Bug #1869229 “Mounting LVM snapshots with xfs can hit kernel BUG...” : Bugs : linux package : Ubuntu

Heitor Alves de Siqueira (halves) on 2020-03-26

Changed in linux (Ubuntu):
assignee:	Heitor Alves de Siqueira (halves) → nobody
status:	New → Fix Released

Heitor Alves de Siqueira (halves) on 2020-03-26

Changed in linux (Ubuntu Xenial):
status:	New → Confirmed
assignee:	nobody → Heitor Alves de Siqueira (halves)

Heitor Alves de Siqueira (halves) on 2020-03-26

description:

updated

Revision history for this message

Heitor Alves de Siqueira (halves) wrote on 2020-03-26:

#1

Download full text (4.5 KiB)

For reference, the kernel spew of the BUG_ON:

[ 78.354129] kernel BUG at /home/ubuntu/xenial-aws/drivers/nvme/host/pci.c:619!
[ 78.357297] invalid opcode: 0000 [#1] SMP
[ 78.359613] Modules linked in: dm_snapshot dm_bufio xfs ppdev serio_raw parport_pc 8250_fintek parport i2c_piix4 ib_iser rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd ena
[ 78.387878] CPU: 0 PID: 1687 Comm: mount Not tainted 4.4.0-1105-aws #116
[ 78.390837] Hardware name: Amazon EC2 c5d.large/, BIOS 1.0 10/16/2017
[ 78.393692] task: ffff8800bb155400 ti: ffff8800b93bc000 task.ti: ffff8800b93bc000
[ 78.396973] RIP: 0010:[<ffffffff815dbd06>] [<ffffffff815dbd06>] nvme_queue_rq+0x8c6/0xa60
[ 78.400787] RSP: 0018:ffff8800b93bf7c8 EFLAGS: 00010286
[ 78.403151] RAX: 0000000000000078 RBX: 0000000000001000 RCX: 0000000000001000
[ 78.406276] RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000000
[ 78.409390] RBP: ffff8800b93bf8a8 R08: ffff8800b916c700 R09: 0000000000001000
[ 78.412518] R10: 000000000001ec00 R11: ffff8800b8e30000 R12: 00000000fffffc00
[ 78.417056] R13: 0000000000000010 R14: 000000000000fc00 R15: 0000000035fd5000
[ 78.421581] FS: 00007f30fe043840(0000) GS:ffff880130a00000(0000) knlGS:0000000000000000
[ 78.427884] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 78.431827] CR2: 00007f57d4057889 CR3: 0000000035974000 CR4: 0000000000360670
[ 78.436322] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 78.440821] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 78.445316] Stack:
[ 78.447706] ffff880036009480 ffff880036009700 ffff8800b7782800 0000000000000ff8
[ 78.454583] ffff8800b8e30420 ffff8800360a9400 ffff88000001fc00 ffff8800b7697b00
[ 78.461462] ffff880100001000 ffff8800b8e30000 ffff88003604c000 00000001ffc00400
[ 78.468332] Call Trace:
[ 78.470921] [<ffffffff813e6617>] blk_mq_make_request+0x407/0x550
[ 78.475001] [<ffffffff813d8f14>] generic_make_request+0x114/0x2d0
[ 78.479110] [<ffffffff813d0371>] ? bvec_alloc+0x91/0x100
[ 78.482936] [<ffffffff813d9146>] submit_bio+0x76/0x160
[ 78.486680] [<ffffffffc0347a14>] _xfs_buf_ioapply+0x2e4/0x4a0 [xfs]
[ 78.490866] [<ffffffff810b22e0>] ? wake_up_q+0x70/0x70
[ 78.494601] [<ffffffffc0349c94>] ? xfs_bwrite+0x24/0x60 [xfs]
[ 78.498583] [<ffffffffc034975d>] xfs_buf_submit_wait+0x5d/0x230 [xfs]
[ 78.502861] [<ffffffffc0349c94>] xfs_bwrite+0x24/0x60 [xfs]
[ 78.506785] [<ffffffffc037108f>] xlog_bwrite+0x7f/0x100 [xfs]
[ 78.510787] [<ffffffffc0371f34>] xlog_write_log_records+0x1a4/0x230 [xfs]
[ 78.515192] [<ffffffffc0372077>] xlog_clear_stale_blocks+0xb7/0x1b0 [xfs]
[ 78.519596] [<ffffffffc037198f>] ? xlog_bread+0x3f/0x50 [xfs]
[ 78.523588] [<ffffffffc03765eb>] xlog_find_tail+0x2db/0x3b0 [xfs]
[ 78.527705] [<ffffffffc03766ed>] xlog_recover+0x2d/0x160 [xfs]
[ 78.531720] [<ffffffff...

