This bug was fixed in the package linux - 4.4.0-96.119
---------------
linux (4.4.0-96.119) xenial; urgency=low
* linux: 4.4.0-96.119 -proposed tracker (LP: #1716613)
* kernel panic -not syncing: Fatal exception: panic_on_oops (LP: #1708399)
- s390/mm: no local TLB flush for clearing-by-ASCE IDTE
- SAUCE: s390/mm: fix local TLB flushing vs. detach of an mm address space
- SAUCE: s390/mm: fix race on mm->context.flush_mm
* CVE-2017-1000251
- Bluetooth: Properly check L2CAP config option output buffer length
linux (4.4.0-95.118) xenial; urgency=low
* linux: 4.4.0-95.118 -proposed tracker (LP: #1715651)
* Xenial update to 4.4.78 stable release broke Address Sanitizer
(LP: #1715636)
- mm: revert x86_64 and arm64 ELF_ET_DYN_BASE base changes
linux (4.4.0-94.117) xenial; urgency=low
* linux: 4.4.0-94.117 -proposed tracker (LP: #1713462)
* mwifiex causes kernel oops when AP mode is enabled (LP: #1712746)
- SAUCE: net/wireless: do not dereference invalid pointer
- SAUCE: mwifiex: do not dereference invalid pointer
* Backport more recent Broadcom bnxt_en driver (LP: #1711056)
- SAUCE: bnxt_en_bpo: Import bnxt_en driver version 1.8.1
- SAUCE: bnxt_en_bpo: Drop distro out-of-tree detection logic
- SAUCE: bnxt_en_bpo: Remove unnecessary compile flags
- SAUCE: bnxt_en_bpo: Move config settings to Kconfig
- SAUCE: bnxt_en_bpo: Remove PCI_IDs handled by the regular driver
- SAUCE: bnxt_en_bpo: Rename the backport driver to bnxt_en_bpo
- bnxt_en_bpo: [Config] Enable CONFIG_BNXT_BPO=m
* HID: multitouch: Support ALPS PTP Stick and Touchpad devices (LP: #1712481)
- HID: multitouch: Support PTP Stick and Touchpad device
- SAUCE: HID: multitouch: Support ALPS PTP stick with pid 0x120A
* igb: Support using Broadcom 54616 as PHY (LP: #1712024)
- SAUCE: igb: add support for using Broadcom 54616 as PHY
* IPR driver causes multipath to fail paths/stuck IO on Medium Errors
(LP: #1682644)
- scsi: ipr: do not set DID_PASSTHROUGH on CHECK CONDITION
* accessing /dev/hvc1 with stress-ng on Ubuntu xenial causes crash
(LP: #1711401)
- tty/hvc: Use IRQF_SHARED for OPAL hvc consoles
* memory-hotplug test needs to be fixed (LP: #1710868)
- selftests: typo correction for memory-hotplug test
- selftests: check hot-pluggagble memory for memory-hotplug test
- selftests: check percentage range for memory-hotplug test
- selftests: add missing test name in memory-hotplug test
- selftests: fix memory-hotplug test
* HP lt4132 LTE/HSPA+ 4G Module (03f0:a31d) does not work (LP: #1707643)
- net: cdc_mbim: apply "NDP to end" quirk to HP lt4132
* Migrating KSM page causes the VM lock up as the KSM page merging list is too
large (LP: #1680513)
- ksm: introduce ksm_max_page_sharing per page deduplication limit
- ksm: fix use after free with merge_across_nodes = 0
- ksm: cleanup stable_node chain collapse case
- ksm: swap the two output parameters of chain/chain_prune
- ksm: optimize refile of stable_node_dup at the head of the chain
* sort ABI files with C.UTF-8 locale (LP: #1712345)
- [Packaging] sort ABI files with C.UTF-8 locale
* Include Broadcom GPL modules in Xenial Kernel (LP: #1665783)
- [Config] OpenNSL Kconfig/Makefile
- Import OpenNSL v3.1.0.17
- [Config] CONFIG_OPENNSL=y for amd64
- OpenNSL: Enable Kconfig and build
- SAUCE: opennsl: add proper CFLAGS
* Xenial update to 4.4.83 stable release (LP: #1711557)
- cpuset: fix a deadlock due to incomplete patching of cpusets_enabled()
- mm: ratelimit PFNs busy info message
- iscsi-target: fix memory leak in iscsit_setup_text_cmd()
