This bug was fixed in the package linux - 4.4.0-116.140

---------------
linux (4.4.0-116.140) xenial; urgency=medium

  * linux: 4.4.0-116.140 -proposed tracker (LP: #1748990)

  * BUG: unable to handle kernel NULL pointer dereference at 0000000000000009 (LP: #1748671)
    - SAUCE: net: ipv4: fix for a race condition in raw_sendmsg -- fix backport

linux (4.4.0-115.139) xenial; urgency=medium

  * linux: 4.4.0-115.138 -proposed tracker (LP: #1748745)

  * CVE-2017-5715 (Spectre v2 Intel)
    - Revert "UBUNTU: SAUCE: turn off IBPB when full retpoline is present"
    - SAUCE: turn off IBRS when full retpoline is present
    - [Packaging] retpoline files must be sorted
    - [Packaging] pull in retpoline files

linux (4.4.0-114.137) xenial; urgency=medium

  * linux: 4.4.0-114.137 -proposed tracker (LP: #1748484)

  * ALSA backport missing NVIDIA GPU codec IDs to patch table to Ubuntu 16.04 LTS Kernel (LP: #1744117)
    - ALSA: hda - Add missing NVIDIA GPU codec IDs to patch table

  * Shutdown hang on 16.04 with iscsi targets (LP: #1569925)
    - scsi: libiscsi: Allow sd_shutdown on bad transport

  * libata: apply MAX_SEC_1024 to all LITEON EP1 series devices (LP: #1743053)
    - libata: apply MAX_SEC_1024 to all LITEON EP1 series devices

  * KVM patches for s390x to provide facility bits 81 (ppa15) and 82 (bpb) (LP: #1747090)
    - KVM: s390: wire up bpb feature
    - KVM: s390: Enable all facility bits that are known good for passthrough

  * CVE-2017-5715 (Spectre v2 Intel)
    - SAUCE: drop lingering gmb() macro
    - x86/feature: Enable the x86 feature to control Speculation
    - x86/feature: Report presence of IBPB and IBRS control
    - x86/enter: MACROS to set/clear IBRS and set IBPB
    - x86/enter: Use IBRS on syscall and interrupts
    - x86/idle: Disable IBRS entering idle and enable it on wakeup
    - x86/idle: Disable IBRS when offlining cpu and re-enable on wakeup
    - x86/mm: Set IBPB upon context switch
    - x86/mm: Only set IBPB when the new thread cannot ptrace current thread
    - x86/kvm: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD to kvm
    - x86/kvm: Set IBPB when switching VM
    - x86/kvm: Toggle IBRS on VM entry and exit
    - x86/spec_ctrl: Add sysctl knobs to enable/disable SPEC_CTRL feature
    - x86/spec_ctrl: Add lock to serialize changes to ibrs and ibpb control
    - x86/cpu/amd, kvm: Satisfy guest kernel reads of IC_CFG MSR
    - x86/cpu/AMD: Add speculative control support for AMD
    - x86/microcode: Extend post microcode reload to support IBPB feature
    - KVM: SVM: Do not intercept new speculative control MSRs
    - x86/svm: Set IBRS value on VM entry and exit
    - x86/svm: Set IBPB when running a different VCPU
    - KVM: x86: Add speculative control CPUID support for guests
    - SAUCE: Fix spec_ctrl support in KVM
    - SAUCE: turn off IBPB when full retpoline is present

linux (4.4.0-113.136) xenial; urgency=low

  * linux: 4.4.0-113.136 -proposed tracker (LP: #1746936)

  [ Stefan Bader ]
  * Missing install-time driver for QLogic QED 25/40/100Gb Ethernet NIC (LP: #1743638)
    - [d-i] Add qede to nic-modules udeb

  * CVE-2017-5753 (Spectre v1 Intel)
    - x86/cpu/AMD: Make the LFENCE instruction serialized
    - x86/cpu/AMD: Remove now unused definition of MFENCE_RDTSC feature
    - SAUCE: reinstate MFENCE_RDTSC feature definition
    - locking/barriers: introduce new observable speculation barrier
    - bpf: prevent speculative execution in eBPF interpreter
    - x86, bpf, jit: prevent speculative execution when JIT is enabled
    - SAUCE: FIX: x86, bpf, jit: prevent speculative execution when JIT is enabled
    - carl9170: prevent speculative execution
    - qla2xxx: prevent speculative execution
    - Thermal/int340x: prevent speculative execution
    - ipv4: prevent speculative execution
    - ipv6: prevent speculative execution
    - fs: prevent speculative execution
    - net: mpls: prevent speculative execution
    - udf: prevent speculative execution
    - userns: prevent speculative execution
    - SAUCE: claim mitigation via observable speculation barrier
    - SAUCE: powerpc: add osb barrier
    - SAUCE: s390/spinlock: add osb memory barrier
    - SAUCE: arm64: no osb() implementation yet
    - SAUCE: arm: no osb() implementation yet

  * CVE-2017-5715 (Spectre v2 retpoline)
    - x86/cpuid: Provide get_scattered_cpuid_leaf()
    - x86/cpu: Factor out application of forced CPU caps
    - x86/cpufeatures: Make CPU bugs sticky
    - x86/cpufeatures: Add X86_BUG_CPU_INSECURE
    - x86/cpu, x86/pti: Do not enable PTI on AMD processors
    - x86/pti: Rename BUG_CPU_INSECURE to BUG_CPU_MELTDOWN
    - x86/cpufeatures: Add X86_BUG_SPECTRE_V[12]
    - x86/cpu: Merge bugs.c and bugs_64.c
    - sysfs/cpu: Add vulnerability folder
    - x86/cpu: Implement CPU vulnerabilites sysfs functions
    - x86/alternatives: Add missing '\n' at end of ALTERNATIVE inline asm
    - x86/mm/32: Move setup_clear_cpu_cap(X86_FEATURE_PCID) earlier
    - x86/asm: Use register variable to get stack pointer value
    - x86/kbuild: enable modversions for symbols exported from asm
    - x86/asm: Make asm/alternative.h safe from assembly
    - EXPORT_SYMBOL() for asm
    - kconfig.h: use __is_defined() to check if MODULE is defined
    - x86/retpoline: Add initial retpoline support
    - x86/spectre: Add boot time option to select Spectre v2 mitigation
    - x86/retpoline/crypto: Convert crypto assembler indirect jumps
    - x86/retpoline/entry: Convert entry assembler indirect jumps
    - x86/retpoline/ftrace: Convert ftrace assembler indirect jumps
    - x86/retpoline/hyperv: Convert assembler indirect jumps
    - x86/retpoline/xen: Convert Xen hypercall indirect jumps
    - x86/retpoline/checksum32: Convert assembler indirect jumps
    - x86/retpoline/irq32: Convert assembler indirect jumps
    - x86/retpoline: Fill return stack buffer on vmexit
    - x86/retpoline: Remove compile time warning
    - x86/retpoline: Add LFENCE to the retpoline/RSB filling RSB macros
    - module: Add retpoline tag to VERMAGIC
    - x86/mce: Make machine check speculation protected
    - retpoline: Introduce start/end markers of indirect thunk
    - kprobes/x86: Blacklist indirect thunk functions for kprobes
    - kprobes/x86: Disable optimizing on the function jumps to indirect thunk
    - x86/retpoline: Optimize inline assembler for vmexit_fill_RSB
    - [Config] CONFIG_RETPOLINE=y
    - [Packaging] retpoline -- add call site validation
    - [Config] disable retpoline checks for
      first upload

