Ubuntu
linux package

kernel bug found when disconnecting one fiber channel interface on Cisco Chassis with fnic DRV_VERSION "1.6.0.47"

Bug #1944586 reported by Eric Desrochers on 2021-09-22

This bug affects 3 people

Affects		Status	Importance	Assigned to	Milestone
	linux (Ubuntu)	Fix Released	Undecided	Unassigned
	Focal	Fix Released	High	Eric Desrochers

Bug Description

[Impact]

It has been brought to my attention the following:

"
We have been experiencing node lockups and degradation when testing fiber channel fail over for multi-path PURESTORAGE drives.

Testing usually consists of either failing over the fabric or the local I/O module for the Cisco chassis which houses a number of individual blades.

After rebooting a local Chassis I/O module we see commands like multipath -ll hanging.
Resetting the blades individual fiber channel interface results in the following messages.
"

6051160.241383] rport-9:0-1: blocked FC remote port time out: removing target and saving binding
[6051160.252901] BUG: kernel NULL pointer dereference, address: 0000000000000040
[6051160.262267] #PF: supervisor read access in kernel mode
[6051160.269314] #PF: error_code(0x0000) - not-present page
[6051160.276016] PGD 0 P4D 0
[6051160.279807] Oops: 0000 [#1] SMP NOPTI
[6051160.284642] CPU: 10 PID: 49346 Comm: kworker/10:2 Tainted: P O 5.4.0-77-generic #86-Ubuntu
[6051160.295967] Hardware name: Cisco Systems Inc UCSB-B200-M5/UCSB-B200-M5, BIOS B200M5.4.1.1d.0.0609200543 06/09/2020
[6051160.308199] Workqueue: fc_dl_9 fc_timeout_deleted_rport [scsi_transport_fc]
[6051160.316640] RIP: 0010:fnic_terminate_rport_io+0x10f/0x510 [fnic]
[6051160.324050] Code: 48 89 c3 48 85 c0 0f 84 7b 02 00 00 48 05 20 01 00 00 48 89 45 b0 0f 84 6b 02 00 00 48 8b 83 58 01 00 00 48 8b 80 b8 01 00 00 <48> 8b 78 40 e8 68 e6 06 00 85 c0 0f 84 4c 02 00 00 48 8b 83 58 01
[6051160.346553] RSP: 0018:ffffbc224f297d90 EFLAGS: 00010082
[6051160.353115] RAX: 0000000000000000 RBX: ffff90abdd4c4b00 RCX: ffff90d8ab2c2bb0
[6051160.361983] RDX: ffff90d8b5467400 RSI: 0000000000000000 RDI: ffff90d8ab3b4b40
[6051160.370812] RBP: ffffbc224f297df8 R08: ffff90d8c08978c8 R09: ffff90d8b8850800
[6051160.379518] R10: ffff90d8a59d64c0 R11: 0000000000000001 R12: ffff90d8ab2c31f8
[6051160.388242] R13: 0000000000000000 R14: 0000000000000246 R15: ffff90d8ab2c27b8
[6051160.396953] FS: 0000000000000000(0000) GS:ffff90d8c0880000(0000) knlGS:0000000000000000
[6051160.406838] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[6051160.414168] CR2: 0000000000000040 CR3: 0000000fc1c0a004 CR4: 00000000007626e0
[6051160.423146] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[6051160.431884] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[6051160.440615] PKRU: 55555554
[6051160.444337] Call Trace:
[6051160.447841] fc_terminate_rport_io+0x56/0x70 [scsi_transport_fc]
[6051160.455263] fc_timeout_deleted_rport.cold+0x1bc/0x2c7 [scsi_transport_fc]
[6051160.463623] process_one_work+0x1eb/0x3b0
[6051160.468784] worker_thread+0x4d/0x400
[6051160.473660] kthread+0x104/0x140
[6051160.478102] ? process_one_work+0x3b0/0x3b0
[6051160.483439] ? kthread_park+0x90/0x90
[6051160.488213] ret_from_fork+0x1f/0x40
[6051160.492901] Modules linked in: dm_service_time zfs(PO) zunicode(PO) zlua(PO) zavl(PO) icp(PO) zcommon(PO) znvpair(PO) spl(O) ebtable_filter ebtables ip6table_raw ip6table_mangle ip6table_nat iptable_raw iptable_mangle iptable_nat nf_nat vhost_vsock vmw_vsock_virtio_transport_common vsock unix_diag nf_conntrack_netlink nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 vhost_net vhost tap 8021q garp mrp bluetooth ecdh_generic ecc tcp_diag inet_diag sctp nf_tables nfnetlink ip6table_filter ip6_tables iptable_filter bpfilter bridge stp llc nls_iso8859_1 dm_queue_length dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua intel_rapl_msr intel_rapl_common isst_if_common skx_edac nfit x86_pkg_temp_thermal intel_powerclamp ipmi_ssif coretemp kvm_intel kvm rapl input_leds joydev intel_cstate mei_me ioatdma mei dca ipmi_si ipmi_devintf ipmi_msghandler acpi_power_meter acpi_pad mac_hid sch_fq_codel ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor
[6051160.492928] async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear fnic mgag200 drm_vram_helper i2c_algo_bit ttm drm_kms_helper crct10dif_pclmul syscopyarea hid_generic crc32_pclmul libfcoe sysfillrect ghash_clmulni_intel sysimgblt aesni_intel fb_sys_fops crypto_simd libfc usbhid cryptd scsi_transport_fc hid drm glue_helper enic ahci lpc_ich libahci wmi
[6051160.632623] CR2: 0000000000000040
[6051160.637043] ---[ end trace 236e6f4850146477 ]---

[Test Plan]

There are two ways to replicate the bug:

Reset a single chassis I/O module or fail over a fabric interconnect (FI) for all chassis in the cluster. We have performed both tests.

Specific hardware:
   Chassis Cisco UCS 5108 AC2 Chassis
   Blades Cisco UCS B200
   IO module Cisco UCS 2408

Server loads - Ubuntu 20.04 cluster running deployed maas, juju and openstack.

