Bug #1668042 “[Xenial - 16.04 ]Bonding driver - stack corruption...” : Trusty (14.04) : Bugs : linux package : Ubuntu

Revision history for this message

Brad Figg (brad-figg) wrote on 2017-02-26: Missing required logs.

#1

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1668042

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status:	New → Incomplete

Joseph Salisbury (jsalisbury) on 2017-02-27

Changed in linux (Ubuntu):
importance:	Undecided → High
tags:	added: kernel-da-key

Joseph Salisbury (jsalisbury) on 2017-02-27

Changed in linux (Ubuntu):
status:	Incomplete → In Progress
Changed in linux (Ubuntu Xenial):
status:	New → In Progress
importance:	Undecided → High
Changed in linux (Ubuntu):
assignee:	nobody → Joseph Salisbury (jsalisbury)
Changed in linux (Ubuntu Xenial):
assignee:	nobody → Joseph Salisbury (jsalisbury)

Revision history for this message

Joseph Salisbury (jsalisbury) wrote on 2017-02-27:

#2

I built a Xenial test kernel with a pick of commit 1533e77315220dc1d5ec3bd6d9fe32e2aa0a74c0. The test kernel can be downloaded from:

http://kernel.ubuntu.com/~jsalisbury/lp1668042/

Can you test this kernel and see if it resolves this bug?

Revision history for this message

Talat Batheesh (talat-b87) wrote on 2017-02-28:

#3

Thank you, will test and update.
By the way, i sent the patch to <email address hidden>.

Thank you,
Talat

Revision history for this message

Talat Batheesh (talat-b87) wrote on 2017-02-28:

#4

Could you please add this fix also to trusty?

no longer affects:	linux-lts-trusty (Ubuntu)
no longer affects:	linux-lts-trusty (Ubuntu Xenial)

Revision history for this message

Talat Batheesh (talat-b87) wrote on 2017-02-28:

#5

Thank you, the fix works as expected in Xenial.

tags:

added: verification-done

Joseph Salisbury (jsalisbury) on 2017-02-28

Changed in linux (Ubuntu Trusty):
status:	New → In Progress
importance:	Undecided → High
assignee:	nobody → Joseph Salisbury (jsalisbury)
tags:	added: trusty

Thadeu Lima de Souza Cascardo (cascardo) on 2017-03-14

Changed in linux (Ubuntu Xenial):
status:	In Progress → Fix Committed

Revision history for this message

Thadeu Lima de Souza Cascardo (cascardo) wrote on 2017-03-21:

#6

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'. If the problem still exists, change the tag 'verification-needed-xenial' to 'verification-failed-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: verification-needed-xenial

Revision history for this message

Joseph Salisbury (jsalisbury) wrote on 2017-03-22:

#7

I backported commit 1533e77315220 to Trusty and built a test kernel. The test kernel can be downloaded from:

http://kernel.ubuntu.com/~jsalisbury/lp1668042/trusty

Can you test this kernel and see if it resolves this bug for Trusty?

Revision history for this message

Talat Batheesh (talat-b87) wrote on 2017-03-29:

#8

Thanks,
Tested and the fix is working properly.

Talat

tags:

removed: verification-needed-xenial

Thadeu Lima de Souza Cascardo (cascardo) on 2017-04-03

Changed in linux (Ubuntu Trusty):
status:	In Progress → Fix Committed

Joseph Salisbury (jsalisbury) on 2017-04-04

Changed in linux (Ubuntu):
status:	In Progress → Fix Committed

Revision history for this message

Kleber Sacilotto de Souza (kleber-souza) wrote on 2017-04-13:

#9

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-trusty' to 'verification-done-trusty'. If the problem still exists, change the tag 'verification-needed-trusty' to 'verification-failed-trusty'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:	added: verification-needed-trusty
tags:	added: verification-needed-xenial

Revision history for this message

Kleber Sacilotto de Souza (kleber-souza) wrote on 2017-04-13:

#10

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'. If the problem still exists, change the tag 'verification-needed-xenial' to 'verification-failed-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

Revision history for this message

Po-Hsu Lin (cypressyew) wrote on 2017-04-18:

#11

Changing tags as per comment #5 and #8

tags:

added: verification-done-trusty verification-done-xenial
removed: verification-done verification-needed-trusty verification-needed-xenial

Revision history for this message

Launchpad Janitor (janitor) wrote on 2017-04-24:

#12

This bug was fixed in the package linux - 3.13.0-117.164

---------------
linux (3.13.0-117.164) trusty; urgency=low

* linux: 3.13.0-117.164 -proposed tracker (LP: #1680733)

* CVE-2017-6353
- sctp: deny peeloff operation on asocs with threads sleeping on it

* CVE-2017-5986
- sctp: avoid BUG_ON on sctp_wait_for_sndbuf

  * Update ENA driver to 1.1.2 from net-next (LP: #1664312)
    - net: ena: Remove unnecessary pci_set_drvdata()
    - net: ena: Fix error return code in ena_device_init()
    - net: ena: change the return type of ena_set_push_mode() to be void.
    - net: ena: use setup_timer() and mod_timer()
    - net/ena: remove ntuple filter support from device feature list
    - net/ena: fix queues number calculation
    - net/ena: fix ethtool RSS flow configuration
    - net/ena: fix RSS default hash configuration
    - net/ena: fix NULL dereference when removing the driver after device reset
      failed
    - net/ena: refactor ena_get_stats64 to be atomic context safe
    - net/ena: fix potential access to freed memory during device reset
    - net/ena: use READ_ONCE to access completion descriptors
    - net/ena: reduce the severity of ena printouts
    - net/ena: change driver's default timeouts
    - net/ena: change condition for host attribute configuration
    - net/ena: update driver version to 1.1.2

  * [Xenial - 16.04 ]Bonding driver - stack corruption when trying to copy 20
    bytes to a sockaddr (LP: #1668042)
    - net/bonding: Enforce active-backup policy for IPoIB bonds

