Bug #1852141 “CVE-2019-0155: incomplete fix for 64-bit x86 kerne...” : Bugs : linux package : Ubuntu

Tyler Hicks (tyhicks) on 2019-11-12

Changed in linux (Ubuntu Xenial):
status:	New → In Progress
Changed in linux (Ubuntu Bionic):
status:	New → In Progress
Changed in linux (Ubuntu Disco):
status:	New → In Progress
Changed in linux (Ubuntu Eoan):
status:	New → In Progress
Changed in linux (Ubuntu Xenial):
importance:	Undecided → Critical
Changed in linux (Ubuntu Bionic):
importance:	Undecided → Critical
Changed in linux (Ubuntu Disco):
importance:	Undecided → Critical
Changed in linux (Ubuntu Eoan):
importance:	Undecided → Critical
assignee:	nobody → Tyler Hicks (tyhicks)
Changed in linux (Ubuntu Disco):
assignee:	nobody → Tyler Hicks (tyhicks)
Changed in linux (Ubuntu Bionic):
assignee:	nobody → Tyler Hicks (tyhicks)
Changed in linux (Ubuntu Xenial):
assignee:	nobody → Tyler Hicks (tyhicks)

Tyler Hicks (tyhicks) on 2019-11-12

summary:	- incomplete fix + CVE-2019-0155: incomplete fix for 64-bit x86 kernels
description:	updated

Stefan Bader (smb) on 2019-11-12

Changed in linux (Ubuntu Eoan):
status:	In Progress → Fix Committed
Changed in linux (Ubuntu Disco):
status:	In Progress → Fix Committed
Changed in linux (Ubuntu Bionic):
status:	In Progress → Fix Committed

Stefan Bader (smb) on 2019-11-12

Changed in linux (Ubuntu Xenial):
status:	In Progress → Fix Committed

Tyler Hicks (tyhicks) on 2019-11-12

description:	updated
description:	updated
information type:	Private Security → Public Security

Revision history for this message

Launchpad Janitor (janitor) wrote on 2019-11-13:

#1

This bug was fixed in the package linux - 5.3.0-23.25

---------------
linux (5.3.0-23.25) eoan; urgency=medium

* Incomplete i915 fix for 64-bit x86 kernels (LP: #1852141) // CVE-2019-0155
- SAUCE: drm/i915/cmdparser: Fix jump whitelist clearing

-- Stefan Bader <email address hidden> Tue, 12 Nov 2019 09:46:03 +0100

Changed in linux (Ubuntu Eoan):
status:	Fix Committed → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2019-11-13:

#2

This bug was fixed in the package linux - 5.0.0-36.39

---------------
linux (5.0.0-36.39) disco; urgency=medium

  * Ubuntu-5.0.0-33.35 introduces KVM regression with old Intel CPUs and Linux
    guests (LP: #1851709)
    - Revert "KVM: x86: Manually calculate reserved bits when loading PDPTRS"

* Incomplete i915 fix for 64-bit x86 kernels (LP: #1852141) // CVE-2019-0155
- SAUCE: drm/i915/cmdparser: Fix jump whitelist clearing

-- Stefan Bader <email address hidden> Tue, 12 Nov 2019 10:33:14 +0100

Changed in linux (Ubuntu Disco):
status:	Fix Committed → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2019-11-13:

#3

This bug was fixed in the package linux - 4.15.0-70.79

---------------
linux (4.15.0-70.79) bionic; urgency=medium

  * Ubuntu-5.0.0-33.35 introduces KVM regression with old Intel CPUs and Linux
    guests (LP: #1851709)
    - Revert "KVM: x86: Manually calculate reserved bits when loading PDPTRS"

* Incomplete i915 fix for 64-bit x86 kernels (LP: #1852141) // CVE-2019-0155
- SAUCE: drm/i915/cmdparser: Fix jump whitelist clearing

-- Stefan Bader <email address hidden> Tue, 12 Nov 2019 10:54:50 +0100

Changed in linux (Ubuntu Bionic):
status:	Fix Committed → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2019-11-13:

#4

This bug was fixed in the package linux - 4.4.0-169.198

---------------
linux (4.4.0-169.198) xenial; urgency=medium

* Incomplete i915 fix for 64-bit x86 kernels (LP: #1852141) // CVE-2019-0155
- SAUCE: drm/i915/cmdparser: Fix jump whitelist clearing

-- Stefan Bader <email address hidden> Tue, 12 Nov 2019 11:19:22 +0100

Changed in linux (Ubuntu Xenial):
status:	Fix Committed → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2019-12-06:

#5

Download full text (33.2 KiB)

This bug was fixed in the package linux - 5.3.0-24.26

---------------
linux (5.3.0-24.26) eoan; urgency=medium

* eoan/linux: 5.3.0-24.26 -proposed tracker (LP: #1852232)

