group.of.nepali.translators team mailing list archive
-
group.of.nepali.translators team
-
Mailing list archive
-
Message #19378
[Bug 1721065] Re: NULL pointer dereference in tty_write() in kernel 4.4.0-93.116+
This bug was fixed in the package linux - 4.4.0-101.124
---------------
linux (4.4.0-101.124) xenial; urgency=low
* linux: 4.4.0-101.124 -proposed tracker (LP: #1731264)
* s390/mm: fix write access check in gup_huge_pmd() (LP: #1730596)
- s390/mm: fix write access check in gup_huge_pmd()
linux (4.4.0-100.123) xenial; urgency=low
* linux: 4.4.0-100.123 -proposed tracker (LP: #1729273)
* Xenial update to 4.4.95 stable release (LP: #1729107)
- USB: devio: Revert "USB: devio: Don't corrupt user memory"
- USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor()
- USB: serial: metro-usb: add MS7820 device id
- usb: cdc_acm: Add quirk for Elatec TWN3
- usb: quirks: add quirk for WORLDE MINI MIDI keyboard
- usb: hub: Allow reset retry for USB2 devices on connect bounce
- ALSA: usb-audio: Add native DSD support for Pro-Ject Pre Box S2 Digital
- can: gs_usb: fix busy loop if no more TX context is available
- usb: musb: sunxi: Explicitly release USB PHY on exit
- usb: musb: Check for host-mode using is_host_active() on reset interrupt
- can: esd_usb2: Fix can_dlc value for received RTR, frames
- drm/nouveau/bsp/g92: disable by default
- drm/nouveau/mmu: flush tlbs before deleting page tables
- ALSA: seq: Enable 'use' locking in all configurations
- ALSA: hda: Remove superfluous '-' added by printk conversion
- i2c: ismt: Separate I2C block read from SMBus block read
- brcmsmac: make some local variables 'static const' to reduce stack size
- bus: mbus: fix window size calculation for 4GB windows
- clockevents/drivers/cs5535: Improve resilience to spurious interrupts
- rtlwifi: rtl8821ae: Fix connection lost problem
- KEYS: encrypted: fix dereference of NULL user_key_payload
- lib/digsig: fix dereference of NULL user_key_payload
- KEYS: don't let add_key() update an uninstantiated key
- pkcs7: Prevent NULL pointer dereference, since sinfo is not always set.
- parisc: Avoid trashing sr2 and sr3 in LWS code
- parisc: Fix double-word compare and exchange in LWS code on 32-bit kernels
- sched/autogroup: Fix autogroup_move_group() to never skip sched_move_task()
- f2fs crypto: replace some BUG_ON()'s with error checks
- f2fs crypto: add missing locking for keyring_key access
- fscrypt: fix dereference of NULL user_key_payload
- KEYS: Fix race between updating and finding a negative key
- fscrypto: require write access to mount to set encryption policy
- FS-Cache: fix dereference of NULL user_key_payload
- Linux 4.4.95
* Xenial update to 4.4.94 stable release (LP: #1729105)
- percpu: make this_cpu_generic_read() atomic w.r.t. interrupts
- drm/dp/mst: save vcpi with payloads
- MIPS: Fix minimum alignment requirement of IRQ stack
- sctp: potential read out of bounds in sctp_ulpevent_type_enabled()
- bpf/verifier: reject BPF_ALU64|BPF_END
- udpv6: Fix the checksum computation when HW checksum does not apply
- ip6_gre: skb_push ipv6hdr before packing the header in ip6gre_header
- net: emac: Fix napi poll list corruption
- packet: hold bind lock when rebinding to fanout hook
- bpf: one perf event close won't free bpf program attached by another perf
event
- isdn/i4l: fetch the ppp_write buffer in one shot
- vti: fix use after free in vti_tunnel_xmit/vti6_tnl_xmit
- l2tp: Avoid schedule while atomic in exit_net
- l2tp: fix race condition in l2tp_tunnel_delete
- tun: bail out from tun_get_user() if the skb is empty
- packet: in packet_do_bind, test fanout with bind_lock held
- packet: only test po->has_vnet_hdr once in packet_snd
- net: Set sk_prot_creator when cloning sockets to the right proto
- tipc: use only positive error codes in messages
- Revert "bsg-lib: don't free job in bsg_prepare_job"
- locking/lockdep: Add nest_lock integrity test
- watchdog: kempld: fix gcc-4.3 build
- irqchip/crossbar: Fix incorrect type of local variables
- mac80211_hwsim: check HWSIM_ATTR_RADIO_NAME length
- mac80211: fix power saving clients handling in iwlwifi
- net/mlx4_en: fix overflow in mlx4_en_init_timestamp()
- netfilter: nf_ct_expect: Change __nf_ct_expect_check() return value.
