exercising ptys causes a kernel oops

Bug #1586418 reported by Colin Ian King on 2016-05-27
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Medium
Colin Ian King
Trusty
Undecided
Unassigned
Vivid
Undecided
Unassigned
Wily
Undecided
Unassigned
Xenial
Medium
Colin Ian King
Yakkety
Medium
Colin Ian King

Bug Description

[SRU JUSTIFICATION][TRUSTY][WILY][XENIAL]

Running stress-ng --pty 1 with a very low vmalloc memory available can trip an oops. This can be generally only be reproduced when memory is under a high amount of pressure. I was able to reproduce reliably by forcefully injecting vmalloc to return NULL when the stress-ng pty was running.

[FIX]
Upstream commit 5353ed8deedee9e5acb9f896e9032158f5d998de ("devpts: fix null pointer dereference on failed memory allocation"). This needs backporting to Yakkey, Xenial, Wily and Trusty because of changes in variable names.

[TEST]
Forcefully inject vmalloc to return NULL when running the pty stressor. Without the fix, an oops can be tripped, with the fix, no issues occur.

------------------------------------------------------------------

running: "stress-ng --pty 1" and this occurs in less than 1 second:

[ 67.753230] alloc_vmap_area: 9 callbacks suppressed
[ 67.753233] vmap allocation for size 16384 failed: use vmalloc=<size> to increase size.
[ 67.753235] vmalloc: allocation failure: 8844 bytes
[ 67.753237] stress-ng-pty: page allocation failure: order:0, mode:0x24000c2
[ 67.753240] CPU: 2 PID: 2150 Comm: stress-ng-pty Not tainted 4.4.0-23-generic #41-Ubuntu
[ 67.753241] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 67.753243] c1abf967 0832d3cc 00000286 f2497c8c c139fe1f c19ce22c 00000001 f2497cbc
[ 67.753248] c1177396 c19cc624 f506b5f0 00000000 024000c2 f2497cd0 c19ce22c f2497ca4
[ 67.753252] 0832d3cc 0000228c 00000000 f2497cec c11ad2ff 024000c2 00000000 c19ce22c
[ 67.753256] Call Trace:
[ 67.753264] [<c139fe1f>] dump_stack+0x58/0x79
[ 67.753267] [<c1177396>] warn_alloc_failed+0xd6/0x110
[ 67.753272] [<c11ad2ff>] __vmalloc_node_range+0x1ef/0x210
[ 67.753276] [<c148f590>] ? tty_get_pgrp+0x40/0x40
[ 67.753278] [<c11ad386>] __vmalloc_node+0x66/0x70
[ 67.753280] [<c1494e46>] ? n_tty_open+0x16/0xc0
[ 67.753283] [<c11ad408>] vmalloc+0x38/0x40
[ 67.753284] [<c1494e46>] ? n_tty_open+0x16/0xc0
[ 67.753290] [<c1494e46>] n_tty_open+0x16/0xc0
[ 67.753293] [<c1498fd8>] tty_ldisc_open.isra.2+0x28/0x60
[ 67.753295] [<c14997fc>] tty_ldisc_setup+0x1c/0x70
[ 67.753297] [<c14935bc>] tty_init_dev+0x7c/0x180
[ 67.753301] [<c124fee1>] ? devpts_new_index+0xf1/0x120
[ 67.753303] [<c149b7a5>] ptmx_open+0x75/0x160
[ 67.753306] [<c11e0a14>] chrdev_open+0xa4/0x180
[ 67.753310] [<c11da62c>] do_dentry_open+0x1ec/0x300
[ 67.753312] [<c11e0970>] ? cdev_put+0x20/0x20
[ 67.753314] [<c11db60f>] vfs_open+0x4f/0x60
[ 67.753316] [<c11ea109>] path_openat+0x509/0x1140
[ 67.753318] [<c11eae94>] ? putname+0x54/0x60
[ 67.753321] [<c11ebde8>] do_filp_open+0x68/0xe0
[ 67.753324] [<c11f8d16>] ? __alloc_fd+0x36/0x150
[ 67.753326] [<c11db9c8>] do_sys_open+0x128/0x2b0