  * stress_smoke_test passing and exiting rc=9 (linux 4.9.0-12.13 ADT test
    failure with linux 4.9.0-12.13) (LP: #1658633)
    - ext4: lock the xattr block before checksuming it

* vmxnet3 LRO IPv6 performance issues (stalling TCP) (LP: #1605494)
- Driver: Vmxnet3: set CHECKSUM_UNNECESSARY for IPv6 packets

* move aufs.ko from -extra to linux-image package (LP: #1673498)
- [config] aufs.ko moved to linux-image package

  * lsattr 32bit does not work on 64bit kernel (Inappropriate ioctl error)
    (LP: #1619918)
    - btrfs: fix btrfs_compat_ioctl failures on non-compat ioctls

-- Kleber Sacilotto de Souza <email address hidden> Thu, 06 Apr 2017 17:52:50 +0100

This bug was fixed in the package linux - 3.13.0-117.164

---------------
linux (3.13.0-117.164) trusty; urgency=low

* linux: 3.13.0-117.164 -proposed tracker (LP: #1680733)

* CVE-2017-6353
    - sctp: deny peeloff operation on asocs with threads sleeping on it

* CVE-2017-5986
    - sctp: avoid BUG_ON on sctp_wait_for_sndbuf

* Update ENA driver to 1.1.2 from net-next (LP: #1664312)
    - net: ena: Remove unnecessary pci_set_drvdata()
    - net: ena: Fix error return code in ena_device_init()
    - net: ena: change the return type of ena_set_push_mode() to be void.
    - net: ena: use setup_timer() and mod_timer()
    - net/ena: remove ntuple filter support from device feature list
    - net/ena: fix queues number calculation
    - net/ena: fix ethtool RSS flow configuration
    - net/ena: fix RSS default hash configuration
    - net/ena: fix NULL dereference when removing the driver after device reset
      failed
    - net/ena: refactor ena_get_stats64 to be atomic context safe
    - net/ena: fix potential access to freed memory during device reset
    - net/ena: use READ_ONCE to access completion descriptors
    - net/ena: reduce the severity of ena printouts
    - net/ena: change driver's default timeouts
    - net/ena: change condition for host attribute configuration
    - net/ena: update driver version to 1.1.2

* [Xenial - 16.04 ]Bonding driver - stack corruption when trying to copy 20
    bytes to a sockaddr (LP: #1668042)
    - net/bonding: Enforce active-backup policy for IPoIB bonds

* stress_smoke_test passing and exiting rc=9 (linux 4.9.0-12.13 ADT test
    failure with linux 4.9.0-12.13) (LP: #1658633)
    - ext4: lock the xattr block before checksuming it

* vmxnet3 LRO IPv6 performance issues (stalling TCP) (LP: #1605494)
    - Driver: Vmxnet3: set CHECKSUM_UNNECESSARY for IPv6 packets

* move aufs.ko from -extra to linux-image package (LP: #1673498)
    - [config] aufs.ko moved to linux-image package

* lsattr 32bit does not work on 64bit kernel (Inappropriate ioctl error)
    (LP: #1619918)
    - btrfs: fix btrfs_compat_ioctl failures on non-compat ioctls

-- Kleber Sacilotto de Souza <kleber.souza@canonical.com>  Thu, 06 Apr 2017 17:52:50 +0100

Changed in linux (Ubuntu Trusty):
status:	Fix Committed → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2017-04-24:

#13

Download full text (29.1 KiB)

This bug was fixed in the package linux - 4.4.0-75.96

---------------
linux (4.4.0-75.96) xenial; urgency=low

* linux: 4.4.0-75.96 -proposed tracker (LP: #1684441)

  * [Hyper-V] hv: util: move waiting for release to hv_utils_transport itself
    (LP: #1682561)
    - Drivers: hv: util: move waiting for release to hv_utils_transport itself

linux (4.4.0-74.95) xenial; urgency=low

* linux: 4.4.0-74.95 -proposed tracker (LP: #1682041)

  * [Hyper-V] hv: vmbus: Raise retry/wait limits in vmbus_post_msg()
    (LP: #1681893)
    - Drivers: hv: vmbus: Raise retry/wait limits in vmbus_post_msg()

linux (4.4.0-73.94) xenial; urgency=low

* linux: 4.4.0-73.94 -proposed tracker (LP: #1680416)

* CVE-2017-6353
- sctp: deny peeloff operation on asocs with threads sleeping on it

* vfat: missing iso8859-1 charset (LP: #1677230)
- [Config] NLS_ISO8859_1=y

* Regression: KVM modules should be on main kernel package (LP: #1678099)
- [Config] powerpc: Add kvm-hv and kvm-pr to the generic inclusion list

  * linux-lts-xenial 4.4.0-63.84~14.04.2 ADT test failure with linux-lts-xenial
    4.4.0-63.84~14.04.2 (LP: #1664912)
    - SAUCE: apparmor: fix link auditing failure due to, uninitialized var

* regession tests failing after stackprofile test is run (LP: #1661030)
- SAUCE: fix regression with domain change in complain mode

  * Permission denied and inconsistent behavior in complain mode with 'ip netns
    list' command (LP: #1648903)
    - SAUCE: fix regression with domain change in complain mode

  * unexpected errno=13 and disconnected path when trying to open /proc/1/ns/mnt
    from a unshared mount namespace (LP: #1656121)
    - SAUCE: apparmor: null profiles should inherit parent control flags

  * apparmor refcount leak of profile namespace when removing profiles
    (LP: #1660849)
    - SAUCE: apparmor: fix ns ref count link when removing profiles from policy

  * tor in lxd: apparmor="DENIED" operation="change_onexec"
    namespace="root//CONTAINERNAME_<var-lib-lxd>" profile="unconfined"
    name="system_tor" (LP: #1648143)
    - SAUCE: apparmor: Fix no_new_privs blocking change_onexec when using stacked
      namespaces

