This bug was fixed in the package linux - 3.13.0-39.66 --------------- linux (3.13.0-39.66) trusty; urgency=low
[ Luis Henriques ] * Release Tracking Bug - LP: #1386629 [ Upstream Kernel Changes ] * KVM: x86: Check non-canonical addresses upon WRMSR - LP: #1384539 - CVE-2014-3610 * KVM: x86: Prevent host from panicking on shared MSR writes. - LP: #1384539 - CVE-2014-3610 * KVM: x86: Improve thread safety in pit - LP: #1384540 - CVE-2014-3611 * KVM: x86: Fix wrong masking on relative jump/call - LP: #1384545 - CVE-2014-3647 * KVM: x86: Warn if guest virtual address space is not 48-bits - LP: #1384545 - CVE-2014-3647 * KVM: x86: Emulator fixes for eip canonical checks on near branches - LP: #1384545 - CVE-2014-3647 * KVM: x86: emulating descriptor load misses long-mode case - LP: #1384545 - CVE-2014-3647 * KVM: x86: Handle errors when RIP is set during far jumps - LP: #1384545 - CVE-2014-3647 * kvm: vmx: handle invvpid vm exit gracefully - LP: #1384544 - CVE-2014-3646 * Input: synaptics - gate forcepad support by DMI check - LP: #1381815 linux (3.13.0-38.65) trusty; urgency=low [ Luis Henriques ] * Release Tracking Bug - LP: #1379244 [ Andy Whitcroft ] * Revert "SAUCE: scsi: hyper-v storsvc switch up to SPC-3" - LP: #1354397 * [Config] linux-image-extra is additive to linux-image - LP: #1375310 * [Config] linux-image-extra postrm is not needed on purge - LP: #1375310 [ Upstream Kernel Changes ] * Revert "KVM: x86: Increase the number of fixed MTRR regs to 10" - LP: #1377564 * Revert "USB: option,zte_ev: move most ZTE CDMA devices to zte_ev" - LP: #1377564 * aufs: bugfix, stop calling security_mmap_file() again - LP: #1371316 * ipvs: fix ipv6 hook registration for local replies - LP: #1349768 * Drivers: add blist flags - LP: #1354397 * sd: fix a bug in deriving the FLUSH_TIMEOUT from the basic I/O timeout - LP: #1354397 * drm/i915/bdw: Add 42ms delay for IPS disable - LP: #1374389 * drm/i915: add null render states for gen6, gen7 and gen8 - LP: #1374389 * drm/i915/bdw: 3D_CHICKEN3 has write mask bits - LP: #1374389 * drm/i915/bdw: Disable idle DOP clock gating - LP: #1374389 * drm/i915: call lpt_init_clock_gating on BDW too - LP: #1374389 * drm/i915: shuffle panel code - LP: #1374389 * drm/i915: extract backlight minimum brightness from VBT - LP: #1374389 * drm/i915: respect the VBT minimum backlight brightness - LP: #1374389 * drm/i915/bdw: Apply workarounds in render ring init function - LP: #1374389 * drm/i915/bdw: Cleanup pre prod workarounds - LP: #1374389 * drm/i915: Replace hardcoded cacheline size with macro - LP: #1374389 * drm/i915: Refactor Broadwell PIPE_CONTROL emission into a helper. - LP: #1374389 * drm/i915: Add the WaCsStallBeforeStateCacheInvalidate:bdw workaround. - LP: #1374389 * drm/i915/bdw: Remove BDW preproduction W/As until C stepping. - LP: #1374389 * mptfusion: enable no_write_same for vmware scsi disks - LP: #1371591 * iommu/amd: Fix cleanup_domain for mass device removal - LP: #1375266 * cifs: mask off top byte in get_rfc1002_length() - LP: #1372482 * Input: synaptics - add support for ForcePads - LP: #1377564 * ASoC: pxa-ssp: drop SNDRV_PCM_FMTBIT_S24_LE - LP: #1377564 * drm/radeon: add bapm module parameter - LP: #1377564 * drm/radeon: Add missing lines to ci_set_thermal_temperature_range - LP: #1377564 * drm/radeon: Add ability to get and change dpm state when radeon PX card is turned off - LP: #1377564 * ALSA: hda/realtek - Avoid setting wrong COEF on ALC269 & co - LP: #1377564 * of/irq: Fix lookup to use 'interrupts-extended' property first - LP: #1377564 * Possible null ptr deref in SMB2_tcon - LP: #1377564 * CIFS: Fix SMB2 readdir error handling - LP: #1377564 * CIFS: Fix wrong directory attributes after rename - LP: #1377564 * md/raid6: avoid data corruption during recovery of double-degraded RAID6 - LP: #1377564 * ARM: dts: i.MX53: fix apparent bug in VPU clks - LP: #1377564 * pata_scc: propagate return value of scc_wait_after_reset - LP: #1377564 * libata: widen Crucial M550 blacklist matching - LP: #1377564 * ALSA: hda - restore the gpio led after resume - LP: #1358116, #1377564 * md/raid10: fix memory leak when reshaping a RAID10. - LP: #1377564 * md/raid10: Fix memory leak when raid10 reshape completes. - LP: #1377564 * MIPS: OCTEON: make get_system_type() thread-safe - LP: #1377564 * can: c_can: checking IS_ERR() instead of NULL - LP: #1377564 * HID: logitech: perform bounds checking on device_id early enough - LP: #1377564 * firmware: Do not use WARN_ON(!spin_is_locked()) - LP: #1377564 * drm/radeon: add new KV pci id - LP: #1377564 * drm/radeon: add new bonaire pci ids - LP: #1377564 * drm/radeon: add additional SI pci ids - LP: #1377564 * ibmveth: Fix endian issues with rx_no_buffer statistic - LP: #1377564 * spi/omap-mcspi: Fix the spi task hangs waiting dma_rx - LP: #1377564 * xtensa: replace IOCTL code definitions with constants - LP: #1377564 * xtensa: fix address checks in dma_{alloc,free}_coherent - LP: #1377564 * xtensa: fix access to THREAD_RA/THREAD_SP/THREAD_DS - LP: #1377564 * xtensa: fix TLBTEMP_BASE_2 region handling in fast_second_level_miss - LP: #1377564 * xtensa: fix a6 and a7 handling in fast_syscall_xtensa - LP: #1377564 * staging: lustre: Remove circular dependency on header - LP: #1377564 * USB: option: reduce interrupt-urb logging verbosity - LP: #1377564 * USB: option: add VIA Telecom CDS7 chipset device id - LP: #1377564 * USB: zte_ev: remove duplicate Gobi PID - LP: #1377564 * USB: zte_ev: remove duplicate Qualcom PID - LP: #1377564 * USB: ftdi_sio: add Basic Micro ATOM Nano USB2Serial PID - LP: #1377564 * USB: serial: pl2303: add device id for ztek device - LP: #1377564 * USB: ftdi_sio: Added PID for new ekey device - LP: #1377564 * xhci: Treat not finding the event_seg on COMP_STOP the same as COMP_STOP_INVAL - LP: #1377564 * usb: xhci: amd chipset also needs short TX quirk - LP: #1377564 * xhci: rework cycle bit checking for new dequeue pointers - LP: #1377564 * spi/pxa2xx: Add ACPI ID for Intel Braswell - LP: #1377564 * ALSA: core: fix buffer overflow in snd_info_get_line() - LP: #1377564 * HID: logitech-dj: prevent false errors to be shown - LP: #1377564 * usb: ehci: using wIndex + 1 for hub port - LP: #1377564 * staging/rtl8188eu: add 0df6:0076 Sitecom Europe B.V. - LP: #1377564 * staging: r8188eu: Add new USB ID - LP: #1377564 * mtd: nand: omap: Fix 1-bit Hamming code scheme, omap_calculate_ecc() - LP: #1377564 * trace: Fix epoll hang when we race with new entries - LP: #1377564 * cfq-iosched: Fix wrong children_weight calculation - LP: #1377564 * USB: sisusb: add device id for Magic Control USB video - LP: #1377564 * NFSv4: Fix problems with close in the presence of a delegation - LP: #1377564 * usb: hub: Prevent hub autosuspend if usbcore.autosuspend is -1 - LP: #1377564 * ARM: 8128/1: abort: don't clear the exclusive monitors - LP: #1377564 * ARM: 8129/1: errata: work around Cortex-A15 erratum 830321 using dummy strex - LP: #1377564 * USB: serial: fix potential stack buffer overflow - LP: #1377564 * USB: serial: fix potential heap buffer overflow - LP: #1377564 * ext4: update i_disksize coherently