[ 67.753329] [<c11dbb72>] SyS_open+0x22/0x30
[ 67.753332] [<c100393d>] do_fast_syscall_32+0x8d/0x150
[ 67.753336] [<c17a98dc>] sysenter_past_esp+0x3d/0x61
[ 67.753338] Mem-Info:
[ 67.753342] active_anon:5790 inactive_anon:1203 isolated_anon:0
                active_file:30258 inactive_file:14843 isolated_file:0
                unevictable:856 dirty:46 writeback:0 unstable:0
                slab_reclaimable:4643 slab_unreclaimable:5952
                mapped:5271 shmem:1380 pagetables:193 bounce:0
                free:166082 free_pcp:1176 free_cma:0
[ 67.753349] DMA free:9616kB min:788kB low:984kB high:1180kB active_anon:288kB inactive_anon:112kB active_file:2436kB inactive_file:1216kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:15992kB managed:15916kB mlocked:0kB dirty:4kB writeback:0kB mapped:396kB shmem:108kB slab_reclaimable:268kB slab_unreclaimable:428kB kernel_stack:24kB pagetables:8kB unstable:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB writeback_tmp:0kB pages_scanned:0 all_unreclaimable? no
[ 67.753350] lowmem_reserve[]: 0 818 949 949
[ 67.753357] Normal free:567248kB min:41608kB low:52008kB high:62412kB active_anon:18440kB inactive_anon:2992kB active_file:101312kB inactive_file:47608kB unevictable:3164kB isolated(anon):0kB isolated(file):0kB present:897016kB managed:872588kB mlocked:3164kB dirty:180kB writeback:0kB mapped:16216kB shmem:3620kB slab_reclaimable:18304kB slab_unreclaimable:23380kB kernel_stack:1568kB pagetables:688kB unstable:0kB bounce:0kB free_pcp:3736kB local_pcp:224kB free_cma:0kB writeback_tmp:0kB pages_scanned:0 all_unreclaimable? no
[ 67.753358] lowmem_reserve[]: 0 0 1055 1055
[ 67.753364] HighMem free:87464kB min:128kB low:1804kB high:3480kB active_anon:4432kB inactive_anon:1708kB active_file:17284kB inactive_file:10548kB unevictable:260kB isolated(anon):0kB isolated(file):0kB present:135044kB managed:135044kB mlocked:260kB dirty:0kB writeback:0kB mapped:4472kB shmem:1792kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:76kB unstable:0kB bounce:0kB free_pcp:968kB local_pcp:152kB free_cma:0kB writeback_tmp:0kB pages_scanned:0 all_unreclaimable? no
[ 67.753365] lowmem_reserve[]: 0 0 0 0
[ 67.753367] DMA: 2*4kB (UM) 1*8kB (E) 2*16kB (UE) 1*32kB (U) 3*64kB (ME) 3*128kB (UME) 1*256kB (M) 3*512kB (UME) 3*1024kB (UME) 2*2048kB (UM) 0*4096kB = 9616kB
[ 67.753378] Normal: 1*4kB (U) 25*8kB (ME) 38*16kB (UM) 25*32kB (ME) 14*64kB (UME) 9*128kB (UM) 9*256kB (UM) 8*512kB (UME) 8*1024kB (UME) 0*2048kB 134*4096kB (M) = 567116kB
[ 67.753389] HighMem: 1*4kB (U) 0*8kB 1*16kB (U) 0*32kB 1*64kB (M) 0*128kB 3*256kB (UM) 3*512kB (UM) 5*1024kB (UM) 1*2048kB (U) 19*4096kB (M) = 87380kB
[ 67.753435] Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB
[ 67.753436] 47051 total pagecache pages
[ 67.753437] 0 pages in swap cache
[ 67.753439] Swap cache stats: add 0, delete 0, find 0/0
[ 67.753440] Free swap = 1046524kB
[ 67.753444] Total swap = 1046524kB
[ 67.753450] 262013 pages RAM
[ 67.753459] 33761 pages HighMem/MovableOnly
