Wily update to v4.2.8-ckt3 stable release

Bug #1540532 reported by Kamal Mostafa
This bug affects 2 people
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Fix Released

Bug Description

SRU Justification

       The upstream process for stable tree updates is quite similar
       in scope to the Ubuntu SRU process, e.g., each patch has to
       demonstrably fix a bug, and each patch is vetted by upstream
       by originating either directly from a mainline/stable Linux tree or
       a minimally backported form of that patch. The v4.2.8-ckt3 upstream stable
       patch set is now available. It should be included in the Ubuntu
       kernel as well.



       The following patches from the v4.2.8-ckt3 stable release shall be applied:

Linux 4.2.8-ckt3
ipv6: update skb->csum when CE mark is propagated
vxlan: fix test which detect duplicate vxlan iface
batman-adv: Drop immediate batadv_hard_iface free function
net: bpf: reject invalid shifts
phonet: properly unshare skbs in phonet_rcv()
net: preserve IP control block during GSO segmentation
udp: disallow UFO for sockets with SO_NO_CHECK option
sched,cls_flower: set key address type when present
tcp_yeah: don't set ssthresh below 2
bridge: Only call /sbin/bridge-stp for the initial network namespace
unix: properly account for FDs passed over unix sockets
af_unix: Fix splice-bind deadlock
connector: bump skb->users before callback invocation
sctp: sctp should release assoc when sctp_make_abort_user return NULL in sctp_close
net: cdc_ncm: avoid changing RX/TX buffers on MTU changes
veth: don’t modify ip_summed; doing so treats packets with bad checksums as good.
NFS: Ensure we revalidate attributes before using execute_ok()
NFSv4: Don't perform cached access checks before we've OPENed the file
net/mlx4: Remove unused macro
IB/mlx4: Initialize hop_limit when creating address handle
mmc: debugfs: correct wrong voltage value
team: Replace rcu_read_lock with a mutex in team_vlan_rx_kill_vid
ARM: dts: armadillo800eva Correct extal1 frequency to 24 MHz
printk: help pr_debug and pr_devel to optimize out arguments
batman-adv: Drop immediate orig_node free function
batman-adv: Drop immediate neigh_ifinfo free function
batman-adv: Drop immediate batadv_neigh_node free function
batman-adv: Drop immediate batadv_orig_ifinfo free function
batman-adv: Avoid recursive call_rcu for batadv_nc_node
batman-adv: Avoid recursive call_rcu for batadv_bla_claim
bridge: fix lockdep addr_list_lock false positive splat
btrfs: initialize the seq counter in struct btrfs_device
Btrfs: clean up an error code in btrfs_init_space_info()
include/linux/memblock.h: fix ordering of 'flags' argument in comments
vmstat: make vmstat_updater deferrable again and shut down on idle
net: tcp_memcontrol: properly detect ancestor socket pressure
mmc: sd: limit SD card power limit according to cards capabilities
kbuild: Demote 'sign-compare' warning to W=2
bonding: Prevent IPv6 link local address on enslaved devices
ipv6: tcp: add rcu locking in tcp_v6_send_synack()
net: sctp: prevent writes to cookie_hmac_alg from accessing invalid memory
um: Fix build error and kconfig for i386
m68k/atari, m68k/sun3: Fix SCSI platform device registration when driver is modular
phy: micrel: Fix finding PHY properties in MAC node for KSZ9031.
target: Fix a memory leak in target_dev_lba_map_store()
firmware: actually return NULL on failed request_firmware_nowait()
power: test_power: correctly handle empty writes
perf/x86: fix PEBS issues on Intel Atom/Core2
perf/x86: Fix filter_events() bug with event mappings
kconfig: return 'false' instead of 'no' in bool function
sysrq: Fix warning in sysrq generated crash.
x86/LDT: Print the real LDT base address
mmc: sdhci: restore behavior when setting VDD via external regulator
pinctrl: bcm2835: Fix memory leak in error path