- iio: adc: xilinx: Fix error handling
- Btrfs: send, fix failure to rename top level inode due to name collision
- f2fs: do not wait for writeback in write_begin
- md/linear: shutup lockdep warnning
- sparc64: Migrate hvcons irq to panicked cpu
- net/mlx4_core: Fix VF overwrite of module param which disables DMFS on new
probed PFs
- crypto: xts - Add ECB dependency
- ocfs2/dlmglue: prepare tracking logic to avoid recursive cluster lock
- slub: do not merge cache if slub_debug contains a never-merge flag
- scsi: scsi_dh_emc: return success in clariion_std_inquiry()
- net: mvpp2: release reference to txq_cpu[] entry after unmapping
- i2c: at91: ensure state is restored after suspending
- ceph: clean up unsafe d_parent accesses in build_dentry_path
- uapi: fix linux/rds.h userspace compilation errors
- uapi: fix linux/mroute6.h userspace compilation errors
- target/iscsi: Fix unsolicited data seq_end_offset calculation
- nfsd/callback: Cleanup callback cred on shutdown
- cpufreq: CPPC: add ACPI_PROCESSOR dependency
- Revert "tty: goldfish: Fix a parameter of a call to free_irq"
- Linux 4.4.94
linux (4.4.0-99.122) xenial; urgency=low
* linux: 4.4.0-99.122 -proposed tracker (LP: #1728945)
* Remove vmbus-rdma driver from Xenial kernel (LP: #1721538)
- SAUCE: remove hv_network_direct driver
- [Config]: Remove hv_network_direct driver
* usb 3-1: 2:1: cannot get freq at ep 0x1 (LP: #1708499)
- ALSA: usb-audio: Add sample rate quirk for Plantronics C310/C520-M
* Plantronics Blackwire C520-M - Cannot get freq at ep 0x1, 0x81
(LP: #1709282)
- ALSA: usb-audio: Add sample rate quirk for Plantronics C310/C520-M
* wait-for-root fails to detect nbd root (LP: #696435)
- nbd: Create size change events for userspace
* Fix OpenNSL GPL bugs found by CoverityScan static analysis (LP: #1718388)
- SAUCE: opennsl: bcm-knet: check for null sinfo to avoid a null pointer
dereference
- SAUCE: opennsl: bcm-knet: remove redundant null checks on dev->name
- SAUCE: opennsl: bde: check for out-of-bounds index io.dev
* HID: multitouch: Correct ALPS PTP Stick and Touchpad devices ID
(LP: #1722719)
- Revert "HID: multitouch: Support ALPS PTP stick with pid 0x120A"
* Xenial update to 4.4.93 stable release (LP: #1724836)
- brcmfmac: add length check in brcmf_cfg80211_escan_handler()
- ext4: in ext4_seek_{hole,data}, return -ENXIO for negative offsets
- CIFS: Reconnect expired SMB sessions
- nl80211: Define policy for packet pattern attributes
- iwlwifi: mvm: use IWL_HCMD_NOCOPY for MCAST_FILTER_CMD
- rcu: Allow for page faults in NMI handlers
- USB: dummy-hcd: Fix deadlock caused by disconnect detection
- MIPS: math-emu: Remove pr_err() calls from fpu_emu()
- dmaengine: edma: Align the memcpy acnt array size with the transfer
- HID: usbhid: fix out-of-bounds bug
- crypto: shash - Fix zero-length shash ahash digest crash
- KVM: nVMX: fix guest CR4 loading when emulating L2 to L1 exit
- usb: renesas_usbhs: Fix DMAC sequence for receiving zero-length packet
- iommu/amd: Finish TLB flush in amd_iommu_unmap()
- ALSA: usb-audio: Kill stray URB at exiting
- ALSA: seq: Fix use-after-free at creating a port
- ALSA: seq: Fix copy_from_user() call inside lock
- ALSA: caiaq: Fix stray URB at probe error path
- ALSA: line6: Fix leftover URB at error-path during probe
- usb: gadget: composite: Fix use-after-free in
usb_composite_overwrite_options
- direct-io: Prevent NULL pointer access in submit_page_section
- fix unbalanced page refcounting in bio_map_user_iov
- USB: serial: ftdi_sio: add id for Cypress WICED dev board
- USB: serial: cp210x: add support for ELV TFD500
- USB: serial: option: add support for TP-Link LTE module