* apparmor oops in bind_mnt when dev_path lookup fails (LP: #1660840)
- SAUCE: apparmor: fix oops in bind_mnt when dev_path lookup fails

  * apparmor auditing denied access of special apparmor .null fi\ le
    (LP: #1660836)
    - SAUCE: apparmor: Don't audit denied access of special apparmor .null file

* apparmor label leak when new label is unused (LP: #1660834)
- SAUCE: apparmor: fix label leak when new label is unused

* apparmor reference count bug in label_merge_insert() (LP: #1660833)
- SAUCE: apparmor: fix reference count bug in label_merge_insert()

* apparmor's raw_data file in securityfs is sometimes truncated (LP: #1638996)
- SAUCE: apparmor: fix replacement race in reading rawdata

  * unix domain socket cross permission check failing with nested namespaces
    (LP: #1660832)
    - SAUCE: apparmor: fix cross ns perm of unix domain sockets

  * Xenial update to v4.4.59 stable release (LP: #1678960)
    - xfrm: policy: init locks early
    - virtio_balloon: init ...

This bug was fixed in the package linux - 4.4.0-75.96

---------------
linux (4.4.0-75.96) xenial; urgency=low

* linux: 4.4.0-75.96 -proposed tracker (LP: #1684441)

* [Hyper-V] hv: util: move waiting for release to hv_utils_transport itself
    (LP: #1682561)
    - Drivers: hv: util: move waiting for release to hv_utils_transport itself

linux (4.4.0-74.95) xenial; urgency=low

* linux: 4.4.0-74.95 -proposed tracker (LP: #1682041)

* [Hyper-V] hv: vmbus: Raise retry/wait limits in vmbus_post_msg()
    (LP: #1681893)
    - Drivers: hv: vmbus: Raise retry/wait limits in vmbus_post_msg()

linux (4.4.0-73.94) xenial; urgency=low

* linux: 4.4.0-73.94 -proposed tracker (LP: #1680416)

* CVE-2017-6353
    - sctp: deny peeloff operation on asocs with threads sleeping on it

* vfat: missing iso8859-1 charset (LP: #1677230)
    - [Config] NLS_ISO8859_1=y

* Regression: KVM modules should be on main kernel package (LP: #1678099)
    - [Config] powerpc: Add kvm-hv and kvm-pr to the generic inclusion list

* linux-lts-xenial 4.4.0-63.84~14.04.2 ADT test failure with linux-lts-xenial
    4.4.0-63.84~14.04.2 (LP: #1664912)
    - SAUCE: apparmor: fix link auditing failure due to, uninitialized var

* regession tests failing after stackprofile test is run (LP: #1661030)
    - SAUCE: fix regression with domain change in complain mode

* Permission denied and inconsistent behavior in complain mode with 'ip netns
    list' command (LP: #1648903)
    - SAUCE: fix regression with domain change in complain mode

* unexpected errno=13 and disconnected path when trying to open /proc/1/ns/mnt
    from a unshared mount namespace (LP: #1656121)
    - SAUCE: apparmor: null profiles should inherit parent control flags

* apparmor refcount leak of profile namespace when removing profiles
    (LP: #1660849)
    - SAUCE: apparmor: fix ns ref count link when removing profiles from policy

* tor in lxd: apparmor="DENIED" operation="change_onexec"
    namespace="root//CONTAINERNAME_<var-lib-lxd>" profile="unconfined"
    name="system_tor" (LP: #1648143)
    - SAUCE: apparmor: Fix no_new_privs blocking change_onexec when using stacked
      namespaces

* apparmor oops in bind_mnt when dev_path lookup fails (LP: #1660840)
    - SAUCE: apparmor: fix oops in bind_mnt when dev_path lookup fails

* apparmor  auditing denied access of special apparmor .null fi\ le
    (LP: #1660836)
    - SAUCE: apparmor: Don't audit denied access of special apparmor .null file

* apparmor label leak when new label is unused (LP: #1660834)
    - SAUCE: apparmor: fix label leak when new label is unused

* apparmor reference count bug in label_merge_insert() (LP: #1660833)
    - SAUCE: apparmor: fix reference count bug in label_merge_insert()

* apparmor's raw_data file in securityfs is sometimes truncated (LP: #1638996)
    - SAUCE: apparmor: fix replacement race in reading rawdata

* unix domain socket cross permission check failing with nested namespaces
    (LP: #1660832)
    - SAUCE: apparmor: fix cross ns perm of unix domain sockets

* Xenial update to v4.4.59 stable release (LP: #1678960)
    - xfrm: policy: init locks early
    - virtio_balloon: init 1st buffer in stats vq
    - pinctrl: qcom: Don't clear status bit on irq_unmask
    - c6x/ptrace: Remove useless PTRACE_SETREGSET implementation
    - h8300/ptrace: Fix incorrect register transfer count
    - mips/ptrace: Preserve previous registers for short regset write
    - sparc/ptrace: Preserve previous registers for short regset write
    - metag/ptrace: Preserve previous registers for short regset write
    - metag/ptrace: Provide default TXSTATUS for short NT_PRSTATUS
    - metag/ptrace: Reject partial NT_METAG_RPIPE writes
    - fscrypt: remove broken support for detecting keyring key revocation
    - sched/rt: Add a missing rescheduling point
    - Linux 4.4.59

