Ubuntu
linux package

bpf_map_lookup_elem: BUG: unable to handle kernel paging request

Bug #1763454 reported by schu on 2018-04-12

This bug affects 6 people

Affects		Status	Importance	Assigned to	Milestone
	linux (Ubuntu)	Invalid	Medium	Unassigned
	Xenial	Fix Released	High	Seth Forshee

Bug Description

SRU Justification

Impact: Some unfortunate timing between the fix for CVE-2017-17862 being backported and some updates from upstream stable resulted in us not having some hunks from the CVE patch. This is causing oopses (see below).

Fix: Add in the missing hunks from the CVE patch.

Test case: See test results in comment #4.

Regression potential: This just updates the code to match the upstream patch, which has been upstream for months, so regression potential should be low.

---

Hey,

we are currently debugging an issue with Scope [1] where the initialization of the used tcptracer-bpf [2] leads to a kernel oops at the first call of `bpf_map_lookup_elem`. The OS is Ubuntu Xenial with kernel version `Ubuntu 4.4.0-119.143-generic 4.4.114`. `4.4.0-116.140` does not show the problem.

Example:

```
[ 58.763045] BUG: unable to handle kernel paging request at 000000003c0c41a8
[ 58.846450] IP: [<ffffffff8117cd76>] bpf_map_lookup_elem+0x6/0x20
[ 58.909436] PGD 800000003be04067 PUD 3bea1067 PMD 0
[ 58.914876] Oops: 0000 [#1] SMP
[ 58.915581] Modules linked in: ipt_MASQUERADE nf_nat_masquerade_ipv4 nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 xt_addrtype iptable_filter ip_tables xt_conntrack x_tables nf_nat nf_conntrack br_netfilter bridge stp llc overlay vboxsf isofs ppdev crct10dif_pclmul crc32_pclmul ghash_clmulni_intel vboxguest input_leds serio_raw parport_pc parport video ib_iser rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear mptspi aesni_intel scsi_transport_spi mptscsih aes_x86_64 glue_helper lrw gf128mul ablk_helper cryptd mptbase psmouse e1000
[ 59.678145] CPU: 1 PID: 1810 Comm: scope Not tainted 4.4.0-119-generic #143-Ubuntu
[ 59.790501] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[ 59.846405] task: ffff88003ae23800 ti: ffff880022c84000 task.ti: ffff880022c84000
[ 60.000524] RIP: 0010:[<ffffffff8117cd76>] [<ffffffff8117cd76>] bpf_map_lookup_elem+0x6/0x20
[ 60.178029] RSP: 0018:ffff880022c87960 EFLAGS: 00010082
[ 60.257957] RAX: ffffffff8117cd70 RBX: ffffc9000022f090 RCX: 0000000000000000
[ 60.350704] RDX: 0000000000000000 RSI: ffff880022c87ba8 RDI: 000000003c0c4180
[ 60.449182] RBP: ffff880022c87be8 R08: 0000000000000000 R09: 0000000000000800
[ 60.547638] R10: ffff88003ae23800 R11: ffff88003ca12e10 R12: 0000000000000000
[ 60.570757] R13: ffff88003c601200 R14: ffff88003fd10020 R15: ffff880022c87d10
[ 60.678811] FS: 00007f95ba372700(0000) GS:ffff88003fd00000(0000) knlGS:0000000000000000
[ 60.778636] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 60.866380] CR2: 000000003c0c41a8 CR3: 000000003aeae000 CR4: 0000000000060670
[ 60.963736] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 61.069195] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 61.187006] Stack:
[ 61.189256] ffff880022c87be8 ffffffff81177411 0000000000000000 0000000000000001
[ 61.253133] 000000003c0c4180 ffff880022c87ba8 0000000000000000 0000000000000000
[ 61.345334] 0000000000000000 ffff880022c87d10 0000000000000000 0000000000000001
[ 61.459069] Call Trace:
[ 61.505273] [<ffffffff81177411>] ? __bpf_prog_run+0x7a1/0x1360
[ 61.625511] [<ffffffff810b7939>] ? update_curr+0x79/0x170
[ 61.741423] [<ffffffff810b7b0c>] ? update_cfs_shares+0xbc/0x100
[ 61.837892] [<ffffffff8184b04d>] ? __schedule+0x30d/0x7f0
[ 61.941349] [<ffffffff8184b041>] ? __schedule+0x301/0x7f0
[ 62.073874] [<ffffffff8184b04d>] ? __schedule+0x30d/0x7f0
[ 62.185260] [<ffffffff8184b041>] ? __schedule+0x301/0x7f0
[ 62.186239] [<ffffffff8184b04d>] ? __schedule+0x30d/0x7f0
[ 62.305193] [<ffffffff8184b041>] ? __schedule+0x301/0x7f0
[ 62.399854] [<ffffffff8184b04d>] ? __schedule+0x30d/0x7f0
[ 62.406219] [<ffffffff8184b041>] ? __schedule+0x301/0x7f0
[ 62.407994] [<ffffffff8184b04d>] ? __schedule+0x30d/0x7f0
[ 62.410491] [<ffffffff8184b041>] ? __schedule+0x301/0x7f0
[ 62.431220] [<ffffffff8184b04d>] ? __schedule+0x30d/0x7f0
[ 62.497078] [<ffffffff8184b04d>] ? __schedule+0x30d/0x7f0
[ 62.559245] [<ffffffff8184b041>] ? __schedule+0x301/0x7f0
[ 62.661493] [<ffffffff8184b04d>] ? __schedule+0x30d/0x7f0
[ 62.712927] [<ffffffff8184b041>] ? __schedule+0x301/0x7f0
[ 62.799216] [<ffffffff8116c4c7>] trace_call_bpf+0x37/0x50
[ 62.881570] [<ffffffff8116ca57>] kprobe_perf_func+0x37/0x250
[ 62.977365] [<ffffffff810ac186>] ? finish_task_switch+0x76/0x230
[ 62.981405] [<ffffffff810cd7b1>] ? __raw_callee_save___pv_queued_spin_unlock+0x11/0x20
[ 63.092978] [<ffffffff8116e271>] kprobe_dispatcher+0x31/0x50
[ 63.184696] [<ffffffff817921d1>] ? tcp_close+0x1/0x440
[ 63.260350] [<ffffffff81061976>] kprobe_ftrace_handler+0xb6/0x120
[ 63.275694] [<ffffffff817921d5>] ? tcp_close+0x5/0x440
[ 63.278202] [<ffffffff81145108>] ftrace_ops_recurs_func+0x58/0xb0
[ 63.289826] [<ffffffffc00050d5>] 0xffffffffc00050d5
[ 63.291573] [<ffffffff817921d0>] ? tcp_check_oom+0x150/0x150
[ 63.299743] [<ffffffff817921d1>] ? tcp_close+0x1/0x440
[ 63.301658] [<ffffffff817921d5>] tcp_close+0x5/0x440
[ 63.340651] [<ffffffff817bbee2>] inet_release+0x42/0x70
[ 63.440655] [<ffffffff817921d5>] ? tcp_close+0x5/0x440
[ 63.549368] [<ffffffff817bbee2>] ? inet_release+0x42/0x70
[ 63.655199] [<ffffffff817ec580>] inet6_release+0x30/0x40
[ 63.657005] [<ffffffff817235c5>] sock_release+0x25/0x80
[ 63.658693] [<ffffffff81723632>] sock_close+0x12/0x20
[ 63.660735] [<ffffffff812162c7>] __fput+0xe7/0x230
[ 63.662210] [<ffffffff8121644e>] ____fput+0xe/0x10
[ 63.664371] [<ffffffff810a14c6>] task_work_run+0x86/0xb0
[ 63.667217] [<ffffffff81003242>] exit_to_usermode_loop+0xc2/0xd0
[ 63.669889] [<ffffffff81003c7e>] syscall_return_slowpath+0x4e/0x60
[ 63.673627] [<ffffffff8184f8b0>] int_ret_from_sys_call+0x25/0x9f
[ 63.704763] Code: 41 be 01 00 00 00 e8 fa bd ff ff 49 89 c5 eb 94 e8 f0 14 0a 00 4c 89 eb e9 e2 fe ff ff e8 a3 60 f0 ff 0f 1f 00 0f 1f 44 00 00 55 <48> 8b 47 28 48 89 e5 48 8b 40 18 e8 8a 83 6d 00 5d c3 0f 1f 84
[ 63.900088] RIP [<ffffffff8117cd76>] bpf_map_lookup_elem+0x6/0x20
[ 63.903014] RSP <ffff880022c87960>
[ 63.905151] CR2: 000000003c0c41a8
[ 63.906757] ---[ end trace dc24e8c214caa65b ]---
```

git bisect points to commit

68dd63b26223880d1b431b6bf54e45d93d04361a bpf: fix branch pruning logic

We tested with a simple kprobe that counts read syscalls and can reproduce the bug.

```
struct bpf_map_def SEC("maps/count") count = {
        .type = BPF_MAP_TYPE_HASH,
        .key_size = sizeof(__u32),
        .value_size = sizeof(__u64),
        .max_entries = 1,
        .map_flags = 0,
};

SEC("kprobe/SyS_read")
int kprobe(struct pt_regs *ctx)
{
u64 *count_ptr = NULL;
u64 zero = 0, one = 1, current_count = 1;

        count_ptr = bpf_map_lookup_elem(&count, &zero);
        if (count_ptr != NULL) {
                (*count_ptr)++;
                current_count = *count_ptr;
        } else {
                bpf_map_update_elem(&count, &zero, &one, BPF_ANY);
        }
        printt("current count %lu\n", current_count);

return 0;
}
```

You can find our test program here: https://files.schu.io/tmp/oops It should either trigger the oops or exit after 5 seconds and return the number of calls.

```
while true; do echo hello; sleep 1; done & # make sure there are read syscalls done
./oops
```

[1] https://github.com/weaveworks/scope/issues/3131
[2] https://github.com/weaveworks/tcptracer-bpf

See original description

Tags:

CVE References

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2018-04-12: Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1763454

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status:	New → Incomplete
tags:	added: xenial

Joseph Salisbury (jsalisbury) on 2018-04-12

Changed in linux (Ubuntu):
importance:	Undecided → Medium
Changed in linux (Ubuntu Xenial):
status:	New → Incomplete
importance:	Undecided → Medium
status:	Incomplete → Triaged
Changed in linux (Ubuntu):
status:	Incomplete → Triaged

Revision history for this message

Alban Crequy (muadda) wrote on 2018-04-12:

I'm taking a guess at the cause of this kernel panic:

commit c131187db2d3fa2f8bf32fdf4e9a4ef805168467 was backported from upstream kernel into the Ubuntu kernel.

