This bug was fixed in the package linux - 4.2.0-21.25

---------------
linux (4.2.0-21.25) wily; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1522108

  [ Upstream Kernel Changes ]

  * staging/dgnc: fix info leak in ioctl
    - LP: #1509565
    - CVE-2015-7885
  * [media] media/vivid-osd: fix info leak in ioctl
    - LP: #1509564
    - CVE-2015-7884
  * KEYS: Fix race between key destruction and finding a keyring by name
    - LP: #1508856
    - CVE-2015-7872
  * KEYS: Fix crash when attempt to garbage collect an uninstantiated keyring
    - LP: #1508856
    - CVE-2015-7872
  * KEYS: Don't permit request_key() to construct a new keyring
    - LP: #1508856
    - CVE-2015-7872
  * isdn_ppp: Add checks for allocation failure in isdn_ppp_open()
    - LP: #1508329
    - CVE-2015-7799
  * ppp, slip: Validate VJ compression slot parameters completely
    - LP: #1508329
    - CVE-2015-7799

linux (4.2.0-20.24) wily; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1521753

  [ Andy Whitcroft ]

  * [Tests] gcc-multilib does not exist on ppc64el
    - LP: #1515541

  [ Joseph Salisbury ]

  * SAUCE: scsi_sysfs: protect against double execution of __scsi_remove_device()
    - LP: #1509029

  [ Manoj Kumar ]

  * SAUCE: (noup) cxlflash: Fix to escalate LINK_RESET also on port 1
    - LP: #1513583

  [ Matthew R. Ochs ]

  * SAUCE: (noup) cxlflash: Fix to avoid virtual LUN failover failure
    - LP: #1513583

  [ Oren Givon ]

  * SAUCE: (noup) iwlwifi: Add new PCI IDs for the 8260 series
    - LP: #1517375

  [ Seth Forshee ]

  * [Config] CONFIG_DRM_AMDGPU_CIK=n
    - LP: #1510405

  [ Upstream Kernel Changes ]

  * net/mlx5e: Disable VLAN filter in promiscuous mode
    - LP: #1514861
  * drivers: net: xgene: fix RGMII 10/100Mb mode
    - LP: #1433290
  * HID: rmi: Disable scanning if the device is not a wake source
    - LP: #1515503
  * HID: rmi: Set F01 interrupt enable register when not set
    - LP: #1515503
  * net/mlx5e: Ethtool link speed setting fixes
    - LP: #1517919
  * scsi_scan: don't dump trace when scsi_prep_async_scan() is called twice
    - LP: #1517942
  * x86/ioapic: Disable interrupts when re-routing legacy IRQs
    - LP: #1508593
  * xhci: Workaround to get Intel xHCI reset working more reliably
  * megaraid_sas: Do not use PAGE_SIZE for max_sectors
    - LP: #1475166
  * net: usb: cdc_ether: add Dell DW5580 as a mobile broadband adapter
    - LP: #1513847
  * KVM: svm: unconditionally intercept #DB
    - LP: #1520184
    - CVE-2015-8104

 -- Luis Henriques <luis.henriq...@canonical.com>  Wed, 02 Dec 2015 17:30:58 +0000

** Changed in: linux (Ubuntu Wily)
       Status: Fix Committed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-7799

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-7872

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-7884

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-7885

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-8104

--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1508593

Title:
  [Hyper-V] x86/ioapic: Disable interrupts when re-routing legacy IRQs

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Trusty:
  In Progress
Status in linux source package in Vivid:
  In Progress
Status in linux source package in Wily:
  Fix Released

Bug description:

A sporadic hang with consequent crash is observed when booting Hyper-V
Gen1 guests...

Sauce request for upstream submission:
https://lkml.org/lkml/2015/10/15/673

From Vitaly Kuznetsov <>
Subject [PATCH] x86/ioapic: Disable interrupts when re-routing legacy IRQs
Date Thu, 15 Oct 2015 19:42:23 +0200

A sporadic hang with consequent crash is observed when booting Hyper-V
Gen1 guests:

 Call Trace:
  <IRQ>
  [<ffffffff810ab68d>] ? trace_hardirqs_off+0xd/0x10
  [<ffffffff8107b616>] queue_work_on+0x46/0x90
  [<ffffffff81365696>] ? add_interrupt_randomness+0x176/0x1d0
  ...
  <EOI>
  [<ffffffff81471ddb>] ? _raw_spin_unlock_irqrestore+0x3b/0x60
  [<ffffffff810c295e>] __irq_put_desc_unlock+0x1e/0x40
  [<ffffffff810c5c35>] irq_modify_status+0xb5/0xd0
  [<ffffffff8104adbb>] mp_register_handler+0x4b/0x70
  [<ffffffff8104c55a>] mp_irqdomain_alloc+0x1ea/0x2a0
  [<ffffffff810c7f10>] irq_domain_alloc_irqs_recursive+0x40/0xa0
  [<ffffffff810c860c>] __irq_domain_alloc_irqs+0x13c/0x2b0
  [<ffffffff8104b070>] alloc_isa_irq_from_domain.isra.1+0xc0/0xe0
  [<ffffffff8104bfa5>] mp_map_pin_to_irq+0x165/0x2d0
  [<ffffffff8104c157>] pin_2_irq+0x47/0x80
  [<ffffffff81744253>] setup_IO_APIC+0xfe/0x802
  ...
  [<ffffffff814631c0>] ? rest_init+0x140/0x140

The issue is easily reproducible with a simple instrumentation: if
mdelay(10) is put between mp_setup_entry() and mp_register_handler() calls
in mp_irqdomain_alloc() Hyper-V guest always fails to boot when re-routing
IRQ0.

The issue seems to be caused by the fact that we don't disable interrupts
while doing IOAPIC programming for legacy IRQs and IRQ0 actually happens.

Decorate manipulations with legacy IRQs with
local_irq_save()/local_irq_restore().

Cc: Thomas Gleixner <t...@linutronix.de> Cc: Ingo Molnar <mi...@redhat.com> Cc: "H. Peter Anvin" <h...@zytor.com> Cc: Jiang Liu <jiang....@linux.intel.com> Cc: Yinghai Lu <ying...@kernel.org> Cc: K. Y. Srinivasan <k...@microsoft.com> Signed-off-by: Vitaly Kuznetsov <vkuzn...@redhat.com> --- It may make sense to have interrupts disabled for non-legacy IRQs as well but I'm unaware of any bugs with them at this moment. --- arch/x86/kernel/apic/io_apic.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/arch/x86/kernel/apic/io_apic.c b/arch/x86/kernel/apic/io_apic.c index 5c60bb1..9aac777 100644 --- a/arch/x86/kernel/apic/io_apic.c +++ b/arch/x86/kernel/apic/io_apic.c @@ -2907,6 +2907,7 @@ int mp_irqdomain_alloc(struct irq_domain *domain, unsigned int virq, struct irq_data *irq_data; struct mp_chip_data *data; struct irq_alloc_info *info = arg; + unsigned long flags = 0; if (!info || nr_irqs > 1) return -EINVAL; @@ -2939,11 +2940,16 @@ int mp_irqdomain_alloc(struct irq_domain *domain, unsigned int virq, cfg = irqd_cfg(irq_data); add_pin_to_irq_node(data, ioapic_alloc_attr_node(info), ioapic, pin); + + if (virq < nr_legacy_irqs()) + local_irq_save(flags); if (info->ioapic_entry) mp_setup_entry(cfg, data, info->ioapic_entry); mp_register_handler(virq, data->trigger); - if (virq < nr_legacy_irqs()) + if (virq < nr_legacy_irqs()) { legacy_pic->mask(virq); + local_irq_restore(flags); + } apic_printk(APIC_VERBOSE, KERN_DEBUG "IOAPIC[%d]: Set routing entry (%d-%d -> 0x%x -> IRQ %d Mode:%i Active:%i Dest:%d)\n", -- 2.4.3 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1508593/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
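
Review bot: in the first hunk (@@ -2907,6 +2907,7 @@), `unsigned long flags = 0;` carries an initializer that is only needed because the save and the restore in the second hunk sit under two separate `if (virq < nr_legacy_irqs())` tests. Evaluating that condition once into a local before add_pin_to_irq_node() and testing the local in both places would make the save/restore pairing explicit, and `flags` could then be declared without an initializer, as is usual for local_irq_save().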
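
Review bot: in the second hunk (@@ -2939,11 +2940,16 @@), interrupts are disabled around mp_setup_entry(), mp_register_handler() and legacy_pic->mask(virq) with no code comment saying why, and only when `virq < nr_legacy_irqs()`. The reason lives solely in the commit message (IRQ0 arriving while the entry is being programmed), and the remark after the `---` separator says non-legacy IRQs might need the same treatment. A short comment above `local_irq_save(flags);` naming the race and why the guard is limited to legacy IRQs would keep that reasoning with the code.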