- Revert "UBUNTU: SAUCE: USB: serial: qcserial: add Dell DW5818, DW5819"
- USB: serial: qcserial: add Dell DW5818, DW5819
- USB: serial: console: fix use-after-free after failed setup
- x86/alternatives: Fix alt_max_short macro to really be a max()
- Linux 4.4.93
* NULL pointer dereference in tty_write() in kernel 4.4.0-93.116+
(LP: #1721065)
- tty: Prepare for destroying line discipline on hangup
* Xenial update to 4.4.92 stable release (LP: #1724783)
- usb: gadget: inode.c: fix unbalanced spin_lock in ep0_write
- USB: gadgetfs: Fix crash caused by inadequate synchronization
- USB: gadgetfs: fix copy_to_user while holding spinlock
- usb: gadget: udc: atmel: set vbus irqflags explicitly
- usb-storage: unusual_devs entry to fix write-access regression for Seagate
external drives
- usb: renesas_usbhs: fix the BCLR setting condition for non-DCP pipe
- usb: renesas_usbhs: fix usbhsf_fifo_clear() for RX direction
- ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor
- usb: pci-quirks.c: Corrected timeout values used in handshake
- USB: dummy-hcd: fix connection failures (wrong speed)
- USB: dummy-hcd: fix infinite-loop resubmission bug
- USB: dummy-hcd: Fix erroneous synchronization change
- USB: devio: Don't corrupt user memory
- usb: gadget: mass_storage: set msg_registered after msg registered
- USB: g_mass_storage: Fix deadlock when driver is unbound
- lsm: fix smack_inode_removexattr and xattr_getsecurity memleak
- ALSA: compress: Remove unused variable
- ALSA: usx2y: Suppress kernel warning at page allocation failures
- driver core: platform: Don't read past the end of "driver_override" buffer
- Drivers: hv: fcopy: restore correct transfer length
- stm class: Fix a use-after-free
- ftrace: Fix kmemleak in unregister_ftrace_graph
- HID: i2c-hid: allocate hid buffers for real worst case
- iwlwifi: add workaround to disable wide channels in 5GHz
- scsi: sd: Do not override max_sectors_kb sysfs setting
- USB: uas: fix bug in handling of alternate settings
- USB: core: harden cdc_parse_cdc_header
- usb: Increase quirk delay for USB devices
- USB: fix out-of-bounds in usb_set_configuration
- xhci: fix finding correct bus_state structure for USB 3.1 hosts
- iio: adc: twl4030: Fix an error handling path in 'twl4030_madc_probe()'
- iio: adc: twl4030: Disable the vusb3v1 rugulator in the error handling path
of 'twl4030_madc_probe()'
- iio: ad_sigma_delta: Implement a dedicated reset function
- staging: iio: ad7192: Fix - use the dedicated reset function avoiding dma
from stack.
- iio: core: Return error for failed read_reg
- iio: ad7793: Fix the serial interface reset
- iio: adc: mcp320x: Fix readout of negative voltages
- iio: adc: mcp320x: Fix oops on module unload
- uwb: properly check kthread_run return value
- uwb: ensure that endpoint is interrupt
- brcmfmac: setup passive scan if requested by user-space
- drm/i915/bios: ignore HDMI on port A
- sched/cpuset/pm: Fix cpuset vs. suspend-resume bugs
- ext4: fix data corruption for mmap writes
- ext4: Don't clear SGID when inheriting ACLs
- ext4: don't allow encrypted operations without keys
- Linux 4.4.92
* Xenial update to 4.4.91 stable release (LP: #1724772)
- drm_fourcc: Fix DRM_FORMAT_MOD_LINEAR #define
- drm: bridge: add DT bindings for TI ths8135
- GFS2: Fix reference to ERR_PTR in gfs2_glock_iter_next
- RDS: RDMA: Fix the composite message user notification
- ARM: dts: r8a7790: Use R-Car Gen 2 fallback binding for msiof nodes
- MIPS: Ensure bss section ends on a long-aligned address
- MIPS: ralink: Fix incorrect assignment on ralink_soc
- igb: re-assign hw address pointer on reset after PCI error
- extcon: axp288: Use vbus-valid instead of -present to determine cable