But this part was not backported:

--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -4213,6 +4216,8 @@ static int adjust_insn_aux_data(struct bpf_verifier_env *env, u32 prog_len,
        memcpy(new_data, old_data, sizeof(struct bpf_insn_aux_data) * off);
        memcpy(new_data + off + cnt - 1, old_data + off,
               sizeof(struct bpf_insn_aux_data) * (prog_len - off - cnt + 1));
+ for (i = off; i < off + cnt - 1; i++)
+ new_data[i].seen = true;
        env->insn_aux_data = new_data;
        vfree(old_data);
        return 0;

The likely reason for omission is that the Ubuntu kernel does not have this function in kernel/bpf/verifier.c, so there was no place to apply the patch snippet above. In upstream kernel, adjust_insn_aux_data() is called from fixup_bpf_calls() and that function was not in kernel/bpf/verifier.c yet in Ubuntu kernel.

However, semantically, the patch should have been applied in kernel/bpf/syscall.c, which is the file where fixup_bpf_calls() was located before it got refactored by commit e245c5c6a5656.

As a result, the BPF_CALL instruction is mistakenly considered not seen by the verifier so the BPF instructions for array_map_lookup_elem() are not emitted.

Seth Forshee (sforshee) on 2018-04-12

Changed in linux (Ubuntu Xenial):
assignee:	nobody → Seth Forshee (sforshee)

Revision history for this message

Seth Forshee (sforshee) wrote on 2018-04-12:

Test build is at the link below, please let me know if it fixes the issue. Thanks!

http://people.canonical.com/~sforshee/lp1763454/

Revision history for this message

schu (schuio) wrote on 2018-04-13:

`Ubuntu 4.4.0-119.143+lp1763454v201804121433-generic 4.4.114` does fix the problem for us. Tested with Scope e2b4b3edf63a62836ca27024003cc38aa6b9c0b5

Thanks Seth!

Revision history for this message

schu (schuio) wrote on 2018-04-13:

Seth, can you give an ETA for when the update with the fix will be published?

If it's only a matter of a few days, adding a workaround might not be necessary..
(https://github.com/weaveworks/scope/pull/3141#discussion_r181340479)

Thanks again.

Revision history for this message

Seth Forshee (sforshee) wrote on 2018-04-13: Re: [Bug 1763454] Re: bpf_map_lookup_elem: BUG: unable to handle kernel paging request

On Fri, Apr 13, 2018 at 12:19:26PM -0000, schu wrote:
> Seth, can you give an ETA for when the update with the fix will be
> published?
>
> If it's only a matter of a few days, adding a workaround might not be necessary..
> (https://github.com/weaveworks/scope/pull/3141#discussion_r181340479)

It will certainly be more than a few days. We release kernels on a
3-week cycle to allow time for testing and verifications, only in
extreme cases to we rush fixes out faster than that (and just a few days
is difficult in any case).

It looks like we're currently on week 2 of the current cycle. The patch
will get included in the next cycle, which would release about 4 weeks
from now.

description:

updated

Revision history for this message

Seth Forshee (sforshee) wrote on 2018-04-13:

Note though that it should be in xenial-proposed within two weeks (at which point you'll be prompted to verify the fix there).

Revision history for this message

Alban Crequy (muadda) wrote on 2018-04-13:

> to allow time for testing and verifications

Is the testing process documented somewhere? Ideally we should add a step in the process to test @schuio's reproducer (or an equivalent) to avoid future similar regressions for software using eBPF.

Revision history for this message

Seth Forshee (sforshee) wrote on 2018-04-13:

No it's not well documented, and it's a complicated mishmash of auto package tests (these do have documentation but not useful here) and autotests maintained by the kernel team. We do run some bpf autotests, we could see about adding them there.

http://kernel.ubuntu.com/git/ubuntu/autotest-client-tests.git/

Revision history for this message

s11-cloudstackers (cloudstackers-7) wrote on 2018-04-17:

#10

Seth, I reported the same issue in LP#1763352 (https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1763352).
My patch there does essentially the same as yours, so I will mention in that ticket that it's a duplicate.

But your patch does not remove the wrong "env->insn_aux_data[insn_idx].seen = true" from kernel/bpf/verifier.c line 1844. I think that "seen" shouldn't be set there. The line was probably added there by mistake. It should have been added for the LD IMM64 case in the first place.

Revision history for this message

Seth Forshee (sforshee) wrote on 2018-04-17:

#11

I've duped the other bug to this one.

I do agree that the "seen = true" you identified looks like a mistake, I will fix up the patch to remove that.

You also added some bounds checking. I see your point in adding that, I can't find anything which would guarantee that there is an additional instruction there. However the check_ld_imm() call before that can also assume that there's something after the current instruction, so either there is some guarantee that there's something after the current instruction or else that bounds check needs to be moved. As the upstream source still lacks a bounds check there too, it might be best to pursue this question upstream.

Revision history for this message

Bodo Petermann (bpetermann) wrote on 2018-04-17:

#12

(I used my team account cloudstackers-7 before, now with my own one)

The bounds check may not be necessary, because replace_map_fd_with_map_ptr is called before do_check and the relevant check is already in replace_map_fd_with_map_ptr. But it's not obvious, so at least a comment in do_check may be a good idea.

Revision history for this message

Steffen Neubauer (sneubauer) wrote on 2018-04-19:

#13

For us the importance of this issue would be High instead of Medium (not sure if there is an objective definition somewhere, could not find it). Reason is that we rely on BPF quite heavily in our infrastructure and servers just crash pretty much immediately once we install the current kernel version and reboot.

Revision history for this message

Alban Crequy (muadda) wrote on 2018-04-19:

#14

I was wondering about the 'Importance' definition too. It's also a panic-reboot loop just after booting when using Weave Scope in the Kubernetes cluster because Scope installs the BPF probe during initialization.

Seth Forshee (sforshee) on 2018-04-19

Changed in linux (Ubuntu Xenial):
importance:	Medium → High
Changed in linux (Ubuntu):
status:	Triaged → Invalid

Stefan Bader (smb) on 2018-04-20

Changed in linux (Ubuntu Xenial):
status:	Triaged → Fix Committed

Revision history for this message

Brad Figg (brad-figg) wrote on 2018-04-27:

#15

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'. If the problem still exists, change the tag 'verification-needed-xenial' to 'verification-failed-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: verification-needed-xenial

Revision history for this message

Bodo Petermann (bpetermann) wrote on 2018-04-30:

#16

Tested with kernel 4.4.0-123.147. Issue is fixed there.

tags:

added: verification-done-xenial
removed: verification-needed-xenial

Revision history for this message

schu (schuio) wrote on 2018-05-02:

#17

Ubuntu 4.4.0-123.147-generic 4.4.128 does fix it for us as well.

Revision history for this message

Launchpad Janitor (janitor) wrote on 2018-05-22:

#18

Download full text (59.3 KiB)

This bug was fixed in the package linux - 4.4.0-127.153

---------------
linux (4.4.0-127.153) xenial; urgency=medium

  * CVE-2018-3639 (powerpc)
    - powerpc/pseries: Support firmware disable of RFI flush
    - powerpc/powernv: Support firmware disable of RFI flush
    - powerpc/rfi-flush: Move the logic to avoid a redo into the debugfs code
    - powerpc/rfi-flush: Make it possible to call setup_rfi_flush() again
    - powerpc/rfi-flush: Always enable fallback flush on pseries
    - powerpc/rfi-flush: Differentiate enabled and patched flush types
    - powerpc/rfi-flush: Call setup_rfi_flush() after LPM migration
    - powerpc/pseries: Add new H_GET_CPU_CHARACTERISTICS flags
    - powerpc: Add security feature flags for Spectre/Meltdown
    - powerpc/pseries: Set or clear security feature flags
    - powerpc/powernv: Set or clear security feature flags
    - powerpc/64s: Move cpu_show_meltdown()
    - powerpc/64s: Enhance the information in cpu_show_meltdown()
    - powerpc/powernv: Use the security flags in pnv_setup_rfi_flush()
    - powerpc/pseries: Use the security flags in pseries_setup_rfi_flush()
    - powerpc/64s: Wire up cpu_show_spectre_v1()
    - powerpc/64s: Wire up cpu_show_spectre_v2()
    - powerpc/pseries: Fix clearing of security feature flags
    - powerpc: Move default security feature flags
    - powerpc/pseries: Restore default security feature flags on setup
    - SAUCE: powerpc/64s: Add support for a store forwarding barrier at kernel
      entry/exit

