Ubuntu
linux package

Boston-LC:bos1u1: Stress test on Qlogic Fibre Channel on Ubuntu KVM guest that caused KVM host crashed in qlt_free_session_done call

Bug #1750441 reported by bugproxy on 2018-02-19

This bug affects 1 person

	Status	Importance	Assigned to
The Ubuntu-power-systems project	Fix Released	High	Canonical Kernel Team
linux (Ubuntu)	Fix Released	High	Joseph Salisbury
Bionic	Fix Released	High	Joseph Salisbury

Bug Description

Problem Description:
=============
- PCI passthru Qlogic Fibre Channel adapter from Ubuntu 18.04 KVM host to Ubuntu 18.04 KVM guest.

- Stress test on Qlogic Fibre Channel on Ubuntu KVM guest caused KVM host crashed in qlt_free_session_done call.

- Below stack traces from KVM host:

91:mon> t
[c000200e4e81fb60] c00800001162f044 qlt_free_session_done+0x4ec/0x680 [qla2xxx] (unreliable)
[c000200e4e81fc90] c00000000012fbb8 process_one_work+0x298/0x5a0
[c000200e4e81fd20] c00000000012ff58 worker_thread+0x98/0x630
[c000200e4e81fdc0] c000000000138ae8 kthread+0x1a8/0x1b0
[c000200e4e81fe30] c00000000000b528 ret_from_kernel_thread+0x5c/0xb4

91:mon> e
cpu 0x91: Vector: 300 (Data Access) at [c000200e4e81f8e0]
    pc: c00800001162ed58: qlt_free_session_done+0x200/0x680 [qla2xxx]
    lr: c00800001162eca8: qlt_free_session_done+0x150/0x680 [qla2xxx]
    sp: c000200e4e81fb60
   msr: 900000000280b033
   dar: 20
dsisr: 40000000
  current = 0xc000200e4e7b0e00
  paca = 0xc00000000fae3b00 softe: 0 irq_happened: 0x01
    pid = 1119, comm = kworker/145:1
Linux version 4.15.0-041500rc9-generic (kernel@tangerine) (gcc version 7.2.0 (Ubuntu 7.2.0-6ubuntu1)) #201801212130 SMP Mon Jan 22 03:36:42 UTC 2018

91:mon> r
R00 = c00800001162eca8 R16 = 0000000000000000
R01 = c000200e4e81fb60 R17 = 0000000000000000
R02 = c00800001166ad60 R18 = 0000000000000000
R03 = 0000000000000001 R19 = 0000000000000000
R04 = c000200e44f8c7f8 R20 = c000200e618e7d80
R05 = 000000000000f087 R21 = 0000000000000000
R06 = c00800001165e6c8 R22 = 0000000000000001
R07 = c00800001164adb0 R23 = c000200e44f99d24
R08 = 0000000000000000 R24 = 0000000000000402
R09 = 0000000000000000 R25 = 0000000000000000
R10 = 0000000000000000 R26 = c000000fe1270c20
R11 = c00800001163e170 R27 = c000200e44f99000
R12 = c000000000cfccf0 R28 = c00800001164adb0
R13 = c00000000fae3b00 R29 = c000000fe1270c00
R14 = c000000000138948 R30 = c000200e44f8c7f8
R15 = c000200e4f019440 R31 = c000000fe1270cc0
pc = c00800001162ed58 qlt_free_session_done+0x200/0x680 [qla2xxx]
cfar= c00800001162ed1c qlt_free_session_done+0x1c4/0x680 [qla2xxx]
lr = c00800001162eca8 qlt_free_session_done+0x150/0x680 [qla2xxx]
msr = 900000000280b033 cr = 28002284
ctr = c000000000cfccf0 xer = 0000000000000000 trap = 300
dar = 0000000000000020 dsisr = 40000000
91:mon>

The crash location seems close to this one fixed about two weeks ago:

https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/drivers/scsi/qla2xxx/qla_os.c?h=next-20180212&id=2ce87cc5b269510de9ca1185ca8a6e10ec78c069

scsi: qla2xxx: Fix memory corruption during hba reset test
This patch fixes memory corrpution while performing HBA Reset test.

Following stack trace is seen:

[ 466.397219] BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
[ 466.433669] IP: [<ffffffffc06f5dd0>] qlt_free_session_done+0x260/0x5f0 [qla2xxx]
[ 466.467731] PGD 0
[ 466.476718] Oops: 0000 [#1] SMP

- Luciano built and provided the patch with new Qlogic change on Friday last week.

root@bos1u1p1:~/chavez# ls linux-image*
linux-image-4.15.0-041500rc9-generic_4.15.0-041500rc9.201801212130_ppc64el.deb
linux-image-extra-4.15.0-041500rc9-generic_4.15.0-041500rc9.201801212130_ppc64el.deb

- I configured and ran same test over weekend and test ran good. KVM host did not crash in qlt_free_session_done call like before.

- So the patch fixed the problem.

Hi Canonical,

Please review and consider this a request to pull in commit 2ce87cc5b269510de9ca1185ca8a6e10ec78c069 please. Thanks!

Tags:

CVE References

bugproxy (bugproxy) on 2018-02-19

tags:	added: architecture-ppc64le bugnameltc-164551 severity-high targetmilestone-inin1804
Changed in ubuntu:
assignee:	nobody → Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage)
affects:	ubuntu → linux (Ubuntu)

Frank Heimes (fheimes) on 2018-02-20

Changed in ubuntu-power-systems:
importance:	Undecided → High
assignee:	nobody → Canonical Kernel Team (canonical-kernel-team)
tags:	added: triage-g

Joseph Salisbury (jsalisbury) on 2018-02-21

Changed in linux (Ubuntu):
status:	New → In Progress
importance:	Undecided → High
assignee:	Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage) → Joseph Salisbury (jsalisbury)

Revision history for this message

Joseph Salisbury (jsalisbury) wrote on 2018-02-21:

I built a test kernel with commit 2ce87cc5b269510de9ca1185ca8a6e10ec78c069. The test kernel can be downloaded from:
http://kernel.ubuntu.com/~jsalisbury/lp1750441

Can you test this kernel and see if it resolves this bug?

