This bug was fixed in the package linux - 4.4.0-143.169

linux (4.4.0-143.169) xenial; urgency=medium

  * linux: 4.4.0-143.169 -proposed tracker (LP: #1814647)

  * x86/kvm: Backport fixup and missing commits (LP: #1811646)
    - KVM: x86: avoid vmalloc(0) in the KVM_SET_CPUID
    - kvm: nVMX: VMCLEAR an active shadow VMCS after last use
    - X86/nVMX: Properly set spec_ctrl and pred_cmd before merging MSRs
    - KVM/VMX: Optimize vmx_vcpu_run() and svm_vcpu_run() by marking the RDMSR
      path as unlikely()
    - kvm: x86: IA32_ARCH_CAPABILITIES is always supported
    - KVM: SVM: Add MSR-based feature support for serializing LFENCE
    - KVM: X86: Allow userspace to define the microcode version
    - KVM: x86: SVM: Call x86_spec_ctrl_set_guest/host() with interrupts 
    - KVM: VMX: fixes for vmentry_l1d_flush module parameter
    - kvm: svm: Ensure an IBPB on all affected CPUs when freeing a vmcb
    - kvm: vmx: Scrub hardware GPRs at VM-exit
    - SAUCE: [Fix] x86/KVM/VMX: Add L1D flush logic
    - SAUCE: KVM: Move code fragments, cleanup and re-indent

  * linux-buildinfo: pull out ABI information into its own package
    (LP: #1806380)
    - [Packaging] limit preparation to linux-libc-dev in headers
    - [Packaging] commonise debhelper invocation
    - [Packaging] ABI -- accumulate abi information at the end of the build
    - [Packaging] buildinfo -- add basic build information
    - [Packaging] buildinfo -- add firmware information to the flavour ABI
    - [Packaging] buildinfo -- add compiler information to the flavour ABI
    - [Packaging] buildinfo -- add buildinfo support to getabis
    - [Config] buildinfo -- add retpoline version markers
    - [Packaging] getabis -- handle all known package combinations
    - [Packaging] getabis -- support parsing a simple version

  * signing: only install a signed kernel (LP: #1764794)
    - [Packaging] update to Debian like control scripts
    - [Packaging] switch to triggers for postinst.d postrm.d handling
    - [Packaging] signing -- switch to raw-signing tarballs
    - [Packaging] signing -- switch to linux-image as signed when available
    - [Packaging] printenv -- add signing options
    - [Packaging] fix invocation of header postinst hooks
    - [Packaging] signing -- add support for signing Opal kernel binaries
    - [Debian] Use src_pkg_name when constructing udeb control files
    - [Debian] Dynamically determine linux udebs package name
    - [Packaging] handle both linux-lts* and linux-hwe* as backports
    - [Config] linux-source-* is in the primary linux namespace
    - [Packaging] lookup the upstream tag
    - [Packaging] zfs/spl -- enhance provides information
    - [Packaging] switch up to debhelper 9
    - [Packaging] autopkgtest -- disable d-i when dropping flavours
    - [debian] support for ship_extras_package=false
    - [Debian] do_common_tools should always be on
    - [debian] do not force do_tools_common
    - [Packaging] Add linux-tools-host package for VM host tools
    - [Packaging] signing should be conditional
    - [Packaging] skip cloud tools packaging when not building package
    - [Packaging] add acpidbg
    - [debian] prep linux-libc-dev only if do_libc_dev_package=true
    - [Packaging] Only install cloud init files when do_tools_common=true

  * Redpine: Driver crash with network-manager 1.10 and above (LP: #1813869)
    - SAUCE: Redpine: enhancement for MAC spoofing to avoid kernel crash

  * Guests using IBRS incur a large performance penalty (LP: #1764956)
    - SAUCE: Restore the IBRS host state on VMEXIT