This bug was fixed in the package linux - 4.4.0-127.153

---------------
linux (4.4.0-127.153) xenial; urgency=medium

* CVE-2018-3639 (x86)
    - SAUCE: Clean up IBPB and IBRS control functions and macros
    - SAUCE: Fix up IBPB and IBRS kernel parameters documentation
    - SAUCE: Remove #define X86_FEATURE_PTI
    - x86/cpufeature: Move some of the scattered feature bits to x86_capability
    - x86/cpufeature: Cleanup get_cpu_cap()
    - x86/cpu: Probe CPUID leaf 6 even when cpuid_level == 6
    - x86/cpufeatures: Add CPUID_7_EDX CPUID leaf
    - x86/cpufeatures: Add Intel feature bits for Speculation Control
    - SAUCE: x86/kvm: Expose SPEC_CTRL from the leaf
    - x86/cpufeatures: Add AMD feature bits for Speculation Control
    - x86/msr: Add definitions for new speculation control MSRs
    - SAUCE: x86/msr: Rename MSR spec control feature bits
    - x86/pti: Do not enable PTI on CPUs which are not vulnerable to Meltdown
    - x86/cpufeature: Blacklist SPEC_CTRL/PRED_CMD on early Spectre v2 microcodes
    - x86/speculation: Add basic IBPB (Indirect Branch Prediction Barrier) support
    - x86/speculation: Add <asm/msr-index.h> dependency
    - x86/cpufeatures: Clean up Spectre v2 related CPUID flags
    - x86/cpuid: Fix up "virtual" IBRS/IBPB/STIBP feature bits on Intel
    - SAUCE: x86/speculation: Move vendor specific IBRS/IBPB control code
    - SAUCE: x86: Add alternative_msr_write
    - SAUCE: x86/nospec: Simplify alternative_msr_write()
    - SAUCE: x86/bugs: Concentrate bug detection into a separate function
    - SAUCE: x86/bugs: Concentrate bug reporting into a separate function
    - arch: Introduce post-init read-only memory
    - SAUCE: x86/bugs: Read SPEC_CTRL MSR during boot and re-use reserved bits
    - SAUCE: x86/bugs, KVM: Support the combination of guest and host IBRS
    - SAUCE: x86/bugs: Expose /sys/../spec_store_bypass
    - SAUCE: x86/cpufeatures: Add X86_FEATURE_RDS
    - SAUCE: x86/bugs: Provide boot parameters for the spec_store_bypass_disable
      mitigation
    - SAUCE: x86/bugs/intel: Set proper CPU features and setup RDS
    - SAUCE: x86/bugs: Whitelist allowed SPEC_CTRL MSR values
    - SAUCE: x86/bugs/AMD: Add support to disable RDS on Fam[15,16,17]h if
      requested
    - SAUCE: x86/KVM/VMX: Expose SPEC_CTRL Bit(2) to the guest
    - SAUCE: x86/speculation: Create spec-ctrl.h to avoid include hell
    - SAUCE: prctl: Add speculation control prctls
    - x86/process: Optimize TIF checks in __switch_to_xtra()
    - SAUCE: x86/process: Allow runtime control of Speculative Store Bypass
    - SAUCE: x86/speculation: Add prctl for Speculative Store Bypass mitigation
    - SAUCE: nospec: Allow getting/setting on non-current task
    - SAUCE: proc: Provide details on speculation flaw mitigations
    - SAUCE: seccomp: Enable speculation flaw mitigations
    - SAUCE: x86/bugs: Honour SPEC_CTRL default
    - SAUCE: x86/bugs: Make boot modes __ro_after_init
    - SAUCE: prctl: Add force disable speculation
    - SAUCE: seccomp: Use PR_SPEC_FORCE_DISABLE
    - selftest/seccomp: Fix the flag name SECCOMP_FILTER_FLAG_TSYNC
    - SAUCE: seccomp: Add filter flag to opt-out of SSB mitigation
    - SAUCE: seccomp: Move speculation migitation control to arch code
    - SAUCE: x86/speculation: Make "seccomp" the default mode for Speculative
      Store Bypass
    - SAUCE: x86/bugs: Rename _RDS to _SSBD
    - SAUCE: proc: Use underscores for SSBD in 'status'
    - SAUCE: Documentation/spec_ctrl: Do some minor cleanups
    - SAUCE: x86/bugs: Fix __ssb_select_mitigation() return type
    - SAUCE: x86/bugs: Make cpu_show_common() static
    - x86/entry: define _TIF_ALLWORK_MASK flags explicitly
    - Revert "x86/cpufeature: Blacklist SPEC_CTRL/PRED_CMD on early Spectre v2
      microcodes"
    - SAUCE: kvm/cpuid: Fix CPUID_7_0.EDX handling

linux (4.4.0-125.150) xenial; urgency=medium

* linux: 4.4.0-125.150 -proposed tracker (LP: #1770011)

* Unable to insert test_bpf module on Xenial (LP: #1765698)
    - bpf: fix selftests/bpf test_kmod.sh failure when CONFIG_BPF_JIT_ALWAYS_ON=y
    - test_bpf: Fix testing with CONFIG_BPF_JIT_ALWAYS_ON=y on other arches

* virtio_scsi race can corrupt memory, panic kernel (LP: #1765241)
    - SAUCE: (no-up) virtio-scsi: Fix race in target free

* bpf_map_lookup_elem: BUG: unable to handle kernel paging request
    (LP: #1763454) // CVE-2017-17862
    - SAUCE: Add missing hunks from "bpf: fix branch pruning logic"

* Xenial: rfkill: fix missing return on rfkill_init  (LP: #1764810)
    - rfkill: fix missing return on rfkill_init

* "ip a" command on a guest VM shows UNKNOWN status (LP: #1761534)
    - virtio-net: Fix operstate for virtio when no VIRTIO_NET_F_STATUS

* Xenial update to 4.4.128 stable release (LP: #1765010)
    - cfg80211: make RATE_INFO_BW_20 the default
    - md/raid5: make use of spin_lock_irq over local_irq_disable + spin_lock
    - rtc: snvs: fix an incorrect check of return value
    - x86/asm: Don't use RBP as a temporary register in
      csum_partial_copy_generic()
    - NFSv4.1: RECLAIM_COMPLETE must handle NFS4ERR_CONN_NOT_BOUND_TO_SESSION
    - IB/srpt: Fix abort handling
    - af_key: Fix slab-out-of-bounds in pfkey_compile_policy.
    - mac80211: bail out from prep_connection() if a reconfig is ongoing
    - bna: Avoid reading past end of buffer
    - qlge: Avoid reading past end of buffer
    - ipmi_ssif: unlock on allocation failure
    - net: cdc_ncm: Fix TX zero padding
    - net: ethernet: ti: cpsw: adjust cpsw fifos depth for fullduplex flow control
    - lockd: fix lockd shutdown race
    - drivers/misc/vmw_vmci/vmci_queue_pair.c: fix a couple integer overflow tests
    - pidns: disable pid allocation if pid_ns_prepare_proc() is failed in
      alloc_pid()
    - s390: move _text symbol to address higher than zero
    - net/mlx4_en: Avoid adding steering rules with invalid ring
    - NFSv4.1: Work around a Linux server bug...
    - CIFS: silence lockdep splat in cifs_relock_file()
    - net: qca_spi: Fix alignment issues in rx path
    - netxen_nic: set rcode to the return status from the call to netxen_issue_cmd
    - Input: elan_i2c - check if device is there before really probing
    - Input: elantech - force relative mode on a certain module
    - KVM: PPC: Book3S PR: Check copy_to/from_user return values
    - vmxnet3: ensure that adapter is in proper state during force_close
    - SMB2: Fix share type handling
    - bus: brcmstb_gisb: Use register offsets with writes too
    - bus: brcmstb_gisb: correct support for 64-bit address output
    - PowerCap: Fix an error code in powercap_register_zone()
    - ARM: dts: imx53-qsrb: Pulldown PMIC IRQ pin
    - staging: wlan-ng: prism2mgmt.c: fixed a double endian conversion before
      calling hfa384x_drvr_setconfig16, also fixes relative sparse warning
    - x86/tsc: Provide 'tsc=unstable' boot parameter
    - ARM: dts: imx6qdl-wandboard: Fix audio channel swap
    - ipv6: avoid dad-failures for addresses with NODAD
    - async_tx: Fix DMA_PREP_FENCE usage in do_async_gen_syndrome()
    - usb: dwc3: keystone: check return value
    - btrfs: fix incorrect error return ret being passed to mapping_set_error
    - ata: libahci: properly propagate return value of platform_get_irq()
    - neighbour: update neigh timestamps iff update is effective
    - arp: honour gratuitous ARP _replies_
    - usb: chipidea: properly handle host or gadget initialization failure
    - USB: ene_usb6250: fix first command execution
    - net: x25: fix one potential use-after-free issue
    - USB: ene_usb6250: fix SCSI residue overwriting
    - serial: 8250: omap: Disable DMA for console UART
    - serial: sh-sci: Fix race condition causing garbage during shutdown
    - sh_eth: Use platform device for printing before register_netdev()
    - scsi: csiostor: fix use after free in csio_hw_use_fwconfig()
    - powerpc/mm: Fix virt_addr_valid() etc. on 64-bit hash
    - ath5k: fix memory leak on buf on failed eeprom read
    - selftests/powerpc: Fix TM resched DSCR test with some compilers
    - xfrm: fix state migration copy replay sequence numbers
    - iio: hi8435: avoid garbage event at first enable
    - iio: hi8435: cleanup reset gpio
    - ext4: handle the rest of ext4_mb_load_buddy() ENOMEM errors
    - md-cluster: fix potential lock issue in add_new_disk
    - ARM: davinci: da8xx: Create DSP device only when assigned memory
    - ray_cs: Avoid reading past end of buffer
    - leds: pca955x: Correct I2C Functionality
    - sched/numa: Use down_read_trylock() for the mmap_sem
    - net/mlx5: Tolerate irq_set_affinity_hint() failures
    - selinux: do not check open permission on sockets
    - block: fix an error code in add_partition()
    - mlx5: fix bug reading rss_hash_type from CQE
    - net: ieee802154: fix net_device reference release too early
    - libceph: NULL deref on crush_decode() error path
    - netfilter: ctnetlink: fix incorrect nf_ct_put during hash resize
    - pNFS/flexfiles: missing error code in ff_layout_alloc_lseg()
    - ASoC: rsnd: SSI PIO adjust to 24bit mode
    - scsi: bnx2fc: fix race condition in bnx2fc_get_host_stats()
    - fix race in drivers/char/random.c:get_reg()
    - ext4: fix off-by-one on max nr_pages in ext4_find_unwritten_pgoff()
    - tcp: better validation of received ack sequences
    - net: move somaxconn init from sysctl code
    - Input: elan_i2c - clear INT before resetting controller
    - bonding: Don't update slave->link until ready to commit
    - KVM: nVMX: Fix handling of lmsw instruction
    - net: llc: add lock_sock in llc_ui_bind to avoid a race condition
    - ARM: dts: ls1021a: add "fsl,ls1021a-esdhc" compatible string to esdhc node
    - thermal: power_allocator: fix one race condition issue for thermal_instances
      list
    - perf probe: Add warning message if there is unexpected event name
    - l2tp: fix missing print session offset info
    - rds; Reset rs->rs_bound_addr in rds_add_bound() failure path
    - hwmon: (ina2xx) Make calibration register value fixed
    - media: videobuf2-core: don't go out of the buffer range
    - ASoC: Intel: cht_bsw_rt5645: Analog Mic support
    - scsi: mpt3sas: Proper handling of set/clear of "ATA command pending" flag.
    - vfb: fix video mode and line_length being set when loaded
    - gpio: label descriptors using the device name
    - ASoC: Intel: sst: Fix the return value of 'sst_send_byte_stream_mrfld()'
    - wl1251: check return from call to wl1251_acx_arp_ip_filter
    - hdlcdrv: Fix divide by zero in hdlcdrv_ioctl
    - ovl: filter trusted xattr for non-admin
    - powerpc/[booke|4xx]: Don't clobber TCR[WP] when setting TCR[DIE]
    - dmaengine: imx-sdma: Handle return value of clk_prepare_enable
    - arm64: futex: Fix undefined behaviour with FUTEX_OP_OPARG_SHIFT usage
    - net/mlx5: avoid build warning for uniprocessor
    - cxgb4: FW upgrade fixes
    - rtc: opal: Handle disabled TPO in opal_get_tpo_time()
    - rtc: interface: Validate alarm-time before handling rollover
    - SUNRPC: ensure correct error is reported by xs_tcp_setup_socket()
    - net: freescale: fix potential null pointer dereference
    - KVM: SVM: do not zero out segment attributes if segment is unusable or not
      present
    - clk: scpi: fix return type of __scpi_dvfs_round_rate
    - clk: Fix __set_clk_rates error print-string
    - powerpc/spufs: Fix coredump of SPU contexts
    - perf trace: Add mmap alias for s390
    - qlcnic: Fix a sleep-in-atomic bug in qlcnic_82xx_hw_write_wx_2M and
      qlcnic_82xx_hw_read_wx_2M
    - mISDN: Fix a sleep-in-atomic bug
    - drm/omap: fix tiled buffer stride calculations
    - cxgb4: fix incorrect cim_la output for T6
    - Fix serial console on SNI RM400 machines
    - bio-integrity: Do not allocate integrity context for bio w/o data
    - skbuff: return -EMSGSIZE in skb_to_sgvec to prevent overflow
    - sit: reload iphdr in ipip6_rcv
    - net/mlx4: Fix the check in attaching steering rules
    - net/mlx4: Check if Granular QoS per VF has been enabled before updating QP
      qos_vport
    - perf header: Set proper module name when build-id event found
    - perf report: Ensure the perf DSO mapping matches what libdw sees
    - tags: honor COMPILED_SOURCE with apart output directory
    - e1000e: fix race condition around skb_tstamp_tx()
    - cx25840: fix unchecked return values
    - mceusb: sporadic RX truncation corruption fix
    - net: phy: avoid genphy_aneg_done() for PHYs without clause 22 support
    - ARM: imx: Add MXC_CPU_IMX6ULL and cpu_is_imx6ull
    - e1000e: Undo e1000e_pm_freeze if __e1000_shutdown fails
    - perf/core: Correct event creation with PERF_FORMAT_GROUP
    - MIPS: mm: fixed mappings: correct initialisation
    - MIPS: mm: adjust PKMAP location
    - MIPS: kprobes: flush_insn_slot should flush only if probe initialised
    - Fix loop device flush before configure v3
    - net: emac: fix reset timeout with AR8035 phy
    - skbuff: only inherit relevant tx_flags
    - xen: avoid type warning in xchg_xen_ulong
    - bnx2x: Allow vfs to disable txvlan offload
    - sctp: fix recursive locking warning in sctp_do_peeloff
    - sparc64: ldc abort during vds iso boot
    - iio: magnetometer: st_magn_spi: fix spi_device_id table
    - Bluetooth: Send HCI Set Event Mask Page 2 command only when needed
    - cpuidle: dt: Add missing 'of_node_put()'
    - ACPICA: Events: Add runtime stub support for event APIs
    - ACPICA: Disassembler: Abort on an invalid/unknown AML opcode
    - s390/dasd: fix hanging safe offline
    - vxlan: dont migrate permanent fdb entries during learn
    - bcache: stop writeback thread after detaching
    - bcache: segregate flash only volume write streams
    - scsi: libsas: fix memory leak in sas_smp_get_phy_events()
    - scsi: libsas: fix error when getting phy events
    - scsi: libsas: initialize sas_phy status according to response of DISCOVER
    - blk-mq: fix kernel oops in blk_mq_tag_idle()
    - tty: n_gsm: Allow ADM response in addition to UA for control dlci
    - EDAC, mv64x60: Fix an error handling path
    - cxgb4vf: Fix SGE FL buffer initialization logic for 64K pages
    - perf tools: Fix copyfile_offset update of output offset
    - ipsec: check return value of skb_to_sgvec always
    - rxrpc: check return value of skb_to_sgvec always
    - virtio_net: check return value of skb_to_sgvec always
    - virtio_net: check return value of skb_to_sgvec in one more location
    - random: use lockless method of accessing and updating f->reg_idx
    - futex: Remove requirement for lock_page() in get_futex_key()
    - Kbuild: provide a __UNIQUE_ID for clang
    - arp: fix arp_filter on l3slave devices
    - net: fix possible out-of-bound read in skb_network_protocol()
    - net/ipv6: Fix route leaking between VRFs
    - netlink: make sure nladdr has correct size in netlink_connect()
    - net/sched: fix NULL dereference in the error path of tcf_bpf_init()
    - pptp: remove a buggy dst release in pptp_connect()
    - sctp: do not leak kernel memory to user space
    - sctp: sctp_sockaddr_af must check minimal addr length for AF_INET6
    - vhost: correctly remove wait queue during poll failure
    - vlan: also check phy_driver ts_info for vlan's real device
    - bonding: fix the err path for dev hwaddr sync in bond_enslave
    - bonding: move dev_mc_sync after master_upper_dev_link in bond_enslave
    - bonding: process the err returned by dev_set_allmulti properly in
      bond_enslave
    - net: fool proof dev_valid_name()
    - ip_tunnel: better validate user provided tunnel names
    - ipv6: sit: better validate user provided tunnel names
    - ip6_gre: better validate user provided tunnel names
    - ip6_tunnel: better validate user provided tunnel names
    - vti6: better validate user provided tunnel names
    - r8169: fix setting driver_data after register_netdev
    - net sched actions: fix dumping which requires several messages to user space
    - net/ipv6: Increment OUTxxx counters after netfilter hook
    - ipv6: the entire IPv6 header chain must fit the first fragment
    - vrf: Fix use after free and double free in vrf_finish_output
    - Revert "xhci: plat: Register shutdown for xhci_plat"
    - Linux 4.4.128