For reference, the kernel spew of the BUG_ON:

[   78.354129] kernel BUG at /home/ubuntu/xenial-aws/drivers/nvme/host/pci.c:619!
[   78.357297] invalid opcode: 0000 [#1] SMP
[   78.359613] Modules linked in: dm_snapshot dm_bufio xfs ppdev serio_raw parport_pc 8250_fintek parport i2c_piix4 ib_iser rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd ena
[   78.387878] CPU: 0 PID: 1687 Comm: mount Not tainted 4.4.0-1105-aws #116
[   78.390837] Hardware name: Amazon EC2 c5d.large/, BIOS 1.0 10/16/2017
[   78.393692] task: ffff8800bb155400 ti: ffff8800b93bc000 task.ti: ffff8800b93bc000
[   78.396973] RIP: 0010:[<ffffffff815dbd06>]  [<ffffffff815dbd06>] nvme_queue_rq+0x8c6/0xa60
[   78.400787] RSP: 0018:ffff8800b93bf7c8  EFLAGS: 00010286
[   78.403151] RAX: 0000000000000078 RBX: 0000000000001000 RCX: 0000000000001000
[   78.406276] RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000000
[   78.409390] RBP: ffff8800b93bf8a8 R08: ffff8800b916c700 R09: 0000000000001000
[   78.412518] R10: 000000000001ec00 R11: ffff8800b8e30000 R12: 00000000fffffc00
[   78.417056] R13: 0000000000000010 R14: 000000000000fc00 R15: 0000000035fd5000
[   78.421581] FS:  00007f30fe043840(0000) GS:ffff880130a00000(0000) knlGS:0000000000000000
[   78.427884] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   78.431827] CR2: 00007f57d4057889 CR3: 0000000035974000 CR4: 0000000000360670
[   78.436322] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   78.440821] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   78.445316] Stack:
[   78.447706]  ffff880036009480 ffff880036009700 ffff8800b7782800 0000000000000ff8
[   78.454583]  ffff8800b8e30420 ffff8800360a9400 ffff88000001fc00 ffff8800b7697b00
[   78.461462]  ffff880100001000 ffff8800b8e30000 ffff88003604c000 00000001ffc00400
[   78.468332] Call Trace:
[   78.470921]  [<ffffffff813e6617>] blk_mq_make_request+0x407/0x550
[   78.475001]  [<ffffffff813d8f14>] generic_make_request+0x114/0x2d0
[   78.479110]  [<ffffffff813d0371>] ? bvec_alloc+0x91/0x100
[   78.482936]  [<ffffffff813d9146>] submit_bio+0x76/0x160
[   78.486680]  [<ffffffffc0347a14>] _xfs_buf_ioapply+0x2e4/0x4a0 [xfs]
[   78.490866]  [<ffffffff810b22e0>] ? wake_up_q+0x70/0x70
[   78.494601]  [<ffffffffc0349c94>] ? xfs_bwrite+0x24/0x60 [xfs]
[   78.498583]  [<ffffffffc034975d>] xfs_buf_submit_wait+0x5d/0x230 [xfs]
[   78.502861]  [<ffffffffc0349c94>] xfs_bwrite+0x24/0x60 [xfs]
[   78.506785]  [<ffffffffc037108f>] xlog_bwrite+0x7f/0x100 [xfs]
[   78.510787]  [<ffffffffc0371f34>] xlog_write_log_records+0x1a4/0x230 [xfs]
[   78.515192]  [<ffffffffc0372077>] xlog_clear_stale_blocks+0xb7/0x1b0 [xfs]
[   78.519596]  [<ffffffffc037198f>] ? xlog_bread+0x3f/0x50 [xfs]
[   78.523588]  [<ffffffffc03765eb>] xlog_find_tail+0x2db/0x3b0 [xfs]
[   78.527705]  [<ffffffffc03766ed>] xlog_recover+0x2d/0x160 [xfs]
[   78.531720]  [<ffffffffc036a11b>] xfs_log_mount+0xdb/0x2a0 [xfs]
[   78.535767]  [<ffffffffc03612e3>] xfs_mountfs+0x4f3/0x870 [xfs]
[   78.539788]  [<ffffffffc036216b>] ? xfs_mru_cache_create+0x12b/0x180 [xfs]
[   78.544197]  [<ffffffffc036463b>] xfs_fs_fill_super+0x3bb/0x4e0 [xfs]
[   78.548400]  [<ffffffff8121dc70>] mount_bdev+0x270/0x2c0
[   78.552169]  [<ffffffffc0364280>] ? xfs_parseargs+0xab0/0xab0 [xfs]
[   78.556338]  [<ffffffffc03628e5>] xfs_fs_mount+0x15/0x20 [xfs]
[   78.560337]  [<ffffffff8121e65d>] mount_fs+0x3d/0x170
[   78.564091]  [<ffffffff811bc405>] ? __alloc_percpu+0x15/0x20
[   78.568060]  [<ffffffff8123b257>] vfs_kern_mount+0x67/0x110
[   78.571971]  [<ffffffff8123d95f>] do_mount+0x25f/0xda0
[   78.575692]  [<ffffffff8123bad4>] ? mntput+0x24/0x40
[   78.579334]  [<ffffffff811fbf06>] ? __kmalloc_track_caller+0x1b6/0x250
[   78.583595]  [<ffffffff8121c483>] ? __fput+0x193/0x230
[   78.587296]  [<ffffffff811b6952>] ? memdup_user+0x42/0x70
[   78.591111]  [<ffffffff8123e7df>] SyS_mount+0x9f/0x100
[   78.594804]  [<ffffffff818449db>] entry_SYSCALL_64_fastpath+0x22/0xcb
[   78.599029] Code: 11 e3 e3 ff 44 8b 95 50 ff ff ff 48 89 85 68 ff ff ff 4c 8b 48 10 44 8b 58 18 8b 95 58 ff ff ff 8b 8d 60 ff ff ff e9 0a fd ff ff <0f> 0b 48 8b 73 68 48 8b bd 70 ff ff ff e8 58 c5 e2 ff 83 f8 01
[   78.625198] RIP  [<ffffffff815dbd06>] nvme_queue_rq+0x8c6/0xa60
[   78.629410]  RSP <ffff8800b93bf7c8>
[   78.632442] ---[ end trace de20412ccd13806e ]---