  * Xenial update: 4.4.170 upstream stable release (LP: #1811647)
    - USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data
    - xhci: Don't prevent USB2 bus suspend in state check intended for USB3 only
    - USB: serial: option: add GosunCn ZTE WeLink ME3630
    - USB: serial: option: add HP lt4132
    - USB: serial: option: add Simcom SIM7500/SIM7600 (MBIM mode)
    - USB: serial: option: add Fibocom NL668 series
    - USB: serial: option: add Telit LN940 series
    - mmc: core: Reset HPI enabled state during re-init and in case of errors
    - mmc: omap_hsmmc: fix DMA API warning
    - gpio: max7301: fix driver for use with CONFIG_VMAP_STACK
    - Drivers: hv: vmbus: Return -EINVAL for the sys files for unopened channels
    - x86/mtrr: Don't copy uninitialized gentry fields back to userspace
    - drm/ioctl: Fix Spectre v1 vulnerabilities
    - ip6mr: Fix potential Spectre v1 vulnerability
    - ipv4: Fix potential Spectre v1 vulnerability
    - ax25: fix a use-after-free in ax25_fillin_cb()
    - ibmveth: fix DMA unmap error in ibmveth_xmit_start error path
    - ieee802154: lowpan_header_create check must check daddr
    - ipv6: explicitly initialize udp6_addr in udp_sock_create6()
    - isdn: fix kernel-infoleak in capi_unlocked_ioctl
    - netrom: fix locking in nr_find_socket()
    - packet: validate address length
    - packet: validate address length if non-zero
    - sctp: initialize sin6_flowinfo for ipv6 addrs in sctp_inet6addr_event
    - vhost: make sure used idx is seen before log in vhost_add_used_n()
    - VSOCK: Send reset control packet when socket is partially bound
    - xen/netfront: tolerate frags with no data
    - gro_cell: add napi_disable in gro_cells_destroy
    - sock: Make sock->sk_stamp thread-safe
    - ALSA: rme9652: Fix potential Spectre v1 vulnerability
    - ALSA: emu10k1: Fix potential Spectre v1 vulnerabilities
    - ALSA: pcm: Fix potential Spectre v1 vulnerability
    - ALSA: emux: Fix potential Spectre v1 vulnerabilities
    - ALSA: hda: add mute LED support for HP EliteBook 840 G4
    - ALSA: hda/tegra: clear pending irq handlers
    - USB: serial: pl2303: add ids for Hewlett-Packard HP POS pole displays
    - USB: serial: option: add Fibocom NL678 series
    - usb: r8a66597: Fix a possible concurrency use-after-free bug in
    - Input: elan_i2c - add ACPI ID for touchpad in ASUS Aspire F5-573G
    - KVM: x86: Use jmp to invoke kvm_spurious_fault() from .fixup
    - perf pmu: Suppress potential format-truncation warning
    - ext4: fix possible use after free in ext4_quota_enable
    - ext4: missing unlock/put_page() in ext4_try_to_write_inline_data()
    - ext4: fix EXT4_IOC_GROUP_ADD ioctl
    - ext4: force inode writes when nfsd calls commit_metadata()
    - spi: bcm2835: Fix race on DMA termination
    - spi: bcm2835: Fix book-keeping of DMA termination
    - spi: bcm2835: Avoid finishing transfer prematurely in IRQ mode
    - cdc-acm: fix abnormal DATA RX issue for Mediatek Preloader.
    - media: vivid: free bitmap_cap when updating std/timings/etc.
    - MIPS: Ensure pmd_present() returns false after pmd_mknotpresent()
    - MIPS: Align kernel load address to 64KB
    - CIFS: Fix error mapping for SMB2_LOCK command which caused OFD lock 
    - x86/kvm/vmx: do not use vm-exit instruction length for fast MMIO when
      running nested
    - spi: bcm2835: Unbreak the build of esoteric configs
    - powerpc: Fix COFF zImage booting on old powermacs
    - ARM: imx: update the cpu power up timing setting on i.mx6sx
    - Input: restore EV_ABS ABS_RESERVED
    - fix for aarch64
    - xfrm: Fix bucket count reported to userspace
    - scsi: bnx2fc: Fix NULL dereference in error handling
    - Input: omap-keypad - fix idle configuration to not block SoC idle states
    - scsi: zfcp: fix posting too many status read buffers leading to adapter
    - hwpoison, memory_hotplug: allow hwpoisoned pages to be offlined
    - mm, devm_memremap_pages: mark devm_memremap_pages() EXPORT_SYMBOL_GPL
    - mm, devm_memremap_pages: kill mapping "System RAM" support
    - sunrpc: fix cache_head leak due to queued request
    - sunrpc: use SVC_NET() in svcauth_gss_* functions
    - crypto: x86/chacha20 - avoid sleeping with preemption disabled
    - ALSA: cs46xx: Potential NULL dereference in probe
    - ALSA: usb-audio: Avoid access before bLength check in 
    - ALSA: usb-audio: Fix an out-of-bound read in create_composite_quirks
    - dlm: fixed memory leaks after failed ls_remove_names allocation
    - dlm: possible memory leak on error path in create_lkb()
    - dlm: lost put_lkb on error path in receive_convert() and receive_unlock()
    - dlm: memory leaks on error path in dlm_user_request()
    - gfs2: Fix loop in gfs2_rbm_find
    - b43: Fix error in cordic routine
    - 9p/net: put a lower bound on msize
    - iommu/vt-d: Handle domain agaw being less than iommu agaw
    - ceph: don't update importing cap's mseq when handing cap export
    - genwqe: Fix size check
    - intel_th: msu: Fix an off-by-one in attribute store
    - power: supply: olpc_battery: correct the temperature units
    - Linux 4.4.170