ALSA: fm801: detect FM-only card earlier
ALSA: fm801: propagate TUNER_ONLY bit when autodetected
ARM: imx: select SRC for i.MX7
ALSA: fm801: explicitly free IRQ line
tpm_tis: Use devm_free_irq not free_irq
Drivers: hv: utils: use memdup_user in hvt_op_write
Drivers: hv: util: catch allocation errors
mtd: nand: denali: add missing nand_release() call in denali_remove()
Revert "ACPI / LPSS: allow to use specific PM domain during ->probe()"
mac80211: fix mgmt-tx abort cookie and leak
mtd: nand: fix ONFI parameter page layout
ASoC: tegra_alc5632: check return value
ath9k_htc: check for underflow in ath9k_htc_rx_msg()
PCI/MSI: Initialize MSI capability for all architectures
ASoC: Intel: pass correct parameter in sst_alloc_stream_mrfld()
MAINTAINERS: gpio-brcmstb: Remove stray '>'
clk: st: avoid uninitialized variable use
clk: xgene: Fix divider with non-zero shift value
SCSI: initio: remove duplicate module device table
[media] lirc_imon: do not leave imon_probe() with mutex held
[media] rc: allow rc modules to be loaded if rc-main is not a module
drm/i915: On fb alloc failure, unref gem object where it gets refed
ideapad-laptop: Add Lenovo Yoga 700 to no_hw_rfkill dmi list
MIPS: Fix some missing CONFIG_CPU_MIPSR6 #ifdefs
MAINTAINERS: return arch/sh to maintained state, with new maintainers
make sure that freeing shmem fast symlinks is RCU-delayed
pNFS/flexfiles: Fix an XDR encoding bug in layoutreturn
ocfs2: NFS hangs in __ocfs2_cluster_lock due to race with ocfs2_unblock_lock
MIPS: hpet: Choose a safe value for the ETIME check
MIPS: Loongson-3: Fix SMP_ASK_C0COUNT IPI handler
libceph: fix ceph_msg_revoke()
ALSA: timer: Handle disconnection more safely
prctl: take mmap sem for writing to protect against others
zsmalloc: fix migrate_zspage-zs_free race condition
ALSA: hda - Flush the pending probe work at remove
crypto: algif_skcipher - sendmsg SG marking is off by one
iscsi-target: Fix potential dead-lock during node acl delete
Btrfs: fix deadlock running delayed iputs at transaction commit time
ideapad-laptop: Add Lenovo ideapad Y700-17ISK to no_hw_rfkill dmi list
IB/cm: Fix a recently introduced deadlock
IB/mlx5: Expose correct maximum number of CQE capacity
IB/qib: Support creating qps with GFP_NOIO flag
IB/qib: fix mcast detach when qp not attached
crypto: crc32c - Fix crc32c soft dependency
crypto: algif_skcipher - Load TX SG list after waiting
xfs: log mount failures don't wait for buffers to be released
ARM: debug-ll: fix BCM63xx entry for multiplatform
ALSA: control: Avoid kernel warnings from tlv ioctl with numid 0
ALSA: seq: Fix snd_seq_call_port_info_ioctl in compat mode
ALSA: pcm: Fix snd_pcm_hw_params struct copy in compat mode
dmaengine: at_xdmac: fix resume for cyclic transfers
ALSA: hrtimer: Fix stall by hrtimer_cancel()
crypto: algif_skcipher - Fix race condition in skcipher_check_key
crypto: algif_hash - Fix race condition in hash_check_key
lib: sw842: select crc32
crypto: af_alg - Forbid bind(2) when nokey child sockets are present
crypto: algif_skcipher - Remove custom release parent function
crypto: algif_hash - Remove custom release parent function
crypto: af_alg - Allow af_af_alg_release_parent to be called on nokey path
crypto: algif_hash - Require setkey before accept(2)
crypto: hash - Add crypto_ahash_has_setkey
crypto: algif_skcipher - Add nokey compatibility path
crypto: af_alg - Add nokey compatibility path
crypto: af_alg - Fix socket double-free when accept fails
crypto: af_alg - Disallow bind/setkey/... after accept(2)
crypto: algif_skcipher - Require setkey before accept(2)
ALSA: hda - Fix bass pin fixup for ASUS N550JX
printk: do cond_resched() between lines while outputting to consoles
kernel/panic.c: turn off locks debug before releasing console lock
panic: release stale console lock to always get the logbuf printed out
