This bug was fixed in the package linux - 4.4.0-57.78

linux (4.4.0-57.78) xenial; urgency=low

  * Release Tracking Bug
    - LP: #1648867

  * Miscellaneous Ubuntu changes
    - SAUCE: Do not build the xr-usb-serial driver for s390

linux (4.4.0-56.77) xenial; urgency=low

  * Release Tracking Bug
    - LP: #1648867

  * Release Tracking Bug
    - LP: #1648579

  * CONFIG_NR_CPUS=256 is too low (LP: #1579205)
    - [Config] Increase the NR_CPUS to 512 for amd64 to support systems with a
      large number of cores.

  * NVMe drives in Amazon AWS instance fail to initialize (LP: #1648449)
    - SAUCE: (no-up) NVMe: only setup MSIX once

linux (4.4.0-55.76) xenial; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1648503

  * NVMe driver accidentally reverted to use GSI instead of MSIX (LP: #1647887)
    - (fix) NVMe: restore code to always use MSI/MSI-x interrupts

linux (4.4.0-54.75) xenial; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1648017

  * Update hio driver to (LP: #1646643)
    - SAUCE: hio: update to Huawei ES3000_V2 (

  * linux: Enable live patching for all supported architectures (LP: #1633577)
    - [Config] CONFIG_LIVEPATCH=y for s390x

  * Botched backport breaks level triggered EOIs in QEMU guests with --machine
    kernel_irqchip=split (LP: #1644394)
    - kvm/irqchip: kvm_arch_irq_routing_update renaming split

  * Xenial update to v4.4.35 stable release (LP: #1645453)
    - x86/cpu/AMD: Fix cpu_llc_id for AMD Fam17h systems
    - KVM: x86: fix missed SRCU usage in kvm_lapic_set_vapic_addr
    - KVM: Disable irq while unregistering user notifier
    - fuse: fix fuse_write_end() if zero bytes were copied
    - mfd: intel-lpss: Do not put device in reset state on suspend
    - can: bcm: fix warning in bcm_connect/proc_register
    - i2c: mux: fix up dependencies
    - kbuild: add -fno-PIE
    - scripts/has-stack-protector: add -fno-PIE
    - x86/kexec: add -fno-PIE
    - kbuild: Steal gcc's pie from the very beginning
    - ext4: sanity check the block and cluster size at mount time
    - crypto: caam - do not register AES-XTS mode on LP units
    - drm/amdgpu: Attach exclusive fence to prime exported bo's. (v5)
    - clk: mmp: pxa910: fix return value check in pxa910_clk_init()
    - clk: mmp: pxa168: fix return value check in pxa168_clk_init()
    - clk: mmp: mmp2: fix return value check in mmp2_clk_init()
    - rtc: omap: Fix selecting external osc
    - iwlwifi: pcie: fix SPLC structure parsing
    - mfd: core: Fix device reference leak in mfd_clone_cell
    - uwb: fix device reference leaks
    - PM / sleep: fix device reference leak in test_suspend
    - PM / sleep: don't suspend parent when async child suspend_{noirq, late}
    - IB/mlx4: Check gid_index return value
    - IB/mlx4: Fix create CQ error flow
    - IB/mlx5: Use cache line size to select CQE stride
    - IB/mlx5: Fix fatal error dispatching
    - IB/core: Avoid unsigned int overflow in sg_alloc_table
    - IB/uverbs: Fix leak of XRC target QPs
    - IB/cm: Mark stale CM id's whenever the mad agent was unregistered
    - netfilter: nft_dynset: fix element timeout for HZ != 1000
    - Linux 4.4.35

  * Upstream stable 4.4.34 and 4.8.10 regression (LP: #1645278)
    - flow_dissect: call init_default_flow_dissectors() earlier

  * AD5593R configurable multi-channel converter support (LP: #1644726)
    - iio: dac: Add support for the AD5592R/AD5593R ADCs/DACs
    - iio: dac: ad5592r: Off by one bug in ad5592r_alloc_channels()
    - [Config] CONFIG_AD5592R/AD5593R=m

  * ST Micro lps22hb pressure sensor support (LP: #1642258)
    - iio:st_pressure:initial lps22hb sensor support
    - iio:st_pressure: align storagebits on power of 2
    - iio:st_pressure: document sampling gains
    - iio:st_pressure:lps22hb: temperature support