  * Eoan update: 5.3.9 upstream stable release (LP: #1851550)
    - io_uring: fix up O_NONBLOCK handling for sockets
    - dm snapshot: introduce account_start_copy() and account_end_copy()
    - dm snapshot: rework COW throttling to fix deadlock
    - Btrfs: fix inode cache block reserve leak on failure to allocate data space
    - btrfs: qgroup: Always free PREALLOC META reserve in
      btrfs_delalloc_release_extents()
    - iio: adc: meson_saradc: Fix memory allocation order
    - iio: fix center temperature of bmc150-accel-core
    - libsubcmd: Make _FORTIFY_SOURCE defines dependent on the feature
    - perf tests: Avoid raising SEGV using an obvious NULL dereference
    - perf map: Fix overlapped map handling
    - perf script brstackinsn: Fix recovery from LBR/binary mismatch
    - perf jevents: Fix period for Intel fixed counters
    - perf tools: Propagate get_cpuid() error
    - perf annotate: Propagate perf_env__arch() error
    - perf annotate: Fix the signedness of failure returns
    - perf annotate: Propagate the symbol__annotate() error return
    - perf annotate: Fix arch specific ->init() failure errors
    - perf annotate: Return appropriate error code for allocation failures
    - perf annotate: Don't return -1 for error when doing BPF disassembly
    - staging: rtl8188eu: fix null dereference when kzalloc fails
    - RDMA/siw: Fix serialization issue in write_space()
    - RDMA/hfi1: Prevent memory leak in sdma_init
    - RDMA/iw_cxgb4: fix SRQ access from dump_qp()
    - RDMA/iwcm: Fix a lock inversion issue
    - HID: hyperv: Use in-place iterator API in the channel callback
    - kselftest: exclude failed TARGETS from runlist
    - selftests/kselftest/runner.sh: Add 45 second timeout per test
    - nfs: Fix nfsi->nrequests count error on nfs_inode_remove_request
    - arm64: cpufeature: Effectively expose FRINT capability to userspace
    - arm64: Fix incorrect irqflag restore for priority masking for compat
    - arm64: ftrace: Ensure synchronisation in PLT setup for Neoverse-N1 #1542419
    - tty: serial: owl: Fix the link time qualifier of 'owl_uart_exit()'
    - tty: serial: rda: Fix the link time qualifier of 'rda_uart_exit()'
    - serial/sifive: select SERIAL_EARLYCON
    - tty: n_hdlc: fix build on SPARC
    - misc: fastrpc: prevent memory leak in fastrpc_dma_buf_attach
    - RDMA/core: Fix an error handling path in 'res_get_common_doit()'
    - RDMA/cm: Fix memory leak in cm_add/remove_one
    - RDMA/nldev: Reshuffle the code to avoid need to rebind QP in error path
    - RDMA/mlx5: Do not allow rereg of a ODP MR
    - RDMA/mlx5: Order num_pending_prefetch properly with synchronize_srcu
    - RDMA/mlx5: Add missing synchronize_srcu() for MW cases
    - gpio: max77620: Use correct unit for debounce times
    - fs: cifs: mute -Wunused-const-variable message
    - arm64: vdso32: Fix broken compat vDSO build warnings
    - arm64: vdso32: Detect binutils support for dmb ishld
    - serial: mctrl_gpio: Check for NULL pointer
    - serial: 8250_...

This bug was fixed in the package linux - 5.3.0-24.26

---------------
linux (5.3.0-24.26) eoan; urgency=medium

* eoan/linux: 5.3.0-24.26 -proposed tracker (LP: #1852232)