memcg: only free spare array when readers are done
zram: don't call idr_remove() from zram_remove()
mm: soft-offline: check return value in second __get_any_page() call
ACPI / video: Add disable_backlight_sysfs_if quirk for the Toshiba Satellite R830
ACPI / video: Add disable_backlight_sysfs_if quirk for the Toshiba Portege R700
zram: try vmalloc() after kmalloc()
zram/zcomp: use GFP_NOIO to allocate streams
ALSA: timer: Harden slave timer list handling
ALSA: hda - Add fixup for Dell Latitidue E6540
ocfs2/dlm: ignore cleaning the migration mle that is inuse
scripts/bloat-o-meter: fix python3 syntax error
dma-debug: switch check from _text to _stext
m32r: fix m32104ut_defconfig build fail
cifs_dbg() outputs an uninitialized buffer in cifs_readdir()
cifs: fix race between call_async() and reconnect()
cifs: Ratelimit kernel log messages
sparc64: fix incorrect sign extension in sys_sparc64_personality
ALSA: timer: Fix race among timer ioctls
mmc: mmci: fix an ages old detection error
dmaengine: dw: fix cyclic transfer callbacks
dmaengine: dw: fix cyclic transfer setup
ALSA: timer: Fix double unlink of active_list
x86/mm: Improve switch_mm() barrier comments
drm/i915: intel_hpd_init(): Fix suspend/resume reprobing
drm/i915: Restore inhibiting the load of the default context
ALSA: usb-audio: Fix mixer ctl regression of Native Instrument devices
ALSA: hda - fix the headset mic detection problem for a Dell laptop
powerpc/module: Handle R_PPC64_ENTRY relocations
scripts/recordmcount.pl: support data in text section on powerpc
ALSA: hda - Fix white noise on Dell Latitude E5550
virtio_balloon: fix race between migration and ballooning
virtio_balloon: fix race by fill and leak
ALSA: seq: Fix race at timer setup and close
ALSA: seq: Fix missing NULL check at remove_events ioctl
x86/reboot/quirks: Add iMac10,1 to pci_reboot_dmi_table[]
Input: elantech - mark protocols v2 and v3 as semi-mt
clocksource/drivers/vt8500: Increase the minimum delta
xfs: handle dquot buffer readahead in log recovery correctly
xfs: inode recovery readahead can race with inode buffer creation
s390: fix normalization bug in exception table sorting
x86/boot: Double BOOT_HEAP_SIZE to 64KB
x86/mm: Add barriers and document switch_mm()-vs-flush synchronization
ALSA: hda - Fixup inverted internal mic for Lenovo E50-80
ALSA: usb: Add native DSD support for Oppo HA-1
drm/nouveau/kms: take mode_config mutex in connector hotplug path
uml: flush stdout before forking
uml: fix hostfs mknod()
dm snapshot: fix hung bios when copy error occurs
ASoC: compress: Fix compress device direction check
scsi: add Synology to 1024 sector blacklist
locks: fix unlock when fcntl_setlk races with a close
iwlwifi: pcie: properly configure the debug buffer size for 8000
iwlwifi: update and fix 7265 series PCI IDs
btrfs: handle invalid num_stripes in sys_array
PCI: host: Mark PCIe/PCI (MSI) IRQ cascade handlers as IRQF_NO_THREAD
PCI: Fix minimum allocation address overwrite
drm/dp/mst: fix in RAD element access
drm/dp/mst: fix in MSTB RAD initialization
drm/dp/mst: always send reply for UP request
drm/dp/mst: process broadcast messages correctly
udf: Check output buffer length when converting name to CS0
udf: Prevent buffer overrun with multi-byte characters
x86/xen: don't reset vcpu_info on a cancelled suspend
libxfs: pack the agfl header structure so XFS_AGFL_SIZE is correct
Input: i8042 - add Fujitsu Lifebook U745 to the nomux list
wlcore/wl12xx: spi: fix NULL pointer dereference (Oops)
bcache: Change refill_dirty() to always scan entire disk if necessary
bcache: allows use of register in udev to avoid "device_busy" error.
bcache: unregister reboot notifier if bcache fails to unregister device
bcache: fix a leak in bch_cached_dev_run()
bcache: clear BCACHE_DEV_UNLINK_DONE flag when attaching a backing device