* sky2 gigabit ethernet driver sometimes stops working after lid-open resume
    from sleep (88E8055) (LP: #1758507) // Xenial update to 4.4.128 stable
    release (LP: #1765010)
    - sky2: Increase D3 delay to sky2 stops working after suspend

* Xenial update to 4.4.127 stable release (LP: #1765007)
    - mtd: jedec_probe: Fix crash in jedec_read_mfr()
    - ALSA: pcm: Use dma_bytes as size parameter in dma_mmap_coherent()
    - ALSA: pcm: potential uninitialized return values
    - partitions/msdos: Unable to mount UFS 44bsd partitions
    - usb: gadget: define free_ep_req as universal function
    - usb: gadget: change len to size_t on alloc_ep_req()
    - usb: gadget: fix usb_ep_align_maybe endianness and new usb_ep_align
    - usb: gadget: align buffer size when allocating for OUT endpoint
    - usb: gadget: f_hid: fix: Prevent accessing released memory
    - kprobes/x86: Fix to set RWX bits correctly before releasing trampoline
    - ACPI, PCI, irq: remove redundant check for null string pointer
    - writeback: fix the wrong congested state variable definition
    - PCI: Make PCI_ROM_ADDRESS_MASK a 32-bit constant
    - dm ioctl: remove double parentheses
    - Input: mousedev - fix implicit conversion warning
    - netfilter: nf_nat_h323: fix logical-not-parentheses warning
    - genirq: Use cpumask_available() for check of cpumask variable
    - cpumask: Add helper cpumask_available()
    - selinux: Remove unnecessary check of array base in selinux_set_mapping()
    - fs: compat: Remove warning from COMPATIBLE_IOCTL
    - jiffies.h: declare jiffies and jiffies_64 with ____cacheline_aligned_in_smp
    - frv: declare jiffies to be located in the .data section
    - audit: add tty field to LOGIN event
    - tty: provide tty_name() even without CONFIG_TTY
    - netfilter: ctnetlink: Make some parameters integer to avoid enum mismatch
    - selinux: Remove redundant check for unknown labeling behavior
    - arm64: avoid overflow in VA_START and PAGE_OFFSET
    - xfrm_user: uncoditionally validate esn replay attribute struct
    - RDMA/ucma: Check AF family prior resolving address
    - RDMA/ucma: Fix use-after-free access in ucma_close
    - RDMA/ucma: Ensure that CM_ID exists prior to access it
    - RDMA/ucma: Check that device is connected prior to access it
    - RDMA/ucma: Check that device exists prior to accessing it
    - RDMA/ucma: Don't allow join attempts for unsupported AF family
    - RDMA/ucma: Introduce safer rdma_addr_size() variants
    - net: xfrm: use preempt-safe this_cpu_read() in ipcomp_alloc_tfms()
    - xfrm: Refuse to insert 32 bit userspace socket policies on 64 bit systems
    - netfilter: bridge: ebt_among: add more missing match size checks
    - netfilter: x_tables: add and use xt_check_proc_name
    - Bluetooth: Fix missing encryption refresh on Security Request
    - llist: clang: introduce member_address_is_nonnull()
    - scsi: virtio_scsi: always read VPD pages for multiqueue too
    - usb: dwc2: Improve gadget state disconnection handling
    - USB: serial: ftdi_sio: add RT Systems VX-8 cable
    - USB: serial: ftdi_sio: add support for Harman FirmwareHubEmulator
    - USB: serial: cp210x: add ELDAT Easywave RX09 id
    - mei: remove dev_err message on an unsupported ioctl
    - media: usbtv: prevent double free in error case
    - parport_pc: Add support for WCH CH382L PCI-E single parallel port card.
    - crypto: ahash - Fix early termination in hash walk
    - crypto: x86/cast5-avx - fix ECB encryption when long sg follows short one
    - fs/proc: Stop trying to report thread stacks
    - staging: comedi: ni_mio_common: ack ai fifo error interrupts.
    - Input: i8042 - add Lenovo ThinkPad L460 to i8042 reset list
    - Input: i8042 - enable MUX on Sony VAIO VGN-CS series to fix touchpad
    - vt: change SGR 21 to follow the standards
    - Documentation: pinctrl: palmas: Add ti,palmas-powerhold-override property
      definition
    - ARM: dts: dra7: Add power hold and power controller properties to palmas
    - ARM: dts: am57xx-beagle-x15-common: Add overide powerhold property
    - md/raid10: reset the 'first' at the end of loop
    - net: hns: Fix ethtool private flags
    - Revert "PCI/MSI: Stop disabling MSI/MSI-X in pci_device_shutdown()"
    - Revert "ARM: dts: am335x-pepper: Fix the audio CODEC's reset pin"
    - Revert "ARM: dts: omap3-n900: Fix the audio CODEC's reset pin"
    - Revert "cpufreq: Fix governor module removal race"
    - Revert "mtip32xx: use runtime tag to initialize command header"
    - spi: davinci: fix up dma_mapping_error() incorrect patch
    - net: cavium: liquidio: fix up "Avoid dma_unmap_single on uninitialized
      ndata"
    - Revert "ip6_vti: adjust vti mtu according to mtu of lower device"
    - Linux 4.4.127