Tests

1) Fail over of single chassis I/O module results in at least one node locking up.
After patching the kernel multiple tests by resetting the I/O module did not result in further failures. Each chassis holds 8 blades.

2) The larger test reboots the actual FI (fabric interconnect) for one channel serving 3 chassis. What we call a fiber channel fail over test.
This test covers 3 chassis with 8 blades each. In this test at least one and often as many as 4 nodes will lock up. After loading the patched kernel we ran this test 3 times with no failures.

[Where problems could occur]

Cisco "fNIC" driver enables FCoE support for the Cisco UCS Virtual Interface Card family of products.

If a problem arise it would be limited to these VIC which are specially designed for Cisco UCS blade and rack servers and possibly command to terminate I/O in any case at worst case (again only on Cisco UCS hw family.

Note that Field Engineer and I did test the patch on Cisco UCS hw and the patch didn't reproduce the problem nor produce observable subsequent issues/regressions.

[Other informations]

https://support.oracle.com/knowledge/Oracle%20Linux%20and%20Virtualization/2792832_1.html#FIX
https://www.spinics.net/lists/linux-scsi/msg142179.html

See original description

Tags:

CVE References

Revision history for this message

Eric Desrochers (slashd) wrote on 2021-09-22:

[Potential fix candidate]

commit 712582e60f288e7cede8d6fc8769529317e0f3e0
Author: Hannes Reinecke <email address hidden>
Date: Fri May 15 13:26:47 2020 +0200

scsi: fnic: Do not call 'scsi_done()' for unhandled commands

The fnic drivers assigns an ioreq structure to each command and severs this
assignment once scsi_done() has been called and the command has been
completed.

When traversing commands to terminate outstanding I/O we should not call
scsi_done() on commands which do not have a corresponding ioreq structure;
these commands have either never entered the driver or have already been
completed.

tags:	added: seg sts
description:	updated
description:	updated
summary:	kernel bug found when disconnecting one fiber channel interface on Cisco - Chassis with fnic DRV_VERSION below 1.6.0.47 + Chassis with fnic DRV_VERSION " 1.6.0.47"

Eric Desrochers (slashd) on 2021-09-22

description:

updated

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2021-09-22: Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1944586

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status:	New → Incomplete
tags:	added: focal

Eric Desrochers (slashd) on 2021-09-22

summary:

kernel bug found when disconnecting one fiber channel interface on Cisco
- Chassis with fnic DRV_VERSION " 1.6.0.47"
+ Chassis with fnic DRV_VERSION "1.6.0.47"

Revision history for this message

Eric Desrochers (slashd) wrote on 2021-09-27:

A test kernel of v5.4 (kernel series where the problem has been found) has been tested by Field Engineer and here's the outcome:

"
-Extensive testing about 4/5 failovers both HWE (v5.11) and the patched kernels seem stable (v5.4).

Thank you this unblocks us for deployment of this cloud.
"

- Eric

description:	updated
description:	updated

Eric Desrochers (slashd) on 2021-09-27

Changed in linux (Ubuntu):
status:	Incomplete → In Progress
status:	In Progress → Fix Released
Changed in linux (Ubuntu Focal):
status:	New → In Progress
assignee:	nobody → Eric Desrochers (slashd)
importance:	Undecided → Critical
importance:	Critical → High
description:	updated

Steven Parker (sbparke) on 2021-09-27

description:	updated
description:	updated
description:	updated

Kelsey Steele (kelsey-steele) on 2021-10-12

Changed in linux (Ubuntu Focal):
status:	In Progress → Fix Committed

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2021-10-19:

This bug is awaiting verification that the linux/5.4.0-90.101 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: verification-needed-focal

Revision history for this message

Kelsey Steele (kelsey-steele) wrote on 2021-10-29:

Hi Eric, may you please verify the focal kernel in -proposed resolves this bug? You can find more instructions for this in comment #4. Thank you!

Revision history for this message

Eric Desrochers (slashd) wrote on 2021-11-01:

This has been tested on Cisco Hardware by Field Engineering and the bug is no longer reproducible.

- Eric

tags:

added: verification-done-focal
removed: verification-needed-focal

Revision history for this message

Kelsey Steele (kelsey-steele) wrote on 2021-11-02:

Thank you, Eric! :)

Revision history for this message

Launchpad Janitor (janitor) wrote on 2021-11-08:

Download full text (32.6 KiB)

This bug was fixed in the package linux - 5.4.0-90.101

---------------
linux (5.4.0-90.101) focal; urgency=medium

* focal/linux: 5.4.0-90.101 -proposed tracker (LP: #1947260)

* Packaging resync (LP: #1786013)
- debian/dkms-versions -- update from kernel-versions (main/2021.10.18)

* Add final-checks to check certificates (LP: #1947174)
- [Packaging] Add system trusted and revocation keys final check

  * No sound on Lenovo laptop models Legion 15IMHG05, Yoga 7 14ITL5, and 13s
    Gen2 (LP: #1939052)
    - ALSA: hda/realtek: Quirks to enable speaker output for Lenovo Legion 7i
      15IMHG05, Yoga 7i 14ITL5/15ITL5, and 13s Gen2 laptops.
    - ALSA: hda/realtek: Fix for quirk to enable speaker output on the Lenovo 13s
      Gen2

  * CVE-2020-36385
    - RDMA/cma: Add missing locking to rdma_accept()
    - RDMA/ucma: Fix the locking of ctx->file
    - RDMA/ucma: Rework ucma_migrate_id() to avoid races with destroy

This bug was fixed in the package linux - 5.4.0-90.101

---------------
linux (5.4.0-90.101) focal; urgency=medium

* focal/linux: 5.4.0-90.101 -proposed tracker (LP: #1947260)

* Packaging resync (LP: #1786013)
    - debian/dkms-versions -- update from kernel-versions (main/2021.10.18)

* Add final-checks to check certificates (LP: #1947174)
    - [Packaging] Add system trusted and revocation keys final check

* CVE-2020-36385
    - RDMA/cma: Add missing locking to rdma_accept()
    - RDMA/ucma: Fix the locking of ctx->file
    - RDMA/ucma: Rework ucma_migrate_id() to avoid races with destroy

