pstates are same
    (cpufreq) (LP: #1746174)
    - cpufreq: powernv: Dont assume distinct pstate values for nominal and pmin

* retpoline abi files are empty on i386 (LP: #1751021)
    - [Packaging] retpoline-extract -- instantiate retpoline files for i386
    - [Packaging] final-checks -- sanity checking ABI contents
    - [Packaging] final-checks -- check for empty retpoline files

* [P9,Power NV][WSP][Ubuntu 1804] : "Kernel access of bad area " when grouping
    different pmu events using perf fuzzer . (perf:) (LP: #1746225)
    - powerpc/perf: Fix oops when grouping different pmu events

* bnx2x_attn_int_deasserted3:4323 MC assert! (LP: #1715519) //
    CVE-2018-1000026
    - net: create skb_gso_validate_mac_len()
    - bnx2x: disable GSO where gso_size is too big for hardware

* Ubuntu16.04.03: ISAv3 initialize MMU registers before setting partition
    table (LP: #1736145)
    - powerpc/64s: Initialize ISAv3 MMU registers before setting partition table

* powerpc/powernv: Flush console before platform error reboot (LP: #1735159)
    - powerpc/powernv: Flush console before platform error reboot

* Touchpad stops working after a few seconds in Lenovo ideapad 320
    (LP: #1732056)
    - pinctrl/amd: fix masking of GPIO interrupts

* [Artful][Wyse 3040] System hang when trying to enable an offlined CPU core
    (LP: #1736393)
    - SAUCE: drm/i915:Don't set chip specific data
    - SAUCE: drm/i915: make previous commit affects Wyse 3040 only

* ppc64el: Do not call ibm,os-term on panic (LP: #1736954)
    - powerpc: Do not call ppc_md.panic in fadump panic notifier

* Artful update to 4.13.16 stable release (LP: #1744213)
    - tcp_nv: fix division by zero in tcpnv_acked()
    - net: vrf: correct FRA_L3MDEV encode type
    - tcp: do not mangle skb->cb[] in tcp_make_synack()
    - net: systemport: Correct IPG length settings
    - netfilter/ipvs: clear ipvs_property flag when SKB net namespace changed
    - l2tp: don't use l2tp_tunnel_find() in l2tp_ip and l2tp_ip6
    - bonding: discard lowest hash bit for 802.3ad layer3+4
    - net: cdc_ether: fix divide by 0 on bad descriptors
    - net: qmi_wwan: fix divide by 0 on bad descriptors
    - qmi_wwan: Add missing skb_reset_mac_header-call
    - net: usb: asix: fill null-ptr-deref in asix_suspend
    - tcp: gso: avoid refcount_t warning from tcp_gso_segment()
    - tcp: fix tcp_fastretrans_alert warning
    - vlan: fix a use-after-free in vlan_device_event()
    - net/mlx5: Cancel health poll before sending panic teardown command
    - net/mlx5e: Set page to null in case dma mapping fails
    - af_netlink: ensure that NLMSG_DONE never fails in dumps
    - vxlan: fix the issue that neigh proxy blocks all icmpv6 packets
    - net: cdc_ncm: GetNtbFormat endian fix
    - fealnx: Fix building error on MIPS
    - net/sctp: Always set scope_id in sctp_inet6_skb_msgname
    - ima: do not update security.ima if appraisal status is not INTEGRITY_PASS
    - serial: omap: Fix EFR write on RTS deassertion
    - serial: 8250_fintek: Fix finding base_port with activated SuperIO
    - tpm-dev-common: Reject too short writes
    - rcu: Fix up pending cbs check in rcu_prepare_for_idle
    - ocfs2: fix cluster hang after a node dies
    - ocfs2: should wait dio before inode lock in ocfs2_setattr()
    - ipmi: fix unsigned long underflow
    - mm/page_alloc.c: broken deferred calculation
    - mm/page_ext.c: check if page_ext is not prepared
    - x86/cpu/amd: Derive L3 shared_cpu_map from cpu_llc_shared_mask
    - coda: fix 'kernel memory exposure attempt' in fsync
    - Linux 4.13.16