- iscsi-target: Fix iscsi_np reset hung task during parallel delete
- fuse: initialize the flock flag in fuse_file on allocation
- nfs/flexfiles: fix leak of nfs4_ff_ds_version arrays
- USB: serial: option: add D-Link DWM-222 device ID
- USB: serial: cp210x: add support for Qivicon USB ZigBee dongle
- USB: serial: pl2303: add new ATEN device id
- usb: musb: fix tx fifo flush handling again
- USB: hcd: Mark secondary HCD as dead if the primary one died
- staging:iio:resolver:ad2s1210 fix negative IIO_ANGL_VEL read
- iio: accel: bmc150: Always restore device to normal mode after suspend-
resume
- iio: light: tsl2563: use correct event code
- uas: Add US_FL_IGNORE_RESIDUE for Initio Corporation INIC-3069
- USB: Check for dropped connection before switching to full speed
- usb: core: unlink urbs from the tail of the endpoint's urb_list
- usb: quirks: Add no-lpm quirk for Moshi USB to Ethernet Adapter
- usb:xhci:Add quirk for Certain failing HP keyboard on reset after resume
- iio: adc: vf610_adc: Fix VALT selection value for REFSEL bits
- pnfs/blocklayout: require 64-bit sector_t
- pinctrl: sunxi: add a missing function of A10/A20 pinctrl driver
- pinctrl: samsung: Remove bogus irq_[un]mask from resource management
- Linux 4.4.83
* Xenial update to 4.4.82 stable release (LP: #1711535)
- tcp: avoid setting cwnd to invalid ssthresh after cwnd reduction states
- net: fix keepalive code vs TCP_FASTOPEN_CONNECT
- bpf, s390: fix jit branch offset related to ldimm64
- net: sched: set xt_tgchk_param par.nft_compat as 0 in ipt_init_target
- tcp: fastopen: tcp_connect() must refresh the route
- net: avoid skb_warn_bad_offload false positives on UFO
- sparc64: Prevent perf from running during super critical sections
- KVM: arm/arm64: Handle hva aging while destroying the vm
- mm/mempool: avoid KASAN marking mempool poison checks as use-after-free
- Linux 4.4.82
* Xenial update to 4.4.81 stable release (LP: #1711526)
- libata: array underflow in ata_find_dev()
- workqueue: restore WQ_UNBOUND/max_active==1 to be ordered
- ALSA: hda - Fix speaker output from VAIO VPCL14M1R
- ASoC: do not close shared backend dailink
- KVM: async_pf: make rcu irq exit if not triggered from idle task
- mm/page_alloc: Remove kernel address exposure in free_reserved_area()
- ext4: fix SEEK_HOLE/SEEK_DATA for blocksize < pagesize
- ext4: fix overflow caused by missing cast in ext4_resize_fs()
- ARM: dts: armada-38x: Fix irq type for pca955
- media: platform: davinci: return -EINVAL for VPFE_CMD_S_CCDC_RAW_PARAMS
ioctl
- target: Avoid mappedlun symlink creation during lun shutdown
- iscsi-target: Always wait for kthread_should_stop() before kthread exit
- iscsi-target: Fix early sk_data_ready LOGIN_FLAGS_READY race
- iscsi-target: Fix initial login PDU asynchronous socket close OOPs
- iscsi-target: Fix delayed logout processing greater than
SECONDS_FOR_LOGOUT_COMP
- iser-target: Avoid isert_conn->cm_id dereference in isert_login_recv_done
- mm, mprotect: flush TLB if potentially racing with a parallel reclaim
leaving stale TLB entries
- media: lirc: LIRC_GET_REC_RESOLUTION should return microseconds
- f2fs: sanity check checkpoint segno and blkoff
- drm: rcar-du: fix backport bug
- saa7164: fix double fetch PCIe access condition
- ipv4: ipv6: initialize treq->txhash in cookie_v[46]_check()
- net: Zero terminate ifr_name in dev_ifname().
- ipv6: avoid overflow of offset in ip6_find_1stfragopt
- ipv4: initialize fib_trie prior to register_netdev_notifier call.