Note, to test this kernel, you need to install both the linux-image and linux-image-extra .deb packages.

Thanks in advance!

Frank Heimes (fheimes) on 2018-02-21

Changed in ubuntu-power-systems:
status:	New → In Progress

Revision history for this message

bugproxy (bugproxy) wrote on 2018-02-21: Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2018-02-21 16:40 EDT-------
The test system will be available at the end of this week. I will setup the test and verify the test kernel at that time.

Revision history for this message

Joseph Salisbury (jsalisbury) wrote on 2018-03-13:

Bionic request submitted:
https://lists.ubuntu.com/archives/kernel-team/2018-March/090767.html

Thadeu Lima de Souza Cascardo (cascardo) on 2018-03-13

Changed in linux (Ubuntu Bionic):
status:	In Progress → Fix Committed

Revision history for this message

bugproxy (bugproxy) wrote on 2018-03-21:

------- Comment From <email address hidden> 2018-03-21 15:10 EDT-------
- From my previous comment, I was plan to setup my system and verify the patch.

- However, after I updated my system to new Ubuntu 18.04, I ran into a new Ubuntu 18.04 issue where an Ubuntu KVM guest could not started due to Transactional Memory error (LTC bug 165081) .

- I need to fix my KVM system by wait for patch from LTC bug 165081 available. So I can get the KVM guest started again. Once that works then I can go back and verify the fix for this github.

Revision history for this message

Launchpad Janitor (janitor) wrote on 2018-03-27:

Download full text (32.6 KiB)

This bug was fixed in the package linux - 4.15.0-13.14

---------------
linux (4.15.0-13.14) bionic; urgency=medium

* linux: 4.15.0-13.14 -proposed tracker (LP: #1756408)

  * devpts: handle bind-mounts (LP: #1755857)
    - SAUCE: devpts: hoist out check for DEVPTS_SUPER_MAGIC
    - SAUCE: devpts: resolve devpts bind-mounts
    - SAUCE: devpts: comment devpts_mntget()
    - SAUCE: selftests: add devpts selftests

* [bionic][arm64] d-i: add hisi_sas_v3_hw to scsi-modules (LP: #1756103)
- d-i: add hisi_sas_v3_hw to scsi-modules

This bug was fixed in the package linux - 4.15.0-13.14

---------------
linux (4.15.0-13.14) bionic; urgency=medium

* linux: 4.15.0-13.14 -proposed tracker (LP: #1756408)

* [bionic][arm64] d-i: add hisi_sas_v3_hw to scsi-modules (LP: #1756103)
    - d-i: add hisi_sas_v3_hw to scsi-modules

* [Bionic][ARM64] enable ROCE and HNS3 driver support for hip08 SoC
    (LP: #1756097)
    - RDMA/hns: Refactor eq code for hip06
    - RDMA/hns: Add eq support of hip08
    - RDMA/hns: Add detailed comments for mb() call
    - RDMA/hns: Add rq inline data support for hip08 RoCE
    - RDMA/hns: Update the usage of sr_max and rr_max field
    - RDMA/hns: Set access flags of hip08 RoCE
    - RDMA/hns: Filter for zero length of sge in hip08 kernel mode
    - RDMA/hns: Fix QP state judgement before sending work requests
    - RDMA/hns: Assign dest_qp when deregistering mr
    - RDMA/hns: Fix endian problems around imm_data and rkey
    - RDMA/hns: Assign the correct value for tx_cqn
    - RDMA/hns: Create gsi qp in hip08
    - RDMA/hns: Add gsi qp support for modifying qp in hip08
    - RDMA/hns: Fill sq wqe context of ud type in hip08
    - RDMA/hns: Assign zero for pkey_index of wc in hip08
    - RDMA/hns: Update the verbs of polling for completion
    - RDMA/hns: Set the guid for hip08 RoCE device
    - net: hns3: Refactor of the reset interrupt handling logic
    - net: hns3: Add reset service task for handling reset requests
    - net: hns3: Refactors the requested reset & pending reset handling code
    - net: hns3: Add HNS3 VF IMP(Integrated Management Proc) cmd interface
    - net: hns3: Add mailbox support to VF driver
    - net: hns3: Add HNS3 VF HCL(Hardware Compatibility Layer) Support
    - net: hns3: Add HNS3 VF driver to kernel build framework
    - net: hns3: Unified HNS3 {VF|PF} Ethernet Driver for hip08 SoC
    - net: hns3: Add mailbox support to PF driver
    - net: hns3: Change PF to add ring-vect binding & resetQ to mailbox
    - net: hns3: Add mailbox interrupt handling to PF driver
    - net: hns3: add support to query tqps number
    - net: hns3: add support to modify tqps number
    - net: hns3: change the returned tqp number by ethtool -x
    - net: hns3: free the ring_data structrue when change tqps
    - net: hns3: get rss_size_max from configuration but not hardcode
    - net: hns3: add a mask initialization for mac_vlan table
    - net: hns3: add vlan offload config command
    - net: hns3: add ethtool related offload command
    - net: hns3: add handling vlan tag offload in bd
    - net: hns3: cleanup mac auto-negotiation state query
    - net: hns3: fix for getting auto-negotiation state in hclge_get_autoneg
    - net: hns3: add support for set_pauseparam
    - net: hns3: add support to update flow control settings after autoneg
    - net: hns3: add Asym Pause support to phy default features
    - net: hns3: add support for querying advertised pause frame by ethtool ethx
    - net: hns3: Increase the default depth of bucket for TM shaper
    - net: hns3: change TM sched mode to TC-based mode when SRIOV enabled
    - net: hns3: hns3_get_channels() can be static
    - net: hns3: Add ethtool interface for vlan filter
    - net: hns3: Disable VFs change rxvlan offload status
    - net: hns3: Unify the strings display of packet statistics
    - net: hns3: Fix spelling errors
    - net: hns3: Remove repeat statistic of rx_errors
    - net: hns3: Modify the update period of packet statistics
    - net: hns3: Mask the packet statistics query when NIC is down
    - net: hns3: Fix an error of total drop packet statistics
    - net: hns3: Fix a loop index error of tqp statistics query
    - net: hns3: Fix an error macro definition of HNS3_TQP_STAT
    - net: hns3: Remove a useless member of struct hns3_stats
    - net: hns3: Add packet statistics of netdev
    - net: hns3: Fix a response data read error of tqp statistics query
    - net: hns3: fix for updating fc_mode_last_time
    - net: hns3: fix for setting MTU
    - net: hns3: fix for changing MTU
    - net: hns3: add MTU initialization for hardware
    - net: hns3: fix for not setting pause parameters
    - net: hns3: remove redundant semicolon
    - net: hns3: Add more packet size statisctics
    - Revert "net: hns3: Add packet statistics of netdev"
    - net: hns3: report the function type the same line with hns3_nic_get_stats64
    - net: hns3: add ethtool_ops.get_channels support for VF
    - net: hns3: remove TSO config command from VF driver
    - net: hns3: add ethtool_ops.get_coalesce support to PF
    - net: hns3: add ethtool_ops.set_coalesce support to PF
    - net: hns3: refactor interrupt coalescing init function
    - net: hns3: refactor GL update function
    - net: hns3: remove unused GL setup function
    - net: hns3: change the unit of GL value macro
    - net: hns3: add int_gl_idx setup for TX and RX queues
    - net: hns3: add feature check when feature changed
    - net: hns3: check for NULL function pointer in hns3_nic_set_features
    - net: hns: Fix for variable may be used uninitialized warnings
    - net: hns3: add support for get_regs
    - net: hns3: add manager table initialization for hardware
    - net: hns3: add ethtool -p support for fiber port
    - net: hns3: add net status led support for fiber port
    - net: hns3: converting spaces into tabs to avoid checkpatch.pl warning
    - net: hns3: add get/set_coalesce support to VF
    - net: hns3: add int_gl_idx setup for VF
    - [Config]: enable CONFIG_HNS3_HCLGEVF as module.