[ 67.753461] 6126 pages reserved
[ 67.753483] 0 pages cma reserved
[ 67.753486] tty_init_dev: ldisc open failed, clearing slot 3474
[ 67.753525] BUG: unable to handle kernel NULL pointer dereference at 0000001c
[ 67.755622] IP: [<c124ff1a>] devpts_kill_index+0xa/0x60
[ 67.756058] *pdpt = 000000002f82f001 *pde = 0000000000000000
[ 67.756461] Oops: 0000 [#1] SMP
[ 67.756866] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm ppdev input_leds snd_timer parport_pc joydev snd parport 8250_fintek soundcore serio_raw i2c_piix4 mac_hid ib_iser rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear qxl crc32_pclmul ttm aesni_intel drm_kms_helper aes_i586 syscopyarea sysfillrect xts sysimgblt lrw fb_sys_fops gf128mul ablk_helper cryptd drm pata_acpi psmouse floppy
[ 67.759038] CPU: 2 PID: 2150 Comm: stress-ng-pty Not tainted 4.4.0-23-generic #41-Ubuntu
[ 67.759396] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 67.759758] task: f506b200 ti: f2496000 task.ti: f2496000
[ 67.760109] EIP: 0060:[<c124ff1a>] EFLAGS: 00010246 CPU: 2
[ 67.760460] EIP is at devpts_kill_index+0xa/0x60
[ 67.760806] EAX: 00000000 EBX: 00000000 ECX: 00000033 EDX: 00000d92
[ 67.761165] ESI: fffffff4 EDI: 00000d92 EBP: f2497d54 ESP: f2497d4c
[ 67.761500] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[ 67.761830] CR0: 80050033 CR2: 0000001c CR3: 355d6ca0 CR4: 001406f0
[ 67.762166] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[ 67.762497] DR6: fffe0ff0 DR7: 00000400
[ 67.762822] Stack:
[ 67.763139] 00000000 fffffff4 f2497d60 c149b509 e65caa00 f2497d6c c1492bb0 e65caa00
[ 67.763497] f2497d98 c14935e9 c1a2cf78 00000d92 f64aa7d0 f2497d98 c124fee1 00000d92
[ 67.763860] e65e66c0 f64aa7d0 f64aa7d0 f2497db4 c149b7a5 00000000 00000d92 c1d20ae0
[ 67.764228] Call Trace:
[ 67.764568] [<c149b509>] pty_unix98_shutdown+0x29/0x40
[ 67.764917] [<c1492bb0>] release_tty+0x30/0xe0
[ 67.765272] [<c14935e9>] tty_init_dev+0xa9/0x180
[ 67.765623] [<c124fee1>] ? devpts_new_index+0xf1/0x120
[ 67.765974] [<c149b7a5>] ptmx_open+0x75/0x160
[ 67.766323] [<c11e0a14>] chrdev_open+0xa4/0x180
[ 67.766668] [<c11da62c>] do_dentry_open+0x1ec/0x300
[ 67.767013] [<c11e0970>] ? cdev_put+0x20/0x20
[ 67.767352] [<c11db60f>] vfs_open+0x4f/0x60
[ 67.767690] [<c11ea109>] path_openat+0x509/0x1140
[ 67.768030] [<c11eae94>] ? putname+0x54/0x60
[ 67.768367] [<c11ebde8>] do_filp_open+0x68/0xe0
[ 67.768704] [<c11f8d16>] ? __alloc_fd+0x36/0x150
[ 67.769051] [<c11db9c8>] do_sys_open+0x128/0x2b0
[ 67.769385] [<c11dbb72>] SyS_open+0x22/0x30
[ 67.769717] [<c100393d>] do_fast_syscall_32+0x8d/0x150
[ 67.770052] [<c17a98dc>] sysenter_past_esp+0x3d/0x61
[ 67.770385] Code: 00 b8 fb ff ff ff eb 9d b8 ed ff ff ff eb 96 e8 9d 01 e2 ff 8d b6 00 00 00 00 8d bc 27 00 00 00 00 55 89 e5 56 53 3e 8d 74 26 00 <8b> 40 1c 89 d6 81 78 38 d1 1c 00 00 74 0c a1 f8 59 d1 c1 85 c0
[ 67.771232] EIP: [<c124ff1a>] devpts_kill_index+0xa/0x60 SS:ESP 0068:f2497d4c
[ 67.771607] CR2: 000000000000001c
[ 67.772009] ---[ end trace 40e08a6f48f9983e ]---