* Focal update: v5.4.148 upstream stable release (LP: #1946802)
    - rtc: tps65910: Correct driver module alias
    - btrfs: wake up async_delalloc_pages waiters after submit
    - btrfs: reset replace target device to allocation state on close
    - blk-zoned: allow zone management send operations without CAP_SYS_ADMIN
    - blk-zoned: allow BLKREPORTZONE without CAP_SYS_ADMIN
    - PCI/MSI: Skip masking MSI-X on Xen PV
    - powerpc/perf/hv-gpci: Fix counter value parsing
    - xen: fix setting of max_pfn in shared_info
    - include/linux/list.h: add a macro to test if entry is pointing to the head
    - 9p/xen: Fix end of loop tests for list_for_each_entry
    - tools/thermal/tmon: Add cross compiling support
    - pinctrl: stmfx: Fix hazardous u8[] to unsigned long cast
    - pinctrl: ingenic: Fix incorrect pull up/down info
    - soc: qcom: aoss: Fix the out of bound usage of cooling_devs
    - soc: aspeed: lpc-ctrl: Fix boundary check for mmap
    - soc: aspeed: p2a-ctrl: Fix boundary check for mmap
    - arm64: head: avoid over-mapping in map_memory
    - crypto: public_key: fix overflow during implicit conversion
    - block: bfq: fix bfq_set_next_ioprio_data()
    - power: supply: max17042: handle fails of reading status register
    - dm crypt: Avoid percpu_counter spinlock contention in crypt_page_alloc()
    - VMCI: fix NULL pointer dereference when unmapping queue pair
    - media: uvc: don't do DMA on stack
    - media: rc-loopback: return number of emitters rather than error
    - Revert "dmaengine: imx-sdma: refine to load context only once"
    - dmaengine: imx-sdma: remove duplicated sdma_load_context
    - libata: add ATA_HORKAGE_NO_NCQ_TRIM for Samsung 860 and 870 SSDs
    - ARM: 9105/1: atags_to_fdt: don't warn about stack size
    - PCI/portdrv: Enable Bandwidth Notification only if port supports it
    - PCI: Restrict ASMedia ASM1062 SATA Max Payload Size Supported
    - PCI: Return ~0 data on pciconfig_read() CAP_SYS_ADMIN failure
    - PCI: xilinx-nwl: Enable the clock through CCF
    - PCI: aardvark: Fix checking for PIO status
    - PCI: aardvark: Increase polling delay to 1.5s while waiting for PIO response
    - PCI: aardvark: Fix masking and unmasking legacy INTx interrupts
    - HID: input: do not report stylus battery state as "full"
    - f2fs: quota: fix potential deadlock
    - scsi: bsg: Remove support for SCSI_IOCTL_SEND_COMMAND
    - IB/hfi1: Adjust pkey entry in index 0
    - RDMA/iwcm: Release resources if iw_cm module initialization fails
    - docs: Fix infiniband uverbs minor number
    - pinctrl: samsung: Fix pinctrl bank pin count
    - vfio: Use config not menuconfig for VFIO_NOIOMMU
    - powerpc/stacktrace: Include linux/delay.h
    - RDMA/efa: Remove double QP type assignment
    - f2fs: show f2fs instance in printk_ratelimited
    - f2fs: reduce the scope of setting fsck tag when de->name_len is zero
    - openrisc: don't printk() unconditionally
    - dma-debug: fix debugfs initialization order
    - SUNRPC: Fix potential memory corruption
    - scsi: fdomain: Fix error return code in fdomain_probe()
    - pinctrl: single: Fix error return code in pcs_parse_bits_in_pinctrl_entry()
    - scsi: smartpqi: Fix an error code in pqi_get_raid_map()
    - scsi: qedi: Fix error codes in qedi_alloc_global_queues()
    - scsi: qedf: Fix error codes in qedf_alloc_global_queues()
    - powerpc/config: Renable MTD_PHYSMAP_OF
    - scsi: target: avoid per-loop XCOPY buffer allocations
    - HID: i2c-hid: Fix Elan touchpad regression
    - KVM: PPC: Book3S HV Nested: Reflect guest PMU in-use to L0 when guest SPRs
      are live
    - platform/x86: dell-smbios-wmi: Add missing kfree in error-exit from
      run_smbios_call
    - fscache: Fix cookie key hashing
    - clk: at91: sam9x60: Don't use audio PLL
    - clk: at91: clk-generated: pass the id of changeable parent at registration
    - clk: at91: clk-generated: Limit the requested rate to our range
    - KVM: PPC: Fix clearing never mapped TCEs in realmode
    - f2fs: fix to account missing .skipped_gc_rwsem
    - f2fs: fix unexpected ENOENT comes from f2fs_map_blocks()
    - f2fs: fix to unmap pages from userspace process in punch_hole()
    - MIPS: Malta: fix alignment of the devicetree buffer
    - kbuild: Fix 'no symbols' warning when CONFIG_TRIM_UNUSD_KSYMS=y
    - userfaultfd: prevent concurrent API initialization
    - drm/amdgpu: Fix amdgpu_ras_eeprom_init()
    - ASoC: atmel: ATMEL drivers don't need HAS_DMA
    - media: dib8000: rewrite the init prbs logic
    - crypto: mxs-dcp - Use sg_mapping_iter to copy data
    - PCI: Use pci_update_current_state() in pci_enable_device_flags()
    - tipc: keep the skb in rcv queue until the whole data is read
    - iio: dac: ad5624r: Fix incorrect handling of an optional regulator.
    - iavf: do not override the adapter state in the watchdog task
    - iavf: fix locking of critical sections
    - ARM: dts: qcom: apq8064: correct clock names
    - video: fbdev: kyro: fix a DoS bug by restricting user input
    - netlink: Deal with ESRCH error in nlmsg_notify()
    - Smack: Fix wrong semantics in smk_access_entry()
    - drm: avoid blocking in drm_clients_info's rcu section
    - igc: Check if num of q_vectors is smaller than max before array access
    - usb: host: fotg210: fix the endpoint's transactional opportunities