  * Fix Kernel Crashing under IBM Virtual Scsi Driver (LP: #1642299)
    - SAUCE: ibmvscsis: Rearrange functions for future patches
    - SAUCE: ibmvscsis: Synchronize cmds at tpg_enable_store time
    - SAUCE: ibmvscsis: Synchronize cmds at remove time
    - SAUCE: ibmvscsis: Clean up properly if target_submit_cmd/tmr fails
    - SAUCE: ibmvscsis: Return correct partition name/# to client
    - SAUCE: ibmvscsis: Issues from Dan Carpenter/Smatch

  * System stalls when creating device node on booting (LP: #1643797)
    - sched/fair: Fix new task's load avg removed from source CPU in

  * nvme: improve performance for virtual Google NVMe devices (LP: #1637565)
    - blk-mq: add blk_mq_alloc_request_hctx
    - nvme.h: add NVMe over Fabrics definitions
    - SAUCE: nvme: improve performance for virtual NVMe devices

  * Move some kernel modules to the main kernel package (LP: #1642228)
    - [Config] Move some powerpc kernel modules to the main kernel package

  * sched: Match-all classifier is missing in xenial (LP: #1642514)
    - net/sched: introduce Match-all classifier

  * Xenial update to 4.4.34 stable release (LP: #1643637)
    - dctcp: avoid bogus doubling of cwnd after loss
    - net: clear sk_err_soft in sk_clone_lock()
    - net: mangle zero checksum in skb_checksum_help()
    - bgmac: stop clearing DMA receive control register right after it is set
    - ip6_tunnel: Clear IP6CB in ip6tunnel_xmit()
    - tcp: fix potential memory corruption
    - dccp: do not send reset to already closed sockets
    - dccp: fix out of bound access in dccp_v4_err()
    - ipv6: dccp: fix out of bound access in dccp_v6_err()
    - ipv6: dccp: add missing bind_conflict to dccp_ipv6_mapped
    - sctp: assign assoc_id earlier in __sctp_connect
    - fib_trie: Correct /proc/net/route off by one error
    - sock: fix sendmmsg for partial sendmsg
    - net: __skb_flow_dissect() must cap its return value
    - ipv4: use new_gw for redirect neigh lookup
    - tcp: take care of truncations done by sk_filter()
    - tty: Prevent ldisc drivers from re-using stale tty fields
    - sparc: Don't leak context bits into thread->fault_address
    - sparc: serial: sunhv: fix a double lock bug
    - sparc64 mm: Fix base TSB sizing when hugetlb pages are used
    - sparc: Handle negative offsets in arch_jump_label_transform
    - sparc64: Handle extremely large kernel TSB range flushes sanely.
    - sparc64: Fix illegal relative branches in hypervisor patched TLB code.
    - sparc64: Fix instruction count in comment for
    - sparc64: Fix illegal relative branches in hypervisor patched TLB 
    - sparc64: Handle extremely large kernel TLB range flushes more gracefully.
    - sparc64: Delete __ret_efault.
    - sparc64: Prepare to move to more saner user copy exception handling.
    - sparc64: Convert copy_in_user to accurate exception reporting.
    - sparc64: Convert GENcopy_{from,to}_user to accurate exception reporting.
    - sparc64: Convert U1copy_{from,to}_user to accurate exception reporting.
    - sparc64: Convert NG4copy_{from,to}_user to accurate exception reporting.
    - sparc64: Convert NGcopy_{from,to}_user to accurate exception reporting.
    - sparc64: Convert NG2copy_{from,to}_user to accurate exception reporting.
    - sparc64: Convert U3copy_{from,to}_user to accurate exception reporting.
    - sparc64: Delete now unused user copy assembler helpers.
    - sparc64: Delete now unused user copy fixup functions.
    - Linux 4.4.34

