group.of.nepali.translators team mailing list archive

[Bug 1791758] Re: ldisc crash on reopened tty

 

This bug was fixed in the package linux - 4.4.0-142.168

---------------
linux (4.4.0-142.168) xenial; urgency=medium

  * linux: 4.4.0-142.168 -proposed tracker (LP: #1811846)

  * Packaging resync (LP: #1786013)
    - [Packaging] update helper scripts

  * iptables connlimit allows more connections than the limit when using
    multiple CPUs (LP: #1811094)
    - netfilter: xt_connlimit: don't store address in the conn nodes
    - SAUCE: netfilter: xt_connlimit: remove the 'addr' parameter in add_hlist()
    - netfilter: nf_conncount: expose connection list interface
    - netfilter: nf_conncount: Fix garbage collection with zones
    - netfilter: nf_conncount: fix garbage collection confirm race
    - netfilter: nf_conncount: don't skip eviction when age is negative

  * CVE-2017-5715
    - SAUCE: x86/speculation: Cleanup IBPB runtime control handling
    - SAUCE: x86/speculation: Cleanup IBRS runtime control handling
    - SAUCE: x86/speculation: Use x86_spec_ctrl_base in entry/exit code
    - SAUCE: x86/speculation: Move RSB_CTXSW hunk

  * Xenial update: 4.4.167 upstream stable release (LP: #1811077)
    - media: em28xx: Fix use-after-free when disconnecting
    - Revert "wlcore: Add missing PM call for
      wlcore_cmd_wait_for_event_or_timeout()"
    - rapidio/rionet: do not free skb before reading its length
    - s390/qeth: fix length check in SNMP processing
    - usbnet: ipheth: fix potential recvmsg bug and recvmsg bug 2
    - kvm: mmu: Fix race in emulated page table writes
    - xtensa: enable coprocessors that are being flushed
    - xtensa: fix coprocessor context offset definitions
    - Btrfs: ensure path name is null terminated at btrfs_control_ioctl
    - ALSA: wss: Fix invalid snd_free_pages() at error path
    - ALSA: ac97: Fix incorrect bit shift at AC97-SPSA control write
    - ALSA: control: Fix race between adding and removing a user element
    - ALSA: sparc: Fix invalid snd_free_pages() at error path
    - ext2: fix potential use after free
    - dmaengine: at_hdmac: fix memory leak in at_dma_xlate()
    - dmaengine: at_hdmac: fix module unloading
    - btrfs: release metadata before running delayed refs
    - USB: usb-storage: Add new IDs to ums-realtek
    - usb: core: quirks: add RESET_RESUME quirk for Cherry G230 Stream series
    - misc: mic/scif: fix copy-paste error in scif_create_remote_lookup
    - Kbuild: suppress packed-not-aligned warning for default setting only
    - exec: avoid gcc-8 warning for get_task_comm
    - disable stringop truncation warnings for now
    - kobject: Replace strncpy with memcpy
    - unifdef: use memcpy instead of strncpy
    - kernfs: Replace strncpy with memcpy
    - ip_tunnel: Fix name string concatenate in __ip_tunnel_create()
    - drm: gma500: fix logic error
    - scsi: bfa: convert to strlcpy/strlcat
    - staging: rts5208: fix gcc-8 logic error warning
    - kdb: use memmove instead of overlapping memcpy
    - iser: set sector for ambiguous mr status errors
    - uprobes: Fix handle_swbp() vs. unregister() + register() race once more
    - MIPS: ralink: Fix mt7620 nd_sd pinmux
    - mips: fix mips_get_syscall_arg o32 check
    - drm/ast: Fix incorrect free on ioregs
    - scsi: scsi_devinfo: cleanly zero-pad devinfo strings
    - ALSA: trident: Suppress gcc string warning
    - scsi: csiostor: Avoid content leaks and casts
    - kgdboc: Fix restrict error
    - kgdboc: Fix warning with module build
    - leds: call led_pwm_set() in leds-pwm to enforce default LED_OFF
    - leds: turn off the LED and wait for completion on unregistering LED class
      device
    - leds: leds-gpio: Fix return value check in create_gpio_led()
    - Input: xpad - quirk all PDP Xbox One gamepads
    - Input: matrix_keypad - check for errors from of_get_named_gpio()
    - Input: elan_i2c - add ELAN0620 to the ACPI table
    - Input: elan_i2c - add ACPI ID for Lenovo IdeaPad 330-15ARR
    - Input: elan_i2c - add support for ELAN0621 touchpad
    - btrfs: Always try all copies when reading extent buffers
    - Btrfs: fix use-after-free when dumping free space
    - ARC: change defconfig defaults to ARCv2
    - arc: [devboards] Add support of NFSv3 ACL
    - mm: cleancache: fix corruption on missed inode invalidation
    - usb: gadget: dummy: fix nonsensical comparisons
    - iommu/vt-d: Fix NULL pointer dereference in prq_event_thread()
    - iommu/ipmmu-vmsa: Fix crash on early domain free
    - can: rcar_can: Fix erroneous registration
    - batman-adv: Expand merged fragment buffer for full packet
    - bnx2x: Assign unique DMAE channel number for FW DMAE transactions.
    - qed: Fix PTT leak in qed_drain()
    - qed: Fix reading wrong value in loop condition
    - net/mlx4_core: Zero out lkey field in SW2HW_MPT fw command
    - net/mlx4_core: Fix uninitialized variable compilation warning
    - net/mlx4: Fix UBSAN warning of signed integer overflow
    - net: faraday: ftmac100: remove netif_running(netdev) check before disabling
      interrupts
    - iommu/vt-d: Use memunmap to free memremap
    - net: amd: add missing of_node_put()
    - usb: quirk: add no-LPM quirk on SanDisk Ultra Flair device
    - usb: appledisplay: Add 27" Apple Cinema Display
    - USB: check usb_get_extra_descriptor for proper size
    - ALSA: usb-audio: Fix UAF decrement if card has no live interfaces in card.c
    - ALSA: hda: Add support for AMD Stoney Ridge
    - ALSA: pcm: Fix starvation on down_write_nonblock()
    - ALSA: pcm: Call snd_pcm_unlink() conditionally at closing
    - ALSA: pcm: Fix interval evaluation with openmin/max
    - virtio/s390: avoid race on vcdev->config
    - virtio/s390: fix race in ccw_io_helper()
    - SUNRPC: Fix leak of krb5p encode pages
    - xhci: Prevent U1/U2 link pm states if exit latency is too long
    - Staging: lustre: remove two build warnings
    - cifs: Fix separator when building path from dentry
    - tty: serial: 8250_mtk: always resume the device in probe.
    - kgdboc: fix KASAN global-out-of-bounds bug in param_set_kgdboc_var()
    - mac80211_hwsim: Timer should be initialized before device registered
    - mac80211: Clear beacon_int in ieee80211_do_stop
    - mac80211: ignore tx status for PS stations in ieee80211_tx_status_ext
    - mac80211: fix reordering of buffered broadcast packets
    - mac80211: ignore NullFunc frames in the duplicate detection
    - Linux 4.4.167

  * CVE-2018-19407
    - KVM: X86: Fix scan ioapic use-before-initialization

  * cpu-hotplug test in ubuntu_kernel_selftest always return 0 on Xenial
    (LP: #1809699)
    - selftests/cpu-hotplug: exit with failure when test occured unexpected
      behaviors

  * iommu - need to effectively disable iommu if "intel_iommu=off" is passed as
    a kernel parameter (LP: #1810328)
    - iommu/vt-d: Make sure IOMMUs are off when intel_iommu=off

  * ldisc crash on reopened tty (LP: #1791758)
    - tty: fix data race between tty_init_dev and flush of buf
    - tty: Drop tty->count on tty_reopen() failure
    - tty: Hold tty_ldisc_lock() during tty_reopen()
    - tty: Don't block on IO when ldisc change is pending
    - tty: Simplify tty->count math in tty_reopen()

  * Xenial update: 4.4.166 upstream stable release (LP: #1810967)
    - usb: core: Fix hub port connection events lost
    - usb: xhci: fix timeout for transition from RExit to U0
    - MAINTAINERS: Add Sasha as a stable branch maintainer
    - iwlwifi: mvm: support sta_statistics() even on older firmware
    - v9fs_dir_readdir: fix double-free on p9stat_read error
    - bfs: add sanity check at bfs_fill_super()
    - sctp: clear the transport of some out_chunk_list chunks in
      sctp_assoc_rm_peer
    - gfs2: Don't leave s_fs_info pointing to freed memory in init_sbd
    - llc: do not use sk_eat_skb()
    - drm/ast: change resolution may cause screen blurred
    - drm/ast: fixed cursor may disappear sometimes
    - can: dev: can_get_echo_skb(): factor out non sending code to
      __can_get_echo_skb()
    - can: dev: __can_get_echo_skb(): replace struct can_frame by canfd_frame to
      access frame length
    - can: dev: __can_get_echo_skb(): Don't crash the kernel if can_priv::echo_skb
      is accessed out of bounds
    - can: dev: __can_get_echo_skb(): print error message, if trying to echo non
      existing skb
    - usb: xhci: Prevent bus suspend if a port connect change or polling state is
      detected
    - KVM: PPC: Move and undef TRACE_INCLUDE_PATH/FILE
    - cpufreq: imx6q: add return value check for voltage scale
    - SUNRPC: Fix a bogus get/put in generic_key_to_expire()
    - kdb: Use strscpy with destination buffer size
    - powerpc/numa: Suppress "VPHN is not supported" messages
    - tmpfs: make lseek(SEEK_DATA/SEK_HOLE) return ENXIO with a negative offset
    - of: add helper to lookup compatible child node
    - NFC: nfcmrvl_uart: fix OF child-node lookup
    - net: bcmgenet: fix OF child-node lookup
    - x86/entry: spell EBX register correctly in documentation
    - x86/entry/64: Remove %ebx handling from error_entry/exit
    - arm64: remove no-op -p linker flag
    - ath10k: fix kernel panic due to race in accessing arvif list
    - Input: xpad - remove spurious events of wireless xpad 360 controller
    - Input: xpad - handle "present" and "gone" correctly
    - Input: xpad - update Xbox One Force Feedback Support
    - Input: xpad - workaround dead irq_out after suspend/ resume
    - Input: xpad - use LED API when identifying wireless controllers
    - Input: xpad - correct xbox one pad device name
    - Input: xpad - remove unused function
    - Input: xpad - add Mad Catz FightStick TE 2 VID/PID
    - Input: xpad - prevent spurious input from wired Xbox 360 controllers
    - Input: xpad - add more third-party controllers
    - Input: xpad - xbox one elite controller support
    - Input: xpad - fix rumble on Xbox One controllers with 2015 firmware
    - Input: xpad - power off wireless 360 controllers on suspend
    - Input: xpad - add product ID for Xbox One S pad
    - Input: xpad - fix Xbox One rumble stopping after 2.5 secs
    - Input: xpad - correctly sort vendor id's
    - Input: xpad - move reporting xbox one home button to common function
    - Input: xpad - simplify error condition in init_output
    - Input: xpad - don't depend on endpoint order
    - Input: xpad - fix stuck mode button on Xbox One S pad
    - Input: xpad - restore LED state after device resume
    - Input: xpad - support some quirky Xbox One pads
    - Input: xpad - sort supported devices by USB ID
    - Input: xpad - sync supported devices with xboxdrv
    - Input: xpad - add USB IDs for Mad Catz Brawlstick and Razer Sabertooth
    - Input: xpad - sync supported devices with 360Controller
    - Input: xpad - sync supported devices with XBCD
    - Input: xpad - constify usb_device_id
    - Input: xpad - fix PowerA init quirk for some gamepad models
    - Input: xpad - validate USB endpoint type during probe
    - Input: xpad - add support for PDP Xbox One controllers
    - Input: xpad - add PDP device id 0x02a4
    - Input: xpad - fix some coding style issues
    - Input: xpad - avoid using __set_bit() for capabilities
    - Input: xpad - add GPD Win 2 Controller USB IDs
    - Input: xpad - fix GPD Win 2 controller name
    - Input: xpad - add support for Xbox1 PDP Camo series gamepad
    - cw1200: Don't leak memory if krealloc failes
    - mwifiex: Fix NULL pointer dereference in skb_dequeue()
    - mwifiex: fix p2p device doesn't find in scan problem
    - netfilter: nf_tables: fix oops when inserting an element into a verdict map
    - scsi: ufs: fix bugs related to null pointer access and array size
    - scsi: ufshcd: Fix race between clk scaling and ungate work
    - scsi: ufs: fix race between clock gating and devfreq scaling work
    - scsi: ufshcd: release resources if probe fails
    - scsi: qla2xxx: do not queue commands when unloading
    - iwlwifi: mvm: fix regulatory domain update when the firmware starts
    - tty: wipe buffer.
    - tty: wipe buffer if not echoing data
    - usb: xhci: fix uninitialized completion when USB3 port got wrong status
    - btrfs: Ensure btrfs_trim_fs can trim the whole filesystem
    - sched/core: Allow __sched_setscheduler() in interrupts when PI is not used
    - s390/mm: Check for valid vma before zapping in gmap_discard
    - drm/ast: Remove existing framebuffers before loading driver
    - Linux 4.4.166

  * Xenial update: 4.4.166 upstream stable release (LP: #1810967) //
    CVE-2000-1134 // CVE-2007-3852 // CVE-2008-0525 // CVE-2009-0416 //
    CVE-2011-4834 // CVE-2015-1838 // CVE-2015-7442 // CVE-2016-7489
    - namei: allow restricted O_CREAT of FIFOs and regular files

  * Xenial update: 4.4.165 upstream stable release (LP: #1810958)
    - flow_dissector: do not dissect l4 ports for fragments
    - ip_tunnel: don't force DF when MTU is locked
    - net-gro: reset skb->pkt_type in napi_reuse_skb()
    - tg3: Add PHY reset for 5717/5719/5720 in change ring and flow control paths
    - ipv6: Fix PMTU updates for UDP/raw sockets in presence of VRF
    - kbuild: Add better clang cross build support
    - kbuild: clang: add -no-integrated-as to KBUILD_[AC]FLAGS
    - kbuild: Consolidate header generation from ASM offset information
    - kbuild: consolidate redundant sed script ASM offset generation
    - kbuild: fix asm-offset generation to work with clang
    - kbuild: drop -Wno-unknown-warning-option from clang options
    - kbuild, LLVMLinux: Add -Werror to cc-option to support clang
    - kbuild: use -Oz instead of -Os when using clang
    - kbuild: Add support to generate LLVM assembly files
    - modules: mark __inittest/__exittest as __maybe_unused
    - kbuild: clang: Disable 'address-of-packed-member' warning
    - crypto: arm64/sha - avoid non-standard inline asm tricks
    - efi/libstub/arm64: Force 'hidden' visibility for section markers
    - efi/libstub/arm64: Set -fpie when building the EFI stub
    - kbuild: fix linker feature test macros when cross compiling with Clang
    - kbuild: Set KBUILD_CFLAGS before incl. arch Makefile
    - kbuild: move cc-option and cc-disable-warning after incl. arch Makefile
    - kbuild: clang: fix build failures with sparse check
    - kbuild: clang: remove crufty HOSTCFLAGS
    - kbuild: clang: disable unused variable warnings only when constant
    - kbuild: set no-integrated-as before incl. arch Makefile
    - kbuild: allow to use GCC toolchain not in Clang search path
    - arm64: Disable asm-operand-width warning for clang
    - x86/kbuild: Use cc-option to enable -falign-{jumps/loops}
    - crypto, x86: aesni - fix token pasting for clang
    - x86/mm/kaslr: Use the _ASM_MUL macro for multiplication to work around Clang
      incompatibility
    - kbuild: Add __cc-option macro
    - x86/build: Use __cc-option for boot code compiler options
    - x86/build: Specify stack alignment for clang
    - x86/boot: #undef memcpy() et al in string.c
    - x86/build: Fix stack alignment for CLang
    - x86/build: Use cc-option to validate stack alignment parameter
    - reiserfs: propagate errors from fill_with_dentries() properly
    - hfs: prevent btree data loss on root split
    - hfsplus: prevent btree data loss on root split
    - um: Give start_idle_thread() a return code
    - fs/exofs: fix potential memory leak in mount option parsing
    - clk: samsung: exynos5420: Enable PERIS clocks for suspend
    - platform/x86: acerhdf: Add BIOS entry for Gateway LT31 v1.3307
    - arm64: percpu: Initialize ret in the default case
    - s390/vdso: add missing FORCE to build targets
    - netfilter: ipset: actually allow allowable CIDR 0 in hash:net,port,net
    - s390/mm: Fix ERROR: "__node_distance" undefined!
    - netfilter: ipset: Correct rcu_dereference() call in ip_set_put_comment()
    - netfilter: xt_IDLETIMER: add sysfs filename checking routine
    - hwmon: (ibmpowernv) Remove bogus __init annotations
    - lib/raid6: Fix arm64 test build
    - zram: close udev startup race condition as default groups
    - SUNRPC: drop pointless static qualifier in xdr_get_next_encode_buffer()
    - gfs2: Put bitmap buffers in put_super
    - btrfs: fix pinned underflow after transaction aborted
    - Revert "media: videobuf2-core: don't call memop 'finish' when queueing"
    - media: v4l: event: Add subscription to list before calling "add" operation
    - uio: Fix an Oops on load
    - usb: cdc-acm: add entry for Hiro (Conexant) modem
    - USB: quirks: Add no-lpm quirk for Raydium touchscreens
    - usb: quirks: Add delay-init quirk for Corsair K70 LUX RGB
    - misc: atmel-ssc: Fix section annotation on atmel_ssc_get_driver_data
    - USB: misc: appledisplay: add 20" Apple Cinema Display
    - drivers/misc/sgi-gru: fix Spectre v1 vulnerability
    - ACPI / platform: Add SMB0001 HID to forbidden_id_list
    - new helper: uaccess_kernel()
    - HID: uhid: forbid UHID_CREATE under KERNEL_DS or elevated privileges
    - xhci: Fix USB3 NULL pointer dereference at logical disconnect.
    - Linux 4.4.165

  * Xenial update: 4.4.164 upstream stable release (LP: #1810947)
    - bcache: fix miss key refill->end in writeback
    - hwmon: (pmbus) Fix page count auto-detection.
    - jffs2: free jffs2_sb_info through jffs2_kill_sb()
    - pcmcia: Implement CLKRUN protocol disabling for Ricoh bridges
    - ipmi: Fix timer race with module unload
    - parisc: Fix address in HPMC IVA
    - parisc: Fix map_pages() to not overwrite existing pte entries
    - ALSA: hda - Add mic quirk for the Lenovo G50-30 (17aa:3905)
    - ALSA: ca0106: Disable IZD on SB0570 DAC to fix audio pops
    - x86/corruption-check: Fix panic in memory_corruption_check() when boot
      option without value is provided
    - x86/kconfig: Fall back to ticket spinlocks
    - [Config] Remove CONFIG{,_ARCH_USE}_QUEUED_SPINLOCKS
    - sparc: Fix single-pcr perf event counter management.
    - x86/fpu: Remove second definition of fpu in __fpu__restore_sig()
    - net: qla3xxx: Remove overflowing shift statement
    - selftests: ftrace: Add synthetic event syntax testcase
    - locking/lockdep: Fix debug_locks off performance problem
    - ataflop: fix error handling during setup
    - swim: fix cleanup on setup error
    - tun: Consistently configure generic netdev params via rtnetlink
    - perf tools: Free temporary 'sys' string in read_event_files()
    - perf tools: Cleanup trace-event-info 'tdata' leak
    - mmc: sdhci-pci-o2micro: Add quirk for O2 Micro dev 0x8620 rev 0x01
    - Bluetooth: btbcm: Add entry for BCM4335C0 UART bluetooth
    - x86: boot: Fix EFI stub alignment
    - pinctrl: qcom: spmi-mpp: Fix err handling of pmic_mpp_set_mux
    - kprobes: Return error if we fail to reuse kprobe instead of BUG_ON()
    - ACPI / LPSS: Add alternative ACPI HIDs for Cherry Trail DMA controllers
    - pinctrl: qcom: spmi-mpp: Fix drive strength setting
    - pinctrl: spmi-mpp: Fix pmic_mpp_config_get() to be compliant
    - pinctrl: ssbi-gpio: Fix pm8xxx_pin_config_get() to be compliant
    - ath10k: schedule hardware restart if WMI command times out
    - scsi: esp_scsi: Track residual for PIO transfers
    - scsi: megaraid_sas: fix a missing-check bug
    - tpm: suppress transmit cmd error logs when TPM 1.2 is disabled/deactivated
    - ext4: fix argument checking in EXT4_IOC_MOVE_EXT
    - MD: fix invalid stored role for a disk
    - usb: chipidea: Prevent unbalanced IRQ disable
    - driver/dma/ioat: Call del_timer_sync() without holding prep_lock
    - uio: ensure class is registered before devices
    - scsi: lpfc: Correct soft lockup when running mds diagnostics
    - signal: Always deliver the kernel's SIGKILL and SIGSTOP to a pid namespace
      init
    - dmaengine: dma-jz4780: Return error if not probed from DT
    - ALSA: hda: Check the non-cached stream buffers more explicitly
    - xen-swiotlb: use actually allocated size on check physical continuous
    - tpm: Restore functionality to xen vtpm driver.
    - xen: fix race in xen_qlock_wait()
    - xen: make xen_qlock_wait() nestable
    - net/ipv4: defensive cipso option parsing
    - libnvdimm: Hold reference on parent while scheduling async init
    - jbd2: fix use after free in jbd2_log_do_checkpoint()
    - gfs2_meta: ->mount() can get NULL dev_name
    - ext4: initialize retries variable in ext4_da_write_inline_data_begin()
    - HID: hiddev: fix potential Spectre v1
    - PCI: Add Device IDs for Intel GPU "spurious interrupt" quirk
    - signal/GenWQE: Fix sending of SIGKILL
    - crypto: lrw - Fix out-of bounds access on counter overflow
    - ima: fix showing large 'violations' or 'runtime_measurements_count'
    - hugetlbfs: dirty pages as they are added to pagecache
    - kbuild: fix kernel/bounds.c 'W=1' warning
    - iio: adc: at91: fix acking DRDY irq on simple conversions
    - iio: adc: at91: fix wrong channel number in triggered buffer mode
    - w1: omap-hdq: fix missing bus unregister at removal
    - smb3: allow stats which track session and share reconnects to be reset
    - smb3: do not attempt cifs operation in smb3 query info error path
    - smb3: on kerberos mount if server doesn't specify auth type use krb5
    - printk: Fix panic caused by passing log_buf_len to command line
    - genirq: Fix race on spurious interrupt detection
    - NFSv4.1: Fix the r/wsize checking
    - nfsd: Fix an Oops in free_session()
    - lockd: fix access beyond unterminated strings in prints
    - dm ioctl: harden copy_params()'s copy_from_user() from malicious users
    - powerpc/msi: Fix compile error on mpc83xx
    - MIPS: OCTEON: fix out of bounds array access on CN68XX
    - TC: Set DMA masks for devices
    - kgdboc: Passing ekgdboc to command line causes panic
    - xen: fix xen_qlock_wait()
    - media: em28xx: use a default format if TRY_FMT fails
    - media: em28xx: fix input name for Terratec AV 350
    - media: em28xx: make v4l2-compliance happier by starting sequence on zero
    - ext4: avoid running out of journal credits when appending to an inline file
    - Cramfs: fix abad comparison when wrap-arounds occur
    - arm64: dts: stratix10: Correct System Manager register size
    - soc/tegra: pmc: Fix child-node lookup
    - btrfs: Handle owner mismatch gracefully when walking up tree
    - btrfs: locking: Add extra check in btrfs_init_new_buffer() to avoid deadlock
    - btrfs: iterate all devices during trim, instead of fs_devices::alloc_list
    - btrfs: don't attempt to trim devices that don't support it
    - btrfs: wait on caching when putting the bg cache
    - btrfs: reset max_extent_size on clear in a bitmap
    - btrfs: make sure we create all new block groups
    - Btrfs: fix wrong dentries after fsync of file that got its parent replaced
    - btrfs: qgroup: Dirty all qgroups before rescan
    - Btrfs: fix null pointer dereference on compressed write path error
    - btrfs: set max_extent_size properly
    - MD: fix invalid stored role for a disk - try2
    - tty: check name length in tty_find_polling_driver()
    - powerpc/nohash: fix undefined behaviour when testing page size support
    - drm/omap: fix memory barrier bug in DMM driver
    - media: pci: cx23885: handle adding to list failure
    - MIPS: kexec: Mark CPU offline before disabling local IRQ
    - powerpc/boot: Ensure _zimage_start is a weak symbol
    - sc16is7xx: Fix for multi-channel stall
    - media: tvp5150: fix width alignment during set_selection()
    - 9p locks: fix glock.client_id leak in do_lock
    - 9p: clear dangling pointers in p9stat_free
    - scsi: qla2xxx: Fix incorrect port speed being set for FC adapters
    - fuse: Fix use-after-free in fuse_dev_do_read()
    - fuse: Fix use-after-free in fuse_dev_do_write()
    - fuse: fix blocked_waitq wakeup
    - fuse: set FR_SENT while locked
    - mm, elf: handle vm_brk error
    - binfmt_elf: fix calculations for bss padding
    - mm: refuse wrapped vm_brk requests
    - fs, elf: make sure to page align bss in load_elf_library
    - mm: do not bug_on on incorrect length in __mm_populate()
    - e1000: avoid null pointer dereference on invalid stat type
    - e1000: fix race condition between e1000_down() and e1000_watchdog
    - bna: ethtool: Avoid reading past end of buffer
    - MIPS: Loongson-3: Fix CPU UART irq delivery problem
    - MIPS: Loongson-3: Fix BRIDGE irq delivery problem
    - xtensa: add NOTES section to the linker script
    - xtensa: make sure bFLT stack is 16 byte aligned
    - xtensa: fix boot parameters address translation
    - clk: s2mps11: Fix matching when built as module and DT node contains
      compatible
    - libceph: bump CEPH_MSG_MAX_DATA_LEN
    - mach64: fix display corruption on big endian machines
    - mach64: fix image corruption due to reading accelerator registers
    - vhost/scsi: truncate T10 PI iov_iter to prot_bytes
    - ocfs2: fix a misuse a of brelse after failing ocfs2_check_dir_entry
    - mm: thp: relax __GFP_THISNODE for MADV_HUGEPAGE mappings
    - mtd: docg3: don't set conflicting BCH_CONST_PARAMS option
    - termios, tty/tty_baudrate.c: fix buffer overrun
    - arch/alpha, termios: implement BOTHER, IBSHIFT and termios2
    - Btrfs: fix data corruption due to cloning of eof block
    - clockevents/drivers/i8253: Add support for PIT shutdown quirk
    - ext4: add missing brelse() update_backups()'s error path
    - ext4: add missing brelse() in set_flexbg_block_bitmap()'s error path
    - ext4: add missing brelse() add_new_gdb_meta_bg()'s error path
    - ext4: avoid potential extra brelse in setup_new_flex_group_blocks()
    - ext4: fix possible inode leak in the retry loop of ext4_resize_fs()
    - ext4: avoid buffer leak in ext4_orphan_add() after prior errors
    - ext4: fix missing cleanup if ext4_alloc_flex_bg_array() fails while resizing
    - ext4: avoid possible double brelse() in add_new_gdb() on error path
    - ext4: fix possible leak of sbi->s_group_desc_leak in error path
    - ext4: release bs.bh before re-using in ext4_xattr_block_find()
    - ext4: fix buffer leak in ext4_xattr_move_to_block() on error path
    - ext4: fix buffer leak in __ext4_read_dirblock() on error path
    - mount: Prevent MNT_DETACH from disconnecting locked mounts
    - sunrpc: correct the computation for page_ptr when truncating
    - rtc: hctosys: Add missing range error reporting
    - fuse: fix leaked notify reply
    - configfs: replace strncpy with memcpy
    - hugetlbfs: fix kernel BUG at fs/hugetlbfs/inode.c:444!
    - mm: migration: fix migration of huge PMD shared pages
    - drm/rockchip: Allow driver to be shutdown on reboot/kexec
    - drm/dp_mst: Check if primary mstb is null
    - drm/i915/hdmi: Add HDMI 2.0 audio clock recovery N values
    - Linux 4.4.164

  * Xenial update: 4.4.163 upstream stable release (LP: #1810807)
    - xfrm: Validate address prefix lengths in the xfrm selector.
    - xfrm6: call kfree_skb when skb is toobig
    - mac80211: Always report TX status
    - cfg80211: reg: Init wiphy_idx in regulatory_hint_core()
    - ARM: 8799/1: mm: fix pci_ioremap_io() offset check
    - xfrm: validate template mode
    - mac80211_hwsim: do not omit multicast announce of first added radio
    - Bluetooth: SMP: fix crash in unpairing
    - pxa168fb: prepare the clock
    - asix: Check for supported Wake-on-LAN modes
    - ax88179_178a: Check for supported Wake-on-LAN modes
    - lan78xx: Check for supported Wake-on-LAN modes
    - sr9800: Check for supported Wake-on-LAN modes
    - r8152: Check for supported Wake-on-LAN Modes
    - smsc75xx: Check for Wake-on-LAN modes
    - smsc95xx: Check for Wake-on-LAN modes
    - perf/ring_buffer: Prevent concurent ring buffer access
    - net: cxgb3_main: fix a missing-check bug
    - KEYS: put keyring if install_session_keyring_to_cred() fails
    - ipv6: suppress sparse warnings in IP6_ECN_set_ce()
    - net: drop write-only stack variable
    - ser_gigaset: use container_of() instead of detour
    - tracing: Skip more functions when doing stack tracing of events
    - ARM: dts: apq8064: add ahci ports-implemented mask
    - x86/mm/pat: Prevent hang during boot when mapping pages
    - radix-tree: fix radix_tree_iter_retry() for tagged iterators.
    - af_iucv: Move sockaddr length checks to before accessing sa_family in bind
      and connect handlers
    - net/mlx4_en: Resolve dividing by zero in 32-bit system
    - ipv6: orphan skbs in reassembly unit
    - um: Avoid longjmp/setjmp symbol clashes with libpthread.a
    - sched/cgroup: Fix cgroup entity load tracking tear-down
    - btrfs: don't create or leak aliased root while cleaning up orphans
    - thermal: allow spear-thermal driver to be a module
    - thermal: allow u8500-thermal driver to be a module
    - x86/PCI: Mark Broadwell-EP Home Agent 1 as having non-compliant BARs
    - aacraid: Start adapter after updating number of MSIX vectors
    - perf/core: Don't leak event in the syscall error path
    - usbvision: revert commit 588afcc1
    - MIPS: Fix FCSR Cause bit handling for correct SIGFPE issue
    - ASoC: ak4613: Enable cache usage to fix crashes on resume
    - ASoC: wm8940: Enable cache usage to fix crashes on resume
    - CIFS: handle guest access errors to Windows shares
    - arm64: Fix potential race with hardware DBM in ptep_set_access_flags()
    - xfrm: Clear sk_dst_cache when applying per-socket policy.
    - scsi: Add STARGET_CREATED_REMOVE state to scsi_target_state
    - sparc/pci: Refactor dev_archdata initialization into pci_init_dev_archdata
    - sch_red: update backlog as well
    - usb-storage: fix bogus hardware error messages for ATA pass-thru devices
    - bpf: generally move prog destruction to RCU deferral
    - drm/nouveau/fbcon: fix oops without fbdev emulation
    - fuse: Dont call set_page_dirty_lock() for ITER_BVEC pages for async_dio
    - net/mlx5e: Fix LRO modify
    - net/mlx5e: Correctly handle RSS indirection table when changing number of
      channels
    - ALSA: timer: Fix zero-division by continue of uninitialized instance
    - vti6: flush x-netns xfrm cache when vti interface is removed
    - brcmfmac: Fix glom_skb leak in brcmf_sdiod_recv_chain
    - l2tp: hold socket before dropping lock in l2tp_ip{, 6}_recv()
    - tty: serial: sprd: fix error return code in sprd_probe()
    - video: fbdev: pxa3xx_gcu: fix error return code in pxa3xx_gcu_probe()
    - sparc64 mm: Fix more TSB sizing issues
    - gpu: host1x: fix error return code in host1x_probe()
    - sparc64: Fix exception handling in UltraSPARC-III memcpy.
    - gpio: msic: fix error return code in platform_msic_gpio_probe()
    - usb: imx21-hcd: fix error return code in imx21_probe()
    - usb: ehci-omap: fix error return code in ehci_hcd_omap_probe()
    - usb: dwc3: omap: fix error return code in dwc3_omap_probe()
    - spi/bcm63xx-hspi: fix error return code in bcm63xx_hsspi_probe()
    - MIPS: Handle non word sized instructions when examining frame
    - spi/bcm63xx: fix error return code in bcm63xx_spi_probe()
    - spi: xlp: fix error return code in xlp_spi_probe()
    - ASoC: spear: fix error return code in spdif_in_probe()
    - PM / devfreq: tegra: fix error return code in tegra_devfreq_probe()
    - bonding: avoid defaulting hard_header_len to ETH_HLEN on slave removal
    - scsi: aacraid: Fix typo in blink status
    - MIPS: microMIPS: Fix decoding of swsp16 instruction
    - igb: Remove superfluous reset to PHY and page 0 selection
    - MIPS: DEC: Fix an int-handler.S CPU_DADDI_WORKAROUNDS regression
    - ARM: dts: imx53-qsb: disable 1.2GHz OPP
    - fs/fat/fatent.c: add cond_resched() to fat_count_free_clusters()
    - mtd: spi-nor: Add support for is25wp series chips
    - perf tools: Disable parallelism for 'make clean'
    - bridge: do not add port to router list when receives query with source
      0.0.0.0
    - net: bridge: remove ipv6 zero address check in mcast queries
    - ipv6: mcast: fix a use-after-free in inet6_mc_check
    - ipv6/ndisc: Preserve IPv6 control buffer if protocol error handlers are
      called
    - net/ipv6: Fix index counter for unicast addresses in in6_dump_addrs
    - net: sched: gred: pass the right attribute to gred_change_table_def()
    - net: socket: fix a missing-check bug
    - net: stmmac: Fix stmmac_mdio_reset() when building stmmac as modules
    - r8169: fix NAPI handling under high load
    - sctp: fix race on sctp_id2asoc
    - net: drop skb on failure in ip_check_defrag()
    - vhost: Fix Spectre V1 vulnerability
    - rtnetlink: Disallow FDB configuration for non-Ethernet device
    - mremap: properly flush TLB before releasing the page
    - crypto: shash - Fix a sleep-in-atomic bug in shash_setkey_unaligned
    - ahci: don't ignore result code of ahci_reset_controller()
    - cachefiles: fix the race between cachefiles_bury_object() and rmdir(2)
    - ptp: fix Spectre v1 vulnerability
    - RDMA/ucma: Fix Spectre v1 vulnerability
    - IB/ucm: Fix Spectre v1 vulnerability
    - cdc-acm: correct counting of UART states in serial state notification
    - usb: gadget: storage: Fix Spectre v1 vulnerability
    - USB: fix the usbfs flag sanitization for control transfers
    - Input: elan_i2c - add ACPI ID for Lenovo IdeaPad 330-15IGM
    - sched/fair: Fix throttle_list starvation with low CFS quota
    - x86/percpu: Fix this_cpu_read()
    - cpuidle: Do not access cpuidle_devices when !CONFIG_CPU_IDLE
    - l2tp: hold tunnel socket when handling control frames in l2tp_ip and
      l2tp_ip6
    - x86/time: Correct the attribute on jiffies' definition
    - Linux 4.4.163

  * nvme - Polling on timeout (LP: #1807393)
    - nvme/pci: Poll CQ on timeout

  * Xenial: data corruption when using i40e with iommu (LP: #1802421)
    - i40e: Drop packet split receive routine

  * Fix Intel I210 doesn't work when ethernet cable gets plugged (LP: #1806818)
    - igb: Fix an issue that PME is not enabled during runtime suspend

 -- Kleber Sacilotto de Souza <kleber.souza@xxxxxxxxxxxxx>  Wed, 16 Jan 2019 17:35:06 +0100

** Changed in: linux (Ubuntu Cosmic)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1791758

Title:
  ldisc crash on reopened tty

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Trusty:
  Won't Fix
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Bionic:
  Fix Released
Status in linux source package in Cosmic:
  Fix Released

Bug description:
  [Impact]

  * Line discipline code is racy when we have a buffer being flushed while
  the tty is being initialized or reinitialized. For the first problem,
  we have an upstream patch since January 2018: b027e2298bd5 ("tty: fix
  data race between tty_init_dev and flush of buf") - although it is not
  in Ubuntu kernel 4.4, only in kernels 4.15 and subsequent ones.

  * For the race between the buffer flush while tty is being reopened,
  we have a patch that addresses this issue recently merged for 5.0-rc1:
  83d817f41070 ("tty: Hold tty_ldisc_lock() during tty_reopen()"). No
  Ubuntu kernel currently contains this patch, hence we're hereby
  submitting the SRU request. The upstream complete patch series for
  this is in [0].

  * The approach of both patches is similar - they rely on
  locking/semaphore to prevent race conditions. Some additional patches
  are necessary to prevent correlated issues, like preventing a
  potential deadlock due to bad prioritization in servicing I/O over
  releasing tty_ldisc_lock() - refer to c96cf923a98d ("tty: Don't block
  on IO when ldisc change is pending"). All the necessary fixes are
  grouped here in this SRU request.

  * The symptom of the race condition between the buffer flush and the
  tty reopen routine is a kernel crash with the following trace:

  BUG: unable to handle kernel paging request at 0000000000002268
  IP: [<addr>] n_tty_receive_buf_common+0x6a/0xae0
  [...]
  Call Trace:
  [<addr>] ? kvm_sched_clock_read+0x1e/0x30
  [<addr>] n_tty_receive_buf2+0x14/0x20
  [<addr>] flush_to_ldisc+0xd5/0x120
  [<addr>] process_one_work+0x156/0x400
  [<addr>] worker_thread+0x11a/0x480
  [...]

  * A kernel crash was collected from a user; analysis is present in
  comment #4 in this LP.

  [Test Case]

  * It is not trivial to trigger this fault, but the usual recipe is to
  keep accessing a machine through SSH (or keep killing getty when in
  IPMI serial console) and in some way run commands before the terminal
  is ready in that machine (like hacking some echo into ttySx or pts in
  an infinite loop).

  * We have reports of users that could reproduce this issue in their
  production environment, and with the patches present in this SRU
  request the problem was fixed.

  [Regression Potential]

  * tty subsystem is highly central and patches in that area are always
  delicate. For example, the upstream series [0] is a re-spin (V6) due
  to a hard to reproduce issue reported in the PA-RISC architecture,
  which was found in the V5 iteration [1] but was fixed by the patch
  c96cf923a98d, present in this SRU request.

  * The patchset [0] is present in tty-next tree since mid-November, and
  the patch b027e2298bd5 is available upstream since January/2018 (it's
  available in both Ubuntu kernels 4.15 and 4.18), so the overall
  likelihood of regressions is low.

  * These patches were sniff-tested for the 3 versions (4.4, 4.15 and
  4.18) and didn't show any issues.

  [0] https://marc.info/?l=linux-kernel&m=154103190111795
  [1] https://marc.info/?l=linux-kernel&m=153737852618183

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1791758/+subscriptions
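
The crash signature quoted in the bug description (a fault in n_tty_receive_buf_common reached from flush_to_ldisc) can be used to triage kernel logs from hosts that may have hit this race. This is an added example, not part of the bug report or the kernel: the log lines are constructed from the quoted trace, `some_other_function` is a made-up symbol, and the names `parse_oopses` and `find_ldisc_race` are hypothetical.

```python
import re

# Constructed sample: the trace from the bug description with dmesg-style
# timestamps added, followed by an unrelated oops that must not match.
SAMPLE_LOG = """\
[  101.000001] BUG: unable to handle kernel paging request at 0000000000002268
[  101.000002] IP: [<addr>] n_tty_receive_buf_common+0x6a/0xae0
[  101.000003] Call Trace:
[  101.000004] [<addr>] ? kvm_sched_clock_read+0x1e/0x30
[  101.000005] [<addr>] n_tty_receive_buf2+0x14/0x20
[  101.000006] [<addr>] flush_to_ldisc+0xd5/0x120
[  250.000001] BUG: unable to handle kernel paging request at 0000000000000010
[  250.000002] IP: [<addr>] some_other_function+0x10/0x40
[  250.000003] Call Trace:
[  250.000004] [<addr>] process_one_work+0x156/0x400
"""

OOPS_START = re.compile(r"BUG: unable to handle kernel \S.* at (\S+)")
IP_LINE = re.compile(r"\bIP: \[<[^>]+>\] ([\w.]+)\+0x")
FRAME = re.compile(r"\[<[^>]+>\] (\? )?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")

def parse_oopses(log_text):
    """Split a kernel log into oops records: fault address, IP symbol, frames."""
    oopses, cur, in_trace = [], None, False
    for line in log_text.splitlines():
        start = OOPS_START.search(line)
        if start:
            cur = {"fault_addr": start.group(1), "ip": None, "frames": []}
            oopses.append(cur)
            in_trace = False
        elif cur is None:
            continue
        elif "Call Trace:" in line:
            in_trace = True
        elif in_trace:
            frame = FRAME.search(line)
            if frame:  # a leading "? " marks a frame the unwinder is unsure of
                cur["frames"].append((frame.group(2), frame.group(1) is None))
        elif cur["ip"] is None:
            ip = IP_LINE.search(line)
            if ip:
                cur["ip"] = ip.group(1)
    return oopses

def find_ldisc_race(log_text):
    """Return oopses faulting in n_tty_receive_buf_common via flush_to_ldisc."""
    return [o for o in parse_oopses(log_text)
            if o["ip"] == "n_tty_receive_buf_common"
            and ("flush_to_ldisc", True) in o["frames"]]
```

Real logs carry hexadecimal addresses where the bug report shows `<addr>`; the patterns accept both.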