* Eoan update: 5.3.9 upstream stable release (LP: #1851550)
    - io_uring: fix up O_NONBLOCK handling for sockets
    - dm snapshot: introduce account_start_copy() and account_end_copy()
    - dm snapshot: rework COW throttling to fix deadlock
    - Btrfs: fix inode cache block reserve leak on failure to allocate data space
    - btrfs: qgroup: Always free PREALLOC META reserve in
      btrfs_delalloc_release_extents()
    - iio: adc: meson_saradc: Fix memory allocation order
    - iio: fix center temperature of bmc150-accel-core
    - libsubcmd: Make _FORTIFY_SOURCE defines dependent on the feature
    - perf tests: Avoid raising SEGV using an obvious NULL dereference
    - perf map: Fix overlapped map handling
    - perf script brstackinsn: Fix recovery from LBR/binary mismatch
    - perf jevents: Fix period for Intel fixed counters
    - perf tools: Propagate get_cpuid() error
    - perf annotate: Propagate perf_env__arch() error
    - perf annotate: Fix the signedness of failure returns
    - perf annotate: Propagate the symbol__annotate() error return
    - perf annotate: Fix arch specific ->init() failure errors
    - perf annotate: Return appropriate error code for allocation failures
    - perf annotate: Don't return -1 for error when doing BPF disassembly
    - staging: rtl8188eu: fix null dereference when kzalloc fails
    - RDMA/siw: Fix serialization issue in write_space()
    - RDMA/hfi1: Prevent memory leak in sdma_init
    - RDMA/iw_cxgb4: fix SRQ access from dump_qp()
    - RDMA/iwcm: Fix a lock inversion issue
    - HID: hyperv: Use in-place iterator API in the channel callback
    - kselftest: exclude failed TARGETS from runlist
    - selftests/kselftest/runner.sh: Add 45 second timeout per test
    - nfs: Fix nfsi->nrequests count error on nfs_inode_remove_request
    - arm64: cpufeature: Effectively expose FRINT capability to userspace
    - arm64: Fix incorrect irqflag restore for priority masking for compat
    - arm64: ftrace: Ensure synchronisation in PLT setup for Neoverse-N1 #1542419
    - tty: serial: owl: Fix the link time qualifier of 'owl_uart_exit()'
    - tty: serial: rda: Fix the link time qualifier of 'rda_uart_exit()'
    - serial/sifive: select SERIAL_EARLYCON
    - tty: n_hdlc: fix build on SPARC
    - misc: fastrpc: prevent memory leak in fastrpc_dma_buf_attach
    - RDMA/core: Fix an error handling path in 'res_get_common_doit()'
    - RDMA/cm: Fix memory leak in cm_add/remove_one
    - RDMA/nldev: Reshuffle the code to avoid need to rebind QP in error path
    - RDMA/mlx5: Do not allow rereg of a ODP MR
    - RDMA/mlx5: Order num_pending_prefetch properly with synchronize_srcu
    - RDMA/mlx5: Add missing synchronize_srcu() for MW cases
    - gpio: max77620: Use correct unit for debounce times
    - fs: cifs: mute -Wunused-const-variable message
    - arm64: vdso32: Fix broken compat vDSO build warnings
    - arm64: vdso32: Detect binutils support for dmb ishld
    - serial: mctrl_gpio: Check for NULL pointer
    - serial: 8250_omap: Fix gpio check for auto RTS/CTS
    - arm64: Default to building compat vDSO with clang when CONFIG_CC_IS_CLANG
    - arm64: vdso32: Don't use KBUILD_CPPFLAGS unconditionally
    - efi/cper: Fix endianness of PCIe class code
    - efi/x86: Do not clean dummy variable in kexec path
    - MIPS: include: Mark __cmpxchg as __always_inline
    - riscv: avoid kernel hangs when trapped in BUG()
    - riscv: avoid sending a SIGTRAP to a user thread trapped in WARN()
    - riscv: Correct the handling of unexpected ebreak in do_trap_break()
    - x86/xen: Return from panic notifier
    - ocfs2: clear zero in unaligned direct IO
    - fs: ocfs2: fix possible null-pointer dereferences in
      ocfs2_xa_prepare_entry()
    - fs: ocfs2: fix a possible null-pointer dereference in
      ocfs2_write_end_nolock()
    - fs: ocfs2: fix a possible null-pointer dereference in
      ocfs2_info_scan_inode_alloc()
    - btrfs: silence maybe-uninitialized warning in clone_range
    - arm64: armv8_deprecated: Checking return value for memory allocation
    - sched/fair: Scale bandwidth quota and period without losing quota/period
      ratio precision
    - sched/vtime: Fix guest/system mis-accounting on task switch
    - perf/core: Rework memory accounting in perf_mmap()
    - perf/core: Fix corner case in perf_rotate_context()
    - perf/x86/amd: Change/fix NMI latency mitigation to use a timestamp
    - drm/amdgpu: fix memory leak
    - iio: imu: adis16400: release allocated memory on failure
    - iio: imu: adis16400: fix memory leak
    - iio: imu: st_lsm6dsx: fix waitime for st_lsm6dsx i2c controller
    - MIPS: include: Mark __xchg as __always_inline
    - MIPS: fw: sni: Fix out of bounds init of o32 stack
    - s390/cio: fix virtio-ccw DMA without PV
