kernel-packages team mailing list archive

[Bug 1556562] Re: VIA C7-D machine "kernel NULL pointer dereference" in skcipher_recvmsg_async

 

This bug was fixed in the package linux - 4.2.0-36.41

---------------
linux (4.2.0-36.41) wily; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1571667

  [ Benjamin Tissoires ]

  * SAUCE: Input: synaptics - handle spurious release of trackstick
    buttons, again
    - LP: #1553811

  [ dann frazier ]

  * Revert "SAUCE: arm64, numa, dt: adding dt based numa support using dt
    node property arm, associativity"
    - LP: #1558828
  * Revert "SAUCE: Documentation: arm64/arm: dt bindings for numa."
    - LP: #1558828
  * Revert "SAUCE: arm64, numa: adding numa support for arm64 platforms."
    - LP: #1558828
  * Revert "[Config] Enable NUMA on ARM64"
    - LP: #1558828

  [ K. Y. Srinivasan ]

  * SAUCE: (noup): Drivers: hv: vmbus: Fix a bug in
    hv_need_to_signal_on_read()
    - LP: #1556264

  [ Kamal Mostafa ]

  * [debian] BugLink: close LP: bugs only for Launchpad urls
  * [Config] updateconfigs after v4.2.8-ckt7

  [ Upstream Kernel Changes ]

  * Revert "jffs2: Fix lock acquisition order bug in jffs2_write_begin"
    - LP: #1561677
  * tipc: fix connection abort during subscription cancel
    - LP: #1561677
  * tipc: fix nullptr crash during subscription cancel
    - LP: #1561677
  * s390/mm: four page table levels vs. fork
    - LP: #1561677
  * Input: aiptek - fix crash on detecting device without endpoints
    - LP: #1561677
  * wext: fix message delay/ordering
    - LP: #1561677
  * cfg80211/wext: fix message ordering
    - LP: #1561677
  * mac80211: fix use of uninitialised values in RX aggregation
    - LP: #1561677
  * mac80211: minstrel: Change expected throughput unit back to Kbps
    - LP: #1561677
  * libata: fix HDIO_GET_32BIT ioctl
    - LP: #1561677
  * iwlwifi: mvm: inc pending frames counter also when txing non-sta
    - LP: #1561677
  * [media] adv7604: fix tx 5v detect regression
    - LP: #1561677
  * ahci: add new Intel device IDs
    - LP: #1561677
  * ahci: Order SATA device IDs for codename Lewisburg
    - LP: #1561677
  * Adding Intel Lewisburg device IDs for SATA
    - LP: #1561677
  * ASoC: samsung: Use IRQ safe spin lock calls
    - LP: #1561677
  * mac80211: minstrel_ht: set default tx aggregation timeout to 0
    - LP: #1561677
  * usb: chipidea: otg: change workqueue ci_otg as freezable
    - LP: #1561677
  * jffs2: Fix page lock / f->sem deadlock
    - LP: #1561677
  * Fix directory hardlinks from deleted directories
    - LP: #1561677
  * iommu/amd: Fix boot warning when device 00:00.0 is not iommu covered
    - LP: #1561677
  * iommu/amd: Apply workaround for ATS write permission check
    - LP: #1561677
  * libata: Align ata_device's id on a cacheline
    - LP: #1561677
  * can: gs_usb: fixed disconnect bug by removing erroneous use of kfree()
    - LP: #1561677
  * fbcon: set a default value to blink interval
    - LP: #1561677
  * KVM: x86: fix root cause for missed hardware breakpoints
    - LP: #1561677
  * arm64: vmemmap: use virtual projection of linear region
    - LP: #1561677
  * vfio: fix ioctl error handling
    - LP: #1561677
  * ALSA: ctl: Fix ioctls for X32 ABI
    - LP: #1561677
  * ALSA: pcm: Fix ioctls for X32 ABI
    - LP: #1561677
  * ALSA: rawmidi: Fix ioctls X32 ABI
    - LP: #1561677
  * ALSA: timer: Fix broken compat timer user status ioctl
    - LP: #1561677
  * ALSA: timer: Fix ioctls for X32 ABI
    - LP: #1561677
  * cifs: fix out-of-bounds access in lease parsing
    - LP: #1561677
  * CIFS: Fix SMB2+ interim response processing for read requests
    - LP: #1561677
  * Fix cifs_uniqueid_to_ino_t() function for s390x
    - LP: #1561677
  * arm/arm64: KVM: Fix ioctl error handling
    - LP: #1561677
  * MIPS: kvm: Fix ioctl error handling.
    - LP: #1561677
  * ALSA: hdspm: Fix wrong boolean ctl value accesses
    - LP: #1561677
  * ALSA: hdspm: Fix zero-division
    - LP: #1561677
  * ALSA: hdsp: Fix wrong boolean ctl value accesses
    - LP: #1561677
  * use ->d_seq to get coherency between ->d_inode and ->d_flags
    - LP: #1561677
  * USB: qcserial: add Dell Wireless 5809e Gobi 4G HSPA+ (rev3)
    - LP: #1561677
  * USB: cp210x: Add ID for Parrot NMEA GPS Flight Recorder
    - LP: #1561677
  * ASoC: dapm: Fix ctl value accesses in a wrong type
    - LP: #1561677
  * ASoC: wm8958: Fix enum ctl accesses in a wrong type
    - LP: #1561677
  * ASoC: wm8994: Fix enum ctl accesses in a wrong type
    - LP: #1561677
  * ASoC: wm_adsp: Fix enum ctl accesses in a wrong type
    - LP: #1561677
  * USB: serial: option: add support for Telit LE922 PID 0x1045
    - LP: #1561677
  * USB: serial: option: add support for Quectel UC20
    - LP: #1561677
  * ALSA: usb-audio: Add a quirk for Plantronics DA45
    - LP: #1561677
  * mac80211: check PN correctly for GCMP-encrypted fragmented MPDUs
    - LP: #1561677
  * mac80211: Fix Public Action frame RX in AP mode
    - LP: #1561677
  * i2c: brcmstb: allocate correct amount of memory for regmap
    - LP: #1561677
  * ALSA: seq: oss: Don't drain at closing a client
    - LP: #1561677
  * parisc: Fix ptrace syscall number and return value modification
    - LP: #1561677
  * drm/ast: Fix incorrect register check for DRAM width
    - LP: #1561677
  * USB: qcserial: add Sierra Wireless EM74xx device ID
    - LP: #1561677
  * drm/amdgpu/pm: update current crtc info after setting the powerstate
    - LP: #1561677
  * drm/radeon/pm: update current crtc info after setting the powerstate
    - LP: #1561677
  * drm/amdgpu: return from atombios_dp_get_dpcd only when error
    - LP: #1561677
  * PM / sleep / x86: Fix crash on graph trace through x86 suspend
    - LP: #1561677
  * ALSA: hda - Fix mic issues on Acer Aspire E1-472
    - LP: #1561677
  * ovl: fix working on distributed fs as lower layer
    - LP: #1561677
  * ovl: fix getcwd() failure after unsuccessful rmdir
    - LP: #1561677
  * ovl: ignore lower entries when checking purity of non-directory entries
    - LP: #1561677
  * MIPS: traps: Fix SIGFPE information leak from `do_ov' and
    `do_trap_or_bp'
    - LP: #1561677
  * ubi: Fix out of bounds write in volume update code
    - LP: #1561677
  * target: Drop incorrect ABORT_TASK put for completed commands
    - LP: #1561677
  * ARM: OMAP2+: hwmod: Introduce ti,no-idle dt property
    - LP: #1561677
  * ARM: dts: dra7: do not gate cpsw clock due to errata i877
    - LP: #1561677
  * PCI: Allow a NULL "parent" pointer in pci_bus_assign_domain_nr()
    - LP: #1561677
  * KVM: PPC: Book3S HV: Sanitize special-purpose register values on guest
    exit
    - LP: #1561677
  * ncpfs: fix a braino in OOM handling in ncp_fill_cache()
    - LP: #1561677
  * jffs2: reduce the breakage on recovery from halfway failed rename()
    - LP: #1561677
  * KVM: VMX: disable PEBS before a guest entry
    - LP: #1561677
  * arm64: account for sparsemem section alignment when choosing vmemmap
    offset
    - LP: #1561677
  * tracing: Fix check for cpu online when event is disabled
    - LP: #1561677
  * KVM: MMU: fix ept=0/pte.u=1/pte.w=0/CR0.WP=0/CR4.SMEP=1/EFER.NX=0 combo
    - LP: #1561677
  * dmaengine: at_xdmac: fix residue computation
    - LP: #1561677
  * MIPS: Fix build error when SMP is used without GIC
    - LP: #1561677
  * IB/core: Use GRH when the path hop-limit > 0
    - LP: #1561677
  * dmaengine: pxa_dma: fix cyclic transfers
    - LP: #1561677
  * MIPS: smp.c: Fix uninitialised temp_foreign_map
    - LP: #1561677
  * tcp: fix tcpi_segs_in after connection establishment
    - LP: #1561677
  * be2net: Don't leak iomapped memory on removal.
    - LP: #1561677
  * tcp: convert cached rtt from usec to jiffies when feeding initial rto
    - LP: #1561677
  * ext4: iterate over buffer heads correctly in move_extent_per_page()
    - LP: #1561677
  * ppp: release rtnl mutex when interface creation fails
    - LP: #1561677
  * net/mlx4_core: Allow resetting VF admin mac to zero
    - LP: #1561677
  * ipv6: re-enable fragment header matching in ipv6_find_hdr
    - LP: #1561677
  * net/mlx5e: Remove wrong poll CQ optimization
    - LP: #1561677
  * cdc_ncm: do not call usbnet_link_change from cdc_ncm_bind
    - LP: #1561677
  * net: qca_spi: Don't clear IFF_BROADCAST
    - LP: #1561677
  * net: moxa: fix an error code
    - LP: #1561677
  * mld, igmp: Fix reserved tailroom calculation
    - LP: #1561677
  * Linux 4.2.8-ckt6
    - LP: #1561677
  * (upstream) net/mlx5e: Avoid NULL pointer access in case of
    configuration failure
    - LP: #1528466
  * PCI: Disable IO/MEM decoding for devices with non-compliant BARs
    - LP: #1559929
  * x86/PCI: Mark Broadwell-EP Home Agent & PCU as having non-compliant
    BARs
    - LP: #1559929
  * fuse: do not use iocb after it may have been freed
    - LP: #1505948
  * fuse: Add reference counting for fuse_io_priv
    - LP: #1505948
  * intel_idle: prevent SKL-H boot failure when C8+C9+C10 enabled
    - LP: #1559918
  * crypto: skcipher - Add crypto_skcipher_has_setkey
    - LP: #1556562
  * crypto: algif_skcipher - Add key check exception for cipher_null
    - LP: #1556562
  * crypto: algif_skcipher - Do not assume that req is unchanged
    - LP: #1556562
  * crypto: algif_skcipher - Do not dereference ctx without socket lock
    - LP: #1556562
  * proc: revert /proc/<pid>/maps [stack:TID] annotation
    - LP: #1547231
  * ACPI / processor: Request native thermal interrupt handling via _OSC
    - LP: #1559923
  * gpiolib: do not allow to insert an empty gpiochip
    - LP: #1566544
  * gpio: add a data pointer to gpio_chip
    - LP: #1566544
  * gpio: rcar: Add Runtime PM handling for interrupts
    - LP: #1566544
  * ipv4: Don't do expensive useless work during inetdev destroy.
    - LP: #1566544
  * Input: powermate - fix oops with malicious USB descriptors
    - LP: #1566544
  * USB: iowarrior: fix oops with malicious USB descriptors
    - LP: #1566544
  * ALSA: usb-audio: Fix NULL dereference in create_fixed_stream_quirk()
    - LP: #1566544
  * ALSA: usb-audio: Add sanity checks for endpoint accesses
    - LP: #1566544
  * include/linux/poison.h: fix LIST_POISON{1,2} offset
    - LP: #1566544
  * Input: ati_remote2 - fix crashes on detecting device with invalid
    descriptor
    - LP: #1566544
  * USB: cdc-acm: more sanity checking
    - LP: #1566544
  * drm/i915: Workaround CHV pipe C cursor fail
    - LP: #1566544
  * EDAC, amd64_edac: Shift wrapping issue in f1x_get_norm_dct_addr()
    - LP: #1566544
  * crypto: ccp - Add hash state import and export support
    - LP: #1566544
  * clk: rockchip: add pclk_cpu to the list of rk3188 critical clocks
    - LP: #1566544
  * clk: rockchip: Add pclk_peri to critical clocks on RK3066/RK3188
    - LP: #1566544
  * clk: rockchip: add hclk_cpubus to the list of rk3188 critical clocks
    - LP: #1566544
  * tty: Fix GPF in flush_to_ldisc(), part 2
    - LP: #1566544
  * media: v4l2-compat-ioctl32: fix missing length copy in
    put_v4l2_buffer32
    - LP: #1566544
  * pwc: Add USB id for Philips Spc880nc webcam
    - LP: #1566544
  * crypto: ccp - Limit the amount of information exported
    - LP: #1566544
  * crypto: ccp - Don't assume export/import areas are aligned
    - LP: #1566544
  * 8250: use callbacks to access UART_DLL/UART_DLM
    - LP: #1566544
  * net: irda: Fix use-after-free in irtty_open()
    - LP: #1566544
  * mei: bus: check if the device is enabled before data transfer
    - LP: #1566544
  * staging: comedi: ni_tiocmd: change mistaken use of start_src for
    start_arg
    - LP: #1566544
  * tools/hv: Use include/uapi with __EXPORTED_HEADERS__
    - LP: #1566544
  * tpm: fix the rollback in tpm_chip_register()
    - LP: #1566544
  * tpm: fix the cleanup of struct tpm_chip
    - LP: #1566544
  * ARM: dts: armada-375: use armada-370-sata for SATA
    - LP: #1566544
  * usb: retry reset if a device times out
    - LP: #1566544
  * HID: fix hid_ignore_special_drivers module parameter
    - LP: #1566544
  * scripts/coccinelle: modernize &
    - LP: #1566544
  * adv7511: TX_EDID_PRESENT is still 1 after a disconnect
    - LP: #1566544
  * saa7134: Fix bytesperline not being set correctly for planar formats
    - LP: #1566544
  * tpm_crb: tpm2_shutdown() must be called before tpm_chip_unregister()
    - LP: #1566544
  * perf tools: Dont stop PMU parsing on alias parse error
    - LP: #1566544
  * Bluetooth: btusb: Add new AR3012 ID 13d3:3395
    - LP: #1542564, #1566544
  * Bluetooth: Add new AR3012 ID 0489:e095
    - LP: #1542944, #1566544
  * aacraid: Fix RRQ overload
    - LP: #1566544
  * aacraid: Fix memory leak in aac_fib_map_free
    - LP: #1566544
  * aic7xxx: Fix queue depth handling
    - LP: #1566544
  * mtd: onenand: fix deadlock in onenand_block_markbad
    - LP: #1566544
  * md/raid5: Compare apples to apples (or sectors to sectors)
    - LP: #1566544
  * RAID5: check_reshape() shouldn't call mddev_suspend
    - LP: #1566544
  * RAID5: revert e9e4c377e2f563 to fix a livelock
    - LP: #1566544
  * crypto: ccp - memset request context to zero during import
    - LP: #1566544
  * Bluetooth: btusb: Add a new AR3012 ID 04ca:3014
    - LP: #1546694, #1566544
  * mmc: sdhci: fix data timeout (part 1)
    - LP: #1566544
  * mmc: sdhci: fix data timeout (part 2)
    - LP: #1566544
  * perf tools: Fix python extension build
    - LP: #1566544
  * IB/srpt: Simplify srpt_handle_tsk_mgmt()
    - LP: #1566544
  * bttv: Width must be a multiple of 16 when capturing planar formats
    - LP: #1566544
  * watchdog: rc32434_wdt: fix ioctl error handling
    - LP: #1566544
  * nfsd4: fix bad bounds checking
    - LP: #1566544
  * xfs: fix two memory leaks in xfs_attr_list.c error paths
    - LP: #1566544
  * quota: Fix possible GPF due to uninitialised pointers
    - LP: #1566544
  * mtip32xx: Fix broken service thread handling
    - LP: #1566544
  * mtip32xx: Remove unwanted code from taskfile error handler
    - LP: #1566544
  * mtip32xx: Print exact time when an internal command is interrupted
    - LP: #1566544
  * mtip32xx: Avoid issuing standby immediate cmd during FTL rebuild
    - LP: #1566544
  * mtip32xx: Fix for rmmod crash when drive is in FTL rebuild
    - LP: #1566544
  * mtip32xx: Handle safe removal during IO
    - LP: #1566544
  * mtip32xx: Handle FTL rebuild failure state during device initialization
    - LP: #1566544
  * of: alloc anywhere from memblock if range not specified
    - LP: #1566544
  * usb: hub: fix a typo in hub_port_init() leading to wrong logic
    - LP: #1566544
  * KVM: i8254: change PIT discard tick policy
    - LP: #1566544
  * sched/cputime: Fix steal time accounting vs. CPU hotplug
    - LP: #1566544
  * libnvdimm: Fix security issue with DSM IOCTL.
    - LP: #1566544
  * rt2x00: add new rt2800usb device Buffalo WLI-UC-G450
    - LP: #1566544
  * pinctrl-bcm2835: Fix cut-and-paste error in "pull" parsing
    - LP: #1566544
  * perf/core: Fix perf_sched_count derailment
    - LP: #1566544
  * perf/x86/intel: Use PAGE_SIZE for PEBS buffer size on Core2
    - LP: #1566544
  * perf/x86/intel: Fix PEBS warning by only restoring active PMU in pmi
    - LP: #1566544
  * sched/cputime: Fix steal_account_process_tick() to always return
    jiffies
    - LP: #1566544
  * bcache: fix race of writeback thread starting before complete
    initialization
    - LP: #1566544
  * bcache: cleaned up error handling around register_cache()
    - LP: #1566544
  * bcache: fix cache_set_flush() NULL pointer dereference on OOM
    - LP: #1566544
  * be2iscsi: set the boot_kset pointer to NULL in case of failure
    - LP: #1566544
  * md/raid5: preserve STRIPE_PREREAD_ACTIVE in break_stripe_batch_list
    - LP: #1566544
  * drm/radeon: Don't drop DP 2.7 Ghz link setup on some cards.
    - LP: #1566544
  * sg: fix dxferp in from_to case
    - LP: #1566544
  * jbd2: fix FS corruption possibility in jbd2_journal_destroy() on umount
    path
    - LP: #1566544
  * ALSA: hda - Apply reboot D3 fix for CX20724 codec, too
    - LP: #1566544
  * EDAC/sb_edac: Fix computation of channel address
    - LP: #1566544
  * Bluetooth: btusb: Add a new AR3012 ID 13d3:3472
    - LP: #1552925, #1566544
  * ALSA: pcm: Avoid "BUG:" string for warnings again
    - LP: #1566544
  * dm snapshot: disallow the COW and origin devices from being identical
    - LP: #1566544
  * dm thin metadata: don't issue prefetches if a transaction abort has
    failed
    - LP: #1566544
  * dm cache: make sure every metadata function checks fail_io
    - LP: #1566544
  * iser-target: Fix identification of login rx descriptor type
    - LP: #1566544
  * iser-target: Add new state ISER_CONN_BOUND to isert_conn
    - LP: #1566544
  * iser-target: Separate flows for np listeners and connections cma events
    - LP: #1566544
  * ALSA: hda - fix the mic mute button and led problem for a Lenovo AIO
    - LP: #1555912, #1566544
  * xtensa: ISS: don't hang if stdin EOF is reached
    - LP: #1566544
  * xtensa: fix preemption in {clear,copy}_user_highpage
    - LP: #1566544
  * xtensa: clear all DBREAKC registers on start
    - LP: #1566544
  * Bluetooth: Fix potential buffer overflow with Add Advertising
    - LP: #1566544
  * ARC: [BE] readl()/writel() to work in Big Endian CPU configuration
    - LP: #1566544
  * bus: imx-weim: Take the 'status' property value into account
    - LP: #1566544
  * ALSA: intel8x0: Add clock quirk entry for AD1981B on IBM ThinkPad X41.
    - LP: #1566544
  * s390/pci: enforce fmb page boundary rule
    - LP: #1566544
  * drm/radeon: rework fbdev handling on chips with no connectors
    - LP: #1566544
  * md: multipath: don't hardcopy bio in .make_request path
    - LP: #1566544
  * net: mvneta: enable change MAC address when interface is up
    - LP: #1566544
  * dm: fix rq_end_stats() NULL pointer in dm_requeue_original_request()
    - LP: #1566544
  * HID: i2c-hid: fix OOB write in i2c_hid_set_or_send_report()
    - LP: #1566544
  * ALSA: hda - Fix unconditional GPIO toggle via automute
    - LP: #1566544
  * mmc: mmc_spi: Add Card Detect comments and fix CD GPIO case
    - LP: #1566544
  * nfsd: fix deadlock secinfo+readdir compound
    - LP: #1566544
  * vfs: show_vfsstat: do not ignore errors from show_devname method
    - LP: #1566544
  * x86/iopl: Fix iopl capability check on Xen PV
    - LP: #1566544
  * crypto: marvell/cesa - forward devm_ioremap_resource() error code
    - LP: #1566544
  * mmc: sdhci: Fix override of timeout clk wrt max_busy_timeout
    - LP: #1566544
  * drm/amdgpu: include the right version of gmc header files for iceland
    - LP: #1566544
  * Input: ims-pcu - sanity check against missing interfaces
    - LP: #1566544
  * watchdog: don't run proc_watchdog_update if new value is same as old
    - LP: #1566544
  * mm: memcontrol: reclaim when shrinking memory.high below usage
    - LP: #1566544
  * mm: memcontrol: reclaim and OOM kill when shrinking memory.max below
    usage
    - LP: #1566544
  * x86/apic: Fix suspicious RCU usage in
    smp_trace_call_function_interrupt()
    - LP: #1566544
  * USB: usb_driver_claim_interface: add sanity checking
    - LP: #1566544
  * USB: uas: Reduce can_queue to MAX_CMNDS
    - LP: #1566544
  * tracing: Have preempt(irqs)off trace preempt disabled functions
    - LP: #1566544
  * tracing: Fix crash from reading trace_pipe with sendfile
    - LP: #1566544
  * splice: handle zero nr_pages in splice_to_pipe()
    - LP: #1566544
  * ALSA: usb-audio: add Microsoft HD-5001 to quirks
    - LP: #1566544
  * writeback, cgroup: fix premature wb_put() in
    locked_inode_to_wb_and_lock_list()
    - LP: #1566544
  * fs-writeback: unplug before cond_resched in writeback_sb_inodes
    - LP: #1566544
  * writeback, cgroup: fix use of the wrong bdi_writeback which mismatches
    the inode
    - LP: #1566544
  * bitops: Do not default to __clear_bit() for __clear_bit_unlock()
    - LP: #1566544
  * target: Fix target_release_cmd_kref shutdown comp leak
    - LP: #1566544
  * KVM: VMX: avoid guest hang on invalid invept instruction
    - LP: #1566544
  * KVM: fix spin_lock_init order on x86
    - LP: #1566544
  * tracing: Fix trace_printk() to print when not using bprintk()
    - LP: #1566544
  * fs/coredump: prevent fsuid=0 dumps into user-controlled directories
    - LP: #1566544
  * rapidio/rionet: fix deadlock on SMP
    - LP: #1566544
  * staging: comedi: ni_mio_common: fix the ni_write[blw]() functions
    - LP: #1566544
  * staging: android: ion_test: fix check of
    platform_device_register_simple() error code
    - LP: #1566544
  * ideapad-laptop: Add ideapad Y700 (15) to the no_hw_rfkill DMI list
    - LP: #1566544
  * MAINTAINERS: Update mailing list and web page for hwmon subsystem
    - LP: #1566544
  * ocfs2/dlm: fix race between convert and recovery
    - LP: #1566544
  * ocfs2/dlm: fix BUG in dlm_move_lockres_to_recovery_list
    - LP: #1566544
  * mm/page_alloc: prevent merging between isolated and other pageblocks
    - LP: #1566544
  * mac80211: avoid excessive stack usage in sta_info
    - LP: #1566544
  * clk: xgene: Add missing parenthesis when clearing divider value
    - LP: #1566544
  * clk: qcom: msm8960: Fix ce3_src register offset
    - LP: #1566544
  * xen kconfig: don't "select INPUT_XEN_KBDDEV_FRONTEND"
    - LP: #1566544
  * ppp: take reference on channels netns
    - LP: #1566544
  * mdio-sun4i: oops in error handling in probe
    - LP: #1566544
  * clk: rockchip: free memory in error cases when registering clock
    branches
    - LP: #1566544
  * ARC: bitops: Remove non relevant comments
    - LP: #1566544
  * mac80211: fix txq queue related crashes
    - LP: #1566544
  * net: Fix use after free in the recvmmsg exit path
    - LP: #1566544
  * ath9k: fix misleading indentation
    - LP: #1566544
  * sctp: fix the transports round robin issue when init is retransmitted
    - LP: #1566544
  * ethernet: micrel: fix some error codes
    - LP: #1566544
  * megaraid_sas: add missing curly braces in ioctl handler
    - LP: #1566544
  * clk-divider: make sure read-only dividers do not write to their
    register
    - LP: #1566544
  * misc/bmp085: Enable building as a module
    - LP: #1566544
  * HID: logitech: fix Dual Action gamepad support
    - LP: #1566544
  * net/mlx5: Make command timeout way shorter
    - LP: #1566544
  * ASoC: ssm4567: Reset device before regcache_sync()
    - LP: #1566544
  * fbdev: da8xx-fb: fix videomodes of lcd panels
    - LP: #1566544
  * clk: qcom: msm8960: fix ce3_core clk enable register
    - LP: #1566544
  * ipvs: correct initial offset of Call-ID header search in SIP
    persistence engine
    - LP: #1566544
  * drm/i915: Cleanup phys status page too
    - LP: #1566544
  * ata: ahci_xgene: dereferencing uninitialized pointer in probe
    - LP: #1566544
  * ath9k: fix buffer overrun for ar9287
    - LP: #1566544
  * perf tools: handle spaces in file names obtained from /proc/pid/maps
    - LP: #1566544
  * rtc: ds1685: passing bogus values to irq_restore
    - LP: #1566544
  * ARM: davinci: make I2C support optional
    - LP: #1566544
  * drm/amdkfd: uninitialized variable in
    dbgdev_wave_control_set_registers()
    - LP: #1566544
  * mtd: map: fix .set_vpp() documentation
    - LP: #1566544
  * ARM: OMAP3: Add cpuidle parameters table for omap3430
    - LP: #1566544
  * efi: Expose non-blocking set_variable() wrapper to efivars
    - LP: #1566544
  * rtc: vr41xx: Wire up alarm_irq_enable
    - LP: #1566544
  * sunrpc/cache: drop reference when sunrpc_cache_pipe_upcall() detects a
    race
    - LP: #1566544
  * ipv4: fix broadcast packets reception
    - LP: #1566544
  * lpfc: fix misleading indentation
    - LP: #1566544
  * sched/preempt, sh: kmap_coherent relies on disabled preemption
    - LP: #1566544
  * ipip: Properly mark ipip GRO packets as encapsulated.
    - LP: #1566544
  * spi/rockchip: Make sure spi clk is on in rockchip_spi_set_cs
    - LP: #1566544
  * ASoC: s3c24xx: use const snd_soc_component_driver pointer
    - LP: #1566544
  * mlx4: add missing braces in verify_qp_parameters
    - LP: #1566544
  * clk: meson: Fix meson_clk_register_clks() signature type mismatch
    - LP: #1566544
  * coda: fix error path in case of missing pdata on non-DT platform
    - LP: #1566544
  * kbuild/mkspec: fix grub2 installkernel issue
    - LP: #1566544
  * bpf: avoid copying junk bytes in bpf_get_current_comm()
    - LP: #1566544
  * mac80211: fix unnecessary frame drops in mesh fwding
    - LP: #1566544
  * mtd: brcmnand: Fix v7.1 register offsets
    - LP: #1566544
  * mac80211: fix ibss scan parameters
    - LP: #1566544
  * at803x: fix reset handling
    - LP: #1566544
  * rtc: hym8563: fix invalid year calculation
    - LP: #1566544
  * perf pmu: Fix misleadingly indented assignment (whitespace)
    - LP: #1566544
  * paride: make 'verbose' parameter an 'int' again
    - LP: #1566544
  * regulator: s5m8767: fix get_register() error handling
    - LP: #1566544
  * ppp: ensure file->private_data can't be overridden
    - LP: #1566544
  * clk: versatile: sp810: support reentrance
    - LP: #1566544
  * net: add description for len argument of dev_get_phys_port_name
    - LP: #1566544
  * net: bcmgenet: fix dma api length mismatch
    - LP: #1566544
  * ARM: prima2: always enable reset controller
    - LP: #1566544
  * drivers/misc/ad525x_dpot: AD5274 fix RDAC read back errors
    - LP: #1566544
  * perf stat: Document --detailed option
    - LP: #1566544
  * v4l: vsp1: Set the SRU CTRL0 register when starting the stream
    - LP: #1566544
  * ipvs: drop first packet to redirect conntrack
    - LP: #1566544
  * rtc: max77686: Properly handle regmap_irq_get_virq() error code
    - LP: #1566544
  * x86/iopl/64: Properly context-switch IOPL on Xen PV
    - LP: #1566544
  * Linux 4.2.8-ckt7
    - LP: #1566544
  * PKCS#7: pkcs7_validate_trust(): initialize the _trusted output argument
    - LP: #1571027
  * ALSA: hda - Asus N750JV external subwoofer fixup
    - LP: #1571027
  * ALSA: hda - Fix white noise on Asus N750JV headphone
    - LP: #1571027
  * ALSA: hda - Apply fix for white noise on Asus N550JV, too
    - LP: #1571027
  * drm/radeon: add a dpm quirk for sapphire Dual-X R7 370 2G D5
    - LP: #1571027
  * fs: add file_dentry()
    - LP: #1571027
  * nfs: use file_dentry()
    - LP: #1571027
  * hwmon: (max1111) Return -ENODEV from max1111_read_channel if not
    instantiated
    - LP: #1571027
  * drm/radeon: add another R7 370 quirk
    - LP: #1571027
  * drm/radeon: add a dpm quirk for all R7 370 parts
    - LP: #1571027
  * powerpc/mm: Fixup preempt underflow with huge pages
    - LP: #1571027
  * pinctrl: pistachio: fix mfio84-89 function description and pinmux.
    - LP: #1571027
  * pinctrl: sunxi: Fix A33 external interrupts not working
    - LP: #1571027
  * usb: renesas_usbhs: avoid NULL pointer derefernce in
    usbhsf_pkt_handler()
    - LP: #1571027
  * usb: renesas_usbhs: disable TX IRQ before starting TX DMAC transfer
    - LP: #1571027
  * btrfs: fix crash/invalid memory access on fsync when using overlayfs
    - LP: #1571027
  * ALSA: usb-audio: Minor code cleanup in create_fixed_stream_quirk()
    - LP: #1571027
  * ALSA: usb-audio: Fix double-free in error paths after
    snd_usb_add_audio_stream() call
    - LP: #1571027
  * USB: mct_u232: add sanity checking in probe
    - LP: #1571027
    - CVE-2016-3136
  * USB: cypress_m8: add endpoint sanity check
    - LP: #1571027
    - CVE-2016-3137
  * USB: digi_acceleport: do sanity checking for the number of ports
    - LP: #1571027
  * [media] au0828: fix au0828_v4l2_close() dev_state race condition
    - LP: #1571027
  * [media] au0828: Fix dev_state handling
    - LP: #1571027
  * sd: Fix excessive capacity printing on devices with blocks bigger than
    512 bytes
    - LP: #1571027
  * drm/dp: move hw_mutex up the call stack
    - LP: #1571027
  * drm/udl: Use unlocked gem unreferencing
    - LP: #1571027
  * ext4: add lockdep annotations for i_data_sem
    - LP: #1571027
  * ALSA: hda - fix front mic problem for a HP desktop
    - LP: #1564712, #1571027
  * KVM: x86: Inject pending interrupt even if pending nmi exist
    - LP: #1571027
  * ALSA: timer: Use mod_timer() for rearming the system timer
    - LP: #1571027
  * mm: fix invalid node in alloc_migrate_target()
    - LP: #1571027
  * iio: st_magn: always define ST_MAGN_TRIGGER_SET_STATE
    - LP: #1571027
  * ext4: ignore quota mount options if the quota feature is enabled
    - LP: #1571027
  * xen/events: Mask a moving irq
    - LP: #1571027
  * usb: renesas_usbhs: fix to avoid using a disabled ep in
    usbhsg_queue_done()
    - LP: #1571027
  * mac80211: properly deal with station hashtable insert errors
    - LP: #1571027
  * compiler-gcc: disable -ftracer for __noclone functions
    - LP: #1571027
  * rbd: use GFP_NOIO consistently for request allocations
    - LP: #1571027
  * Btrfs: fix file/data loss caused by fsync after rename and new inode
    - LP: #1571027
  * USB: serial: ftdi_sio: Add support for ICP DAS I-756xU devices
    - LP: #1571027
  * USB: serial: cp210x: Adding GE Healthcare Device ID
    - LP: #1571027
  * USB: option: add "D-Link DWM-221 B1" device id
    - LP: #1571027
  * virtio: virtio 1.0 cs04 spec compliance for reset
    - LP: #1571027
  * libnvdimm: fix smart data retrieval
    - LP: #1571027
  * gpio: pca953x: Use correct u16 value for register word write
    - LP: #1571027
  * parisc: Avoid function pointers for kernel exception routines
    - LP: #1571027
  * parisc: Fix kernel crash with reversed copy_from_user()
    - LP: #1571027
  * parisc: Unbreak handling exceptions from kernel modules
    - LP: #1571027
  * net: macb: replace macb_writel() call by queue_writel() to update queue
    ISR
    - LP: #1571027
  * net: bcmgenet: fix dev->stats.tx_bytes accounting
    - LP: #1571027
  * net: bcmgenet: fix skb_len in bcmgenet_xmit_single()
    - LP: #1571027
  * ipv6: udp: fix UDP_MIB_IGNOREDMULTI updates
    - LP: #1571027
  * pinctrl: nomadik: fix pull debug print inversion
    - LP: #1571027
  * ip6_tunnel: set rtnl_link_ops before calling register_netdevice
    - LP: #1571027
  * KVM: x86: move steal time initialization to vcpu entry time
    - LP: #1571027
  * lib/ucs2_string: Add ucs2 -> utf8 helper functions
    - LP: #1571027
  * efi: Use ucs2_as_utf8 in efivarfs instead of open coding a bad version
    - LP: #1571027
  * efi: Do variable name validation tests in utf8
    - LP: #1571027
  * efi: Make our variable validation list include the guid
    - LP: #1571027
  * efi: Make efivarfs entries immutable by default
    - LP: #1571027
  * efi: Add pstore variables to the deletion whitelist
    - LP: #1571027
  * lib/ucs2_string: Correct ucs2 -> utf8 conversion
    - LP: #1571027
  * ipr: Fix out-of-bounds null overwrite
    - LP: #1571027
  * ipr: Fix regression when loading firmware
    - LP: #1571027
  * perf/x86/intel: Fix PEBS data source interpretation on Nehalem/Westmere
    - LP: #1571027
  * ALSA: hda - Add new GPU codec ID 0x10de0082 to snd-hda
    - LP: #1571027
  * mwifiex: fix corner case association failure
    - LP: #1571027
  * net: phy: at803x: Request 'reset' GPIO only for AT8030 PHY
    - LP: #1571027
  * Linux 4.2.8-ckt8
    - LP: #1571027

 -- Kamal Mostafa <kamal@xxxxxxxxxxxxx>  Mon, 18 Apr 2016 06:54:19 -0700

** Changed in: linux (Ubuntu Wily)
       Status: Fix Committed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3136

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3137

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1556562

Title:
  VIA C7-D machine "kernel NULL pointer dereference" in
  skcipher_recvmsg_async

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Wily:
  Fix Released

Bug description:
  I'm working on an Lubuntu 15 machine. It was chosen because it
  supports VIA C7-D processor and the VIA PM400 chipset without crashing
  (also see ). Lubuntu 15 uses the 4.2 kernel:

    $ lsb_release -a
    No LSB modules are available.
    Distributor ID:	Ubuntu
    Description:	Ubuntu 15.10
    Release:	15.10
    Codename:	wily

  And:

    $ uname -a
    Linux via 4.2.0-30-generic #36-Ubuntu SMP Fri Feb 26 00:57:19 UTC 2016 i686 i686 i686 GNU/Linux

  When running a particular program (details below), it hangs in syscall
  248 and results in the following dmesg/syslog output. The process
  cannot be killed, the machine does not respond to a 'shutdown -r now',
  and the machine requires a hard reset.

  ...
  [ 4505.429577] BUG: unable to handle kernel NULL pointer dereference at 00000008
  [ 4505.429593] IP: [<f8a6ccf2>] skcipher_recvmsg_async.isra.13+0x4b2/0x500 [algif_skcipher]
  [ 4505.429607] *pdpt = 0000000034ee3001 *pde = 0000000000000000 
  [ 4505.429614] Oops: 0000 [#3] SMP 
  [ 4505.429621] Modules linked in: jitterentropy_rng drbg ansi_cprng algif_skcipher af_alg snd_hda_codec_realtek snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_seq_midi snd_seq_midi_event snd_rawmidi padlock_sha snd_seq padlock_aes snd_seq_device via_cputemp snd_timer hwmon_vid via_rng snd input_leds serio_raw soundcore i2c_viapro shpchp 8250_fintek mac_hid parport_pc ppdev lp parport autofs4 pata_acpi hid_generic usbhid hid psmouse r8169 pata_via sata_via mii
  [ 4505.429689] CPU: 0 PID: 1532 Comm: afalgtest Tainted: G      D         4.2.0-30-generic #36-Ubuntu
  [ 4505.429695] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./Weibu, BIOS 080014  11/17/2011
  [ 4505.429700] task: f4e0e040 ti: f4e3c000 task.ti: f4e3c000
  [ 4505.429705] EIP: 0060:[<f8a6ccf2>] EFLAGS: 00010202 CPU: 0
  [ 4505.429712] EIP is at skcipher_recvmsg_async.isra.13+0x4b2/0x500 [algif_skcipher]
  [ 4505.429717] EAX: f3f97c00 EBX: f3f3ee00 ECX: f3f97c00 EDX: 00000000
  [ 4505.429722] ESI: f3f3ee00 EDI: 00000ff0 EBP: f4e3ddc8 ESP: f4e3dd70
  [ 4505.429726]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
  [ 4505.429731] CR0: 80050033 CR2: 00000008 CR3: 3247a520 CR4: 000006b0
  [ 4505.429735] Stack:
  [ 4505.429738]  f3f97df4 f3f97c00 f3f97de0 00000000 f3f97c04 00000020 f4e3dd00 00000018
  [ 4505.429750]  00001ff0 f3fb4400 f3f97c04 00000ff0 f4e3de40 f3f97de8 f4e3de38 f3fa0000
  [ 4505.429761]  00000002 00000002 f3f97c00 f1f58180 c1210510 f4e3de38 f4e3ddf4 f8a6cd6b
  [ 4505.429772] Call Trace:
  [ 4505.429788]  [<c1210510>] ? free_ioctx_users+0xa0/0xa0
  [ 4505.429795]  [<f8a6cd6b>] skcipher_recvmsg+0x2b/0x1f0 [algif_skcipher]
  [ 4505.429803]  [<f8a6c71a>] ? skcipher_check_key.isra.8+0x2a/0xb0 [algif_skcipher]
  [ 4505.429810]  [<f8a6cf61>] skcipher_recvmsg_nokey+0x31/0x40 [algif_skcipher]
  [ 4505.429820]  [<c164e1fd>] sock_recvmsg+0x3d/0x50
  [ 4505.429826]  [<c164e294>] sock_read_iter+0x84/0xd0
  [ 4505.429833]  [<c164e210>] ? sock_recvmsg+0x50/0x50
  [ 4505.429839]  [<c12108b0>] aio_run_iocb+0x110/0x2c0
  [ 4505.429846]  [<c164e210>] ? sock_recvmsg+0x50/0x50
  [ 4505.429854]  [<c1767b8f>] ? error_code+0x67/0x6c
  [ 4505.429865]  [<c11b25e4>] ? kmem_cache_alloc+0x1b4/0x1e0
  [ 4505.429875]  [<c11e5112>] ? __fdget+0x12/0x20
  [ 4505.429881]  [<c121168f>] do_io_submit+0x1ef/0x4a0
  [ 4505.429893]  [<c12ddd2f>] ? security_file_alloc+0x2f/0x50
  [ 4505.429900]  [<c1211960>] SyS_io_submit+0x20/0x30
  [ 4505.429911]  [<c176695f>] sysenter_do_call+0x12/0x12
  [ 4505.429915] Code: 00 00 00 75 24 8b 45 ac ff 52 0c 89 c7 83 ff 8d 75 8f 8b 45 e4 3e ff 80 fc 01 00 00 bf ef fd ff ff e9 62 fc ff ff 8d 76 00 89 c8 <ff> 52 08 89 c7 eb db 8b 45 e4 31 d2 8b 80 20 02 00 00 8b 58 1c
  [ 4505.429982] EIP: [<f8a6ccf2>] skcipher_recvmsg_async.isra.13+0x4b2/0x500 [algif_skcipher] SS:ESP 0068:f4e3dd70
  [ 4505.429991] CR2: 0000000000000008
  [ 4505.429997] ---[ end trace 3cce7cc6be0ad960 ]---

  **********

  The process details: this is a failed self test for the upcoming
  OpenSSL 1.1.0. The OpenSSL RT bug report for this issue is at
  http://rt.openssl.org/Ticket/Display.html?id=4411. Two attempts to
  debug it resulted in two hung processes:

  $ ps -A | grep afalgtest
  1030 pts/0    00:00:00 afalgtest
  1196 pts/0    00:00:00 afalgtest

  And:

  via:test$ sudo cat /proc/1030/syscall 
  248 0xb7fd6000 0x1 0xbfff98d4 0xb7fb9270 0xbfff98e0 0xb7ec45f7 0xbfff986c 0xb7fdbbe8
  via:test$ sudo cat /proc/1196/syscall 
  248 0xb7fd6000 0x1 0xbfff98d4 0xb7fb9270 0xbfff98e0 0xb7ec45f7 0xbfff986c 0xb7fdbbe8

  It's not clear to me what that particular syscall is:

  $ cat /usr/include/asm-generic/unistd.h
  ...
  /*
   * Architectures may provide up to 16 syscalls of their own
   * starting with this value.
   */
  #define __NR_arch_specific_syscall 244

  #define __NR_wait4 260
  __SC_COMP(__NR_wait4, sys_wait4, compat_sys_wait4)
  #define __NR_prlimit64 261
  __SYSCALL(__NR_prlimit64, sys_prlimit64)
  #define __NR_fanotify_init 262
  __SYSCALL(__NR_fanotify_init, sys_fanotify_init)
  #define __NR_fanotify_mark 263
  ...

  **********

  If interested, you should be able to duplicate it with the following.
  That's assuming you have the hardware.

  $ git clone git://git.openssl.org/openssl.git
  $ cd openssl

  $ ./config -d
  $ make
  $ make test/afalgtest
  $ cd test
  $ OPENSSL_ENGINES=../engines/afalg gdb ./afalgtest

  **********

  In this case, the hardware was selected for the VIA C7-D processor and the Padlock engine. It's relatively low-end, and can be found at http://www.amazon.com/gp/product/B01AXR2KBQ.
  --- 
  ApportVersion: 2.19.1-0ubuntu5
  Architecture: i386
  AudioDevicesInUse:
   USER        PID ACCESS COMMAND
   /dev/snd/controlC0:  jwalton   16458 F.... lxpanel
  DistroRelease: Ubuntu 15.10
  HibernationDevice: RESUME=UUID=e056d1a4-73ea-4667-a51f-604158d1b9fb
  InstallationDate: Installed on 2016-03-22 (1 days ago)
  InstallationMedia: Lubuntu 15.10 "Wily Werewolf" - Release i386 (20151021)
  IwConfig:
   lo        no wireless extensions.
   
   enp3s0    no wireless extensions.
  MachineType: To Be Filled By O.E.M. To Be Filled By O.E.M.
  Package: linux (not installed)
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  ProcFB: 0 VESA VGA
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.2.0-35-generic root=UUID=ed37a08c-3f91-4903-b20a-ba9829326044 ro ipv6.disable=1 biosdevname=0 audit=0 quiet splash vt.handoff=7
  ProcVersionSignature: Ubuntu 4.2.0-35.40-generic 4.2.8-ckt5
  RelatedPackageVersions:
   linux-restricted-modules-4.2.0-35-generic N/A
   linux-backports-modules-4.2.0-35-generic  N/A
   linux-firmware                            1.149.3
  RfKill:
   
  Tags:  wily wily
  UdevLog: Error: [Errno 2] No such file or directory: '/var/log/udev'
  Uname: Linux 4.2.0-35-generic i686
  UpgradeStatus: No upgrade log present (probably fresh install)
  UserGroups:
   
  _MarkForUpload: True
  dmi.bios.date: 11/17/2011
  dmi.bios.vendor: American Megatrends Inc.
  dmi.bios.version: 080014
  dmi.board.asset.tag: To Be Filled By O.E.M.
  dmi.board.name: Weibu
  dmi.board.vendor: WB
  dmi.board.version: 1.0
  dmi.chassis.asset.tag: To Be Filled By O.E.M.
  dmi.chassis.type: 3
  dmi.chassis.vendor: To Be Filled By O.E.M.
  dmi.chassis.version: To Be Filled By O.E.M.
  dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvr080014:bd11/17/2011:svnToBeFilledByO.E.M.:pnToBeFilledByO.E.M.:pvrToBeFilledByO.E.M.:rvnWB:rnWeibu:rvr1.0:cvnToBeFilledByO.E.M.:ct3:cvrToBeFilledByO.E.M.:
  dmi.product.name: To Be Filled By O.E.M.
  dmi.product.version: To Be Filled By O.E.M.
  dmi.sys.vendor: To Be Filled By O.E.M.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1556562/+subscriptions
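
A triage helper for the oops quoted in the bug description above, as an added example that is not part of the original report or of any kernel or Launchpad tooling. It extracts the faulting symbol and module and decodes the marked instruction byte on the `Code:` line to show which register held the NULL pointer; the function name `triage` and the result keys are assumptions made for this example.

```python
import re

# Constructed sample: lines excerpted from the oops quoted in the bug
# description above; the Code: line is shortened around the <ff> marker.
OOPS = """\
[ 4505.429577] BUG: unable to handle kernel NULL pointer dereference at 00000008
[ 4505.429593] IP: [<f8a6ccf2>] skcipher_recvmsg_async.isra.13+0x4b2/0x500 [algif_skcipher]
[ 4505.429717] EAX: f3f97c00 EBX: f3f3ee00 ECX: f3f97c00 EDX: 00000000
[ 4505.429722] ESI: f3f3ee00 EDI: 00000ff0 EBP: f4e3ddc8 ESP: f4e3dd70
[ 4505.429900]  [<c1211960>] SyS_io_submit+0x20/0x30
[ 4505.429915] Code: 8d 76 00 89 c8 <ff> 52 08 89 c7 eb db
"""

# x86 ModRM r/m field -> 32-bit register name (r/m == 4 means a SIB byte follows).
REGS32 = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]

def triage(text):
    """Summarise a 32-bit x86 oops: where it faulted and on which pointer."""
    fault = int(re.search(r"(?:dereference|paging request) at ([0-9a-f]+)", text).group(1), 16)
    sym, off, size, module = re.search(
        r"IP: \[<[0-9a-f]+>\] (\S+)\+(0x[0-9a-f]+)/(0x[0-9a-f]+)(?: \[(\w+)\])?", text).groups()
    regs = {n: int(v, 16) for n, v in
            re.findall(r"\b(E[A-D]X|E[SD]I|E[BS]P): ([0-9a-f]{8})", text)}
    entry = re.search(r"\] (SyS_\w+)\+", text)
    out = {"fault_addr": fault, "symbol": sym, "offset": int(off, 16),
           "module": module, "entry_syscall": entry.group(1) if entry else None,
           "insn": None}

    # The byte in <..> on the Code: line is the first byte of the faulting insn.
    code = re.search(r"Code: (.*)", text).group(1).split()
    start = next(i for i, b in enumerate(code) if b.startswith("<"))
    insn = [int(b.strip("<>"), 16) for b in code[start:]]

    # Decode only the case seen here: FF /2 with an 8-bit displacement,
    # i.e. an indirect call through a function pointer stored at disp(base).
    if len(insn) >= 3 and insn[0] == 0xFF:
        mod, reg, rm = insn[1] >> 6, (insn[1] >> 3) & 7, insn[1] & 7
        if mod == 1 and reg == 2 and rm != 4:
            disp = insn[2] - 256 if insn[2] > 127 else insn[2]
            base = REGS32[rm]
            out["insn"] = f"call *{disp:#x}(%{base.lower()})"
            out["base_is_null"] = regs[base] == 0
            out["slot_is_fault_addr"] = (regs[base] + disp) & 0xFFFFFFFF == fault
    return out

if __name__ == "__main__":
    for key, value in triage(OOPS).items():
        print(f"{key}: {value}")
```

For this oops the helper reports an indirect call through offset 8 of a structure pointer held in EDX, which is zero, matching the fault address in CR2; the trace's `SyS_io_submit` frame names the syscall entry point the process was in.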