
kernel-packages team mailing list archive

[Bug 1519897] Re: [Hyper-V] hv: vmbus: Fix a host signaling bug

 

This bug was fixed in the package linux-lts-trusty -
3.13.0-79.123~precise1

---------------
linux-lts-trusty (3.13.0-79.123~precise1) precise; urgency=low

  [ Seth Forshee ]

  * SAUCE: cred: Add clone_cred() interface
    - LP: #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Use mounter's credentials instead of full kernel
    credentials
    - LP: #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.*
    xattrs
    - LP: #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Be more careful about copying up sxid files
    - LP: #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Propogate nosuid from lower and upper mounts
    - LP: #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576

linux (3.13.0-78.122) trusty; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1540559

  [ Eric Dumazet ]

  * SAUCE: (no-up) udp: properly support MSG_PEEK with truncated buffers
    - LP: #1527902

  [ J. R. Okajima ]

  * SAUCE: ubuntu: aufs: tiny, extract a new func xino_fwrite_wkq()
    - LP: #1533043
  * SAUCE: ubuntu: aufs: for 4.3, XINO handles EINTR from the dying process
    - LP: #1533043

  [ Upstream Kernel Changes ]

  * Revert "[stable-only] net: add length argument to
    skb_copy_and_csum_datagram_iovec"
    - LP: #1538756
  * unregister_netdevice : move RTM_DELLINK to until after ndo_uninit
    - LP: #1525324
  * rtnetlink: delay RTM_DELLINK notification until after ndo_uninit()
    - LP: #1525324
  * Drivers: hv: Eliminate the channel spinlock in the callback path
    - LP: #1519897
  * Drivers: hv: vmbus: Implement per-CPU mapping of relid to channel
    - LP: #1519897
  * Drivers: hv: vmbus: Suport an API to send pagebuffers with additional
    control
    - LP: #1519897
  * Drivers: hv: vmbus: Suport an API to send packet with additional
    control
    - LP: #1519897
  * Drivers: hv: vmbus: Export the vmbus_sendpacket_pagebuffer_ctl()
    - LP: #1519897
  * Drivers: hv: vmbus: Fix a siganlling host signalling issue
    - LP: #1519897
  * Drivers: hv: vmbus: Fix a Host signaling bug
    - LP: #1519897
  * ARC: Fix silly typo in MAINTAINERS file
    - LP: #1538756
  * ip6mr: call del_timer_sync() in ip6mr_free_table()
    - LP: #1538756
  * gre6: allow to update all parameters via rtnl
    - LP: #1538756
  * atl1c: Improve driver not to do order 4 GFP_ATOMIC allocation
    - LP: #1538756
  * sctp: use the same clock as if sock source timestamps were on
    - LP: #1538756
  * sctp: update the netstamp_needed counter when copying sockets
    - LP: #1538756
  * ipv6: sctp: clone options to avoid use after free
    - LP: #1538756
  * net: add validation for the socket syscall protocol argument
    - LP: #1538756
  * sh_eth: fix kernel oops in skb_put()
    - LP: #1538756
  * pptp: verify sockaddr_len in pptp_bind() and pptp_connect()
    - LP: #1538756
  * bluetooth: Validate socket address length in sco_sock_bind().
    - LP: #1538756
  * af_unix: Revert 'lock_interruptible' in stream receive code
    - LP: #1538756
  * KEYS: Fix race between read and revoke
    - LP: #1538756
  * tools: Add a "make all" rule
    - LP: #1538756
  * efi: Disable interrupts around EFI calls, not in the epilog/prolog
    calls
    - LP: #1538756
  * net: ipmr: fix static mfc/dev leaks on table destruction
    - LP: #1538756
  * fuse: break infinite loop in fuse_fill_write_pages()
    - LP: #1538756
  * usb: gadget: pxa27x: fix suspend callback
    - LP: #1538756
  * iio: fix some warning messages
    - LP: #1538756
  * USB: cp210x: Remove CP2110 ID from compatibility list
    - LP: #1538756
  * USB: cdc_acm: Ignore Infineon Flash Loader utility
    - LP: #1538756
  * USB: serial: Another Infineon flash loader USB ID
    - LP: #1538756
  * ext4: Fix handling of extended tv_sec
    - LP: #1538756
  * jbd2: Fix unreclaimed pages after truncate in data=journal mode
    - LP: #1538756
  * drm/ttm: Fixed a read/write lock imbalance
    - LP: #1538756
  * i2c: mv64xxx: The n clockdiv factor is 0 based on sunxi SoCs
    - LP: #1538756
  * AHCI: Fix softreset failed issue of Port Multiplier
    - LP: #1538756
  * sata_sil: disable trim
    - LP: #1538756
  * staging: lustre: echo_copy.._lsm() dereferences userland pointers
    directly
    - LP: #1538756
  * irqchip/versatile-fpga: Fix PCI IRQ mapping on Versatile PB
    - LP: #1538756
  * usb: core : hub: Fix BOS 'NULL pointer' kernel panic
    - LP: #1538756
  * USB: whci-hcd: add check for dma mapping error
    - LP: #1538756
  * usb: Use the USB_SS_MULT() macro to decode burst multiplier for log
    message
    - LP: #1538756
  * dm btree: fix leak of bufio-backed block in btree_split_sibling error
    path
    - LP: #1538756
  * SCSI: Fix NULL pointer dereference in runtime PM
    - LP: #1538756
  * usb: xhci: fix config fail of FS hub behind a HS hub with MTT
    - LP: #1538756
  * ALSA: rme96: Fix unexpected volume reset after rate changes
    - LP: #1538756
  * ALSA: hda - Add inverted dmic for Packard Bell DOTS
    - LP: #1523232, #1538756
  * virtio: fix memory leak of virtio ida cache layers
    - LP: #1538756
  * 9p: ->evict_inode() should kick out ->i_data, not ->i_mapping
    - LP: #1538756
  * radeon/cik: Fix GFX IB test on Big-Endian
    - LP: #1538756
  * crypto: skcipher - Copy iv from desc even for 0-len walks
    - LP: #1538756
  * dm thin metadata: fix bug when taking a metadata snapshot
    - LP: #1538756
  * dm space map metadata: fix ref counting bug when bootstrapping a new
    space map
    - LP: #1538756
  * ipmi: move timer init to before irq is setup
    - LP: #1538756
  * KVM: PPC: Book3S HV: Prohibit setting illegal transaction state in MSR
    - LP: #1538756
  * rfkill: copy the name into the rfkill struct
    - LP: #1538756
  * dm btree: fix bufio buffer leaks in dm_btree_del() error path
    - LP: #1538756
  * ses: Fix problems with simple enclosures
    - LP: #1538756
  * vgaarb: fix signal handling in vga_get()
    - LP: #1538756
  * ses: fix additional element traversal bug
    - LP: #1538756
  * xhci: fix usb2 resume timing and races.
    - LP: #1538756
  * USB: add quirk for devices with broken LPM
    - LP: #1538756
  * powercap / RAPL: fix BIOS lock check
    - LP: #1538756
  * parisc iommu: fix panic due to trying to allocate too large region
    - LP: #1538756
  * mm, vmstat: allow WQ concurrency to discover memory reclaim doesn't
    make any progress
    - LP: #1538756
  * mm: hugetlb: call huge_pte_alloc() only if ptep is null
    - LP: #1538756
  * drivers/base/memory.c: prohibit offlining of memory blocks with missing
    sections
    - LP: #1538756
  * sh64: fix __NR_fgetxattr
    - LP: #1538756
  * n_tty: Fix poll() after buffer-limited eof push read
    - LP: #1538756
  * tty: Fix GPF in flush_to_ldisc()
    - LP: #1538756
  * genirq: Prevent chip buslock deadlock
    - LP: #1538756
  * ALSA: usb-audio: Add a more accurate volume quirk for AudioQuest
    DragonFly
    - LP: #1538756
  * ARM: 8471/1: need to save/restore arm register(r11) when it is
    corrupted
    - LP: #1538756
  * spi: fix parent-device reference leak
    - LP: #1538756
  * scripts: recordmcount: break hardlinks
    - LP: #1538756
  * ftrace/scripts: Have recordmcount copy the object file
    - LP: #1538756
  * ARC: dw2 unwind: Reinstante unwinding out of modules
    - LP: #1538756
  * ARC: dw2 unwind: Ignore CIE version !=1 gracefully instead of bailing
    - LP: #1538756
  * ALSA: hda - Set SKL+ hda controller power at freeze() and thaw()
    - LP: #1538756
  * s390/dis: Fix handling of format specifiers
    - LP: #1538756
  * USB: ipaq.c: fix a timeout loop
    - LP: #1538756
  * USB: fix invalid memory access in hub_activate()
    - LP: #1538756
  * x86/mce: Ensure offline CPUs don't participate in rendezvous process
    - LP: #1538756
  * parisc: Fix syscall restarts
    - LP: #1538756
  * ALSA: hda/realtek - Fix silent headphone output on MacPro 4,1 (v2)
    - LP: #1538756
  * ASoC: arizona: Fix bclk for sample rates that are multiple of 4kHz
    - LP: #1538756
  * mm/memory_hotplug.c: check for missing sections in
    test_pages_in_a_zone()
    - LP: #1538756
  * ftrace/scripts: Fix incorrect use of sprintf in recordmcount
    - LP: #1538756
  * tracing: Fix setting of start_index in find_next()
    - LP: #1538756
  * async_tx: use GFP_NOWAIT rather than GFP_IO
    - LP: #1538756
  * dts: vt8500: Add SDHC node to DTS file for WM8650
    - LP: #1538756
  * ftrace/module: Call clean up function when module init fails early
    - LP: #1538756
  * vmstat: allocate vmstat_wq before it is used
    - LP: #1538756
  * firmware: dmi_scan: Fix UUID endianness for SMBIOS >= 2.6
    - LP: #1538756
  * kvm: x86: only channel 0 of the i8254 is linked to the HPET
    - LP: #1538756
  * ipv6/addrlabel: fix ip6addrlbl_get()
    - LP: #1538756
  * net: fix warnings in 'make htmldocs' by moving macro definition out of
    field declaration
    - LP: #1538756
  * ser_gigaset: fix deallocation of platform device structure
    - LP: #1538756
  * pinctrl: bcm2835: Fix initial value for direction_output
    - LP: #1538756
  * mISDN: fix a loop count
    - LP: #1538756
  * sh_eth: fix TX buffer byte-swapping
    - LP: #1538756
  * qlcnic: fix a timeout loop
    - LP: #1538756
  * net: phy: mdio-mux: Check return value of mdiobus_alloc()
    - LP: #1538756
  * include/linux/mmdebug.h: should include linux/bug.h
    - LP: #1538756
  * net: possible use after free in dst_release
    - LP: #1538756
  * Linux 3.13.11-ckt33
    - LP: #1538756
  * xfrm: dst_entries_init() per-net dst_ops
    - LP: #1486670

 -- Luis Henriques <luis.henriques@xxxxxxxxxxxxx>  Fri, 19 Feb 2016
13:26:22 +0000

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1519897

Title:
  [Hyper-V] hv: vmbus: Fix a host signaling bug

Status in linux package in Ubuntu:
  Fix Committed
Status in linux-lts-trusty package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Released
Status in linux-lts-trusty source package in Trusty:
  In Progress
Status in linux source package in Wily:
  Fix Committed
Status in linux source package in Xenial:
  Fix Committed

Bug description:
  The following fix has been submitted upstream, but has high enough
  severity that we would like early inclusion into the Ubuntu kernel.
  Please consider for wily, vivid, and trusty (and the HWE kernels for
  the same).

  Patch follows:

  Currently we have two policies for deciding when to signal the host:
  One based on the ring buffer state and the other based on what the VMBUS client driver wants to do. Consider the case when the client wants to explicitly control when to signal the host. In this case, if the client were to defer signaling, we will not be able to signal the host subsequently when the client does want to signal since the ring buffer state will prevent the signaling. Implement logic to have only one signaling policy in force for a given channel.

  Signed-off-by: K. Y. Srinivasan <kys@xxxxxxxxxxxxx>
  Reviewed-by: Haiyang Zhang <haiyangz@xxxxxxxxxxxxx>
  Tested-by: Haiyang Zhang <haiyangz@xxxxxxxxxxxxx>
  Cc: <stable@xxxxxxxxxxxxxxx> # v4.2+
  ---
   drivers/hv/channel.c   |   18 ++++++++++++++++++
   include/linux/hyperv.h |   12 ++++++++++++
   2 files changed, 30 insertions(+), 0 deletions(-)

  diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c index 77d2579..c6278c7 100644
  --- a/drivers/hv/channel.c
  +++ b/drivers/hv/channel.c
  @@ -653,10 +653,19 @@ int vmbus_sendpacket_ctl(struct vmbus_channel *channel, void *buffer,
     *    on the ring. We will not signal if more data is
     *    to be placed.
     *
  +	 * Based on the channel signal state, we will decide
  +	 * which signaling policy will be applied.
  +	 *
     * If we cannot write to the ring-buffer; signal the host
     * even if we may not have written anything. This is a rare
     * enough condition that it should not matter.
     */
  +
  +	if (channel->signal_state)
  +		signal = true;
  +	else
  +		kick_q = true;
  +
    if (((ret == 0) && kick_q && signal) || (ret))
     vmbus_setevent(channel);
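
Review bot: the added `if (channel->signal_state) ... else ...` block just before the `vmbus_setevent()` test overwrites either `signal` or `kick_q` unconditionally, and the new comment lines do not say which value of `signal_state` selects which policy. Suggest spelling it out in the comment: when `signal_state` is true, `kick_q` alone decides; when it is false, `signal` alone decides and whatever `kick_q` held before is discarded. The `|| (ret)` arm still signals on a failed write under both policies, which the retained comment text covers.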

  @@ -756,10 +765,19 @@ int vmbus_sendpacket_pagebuffer_ctl(struct vmbus_channel *channel,
     *    on the ring. We will not signal if more data is
     *    to be placed.
     *
  +	 * Based on the channel signal state, we will decide
  +	 * which signaling policy will be applied.
  +	 *
     * If we cannot write to the ring-buffer; signal the host
     * even if we may not have written anything. This is a rare
     * enough condition that it should not matter.
     */
  +
  +	if (channel->signal_state)
  +		signal = true;
  +	else
  +		kick_q = true;
  +
    if (((ret == 0) && kick_q && signal) || (ret))
     vmbus_setevent(channel);
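
Review bot: the nine lines added here in vmbus_sendpacket_pagebuffer_ctl() repeat the block added to vmbus_sendpacket_ctl() verbatim, comment included. A small static helper in channel.c that takes the channel and pointers to `signal` and `kick_q` would keep the policy selection in one place, so a later change cannot leave the two send paths disagreeing about when the host is signaled.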

  diff --git a/include/linux/hyperv.h b/include/linux/hyperv.h index 437c9c8..7b1af52 100644
  --- a/include/linux/hyperv.h
  +++ b/include/linux/hyperv.h
  @@ -756,8 +756,20 @@ struct vmbus_channel {
     * link up channels based on their CPU affinity.
     */
    struct list_head percpu_list;
  +	/*
  +	 * Host signaling policy: The default policy will be
  +	 * based on the ring buffer state. We will also support
  +	 * a policy where the client driver can have explicit
  +	 * signaling control.
  +	 */
  +	bool signal_state;
   };

  +static inline void set_channel_signal_state(struct vmbus_channel *c,
  +bool state) {
  +	c->signal_state = state;
  +}
  +
   static inline void set_channel_read_state(struct vmbus_channel *c, bool state)  {
    c->batched_reading = state;
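
Review bot: the new `bool signal_state` member and set_channel_signal_state() do not say what a true value means, and the setter is a plain store with no stated rule for when it may be called. The comment above the field should name which value is the default ring-buffer policy and which gives the client explicit control, and should either document that the setter must run before the channel starts sending or say how a change made while the send paths are reading the flag is handled. A name such as `explicit_signaling` would also read more clearly at call sites than `signal_state`.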
  --
  1.7.4.1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1519897/+subscriptions
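
The lost-signal case described in the bug description above, as an added example that is not part of the original message, the patch, or the kernel source: a toy C model of the combined test and of the single-policy selection. It assumes the ring-buffer policy asks for a signal only when a write makes an empty ring non-empty; all `toy_*` names are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model, constructed for illustration; not kernel code. */
struct toy_channel {
    unsigned pending;      /* packets written, not yet consumed by host */
    unsigned host_events;  /* how often the host was signaled */
    bool signal_state;     /* field from the patch: true = client decides */
};

/* Assumption: ring policy asks for a signal only on empty -> non-empty. */
static bool toy_ring_write(struct toy_channel *ch)
{
    bool was_empty = (ch->pending == 0);
    ch->pending++;
    return was_empty;
}

/* One send; the write always succeeds here, so the (ret) arm is left out. */
static void toy_send(struct toy_channel *ch, bool kick_q, bool patched)
{
    bool signal = toy_ring_write(ch);

    if (patched) {              /* selection added by the patch */
        if (ch->signal_state)
            signal = true;
        else
            kick_q = true;
    }
    if (kick_q && signal)
        ch->host_events++;
}

/* Client defers on packet 1, asks for a signal on packet 2. */
static unsigned toy_batch_of_two(bool patched, bool signal_state)
{
    struct toy_channel ch = { 0, 0, signal_state };

    toy_send(&ch, false, patched);
    toy_send(&ch, true, patched);
    return ch.host_events;
}

int main(void)
{
    printf("unpatched: %u\n", toy_batch_of_two(false, false));
    printf("patched, client control: %u\n", toy_batch_of_two(true, true));
    printf("patched, ring policy: %u\n", toy_batch_of_two(true, false));
    return 0;
}
```

With the combined test the batch ends with two packets queued and no host event; with one policy in force the host is signaled once in either mode.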