    - virt: vbox: fix memory leak in hgcm_call_preprocess_linaddr
    - nbd: fix possible sysfs duplicate warning
    - NFSv4: Fix leak of clp->cl_acceptor string
    - SUNRPC: fix race to sk_err after xs_error_report
    - s390/uaccess: avoid (false positive) compiler warnings
    - tracing: Initialize iter->seq after zeroing in tracing_read_pipe()
    - perf annotate: Fix multiple memory and file descriptor leaks
    - perf/aux: Fix tracking of auxiliary trace buffer allocation
    - USB: legousbtower: fix a signedness bug in tower_probe()
    - nbd: verify socket is supported during setup
    - fuse: flush dirty data/metadata before non-truncate setattr
    - fuse: truncate pending writes on O_TRUNC
    - ALSA: bebob: Fix prototype of helper function to return negative value
    - ALSA: timer: Fix mutex deadlock at releasing card
    - ath10k: fix latency issue for QCA988x
    - UAS: Revert commit 3ae62a42090f ("UAS: fix alignment of scatter/gather
      segments")
    - nl80211: fix validation of mesh path nexthop
    - USB: gadget: Reject endpoints with 0 maxpacket value
    - usb-storage: Revert commit 747668dbc061 ("usb-storage: Set
      virt_boundary_mask to avoid SG overflows")
    - USB: ldusb: fix ring-buffer locking
    - USB: ldusb: fix control-message timeout
    - usb: xhci: fix Immediate Data Transfer endianness
    - usb: xhci: fix __le32/__le64 accessors in debugfs code
    - USB: serial: whiteheat: fix potential slab corruption
    - USB: serial: whiteheat: fix line-speed endianness
    - xhci: Fix use-after-free regression in xhci clear hub TT implementation
    - scsi: qla2xxx: Fix partial flash write of MBI
    - scsi: target: cxgbit: Fix cxgbit_fw4_ack()
    - HID: i2c-hid: add Trekstor Primebook C11B to descriptor override
    - HID: Fix assumption that devices have inputs
    - HID: fix error message in hid_open_report()
    - HID: logitech-hidpp: split g920_get_config()
    - HID: logitech-hidpp: rework device validation
    - HID: logitech-hidpp: do all FF cleanup in hidpp_ff_destroy()
    - um-ubd: Entrust re-queue to the upper layers
    - s390/unwind: fix mixing regs and sp
    - s390/cmm: fix information leak in cmm_timeout_handler()
    - s390/idle: fix cpu idle time calculation
    - ARC: perf: Accommodate big-endian CPU
    - IB/hfi1: Avoid excessive retry for TID RDMA READ request
    - arm64: Ensure VM_WRITE|VM_SHARED ptes are clean by default
    - arm64: cpufeature: Enable Qualcomm Falkor/Kryo errata 1003
    - virtio_ring: fix stalls for packed rings
    - rtlwifi: rtl_pci: Fix problem of too small skb->len
    - dmaengine: qcom: bam_dma: Fix resource leak
    - dmaengine: tegra210-adma: fix transfer failure
    - dmaengine: imx-sdma: fix size check for sdma script_number
    - dmaengine: cppi41: Fix cppi41_dma_prep_slave_sg() when idle
    - drm/amdgpu/gmc10: properly set BANK_SELECT and FRAGMENT_SIZE
    - drm/i915: Fix PCH reference clock for FDI on HSW/BDW
    - drm/amdgpu/gfx10: update gfx golden settings
    - drm/amdgpu/powerplay/vega10: allow undervolting in p7
    - drm/amdgpu: Fix SDMA hang when performing VKexample test
    - NFS: Fix an RCU lock leak in nfs4_refresh_delegation_stateid()
    - io_uring: ensure we clear io_kiocb->result before each issue
    - iommu/vt-d: Fix panic after kexec -p for kdump
    - batman-adv: Avoid free/alloc race when handling OGM buffer
    - llc: fix sk_buff leak in llc_sap_state_process()
    - llc: fix sk_buff leak in llc_conn_service()
    - rxrpc: Fix call ref leak
    - rxrpc: rxrpc_peer needs to hold a ref on the rxrpc_local record
    - rxrpc: Fix trace-after-put looking at the put peer record
    - NFC: pn533: fix use-after-free and memleaks
    - bonding: fix potential NULL deref in bond_update_slave_arr
    - netfilter: conntrack: avoid possible false sharing
    - net: usb: sr9800: fix uninitialized local variable
    - sch_netem: fix rcu splat in netem_enqueue()
    - net: sched: sch_sfb: don't call qdisc_put() while holding tree lock
    - iwlwifi: exclude GEO SAR support for 3168
    - sched/fair: Fix low cpu usage with high throttling by removing expiration of
      cpu-local slices
    - ALSA: usb-audio: DSD auto-detection for Playback Designs
    - ALSA: usb-audio: Update DSD support quirks for Oppo and Rotel
    - ALSA: usb-audio: Add DSD support for Gustard U16/X26 USB Interface
    - RDMA/mlx5: Use irq xarray locking for mkey_table
    - sched/fair: Fix -Wunused-but-set-variable warnings
    - powerpc/powernv: Fix CPU idle to be called with IRQs disabled
    - Revert "nvme: allow 64-bit results in passthru commands"
    - Revert "ALSA: hda: Flush interrupts on disabling"
    - Linux 5.3.9
    - [Config] Remove CONFIG_GENERIC_COMPAT_VDSO and
      CONFIG_CROSS_COMPILE_COMPAT_VDSO