      calculation
    - usb: host: fotg210: fix the actual_length of an iso packet
    - usb: gadget: u_ether: fix a potential null pointer dereference
    - USB: EHCI: ehci-mv: improve error handling in mv_ehci_enable()
    - usb: gadget: composite: Allow bMaxPower=0 if self-powered
    - staging: board: Fix uninitialized spinlock when attaching genpd
    - tty: serial: jsm: hold port lock when reporting modem line changes
    - drm/amd/display: Fix timer_per_pixel unit error
    - drm/amd/amdgpu: Update debugfs link_settings output link_rate field in hex
    - bpf/tests: Fix copy-and-paste error in double word test
    - bpf/tests: Do not PASS tests without actually testing the result
    - video: fbdev: asiliantfb: Error out if 'pixclock' equals zero
    - video: fbdev: kyro: Error out if 'pixclock' equals zero
    - video: fbdev: riva: Error out if 'pixclock' equals zero
    - ipv4: ip_output.c: Fix out-of-bounds warning in ip_copy_addrs()
    - flow_dissector: Fix out-of-bounds warnings
    - s390/jump_label: print real address in a case of a jump label bug
    - s390: make PCI mio support a machine flag
    - serial: 8250: Define RX trigger levels for OxSemi 950 devices
    - xtensa: ISS: don't panic in rs_init
    - hvsi: don't panic on tty_register_driver failure
    - serial: 8250_pci: make setup_port() parameters explicitly unsigned
    - staging: ks7010: Fix the initialization of the 'sleep_status' structure
    - samples: bpf: Fix tracex7 error raised on the missing argument
    - ata: sata_dwc_460ex: No need to call phy_exit() befre phy_init()
    - Bluetooth: skip invalid hci_sync_conn_complete_evt
    - workqueue: Fix possible memory leaks in wq_numa_init()
    - bonding: 3ad: fix the concurrency between __bond_release_one() and
      bond_3ad_state_machine_handler()
    - arm64: tegra: Fix Tegra194 PCIe EP compatible string
    - ASoC: Intel: bytcr_rt5640: Move "Platform Clock" routes to the maps for the
      matching in-/output
    - media: imx258: Rectify mismatch of VTS value
    - media: imx258: Limit the max analogue gain to 480
    - media: v4l2-dv-timings.c: fix wrong condition in two for-loops
    - media: TDA1997x: fix tda1997x_query_dv_timings() return value
    - media: tegra-cec: Handle errors of clk_prepare_enable()
    - ARM: dts: imx53-ppd: Fix ACHC entry
    - arm64: dts: qcom: sdm660: use reg value for memory node
    - net: ethernet: stmmac: Do not use unreachable() in ipq806x_gmac_probe()
    - drm/msm: mdp4: drop vblank get/put from prepare/complete_commit
    - selftests/bpf: Fix xdp_tx.c prog section name
    - Bluetooth: schedule SCO timeouts with delayed_work
    - Bluetooth: avoid circular locks in sco_sock_connect
    - net/mlx5: Fix variable type to match 64bit
    - gpu: drm: amd: amdgpu: amdgpu_i2c: fix possible uninitialized-variable
      access in amdgpu_i2c_router_select_ddc_port()
    - drm/display: fix possible null-pointer dereference in dcn10_set_clock()
    - mac80211: Fix monitor MTU limit so that A-MSDUs get through
    - ARM: tegra: tamonten: Fix UART pad setting
    - arm64: tegra: Fix compatible string for Tegra132 CPUs
    - arm64: dts: ls1046a: fix eeprom entries
    - nvme-tcp: don't check blk_mq_tag_to_rq when receiving pdu data
    - Bluetooth: Fix handling of LE Enhanced Connection Complete
    - opp: Don't print an error if required-opps is missing
    - serial: sh-sci: fix break handling for sysrq
    - tcp: enable data-less, empty-cookie SYN with TFO_SERVER_COOKIE_NOT_REQD
    - rpc: fix gss_svc_init cleanup on failure
    - staging: rts5208: Fix get_ms_information() heap buffer size
    - gfs2: Don't call dlm after protocol is unmounted
    - usb: chipidea: host: fix port index underflow and UBSAN complains
    - lockd: lockd server-side shouldn't set fl_ops
    - drm/exynos: Always initialize mapping in exynos_drm_register_dma()
    - m68knommu: only set CONFIG_ISA_DMA_API for ColdFire sub-arch
    - btrfs: tree-log: check btrfs_lookup_data_extent return value
    - ASoC: Intel: Skylake: Fix module configuration for KPB and MIXER
    - ASoC: Intel: Skylake: Fix passing loadable flag for module
    - of: Don't allow __of_attached_node_sysfs() without CONFIG_SYSFS
    - mmc: sdhci-of-arasan: Check return value of non-void funtions
    - mmc: rtsx_pci: Fix long reads when clock is prescaled
    - selftests/bpf: Enlarge select() timeout for test_maps
    - mmc: core: Return correct emmc response in case of ioctl error
    - cifs: fix wrong release in sess_alloc_buffer() failed path
    - Revert "USB: xhci: fix U1/U2 handling for hardware with XHCI_INTEL_HOST
      quirk set"
    - usb: musb: musb_dsps: request_irq() after initializing musb
    - usbip: give back URBs for unsent unlink requests during cleanup
    - usbip:vhci_hcd USB port can get stuck in the disabled state
    - ASoC: rockchip: i2s: Fix regmap_ops hang
    - ASoC: rockchip: i2s: Fixup config for DAIFMT_DSP_A/B
    - drm/amdkfd: Account for SH/SE count when setting up cu masks.
    - iwlwifi: mvm: fix a memory leak in iwl_mvm_mac_ctxt_beacon_changed
    - iwlwifi: mvm: avoid static queue number aliasing
    - iwlwifi: mvm: fix access to BSS elements
    - net/mlx5: DR, Enable QP retransmission
    - parport: remove non-zero check on count
    - ath9k: fix OOB read ar9300_eeprom_restore_internal