- rtnetlink: allocate more memory for dev_set_mac_address()
- mcs7780: Fix initialization when CONFIG_VMAP_STACK is enabled
- openvswitch: fix potential out of bound access in parse_ct
- packet: fix use-after-free in prb_retire_rx_blk_timer_expired()
- ipv6: Don't increase IPSTATS_MIB_FRAGFAILS twice in ip6_fragment()
- net: ethernet: nb8800: Handle all 4 RGMII modes identically
- dccp: fix a memleak that dccp_ipv6 doesn't put reqsk properly
- dccp: fix a memleak that dccp_ipv4 doesn't put reqsk properly
- dccp: fix a memleak for dccp_feat_init err process
- sctp: don't dereference ptr before leaving _sctp_walk_{params, errors}()
- sctp: fix the check for _sctp_walk_params and _sctp_walk_errors
- net/mlx5: Fix command bad flow on command entry allocation failure
- net: phy: Correctly process PHY_HALTED in phy_stop_machine()
- net: phy: Fix PHY unbind crash
- xen-netback: correctly schedule rate-limited queues
- sparc64: Measure receiver forward progress to avoid send mondo timeout
- wext: handle NULL extra data in iwe_stream_add_point better
- sh_eth: R8A7740 supports packet shecksumming
- net: phy: dp83867: fix irq generation
- tg3: Fix race condition in tg3_get_stats64().
- x86/boot: Add missing declaration of string functions
- phy state machine: failsafe leave invalid RUNNING state
- scsi: qla2xxx: Get mutex lock before checking optrom_state
- drm/virtio: fix framebuffer sparse warning
- virtio_blk: fix panic in initialization error path
- ARM: 8632/1: ftrace: fix syscall name matching
- mm, slab: make sure that KMALLOC_MAX_SIZE will fit into MAX_ORDER
- lib/Kconfig.debug: fix frv build failure
- signal: protect SIGNAL_UNKILLABLE from unintentional clearing.
- mm: don't dereference struct page fields of invalid pages
- workqueue: implicit ordered attribute should be overridable
- Linux 4.4.81
* Xenial update to 4.4.80 stable release (LP: #1710646)
- af_key: Add lock to key dump
- pstore: Make spinlock per zone instead of global
- powerpc/pseries: Fix of_node_put() underflow during reconfig remove
- crypto: authencesn - Fix digest_null crash
- md/raid5: add thread_group worker async_tx_issue_pending_all
- drm/vmwgfx: Fix gcc-7.1.1 warning
- drm/nouveau/bar/gf100: fix access to upper half of BAR2
- KVM: PPC: Book3S HV: Context-switch EBB registers properly
- KVM: PPC: Book3S HV: Restore critical SPRs to host values on guest exit
- KVM: PPC: Book3S HV: Reload HTM registers explicitly
- KVM: PPC: Book3S HV: Save/restore host values of debug registers
- Revert "powerpc/numa: Fix percpu allocations to be NUMA aware"
- Staging: comedi: comedi_fops: Avoid orphaned proc entry
- drm/rcar: Nuke preclose hook
- drm: rcar-du: Perform initialization/cleanup at probe/remove time
- drm: rcar-du: Simplify and fix probe error handling
- perf intel-pt: Fix ip compression
- perf intel-pt: Fix last_ip usage
- perf intel-pt: Use FUP always when scanning for an IP
- perf intel-pt: Ensure never to set 'last_ip' when packet 'count' is zero
- xfs: don't BUG() on mixed direct and mapped I/O
- nfc: fdp: fix NULL pointer dereference
- net: phy: Do not perform software reset for Generic PHY
- isdn: Fix a sleep-in-atomic bug
- isdn/i4l: fix buffer overflow
- ath10k: fix null deref on wmi-tlv when trying spectral scan
- wil6210: fix deadlock when using fw_no_recovery option
- mailbox: always wait in mbox_send_message for blocking Tx mode
- mailbox: skip complete wait event if timer expired
- mailbox: handle empty message in tx_tick
- mpt3sas: Don't overreach ioc->reply_post[] during initialization
- kaweth: fix firmware download
- kaweth: fix oops upon failed memory allocation
- sched/cgroup: Move sched_online_group() back into css_online() to fix
crash
- PM / Domains: defer dev_pm_domain_set() until genpd->attach_dev succeeds
if
present
- RDMA/uverbs: Fix the check for port number
- libnvdimm, btt: fix btt_rw_page not returning errors
- ipmi/watchdog: fix watchdog timeout set on reboot
- v4l: s5c73m3: fix negation operator
- pstore: Allow prz to control need for locking
- pstore: Correctly initialize spinlock and flags
- pstore: Use dynamic spinlock initializer
- net: skb_needs_check() accepts CHECKSUM_NONE for tx
- sched/cputime: Fix prev steal time accouting during CPU hotplug
- xen/blkback: don't free be structure too early
- xen/blkback: don't use xen_blkif_get() in xen-blkback kthread
- tpm: fix a kernel memory leak in tpm-sysfs.c
- tpm: Replace device number bitmap with IDR
- x86/mce/AMD: Make the init code more robust
- r8169: add support for RTL8168 series add-on card.