  * Xenial update: 4.4.169 upstream stable release (LP: #1811252)
    - lib/interval_tree_test.c: make test options module parameters
    - lib/interval_tree_test.c: allow full tree search
    - lib/rbtree_test.c: make input module parameters
    - lib/rbtree-test: lower default params
    - lib/interval_tree_test.c: allow users to limit scope of endpoint
    - timer/debug: Change /proc/timer_list from 0444 to 0400
    - powerpc/boot: Fix random libfdt related build errors
    - pinctrl: sunxi: a83t: Fix IRQ offset typo for PH11
    - aio: fix spectre gadget in lookup_ioctx
    - MMC: OMAP: fix broken MMC on OMAP15XX/OMAP5910/OMAP310
    - tracing: Fix memory leak in set_trigger_filter()
    - tracing: Fix memory leak of instance function hash filters
    - powerpc/msi: Fix NULL pointer access in teardown code
    - Revert "drm/rockchip: Allow driver to be shutdown on reboot/kexec"
    - f2fs: fix a panic caused by NULL flush_cmd_control
    - mac80211: don't WARN on bad WMM parameters from buggy APs
    - mac80211: Fix condition validating WMM IE
    - mac80211_hwsim: fix module init error paths for netlink
    - scsi: libiscsi: Fix NULL pointer dereference in iscsi_eh_session_reset
    - scsi: vmw_pscsi: Rearrange code to avoid multiple calls to free_irq during
    - x86/earlyprintk/efi: Fix infinite loop on some screen widths
    - drm/msm: Grab a vblank reference when waiting for commit_done
    - ARC: io.h: Implement reads{x}()/writes{x}()
    - bonding: fix 802.3ad state sent to partner when unbinding slave
    - SUNRPC: Fix a potential race in xprt_connect()
    - sbus: char: add of_node_put()
    - drivers/sbus/char: add of_node_put()
    - drivers/tty: add missing of_node_put()
    - ide: pmac: add of_node_put()
    - clk: mmp: Off by one in mmp_clk_add()
    - Input: omap-keypad - fix keyboard debounce configuration
    - libata: whitelist all SAMSUNG MZ7KM* solid-state disks
    - mv88e6060: disable hardware level MAC learning
    - ARM: 8814/1: mm: improve/fix ARM v7_dma_inv_range() unaligned address
    - cifs: In Kconfig CONFIG_CIFS_POSIX needs depends on legacy (insecure cifs)
    - [Config] Remove CONFIG_CIFS_POSIX=y
    - i2c: axxia: properly handle master timeout
    - i2c: scmi: Fix probe error on devices with an empty SMB0001 ACPI device 
    - rtc: snvs: add a missing write sync
    - rtc: snvs: Add timeouts to avoid kernel lockups
    - ALSA: isa/wavefront: prevent some out of bound writes
    - Linux 4.4.169