with block allocation on error path - LP: #1377564 * jbd2: fix infinite loop when recovering corrupt journal blocks - LP: #1377564 * jbd2: fix descriptor block size handling errors with journal_csum - LP: #1377564 * memblock, memhotplug: fix wrong type in memblock_find_in_range_node(). - LP: #1377564 * xattr: fix check for simultaneous glibc header inclusion - LP: #1377564 * KVM: s390: Fix user triggerable bug in dead code - LP: #1377564 * KVM: s390/mm: try a cow on read only pages for key ops - LP: #1377564 * regmap: Fix regcache debugfs initialization - LP: #1377564 * regmap: Fix handling of volatile registers for format_write() chips - LP: #1377564 * ASoC: rt5640: Do not allow regmap to use bulk read-write operations - LP: #1377564 * drm/i915: Remove bogus __init annotation from DMI callbacks - LP: #1377564 * hwmon: (ds1621) Update zbits after conversion rate change - LP: #1377564 * arm64: ptrace: fix compat hardware watchpoint reporting - LP: #1377564 * ARM/ARM64: KVM: Nuke Hyp-mode tlbs before enabling MMU - LP: #1377564 * arm/arm64: KVM: Complete WFI/WFE instructions - LP: #1377564 * get rid of propagate_umount() mistakenly treating slaves as busy. - LP: #1377564 * fix EBUSY on umount() from MNT_SHRINKABLE - LP: #1377564 * regmap: Don't attempt block writes when syncing cache on single_rw devices - LP: #1377564 * drm/vmwgfx: Fix a potential infinite spin waiting for fifo idle - LP: #1377564 * ALSA: hda - Fix digital mic on Acer Aspire 3830TG - LP: #1377564 * xfs: don't dirty buffers beyond EOF - LP: #1377564 * xfs: don't zero partial page cache pages during O_DIRECT writes - LP: #1377564 * xfs: don't zero partial page cache pages during O_DIRECT writes - LP: #1377564 * ALSA: hda - Fix COEF setups for ALC1150 codec - LP: #1377564 * i2c: rcar: fix MNR interrupt handling - LP: #1377564 * i2c: mv64xxx: continue probe when clock-frequency is missing - LP: #1377564 * i2c: at91: Fix a race condition during signal handling in at91_do_twi_xfer. - LP: #1377564 * i2c: at91: add bound checking on SMBus block length bytes - LP: #1377564 * aio: add missing smp_rmb() in read_events_ring - LP: #1377564 * KEYS: Fix use-after-free in assoc_array_gc() - LP: #1377564 * ACPI / cpuidle: fix deadlock between cpuidle_lock and cpu_hotplug.lock - LP: #1377564 * USB: fix build error with CONFIG_PM_RUNTIME disabled - LP: #1377564 * Linux 3.13.11.8 - LP: #1377564 * powerpc: Fix kdump hang issue on p8 with relocation on exception enabled. - LP: #1352056 * net-gre-gro: Fix a bug that breaks the forwarding path - LP: #1377851 -- Luis Henriques <luis.henriq...@canonical.com> Tue, 28 Oct 2014 10:29:51 +0000 ** Changed in: linux (Ubuntu Trusty) Status: Fix Committed => Fix Released ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2014-3610 ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2014-3611 ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2014-3646 ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2014-3647 -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1377851 Title: Kernel panic skb_segment+0x5d7/0x980 Status in “linux” package in Ubuntu: Fix Released Status in “linux” source package in Trusty: Fix Released Status in “linux” source package in Utopic: Fix Released Bug description: On two Ubuntu 14.04 amd64 servers with tg3 NICs acting as a openvpn gateway we recently had a lot of trouble with kernel panics (linux-image-3.13.0-36-generic 3.13.0-36.63) The panics were kind of random happening sometimes already during the boot process and sometimes a couple of hours later. The boxes were running