* Artful update to 4.13.15 stable release (LP: #1744212)
    - media: imon: Fix null-ptr-deref in imon_probe
    - media: dib0700: fix invalid dvb_detach argument
    - crypto: dh - Fix double free of ctx->p
    - crypto: dh - Don't permit 'p' to be 0
    - crypto: dh - Don't permit 'key' or 'g' size longer than 'p'
    - USB: early: Use new USB product ID and strings for DbC device
    - USB: usbfs: compute urb->actual_length for isochronous
    - USB: Add delay-init quirk for Corsair K70 LUX keyboards
    - usb: gadget: f_fs: Fix use-after-free in ffs_free_inst
    - USB: serial: metro-usb: stop I/O after failed open
    - USB: serial: Change DbC debug device binding ID
    - USB: serial: qcserial: add pid/vid for Sierra Wireless EM7355 fw update
    - USB: serial: garmin_gps: fix I/O after failed probe and remove
    - USB: serial: garmin_gps: fix memory leak on probe errors
    - x86/MCE/AMD: Always give panic severity for UC errors in kernel context
    - platform/x86: peaq-wmi: Add DMI check before binding to the WMI interface
    - platform/x86: peaq_wmi: Fix missing terminating entry for peaq_dmi_table
    - HID: cp2112: add HIDRAW dependency
    - HID: wacom: generic: Recognize WACOM_HID_WD_PEN as a type of pen collection
    - staging: wilc1000: Fix bssid buffer offset in Txq
    - staging: ccree: fix 64 bit scatter/gather DMA ops
    - staging: greybus: spilib: fix use-after-free after deregistration
    - staging: vboxvideo: Fix reporting invalid suggested-offset-properties
    - staging: rtl8188eu: Revert 4 commits breaking ARP
    - Linux 4.13.15

* time drifting on linux-hwe kernels (LP: #1744988)
    - x86/tsc: Future-proof native_calibrate_tsc()
    - x86/tsc: Fix erroneous TSC rate on Skylake Xeon
    - x86/tsc: Print tsc_khz, when it differs from cpu_khz

* Please backport vmd suspend/resume patches to 16.04 hwe (LP: #1745508)
    - PCI: vmd: Free up IRQs on suspend path

* CVE-2017-17448
    - netfilter: nfnetlink_cthelper: Add missing permission checks

* Dell XPS 13 9360 bluetooth (Atheros) won't connect after resume
    (LP: #1744712)
    - Bluetooth: btusb: Restore QCA Rome suspend/resume fix with a "rewritten"
      version

* [SRU] TrackPoint: middle button doesn't work on TrackPoint-compatible
    device. (LP: #1746002)
    - Input: trackpoint - force 3 buttons if 0 button is reported

* TB16 dock ethernet corrupts data with hw checksum silently failing
    (LP: #1729674)
    - r8152: disable RX aggregation on Dell TB16 dock

* [Artful] Realtek ALC225: 2 secs noise when a headset plugged in
    (LP: #1744058)
    - Revert "UBUNTU: SAUCE: ALSA: hda/realtek - Add support headset mode for DELL
      WYSE"
    - SAUCE: ALSA: hda/realtek - Add support headset mode for DELL WYSE
    - ALSA: hda/realtek - update ALC225 depop optimize

* [A] skb leak in vhost_net / tun / tap (LP: #1738975)
    - vhost: fix skb leak in handle_rx()
    - tap: free skb if flags error
    - tun: free skb in early errors

* Commit d9018976cdb6 missing in Kernels <4.14.x preventing lasting fix of
    Intel SPI bug on certain serial flash (LP: #1742696)
    - mfd: lpc_ich: Do not touch SPI-NOR write protection bit on Haswell/Broadwell
    - spi-nor: intel-spi: Fix broken software sequencing codes

* CVE-2018-5332
    - RDS: Heap OOB write in rds_message_alloc_sgs()

* [A] KVM Windows BSOD on 4.13.x (LP: #1738972)
    - KVM: x86: fix APIC page invalidation

* elantech touchpad of Lenovo L480/580 failed to detect hw_version
    (LP: #1733605)
    - Input: elantech - add new icbody type 15

* [SRU] External HDMI monitor failed to show screen on Lenovo X1 series
    (LP: #1738523)
    - SAUCE: drm/i915: Disable writing of TMDS_OE on Lenovo ThinkPad X1 series

* ubuntu/xr-usb-serial didn't get built in zesty and artful (LP: #1733281)
    - SAUCE: make sure ubuntu/xr-usb-serial builds for x86

* Disabling zfs does not always disable module checks for the zfs modules
    (LP: #1737176)
    - [Packaging] disable zfs module checks when zfs is disabled

* CVE-2017-17806
    - crypto: hmac - require that the underlying hash algorithm is unkeyed