Colin Ian King (colin-king) wrote :
description: updated
Colin Ian King (colin-king) wrote :

More concerning is that once one logs out, no more ptys are available, so one cannot log back in

Colin Ian King (colin-king) wrote :

Weird, fails on the following kernel in a VM:

Linux version 4.4.0-23-generic (buildd@lcy01-25) (gcc version 5.3.1 20160413 (Ubuntu 5.3.1-14ubuntu2) ) #41-Ubuntu SMP Mon May 16 23:03:32 UTC 2016 (Ubuntu 4.4.0-23.41-generic 4.4.10)

Does not fail on:

Linux version 4.4.0-23-generic (buildd@lcy01-26) (gcc version 5.3.1 20160413 (Ubuntu 5.3.1-14ubuntu2) ) #41-Ubuntu SMP Mon May 16 23:04:25 UTC 2016 (Ubuntu 4.4.0-23.41-generic 4.4.10)

I'm not sure why my kernel in my VM is different to the one on my X220 test laptop.

Colin Ian King (colin-king) wrote :

commit 20bafb3d23d108bc0a896eb8b7c1501f4f649b77
Author: Peter Hurley <email address hidden>
Date: Sat Jun 15 10:21:19 2013 -0400

    n_tty: Move buffers into n_tty_data

    Reduce pointer reloading and improve locality-of-reference;
    allocate read_buf and echo_buf within struct n_tty_data.

    Signed-off-by: Peter Hurley <email address hidden>
    Signed-off-by: Greg Kroah-Hartman <email address hidden>

...

@@ -1715,7 +1713,8 @@ static int n_tty_open(struct tty_struct *tty)
 {
        struct n_tty_data *ldata;

- ldata = kzalloc(sizeof(*ldata), GFP_KERNEL);
+ /* Currently a malloc failure here can panic */
+ ldata = vmalloc(sizeof(*ldata));
        if (!ldata)
                goto err;

So I'm hitting a vmalloc failure and as the comment says, a failure there causes a panic. Nice.

Colin Ian King (colin-king) wrote :

Waiting for my fix to be ack'd by upstream, will SRU this later.

Changed in linux (Ubuntu):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Colin Ian King (colin-king)
Colin Ian King (colin-king) wrote :

Landed in linux-next, 5353ed8deedee9e5acb9f896e9032158f5d998de, hopefully should land in linux in a week or so

Colin Ian King (colin-king) wrote :

Landed in linux, commit 5353ed8deedee9e5acb9f896e9032158f5d998de

description: updated
information type: Private Security → Public Security
information type: Public Security → Public
Changed in linux (Ubuntu Yakkety):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Xenial):
status: New → Fix Committed
Changed in linux (Ubuntu Wily):
status: New → Fix Committed
Changed in linux (Ubuntu Vivid):
status: New → Fix Committed
Changed in linux (Ubuntu Trusty):
status: New → Fix Committed
Kamal Mostafa (kamalmostafa) wrote :

No further updates are planned for Wily's kernel.

Changed in linux (Ubuntu Wily):
status: Fix Committed → Won't Fix
Launchpad Janitor (janitor) wrote :
Download full text (14.6 KiB)

This bug was fixed in the package linux - 4.4.0-33.52

---------------
linux (4.4.0-33.52) xenial; urgency=low

  [ Seth Forshee ]

  * Release Tracking Bug
    - LP: #1605709

  * [regression] NFS client: access problems after updating to kernel
    4.4.0-31-generic (LP: #1603719)
    - SAUCE: (namespace) Bypass sget() capability check for nfs

linux (4.4.0-32.51) xenial; urgency=low

  [ Seth Forshee ]

  * Release Tracking Bug
    - LP: #1604443

  * thinkpad yoga 260 wacom touchscreen not working (LP: #1603975)
    - HID: wacom: break out parsing of device and registering of input
    - HID: wacom: Initialize hid_data.inputmode to -1
    - HID: wacom: Support switching from vendor-defined device mode on G9 and G11

  * changelog: add CVEs as first class citizens (LP: #1604344)
    - use CVE numbers in changelog

  * [Xenial] Include Huawei PCIe SSD hio kernel driver (LP: #1603483)
    - SAUCE: import Huawei ES3000_V2 (2.1.0.23)
    - SAUCE: hio: bio_endio() no longer takes errors arg
    - SAUCE: hio: blk_queue make_request_fn now returns a blk_qc_t
    - SAUCE: hio: use alloc_cpumask_var to avoid -Wframe-larger-than
    - SAUCE: hio: fix mask maybe-uninitialized warning
    - [config] enable CONFIG_HIO (Huawei ES3000_V2 PCIe SSD driver)
    - SAUCE: hio: Makefile and Kconfig