presence
- sh_eth: use correct name for ECMR_MPDE bit
- hwmon: (gl520sm) Fix overflows and crash seen when writing into limit
attributes
- iio: adc: axp288: Drop bogus AXP288_ADC_TS_PIN_CTRL register modifications
- iio: adc: hx711: Add DT binding for avia,hx711
- ARM: 8635/1: nommu: allow enabling REMAP_VECTORS_TO_RAM
- tty: goldfish: Fix a parameter of a call to free_irq
- IB/ipoib: Fix deadlock over vlan_mutex
- IB/ipoib: rtnl_unlock can not come after free_netdev
- IB/ipoib: Replace list_del of the neigh->list with list_del_init
- drm/amdkfd: fix improper return value on error
- USB: serial: mos7720: fix control-message error handling
- USB: serial: mos7840: fix control-message error handling
- partitions/efi: Fix integer overflow in GPT size calculation
- ASoC: dapm: handle probe deferrals
- audit: log 32-bit socketcalls
- usb: chipidea: vbus event may exist before starting gadget
- ASoC: dapm: fix some pointer error handling
- MIPS: Lantiq: Fix another request_mem_region() return code check
- net: core: Prevent from dereferencing null pointer when releasing SKB
- net/packet: check length in getsockopt() called with PACKET_HDRLEN
- team: fix memory leaks
- usb: plusb: Add support for PL-27A1
- mmc: sdio: fix alignment issue in struct sdio_func
- bridge: netlink: register netdevice before executing changelink
- netfilter: invoke synchronize_rcu after set the _hook_ to NULL
- MIPS: IRQ Stack: Unwind IRQ stack onto task stack
- exynos-gsc: Do not swap cb/cr for semi planar formats
- netfilter: nfnl_cthelper: fix incorrect helper->expect_class_max
- parisc: perf: Fix potential NULL pointer dereference
- iommu/io-pgtable-arm: Check for leaf entry before dereferencing it
- rds: ib: add error handle
- md/raid10: submit bio directly to replacement disk
- i2c: meson: fix wrong variable usage in meson_i2c_put_data
- xfs: remove kmem_zalloc_greedy
- libata: transport: Remove circular dependency at free time
- drivers: firmware: psci: drop duplicate const from psci_of_match
- IB/qib: fix false-postive maybe-uninitialized warning
- ARM: remove duplicate 'const' annotations'
- ALSA: au88x0: avoid theoretical uninitialized access
- ttpci: address stringop overflow warning
- Linux 4.4.91
-- Thadeu Lima de Souza Cascardo <cascardo@xxxxxxxxxxxxx> Fri, 10 Nov
2017 08:24:10 -0200
** Changed in: linux (Ubuntu Xenial)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1721065
Title:
NULL pointer dereference in tty_write() in kernel 4.4.0-93.116+
Status in linux package in Ubuntu:
In Progress
Status in linux source package in Xenial:
Fix Released
Bug description:
Sometimes an Ubuntu kernel 4.4.0-93+ panics in the following way:
[ 11.185347] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 11.185778] IP: [<ffffffff814f9cf3>] tty_write+0x83/0x2d0
[ 11.186115] PGD 0
[ 11.186270] Oops: 0000 [#1] SMP
[ 11.186506] Modules linked in: prl_fs(POE) prl_eth(POE) gpio_ich ppdev snd_intel8x0 snd_ac97_codec ac97_bus snd_pcm s
nd_timer input_leds snd serio_raw soundcore lpc_ich shpchp sbs prl_tg(POE) sbshc pvpanic parport_pc parport mac_hid auto
fs4 psmouse ahci libahci pata_acpi fjes
[ 11.188034] CPU: 0 PID: 1 Comm: systemd Tainted: P OE 4.4.0-96-generic #119-Ubuntu
[ 11.188482] Hardware name: Parallels Software International Inc. Parallels Virtual Platform/Parallels Virtual Platfor
m, BIOS 13.1.0 (43104) 09/26/2017
[ 11.189156] task: ffff88003db80000 ti: ffff88003db88000 task.ti: ffff88003db88000
[ 11.189546] RIP: 0010:[<ffffffff814f9cf3>] [<ffffffff814f9cf3>] tty_write+0x83/0x2d0
[ 11.189964] RSP: 0000:ffff88003db8bcc8 EFLAGS: 00010246
[ 11.190255] RAX: 0000000000000000 RBX: ffff8800392dd800 RCX: 0000000000000000