* Update ENA driver to 1.1.2 from net-next (LP: #1664312)
    - net: ena: Remove unnecessary pci_set_drvdata()
    - net: ena: Fix error return code in ena_device_init()
    - net: ena: change the return type of ena_set_push_mode() to be void.
    - net: ena: use setup_timer() and mod_timer()
    - net/ena: remove ntuple filter support from device feature list
    - net/ena: fix queues number calculation
    - net/ena: fix ethtool RSS flow configuration
    - net/ena: fix RSS default hash configuration
    - net/ena: fix NULL dereference when removing the driver after device reset
      failed
    - net/ena: refactor ena_get_stats64 to be atomic context safe
    - net/ena: fix potential access to freed memory during device reset
    - net/ena: use READ_ONCE to access completion descriptors
    - net/ena: reduce the severity of ena printouts
    - net/ena: change driver's default timeouts
    - net/ena: change condition for host attribute configuration
    - net/ena: update driver version to 1.1.2

* Xenial update to v4.4.58 stable release (LP: #1677600)
    - net/openvswitch: Set the ipv6 source tunnel key address attribute correctly
    - net: bcmgenet: Do not suspend PHY if Wake-on-LAN is enabled
    - net: properly release sk_frag.page
    - amd-xgbe: Fix jumbo MTU processing on newer hardware
    - net: unix: properly re-increment inflight counter of GC discarded candidates
    - net/mlx5: Increase number of max QPs in default profile
    - net/mlx5e: Count LRO packets correctly
    - net: bcmgenet: remove bcmgenet_internal_phy_setup()
    - ipv4: provide stronger user input validation in nl_fib_input()
    - socket, bpf: fix sk_filter use after free in sk_clone_lock
    - tcp: initialize icsk_ack.lrcvtime at session start time
    - Input: elan_i2c - add ASUS EeeBook X205TA special touchpad fw
    - Input: i8042 - add noloop quirk for Dell Embedded Box PC 3000
    - Input: iforce - validate number of endpoints before using them
    - Input: ims-pcu - validate number of endpoints before using them
    - Input: hanwang - validate number of endpoints before using them
    - Input: yealink - validate number of endpoints before using them
    - Input: cm109 - validate number of endpoints before using them
    - Input: kbtab - validate number of endpoints before using them
    - Input: sur40 - validate number of endpoints before using them
    - ALSA: seq: Fix racy cell insertions during snd_seq_pool_done()
    - ALSA: ctxfi: Fix the incorrect check of dma_set_mask() call
    - ALSA: hda - Adding a group of pin definition to fix headset problem
    - USB: serial: option: add Quectel UC15, UC20, EC21, and EC25 modems
    - USB: serial: qcserial: add Dell DW5811e
    - ACM gadget: fix endianness in notifications
    - usb: gadget: f_uvc: Fix SuperSpeed companion descriptor's wBytesPerInterval
    - usb-core: Add LINEAR_FRAME_INTR_BINTERVAL USB quirk
    - USB: uss720: fix NULL-deref at probe
    - USB: lvtest: fix NULL-deref at probe
    - USB: idmouse: fix NULL-deref at probe
    - USB: wusbcore: fix NULL-deref at probe
    - usb: musb: cppi41: don't check early-TX-interrupt for Isoch transfer
    - usb: hub: Fix crash after failure to read BOS descriptor
    - uwb: i1480-dfu: fix NULL-deref at probe
    - uwb: hwa-rc: fix NULL-deref at probe
    - mmc: ushc: fix NULL-deref at probe
    - iio: adc: ti_am335x_adc: fix fifo overrun recovery
    - iio: hid-sensor-trigger: Change get poll value function order to avoid
      sensor properties losing after resume from S3
    - parport: fix attempt to write duplicate procfiles
    - ext4: mark inode dirty after converting inline directory
    - mmc: sdhci: Do not disable interrupts while waiting for clock
    - xen/acpi: upload PM state from init-domain to Xen
    - iommu/vt-d: Fix NULL pointer dereference in device_to_iommu
    - ARM: at91: pm: cpu_idle: switch DDR to power-down mode
    - ARM: dts: at91: sama5d2: add dma properties to UART nodes
    - cpufreq: Restore policy min/max limits on CPU online
    - raid10: increment write counter after bio is split
    - libceph: don't set weight to IN when OSD is destroyed
    - xfs: don't allow di_size with high bit set
    - xfs: fix up xfs_swap_extent_forks inline extent handling
    - nl80211: fix dumpit error path RTNL deadlocks
    - USB: usbtmc: add missing endpoint sanity check
    - xfs: clear _XBF_PAGES from buffers when readahead page
    - igb: add i211 to i210 PHY workaround
    - vfio/spapr: Postpone allocation of userspace version of TCE table
    - block: allow WRITE_SAME commands with the SG_IO ioctl
    - fbcon: Fix vc attr at deinit
    - crypto: algif_hash - avoid zero-sized array
    - Linux 4.4.58

* PS/2 mouse does not work on Dell embedded computer (LP: #1591053)
    - Input: i8042 - add noloop quirk for Dell Embedded Box PC 3000

* Xenial update to v4.4.57 stable release (LP: #1676424)
    - give up on gcc ilog2() constant optimizations
    - perf/core: Fix event inheritance on fork()
    - cpufreq: Fix and clean up show_cpuinfo_cur_freq()
    - powerpc/boot: Fix zImage TOC alignment
    - md/raid1/10: fix potential deadlock
    - target/pscsi: Fix TYPE_TAPE + TYPE_MEDIMUM_CHANGER export
    - scsi: lpfc: Add shutdown method for kexec
    - scsi: libiscsi: add lock around task lists to fix list corruption regression
    - target: Fix VERIFY_16 handling in sbc_parse_cdb
    - isdn/gigaset: fix NULL-deref at probe
    - gfs2: Avoid alignment hole in struct lm_lockname
    - percpu: acquire pcpu_lock when updating pcpu_nr_empty_pop_pages
    - ext4: fix fencepost in s_first_meta_bg validation
    - Linux 4.4.57