- ARM: dts: n900: Mark eMMC slot with no-sdio and no-sd flags
- net/mlx4: Remove BUG_ON from ICM allocation routine
- drm/msm: Ensure that the hardware write pointer is valid
- drm/msm: Verify that MSM_SUBMIT_BO_FLAGS are set
- vfio-pci: use 32-bit comparisons for register address for gcc-4.5
- irqchip/keystone: Fix "scheduling while atomic" on rt
- ASoC: tlv320aic3x: Mark the RESET register as volatile
- spi: dw: Make debugfs name unique between instances
- ASoC: nau8825: fix invalid configuration in Pre-Scalar of FLL
- irqchip/mxs: Enable SKIP_SET_WAKE and MASK_ON_SUSPEND
- openrisc: Add _text symbol to fix ksym build error
- dmaengine: ioatdma: Add Skylake PCI Dev ID
- dmaengine: ioatdma: workaround SKX ioatdma version
- dmaengine: ti-dma-crossbar: Add some 'of_node_put()' in error path.
- ARM64: zynqmp: Fix W=1 dtc 1.4 warnings
- ARM64: zynqmp: Fix i2c node's compatible string
- ARM: s3c2410_defconfig: Fix invalid values for NF_CT_PROTO_*
- ACPI / scan: Prefer devices without _HID/_CID for _ADR matching
- usb: gadget: Fix copy/pasted error message
- Btrfs: adjust outstanding_extents counter properly when dio write is split
- tools lib traceevent: Fix prev/next_prio for deadline tasks
- xfrm: Don't use sk_family for socket policy lookups
- perf tools: Install tools/lib/traceevent plugins with install-bin
- perf symbols: Robustify reading of build-id from sysfs
- video: fbdev: cobalt_lcdfb: Handle return NULL error from devm_ioremap
- vfio-pci: Handle error from pci_iomap
- arm64: mm: fix show_pte KERN_CONT fallout
- nvmem: imx-ocotp: Fix wrong register size
- sh_eth: enable RX descriptor word 0 shift on SH7734
- ALSA: usb-audio: test EP_FLAG_RUNNING at urb completion
- HID: ignore Petzl USB headlamp
- scsi: fnic: Avoid sending reset to firmware when another reset is in
progress
- scsi: snic: Return error code on memory allocation failure
- ASoC: dpcm: Avoid putting stream state to STOP when FE stream is paused
- Linux 4.4.80
* Please only recommend or suggest initramfs-tools | linux-initramfs-tool for
kernels able to boot without initramfs (LP: #1700972)
- [Debian] Don't depend on initramfs-tools
-- Stefan Bader <stefan.ba...@canonical.com> Tue, 12 Sep 2017 15:40:01
+0200
** Changed in: linux (Ubuntu Xenial)
Status: Fix Committed => Fix Released
** CVE added: https://cve.mitre.org/cgi-
bin/cvename.cgi?name=2017-1000251
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1712746
Title:
mwifiex causes kernel oops when AP mode is enabled
Status in HWE Next:
In Progress
Status in linux package in Ubuntu:
In Progress
Status in linux source package in Xenial:
Fix Released
Bug description:
When it's in AP mode, there's quite a chance to find kernel oops
during reboot.
This is caused by the wiphy may be NULL for some reason. It's likely a
bug in mwifiex. We've already pinged Marvell and Murata. Before
there's a real fix available, we should check wiphy before accessing
it.
I've tried a 4.13-rc6 kernel. Though it has oops for NULL pointer
deference too, it happens in a different function in mwifiex. Thus the
workaround for Xenial may or may not help for other series. Will need
to reproduce this issue with Zesty and then we can decide whether this
workaround should be applied to Zesty.