* Xenial update to 4.4.126 stable release (LP: #1764999)
    - scsi: sg: don't return bogus Sg_requests
    - Revert "genirq: Use irqd_get_trigger_type to compare the trigger type for
      shared IRQs"
    - net: Fix hlist corruptions in inet_evict_bucket()
    - dccp: check sk for closed state in dccp_sendmsg()
    - ipv6: fix access to non-linear packet in ndisc_fill_redirect_hdr_option()
    - l2tp: do not accept arbitrary sockets
    - net: ethernet: arc: Fix a potential memory leak if an optional regulator is
      deferred
    - net: ethernet: ti: cpsw: add check for in-band mode setting with RGMII PHY
      interface
    - net/iucv: Free memory obtained by kzalloc
    - netlink: avoid a double skb free in genlmsg_mcast()
    - net: Only honor ifindex in IP_PKTINFO if non-0
    - skbuff: Fix not waking applications when errors are enqueued
    - team: Fix double free in error path
    - s390/qeth: free netdevice when removing a card
    - s390/qeth: when thread completes, wake up all waiters
    - s390/qeth: lock read device while queueing next buffer
    - s390/qeth: on channel error, reject further cmd requests
    - ieee802154: 6lowpan: fix possible NULL deref in lowpan_device_event()
    - net: fec: Fix unbalanced PM runtime calls
    - net: systemport: Rewrite __bcm_sysport_tx_reclaim()
    - Linux 4.4.126

* Xenial update to 4.4.125 stable release (LP: #1764973)
    - MIPS: ralink: Remove ralink_halt()
    - iio: st_pressure: st_accel: pass correct platform data to init
    - ALSA: usb-audio: Fix parsing descriptor of UAC2 processing unit
    - ALSA: aloop: Sync stale timer before release
    - ALSA: aloop: Fix access to not-yet-ready substream via cable
    - ALSA: hda/realtek - Always immediately update mute LED with pin VREF
    - mmc: dw_mmc: fix falling from idmac to PIO mode when dw_mci_reset occurs
    - PCI: Add function 1 DMA alias quirk for Highpoint RocketRAID 644L
    - ahci: Add PCI-id for the Highpoint Rocketraid 644L card
    - clk: bcm2835: Protect sections updating shared registers
    - Bluetooth: btusb: Fix quirk for Atheros 1525/QCA6174
    - libata: fix length validation of ATAPI-relayed SCSI commands
    - libata: remove WARN() for DMA or PIO command without data
    - libata: Apply NOLPM quirk to Crucial MX100 512GB SSDs
    - libata: Enable queued TRIM for Samsung SSD 860
    - libata: Apply NOLPM quirk to Crucial M500 480 and 960GB SSDs
    - libata: Make Crucial BX100 500GB LPM quirk apply to all firmware versions
    - libata: Modify quirks for MX100 to limit NCQ_TRIM quirk to MU01 version
    - mm/vmalloc: add interfaces to free unmapped page table
    - x86/mm: implement free pmd/pte page interfaces
    - drm/vmwgfx: Fix a destoy-while-held mutex problem.
    - drm/radeon: Don't turn off DP sink when disconnected
    - drm: udl: Properly check framebuffer mmap offsets
    - acpi, numa: fix pxm to online numa node associations
    - brcmfmac: fix P2P_DEVICE ethernet address generation
    - rtlwifi: rtl8723be: Fix loss of signal
    - tracing: probeevent: Fix to support minus offset from symbol
    - mtd: nand: fsl_ifc: Fix nand waitfunc return value
    - staging: ncpfs: memory corruption in ncp_read_kernel()
    - can: cc770: Fix stalls on rt-linux, remove redundant IRQ ack
    - can: cc770: Fix queue stall & dropped RTR reply
    - can: cc770: Fix use after free in cc770_tx_interrupt()
    - tty: vt: fix up tabstops properly
    - x86/build/64: Force the linker to use 2MB page size
    - x86/boot/64: Verify alignment of the LOAD segment
    - perf/x86/intel: Don't accidentally clear high bits in bdw_limit_period()
    - staging: lustre: ptlrpc: kfree used instead of kvfree
    - kbuild: disable clang's default use of -fmerge-all-constants
    - bpf: skip unnecessary capability check
    - bpf, x64: increase number of passes
    - Linux 4.4.125

* System fails to start (boot) on battery due to read-only root file-system
    (LP: #1726930) // Xenial update to 4.4.125 stable release (LP: #1764973)
    - libata: disable LPM for Crucial BX100 SSD 500GB drive

* Xenial update to 4.4.124 stable release (LP: #1764762)
    - tpm: fix potential buffer overruns caused by bit glitches on the bus
    - tpm_tis: fix potential buffer overruns caused by bit glitches on the bus
    - staging: android: ashmem: Fix possible deadlock in ashmem_ioctl
    - platform/x86: asus-nb-wmi: Add wapf4 quirk for the X302UA
    - regulator: anatop: set default voltage selector for pcie
    - x86: i8259: export legacy_pic symbol
    - rtc: cmos: Do not assume irq 8 for rtc when there are no legacy irqs
    - Input: ar1021_i2c - fix too long name in driver's device table
    - time: Change posix clocks ops interfaces to use timespec64
    - ACPI/processor: Fix error handling in __acpi_processor_start()
    - ACPI/processor: Replace racy task affinity logic
    - cpufreq/sh: Replace racy task affinity logic
    - genirq: Use irqd_get_trigger_type to compare the trigger type for shared
      IRQs
    - i2c: i2c-scmi: add a MS HID
    - net: ipv6: send unsolicited NA on admin up
    - media/dvb-core: Race condition when writing to CAM
    - spi: dw: Disable clock after unregistering the host
    - ath: Fix updating radar flags for coutry code India
    - clk: ns2: Correct SDIO bits
    - scsi: virtio_scsi: Always try to read VPD pages
    - KVM: PPC: Book3S PR: Exit KVM on failed mapping
    - ARM: 8668/1: ftrace: Fix dynamic ftrace with DEBUG_RODATA and !FRAME_POINTER
    - iommu/omap: Register driver before setting IOMMU ops
    - md/raid10: wait up frozen array in handle_write_completed
    - NFS: Fix missing pg_cleanup after nfs_pageio_cond_complete()
    - tcp: remove poll() flakes with FastOpen
    - e1000e: fix timing for 82579 Gigabit Ethernet controller
    - ALSA: hda - Fix headset microphone detection for ASUS N551 and N751
    - IB/ipoib: Fix deadlock between ipoib_stop and mcast join flow
    - IB/ipoib: Update broadcast object if PKey value was changed in index 0
    - HSI: ssi_protocol: double free in ssip_pn_xmit()
    - IB/mlx4: Take write semaphore when changing the vma struct
    - IB/mlx4: Change vma from shared to private
    - ASoC: Intel: Skylake: Uninitialized variable in probe_codec()
    - Fix driver usage of 128B WQEs when WQ_CREATE is V1.
    - netfilter: xt_CT: fix refcnt leak on error path
    - openvswitch: Delete conntrack entry clashing with an expectation.
    - mmc: host: omap_hsmmc: checking for NULL instead of IS_ERR()
    - wan: pc300too: abort path on failure
    - qlcnic: fix unchecked return value
    - scsi: mac_esp: Replace bogus memory barrier with spinlock
    - infiniband/uverbs: Fix integer overflows
    - NFS: don't try to cross a mountpount when there isn't one there.
    - Revert "UBUNTU: SAUCE: (no-up) iio: st_pressure: st_accel: Initialise sensor
      platform data properly"
    - iio: st_pressure: st_accel: Initialise sensor platform data properly
    - mt7601u: check return value of alloc_skb
    - rndis_wlan: add return value validation
    - Btrfs: send, fix file hole not being preserved due to inline extent
    - mac80211: don't parse encrypted management frames in ieee80211_frame_acked
    - mfd: palmas: Reset the POWERHOLD mux during power off
    - mtip32xx: use runtime tag to initialize command header
    - staging: unisys: visorhba: fix s-Par to boot with option CONFIG_VMAP_STACK
      set to y
    - staging: wilc1000: fix unchecked return value
    - mmc: sdhci-of-esdhc: limit SD clock for ls1012a/ls1046a
    - ARM: DRA7: clockdomain: Change the CLKTRCTRL of CM_PCIE_CLKSTCTRL to SW_WKUP
    - ipmi/watchdog: fix wdog hang on panic waiting for ipmi response
    - ACPI / PMIC: xpower: Fix power_table addresses
    - drm/nouveau/kms: Increase max retries in scanout position queries.
    - bnx2x: Align RX buffers
    - power: supply: pda_power: move from timer to delayed_work
    - Input: twl4030-pwrbutton - use correct device for irq request
    - md/raid10: skip spare disk as 'first' disk
    - ia64: fix module loading for gcc-5.4
    - tcm_fileio: Prevent information leak for short reads
    - video: fbdev: udlfb: Fix buffer on stack
    - sm501fb: don't return zero on failure path in sm501fb_start()
    - net: hns: fix ethtool_get_strings overflow in hns driver
    - cifs: small underflow in cnvrtDosUnixTm()
    - rtc: ds1374: wdt: Fix issue with timeout scaling from secs to wdt ticks
    - rtc: ds1374: wdt: Fix stop/start ioctl always returning -EINVAL
    - perf tests kmod-path: Don't fail if compressed modules aren't supported
    - Bluetooth: hci_qca: Avoid setup failure on missing rampatch
    - media: c8sectpfe: fix potential NULL pointer dereference in
      c8sectpfe_timer_interrupt
    - drm/msm: fix leak in failed get_pages
    - RDMA/iwpm: Fix uninitialized error code in iwpm_send_mapinfo()
    - rtlwifi: rtl_pci: Fix the bug when inactiveps is enabled.
    - media: bt8xx: Fix err 'bt878_probe()'
    - media: [RESEND] media: dvb-frontends: Add delay to Si2168 restart
    - cros_ec: fix nul-termination for firmware build info
    - platform/chrome: Use proper protocol transfer function
    - mmc: avoid removing non-removable hosts during suspend
    - IB/ipoib: Avoid memory leak if the SA returns a different DGID
    - RDMA/cma: Use correct size when writing netlink stats
    - IB/umem: Fix use of npages/nmap fields
    - vgacon: Set VGA struct resource types
    - drm/omap: DMM: Check for DMM readiness after successful transaction commit
    - pty: cancel pty slave port buf's work in tty_release
    - coresight: Fix disabling of CoreSight TPIU
    - pinctrl: Really force states during suspend/resume
    - iommu/vt-d: clean up pr_irq if request_threaded_irq fails
    - ip6_vti: adjust vti mtu according to mtu of lower device
    - RDMA/ocrdma: Fix permissions for OCRDMA_RESET_STATS
    - nfsd4: permit layoutget of executable-only files
    - clk: si5351: Rename internal plls to avoid name collisions
    - dmaengine: ti-dma-crossbar: Fix event mapping for TPCC_EVT_MUX_60_63
    - RDMA/ucma: Fix access to non-initialized CM_ID object
    - Linux 4.4.124