* Xenial update to v4.4.56 stable release (LP: #1675789)
    - netlink: remove mmapped netlink support
    - [Config] CONFIG_NETLINK_MMAP disappeared
    - vxlan: correctly validate VXLAN ID against VXLAN_N_VID
    - vti6: return GRE_KEY for vti6
    - ipv4: mask tos for input route
    - l2tp: avoid use-after-free caused by l2tp_ip_backlog_recv
    - net: don't call strlen() on the user buffer in packet_bind_spkt()
    - net: net_enable_timestamp() can be called from irq contexts
    - dccp: Unlock sock before calling sk_free()
    - tcp: fix various issues for sockets morphing to listen state
    - net: fix socket refcounting in skb_complete_wifi_ack()
    - net: fix socket refcounting in skb_complete_tx_timestamp()
    - dccp: fix use-after-free in dccp_feat_activate_values
    - vrf: Fix use-after-free in vrf_xmit
    - uapi: fix linux/packet_diag.h userspace compilation error
    - act_connmark: avoid crashing on malformed nlattrs with null parms
    - mpls: Send route delete notifications when router module is unloaded
    - ipv6: make ECMP route replacement less greedy
    - ipv6: avoid write to a possibly cloned skb
    - dccp/tcp: fix routing redirect race
    - dccp: fix memory leak during tear-down of unsuccessful connection request
    - net sched actions: decrement module reference count after table flush.
    - fscrypt: fix renaming and linking special files
    - fscrypto: lock inode while setting encryption policy
    - x86/kasan: Fix boot with KASAN=y and PROFILE_ANNOTATED_BRANCHES=y
    - x86/perf: Fix CR4.PCE propagation to use active_mm instead of mm
    - futex: Fix potential use-after-free in FUTEX_REQUEUE_PI
    - futex: Add missing error handling to FUTEX_REQUEUE_PI
    - Linux 4.4.56

* Kernel linux-image-4.4.0-67-generic prevent the boot on Microsoft Hyper-v
    2012r2 Gen2 VM (LP: #1674635)
    - scsi: storvsc: Workaround for virtual DVD SCSI version

* [Hyper-V][Mellanox] net/mlx4_core: Avoid delays during VF driver device
    shutdown (LP: #1672785)
    - net/mlx4_core: Avoid delays during VF driver device shutdown

* Channel data values for IIO based st_sensors (st_accel, st_pressure) are
    incorrect (LP: #1676356)
    - iio: core: added support for IIO_VAL_INT
    - iio: st_sensors: simplify buffer address handling
    - iio: st_sensors: read each channel individually
    - iio:st_sensors: emulate SMBus block read if needed
    - iio:st_sensors: align on storagebits boundaries
    - iio:st_pressure: temperature triggered buffering
    - iio:st_pressure: clean useless static channel initializers
    - iio: st_pressure: Fix data sign

* Enable lspcon on i915 (LP: #1676747)
    - drm: Helper for lspcon in drm_dp_dual_mode
    - drm/i915: Add lspcon support for I915 driver
    - drm/i915: Parse VBT data for lspcon
    - drm/i915: Enable lspcon initialization
    - drm/i915: Add lspcon resume function

* stress_smoke_test passing and exiting rc=9 (linux 4.9.0-12.13 ADT test
    failure with linux 4.9.0-12.13) (LP: #1658633)
    - ext4: lock the xattr block before checksuming it

* Fix line-out port noise on Baytrail-I with RT5660 based sound card
    (LP: #1675327)
    - SAUCE: (no-up): ASoC: Intel: bytcr-rt5660: Fix noise in line-out

* Kernel 4.4.0-67 Defaults to ACPI-cpufreq rather than P-State - Dell
    Precision 5520  (LP: #1674390)
    - cpufreq: intel_pstate: Enable HWP by default

* ip_rcv_finish() NULL pointer kernel panic (LP: #1672470)
    - bridge: drop netfilter fake rtable unconditionally

* dm-queue-length module is not included in installer/initramfs (LP: #1673350)
    - d-i: Also add dm-queue-length to multipath modules

* Broadcom bluetooth modules sometimes fail to initialize (LP: #1483101)
    - Bluetooth: btbcm: Add a delay for module reset

* Need support of Broadcom bluetooth device [413c:8143] (LP: #1166113)
    - Bluetooth: btusb: Add support for 413c:8143

* i40e Intel X710 error during device probe prevents link set up and ip
    association (LP: #1672550)
    - i40e: check for and deal with non-contiguous TCs

* CIFS: Call echo service immediately after socket reconnect (LP: #1669941)
    - Call echo service immediately after socket reconnect

* FC Adapter (LPe32000-based) prints "iotag out of range", goes offline, and
    delays boot a lot (Ubuntu17.04/Emulex/lpfc)) (LP: #1670490)
    - scsi: lpfc: Add missing memory barrier

* No C-State Deeper than C3 utilized by Kaby Lake 7820HQ in Precision 5520
    (LP: #1672439)
    - intel_idle: Add KBL support

* [Hyper-V] Missing PCI patches breaking SR-IOV hot remove (LP: #1670518)
    - PCI: hv: Fix hv_pci_remove() for hot-remove
    - PCI: hv: Delete the device earlier from hbus->children for hot-remove
    - PCI: hv: Make unnecessarily global IRQ masking functions static
    - PCI: hv: Allocate physically contiguous hypercall params buffer