  * Xenial update to v4.4.33 stable release (LP: #1642968)
    - ALSA: info: Return error for invalid read/write
    - ALSA: info: Limit the proc text input size
    - ASoC: cs4270: fix DAPM stream name mismatch
    - dib0700: fix nec repeat handling
    - swapfile: fix memory corruption via malformed swapfile
    - coredump: fix unfreezable coredumping task
    - s390/hypfs: Use get_free_page() instead of kmalloc to ensure page 
    - ARC: timer: rtc: implement read loop in "C" vs. inline asm
    - pinctrl: cherryview: Serialize register access in suspend/resume
    - pinctrl: cherryview: Prevent possible interrupt storm on resume
    - staging: iio: ad5933: avoid uninitialized variable in error case
    - drivers: staging: nvec: remove bogus reset command for PS/2 interface
    - Revert "staging: nvec: ps2: change serio type to passthrough"
    - staging: nvec: remove managed resource from PS2 driver
    - USB: cdc-acm: fix TIOCMIWAIT
    - usb: gadget: u_ether: remove interrupt throttling
    - drbd: Fix kernel_sendmsg() usage - potential NULL deref
    - toshiba-wmi: Fix loading the driver on non Toshiba laptops
    - clk: qoriq: Don't allow CPU clocks higher than starting value
    - iio: hid-sensors: Increase the precision of scale to fix wrong reading
    - iio: orientation: hid-sensor-rotation: Add PM function (fix non working
    - scsi: qla2xxx: Fix scsi scan hang triggered if adapter fails during init
    - scsi: mpt3sas: Fix for block device of raid exists even after deleting 
    - KVM: MIPS: Precalculate MMIO load resume PC
    - drm/i915: Respect alternate_ddc_pin for all DDI ports
    - dmaengine: at_xdmac: fix spurious flag status for mem2mem transfers
    - tty/serial: at91: fix hardware handshake on Atmel platforms
    - iommu/amd: Free domain id when free a domain of struct dma_ops_domain
    - iommu/vt-d: Fix dead-locks in disable_dmar_iommu() path
    - mei: bus: fix received data size check in NFC fixup
    - lib/genalloc.c: start search from start of chunk
    - hwrng: core - Don't use a stack buffer in add_early_randomness()
    - i40e: fix call of ndo_dflt_bridge_getlink()
    - ACPI / APEI: Fix incorrect return value of ghes_proc()
    - ASoC: sun4i-codec: return error code instead of NULL when create_card 
    - mmc: mxs: Initialize the spinlock prior to using it
    - btrfs: qgroup: Prevent qgroup->reserved from going subzero
    - netfilter: fix namespace handling in nf_log_proc_dostring
    - Linux 4.4.33

  * Xenial update to 4.4.32 stable release (LP: #1642573)
    - tcp: fix overflow in __tcp_retransmit_skb()
    - net: avoid sk_forward_alloc overflows
    - tcp: fix wrong checksum calculation on MTU probing
    - tcp: fix a compile error in DBGUNDO()
    - ip6_gre: fix flowi6_proto value in ip6gre_xmit_other()
    - ipmr, ip6mr: fix scheduling while atomic and a deadlock with 
    - tg3: Avoid NULL pointer dereference in tg3_io_error_detected()
    - net: fec: set mac address unconditionally
    - net: pktgen: fix pkt_size
    - net/sched: act_vlan: Push skb->data to mac_header prior calling 
    - net: Add netdev all_adj_list refcnt propagation to fix panic
    - packet: call fanout_release, while UNREGISTERING a netdev
    - netlink: do not enter direct reclaim from netlink_dump()
    - ipv6: tcp: restore IP6CB for pktoptions skbs
    - ip6_tunnel: fix ip6_tnl_lookup
    - net: pktgen: remove rcu locking in pktgen_change_name()
    - bridge: multicast: restore perm router ports on multicast enable
    - rtnetlink: Add rtnexthop offload flag to compare mask
    - net: add recursion limit to GRO
    - ipv4: disable BH in set_ping_group_range()
    - ipv4: use the right lock for ping_group_range
    - net: sctp, forbid negative length
    - udp: fix IP_CHECKSUM handling
    - net sched filters: fix notification of filter delete with proper handle
    - sctp: validate chunk len before actually using it
    - packet: on direct_xmit, limit tso and csum to supported devices
    - of: silence warnings due to max() usage
    - Revert KVM: MIPS: Drop other CPU ASIDs on guest MMU changes
    - KVM: MIPS: Drop other CPU ASIDs on guest MMU changes
    - drm/amdgpu/dp: add back special handling for NUTMEG
    - drm/amdgpu: fix DP mode validation
    - drm/radeon: fix DP mode validation
    - scsi: megaraid_sas: fix macro MEGASAS_IS_LOGICAL to avoid regression
    - Linux 4.4.32

  * Xenial update to 4.4.31 stable release (LP: #1642572)
    - i2c: xgene: Avoid dma_buffer overrun
    - i2c: core: fix NULL pointer dereference under race condition
    - drm/dp/mst: Clear port->pdt when tearing down the i2c adapter
    - h8300: fix syscall restarting
    - libxfs: clean up _calc_dquots_per_chunk
    - mm/list_lru.c: avoid error-path NULL pointer deref
    - mm: memcontrol: do not recurse in direct reclaim
    - ALSA: usb-audio: Add quirk for Syntek STK1160
    - ALSA: hda - Merge RIRB_PRE_DELAY into CTX_WORKAROUND caps
    - ALSA: hda - Raise AZX_DCAPS_RIRB_DELAY handling into top drivers
    - ALSA: hda - allow 40 bit DMA mask for NVidia devices
    - ALSA: hda - Adding a new group of pin cfg into ALC295 pin quirk table
    - ALSA: hda - Fix headset mic detection problem for two Dell laptops
    - ANDROID: binder: Add strong ref checks
    - ANDROID: binder: Clear binder and cookie when setting handle in flat 
    - btrfs: fix races on root_log_ctx lists
    - ubifs: Abort readdir upon error
    - ubifs: Fix regression in ubifs_readdir()
    - mei: txe: don't clean an unprocessed interrupt cause.
    - usb: gadget: function: u_ether: don't starve tx request queue
    - USB: serial: fix potential NULL-dereference at probe
    - USB: serial: ftdi_sio: add support for Infineon TriBoard TC2X7
    - xhci: use default USB_RESUME_TIMEOUT when resuming ports.
    - usb: increase ohci watchdog delay to 275 msec
    - Fix potential infoleak in older kernels
    - vt: clear selection before resizing
    - xhci: add restart quirk for Intel Wildcatpoint PCH
    - tty: limit terminal size to 4M chars
    - USB: serial: cp210x: fix tiocmget error handling
    - dm: free io_barrier after blk_cleanup_queue call
    - KVM: x86: fix wbinvd_dirty_mask use-after-free
    - KVM: MIPS: Make ERET handle ERL before EXL
    - ovl: fsync after copy-up
    - parisc: Ensure consistent state when switching to kernel stack at syscall
    - virtio_ring: Make interrupt suppression spec compliant
    - virtio: console: Unlock vqs while freeing buffers
    - dm mirror: fix read error on recovery after default leg failure
    - Input: i8042 - add XMG C504 to keyboard reset table
    - firewire: net: guard against rx buffer overflows
    - firewire: net: fix fragmented datagram_size off-by-one
    - mac80211: discard multicast and 4-addr A-MSDUs
    - scsi: megaraid_sas: Fix data integrity failure for JBOD (passthrough)
    - scsi: scsi_debug: Fix memory leak if LBP enabled and module is unloaded
    - scsi: arcmsr: Send SYNCHRONIZE_CACHE command to firmware
    - mmc: dw_mmc-pltfm: fix the potential NULL pointer dereference
    - Revert "drm/radeon: fix DP link training issue with second 4K monitor"
    - drm/radeon/si_dpm: Limit clocks on HD86xx part
    - drm/radeon/si_dpm: workaround for SI kickers
    - drm/radeon: drop register readback in cayman_cp_int_cntl_setup
    - drm/dp/mst: Check peer device type before attempting EDID read
    - perf build: Fix traceevent plugins build race
    - x86/xen: fix upper bound of pmd loop in xen_cleanhighmap()
    - powerpc/ptrace: Fix out of bounds array access warning
    - ARM: 8584/1: floppy: avoid gcc-6 warning
    - mm/cma: silence warnings due to max() usage
    - drm/exynos: fix error handling in exynos_drm_subdrv_open
    - cgroup: avoid false positive gcc-6 warning
    - smc91x: avoid self-comparison warning
    - Disable "frame-address" warning
    - UBI: fastmap: scrub PEB when bitflips are detected in a free PEB EC header
    - pwm: Unexport children before chip removal
    - usb: dwc3: Fix size used in dma_free_coherent()
    - tty: vt, fix bogus division in csi_J
    - kvm: x86: Check memopp before dereference (CVE-2016-8630)
    - ubi: fastmap: Fix add_vol() return value test in ubi_attach_fastmap()
    - HID: usbhid: add ATEN CS962 to list of quirky devices
    - Linux 4.4.31