* Xenial update to 4.4.123 stable release (LP: #1764666)
    - blkcg: fix double free of new_blkg in blkcg_init_queue
    - Input: tsc2007 - check for presence and power down tsc2007 during probe
    - staging: speakup: Replace BUG_ON() with WARN_ON().
    - staging: wilc1000: add check for kmalloc allocation failure.
    - HID: reject input outside logical range only if null state is set
    - drm: qxl: Don't alloc fbdev if emulation is not supported
    - ath10k: fix a warning during channel switch with multiple vaps
    - PCI/MSI: Stop disabling MSI/MSI-X in pci_device_shutdown()
    - selinux: check for address length in selinux_socket_bind()
    - perf sort: Fix segfault with basic block 'cycles' sort dimension
    - i40e: Acquire NVM lock before reads on all devices
    - i40e: fix ethtool to get EEPROM data from X722 interface
    - perf tools: Make perf_event__synthesize_mmap_events() scale
    - drivers: net: xgene: Fix hardware checksum setting
    - drm: Defer disabling the vblank IRQ until the next interrupt (for instant-
      off)
    - ath10k: disallow DFS simulation if DFS channel is not enabled
    - perf probe: Return errno when not hitting any event
    - HID: clamp input to logical range if no null state
    - net/8021q: create device with all possible features in wanted_features
    - ARM: dts: Adjust moxart IRQ controller and flags
    - batman-adv: handle race condition for claims between gateways
    - of: fix of_device_get_modalias returned length when truncating buffers
    - solo6x10: release vb2 buffers in solo_stop_streaming()
    - scsi: ipr: Fix missed EH wakeup
    - media: i2c/soc_camera: fix ov6650 sensor getting wrong clock
    - timers, sched_clock: Update timeout for clock wrap
    - sysrq: Reset the watchdog timers while displaying high-resolution timers
    - Input: qt1070 - add OF device ID table
    - sched: act_csum: don't mangle TCP and UDP GSO packets
    - ASoC: rcar: ssi: don't set SSICR.CKDV = 000 with SSIWSR.CONT
    - spi: omap2-mcspi: poll OMAP2_MCSPI_CHSTAT_RXS for PIO transfer
    - tcp: sysctl: Fix a race to avoid unexpected 0 window from space
    - dmaengine: imx-sdma: add 1ms delay to ensure SDMA channel is stopped
    - driver: (adm1275) set the m,b and R coefficients correctly for power
    - mm: Fix false-positive VM_BUG_ON() in page_cache_{get,add}_speculative()
    - blk-throttle: make sure expire time isn't too big
    - f2fs: relax node version check for victim data in gc
    - bonding: refine bond_fold_stats() wrap detection
    - braille-console: Fix value returned by _braille_console_setup
    - drm/vmwgfx: Fixes to vmwgfx_fb
    - vxlan: vxlan dev should inherit lowerdev's gso_max_size
    - NFC: nfcmrvl: Include unaligned.h instead of access_ok.h
    - NFC: nfcmrvl: double free on error path
    - ARM: dts: r8a7790: Correct parent of SSI[0-9] clocks
    - ARM: dts: r8a7791: Correct parent of SSI[0-9] clocks
    - powerpc: Avoid taking a data miss on every userspace instruction miss
    - net/faraday: Add missing include of of.h
    - ARM: dts: koelsch: Correct clock frequency of X2 DU clock input
    - reiserfs: Make cancel_old_flush() reliable
    - ALSA: firewire-digi00x: handle all MIDI messages on streaming packets
    - fm10k: correctly check if interface is removed
    - apparmor: Make path_max parameter readonly
    - iommu/iova: Fix underflow bug in __alloc_and_insert_iova_range
    - video: ARM CLCD: fix dma allocation size
    - drm/radeon: Fail fb creation from imported dma-bufs.
    - drm/amdgpu: Fail fb creation from imported dma-bufs. (v2)
    - coresight: Fixes coresight DT parse to get correct output port ID.
    - MIPS: BPF: Quit clobbering callee saved registers in JIT code.
    - MIPS: BPF: Fix multiple problems in JIT skb access helpers.
    - MIPS: r2-on-r6-emu: Fix BLEZL and BGTZL identification
    - MIPS: r2-on-r6-emu: Clear BLTZALL and BGEZALL debugfs counters
    - regulator: isl9305: fix array size
    - md/raid6: Fix anomily when recovering a single device in RAID6.
    - usb: dwc2: Make sure we disconnect the gadget state
    - usb: gadget: dummy_hcd: Fix wrong power status bit clear/reset in
      dummy_hub_control()
    - drivers/perf: arm_pmu: handle no platform_device
    - perf inject: Copy events when reordering events in pipe mode
    - perf session: Don't rely on evlist in pipe mode
    - scsi: sg: check for valid direction before starting the request
    - scsi: sg: close race condition in sg_remove_sfp_usercontext()
    - kprobes/x86: Fix kprobe-booster not to boost far call instructions
    - kprobes/x86: Set kprobes pages read-only
    - pwm: tegra: Increase precision in PWM rate calculation
    - wil6210: fix memory access violation in wil_memcpy_from/toio_32
    - drm/edid: set ELD connector type in drm_edid_to_eld()
    - video/hdmi: Allow "empty" HDMI infoframes
    - HID: elo: clear BTN_LEFT mapping
    - ARM: dts: exynos: Correct Trats2 panel reset line
    - sched: Stop switched_to_rt() from sending IPIs to offline CPUs
    - sched: Stop resched_cpu() from sending IPIs to offline CPUs
    - test_firmware: fix setting old custom fw path back on exit
    - net: xfrm: allow clearing socket xfrm policies.
    - mtd: nand: fix interpretation of NAND_CMD_NONE in nand_command[_lp]()
    - ARM: dts: am335x-pepper: Fix the audio CODEC's reset pin
    - ARM: dts: omap3-n900: Fix the audio CODEC's reset pin
    - ath10k: update tdls teardown state to target
    - cpufreq: Fix governor module removal race
    - clk: qcom: msm8916: fix mnd_width for codec_digcodec
    - ath10k: fix invalid STS_CAP_OFFSET_MASK
    - tools/usbip: fixes build with musl libc toolchain
    - spi: sun6i: disable/unprepare clocks on remove
    - scsi: core: scsi_get_device_flags_keyed(): Always return device flags
    - scsi: devinfo: apply to HP XP the same flags as Hitachi VSP
    - scsi: dh: add new rdac devices
    - media: cpia2: Fix a couple off by one bugs
    - veth: set peer GSO values
    - drm/amdkfd: Fix memory leaks in kfd topology
    - agp/intel: Flush all chipset writes after updating the GGTT
    - mac80211_hwsim: enforce PS_MANUAL_POLL to be set after PS_ENABLED
    - mac80211: remove BUG() when interface type is invalid
    - ASoC: nuc900: Fix a loop timeout test
    - ipvlan: add L2 check for packets arriving via virtual devices
    - rcutorture/configinit: Fix build directory error message
    - ima: relax requiring a file signature for new files with zero length
    - selftests/x86/entry_from_vm86: Exit with 1 if we fail
    - selftests/x86: Add tests for User-Mode Instruction Prevention
    - selftests/x86: Add tests for the STR and SLDT instructions
    - selftests/x86/entry_from_vm86: Add test cases for POPF
    - x86/vm86/32: Fix POPF emulation
    - x86/mm: Fix vmalloc_fault to use pXd_large
    - ALSA: pcm: Fix UAF in snd_pcm_oss_get_formats()
    - ALSA: hda - Revert power_save option default value
    - ALSA: seq: Fix possible UAF in snd_seq_check_queue()
    - ALSA: seq: Clear client entry before deleting else at closing
    - drm/amdgpu/dce: Don't turn off DP sink when disconnected
    - fs: Teach path_connected to handle nfs filesystems with multiple roots.
    - lock_parent() needs to recheck if dentry got __dentry_kill'ed under it
    - fs/aio: Add explicit RCU grace period when freeing kioctx
    - fs/aio: Use RCU accessors for kioctx_table->table[]
    - irqchip/gic-v3-its: Ensure nr_ites >= nr_lpis
    - scsi: sg: fix SG_DXFER_FROM_DEV transfers
    - scsi: sg: fix static checker warning in sg_is_valid_dxfer
    - scsi: sg: only check for dxfer_len greater than 256M
    - ARM: dts: LogicPD Torpedo: Fix I2C1 pinmux
    - btrfs: alloc_chunk: fix DUP stripe size handling
    - btrfs: Fix use-after-free when cleaning up fs_devs with a single stale
      device
    - USB: gadget: udc: Add missing platform_device_put() on error in
      bdc_pci_probe()
    - usb: gadget: bdc: 64-bit pointer capability check
    - Linux 4.4.123

* Xenial update to 4.4.123 stable release (LP: #1764666) // CVE-2017-16995
    - Revert "bpf: fix incorrect sign extension in check_alu_op()"
    - bpf: fix incorrect sign extension in check_alu_op()