* [Bionic][ARM64] add RAS extension and SDEI features (LP: #1756096)
    - KVM: arm64: Store vcpu on the stack during __guest_enter()
    - KVM: arm/arm64: Convert kvm_host_cpu_state to a static per-cpu allocation
    - KVM: arm64: Change hyp_panic()s dependency on tpidr_el2
    - arm64: alternatives: use tpidr_el2 on VHE hosts
    - KVM: arm64: Stop save/restoring host tpidr_el1 on VHE
    - Docs: dt: add devicetree binding for describing arm64 SDEI firmware
    - firmware: arm_sdei: Add driver for Software Delegated Exceptions
    - arm64: Add vmap_stack header file
    - arm64: uaccess: Add PAN helper
    - arm64: kernel: Add arch-specific SDEI entry code and CPU masking
    - firmware: arm_sdei: Add support for CPU and system power states
    - firmware: arm_sdei: add support for CPU private events
    - arm64: acpi: Remove __init from acpi_psci_use_hvc() for use by SDEI
    - firmware: arm_sdei: Discover SDEI support via ACPI
    - arm64: sysreg: Move to use definitions for all the SCTLR bits
    - arm64: cpufeature: Detect CPU RAS Extentions
    - arm64: kernel: Survive corrected RAS errors notified by SError
    - arm64: Unconditionally enable IESB on exception entry/return for firmware-
      first
    - arm64: kernel: Prepare for a DISR user
    - KVM: arm/arm64: mask/unmask daif around VHE guests
    - KVM: arm64: Set an impdef ESR for Virtual-SError using VSESR_EL2.
    - KVM: arm64: Save/Restore guest DISR_EL1
    - KVM: arm64: Save ESR_EL2 on guest SError
    - KVM: arm64: Handle RAS SErrors from EL1 on guest exit
    - KVM: arm64: Handle RAS SErrors from EL2 on guest exit
    - KVM: arm64: Emulate RAS error registers and set HCR_EL2's TERR & TEA
    - [Config]: enable RAS_EXTN and ARM_SDE_INTERFACE