perfectly find for a couple of months before. We believe some kind of "special" packet triggered the bug. Potential related bugs: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1331219 https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1313591 Upgrading to linux-image-3.16.3-031603-generic (3.16.3-031603.201409171435) solved the problem for us. [ 6076.726520] BUG: unable to handle kernel NULL pointer dereference at 000000000000006c [ 6076.737716] IP: [<ffffffff81616787>] skb_segment+0x5d7/0x980 [ 6076.745780] PGD 0 [ 6076.748641] Oops: 0000 [#1] SMP [ 6076.753268] Modules linked in: btrfs ufs qnx4 hfsplus hfs minix ntfs msdos jfs xfs libcrc32c cdc_ether usbnet mii mpt3sas mpt2sas raid_class scsi_transport_sas mptctl mptbase ipmi_si ipmi_devintf dell_rbu gpio_ich intel_rapl x86_pkg_temp_thermal intel_powerclamp coretemp dcdbas kvm_intel kvm crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd 8021q garp stp mrp llc sb_edac edac_core shpchp joydev pl2303 usbserial lpc_ich wmi mei_me mei mac_hid acpi_power_meter ioatdma nf_conntrack dca lp parport raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq raid1 tg3 ahci hid_generic raid0 ptp usbhid multipath hid libahci pps_core linear [last unloaded: ipmi_si] [ 6076.850743] CPU: 3 PID: 0 Comm: swapper/3 Not tainted 3.13.0-36-generic #63-Ubuntu [ 6076.861485] Hardware name: Dell Inc. PowerEdge R620/0PXXHP, BIOS 1.6.0 03/07/2013 [ 6076.872104] task: ffff880223841800 ti: ffff880223848000 task.ti: ffff880223848000 [ 6076.882722] RIP: 0010:[<ffffffff81616787>] [<ffffffff81616787>] skb_segment+0x5d7/0x980 [ 6076.894243] RSP: 0018:ffff880227263790 EFLAGS: 00010246 [ 6076.901769] RAX: 0000000000000646 RBX: ffff88021f03f000 RCX: ffff8801ed4fff00 [ 6076.911893] RDX: 0000000000000646 RSI: 00000000000000c2 RDI: ffffea0007f6de00 [ 6076.971665] RBP: ffff880227263858 R08: 000000000000fff6 R09: 0000000000000001 [ 6077.031463] R10: ffff88021f03e800 R11: 0000000000010552 R12: ffff8801fdb1fc80 [ 6077.091313] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000646 [ 6077.151619] FS: 0000000000000000(0000) GS:ffff880227260000(0000) knlGS:0000000000000000 [ 6077.262424] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 6077.320083] CR2: 000000000000006c CR3: 0000000001c0e000 CR4: 00000000000407e0 [ 6077.379854] Stack: [ 6077.433555] ffffffff811a48f9 ffff8802272772c0 000000000000fff6 ffffffffffff000a [ 6077.546280] ffffffff00010552 000000000000006a ffff88021f03e800 0000000100000020 [ 6077.658915] ffffffffffffffe4 0000000000010012 0000001c0000055c ffff88021f03f000 [ 6077.771400] Call Trace: [ 6077.824494] <IRQ> [ 6077.827251] [<ffffffff811a48f9>] ? __kmalloc_node_track_caller+0xb9/0x290 [ 6077.933211] [<ffffffff8168149d>] tcp_gso_segment+0x10d/0x3f0 [ 6077.988641] [<ffffffff81691822>] inet_gso_segment+0x132/0x360 [ 6078.043154] [<ffffffff810a5db2>] ? enqueue_task_fair+0x422/0x6c0 [ 6078.097358] [<ffffffff81623ffc>] skb_mac_gso_segment+0x9c/0x180 [ 6078.150464] [<ffffffff816a0fb4>] gre_gso_segment+0x134/0x370 [ 6078.202321] [<ffffffff8109828d>] ? ttwu_do_activate.constprop.74+0x5d/0x70 [ 6078.255348] [<ffffffff81691822>] inet_gso_segment+0x132/0x360 [ 6078.306129] [<ffffffff8109a800>] ? try_to_wake_up+0x240/0x2c0 [ 6078.355712] [<ffffffff81623ffc>] skb_mac_gso_segment+0x9c/0x180 [ 6078.404660] [<ffffffff8162413d>] __skb_gso_segment+0x5d/0xb0 [ 6078.452918] [<ffffffff8162444a>] dev_hard_start_xmit+0x18a/0x560 [ 6078.501057] [<ffffffff8164360e>] sch_direct_xmit+0xee/0x1c0 [ 6078.548821] [<ffffffff81624a50>] __dev_queue_xmit+0x230/0x500 [ 