bcache: Add a cond_resched() call to gc
bcache: fix a livelock when we cause a huge number of cache misses
rtlwifi: rtl_pci: Fix kernel panic
NFS: Fix attribute cache revalidation
rtlwifi: rtl8192cu: Add missing parameter setup
rtlwifi: rtl8192ce: Fix handling of module parameters
rtlwifi: rtl8192se: Fix module parameter initialization
rtlwifi: rtl8192de: Fix incorrect module parameter descriptions
rtlwifi: rtl8188ee: Fix module parameter initialization
rtlwifi: rtl8821ae: Fix errors in parameter initialization
rtlwifi: rtl8723ae: Fix initialization of module parameters
rtlwifi: rtl8723be: Fix module parameter initialization
posix-clock: Fix return code on the poll method's error path
Thermal: do thermal zone update after a cooling device registered
Thermal: handle thermal zone device properly during system sleep
Thermal: initialize thermal zone device correctly
USB: cp210x: add ID for ELV Marble Sound Board 1
nfs: Fix race in __update_open_stateid()
[media] rc: sunxi-cir: Initialize the spinlock properly
udf: limit the maximum number of indirect extents in a row
regulator: axp20x: Fix GPIO LDO enable value for AXP22x
mmc: sdhci: Fix sdhci_runtime_pm_bus_on/off()
mmc: sdhci: Fix DMA descriptor with zero data length
mmc: sdio: Fix invalid vdd in voltage switch power cycle
mmc: sdhci-pci: Do not default to 33 Ohm driver strength for Intel SPT
mmc: mmc: Fix incorrect use of driver strength switching HS200 and HS400
drm/radeon: clean up fujitsu quirks
drm/amdgpu: Fix off-by-one errors in amdgpu_vm_bo_map
drm/radeon: Fix off-by-one errors in radeon_vm_bo_set_addr
coresight: checking for NULL string in coresight_name_match()
arm64: kernel: enforce pmuserenr_el0 initialization and restore
arm64: mdscr_el1: avoid exposing DCC to userspace
futex: Drop refcount if requeue_pi() acquired the rtmutex
drm/radeon: Fix "slow" audio over DP on DCE8+
dm thin: fix race condition when destroying thin pool workqueue
iommu/io-pgtable-arm: Ensure we free the final level on teardown
clk: exynos: use irqsave version of spin_lock to avoid deadlock with irqs
tools: hv: vss: fix the write()'s argument: error -> vss_msg
Drivers: hv: vmbus: Fix a Host signaling bug
dm space map metadata: remove unused variable in brb_pop()
powerpc: Make {cmp}xchg* and their atomic_ versions fully ordered
powerpc: Make value-returning atomics fully ordered
arm64: mm: ensure that the zero page is visible to the page table walker
EDAC: Robustify workqueues destruction
EDAC, mc_sysfs: Fix freeing bus' name
ovl: check dentry positiveness in ovl_cleanup_whiteouts()
ovl: setattr: check permissions before copy-up
wlcore/wl12xx: spi: fix oops on firmware load
rtlwifi: fix memory leak for USB device
ext4 crypto: add missing locking for keyring_key access
ext4 crypto: exit cleanly if ext4_derive_key_aes() fails
Bluetooth: Add support of Toshiba Broadcom based devices
ovl: root: copy attr
time: Avoid signed overflow in timekeeping_get_ns()
arm64: Clear out any singlestep state on a ptrace detach operation
ARM: mvebu: remove duplicated regulator definition in Armada 388 GP
xhci: refuse loading if nousb is used
drm/radeon: call hpd_irq_event on resume
drm/amdgpu: call hpd_irq_event on resume
KVM: x86: correctly print #AC in traces
KVM: x86: expose MSR_TSC_AUX to userspace
cxl: use correct operator when writing pcie config space values
tools lib traceevent: Fix output of %llu for 64 bit values read on 32 bit machines
[media] si2157: return -EINVAL if firmware blob is too big
[media] media: dvb-core: Don't force CAN_INVERSION_AUTO in oneshot mode
[media] gspca: ov534/topro: prevent a division by 0
[media] vb2: fix a regression in poll() behavior for output,streams
ovl: use a minimal buffer in ovl_copy_xattr
ovl: allow zero size xattr
drm/nouveau/nv46: Change mc subdev oclass from nv44 to nv4c