* [Bionic][ARM64] PCI and SAS driver patches for hip08 SoCs (LP: #1756094)
    - scsi: hisi_sas: fix dma_unmap_sg() parameter
    - scsi: ata: enhance the definition of SET MAX feature field value
    - scsi: hisi_sas: relocate clearing ITCT and freeing device
    - scsi: hisi_sas: optimise port id refresh function
    - scsi: hisi_sas: some optimizations of host controller reset
    - scsi: hisi_sas: modify hisi_sas_dev_gone() for reset
    - scsi: hisi_sas: add an mechanism to do reset work synchronously
    - scsi: hisi_sas: change ncq process for v3 hw
    - scsi: hisi_sas: add RAS feature for v3 hw
    - scsi: hisi_sas: add some print to enhance debugging
    - scsi: hisi_sas: improve int_chnl_int_v2_hw() consistency with v3 hw
    - scsi: hisi_sas: add v2 hw port AXI error handling support
    - scsi: hisi_sas: use an general way to delay PHY work
    - scsi: hisi_sas: do link reset for some CHL_INT2 ints
    - scsi: hisi_sas: judge result of internal abort
    - scsi: hisi_sas: add internal abort dev in some places
    - scsi: hisi_sas: fix SAS_QUEUE_FULL problem while running IO
    - scsi: hisi_sas: re-add the lldd_port_deformed()
    - scsi: hisi_sas: add v3 hw suspend and resume
    - scsi: hisi_sas: Change frame type for SET MAX commands
    - scsi: hisi_sas: make local symbol host_attrs static
    - scsi: hisi_sas: fix a bug in hisi_sas_dev_gone()
    - SAUCE: scsi: hisi_sas: config for hip08 ES
    - SAUCE: scsi: hisi_sas: export device table of v3 hw to userspace
    - PM / core: Add LEAVE_SUSPENDED driver flag
    - PCI / PM: Support for LEAVE_SUSPENDED driver flag
    - PCI/AER: Skip recovery callbacks for correctable errors from ACPI APEI
    - PCI/ASPM: Calculate LTR_L1.2_THRESHOLD from device characteristics
    - PCI/ASPM: Enable Latency Tolerance Reporting when supported
    - PCI/ASPM: Unexport internal ASPM interfaces
    - PCI: Make PCI_SCAN_ALL_PCIE_DEVS work for Root as well as Downstream Ports
    - PCI/AER: Return error if AER is not supported
    - PCI/DPC: Enable DPC only if AER is available

* [CVE] Spectre: System Z {kernel} UBUNTU18.04 (LP: #1754580)
    - s390: scrub registers on kernel entry and KVM exit
    - s390: add optimized array_index_mask_nospec
    - s390/alternative: use a copy of the facility bit mask
    - s390: add options to change branch prediction behaviour for the kernel
    - s390: run user space and KVM guests with modified branch prediction
    - s390: introduce execute-trampolines for branches
    - s390: Replace IS_ENABLED(EXPOLINE_*) with IS_ENABLED(CONFIG_EXPOLINE_*)
    - s390: do not bypass BPENTER for interrupt system calls
    - s390/entry.S: fix spurious zeroing of r0

* s390/crypto: Fix kernel crash on aes_s390 module remove (LP: #1753424)
    - SAUCE: s390/crypto: Fix kernel crash on aes_s390 module remove.

* [Feature]Update Ubuntu 18.04 lpfc FC driver with 32/64GB HBA support and bug
    fixes (LP: #1752182)
    - scsi: lpfc: FLOGI failures are reported when connected to a private loop.
    - scsi: lpfc: Expand WQE capability of every NVME hardware queue
    - scsi: lpfc: Handle XRI_ABORTED_CQE in soft IRQ
    - scsi: lpfc: Fix NVME LS abort_xri
    - scsi: lpfc: Raise maximum NVME sg list size for 256 elements
    - scsi: lpfc: Driver fails to detect direct attach storage array
    - scsi: lpfc: Fix display for debugfs queInfo
    - scsi: lpfc: Adjust default value of lpfc_nvmet_mrq
    - scsi: lpfc: Fix ndlp ref count for pt2pt mode issue RSCN
    - scsi: lpfc: Linux LPFC driver does not process all RSCNs
    - scsi: lpfc: correct port registrations with nvme_fc
    - scsi: lpfc: Correct driver deregistrations with host nvme transport
    - scsi: lpfc: Fix crash during driver unload with running nvme traffic
    - scsi: lpfc: Fix driver handling of nvme resources during unload
    - scsi: lpfc: small sg cnt cleanup
    - scsi: lpfc: Fix random heartbeat timeouts during heavy IO
    - scsi: lpfc: update driver version to 11.4.0.5
    - scsi: lpfc: Fix -EOVERFLOW behavior for NVMET and defer_rcv
    - scsi: lpfc: Fix receive PRLI handling
    - scsi: lpfc: Increase SCSI CQ and WQ sizes.
    - scsi: lpfc: Fix SCSI LUN discovery when SCSI and NVME enabled
    - scsi: lpfc: Fix issues connecting with nvme initiator
    - scsi: lpfc: Fix infinite wait when driver unregisters a remote NVME port.
    - scsi: lpfc: Beef up stat counters for debug
    - scsi: lpfc: update driver version to 11.4.0.6
    - scsi: lpfc: correct sg_seg_cnt attribute min vs default
    - scsi: scsi_transport_fc: fix typos on 64/128 GBit define names
    - scsi: lpfc: don't dereference localport before it has been null checked
    - scsi: lpfc: fix a couple of minor indentation issues
    - treewide: Use DEVICE_ATTR_RW
    - treewide: Use DEVICE_ATTR_RO
    - treewide: Use DEVICE_ATTR_WO
    - scsi: lpfc: Fix frequency of Release WQE CQEs
    - scsi: lpfc: Increase CQ and WQ sizes for SCSI
    - scsi: lpfc: move placement of target destroy on driver detach
    - scsi: lpfc: correct debug counters for abort
    - scsi: lpfc: Add WQ Full Logic for NVME Target
    - scsi: lpfc: Fix PRLI handling when topology type changes
    - scsi: lpfc: Fix IO failure during hba reset testing with nvme io.
    - scsi: lpfc: Fix RQ empty firmware trap
    - scsi: lpfc: Allow set of maximum outstanding SCSI cmd limit for a target
    - scsi: lpfc: Fix soft lockup in lpfc worker thread during LIP testing
    - scsi: lpfc: Fix issue_lip if link is disabled
    - scsi: lpfc: Indicate CONF support in NVMe PRLI
    - scsi: lpfc: Fix SCSI io host reset causing kernel crash
    - scsi: lpfc: Validate adapter support for SRIU option
    - scsi: lpfc: Fix header inclusion in lpfc_nvmet
    - scsi: lpfc: Treat SCSI Write operation Underruns as an error
    - scsi: lpfc: Fix nonrecovery of NVME controller after cable swap.
    - scsi: lpfc: update driver version to 11.4.0.7
    - scsi: lpfc: Update 11.4.0.7 modified files for 2018 Copyright
    - scsi: lpfc: Rework lpfc to allow different sli4 cq and eq handlers
    - scsi: lpfc: Rework sli4 doorbell infrastructure
    - scsi: lpfc: Add SLI-4 if_type=6 support to the code base
    - scsi: lpfc: Add push-to-adapter support to sli4
    - scsi: lpfc: Add PCI Ids for if_type=6 hardware
    - scsi: lpfc: Add 64G link speed support
    - scsi: lpfc: Add if_type=6 support for cycling valid bits
    - scsi: lpfc: Enable fw download on if_type=6 devices
    - scsi: lpfc: Add embedded data pointers for enhanced performance
    - scsi: lpfc: Fix nvme embedded io length on new hardware
    - scsi: lpfc: Work around NVME cmd iu SGL type
    - scsi: lpfc: update driver version to 12.0.0.0
    - scsi: lpfc: Change Copyright of 12.0.0.0 modified files to 2018
    - scsi: lpfc: use __raw_writeX on DPP copies
    - scsi: lpfc: Add missing unlock in WQ full logic