Revision history for this message

Heitor Alves de Siqueira (halves) wrote on 2020-03-26:

#2

Patches sent out to kernel-team list:

https://lists.ubuntu.com/archives/kernel-team/2020-March/108551.html
https://lists.ubuntu.com/archives/kernel-team/2020-March/108552.html

Kelsey Steele (kelsey-steele) on 2020-04-01

Changed in linux (Ubuntu Xenial):
status:	Confirmed → Fix Committed

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2020-04-07:

#3

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'. If the problem still exists, change the tag 'verification-needed-xenial' to 'verification-failed-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: verification-needed-xenial

Revision history for this message

Matthew Ruffell (mruffell) wrote on 2020-04-08:

#4

I created a new c5d.large instance on AWS, and installed 4.4.0-177-generic from -updates. I ran through the reproduction steps, and the issue reproduces.

I then created a new c5d.large instance, enabled -proposed and installed 4.4.0-178-generic. I again ran through the reproduction steps, and this time, the final mount succeeds, there is no segmentation fault and dmesg is clean of any errors.

I am happy to mark this as verified.

tags:

added: verification-done-xenial
removed: verification-needed-xenial

Revision history for this message

Launchpad Janitor (janitor) wrote on 2020-04-28:

#5

Download full text (17.6 KiB)

This bug was fixed in the package linux - 4.4.0-178.208

---------------
linux (4.4.0-178.208) xenial; urgency=medium

* xenial/linux: 4.4.0-178.208 -proposed tracker (LP: #1870660)

  * CVE-2019-19768
    - blktrace: Protect q->blk_trace with RCU
    - blktrace: fix dereference after null check

* Multiple Kexec in AWS Nitro instances fail (LP: #1869948)
- net: ena: Add PCI shutdown handler to allow safe kexec

  * Insert test_bpf module will report 4 failures for ubuntu_bpf_jit on X s390x
    (LP: #1768452)
    - test_bpf: flag tests that cannot be jited on s390

  * Mounting LVM snapshots with xfs can hit kernel BUG in nvme driver
    (LP: #1869229)
    - block: fix bio_will_gap() for first bvec with offset

  * Xenial update: 4.4.217 upstream stable release (LP: #1868629)
    - NFS: Remove superfluous kmap in nfs_readdir_xdr_to_array
    - r8152: check disconnect status after long sleep
    - net: nfc: fix bounds checking bugs on "pipe"
    - bnxt_en: reinitialize IRQs when MTU is modified
    - fib: add missing attribute validation for tun_id
    - nl802154: add missing attribute validation
    - nl802154: add missing attribute validation for dev_type
    - team: add missing attribute validation for port ifindex
    - team: add missing attribute validation for array index
    - nfc: add missing attribute validation for SE API
    - nfc: add missing attribute validation for vendor subcommand
    - ipvlan: add cond_resched_rcu() while processing muticast backlog
    - ipvlan: do not add hardware address of master to its unicast filter list
    - ipvlan: egress mcast packets are not exceptional
    - ipvlan: do not use cond_resched_rcu() in ipvlan_process_multicast()
    - ipvlan: don't deref eth hdr before checking it's set
    - macvlan: add cond_resched() during multicast processing
    - net: fec: validate the new settings in fec_enet_set_coalesce()
    - slip: make slhc_compress() more robust against malicious packets
    - bonding/alb: make sure arp header is pulled before accessing it
    - net: fq: add missing attribute validation for orphan mask
    - iommu/vt-d: quirk_ioat_snb_local_iommu: replace WARN_TAINT with pr_warn +
      add_taint
    - drm/amd/display: remove duplicated assignment to grph_obj_type
    - gfs2_atomic_open(): fix O_EXCL|O_CREAT handling on cold dcache
    - KVM: x86: clear stale x86_emulate_ctxt->intercept value
    - ARC: define __ALIGN_STR and __ALIGN symbols for ARC
    - efi: Fix a race and a buffer overflow while reading efivars via sysfs
    - iommu/vt-d: dmar: replace WARN_TAINT with pr_warn + add_taint
    - iommu/vt-d: Fix a bug in intel_iommu_iova_to_phys() for huge page
    - nl80211: add missing attribute validation for critical protocol indication
    - nl80211: add missing attribute validation for channel switch
    - netfilter: cthelper: add missing attribute validation for cthelper
    - iommu/vt-d: Fix the wrong printing in RHSA parsing
    - iommu/vt-d: Ignore devices with out-of-spec domain number
    - ipv6: restrict IPV6_ADDRFORM operation
    - efi: Add a sanity check to efivar_store_raw()
    - batman-adv: Fix invalid read while copying bat_iv.bcast_own
    - batman-adv: Only p...

This bug was fixed in the package linux - 4.4.0-178.208

---------------
linux (4.4.0-178.208) xenial; urgency=medium

* xenial/linux: 4.4.0-178.208 -proposed tracker (LP: #1870660)

* CVE-2019-19768
    - blktrace: Protect q->blk_trace with RCU
    - blktrace: fix dereference after null check

* Multiple Kexec in AWS Nitro instances fail (LP: #1869948)
    - net: ena: Add PCI shutdown handler to allow safe kexec

* Insert test_bpf module will report 4 failures for ubuntu_bpf_jit on X s390x
    (LP: #1768452)
    - test_bpf: flag tests that cannot be jited on s390

* Mounting LVM snapshots with xfs can hit kernel BUG in nvme driver
    (LP: #1869229)
    - block: fix bio_will_gap() for first bvec with offset