* Xenial update to v4.4.55 stable release (LP: #1674292)
    - USB: serial: digi_acceleport: fix OOB data sanity check
    - USB: serial: digi_acceleport: fix OOB-event processing
    - crypto: improve gcc optimization flags for serpent and wp512
    - MIPS: Update defconfigs for NF_CT_PROTO_DCCP/UDPLITE change
    - MIPS: ip27: Disable qlge driver in defconfig
    - MIPS: Update ip27_defconfig for SCSI_DH change
    - MIPS: ip22: Fix ip28 build for modern gcc
    - MIPS: Update lemote2f_defconfig for CPU_FREQ_STAT change
    - mtd: pmcmsp: use kstrndup instead of kmalloc+strncpy
    - MIPS: ralink: Cosmetic change to prom_init().
    - MIPS: ralink: Remove unused rt*_wdt_reset functions
    - cpmac: remove hopeless #warning
    - mm: memcontrol: avoid unused function warning
    - MIPS: DEC: Avoid la pseudo-instruction in delay slots
    - MIPS: Netlogic: Fix CP0_EBASE redefinition warnings
    - tracing: Add #undef to fix compile error
    - powerpc: Emulation support for load/store instructions on LE
    - usb: gadget: dummy_hcd: clear usb_gadget region before registration
    - usb: dwc3: gadget: make Set Endpoint Configuration macros safe
    - usb: gadget: function: f_fs: pass companion descriptor along
    - usb: host: xhci-dbg: HCIVERSION should be a binary number
    - usb: host: xhci-plat: Fix timeout on removal of hot pluggable xhci
      controllers
    - USB: serial: safe_serial: fix information leak in completion handler
    - USB: serial: omninet: fix reference leaks at open
    - USB: iowarrior: fix NULL-deref at probe
    - USB: iowarrior: fix NULL-deref in write
    - USB: serial: io_ti: fix NULL-deref in interrupt callback
    - USB: serial: io_ti: fix information leak in completion handler
    - serial: samsung: Continue to work if DMA request fails
    - mvsas: fix misleading indentation
    - KVM: s390: Fix guest migration for huge guests resulting in panic
    - s390/kdump: Use "LINUX" ELF note name instead of "CORE"
    - nfit, libnvdimm: fix interleave set cookie calculation
    - dm: flush queued bios when process blocks to avoid deadlock
    - ext4: don't BUG when truncating encrypted inodes on the orphan list
    - Linux 4.4.55

* Xenial update to v4.4.54 stable release (LP: #1673541)
    - serial: 8250_pci: Add MKS Tenta SCOM-0800 and SCOM-0801 cards
    - KVM: s390: Disable dirty log retrieval for UCONTROL guests
    - KVM: VMX: use correct vmcs_read/write for guest segment selector/base
    - Bluetooth: Add another AR3012 04ca:3018 device
    - s390/qdio: clear DSCI prior to scanning multiple input queues
    - s390/dcssblk: fix device size calculation in dcssblk_direct_access()
    - s390: TASK_SIZE for kernel threads
    - s390: make setup_randomness work
    - s390: use correct input data address for setup_randomness
    - net: mvpp2: fix DMA address calculation in mvpp2_txq_inc_put()
    - mnt: Tuck mounts under others instead of creating shadow/side mounts.
    - IB/ipoib: Fix deadlock between rmmod and set_mode
    - IB/IPoIB: Add destination address when re-queue packet
    - IB/srp: Avoid that duplicate responses trigger a kernel bug
    - IB/srp: Fix race conditions related to task management
    - ktest: Fix child exit code processing
    - ceph: remove req from unsafe list when unregistering it
    - target: Fix NULL dereference during LUN lookup + active I/O shutdown
    - nlm: Ensure callback code also checks that the files match
    - pwm: pca9685: Fix period change with same duty cycle
    - xtensa: move parse_tag_fdt out of #ifdef CONFIG_BLK_DEV_INITRD
    - mac80211: flush delayed work when entering suspend
    - drm/amdgpu: add more cases to DCE11 possible crtc mask setup
    - drm/ast: Fix test for VGA enabled
    - drm/ast: Call open_key before enable_mmio in POST code
    - drm/ast: Fix AST2400 POST failure without BMC FW or VBIOS
    - drm/edid: Add EDID_QUIRK_FORCE_8BPC quirk for Rotel RSX-1058
    - drm/ttm: Make sure BOs being swapped out are cacheable
    - drm/atomic: fix an error code in mode_fixup()
    - fakelb: fix schedule while atomic
    - drm/i915/dsi: Do not clear DPOUNIT_CLOCK_GATE_DISABLE from
      vlv_init_display_clock_gating
    - libceph: use BUG() instead of BUG_ON(1)
    - fat: fix using uninitialized fields of fat_inode/fsinfo_inode
    - drivers: hv: Turn off write permission on the hypercall page
    - Linux 4.4.54