[ 30.701441] BUG: unable to handle kernel NULL pointer dereference at
00000000000000f0
[ 30.709511] IP: [<ffffffffc05781b9>] mwifiex_get_cfp+0x49/0x150 [mwifiex]
[ 30.716494] PGD 0
[ 30.718575] Oops: 0000 [#1] SMP
[ 30.721918] Modules linked in: ipt_MASQUERADE nf_nat_masquerade_ipv4
iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conni
[ 30.836915] CPU: 1 PID: 679 Comm: kworker/u5:0 Not tainted
4.4.0-57-generic #78-Ubuntu
[ 30.845018] Hardware name: Dell Inc. Edge Gateway 5000/ , BIOS
01.05.00 10/18/2016
[ 30.853218] Workqueue: MWIFIEX_WORK_QUEUE mwifiex_main_work_queue [mwifiex]
[ 30.860362] task: ffff880077c11980 ti: ffff880075e48000 task.ti:
ffff880075e48000
[ 30.868018] RIP: 0010:[<ffffffffc05781b9>] [<ffffffffc05781b9>]
mwifiex_get_cfp+0x49/0x150 [mwifiex]
[ 30.877484] RSP: 0018:ffff880075e4bbf8 EFLAGS: 00010202
[ 30.882920] RAX: 0000000000000000 RBX: 0000000000000004 RCX:
0000000000000004
[ 30.890221] RDX: 0010000000110010 RSI: 0000000000000004 RDI:
0000000000000004
[ 30.897520] RBP: ffff880075e4bc28 R08: 0000000000000003 R09:
0000000000000001
[ 30.904821] R10: 0000000000000001 R11: 00000000000002ff R12:
0000000000000095
[ 30.912123] R13: 0000000000000000 R14: ffff880075e40000 R15:
0000000000000095
[ 30.919425] FS: 0000000000000000(0000) GS:ffff880071300000(0000)
knlGS:0000000000000000
[ 30.927701] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 30.933581] CR2: 00000000000000f0 CR3: 0000000001e0a000 CR4:
00000000001006e0
[ 30.940882] Stack:
[ 30.942944] 0000000000000118 ffff880075e40000 ffff8800750c4000
ffff880075e3ed59
[ 30.950592] 0000000000000095 ffff880075e3ee01 ffff880075e4bcd0
ffffffffc05846fc
[ 30.958232] 0000000000000000 ffff880075e4bc50 ffffffff8140bcb5
ffff880075e4bc70
[ 30.965873] Call Trace:
[ 30.968397] [<ffffffffc05846fc>]
mwifiex_parse_single_response_buf+0x1fc/0x560 [mwifiex]
[ 30.976772] [<ffffffff8140bcb5>] ? find_next_bit+0x15/0x20
[ 30.982490] [<ffffffffc0584d9c>]
mwifiex_handle_event_ext_scan_report+0x15c/0x340 [mwifiex]
[ 30.991139] [<ffffffffc058f4c6>] mwifiex_process_sta_event+0x276/0xb40
[mwifiex]
[ 30.998806] [<ffffffffc0578952>] mwifiex_process_event+0x102/0x1c0
[mwifiex]
[ 31.006120] [<ffffffffc057677e>] mwifiex_main_process+0x5de/0x8d0
[mwifiex]
[ 31.013346] [<ffffffffc0576a8f>] mwifiex_main_work_queue+0x1f/0x30
[mwifiex]
[ 31.020650] [<ffffffff8109a575>] process_one_work+0x165/0x480
[ 31.026624] [<ffffffff8109a8db>] worker_thread+0x4b/0x4c0
[ 31.032240] [<ffffffff8109a890>] ? process_one_work+0x480/0x480
[ 31.038387] [<ffffffff810a0c08>] kthread+0xd8/0xf0
[ 31.043384] [<ffffffff810a0b30>] ? kthread_create_on_node+0x1e0/0x1e0
[ 31.050071] [<ffffffff8183788f>] ret_from_fork+0x3f/0x70
[ 31.055596] [<ffffffff810a0b30>] ? kthread_create_on_node+0x1e0/0x1e0
[ 31.062276] Code: 85 c9 0f 84 ef 00 00 00 40 0f b6 de 49 89 fe 41 89 cd 89
df 41 89 d4 e8 46 f1 00 00 84 c0 49 8b 86 e0 13 00 00 0f 84 98 00
[ 31.082756] RIP [<ffffffffc05781b9>] mwifiex_get_cfp+0x49/0x150 [mwifiex]
[ 31.089820] RSP <ffff880075e4bbf8>
[ 31.093392] CR2: 00000000000000f0
[ 31.096787] ---[ end trace f3a762be5787f138 ]---
To manage notifications about this bug go to:
https://bugs.launchpad.net/hwe-next/+bug/1712746/+subscriptions
_______________________________________________
Mailing list: https://launchpad.net/~group.of.nepali.translators
Post to : group.of.nepali.translators@lists.launchpad.net
Unsubscribe : https://launchpad.net/~group.of.nepali.translators
More help : https://help.launchpad.net/ListHelp