* Eoan update: v5.3.8 upstream stable release (LP: #1850456)
    - drm: Free the writeback_job when it with an empty fb
    - drm: Clear the fence pointer when writeback job signaled
    - clk: ti: dra7: Fix mcasp8 clock bits
    - ARM: dts: Fix wrong clocks for dra7 mcasp
    - nvme-pci: Fix a race in controller removal
    - scsi: ufs: skip shutdown if hba is not powered
    - scsi: megaraid: disable device when probe failed after enabled device
    - scsi: qla2xxx: Silence fwdump template message
    - scsi: qla2xxx: Fix unbound sleep in fcport delete path.
    - scsi: qla2xxx: Fix stale mem access on driver unload
    - scsi: qla2xxx: Fix N2N link reset
    - scsi: qla2xxx: Fix N2N link up fail
    - ARM: dts: Fix gpio0 flags for am335x-icev2
    - ARM: OMAP2+: Fix missing reset done flag for am3 and am43
    - ARM: OMAP2+: Add missing LCDC midlemode for am335x
    - ARM: OMAP2+: Fix warnings with broken omap2_set_init_voltage()
    - nvme-tcp: fix wrong stop condition in io_work
    - nvme-pci: Save PCI state before putting drive into deepest state
    - nvme: fix an error code in nvme_init_subsystem()
    - nvme-rdma: Fix max_hw_sectors calculation
    - Added QUIRKs for ADATA XPG SX8200 Pro 512GB
    - nvme: Add quirk for Kingston NVME SSD running FW E8FK11.T
    - nvme: allow 64-bit results in passthru commands
    - drm/komeda: prevent memory leak in komeda_wb_connector_add
    - nvme-rdma: fix possible use-after-free in connect timeout
    - blk-mq: honor IO scheduler for multiqueue devices
    - ieee802154: ca8210: prevent memory leak
    - ARM: dts: am4372: Set memory bandwidth limit for DISPC
    - net: dsa: qca8k: Use up to 7 ports for all operations
    - MIPS: dts: ar9331: fix interrupt-controller size
    - xen/efi: Set nonblocking callbacks
    - loop: change queue block size to match when using DIO
    - nl80211: fix null pointer dereference
    - mac80211: fix txq null pointer dereference
    - netfilter: nft_connlimit: disable bh on garbage collection
    - net: mscc: ocelot: add missing of_node_put after calling
      of_get_child_by_name
    - net: dsa: rtl8366rb: add missing of_node_put after calling
      of_get_child_by_name
    - net: stmmac: xgmac: Not all Unicast addresses may be available
    - net: stmmac: dwmac4: Always update the MAC Hash Filter
    - net: stmmac: Correctly take timestamp for PTPv2
    - net: stmmac: Do not stop PHY if WoL is enabled
    - net: ag71xx: fix mdio subnode support
    - RISC-V: Clear load reservations while restoring hart contexts
    - riscv: Fix memblock reservation for device tree blob
    - drm/amdgpu: fix multiple memory leaks in acp_hw_init
    - drm/amd/display: memory leak
    - mips: Loongson: Fix the link time qualifier of 'serial_exit()'
    - net: hisilicon: Fix usage of uninitialized variable in function
      mdio_sc_cfg_reg_write()
    - net: stmmac: Avoid deadlock on suspend/resume
    - selftests: kvm: Fix libkvm build error
    - lib: textsearch: fix escapes in example code
    - s390/mm: fix -Wunused-but-set-variable warnings
    - net: phy: allow for reset line to be tied to a sleepy GPIO controller
    - net: phy: fix write to mii-ctrl1000 register
    - namespace: fix namespace.pl script to support relative paths
    - Convert filldir[64]() from __put_user() to unsafe_put_user()
    - elf: don't use MAP_FIXED_NOREPLACE for elf executable mappings
    - Make filldir[64]() verify the directory entry filename is valid
    - uaccess: implement a proper unsafe_copy_to_user() and switch filldir over to
      it
    - filldir[64]: remove WARN_ON_ONCE() for bad directory entries
    - net_sched: fix backward compatibility for TCA_KIND
    - net_sched: fix backward compatibility for TCA_ACT_KIND
    - libata/ahci: Fix PCS quirk application
    - Revert "drm/radeon: Fix EEH during kexec"
    - ocfs2: fix panic due to ocfs2_wq is null
    - nvme-pci: Set the prp2 correctly when using more than 4k page
    - ipv4: fix race condition between route lookup and invalidation
    - ipv4: Return -ENETUNREACH if we can't create route but saddr is valid
    - net: avoid potential infinite loop in tc_ctl_action()
    - net: bcmgenet: Fix RGMII_MODE_EN value for GENET v1/2/3
    - net: bcmgenet: Set phydev->dev_flags only for internal PHYs
    - net: i82596: fix dma_alloc_attr for sni_82596
    - net/ibmvnic: Fix EOI when running in XIVE mode.
    - net: ipv6: fix listify ip6_rcv_finish in case of forwarding
    - net: stmmac: disable/enable ptp_ref_clk in suspend/resume flow
    - rxrpc: Fix possible NULL pointer access in ICMP handling
    - sched: etf: Fix ordering of packets with same txtime
    - sctp: change sctp_prot .no_autobind with true
    - net: aquantia: temperature retrieval fix
    - net: aquantia: when cleaning hw cache it should be toggled
    - net: aquantia: do not pass lro session with invalid tcp checksum
    - net: aquantia: correctly handle macvlan and multicast coexistence
    - net: phy: micrel: Discern KSZ8051 and KSZ8795 PHYs
    - net: phy: micrel: Update KSZ87xx PHY name
    - net: avoid errors when trying to pop MLPS header on non-MPLS packets
    - net/sched: fix corrupted L2 header with MPLS 'push' and 'pop' actions
    - netdevsim: Fix error handling in nsim_fib_init and nsim_fib_exit
    - net: ethernet: broadcom: have drivers select DIMLIB as needed
    - net: phy: Fix "link partner" information disappear issue
    - rxrpc: use rcu protection while reading sk->sk_user_data
    - io_uring: fix bad inflight accounting for SETUP_IOPOLL|SETUP_SQTHREAD
    - io_uring: Fix corrupted user_data
    - USB: legousbtower: fix memleak on disconnect
    - ALSA: hda/realtek - Add support for ALC711
    - ALSA: hda/realtek - Enable headset mic on Asus MJ401TA
    - ALSA: usb-audio: Disable quirks for BOSS Katana amplifiers
    - ALSA: hda - Force runtime PM on Nvidia HDMI codecs
    - usb: udc: lpc32xx: fix bad bit shift operation
    - USB: serial: ti_usb_3410_5052: fix port-close races
    - USB: ldusb: fix memleak on disconnect