  * Xenial update: 4.4.168 upstream stable release (LP: #1811080)
    - ipv6: Check available headroom in ip6_xmit() even without options
    - net: 8139cp: fix a BUG triggered by changing mtu with network traffic
    - net: phy: don't allow __set_phy_supported to add unsupported modes
    - net: Prevent invalid access to skb->prev in __qdisc_drop_all
    - rtnetlink: ndo_dflt_fdb_dump() only work for ARPHRD_ETHER devices
    - tcp: fix NULL ref in tail loss probe
    - tun: forbid iface creation with rtnl ops
    - neighbour: Avoid writing before skb->head in neigh_hh_output()
    - ARM: OMAP2+: prm44xx: Fix section annotation on
    - ARM: OMAP1: ams-delta: Fix possible use of uninitialized field
    - sysv: return 'err' instead of 0 in __sysv_write_inode
    - s390/cpum_cf: Reject request for sampling in event initialization
    - hwmon: (ina2xx) Fix current value calculation
    - ASoC: dapm: Recalculate audio map forcely when card instantiated
    - hwmon: (w83795) temp4_type has writable permission
    - Btrfs: send, fix infinite loop due to directory rename dependencies
    - ASoC: omap-mcpdm: Add pm_qos handling to avoid under/overruns with 
    - ASoC: omap-dmic: Add pm_qos handling to avoid overruns with CPU_IDLE
    - exportfs: do not read dentry after free
    - bpf: fix check of allowed specifiers in bpf_trace_printk
    - USB: omap_udc: use devm_request_irq()
    - USB: omap_udc: fix crashes on probe error and module removal
    - USB: omap_udc: fix omap_udc_start() on 15xx machines
    - USB: omap_udc: fix USB gadget functionality on Palm Tungsten E
    - KVM: x86: fix empty-body warnings
    - net: thunderx: fix NULL pointer dereference in nic_remove
    - ixgbe: recognize 1000BaseLX SFP modules as 1Gbps
    - net: hisilicon: remove unexpected free_netdev
    - drm/ast: fixed reading monitor EDID not stable issue
    - xen: xlate_mmu: add missing header to fix 'W=1' warning
    - fscache: fix race between enablement and dropping of object
    - fscache, cachefiles: remove redundant variable 'cache'
    - ocfs2: fix deadlock caused by ocfs2_defrag_extent()
    - hfs: do not free node before using
    - hfsplus: do not free node before using
    - debugobjects: avoid recursive calls with kmemleak
    - ocfs2: fix potential use after free
    - pstore: Convert console write to use ->write_buf
    - ALSA: pcm: remove SNDRV_PCM_IOCTL1_INFO internal command
    - KVM: nVMX: fix msr bitmaps to prevent L2 from accessing L0 x2APIC
    - KVM: nVMX: mark vmcs12 pages dirty on L2 exit
    - KVM: nVMX: Eliminate vmcs02 pool
    - KVM: VMX: introduce alloc_loaded_vmcs
    - KVM: VMX: make MSR bitmaps per-VCPU
    - KVM/x86: Add IBPB support
    - KVM/VMX: Allow direct access to MSR_IA32_SPEC_CTRL
    - KVM/SVM: Allow direct access to MSR_IA32_SPEC_CTRL
    - KVM/x86: Remove indirect MSR op calls from SPEC_CTRL
    - x86/uaccess: Use __uaccess_begin_nospec() and uaccess_try_nospec
    - KVM: SVM: Implement VIRT_SPEC_CTRL support for SSBD
    - bpf: support 8-byte metafield access
    - bpf/verifier: Add spi variable to check_stack_write()
    - bpf/verifier: Pass instruction index to check_mem_access() and 
    - bpf: Prevent memory disambiguation attack
    - wil6210: missing length check in wmi_set_ie
    - mm/hugetlb.c: don't call region_abort if region_chg fails
    - hugetlbfs: fix offset overflow in hugetlbfs mmap
    - hugetlbfs: check for pgoff value overflow
    - hugetlbfs: fix bug in pgoff overflow checking
    - swiotlb: clean up reporting
    - sr: pass down correctly sized SCSI sense buffer
    - mm: remove write/force parameters from __get_user_pages_locked()
    - mm: remove write/force parameters from __get_user_pages_unlocked()
    - mm/nommu.c: Switch __get_user_pages_unlocked() to use __get_user_pages()
    - mm: replace get_user_pages_unlocked() write/force parameters with 
    - mm: replace get_user_pages_locked() write/force parameters with gup_flags
    - mm: replace get_vaddr_frames() write/force parameters with gup_flags
    - mm: replace get_user_pages() write/force parameters with gup_flags
    - mm: replace __access_remote_vm() write parameter with gup_flags
    - mm: replace access_remote_vm() write parameter with gup_flags
    - proc: don't use FOLL_FORCE for reading cmdline and environment
    - proc: do not access cmdline nor environ from file-backed areas
    - media: dvb-frontends: fix i2c access helpers for KASAN
    - matroxfb: fix size of memcpy
    - staging: speakup: Replace strncpy with memcpy
    - rocker: fix rocker_tlv_put_* functions for KASAN
    - selftests: Move networking/timestamping from Documentation
    - Linux 4.4.168