  * CVE-2016-6213
    - mnt: Add a per mount namespace limit on the number of mounts

  * ThinkPad T460 hotkeys stop working in Ubuntu 16.04 (LP: #1642114)
    - thinkpad_acpi: Add support for HKEY version 0x200

  * CVE-2016-4568
    - videobuf2-v4l2: Verify planes array in buffer dequeueing

  * [SRU] Add 0cf3:e009 to btusb (LP: #1641562)
    - Bluetooth: btusb: Add support for 0cf3:e009

  * Fix resource leak in btusb (LP: #1641569)
    - SAUCE: Bluetooth: decrease refcount after use

  * WiFi LED doesn't work on some Edge Gateway units (LP: #1640418)
    - SAUCE: mwifiex: Use PCI ID instead of DMI ID to identify Edge Gateways

  * [Hyper-V] do not lose pending heartbeat vmbus packets (LP: #1632786)
    - hv: do not lose pending heartbeat vmbus packets

  * ipv6: connected routes are missing after a down/up cycle on the loopback
    (LP: #1634545)
    - ipv6: correctly add local routes when lo goes up

  * audit: prevent a new auditd to stop an old auditd still alive (LP: #1633404)
    - audit: stop an old auditd being starved out by a new auditd

  * hv_set_ifconfig script parsing fails for certain configuration
    (LP: #1640109)
    - hv_set_ifconfig -- handle DHCP interfaces correctly
    - hv_set_ifconfig -- ensure we include the last stanza

  * CVE-2016-7039 and CVE-2016-8666 (LP: #1631287)
    - Revert "UBUNTU: SAUCE: net: add recursion limit to GRO"

 -- Brad Figg <>  Fri, 09 Dec 2016 10:51:16 -0800

** Changed in: linux (Ubuntu Xenial)
       Status: Fix Committed => Fix Released

** CVE added:

** CVE added:

** CVE added:

** CVE added:

** Changed in: linux (Ubuntu Yakkety)
       Status: Fix Committed => Fix Released

You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.

  ipv6: connected routes are missing after a down/up cycle on the

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Trusty:
  Fix Released
Status in linux source package in Vivid:
  Fix Released
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Yakkety:
  Fix Released

Bug description:
  This upstream patch is missing:

  ipv6: correctly add local routes when lo goes up

  The goal of the patch is to fix this scenario:
   ip link add dummy1 type dummy
   ip link set dummy1 up
   ip link set lo down ; ip link set lo up

  After that sequence, the local route to the link layer address of dummy1 is
  not there anymore.

  When the loopback is set down, all local routes are deleted by
  addrconf_ifdown()/rt6_ifdown(). At this time, the rt6_info entry still
  exists, because the corresponding idev has a reference on it. After the rcu
  grace period, dst_rcu_free() is called, and thus ___dst_free(), which will
  set obsolete to DST_OBSOLETE_DEAD.

  In this case, init_loopback() is called before dst_rcu_free(), thus
  obsolete is still sets to something <= 0. So, the function doesn't add the
  route again. To avoid that race, let's check the rt6 refcnt instead.

  Fixes: 25fb6ca4ed9c ("net IPv6 : Fix broken IPv6 routing table after loopback 
  Fixes: a881ae1f625c ("ipv6: don't call addrconf_dst_alloc again when enable 
  Fixes: 33d99113b110 ("ipv6: reallocate addrconf router for ipv6 address when 
lo device up")
  Reported-by: Francesco Santoro <>
  Reported-by: Samuel Gauthier <>
  CC: Balakumaran Kannan <>
  CC: Maruthi Thotad <>
  CC: Sabrina Dubroca <>
  CC: Hannes Frederic Sowa <>
  CC: Weilong Chen <>
  CC: Gao feng <>
  Signed-off-by: Nicolas Dichtel <>
  Signed-off-by: David S. Miller <>

To manage notifications about this bug go to:

Mailing list:
Post to     :
Unsubscribe :
More help   :

Reply via email to