  * CVE-2016-5243 (LP: #1589036)
    - tipc: fix an infoleak in tipc_nl_compat_link_dump
    - tipc: fix nl compat regression for link statistics

  * CVE-2016-4470
    - KEYS: potential uninitialized variable

  * integer overflow in xt_alloc_table_info (LP: #1555353)
    - netfilter: x_tables: check for size overflow

  * CVE-2016-3135:
    - Revert "UBUNTU: SAUCE: (noup) netfilter: x_tables: check for size overflow"

  * CVE-2016-4440 (LP: #1584192)
    - kvm:vmx: more complete state update on APICv on/off

  * the system hangs in the dma driver when reboot or shutdown on a baytrail-m
    laptop (LP: #1602579)
    - dmaengine: dw: platform: power on device on shutdown
    - ACPI / LPSS: override power state for LPSS DMA device

  * Add proper palm detection support for MS Precision Touchpad (LP: #1593124)
    - Revert "HID: multitouch: enable palm rejection if device implements
      confidence usage"
    - HID: multitouch: enable palm rejection for Windows Precision Touchpad

  * Add support for Intel 8265 Bluetooth ([8087:0A2B]) (LP: #1599068)
    - Bluetooth: Add support for Intel Bluetooth device 8265 [8087:0a2b]

  * CVE-2016-4794 (LP: #1581871)
    - percpu: fix synchronization between chunk->map_extend_work and chunk
      destruction
    - percpu: fix synchronization between synchronous map extension and chunk
      destruction

  * Xenial update to v4.4.15 stable release (LP: #1601952)
    - net_sched: fix pfifo_head_drop behavior vs backlog
    - net: Don't forget pr_fmt on net_dbg_ratelimited for CONFIG_DYNAMIC_DEBUG
    - sit: correct IP protocol used in ipip6_err
    - esp: Fix ESN generation under UDP encapsulation
    - netem: fix a use after free
    - ipmr/ip6mr: Initialize the last assert time of mfc entries.
    - Bridge: Fix ipv6 mc snooping if bridge has no ipv6 address
    - sock_diag: do not broadcast raw socket destruction
    - bpf, perf...

Changed in linux (Ubuntu Yakkety):
status: Fix Committed → Fix Released
Seth Forshee (sforshee) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-vivid' to 'verification-done-vivid'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-vivid
tags: added: verification-needed-xenial
Seth Forshee (sforshee) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

Changed in linux (Ubuntu Xenial):
assignee: nobody → Colin Ian King (colin-king)
importance: Undecided → Medium
Colin Ian King (colin-king) wrote :

I've exhaustively exercised this and cannot reproduce the issue with the -proposed 4.4.0-34-generic #53 kernel. Marking it as verification-done

tags: added: verification-done-xenial
removed: verification-needed-xenial
Colin Ian King (colin-king) wrote :

I've exhaustively exercised this and cannot reproduce the issue with the -proposed 3.19.0-66-generic #74 kernel. Marking it as verification-done

tags: added: verification-done-vivid
removed: verification-needed-vivid
Seth Forshee (sforshee) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-trusty' to 'verification-done-trusty'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-trusty
Colin Ian King (colin-king) wrote :

Even though I'm on vacation I still managed to squeeze in some time to test this on trusty before the 5 days deadline ran out. I have exercised the kernel with a 20 minutes soak test and was unable to trip the bug with the trusty -proposed kernel. Without the fix, the issue can be triggered, with the fix, I can't trigger the issue.

Marking it as verification-done-trusty

tags: added: verification-done-trusty
removed: verification-needed-trusty
Launchpad Janitor (janitor) wrote :
Download full text (15.0 KiB)

This bug was fixed in the package linux - 4.4.0-34.53

---------------
linux (4.4.0-34.53) xenial; urgency=low

  [ Seth Forshee ]

  * Release Tracking Bug
    - LP: #1606960

  * [APL][SAUCE] Slow system response time due to a monitor bug (LP: #1606147)
    - x86/cpu/intel: Introduce macros for Intel family numbers
    - SAUCE: x86/cpu: Add workaround for MONITOR instruction erratum on Goldmont
      based CPUs

linux (4.4.0-33.52) xenial; urgency=low

  [ Seth Forshee ]

