group.of.nepali.translators team mailing list archive

[Bug 1672470] Re: ip_rcv_finish() NULL pointer kernel panic

 

This bug was fixed in the package linux - 4.10.0-15.17

---------------
linux (4.10.0-15.17) zesty; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1675868

  * In ZZ-BML (POWER9):ubuntu17.04 installation Fails (LP: #1675771)
    - powerpc/64s: fix handling of non-synchronous machine checks
    - powerpc/64s: allow machine check handler to set severity and initiator
    - powerpc/64s: POWER9 machine check handler

  * [Feature] R3 mwait support for Knights Mill (LP: #1637550)
    - x86/cpufeature: Enable RING3MWAIT for Knights Landing
    - x86/cpufeature: Enable RING3MWAIT for Knights Mill
    - x86/msr: Add MSR_MISC_FEATURE_ENABLES and RING3MWAIT bit
    - x86/elf: Add HWCAP2 to expose ring 3 MONITOR/MWAIT
    - x86/cpufeature: Add RING3MWAIT to CPU features

  * [Feature] GLK:New device IDs (LP: #1645951)
    - mfd: intel-lpss: Add Intel Gemini Lake PCI IDs
    - pwm: lpss: Add Intel Gemini Lake PCI ID
    - i2c: i801: Add support for Intel Gemini Lake
    - spi: pxa2xx: Add support for Intel Gemini Lake
    - [Config] CONFIG_PINCTRL_GEMINILAKE=m
    - pinctrl: intel: Add Intel Gemini Lake pin controller support

  * Zesty update to v4.10.5 stable release (LP: #1675032)
    - net/mlx5e: Register/unregister vport representors on interface attach/detach
    - net/mlx5e: Do not reduce LRO WQE size when not using build_skb
    - net/mlx5e: Fix broken CQE compression initialization
    - net/mlx5e: Update MPWQE stride size when modifying CQE compress state
    - net/mlx5e: Fix wrong CQE decompression
    - vxlan: correctly validate VXLAN ID against VXLAN_N_VID
    - vti6: return GRE_KEY for vti6
    - vxlan: don't allow overwrite of config src addr
    - ipv4: add missing initialization for flowi4_uid
    - ipv4: mask tos for input route
    - sctp: set sin_port for addr param when checking duplicate address
    - net sched actions: decrement module reference count after table flush.
    - l2tp: avoid use-after-free caused by l2tp_ip_backlog_recv
    - vxlan: lock RCU on TX path
    - geneve: lock RCU on TX path
    - mlxsw: spectrum_router: Avoid potential packets loss
    - net: bridge: allow IPv6 when multicast flood is disabled
    - net: don't call strlen() on the user buffer in packet_bind_spkt()
    - net: net_enable_timestamp() can be called from irq contexts
    - ipv6: orphan skbs in reassembly unit
    - dccp: Unlock sock before calling sk_free()
    - amd-xgbe: Stop the PHY before releasing interrupts
    - amd-xgbe: Be sure to set MDIO modes on device (re)start
    - amd-xgbe: Don't overwrite SFP PHY mod_absent settings
    - bonding: use ETH_MAX_MTU as max mtu
    - strparser: destroy workqueue on module exit
    - tcp: fix various issues for sockets morphing to listen state
    - net: fix socket refcounting in skb_complete_wifi_ack()
    - net: fix socket refcounting in skb_complete_tx_timestamp()
    - net/sched: act_skbmod: remove unneeded rcu_read_unlock in tcf_skbmod_dump
    - dccp: fix use-after-free in dccp_feat_activate_values
    - team: use ETH_MAX_MTU as max mtu
    - vrf: Fix use-after-free in vrf_xmit
    - net/tunnel: set inner protocol in network gro hooks
    - uapi: fix linux/packet_diag.h userspace compilation error
    - amd-xgbe: Enable IRQs only if napi_complete_done() is true
    - act_connmark: avoid crashing on malformed nlattrs with null parms
    - mpls: Send route delete notifications when router module is unloaded
    - mpls: Do not decrement alive counter for unregister events
    - ipv6: make ECMP route replacement less greedy
    - ipv6: avoid write to a possibly cloned skb
    - net: use net->count to check whether a netns is alive or not
    - dccp/tcp: fix routing redirect race
    - tun: fix premature POLLOUT notification on tun devices
    - dccp: fix memory leak during tear-down of unsuccessful connection request
    - arm64: KVM: VHE: Clear HCR_TGE when invalidating guest TLBs
    - drm/i915/lspcon: Enable AUX interrupts for resume time initialization
    - drm/i915/gen9+: Enable hotplug detection early
    - drm/i915/lspcon: Fix resume time initialization due to unasserted HPD
    - x86/unwind: Fix last frame check for aligned function stacks
    - x86/tsc: Fix ART for TSC_KNOWN_FREQ
    - x86/kasan: Fix boot with KASAN=y and PROFILE_ANNOTATED_BRANCHES=y
    - x86/intel_rdt: Put group node in rdtgroup_kn_unlock
    - x86/perf: Fix CR4.PCE propagation to use active_mm instead of mm
    - futex: Fix potential use-after-free in FUTEX_REQUEUE_PI
    - futex: Add missing error handling to FUTEX_REQUEUE_PI
    - locking/rwsem: Fix down_write_killable() for CONFIG_RWSEM_GENERIC_SPINLOCK=y
    - crypto: powerpc - Fix initialisation of crc32c context
    - crypto: s5p-sss - Fix spinlock recursion on LRW(AES)
    - Linux 4.10.5

  * Ubuntu server enables screenblanking, concealing crashdumps (DPMS is not
    used) (LP: #869017)
    - SAUCE: Disable default console blanking interval

  * CVE-2017-5986
    - sctp: deny peeloff operation on asocs with threads sleeping on it

  * tty: acpi/spcr: QDF2400 E44 checks for wrong OEM revision (LP: #1674466)
    - tty: acpi/spcr: QDF2400 E44 checks for wrong OEM revision

  * Ubuntu 17.04: machine crashes with Oops in dccp_v4_ctl_send_reset while
    running stress-ng. (LP: #1654073)
    - tcp/dccp: block BH for SYN processing

  * POWER9: Additional patches for TTY and CPU_IDLE (LP: #1674325)
    - tty: Fix ldisc crash on reopened tty
    - SAUCE: powerpc/powernv/cpuidle: Pass correct drv->cpumask for registration

  * Fix MODULE_FIRMWARE for intel 6030 wireless (LP: #1674334)
    - iwlwifi: fix MODULE_FIRMWARE for 6030

  * [zesty] net sched actions - Adding support for user cookies (LP: #1674087)
    - net sched actions: Add support for user cookies
    - net sched actions: do not overwrite status of action creation.

  * Zesty update to v4.10.4 stable release (LP: #1674288)
    - iio: 104-quad-8: Fix off-by-one error when addressing flag register
    - ARM: qcom_defconfig: Enable RPM/RPM-SMD clocks
    - USB: serial: digi_acceleport: fix OOB data sanity check
    - USB: serial: digi_acceleport: fix OOB-event processing
    - crypto: improve gcc optimization flags for serpent and wp512
    - MIPS: Update defconfigs for NF_CT_PROTO_DCCP/UDPLITE change
    - MIPS: VDSO: avoid duplicate CAC_BASE definition
    - MIPS: ip27: Disable qlge driver in defconfig
    - MIPS: Update ip27_defconfig for SCSI_DH change
    - MIPS: ip22: Fix ip28 build for modern gcc
    - MIPS: Update lemote2f_defconfig for CPU_FREQ_STAT change
    - mtd: pmcmsp: use kstrndup instead of kmalloc+strncpy
    - MIPS: ralink: Cosmetic change to prom_init().
    - MIPS: ralink: Remove unused timer functions
    - MIPS: ralink: Remove unused rt*_wdt_reset functions
    - i2c: bcm2835: Avoid possible NULL ptr dereference
    - tracing: Add #undef to fix compile error
    - ucount: Remove the atomicity from ucount->count
    - efi/arm: Fix boot crash with CONFIG_CPUMASK_OFFSTACK=y
    - dw2102: don't do DMA on stack
    - i2c: add missing of_node_put in i2c_mux_del_adapters
    - powerpc: Emulation support for load/store instructions on LE
    - powerpc/booke: Fix boot crash due to null hugepd
    - powerpc/xics: Work around limitations of OPAL XICS priority handling
    - PCI: Prevent VPD access for QLogic ISP2722
    - usb: gadget: dummy_hcd: clear usb_gadget region before registration
    - usb: dwc3: gadget: make Set Endpoint Configuration macros safe
    - usb: dwc3-omap: Fix missing break in dwc3_omap_set_mailbox()
    - usb: ohci-at91: Do not drop unhandled USB suspend control requests
    - usb: gadget: function: f_fs: pass companion descriptor along
    - Revert "usb: gadget: uvc: Add missing call for additional setup data"
    - usb: host: xhci-dbg: HCIVERSION should be a binary number
    - usb: host: xhci-plat: Fix timeout on removal of hot pluggable xhci controllers
    - USB: serial: safe_serial: fix information leak in completion handler
    - USB: serial: omninet: fix reference leaks at open
    - USB: iowarrior: fix NULL-deref at probe
    - USB: iowarrior: fix NULL-deref in write
    - USB: serial: io_ti: fix NULL-deref in interrupt callback
    - USB: serial: io_ti: fix information leak in completion handler
    - serial: samsung: Continue to work if DMA request fails
    - KVM: s390: Fix guest migration for huge guests resulting in panic
    - KVM: arm/arm64: Let vcpu thread modify its own active state
    - drm/i915/gvt: Fix superfluous newline in GVT_DISPLAY_READY env var
    - serial_ir: ensure we're ready to receive interrupts
    - dm: flush queued bios when process blocks to avoid deadlock
    - rc: raw decoder for keymap protocol is not loaded on register
    - ext4: don't BUG when truncating encrypted inodes on the orphan list
    - IB/mlx5: Verify that Q counters are supported
    - Linux 4.10.4

  * ip_rcv_finish() NULL pointer kernel panic (LP: #1672470)
    - bridge: drop netfilter fake rtable unconditionally

  * Miscellaneous Ubuntu changes
    - [Config] Remove powerpc architecture build
    - [Config] updateconfigs after removing powerpc builds
    - [Config] Update annotations after removing powerpc configs

 -- Tim Gardner <tim.gardner@xxxxxxxxxxxxx>  Mon, 20 Mar 2017 05:15:32 -0600

** Changed in: linux (Ubuntu Zesty)
       Status: Fix Committed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5986

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1672470

Title:
  ip_rcv_finish() NULL pointer kernel panic

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Invalid
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Yakkety:
  Fix Committed
Status in linux source package in Zesty:
  Fix Released

Bug description:
  [Impact]

  When iptables rules affect bridge traffic, and that traffic is flowing
  through the bridge while the br_netfilter module is being loaded or
  unloaded, a kernel panic may occur.

  [Test Case]

  It's difficult to reproduce because of a very small race window during
  br_netfilter load/unload, when the module is receiving traffic but has
  not yet registered its hooks (or has unregistered its hooks but still
  has traffic in flight).  A system must be set up with a bridge, and
  iptables netfilter rules must be configured to process the bridge
  traffic.  The system should then be rebooted until the problem occurs,
  or the br_netfilter module loaded and unloaded until the problem
  occurs.

  [Regression Potential]

  Changing how the br_netfilter module switches its fake dst for a real
  dst may, if done incorrectly, result in more kernel panics if other
  code tries to process the br_netfilter module's fake dst.

  [Other Info]

  The br_netfilter module processes packets traveling through its
  bridge, and while processing each skb it places a special fake dst
  onto the skb.  When the skb leaves the bridge, it removes the fake dst
  and places a real dst onto it.  However, it uses a hook to do this,
  and when the br_netfilter module is unloading it unregisters that
  hook.  Any skbs that are currently being processed in the bridge by
  the br_netfilter module, but that leave the bridge after the hook is
  unregistered (or, during br_netfilter module load, before the hook is
  registered) will still have the fake dst; when other code then tries
  to process that dst, it causes a kernel panic because the dst is
  invalid.
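
  The load/unload window just described, as an added C model that is not kernel code and not part of the bug report or the upstream fix: the structures, the hook_registered flag and the two egress functions are assumptions of the model, and the fake dst's missing input callback stands in for the (null) instruction pointer in the panic report. It contrasts the hook-dependent removal of the fake dst with the unconditional removal by the bridge core that the fix title describes.

```c
#include <stdbool.h>
#include <stddef.h>

/* Model (not kernel code): every skb carries a dst whose ->input callback
 * ip_rcv_finish() invokes.  br_netfilter's fake rtable has no usable
 * ->input, modelled here as a NULL function pointer. */
struct sk_buff;
struct dst_entry {
    int (*input)(struct sk_buff *skb);
};
struct sk_buff {
    struct dst_entry *dst;
};

static int real_input(struct sk_buff *skb) { (void)skb; return 0; }

static struct dst_entry real_dst = { .input = real_input };
static struct dst_entry fake_rtable = { .input = NULL }; /* fake dst */

enum outcome { DELIVERED = 0, NULL_DEREF = 1 };

/* Model of ip_rcv_finish(): it trusts whatever dst is attached.  Instead
 * of crashing, the model reports the NULL call it would have made. */
static enum outcome ip_rcv_finish(struct sk_buff *skb)
{
    if (skb->dst == NULL)
        skb->dst = &real_dst;     /* route lookup supplies a real dst */
    if (skb->dst->input == NULL)
        return NULL_DEREF;        /* kernel would jump to address 0 */
    skb->dst->input(skb);
    return DELIVERED;
}

/* Pre-fix egress: the fake dst is removed only by a br_netfilter hook,
 * which is absent while the module is loading or unloading. */
static enum outcome bridge_egress_hooked(struct sk_buff *skb, bool hook_registered)
{
    if (hook_registered && skb->dst == &fake_rtable)
        skb->dst = NULL;
    return ip_rcv_finish(skb);
}

/* Post-fix egress: the bridge core drops the fake dst unconditionally,
 * so the hook state no longer matters. */
static enum outcome bridge_egress_unconditional(struct sk_buff *skb, bool hook_registered)
{
    (void)hook_registered;
    if (skb->dst == &fake_rtable)
        skb->dst = NULL;
    return ip_rcv_finish(skb);
}

/* One packet that br_netfilter started processing (fake dst attached) and
 * that leaves the bridge with the given hook state. */
static enum outcome run(enum outcome (*egress)(struct sk_buff *, bool), bool hook_registered)
{
    struct sk_buff skb = { .dst = &fake_rtable };
    return egress(&skb, hook_registered);
}
```

Only the hook-dependent path inside the race window (hook not registered) reaches the NULL call; the unconditional drop delivers the packet in both states.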

  Recent upstream discussion:
  https://www.spinics.net/lists/netdev/msg416912.html

  Upstream patch:
  https://patchwork.ozlabs.org/patch/738275/
  Upstream commit: a13b2082ece95247779b9995c4e91b4246bed023

  Example panic report:

  [ 214.518262] BUG: unable to handle kernel NULL pointer dereference at (null)
  [ 214.612199] IP: [< (null)>] (null)
  [ 214.672744] PGD 0
  [ 214.696887] Oops: 0010 [#1] SMP
  [ 214.735697] Modules linked in: br_netfilter(+) tun 8021q bridge stp llc bonding iTCO_wdt iTCO_vendor_support tpm_tis tpm kvm_intel kvm irqbypass sb_edac edac_core ixgbe mdio ipmi_si ipmi_msghandler lpc_ich mfd_core mousedev evdev igb dca procmemro(O) nokeyctl(O) noptrace(O)
  [ 215.029240] CPU: 34 PID: 0 Comm: swapper/34 Tainted: G O 4.4.39 #1
  [ 215.116720] Hardware name: Cisco Systems Inc UCSC-C220-M3L/UCSC-C220-M3L, BIOS C220M3.2.0.13a.0.0713160937 07/13/16
  [ 215.241644] task: ffff882038fb4380 ti: ffff8810392b0000 task.ti: ffff8810392b0000
  [ 215.331207] RIP: 0010:[<0000000000000000>] [< (null)>] (null)
  [ 215.420877] RSP: 0018:ffff88103fec3880 EFLAGS: 00010286
  [ 215.484436] RAX: ffff881011631000 RBX: ffff881011067100 RCX: 0000000000000000
  [ 215.569836] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff881011067100
  [ 215.655234] RBP: ffff88103fec38a8 R08: 0000000000000008 R09: ffff8810116300a0
  [ 215.740629] R10: 0000000000000000 R11: 0000000000000000 R12: ffff881018917dce
  [ 215.826030] R13: ffffffff81c9be00 R14: ffffffff81c9be00 R15: ffff881011630078
  [ 215.911432] FS: 0000000000000000(0000) GS:ffff88103fec0000(0000) knlGS:0000000000000000
  [ 216.008274] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [ 216.077032] CR2: 0000000000000000 CR3: 0000001011b9d000 CR4: 00000000001406e0
  [ 216.162430] Stack:
  [ 216.186461] ffffffff8157d7f9 ffff881011067100 ffff881018917dce ffff881011630000
  [ 216.275407] ffffffff81c9be00 ffff88103fec3918 ffffffff8157e0db 0000000000000000
  [ 216.364352] 0000000000000000 0000000000000000 0000000000000000 0000000000000000
  [ 216.453301] Call Trace:
  [ 216.482536] <IRQ>
  [ 216.505533] [<ffffffff8157d7f9>] ? ip_rcv_finish+0x99/0x320
  [ 216.575442] [<ffffffff8157e0db>] ip_rcv+0x25b/0x370
  [ 216.634842] [<ffffffff81540e0b>] __netif_receive_skb_core+0x2cb/0xa20
  [ 216.712965] [<ffffffff81541578>] __netif_receive_skb+0x18/0x60
  [ 216.783801] [<ffffffff815415e3>] netif_receive_skb_internal+0x23/0x80
  [ 216.861921] [<ffffffff8154165c>] netif_receive_skb+0x1c/0x70
  [ 216.930686] [<ffffffffa02f6439>] br_handle_frame_finish+0x1b9/0x5b0 [bridge]
  [ 217.016091] [<ffffffff81187a00>] ? ___slab_alloc+0x1d0/0x440
  [ 217.084849] [<ffffffffa0584074>] br_nf_pre_routing_finish+0x174/0x3d0 [br_netfilter]
  [ 217.178568] [<ffffffffa0584c07>] ? br_nf_pre_routing+0x97/0x470 [br_netfilter]
  [ 217.266052] [<ffffffffa02f6280>] ? br_handle_local_finish+0x80/0x80 [bridge]
  [ 217.351450] [<ffffffffa0584d17>] br_nf_pre_routing+0x1a7/0x470 [br_netfilter]
  [ 217.437891] [<ffffffff81572f6d>] nf_iterate+0x5d/0x70
  [ 217.499367] [<ffffffff81572fe4>] nf_hook_slow+0x64/0xc0
  [ 217.562928] [<ffffffffa02f69e9>] br_handle_frame+0x1b9/0x290 [bridge]
  [ 217.641048] [<ffffffffa02f6280>] ? br_handle_local_finish+0x80/0x80 [bridge]
  [ 217.726446] [<ffffffff81540e82>] __netif_receive_skb_core+0x342/0xa20
  [ 217.804566] [<ffffffff815a7916>] ? tcp4_gro_receive+0x126/0x1d0
  [ 217.876445] [<ffffffff815b7446>] ? inet_gro_receive+0x1c6/0x250
  [ 217.948322] [<ffffffff81541578>] __netif_receive_skb+0x18/0x60
  [ 218.019161] [<ffffffff815415e3>] netif_receive_skb_internal+0x23/0x80
  [ 218.097281] [<ffffffff81542213>] napi_gro_receive+0xc3/0x110
  [ 218.166051] [<ffffffffa00a801f>] ixgbe_clean_rx_irq+0x52f/0xa70 [ixgbe]
  [ 218.246255] [<ffffffffa00a9248>] ixgbe_poll+0x438/0x790 [ixgbe]
  [ 218.318131] [<ffffffff81541a6e>] net_rx_action+0x1ee/0x320
  [ 218.384813] [<ffffffff8109c837>] ? handle_irq_event_percpu+0x167/0x1d0
  [ 218.463973] [<ffffffff8105c3c1>] __do_softirq+0x101/0x280
  [ 218.529608] [<ffffffff8105c69e>] irq_exit+0x8e/0x90
  [ 218.589007] [<ffffffff816dd504>] do_IRQ+0x54/0xd0
  [ 218.646323] [<ffffffff816dba02>] common_interrupt+0x82/0x82

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1672470/+subscriptions