[ 11.190628] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8800392dd828
[ 11.191002] RBP: ffff88003db8bd18 R08: ffff88003db88000 R09: 0000000000000000
[ 11.191398] R10: 000000000000005c R11: 0000000000401ce0 R12: 000000000000002f
[ 11.191775] R13: ffff88003584ae70 R14: 000055c8eab15f20 R15: ffff88003584ae00
[ 11.192152] FS: 00007f649d1418c0(0000) GS:ffff88003de00000(0000) knlGS:0000000000000000
[ 11.192573] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 11.192882] CR2: 0000000000000000 CR3: 000000003d3b6000 CR4: 00000000000006f0
[ 11.193264] Stack:
[ 11.193404] 0000000000000000 ffffffff813953ba ffff88003db8bd08 ffffffff813493bd
[ 11.193837] 000000000000002f ffff88003584ae00 000055c8eab15f20 ffff88003584ae70
[ 11.194267] 000000000000002f ffff88003db8bf18 ffff88003db8bd28 ffffffff8120f878
[ 11.194700] Call Trace:
[ 11.194884] [<ffffffff813953ba>] ? apparmor_file_permission+0x1a/0x20
[ 11.195248] [<ffffffff813493bd>] ? security_file_permission+0x3d/0xc0
[ 11.195621] [<ffffffff8120f878>] __vfs_write+0x18/0x40
[ 11.195916] [<ffffffff81210209>] vfs_write+0xa9/0x1a0
[ 11.196202] [<ffffffff814f9fa0>] redirected_tty_write+0x60/0xa0
[ 11.196532] [<ffffffff814f9f40>] ? tty_write+0x2d0/0x2d0
[ 11.196830] [<ffffffff8120f5d5>] do_loop_readv_writev+0x75/0xa0
[ 11.197160] [<ffffffff814f9f40>] ? tty_write+0x2d0/0x2d0
[ 11.197458] [<ffffffff81210512>] do_readv_writev+0x212/0x230
[ 11.198439] [<ffffffff81223faf>] ? do_vfs_ioctl+0x29f/0x490
[ 11.199374] [<ffffffff812105b9>] vfs_writev+0x39/0x50
[ 11.200268] [<ffffffff812112e9>] SyS_writev+0x59/0xf0
[ 11.201144] [<ffffffff81224219>] ? SyS_ioctl+0x79/0x90
[ 11.202049] [<ffffffff81843272>] entry_SYSCALL_64_fastpath+0x16/0x71
[ 11.202980] Code: 47 02 00 00 48 8b 93 e0 01 00 00 83 e2 02 0f 85 37 02 00 00 48 83 78 50 00 0f 84 38 02 00 00 48 89 df e8 11 7f 00 00 48 89 45 b0 <48> 8b 00 48 8b 40 40 48 89 c2 48 89 45 c0 48 c7 c0 fb ff ff ff
[ 11.208047] RIP [<ffffffff814f9cf3>] tty_write+0x83/0x2d0
[ 11.208942] RSP <ffff88003db8bcc8>
[ 11.209713] CR2: 0000000000000000
[ 11.210517] ---[ end trace 3b933544655b49b8 ]---
[ 11.335210] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009
[ 11.335210]
[ 11.337095] Kernel Offset: disabled
[ 11.338184] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009
The crash occurs here
1227 static ssize_t tty_write(struct file *file, const char __user *buf,
[...]
1243 ld = tty_ldisc_ref_wait(tty);
1244 if (!ld->ops->write) // <===
1245 ret = -EIO;
1246 else
1247 ret = do_tty_write(ld->ops->write, tty, file, buf, count);
because tty_ldisc_ref_wait() returned NULL.
It seems the issue has been introduced into 4.4.0-93+ kernels
by the fix for the bug #1709126: according to the version 4.4.0-93.116
changelog the patch "tty: Destroy ldisc instance on hangup" (https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=892d1fa7eaaed9d3c04954cb140c34ebc3393932) that allowed
tty_ldisc_ref_wait() to return NULL has been backported
into the Ubuntu Linux kernel 4.4.0-93+. However, the patch
"tty: Prepare for destroying line discipline on hangup"
(https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e55afd11a48354c810caf6b6ad4c103016a88230)
from the same patchset (https://lkml.org/lkml/2015/11/27/476)
that prepares tty_ldisc_ref_wait() callers
for this hasn't been backported.
Additional info:
Kernel version:
Linux version 4.4.0-96-generic (buildd@lgw01-10) (gcc version 5.4.0
20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4) ) #119-Ubuntu SMP Tue Sep 12
14:59:54 UTC 2017
lsb_release -rd output:
Description: Ubuntu 16.04.3 LTS
Release: 16.04
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1721065/+subscriptions