    - ath9k: fix sleeping in atomic context
    - net: fix NULL pointer reference in cipso_v4_doi_free
    - fix array-index-out-of-bounds in taprio_change
    - net: w5100: check return value after calling platform_get_resource()
    - parisc: fix crash with signals and alloca
    - ovl: fix BUG_ON() in may_delete() when called from ovl_cleanup()
    - scsi: BusLogic: Fix missing pr_cont() use
    - scsi: qla2xxx: Changes to support kdump kernel
    - scsi: qla2xxx: Sync queue idx with queue_pair_map idx
    - cpufreq: powernv: Fix init_chip_info initialization in numa=off
    - s390/pv: fix the forcing of the swiotlb
    - mm/hugetlb: initialize hugetlb_usage in mm_init
    - mm,vmscan: fix divide by zero in get_scan_count
    - memcg: enable accounting for pids in nested pid namespaces
    - platform/chrome: cros_ec_proto: Send command again when timeout occurs
    - lib/test_stackinit: Fix static initializer test
    - net: dsa: lantiq_gswip: fix maximum frame length
    - drm/msi/mdp4: populate priv->kms in mdp4_kms_init
    - drm/amdgpu: Fix BUG_ON assert
    - drm/panfrost: Simplify lock_region calculation
    - drm/panfrost: Use u64 for size in lock_region
    - drm/panfrost: Clamp lock region to Bifrost minimum
    - btrfs: fix upper limit for max_inline for page size 64K
    - xen: reset legacy rtc flag for PV domU
    - bnx2x: Fix enabling network interfaces without VFs
    - arm64/sve: Use correct size when reinitialising SVE state
    - PM: base: power: don't try to use non-existing RTC for storing data
    - PCI: Add AMD GPU multi-function power dependencies
    - drm/amd/amdgpu: Increase HWIP_MAX_INSTANCE to 10
    - drm/etnaviv: return context from etnaviv_iommu_context_get
    - drm/etnaviv: put submit prev MMU context when it exists
    - drm/etnaviv: stop abusing mmu_context as FE running marker
    - drm/etnaviv: keep MMU context across runtime suspend/resume
    - drm/etnaviv: exec and MMU state is lost when resetting the GPU
    - drm/etnaviv: fix MMU context leak on GPU reset
    - drm/etnaviv: reference MMU context when setting up hardware state
    - drm/etnaviv: add missing MMU context put when reaping MMU mapping
    - s390/sclp: fix Secure-IPL facility detection
    - x86/mm: Fix kern_addr_valid() to cope with existing but not present entries
    - tipc: fix an use-after-free issue in tipc_recvmsg
    - net-caif: avoid user-triggerable WARN_ON(1)
    - ptp: dp83640: don't define PAGE0
    - net/l2tp: Fix reference count leak in l2tp_udp_recv_core
    - r6040: Restore MDIO clock frequency after MAC reset
    - tipc: increase timeout in tipc_sk_enqueue()
    - perf machine: Initialize srcline string member in add_location struct
    - net/mlx5: FWTrace, cancel work on alloc pd error flow
    - net/mlx5: Fix potential sleeping in atomic context
    - events: Reuse value read using READ_ONCE instead of re-reading it
    - vhost_net: fix OoB on sendmsg() failure.
    - net/af_unix: fix a data-race in unix_dgram_poll
    - net: dsa: destroy the phylink instance on any error in dsa_slave_phy_setup
    - tcp: fix tp->undo_retrans accounting in tcp_sacktag_one()
    - qed: Handle management FW error
    - dt-bindings: arm: Fix Toradex compatible typo
    - ibmvnic: check failover_pending in login response
    - KVM: PPC: Book3S HV: Tolerate treclaim. in fake-suspend mode changing
      registers
    - net: hns3: pad the short tunnel frame before sending to hardware
    - net: hns3: change affinity_mask to numa node range
    - net: hns3: disable mac in flr process
    - net: hns3: fix the timing issue of VF clearing interrupt sources
    - mm/memory_hotplug: use "unsigned long" for PFN in zone_for_pfn_range()
    - dt-bindings: mtd: gpmc: Fix the ECC bytes vs. OOB bytes equation
    - mfd: db8500-prcmu: Adjust map to reality
    - PCI: Add ACS quirks for NXP LX2xx0 and LX2xx2 platforms
    - fuse: fix use after free in fuse_read_interrupt()
    - mfd: Don't use irq_create_mapping() to resolve a mapping
    - tracing/probes: Reject events which have the same name of existing one
    - PCI: Add ACS quirks for Cavium multi-function devices
    - Set fc_nlinfo in nh_create_ipv4, nh_create_ipv6
    - net: usb: cdc_mbim: avoid altsetting toggling for Telit LN920
    - PCI: ibmphp: Fix double unmap of io_mem
    - ethtool: Fix an error code in cxgb2.c
    - NTB: Fix an error code in ntb_msit_probe()
    - NTB: perf: Fix an error code in perf_setup_inbuf()
    - mfd: axp20x: Update AXP288 volatile ranges
    - PCI: Fix pci_dev_str_match_path() alloc while atomic bug
    - mfd: tqmx86: Clear GPIO IRQ resource when no IRQ is set
    - KVM: arm64: Handle PSCI resets before userspace touches vCPU state
    - PCI: Sync __pci_register_driver() stub for CONFIG_PCI=n
    - mtd: rawnand: cafe: Fix a resource leak in the error handling path of
      'cafe_nand_probe()'
    - ARC: export clear_user_page() for modules
    - perf unwind: Do not overwrite FEATURE_CHECK_LDFLAGS-libunwind-{x86,aarch64}
    - net: dsa: b53: Fix calculating number of switch ports
    - netfilter: socket: icmp6: fix use-after-scope
    - fq_codel: reject silly quantum parameters
    - qlcnic: Remove redundant unlock in qlcnic_pinit_from_rom
    - ip_gre: validate csum_start only on pull
    - net: renesas: sh_eth: Fix freeing wrong tx descriptor
    - Linux 5.4.148

