This bug was fixed in the package linux - 4.8.0-27.29

---------------
linux (4.8.0-27.29) yakkety; urgency=low

  [ Seth Forshee ]

  * Release Tracking Bug
    - LP: #1635377

  * proc_keys_show crash when reading /proc/keys (LP: #1634496)
    - SAUCE: KEYS: ensure xbuf is large enough to fix buffer overflow in proc_keys_show (LP: #1634496)

  * Revert "If zone is so small that watermarks are the same, stop zone balance" in yakkety (LP: #1632894)
    - Revert "UBUNTU: SAUCE: (no-up) If zone is so small that watermarks are the same, stop zone balance."

  * lts-yakkety 4.8 cannot mount lvm raid1 (LP: #1631298)
    - SAUCE: (no-up) dm raid: fix compat_features validation

  * kswapd0 100% CPU usage (LP: #1518457)
    - SAUCE: (no-up) If zone is so small that watermarks are the same, stop zone balance.

  * [Trusty->Yakkety] powerpc/64: Fix incorrect return value from __copy_tofrom_user (LP: #1632462)
    - SAUCE: (no-up) powerpc/64: Fix incorrect return value from __copy_tofrom_user

  * Ubuntu 16.10: Oops panic in move_page_tables/page_remove_rmap after running memory_stress_ng. (LP: #1628976)
    - SAUCE: (no-up) powerpc/pseries: Fix stack corruption in htpe code

  * Paths not failed properly when unmapping virtual FC ports in VIOS (using ibmvfc) (LP: #1632116)
    - scsi: ibmvfc: Fix I/O hang when port is not mapped

  * [Ubuntu16.10]KV4.8: kernel livepatch config options are not set (LP: #1626983)
    - [Config] Enable live patching on powerpc/ppc64el

  * CONFIG_AUFS_XATTR is not set (LP: #1557776)
    - [Config] CONFIG_AUFS_XATTR=y

  * Yakkety update to 4.8.1 stable release (LP: #1632445)
    - arm64: debug: avoid resetting stepping state machine when TIF_SINGLESTEP
    - Using BUG_ON() as an assert() is _never_ acceptable
    - usb: misc: legousbtower: Fix NULL pointer deference
    - Staging: fbtft: Fix bug in fbtft-core
    - usb: usbip: vudc: fix left shift overflow
    - USB: serial: cp210x: Add ID for a Juniper console
    - Revert "usbtmc: convert to devm_kzalloc"
    - ALSA: hda - Adding one more ALC255 pin definition for headset problem
    - ALSA: hda - Fix headset mic detection problem for several Dell laptops
    - ALSA: hda - Add the top speaker pin config for HP Spectre x360
    - Linux 4.8.1

  * PSL data cache should be flushed before resetting CAPI adapter (LP: #1632049)
    - cxl: Flush PSL cache before resetting the adapter

  * thunder nic: avoid link delays due to RX_PACKET_DIS (LP: #1630038)
    - net: thunderx: Don't set RX_PACKET_DIS while initializing

  * crypto/vmx/p8_ghash memory corruption (LP: #1630970)
    - crypto: ghash-generic - move common definitions to a new header file
    - crypto: vmx - Fix memory corruption caused by p8_ghash
    - crypto: vmx - Ensure ghash-generic is enabled

  * arm64: SPCR console not autodetected (LP: #1630311)
    - of/serial: move earlycon early_param handling to serial
    - [Config] CONFIG_ACPI_SPCR_TABLE=y
    - ACPI: parse SPCR and enable matching console
    - ARM64: ACPI: enable ACPI_SPCR_TABLE
    - serial: pl011: add console matching function

  * include/linux/security.h header syntax error with !CONFIG_SECURITYFS (LP: #1630990)
    - SAUCE: (no-up) include/linux/security.h -- fix syntax error with CONFIG_SECURITYFS=n

  * sha1-powerpc returning wrong results (LP: #1629977)
    - crypto: sha1-powerpc - little-endian support

 -- Seth Forshee <seth.fors...@canonical.com>  Thu, 20 Oct 2016 14:09:37 -0500

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1632462

Title:
  [Trusty->Yakkety] powerpc/64: Fix incorrect return value from __copy_tofrom_user

Status in linux package in Ubuntu: Fix Committed
Status in linux source package in Trusty: Fix Released
Status in linux source package in Xenial: Fix Released
Status in linux source package in Yakkety: Fix Released

Bug description:
  == SRU Justification ==

  Impacts all releases from Trusty through Yakkety

  http://paste.ubuntu.com/23309548/

  From ca47910e3b549501b6a3ff786174d2f0d4748ccf Mon Sep 17 00:00:00 2001
  From: Paul Mackerras <pau...@ozlabs.org>
  Date: Tue, 11 Oct 2016 22:18:58 +1100
  Subject: [PATCH] powerpc/64: Fix incorrect return value from __copy_tofrom_user

  Debugging a data corruption issue with virtio-net/vhost-net led to the observation that __copy_tofrom_user was occasionally returning a value 16 larger than it should. Since the return value from __copy_tofrom_user is the number of bytes not copied, this means that __copy_tofrom_user can occasionally return a value larger than the number of bytes it was asked to copy. In turn this can cause higher-level copy functions such as copy_page_to_iter_iovec to corrupt memory by copying data into the wrong memory locations.

  It turns out that the failing case involves a fault on the store at label 79, and at that point the first unmodified byte of the destination is at R3 + 16. Consequently the exception handler for that store needs to add 16 to R3 before using it to work out how many bytes were not copied, but in this one case it was not adding the offset to R3. To fix it, this moves the label 179 to the point where we add 16 to R3. I have checked manually all the exception handlers for the loads and stores in this code and the rest of them are correct (it would be excellent to have an automated test of all the exception cases).

  Signed-off-by: Paul Mackerras <pau...@ozlabs.org>
--- arch/powerpc/lib/copyuser_64.S | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/powerpc/lib/copyuser_64.S b/arch/powerpc/lib/copyuser_64.S index f09899e..7b22624 100644 --- a/arch/powerpc/lib/copyuser_64.S +++ b/arch/powerpc/lib/copyuser_64.S @@ -359,6 +359,7 @@ END_FTR_SECTION_IFCLR(CPU_FTR_UNALIGNED_LD_STD) addi r3,r3,8 171: 177: +179: addi r3,r3,8 370: 372:
@@ -373,7 +374,6 @@ END_FTR_SECTION_IFCLR(CPU_FTR_UNALIGNED_LD_STD) 173: 174: 175: -179: 181: 184: 186: -- 2.7.4
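
Review bot: In the first hunk the new 179: label lands ahead of only one visible "addi r3,r3,8", while the commit message says a fault at the store at 79 needs R3 advanced by 16. The rest of the adjustment has to come from fall-through code outside the hunk context, so a one-line comment at the label stating the cumulative offset would let a reader verify the fix without tracing the whole label chain.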
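
Review bot: The second hunk drops 179: from the 173:/174:/175: label group with no test accompanying the change, and the commit message records that the other handlers were checked by hand only. A selftest that forces a fault at each load and store in this routine and asserts that the returned count never exceeds the requested length would cover this case and catch the same class of error in the remaining handlers.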