This bug was fixed in the package linux - 4.15.0-46.49

---------------
linux (4.15.0-46.49) bionic; urgency=medium

  * linux: 4.15.0-46.49 -proposed tracker (LP: #1814726)

  * mprotect fails on ext4 with dax (LP: #1799237)
    - x86/speculation/l1tf: Exempt zeroed PTEs from inversion

  * kernel BUG at /build/linux-vxxS7y/linux-4.15.0/mm/slub.c:296! (LP: #1812086)
    - iscsi target: fix session creation failure handling
    - scsi: iscsi: target: Set conn->sess to NULL when iscsi_login_set_conn_values fails
    - scsi: iscsi: target: Fix conn_ops double free

  * user_copy in user from ubuntu_kernel_selftests failed on KVM kernel (LP: #1812198)
    - selftests: user: return Kselftest Skip code for skipped tests
    - selftests: kselftest: change KSFT_SKIP=4 instead of KSFT_PASS
    - selftests: kselftest: Remove outdated comment

  * RTL8822BE WiFi Disabled in Kernel 4.18.0-12 (LP: #1806472)
    - SAUCE: staging: rtlwifi: allow RTLWIFI_DEBUG_ST to be disabled
    - [Config] CONFIG_RTLWIFI_DEBUG_ST=n
    - SAUCE: Add r8822be to signature inclusion list

  * kernel oops in bcache module (LP: #1793901)
    - SAUCE: bcache: never writeback a discard operation

  * CVE-2018-18397
    - userfaultfd: use ENOENT instead of EFAULT if the atomic copy user fails
    - userfaultfd: shmem: allocate anonymous memory for MAP_PRIVATE shmem
    - userfaultfd: shmem/hugetlbfs: only allow to register VM_MAYWRITE vmas
    - userfaultfd: shmem: add i_size checks
    - userfaultfd: shmem: UFFDIO_COPY: set the page dirty if VM_WRITE is not set

  * Ignore "incomplete report" from Elan touchpanels (LP: #1813733)
    - HID: i2c-hid: Ignore input report if there's no data present on Elan touchpanels

  * Vsock connect fails with ENODEV for large CID (LP: #1813934)
    - vhost/vsock: fix vhost vsock cid hashing inconsistent

  * SRU: Fix thinkpad 11e 3rd boot hang (LP: #1804604)
    - ACPI / LPSS: Force LPSS quirks on boot

  * Bionic update: upstream stable patchset 2019-01-17 (LP: #1812229)
    - scsi: sd_zbc: Fix variable type and bogus comment
    - KVM/Eventfd: Avoid crash when assign and deassign specific eventfd in parallel.
    - x86/apm: Don't access __preempt_count with zeroed fs
    - x86/events/intel/ds: Fix bts_interrupt_threshold alignment
    - x86/MCE: Remove min interval polling limitation
    - fat: fix memory allocation failure handling of match_strdup()
    - ALSA: hda/realtek - Add Panasonic CF-SZ6 headset jack quirk
    - ARCv2: [plat-hsdk]: Save accl reg pair by default
    - ARC: Fix CONFIG_SWAP
    - ARC: configs: Remove CONFIG_INITRAMFS_SOURCE from defconfigs
    - ARC: mm: allow mprotect to make stack mappings executable
    - mm: memcg: fix use after free in mem_cgroup_iter()
    - mm/huge_memory.c: fix data loss when splitting a file pmd
    - cpufreq: intel_pstate: Register when ACPI PCCH is present
    - vfio/pci: Fix potential Spectre v1
    - stop_machine: Disable preemption when waking two stopper threads
    - drm/i915: Fix hotplug irq ack on i965/g4x
    - drm/nouveau: Use drm_connector_list_iter_* for iterating connectors
    - drm/nouveau: Avoid looping through fake MST connectors
    - gen_stats: Fix netlink stats dumping in the presence of padding
    - ipv4: Return EINVAL when ping_group_range sysctl doesn't map to user ns
    - ipv6: fix useless rol32 call on hash
    - ipv6: ila: select CONFIG_DST_CACHE
    - lib/rhashtable: consider param->min_size when setting initial table size
    - net: diag: Don't double-free TCP_NEW_SYN_RECV sockets in tcp_abort
    - net: Don't copy pfmemalloc flag in __copy_skb_header()
    - skbuff: Unconditionally copy pfmemalloc in __skb_clone()
    - net/ipv4: Set oif in fib_compute_spec_dst
    - net: phy: fix flag masking in __set_phy_supported
    - ptp: fix missing break in switch
    - qmi_wwan: add support for Quectel EG91
    - tg3: Add higher cpu clock for 5762.
    - hv_netvsc: Fix napi reschedule while receive completion is busy
    - net/mlx4_en: Don't reuse RX page when XDP is set
    - net: systemport: Fix CRC forwarding check for SYSTEMPORT Lite
    - ipv6: make DAD fail with enhanced DAD when nonce length differs
    - net: usb: asix: replace mii_nway_restart in resume path
    - alpha: fix osf_wait4() breakage
    - cxl_getfile(): fix double-iput() on alloc_file() failures
    - powerpc/powernv: Fix save/restore of SPRG3 on entry/exit from stop (idle)
    - xhci: Fix perceived dead host due to runtime suspend race with event handler
    - KVM: irqfd: fix race between EPOLLHUP and irq_bypass_register_consumer
    - x86/kvmclock: set pvti_cpu0_va after enabling kvmclock
    - ALSA: hda/realtek - Yet another Clevo P950 quirk entry
    - drm/amdgpu: Reserve VM root shared fence slot for command submission (v3)
    - rhashtable: add restart routine in rhashtable_free_and_destroy()
    - sch_fq_codel: zero q->flows_cnt when fq_codel_init fails
    - sctp: introduce sctp_dst_mtu
    - sctp: fix the issue that pathmtu may be set lower than MINSEGMENT
    - net: aquantia: vlan unicast address list correct handling
    - drm_mode_create_lease_ioctl(): fix open-coded filp_clone_open()

  * Bionic update: upstream stable patchset 2019-01-15 (LP: #1811877)
    - compiler-gcc.h: Add __attribute__((gnu_inline)) to all inline declarations
    - x86/asm: Add _ASM_ARG* constants for argument registers to <asm/asm.h>
    - x86/paravirt: Make native_save_fl() extern inline
    - Btrfs: fix duplicate extents after fsync of file with prealloc extents
    - cpufreq / CPPC: Set platform specific transition_delay_us
    - PCI: exynos: Fix a potential init_clk_resources NULL pointer dereference
    - alx: take rtnl before calling __alx_open from resume
    - atm: Preserve value of skb->truesize when accounting to vcc
    - atm: zatm: Fix potential Spectre v1
    - ipv6: sr: fix passing wrong flags to crypto_alloc_shash()
    - ipvlan: fix IFLA_MTU ignored on NEWLINK
    - ixgbe: split XDP_TX tail and XDP_REDIRECT map flushing
    - net: dccp: avoid crash in ccid3_hc_rx_send_feedback()
    - net: dccp: switch rx_tstamp_last_feedback to monotonic clock
    - net: fix use-after-free in GRO with ESP
    - net: macb: Fix ptp time adjustment for large negative delta
    - net/mlx5e: Avoid dealing with vport representors if not being e-switch manager
    - net/mlx5: E-Switch, Avoid setup attempt if not being e-switch manager
    - net/mlx5: Fix command interface race in polling mode
    - net/mlx5: Fix incorrect raw command length parsing
    - net/mlx5: Fix required capability for manipulating MPFS
    - net/mlx5: Fix wrong size allocation for QoS ETC TC regitster
    - net: mvneta: fix the Rx desc DMA address in the Rx path
    - net/packet: fix use-after-free
    - net_sched: blackhole: tell upper qdisc about dropped packets
    - net: sungem: fix rx checksum support
    - net/tcp: Fix socket lookups with SO_BINDTODEVICE
    - qede: Adverstise software timestamp caps when PHC is not available.
    - qed: Fix setting of incorrect eswitch mode.
    - qed: Fix use of incorrect size in memcpy call.
    - qed: Limit msix vectors in kdump kernel to the minimum required count.
    - r8152: napi hangup fix after disconnect
    - stmmac: fix DMA channel hang in half-duplex mode
    - strparser: Remove early eaten to fix full tcp receive buffer stall
    - tcp: fix Fast Open key endianness
    - tcp: prevent bogus FRTO undos with non-SACK flows
    - vhost_net: validate sock before trying to put its fd
    - VSOCK: fix loopback on big-endian systems
    - net: cxgb3_main: fix potential Spectre v1
    - rtlwifi: Fix kernel Oops "Fw download fail!!"
    - rtlwifi: rtl8821ae: fix firmware is not ready to run
    - net: lan78xx: Fix race in tx pending skb size calculation
    - crypto: af_alg - Initialize sg_num_bytes in error code path
    - mtd: rawnand: denali_dt: set clk_x_rate to 200 MHz unconditionally
    - PCI: hv: Disable/enable IRQs rather than BH in hv_compose_msi_msg()
    - netfilter: ebtables: reject non-bridge targets
    - reiserfs: fix buffer overflow with long warning messages
    - KEYS: DNS: fix parsing multiple options
    - tls: Stricter error checking in zerocopy sendmsg path
    - autofs: fix slab out of bounds read in getname_kernel()
    - nsh: set mac len based on inner packet
    - bdi: Fix another oops in wb_workfn()
    - rds: avoid unenecessary cong_update in loop transport
    - net/nfc: Avoid stalls when nfc_alloc_send_skb() returned NULL.
    - string: drop __must_check from strscpy() and restore strscpy() usages in cgroup
    - nfsd: COPY and CLONE operations require the saved filehandle to be set
    - net/sched: act_ife: fix recursive lock and idr leak
    - net/sched: act_ife: preserve the action control in case of error
    - hinic: reset irq affinity before freeing irq
    - nfp: flower: fix mpls ether type detection
    - net: macb: initialize bp->queues[0].bp for at91rm9200
    - enic: do not overwrite error code
    - virtio_net: fix memory leak in XDP_REDIRECT
    - netfilter: ipv6: nf_defrag: drop skb dst before queueing
    - ipvs: initialize tbl->entries after allocation
    - ipvs: initialize tbl->entries in ip_vs_lblc_init_svc()
    - bpf: enforce correct alignment for instructions
    - bpf, arm32: fix to use bpf_jit_binary_lock_ro api

  * Fix non-working pinctrl-intel (LP: #1811777)
    - pinctrl: intel: Implement intel_gpio_get_direction callback
    - pinctrl: intel: Do pin translation in other GPIO operations as well

  * ip6_gre: fix tunnel list corruption for x-netns (LP: #1812875)
    - ip6_gre: fix tunnel list corruption for x-netns

  * Userspace break as a result of missing patch backport (LP: #1813873)
    - tty: Don't hold ldisc lock in tty_reopen() if ldisc present

  * kvm_stat : missing python dependency (LP: #1798776)
    - tools/kvm_stat: fix python3 issues
    - tools/kvm_stat: switch to python3

  * [SRU] Fix Xorg crash with nomodeset when BIOS enable 64-bit fb addr (LP: #1812797)
    - vgaarb: Add support for 64-bit frame buffer address
    - vgaarb: Keep adding VGA device in queue

  * Fix non-working QCA Rome Bluetooth after S3 (LP: #1812812)
    - USB: Add new USB LPM helpers
    - USB: Consolidate LPM checks to avoid enabling LPM twice

  * ptrace-tm-spd-gpr in powerpc/ptrace from ubuntu_kerenl_selftests failed on Bionic P8 (LP: #1813127)
    - selftests/powerpc: Fix ptrace tm failure

  * [SRU] IO's are issued with incorrect Scatter Gather Buffer (LP: #1795453)
    - scsi: megaraid_sas: Use 63-bit DMA addressing

  * Consider enabling CONFIG_NETWORK_PHY_TIMESTAMPING (LP: #1785816)
    - [Config] Enable timestamping in network PHY devices

  * CVE-2018-19854
    - crypto: user - fix leaking uninitialized memory to userspace

  * x86/mm: Found insecure W+X mapping at address (ptrval)/0xc00a0000 (LP: #1813532)
    - x86/mm: Do not warn about PCI BIOS W+X mappings

  * CVE-2019-6133
    - fork: record start_time late

  * Fix not working Goodix touchpad (LP: #1811929)
    - HID: i2c-hid: Disable runtime PM on Goodix touchpad

  * bluetooth controller not detected with 4.15 kernel (LP: #1810797)
    - SAUCE: btqcomsmd: introduce BT_QCOMSMD_HACK
    - [Config] arm64: snapdragon: BT_QCOMSMD_HACK=y

  * X1 Extreme: only one of the two SSDs is loaded (LP: #1811755)
    - nvme-core: rework a NQN copying operation
    - nvme: pad fake subsys NQN vid and ssvid with zeros
    - nvme: introduce NVME_QUIRK_IGNORE_DEV_SUBNQN

  * Crash on "ip link add foo type ipip" (LP: #1811803)
    - SAUCE: fan: Fix NULL pointer dereference

 -- Khalid Elmously <khalid.elmou...@canonical.com>  Wed, 06 Feb 2019 04:57:21 +0000

** Changed in: linux (Ubuntu Bionic)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-18397

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-19854

** CVE added:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-6133

https://bugs.launchpad.net/bugs/1812086

Title:
  kernel BUG at /build/linux-vxxS7y/linux-4.15.0/mm/slub.c:296!

Status in linux package in Ubuntu:
  Confirmed
Status in linux source package in Bionic:
  Fix Released

Bug description:
  == SRU Justification ==

  Rebooting an iSCSI target while the initiator is writing to a LUN
  leads to the following trace:

  [ 59.879202] ------------[ cut here ]------------
  [ 59.879202] kernel BUG at /build/linux-vxxS7y/linux-4.15.0/mm/slub.c:296!
  [ 59.880636] invalid opcode: 0000 [#1] SMP PTI
  [ 59.881569] Modules linked in: iscsi_target_mod target_core_pscsi target_core_file target_core_iblock target_core_user uio target_core_mod nls_iso8859_1 kvm_intel isofs kvm irqbypass joydev input_leds serio_raw sch_fq_codel ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear psmouse virtio_blk virtio_net floppy
  [ 59.891096] CPU: 0 PID: 1027 Comm: iscsi_np Not tainted 4.15.0-43-generic #46-Ubuntu
  [ 59.892726] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.1-1ubuntu1 04/01/2014
  [ 59.894606] RIP: 0010:kfree+0x16a/0x180
  [ 59.895429] RSP: 0018:ffffac0d8050fe58 EFLAGS: 00010246
  [ 59.896531] RAX: ffff9cf099475800 RBX: ffff9cf099475800 RCX: ffff9cf099475800
  [ 59.898083] RDX: 0000000000011bbb RSI: ffff9cf09fc27140 RDI: ffff9cf09f002000
  [ 59.899627] RBP: ffffac0d8050fe70 R08: 0000000000000000 R09: ffffffffc07a329b
  [ 59.901186] R10: ffffe95780651d40 R11: ffffffffa511dc90 R12: ffff9cf099625600
  [ 59.902769] R13: ffffffffc07a329b R14: ffff9cf09ee07600 R15: ffff9cf099475800
  [ 59.904321] FS: 0000000000000000(0000) GS:ffff9cf09fc00000(0000) knlGS:0000000000000000
  [ 59.906120] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [ 59.907806] CR2: 00007f7153b88470 CR3: 000000001babe000 CR4: 00000000000006f0
  [ 59.909376] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  [ 59.910950] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
  [ 59.913098] Call Trace:
  [ 59.913783] iscsi_target_login_sess_out+0x1fb/0x250 [iscsi_target_mod]
  [ 59.915292] iscsi_target_login_thread+0x44d/0x1060 [iscsi_target_mod]
  [ 59.916775] kthread+0x121/0x140
  [ 59.917622] ? iscsi_target_login_sess_out+0x250/0x250 [iscsi_target_mod]
  [ 59.919244] ? kthread_create_worker_on_cpu+0x70/0x70
  [ 59.920483] ? do_syscall_64+0x73/0x130
  [ 59.921460] ? SyS_exit_group+0x14/0x20
  [ 59.922583] ret_from_fork+0x35/0x40
  [ 59.923523] Code: c4 80 74 04 41 8b 72 6c 4c 89 d7 e8 61 1c f9 ff eb 86 41 b8 01 00 00 00 48 89 d9 48 89 da 4c 89 d6 e8 8b f6 ff ff e9 6d ff ff ff <0f> 0b 48 8b 3d 6d c4 1c 01 e9 c9 fe ff ff 0f 1f 84 00 00 00 00
  [ 59.927778] RIP: kfree+0x16a/0x180 RSP: ffffac0d8050fe58
  [ 59.929063] ---[ end trace 082da4d341633d3e ]---

  == Fix ==

  Backport the following 3 commits:
  * scsi: iscsi: target: Fix conn_ops double free
  * scsi: iscsi: target: Set conn->sess to NULL when iscsi_login_set_conn_values fails
  * iscsi target: fix session creation failure handling

  == Regression Potential ==

  Low. Clean cherry-picks that modify a very isolated area.

  == Test ==

  Set up an iSCSI target using the scsi_target_user module and
  tcmu_runner. Set up an initiator to connect to the target and do IOs.
  Reboot the target. When the target comes back, the kernel falls over
  when the initiator tries to re-connect.
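
The failure pattern named by the backported commits (a failing login step and the common cleanup path both releasing the same object), as an added example that is not part of the bug report or the kernel source: a simplified user-space C model beside the variant that sets the pointer to NULL on failure. The struct and function names, and the assumption that the failing step releases the session itself, are illustrative.

```c
#include <stdio.h>
#include <stddef.h>

/* Simplified user-space model (assumption): names are illustrative and
 * this is not the iscsi_target_mod source. */
struct sess { int released; };
struct conn { struct sess *sess; };

/* Stand-in for kfree(): NULL is a no-op; releasing an object twice is
 * reported (returns 1) instead of corrupting an allocator freelist. */
static int model_kfree(struct sess *s)
{
    if (!s)
        return 0;
    if (s->released)
        return 1;
    s->released = 1;
    return 0;
}

/* Login step that fails after releasing the session it was handed.
 * clear_on_fail selects the hardened behaviour: drop the stale pointer. */
static int set_conn_values(struct conn *c, int clear_on_fail)
{
    model_kfree(c->sess);
    if (clear_on_fail)
        c->sess = NULL;
    return -1;
}

/* Common cleanup reached on every login failure. */
static int login_sess_out(struct conn *c)
{
    int double_free = model_kfree(c->sess);
    c->sess = NULL;
    return double_free;
}

/* Runs one failed login; returns 1 if the session was released twice. */
int failed_login(int clear_on_fail)
{
    struct sess s = { 0 };
    struct conn c = { &s };
    return set_conn_values(&c, clear_on_fail) < 0 ? login_sess_out(&c) : 0;
}

int main(void)
{
    printf("stale pointer kept:  double free = %d\n", failed_login(0));
    printf("pointer set to NULL: double free = %d\n", failed_login(1));
    return 0;
}
```

In the model the second release is only counted; in the trace above the equivalent second kfree() is what stopped the kernel with the BUG in mm/slub.c.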