* Xenial update to v4.4.53 stable release (LP: #1673538)
    - samples: move mic/mpssd example code from Documentation
    - MIPS: Fix special case in 64 bit IP checksumming.
    - MIPS: BCM47XX: Fix button inversion for Asus WL-500W
    - MIPS: OCTEON: Fix copy_from_user fault handling for large buffers
    - MIPS: Lantiq: Keep ethernet enabled during boot
    - MIPS: Clear ISA bit correctly in get_frame_info()
    - MIPS: Prevent unaligned accesses during stack unwinding
    - MIPS: Fix get_frame_info() handling of microMIPS function size
    - MIPS: Fix is_jump_ins() handling of 16b microMIPS instructions
    - MIPS: Calculate microMIPS ra properly when unwinding the stack
    - MIPS: Handle microMIPS jumps in the same way as MIPS32/MIPS64 jumps
    - am437x-vpfe: always assign bpp variable
    - uvcvideo: Fix a wrong macro
    - media: fix dm1105.c build error
    - ARM: at91: define LPDDR types
    - ARM: dts: at91: Enable DMA on sama5d4_xplained console
    - ARM: dts: at91: Enable DMA on sama5d2_xplained console
    - ALSA: hda/realtek - Cannot adjust speaker's volume on a Dell AIO
    - ALSA: hda - fix Lewisburg audio issue
    - ALSA: timer: Reject user params with too small ticks
    - ALSA: ctxfi: Fallback DMA mask to 32bit
    - ALSA: seq: Fix link corruption by event error handling
    - ALSA: hda - Add subwoofer support for Dell Inspiron 17 7000 Gaming
    - ALSA: hda - Fix micmute hotkey problem for a lenovo AIO machine
    - staging: rtl: fix possible NULL pointer dereference
    - regulator: Fix regulator_summary for deviceless consumers
    - iommu/vt-d: Fix some macros that are incorrectly specified in intel-iommu
    - iommu/vt-d: Tylersburg isoch identity map check is done too late.
    - mm/page_alloc: fix nodes for reclaim in fast path
    - mm: vmpressure: fix sending wrong events on underflow
    - mm: do not access page->mapping directly on page_endio
    - ipc/shm: Fix shmat mmap nil-page protection
    - dm cache: fix corruption seen when using cache > 2TB
    - dm stats: fix a leaked s->histogram_boundaries array
    - Revert "scsi: storvsc: properly set residual data length on errors"
    - scsi: storvsc: properly set residual data length on errors
    - scsi: aacraid: Reorder Adapter status check
    - scsi: use 'scsi_device_from_queue()' for scsi_dh
    - sd: get disk reference in sd_check_events()
    - Fix: Disable sys_membarrier when nohz_full is enabled
    - jbd2: don't leak modified metadata buffers on an aborted journal
    - block/loop: fix race between I/O and set_status
    - loop: fix LO_FLAGS_PARTSCAN hang
    - ext4: Include forgotten start block on fallocate insert range
    - ext4: do not polute the extents cache while shifting extents
    - ext4: trim allocation requests to group size
    - ext4: fix data corruption in data=journal mode
    - ext4: fix inline data error paths
    - ext4: preserve the needs_recovery flag when the journal is aborted
    - ext4: return EROFS if device is r/o and journal replay is needed
    - samples/seccomp: fix 64-bit comparison macros
    - target: Obtain se_node_acl->acl_kref during get_initiator_node_acl
    - target: Fix multi-session dynamic se_node_acl double free OOPs
    - ath5k: drop bogus warning on drv_set_key with unsupported cipher
    - ath9k: fix race condition in enabling/disabling IRQs
    - ath9k: use correct OTP register offsets for the AR9340 and AR9550
    - crypto: testmgr - Pad aes_ccm_enc_tv_template vector
    - fuse: add missing FR_FORCE
    - arm/arm64: KVM: Enforce unconditional flush to PoC when mapping to stage-2
    - iio: pressure: mpl115: do not rely on structure field ordering
    - iio: pressure: mpl3115: do not rely on structure field ordering
    - can: usb_8dev: Fix memory leak of priv->cmd_msg_buffer
    - w1: don't leak refcount on slave attach failure in w1_attach_slave_device()
    - w1: ds2490: USB transfer buffers need to be DMAable
    - usb: musb: da8xx: Remove CPPI 3.0 quirk and methods
    - usb: host: xhci: plat: check hcc_params after add hcd
    - usb: gadget: udc: fsl: Add missing complete function.
    - hv: allocate synic pages for all present CPUs
    - hv: init percpu_list in hv_synic_alloc()
    - Drivers: hv: util: kvp: Fix a rescind processing issue
    - Drivers: hv: util: Fcopy: Fix a rescind processing issue
    - Drivers: hv: util: Backup: Fix a rescind processing issue
    - RDMA/core: Fix incorrect structure packing for booleans
    - rdma_cm: fail iwarp accepts w/o connection params
    - gfs2: Add missing rcu locking for glock lookup
    - rtlwifi: Fix alignment issues
    - rtlwifi: rtl8192c-common: Fix "BUG: KASAN:
    - nfsd: minor nfsd_setattr cleanup
    - nfsd: special case truncates some more
    - NFSv4: Fix memory and state leak in _nfs4_open_and_get_state
    - NFSv4: fix getacl head length estimation
    - NFSv4: fix getacl ERANGE for some ACL buffer sizes
    - rtc: sun6i: Add some locking
    - rtc: sun6i: Switch to the external oscillator
    - md linear: fix a race between linear_add() and linear_congested()
    - bcma: use (get|put)_device when probing/removing device driver
    - dmaengine: ipu: Make sure the interrupt routine checks all interrupts.
    - powerpc/xmon: Fix data-breakpoint
    - MIPS: IP22: Reformat inline assembler code to modern standards.
    - MIPS: IP22: Fix build error due to binutils 2.25 uselessnes.
    - scsi: lpfc: Correct WQ creation for pagesize
    - Linux 4.4.53

* move aufs.ko from -extra to linux-image package (LP: #1673498)
    - [config] aufs.ko moved to linux-image package

* [Xenial] net: better skb->sender_cpu and skb->napi_id cohabitation
    (LP: #1673303)
    - net: better skb->sender_cpu and skb->napi_id cohabitation

* lsattr 32bit does not work on 64bit kernel (Inappropriate ioctl error)
    (LP: #1619918)
    - btrfs: fix btrfs_compat_ioctl failures on non-compat ioctls

* linux-tools-common should Depends: lsb-release (LP: #1667571)
    - [Config] linux-tools-common depends on lsb-release

* Add Use-After-Free Patch for Ubuntu16.10 - EEH on BELL3 adapter fails to
    recover (serial/tty) (LP: #1669153)
    - 8250_pci: Fix potential use-after-free in error path

* [Hyper-V] pci-hyperv: Use device serial number as PCI domain (LP: #1667527)
    - net/mlx4_core: Use cq quota in SRIOV when creating completion EQs
    - PCI: hv: Use device serial number as PCI domain

* [Xenial - 16.04 ]Bonding driver - stack corruption when trying to copy 20
    bytes to a sockaddr (LP: #1668042)
    - net/bonding: Enforce active-backup policy for IPoIB bonds

* Request to backport cxlflash patches to Xenial SRU stream (LP: #1623750)
    - scsi: cxlflash: Scan host only after the port is ready for I/O
    - scsi: cxlflash: Remove the device cleanly in the system shutdown path
    - scsi: cxlflash: Fix to avoid EEH and host reset collisions
    - scsi: cxlflash: Improve EEH recovery time

