Bug #231746 “kernel crash in iov_iter_advance (caused by nfs-ker...” : Bugs : linux package : Ubuntu

Revision history for this message

deti (deti) wrote on 2008-05-18:

#1

Kernel messages from boot to nfsd crash Edit (47.6 KiB, text/plain)

Revision history for this message

deti (deti) wrote on 2008-05-20:

#2

There was a fix commited by Nick Piggin (http://linux.derkeiler.com/Mailing-Lists/Kernel/2008-03/msg08396.html) which was included in 2.6.25-rc6. Please apply this patch to standard 8.04 kernel.

--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -1725,21 +1725,27 @@ size_t iov_iter_copy_from_user(struct pa
}
EXPORT_SYMBOL(iov_iter_copy_from_user);

-static void __iov_iter_advance_iov(struct iov_iter *i, size_t bytes)
+void iov_iter_advance(struct iov_iter *i, size_t bytes)
{
+ BUG_ON(i->count < bytes);
+
if (likely(i->nr_segs == 1)) {
i->iov_offset += bytes;
+ i->count -= bytes;
} else {
const struct iovec *iov = i->iov;
size_t base = i->iov_offset;

/*
* The !iov->iov_len check ensures we skip over unlikely
- * zero-length segments.
+ * zero-length segments (without overruning the iovec).
*/
- while (bytes || !iov->iov_len) {
- int copy = min(bytes, iov->iov_len - base);
+ while (bytes || unlikely(!iov->iov_len && i->count)) {
+ int copy;

+ copy = min(bytes, iov->iov_len - base);
+ BUG_ON(!i->count || i->count < copy);
+ i->count -= copy;
bytes -= copy;
base += copy;
if (iov->iov_len == base) {
@@ -1751,14 +1757,6 @@ static void __iov_iter_advance_iov(struc
i->iov_offset = base;
}
}
-
-void iov_iter_advance(struct iov_iter *i, size_t bytes)
-{
- BUG_ON(i->count < bytes);
-
- __iov_iter_advance_iov(i, bytes);
- i->count -= bytes;
-}
EXPORT_SYMBOL(iov_iter_advance);

/*

Revision history for this message

deti (deti) wrote on 2008-05-21:

#3

Patch to fix the crash in iov_iter_advance Edit (1.2 KiB, text/plain)

Revision history for this message

deti (deti) wrote on 2008-05-21:

#4

A fixed xen kernel for the x86_64 platform can be downloaded from:

http://www.fliegl.de/download/linux-image-2.6.24-16-xen_2.6.24-16.30_amd64.deb
http://www.fliegl.de/download/linux-headers-2.6.24-16-xen_2.6.24-16.30_amd64.deb

(This kernel also includes the patch of Hirano Takahito to fix xen networking. See Bug #218126)

Revision history for this message

deti (deti) wrote on 2008-05-27:

#5

oops.txt Edit (65.6 KiB, text/plain)

The crash still occurs with original ubuntu kernel 2.6.24-17-xen, see log attached. The patch above does not fix the problem, it just reduces the probability

Revision history for this message

mar_rio (mario-minners) wrote on 2008-07-09:

#6

oops.txt Edit (6.6 KiB, text/plain)

The oops still occurs with original ubuntu kernel 2.6.24-19.34-xen

Revision history for this message

Andy Boyett (aboyett) wrote on 2008-07-15:

#7

This is definitely reproducible here too. I'm bootstrapping new domUs and seeing the bug rear it's head in the form shown in Bug #207774. The patch in this thread completely eliminates the bug here. I have not seen the oops in weeks of use since applying the patch, creating quite a few domU's in that time.

FYI: the patch is commit f7009264c519603b8ec67c881bd368a56703cfc9 in Linus's linux-2.6 tree.

Revision history for this message

Jesper Krogh (jesper) wrote on 2008-08-04:

#8

Download full text (5.8 KiB)

We're also seing this kernel bug in relation to NFS .. (not using XEN at all);

Aug 4 14:56:00 ko kernel: [263156.166854] PGD 8063 PUD 9063 PMD 0
Aug 4 14:56:00 ko kernel: [263156.166905] CPU 2
Aug 4 14:56:00 ko kernel: [263156.166926] Modules linked in: nfsd auth_rpcgss exportfs nfs lockd nfs_acl sunrpc autofs4 iptable_filter ip_tables x_
tables parport_pc lp parport loop joydev ipv6 psmouse evdev serio_raw pcspkr jedec_probe cfi_probe gen_probe mtd chipreg map_funcs i2c_nforce2 i2c_c
ore button shpchp pci_hotplug k8temp ext3 jbd mbcache pata_amd pata_acpi sr_mod cdrom usb_storage libusual usbhid hid sg sd_mod mptsas mptscsih mptb
ase scsi_transport_sas qla2xxx scsi_transport_fc e1000 scsi_tgt ata_generic ehci_hcd ohci_hcd libata scsi_mod usbcore thermal processor fan fbcon tileblit font bitblit softcursor fuse
Aug 4 14:56:00 ko kernel: [263156.167218] Pid: 7150, comm: nfsd Not tainted 2.6.24-19-server #1
Aug 4 14:56:00 ko kernel: [263156.167246] RIP: 0010:[iov_iter_advance+0x66/0x80] [iov_iter_advance+0x66/0x80] iov_iter_advance+0x66/0x80
Aug 4 14:56:00 ko kernel: [263156.167292] RSP: 0018:ffff8101fa8478e8 EFLAGS: 00010246
Aug 4 14:56:00 ko kernel: [263156.167317] RAX: 0000000000000000 RBX: 0000000000001000 RCX: 0000000000000000
Aug 4 14:56:00 ko kernel: [263156.167360] RDX: 0000000000000000 RSI: 0000000000001000 RDI: ffff8101fa847980
Aug 4 14:56:00 ko kernel: [263156.167402] RBP: 0000000000001000 R08: 0000000000000000 R09: 0000000000000000
Aug 4 14:56:00 ko kernel: [263156.167444] R10: ffff810004000000 R11: 0000000000000000 R12: 00000005ba1f8000
Aug 4 14:56:00 ko kernel: [263156.167487] R13: 0000000000001000 R14: ffff8101760241d8 R15: 0000000000000000
Aug 4 14:56:00 ko kernel: [263156.167530] FS: 00007f9a5e8106e0(0000) GS:ffff8101fb042380(0000) knlGS:0000000000000000
Aug 4 14:56:00 ko kernel: [263156.167574] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
Aug 4 14:56:00 ko kernel: [263156.167600] CR2: ffff810004000008 CR3: 0000000055597000 CR4: 00000000000006e0
Aug 4 14:56:00 ko kernel: [263156.167643] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Aug 4 14:56:00 ko kernel: [263156.167686] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Aug 4 14:56:00 ko kernel: [263156.167730] Process nfsd (pid: 7150, threadinfo ffff8101fa846000, task ffff8101fb8947e0)
Aug 4 14:56:00 ko kernel: [263156.167774] Stack: ffffffff80286a9e ffff8101e8df4600 ffff81033ec88680 0000000100000000
Aug 4 14:56:00 ko kernel: [263156.167823] ffff8101fa847b90 00000005ba0f9000 ffff8101fa847b10 ffff8101e8df4600
Aug 4 14:56:00 ko kernel: [263156.167871] ffff8101760241d8 ffffffff882559a0 ffff8101760240c8 ffffffff882559a0
Aug 4 14:56:00 ko kernel: [263156.167903] Call Trace:
Aug 4 14:56:00 ko kernel: [263156.167940] [generic_file_buffered_write+0x1de/0x6b0] generic_file_buffered_write+0x1de/0x6b0
Aug 4 14:56:00 ko kernel: [263156.167979] [__generic_file_aio_write_nolock+0x24f/0x400] __generic_file_aio_write_nolock+0x24f/0x400
Aug 4 14:56:00 ko kernel: [263156.168028] [ext3:generic_file_aio_write+0x64/0x450] generic_file_aio_write+0x64/0xd0
Aug 4 14:56:00 ko kernel: [263156.168069] [ext3:ext3_file_write+...

I think bug #249340 may be related to this one.

I've just run the same version of localedef on 2.6.22-14-generic, where it runs fine, and on 2.6.22-15-generic, where it hangs.

Here's the output of "strace localedef" immediately before it hung:

1218150691.384821 creat("/usr/lib/locale/en_NZ.utf8/LC_CTYPE", 0666) = 3
1218150691.403450 writev(3, [{"\x15\x11\x03\x20\x58\x00\x00\x00", 8}, {"\x68\x01\x00\x00\x68\x04\x00\x00\x68\x0a\x00\x00\x68\x0a"..., 352}, {"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 768}, {"\x80\x00\x00\x00\x81\x00\x00\x00\x82\x00\x00\x00\x83\x00"..., 1536}, {NULL, 0}, {"\x80\x00\x00\x00\x81\x00\x00\x00\x82\x00\x00\x00\x83\x00"..., 1536}, {NULL, 0}, {"\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00"..., 1024}, {NULL, 0}, {NULL, 0}, {NULL, 0}, {NULL, 0}, {"\x75\x70\x70\x65\x72\x00", 6}, {"\x6c\x6f\x77\x65\x72\x00", 6}, {"\x61\x6c\x70\x68\x61\x00", 6}, {"\x64\x69\x67\x69\x74\x00", 6}, {"\x78\x64\x69\x67\x69\x74\x00", 7}, {"\x73\x70\x61\x63\x65\x00", 6}, {"\x70\x72\x69\x6e\x74\x00", 6}, {"\x67\x72\x61\x70\x68\x00", 6}, {"\x62\x6c\x61\x6e\x6b\x00", 6}, {"\x63\x6e\x74\x72\x6c\x00", 6}, {"\x70\x75\x6e\x63\x74\x00", 6}, {"\x61\x6c\x6e\x75\x6d\x00", 6}, {"\x63\x6f\x6d\x62\x69\x6e\x69\x6e\x67\x00", 10}, {"\x63\x6f\x6d\x62\x69\x6e\x69\x6e\x67\x5f\x6c\x65\x76\x65"..., 17}, {"\x00\x00\x00\x00", 4}, {"\x74\x6f\x75\x70\x70\x65\x72\x00", 8}, {"\x74\x6f\x6c\x6f\x77\x65\x72\x00", 8}, {"\x74\x6f\x74\x69\x74\x6c\x65\x00", 8}, {"\x00\x00\x00\x00", 4}, {"\x10\x00\x00\x00\x11\x00\x00\x00\x07\x00\x00\x00\xff\x01"..., 25560}, ...], 125

(Note the "{NULL, 0}" elements.)

Here's the relevant part of the diff for mm/file:
--- linux-source-2.6.22-2.6.22.orig/mm/filemap.c
+++ linux-source-2.6.22-2.6.22/mm/filemap.c
@@ -2146,22 +2146,9 @@
                }
 
                status = a_ops->prepare_write(file, page, offset, offset+bytes);
-               if (unlikely(status)) {
-                       loff_t isize = i_size_read(inode);
+               if (unlikely(status))
+                       goto fs_write_aop_error;
 
-                       if (status != AOP_TRUNCATED_PAGE)
-                               unlock_page(page);
-                       page_cache_release(page);
-                       if (status == AOP_TRUNCATED_PAGE)
-                               continue;
-                       /*
-                        * prepare_write() may have instantiated a few blocks
-                        * outside i_size.  Trim these off again.
-                        */
-                       if (pos + bytes > isize)
-                               vmtruncate(inode, isize);
-                       break;
-               }
                if (likely(nr_segs == 1))
                        copied = filemap_copy_from_user(page, offset,
                                                        buf, bytes);
@@ -2170,41 +2157,54 @@
                                                cur_iov, iov_base, bytes);
                flush_dcache_page(page);
                status = a_ops->commit_write(file, page, offset, offset+bytes);
-               if (status == AOP_TRUNCATED_PAGE) {
-                       page_cache_release(page);
-                       continue;
+               if (unlikely(status < 0 || status == AOP_TRUNCATED_PAGE))
+                       goto fs_write_aop_error;
+               if (unlikely(copied != bytes)) {
+                       status = -EFAULT;
+                       goto fs_write_aop_error;
                }
 zero_length_segment:
-               if (likely(copied >= 0)) {
-                       if (!status)
-                               status = copied;
-
-                       if (status >= 0) {
-                               written += status;
-                               count -= status;
-                               pos += status;
-                               buf += status;
-                               if (unlikely(nr_segs > 1)) {
-                                       filemap_set_next_iovec(&cur_iov,
-                                                       &iov_base, status);
-                                       if (count)
-                                               buf = cur_iov->iov_base +
-                                                       iov_base;
-                               } else {
-                                       iov_base += status;
-                               }
+               if (unlikely(status > 0)) /* filesystem did partial write */
+                       copied = status;
+
+               if (likely(copied > 0)) {
+                       written += copied;
+                       count -= copied;
+                       pos += copied;
+                       buf += copied;
+                       if (unlikely(nr_segs > 1)) {
+                               filemap_set_next_iovec(&cur_iov,
+                                               &iov_base, copied);
+                               if (count)
+                                       buf = cur_iov->iov_base + iov_base;
+                       } else {
+                               iov_base += copied;
                        }
                }
-               if (unlikely(copied != bytes))
-                       if (status >= 0)
-                               status = -EFAULT;
                unlock_page(page);
                mark_page_accessed(page);
                page_cache_release(page);
-               if (status < 0)
-                       break;
                balance_dirty_pages_ratelimited(mapping);
                cond_resched();
+               continue;
+
+fs_write_aop_error:
+               if (status != AOP_TRUNCATED_PAGE)
+                       unlock_page(page);
+               page_cache_release(page);
+
+               /*
+                * prepare_write() may have instantiated a few blocks
+                * outside i_size.  Trim these off again. Don't need
+                * i_size_read because we hold i_mutex.
+                */
+               if (pos + bytes > inode->i_size)
+                       vmtruncate(inode, inode->i_size);
+               if (status == AOP_TRUNCATED_PAGE)
+                       continue;
+               else
+                       break;
+
        } while (count);
        *ppos = pos;
 
@@ -2269,7 +2269,7 @@
        if (count == 0)
                goto out;
 
-       err = remove_suid(file->f_path.dentry);
+       err = remove_suid(&file->f_path);
        if (err)
                goto out;

Revision history for this message

Stefan Bader (smb) wrote on 2008-09-03:

#16

I uploaded a Hardy kernel to my PPA at https://launchpad.net/~stefan-bader-canonical/+archive
It is currently building (-21.42smb1) but if it completes, could you please verify whether the problem is fixed for you? Thanks.

Changed in linux:
assignee:	nobody → stefan-bader-canonical
importance:	Undecided → Medium
status:	New → In Progress

Revision history for this message

deti (deti) wrote on 2008-09-04: Re: [Bug 231746] Re: kernel crash in iov_iter_advance (caused by nfs-kernel-server)

#17

Stefan Bader wrote:
> I uploaded a Hardy kernel to my PPA at https://launchpad.net/~stefan-bader-canonical/+archive
> It is currently building (-21.42smb1) but if it completes, could you please verify whether the problem is fixed for you? Thanks.
>
> ** Changed in: linux (Ubuntu Hardy)
> Importance: Undecided => Medium
> Assignee: (unassigned) => Stefan Bader (stefan-bader-canonical)
> Status: New => In Progress
>
Your build did not succeed:
Checking ABI for generic...previous or current ABI file missing!
/build/buildd/linux-2.6.24/debian/abi/2.6.24-21.42smb1/amd64/generic
/build/buildd/linux-2.6.24/debian/abi/2.6.24-21.42/amd64/generic
make: *** [abi-check-generic] Error 1
dpkg-buildpackage: failure: /usr/bin/fakeroot debian/rules binary-arch
gave error exit status 2

Deti

Revision history for this message

Stefan Bader (smb) wrote on 2008-09-04:

#18

Uploaded revised build (amd64 is done already) but waiting for this to finish.

Revision history for this message

deti (deti) wrote on 2008-09-05:

#19

Have a system running 2.6.24-21-xen fine now for 12 hours. Any other
reports?

Revision history for this message

Stefan Bader (smb) wrote on 2008-09-10:

#20

SRU justification:

Impact: iov_iter_advance() skips over zero-length iovecs, however it does not properly terminate at the end of the iovec array. This leads to kernel crashed under this circumstances.

Fix: Check i->count before skipping zero length iov. And also include a fixup to check whther already iteraded over the whole array. One fix comes from the 2.6.24.y stable tree, the other from the 2.6.26.y stable tree.

Testcase: see bug report.

Revision history for this message

Stefan Bader (smb) wrote on 2008-09-12:

#21

commit 8c9a1f5a9c5be826db0ad9af5db6bf373452024e
Fix off-by-one error in iov_iter_advance()
commit 640b5c6dbe62ecf5ce9efd936273deb25afc7b27
iov_iter_advance() fix

Changed in linux:
status:	In Progress → Fix Committed

Revision history for this message

Martin Pitt (pitti) wrote on 2008-10-14:

#22

linux 2.6.24-21 copied to hardy-updates.

Changed in linux:
status:	Fix Committed → Fix Released

Revision history for this message

Ian Taylor (ibtaylor) wrote on 2008-10-20:

#23

2.6.24-21-xen_oops.log Edit (5.3 KiB, text/plain)

Has this really been resolved? I tried 2.6.24-21-xen and it still occurs.

Is there any known workaround?

Should I use an older kernel before 2.6.22-15 where it seems to have been introduced (according to Martin Kealey above)?

Revision history for this message

Stefan Bader (smb) wrote on 2008-10-20:

#24

For Intrepid it is released

Changed in linux:
status:	Fix Committed → Fix Released

Revision history for this message

Stefan Bader (smb) wrote on 2008-10-20:

#25

For Hardy unfortunately not, yet. It will come with the next updates.

Changed in linux:
status:	Fix Released → Fix Committed

Revision history for this message

Martin Pitt (pitti) wrote on 2008-11-27:

#26

Accepted linux into hardy-proposed, please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Revision history for this message

Launchpad Janitor (janitor) wrote on 2009-01-08:

#27

Download full text (12.0 KiB)

This bug was fixed in the package linux - 2.6.24-23.46

---------------
linux (2.6.24-23.46) hardy-proposed; urgency=low

[Alessio Igor Bogani]

* rt: Updated PREEMPT_RT support to rt21
- LP: #302138

[Amit Kucheria]

* SAUCE: Update lpia patches from moblin tree
- LP: #291457

[Andy Whitcroft]

* SAUCE: replace gfs2_bitfit with upstream version to prevent oops
- LP: #276641

[Colin Ian King]

  * isdn: Do not validate ISDN net device address prior to interface-up
    - LP: #237306
  * hwmon: (coretemp) Add Penryn CPU to coretemp
    - LP: #235119
  * USB: add support for Motorola ROKR Z6 cellphone in mass storage mode
    - LP: #263217
  * md: fix an occasional deadlock in raid5
    - LP: #208551

[Stefan Bader]

  * SAUCE: buildenv: Show CVE entries in printchanges
  * SAUCE: buildenv: Send git-ubuntu-log informational message to stderr
  * Xen: dma: avoid unnecessarily SWIOTLB bounce buffering
    - LP: #247148
  * Update openvz patchset to apply to latest stable tree.
    - LP: #301634
  * XEN: Fix FTBS with stable updates
    - LP: #301634

[Steve Conklin]

* Add HID quirk for dual USB gamepad
- LP: #140608

[Tim Gardner]

  * Enable CONFIG_AX25_DAMA_SLAVE=y
    - LP: #257684
  * SAUCE: Correctly blacklist Thinkpad r40e in ACPI
    - LP: #278794
  * SAUCE: ALPS touchpad for Dell Latitude E6500/E6400
    - LP: #270643

[Upstream Kernel Changes]

  * Revert "[Bluetooth] Eliminate checks for impossible conditions in IRQ
    handler"
    - LP: #217659
  * KVM: VMX: Clear CR4.VMXE in hardware_disable
    - LP: #268981
  * iov_iter_advance() fix
    - LP: #231746
  * Fix off-by-one error in iov_iter_advance()
    - LP: #231746
  * USB: serial: ch341: New VID/PID for CH341 USB-serial
    - LP: #272485
  * x86: Fix 32-bit x86 MSI-X allocation leakage
    - LP: #273103
  * b43legacy: Fix failure in rate-adjustment mechanism
    - LP: #273143
  * x86: Reserve FIRST_DEVICE_VECTOR in used_vectors bitmap.
    - LP: #276334
  * openvz: merge missed fixes from vanilla 2.6.24 openvz branch
    - LP: #298059
  * openvz: some autofs related fixes
    - LP: #298059
  * openvz: fix ve stop deadlock after nfs connect
    - LP: #298059
  * openvz: fix netlink and rtnl inside container
    - LP: #298059
  * openvz: fix wrong size of ub0_percpu
    - LP: #298059
  * openvz: fix OOPS while stopping VE started before binfmt_misc.ko loaded
    - LP: #298059
  * x86-64: Fix "bytes left to copy" return value for copy_from_user()
  * NET: Fix race in dev_close(). (Bug 9750)
    - LP: #301608
  * IPV6: Fix IPsec datagram fragmentation
    - LP: #301608
  * IPV6: dst_entry leak in ip4ip6_err.
    - LP: #301608
  * IPV4: Remove IP_TOS setting privilege checks.
    - LP: #301608
  * IPCONFIG: The kernel gets no IP from some DHCP servers
    - LP: #301608
  * IPCOMP: Disable BH on output when using shared tfm
    - LP: #301608
  * IRQ_NOPROBE helper functions
    - LP: #301608
  * MIPS: Mark all but i8259 interrupts as no-probe.
    - LP: #301608
  * ub: fix up the conversion to sg_init_table()
    - LP: #301608
  * x86: adjust enable_NMI_through_LVT0()
    - LP: #301608
  * SCSI ips: handle scsi_add_host() failure, and other err cl...

This bug was fixed in the package linux - 2.6.24-23.46

---------------
linux (2.6.24-23.46) hardy-proposed; urgency=low

[Alessio Igor Bogani]

* rt: Updated PREEMPT_RT support to rt21
    - LP: #302138

[Amit Kucheria]

* SAUCE: Update lpia patches from moblin tree
    - LP: #291457

[Andy Whitcroft]

* SAUCE: replace gfs2_bitfit with upstream version to prevent oops
    - LP: #276641

[Colin Ian King]

* isdn: Do not validate ISDN net device address prior to interface-up
    - LP: #237306
  * hwmon: (coretemp) Add Penryn CPU to coretemp
    - LP: #235119
  * USB: add support for Motorola ROKR Z6 cellphone in mass storage mode
    - LP: #263217
  * md: fix an occasional deadlock in raid5
    - LP: #208551

[Stefan Bader]

* SAUCE: buildenv: Show CVE entries in printchanges
  * SAUCE: buildenv: Send git-ubuntu-log informational message to stderr
  * Xen: dma: avoid unnecessarily SWIOTLB bounce buffering
    - LP: #247148
  * Update openvz patchset to apply to latest stable tree.
    - LP: #301634
  * XEN: Fix FTBS with stable updates
    - LP: #301634

[Steve Conklin]

* Add HID quirk for dual USB gamepad
    - LP: #140608

[Tim Gardner]

* Enable CONFIG_AX25_DAMA_SLAVE=y
    - LP: #257684
  * SAUCE: Correctly blacklist Thinkpad r40e in ACPI
    - LP: #278794
  * SAUCE: ALPS touchpad for Dell Latitude E6500/E6400
    - LP: #270643

[Upstream Kernel Changes]

* Revert "[Bluetooth] Eliminate checks for impossible conditions in IRQ
    handler"
    - LP: #217659
  * KVM: VMX: Clear CR4.VMXE in hardware_disable
    - LP: #268981
  * iov_iter_advance() fix
    - LP: #231746
  * Fix off-by-one error in iov_iter_advance()
    - LP: #231746
  * USB: serial: ch341: New VID/PID for CH341 USB-serial
    - LP: #272485
  * x86: Fix 32-bit x86 MSI-X allocation leakage
    - LP: #273103
  * b43legacy: Fix failure in rate-adjustment mechanism
    - LP: #273143
  * x86: Reserve FIRST_DEVICE_VECTOR in used_vectors bitmap.
    - LP: #276334
  * openvz: merge missed fixes from vanilla 2.6.24 openvz branch
    - LP: #298059
  * openvz: some autofs related fixes
    - LP: #298059
  * openvz: fix ve stop deadlock after nfs connect
    - LP: #298059
  * openvz: fix netlink and rtnl inside container
    - LP: #298059
  * openvz: fix wrong size of ub0_percpu
    - LP: #298059
  * openvz: fix OOPS while stopping VE started before binfmt_misc.ko loaded
    - LP: #298059
  * x86-64: Fix "bytes left to copy" return value for copy_from_user()
  * NET: Fix race in dev_close(). (Bug 9750)
    - LP: #301608
  * IPV6: Fix IPsec datagram fragmentation
    - LP: #301608
  * IPV6: dst_entry leak in ip4ip6_err.
    - LP: #301608
  * IPV4: Remove IP_TOS setting privilege checks.
    - LP: #301608
  * IPCONFIG: The kernel gets no IP from some DHCP servers
    - LP: #301608
  * IPCOMP: Disable BH on output when using shared tfm
    - LP: #301608
  * IRQ_NOPROBE helper functions
    - LP: #301608
  * MIPS: Mark all but i8259 interrupts as no-probe.
    - LP: #301608
  * ub: fix up the conversion to sg_init_table()
    - LP: #301608
  * x86: adjust enable_NMI_through_LVT0()
    - LP: #301608
  * SCSI ips: handle scsi_add_host() failure, and other err cleanups
    - LP: #301608
  * CRYPTO xcbc: Fix crash with IPsec
    - LP: #301608
  * CRYPTO xts: Use proper alignment
    - LP: #301608
  * SCSI ips: fix data buffer accessors conversion bug
    - LP: #301608
  * SCSI aic94xx: fix REQ_TASK_ABORT and REQ_DEVICE_RESET
    - LP: #301608
  * x86: replace LOCK_PREFIX in futex.h
    - LP: #301608
  * ARM pxa: fix clock lookup to find specific device clocks
    - LP: #301608
  * futex: fix init order
    - LP: #301608
  * futex: runtime enable pi and robust functionality
    - LP: #301608
  * file capabilities: simplify signal check
    - LP: #301608
  * hugetlb: ensure we do not reference a surplus page after handing it to
    buddy
    - LP: #301608
  * ufs: fix parenthesisation in ufs_set_fs_state()
    - LP: #301608
  * spi: pxa2xx_spi clock polarity fix
    - LP: #301608
  * NETFILTER: Fix incorrect use of skb_make_writable
    - LP: #301608
  * NETFILTER: fix ebtable targets return
    - LP: #301608
  * SCSI advansys: fix overrun_buf aligned bug
    - LP: #301608
  * pata_hpt*, pata_serverworks: fix UDMA masking
    - LP: #301608
  * moduleparam: fix alpha, ia64 and ppc64 compile failures
    - LP: #301608
  * PCI x86: always use conf1 to access config space below 256 bytes
    - LP: #301608
  * e1000e: Fix CRC stripping in hardware context bug
    - LP: #301608
  * atmel_spi: fix clock polarity
    - LP: #301608
  * x86: move out tick_nohz_stop_sched_tick() call from the loop
    - LP: #301608
  * macb: Fix speed setting
    - LP: #301608
  * ioat: fix 'ack' handling, driver must ensure that 'ack' is zero
    - LP: #301608
  * VT notifier fix for VT switch
    - LP: #301608
  * USB: ftdi_sio: Workaround for broken Matrix Orbital serial port
    - LP: #301608
  * USB: ftdi_sio - really enable EM1010PC
    - LP: #301608
  * SCSI: fix BUG when sum(scatterlist) > bufflen
    - LP: #301608
  * x86: don't use P6_NOPs if compiling with CONFIG_X86_GENERIC
    - LP: #301608
  * Fix default compose table initialization
    - LP: #301608
  * SCSI: gdth: bugfix for the at-exit problems
    - LP: #301608
  * sched: fix race in schedule()
    - LP: #301608
  * nfsd: fix oops on access from high-numbered ports
    - LP: #301608
  * sched_nr_migrate wrong mode bits
    - LP: #301608
  * NETFILTER: xt_time: fix failure to match on Sundays
    - LP: #301608
  * NETFILTER: nfnetlink_queue: fix computation of allocated size for
    netlink skb
    - LP: #301608
  * NETFILTER: nfnetlink_log: fix computation of netlink skb size
    - LP: #301608
  * zisofs: fix readpage() outside i_size
    - LP: #301608
  * jbd2: correctly unescape journal data blocks
    - LP: #301608
  * jbd: correctly unescape journal data blocks
    - LP: #301608
  * aio: bad AIO race in aio_complete() leads to process hang
    - LP: #301608
  * async_tx: avoid the async xor_zero_sum path when src_cnt >
    device->max_xor
    - LP: #301608
  * SCSI advansys: Fix bug in AdvLoadMicrocode
    - LP: #301608
  * BLUETOOTH: Fix bugs in previous conn add/del workqueue changes.
    - LP: #301608
  * relay: fix subbuf_splice_actor() adding too many pages
    - LP: #301608
  * slab: NUMA slab allocator migration bugfix
    - LP: #301608
  * S390 futex: let futex_atomic_cmpxchg_pt survive early functional tests.
    - LP: #301608
  * Linux 2.6.24.4
    - LP: #301608
  * time: prevent the loop in timespec_add_ns() from being optimised away
    - LP: #301632
  * kbuild: soften modpost checks when doing cross builds
    - LP: #301632
  * mtd: memory corruption in block2mtd.c
    - LP: #301632
  * md: remove the 'super' sysfs attribute from devices in an 'md' array
    - LP: #301632
  * V4L: ivtv: Add missing sg_init_table()
    - LP: #301632
  * UIO: add pgprot_noncached() to UIO mmap code
    - LP: #301632
  * USB: new quirk flag to avoid Set-Interface
    - LP: #301632
  * NOHZ: reevaluate idle sleep length after add_timer_on()
    - LP: #301632
  * slab: fix cache_cache bootstrap in kmem_cache_init()
    - LP: #301632
  * xen: fix RMW when unmasking events
    - LP: #301632
  * xen: mask out SEP from CPUID
    - LP: #301632
  * xen: fix UP setup of shared_info
    - LP: #301632
  * PERCPU : __percpu_alloc_mask() can dynamically size percpu_data storage
    - LP: #301632
  * alloc_percpu() fails to allocate percpu data
    - LP: #301632
  * vfs: fix data leak in nobh_write_end()
    - LP: #301632
  * pci: revert SMBus unhide on HP Compaq nx6110
    - LP: #301632
  * vmcoreinfo: add the symbol "phys_base"
    - LP: #301632
  * USB: Allow initialization of broken keyspan serial adapters.
    - LP: #301632
  * USB: serial: fix regression in Visor/Palm OS module for kernels >=
    2.6.24
    - LP: #301632
  * USB: serial: ti_usb_3410_5052: Correct TUSB3410 endpoint requirements.
    - LP: #301632
  * CRYPTO xcbc: Fix crash when ipsec uses xcbc-mac with big data chunk
    - LP: #301632
  * mtd: fix broken state in CFI driver caused by FL_SHUTDOWN
    - LP: #301632
  * ipmi: change device node ordering to reflect probe order
    - LP: #301632
  * AX25 ax25_out: check skb for NULL in ax25_kick()
    - LP: #301632
  * NET: include <linux/types.h> into linux/ethtool.h for __u* typedef
    - LP: #301632
  * SUNGEM: Fix NAPI assertion failure.
    - LP: #301632
  * INET: inet_frag_evictor() must run with BH disabled
    - LP: #301632
  * LLC: Restrict LLC sockets to root
    - LP: #301632
  * netpoll: zap_completion_queue: adjust skb->users counter
    - LP: #301632
  * PPPOL2TP: Make locking calls softirq-safe
    - LP: #301632
  * PPPOL2TP: Fix SMP issues in skb reorder queue handling
    - LP: #301632
  * NET: Add preemption point in qdisc_run
    - LP: #301632
  * sch_htb: fix "too many events" situation
    - LP: #301632
  * SCTP: Fix local_addr deletions during list traversals.
    - LP: #301632
  * NET: Fix multicast device ioctl checks
    - LP: #301632
  * TCP: Fix shrinking windows with window scaling
    - LP: #301632
  * TCP: Let skbs grow over a page on fast peers
    - LP: #301632
  * VLAN: Don't copy ALLMULTI/PROMISC flags from underlying device
    - LP: #301632
  * SPARC64: Fix atomic backoff limit.
    - LP: #301632
  * SPARC64: Fix __get_cpu_var in preemption-enabled area.
    - LP: #301632
  * SPARC64: flush_ptrace_access() needs preemption disable.
    - LP: #301632
  * libata: assume no device is attached if both IDENTIFYs are aborted
    - LP: #301632
  * sis190: read the mac address from the eeprom first
    - LP: #301632
  * bluetooth: hci_core: defer hci_unregister_sysfs()
    - LP: #301632
  * SPARC64: Fix FPU saving in 64-bit signal handling.
    - LP: #301632
  * DVB: tda10086: make the 22kHz tone for DISEQC a config option
    - LP: #301632
  * HFS+: fix unlink of links
    - LP: #301632
  * plip: replace spin_lock_irq with spin_lock_irqsave in irq context
    - LP: #301632
  * signalfd: fix for incorrect SI_QUEUE user data reporting
    - LP: #301632
  * POWERPC: Fix build of modular drivers/macintosh/apm_emu.c
    - LP: #301632
  * PARISC futex: special case cmpxchg NULL in kernel space
    - LP: #301632
  * PARISC pdc_console: fix bizarre panic on boot
    - LP: #301632
  * PARISC fix signal trampoline cache flushing
    - LP: #301632
  * acpi: bus: check once more for an empty list after locking it
    - LP: #301632
  * fbdev: fix /proc/fb oops after module removal
    - LP: #301632
  * macb: Call phy_disconnect on removing
    - LP: #301632
  * file capabilities: remove cap_task_kill()
    - LP: #301632
  * locks: fix possible infinite loop in fcntl(F_SETLKW) over nfs
    - LP: #301632
  * Linux 2.6.24.5
    - LP: #301632
  * splice: use mapping_gfp_mask
    - LP: #301634
  * fix oops on rmmod capidrv
    - LP: #301634
  * USB: gadget: queue usb USB_CDC_GET_ENCAPSULATED_RESPONSE message
    - LP: #301634
  * JFFS2: Fix free space leak with in-band cleanmarkers
    - LP: #301634
  * Increase the max_burst threshold from 3 to tp->reordering.
    - LP: #301634
  * USB: remove broken usb-serial num_endpoints check
    - LP: #301634
  * V4L: Fix VIDIOCGAP corruption in ivtv
    - LP: #301634
  * Linux 2.6.24.6, 2.6.24.7
    - LP: #301634

linux (2.6.24-22.45) hardy-security; urgency=low

[Upstream Kernel Changes]

* Don't allow splice() to files opened with O_APPEND
    - CVE-2008-4554
  * sctp: Fix oops when INIT-ACK indicates that peer doesn't support AUTH
    - CVE-2008-4576
  * sctp: Fix kernel panic while process protocol violation parameter
    - CVE-2008-4618
  * hfsplus: fix Buffer overflow with a corrupted image
    - CVE-2008-4933
  * hfsplus: check read_mapping_page() return value
    - CVE-2008-4934
  * net: Fix recursive descent in __scm_destroy().
    - CVE-2008-5029
  * net: unix: fix inflight counting bug in garbage collector
    - CVE-2008-5029
  * security: avoid calling a NULL function pointer in
    drivers/video/tvaudio.c
    - CVE-2008-5033
  * hfs: fix namelength memory corruption
    - CVE-2008-5025
  * V4L/DVB (9621): Avoid writing outside shadow.bytes[] array

-- Stefan Bader <stefan.bader@canonical.com>   Mon, 24 Nov 2008 09:44:34 +0100

Changed in linux:
status:	Fix Committed → Fix Released

Revision history for this message

Leann Ogasawara (leannogasawara) wrote on 2009-01-08:

#28

deti, since you are the original bug reporter, it would be great to get confirmation from you that this newer kernel does indeed fix the bug you had reported here. Thanks.

Revision history for this message

deti (deti) wrote on 2009-01-08:

#29

Tested it, works for me. Thanks.

Deti

Ubuntu
linux package

kernel crash in iov_iter_advance (caused by nfs-kernel-server)

Bug Description

CVE References

Duplicates of this bug

Other bug subscribers

Patches

Bug attachments

Remote bug watches

Affects		Status	Importance	Assigned to	Milestone
	linux (Ubuntu)	Fix Released	Undecided	Unassigned
	Hardy	Fix Released	Medium	Stefan Bader

Changed in linux:
status:	New → Confirmed
status:	Confirmed → Fix Committed

Ubuntulinux package

kernel crash in iov_iter_advance (caused by nfs-kernel-server)

Bug Description

CVE References

Duplicates of this bug

Other bug subscribers

Patches

Bug attachments

Remote bug watches

Ubuntu
linux package