  * Release Tracking Bug
    - LP: #1605709

  * [regression] NFS client: access problems after updating to kernel
    4.4.0-31-generic (LP: #1603719)
    - SAUCE: (namespace) Bypass sget() capability check for nfs

linux (4.4.0-32.51) xenial; urgency=low

  [ Seth Forshee ]

  * Release Tracking Bug
    - LP: #1604443

  * thinkpad yoga 260 wacom touchscreen not working (LP: #1603975)
    - HID: wacom: break out parsing of device and registering of input
    - HID: wacom: Initialize hid_data.inputmode to -1
    - HID: wacom: Support switching from vendor-defined device mode on G9 and G11

  * changelog: add CVEs as first class citizens (LP: #1604344)
    - use CVE numbers in changelog

  * [Xenial] Include Huawei PCIe SSD hio kernel driver (LP: #1603483)
    - SAUCE: import Huawei ES3000_V2 (2.1.0.23)
    - SAUCE: hio: bio_endio() no longer takes errors arg
    - SAUCE: hio: blk_queue make_request_fn now returns a blk_qc_t
    - SAUCE: hio: use alloc_cpumask_var to avoid -Wframe-larger-than
    - SAUCE: hio: fix mask maybe-uninitialized warning
    - [config] enable CONFIG_HIO (Huawei ES3000_V2 PCIe SSD driver)
    - SAUCE: hio: Makefile and Kconfig

  * CVE-2016-5243 (LP: #1589036)
    - tipc: fix an infoleak in tipc_nl_compat_link_dump
    - tipc: fix nl compat regression for link statistics

  * CVE-2016-4470
    - KEYS: potential uninitialized variable

  * integer overflow in xt_alloc_table_info (LP: #1555353)
    - netfilter: x_tables: check for size overflow

  * CVE-2016-3135:
    - Revert "UBUNTU: SAUCE: (noup) netfilter: x_tables: check for size overflow"

  * CVE-2016-4440 (LP: #1584192)
    - kvm:vmx: more complete state update on APICv on/off

  * the system hangs in the dma driver when reboot or shutdown on a baytrail-m
    laptop (LP: #1602579)
    - dmaengine: dw: platform: power on device on shutdown
    - ACPI / LPSS: override power state for LPSS DMA device

  * Add proper palm detection support for MS Precision Touchpad (LP: #1593124)
    - Revert "HID: multitouch: enable palm rejection if device implements
      confidence usage"
    - HID: multitouch: enable palm rejection for Windows Precision Touchpad

  * Add support for Intel 8265 Bluetooth ([8087:0A2B]) (LP: #1599068)
    - Bluetooth: Add support for Intel Bluetooth device 8265 [8087:0a2b]

  * CVE-2016-4794 (LP: #1581871)
    - percpu: fix synchronization between chunk->map_extend_work and chunk
      destruction
    - percpu: fix synchronization between synchronous map extension and chunk
      destruction

  * Xenial update to v4.4.15 stable release (LP: #1601952)
    - net_sched: fix pfifo_head_drop behavior vs backlog
    - net: Don't forget pr_fmt on net_dbg_ratelimited for CONFIG_DYNAMIC...

Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.13.0-93.140

---------------
linux (3.13.0-93.140) trusty; urgency=low

  [ Seth Forshee ]

  * Release Tracking Bug
    - LP: #1604134

  * Boot failure with EFI stub (LP: #1603476)
    - x86/efi: Fix boot failure with EFI stub

  * CVE-2016-5243 (LP: #1589036)
    - tipc: fix an infoleak in tipc_nl_compat_link_dump

  * qeth: delete napi struct when removing a qeth device (LP: #1601831)
    - qeth: delete napi struct when removing a qeth device

  * deadlock on balloon deflation (LP: #1598197)
    - SAUCE: mm/balloon_compaction: Fix Regression of LP#1572562

  * serial: 8250_pci: Add support for 16 port Exar boards (LP: #1447485)
    - serial: 8250_pci: Add support for 16 port Exar boards
    - serial: 8250_pci: Add support for 12 port Exar boards
    - serial: 8250_pci: Correct uartclk for xr17v35x expansion chips