* Xenial update to 4.4.122 stable release (LP: #1764627)
    - RDMA/ucma: Limit possible option size
    - RDMA/ucma: Check that user doesn't overflow QP state
    - RDMA/mlx5: Fix integer overflow while resizing CQ
    - scsi: qla2xxx: Fix NULL pointer crash due to active timer for ABTS
    - workqueue: Allow retrieval of current task's work struct
    - drm: Allow determining if current task is output poll worker
    - drm/nouveau: Fix deadlock on runtime suspend
    - drm/radeon: Fix deadlock on runtime suspend
    - drm/amdgpu: Fix deadlock on runtime suspend
    - drm/amdgpu: Notify sbios device ready before send request
    - drm/radeon: fix KV harvesting
    - drm/amdgpu: fix KV harvesting
    - MIPS: BMIPS: Do not mask IPIs during suspend
    - MIPS: ath25: Check for kzalloc allocation failure
    - MIPS: OCTEON: irq: Check for null return on kzalloc allocation
    - Input: matrix_keypad - fix race when disabling interrupts
    - loop: Fix lost writes caused by missing flag
    - kbuild: Handle builtin dtb file names containing hyphens
    - bcache: don't attach backing with duplicate UUID
    - x86/MCE: Serialize sysfs changes
    - ALSA: hda/realtek - Fix dock line-out volume on Dell Precision 7520
    - ALSA: seq: More protection for concurrent write and ioctl races
    - ALSA: hda: add dock and led support for HP EliteBook 820 G3
    - ALSA: hda: add dock and led support for HP ProBook 640 G2
    - watchdog: hpwdt: SMBIOS check
    - watchdog: hpwdt: Check source of NMI
    - watchdog: hpwdt: fix unused variable warning
    - netfilter: nfnetlink_queue: fix timestamp attribute
    - Input: tca8418_keypad - remove double read of key event register
    - tc358743: fix register i2c_rd/wr function fix
    - netfilter: add back stackpointer size checks
    - netfilter: x_tables: fix missing timer initialization in xt_LED
    - netfilter: nat: cope with negative port range
    - netfilter: IDLETIMER: be syzkaller friendly
    - netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets
    - netfilter: bridge: ebt_among: add missing match size checks
    - netfilter: ipv6: fix use-after-free Write in nf_nat_ipv6_manip_pkt
    - netfilter: use skb_to_full_sk in ip_route_me_harder
    - ext4: inplace xattr block update fails to deduplicate blocks
    - ubi: Fix race condition between ubi volume creation and udev
    - scsi: qla2xxx: Replace fcport alloc with qla2x00_alloc_fcport
    - NFS: Fix an incorrect type in struct nfs_direct_req
    - Revert "ARM: dts: LogicPD Torpedo: Fix I2C1 pinmux"
    - x86/module: Detect and skip invalid relocations
    - x86: Treat R_X86_64_PLT32 as R_X86_64_PC32
    - serial: sh-sci: prevent lockup on full TTY buffers
    - tty/serial: atmel: add new version check for usart
    - uas: fix comparison for error code
    - staging: comedi: fix comedi_nsamples_left.
    - staging: android: ashmem: Fix lockdep issue during llseek
    - USB: storage: Add JMicron bridge 152d:2567 to unusual_devs.h
    - usb: quirks: add control message delay for 1b1c:1b20
    - USB: usbmon: remove assignment from IS_ERR argument
    - usb: usbmon: Read text within supplied buffer size
    - usb: gadget: f_fs: Fix use-after-free in ffs_fs_kill_sb()
    - serial: 8250_pci: Add Brainboxes UC-260 4 port serial device
    - fixup: sctp: verify size of a new chunk in _sctp_make_chunk()
    - Linux 4.4.122

* Xenial update to 4.4.122 stable release (LP: #1764627) // CVE-2018-1000004.
    - ALSA: seq: Don't allow resizing pool in use

* Xenial update to 4.4.121 stable release (LP: #1764367)
    - tpm: st33zp24: fix potential buffer overruns caused by bit glitches on the
      bus
    - tpm_i2c_infineon: fix potential buffer overruns caused by bit glitches on
      the bus
    - tpm_i2c_nuvoton: fix potential buffer overruns caused by bit glitches on the
      bus
    - ALSA: usb-audio: Add a quirck for B&W PX headphones
    - ALSA: hda: Add a power_save blacklist
    - cpufreq: s3c24xx: Fix broken s3c_cpufreq_init()
    - media: m88ds3103: don't call a non-initalized function
    - ARM: mvebu: Fix broken PL310_ERRATA_753970 selects
    - KVM: mmu: Fix overlap between public and private memslots
    - btrfs: Don't clear SGID when inheriting ACLs
    - ARM: dts: LogicPD Torpedo: Fix I2C1 pinmux
    - x86/apic/vector: Handle legacy irq data correctly
    - leds: do not overflow sysfs buffer in led_trigger_show
    - x86/spectre: Fix an error message
    - bridge: check brport attr show in brport_show
    - fib_semantics: Don't match route with mismatching tclassid
    - hdlc_ppp: carrier detect ok, don't turn off negotiation
    - ipv6 sit: work around bogus gcc-8 -Wrestrict warning
    - net: fix race on decreasing number of TX queues
    - net: ipv4: don't allow setting net.ipv4.route.min_pmtu below 68
    - netlink: ensure to loop over all netns in genlmsg_multicast_allns()
    - ppp: prevent unregistered channels from connecting to PPP units
    - udplite: fix partial checksum initialization
    - sctp: fix dst refcnt leak in sctp_v4_get_dst
    - sctp: fix dst refcnt leak in sctp_v6_get_dst()
    - s390/qeth: fix SETIP command handling
    - s390/qeth: fix IPA command submission race
    - sctp: verify size of a new chunk in _sctp_make_chunk()
    - net: mpls: Pull common label check into helper
    - dm io: fix duplicate bio completion due to missing ref count
    - bpf, x64: implement retpoline for tail call
    - btrfs: preserve i_mode if __btrfs_set_acl() fails
    - Linux 4.4.121

* Xenial update to 4.4.120 stable release (LP: #1764316)
    - hrtimer: Ensure POSIX compliance (relative CLOCK_REALTIME hrtimers)
    - f2fs: fix a bug caused by NULL extent tree
    - mtd: nand: gpmi: Fix failure when a erased page has a bitflip at BBM
    - ipv6: icmp6: Allow icmp messages to be looped back
    - ARM: 8731/1: Fix csum_partial_copy_from_user() stack mismatch
    - sget(): handle failures of register_shrinker()
    - drm/nouveau/pci: do a msi rearm on init
    - spi: atmel: fixed spin_lock usage inside atmel_spi_remove
    - net: arc_emac: fix arc_emac_rx() error paths
    - scsi: storvsc: Fix scsi_cmd error assignments in storvsc_handle_error
    - ARM: dts: ls1021a: fix incorrect clock references
    - lib/mpi: Fix umul_ppmm() for MIPS64r6
    - tg3: Add workaround to restrict 5762 MRRS to 2048
    - tg3: Enable PHY reset in MTU change path for 5720
    - bnx2x: Improve reliability in case of nested PCI errors
    - s390/dasd: fix wrongly assigned configuration data
    - IB/mlx4: Fix mlx4_ib_alloc_mr error flow
    - IB/ipoib: Fix race condition in neigh creation
    - xfs: quota: fix missed destroy of qi_tree_lock
    - xfs: quota: check result of register_shrinker()
    - e1000: fix disabling already-disabled warning
    - drm/ttm: check the return value of kzalloc
    - mac80211: mesh: drop frames appearing to be from us
    - can: flex_can: Correct the checking for frame length in flexcan_start_xmit()
    - bnxt_en: Fix the 'Invalid VF' id check in bnxt_vf_ndo_prep routine.
    - xen-netfront: enable device after manual module load
    - mdio-sun4i: Fix a memory leak
    - SolutionEngine771x: fix Ether platform data
    - xen/gntdev: Fix off-by-one error when unmapping with holes
    - xen/gntdev: Fix partial gntdev_mmap() cleanup
    - sctp: make use of pre-calculated len
    - net: gianfar_ptp: move set_fipers() to spinlock protecting area
    - MIPS: Implement __multi3 for GCC7 MIPS64r6 builds
    - Linux 4.4.120

* Xenial update to 4.4.119 stable release (LP: #1762453)
    - netfilter: drop outermost socket lock in getsockopt()
    - powerpc/64s: Fix RFI flush dependency on HARDLOCKUP_DETECTOR
    - PCI: keystone: Fix interrupt-controller-node lookup
    - ip_tunnel: replace dst_cache with generic implementation
    - ip_tunnel: fix preempt warning in ip tunnel creation/updating
    - scsi: ibmvfc: fix misdefined reserved field in ibmvfc_fcp_rsp_info
    - cfg80211: fix cfg80211_beacon_dup
    - iio: buffer: check if a buffer has been set up when poll is called
    - iio: adis_lib: Initialize trigger before requesting interrupt
    - x86/oprofile: Fix bogus GCC-8 warning in nmi_setup()
    - irqchip/gic-v3: Use wmb() instead of smb_wmb() in gic_raise_softirq()
    - usb: ohci: Proper handling of ed_rm_list to handle race condition between
      usb_kill_urb() and finish_unlinks()
    - arm64: Disable unhandled signal log messages by default
    - Add delay-init quirk for Corsair K70 RGB keyboards
    - usb: dwc3: gadget: Set maxpacket size for ep0 IN
    - usb: ldusb: add PIDs for new CASSY devices supported by this driver
    - usb: gadget: f_fs: Process all descriptors during bind
    - usb: renesas_usbhs: missed the "running" flag in usb_dmac with rx path
    - drm/amdgpu: Avoid leaking PM domain on driver unbind (v2)
    - binder: add missing binder_unlock()
    - Linux 4.4.119

* [regression] Colour banding and artefacts appear system-wide on an Asus
    Zenbook UX303LA with Intel HD 4400 graphics (LP: #1749420) // Xenial update
    to 4.4.119 stable release (LP: #1762453)
    - drm/edid: Add 6 bpc quirk for CPT panel in Asus UX303LA