* CVE-2018-8043
    - net: phy: mdio-bcm-unimac: fix potential NULL dereference in
      unimac_mdio_probe()

* Bionic update to 4.15.10 stable release (LP: #1756100)
    - Revert "UBUNTU: SAUCE: ALSA: hda/realtek - Add support headset mode for DELL
      WYSE"
    - RDMA/ucma: Limit possible option size
    - RDMA/ucma: Check that user doesn't overflow QP state
    - RDMA/mlx5: Fix integer overflow while resizing CQ
    - bpf: cpumap: use GFP_KERNEL instead of GFP_ATOMIC in __cpu_map_entry_alloc()
    - IB/uverbs: Improve lockdep_check
    - mac80211_hwsim: don't use WQ_MEM_RECLAIM
    - net/smc: fix NULL pointer dereference on sock_create_kern() error path
    - regulator: stm32-vrefbuf: fix check on ready flag
    - drm/i915: Check for fused or unused pipes
    - drm/i915/audio: fix check for av_enc_map overflow
    - drm/i915: Fix rsvd2 mask when out-fence is returned
    - drm/i915: Clear the in-use marker on execbuf failure
    - drm/i915: Disable DC states around GMBUS on GLK
    - drm/i915: Update watermark state correctly in sanitize_watermarks
    - drm/i915: Try EDID bitbanging on HDMI after failed read
    - drm/i915/perf: fix perf stream opening lock
    - scsi: core: Avoid that ATA error handling can trigger a kernel hang or oops
    - scsi: qla2xxx: Fix NULL pointer crash due to active timer for ABTS
    - drm/i915: Always call to intel_display_set_init_power() in resume_early.
    - workqueue: Allow retrieval of current task's work struct
    - drm: Allow determining if current task is output poll worker
    - drm/nouveau: Fix deadlock on runtime suspend
    - drm/radeon: Fix deadlock on runtime suspend
    - drm/amdgpu: Fix deadlock on runtime suspend
    - drm/nouveau: prefer XBGR2101010 for addfb ioctl
    - drm/amd/powerplay/smu7: allow mclk switching with no displays
    - drm/amd/powerplay/vega10: allow mclk switching with no displays
    - Revert "drm/radeon/pm: autoswitch power state when in balanced mode"
    - drm/amd/display: check for ipp before calling cursor operations
    - drm/radeon: insist on 32-bit DMA for Cedar on PPC64/PPC64LE
    - drm/amd/powerplay: fix power over limit on Fiji
    - drm/amd/display: Default HDMI6G support to true. Log VBIOS table error.
    - drm/amdgpu: used cached pcie gen info for SI (v2)
    - drm/amdgpu: Notify sbios device ready before send request
    - drm/radeon: fix KV harvesting
    - drm/amdgpu: fix KV harvesting
    - drm/amdgpu:Correct max uvd handles
    - drm/amdgpu:Always save uvd vcpu_bo in VM Mode
    - ovl: redirect_dir=nofollow should not follow redirect for opaque lower
    - MIPS: BMIPS: Do not mask IPIs during suspend
    - MIPS: ath25: Check for kzalloc allocation failure
    - MIPS: OCTEON: irq: Check for null return on kzalloc allocation
    - PCI: dwc: Fix enumeration end when reaching root subordinate
    - Input: matrix_keypad - fix race when disabling interrupts
    - Revert "Input: synaptics - Lenovo Thinkpad T460p devices should use RMI"
    - bug: use %pB in BUG and stack protector failure
    - lib/bug.c: exclude non-BUG/WARN exceptions from report_bug()
    - mm/memblock.c: hardcode the end_pfn being -1
    - Documentation/sphinx: Fix Directive import error
    - loop: Fix lost writes caused by missing flag
    - virtio_ring: fix num_free handling in error case
    - KVM: s390: fix memory overwrites when not using SCA entries
    - arm64: mm: fix thinko in non-global page table attribute check
    - IB/core: Fix missing RDMA cgroups release in case of failure to register
      device
    - Revert "nvme: create 'slaves' and 'holders' entries for hidden controllers"
    - kbuild: Handle builtin dtb file names containing hyphens
    - dm bufio: avoid false-positive Wmaybe-uninitialized warning
    - IB/mlx5: Fix incorrect size of klms in the memory region
    - bcache: fix crashes in duplicate cache device register
    - bcache: don't attach backing with duplicate UUID
    - x86/MCE: Save microcode revision in machine check records
    - x86/MCE: Serialize sysfs changes
    - perf tools: Fix trigger class trigger_on()
    - x86/spectre_v2: Don't check microcode versions when running under
      hypervisors
    - ALSA: hda/realtek - Add support headset mode for DELL WYSE
    - ALSA: hda/realtek - Add headset mode support for Dell laptop
    - ALSA: hda/realtek: Limit mic boost on T480
    - ALSA: hda/realtek - Fix dock line-out volume on Dell Precision 7520
    - ALSA: hda/realtek - Make dock sound work on ThinkPad L570
    - ALSA: seq: More protection for concurrent write and ioctl races
    - ALSA: hda: add dock and led support for HP EliteBook 820 G3
    - ALSA: hda: add dock and led support for HP ProBook 640 G2
    - scsi: qla2xxx: Fix NULL pointer crash due to probe failure
    - scsi: qla2xxx: Fix recursion while sending terminate exchange
    - dt-bindings: Document mti,mips-cpc binding
    - MIPS: CPC: Map registers using DT in mips_cpc_default_phys_base()
    - nospec: Kill array_index_nospec_mask_check()
    - nospec: Include <asm/barrier.h> dependency
    - x86/entry: Reduce the code footprint of the 'idtentry' macro
    - x86/entry/64: Use 'xorl' for faster register clearing
    - x86/mm: Remove stale comment about KMEMCHECK
    - x86/asm: Improve how GEN_*_SUFFIXED_RMWcc() specify clobbers
    - x86/IO-APIC: Avoid warning in 32-bit builds
    - x86/LDT: Avoid warning in 32-bit builds with older gcc
    - x86-64/realmode: Add instruction suffix
    - Revert "x86/retpoline: Simplify vmexit_fill_RSB()"
    - x86/speculation: Use IBRS if available before calling into firmware
    - x86/retpoline: Support retpoline builds with Clang
    - x86/speculation, objtool: Annotate indirect calls/jumps for objtool
    - x86/speculation: Move firmware_restrict_branch_speculation_*() from C to CPP
    - x86/paravirt, objtool: Annotate indirect calls
    - x86/boot, objtool: Annotate indirect jump in secondary_startup_64()
    - x86/mm/sme, objtool: Annotate indirect call in sme_encrypt_execute()
    - objtool: Use existing global variables for options
    - objtool: Add retpoline validation
    - objtool: Add module specific retpoline rules
    - objtool, retpolines: Integrate objtool with retpoline support more closely
    - objtool: Fix another switch table detection issue
    - objtool: Fix 32-bit build
    - x86/kprobes: Fix kernel crash when probing .entry_trampoline code
    - watchdog: hpwdt: SMBIOS check
    - watchdog: hpwdt: Check source of NMI
    - watchdog: hpwdt: fix unused variable warning
    - watchdog: hpwdt: Remove legacy NMI sourcing.
    - netfilter: add back stackpointer size checks
    - netfilter: ipt_CLUSTERIP: fix a race condition of proc file creation
    - netfilter: xt_hashlimit: fix lock imbalance
    - netfilter: x_tables: fix missing timer initialization in xt_LED
    - netfilter: nat: cope with negative port range
    - netfilter: IDLETIMER: be syzkaller friendly
    - netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets
    - netfilter: bridge: ebt_among: add missing match size checks
    - netfilter: ipv6: fix use-after-free Write in nf_nat_ipv6_manip_pkt
    - netfilter: use skb_to_full_sk in ip6_route_me_harder
    - tpm_tis: Move ilb_base_addr to tpm_tis_data
    - tpm: Keep CLKRUN enabled throughout the duration of transmit_cmd()
    - tpm: delete the TPM_TIS_CLK_ENABLE flag
    - tpm: remove unused variables
    - tpm: only attempt to disable the LPC CLKRUN if is already enabled
    - x86/xen: Calculate __max_logical_packages on PV domains
    - scsi: qla2xxx: Fix system crash for Notify ack timeout handling
    - scsi: qla2xxx: Fix gpnid error processing
    - scsi: qla2xxx: Move session delete to driver work queue
    - scsi: qla2xxx: Skip IRQ affinity for Target QPairs
    - scsi: qla2xxx: Fix re-login for Nport Handle in use
    - scsi: qla2xxx: Retry switch command on time out
    - scsi: qla2xxx: Serialize GPNID for multiple RSCN
    - scsi: qla2xxx: Fix login state machine stuck at GPDB
    - scsi: qla2xxx: Fix NPIV host cleanup in target mode
    - scsi: qla2xxx: Relogin to target port on a cable swap
    - scsi: qla2xxx: Fix Relogin being triggered too fast
    - scsi: qla2xxx: Fix PRLI state check
    - scsi: qla2xxx: Fix abort command deadlock due to spinlock
    - scsi: qla2xxx: Replace fcport alloc with qla2x00_alloc_fcport
    - scsi: qla2xxx: Fix scan state field for fcport
    - scsi: qla2xxx: Clear loop id after delete
    - scsi: qla2xxx: Defer processing of GS IOCB calls
    - scsi: qla2xxx: Remove aborting ELS IOCB call issued as part of timeout.
    - scsi: qla2xxx: Fix system crash in qlt_plogi_ack_unref
    - scsi: qla2xxx: Fix memory leak in dual/target mode
    - NFS: Fix an incorrect type in struct nfs_direct_req
    - pNFS: Prevent the layout header refcount going to zero in pnfs_roc()
    - NFS: Fix unstable write completion
    - Linux 4.15.10

* Bionic update to 4.15.10 stable release (LP: #1756100) // CVE-2018-1000004.
    - ALSA: seq: Don't allow resizing pool in use

* nfp: prioritize stats updates (LP: #1752061)
    - nfp: flower: prioritize stats updates

* Ubuntu 18.04 - Kernel crash on nvme subsystem-reset /dev/nvme0 (Bolt / NVMe)
    (LP: #1753371)
    - nvme-pci: Fix EEH failure on ppc

