This bug was fixed in the package linux - 4.11.0-13.19

linux (4.11.0-13.19) artful; urgency=low

  * CVE-2017-7533
    - dentry name snapshots

linux (4.11.0-12.18) artful; urgency=low

  * linux: 4.11.0-12.18 -proposed tracker (LP: #1707635)
    - no change rebuild to pick up the new binutils.

  * Adt tests of src:linux time out often on armhf lxc containers (LP: #1705495)
    - [Packaging] tests -- reduce rebuild test to one flavour
    - [Packaging] tests -- reduce rebuild test to one flavour -- use filter

  * [ARM64] config EDAC_GHES=y depends on EDAC_MM_EDAC=y (LP: #1706141)
    - [Config] set EDAC_MM_EDAC=y for ARM64

  * [Hyper-V] hv_netvsc: Exclude non-TCP port numbers from vRSS hashing
    (LP: #1690174)
    - hv_netvsc: Exclude non-TCP port numbers from vRSS hashing

  * ath10k doesn't report full RSSI information (LP: #1706531)
    - ath10k: add per chain RSSI reporting

  * ideapad_laptop don't support v310-14isk (LP: #1705378)
    - platform/x86: ideapad-laptop: Add several models to no_hw_rfkill

  * Ubuntu 16.04.3: Qemu fails on P9 (LP: #1686019)
    - KVM: PPC: Pass kvm* to kvmppc_find_table()
    - KVM: PPC: Use preregistered memory API to access TCE list
    - KVM: PPC: VFIO: Add in-kernel acceleration for VFIO
    - powerpc/powernv/iommu: Add real mode version of 
    - powerpc/iommu/vfio_spapr_tce: Cleanup iommu_table disposal
    - powerpc/vfio_spapr_tce: Add reference counting to iommu_table
    - powerpc/mmu: Add real mode support for IOMMU preregistered memory
    - KVM: PPC: Reserve KVM_CAP_SPAPR_TCE_VFIO capability number
    - KVM: PPC: Book3S HV: Add radix checks in real-mode hypercall handlers

  * hns: ethtool selftest crashes system (LP: #1705712)
    - net/hns:bugfix of ethtool -t phy self_test

  * ThunderX: soft lockup on 4.8+ kernels when running qemu-efi with vhost=on
    (LP: #1673564)
    - KVM: arm/arm64: vgic-v3: Use PREbits to infer the number of ICH_APxRn_EL2
    - KVM: arm/arm64: vgic-v3: Fix nr_pre_bits bitfield extraction
    - arm64: Add a facility to turn an ESR syndrome into a sysreg encoding
    - KVM: arm/arm64: vgic-v3: Add accessors for the ICH_APxRn_EL2 registers
    - KVM: arm64: Make kvm_condition_valid32() accessible from EL2
    - KVM: arm64: vgic-v3: Add hook to handle guest GICv3 sysreg accesses at EL2
    - KVM: arm64: vgic-v3: Add ICV_BPR1_EL1 handler
    - KVM: arm64: vgic-v3: Add ICV_IGRPEN1_EL1 handler
    - KVM: arm64: vgic-v3: Add ICV_IAR1_EL1 handler
    - KVM: arm64: vgic-v3: Add ICV_EOIR1_EL1 handler
    - KVM: arm64: vgic-v3: Add ICV_AP1Rn_EL1 handler
    - KVM: arm64: vgic-v3: Add ICV_HPPIR1_EL1 handler
    - KVM: arm64: vgic-v3: Enable trapping of Group-1 system registers
    - KVM: arm64: Enable GICv3 Group-1 sysreg trapping via command-line
    - KVM: arm64: vgic-v3: Add ICV_BPR0_EL1 handler
    - KVM: arm64: vgic-v3: Add ICV_IGNREN0_EL1 handler
    - KVM: arm64: vgic-v3: Add misc Group-0 handlers
    - KVM: arm64: vgic-v3: Enable trapping of Group-0 system registers
    - KVM: arm64: Enable GICv3 Group-0 sysreg trapping via command-line
    - arm64: Add MIDR values for Cavium cn83XX SoCs
    - arm64: Add workaround for Cavium Thunder erratum 30115
    - KVM: arm64: vgic-v3: Add ICV_DIR_EL1 handler
    - KVM: arm64: vgic-v3: Add ICV_RPR_EL1 handler
    - KVM: arm64: vgic-v3: Add ICV_CTLR_EL1 handler
    - KVM: arm64: vgic-v3: Add ICV_PMR_EL1 handler
    - KVM: arm64: Enable GICv3 common sysreg trapping via command-line
    - KVM: arm64: vgic-v3: Log which GICv3 system registers are trapped
    - arm64: KVM: Make unexpected reads from WO registers inject an undef
    - KVM: arm64: Log an error if trapping a read-from-write-only GICv3 access
    - KVM: arm64: Log an error if trapping a write-to-read-only GICv3 access

  * ath9k freezes suspend resume Ubuntu 17.04 (LP: #1697027)
    - ath9k: fix an invalid pointer dereference in ath9k_rng_stop()

  * xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2
    comp_code 13 (LP: #1667750)
    - xhci: Bad Ethernet performance plugged in ASM1042A host

  * Migrating KSM page causes the VM lock up as the KSM page merging list is too
    large (LP: #1680513)
    - ksm: introduce ksm_max_page_sharing per page deduplication limit
    - ksm: fix use after free with merge_across_nodes = 0
    - ksm: cleanup stable_node chain collapse case
    - ksm: swap the two output parameters of chain/chain_prune
    - ksm: optimize refile of stable_node_dup at the head of the chain

  * Artful update to v4.11.12 stable release (LP: #1706067)
    - net/phy: micrel: configure intterupts after autoneg workaround
    - ipv6: avoid unregistering inet6_dev for loopback
    - netvsc: don't access netdev->num_rx_queues directly
    - sfc: Fix MCDI command size for filter operations
    - net: account for current skb length when deciding about UFO
    - net: dp83640: Avoid NULL pointer dereference.
    - tcp: reset sk_rx_dst in tcp_disconnect()
    - net: prevent sign extension in dev_get_stats()
    - virtio-net: serialize tx routine during reset
    - net: sched: Fix one possible panic when no destroy callback
    - mlxsw: spectrum_router: Fix NULL pointer dereference
    - rocker: move dereference before free
    - bpf: prevent leaking pointer via xadd on unpriviledged
    - net: handle NAPI_GRO_FREE_STOLEN_HEAD case also in napi_frags_finish()
    - net/mlx5: Cancel delayed recovery work when unloading the driver
    - net/mlx5e: Fix TX carrier errors report in get stats ndo
    - ipv6: dad: don't remove dynamic addresses if link is down
    - vxlan: fix hlist corruption
    - geneve: fix hlist corruption
    - net: core: Fix slab-out-of-bounds in netdev_stats_to_stats64
    - liquidio: fix bug in soft reset failure detection
    - net: ipv6: Compare lwstate in detecting duplicate nexthops
    - vrf: fix bug_on triggered by rx when destroying a vrf
    - rds: tcp: use sock_create_lite() to create the accept socket
    - net/mlx5e: Initialize CEE's getpermhwaddr address buffer to 0xff
    - cxgb4: fix BUG() on interrupt deallocating path of ULD
    - tap: convert a mutex to a spinlock
    - bridge: mdb: fix leak on complete_info ptr on fail path
    - brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx()
    - sfc: don't read beyond unicast address list
    - Adding asm-prototypes.h for genksyms to generate crc
    - sed regex in requires line break between exported symbols
    - Adding the type of exported symbols
    - sparc64: Fix gup_huge_pmd
    - block: Fix a blk_exit_rl() regression
    - brcmfmac: Fix a memory leak in error handling path in
    - brcmfmac: Fix glom_skb leak in brcmf_sdiod_recv_chain
    - efi: Process the MEMATTR table only if EFI_MEMMAP is enabled
    - cfg80211: Define nla_policy for NL80211_ATTR_LOCAL_MESH_POWER_MODE
    - cfg80211: Validate frequencies nested in NL80211_ATTR_SCAN_FREQUENCIES
    - cfg80211: Check if PMKID attribute is of expected size
    - cfg80211: Check if NAN service ID is of expected size
    - drm/amdgpu/gfx6: properly cache mc_arb_ramcfg
    - irqchip/gic-v3: Fix out-of-bound access in gic_set_affinity
    - parisc: Report SIGSEGV instead of SIGBUS when running out of stack
    - parisc: use compat_sys_keyctl()
    - parisc: DMA API: return error instead of BUG_ON for dma ops on non dma 
    - parisc/mm: Ensure IRQs are off in switch_mm()
    - tools/lib/lockdep: Reduce MAX_LOCK_DEPTH to avoid overflowing lock_chain/:
    - thp, mm: fix crash due race in MADV_FREE handling
    - kernel/extable.c: mark core_kernel_text notrace
    - mm/list_lru.c: fix list_lru_count_node() to be race free
    - fs/dcache.c: fix spin lockup issue on nlru->lock
    - checkpatch: silence perl 5.26.0 unescaped left brace warnings
    - binfmt_elf: use ELF_ET_DYN_BASE only for PIE
    - arm: move ELF_ET_DYN_BASE to 4MB
    - arm64: move ELF_ET_DYN_BASE to 4GB / 4MB
    - powerpc: move ELF_ET_DYN_BASE to 4GB / 4MB
    - s390: reduce ELF_ET_DYN_BASE
    - exec: Limit arg stack to at most 75% of _STK_LIM
    - powerpc/kexec: Fix radix to hash kexec due to IAMR/AMOR
    - ARM64: dts: marvell: armada37xx: Fix timer interrupt specifiers
    - arm64: Preventing READ_IMPLIES_EXEC propagation
    - vt: fix unchecked __put_user() in tioclinux ioctls
    - rcu: Add memory barriers for NOCB leader wakeup
    - nvmem: core: fix leaks on registration errors
    - Drivers: hv: vmbus: Close timing hole that can corrupt per-cpu page
    - mnt: In umount propagation reparent in a separate pass
    - mnt: In propgate_umount handle visiting mounts in any order
    - mnt: Make propagate_umount less slow for overlapping mount propagation 
    - selftests/capabilities: Fix the test_execve test
    - mm: fix overflow check in expand_upwards()
    - crypto: talitos - Extend max key length for SHA384/512-HMAC and AEAD
    - crypto: atmel - only treat EBUSY as transient if backlog
    - crypto: sha1-ssse3 - Disable avx2
    - crypto: caam - properly set IV after {en,de}crypt
    - crypto: caam - fix signals handling
    - sched/fair, cpumask: Export for_each_cpu_wrap()
    - sched/topology: Fix building of overlapping sched-groups
    - sched/topology: Optimize build_group_mask()
    - sched/topology: Fix overlapping sched_group_mask
    - PM / wakeirq: Convert to SRCU
    - ALSA: x86: Clear the pdata.notify_lpe_audio pointer before teardown
    - PM / QoS: return -EINVAL for bogus strings
    - kvm: vmx: Do not disable intercepts for BNDCFGS
    - kvm: x86: Guest BNDCFGS requires guest MPX support
    - kvm: vmx: Check value written to IA32_BNDCFGS
    - kvm: vmx: allow host to access guest MSR_IA32_BNDCFGS
    - Linux 4.11.12

  * Artful update to v4.11.11 stable release (LP: #1706066)
    - mqueue: fix a use-after-free in sys_mq_notify()
    - proc: Fix proc_sys_prune_dcache to hold a sb reference
    - locking/rwsem-spinlock: Fix EINTR branch in __down_write_common()
    - staging: vt6556: vnt_start Fix missing call to vnt_key_init_table.
    - staging: comedi: fix clean-up of comedi_class in comedi_init()
    - crypto: caam - fix gfp allocation flags (part I)
    - crypto: rsa-pkcs1pad - use constant time memory comparison for MACs
    - ext4: check return value of kstrtoull correctly in reserved_clusters_store
    - x86/mm/pat: Don't report PAT on CPUs that don't support it
    - Linux 4.11.11

  * Change CONFIG_IBMVETH to module (LP: #1704479)
    - [Config] CONFIG_IBMVETH=m

  * hns: use after free in hns_nic_net_xmit_hw (LP: #1704885)
    - net: hns: Fix a skb used after free bug

  * Opal and POWER9 DD2 (LP: #1702159)
    - powerpc/powernv: Fix boot on Power8 bare metal due to 

  * CVE-2017-1000364
    - mm/mmap.c: do not blow on PROT_NONE MAP_FIXED holes in the stack
    - mm/mmap.c: expand_downwards: don't require the gap if !vm_prev

  * [Xenial] nvme: Quirks for PM1725 controllers (LP: #1704435)
    - nvme: Quirks for PM1725 controllers

  * bonding: stack dump when unregistering a netdev (LP: #1704102)
    - bonding: avoid NETDEV_CHANGEMTU event when unregistering slave

  * Ubuntu 16.04 IOB Error when the Mustang board rebooted (LP: #1693673)
    - drivers: net: xgene: Fix redundant prefetch buffer cleanup

  * Ubuntu16.04: NVMe 4K+T10 DIF/DIX format returns I/O error on dd with split
    op (LP: #1689946)
    - blk-mq: NVMe 512B/4K+T10 DIF/DIX format returns I/O error on dd with split

  * linux >= 4.2: bonding 802.3ad does not work with 5G, 25G and 50G link speeds
    (LP: #1697892)
    - bonding: add 802.3ad support for 25G speeds
    - bonding: fix 802.3ad support for 5G and 50G speeds

  * hns: under heavy load, NIC may fail and require reboot (LP: #1704146)
    - net: hns: Bugfix for Tx timeout handling in hns driver

  * New ACPI identifiers for ThunderX SMMU (LP: #1703437)
    - iommu/arm-smmu: Plumb in new ACPI identifiers

  * Transparent hugepages should default to enabled=madvise (LP: #1703742)
    - [Config] use CONFIG_TRANSPARENT_HUGEPAGE_MADVISE=y as default

  * Miscellaneous Ubuntu changes
    - [Config] CONFIG_CAVIUM_ERRATUM_30115=y

  * Miscellaneous upstream changes
    - platform/x86: thinkpad_acpi: guard generic hotkey case
    - platform/x86: thinkpad_acpi: add mapping for new hotkeys
    - selftest/memfd/Makefile: Fix build error

linux (4.11.0-11.16) artful; urgency=low

  * linux: 4.11.0-11.16 -proposed tracker (LP: #1703901)

  * Artful update to v4.11.10 stable release (LP: #1703854)
    - fs: add a VALID_OPEN_FLAGS
    - fs: completely ignore unknown open flags
    - driver core: platform: fix race condition with driver_override
    - RDMA/uverbs: Check port number supplied by user verbs cmds
    - ceph: choose readdir frag based on previous readdir reply
    - tracing/kprobes: Allow to create probe with a module name starting with a
    - usb: dwc3: replace %p with %pK
    - USB: serial: cp210x: add ID for CEL EM3588 USB ZigBee stick
    - Add USB quirk for HVR-950q to avoid intermittent device resets
    - usb: usbip: set buffer pointers to NULL after free
    - usb: Fix typo in the definition of Endpoint[out]Request
    - USB: core: fix device node leak
    - arm: remove wrong CONFIG_PROC_SYSCTL ifdef
    - pinctrl: sh-pfc: r8a7794: Swap ATA signals
    - pinctrl: sh-pfc: r8a7791: Fix SCIF2 pinmux data
    - pinctrl: sh-pfc: r8a7791: Add missing DVC_MUTE signal
    - pinctrl: sh-pfc: r8a7795: Fix hscif2_clk_b and hscif4_ctrl
    - pinctrl: meson: meson8b: fix the NAND DQS pins
    - pinctrl: stm32: Fix bad function call
    - pinctrl: sunxi: Fix SPDIF function name for A83T
    - pinctrl: core: Fix warning by removing bogus code
    - pinctrl: mxs: atomically switch mux and drive strength config
    - pinctrl: sh-pfc: r8a7791: Add missing HSCIF1 pinmux data
    - pinctrl: sh-pfc: Update info pointer after SoC-specific init
    - USB: serial: option: add two Longcheer device ids
    - USB: serial: qcserial: new Sierra Wireless EM7305 device ID
    - xhci: Limit USB2 port wake support for AMD Promontory hosts
    - gfs2: Fix glock rhashtable rcu bug
    - Add "shutdown" to "struct class".
    - tpm: Issue a TPM2_Shutdown for TPM2 devices.
    - tpm: fix a kernel memory leak in tpm-sysfs.c
    - x86/uaccess: Optimize copy_user_enhanced_fast_string() for short strings
    - xen: avoid deadlock in xenbus driver
    - crypto: drbg - Fixes panic in wait_for_completion call
    - rt286: add Thinkpad Helix 2 to force_combo_jack_table
    - Linux 4.11.10

  * CVE-2017-10810
    - drm/virtio: don't leak bo on drm_gem_object_init failure

  * cxlflash update request in the Xenial SRU stream (LP: #1702521)
    - scsi: cxlflash: Separate RRQ processing from the RRQ interrupt handler
    - scsi: cxlflash: Serialize RRQ access and support offlevel processing
    - scsi: cxlflash: Implement IRQ polling for RRQ processing
    - scsi: cxlflash: Update sysfs helper routines to pass config structure
    - scsi: cxlflash: Support dynamic number of FC ports
    - scsi: cxlflash: Remove port configuration assumptions
    - scsi: cxlflash: Hide FC internals behind common access routine
    - scsi: cxlflash: SISlite updates to support 4 ports
    - scsi: cxlflash: Support up to 4 ports
    - scsi: cxlflash: Fence EEH during probe
    - scsi: cxlflash: Remove unnecessary DMA mapping
    - scsi: cxlflash: Fix power-of-two validations
    - scsi: cxlflash: Fix warnings/errors
    - scsi: cxlflash: Improve asynchronous interrupt processing
    - scsi: cxlflash: Support multiple hardware queues
    - scsi: cxlflash: Add hardware queues attribute
    - scsi: cxlflash: Introduce hardware queue steering
    - cxl: Enable PCI device IDs for future IBM CXL adapters
    - scsi: cxlflash: Select IRQ_POLL
    - scsi: cxlflash: Combine the send queue locks
    - scsi: cxlflash: Update cxlflash_afu_sync() to return errno
    - scsi: cxlflash: Reset hardware queue context via specified register
    - scsi: cxlflash: Schedule asynchronous reset of the host
    - scsi: cxlflash: Handle AFU sync failures
    - scsi: cxlflash: Track pending scsi commands in each hardware queue
    - scsi: cxlflash: Flush pending commands in cleanup path
    - scsi: cxlflash: Add scsi command abort handler
    - scsi: cxlflash: Create character device to provide host management 
    - scsi: cxlflash: Separate AFU internal command handling from AFU sync
    - scsi: cxlflash: Introduce host ioctl support
    - scsi: cxlflash: Refactor AFU capability checking
    - scsi: cxlflash: Support LUN provisioning
    - scsi: cxlflash: Support AFU debug
    - scsi: cxlflash: Support WS16 unmap
    - scsi: cxlflash: Remove zeroing of private command data
    - scsi: cxlflash: Update TMF command processing
    - scsi: cxlflash: Avoid double free of character device
    - scsi: cxlflash: Update send_tmf() parameters
    - scsi: cxlflash: Update debug prints in reset handlers

  * make snap-pkg support (LP: #1700747)
    - make snap-pkg support

  * Quirk for non-compliant PCI bridge on HiSilicon D05 board (LP: #1698706)
    - SAUCE: PCI: Support hibmc VGA cards behind a misbehaving HiSilicon bridge

  * arm64: fix crash reading /proc/kcore (LP: #1702749)
    - fs/proc: kcore: use kcore_list type to check for vmalloc/module address
    - arm64: mm: select CONFIG_ARCH_PROC_KCORE_TEXT

  * Opal and POWER9 DD2 (LP: #1702159)
    - SAUCE: powerpc/powernv: Tell OPAL about our MMU mode on POWER9

  * Data corruption with hio driver  (LP: #1701316)
    - SAUCE: hio: Fix incorrect use of enum req_opf values

  * Artful update to v4.11.9 stable release (LP: #1702515)
    - net: don't call strlen on non-terminated string in dev_set_alias()
    - net: Fix inconsistent teardown and release of private netdev state.
    - net: s390: fix up for "Fix inconsistent teardown and release of private
      netdev state"
    - mac80211: free netdev on dev_alloc_name() error
    - decnet: dn_rtmsg: Improve input length sanitization in
    - net: Zero ifla_vf_info in rtnl_fill_vfinfo()
    - net: ipv6: Release route when device is unregistering
    - net: vrf: Make add_fib_rules per network namespace flag
    - af_unix: Add sockaddr length checks before accessing sa_family in bind and
      connect handlers
    - Fix an intermittent pr_emerg warning about lo becoming free.
    - sctp: disable BH in sctp_for_each_endpoint
    - net: caif: Fix a sleep-in-atomic bug in cfpkt_create_pfx
    - net: tipc: Fix a sleep-in-atomic bug in tipc_msg_reverse
    - net/mlx5: Remove several module events out of ethtool stats
    - net/mlx5e: Added BW check for DIM decision mechanism
    - net/mlx5e: Fix wrong indications in DIM due to counter wraparound
    - net/mlx5: Enable 4K UAR only when page size is bigger than 4K
    - proc: snmp6: Use correct type in memset
    - igmp: acquire pmc lock for ip_mc_clear_src()
    - igmp: add a missing spin_lock_init()
    - qmi_wwan: new Telewell and Sierra device IDs
    - net: don't global ICMP rate limit packets originating from loopback
    - ipv6: fix calling in6_ifa_hold incorrectly for dad work
    - sctp: return next obj by passing pos + 1 into sctp_transport_get_idx
    - net/mlx5e: Fix min inline value for VF rep SQs
    - net/mlx5e: Avoid doing a cleanup call if the profile doesn't have it
    - net/mlx5: Wait for FW readiness before initializing command interface
    - net/mlx5e: Fix timestamping capabilities reporting
    - decnet: always not take dst->__refcnt when inserting dst into hash table
    - net: 8021q: Fix one possible panic caused by BUG_ON in free_netdev
    - ipv6: Do not leak throw route references
    - rtnetlink: add IFLA_GROUP to ifla_policy
    - netfilter: synproxy: fix conntrackd interaction
    - NFSv4.x/callback: Create the callback service through svc_create_pooled
    - xen/blkback: don't use xen_blkif_get() in xen-blkback kthread
    - MIPS: head: Reorder instructions missing a delay slot
    - MIPS: Avoid accidental raw backtrace
    - MIPS: pm-cps: Drop manual cache-line alignment of ready_count
    - MIPS: Fix IRQ tracing & lockdep when rescheduling
    - ALSA: hda - Fix endless loop of codec configure
    - ALSA: hda - set input_path bitmap to zero after moving it to new place
    - NFSv4.2: Don't send mode again in post-EXCLUSIVE4_1 SETATTR with umask
    - NFSv4.1: Fix a race in nfs4_proc_layoutget
    - Revert "NFS: nfs_rename() handle -ERESTARTSYS dentry left behind"
    - ovl: copy-up: don't unlock between lookup and link
    - gpiolib: fix filtering out unwanted events
    - x86/intel_rdt: Fix memory leak on mount failure
    - perf/x86/intel/uncore: Fix wrong box pointer check
    - drm/vmwgfx: Free hash table allocated by cmdbuf managed res mgr
    - dm thin: do not queue freed thin mapping for next stage processing
    - x86/mm: Fix boot crash caused by incorrect loop count calculation in
    - mm/vmalloc.c: huge-vmap: fail gracefully on unexpected huge vmap mappings
    - xen/blkback: don't free be structure too early
    - xfrm6: Fix IPv6 payload_len in xfrm6_transport_finish
    - xfrm: move xfrm_garbage_collect out of xfrm_policy_flush
    - xfrm: fix stack access out of bounds with CONFIG_XFRM_SUB_POLICY
    - xfrm: NULL dereference on allocation failure
    - xfrm: Oops on error in pfkey_msg2xfrm_state()
    - watchdog: bcm281xx: Fix use of uninitialized spinlock.
    - ARM64: PCI: Fix struct acpi_pci_root_ops allocation failure path
    - ARM64/ACPI: Fix BAD_MADT_GICC_ENTRY() macro implementation
    - ARM: 8685/1: ensure memblock-limit is pmd-aligned
    - ARM: davinci: PM: Free resources in error handling path in 
    - ARM: davinci: PM: Do not free useful resources in normal path in
    - tools arch: Sync arch/x86/lib/memcpy_64.S with the kernel
    - Revert "x86/entry: Fix the end of the stack for newly forked tasks"
    - x86/mshyperv: Remove excess #includes from mshyperv.h
    - x86/boot/KASLR: Fix kexec crash due to 'virt_addr' calculation bug
    - perf/x86: Fix spurious NMI with PEBS Load Latency event
    - x86/mpx: Correctly report do_mpx_bt_fault() failures to user-space
    - x86/mm: Fix flush_tlb_page() on Xen
    - ocfs2: o2hb: revert hb threshold to keep compatible
    - ocfs2: fix deadlock caused by recursive locking in xattr
    - iommu/dma: Don't reserve PCI I/O windows
    - iommu/amd: Fix incorrect error handling in amd_iommu_bind_pasid()
    - iommu/amd: Fix interrupt remapping when disable guest_mode
    - infiniband: hns: avoid gcc-7.0.1 warning for uninitialized data
    - mtd: nand: brcmnand: Check flash #WP pin status before nand erase/program
    - mtd: nand: fsmc: fix NAND width handling
    - KVM: x86: fix emulation of RSM and IRET instructions
    - KVM: x86/vPMU: fix undefined shift in intel_pmu_refresh()
    - KVM: x86: zero base3 of unusable segments
    - KVM: nVMX: Fix exception injection
    - esp4: Fix udpencap for local TCP packets.
    - hsi: Fix build regression due to netdev destructor fix.
    - Linux 4.11.9

  * update ENA driver to 1.2.0k from net-next (LP: #1701575)
    - net/ena: switch to pci_alloc_irq_vectors
    - net: ena: fix rare uncompleted admin command false alarm
    - net: ena: fix bug that might cause hang after consecutive open/close
    - net: ena: add missing return when ena_com_get_io_handlers() fails
    - net: ena: fix race condition between submit and completion admin command
    - net: ena: add missing unmap bars on device removal
    - net: ena: fix theoretical Rx hang on low memory systems
    - net: ena: disable admin msix while working in polling mode
    - net: ena: bug fix in lost tx packets detection mechanism
    - net: ena: update ena driver to version 1.1.7
    - net: ena: change return value for unsupported features unsupported return
    - net: ena: add hardware hints capability to the driver
    - net: ena: change sizeof() argument to be the type pointer
    - net: ena: add reset reason for each device FLR
    - net: ena: add support for out of order rx buffers refill
    - net: ena: allow the driver to work with small number of msix vectors
    - net: ena: use napi_schedule_irqoff when possible
    - net: ena: separate skb allocation to dedicated function
    - net: ena: use lower_32_bits()/upper_32_bits() to split dma address
    - net: ena: update driver's rx drop statistics
    - net: ena: update ena driver to version 1.2.0

  * APST gets enabled against explicit kernel option (LP: #1699004)
    - nvme: Display raw APST configuration via DYNAMIC_DEBUG
    - nvme: Add nvme_core.force_apst to ignore the NO_APST quirk
    - nvme: explicitly disable APST on quirked devices

  * New NVLINK2 patches (LP: #1701272)
    - powerpc/powernv/npu-dma: Add explicit flush when sending an ATSD
    - powerpc/npu-dma: Remove spurious WARN_ON when a PCI device has no of_node

  * ERAT invalidate on context switch removal (LP: #1700819)
    - powerpc: Only do ERAT invalidate on radix context switch on P9 DD1

  * Miscellaneous Ubuntu changes
    - SAUCE: (noup) Update spl to, zfs to
    - snapcraft.yaml: Sync with xenial

  * Miscellaneous upstream changes
    - Revert "UBUNTU: SAUCE: (efi-lockdown) efi: Add sysctls for secureboot and

 -- Thadeu Lima de Souza Cascardo  Tue, 01 Aug 2017 19:35:17 -0300

** Changed in: linux (Ubuntu)
       Status: Fix Committed => Fix Released

** CVE added:

  Migrating KSM page causes the VM lock up as the KSM page merging list
  is too large

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
Status in linux source package in Zesty:
  Fix Committed

Bug description:
  After numad is enabled and there are several VMs running on the same
  host machine (host kernel version: 4.4.0-72-generic #93), the
  softlockup messages can be observed inside the VMs' dmesg.

  First, the crashdump was captured when the symptom was observed. At
  first glance, it looks like an IPI lost issue. The numad process
  initiates a migration of memory, and as part of this, needs to flush
  the TLB cache of another CPU. When the crash dump was taken, that
  other CPU has the TLB flush pending, but not executed.

  The numad kernel task is holding a semaphore lock mmap_sem (for the
  VM's memory) to do the migration, and the tasks that actually end up
  being blocked are other virtual CPUs for the same VM. These tasks need
  to access or make changes to the memory map for the VM because of the
  VM page fault, but cannot acquire the semaphore lock.

  However, the original thoughts on the root cause (unhandled IPI or csd
  lock issue) are incorrect.

  We originally suspected an issue with a lost IPI (inter processor
  interrupt) that performs remote CPU cache flushes during page
  migration, or a known issue with the "csd" lock used to synchronize
  the remote CPU cache flush.  A lost IPI would be a function of the
  system firmware or chipset (it is not a CPU issue), but the known csd
  issue is hardware independent. 

  Gavin created the hotfix kernel with changes in the csd_lock_wait
  function that would time out if the unlock never happens (the end
  result of either cause), and print messages to the console when that
  timeout occurred. The messages look like: 

  csd_lock_wait called %d times

  csd: Detected non-responsive CSD lock (#%d) on CPU#%02d, waiting
  %Ld.%03Ld secs for CPU#%02d

  However, the VMs are still experiencing the hangs, but the
  csd_lock_wait timeout is not happening. This suggests that the csd
  lock / lost IPI is not the actual cause.

  In the crash dump, the numad task has induced a migration, and the
  stack is as follows: 

  #1 [ffff885f8fb4fb78] smp_call_function_many 
  #2 [ffff885f8fb4fbc0] native_flush_tlb_others 
  #3 [ffff885f8fb4fc08] flush_tlb_page 
  #4 [ffff885f8fb4fc30] ptep_clear_flush 
  #5 [ffff885f8fb4fc60] try_to_unmap_one 
  #6 [ffff885f8fb4fcd0] rmap_walk_ksm 
  #7 [ffff885f8fb4fd28] rmap_walk 
  #8 [ffff885f8fb4fd80] try_to_unmap 
  #9 [ffff885f8fb4fdc8] migrate_pages 
  #10 [ffff885f8fb4fe80] do_migrate_pages 

  The frame #1 is actually in the csd_lock_wait function mentioned
  above, but the compiler has optimized that call and it does not appear
  in the stack. 

  What happens here is that do_migrate_pages (frame #10) acquires the
  semaphore that everything else is waiting for (and that eventually
  produces the hang warnings), and it holds that semaphore for the
  duration of the page migration.  This strongly suggests that this
  single do_migrate_pages call is taking in excess of 10 seconds, and if
  the csd lock is not stuck, then something else within its call path is
  not functioning correctly. 

  We originally suspected that the lost IPI/csd lock hang was
  responsible for the hung task timeouts, but in the absence of the csd
  warning messages, the cause presumably lies elsewhere. 

  A KSM function appears in frame #6; this is the function that will
  search out the merged pages to handle them for the migration. 

  Gavin tried to disassemble the code and finally found that the
  stable_node->hlist is as long as 2306920 entries:

  rmap_item list(stable_node->hlist): 
  stable_node: 0xffff881f836ba000 stable_node->hlist->first = 

  struct hlist_head { 
  [0] struct hlist_node *first; 
  struct hlist_node { 
  [0] struct hlist_node *next; 
  [8] struct hlist_node **pprev; 

  crash> list 0xffff883f3e5746b0 > rmap_item.lst

  $ wc -l rmap_item.lst 
  2306920 rmap_item.lst

  This is roughly 9 GB of pages. The theory is that KSM has merged a
  very large number of pages that are empty (the values of all locations
  in the page are zero).

  The bug can be observed by the perf flame graph[1]:


  Andrea Arcangeli already sent out the patch[2] on 2015/11/10.
  Andrew Morton also said he would apply the patch. However, the patch
  finally disappeared from the mmotm tree in April 2016. Andrea suggested
  applying the 3 patches[3].

  [2]. [PATCH 1/1] ksm: introduce ksm_max_page_sharing per page 
  deduplication limit 

  [3]. Re: [PATCH 1/1] ksm: introduce ksm_max_page_sharing per page
  deduplication limit

  [Test Case]
  The patches have been tested with 9 VMs and each has 32GB ram and 16
  VCPUs.  Numad/KSM are also enabled in the machine. After running for
  6 days, the system is stable and unstable CPU loading cannot be
  observed inside the virtual appliances monitor[4]. The numad cpu
  utilization rate is normal and guest hang also cannot be observed.

  Machine type: Dell PowerEdge R920
  Memory: 528GB with 4 NUMA nodes
  CPU: 120 cores
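
  A host-side triage check for the condition described above, as an added
  example that is not part of the original report or the Ubuntu packaging.
  It assumes the standard KSM counters under /sys/kernel/mm/ksm and treats
  the presence of the max_page_sharing file as the sign that the
  "ksm_max_page_sharing" patch is in the running kernel; the function
  names and the warning ratio of 256 are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify a host's KSM sharing state.
# Usage: ksm_sharing_report [DIR] [WARN_RATIO]
#   DIR        directory holding the KSM counters (default /sys/kernel/mm/ksm);
#              pass another directory to run against constructed counter files
#   WARN_RATIO average sharers per KSM page above which an uncapped kernel is
#              flagged (assumption of this example, default 256)

# Print the unsigned integer stored in file $1. Print nothing if the file is
# missing, unreadable or not a plain number. Always returns 0.
ksm_read() {
    if [ -r "$1" ]; then
        v=$(tr -d '[:space:]' < "$1")
        case $v in
            ''|*[!0-9]*) ;;
            *) printf '%s' "$v" ;;
        esac
    fi
    return 0
}

# Print one line: a verdict followed by the counters it was derived from.
#   no-ksm          counters not present (KSM not built in or wrong DIR)
#   idle            KSM has no shared pages right now
#   bounded         max_page_sharing exists, so the per-page rmap list is capped
#   unbounded       no cap in this kernel, average sharing at or below WARN_RATIO
#   unbounded-high  no cap and a high average: very long rmap lists are likely,
#                   which is the situation the crash dump above shows
ksm_sharing_report() {
    dir=${1:-/sys/kernel/mm/ksm}
    warn=${2:-256}
    shared=$(ksm_read "$dir/pages_shared")     # KSM pages in use
    sharing=$(ksm_read "$dir/pages_sharing")   # additional mappings onto them
    limit=$(ksm_read "$dir/max_page_sharing")  # only present with the patch

    if [ -z "$shared" ] || [ -z "$sharing" ]; then
        echo "no-ksm"
        return 0
    fi
    if [ "$shared" -eq 0 ]; then
        echo "idle pages_shared=0 pages_sharing=$sharing"
        return 0
    fi

    # Average only: one huge list of zero-filled pages can hide behind a
    # moderate average, so treat a low value as "no evidence", not "safe".
    avg=$((sharing / shared))

    if [ -n "$limit" ]; then
        verdict=bounded
    elif [ "$avg" -gt "$warn" ]; then
        verdict=unbounded-high
    else
        verdict=unbounded
    fi
    echo "$verdict pages_shared=$shared pages_sharing=$sharing avg=$avg max_page_sharing=${limit:-absent}"
    return 0
}

ksm_sharing_report "$@"
```

  The average is a hint rather than a measurement of the longest list; the
  exact length of one stable_node's list still needs a crash dump as in the
  report.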