* Xenial update: 4.4.217 upstream stable release (LP: #1868629)
    - NFS: Remove superfluous kmap in nfs_readdir_xdr_to_array
    - r8152: check disconnect status after long sleep
    - net: nfc: fix bounds checking bugs on "pipe"
    - bnxt_en: reinitialize IRQs when MTU is modified
    - fib: add missing attribute validation for tun_id
    - nl802154: add missing attribute validation
    - nl802154: add missing attribute validation for dev_type
    - team: add missing attribute validation for port ifindex
    - team: add missing attribute validation for array index
    - nfc: add missing attribute validation for SE API
    - nfc: add missing attribute validation for vendor subcommand
    - ipvlan: add cond_resched_rcu() while processing muticast backlog
    - ipvlan: do not add hardware address of master to its unicast filter list
    - ipvlan: egress mcast packets are not exceptional
    - ipvlan: do not use cond_resched_rcu() in ipvlan_process_multicast()
    - ipvlan: don't deref eth hdr before checking it's set
    - macvlan: add cond_resched() during multicast processing
    - net: fec: validate the new settings in fec_enet_set_coalesce()
    - slip: make slhc_compress() more robust against malicious packets
    - bonding/alb: make sure arp header is pulled before accessing it
    - net: fq: add missing attribute validation for orphan mask
    - iommu/vt-d: quirk_ioat_snb_local_iommu: replace WARN_TAINT with pr_warn +
      add_taint
    - drm/amd/display: remove duplicated assignment to grph_obj_type
    - gfs2_atomic_open(): fix O_EXCL|O_CREAT handling on cold dcache
    - KVM: x86: clear stale x86_emulate_ctxt->intercept value
    - ARC: define __ALIGN_STR and __ALIGN symbols for ARC
    - efi: Fix a race and a buffer overflow while reading efivars via sysfs
    - iommu/vt-d: dmar: replace WARN_TAINT with pr_warn + add_taint
    - iommu/vt-d: Fix a bug in intel_iommu_iova_to_phys() for huge page
    - nl80211: add missing attribute validation for critical protocol indication
    - nl80211: add missing attribute validation for channel switch
    - netfilter: cthelper: add missing attribute validation for cthelper
    - iommu/vt-d: Fix the wrong printing in RHSA parsing
    - iommu/vt-d: Ignore devices with out-of-spec domain number
    - ipv6: restrict IPV6_ADDRFORM operation
    - efi: Add a sanity check to efivar_store_raw()
    - batman-adv: Fix invalid read while copying bat_iv.bcast_own
    - batman-adv: Only put gw_node list reference when removed
    - batman-adv: Only put orig_node_vlan list reference when removed
    - batman-adv: Avoid endless loop in bat-on-bat netdevice check
    - batman-adv: Fix unexpected free of bcast_own on add_if error
    - batman-adv: Fix integer overflow in batadv_iv_ogm_calc_tq
    - batman-adv: init neigh node last seen field
    - batman-adv: Deactivate TO_BE_ACTIVATED hardif on shutdown
    - batman-adv: Drop reference to netdevice on last reference
    - batman-adv: Fix reference counting of vlan object for tt_local_entry
    - batman-adv: Avoid duplicate neigh_node additions
    - batman-adv: fix skb deref after free
    - batman-adv: Fix use-after-free/double-free of tt_req_node
    - batman-adv: Fix ICMP RR ethernet access after skb_linearize
    - batman-adv: Clean up untagged vlan when destroying via rtnl-link
    - batman-adv: Avoid nullptr dereference in bla after vlan_insert_tag
    - batman-adv: Avoid nullptr dereference in dat after vlan_insert_tag
    - batman-adv: Fix orig_node_vlan leak on orig_node_release
    - batman-adv: lock crc access in bridge loop avoidance
    - batman-adv: Fix non-atomic bla_claim::backbone_gw access
    - batman-adv: Fix reference leak in batadv_find_router
    - batman-adv: Free last_bonding_candidate on release of orig_node
    - batman-adv: Fix speedy join in gateway client mode
    - batman-adv: Add missing refcnt for last_candidate
    - batman-adv: Fix double free during fragment merge error
    - batman-adv: Fix transmission of final, 16th fragment
    - batman-adv: Fix rx packet/bytes stats on local ARP reply
    - batman-adv: fix TT sync flag inconsistencies
    - batman-adv: Fix lock for ogm cnt access in batadv_iv_ogm_calc_tq
    - batman-adv: Fix internal interface indices types
    - batman-adv: update data pointers after skb_cow()
    - batman-adv: Fix skbuff rcsum on packet reroute
    - batman-adv: Avoid race in TT TVLV allocator helper
    - batman-adv: Fix TT sync flags for intermediate TT responses
    - batman-adv: prevent TT request storms by not sending inconsistent TT TLVLs
    - batman-adv: Fix debugfs path for renamed hardif
    - batman-adv: Fix debugfs path for renamed softif
    - batman-adv: Avoid storing non-TT-sync flags on singular entries too
    - batman-adv: Prevent duplicated gateway_node entry
    - batman-adv: Prevent duplicated nc_node entry
    - batman-adv: Prevent duplicated global TT entry
    - batman-adv: Prevent duplicated tvlv handler
    - batman-adv: Reduce claim hash refcnt only for removed entry
    - batman-adv: Reduce tt_local hash refcnt only for removed entry
    - batman-adv: Reduce tt_global hash refcnt only for removed entry
    - batman-adv: Only read OGM tvlv_len after buffer len check
    - batman-adv: Avoid free/alloc race when handling OGM buffer
    - batman-adv: Don't schedule OGM for disabled interface
    - perf/amd/uncore: Replace manual sampling check with CAP_NO_INTERRUPT flag
    - net: ks8851-ml: Fix IRQ handling and locking
    - signal: avoid double atomic counter increments for user accounting
    - jbd2: fix data races at struct journal_head
    - ARM: 8957/1: VDSO: Match ARMv8 timer in cntvct_functional()
    - ARM: 8958/1: rename missed uaccess .fixup section
    - mm: slub: add missing TID bump in kmem_cache_alloc_bulk()
    - ipv4: ensure rcu_read_lock() in cipso_v4_error()
    - Linux 4.4.217

* Xenial update: 4.4.216 upstream stable release (LP: #1868628)
    - iwlwifi: pcie: fix rb_allocator workqueue allocation
    - ext4: fix potential race between online resizing and write operations
    - ext4: fix potential race between s_flex_groups online resizing and access
    - ext4: fix potential race between s_group_info online resizing and access
    - ipmi:ssif: Handle a possible NULL pointer reference
    - mac80211: consider more elements in parsing CRC
    - cfg80211: check wiphy driver existence for drvinfo report
    - cifs: Fix mode output in debugging statements
    - cfg80211: add missing policy for NL80211_ATTR_STATUS_CODE
    - sysrq: Restore original console_loglevel when sysrq disabled
    - sysrq: Remove duplicated sysrq message
    - net: fib_rules: Correctly set table field when table number exceeds 8 bits
    - net: phy: restore mdio regs in the iproc mdio driver
    - ipv6: Fix nlmsg_flags when splitting a multipath route
    - ipv6: Fix route replacement with dev-only route
    - sctp: move the format error check out of __sctp_sf_do_9_1_abort
    - nfc: pn544: Fix occasional HW initialization failure
    - net: sched: correct flower port blocking
    - ext4: potential crash on allocation error in ext4_alloc_flex_bg_array()
    - audit: fix error handling in audit_data_to_entry()
    - HID: core: fix off-by-one memset in hid_report_raw_event()
    - HID: core: increase HID report buffer size to 8KiB
    - HID: hiddev: Fix race in in hiddev_disconnect()
    - MIPS: VPE: Fix a double free and a memory leak in 'release_vpe()'
    - i2c: jz4780: silence log flood on txabrt
    - ecryptfs: Fix up bad backport of fe2e082f5da5b4a0a92ae32978f81507ef37ec66
    - net: netlink: cap max groups which will be considered in netlink_bind()
    - namei: only return -ECHILD from follow_dotdot_rcu()
    - KVM: Check for a bad hva before dropping into the ghc slow path
    - slip: stop double free sl->dev in slip_open
    - mm: make page ref count overflow check tighter and more explicit
    - mm, gup: remove broken VM_BUG_ON_PAGE compound check for hugepages
    - audit: always check the netlink payload length in audit_receive_msg()
    - serial: ar933x_uart: set UART_CS_{RX,TX}_READY_ORIDE
    - usb: gadget: ffs: ffs_aio_cancel(): Save/restore IRQ flags
    - usb: gadget: serial: fix Tx stall after buffer overflow
    - drm: msm: Fix return type of dsi_mgr_connector_mode_valid for kCFI
    - drm/msm/dsi: save pll state before dsi host is powered off
    - net: ks8851-ml: Remove 8-bit bus accessors
    - net: ks8851-ml: Fix 16-bit data access
    - net: ks8851-ml: Fix 16-bit IO operation
    - watchdog: da9062: do not ping the hw during stop()
    - s390/cio: cio_ignore_proc_seq_next should increase position index
    - cifs: don't leak -EAGAIN for stat() during reconnect
    - usb: storage: Add quirk for Samsung Fit flash
    - usb: quirks: add NO_LPM quirk for Logitech Screen Share
    - usb: core: hub: do error out if usb_autopm_get_interface() fails
    - usb: core: port: do error out if usb_autopm_get_interface() fails
    - vgacon: Fix a UAF in vgacon_invert_region
    - fat: fix uninit-memory access for partial initialized inode
    - vt: selection, close sel_buffer race
    - vt: selection, push console lock down
    - vt: selection, push sel_lock up
    - dmaengine: tegra-apb: Fix use-after-free
    - dmaengine: tegra-apb: Prevent race conditions of tasklet vs free list
    - ASoC: pcm: Fix possible buffer overflow in dpcm state sysfs output
    - ASoC: pcm512x: Fix unbalanced regulator enable call in probe error path
    - ASoC: dapm: Correct DAPM handling of active widgets during shutdown
    - RDMA/iwcm: Fix iwcm work deallocation
    - RMDA/cm: Fix missing ib_cm_destroy_id() in ib_cm_insert_listen()
    - ARM: imx: build v7_cpu_resume() unconditionally
    - hwmon: (adt7462) Fix an error return in ADT7462_REG_VOLT()
    - dmaengine: coh901318: Fix a double lock bug in dma_tc_handle()
    - powerpc: fix hardware PMU exception bug on PowerVM compatibility mode
      systems
    - dm cache: fix a crash due to incorrect work item cancelling
    - crypto: algif_skcipher - use ZERO_OR_NULL_PTR in skcipher_recvmsg_async
    - Linux 4.4.216