* sbsa watchdog crashes thunderx2 system (LP: #1755595)
    - watchdog: sbsa: use 32-bit read for WCV

* KVM: s390: add vcpu stat counters for many instruction (LP: #1755132)
    - KVM: s390: diagnoses are instructions as well
    - KVM: s390: add vcpu stat counters for many instruction

* CIFS SMB2/SMB3 does not work for domain based DFS (LP: #1747572)
    - CIFS: make IPC a regular tcon
    - CIFS: use tcon_ipc instead of use_ipc parameter of SMB2_ioctl
    - CIFS: dump IPC tcon in debug proc file

* i2c-thunderx: erroneous error message "unhandled state: 0" (LP: #1754076)
    - i2c: octeon: Prevent error message on bus error

* Boston-LC:bos1u1: Stress test on Qlogic Fibre Channel on Ubuntu KVM guest
    that caused KVM host crashed in qlt_free_session_done call (LP: #1750441)
    - scsi: qla2xxx: Fix memory corruption during hba reset test

* Ubuntu 18.04 - Performance: Radix page fault handler bug in KVM
    (LP: #1752236)
    - KVM: PPC: Book3S HV: Fix handling of large pages in radix page fault handler

* Fix ARC hit rate (LP: #1755158)
    - SAUCE: Fix ARC hit rate (LP: #1755158)

* Bionic update to 4.15.9 stable release (LP: #1755275)
    - bpf: fix mlock precharge on arraymaps
    - bpf: fix memory leak in lpm_trie map_free callback function
    - bpf: fix rcu lockdep warning for lpm_trie map_free callback
    - bpf, x64: implement retpoline for tail call
    - bpf, arm64: fix out of bounds access in tail call
    - bpf: add schedule points in percpu arrays management
    - bpf: allow xadd only on aligned memory
    - bpf, ppc64: fix out of bounds access in tail call
    - scsi: mpt3sas: fix oops in error handlers after shutdown/unload
    - scsi: mpt3sas: wait for and flush running commands on shutdown/unload
    - KVM: x86: fix backward migration with async_PF
    - Linux 4.15.9