    - USB: usblp: fix use-after-free on disconnect
    - USB: ldusb: fix read info leaks
    - binder: Don't modify VMA bounds in ->mmap handler
    - MIPS: tlbex: Fix build_restore_pagemask KScratch restore
    - staging: wlan-ng: fix exit return when sme->key_idx >= NUM_WEPKEYS
    - scsi: zfcp: fix reaction on bit error threshold notification
    - scsi: sd: Ignore a failure to sync cache due to lack of authorization
    - scsi: core: save/restore command resid for error handling
    - scsi: core: try to get module before removing device
    - scsi: ch: Make it possible to open a ch device multiple times again
    - Revert "Input: elantech - enable SMBus on new (2018+) systems"
    - Input: da9063 - fix capability and drop KEY_SLEEP
    - Input: synaptics-rmi4 - avoid processing unknown IRQs
    - Input: st1232 - fix reporting multitouch coordinates
    - ASoC: rsnd: Reinitialize bit clock inversion flag for every format setting
    - ACPI: CPPC: Set pcc_data[pcc_ss_id] to NULL in acpi_cppc_processor_exit()
    - ACPI: NFIT: Fix unlock on error in scrub_show()
    - iwlwifi: pcie: change qu with jf devices to use qu configuration
    - cfg80211: wext: avoid copying malformed SSIDs
    - mac80211: Reject malformed SSID elements
    - drm/ttm: Restore ttm prefaulting
    - drm/panfrost: Handle resetting on timeout better
    - drm/amdgpu: Bail earlier when amdgpu.cik_/si_support is not set to 1
    - drm/amdgpu/sdma5: fix mask value of POLL_REGMEM packet for pipe sync
    - drm/i915/userptr: Never allow userptr into the mappable GGTT
    - drm/i915: Favor last VBT child device with conflicting AUX ch/DDC pin
    - drm/amdgpu/vce: fix allocation size in enc ring test
    - drm/amdgpu/vcn: fix allocation size in enc ring test
    - drm/amdgpu/uvd6: fix allocation size in enc ring test (v2)
    - drm/amdgpu/uvd7: fix allocation size in enc ring test (v2)
    - drm/amdgpu: user pages array memory leak fix
    - drivers/base/memory.c: don't access uninitialized memmaps in
      soft_offline_page_store()
    - fs/proc/page.c: don't access uninitialized memmaps in fs/proc/page.c
    - io_uring: Fix broken links with offloading
    - io_uring: Fix race for sqes with userspace
    - io_uring: used cached copies of sq->dropped and cq->overflow
    - mmc: mxs: fix flags passed to dmaengine_prep_slave_sg
    - mmc: cqhci: Commit descriptors before setting the doorbell
    - mmc: sdhci-omap: Fix Tuning procedure for temperatures < -20C
    - mm/memory-failure.c: don't access uninitialized memmaps in memory_failure()
    - mm/slub: fix a deadlock in show_slab_objects()
    - mm/page_owner: don't access uninitialized memmaps when reading
      /proc/pagetypeinfo
    - mm/memunmap: don't access uninitialized memmap in memunmap_pages()
    - mm: memcg/slab: fix panic in __free_slab() caused by premature memcg pointer
      release
    - mm, compaction: fix wrong pfn handling in __reset_isolation_pfn()
    - mm: memcg: get number of pages on the LRU list in memcgroup base on
      lru_zone_size
    - mm: memblock: do not enforce current limit for memblock_phys* family
    - hugetlbfs: don't access uninitialized memmaps in pfn_range_valid_gigantic()
    - mm/memory-failure: poison read receives SIGKILL instead of SIGBUS if mmaped
      more than once
    - zram: fix race between backing_dev_show and backing_dev_store
    - xtensa: drop EXPORT_SYMBOL for outs*/ins*
    - xtensa: fix change_bit in exclusive access option
    - s390/zcrypt: fix memleak at release
    - s390/kaslr: add support for R_390_GLOB_DAT relocation type
    - lib/vdso: Make clock_getres() POSIX compliant again
    - parisc: Fix vmap memory leak in ioremap()/iounmap()
    - EDAC/ghes: Fix Use after free in ghes_edac remove path
    - arm64: KVM: Trap VM ops when ARM64_WORKAROUND_CAVIUM_TX2_219_TVM is set
    - arm64: Avoid Cavium TX2 erratum 219 when switching TTBR
    - arm64: Enable workaround for Cavium TX2 erratum 219 when running SMT
    - arm64: Allow CAVIUM_TX2_ERRATUM_219 to be selected
    - CIFS: avoid using MID 0xFFFF
    - cifs: Fix missed free operations
    - CIFS: Fix use after free of file info structures
    - perf/aux: Fix AUX output stopping
    - tracing: Fix race in perf_trace_buf initialization
    - fs/dax: Fix pmd vs pte conflict detection
    - dm cache: fix bugs when a GFP_NOWAIT allocation fails
    - irqchip/sifive-plic: Switch to fasteoi flow
    - x86/boot/64: Make level2_kernel_pgt pages invalid outside kernel area
    - x86/apic/x2apic: Fix a NULL pointer deref when handling a dying cpu
    - x86/hyperv: Make vapic support x2apic mode
    - pinctrl: cherryview: restore Strago DMI workaround for all versions
    - pinctrl: armada-37xx: fix control of pins 32 and up
    - pinctrl: armada-37xx: swap polarity on LED group
    - btrfs: block-group: Fix a memory leak due to missing btrfs_put_block_group()
    - Btrfs: add missing extents release on file extent cluster relocation error
    - btrfs: don't needlessly create extent-refs kernel thread
    - Btrfs: fix qgroup double free after failure to reserve metadata for delalloc
    - Btrfs: check for the full sync flag while holding the inode lock during
      fsync
    - btrfs: tracepoints: Fix wrong parameter order for qgroup events
    - btrfs: tracepoints: Fix bad entry members of qgroup events
    - KVM: PPC: Book3S HV: XIVE: Ensure VP isn't already in use
    - memstick: jmb38x_ms: Fix an error handling path in 'jmb38x_ms_probe()'
    - cpufreq: Avoid cpufreq_suspend() deadlock on system shutdown
    - ceph: just skip unrecognized info in ceph_reply_info_extra
    - xen/netback: fix error path of xenvif_connect_data()
    - PCI: PM: Fix pci_power_up()
    - opp: of: drop incorrect lockdep_assert_held()
    - of: reserved_mem: add missing of_node_put() for proper ref-counting
    - blk-rq-qos: fix first node deletion of rq_qos_del()
    - RDMA/cxgb4: Do not dma memory off of the stack
    - Linux 5.3.8
    - [Config] CONFIG_CAVIUM_TX2_ERRATUM_219=y