* Xenial update: 4.4.215 upstream stable release (LP: #1868627)
    - ALSA: hda: Use scnprintf() for printing texts for sysfs/procfs
    - ecryptfs: fix a memory leak bug in parse_tag_1_packet()
    - ecryptfs: fix a memory leak bug in ecryptfs_init_messaging()
    - ALSA: usb-audio: Apply sample rate quirk for Audioengine D1
    - ubifs: Fix deadlock in concurrent bulk-read and writepage
    - ext4: fix checksum errors with indexed dirs
    - Btrfs: fix race between using extent maps and merging them
    - btrfs: log message when rw remount is attempted with unclean tree-log
    - padata: Remove broken queue flushing
    - s390/time: Fix clk type in get_tod_clock
    - hwmon: (pmbus/ltc2978) Fix PMBus polling of MFR_COMMON definitions.
    - jbd2: move the clearing of b_modified flag to the journal_unmap_buffer()
    - jbd2: do not clear the BH_Mapped flag when forgetting a metadata buffer
    - btrfs: print message when tree-log replay starts
    - scsi: qla2xxx: fix a potential NULL pointer dereference
    - Revert "KVM: VMX: Add non-canonical check on writes to RTIT address MSRs"
    - drm/gma500: Fixup fbdev stolen size usage evaluation
    - brcmfmac: Fix use after free in brcmf_sdio_readframes()
    - gianfar: Fix TX timestamping with a stacked DSA driver
    - pinctrl: sh-pfc: sh7264: Fix CAN function GPIOs
    - media: i2c: mt9v032: fix enum mbus codes and frame sizes
    - media: sti: bdisp: fix a possible sleep-in-atomic-context bug in
      bdisp_device_run()
    - efi/x86: Map the entire EFI vendor string before copying it
    - MIPS: Loongson: Fix potential NULL dereference in loongson3_platform_init()
    - uio: fix a sleep-in-atomic-context bug in uio_dmem_genirq_irqcontrol()
    - usb: gadget: udc: fix possible sleep-in-atomic-context bugs in gr_probe()
    - nfs: NFS_SWAP should depend on SWAP
    - jbd2: clear JBD2_ABORT flag before journal_reset to update log tail info
      when load journal
    - tracing: Fix very unlikely race of registering two stat tracers
    - ext4, jbd2: ensure panic when aborting with zero errno
    - kconfig: fix broken dependency in randconfig-generated .config
    - clk: qcom: rcg2: Don't crash if our parent can't be found; return an error
    - drm/amdgpu: remove 4 set but not used variable in
      amdgpu_atombios_get_connector_info_from_object_table
    - regulator: rk808: Lower log level on optional GPIOs being not available
    - NFC: port100: Convert cpu_to_le16(le16_to_cpu(E1) + E2) to use
      le16_add_cpu().
    - reiserfs: Fix spurious unlock in reiserfs_fill_super() error handling
    - ALSA: usx2y: Adjust indentation in snd_usX2Y_hwdep_dsp_status
    - b43legacy: Fix -Wcast-function-type
    - ipw2x00: Fix -Wcast-function-type
    - iwlegacy: Fix -Wcast-function-type
    - rtlwifi: rtl_pci: Fix -Wcast-function-type
    - orinoco: avoid assertion in case of NULL pointer
    - ACPICA: Disassembler: create buffer fields in ACPI_PARSE_LOAD_PASS1
    - scsi: aic7xxx: Adjust indentation in ahc_find_syncrate
    - ARM: dts: r8a7779: Add device node for ARM global timer
    - x86/vdso: Provide missing include file
    - pinctrl: sh-pfc: sh7269: Fix CAN function GPIOs
    - ALSA: sh: Fix compile warning wrt const
    - tools lib api fs: Fix gcc9 stringop-truncation compilation error
    - usbip: Fix unsafe unaligned pointer usage
    - soc/tegra: fuse: Correct straps' address for older Tegra124 device trees
    - rcu: Use WRITE_ONCE() for assignments to ->pprev for hlist_nulls
    - Input: edt-ft5x06 - work around first register access error
    - wan: ixp4xx_hss: fix compile-testing on 64-bit
    - ASoC: atmel: fix build error with CONFIG_SND_ATMEL_SOC_DMA=m
    - PCI: Don't disable bridge BARs when assigning bus resources
    - driver core: Print device when resources present in really_probe()
    - drm/nouveau: Fix copy-paste error in nouveau_fence_wait_uevent_handler