tags: added: kernel-stable-tracking-bug
description: updated
Brad Figg (brad-figg)
Changed in linux (Ubuntu Wily):
status: New → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.2.0-30.35

linux (4.2.0-30.35) wily; urgency=low

  [ Seth Forshee ]

  * SAUCE: cred: Add clone_cred() interface
    - LP: #1531747, #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Use mounter's credentials instead of selectively
    raising caps
    - LP: #1531747, #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.*
    - LP: #1531747, #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Be more careful about copying up sxid files
    - LP: #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Propogate nosuid from lower and upper mounts
    - LP: #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576

linux (4.2.0-29.34) wily; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1543167

  [ Brad Figg ]

  * Revert "SAUCE: apparmor: fix sleep from invalid context"
    - LP: #1542049

  [ Upstream Kernel Changes ]

  * Revert "af_unix: Revert 'lock_interruptible' in stream receive code"
    - LP: #1540731

linux (4.2.0-28.33) wily; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1540634

  [ Brad Figg ]


  [ J. R. Okajima ]

  * SAUCE: ubuntu: aufs: tiny, extract a new func xino_fwrite_wkq()
    - LP: #1533043
  * SAUCE: ubuntu: aufs: for 4.3, XINO handles EINTR from the dying process
    - LP: #1533043

  [ John Johansen ]

  * SAUCE: (no-up): apparmor: fix for failed mediation of socket that is
    being shutdown
    - LP: #1446906
  * SAUCE: apparmor: fix sleep from invalid context
    - LP: #1539349

  [ Tim Gardner ]

  * [Config] Add pvpanic to virtual flavour
    - LP: #1537923

  [ Upstream Kernel Changes ]