* Eoan update: 5.3.10 upstream stable release (LP: #1852111)
    - regulator: of: fix suspend-min/max-voltage parsing
    - ASoC: samsung: arndale: Add missing OF node dereferencing
    - ASoC: wm8994: Do not register inapplicable controls for WM1811
    - regulator: da9062: fix suspend_enable/disable preparation
    - ASoC: topology: Fix a signedness bug in soc_tplg_dapm_widget_create()
    - arm64: dts: allwinner: a64: pine64-plus: Add PHY regulator delay
    - arm64: dts: allwinner: a64: Drop PMU node
    - arm64: dts: allwinner: a64: sopine-baseboard: Add PHY regulator delay
    - arm64: dts: Fix gpio to pinmux mapping
    - regulator: ti-abb: Fix timeout in ti_abb_wait_txdone/ti_abb_clear_all_txdone
    - pinctrl: intel: Allocate IRQ chip dynamic
    - ASoC: SOF: loader: fix kernel oops on firmware boot failure
    - ASoC: SOF: topology: fix parse fail issue for byte/bool tuple types
    - ASoC: SOF: Intel: hda: fix warnings during FW load
    - ASoC: SOF: Intel: initialise and verify FW crash dump data.
    - ASoC: SOF: Intel: hda: Disable DMI L1 entry during capture
    - ASoC: rt5682: add NULL handler to set_jack function
    - ASoC: intel: sof_rt5682: add remove function to disable jack
    - ASoC: intel: bytcr_rt5651: add null check to support_button_press
    - regulator: pfuze100-regulator: Variable "val" in pfuze100_regulator_probe()
      could be uninitialized
    - ASoC: wm_adsp: Don't generate kcontrols without READ flags
    - ASoc: rockchip: i2s: Fix RPM imbalance
    - arm64: dts: rockchip: fix Rockpro64 RK808 interrupt line
    - ARM: dts: logicpd-torpedo-som: Remove twl_keypad
    - arm64: dts: rockchip: fix RockPro64 vdd-log regulator settings
    - arm64: dts: rockchip: fix RockPro64 sdhci settings
    - pinctrl: ns2: Fix off by one bugs in ns2_pinmux_enable()
    - pinctrl: stmfx: fix null pointer on remove
    - arm64: dts: zii-ultra: fix ARM regulator states
    - ARM: dts: am3874-iceboard: Fix 'i2c-mux-idle-disconnect' usage
    - ASoC: msm8916-wcd-digital: add missing MIX2 path for RX1/2
    - ASoC: simple_card_utils.h: Fix potential multiple redefinition error
    - ARM: dts: Use level interrupt for omap4 & 5 wlcore
    - ARM: mm: fix alignment handler faults under memory pressure
    - scsi: qla2xxx: fix a potential NULL pointer dereference
    - scsi: scsi_dh_alua: handle RTPG sense code correctly during state
      transitions
    - scsi: sni_53c710: fix compilation error
    - scsi: fix kconfig dependency warning related to 53C700_LE_ON_BE
    - ARM: 8908/1: add __always_inline to functions called from __get_user_check()
    - ARM: 8914/1: NOMMU: Fix exc_ret for XIP
    - arm64: dts: rockchip: fix RockPro64 sdmmc settings
    - arm64: dts: rockchip: Fix usb-c on Hugsun X99 TV Box
    - arm64: dts: lx2160a: Correct CPU core idle state name
    - ARM: dts: imx6q-logicpd: Re-Enable SNVS power key
    - ARM: dts: vf610-zii-scu4-aib: Specify 'i2c-mux-idle-disconnect'
    - ARM: dts: imx7s: Correct GPT's ipg clock source
    - arm64: dts: imx8mq: Use correct clock for usdhc's ipg clk
    - arm64: dts: imx8mm: Use correct clock for usdhc's ipg clk
    - perf tools: Fix resource leak of closedir() on the error paths
    - perf c2c: Fix memory leak in build_cl_output()
    - 8250-men-mcb: fix error checking when get_num_ports returns -ENODEV
    - perf kmem: Fix memory leak in compact_gfp_flags()
    - ARM: davinci: dm365: Fix McBSP dma_slave_map entry
    - drm/amdgpu: fix potential VM faults
    - drm/amdgpu: fix error handling in amdgpu_bo_list_create
    - scsi: target: core: Do not overwrite CDB byte 1
    - scsi: hpsa: add missing hunks in reset-patch
    - ASoC: Intel: sof-rt5682: add a check for devm_clk_get
    - ASoC: SOF: control: return true when kcontrol values change
    - tracing: Fix "gfp_t" format for synthetic events
    - ARM: dts: bcm2837-rpi-cm3: Avoid leds-gpio probing issue
    - i2c: aspeed: fix master pending state handling
    - drm/komeda: Don't flush inactive pipes
    - ARM: 8926/1: v7m: remove register save to stack before svc
    - selftests: kvm: vmx_set_nested_state_test: don't check for VMX support twice
    - selftests: kvm: fix sync_regs_test with newer gccs
    - ALSA: hda: Add Tigerlake/Jasperlake PCI ID
    - of: unittest: fix memory leak in unittest_data_add
    - MIPS: bmips: mark exception vectors as char arrays
    - irqchip/gic-v3-its: Use the exact ITSList for VMOVP
    - i2c: mt65xx: fix NULL ptr dereference
    - i2c: stm32f7: fix first byte to send in slave mode
    - i2c: stm32f7: fix a race in slave mode with arbitration loss irq
    - i2c: stm32f7: remove warning when compiling with W=1
    - cifs: Fix cifsInodeInfo lock_sem deadlock when reconnect occurs
    - irqchip/sifive-plic: Skip contexts except supervisor in plic_init()
    - nbd: protect cmd->status with cmd->lock
    - nbd: handle racing with error'ed out commands
    - cxgb4: fix panic when attaching to ULD fail
    - cxgb4: request the TX CIDX updates to status page
    - dccp: do not leak jiffies on the wire
    - erspan: fix the tun_info options_len check for erspan
    - inet: stop leaking jiffies on the wire
    - net: annotate accesses to sk->sk_incoming_cpu
    - net: annotate lockless accesses to sk->sk_napi_id
    - net: dsa: bcm_sf2: Fix IMP setup for port different than 8
    - net: ethernet: ftgmac100: Fix DMA coherency issue with SW checksum
    - net: fix sk_page_frag() recursion from memory reclaim
    - net: hisilicon: Fix ping latency when deal with high throughput
    - net/mlx4_core: Dynamically set guaranteed amount of counters per VF
    - netns: fix GFP flags in rtnl_net_notifyid()
    - net: rtnetlink: fix a typo fbd -> fdb
    - net: usb: lan78xx: Disable interrupts before calling generic_handle_irq()
    - SAUCE: Revert "UBUNTU: SAUCE: (no-up) net: Zeroing the structure
      ethtool_wolinfo in ethtool_get_wol()"
    - net: Zeroing the structure ethtool_wolinfo in ethtool_get_wol()
    - selftests: net: reuseport_dualstack: fix uninitalized parameter
    - udp: fix data-race in udp_set_dev_scratch()
    - vxlan: check tun_info options_len properly
    - net: add skb_queue_empty_lockless()
    - udp: use skb_queue_empty_lockless()
    - net: use skb_queue_empty_lockless() in poll() handlers
    - net: use skb_queue_empty_lockless() in busy poll contexts
    - net: add READ_ONCE() annotation in __skb_wait_for_more_packets()
    - ipv4: fix route update on metric change.
    - selftests: fib_tests: add more tests for metric update
    - net/smc: fix closing of fallback SMC sockets
    - net/smc: keep vlan_id for SMC-R in smc_listen_work()
    - keys: Fix memory leak in copy_net_ns
    - net: phylink: Fix phylink_dbg() macro
    - rxrpc: Fix handling of last subpacket of jumbo packet
    - net/mlx5e: Determine source port properly for vlan push action
    - net/mlx5e: Remove incorrect match criteria assignment line
    - net/mlx5e: Initialize on stack link modes bitmap
    - net/mlx5: Fix flow counter list auto bits struct
    - net/smc: fix refcounting for non-blocking connect()
    - net/mlx5: Fix rtable reference leak
    - mlxsw: core: Unpublish devlink parameters during reload
    - r8169: fix wrong PHY ID issue with RTL8168dp
    - net/mlx5e: Fix ethtool self test: link speed
    - net/mlx5e: Fix handling of compressed CQEs in case of low NAPI budget
    - ipv4: fix IPSKB_FRAG_PMTU handling with fragmentation
    - net: bcmgenet: don't set phydev->link from MAC
    - net: dsa: b53: Do not clear existing mirrored port mask
    - net: dsa: fix switch tree list
    - net: ensure correct skb->tstamp in various fragmenters
    - net: hns3: fix mis-counting IRQ vector numbers issue
    - net: netem: fix error path for corrupted GSO frames
    - net: reorder 'struct net' fields to avoid false sharing
    - net: usb: lan78xx: Connect PHY before registering MAC
    - r8152: add device id for Lenovo ThinkPad USB-C Dock Gen 2
    - net: netem: correct the parent's backlog when corrupted packet was dropped
    - net: phy: bcm7xxx: define soft_reset for 40nm EPHY
    - net: bcmgenet: reset 40nm EPHY on energy detect
    - net/flow_dissector: switch to siphash
    - platform/x86: pmc_atom: Add Siemens SIMATIC IPC227E to critclk_systems DMI
      table
    - CIFS: Fix retry mid list corruption on reconnects
    - selftests/powerpc: Add test case for tlbie vs mtpidr ordering issue
    - selftests/powerpc: Fix compile error on tlbie_test due to newer gcc
    - ASoC: pcm3168a: The codec does not support S32_LE
    - arm64: dts: ti: k3-am65-main: Fix gic-its node unit-address
    - usb: gadget: udc: core: Fix segfault if udc_bind_to_driver() for pending
      driver fails
    - Linux 5.3.10
    - [Config] SND_SOC_SOF_HDA_ALWAYS_ENABLE_DMI_L1=n