* Focal update: v5.4.147 upstream stable release (LP: #1946795)
    - Linux 5.4.147
    - upstream stable to v5.4.147

* CVE-2021-3428
    - ext4: save the error code which triggered an ext4_error() in the superblock
    - ext4: simulate various I/O and checksum errors when reading metadata
    - ext4: save all error info in save_error_info() and drop ext4_set_errno()
    - ext4: check journal inode extents more carefully

* ip6gretap / erspan / ip6erspan in rtnetlink.sh from net of
    ubuntu_kernel_selftests failed on B-5.4-aws / B-5.4-gke / B-5.4-oracle /
    B-5.4-azure / B-5.4 (LP: #1896448)
    - SAUCE: selftests: rtnetlink: fixes for older iproute2

* CVE-2019-19449
    - f2fs: fix wrong total_sections check and fsmeta check
    - f2fs: fix to do sanity check on segment/section count

* kernel bug found when disconnecting one fiber channel interface on Cisco
    Chassis with fnic DRV_VERSION "1.6.0.47" (LP: #1944586)
    - scsi: fnic: Do not call 'scsi_done()' for unhandled commands

* memfd from ubuntu_kernel_selftests failed to build on B-5.4 (unknown type
    name ‘__u64’) (LP: #1944613)
    - SAUCE: selftests/memfd: fix __u64 not defined build issue

* Medion Notebook Keyboard not working (LP: #1909814)
    - ACPI: resources: Add DMI-based legacy IRQ override quirk

* vrf: fix refcnt leak with vxlan slaves (LP: #1945180)
    - ipv4: Fix device used for dst_alloc with local routes

* Check for changes relevant for security certifications (LP: #1945989)
    - [Packaging] Add a new fips-checks script
    - [Packaging] Add fips-checks as part of finalchecks

* Fix cold plugged USB device on certain PCIe USB cards (LP: #1945211)
    - Revert "UBUNTU: SAUCE: Revert "usb: core: reduce power-on-good delay time of
      root hub""
    - usb: core: hcd: Add support for deferring roothub registration
    - xhci: Set HCD flag to defer primary roothub registration
    - usb: core: hcd: Modularize HCD stop configuration in usb_stop_hcd()