* Bionic update to 4.15.8 stable release (LP: #1755179)
    - hrtimer: Ensure POSIX compliance (relative CLOCK_REALTIME hrtimers)
    - ipmi_si: Fix error handling of platform device
    - platform/x86: dell-laptop: Allocate buffer on heap rather than globally
    - powerpc/pseries: Enable RAS hotplug events later
    - Bluetooth: btusb: Use DMI matching for QCA reset_resume quirking
    - ixgbe: fix crash in build_skb Rx code path
    - tpm: st33zp24: fix potential buffer overruns caused by bit glitches on the
      bus
    - tpm: fix potential buffer overruns caused by bit glitches on the bus
    - tpm_i2c_infineon: fix potential buffer overruns caused by bit glitches on
      the bus
    - tpm_i2c_nuvoton: fix potential buffer overruns caused by bit glitches on the
      bus
    - tpm_tis: fix potential buffer overruns caused by bit glitches on the bus
    - ALSA: usb-audio: Add a quirck for B&W PX headphones
    - ALSA: control: Fix memory corruption risk in snd_ctl_elem_read
    - ALSA: x86: Fix missing spinlock and mutex initializations
    - ALSA: hda: Add a power_save blacklist
    - ALSA: hda - Fix pincfg at resume on Lenovo T470 dock
    - mmc: sdhci-pci: Fix S0i3 for Intel BYT-based controllers
    - mmc: dw_mmc-k3: Fix out-of-bounds access through DT alias
    - mmc: dw_mmc: Avoid accessing registers in runtime suspended state
    - mmc: dw_mmc: Factor out dw_mci_init_slot_caps
    - mmc: dw_mmc: Fix out-of-bounds access for slot's caps
    - timers: Forward timer base before migrating timers
    - parisc: Use cr16 interval timers unconditionally on qemu
    - parisc: Reduce irq overhead when run in qemu
    - parisc: Fix ordering of cache and TLB flushes
    - parisc: Hide virtual kernel memory layout
    - btrfs: use proper endianness accessors for super_copy
    - block: fix the count of PGPGOUT for WRITE_SAME
    - block: kyber: fix domain token leak during requeue
    - block: pass inclusive 'lend' parameter to truncate_inode_pages_range
    - vfio: disable filesystem-dax page pinning
    - cpufreq: s3c24xx: Fix broken s3c_cpufreq_init()
    - dax: fix vma_is_fsdax() helper
    - direct-io: Fix sleep in atomic due to sync AIO
    - x86/xen: Zero MSR_IA32_SPEC_CTRL before suspend
    - x86/platform/intel-mid: Handle Intel Edison reboot correctly
    - x86/cpu_entry_area: Sync cpu_entry_area to initial_page_table
    - bridge: check brport attr show in brport_show
    - fib_semantics: Don't match route with mismatching tclassid
    - hdlc_ppp: carrier detect ok, don't turn off negotiation
    - ipv6 sit: work around bogus gcc-8 -Wrestrict warning
    - net: amd-xgbe: fix comparison to bitshift when dealing with a mask
    - net: ethernet: ti: cpsw: fix net watchdog timeout
    - net: fix race on decreasing number of TX queues
    - net: ipv4: don't allow setting net.ipv4.route.min_pmtu below 68
    - netlink: ensure to loop over all netns in genlmsg_multicast_allns()
    - net: sched: report if filter is too large to dump
    - ppp: prevent unregistered channels from connecting to PPP units
    - sctp: verify size of a new chunk in _sctp_make_chunk()
    - udplite: fix partial checksum initialization
    - net/mlx5e: Fix TCP checksum in LRO buffers
    - sctp: fix dst refcnt leak in sctp_v4_get_dst
    - mlxsw: spectrum_switchdev: Check success of FDB add operation
    - net/mlx5e: Specify numa node when allocating drop rq
    - net: phy: fix phy_start to consider PHY_IGNORE_INTERRUPT
    - tcp: Honor the eor bit in tcp_mtu_probe
    - rxrpc: Fix send in rxrpc_send_data_packet()
    - tcp_bbr: better deal with suboptimal GSO
    - doc: Change the min default value of tcp_wmem/tcp_rmem.
    - net/mlx5e: Fix loopback self test when GRO is off
    - net_sched: gen_estimator: fix broken estimators based on percpu stats
    - net/sched: cls_u32: fix cls_u32 on filter replace
    - sctp: do not pr_err for the duplicated node in transport rhlist
    - mlxsw: spectrum_router: Fix error path in mlxsw_sp_vr_create
    - net: ipv4: Set addr_type in hash_keys for forwarded case
    - sctp: fix dst refcnt leak in sctp_v6_get_dst()
    - bridge: Fix VLAN reference count problem
    - net/mlx5e: Verify inline header size do not exceed SKB linear size
    - tls: Use correct sk->sk_prot for IPV6
    - amd-xgbe: Restore PCI interrupt enablement setting on resume
    - cls_u32: fix use after free in u32_destroy_key()
    - mlxsw: spectrum_router: Do not unconditionally clear route offload
      indication
    - netlink: put module reference if dump start fails
    - tcp: purge write queue upon RST
    - tuntap: correctly add the missing XDP flush
    - tuntap: disable preemption during XDP processing
    - virtio-net: disable NAPI only when enabled during XDP set
    - cxgb4: fix trailing zero in CIM LA dump
    - net/mlx5: Fix error handling when adding flow rules
    - net: phy: Restore phy_resume() locking assumption
    - tcp: tracepoint: only call trace_tcp_send_reset with full socket
    - l2tp: don't use inet_shutdown on tunnel destroy
    - l2tp: don't use inet_shutdown on ppp session destroy
    - l2tp: fix races with tunnel socket close
    - l2tp: fix race in pppol2tp_release with session object destroy
    - l2tp: fix tunnel lookup use-after-free race
    - s390/qeth: fix underestimated count of buffer elements
    - s390/qeth: fix SETIP command handling
    - s390/qeth: fix overestimated count of buffer elements
    - s390/qeth: fix IP removal on offline cards
    - s390/qeth: fix double-free on IP add/remove race
    - Revert "s390/qeth: fix using of ref counter for rxip addresses"
    - s390/qeth: fix IP address lookup for L3 devices
    - s390/qeth: fix IPA command submission race
    - tcp: revert F-RTO middle-box workaround
    - tcp: revert F-RTO extension to detect more spurious timeouts
    - blk-mq: don't call io sched's .requeue_request when requeueing rq to
      ->dispatch
    - media: m88ds3103: don't call a non-initalized function
    - EDAC, sb_edac: Fix out of bound writes during DIMM configuration on KNL
    - KVM: s390: take care of clock-comparator sign control
    - KVM: s390: provide only a single function for setting the tod (fix SCK)
    - KVM: s390: consider epoch index on hotplugged CPUs
    - KVM: s390: consider epoch index on TOD clock syncs
    - nospec: Allow index argument to have const-qualified type
    - x86/mm: Fix {pmd,pud}_{set,clear}_flags()
    - ARM: orion: fix orion_ge00_switch_board_info initialization
    - ARM: dts: rockchip: Remove 1.8 GHz operation point from phycore som
    - ARM: mvebu: Fix broken PL310_ERRATA_753970 selects
    - ARM: kvm: fix building with gcc-8
    - KVM: X86: Fix SMRAM accessing even if VM is shutdown
    - KVM: mmu: Fix overlap between public and private memslots
    - KVM/x86: Remove indirect MSR op calls from SPEC_CTRL
    - KVM: x86: move LAPIC initialization after VMCS creation
    - KVM/VMX: Optimize vmx_vcpu_run() and svm_vcpu_run() by marking the RDMSR
      path as unlikely()
    - KVM: x86: fix vcpu initialization with userspace lapic
    - KVM/x86: remove WARN_ON() for when vm_munmap() fails
    - ACPI / bus: Parse tables as term_list for Dell XPS 9570 and Precision M5530
    - ARM: dts: LogicPD SOM-LV: Fix I2C1 pinmux
    - ARM: dts: LogicPD Torpedo: Fix I2C1 pinmux
    - powerpc/64s/radix: Boot-time NULL pointer protection using a guard-PID
    - md: only allow remove_and_add_spares when no sync_thread running.
    - platform/x86: dell-laptop: fix kbd_get_state's request value
    - Linux 4.15.8

* ZFS setgid broken on 0.7 (LP: #1753288)
    - SAUCE: Fix ZFS setgid

* /proc/kallsyms prints "(null)" for null addresses in 4.15 (LP: #1754297)
    - vsprintf: avoid misleading "(null)" for %px

* Miscellaneous Ubuntu changes
    - d-i: Add netsec to nic-modules
    - [Config] fix up retpoline abi files
    - [Config] set NOBP and expoline options for s390

-- Thadeu Lima de Souza Cascardo <cascardo@canonical.com>  Fri, 16 Mar 2018 14:49:27 -0300

Changed in linux (Ubuntu Bionic):
status:	Fix Committed → Fix Released

Frank Heimes (fheimes) on 2018-04-04

Changed in ubuntu-power-systems:
status:	In Progress → Fix Released

Brad Figg (brad-figg) on 2019-07-24

tags:

added: cscc

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntulinux package

Boston-LC:bos1u1: Stress test on Qlogic Fibre Channel on Ubuntu KVM guest that caused KVM host crashed in qlt_free_session_done call

Bug Description

CVE References

Other bug subscribers

Remote bug watches

Ubuntu
linux package