* Xenial update to 4.4.118 stable release (LP: #1756866)
    - net: add dst_cache support
    - [Config] Add CONFIG_DST_CACHE=y
    - net: replace dst_cache ip6_tunnel implementation with the generic one
    - cfg80211: check dev_set_name() return value
    - mm,vmscan: Make unregister_shrinker() no-op if register_shrinker() failed.
    - xfrm: Fix stack-out-of-bounds read on socket policy lookup.
    - xfrm: check id proto in validate_tmpl()
    - blktrace: fix unlocked registration of tracepoints
    - drm: Require __GFP_NOFAIL for the legacy drm_modeset_lock_all
    - Provide a function to create a NUL-terminated string from unterminated data
    - selinux: ensure the context is NUL terminated in
      security_context_to_sid_core()
    - selinux: skip bounded transition processing if the policy isn't loaded
    - crypto: x86/twofish-3way - Fix %rbp usage
    - KVM: x86: fix escape of guest dr6 to the host
    - netfilter: x_tables: fix int overflow in xt_alloc_table_info()
    - netfilter: x_tables: avoid out-of-bounds reads in
      xt_request_find_{match|target}
    - netfilter: ipt_CLUSTERIP: fix out-of-bounds accesses in clusterip_tg_check()
    - netfilter: on sockopt() acquire sock lock only in the required scope
    - netfilter: xt_RATEEST: acquire xt_rateest_mutex for hash insert
    - net: avoid skb_warn_bad_offload on IS_ERR
    - ASoC: ux500: add MODULE_LICENSE tag
    - video: fbdev/mmp: add MODULE_LICENSE
    - arm64: dts: add #cooling-cells to CPU nodes
    - Make DST_CACHE a silent config option
    - dn_getsockoptdecnet: move nf_{get/set}sockopt outside sock lock
    - staging: android: ashmem: Fix a race condition in pin ioctls
    - binder: check for binder_thread allocation failure in binder_poll()
    - staging: iio: adc: ad7192: fix external frequency setting
    - usbip: keep usbip_device sockfd state in sync with tcp_socket
    - usb: build drivers/usb/common/ when USB_SUPPORT is set
    - ARM: OMAP2+: Fix SRAM virt to phys translation for save_secure_ram_context
    - ARM: AM33xx: PRM: Remove am33xx_pwrdm_read_prev_pwrst function
    - ARM: dts: Fix omap4 hang with GPS connected to USB by using wakeupgen
    - ARM: dts: am4372: Correct the interrupts_properties of McASP
    - perf top: Fix window dimensions change handling
    - perf bench numa: Fixup discontiguous/sparse numa nodes
    - media: s5k6aa: describe some function parameters
    - pinctrl: sunxi: Fix A80 interrupt pin bank
    - RDMA/cma: Make sure that PSN is not over max allowed
    - scripts/kernel-doc: Don't fail with status != 0 if error encountered with
      -none
    - ipvlan: Add the skb->mark as flow4's member to lookup route
    - powerpc/perf: Fix oops when grouping different pmu events
    - s390/dasd: prevent prefix I/O error
    - gianfar: fix a flooded alignment reports because of padding issue.
    - net_sched: red: Avoid devision by zero
    - net_sched: red: Avoid illegal values
    - btrfs: Fix possible off-by-one in btrfs_search_path_in_tree
    - 509: fix printing uninitialized stack memory when OID is empty
    - dmaengine: ioat: Fix error handling path
    - dmaengine: at_hdmac: fix potential NULL pointer dereference in
      atc_prep_dma_interleaved
    - clk: fix a panic error caused by accessing NULL pointer
    - ASoC: rockchip: disable clock on error
    - spi: sun4i: disable clocks in the remove function
    - xfrm: Fix stack-out-of-bounds with misconfigured transport mode policies.
    - drm/armada: fix leak of crtc structure
    - dmaengine: jz4740: disable/unprepare clk if probe fails
    - mm/early_ioremap: Fix boot hang with earlyprintk=efi,keep
    - x86/mm/kmmio: Fix mmiotrace for page unaligned addresses
    - xen: XEN_ACPI_PROCESSOR is Dom0-only
    - hippi: Fix a Fix a possible sleep-in-atomic bug in rr_close
    - virtio_balloon: prevent uninitialized variable use
    - isdn: icn: remove a #warning
    - vmxnet3: prevent building with 64K pages
    - [Config] ppc64el: Drop vmxnet3 module
    - gpio: intel-mid: Fix build warning when !CONFIG_PM
    - platform/x86: intel_mid_thermal: Fix suspend handlers unused warning
    - video: fbdev: via: remove possibly unused variables
    - scsi: advansys: fix build warning for PCI=n
    - x86/ras/inject: Make it depend on X86_LOCAL_APIC=y
    - arm64: define BUG() instruction without CONFIG_BUG
    - x86/fpu/math-emu: Fix possible uninitialized variable use
    - tools build: Add tools tree support for 'make -s'
    - x86/build: Silence the build with "make -s"
    - thermal: fix INTEL_SOC_DTS_IOSF_CORE dependencies
    - x86: add MULTIUSER dependency for KVM
    - x86/platform: Add PCI dependency for PUNIT_ATOM_DEBUG
    - scsi: advansys: fix uninitialized data access
    - arm64: Kconfig: select COMPAT_BINFMT_ELF only when BINFMT_ELF is set
    - ALSA: hda/ca0132 - fix possible NULL pointer use
    - reiserfs: avoid a -Wmaybe-uninitialized warning
    - ssb: mark ssb_bus_register as __maybe_unused
    - thermal: spear: use __maybe_unused for PM functions
    - x86/boot: Avoid warning for zero-filling .bss
    - scsi: sim710: fix build warning
    - drivers/net: fix eisa_driver probe section mismatch
    - dpt_i2o: fix build warning
    - profile: hide unused functions when !CONFIG_PROC_FS
    - md: avoid warning for 32-bit sector_t
    - mtd: ichxrom: maybe-uninitialized with gcc-4.9
    - mtd: maps: add __init attribute
    - mptfusion: hide unused seq_mpt_print_ioc_summary function
    - scsi: fdomain: drop fdomain_pci_tbl when built-in
    - video: fbdev: sis: remove unused variable
    - staging: ste_rmi4: avoid unused function warnings
    - fbdev: sis: enforce selection of at least one backend
    - video: Use bool instead int pointer for get_opt_bool() argument
    - scsi: mvumi: use __maybe_unused to hide pm functions
    - SCSI: initio: remove duplicate module device table
    - pwc: hide unused label
    - usb: musb/ux500: remove duplicate check for dma_is_compatible
    - tty: hvc_xen: hide xen_console_remove when unused
    - target/user: Fix cast from pointer to phys_addr_t
    - driver-core: use 'dev' argument in dev_dbg_ratelimited stub
    - fbdev: auo_k190x: avoid unused function warnings
    - amd-xgbe: Fix unused suspend handlers build warning
    - mtd: sh_flctl: pass FIFO as physical address
    - mtd: cfi: enforce valid geometry configuration
    - fbdev: s6e8ax0: avoid unused function warnings
    - modsign: hide openssl output in silent builds
    - fbdev: sm712fb: avoid unused function warnings
    - hwrng: exynos - use __maybe_unused to hide pm functions
    - USB: cdc_subset: only build when one driver is enabled
    - [Config] Add CONFIG_USB_NET_CDC_SUBSET_ENABLE=m
    - rtlwifi: fix gcc-6 indentation warning
    - staging: wilc1000: fix kbuild test robot error
    - x86/platform/olpc: Fix resume handler build warning
    - netfilter: ipvs: avoid unused variable warnings
    - ipv4: ipconfig: avoid unused ic_proto_used symbol
    - tc1100-wmi: fix build warning when CONFIG_PM not enabled
    - tlan: avoid unused label with PCI=n
    - drm/vmwgfx: use *_32_bits() macros
    - tty: cyclades: cyz_interrupt is only used for PCI
    - genirq/msi: Add stubs for get_cached_msi_msg/pci_write_msi_msg
    - ASoC: mediatek: add i2c dependency
    - iio: adc: axp288: remove redundant duplicate const on axp288_adc_channels
    - infiniband: cxgb4: use %pR format string for printing resources
    - b2c2: flexcop: avoid unused function warnings
    - i2c: remove __init from i2c_register_board_info()
    - staging: unisys: visorinput depends on INPUT
    - tc358743: fix register i2c_rd/wr functions
    - drm/nouveau: hide gcc-4.9 -Wmaybe-uninitialized
    - Input: tca8418_keypad - hide gcc-4.9 -Wmaybe-uninitialized warning
    - KVM: add X86_LOCAL_APIC dependency
    - go7007: add MEDIA_CAMERA_SUPPORT dependency
    - em28xx: only use mt9v011 if camera support is enabled
    - ISDN: eicon: reduce stack size of sig_ind function
    - ASoC: rockchip: use __maybe_unused to hide st_irq_syscfg_resume
    - serial: 8250_mid: fix broken DMA dependency
    - drm/gma500: Sanity-check pipe index
    - hdpvr: hide unused variable
    - v4l: remove MEDIA_TUNER dependency for VIDEO_TUNER
    - cw1200: fix bogus maybe-uninitialized warning
    - wireless: cw1200: use __maybe_unused to hide pm functions_
    - perf/x86: Shut up false-positive -Wmaybe-uninitialized warning
    - dmaengine: zx: fix build warning
    - net: hp100: remove unnecessary #ifdefs
    - gpio: xgene: mark PM functions as __maybe_unused
    - ncpfs: fix unused variable warning
    - Revert "power: bq27xxx_battery: Remove unneeded dependency in Kconfig"
    - power: bq27xxx_battery: mark some symbols __maybe_unused
    - isdn: sc: work around type mismatch warning
    - binfmt_elf: compat: avoid unused function warning
    - idle: i7300: add PCI dependency
    - usb: phy: msm add regulator dependency
    - ncr5380: shut up gcc indentation warning
    - ARM: tegra: select USB_ULPI from EHCI rather than platform
    - ASoC: Intel: Kconfig: fix build when ACPI is not enabled
    - netlink: fix nla_put_{u8,u16,u32} for KASAN
    - dell-wmi, dell-laptop: depends DMI
    - genksyms: Fix segfault with invalid declarations
    - x86/microcode/AMD: Change load_microcode_amd()'s param to bool to fix
      preemptibility bug
    - drm/gma500: remove helper function
    - kasan: rework Kconfig settings
    - KVM: async_pf: Fix #DF due to inject "Page not Present" and "Page Ready"
      exceptions simultaneously
    - x86/retpoline: Remove the esp/rsp thunk
    - module/retpoline: Warn about missing retpoline in module
    - x86/nospec: Fix header guards names
    - x86/bugs: Drop one "mitigation" from dmesg
    - x86/cpu/bugs: Make retpoline module warning conditional
    - x86/spectre: Check CONFIG_RETPOLINE in command line parser
    - x86/spectre: Fix spelling mistake: "vunerable"-> "vulnerable"
    - x86/paravirt: Remove 'noreplace-paravirt' cmdline option
    - x86/retpoline: Avoid retpolines for built-in __init functions
    - x86/spectre: Simplify spectre_v2 command line parsing
    - x86/speculation: Fix typo IBRS_ATT, which should be IBRS_ALL
    - KVM: nVMX: kmap() can't fail
    - KVM: nVMX: vmx_complete_nested_posted_interrupt() can't fail
    - kvm: nVMX: Fix kernel panics induced by illegal INVEPT/INVVPID types
    - KVM: VMX: clean up declaration of VPID/EPT invalidation types
    - KVM: nVMX: invvpid handling improvements
    - crypto: s5p-sss - Fix kernel Oops in AES-ECB mode
    - net: dst_cache_per_cpu_dst_set() can be static
    - ARM: omap2: hide omap3_save_secure_ram on non-OMAP3 builds
    - Linux 4.4.118

* ibrs/ibpb fixes result in excessive kernel logging  (LP: #1755627)
    - SAUCE: remove ibrs_dump sysctl interface

-- Stefan Bader <stefan.bader@canonical.com>  Sat, 19 May 2018 11:58:02 +0200

Changed in linux (Ubuntu Xenial):
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

Duplicates of this bug

Bug #1763352

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntulinux package

bpf_map_lookup_elem: BUG: unable to handle kernel paging request

Bug Description

CVE References

Duplicates of this bug

Other bug subscribers

Remote bug watches

Ubuntu
linux package