  * kernel oops in bcache module (LP: #1793901)
    - SAUCE: bcache: never writeback a discard operation

  * Userspace break as a result of missing patch backport (LP: #1813873)
    - tty: Don't hold ldisc lock in tty_reopen() if ldisc present

  * CVE-2019-6133
    - fork: record start_time late

  * Crash on "ip link add foo type ipip" (LP: #1811803)
    - SAUCE: fan: Fix NULL pointer dereference

 -- Juerg Haefliger <>  Wed, 06 Feb 2019 10:39:59

** Changed in: linux (Ubuntu Xenial)
       Status: Fix Committed => Fix Released

** CVE added:

  Redpine: Driver crash with network-manager 1.10 and above

Status in linux package in Ubuntu:
Status in linux source package in Xenial:
  Fix Released

Bug description:
  SRU Justification:

        Kernel crash upon inserting Redpine driver

  Test case:
        1) Install network-manager v(1.10) snap.
        2) Insert Redpine modules.
        3) Observe the behavior.

         Redpine driver crashes the entire kernel and below is the crash log.
         ... skipping ...
         [ 49.130185] BUG: unable to handle kernel NULL pointer dereference at 
         [ 49.138969] IP: [<ffffffffc0517c03>] rsi_prepare_mgmt_desc+0xd3/0x2d0 
         [ 49.244030] CPU: 0 PID: 31 Comm: kworker/u4:1 Not tainted 4.4.0-139-generic #165-Ubuntu
         [ 49.252988] Hardware name: Dell Inc. Edge Gateway 3001/, BIOS 01.00.00 04/17/2017
         [ 49.261374] Workqueue: rsi_scan_worker rsi_scan_start [ven_rsi_91x]
         [ 49.268385] task: ffff880078538cc0 ti: ffff8800785e4000 task.ti: 
         [ 49.276765] rsi_prepare_mgmt_desc+0xd3/0x2d0 [ven_rsi_91x]
         [ 49.387307] [<ffffffffc0516457>] rsi_send_probe_request+0x2c7/0x350 
         [ 49.395784] [<ffffffffc0516702>] rsi_scan_start+0x222/0x380 
         [ 49.403486] [<ffffffff818530c1>] ? __schedule+0x301/0x7f0
         [ 49.409633] [<ffffffff8109ee4b>] process_one_work+0x16b/0x490
         [ 49.416164] [<ffffffff8109f1bb>] worker_thread+0x4b/0x4d0
         [ 49.422306] [<ffffffff8109f170>] ? process_one_work+0x490/0x490
         [ 49.429032] [<ffffffff810a5587>] kthread+0xe7/0x100
         [ 49.434589] [<ffffffff818530c1>] ? __schedule+0x301/0x7f0
         [ 49.440731] [<ffffffff810a54a0>] ? kthread_create_on_node+0x1e0/0x1e0
         [ 49.448042] [<ffffffff81857bf5>] ret_from_fork+0x55/0x80
         [ 49.454086] [<ffffffff810a54a0>] ? kthread_create_on_node+0x1e0/0x1e0 

  Root cause analysis:
         In nm-1.10 and above versions, MAC spoofing is enabled by default. In
         the driver, this handling is missing. Hence, added the fix for the same.

         Copied the Custom MAC address into driver global structure.

  Regression Potential:
          This is a very direct issue since the driver is crashing upon
          inserting the modules. We ran multiple insertions and deletions of
          the modules and connected to a third-party AP and did data transfer.