    - drm/vmwgfx: prevent memory leak in vmw_cmdbuf_res_add
    - iommu/arm-smmu-v3: Use WRITE_ONCE() when changing validity of an STE
    - scsi: iscsi: Don't destroy session if there are outstanding connections
    - cmd64x: potential buffer overflow in cmd64x_program_timings()
    - ide: serverworks: potential overflow in svwks_set_pio_mode()
    - remoteproc: Initialize rproc_class before use
    - s390/ftrace: generate traced function stack frame
    - ALSA: hda - Add docking station support for Lenovo Thinkpad T420s
    - jbd2: switch to use jbd2_journal_abort() when failed to submit the commit
      record
    - ARM: 8951/1: Fix Kexec compilation issue.
    - hostap: Adjust indentation in prism2_hostapd_add_sta
    - iwlegacy: ensure loop counter addr does not wrap and cause an infinite loop
    - drm/nouveau/disp/nv50-: prevent oops when no channel method map provided
    - trigger_next should increase position index
    - radeon: insert 10ms sleep in dce5_crtc_load_lut
    - ocfs2: fix a NULL pointer dereference when call
      ocfs2_update_inode_fsync_trans()
    - lib/scatterlist.c: adjust indentation in __sg_alloc_table
    - reiserfs: prevent NULL pointer dereference in reiserfs_insert_item()
    - bcache: explicity type cast in bset_bkey_last()
    - irqchip/gic-v3-its: Reference to its_invall_cmd descriptor when building
      INVALL
    - microblaze: Prevent the overflow of the start
    - brd: check and limit max_part par
    - selinux: ensure we cleanup the internal AVC counters on error in
      avc_update()
    - enic: prevent waking up stopped tx queues over watchdog reset
    - floppy: check FDC index for errors before assigning it
    - staging: android: ashmem: Disallow ashmem memory from being remapped
    - staging: vt6656: fix sign of rx_dbm to bb_pre_ed_rssi.
    - usb: uas: fix a plug & unplug racing
    - USB: Fix novation SourceControl XL after suspend
    - USB: hub: Don't record a connect-change event during reset-resume
    - staging: rtl8188eu: Fix potential security hole
    - staging: rtl8188eu: Fix potential overuse of kernel memory
    - x86/mce/amd: Fix kobject lifetime
    - tty: serial: imx: setup the correct sg entry for tx dma
    - xhci: apply XHCI_PME_STUCK_QUIRK to Intel Comet Lake platforms
    - VT_RESIZEX: get rid of field-by-field copyin
    - vt: vt_ioctl: fix race in VT_RESIZEX
    - netfilter: xt_bpf: add overflow checks
    - ext4: fix a data race in EXT4_I(inode)->i_disksize
    - ext4: add cond_resched() to __ext4_find_entry()
    - KVM: apic: avoid calculating pending eoi from an uninitialized val
    - Btrfs: fix btrfs_wait_ordered_range() so that it waits for all ordered
      extents
    - scsi: Revert "RDMA/isert: Fix a recently introduced regression related to
      logout"
    - scsi: Revert "target: iscsi: Wait for all commands to finish before freeing
      a session"
    - ecryptfs: replace BUG_ON with error handling code
    - ALSA: rawmidi: Avoid bit fields for state flags
    - ALSA: seq: Avoid concurrent access to queue flags
    - ALSA: seq: Fix concurrent access to queue current tick/time
    - xen: Enable interrupts when calling _cond_resched()
    - Linux 4.4.215

-- Khalid Elmously <khalid.elmously@canonical.com>  Sun, 05 Apr 2020 18:51:07 -0400

Changed in linux (Ubuntu Xenial):
status:	Fix Committed → Fix Released

Affects		Status	Importance	Assigned to	Milestone
	linux (Ubuntu)	Fix Released	Undecided	Unassigned
	Xenial	Fix Released	Undecided	Heitor Alves de Siqueira

Ubuntu
linux package

Mounting LVM snapshots with xfs can hit kernel BUG in nvme driver

Bug Description

CVE References

Other bug subscribers

Remote bug watches

Ubuntulinux package

Mounting LVM snapshots with xfs can hit kernel BUG in nvme driver

Bug Description

CVE References

Other bug subscribers

Remote bug watches

Ubuntu
linux package