* Some EFI systems fail to boot in efi_init() when booted via maas
    (LP: #1851810)
    - efi: efi_get_memory_map -- increase map headroom

* dkms artifacts may expire from the pool (LP: #1850958)
    - [Packaging] dkms -- try launchpad librarian for pool downloads
    - [Packaging] dkms -- dkms-build quieten wget verbiage

* update ENA driver to version 2.1.0 (LP: #1850175)
    - net: ena: don't wake up tx queue when down
    - net: ena: clean up indentation issue

* drm/i915: Add support for another CMP-H PCH (LP: #1848491)
    - drm/i915/cml: Add second PCH ID for CMP

* Add Intel Comet Lake ethernet support (LP: #1848555)
    - SAUCE: e1000e: Add support for Comet Lake

* seccomp: fix SECCOMP_USER_NOTIF_FLAG_CONTINUE test (LP: #1849281)
    - SAUCE: seccomp: rework define for SECCOMP_USER_NOTIF_FLAG_CONTINUE
    - SAUCE: seccomp: avoid overflow in implicit constant conversion
    - SAUCE: seccomp: fix SECCOMP_USER_NOTIF_FLAG_CONTINUE test

* tsc marked unstable after entered PC10 on Intel CoffeeLake (LP: #1840239)
    - SAUCE: x86/intel: Disable HPET on Intel Coffe Lake platforms
    - SAUCE: x86/intel: Disable HPET on Intel Ice Lake platforms

* cloudimg: no iavf/i40evf module so no network available with SR-IOV enabled
    cloud (LP: #1848481)
    - [Packaging] include iavf/i40evf in generic

* High power consumption using 5.0.0-25-generic (LP: #1840835)
    - PCI: Add a helper to check Power Resource Requirements _PR3 existence
    - ALSA: hda: Allow HDA to be runtime suspended when dGPU is not bound to a
      driver
    - PCI: Fix missing inline for pci_pr3_present()

* CML CPUIDs (LP: #1843794)
    - x86/cpu: Add Comet Lake to the Intel CPU models header

* shiftfs: prevent exceeding project quotas (LP: #1849483)
    - SAUCE: shiftfs: drop CAP_SYS_RESOURCE from effective capabilities

* shiftfs: fix fallocate() (LP: #1849482)
    - SAUCE: shiftfs: setup correct s_maxbytes limit

* Bluetooth: hidp: Fix assumptions on the return value of hidp_send_message
    (LP: #1850443)
    - Bluetooth: hidp: Fix assumptions on the return value of hidp_send_message

* [SRU][B/OEM-B/OEM-OSP1/D/E] UBUNTU: SAUCE: add rtl623 codec support and fix
    mic issues (LP: #1850599)
    - SAUCE: ALSA: hda/realtek - Add support for ALC623
    - SAUCE: ALSA: hda/realtek - Fix 2 front mics of codec 0x623

* Suppress "hid_field_extract() called with n (192) > 32!" message floods
    (LP: #1850600)
    - HID: core: reformat and reduce hid_printk macros
    - HID: core: Add printk_once variants to hid_warn() etc
    - HID: core: fix dmesg flooding if report field larger than 32bit

* ubuntu-aufs-modified mmap_region() breaks refcounting in overlayfs/shiftfs
    error path (LP: #1850994) // CVE-2019-15794
    - SAUCE: shiftfs: Restore vm_file value when lower fs mmap fails
    - SAUCE: ovl: Restore vm_file value when lower fs mmap fails

* s_iflags overlap prevents unprivileged overlayfs mounts (LP: #1851677)
    - SAUCE: fs: Move SB_I_NOSUID to the top of s_iflags

* root can lift kernel lockdown (LP: #1851380)
    - SAUCE: (efi-lockdown) Really don't allow lifting lockdown from userspace

* Colour banding in Lenovo G50-80 laptop display (i915) (LP: #1819968) // Eoan
    update: v5.3.8 upstream stable release (LP: #1850456)
    - drm/edid: Add 6 bpc quirk for SDC panel in Lenovo G50

-- Connor Kuehl <connor.kuehl@canonical.com>  Wed, 13 Nov 2019 14:41:52 -0800

Changed in linux (Ubuntu):
status:	Triaged → Fix Released

Ubuntu
linux package

CVE-2019-0155: incomplete fix for 64-bit x86 kernels

Bug Description

CVE References

Other bug subscribers

Remote bug watches

	Status	Importance	Assigned to
linux (Ubuntu)	Fix Released	Critical	Unassigned
Xenial	Fix Released	Critical	Tyler Hicks
Bionic	Fix Released	Critical	Tyler Hicks
Disco	Fix Released	Critical	Tyler Hicks
Eoan	Fix Released	Critical	Tyler Hicks

Ubuntulinux package

CVE-2019-0155: incomplete fix for 64-bit x86 kernels

Bug Description

CVE References

Other bug subscribers

Remote bug watches

Ubuntu
linux package