  * Revert "ACPI / LPSS: allow to use specific PM domain during ->probe()"
    - LP: #1540532
  * tools: Add a "make all" rule
    - LP: #1536370
  * vf610_adc: Fix internal temperature calculation
    - LP: #1536370
  * iio: lpc32xx_adc: fix warnings caused by enabling unprepared clock
    - LP: #1536370
  * iio:ad5064: Make sure ad5064_i2c_write() returns 0 on success
    - LP: #1536370
  * iio: ad5064: Fix ad5629/ad5669 shift
    - LP: #1536370
  * iio:ad7793: Fix ad7785 product ID
    - LP: #1536370
  * iio: adc: vf610_adc: Fix division by zero error
    - LP: #1536370
  * mmc: mmc: Improve reliability of mmc_select_hs200()
    - LP: #1536370
  * mmc: mmc: Fix HS setting in mmc_select_hs400()
    - LP: #1536370
  * mmc: mmc: Move mmc_switch_status()
    - LP: #1536370
  * mmc: mmc: Improve reliability of mmc_select_hs400()
    - LP: #1536370
  * crypto: qat - don't use userspace pointer
    - LP: #1536370
  * iio: si7020: Swap data byte order
    - LP: #1536370
  * iio: adc: xilinx: Fix VREFN scale
    - LP: #1536370
  * ipmi: Start the timer and thread on internal msgs
    - LP: #1536370
  * drm/i915: quirk backlight present on Macbook 4, 1
    - LP: #1536370
  * drm/i915: get runtime PM reference around GEM set_caching IOCTL
    - LP: #1536370
  * drm/radeon: Disable uncacheable CPU mappings of GTT with RV6xx
    - LP: #1536370

Changed in linux (Ubuntu Wily):
status: Fix Committed → Fix Released
Thomas Lamprecht (t-lamprecht) wrote :


commit 3f11933efc9ef55ecb2ac7e6d626e8d05a99a4b1 - KVM: x86: expose MSR_TSC_AUX to userspace
breaks KVM/QEMU live migration of host with a graphical user interface.

== Software Versions: ==
Kernel: this one, namely: Ubuntu-4.2.0-30.35
kvm-qemu: 2.5.0

== Reproduction ==
Install kernel with 3f11933efc9ef55ecb2ac7e6d626e8d05a99a4b1 included (Ubuntu-4.2.0-30.35)
Start VM with GUI
Start migration (no post copy, same migration as you'd do in qemu 2.4)
When migration has finished and you switch the VNC over to the migration target, the VM is running but frozen, showing the last frame buffer; it's also not ping-able

== VMs tested ==
Linux Mint Live ISO
elementaryOS Live ISO
Windows 7

VMs tested with minimal configuration. No disks on live cds, no network (but also with both enabled tested, same result)

== Hardware Used ==
Two Nested VMs on an Intel(R) Core(TM) i7-4790K CPU @ 4.00GHz
Two physical supermicro servers with Intel(R) Xeon(R) CPU E5-2620 v3 @ 2.40GHz
NFS for storage (for the live ISOs and disks)

If I revert 3f11933efc9ef55ecb2ac7e6d626e8d05a99a4b1 and install the kernel on _both_ hosts the freeze does not happen anymore.
But this commit is also included in the ubuntu-xenial kernel (master and master-next tested) and there I have no such problem, thus it's a side effect from some other (missing?) commit.

I'm currently trying to break the problem further down and try to find the real culprit (or get closer to it).

Backtrace of the hung Linux Mint ISO follows in next comment.

Thomas Lamprecht (t-lamprecht) wrote :
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in linux (Ubuntu):
status: New → Confirmed
Thomas Lamprecht (t-lamprecht) wrote :

Follow up: I tried it with an Ubuntu Server and Alpine Linux without any GUI and it also froze, same backtrace.

Sorry, I could swear Alpine Linux did not freeze when I first tested it in a nested VM.

Thomas Lamprecht (t-lamprecht) wrote :

Soo, after some digging I found the root cause: while those two KVM patches listed above were backported/added, another one was not, namely:
KVM: VMX: Fix host initiated access to guest MSR_TSC_AUX

I backported it to this Ubuntu-4.2.0-30.35 kernel and tested it successfully.

Thomas Lamprecht (t-lamprecht) wrote :

For easy access, upstream patch is here (and also already included in ubuntu-xenial 4.4 kernel (git master repo))

Kamal Mostafa (kamalmostafa) wrote :

For the record, the KVM problem identified by Thomas will be tracked by LP: #1552592.

Po-Hsu Lin (cypressyew)
Changed in linux (Ubuntu):
status: Confirmed → Invalid