* Xenial update to v4.4.52 stable release (LP: #1669016)
    - net/llc: avoid BUG_ON() in skb_orphan()
    - packet: fix races in fanout_add()
    - packet: Do not call fanout_release from atomic contexts
    - irda: Fix lockdep annotations in hashbin_delete().
    - ip: fix IP_CHECKSUM handling
    - net: socket: fix recvmmsg not returning error from sock_error
    - tty: serial: msm: Fix module autoload
    - USB: serial: mos7840: fix another NULL-deref at open
    - USB: serial: cp210x: add new IDs for GE Bx50v3 boards
    - USB: serial: ftdi_sio: fix modem-status error handling
    - USB: serial: ftdi_sio: fix extreme low-latency setting
    - USB: serial: ftdi_sio: fix line-status over-reporting
    - USB: serial: spcp8x5: fix modem-status handling
    - USB: serial: opticon: fix CTS retrieval at open
    - USB: serial: ark3116: fix register-accessor error handling
    - x86/platform/goldfish: Prevent unconditional loading
    - goldfish: Sanitize the broken interrupt handler
    - block: fix double-free in the failure path of cgwb_bdi_init()
    - rtlwifi: rtl_usb: Fix for URB leaking when doing ifconfig up/down
    - Revert "usb: chipidea: imx: enable CI_HDRC_SET_NON_ZERO_TTHA"
    - kvm: vmx: ensure VMCS is current while enabling PML
    - Linux 4.4.52

* Xenial update to v4.4.51 stable release (LP: #1669015)
    - vfs: fix uninitialized flags in splice_to_pipe()
    - siano: make it work again with CONFIG_VMAP_STACK
    - fuse: fix use after free issue in fuse_dev_do_read()
    - scsi: don't BUG_ON() empty DMA transfers
    - Fix missing sanity check in /dev/sg
    - Input: elan_i2c - add ELAN0605 to the ACPI table
    - drm/radeon: Use mode h/vdisplay fields to hide out of bounds HW cursor
    - drm/dp/mst: fix kernel oops when turning off secondary monitor
    - futex: Move futex_init() to core_initcall
    - ARM: 8658/1: uaccess: fix zeroing of 64-bit get_user()
    - printk: use rcuidle console tracepoint
    - NTB: ntb_transport: fix debugfs_remove_recursive
    - ntb_transport: Pick an unused queue
    - bcache: Make gc wakeup sane, remove set_task_state()
    - mmc: core: fix multi-bit bus width without high-speed mode
    - Linux 4.4.51

* Xenial update to v4.4.50 stable release (LP: #1666324)
    - can: Fix kernel panic at security_sock_rcv_skb
    - ipv6: fix ip6_tnl_parse_tlv_enc_lim()
    - ipv6: pointer math error in ip6_tnl_parse_tlv_enc_lim()
    - tcp: fix 0 divide in __tcp_select_window()
    - net: use a work queue to defer net_disable_timestamp() work
    - ipv4: keep skb->dst around in presence of IP options
    - netlabel: out of bound access in cipso_v4_validate()
    - ip6_gre: fix ip6gre_err() invalid reads
    - ipv6: tcp: add a missing tcp_v6_restore_cb()
    - tcp: avoid infinite loop in tcp_splice_read()
    - tun: read vnet_hdr_sz once
    - macvtap: read vnet_hdr_size once
    - mlx4: Invoke softirqs after napi_reschedule
    - sctp: avoid BUG_ON on sctp_wait_for_sndbuf
    - sit: fix a double free on error path
    - net: introduce device min_header_len
    - packet: round up linear to header len
    - ping: fix a null pointer dereference
    - l2tp: do not use udp_ioctl()
    - Linux 4.4.50

* FlashGT Integration and Setup: fsbmc30: After 17th reboot of soft bootme,
    HTX & Linux errors seen with 256 virtual LUNs (LP: #1667239)
    - cxl: Fix coredump generation when cxl_get_fd() is used

* [Hyper-V] Ubuntu 14.04.2 LTS Generation 2 SCSI Errors on VSS Based Backups
    (LP: #1470250)
    - Drivers: hv: vss: Operation timeouts should match host expectation
    - SAUCE: Tools: hv: vss: Thaw the filesystem and continue after freeze fails

* kernel 4.4.0-63 with USB WLAN RTL8192CU freezes desktop (LP: #1666421)
    - rtlwifi: rtl_usb: Fix missing entry in USB driver's private data

* Export symbol "dev_pm_qos_update_user_latency_tolerance" (LP: #1666401)
    - PM / QoS: Export dev_pm_qos_update_user_latency_tolerance

* Linux ZFS port doesn't respect RLIMIT_FSIZE (LP: #1656259)
    - SAUCE: (noup) Update zfs to 0.6.5.6-0ubuntu16

-- Stefan Bader <stefan.bader@canonical.com>  Wed, 19 Apr 2017 17:14:23 +0200

Changed in linux (Ubuntu Xenial):
status:	Fix Committed → Fix Released

Po-Hsu Lin (cypressyew) on 2019-10-03

Changed in linux (Ubuntu):
status:	Fix Committed → Fix Released

Ubuntu
linux package

[Xenial - 16.04 ]Bonding driver - stack corruption when trying to copy 20 bytes to a sockaddr

Bug Description

CVE References

Other bug subscribers

Remote bug watches

	Status	Importance	Assigned to
linux (Ubuntu)	Fix Released	High	Joseph Salisbury
Trusty	Fix Released	High	Joseph Salisbury
Xenial	Fix Released	High	Joseph Salisbury

Ubuntulinux package

[Xenial - 16.04 ]Bonding driver - stack corruption when trying to copy 20 bytes to a sockaddr

Bug Description

CVE References

Other bug subscribers

Remote bug watches

Ubuntu
linux package