  * linux: Homogenize changelog format across releases (LP: #1599562)
    - Revert "UBUNTU: [debian] BugLink: close LP: bugs only for Launchpad urls"
    - [Debian] git-ubuntu-log -- switch to bug order
    - [Debian] git-ubuntu-log -- fix empty section formatting
    - [Debian] git-ubuntu-log -- output should be utf-8
    - [Debian] git-ubuntu-log -- handle invalid or private bugs
    - [Debian] git-ubuntu-log -- wrap long bug and commit titles
    - [Debian] git-ubuntu-log -- ensure we get the last commit
    - [Debian] git-ubuntu-log -- prevent bug references being split
    - [Debian] git-ubuntu-log -- git log output is UTF-8

  * exercising ptys causes a kernel oops (LP: #1586418)
    - devpts: fix null pointer dereference on failed memory allocation

  * Miscellaneous upstream changes
    - KEYS: potential uninitialized variable

 -- Seth Forshee <email address hidden> Mon, 18 Jul 2016 15:05:56 -0500

Changed in linux (Ubuntu Trusty):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.19.0-66.74

---------------
linux (3.19.0-66.74) vivid; urgency=low

  [ Seth Forshee ]

  * Release Tracking Bug
    - LP: #1604153

  * CVE-2016-1237
    - posix_acl: Add set_posix_acl
    - nfsd: check permissions when setting ACLs

  * changelog: add CVEs as first class citizens (LP: #1604344)
    - use CVE numbers in changelog

  * CVE-2016-5243 (LP: #1589036)
    - tipc: fix an infoleak in tipc_nl_compat_link_dump

  * CVE-2016-4470
    - KEYS: potential uninitialized variable

  * CVE-2016-4794 (LP: #1581871)
    - percpu: fix synchronization between chunk->map_extend_work and chunk
      destruction
    - percpu: fix synchronization between synchronous map extension and chunk
      destruction

  * qeth: delete napi struct when removing a qeth device (LP: #1601831)
    - qeth: delete napi struct when removing a qeth device

  * arm64: statically link rtc-efi (LP: #1583738)
    - [Config] Link rtc-efi statically on arm64

  * linux: Homogenize changelog format across releases (LP: #1599562)
    - Revert "UBUNTU: [debian] BugLink: close LP: bugs only for Launchpad urls"
    - [Debian] git-ubuntu-log -- switch to bug order
    - [Debian] git-ubuntu-log -- fix empty section formatting
    - [Debian] git-ubuntu-log -- output should be utf-8
    - [Debian] git-ubuntu-log -- handle invalid or private bugs
    - [Debian] git-ubuntu-log -- wrap long bug and commit titles
    - [Debian] git-ubuntu-log -- ensure we get the last commit
    - [Debian] git-ubuntu-log -- prevent bug references being split
    - [Debian] git-ubuntu-log -- git log output is UTF-8

  * exercising ptys causes a kernel oops (LP: #1586418)
    - devpts: fix null pointer dereference on failed memory allocation

  * the kernel hangs when reboot or shutdown on a lenovo baytrail-m based
    machine (LP: #1597564)
    - usb: xhci: Makefile: move xhci-pci and xhci-plat-hcd after xhci-hcd

  * [i915_bpo][SKL] Display core init/uninit updates (LP: #1595803)
    - SAUCE: i915_bpo: drm/i915: Extract a intel_power_well_enable() function
    - SAUCE: i915_bpo: drm/i915: Extract a intel_power_well_disable() function
    - SAUCE: i915_bpo: drm/i915/skl: Making DC6 entry is the last call in suspend
      flow.
    - SAUCE: i915_bpo: drm/i915: Kill intel_runtime_pm_disable()
    - SAUCE: i915_bpo: drm/i915/gen9: csr_init after runtime pm enable
    - SAUCE: i915_bpo: drm/i915: use correct power domain for csr loading
    - SAUCE: i915_bpo: drm/i915/gen9: Don't try to load garbage dmc firmware on
      resume
    - SAUCE: i915_bpo: drm/i915/skl: Removed assert for csr-fw-loading check
      during disabling dc6
    - SAUCE: i915_bpo: drm/i915: fix the power well ID for always on wells
    - SAUCE: i915_bpo: drm/i915: fix lookup_power_well for power wells without any
      domain
    - SAUCE: i915_bpo: drm/i915: Make turning on/off PW1 and Misc I/O part of the
      init/fini sequences

 -- Seth Forshee <email address hidden> Tue, 19 Jul 2016 09:07:26 -0500

Changed in linux (Ubuntu Vivid):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers