This bug was fixed in the package linux - 4.4.0-142.168
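
A practitioner reading this notice usually wants one answer: is the kernel I am running at or past 4.4.0-142.168? The script below is added here as a worked example and is not part of the bug report or of the Ubuntu kernel tree. It assumes the version layouts used by the GA Xenial kernel: package versions of the form base-ABI.upload (4.4.0-142.168) and `uname -r` strings of the form base-ABI-flavour (4.4.0-142-generic), with no ~16.04.N HWE suffix. The sample version strings in the test cases are illustrative values, not claims about any particular upload. Because `uname -r` carries the ABI number but not the upload number, the running-kernel check is decided on the ABI and the dpkg package version is consulted for the exact upload.

```python
import re
import subprocess

# Fixed package version, taken from the bug notification above.
FIXED_PACKAGE_VERSION = "4.4.0-142.168"

# Ubuntu kernel package versions look like <base>-<abi>.<upload>, e.g. 4.4.0-142.168.
# Assumption: no "~16.04.N" HWE suffix (this bug concerns the GA Xenial kernel).
_PKG_RE = re.compile(r"^(\d+\.\d+\.\d+)-(\d+)\.(\d+)$")
# `uname -r` on these kernels looks like <base>-<abi>-<flavour>, e.g. 4.4.0-142-generic.
_RELEASE_RE = re.compile(r"^(\d+\.\d+\.\d+)-(\d+)-([A-Za-z0-9+.-]+)$")


def _base_tuple(base):
    return tuple(int(x) for x in base.split("."))


def parse_package_version(version):
    """Return (base, abi, upload) for an Ubuntu kernel package version."""
    m = _PKG_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised kernel package version: %r" % version)
    return _base_tuple(m.group(1)), int(m.group(2)), int(m.group(3))


def parse_uname_release(release):
    """Return (base, abi, flavour) from a `uname -r` string."""
    m = _RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    return _base_tuple(m.group(1)), int(m.group(2)), m.group(3)


def package_version_is_fixed(installed, fixed=FIXED_PACKAGE_VERSION):
    """True when the installed linux-image package is at or past the fixed
    version, False when it is older, None when the two come from different
    upstream series (an HWE kernel, say), about which this changelog says
    nothing.  ABI is compared before upload number, as dpkg would."""
    ibase, iabi, iupload = parse_package_version(installed)
    fbase, fabi, fupload = parse_package_version(fixed)
    if ibase != fbase:
        return None
    return (iabi, iupload) >= (fabi, fupload)


def running_kernel_is_fixed(release, fixed=FIXED_PACKAGE_VERSION):
    """Decide from `uname -r` alone.  The release string carries the ABI
    number but not the upload number, so an ABI equal to the fix's ABI is
    treated as fixed; confirm the exact upload with the dpkg version via
    check_this_host() when that matters.  None for a different series."""
    rbase, rabi, _flavour = parse_uname_release(release)
    fbase, fabi, _upload = parse_package_version(fixed)
    if rbase != fbase:
        return None
    return rabi >= fabi


def check_this_host(fixed=FIXED_PACKAGE_VERSION):
    """Run both checks on the local machine (Ubuntu with dpkg assumed)."""
    release = subprocess.check_output(["uname", "-r"], text=True).strip()
    result = {"release": release, "running_fixed": None,
              "package": None, "package_fixed": None}
    try:
        result["running_fixed"] = running_kernel_is_fixed(release, fixed)
        pkg = subprocess.check_output(
            ["dpkg-query", "-W", "-f=${Version}", "linux-image-" + release],
            text=True).strip()
        result["package"] = pkg
        result["package_fixed"] = package_version_is_fixed(pkg, fixed)
    except (OSError, subprocess.CalledProcessError, ValueError):
        pass  # not Ubuntu, package not installed, or an unexpected version format
    return result


if __name__ == "__main__":
    for key, value in check_this_host().items():
        print("%-14s %s" % (key + ":", value))
```

A None result means the host is on a different kernel series (for example the Xenial HWE kernel), which this notice does not cover; check that series' own changelog instead.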

linux (4.4.0-142.168) xenial; urgency=medium

  * linux: 4.4.0-142.168 -proposed tracker (LP: #1811846)

  * Packaging resync (LP: #1786013)
    - [Packaging] update helper scripts

  * iptables connlimit allows more connections than the limit when using
    multiple CPUs (LP: #1811094)
    - netfilter: xt_connlimit: don't store address in the conn nodes
    - SAUCE: netfilter: xt_connlimit: remove the 'addr' parameter in add_hlist()
    - netfilter: nf_conncount: expose connection list interface
    - netfilter: nf_conncount: Fix garbage collection with zones
    - netfilter: nf_conncount: fix garbage collection confirm race
    - netfilter: nf_conncount: don't skip eviction when age is negative
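
The connlimit bug only shows up when many connections from the same source arrive at the same moment on different CPUs, so a sequential test will not reproduce it. The probe below is added here as a worked example (not code from the bug report or the kernel tree): it releases a burst of TCP connects simultaneously from one thread per attempt, holds every accepted connection open until the whole burst has finished, and reports how many were accepted at once. Run it against a service sitting behind a rule such as `-m connlimit --connlimit-above 10 -j REJECT --reject-with tcp-reset` (host, port and limit are the assumed command-line arguments); on a fixed kernel the worst case over several rounds stays at or below the limit. The local listener is a constructed stand-in for offline runs with no rule in front of it, so there every attempt is expected to succeed.

```python
import socket
import sys
import threading


def start_local_listener(backlog=128):
    """Constructed local target for offline runs: a listener on an ephemeral
    127.0.0.1 port.  Connections complete their handshake into the accept
    queue even though nothing calls accept(), which is all the probe needs."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(backlog)
    return srv, srv.getsockname()[1]


def count_concurrent_connections(host, port, attempts, timeout=3.0):
    """Open `attempts` TCP connections to host:port as simultaneously as
    possible (one thread each, released together by a barrier), keep each
    successful one open until every attempt has finished, and return how
    many were accepted.  A connlimit REJECT shows up as a failed connect,
    so the return value is the number the rule let exist at the same time."""
    accepted = [None] * attempts          # sockets that connected
    go = threading.Barrier(attempts)      # release all connects together

    def worker(i):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            go.wait(timeout)
            s.connect((host, port))
            accepted[i] = s               # hold it open; closed by the caller
        except (OSError, threading.BrokenBarrierError):
            s.close()

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(attempts)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    # Every accepted socket is still open here, so the count is the number of
    # simultaneous connections the limit allowed, not a sequential total.
    count = sum(1 for s in accepted if s is not None)
    for s in accepted:
        if s is not None:
            s.close()
    return count


def probe(host, port, limit, attempts=None, rounds=5):
    """Repeat the burst and report the worst round: the race in the unfixed
    kernel is timing-dependent, so a single quiet round proves little.
    The target should accept and close its connections between rounds;
    connlimit keeps counting connections the server has not fully closed."""
    attempts = attempts or limit * 2
    worst = 0
    for _ in range(rounds):
        worst = max(worst, count_concurrent_connections(host, port, attempts))
    return worst


if __name__ == "__main__":
    if len(sys.argv) == 4:
        # Real use: probe.py HOST PORT LIMIT against a service behind a
        # connlimit rule; attempts default to twice the limit.
        host, port, limit = sys.argv[1], int(sys.argv[2]), int(sys.argv[3])
        worst = probe(host, port, limit)
    else:
        # Offline demonstration against the constructed local listener:
        # no rule is in front of it, so every attempt should be accepted.
        srv, port = start_local_listener()
        try:
            limit = 20
            worst = probe("127.0.0.1", port, limit, attempts=limit, rounds=1)
        finally:
            srv.close()
    verdict = "within limit" if worst <= limit else "LIMIT EXCEEDED"
    print("limit %d, most simultaneous accepted connections in a burst: %d (%s)"
          % (limit, worst, verdict))
```

Run the probe from a host that is not itself the target, so the connections cross the firewall rule, and use more attempts than the limit; a result above the limit on a kernel older than 4.4.0-142.168 is the symptom this entry describes.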

  * CVE-2017-5715
    - SAUCE: x86/speculation: Cleanup IBPB runtime control handling
    - SAUCE: x86/speculation: Cleanup IBRS runtime control handling
    - SAUCE: x86/speculation: Use x86_spec_ctrl_base in entry/exit code
    - SAUCE: x86/speculation: Move RSB_CTXSW hunk

  * Xenial update: 4.4.167 upstream stable release (LP: #1811077)
    - media: em28xx: Fix use-after-free when disconnecting
    - Revert "wlcore: Add missing PM call for
    - rapidio/rionet: do not free skb before reading its length
    - s390/qeth: fix length check in SNMP processing
    - usbnet: ipheth: fix potential recvmsg bug and recvmsg bug 2
    - kvm: mmu: Fix race in emulated page table writes
    - xtensa: enable coprocessors that are being flushed
    - xtensa: fix coprocessor context offset definitions
    - Btrfs: ensure path name is null terminated at btrfs_control_ioctl
    - ALSA: wss: Fix invalid snd_free_pages() at error path
    - ALSA: ac97: Fix incorrect bit shift at AC97-SPSA control write
    - ALSA: control: Fix race between adding and removing a user element
    - ALSA: sparc: Fix invalid snd_free_pages() at error path
    - ext2: fix potential use after free
    - dmaengine: at_hdmac: fix memory leak in at_dma_xlate()
    - dmaengine: at_hdmac: fix module unloading
    - btrfs: release metadata before running delayed refs
    - USB: usb-storage: Add new IDs to ums-realtek
    - usb: core: quirks: add RESET_RESUME quirk for Cherry G230 Stream series
    - misc: mic/scif: fix copy-paste error in scif_create_remote_lookup
    - Kbuild: suppress packed-not-aligned warning for default setting only
    - exec: avoid gcc-8 warning for get_task_comm
    - disable stringop truncation warnings for now
    - kobject: Replace strncpy with memcpy
    - unifdef: use memcpy instead of strncpy
    - kernfs: Replace strncpy with memcpy
    - ip_tunnel: Fix name string concatenate in __ip_tunnel_create()
    - drm: gma500: fix logic error
    - scsi: bfa: convert to strlcpy/strlcat
    - staging: rts5208: fix gcc-8 logic error warning
    - kdb: use memmove instead of overlapping memcpy
    - iser: set sector for ambiguous mr status errors
    - uprobes: Fix handle_swbp() vs. unregister() + register() race once more
    - MIPS: ralink: Fix mt7620 nd_sd pinmux
    - mips: fix mips_get_syscall_arg o32 check
    - drm/ast: Fix incorrect free on ioregs
    - scsi: scsi_devinfo: cleanly zero-pad devinfo strings
    - ALSA: trident: Suppress gcc string warning
    - scsi: csiostor: Avoid content leaks and casts
    - kgdboc: Fix restrict error
    - kgdboc: Fix warning with module build
    - leds: call led_pwm_set() in leds-pwm to enforce default LED_OFF
    - leds: turn off the LED and wait for completion on unregistering LED class
    - leds: leds-gpio: Fix return value check in create_gpio_led()
    - Input: xpad - quirk all PDP Xbox One gamepads
    - Input: matrix_keypad - check for errors from of_get_named_gpio()
    - Input: elan_i2c - add ELAN0620 to the ACPI table
    - Input: elan_i2c - add ACPI ID for Lenovo IdeaPad 330-15ARR
    - Input: elan_i2c - add support for ELAN0621 touchpad
    - btrfs: Always try all copies when reading extent buffers
    - Btrfs: fix use-after-free when dumping free space
    - ARC: change defconfig defaults to ARCv2
    - arc: [devboards] Add support of NFSv3 ACL
    - mm: cleancache: fix corruption on missed inode invalidation
    - usb: gadget: dummy: fix nonsensical comparisons
    - iommu/vt-d: Fix NULL pointer dereference in prq_event_thread()
    - iommu/ipmmu-vmsa: Fix crash on early domain free
    - can: rcar_can: Fix erroneous registration
    - batman-adv: Expand merged fragment buffer for full packet
    - bnx2x: Assign unique DMAE channel number for FW DMAE transactions.
    - qed: Fix PTT leak in qed_drain()
    - qed: Fix reading wrong value in loop condition
    - net/mlx4_core: Zero out lkey field in SW2HW_MPT fw command
    - net/mlx4_core: Fix uninitialized variable compilation warning
    - net/mlx4: Fix UBSAN warning of signed integer overflow
    - net: faraday: ftmac100: remove netif_running(netdev) check before 
    - iommu/vt-d: Use memunmap to free memremap
    - net: amd: add missing of_node_put()
    - usb: quirk: add no-LPM quirk on SanDisk Ultra Flair device
    - usb: appledisplay: Add 27" Apple Cinema Display
    - USB: check usb_get_extra_descriptor for proper size
    - ALSA: usb-audio: Fix UAF decrement if card has no live interfaces in 
    - ALSA: hda: Add support for AMD Stoney Ridge
    - ALSA: pcm: Fix starvation on down_write_nonblock()
    - ALSA: pcm: Call snd_pcm_unlink() conditionally at closing
    - ALSA: pcm: Fix interval evaluation with openmin/max
    - virtio/s390: avoid race on vcdev->config
    - virtio/s390: fix race in ccw_io_helper()
    - SUNRPC: Fix leak of krb5p encode pages
    - xhci: Prevent U1/U2 link pm states if exit latency is too long
    - Staging: lustre: remove two build warnings
    - cifs: Fix separator when building path from dentry
    - tty: serial: 8250_mtk: always resume the device in probe.
    - kgdboc: fix KASAN global-out-of-bounds bug in param_set_kgdboc_var()
    - mac80211_hwsim: Timer should be initialized before device registered
    - mac80211: Clear beacon_int in ieee80211_do_stop
    - mac80211: ignore tx status for PS stations in ieee80211_tx_status_ext
    - mac80211: fix reordering of buffered broadcast packets
    - mac80211: ignore NullFunc frames in the duplicate detection
    - Linux 4.4.167

  * CVE-2018-19407
    - KVM: X86: Fix scan ioapic use-before-initialization

  * cpu-hotplug test in ubuntu_kernel_selftest always return 0 on Xenial
    (LP: #1809699)
    - selftests/cpu-hotplug: exit with failure when test occured unexpected

  * iommu - need to effectively disable iommu if "intel_iommu=off" is passed as
    a kernel parameter (LP: #1810328)
    - iommu/vt-d: Make sure IOMMUs are off when intel_iommu=off

  * ldisc crash on reopened tty (LP: #1791758)
    - tty: fix data race between tty_init_dev and flush of buf
    - tty: Drop tty->count on tty_reopen() failure
    - tty: Hold tty_ldisc_lock() during tty_reopen()
    - tty: Don't block on IO when ldisc change is pending
    - tty: Simplify tty->count math in tty_reopen()

  * Xenial update: 4.4.166 upstream stable release (LP: #1810967)
    - usb: core: Fix hub port connection events lost
    - usb: xhci: fix timeout for transition from RExit to U0
    - MAINTAINERS: Add Sasha as a stable branch maintainer
    - iwlwifi: mvm: support sta_statistics() even on older firmware
    - v9fs_dir_readdir: fix double-free on p9stat_read error
    - bfs: add sanity check at bfs_fill_super()
    - sctp: clear the transport of some out_chunk_list chunks in
    - gfs2: Don't leave s_fs_info pointing to freed memory in init_sbd
    - llc: do not use sk_eat_skb()
    - drm/ast: change resolution may cause screen blurred
    - drm/ast: fixed cursor may disappear sometimes
    - can: dev: can_get_echo_skb(): factor out non sending code to
    - can: dev: __can_get_echo_skb(): replace struct can_frame by canfd_frame to
      access frame length
    - can: dev: __can_get_echo_skb(): Don't crash the kernel if 
      is accessed out of bounds
    - can: dev: __can_get_echo_skb(): print error message, if trying to echo non
      existing skb
    - usb: xhci: Prevent bus suspend if a port connect change or polling state 
    - KVM: PPC: Move and undef TRACE_INCLUDE_PATH/FILE
    - cpufreq: imx6q: add return value check for voltage scale
    - SUNRPC: Fix a bogus get/put in generic_key_to_expire()
    - kdb: Use strscpy with destination buffer size
    - powerpc/numa: Suppress "VPHN is not supported" messages
    - tmpfs: make lseek(SEEK_DATA/SEK_HOLE) return ENXIO with a negative offset
    - of: add helper to lookup compatible child node
    - NFC: nfcmrvl_uart: fix OF child-node lookup
    - net: bcmgenet: fix OF child-node lookup
    - x86/entry: spell EBX register correctly in documentation
    - x86/entry/64: Remove %ebx handling from error_entry/exit
    - arm64: remove no-op -p linker flag
    - ath10k: fix kernel panic due to race in accessing arvif list
    - Input: xpad - remove spurious events of wireless xpad 360 controller
    - Input: xpad - handle "present" and "gone" correctly
    - Input: xpad - update Xbox One Force Feedback Support
    - Input: xpad - workaround dead irq_out after suspend/ resume
    - Input: xpad - use LED API when identifying wireless controllers
    - Input: xpad - correct xbox one pad device name
    - Input: xpad - remove unused function
    - Input: xpad - add Mad Catz FightStick TE 2 VID/PID
    - Input: xpad - prevent spurious input from wired Xbox 360 controllers
    - Input: xpad - add more third-party controllers
    - Input: xpad - xbox one elite controller support
    - Input: xpad - fix rumble on Xbox One controllers with 2015 firmware
    - Input: xpad - power off wireless 360 controllers on suspend
    - Input: xpad - add product ID for Xbox One S pad
    - Input: xpad - fix Xbox One rumble stopping after 2.5 secs
    - Input: xpad - correctly sort vendor id's
    - Input: xpad - move reporting xbox one home button to common function
    - Input: xpad - simplify error condition in init_output
    - Input: xpad - don't depend on endpoint order
    - Input: xpad - fix stuck mode button on Xbox One S pad
    - Input: xpad - restore LED state after device resume
    - Input: xpad - support some quirky Xbox One pads
    - Input: xpad - sort supported devices by USB ID
    - Input: xpad - sync supported devices with xboxdrv
    - Input: xpad - add USB IDs for Mad Catz Brawlstick and Razer Sabertooth
    - Input: xpad - sync supported devices with 360Controller
    - Input: xpad - sync supported devices with XBCD
    - Input: xpad - constify usb_device_id
    - Input: xpad - fix PowerA init quirk for some gamepad models
    - Input: xpad - validate USB endpoint type during probe
    - Input: xpad - add support for PDP Xbox One controllers
    - Input: xpad - add PDP device id 0x02a4
    - Input: xpad - fix some coding style issues
    - Input: xpad - avoid using __set_bit() for capabilities
    - Input: xpad - add GPD Win 2 Controller USB IDs
    - Input: xpad - fix GPD Win 2 controller name
    - Input: xpad - add support for Xbox1 PDP Camo series gamepad
    - cw1200: Don't leak memory if krealloc failes
    - mwifiex: Fix NULL pointer dereference in skb_dequeue()
    - mwifiex: fix p2p device doesn't find in scan problem
    - netfilter: nf_tables: fix oops when inserting an element into a verdict 
    - scsi: ufs: fix bugs related to null pointer access and array size
    - scsi: ufshcd: Fix race between clk scaling and ungate work
    - scsi: ufs: fix race between clock gating and devfreq scaling work
    - scsi: ufshcd: release resources if probe fails
    - scsi: qla2xxx: do not queue commands when unloading
    - iwlwifi: mvm: fix regulatory domain update when the firmware starts
    - tty: wipe buffer.
    - tty: wipe buffer if not echoing data
    - usb: xhci: fix uninitialized completion when USB3 port got wrong status
    - btrfs: Ensure btrfs_trim_fs can trim the whole filesystem
    - sched/core: Allow __sched_setscheduler() in interrupts when PI is not used
    - s390/mm: Check for valid vma before zapping in gmap_discard
    - drm/ast: Remove existing framebuffers before loading driver
    - Linux 4.4.166

  * Xenial update: 4.4.166 upstream stable release (LP: #1810967) //
    CVE-2000-1134 // CVE-2007-3852 // CVE-2008-0525 // CVE-2009-0416 //
    CVE-2011-4834 // CVE-2015-1838 // CVE-2015-7442 // CVE-2016-7489
    - namei: allow restricted O_CREAT of FIFOs and regular files

  * Xenial update: 4.4.165 upstream stable release (LP: #1810958)
    - flow_dissector: do not dissect l4 ports for fragments
    - ip_tunnel: don't force DF when MTU is locked
    - net-gro: reset skb->pkt_type in napi_reuse_skb()
    - tg3: Add PHY reset for 5717/5719/5720 in change ring and flow control 
    - ipv6: Fix PMTU updates for UDP/raw sockets in presence of VRF
    - kbuild: Add better clang cross build support
    - kbuild: clang: add -no-integrated-as to KBUILD_[AC]FLAGS
    - kbuild: Consolidate header generation from ASM offset information
    - kbuild: consolidate redundant sed script ASM offset generation
    - kbuild: fix asm-offset generation to work with clang
    - kbuild: drop -Wno-unknown-warning-option from clang options
    - kbuild, LLVMLinux: Add -Werror to cc-option to support clang
    - kbuild: use -Oz instead of -Os when using clang
    - kbuild: Add support to generate LLVM assembly files
    - modules: mark __inittest/__exittest as __maybe_unused
    - kbuild: clang: Disable 'address-of-packed-member' warning
    - crypto: arm64/sha - avoid non-standard inline asm tricks
    - efi/libstub/arm64: Force 'hidden' visibility for section markers
    - efi/libstub/arm64: Set -fpie when building the EFI stub
    - kbuild: fix linker feature test macros when cross compiling with Clang
    - kbuild: Set KBUILD_CFLAGS before incl. arch Makefile
    - kbuild: move cc-option and cc-disable-warning after incl. arch Makefile
    - kbuild: clang: fix build failures with sparse check
    - kbuild: clang: remove crufty HOSTCFLAGS
    - kbuild: clang: disable unused variable warnings only when constant
    - kbuild: set no-integrated-as before incl. arch Makefile
    - kbuild: allow to use GCC toolchain not in Clang search path
    - arm64: Disable asm-operand-width warning for clang
    - x86/kbuild: Use cc-option to enable -falign-{jumps/loops}
    - crypto, x86: aesni - fix token pasting for clang
    - x86/mm/kaslr: Use the _ASM_MUL macro for multiplication to work around 
    - kbuild: Add __cc-option macro
    - x86/build: Use __cc-option for boot code compiler options
    - x86/build: Specify stack alignment for clang
    - x86/boot: #undef memcpy() et al in string.c
    - x86/build: Fix stack alignment for CLang
    - x86/build: Use cc-option to validate stack alignment parameter
    - reiserfs: propagate errors from fill_with_dentries() properly
    - hfs: prevent btree data loss on root split
    - hfsplus: prevent btree data loss on root split
    - um: Give start_idle_thread() a return code
    - fs/exofs: fix potential memory leak in mount option parsing
    - clk: samsung: exynos5420: Enable PERIS clocks for suspend
    - platform/x86: acerhdf: Add BIOS entry for Gateway LT31 v1.3307
    - arm64: percpu: Initialize ret in the default case
    - s390/vdso: add missing FORCE to build targets
    - netfilter: ipset: actually allow allowable CIDR 0 in hash:net,port,net
    - s390/mm: Fix ERROR: "__node_distance" undefined!
    - netfilter: ipset: Correct rcu_dereference() call in ip_set_put_comment()
    - netfilter: xt_IDLETIMER: add sysfs filename checking routine
    - hwmon: (ibmpowernv) Remove bogus __init annotations
    - lib/raid6: Fix arm64 test build
    - zram: close udev startup race condition as default groups
    - SUNRPC: drop pointless static qualifier in xdr_get_next_encode_buffer()
    - gfs2: Put bitmap buffers in put_super
    - btrfs: fix pinned underflow after transaction aborted
    - Revert "media: videobuf2-core: don't call memop 'finish' when queueing"
    - media: v4l: event: Add subscription to list before calling "add" operation
    - uio: Fix an Oops on load
    - usb: cdc-acm: add entry for Hiro (Conexant) modem
    - USB: quirks: Add no-lpm quirk for Raydium touchscreens
    - usb: quirks: Add delay-init quirk for Corsair K70 LUX RGB
    - misc: atmel-ssc: Fix section annotation on atmel_ssc_get_driver_data
    - USB: misc: appledisplay: add 20" Apple Cinema Display
    - drivers/misc/sgi-gru: fix Spectre v1 vulnerability
    - ACPI / platform: Add SMB0001 HID to forbidden_id_list
    - new helper: uaccess_kernel()
    - HID: uhid: forbid UHID_CREATE under KERNEL_DS or elevated privileges
    - xhci: Fix USB3 NULL pointer dereference at logical disconnect.
    - Linux 4.4.165

  * Xenial update: 4.4.164 upstream stable release (LP: #1810947)
    - bcache: fix miss key refill->end in writeback
    - hwmon: (pmbus) Fix page count auto-detection.
    - jffs2: free jffs2_sb_info through jffs2_kill_sb()
    - pcmcia: Implement CLKRUN protocol disabling for Ricoh bridges
    - ipmi: Fix timer race with module unload
    - parisc: Fix address in HPMC IVA
    - parisc: Fix map_pages() to not overwrite existing pte entries
    - ALSA: hda - Add mic quirk for the Lenovo G50-30 (17aa:3905)
    - ALSA: ca0106: Disable IZD on SB0570 DAC to fix audio pops
    - x86/corruption-check: Fix panic in memory_corruption_check() when boot
      option without value is provided
    - x86/kconfig: Fall back to ticket spinlocks
    - sparc: Fix single-pcr perf event counter management.
    - x86/fpu: Remove second definition of fpu in __fpu__restore_sig()
    - net: qla3xxx: Remove overflowing shift statement
    - selftests: ftrace: Add synthetic event syntax testcase
    - locking/lockdep: Fix debug_locks off performance problem
    - ataflop: fix error handling during setup
    - swim: fix cleanup on setup error
    - tun: Consistently configure generic netdev params via rtnetlink
    - perf tools: Free temporary 'sys' string in read_event_files()
    - perf tools: Cleanup trace-event-info 'tdata' leak
    - mmc: sdhci-pci-o2micro: Add quirk for O2 Micro dev 0x8620 rev 0x01
    - Bluetooth: btbcm: Add entry for BCM4335C0 UART bluetooth
    - x86: boot: Fix EFI stub alignment
    - pinctrl: qcom: spmi-mpp: Fix err handling of pmic_mpp_set_mux
    - kprobes: Return error if we fail to reuse kprobe instead of BUG_ON()
    - ACPI / LPSS: Add alternative ACPI HIDs for Cherry Trail DMA controllers
    - pinctrl: qcom: spmi-mpp: Fix drive strength setting
    - pinctrl: spmi-mpp: Fix pmic_mpp_config_get() to be compliant
    - pinctrl: ssbi-gpio: Fix pm8xxx_pin_config_get() to be compliant
    - ath10k: schedule hardware restart if WMI command times out
    - scsi: esp_scsi: Track residual for PIO transfers
    - scsi: megaraid_sas: fix a missing-check bug
    - tpm: suppress transmit cmd error logs when TPM 1.2 is disabled/deactivated
    - ext4: fix argument checking in EXT4_IOC_MOVE_EXT
    - MD: fix invalid stored role for a disk
    - usb: chipidea: Prevent unbalanced IRQ disable
    - driver/dma/ioat: Call del_timer_sync() without holding prep_lock
    - uio: ensure class is registered before devices
    - scsi: lpfc: Correct soft lockup when running mds diagnostics
    - signal: Always deliver the kernel's SIGKILL and SIGSTOP to a pid namespace
    - dmaengine: dma-jz4780: Return error if not probed from DT
    - ALSA: hda: Check the non-cached stream buffers more explicitly
    - xen-swiotlb: use actually allocated size on check physical continuous
    - tpm: Restore functionality to xen vtpm driver.
    - xen: fix race in xen_qlock_wait()
    - xen: make xen_qlock_wait() nestable
    - net/ipv4: defensive cipso option parsing
    - libnvdimm: Hold reference on parent while scheduling async init
    - jbd2: fix use after free in jbd2_log_do_checkpoint()
    - gfs2_meta: ->mount() can get NULL dev_name
    - ext4: initialize retries variable in ext4_da_write_inline_data_begin()
    - HID: hiddev: fix potential Spectre v1
    - PCI: Add Device IDs for Intel GPU "spurious interrupt" quirk
    - signal/GenWQE: Fix sending of SIGKILL
    - crypto: lrw - Fix out-of bounds access on counter overflow
    - ima: fix showing large 'violations' or 'runtime_measurements_count'
    - hugetlbfs: dirty pages as they are added to pagecache
    - kbuild: fix kernel/bounds.c 'W=1' warning
    - iio: adc: at91: fix acking DRDY irq on simple conversions
    - iio: adc: at91: fix wrong channel number in triggered buffer mode
    - w1: omap-hdq: fix missing bus unregister at removal
    - smb3: allow stats which track session and share reconnects to be reset
    - smb3: do not attempt cifs operation in smb3 query info error path
    - smb3: on kerberos mount if server doesn't specify auth type use krb5
    - printk: Fix panic caused by passing log_buf_len to command line
    - genirq: Fix race on spurious interrupt detection
    - NFSv4.1: Fix the r/wsize checking
    - nfsd: Fix an Oops in free_session()
    - lockd: fix access beyond unterminated strings in prints
    - dm ioctl: harden copy_params()'s copy_from_user() from malicious users
    - powerpc/msi: Fix compile error on mpc83xx
    - MIPS: OCTEON: fix out of bounds array access on CN68XX
    - TC: Set DMA masks for devices
    - kgdboc: Passing ekgdboc to command line causes panic
    - xen: fix xen_qlock_wait()
    - media: em28xx: use a default format if TRY_FMT fails
    - media: em28xx: fix input name for Terratec AV 350
    - media: em28xx: make v4l2-compliance happier by starting sequence on zero
    - ext4: avoid running out of journal credits when appending to an inline 
    - Cramfs: fix abad comparison when wrap-arounds occur
    - arm64: dts: stratix10: Correct System Manager register size
    - soc/tegra: pmc: Fix child-node lookup
    - btrfs: Handle owner mismatch gracefully when walking up tree
    - btrfs: locking: Add extra check in btrfs_init_new_buffer() to avoid 
    - btrfs: iterate all devices during trim, instead of fs_devices::alloc_list
    - btrfs: don't attempt to trim devices that don't support it
    - btrfs: wait on caching when putting the bg cache
    - btrfs: reset max_extent_size on clear in a bitmap
    - btrfs: make sure we create all new block groups
    - Btrfs: fix wrong dentries after fsync of file that got its parent replaced
    - btrfs: qgroup: Dirty all qgroups before rescan
    - Btrfs: fix null pointer dereference on compressed write path error
    - btrfs: set max_extent_size properly
    - MD: fix invalid stored role for a disk - try2
    - tty: check name length in tty_find_polling_driver()
    - powerpc/nohash: fix undefined behaviour when testing page size support
    - drm/omap: fix memory barrier bug in DMM driver
    - media: pci: cx23885: handle adding to list failure
    - MIPS: kexec: Mark CPU offline before disabling local IRQ
    - powerpc/boot: Ensure _zimage_start is a weak symbol
    - sc16is7xx: Fix for multi-channel stall
    - media: tvp5150: fix width alignment during set_selection()
    - 9p locks: fix glock.client_id leak in do_lock
    - 9p: clear dangling pointers in p9stat_free
    - scsi: qla2xxx: Fix incorrect port speed being set for FC adapters
    - fuse: Fix use-after-free in fuse_dev_do_read()
    - fuse: Fix use-after-free in fuse_dev_do_write()
    - fuse: fix blocked_waitq wakeup
    - fuse: set FR_SENT while locked
    - mm, elf: handle vm_brk error
    - binfmt_elf: fix calculations for bss padding
    - mm: refuse wrapped vm_brk requests
    - fs, elf: make sure to page align bss in load_elf_library
    - mm: do not bug_on on incorrect length in __mm_populate()
    - e1000: avoid null pointer dereference on invalid stat type
    - e1000: fix race condition between e1000_down() and e1000_watchdog
    - bna: ethtool: Avoid reading past end of buffer
    - MIPS: Loongson-3: Fix CPU UART irq delivery problem
    - MIPS: Loongson-3: Fix BRIDGE irq delivery problem
    - xtensa: add NOTES section to the linker script
    - xtensa: make sure bFLT stack is 16 byte aligned
    - xtensa: fix boot parameters address translation
    - clk: s2mps11: Fix matching when built as module and DT node contains
    - libceph: bump CEPH_MSG_MAX_DATA_LEN
    - mach64: fix display corruption on big endian machines
    - mach64: fix image corruption due to reading accelerator registers
    - vhost/scsi: truncate T10 PI iov_iter to prot_bytes
    - ocfs2: fix a misuse a of brelse after failing ocfs2_check_dir_entry
    - mm: thp: relax __GFP_THISNODE for MADV_HUGEPAGE mappings
    - mtd: docg3: don't set conflicting BCH_CONST_PARAMS option
    - termios, tty/tty_baudrate.c: fix buffer overrun
    - arch/alpha, termios: implement BOTHER, IBSHIFT and termios2
    - Btrfs: fix data corruption due to cloning of eof block
    - clockevents/drivers/i8253: Add support for PIT shutdown quirk
    - ext4: add missing brelse() update_backups()'s error path
    - ext4: add missing brelse() in set_flexbg_block_bitmap()'s error path
    - ext4: add missing brelse() add_new_gdb_meta_bg()'s error path
    - ext4: avoid potential extra brelse in setup_new_flex_group_blocks()
    - ext4: fix possible inode leak in the retry loop of ext4_resize_fs()
    - ext4: avoid buffer leak in ext4_orphan_add() after prior errors
    - ext4: fix missing cleanup if ext4_alloc_flex_bg_array() fails while 
    - ext4: avoid possible double brelse() in add_new_gdb() on error path
    - ext4: fix possible leak of sbi->s_group_desc_leak in error path
    - ext4: release before re-using in ext4_xattr_block_find()
    - ext4: fix buffer leak in ext4_xattr_move_to_block() on error path
    - ext4: fix buffer leak in __ext4_read_dirblock() on error path
    - mount: Prevent MNT_DETACH from disconnecting locked mounts
    - sunrpc: correct the computation for page_ptr when truncating
    - rtc: hctosys: Add missing range error reporting
    - fuse: fix leaked notify reply
    - configfs: replace strncpy with memcpy
    - hugetlbfs: fix kernel BUG at fs/hugetlbfs/inode.c:444!
    - mm: migration: fix migration of huge PMD shared pages
    - drm/rockchip: Allow driver to be shutdown on reboot/kexec
    - drm/dp_mst: Check if primary mstb is null
    - drm/i915/hdmi: Add HDMI 2.0 audio clock recovery N values
    - Linux 4.4.164

  * Xenial update: 4.4.163 upstream stable release (LP: #1810807)
    - xfrm: Validate address prefix lengths in the xfrm selector.
    - xfrm6: call kfree_skb when skb is toobig
    - mac80211: Always report TX status
    - cfg80211: reg: Init wiphy_idx in regulatory_hint_core()
    - ARM: 8799/1: mm: fix pci_ioremap_io() offset check
    - xfrm: validate template mode
    - mac80211_hwsim: do not omit multicast announce of first added radio
    - Bluetooth: SMP: fix crash in unpairing
    - pxa168fb: prepare the clock
    - asix: Check for supported Wake-on-LAN modes
    - ax88179_178a: Check for supported Wake-on-LAN modes
    - lan78xx: Check for supported Wake-on-LAN modes
    - sr9800: Check for supported Wake-on-LAN modes
    - r8152: Check for supported Wake-on-LAN Modes
    - smsc75xx: Check for Wake-on-LAN modes
    - smsc95xx: Check for Wake-on-LAN modes
    - perf/ring_buffer: Prevent concurent ring buffer access
    - net: cxgb3_main: fix a missing-check bug
    - KEYS: put keyring if install_session_keyring_to_cred() fails
    - ipv6: suppress sparse warnings in IP6_ECN_set_ce()
    - net: drop write-only stack variable
    - ser_gigaset: use container_of() instead of detour
    - tracing: Skip more functions when doing stack tracing of events
    - ARM: dts: apq8064: add ahci ports-implemented mask
    - x86/mm/pat: Prevent hang during boot when mapping pages
    - radix-tree: fix radix_tree_iter_retry() for tagged iterators.
    - af_iucv: Move sockaddr length checks to before accessing sa_family in bind
      and connect handlers
    - net/mlx4_en: Resolve dividing by zero in 32-bit system
    - ipv6: orphan skbs in reassembly unit
    - um: Avoid longjmp/setjmp symbol clashes with libpthread.a
    - sched/cgroup: Fix cgroup entity load tracking tear-down
    - btrfs: don't create or leak aliased root while cleaning up orphans
    - thermal: allow spear-thermal driver to be a module
    - thermal: allow u8500-thermal driver to be a module
    - x86/PCI: Mark Broadwell-EP Home Agent 1 as having non-compliant BARs
    - aacraid: Start adapter after updating number of MSIX vectors
    - perf/core: Don't leak event in the syscall error path
    - usbvision: revert commit 588afcc1
    - MIPS: Fix FCSR Cause bit handling for correct SIGFPE issue
    - ASoC: ak4613: Enable cache usage to fix crashes on resume
    - ASoC: wm8940: Enable cache usage to fix crashes on resume
    - CIFS: handle guest access errors to Windows shares
    - arm64: Fix potential race with hardware DBM in ptep_set_access_flags()
    - xfrm: Clear sk_dst_cache when applying per-socket policy.
    - scsi: Add STARGET_CREATED_REMOVE state to scsi_target_state
    - sparc/pci: Refactor dev_archdata initialization into pci_init_dev_archdata
    - sch_red: update backlog as well
    - usb-storage: fix bogus hardware error messages for ATA pass-thru devices
    - bpf: generally move prog destruction to RCU deferral
    - drm/nouveau/fbcon: fix oops without fbdev emulation
    - fuse: Dont call set_page_dirty_lock() for ITER_BVEC pages for async_dio
    - net/mlx5e: Fix LRO modify
    - net/mlx5e: Correctly handle RSS indirection table when changing number of
    - ALSA: timer: Fix zero-division by continue of uninitialized instance
    - vti6: flush x-netns xfrm cache when vti interface is removed
    - brcmfmac: Fix glom_skb leak in brcmf_sdiod_recv_chain
    - l2tp: hold socket before dropping lock in l2tp_ip{, 6}_recv()
    - tty: serial: sprd: fix error return code in sprd_probe()
    - video: fbdev: pxa3xx_gcu: fix error return code in pxa3xx_gcu_probe()
    - sparc64 mm: Fix more TSB sizing issues
    - gpu: host1x: fix error return code in host1x_probe()
    - sparc64: Fix exception handling in UltraSPARC-III memcpy.
    - gpio: msic: fix error return code in platform_msic_gpio_probe()
    - usb: imx21-hcd: fix error return code in imx21_probe()
    - usb: ehci-omap: fix error return code in ehci_hcd_omap_probe()
    - usb: dwc3: omap: fix error return code in dwc3_omap_probe()
    - spi/bcm63xx-hspi: fix error return code in bcm63xx_hsspi_probe()
    - MIPS: Handle non word sized instructions when examining frame
    - spi/bcm63xx: fix error return code in bcm63xx_spi_probe()
    - spi: xlp: fix error return code in xlp_spi_probe()
    - ASoC: spear: fix error return code in spdif_in_probe()
    - PM / devfreq: tegra: fix error return code in tegra_devfreq_probe()
    - bonding: avoid defaulting hard_header_len to ETH_HLEN on slave removal
    - scsi: aacraid: Fix typo in blink status
    - MIPS: microMIPS: Fix decoding of swsp16 instruction
    - igb: Remove superfluous reset to PHY and page 0 selection
    - MIPS: DEC: Fix an int-handler.S CPU_DADDI_WORKAROUNDS regression
    - ARM: dts: imx53-qsb: disable 1.2GHz OPP
    - fs/fat/fatent.c: add cond_resched() to fat_count_free_clusters()
    - mtd: spi-nor: Add support for is25wp series chips
    - perf tools: Disable parallelism for 'make clean'
    - bridge: do not add port to router list when receives query with source
    - net: bridge: remove ipv6 zero address check in mcast queries
    - ipv6: mcast: fix a use-after-free in inet6_mc_check
    - ipv6/ndisc: Preserve IPv6 control buffer if protocol error handlers are
    - net/ipv6: Fix index counter for unicast addresses in in6_dump_addrs
    - net: sched: gred: pass the right attribute to gred_change_table_def()
    - net: socket: fix a missing-check bug
    - net: stmmac: Fix stmmac_mdio_reset() when building stmmac as modules
    - r8169: fix NAPI handling under high load
    - sctp: fix race on sctp_id2asoc
    - net: drop skb on failure in ip_check_defrag()
    - vhost: Fix Spectre V1 vulnerability
    - rtnetlink: Disallow FDB configuration for non-Ethernet device
    - mremap: properly flush TLB before releasing the page
    - crypto: shash - Fix a sleep-in-atomic bug in shash_setkey_unaligned
    - ahci: don't ignore result code of ahci_reset_controller()
    - cachefiles: fix the race between cachefiles_bury_object() and rmdir(2)
    - ptp: fix Spectre v1 vulnerability
    - RDMA/ucma: Fix Spectre v1 vulnerability
    - IB/ucm: Fix Spectre v1 vulnerability
    - cdc-acm: correct counting of UART states in serial state notification
    - usb: gadget: storage: Fix Spectre v1 vulnerability
    - USB: fix the usbfs flag sanitization for control transfers
    - Input: elan_i2c - add ACPI ID for Lenovo IdeaPad 330-15IGM
    - sched/fair: Fix throttle_list starvation with low CFS quota
    - x86/percpu: Fix this_cpu_read()
    - cpuidle: Do not access cpuidle_devices when !CONFIG_CPU_IDLE
    - l2tp: hold tunnel socket when handling control frames in l2tp_ip and
    - x86/time: Correct the attribute on jiffies' definition
    - Linux 4.4.163

  * nvme - Polling on timeout (LP: #1807393)
    - nvme/pci: Poll CQ on timeout

  * Xenial: data corruption when using i40e with iommu (LP: #1802421)
    - i40e: Drop packet split receive routine

  * Fix Intel I210 doesn't work when ethernet cable gets plugged (LP: #1806818)
    - igb: Fix an issue that PME is not enabled during runtime suspend

 -- Kleber Sacilotto de Souza <>  Wed, 16 Jan 2019 17:35:06 +0100

** Changed in: linux (Ubuntu Xenial)
       Status: Fix Committed => Fix Released

** CVE added:

** Changed in: linux (Ubuntu Cosmic)
       Status: Fix Committed => Fix Released

  iptables connlimit allows more connections than the limit when using
  multiple CPUs

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Trusty:
  Fix Committed
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Bionic:
  Fix Released
Status in linux source package in Cosmic:
  Fix Released

Bug description:

   * The iptables connection count/limit rules can be breached
     with multithreaded network driver/server/client (common)
     due to a race in the conncount/connlimit code.

   * For example:

     # iptables -A INPUT -p tcp -m tcp --syn --dport 7777 \
       -m connlimit --connlimit-above 2000 --connlimit-mask 0 \
       -j DROP

   * The fix is a backport of the upstream commit that resolves the
     race condition (plus its dependencies, for a cleaner backport):

     commit b36e4523d4d5 ("netfilter: nf_conncount: fix garbage
     collection confirm race").

  [Test Case]

   * Server-side: (relevant kernel side)
     (limit TCP port 7777 to only 2000 connections)

     # iptables -A INPUT -p tcp -m tcp --syn --dport 7777 \
       -m connlimit --connlimit-above 2000 --connlimit-mask 0 \
       -j DROP

     # ulimit -SHn 65000   # increase number of open files
     # ruby server.rb      # multi-threaded server

   * Client-side:

     # ulimit -SHn 65000
     # ruby client.rb <server ip> <port> <target # connections> <# threads>
     <test output>

   * Results with Original kernel:
     (client achieves target of 6000 connections > limit of 2000 connections)

     # ruby client.rb 7777 6000 3
     Target reached. Thread finishing
     Target reached. Thread finishing
     Target reached. Thread finishing
     Threads done. 6002 connections
     press enter to exit

   * Results with Modified kernel:
     (client is limited to 2000 connections, and times out afterward)

     # ruby client.rb 7777 6000 3
     <... blocks for a few minutes ...>
     failed to create connection: Connection timed out - connect(2) for "" port 7777
     failed to create connection: Connection timed out - connect(2) for "" port 7777
     failed to create connection: Connection timed out - connect(2) for "" port 7777
     Threads done. 2000 connections
     press enter to exit

   * Test cases possibly available upon request,
     depending on original author's permission.
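   * A minimal harness in the spirit of the server.rb/client.rb pair above
     (added here as an illustration; it is not the original author's test
     code): a multi-threaded holder server plus a multi-threaded client that
     opens a target number of connections from several threads and reports
     how many were established. Pointed at a port covered by the connlimit
     rule, the count exceeding the limit is the bug; the loopback
     self-check, the port 0 (ephemeral) listener and the failure accounting
     are constructed for this example.

```ruby
require 'socket'

# Accept connections and keep them open so each stays counted by
# conntrack/connlimit; returns [listening socket, held sockets, thread].
def start_holding_server(host, port)
  server = TCPServer.new(host, port)
  held = []
  acceptor = Thread.new do
    loop { held << server.accept }
  rescue IOError, SystemCallError
    nil # listening socket closed: stop accepting
  end
  [server, held, acceptor]
end

# Open `target` connections from `threads` threads, holding each open.
# Returns [open sockets, failures]; a working connlimit rule turns every
# connection past the limit into a failure (dropped SYN, connect timeout).
def open_connections(host, port, target, threads, timeout = 5)
  lock = Mutex.new
  opened = []
  failures = next_index = 0
  workers = Array.new(threads) do
    Thread.new do
      loop do
        idx = lock.synchronize { next_index += 1 }
        break if idx > target
        begin
          sock = Socket.tcp(host, port, connect_timeout: timeout)
          lock.synchronize { opened << sock }
        rescue StandardError => e
          lock.synchronize { failures += 1 }
          warn "failed to create connection: #{e.message}"
        end
      end
    end
  end
  workers.each(&:join)
  [opened, failures]
end

# Loopback self-check (constructed): returns how many connections stuck.
def run_local_check(target, threads)
  server, held, acceptor = start_holding_server('127.0.0.1', 0)
  opened, = open_connections('127.0.0.1', server.addr[1], target, threads)
  (opened + [server]).each(&:close)
  acceptor.join
  held.each(&:close)
  opened.size
end
```

     With no rule in the way the loopback check returns exactly the target;
     behind the connlimit rule a correct kernel returns at most the limit
     and the remaining attempts surface as failures.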

  [Regression Potential]

   * The patchset has been reviewed by a netfilter maintainer [1] on the
     stable mailing list and was considered OK for 4.14; the 4.15 and 4.4
     backports are essentially the same.

   * The changes are limited to netfilter connlimit/conncount (names
     change between older/newer kernel versions).

  [Other Info]

   * The backport for 4.14 [2] is applied as of 4.14.92.