* CVE-2017-17805
    - crypto: salsa20 - fix blkcipher_walk API usage

* CVE-2017-16994
    - mm/pagewalk.c: report holes in hugetlb ranges

* CVE-2017-17450
    - netfilter: xt_osf: Add missing permission checks

* apparmor profile load in stacked policy container fails (LP: #1746463)
    - SAUCE: apparmor: fix display of .ns_name for containers

* CVE-2017-15129
    - net: Fix double free and memory corruption in get_net_ns_by_id()

* CVE-2018-5344
    - loop: fix concurrent lo_open/lo_release

* CVE-2017-1000407
    - KVM: VMX: remove I/O port 0x80 bypass on Intel hosts

* CVE-2017-0861
    - ALSA: pcm: prevent UAF in snd_pcm_info

* perf stat segfaults on uncore events w/o -a (LP: #1745246)
    - perf xyarray: Save max_x, max_y
    - perf evsel: Fix buffer overflow while freeing events

* Support cppc-cpufreq driver on ThunderX2 systems (LP: #1745007)
    - mailbox: PCC: Move the MAX_PCC_SUBSPACES definition to header file
    - ACPI / CPPC: Make CPPC ACPI driver aware of PCC subspace IDs
    - ACPI / CPPC: Fix KASAN global out of bounds warning
    - ACPI: CPPC: remove initial assignment of pcc_ss_data

* P-state not working in kernel 4.13 (LP: #1743269)
    - x86 / CPU: Avoid unnecessary IPIs in arch_freq_get_on_cpu()
    - x86 / CPU: Always show current CPU frequency in /proc/cpuinfo

* Regression: KVM no longer supports Intel CPUs without Virtual NMI
    (LP: #1741655)
    - kvm: vmx: Reinstate support for CPUs without virtual NMI

* System hang with Linux kernel due to mainline commit 24247aeeabe
    (LP: #1733662)
    - x86/intel_rdt/cqm: Prevent use after free

* $(LOCAL_ENV_CC) and $(LOCAL_ENV_DISTCC_HOSTS) should be properly quoted
    (LP: #1744077)
    - [Debian] pass LOCAL_ENV_CC and LOCAL_ENV_DISTCC_HOSTS properly

* the wifi driver is always hard blocked on a lenovo laptop (LP: #1743672)
    - ACPI: EC: Fix possible issues related to EC initialization order

* text VTs are unavailable on desktop after upgrade to Ubuntu 17.10
    (LP: #1724911)
    - drm/i915/fbdev: Always forward hotplug events

* Samsung SSD 960 EVO 500GB refused to change power state (LP: #1705748)
    - nvme-pci: disable APST on Samsung SSD 960 EVO + ASUS PRIME B350M-A

* [0cf3:e010] QCA6174A XR failed to pair with bt 4.0 device  (LP: #1741166)
    - Bluetooth: btusb: Add support for 0cf3:e010

* CVE-2017-17741
    - KVM: Fix stack-out-of-bounds read in write_mmio

* CVE-2018-5333
    - RDS: null pointer dereference in rds_atomic_free_op

* [800 G3 SFF] [800 G3 DM]External microphone of headset(3-ring) is working,
    2-ring mic not working, both not shown in sound settings  (LP: #1740974)
    - ALSA: hda - Add MIC_NO_PRESENCE fixup for 2 HP machines

* Two front mics can't work on a lenovo machine (LP: #1740973)
    - ALSA: hda - change the location for one mic on a Lenovo machine

* No external microphone be detected via headset jack on a dell machine
    (LP: #1740972)
    - ALSA: hda - fix headset mic detection issue on a Dell machine

*  Can't detect external headset via line-out jack on some Dell machines
    (LP: #1740971)
    - ALSA: hda/realtek - Fix Dell AIO LineOut issue

* Support realtek new codec alc257 in the alsa hda driver  (LP: #1738911)
    - ALSA: hda/realtek - New codec support for ALC257

* Add support for 16g huge pages on Ubuntu 16.04.2 PowerNV (LP: #1706247)
    - powerpc/mm/hugetlb: Allow runtime allocation of 16G.
    - powerpc/mm/hugetlb: Add support for reserving gigantic huge pages via kernel
      command line
    - mm/hugetlb: Allow arch to override and call the weak function

* the kernel is blackholing IPv6 packets to linkdown nexthops (LP: #1738219)
    - ipv6: Do not consider linkdown nexthops during multipath

* e1000e in 4.4.0-97-generic breaks 82574L under heavy load. (LP: #1730550)
    - e1000e: Avoid receiver overrun interrupt bursts
    - e1000e: Separate signaling for link check/link up