* CVE-2021-3759
    - memcg: enable accounting of ipc resources

* Focal update: v5.4.146 upstream stable release (LP: #1946024)
    - locking/mutex: Fix HANDOFF condition
    - regmap: fix the offset of register error log
    - crypto: mxs-dcp - Check for DMA mapping errors
    - sched/deadline: Fix reset_on_fork reporting of DL tasks
    - power: supply: axp288_fuel_gauge: Report register-address on readb / writeb
      errors
    - crypto: omap-sham - clear dma flags only after omap_sham_update_dma_stop()
    - sched/deadline: Fix missing clock update in migrate_task_rq_dl()
    - rcu/tree: Handle VM stoppage in stall detection
    - hrtimer: Avoid double reprogramming in __hrtimer_start_range_ns()
    - hrtimer: Ensure timerfd notification for HIGHRES=n
    - udf: Check LVID earlier
    - udf: Fix iocharset=utf8 mount option
    - isofs: joliet: Fix iocharset=utf8 mount option
    - bcache: add proper error unwinding in bcache_device_init
    - nvme-tcp: don't update queue count when failing to set io queues
    - nvme-rdma: don't update queue count when failing to set io queues
    - nvmet: pass back cntlid on successful completion
    - power: supply: max17042_battery: fix typo in MAx17042_TOFF
    - s390/cio: add dev_busid sysfs entry for each subchannel
    - libata: fix ata_host_start()
    - crypto: qat - do not ignore errors from enable_vf2pf_comms()
    - crypto: qat - handle both source of interrupt in VF ISR
    - crypto: qat - fix reuse of completion variable
    - crypto: qat - fix naming for init/shutdown VF to PF notifications
    - crypto: qat - do not export adf_iov_putmsg()
    - fcntl: fix potential deadlock for &fasync_struct.fa_lock
    - udf_get_extendedattr() had no boundary checks.
    - s390/kasan: fix large PMD pages address alignment check
    - s390/debug: fix debug area life cycle
    - m68k: emu: Fix invalid free in nfeth_cleanup()
    - sched: Fix UCLAMP_FLAG_IDLE setting
    - spi: spi-fsl-dspi: Fix issue with uninitialized dma_slave_config
    - spi: spi-pic32: Fix issue with uninitialized dma_slave_config
    - genirq/timings: Fix error return code in irq_timings_test_irqs()
    - lib/mpi: use kcalloc in mpi_resize
    - clocksource/drivers/sh_cmt: Fix wrong setting if don't request IRQ for clock
      source channel
    - crypto: qat - use proper type for vf_mask
    - certs: Trigger creation of RSA module signing key if it's not an RSA key
    - regulator: vctrl: Use locked regulator_get_voltage in probe path
    - regulator: vctrl: Avoid lockdep warning in enable/disable ops
    - spi: sprd: Fix the wrong WDG_LOAD_VAL
    - spi: spi-zynq-qspi: use wait_for_completion_timeout to make
      zynq_qspi_exec_mem_op not interruptible
    - EDAC/i10nm: Fix NVDIMM detection
    - drm/panfrost: Fix missing clk_disable_unprepare() on error in
      panfrost_clk_init()
    - media: TDA1997x: enable EDID support
    - soc: rockchip: ROCKCHIP_GRF should not default to y, unconditionally
    - media: cxd2880-spi: Fix an error handling path
    - bpf: Fix a typo of reuseport map in bpf.h.
    - bpf: Fix potential memleak and UAF in the verifier.
    - ARM: dts: aspeed-g6: Fix HVI3C function-group in pinctrl dtsi
    - arm64: dts: renesas: r8a77995: draak: Remove bogus adv7511w properties
    - soc: qcom: rpmhpd: Use corner in power_off
    - media: dvb-usb: fix uninit-value in dvb_usb_adapter_dvb_init
    - media: dvb-usb: fix uninit-value in vp702x_read_mac_addr
    - media: dvb-usb: Fix error handling in dvb_usb_i2c_init
    - media: go7007: remove redundant initialization
    - media: coda: fix frame_mem_ctrl for YUV420 and YVU420 formats
    - Bluetooth: sco: prevent information leak in sco_conn_defer_accept()
    - 6lowpan: iphc: Fix an off-by-one check of array index
    - netns: protect netns ID lookups with RCU
    - tcp: seq_file: Avoid skipping sk during tcp_seek_last_pos
    - ARM: dts: meson8: Use a higher default GPU clock frequency
    - ARM: dts: meson8b: odroidc1: Fix the pwm regulator supply properties
    - ARM: dts: meson8b: mxq: Fix the pwm regulator supply properties
    - ARM: dts: meson8b: ec100: Fix the pwm regulator supply properties
    - net/mlx5e: Prohibit inner indir TIRs in IPoIB
    - cgroup/cpuset: Fix a partition bug with hotplug
    - net: cipso: fix warnings in netlbl_cipsov4_add_std
    - i2c: highlander: add IRQ check
    - leds: lt3593: Put fwnode in any case during ->probe()
    - leds: trigger: audio: Add an activate callback to ensure the initial
      brightness is set
    - media: em28xx-input: fix refcount bug in em28xx_usb_disconnect
    - media: venus: venc: Fix potential null pointer dereference on pointer fmt
    - PCI: PM: Avoid forcing PCI_D0 for wakeup reasons inconsistently
    - PCI: PM: Enable PME if it can be signaled from D3cold
    - soc: qcom: smsm: Fix missed interrupts if state changes while masked
    - debugfs: Return error during {full/open}_proxy_open() on rmmod
    - Bluetooth: increase BTNAMSIZ to 21 chars to fix potential buffer overflow
    - PM: EM: Increase energy calculation precision
    - drm/msm/dpu: make dpu_hw_ctl_clear_all_blendstages clear necessary LMs
    - arm64: dts: exynos: correct GIC CPU interfaces address range on Exynos7
    - counter: 104-quad-8: Return error when invalid mode during ceiling_write
    - Bluetooth: fix repeated calls to sco_sock_kill
    - drm/msm/dsi: Fix some reference counted resource leaks
    - usb: gadget: udc: at91: add IRQ check
    - usb: phy: fsl-usb: add IRQ check
    - usb: phy: twl6030: add IRQ checks
    - usb: gadget: udc: renesas_usb3: Fix soc_device_match() abuse
    - usb: host: ohci-tmio: add IRQ check
    - usb: phy: tahvo: add IRQ check
    - mac80211: Fix insufficient headroom issue for AMSDU
    - lockd: Fix invalid lockowner cast after vfs_test_lock
    - nfsd4: Fix forced-expiry locking
    - usb: gadget: mv_u3d: request_irq() after initializing UDC
    - mm/swap: consider max pages in iomap_swapfile_add_extent
    - Bluetooth: add timeout sanity check to hci_inquiry
    - i2c: iop3xx: fix deferred probing
    - i2c: s3c2410: fix IRQ check
    - rsi: fix error code in rsi_load_9116_firmware()
    - rsi: fix an error code in rsi_probe()
    - ASoC: Intel: Skylake: Leave data as is when invoking TLV IPCs
    - ASoC: Intel: Skylake: Fix module resource and format selection
    - mmc: dw_mmc: Fix issue with uninitialized dma_slave_config
    - mmc: moxart: Fix issue with uninitialized dma_slave_config
    - bpf: Fix possible out of bound write in narrow load handling
    - CIFS: Fix a potencially linear read overflow
    - i2c: mt65xx: fix IRQ check
    - usb: ehci-orion: Handle errors of clk_prepare_enable() in probe
    - usb: bdc: Fix an error handling path in 'bdc_probe()' when no suitable DMA
      config is available
    - tty: serial: fsl_lpuart: fix the wrong mapbase value
    - ASoC: wcd9335: Fix a double irq free in the remove function
    - ASoC: wcd9335: Fix a memory leak in the error handling path of the probe
      function
    - ASoC: wcd9335: Disable irq on slave ports in the remove function
    - ath6kl: wmi: fix an error code in ath6kl_wmi_sync_point()
    - bcma: Fix memory leak for internally-handled cores
    - brcmfmac: pcie: fix oops on failure to resume and reprobe
    - ipv6: make exception cache less predictible
    - ipv4: make exception cache less predictible
    - net: sched: Fix qdisc_rate_table refcount leak when get tcf_block failed
    - net: qualcomm: fix QCA7000 checksum handling
    - octeontx2-af: Fix loop in free and unmap counter
    - ipv4: fix endianness issue in inet_rtm_getroute_build_skb()
    - bpf: Introduce BPF nospec instruction for mitigating Spectre v4
    - bpf: Fix leakage due to insufficient speculative store bypass mitigation
    - bpf: verifier: Allocate idmap scratch in verifier env
    - bpf: Fix pointer arithmetic mask tightening under state pruning
    - tty: Fix data race between tiocsti() and flush_to_ldisc()
    - perf/x86/amd/ibs: Extend PERF_PMU_CAP_NO_EXCLUDE to IBS Op
    - x86/resctrl: Fix a maybe-uninitialized build warning treated as error
    - KVM: s390: index kvm->arch.idle_mask by vcpu_idx
    - KVM: x86: Update vCPU's hv_clock before back to guest when tsc_offset is
      adjusted
    - KVM: nVMX: Unconditionally clear nested.pi_pending on nested VM-Enter
    - fuse: truncate pagecache on atomic_o_trunc
    - fuse: flush extending writes
    - IMA: remove -Wmissing-prototypes warning
    - IMA: remove the dependency on CRYPTO_MD5
    - fbmem: don't allow too huge resolutions
    - backlight: pwm_bl: Improve bootloader/kernel device handover
    - clk: kirkwood: Fix a clocking boot regression
    - Linux 5.4.146

* AMD A8-7680 (amdgpu): broken Xorg acceleration and hibernation
    (LP: #1920674) // Focal update: v5.4.146 upstream stable release
    (LP: #1946024)
    - drm/amdgpu/acp: Make PM domain really work