  * CVE-2017-5715 (revert embargoed) // CVE-2017-5753 (revert embargoed)
    - Revert "UBUNTU: SAUCE: Fix spec_ctrl support in KVM"
    - Revert "x86/cpuid: Provide get_scattered_cpuid_leaf()"
    - Revert "kvm: vmx: Scrub hardware GPRs at VM-exit"
    - Revert "Revert "x86/svm: Add code to clear registers on VM exit""
    - Revert "UBUNTU: SAUCE: x86/microcode: Extend post microcode reload to support IBPB feature -- repair missmerge"
    - Revert "arm: no gmb() implementation yet"
    - Revert "arm64: no gmb() implementation yet"
    - Revert "UBUNTU: SAUCE: x86/kvm: Fix stuff_RSB() for 32-bit"
    - Revert "s390/spinlock: add gmb memory barrier"
    - Revert "powerpc: add gmb barrier"
    - Revert "x86/cpu/AMD: Remove now unused definition of MFENCE_RDTSC feature"
    - Revert "x86/cpu/AMD: Make the LFENCE instruction serialized"
    - Revert "x86/svm: Add code to clear registers on VM exit"
    - Revert "x86/svm: Add code to clobber the RSB on VM exit"
    - Revert "KVM: x86: Add speculative control CPUID support for guests"
    - Revert "x86/svm: Set IBPB when running a different VCPU"
    - Revert "x86/svm: Set IBRS value on VM entry and exit"
    - Revert "KVM: SVM: Do not intercept new speculative control MSRs"
    - Revert "x86/microcode: Extend post microcode reload to support IBPB feature"
    - Revert "x86/cpu/AMD: Add speculative control support for AMD"
    - Revert "x86/cpu/amd, kvm: Satisfy guest kernel reads of IC_CFG MSR"
    - Revert "x86/entry: Use retpoline for syscall's indirect calls"
    - Revert "x86/syscall: Clear unused extra registers on 32-bit compatible syscall entrance"
    - Revert "x86/syscall: Clear unused extra registers on syscall entrance"
    - Revert "x86/spec_ctrl: Add lock to serialize changes to ibrs and ibpb control"
    - Revert "x86/spec_ctrl: Add sysctl knobs to enable/disable SPEC_CTRL feature"
    - Revert "x86/kvm: Pad RSB on VM transition"
    - Revert "x86/kvm: Toggle IBRS on VM entry and exit"
    - Revert "x86/kvm: Set IBPB when switching VM"
    - Revert "x86/kvm: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD to kvm"
    - Revert "x86/entry: Stuff RSB for entry to kernel for non-SMEP platform"
    - Revert "x86/mm: Only set IBPB when the new thread cannot ptrace current thread"
    - Revert "x86/mm: Set IBPB upon context switch"
    - Revert "x86/idle: Disable IBRS when offlining cpu and re-enable on wakeup"
    - Revert "x86/idle: Disable IBRS entering idle and enable it on wakeup"
    - Revert "x86/enter: Use IBRS on syscall and interrupts"
    - Revert "x86/enter: MACROS to set/clear IBRS and set IBPB"
    - Revert "x86/feature: Report presence of IBPB and IBRS control"
    - Revert "x86/feature: Enable the x86 feature to control Speculation"
    - Revert "udf: prevent speculative execution"
    - Revert "net: mpls: prevent speculative execution"
    - Revert "fs: prevent speculative execution"
    - Revert "ipv6: prevent speculative execution"
    - Revert "userns: prevent speculative execution"
    - Revert "Thermal/int340x: prevent speculative execution"
    - Revert "qla2xxx: prevent speculative execution"
    - Revert "carl9170: prevent speculative execution"
    - Revert "uvcvideo: prevent speculative execution"
    - Revert "x86, bpf, jit: prevent speculative execution when JIT is enabled"
    - Revert "bpf: prevent speculative execution in eBPF interpreter"

  * CVE-2017-17712
    - net: ipv4: fix for a race condition in raw_sendmsg

  * upload urgency should be medium by default (LP: #1745338)
    - [Packaging] update urgency to medium by default

  * CVE-CVE-2017-12190
    - more bio_map_user_iov() leak fixes

  * CVE-2015-8952
    - mbcache2: reimplement mbcache
    - ext2: convert to mbcache2
    - ext4: convert to mbcache2
    - mbcache2: limit cache size
    - mbcache2: Use referenced bit instead of LRU
    - ext4: kill ext4_mballoc_ready
    - ext4: shortcut setting of xattr to the same value
    - mbcache: remove mbcache
    - mbcache2: rename to mbcache
    - mbcache: get rid of _e_hash_list_head
    - mbcache: add reusable flag to cache entries

  * CVE-2017-15115
    - sctp: do not peel off an assoc from one netns to another one

  * CVE-2017-8824
    - dccp: CVE-2017-8824: use-after-free in DCCP code

 -- Khalid Elmously <khalid.elmou...@canonical.com>  Mon, 12 Feb 2018 20:17:57 +0000

** Changed in: linux (Ubuntu Xenial)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2015-8952
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-12190
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-15115
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-17712
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5715
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5753
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-8824

-- 
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1748671

Title:
  BUG: unable to handle kernel NULL pointer dereference at 0000000000000009

Status in linux package in Ubuntu:
  Triaged
Status in linux source package in Xenial:
  Fix Released

Bug description:
  Got this bug/oops while running with the linux-image-4.4.0-113-generic (4.4.0-113.136) kernel from -proposed:

  BUG: unable to handle kernel NULL pointer dereference at 0000000000000009
  IP: [<ffffffffab413ad5>] csum_and_copy_from_iter+0x55/0x4c0
  PGD 0
  Oops: 0000 [#1] SMP
  Modules linked in: ctr ccm veth xt_CHECKSUM iptable_mangle xt_comment ec_sys bridge stp llc nf_log_ipv6 ip6table_filter ip6t_MASQUERADE nf_nat_masquerade_ipv6 ip6table_nat nf_nat_ipv6 ip6_tables nf_log_ip snd ghash_clmulni_intel soundcore r8169 psmouse input_leds cfg80211 rtsx_pci mii vhost_net vhost media ahci libahci macvtap macvlan mei_me mei kvm_intel kvm irqbypass tpm_crb i2c_hid intel_lpss_acpi inte
  CPU: 2 PID: 3997 Comm: dnsmasq Tainted: P W O 4.4.0-113-generic #136-Ubuntu
  Hardware name: System76 Lemur/Lemur, BIOS 5.12 02/17/2017
  task: ffff880830269e00 ti: ffff880035c44000 task.ti: ffff880035c44000
  RIP: 0010:[<ffffffffab413ad5>] [<ffffffffab413ad5>] csum_and_copy_from_iter+0x55/0x4c0
  RSP: 0018:ffff880035c47a18 EFLAGS: 00010246
  RAX: 00000000ab729fd0 RBX: 000000000000001c RCX: ffff880035c47e98
  RDX: ffff880035c47a94 RSI: 000000000000001c RDI: ffff8807ef1a7424
  RBP: ffff880035c47a80 R08: 0000000000000000 R09: ffff8807ef1a7424
  R10: ffff8807ef1a7424 R11: ffff8807ef1a7400 R12: ffff880035c47e98
  R13: 0000000000000000 R14: 00ffffffabea6920 R15: 0000000000000001
  FS: 00007ff2b234d880(0000) GS:ffff88086ed00000(0000) knlGS:0000000000000000
  CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 0000000000000009 CR3: 0000000035c1e000 CR4: 0000000000360670
  Stack:
   ffff88084e001600 ffffffffab72d1d7 ffff880830f18500 ffff880035c47aaf
   ffff880035c47a94 00000000000001c0 00000000ffffffff b0f4001fc4815eea
   000000000000001c ffff880830f18500 0000000000000000 ffff880035c47d30
  Call Trace:
   [<ffffffffab72d1d7>] ? __alloc_skb+0x87/0x1f0
   [<ffffffffab782cb6>] ip_generic_getfrag+0x56/0xe0
   [<ffffffffab7abc0f>] raw_getfrag+0xaf/0x100
   [<ffffffffab78450a>] __ip_append_data.isra.45+0x98a/0xb90
   [<ffffffffab7abb60>] ? raw_recvmsg+0x1c0/0x1c0
   [<ffffffffab7abb60>] ? raw_recvmsg+0x1c0/0x1c0
   [<ffffffffab78478a>] ip_append_data.part.46+0x7a/0xe0
   [<ffffffffab785474>] ip_append_data+0x34/0x40
   [<ffffffffab7ac8a4>] raw_sendmsg+0x724/0xc00
   [<ffffffffab3a4ea0>] ? aa_sk_perm+0x70/0x210
   [<ffffffffab3a5761>] ? aa_sock_msg_perm+0x61/0x150
   [<ffffffffab7bc91b>] inet_sendmsg+0x6b/0xa0
   [<ffffffffab723b5e>] sock_sendmsg+0x3e/0x50
   [<ffffffffab724151>] SYSC_sendto+0x101/0x190
   [<ffffffffab729fd0>] ? sock_setsockopt+0x180/0x830
   [<ffffffffab397072>] ? apparmor_socket_setsockopt+0x22/0x30
   [<ffffffffab724c7e>] SyS_sendto+0xe/0x10
   [<ffffffffab84df9f>] entry_SYSCALL_64_fastpath+0x1c/0x93
  Code: f3 48 0f 47 de 48 85 db 0f 84 8b 01 00 00 8b 02 49 89 f9 49 89 cc 4c 8b 71 08 89 45 c4 8b 01 a8 04 0f 85 79 01 00 00 4c 8b 79 18 <4d> 8b 6f 08 4d 29 f5 49 39 dd 4c 0f 47 eb a8 02 0f 85 36 02 00
  RIP [<ffffffffab413ad5>] csum_and_copy_from_iter+0x55/0x4c0
   RSP <ffff880035c47a18>
  CR2: 0000000000000009
  ---[ end trace bdd9157c94a456b6 ]---

  The trigger is when I start an artful lxd container and it tries to get an IPv4/IPv6. Oddly enough, the same thing works perfectly for my xenial container.

  My lxd-bridge has dnsmasq contained by Apparmor which is non standard but always worked flawlessly.

  I can trigger the bug 100% of the time so validating any tentative fix should be easy.

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: linux-image-4.4.0-113-generic 4.4.0-113.136
  ProcVersionSignature: Ubuntu 4.4.0-112.135-generic 4.4.98
  Uname: Linux 4.4.0-112-generic x86_64
  NonfreeKernelModules: zfs zunicode zcommon znvpair zavl
  ApportVersion: 2.20.1-0ubuntu2.15
  Architecture: amd64
  AudioDevicesInUse:
   USER PID ACCESS COMMAND
   /dev/snd/controlC0: simon 7244 F.... pulseaudio
  CurrentDesktop: Unity
  CurrentDmesg: Error: command ['dmesg'] failed with exit code 1: dmesg: read kernel buffer failed: Operation not permitted
  Date: Sat Feb 10 16:45:26 2018
  HibernationDevice: RESUME=/dev/mapper/nvme0n1p3_crypt
  InstallationDate: Installed on 2016-12-06 (431 days ago)
  InstallationMedia: Ubuntu-Server 16.04.1 LTS "Xenial Xerus" - Beta amd64 (20161206)
  MachineType: System76 Lemur
  ProcFB: 0 inteldrmfb
  ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-4.4.0-112-generic.efi.signed root=UUID=49432620-38ed-44bd-912a-7bc51eec3a35 ro quiet splash possible_cpus=4 nmi_watchdog=0 kaslr vsyscall=none vt.handoff=7
  RelatedPackageVersions:
   linux-restricted-modules-4.4.0-112-generic N/A
   linux-backports-modules-4.4.0-112-generic N/A
   linux-firmware 1.157.16
  RfKill: Error: [Errno 2] No such file or directory: 'rfkill'
  SourcePackage: linux
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 02/17/2017
  dmi.bios.vendor: American Megatrends Inc.
  dmi.bios.version: 5.12
  dmi.board.asset.tag: Tag 12345
  dmi.board.name: Lemur
  dmi.board.vendor: System76
  dmi.board.version: lemu7
  dmi.chassis.asset.tag: No Asset Tag
  dmi.chassis.type: 10
  dmi.chassis.vendor: System76
  dmi.chassis.version: N/A
  dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvr5.12:bd02/17/2017:svnSystem76:pnLemur:pvrlemu7:rvnSystem76:rnLemur:rvrlemu7:cvnSystem76:ct10:cvrN/A:
  dmi.product.name: Lemur
  dmi.product.version: lemu7
  dmi.sys.vendor: System76
  ---
  ApportVersion: 2.20.1-0ubuntu2.15
  Architecture: amd64
  AudioDevicesInUse:
   USER PID ACCESS COMMAND
   /dev/snd/controlC0: simon 7244 F.... pulseaudio
  CurrentDesktop: Unity
  CurrentDmesg: Error: command ['dmesg'] failed with exit code 1: dmesg: read kernel buffer failed: Operation not permitted
  DistroRelease: Ubuntu 16.04
  HibernationDevice: RESUME=/dev/mapper/nvme0n1p3_crypt
  InstallationDate: Installed on 2016-12-06 (431 days ago)
  InstallationMedia: Ubuntu-Server 16.04.1 LTS "Xenial Xerus" - Beta amd64 (20161206)
  MachineType: System76 Lemur
  NonfreeKernelModules: zfs zunicode zcommon znvpair zavl
  Package: linux (not installed)
  ProcFB: 0 inteldrmfb
  ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-4.4.0-112-generic.efi.signed root=UUID=49432620-38ed-44bd-912a-7bc51eec3a35 ro quiet splash possible_cpus=4 nmi_watchdog=0 kaslr vsyscall=none vt.handoff=7
  ProcVersionSignature: Ubuntu 4.4.0-112.135-generic 4.4.98
  RelatedPackageVersions:
   linux-restricted-modules-4.4.0-112-generic N/A
   linux-backports-modules-4.4.0-112-generic N/A
   linux-firmware 1.157.16
  RfKill: Error: [Errno 2] No such file or directory
  Tags: xenial
  Uname: Linux 4.4.0-112-generic x86_64
  UpgradeStatus: No upgrade log present (probably fresh install)
  UserGroups: adm cdrom dip libvirtd lpadmin lxd plugdev sambashare sudo wireshark
  _MarkForUpload: True
  dmi.bios.date: 02/17/2017
  dmi.bios.vendor: American Megatrends Inc.
  dmi.bios.version: 5.12
  dmi.board.asset.tag: Tag 12345
  dmi.board.name: Lemur
  dmi.board.vendor: System76
  dmi.board.version: lemu7
  dmi.chassis.asset.tag: No Asset Tag
  dmi.chassis.type: 10
  dmi.chassis.vendor: System76
  dmi.chassis.version: N/A
  dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvr5.12:bd02/17/2017:svnSystem76:pnLemur:pvrlemu7:rvnSystem76:rnLemur:rvrlemu7:cvnSystem76:ct10:cvrN/A:
  dmi.product.name: Lemur
  dmi.product.version: lemu7
  dmi.sys.vendor: System76