* Ubuntu 17.10: Include patch "crypto: vmx - Use skcipher for ctr fallback"
    (LP: #1732978)
    - crypto: vmx - Use skcipher for ctr fallback

* QCA Rome bluetooth can not wakeup after USB runtime suspended.
    (LP: #1737890)
    - Bluetooth: btusb: driver to enable the usb-wakeup feature

* /dev/bcache/by-uuid links not created after reboot (LP: #1729145)
    - SAUCE: (no-up) bcache: decouple emitting a cached_dev CHANGE uevent

* Some VMs fail to reboot with "watchdog: BUG: soft lockup - CPU#0 stuck for
    22s! [systemd:1]" (LP: #1730717)
    - SAUCE: exec: fix lockup because retry loop may never exit

* Request to backport cxlflash patches to 16.04 HWE Kernel (LP: #1730515)
    - scsi: cxlflash: Use derived maximum write same length
    - scsi: cxlflash: Allow cards without WWPN VPD to configure
    - scsi: cxlflash: Derive pid through accessors

* vagrant artful64 box filesystem too small (LP: #1726818)
    - block: factor out __blkdev_issue_zero_pages()
    - block: cope with WRITE ZEROES failing in blkdev_issue_zeroout()

* Artful update to 4.13.14 stable release (LP: #1744121)
    - ppp: fix race in ppp device destruction
    - gso: fix payload length when gso_size is zero
    - ipv4: Fix traffic triggered IPsec connections.
    - ipv6: Fix traffic triggered IPsec connections.
    - netlink: do not set cb_running if dump's start() errs
    - net: call cgroup_sk_alloc() earlier in sk_clone_lock()
    - macsec: fix memory leaks when skb_to_sgvec fails
    - l2tp: check ps->sock before running pppol2tp_session_ioctl()
    - netlink: fix netlink_ack() extack race
    - sctp: add the missing sock_owned_by_user check in sctp_icmp_redirect
    - tcp/dccp: fix ireq->opt races
    - packet: avoid panic in packet_getsockopt()
    - geneve: Fix function matching VNI and tunnel ID on big-endian
    - net: bridge: fix returning of vlan range op errors
    - soreuseport: fix initialization race
    - ipv6: flowlabel: do not leave opt->tot_len with garbage
    - sctp: full support for ipv6 ip_nonlocal_bind & IP_FREEBIND
    - tcp/dccp: fix lockdep splat in inet_csk_route_req()
    - tcp/dccp: fix other lockdep splats accessing ireq_opt
    - net: dsa: check master device before put
    - net/unix: don't show information about sockets from other namespaces
    - tap: double-free in error path in tap_open()
    - net/mlx5: Fix health work queue spin lock to IRQ safe
    - net/mlx5e: Properly deal with encap flows add/del under neigh update
    - ipip: only increase err_count for some certain type icmp in ipip_err
    - ip6_gre: only increase err_count for some certain type icmpv6 in ip6gre_err
    - ip6_gre: update dst pmtu if dev mtu has been updated by toobig in
      __gre6_xmit
    - tcp: refresh tp timestamp before tcp_mtu_probe()
    - tap: reference to KVA of an unloaded module causes kernel panic
    - sctp: reset owner sk for data chunks on out queues when migrating a sock
    - net_sched: avoid matching qdisc with zero handle
    - l2tp: hold tunnel in pppol2tp_connect()
    - ipv6: addrconf: increment ifp refcount before ipv6_del_addr()
    - tcp: fix tcp_mtu_probe() vs highest_sack
    - mac80211: accept key reinstall without changing anything
    - mac80211: use constant time comparison with keys
    - mac80211: don't compare TKIP TX MIC key in reinstall prevention
    - usb: usbtest: fix NULL pointer dereference
    - Input: ims-psu - check if CDC union descriptor is sane
    - EDAC, sb_edac: Don't create a second memory controller if HA1 is not present
    - dmaengine: dmatest: warn user when dma test times out
    - Linux 4.13.14

-- Stefan Bader <stefan.bader@canonical.com>  Wed, 14 Mar 2018 11:38:23 +0100

Changed in linux (Ubuntu Artful):
status:	Fix Committed → Fix Released

Frank Heimes (fheimes) on 2018-04-04

Changed in ubuntu-power-systems:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntulinux package

[P9,Power NV][WSP][Ubuntu 1804] : "Kernel access of bad area " when grouping different pmu events using perf fuzzer . (perf:)

Bug Description

CVE References

Other bug subscribers

Remote bug watches

Ubuntu
linux package