* Focal update: v5.4.145 upstream stable release (LP: #1945517)
    - fscrypt: add fscrypt_symlink_getattr() for computing st_size
    - ext4: report correct st_size for encrypted symlinks
    - f2fs: report correct st_size for encrypted symlinks
    - ubifs: report correct st_size for encrypted symlinks
    - kthread: Fix PF_KTHREAD vs to_kthread() race
    - xtensa: fix kconfig unmet dependency warning for HAVE_FUTEX_CMPXCHG
    - gpu: ipu-v3: Fix i.MX IPU-v3 offset calculations for (semi)planar U/V
      formats
    - reset: reset-zynqmp: Fixed the argument data type
    - qed: Fix the VF msix vectors flow
    - net: macb: Add a NULL check on desc_ptp
    - qede: Fix memset corruption
    - perf/x86/intel/pt: Fix mask of num_address_ranges
    - perf/x86/amd/ibs: Work around erratum #1197
    - perf/x86/amd/power: Assign pmu.module
    - cryptoloop: add a deprecation warning
    - ARM: 8918/2: only build return_address() if needed
    - ALSA: hda/realtek: Workaround for conflicting SSID on ASUS ROG Strix G17
    - ALSA: pcm: fix divide error in snd_pcm_lib_ioctl
    - ARC: wireup clone3 syscall
    - media: stkwebcam: fix memory leak in stk_camera_probe
    - igmp: Add ip_mc_list lock in ip_check_mc_rcu
    - USB: serial: mos7720: improve OOM-handling in read_mos_reg()
    - ipv4/icmp: l3mdev: Perform icmp error route lookup on source device routing
      table (v2)
    - powerpc/boot: Delete unneeded .globl _zimage_start
    - net: ll_temac: Remove left-over debug message
    - mm/page_alloc: speed up the iteration of max_order
    - Revert "r8169: avoid link-up interrupt issue on RTL8106e if user enables
      ASPM"
    - x86/events/amd/iommu: Fix invalid Perf result due to IOMMU PMC power-gating
    - Revert "btrfs: compression: don't try to compress if we don't have enough
      pages"
    - ALSA: usb-audio: Add registration quirk for JBL Quantum 800
    - usb: host: xhci-rcar: Don't reload firmware after the completion
    - usb: mtu3: use @mult for HS isoc or intr
    - usb: mtu3: fix the wrong HS mult value
    - xhci: fix unsafe memory usage in xhci tracing
    - x86/reboot: Limit Dell Optiplex 990 quirk to early BIOS versions
    - PCI: Call Max Payload Size-related fixup quirks early
    - Linux 5.4.145

* Focal update: v5.4.144 upstream stable release (LP: #1944756)
    - net: qrtr: fix another OOB Read in qrtr_endpoint_post
    - ARC: Fix CONFIG_STACKDEPOT
    - netfilter: conntrack: collect all entries in one cycle
    - once: Fix panic when module unload
    - ovl: fix uninitialized pointer read in ovl_lookup_real_one()
    - mmc: sdhci-msm: Update the software timeout value for sdhc
    - mm, oom: make the calculation of oom badness more accurate
    - can: usb: esd_usb2: esd_usb2_rx_event(): fix the interchange of the CAN RX
      and TX error counters
    - Revert "USB: serial: ch341: fix character loss at high transfer rates"
    - USB: serial: option: add new VID/PID to support Fibocom FG150
    - usb: dwc3: gadget: Fix dwc3_calc_trbs_left()
    - usb: dwc3: gadget: Stop EP0 transfers during pullup disable
    - scsi: core: Fix hang of freezing queue between blocking and running device
    - RDMA/bnxt_re: Add missing spin lock initialization
    - IB/hfi1: Fix possible null-pointer dereference in _extend_sdma_tx_descs()
    - e1000e: Fix the max snoop/no-snoop latency for 10M
    - RDMA/efa: Free IRQ vectors on error flow
    - ip_gre: add validation for csum_start
    - xgene-v2: Fix a resource leak in the error handling path of 'xge_probe()'
    - net: marvell: fix MVNETA_TX_IN_PRGRS bit number
    - rtnetlink: Return correct error on changing device netns
    - net: hns3: clear hardware resource when loading driver
    - net: hns3: fix duplicate node in VLAN list
    - net: hns3: fix get wrong pfc_en when query PFC configuration
    - drm/i915: Fix syncmap memory leak
    - usb: gadget: u_audio: fix race condition on endpoint stop
    - perf/x86/intel/uncore: Fix integer overflow on 23 bit left shift of a u32
    - opp: remove WARN when no valid OPPs remain
    - virtio: Improve vq->broken access to avoid any compiler optimization
    - virtio_pci: Support surprise removal of virtio pci device
    - vringh: Use wiov->used to check for read/write desc order
    - qed: qed ll2 race condition fixes
    - qed: Fix null-pointer dereference in qed_rdma_create_qp()
    - drm: Copy drm_wait_vblank to user before returning
    - drm/nouveau/disp: power down unused DP links during init
    - net/rds: dma_map_sg is entitled to merge entries
    - btrfs: fix race between marking inode needs to be logged and log syncing
    - vt_kdsetmode: extend console locking
    - bpf: Track contents of read-only maps as scalars
    - bpf: Fix cast to pointer from integer of different size warning
    - net: dsa: mt7530: fix VLAN traffic leaks again
    - KVM: x86/mmu: Treat NX as used (not reserved) for all !TDP shadow MMUs
    - arm64: dts: qcom: msm8994-angler: Fix gpio-reserved-ranges 85-88
    - btrfs: fix NULL pointer dereference when deleting device by invalid id
    - Revert "floppy: reintroduce O_NDELAY fix"
    - Revert "parisc: Add assembly implementations for memset, strlen, strcpy,
      strncpy and strcat"
    - net: don't unconditionally copy_from_user a struct ifreq for socket ioctls
    - audit: move put_tree() to avoid trim_trees refcount underflow and UAF
    - Linux 5.4.144

-- Kelsey Skunberg <kelsey.skunberg@canonical.com>  Fri, 15 Oct 2021 11:56:24 -0600

Changed in linux (Ubuntu Focal):
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

Duplicates of this bug

Bug #1944005

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntulinux package

kernel bug found when disconnecting one fiber channel interface on Cisco Chassis with fnic DRV_VERSION "1.6.0.47"

Bug Description

CVE References

Duplicates of this bug

Other bug subscribers

Remote bug watches

Ubuntu
linux package