This bug was fixed in the package linux - 4.15.0-129.132

---------------
linux (4.15.0-129.132) bionic; urgency=medium

  * bionic/linux: 4.15.0-129.132 -proposed tracker (LP: #1907635)

  * Packaging resync (LP: #1786013)
    - update dkms package versions

  * Ubuntu 18.04- call trace in kernel buffer when unloading ib_ipoib module
    (LP: #1904848)
    - SAUCE: net/mlx5e: IPoIB, initialize update_stat_work for ipoib devices

  * memory is leaked when tasks are moved to net_prio (LP: #1886859)
    - netprio_cgroup: Fix unlimited memory leak of v2 cgroups

  * s390: dbginfo.sh triggers kernel panic, reading from
    /sys/kernel/mm/page_idle/bitmap (LP: #1904884)
    - mm/page_idle.c: skip offline pages

  * Bionic update: upstream stable patchset 2020-11-23 (LP: #1905333)
    - drm/i915: Break up error capture compression loops with cond_resched()
    - tipc: fix use-after-free in tipc_bcast_get_mode
    - gianfar: Replace skb_realloc_headroom with skb_cow_head for PTP
    - gianfar: Account for Tx PTP timestamp in the skb headroom
    - net: usb: qmi_wwan: add Telit LE910Cx 0x1230 composition
    - sctp: Fix COMM_LOST/CANT_STR_ASSOC err reporting on big-endian platforms
    - sfp: Fix error handing in sfp_probe()
    - Blktrace: bail out early if block debugfs is not configured
    - i40e: Fix of memory leak and integer truncation in i40e_virtchnl.c
    - Fonts: Replace discarded const qualifier
    - ALSA: usb-audio: Add implicit feedback quirk for Qu-16
    - lib/crc32test: remove extra local_irq_disable/enable
    - kthread_worker: prevent queuing delayed work from timer_fn when it is
      being canceled
    - mm: always have io_remap_pfn_range() set pgprot_decrypted()
    - gfs2: Wake up when sd_glock_disposal becomes zero
    - ftrace: Fix recursion check for NMI test
    - ftrace: Handle tracing when switching between context
    - tracing: Fix out of bounds write in get_trace_buf
    - futex: Handle transient "ownerless" rtmutex state correctly
    - ARM: dts: sun4i-a10: fix cpu_alert temperature
    - x86/kexec: Use up-to-dated screen_info copy to fill boot params
    - of: Fix reserved-memory overlap detection
    - blk-cgroup: Fix memleak on error path
    - blk-cgroup: Pre-allocate tree node on blkg_conf_prep
    - scsi: core: Don't start concurrent async scan on same host
    - vsock: use ns_capable_noaudit() on socket create
    - drm/vc4: drv: Add error handding for bind
    - ACPI: NFIT: Fix comparison to '-ENXIO'
    - vt: Disable KD_FONT_OP_COPY
    - fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent
    - serial: 8250_mtk: Fix uart_get_baud_rate warning
    - serial: txx9: add missing platform_driver_unregister() on error in
      serial_txx9_init
    - USB: serial: cyberjack: fix write-URB completion race
    - USB: serial: option: add Quectel EC200T module support
    - USB: serial: option: add LE910Cx compositions 0x1203, 0x1230, 0x1231
    - USB: serial: option: add Telit FN980 composition 0x1055
    - USB: Add NO_LPM quirk for Kingston flash drive
    - usb: mtu3: fix panic in mtu3_gadget_stop()
    - ARC: stack unwinding: avoid indefinite looping
    - Revert "ARC: entry: fix potential EFA clobber when TIF_SYSCALL_TRACE"
    - PM: runtime: Resume the device earlier in __device_release_driver()
    - btrfs: extent_io: add proper error handling to lock_extent_buffer_for_io()
    - Btrfs: fix unwritten extent buffers and hangs on future writeback attempts
    - btrfs: tree-checker: fix the error message for transid error
    - mm: mempolicy: fix potential pte_unmap_unlock pte error
    - tools: perf: Fix build error in v4.19.y
    - net: dsa: read mac address from DT for slave device
    - arm64: dts: marvell: espressobin: Add ethernet switch aliases

  * Bionic update: upstream stable patchset 2020-11-23 (LP: #1905333) //
    CVE-2019-19770 which shows this issue is not a core debugfs issue, but
    - blktrace: fix debugfs use after free

  * Bionic update: upstream stable patchset 2020-11-18 (LP: #1904791)
    - scripts/setlocalversion: make git describe output more reliable
    - arm64: link with -z norelro regardless of CONFIG_RELOCATABLE
    - gtp: fix an use-before-init in gtp_newlink()
    - ravb: Fix bit fields checking in ravb_hwtstamp_get()
    - tipc: fix memory leak caused by tipc_buf_append()
    - arch/x86/amd/ibs: Fix re-arming IBS Fetch
    - x86/xen: disable Firmware First mode for correctable memory errors
    - fuse: fix page dereference after free
    - p54: avoid accessing the data mapped to streaming DMA
    - mtd: lpddr: Fix bad logic in print_drs_error
    - ata: sata_rcar: Fix DMA boundary mask
    - fscrypt: return -EXDEV for incompatible rename or link into encrypted dir
    - x86/unwind/orc: Fix inactive tasks with stack pointer in %sp on GCC 10
      compiled kernels
    - mlxsw: core: Fix use-after-free in mlxsw_emad_trans_finish()
    - futex: Fix incorrect should_fail_futex() handling
    - powerpc/powernv/smp: Fix spurious DBG() warning
    - powerpc: select ARCH_WANT_IRQS_OFF_ACTIVATE_MM
    - sparc64: remove mm_cpumask clearing to fix kthread_use_mm race
    - f2fs: add trace exit in exception path
    - f2fs: fix to check segment boundary during SIT page readahead
    - um: change sigio_spinlock to a mutex
    - ARM: 8997/2: hw_breakpoint: Handle inexact watchpoint addresses
    - xfs: fix realtime bitmap/summary file truncation when growing rt volume
    - video: fbdev: pvr2fb: initialize variables
    - ath10k: start recovery process when payload length exceeds max htc length
      for sdio
    - ath10k: fix VHT NSS calculation when STBC is enabled
    - drm/brige/megachips: Add checking if ge_b850v3_lvds_init() is working
      correctly
    - media: videodev2.h: RGB BT2020 and HSV are always full range
    - media: platform: Improve queue set up flow for bug fixing
    - usb: typec: tcpm: During PR_SWAP, source caps should be sent only after
      tSwapSourceStart
    - media: tw5864: check status of tw5864_frameinterval_get
    - mmc: via-sdmmc: Fix data race bug
    - drm/bridge/synopsys: dsi: add support for non-continuous HS clock
    - printk: reduce LOG_BUF_SHIFT range for H8300
    - kgdb: Make "kgdbcon" work properly with "kgdb_earlycon"
    - cpufreq: sti-cpufreq: add stih418 support
    - USB: adutux: fix debugging
    - uio: free uio id after uio file node is freed
    - arm64/mm: return cpu_all_mask when node is NUMA_NO_NODE
    - ACPI: Add out of bounds and numa_off protections to pxm_to_node()
    - drivers/net/wan/hdlc_fr: Correctly handle special skb->protocol values
    - bus/fsl_mc: Do not rely on caller to provide non NULL mc_io
    - power: supply: test_power: add missing newlines when printing parameters
      by sysfs
    - md/bitmap: md_bitmap_get_counter returns wrong blocks
    - bnxt_en: Log unknown link speed appropriately.
    - clk: ti: clockdomain: fix static checker warning
    - net: 9p: initialize sun_server.sun_path to have addr's value only when
      addr is valid
    - drivers: watchdog: rdc321x_wdt: Fix race condition bugs
    - ext4: Detect already used quota file early
    - gfs2: add validation checks for size of superblock
    - arm64: dts: renesas: ulcb: add full-pwr-cycle-in-suspend into eMMC nodes
    - memory: emif: Remove bogus debugfs error handling
    - ARM: dts: s5pv210: remove DMA controller bus node name to fix dtschema
      warnings
    - ARM: dts: s5pv210: move PMU node out of clock controller
    - ARM: dts: s5pv210: remove dedicated 'audio-subsystem' node
    - nbd: make the config put is called before the notifying the waiter
    - sgl_alloc_order: fix memory leak
    - nvme-rdma: fix crash when connect rejected
    - md/raid5: fix oops during stripe resizing
    - perf/x86/amd/ibs: Don't include randomized bits in get_ibs_op_count()
    - perf/x86/amd/ibs: Fix raw sample data accumulation
    - leds: bcm6328, bcm6358: use devres LED registering function
    - fs: Don't invalidate page buffers in block_write_full_page()
    - NFS: fix nfs_path in case of a rename retry
    - ACPI / extlog: Check for RDMSR failure
    - ACPI: debug: don't allow debugging when ACPI is disabled
    - acpi-cpufreq: Honor _PSD table setting on new AMD CPUs
    - w1: mxc_w1: Fix timeout resolution problem leading to bus error
    - scsi: mptfusion: Fix null pointer dereferences in mptscsih_remove()
    - btrfs: reschedule if necessary when logging directory items
    - btrfs: send, recompute reference path after orphanization of a directory
    - btrfs: use kvzalloc() to allocate clone_roots in btrfs_ioctl_send()
    - btrfs: cleanup cow block on error
    - btrfs: fix use-after-free on readahead extent after failure to create it
    - usb: dwc3: ep0: Fix ZLP for OUT ep0 requests
    - usb: dwc3: core: add phy cleanup for probe error handling
    - usb: dwc3: core: don't trigger runtime pm when remove driver
    - usb: cdc-acm: fix cooldown mechanism
    - usb: host: fsl-mph-dr-of: check return of dma_set_mask()
    - drm/i915: Force VT'd workarounds when running as a guest OS
    - vt: keyboard, simplify vt_kdgkbsent
    - vt: keyboard, extend func_buf_lock to readers
    - dmaengine: dma-jz4780: Fix race in jz4780_dma_tx_status
    - iio:light:si1145: Fix timestamp alignment and prevent data leak.
    - iio:adc:ti-adc0832 Fix alignment issue with timestamp
    - iio:adc:ti-adc12138 Fix alignment issue with timestamp
    - iio:gyro:itg3200: Fix timestamp alignment and prevent data leak.
    - s390/stp: add locking to sysfs functions
    - [Config] update config for PPC_RTAS_FILTER
    - powerpc/rtas: Restrict RTAS requests from userspace
    - powerpc: Warn about use of smt_snooze_delay
    - powerpc/powernv/elog: Fix race while processing OPAL error log event.
    - NFSv4.2: support EXCHGID4_FLAG_SUPP_FENCE_OPS 4.2 EXCHANGE_ID flag
    - NFSD: Add missing NFSv2 .pc_func methods
    - ubifs: dent: Fix some potential memory leaks while iterating entries
    - perf python scripting: Fix printable strings in python3 scripts
    - ubi: check kthread_should_stop() after the setting of task state
    - ia64: fix build error with !COREDUMP
    - drm/amdgpu: don't map BO in reserved region
    - ceph: promote to unsigned long long before shifting
    - libceph: clear con->out_msg on Policy::stateful_server faults
    - 9P: Cast to loff_t before multiplying
    - ring-buffer: Return 0 on success from ring_buffer_resize()
    - vringh: fix __vringh_iov() when riov and wiov are different
    - ext4: fix leaking sysfs kobject after failed mount
    - ext4: fix error handling code in add_new_gdb
    - ext4: fix invalid inode checksum
    - drm/ttm: fix eviction valuable range check.
    - rtc: rx8010: don't modify the global rtc ops
    - tty: make FONTX ioctl use the tty pointer they were actually passed
    - arm64: berlin: Select DW_APB_TIMER_OF
    - [Config] update annotations for DW_APB_TIMER
    - cachefiles: Handle readpage error correctly
    - hil/parisc: Disable HIL driver when it gets stuck
    - arm: dts: mt7623: add missing pause for switchport
    - ARM: samsung: fix PM debug build with DEBUG_LL but !MMU
    - ARM: s3c24xx: fix missing system reset
    - device property: Keep secondary firmware node secondary by type
    - device property: Don't clear secondary pointer for shared primary firmware
      node
    - KVM: arm64: Fix AArch32 handling of DBGD{CCINT,SCRext} and DBGVCR
    - staging: comedi: cb_pcidas: Allow 2-channel commands for AO subdevice
    - staging: octeon: repair "fixed-link" support
    - staging: octeon: Drop on uncorrectable alignment or FCS error
    - objtool: Support Clang non-section symbols in ORC generation
    - arm64: Run ARCH_WORKAROUND_1 enabling code on all CPUs
    - x86/PCI: Fix intel_mid_pci.c build error when ACPI is not enabled
    - cxgb4: set up filter action after rewrites
    - cxl: Rework error message for incompatible slots
    - serial: pl011: Fix lockdep splat when handling magic-sysrq interrupt
    - fscrypt: only set dentry_operations on ciphertext dentries
    - xen/events: don't use chip_data for legacy IRQs
    - xen/events: avoid removing an event channel while handling it
    - xen/events: add a proper barrier to 2-level uevent unmasking
    - xen/events: fix race in evtchn_fifo_unmask()
    - xen/events: add a new "late EOI" evtchn framework
    - xen/blkback: use lateeoi irq binding
    - xen/netback: use lateeoi irq binding
    - xen/scsiback: use lateeoi irq binding
    - xen/pvcallsback: use lateeoi irq binding
    - xen/pciback: use lateeoi irq binding
    - xen/events: switch user event channels to lateeoi model
    - xen/events: use a common cpu hotplug hook for event channels
    - xen/events: defer eoi in case of excessive number of events
    - xen/events: block rogue events for some time
    - RDMA/qedr: Fix memory leak in iWARP CM
    - [Config] update config for ARCH_WANT_IRQS_OFF_ACTIVATE_MM
    - mm: fix exec activate_mm vs TLB shootdown and lazy tlb switching race
    - f2fs: fix uninit-value in f2fs_lookup
    - power: supply: bq27xxx: report "not charging" on all types
    - media: imx274: fix frame interval handling
    - arm64: topology: Stop using MPIDR for topology information
    - ia64: kprobes: Use generic kretprobe trampoline handler
    - media: uvcvideo: Fix dereference of out-of-bound list iterator
    - riscv: Define AT_VECTOR_SIZE_ARCH for ARCH_DLINFO
    - usb: xhci: omit duplicate actions when suspending a runtime suspended
      host.
    - drm/amd/display: HDMI remote sink need mode validation for Linux
    - btrfs: fix replace of seed device
    - rpmsg: glink: Use complete_all for open states
    - cifs: handle -EINTR in cifs_setattr
    - ACPI: button: fix handling lid state changes when input device closed
    - scsi: qla2xxx: Fix crash on session cleanup with unload
    - btrfs: improve device scanning messages
    - usb: xhci: Workaround for S3 issue on AMD SNPS 3.0 xHC
    - usb: typec: tcpm: reset hard_reset_count for any disconnect
    - powerpc: Fix undetected data corruption with P9N DD2.1 VSX CI load
      emulation
    - drm/amd/display: Don't invoke kgdb_breakpoint() unconditionally

  * [HP 635] Radeon 6310 brightness control does not work (LP: #1894667) //
    Bionic update: upstream stable patchset 2020-11-18 (LP: #1904791)
    - ACPI: video: use ACPI backlight for HP 635 Notebook

  * Bionic update: upstream stable patchset 2020-11-17 (LP: #1904613)
    - RDMA/cma: Remove dead code for kernel rdmacm multicast
    - RDMA/hns: Fix missing sq_sig_type when querying QP
    - rpmsg: smd: Fix a kobj leak in in qcom_smd_parse_edge()
    - pwm: img: Fix null pointer access in probe
    - watchdog: Fix memleak in watchdog_cdev_register
    - watchdog: Use put_device on error
    - SUNRPC: fix copying of multiple pages in gss_read_proxy_verf()
    - netfilter: conntrack: connection timeout after re-register
    - netfilter: nf_fwd_netdev: clear timestamp in forwarding path
    - ARM: dts: imx6sl: fix rng node
    - ARM: dts: sun8i: r40: bananapi-m2-ultra: Fix dcdc1 regulator
    - memory: omap-gpmc: Fix build error without CONFIG_OF
    - arm64: dts: qcom: pm8916: Remove invalid reg size from wcd_codec
    - ip_gre: set dev->hard_header_len and dev->needed_headroom properly
    - usb: dwc3: simple: add support for Hikey 970

  * Bionic: btrfs: kernel BUG at
    /build/linux-eTBZpZ/linux-4.15.0/fs/btrfs/ctree.c:3233! (LP: #1902254)
    - btrfs: tree-checker: fix incorrect printk format

  * Bionic update: upstream stable patchset 2020-11-10 (LP: #1903768)
    - Bluetooth: fix kernel oops in store_pending_adv_report
    - Bluetooth: Consolidate encryption handling in hci_encrypt_cfm
    - Bluetooth: Fix update of connection state in `hci_encrypt_cfm`
    - Bluetooth: Disconnect if E0 is used for Level 4
    - media: usbtv: Fix refcounting mixup
    - USB: serial: option: add Cellient MPL200 card
    - USB: serial: option: Add Telit FT980-KS composition
    - staging: comedi: check validity of wMaxPacketSize of usb endpoints found
    - USB: serial: pl2303: add device-id for HP GC device
    - USB: serial: ftdi_sio: add support for FreeCalypso JTAG+UART adapters
    - reiserfs: Initialize inode keys properly
    - reiserfs: Fix oops during mount
    - drivers/net/ethernet/marvell/mvmdio.c: Fix non OF case
    - crypto: bcm - Verify GCM/CCM key length in setkey
    - crypto: qat - check cipher length for aead AES-CBC-HMAC-SHA
    - ARM: 8858/1: vdso: use $(LD) instead of $(CC) to link VDSO
    - ARM: 8939/1: kbuild: use correct nm executable
    - ARM: 8867/1: vdso: pass --be8 to linker if necessary
    - ibmveth: Switch order of ibmveth_helper calls.
    - ibmveth: Identify ingress large send packets.
    - ipv4: Restore flowi4_oif update before call to xfrm_lookup_route
    - mlx4: handle non-napi callers to napi_poll
    - net: usb: qmi_wwan: add Cellient MPL200 card
    - tipc: fix the skb_unshare() in tipc_buf_append()
    - net/ipv4: always honour route mtu during forwarding
    - r8169: fix data corruption issue on RTL8402
    - binder: fix UAF when releasing todo list
    - ALSA: bebob: potential info leak in hwdep_read()
    - net: hdlc: In hdlc_rcv, check to make sure dev is an HDLC device
    - net: hdlc_raw_eth: Clear the IFF_TX_SKB_SHARING flag after calling
      ether_setup
    - nfc: Ensure presence of NFC_ATTR_FIRMWARE_NAME attribute in
      nfc_genl_fw_download()
    - tcp: fix to update snd_wl1 in bulk receiver fast path
    - icmp: randomize the global rate limiter
    - cifs: remove bogus debug code
    - cifs: Return the error from crypt_message when enc/dec key not found.
    - KVM: x86/mmu: Commit zap of remaining invalid pages when recovering lpages
    - KVM: SVM: Initialize prev_ga_tag before use
    - ima: Don't ignore errors from crypto_shash_update()
    - crypto: algif_aead - Do not set MAY_BACKLOG on the async path
    - EDAC/i5100: Fix error handling order in i5100_init_one()
    - x86/fpu: Allow multiple bits in clearcpuid= parameter
    - drivers/perf: xgene_pmu: Fix uninitialized resource struct
    - crypto: algif_skcipher - EBUSY on aio should be an error
    - crypto: mediatek - Fix wrong return value in mtk_desc_ring_alloc()
    - crypto: ixp4xx - Fix the size used in a 'dma_free_coherent()' call
    - media: tuner-simple: fix regression in simple_set_radio_freq
    - media: Revert "media: exynos4-is: Add missed check for
      pinctrl_lookup_state()"
    - media: m5mols: Check function pointer in m5mols_sensor_power
    - media: uvcvideo: Set media controller entity functions
    - media: omap3isp: Fix memleak in isp_probe
    - crypto: omap-sham - fix digcnt register handling with export/import
    - cypto: mediatek - fix leaks in mtk_desc_ring_alloc
    - media: mx2_emmaprp: Fix memleak in emmaprp_probe
    - media: tc358743: initialize variable
    - media: platform: fcp: Fix a reference count leak.
    - media: s5p-mfc: Fix a reference count leak
    - media: ti-vpe: Fix a missing check and reference count leak
    - regulator: resolve supply after creating regulator
    - ath10k: provide survey info as accumulated data
    - Bluetooth: hci_uart: Cancel init work before unregistering
    - ath6kl: prevent potential array overflow in ath6kl_add_new_sta()
    - ath9k: Fix potential out of bounds in ath9k_htc_txcompletion_cb()
    - wcn36xx: Fix reported 802.11n rx_highest rate wcn3660/wcn3680
    - ASoC: qcom: lpass-platform: fix memory leak
    - ASoC: qcom: lpass-cpu: fix concurrency issue
    - brcmfmac: check ndev pointer
    - mwifiex: Do not use GFP_KERNEL in atomic context
    - drm/gma500: fix error check
    - scsi: qla4xxx: Fix an error handling path in 'qla4xxx_get_host_stats()'
    - scsi: csiostor: Fix wrong return value in csio_hw_prep_fw()
    - backlight: sky81452-backlight: Fix refcount imbalance on error
    - VMCI: check return value of get_user_pages_fast() for errors
    - tty: serial: earlycon dependency
    - pty: do tty_flip_buffer_push without port->lock in pty_write
    - pwm: lpss: Fix off by one error in base_unit math in pwm_lpss_prepare()
    - pwm: lpss: Add range limit check for the base_unit register value
    - drivers/virt/fsl_hypervisor: Fix error handling path
    - video: fbdev: vga16fb: fix setting of pixclock because a pass-by-value
      error
    - video: fbdev: sis: fix null ptr dereference
    - HID: roccat: add bounds checking in kone_sysfs_write_settings()
    - pinctrl: mcp23s08: Fix mcp23x17_regmap initialiser
    - pinctrl: mcp23s08: Fix mcp23x17 precious range
    - ath6kl: wmi: prevent a shift wrapping bug in
      ath6kl_wmi_delete_pstream_cmd()
    - misc: mic: scif: Fix error handling path
    - ALSA: seq: oss: Avoid mutex lock for a long-time ioctl
    - usb: dwc2: Fix parameter type in function pointer prototype
    - quota: clear padding in v2r1_mem2diskdqb()
    - HID: hid-input: fix stylus battery reporting
    - qtnfmac: fix resource leaks on unsupported iftype error return path
    - net: enic: Cure the enic api locking trainwreck
    - mfd: sm501: Fix leaks in probe()
    - iwlwifi: mvm: split a print to avoid a WARNING in ROC
    - usb: gadget: f_ncm: fix ncm_bitrate for SuperSpeed and above.
    - usb: gadget: u_ether: enable qmult on SuperSpeed Plus as well
    - nl80211: fix non-split wiphy information
    - usb: dwc2: Fix INTR OUT transfers in DDMA mode.
    - scsi: be2iscsi: Fix a theoretical leak in beiscsi_create_eqs()
    - mwifiex: fix double free
    - net: korina: fix kfree of rx/tx descriptor array
    - mm/memcg: fix device private memcg accounting
    - mm, oom_adj: don't loop through tasks in __set_oom_adj when not necessary
    - IB/mlx4: Fix starvation in paravirt mux/demux
    - IB/mlx4: Adjust delayed work when a dup is observed
    - powerpc/pseries: Fix missing of_node_put() in rng_init()
    - powerpc/icp-hv: Fix missing of_node_put() in success path
    - mtd: lpddr: fix excessive stack usage with clang
    - mtd: mtdoops: Don't write panic data twice
    - ARM: 9007/1: l2c: fix prefetch bits init in L2X0_AUX_CTRL using DT values
    - arc: plat-hsdk: fix kconfig dependency warning when !RESET_CONTROLLER
    - xfs: limit entries returned when counting fsmap records
    - RDMA/qedr: Fix use of uninitialized field
    - powerpc/tau: Use appropriate temperature sample interval
    - powerpc/tau: Remove duplicated set_thresholds() call
    - powerpc/tau: Disable TAU between measurements
    - perf intel-pt: Fix "context_switch event has no tid" error
    - RDMA/hns: Set the unsupported wr opcode
    - kdb: Fix pager search for multi-line strings
    - overflow: Include header file with SIZE_MAX declaration
    - powerpc/perf: Exclude pmc5/6 from the irrelevant PMU group constraints
    - powerpc/perf/hv-gpci: Fix starting index value
    - cpufreq: powernv: Fix frame-size-overflow in
      powernv_cpufreq_reboot_notifier
    - IB/rdmavt: Fix sizeof mismatch
    - f2fs: wait for sysfs kobject removal before freeing f2fs_sb_info
    - lib/crc32.c: fix trivial typo in preprocessor condition
    - ramfs: fix nommu mmap with gaps in the page cache
    - rapidio: fix error handling path
    - rapidio: fix the missed put_device() for rio_mport_add_riodev
    - mailbox: avoid timer start from callback
    - i2c: rcar: Auto select RESET_CONTROLLER
    - PCI: iproc: Set affinity mask on MSI interrupts
    - clk: at91: clk-main: update key before writing AT91_CKGR_MOR
    - clk: bcm2835: add missing release if devm_clk_hw_register fails
    - ext4: limit entries returned when counting fsmap records
    - vfio/pci: Clear token on bypass registration failure
    - vfio iommu type1: Fix memory leak in vfio_iommu_type1_pin_pages
    - Input: imx6ul_tsc - clean up some errors in imx6ul_tsc_resume()
    - Input: stmfts - fix a & vs && typo
    - Input: ep93xx_keypad - fix handling of platform_get_irq() error
    - Input: omap4-keypad - fix handling of platform_get_irq() error
    - Input: twl4030_keypad - fix handling of platform_get_irq() error
    - Input: sun4i-ps2 - fix handling of platform_get_irq() error
    - KVM: x86: emulating RDPID failure shall return #UD rather than #GP
    - memory: omap-gpmc: Fix a couple off by ones
    - memory: fsl-corenet-cf: Fix handling of platform_get_irq() error
    - arm64: dts: qcom: msm8916: Fix MDP/DSI interrupts
    - ARM: dts: owl-s500: Fix incorrect PPI interrupt specifiers
    - arm64: dts: zynqmp: Remove additional compatible string for i2c IPs
    - powerpc/powernv/dump: Fix race while processing OPAL dump
    - nvmet: fix uninitialized work for zero kato
    - NTB: hw: amd: fix an issue about leak system resources
    - perf: correct SNOOPX field offset
    - i2c: core: Restore acpi_walk_dep_device_list() getting called after
      registering the ACPI i2c devs
    - crypto: ccp - fix error handling
    - media: firewire: fix memory leak
    - media: ati_remote: sanity check for both endpoints
    - media: st-delta: Fix reference count leak in delta_run_work
    - media: sti: Fix reference count leaks
    - media: exynos4-is: Fix several reference count leaks due to
      pm_runtime_get_sync
    - media: exynos4-is: Fix a reference count leak due to pm_runtime_get_sync
    - media: exynos4-is: Fix a reference count leak
    - media: vsp1: Fix runtime PM imbalance on error
    - media: platform: s3c-camif: Fix runtime PM imbalance on error
    - media: platform: sti: hva: Fix runtime PM imbalance on error
    - media: bdisp: Fix runtime PM imbalance on error
    - media: media/pci: prevent memory leak in bttv_probe
    - media: uvcvideo: Ensure all probed info is returned to v4l2
    - mmc: sdio: Check for CISTPL_VERS_1 buffer size
    - media: saa7134: avoid a shift overflow
    - fs: dlm: fix configfs memory leak
    - media: venus: core: Fix runtime PM imbalance in venus_probe
    - ntfs: add check for mft record size in superblock
    - mac80211: handle lack of sband->bitrates in rates
    - PM: hibernate: remove the bogus call to get_gendisk() in software_resume()
    - scsi: mvumi: Fix error return in mvumi_io_attach()
    - scsi: target: core: Add CONTROL field for trace events
    - mic: vop: copy data to kernel space then write to io memory
    - misc: vop: add round_up(x,4) for vring_size to avoid kernel panic
    - usb: gadget: function: printer: fix use-after-free in __lock_acquire
    - udf: Limit sparing table size
    - udf: Avoid accessing uninitialized data on failed inode read
    - USB: cdc-acm: handle broken union descriptors
    - can: flexcan: flexcan_chip_stop(): add error handling and propagate error
      value
    - ath9k: hif_usb: fix race condition between usb_get_urb() and
      usb_kill_anchored_urbs()
    - misc: rtsx: Fix memory leak in rtsx_pci_probe
    - reiserfs: only call unlock_new_inode() if I_NEW
    - xfs: make sure the rt allocator doesn't run off the end
    - usb: ohci: Default to per-port over-current protection
    - Bluetooth: Only mark socket zapped after unlocking
    - scsi: ibmvfc: Fix error return in ibmvfc_probe()
    - brcmsmac: fix memory leak in wlc_phy_attach_lcnphy
    - rtl8xxxu: prevent potential memory leak
    - Fix use after free in get_capset_info callback.
    - scsi: qedi: Protect active command list to avoid list corruption
    - scsi: qedi: Fix list_del corruption while removing active I/O
    - tty: ipwireless: fix error handling
    - ipvs: Fix uninit-value in do_ip_vs_set_ctl()
    - reiserfs: Fix memory leak in reiserfs_parse_options()
    - mwifiex: don't call del_timer_sync() on uninitialized timer
    - brcm80211: fix possible memleak in brcmf_proto_msgbuf_attach
    - usb: core: Solve race condition in anchor cleanup functions
    - scsi: ufs: ufs-qcom: Fix race conditions caused by
      ufs_qcom_testbus_config()
    - ath10k: check idx validity in __ath10k_htt_rx_ring_fill_n()
    - net: korina: cast KSEG0 address to pointer in kfree
    - tty: serial: fsl_lpuart: fix lpuart32_poll_get_char
    - usb: cdc-acm: add quirk to blacklist ETAS ES58X devices
    - USB: cdc-wdm: Make wdm_flush() interruptible and add wdm_fsync().
    - eeprom: at25: set minimum read/write access stride to 1
    - usb: gadget: f_ncm: allow using NCM in SuperSpeed Plus gadgets.
    - powerpc/powernv/opal-dump : Use IRQ_HANDLED instead of numbers in
      interrupt handler
    - net: fix pos incrementment in ipv6_route_seq_next
    - ALSA: hda/realtek: Enable audio jacks of ASUS D700SA with ALC887
    - x86/nmi: Fix nmi_handle() duration miscalculation
    - x86/events/amd/iommu: Fix sizeof mismatch
    - media: uvcvideo: Silence shift-out-of-bounds warning
    - hwmon: (pmbus/max34440) Fix status register reads for MAX344{51,60,61}
    - media: tc358743: cleanup tc358743_cec_isr
    - pinctrl: bcm: fix kconfig dependency warning when !GPIOLIB
    - spi: spi-s3c64xx: swap s3c64xx_spi_set_cs() and s3c64xx_enable_datapath()
    - staging: rtl8192u: Do not use GFP_KERNEL in atomic context
    - net: stmmac: use netif_tx_start|stop_all_queues() function
    - scsi: target: tcmu: Fix warning: 'page' may be used uninitialized
    - ipvs: clear skb->tstamp in forwarding path
    - netfilter: nf_log: missing vlan offload tag and proto
    - RDMA/ucma: Fix locking for ctx->events_reported
    - RDMA/ucma: Add missing locking around rdma_leave_multicast()
    - RDMA/qedr: Fix inline size returned for iWARP

 -- Kleber Sacilotto de Souza <kleber.so...@canonical.com>  Thu, 10 Dec 2020 12:54:32 +0100

** Changed in: linux (Ubuntu Bionic)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-19770

https://bugs.launchpad.net/bugs/1904848

Title:
  Ubuntu 18.04- call trace in kernel buffer when unloading ib_ipoib
  module

Status in linux package in Ubuntu:
  Invalid
Status in linux source package in Bionic:
  Fix Released

Bug description:
  [Impact]
  Unloading ib_ipoib causes a call trace to be logged in the kernel buffer.

  Bisecting the bionic kernel reveals that this issue was discovered by
  616e695435e3 workqueue: Try to catch flush_work() without INIT_WORK()
  in version 4.15.0-59.66

  [test case]

  # modprobe ib_ipoib
  # modprobe ib_ipoib -r
  # dmesg
  [  306.277717] ------------[ cut here ]------------
  [  306.277738] WARNING: CPU: 10 PID: 2148 at /build/linux-RJNBJC/linux-4.15.0/kernel/workqueue.c:2906 __flush_work+0x1f8/0x210
  [  306.277739] Modules linked in: nfsv3 nfs fscache xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack libcrc32c ipt_REJECT nf_reject_ipv4 xt_tcpudp ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter bridge stp llc binfmt_misc intel_rapl sb_edac x86_pkg_temp_thermal intel_powerclamp rpcrdma rdma_ucm ib_umad ib_uverbs coretemp ib_iser rdma_cm kvm_intel kvm iw_cm irqbypass ib_ipoib(-) libiscsi scsi_transport_iscsi ib_cm joydev input_leds crct10dif_pclmul crc32_pclmul mgag200 ttm drm_kms_helper drm hpilo ghash_clmulni_intel pcbc i2c_algo_bit ipmi_ssif fb_sys_fops syscopyarea sysfillrect sysimgblt aesni_intel aes_x86_64 crypto_simd ioatdma glue_helper shpchp cryptd dca intel_cstate intel_rapl_perf
  [  306.277790]  serio_raw acpi_power_meter lpc_ich mac_hid ipmi_si ipmi_devintf ipmi_msghandler nfsd auth_rpcgss nfs_acl lockd grace sunrpc sch_fq_codel ip_tables x_tables autofs4 mlx5_ib mlx4_ib mlx4_en ib_core hid_generic psmouse mlx5_core usbhid hid pata_acpi hpsa tg3 mlxfw mlx4_core scsi_transport_sas ptp pps_core devlink
  [  306.277817] CPU: 10 PID: 2148 Comm: modprobe Not tainted 4.15.0-124-generic #127-Ubuntu
  [  306.277818] Hardware name: HP ProLiant DL380p Gen8, BIOS P70 07/01/2015
  [  306.277823] RIP: 0010:__flush_work+0x1f8/0x210
  [  306.277825] RSP: 0018:ffffbdeb47ecfcd8 EFLAGS: 00010286
  [  306.277827] RAX: 0000000000000024 RBX: ffff993a5c3d8ec8 RCX: 0000000000000006
  [  306.277829] RDX: 0000000000000000 RSI: ffff99429ef16498 RDI: ffff99429ef16490
  [  306.277830] RBP: ffffbdeb47ecfd48 R08: 000000000000050d R09: 0000000000000004
  [  306.277832] R10: ffffe263a058c1c0 R11: 0000000000000001 R12: ffff993a5c3d8ec8
  [  306.277833] R13: 0000000000000001 R14: ffffbdeb47ecfd78 R15: ffffffffb00a9800
  [  306.277835] FS:  00007fa1124a9540(0000) GS:ffff99429ef00000(0000) knlGS:0000000000000000
  [  306.277837] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [  306.277839] CR2: 000055b1c5007bb0 CR3: 0000000fcf36c002 CR4: 00000000001606e0
  [  306.277840] Call Trace:
  [  306.277850]  __cancel_work_timer+0x136/0x1b0
  [  306.277881]  ? mlx5_core_destroy_qp+0x99/0xd0 [mlx5_core]
  [  306.277886]  cancel_delayed_work_sync+0x13/0x20
  [  306.277909]  mlx5e_detach_netdev+0x83/0x90 [mlx5_core]
  [  306.277931]  mlx5_rdma_netdev_free+0x30/0x80 [mlx5_core]
  [  306.277941]  mlx5_ib_free_rdma_netdev+0xe/0x10 [mlx5_ib]
  [  306.277948]  ipoib_remove_one+0xe4/0x180 [ib_ipoib]
  [  306.277965]  ib_unregister_client+0x171/0x1e0 [ib_core]
  [  306.277972]  ipoib_cleanup_module+0x15/0x2f [ib_ipoib]
  [  306.277978]  SyS_delete_module+0x1ab/0x2d0
  [  306.277983]  do_syscall_64+0x73/0x130
  [  306.277989]  entry_SYSCALL_64_after_hwframe+0x41/0xa6
  [  306.277992] RIP: 0033:0x7fa111fc1047
  [  306.277993] RSP: 002b:00007ffc0db32298 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
  [  306.277996] RAX: ffffffffffffffda RBX: 00005614be46cca0 RCX: 00007fa111fc1047
  [  306.277997] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 00005614be46cd08
  [  306.277999] RBP: 00005614be46cca0 R08: 00007ffc0db31241 R09: 0000000000000000
  [  306.278000] R10: 00007fa11203dc40 R11: 0000000000000206 R12: 00005614be46cd08
  [  306.278002] R13: 0000000000000001 R14: 00005614be46cd08 R15: 00007ffc0db33680
  [  306.278004] Code: 24 03 80 c9 f0 e9 5b ff ff ff 48 c7 c7 18 50 0b b1 e8 ed 66 04 00 0f 0b 31 c0 e9 75 ff ff ff 48 c7 c7 18 50 0b b1 e8 d8 66 04 00 <0f> 0b
31 c0 e9 60 ff ff ff e8 5a 35 fe ff 66 2e 0f 1f 84 00 00
  [  306.278035] ---[ end trace 652f7759937172a2 ]---
  [  306.646061] ------------[ cut here ]------------
  [  306.646077] WARNING: CPU: 6 PID: 2148 at 
/build/linux-RJNBJC/linux-4.15.0/kernel/workqueue.c:2906 
__flush_work+0x1f8/0x210
  [  306.646078] Modules linked in: nfsv3 nfs fscache xt_CHECKSUM 
iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 
nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack libcrc32c 
ipt_REJECT nf_reject_ipv4 xt_tcpudp ebtable_filter ebtables ip6table_filter 
ip6_tables iptable_filter bridge stp llc binfmt_misc intel_rapl sb_edac 
x86_pkg_temp_thermal intel_powerclamp rpcrdma rdma_ucm ib_umad ib_uverbs 
coretemp ib_iser rdma_cm kvm_intel kvm iw_cm irqbypass ib_ipoib(-) libiscsi 
scsi_transport_iscsi ib_cm joydev input_leds crct10dif_pclmul crc32_pclmul 
mgag200 ttm drm_kms_helper drm hpilo ghash_clmulni_intel pcbc i2c_algo_bit 
ipmi_ssif fb_sys_fops syscopyarea sysfillrect sysimgblt aesni_intel aes_x86_64 
crypto_simd ioatdma glue_helper shpchp cryptd dca intel_cstate intel_rapl_perf
  [  306.646123]  serio_raw acpi_power_meter lpc_ich mac_hid ipmi_si 
ipmi_devintf ipmi_msghandler nfsd auth_rpcgss nfs_acl lockd grace sunrpc 
sch_fq_codel ip_tables x_tables autofs4 mlx5_ib mlx4_ib mlx4_en ib_core 
hid_generic psmouse mlx5_core usbhid hid pata_acpi hpsa tg3 mlxfw mlx4_core 
scsi_transport_sas ptp pps_core devlink
  [  306.646146] CPU: 6 PID: 2148 Comm: modprobe Tainted: G        W        
4.15.0-124-generic #127-Ubuntu
  [  306.646148] Hardware name: HP ProLiant DL380p Gen8, BIOS P70 07/01/2015
  [  306.646152] RIP: 0010:__flush_work+0x1f8/0x210
  [  306.646154] RSP: 0018:ffffbdeb47ecfcd8 EFLAGS: 00010286
  [  306.646156] RAX: 0000000000000024 RBX: ffff9942970b8ec8 RCX: 
0000000000000006
  [  306.646158] RDX: 0000000000000000 RSI: ffff99429ee16498 RDI: 
ffff99429ee16490
  [  306.646159] RBP: ffffbdeb47ecfd48 R08: 0000000000000533 R09: 
0000000000000004
  [  306.646161] R10: ffffe2639fa66740 R11: 0000000000000001 R12: 
ffff9942970b8ec8
  [  306.646162] R13: 0000000000000001 R14: ffffbdeb47ecfd78 R15: 
ffffffffb00a9800
  [  306.646164] FS:  00007fa1124a9540(0000) GS:ffff99429ee00000(0000) 
knlGS:0000000000000000
  [  306.646166] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [  306.646167] CR2: 000055dd889e4a30 CR3: 0000000fcf36c006 CR4: 
00000000001606e0
  [  306.646169] Call Trace:
  [  306.646177]  __cancel_work_timer+0x136/0x1b0
  [  306.646205]  ? mlx5_core_destroy_qp+0x99/0xd0 [mlx5_core]
  [  306.646210]  cancel_delayed_work_sync+0x13/0x20
  [  306.646233]  mlx5e_detach_netdev+0x83/0x90 [mlx5_core]
  [  306.646255]  mlx5_rdma_netdev_free+0x30/0x80 [mlx5_core]
  [  306.646264]  mlx5_ib_free_rdma_netdev+0xe/0x10 [mlx5_ib]
  [  306.646271]  ipoib_remove_one+0xe4/0x180 [ib_ipoib]
  [  306.646287]  ib_unregister_client+0x171/0x1e0 [ib_core]
  [  306.646295]  ipoib_cleanup_module+0x15/0x2f [ib_ipoib]
  [  306.646300]  SyS_delete_module+0x1ab/0x2d0
  [  306.646305]  do_syscall_64+0x73/0x130
  [  306.646310]  entry_SYSCALL_64_after_hwframe+0x41/0xa6
  [  306.646313] RIP: 0033:0x7fa111fc1047
  [  306.646314] RSP: 002b:00007ffc0db32298 EFLAGS: 00000206 ORIG_RAX: 
00000000000000b0
  [  306.646317] RAX: ffffffffffffffda RBX: 00005614be46cca0 RCX: 
00007fa111fc1047
  [  306.646318] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 
00005614be46cd08
  [  306.646319] RBP: 00005614be46cca0 R08: 00007ffc0db31241 R09: 
0000000000000000
  [  306.646321] R10: 00007fa11203dc40 R11: 0000000000000206 R12: 
00005614be46cd08
  [  306.646322] R13: 0000000000000001 R14: 00005614be46cd08 R15: 
00007ffc0db33680
  [  306.646325] Code: 24 03 80 c9 f0 e9 5b ff ff ff 48 c7 c7 18 50 0b b1 e8 ed 
66 04 00 0f 0b 31 c0 e9 75 ff ff ff 48 c7 c7 18 50 0b b1 e8 d8 66 04 00 <0f> 0b 
31 c0 e9 60 ff ff ff e8 5a 35 fe ff 66 2e 0f 1f 84 00 00
  [  306.646355] ---[ end trace 652f7759937172a3 ]---

  [Fix]
  The root cause of this error is canceling an uninitialized delayed_work_queue
  that belongs to ipoib net devices, and the solution is not failing to
  initialize it.
  This solution is specified in the very small patch (one line) attached.
  Please note that this patch is not upstream, and it is based on the following
  upstream commits, which introduced similar functionality to upstream v4.20-rc1.

  303211b44ce3 net/mlx5e: Always initialize update stats delayed work
  182570b26223 net/mlx5e: Gather common netdev init/cleanup functionality in one place

  Applying these two on the bionic tree in a clean way requires more
  patches that might introduce a large change, so I think it's better (if
  possible) to use the attached patch.

  [Regression Potential]
  Regression risk is low since it introduces a small fix that was also
  accepted upstream in v4.20.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1904848/+subscriptions
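
The bug class described in the report above (a teardown path that cancels a work item one device type never initialised), as an added user-space model that is not the attached patch and not kernel code. All names are hypothetical, and the model assumes that a NULL callback marks an uninitialised work item and that only the IPoIB path skipped initialisation.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* User-space model only: every name here is hypothetical, not kernel code. */
struct model_work { void (*func)(struct model_work *); bool pending; };
struct model_netdev { bool is_ipoib; struct model_work update_stats; };

static int warnings; /* number of simulated WARN splats */

static void stats_fn(struct model_work *w) { (void)w; }

static void model_init_work(struct model_work *w, void (*fn)(struct model_work *))
{
    w->func = fn;
    w->pending = false;
}

/* Model assumption: a NULL callback means the work was never initialised. */
static bool model_cancel_work_sync(struct model_work *w)
{
    if (w->func == NULL) {
        warnings++;
        fprintf(stderr, "WARNING: cancel of uninitialised work\n");
        return false;
    }
    bool was_pending = w->pending;
    w->pending = false;
    return was_pending;
}

/* init_for_all=false: IPoIB devices skip initialisation (assumed buggy path).
 * init_for_all=true: every device initialises the work (the fix's idea).
 * Returns the number of warnings raised by teardown, or -1 on allocation failure. */
static int model_attach_detach(bool is_ipoib, bool init_for_all)
{
    struct model_netdev *nd = calloc(1, sizeof(*nd)); /* zeroed allocation */
    if (!nd)
        return -1;
    warnings = 0;
    nd->is_ipoib = is_ipoib;
    if (init_for_all || !nd->is_ipoib)
        model_init_work(&nd->update_stats, stats_fn);
    model_cancel_work_sync(&nd->update_stats); /* teardown always cancels */
    free(nd);
    return warnings;
}

int main(void) { printf("%d %d\n", model_attach_detach(true, false), model_attach_detach(true, true)); return 0; }
```
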