6078.596793] [<ffffffff81624d30>] dev_queue_xmit+0x10/0x20 [ 6078.644041] [<ffffffff8162be31>] neigh_direct_output+0x11/0x20 [ 6078.691822] [<ffffffff8165d370>] ip_finish_output+0x1b0/0x3b0 [ 6078.739211] [<ffffffff8165e8d8>] ip_output+0x58/0x90 [ 6078.784448] [<ffffffff8165a84b>] ip_forward_finish+0x8b/0x170 [ 6078.830211] [<ffffffff8165ac85>] ip_forward+0x355/0x410 [ 6078.874484] [<ffffffff8165899d>] ip_rcv_finish+0x7d/0x350 [ 6078.918046] [<ffffffff816592e8>] ip_rcv+0x298/0x3d0 [ 6078.959829] [<ffffffff81622bb6>] __netif_receive_skb_core+0x666/0x840 [ 6079.003064] [<ffffffff8101b200>] ? flush_ptrace_hw_breakpoint+0x30/0x60 [ 6079.045844] [<ffffffff81622da8>] __netif_receive_skb+0x18/0x60 [ 6079.086823] [<ffffffff81622e13>] netif_receive_skb+0x23/0x90 [ 6079.126412] [<ffffffff81622f24>] napi_gro_complete+0xa4/0xe0 [ 6079.164669] [<ffffffff816234a0>] dev_gro_receive+0x210/0x2d0 [ 6079.203193] [<ffffffff816237e5>] napi_gro_receive+0x25/0xb0 [ 6079.242062] [<ffffffffa00d8c2b>] tg3_poll_work+0xc2b/0xf30 [tg3] [ 6079.281003] [<ffffffffa00d8f6b>] tg3_poll_msix+0x3b/0x140 [tg3] [ 6079.319178] [<ffffffff81623192>] net_rx_action+0x152/0x250 [ 6079.356843] [<ffffffff8106cbac>] __do_softirq+0xec/0x2c0 [ 6079.394099] [<ffffffff8106d0f5>] irq_exit+0x105/0x110 [ 6079.430844] [<ffffffff817312d6>] do_IRQ+0x56/0xc0 [ 6079.466888] [<ffffffff81726a6d>] common_interrupt+0x6d/0x6d [ 6079.503660] <EOI> [ 6079.506415] [<ffffffff815d11bf>] ? cpuidle_enter_state+0x4f/0xc0 [ 6079.573717] [<ffffffff815d12e9>] cpuidle_idle_call+0xb9/0x1f0 [ 6079.611376] [<ffffffff8101cede>] arch_cpu_idle+0xe/0x30 [ 6079.648243] [<ffffffff810bed95>] cpu_startup_entry+0xc5/0x290 [ 6079.685771] [<ffffffff81041018>] start_secondary+0x218/0x2c0 [ 6079.723121] Code: 4c 24 60 eb 21 0f 1f 80 00 00 00 00 41 83 c5 01 49 83 c4 10 48 83 c1 10 41 39 c3 0f 86 83 01 00 00 41 89 c7 89 c2 45 39 e9 7f 37 <41> 8b 46 6c 41 39 46 68 0f 85 75 03 00 00 45 8b a6 cc 00 00 00 [ 6079.844842] RIP [<ffffffff81616787>] skb_segment+0x5d7/0x980 [ 6079.885283] RSP <ffff880227263790> [ 6079.922830] CR2: 000000000000006c [ 6080.024035] ---[ end trace 6e658236aae2d239 ]--- [ 6080.065884] Kernel panic - not syncing: Fatal exception in interrupt ethtool -k port1 Features for port1: rx-checksumming: on tx-checksumming: on tx-checksum-ipv4: on tx-checksum-ip-generic: off [fixed] tx-checksum-ipv6: on tx-checksum-fcoe-crc: off [fixed] tx-checksum-sctp: off [fixed] scatter-gather: on tx-scatter-gather: on tx-scatter-gather-fraglist: off [fixed] tcp-segmentation-offload: on tx-tcp-segmentation: on tx-tcp-ecn-segmentation: on tx-tcp6-segmentation: on udp-fragmentation-offload: off [fixed] generic-segmentation-offload: on generic-receive-offload: on large-receive-offload: off [fixed] rx-vlan-offload: on [fixed] tx-vlan-offload: on [fixed] ntuple-filters: off [fixed] receive-hashing: off [fixed] highdma: on rx-vlan-filter: off [fixed] vlan-challenged: off [fixed] tx-lockless: off [fixed] netns-local: off [fixed] tx-gso-robust: off [fixed] tx-fcoe-segmentation: off [fixed] tx-gre-segmentation: off [fixed] tx-ipip-segmentation: off [fixed] tx-sit-segmentation: off [fixed] tx-udp_tnl-segmentation: off [fixed] tx-mpls-segmentation: off [fixed] fcoe-mtu: off [fixed] tx-nocache-copy: on loopback: off [fixed] rx-fcs: off [fixed] rx-all: off [fixed] tx-vlan-stag-hw-insert: off [fixed] rx-vlan-stag-hw-parse: off [fixed] rx-vlan-stag-filter: off [fixed] l2-fwd-offload: off [fixed] To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1377851/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp