kernel crash : net_sched race condition in tcindex_destroy()

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1825942

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

I should have added that there were a couple of other commits related to this issue (memory leaks in cls_tcindex) that were also merged in.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1825942

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Log files should not be required, as this issue is already confirmed and also fixed in the Linux kernel.

I could have been more explicit. The thread linked to in the initial bug description also contains a simplified script by Ben Hutchings <email address hidden> that triggers the kernel crash (included below for the reference):
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921542#10

The script triggers the kernel crash in the latest available Ubuntu kernel, that is 4.15.0.48, which affects bionic and xenial linux-hwe.

--- BEGIN ---
#!/bin/sh -ex

modprobe ifb

while true; do
    tc qdisc add dev ifb0 root handle 2:0 prio bands 5
    tc qdisc add dev ifb0 parent 2:5 sfq
    tc filter add dev ifb0 parent 2:0 protocol ip prio 5 handle 0 tcindex mask 0 classid 2:5 pass_on
    tc qdisc del dev ifb0 root || true
done
--- END ---

This crash is currently critical when using traffic control (tc) in one of the Ubuntu LTS releases, bionic and xenial linux-hwe.

I referred to a simple script in the debian bug tracking system that triggers the kernel crash. In my case a normal shutdown/reboot triggers the crash, when the kernel tries to perform cleanup for tc. This leaves the system hanging in a crashed state.

In the debian bug reporting system this bug had severity critical and it was fixed March 12th 2019.

Is there anything that can be done in order to get this fixed for Ubuntu LTS (bionic and xenial linux-hwe) during the SRU cycle 13-May through 02-June ?

Thanks a lot. That's great.

Fix against bionic submitted to the kernel ML: https://lists.ubuntu.com/archives/kernel-team/2019-May/100741.html

I did expect a change in status to "Fix Committed", indicating that the fix had been applied?

As I understood it, the fix was unfortunately some days to late for the he previous Kernel SRU cycle. I then expected the fix to be applied for the current SRU cycle, that is, 03-Jun through 30-Jun. I still assume that is the case?

Hi Viktor,

These patches were not applied for the SRU cycle "03-Jun through 30-Jun", they are committed now for the cycle starting next week ("01-Jul through 21-Jul"). Please check https://kernel.ubuntu.com/ for the current schedules.

Thank you.

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

I have now tested the updated Linux kernel from bionic proposed. The
new kernel seems to solve the problem and the fix appears OK for :

linux-image-generic 4.15.0.55.57 amd64 Generic Linux kernel image
Linux 4.15.0-55-generic #60-Ubuntu SMP Tue Jul 2 18:22:20 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Hence, I change the tag to verification-done-bionic

This bug was fixed in the package linux - 4.15.0-55.60

---------------
linux (4.15.0-55.60) bionic; urgency=medium

  * linux: 4.15.0-55.60 -proposed tracker (LP: #1834954)

  * Request backport of ceph commits into bionic (LP: #1834235)
    - ceph: use atomic_t for ceph_inode_info::i_shared_gen
    - ceph: define argument structure for handle_cap_grant
    - ceph: flush pending works before shutdown super
    - ceph: send cap releases more aggressively
    - ceph: single workqueue for inode related works
    - ceph: avoid dereferencing invalid pointer during cached readdir
    - ceph: quota: add initial infrastructure to support cephfs quotas
    - ceph: quota: support for ceph.quota.max_files
    - ceph: quota: don't allow cross-quota renames
    - ceph: fix root quota realm check
    - ceph: quota: support for ceph.quota.max_bytes
    - ceph: quota: update MDS when max_bytes is approaching
    - ceph: quota: add counter for snaprealms with quota
    - ceph: avoid iput_final() while holding mutex or in dispatch thread

  * QCA9377 isn't being recognized sometimes (LP: #1757218)
    - SAUCE: USB: Disable USB2 LPM at shutdown

  * hns: fix ICMP6 neighbor solicitation messages discard problem (LP: #1833140)
    - net: hns: fix ICMP6 neighbor solicitation messages discard problem
    - net: hns: fix unsigned comparison to less than zero

  * Fix occasional boot time crash in hns driver (LP: #1833138)
    - net: hns: Fix probabilistic memory overwrite when HNS driver initialized

  * use-after-free in hns_nic_net_xmit_hw (LP: #1833136)
    - net: hns: fix KASAN: use-after-free in hns_nic_net_xmit_hw()

  * hns: attempt to restart autoneg when disabled should report error
    (LP: #1833147)
    - net: hns: Restart autoneg need return failed when autoneg off

  * systemd 237-3ubuntu10.14 ADT test failure on Bionic ppc64el (test-seccomp)
    (LP: #1821625)
    - powerpc: sys_pkey_alloc() and sys_pkey_free() system calls
    - powerpc: sys_pkey_mprotect() system call

  * [UBUNTU] pkey: Indicate old mkvp only if old and curr. mkvp are different
    (LP: #1832625)
    - pkey: Indicate old mkvp only if old and current mkvp are different

  * [UBUNTU] kernel: Fix gcm-aes-s390 wrong scatter-gather list processing
    (LP: #1832623)
    - s390/crypto: fix gcm-aes-s390 selftest failures

  * System crashes on hot adding a core with drmgr command (4.15.0-48-generic)
    (LP: #1833716)
    - powerpc/numa: improve control of topology updates
    - powerpc/numa: document topology_updates_enabled, disable by default

  * Kernel modules generated incorrectly when system is localized to a non-
    English language (LP: #1828084)
    - scripts: override locale from environment when running recordmcount.pl

  * [UBUNTU] kernel: Fix wrong dispatching for control domain CPRBs
    (LP: #1832624)
    - s390/zcrypt: Fix wrong dispatching for control domain CPRBs

  * CVE-2019-11815
    - net: rds: force to destroy connection if t_sock is NULL in
      rds_tcp_kill_sock().

  * Sound device not detected after resume from hibernate (LP: #1826868)
    - drm/i915: Force 2*96 MHz cdclk on glk/cnl when audio power is enabled
    - drm/i915: Save the old CDCLK atomic state
...

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'. If the problem still exists, change the tag 'verification-needed-xenial' to 'verification-failed-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!