This bug was fixed in the package linux - 3.2.0-70.105

---------------
linux (3.2.0-70.105) precise; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - re-used previous tracking bug

  [ Upstream Kernel Changes ]

  * udf: Avoid infinite loop when processing indirect ICBs
    - LP: #1370042
    - CVE-2014-6410

linux (3.2.0-70.104) precise; urgency=low

  [ Joseph Salisbury ]

  * Release Tracking Bug
    - LP: #1372522

  [ Tim Gardner ]

  * SAUCE: Fix nfs oops stable regression
    - LP: #1348670
  * [Config] updateconfigs
    - LP: #1369711

  [ Upstream Kernel Changes ]

  * Revert "x86-64, modify_ldt: Make support for 16-bit segments a runtime option"
    - LP: #1369711
  * KVM: x86: Inter-privilege level ret emulation is not implemeneted
    - LP: #1369711
  * ASoC: samsung: Correct I2S DAI suspend/resume ops
    - LP: #1369711
  * block: don't assume last put of shared tags is for the host
    - LP: #1369711
  * stable_kernel_rules: Add pointer to netdev-FAQ for network patches
    - LP: #1369711
  * debugfs: Fix corrupted loop in debugfs_remove_recursive
    - LP: #1369711
  * serial: core: Preserve termios c_cflag for console resume
    - LP: #1369711
  * tda10071: force modulation to QPSK on DVB-S
    - LP: #1369711
  * gspca_pac7302: Add new usb-id for Genius i-Look 317
    - LP: #1369711
  * mtd/ftl: fix the double free of the buffers allocated in build_maps()
    - LP: #1369711
  * x86: don't exclude low BIOS area when allocating address space for non-PCI cards
    - LP: #1369711
  * Bluetooth: never linger on process exit
    - LP: #1369711
  * scsi: handle flush errors properly
    - LP: #1369711
  * USB: OHCI: don't lose track of EDs when a controller dies
    - LP: #1369711
  * ahci: add support for the Promise FastTrak TX8660 SATA HBA (ahci mode)
    - LP: #1369711
  * usbcore: don't log on consecutive debounce failures of the same port
    - LP: #1369711
  * USB: Fix persist resume of some SS USB devices
    - LP: #1369711
  * drm/radeon: fix irq ring buffer overflow handling
    - LP: #1369711
  * hwmon: (smsc47m192) Fix temperature limit and vrm write operations
    - LP: #1369711
  * staging: vt6655: Fix Warning on boot handle_irq_event_percpu.
    - LP: #1369711
  * staging: vt6655: Fix disassociated messages every 10 seconds
    - LP: #1369711
  * bfa: Fix undefined bit shift on big-endian architectures with 32-bit DMA address
    - LP: #1369711
  * hpsa: fix bad -ENOMEM return value in hpsa_big_passthru_ioctl
    - LP: #1369711
  * Drivers: scsi: storvsc: Implement a eh_timed_out handler
    - LP: #1369711
  * Fix gcc-4.9.0 miscompilation of load_balance() in scheduler
    - LP: #1369711
  * iommu/vt-d: Exclude devices using RMRRs from IOMMU API domains
    - LP: #1369711
  * net: sendmsg: fix NULL pointer dereference
    - LP: #1369711
  * tpm: Provide a generic means to override the chip returned timeouts
    - LP: #1369711
  * hwmon: (ads1015) Fix off-by-one for valid channel index checking
    - LP: #1369711
  * MIPS: tlbex: Fix a missing statement for HUGETLB
    - LP: #1369711
  * MIPS: Prevent user from setting FCSR cause bits
    - LP: #1369711
  * mm, thp: do not allow thp faults to avoid cpuset restrictions
    - LP: #1369711
  * md/raid1,raid10: always abort recover on write error.
    - LP: #1369711
  * ext4: cleanup in ext4_discard_allocated_blocks()
    - LP: #1369711
  * ext4: fix ext4_discard_allocated_blocks() if we can't allocate the pa struct
    - LP: #1369711
  * hwmon: (lm85) Fix various errors on attribute writes
    - LP: #1369711
  * hwmon: (lm78) Fix overflow problems seen when writing large temperature limits
    - LP: #1369711
  * hwmon: (amc6821) Fix return value
    - LP: #1369711
  * hwmon: (amc6821) Fix possible race condition bug
    - LP: #1369711
  * MIPS: GIC: Prevent array overrun
    - LP: #1369711
  * crypto: af_alg - properly label AF_ALG socket
    - LP: #1369711
  * mnt: Change the default remount atime from relatime to the existing value
    - LP: #1369711
  * ARM: OMAP3: Fix choice of omap3_restore_es function in OMAP34XX rev3.1.2 case.
    - LP: #1369711
  * netlabel: use GFP flags from caller instead of GFP_ATOMIC
    - LP: #1369711
  * netlabel: fix a problem when setting bits below the previously lowest bit
    - LP: #1369711
  * USB: serial: ftdi_sio: Annotate the current Xsens PID assignments
    - LP: #1369711
  * USB: serial: ftdi_sio: Add support for new Xsens devices
    - LP: #1369711
  * ALSA: virtuoso: Xonar DSX support
    - LP: #1369711
  * ALSA: virtuoso: add Xonar Essence STX II support
    - LP: #1369711
  * hwmon: (gpio-fan) Prevent overflow problem when writing large limits
    - LP: #1369711
  * hwmon: (sis5595) Prevent overflow problem when writing large limits
    - LP: #1369711
  * drm/ttm: Fix possible stack overflow by recursive shrinker calls.
    - LP: #1369711
  * powerpc/mm/numa: Fix break placement
    - LP: #1369711
  * drm/radeon: load the lm63 driver for an lm64 thermal chip.
    - LP: #1369711
  * RDMA/iwcm: Use a default listen backlog if needed
    - LP: #1369711
  * hwmon: (lm92) Prevent overflow problem when writing large limits
    - LP: #1369711
  * hwmon: (ads1015) Fix out-of-bounds array access
    - LP: #1369711
  * s390/locking: Reenable optimistic spinning
    - LP: #1369711
  * ring-buffer: Up rb_iter_peek() loop count to 3
    - LP: #1369711
  * ring-buffer: Always reset iterator to reader page
    - LP: #1369711
  * x86/xen: resume timer irqs early
    - LP: #1369711
  * carl9170: fix sending URBs with wrong type when using full-speed
    - LP: #1369711
  * reiserfs: Fix use after free in journal teardown
    - LP: #1369711
  * powerpc: Fix build errors STRICT_MM_TYPECHECKS
    - LP: #1369711
  * powerpc/mm: Use read barrier when creating real_pte
    - LP: #1369711
  * ASoC: pxa-ssp: drop SNDRV_PCM_FMTBIT_S24_LE
    - LP: #1369711
  * Btrfs: fix csum tree corruption, duplicate and outdated checksums
    - LP: #1369711
  * ALSA: hda/realtek - Avoid setting wrong COEF on ALC269 & co
    - LP: #1369711
  * CIFS: Fix wrong directory attributes after rename
    - LP: #1369711
  * md/raid6: avoid data corruption during recovery of double-degraded RAID6
    - LP: #1369711
  * USB: option: add VIA Telecom CDS7 chipset device id
    - LP: #1369711
  * USB: ftdi_sio: add Basic Micro ATOM Nano USB2Serial PID
    - LP: #1369711
  * USB: serial: pl2303: add device id for ztek device
    - LP: #1369711
  * USB: ftdi_sio: Added PID for new ekey device
    - LP: #1369711
  * iommu/amd: Fix cleanup_domain for mass device removal
    - LP: #1369711
  * pata_scc: propagate return value of scc_wait_after_reset
    - LP: #1369711
  * xhci: Treat not finding the event_seg on COMP_STOP the same as COMP_STOP_INVAL
    - LP: #1369711
  * usb: xhci: amd chipset also needs short TX quirk
    - LP: #1369711
  * MIPS: OCTEON: make get_system_type() thread-safe
    - LP: #1369711
  * xhci: rework cycle bit checking for new dequeue pointers
    - LP: #1369711
  * HID: logitech: perform bounds checking on device_id early enough
    - LP: #1369711
  * HID: fix a couple of off-by-ones
    - LP: #1369711
  * USB: whiteheat: Added bounds checking for bulk command response
    - LP: #1369711
  * HID: logitech-dj: prevent false errors to be shown
    - LP: #1369711
  * ACPI / EC: Add support to disallow QR_EC to be issued when SCI_EVT isn't set
    - LP: #1369711
  * USB: sisusb: add device id for Magic Control USB video
    - LP: #1369711
  * NFSv4: Fix problems with close in the presence of a delegation
    - LP: #1369711
  * HID: magicmouse: sanity check report size in raw_event() callback
    - LP: #1369711
  * HID: picolcd: sanity check report size in raw_event() callback
    - LP: #1369711
  * ARM: 8128/1: abort: don't clear the exclusive monitors
    - LP: #1369711
  * ARM: 8129/1: errata: work around Cortex-A15 erratum 830321 using dummy strex
    - LP: #1369711
  * USB: serial: fix potential stack buffer overflow
    - LP: #1369711
  * USB: serial: fix potential heap buffer overflow
    - LP: #1369711
  * openrisc: add missing header inclusion
    - LP: #1369711
  * MIPS: perf: Fix build error caused by unused counters_per_cpu_to_total()
    - LP: #1369711
  * MIPS: Fix accessing to per-cpu data when flushing the cache
    - LP: #1369711
  * openrisc: include export.h for EXPORT_SYMBOL
    - LP: #1369711
  * inetpeer: get rid of ip_id_count
    - LP: #1369711
  * ip: make IP identifiers less predictable
    - LP: #1369711
  * tcp: Fix integer-overflows in TCP veno
    - LP: #1369711
  * tcp: Fix integer-overflow in TCP vegas
    - LP: #1369711
  * macvlan: Initialize vlan_features to turn on offload support.
    - LP: #1369711
  * iovec: make sure the caller actually wants anything in memcpy_fromiovecend
    - LP: #1369711
  * sctp: fix possible seqlock seadlock in sctp_packet_transmit()
    - LP: #1369711
  * sparc64: Fix argument sign extension for compat_sys_futex().
    - LP: #1369711
  * sparc64: Make itc_sync_lock raw
    - LP: #1369711
  * sparc64: Handle 32-bit tasks properly in compute_effective_address().
    - LP: #1369711
  * sparc64: Fix top-level fault handling bugs.
    - LP: #1369711
  * sparc64: Don't bark so loudly about 32-bit tasks generating 64-bit fault addresses.
    - LP: #1369711
  * sparc64: Fix huge TSB mapping on pre-UltraSPARC-III cpus.
    - LP: #1369711
  * sparc64: Add membar to Niagara2 memcpy code.
    - LP: #1369711
  * sparc64: Do not insert non-valid PTEs into the TSB hash table.
    - LP: #1369711
  * sparc64: Guard against flushing openfirmware mappings.
    - LP: #1369711
  * bbc-i2c: Fix BBC I2C envctrl on SunBlade 2000
    - LP: #1369711
  * sunsab: Fix detection of BREAK on sunsab serial console
    - LP: #1369711
  * sparc64: ldc_connect() should not return EINVAL when handshake is in progress.
    - LP: #1369711
  * arch/sparc/math-emu/math_32.c: drop stray break operator
    - LP: #1369711
  * slab/mempolicy: always use local policy from interrupt context
    - LP: #1369711
  * sparc: use asm-generic version of types.h
    - LP: #1369711
  * x86-64, espfix: Don't leak bits 31:16 of %esp returning to 16-bit stack
    - LP: #1369711
  * x86, espfix: Move espfix definitions into a separate header file
    - LP: #1369711
  * x86, espfix: Fix broken header guard
    - LP: #1369711
  * x86, espfix: Make espfix64 a Kconfig option, fix UML
    - LP: #1369711
  * x86, espfix: Make it possible to disable 16-bit support
    - LP: #1369711
  * x86_64/entry/xen: Do not invoke espfix64 on Xen
    - LP: #1369711
  * x86/espfix/xen: Fix allocation of pages for paravirt page tables
    - LP: #1369711
  * microblaze: Fix makefile to work with latest toolchain
    - LP: #1369711
  * Linux 3.2.63
    - LP: #1369711
  * libceph: add process_one_ticket() helper
    - LP: #1370044, #1370046, #1370047
    - CVE-2014-6418
  * libceph: do not hard code max auth ticket len
    - LP: #1370044, #1370046, #1370047
    - CVE-2014-6418

 -- Kamal Mostafa <ka...@canonical.com>  Wed, 24 Sep 2014 12:16:42 -0700

** Changed in: linux (Ubuntu Precise)
       Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/1348670

Title:
  BUG: unable to handle kernel NULL pointer dereference at 0000000000000010, set_nfsv4_acl_one+0x21/0xb0 [nfsd]

Status in “linux” package in Ubuntu:
  Invalid
Status in “linux” source package in Lucid:
  Invalid
Status in “linux” source package in Precise:
  Fix Released
Status in “linux” source package in Trusty:
  Fix Released
Status in “linux” source package in Utopic:
  Invalid
Status in “linux” package in Debian:
  Fix Released

Bug description:
  I've seen this happen twice in the last 8 days on an NFS server running
  Ubuntu precise and kernels 3.2.0-65.98-generic (on the first occasion)
  and 3.2.0-67.101-generic (the second time), amd64. This never happened
  before in several months of operation; until 2014-07-01 this server was
  running an older 3.2.0 kernel.

  When this error appears in the logs, the system stops answering NFS RPCs
  (e.g., "rpcinfo -u localhost nfs 3" hangs) and a reboot is necessary to
  restore NFS service. A more detailed stack trace follows.

  Looking at the source code (fs/nfsd/vfs.c:set_nfsv4_acl_one()) I see that
  the call posix_acl_xattr_size(pacl->a_count) is not preceded by a check
  that pacl != NULL. Could this be related to the following entry in the
  changelog for 3.2.0-65.98?

  * NFSD: Call ->set_acl with a NULL ACL structure if no entries
    - LP: #1328154

  Jul 24 10:12:53 server kernel: [575939.742131] IP: [<ffffffffa055c451>] set_nfsv4_acl_one+0x21/0xb0 [nfsd]
  Jul 24 10:12:53 server kernel: [575939.742131] PGD c243bb067 PUD c2400a067 PMD 0
  Jul 24 10:12:53 server kernel: [575939.742131] Oops: 0000 [#1] SMP
  Jul 24 10:12:53 server kernel: [575939.742131] CPU 3
  Jul 24 10:12:53 server kernel: [575939.742131] Modules linked in: usblp btrfs zlib_deflate libcrc32c ufs qnx4 hfsplus hfs minix ntfs vfat msdos fat jfs reiserfs ext2 cts openafs(P) xt_tcpudp ipmi_si ipmi_devintf ipmi_msghandler iptable_filter ip_tables x_tables autofs4 bnep parport_pc rfcomm bluetooth ppdev binfmt_misc rpcsec_gss_krb5 nfsd nfs lockd fscache auth_rpcgss nfs_acl sunrpc xfs dm_crypt bridge stp psmouse hpilo sp5100_tco i2c_piix4 amd64_edac_mod hpwdt edac_core k10temp edac_mce_amd joydev serio_raw acpi_power_meter mac_hid lp parport raid10 raid456 async_pq async_xor xor async_memcpy async_raid6_recov raid6_pq async_tx raid1 raid0 multipath linear radeon ttm drm_kms_helper drm osst usbhid hid st ch i2c_algo_bit pata_atiixp hpsa bnx2
  Jul 24 10:12:53 server kernel: [575939.742131]
  Jul 24 10:12:53 server kernel: [575939.742131] Pid: 2523, comm: nfsd Tainted: P           O 3.2.0-67-generic #101-Ubuntu HP ProLiant DL385 G7
  Jul 24 10:12:53 server kernel: [575939.742131] RIP: 0010:[<ffffffffa055c451>]  [<ffffffffa055c451>] set_nfsv4_acl_one+0x21/0xb0 [nfsd]
  Jul 24 10:12:53 server kernel: [575939.742131] RSP: 0018:ffff880422085ce0  EFLAGS: 00010282
  Jul 24 10:12:53 server kernel: [575939.742131] RAX: 0000000000004000 RBX: ffff880e29b16cc0 RCX: 00000000013cc2cc
  Jul 24 10:12:53 server kernel: [575939.742131] RDX: ffffffffa0583374 RSI: 0000000000000000 RDI: ffff880e29b16cc0
  Jul 24 10:12:53 server kernel: [575939.742131] RBP: ffff880422085d10 R08: ffffea002cdf3b80 R09: ffffffffa055c4af
  Jul 24 10:12:53 server kernel: [575939.742131] R10: ffff880b37ceed00 R11: 0000000040000004 R12: 0000000000000000
  Jul 24 10:12:53 server kernel: [575939.742131] R13: ffff8807f56418c0 R14: 0000000000000000 R15: ffff880c2268d180
  Jul 24 10:12:53 server kernel: [575939.742131] FS:  00007fbbbbafd700(0000) GS:ffff88103fc80000(0000) knlGS:0000000000000000
  Jul 24 10:12:53 server kernel: [575939.742131] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
  Jul 24 10:12:53 server kernel: [575939.742131] CR2: 0000000000000010 CR3: 0000000c22d6c000 CR4: 00000000000006e0
  Jul 24 10:12:53 server kernel: [575939.742131] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  Jul 24 10:12:53 server kernel: [575939.742131] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
  Jul 24 10:12:53 server kernel: [575939.742131] Process nfsd (pid: 2523, threadinfo ffff880422084000, task ffff880425964500)
  Jul 24 10:12:53 server kernel: [575939.742131] Stack:
  Jul 24 10:12:53 server kernel: [575939.742131]  ffff880c2268d040 ffff880e29b16cc0 0000000000000000 ffff8807f56418c0
  Jul 24 10:12:53 server kernel: [575939.742131]  0000000000000000 ffff880c2268d180 ffff880422085d50 ffffffffa055d5e3
  Jul 24 10:12:53 server kernel: [575939.742131]  ffff880b37cee840 0000000000000000 ffff880c22684000 ffff880c2268d040
  Jul 24 10:12:53 server kernel: [575939.742131] Call Trace:
  Jul 24 10:12:53 server kernel: [575939.742131]  [<ffffffffa055d5e3>] nfsd4_set_nfs4_acl+0x143/0x150 [nfsd]
  Jul 24 10:12:53 server kernel: [575939.742131]  [<ffffffffa056ab74>] nfsd4_setattr+0xd4/0x130 [nfsd]
  Jul 24 10:12:53 server kernel: [575939.742131]  [<ffffffffa0569be8>] nfsd4_proc_compound+0x518/0x6e0 [nfsd]
  Jul 24 10:12:53 server kernel: [575939.742131]  [<ffffffffa0558a4b>] nfsd_dispatch+0xeb/0x230 [nfsd]
  Jul 24 10:12:53 server kernel: [575939.742131]  [<ffffffffa03ae475>] svc_process_common+0x345/0x690 [sunrpc]
  Jul 24 10:12:53 server kernel: [575939.742131]  [<ffffffff81060ad0>] ? try_to_wake_up+0x200/0x200
  Jul 24 10:12:53 server kernel: [575939.742131]  [<ffffffffa03aeb12>] svc_process+0x102/0x150 [sunrpc]
  Jul 24 10:12:53 server kernel: [575939.742131]  [<ffffffffa05581ad>] nfsd+0xbd/0x160 [nfsd]
  Jul 24 10:12:53 server kernel: [575939.742131]  [<ffffffffa05580f0>] ? nfsd_startup+0xf0/0xf0 [nfsd]
  Jul 24 10:12:53 server kernel: [575939.742131]  [<ffffffff8108b8cc>] kthread+0x8c/0xa0
  Jul 24 10:12:53 server kernel: [575939.742131]  [<ffffffff8166deb4>] kernel_thread_helper+0x4/0x10
  Jul 24 10:12:53 server kernel: [575939.742131]  [<ffffffff8108b840>] ? flush_kthread_worker+0xa0/0xa0
  Jul 24 10:12:53 server kernel: [575939.742131]  [<ffffffff8166deb0>] ? gs_change+0x13/0x13
  Jul 24 10:12:53 server kernel: [575939.742131] Code: 19 c0 f7 d0 83 e0 02 c3 90 90 55 48 89 e5 48 83 ec 30 48 89 5d d8 4c 89 65 e0 4c 89 6d e8 4c 89 75 f0 4c 89 7d f8 66 66 66 66 90 <48> 63 46 10 49 89 fd 49 89 f6 be d0 00 00 00 49 89 d4 4c 8d 3c
  Jul 24 10:12:53 server kernel: [575939.742131] RIP  [<ffffffffa055c451>] set_nfsv4_acl_one+0x21/0xb0 [nfsd]
  Jul 24 10:12:53 server kernel: [575939.742131]  RSP <ffff880422085ce0>
  Jul 24 10:12:53 server kernel: [575939.742131] CR2: 0000000000000010
  Jul 24 10:12:53 server kernel: [575942.132715] ---[ end trace ba2b82e486b77140 ]---
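Reading the oops against the reporter's hypothesis: the faulting bytes at RIP, `<48> 63 46 10`, decode to `movslq 0x10(%rsi),%rax`, a sign-extending 32-bit load 0x10 bytes past the pointer in RSI, and the register dump shows RSI = 0 with CR2 = 0x10. Under the x86-64 calling convention RSI carries the second argument, which for the 3.2 `set_nfsv4_acl_one(dentry, pacl, key)` the reporter cites is `pacl`, so this is a 32-bit count being read through a NULL `pacl`, exactly the unguarded `posix_acl_xattr_size(pacl->a_count)` the description points at (the 0x10 offset depends on this kernel's `struct posix_acl` layout, which the report does not show). The C program below is an added example, not kernel code and not part of the bug report: it models that write path in user space, with the unchecked shape beside a form that treats a NULL ACL as "remove the xattr", which is what a caller passing NULL for "no entries" intends. The struct names and the `system.posix_acl_*` xattr layout follow the kernel; the one-slot xattr store, `ACL_MAX_ENTRIES` and `make_acl()` are assumptions made for the demo.

```c
/*
 * Added example, not kernel code: a user-space model of the ACL write path that
 * oopsed above. Kernel names and the real system.posix_acl_* layout (4-byte
 * version header, 8-byte entries) are kept; the one-slot xattr store,
 * ACL_MAX_ENTRIES and make_acl() are assumptions for this demo, and fields are
 * written in host byte order where the real xattr is little-endian.
 */
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define POSIX_ACL_XATTR_VERSION 0x0002
#define ACL_MAX_ENTRIES 8                   /* demo limit; the kernel's is larger */

struct posix_acl_entry { short e_tag; unsigned short e_perm; unsigned int e_id; };
struct posix_acl {
    unsigned int a_count;
    struct posix_acl_entry a_entries[ACL_MAX_ENTRIES];
};
typedef struct { uint32_t a_version; } posix_acl_xattr_header;
typedef struct { uint16_t e_tag; uint16_t e_perm; uint32_t e_id; } posix_acl_xattr_entry;
#define XATTR_MAX (sizeof(posix_acl_xattr_header) + ACL_MAX_ENTRIES * sizeof(posix_acl_xattr_entry))

/* Same formula as the kernel helper: one header plus one record per entry. */
size_t posix_acl_xattr_size(int count) { return sizeof(posix_acl_xattr_header) + (size_t)count * sizeof(posix_acl_xattr_entry); }

/* Hypothetical one-slot store standing in for vfs_setxattr()/vfs_removexattr(). */
static unsigned char xattr_buf[XATTR_MAX];
static size_t xattr_len;
static int xattr_present;
size_t stored_xattr_len(void) { return xattr_len; }
int stored_xattr_present(void) { return xattr_present; }

static int fake_setxattr(const void *value, size_t len)
{
    if (len > sizeof xattr_buf)
        return -ERANGE;
    memcpy(xattr_buf, value, len);
    xattr_len = len;
    xattr_present = 1;
    return 0;
}

static int fake_removexattr(void)
{
    if (!xattr_present)
        return -ENODATA;
    xattr_present = 0;
    xattr_len = 0;
    return 0;
}

/* Serialise pacl into the xattr format and store it. Dereferences pacl. */
static int encode_and_set(const struct posix_acl *pacl)
{
    unsigned char buf[XATTR_MAX], *p = buf;
    size_t len = posix_acl_xattr_size((int)pacl->a_count);   /* the read that faulted */
    posix_acl_xattr_header hdr = { POSIX_ACL_XATTR_VERSION };
    unsigned int i;

    if (pacl->a_count > ACL_MAX_ENTRIES)    /* bound the loop before writing */
        return -E2BIG;
    memcpy(p, &hdr, sizeof hdr);
    p += sizeof hdr;
    for (i = 0; i < pacl->a_count; i++, p += sizeof(posix_acl_xattr_entry)) {
        posix_acl_xattr_entry e = { (uint16_t)pacl->a_entries[i].e_tag,
                                    pacl->a_entries[i].e_perm, pacl->a_entries[i].e_id };
        memcpy(p, &e, sizeof e);
    }
    return fake_setxattr(buf, len);
}

/* Shape of the code that faulted: pacl->a_count is read before anything checks
 * the pointer, so a caller passing NULL to mean "no entries" reads through NULL. */
int set_acl_one_unchecked(const struct posix_acl *pacl) { return encode_and_set(pacl); }

/* Hardened form: NULL means "no ACL entries", so remove the xattr instead of
 * sizing it, and treat an already-absent xattr as success for that intent. */
int set_acl_one(const struct posix_acl *pacl)
{
    if (pacl == NULL) {
        int err = fake_removexattr();
        return err == -ENODATA ? 0 : err;
    }
    if (pacl->a_count > ACL_MAX_ENTRIES)
        return -EINVAL;
    return encode_and_set(pacl);
}

/* Constructed sample: `count` ACL_GROUP (0x08) entries with r-x; the fill is
 * clamped to the demo limit so an oversized a_count can still be handed in. */
struct posix_acl *make_acl(unsigned int count)
{
    static struct posix_acl acl;
    unsigned int i;

    memset(&acl, 0, sizeof acl);
    acl.a_count = count;
    for (i = 0; i < count && i < ACL_MAX_ENTRIES; i++) {
        acl.a_entries[i].e_tag = 0x08;
        acl.a_entries[i].e_perm = 5;
        acl.a_entries[i].e_id = 1000 + i;
    }
    return &acl;
}
```

`set_acl_one(NULL)` drops the stored xattr and returns 0, whereas `set_acl_one_unchecked(NULL)` would fault on the same load the nfsd thread died on. The `a_count` bound (`-EINVAL` in the checked entry point, `-E2BIG` in the serialiser) is the other check a routine like this needs, since the entry loop writes `a_count` records into a fixed-size buffer; the SAUCE patch in the changelog above is the Ubuntu fix for the NULL case, and its exact form is not shown on this page.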