Ubuntu
linux-oem-5.14 package

Focal update: v5.14.15 upstream stable release

Bug #1950160 reported by Timo Aaltonen on 2021-11-08

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	linux-oem-5.14 (Ubuntu)	Invalid	Undecided	Unassigned
	Focal	Fix Released	Undecided	Unassigned

Bug Description

SRU Justification

    Impact:
       The upstream process for stable tree updates is quite similar
       in scope to the Ubuntu SRU process, e.g., each patch has to
       demonstrably fix a bug, and each patch is vetted by upstream
       by originating either directly from a mainline/stable Linux tree or
       a minimally backported form of that patch. The following upstream
       stable patches should be included in the Ubuntu kernel:

v5.14.15 upstream stable release
from git://git.kernel.org/

Linux 5.14.15
pinctrl: stm32: use valid pin identifier in stm32_pinctrl_resume()
ARM: 9122/1: select HAVE_FUTEX_CMPXCHG
e1000e: Separate TGP board type from SPT
net: mdiobus: Fix memory leak in __mdiobus_register
bpf, test, cgroup: Use sk_{alloc,free} for test cases
s390/pci: fix zpci_zdev_put() on reserve
s390/pci: cleanup resources only if necessary
scsi: core: Fix shost->cmd_per_lun calculation in scsi_add_host_with_dma()
autofs: fix wait name hash calculation in autofs_wait()
drm/kmb: Limit supported mode to 1080p
drm/kmb: Enable alpha blended second plane
net/mlx5: Lag, change multipath and bonding to be mutually exclusive
net/mlx5: Lag, move lag destruction to a workqueue
net: hns3: fix for miscalculation of rx unused desc
sched/scs: Reset the shadow stack when idle_task_exit
mm/thp: decrease nr_thps in file's mapping on THP split
scsi: qla2xxx: Fix a memory leak in an error path of qla2x00_process_els()
scsi: mpi3mr: Fix duplicate device entries when scanning through sysfs
scsi: storvsc: Fix validation for unsolicited incoming packets
scsi: iscsi: Fix set_param() handling
ASoC: codec: wcd938x: Add irq config support
Input: snvs_pwrkey - add clk handling
perf/x86/msr: Add Sapphire Rapids CPU support
libperf tests: Fix test_stat_cpu
libperf test evsel: Fix build error on !x86 architectures
spi-mux: Fix false-positive lockdep splats
spi: Fix deadlock when adding SPI controllers on SPI buses
ALSA: hda: avoid write to STATESTS if controller is in reset
platform/x86: intel_scu_ipc: Update timeout value in comment
platform/x86: intel_scu_ipc: Increase virtual timeout to 10s
isdn: mISDN: Fix sleeping function called from invalid context
ARM: dts: spear3xx: Fix gmac node
net: stmmac: add support for dwmac 3.40a
btrfs: deal with errors when checking if a dir entry exists during log replay
ALSA: hda: intel: Allow repeatedly probing on codec configuration errors
objtool: Update section header before relocations
objtool: Check for gelf_update_rel[a] failures
bitfield: build kunit tests without structleak plugin
thunderbolt: build kunit tests without structleak plugin
device property: build kunit tests without structleak plugin
iio/test-format: build kunit tests without structleak plugin
gcc-plugins/structleak: add makefile var for disabling structleak
drm/msm/a6xx: Serialize GMU communication
kunit: fix reference count leak in kfree_at_end
KVM: MMU: Reset mmu->pkru_mask to avoid stale data
net: hns3: fix the max tx size according to user manual
drm: mxsfb: Fix NULL pointer dereference crash on unload
KVM: SEV-ES: Set guest_state_protected after VMSA update
net: bridge: mcast: use multicast_membership_interval for IGMPv3
selftests: netfilter: remove stray bash debug line
netfilter: Kconfig: use 'default y' instead of 'm' for bool config option
isdn: cpai: check ctr->cnr to avoid array index out of bound
nfc: nci: fix the UAF of rf_conn_info object
KVM: x86: remove unnecessary arguments from complete_emulator_pio_in
KVM: x86: split the two parts of emulator_pio_in
KVM: x86: check for interrupts before deciding whether to exit the fast path
KVM: x86: leave vcpu->arch.pio.count alone in emulator_pio_in_out
KVM: SEV-ES: reduce ghcb_sa_len to 32 bits
KVM: SEV-ES: go over the sev_pio_data buffer in multiple passes if needed
KVM: SEV-ES: fix length of string I/O
KVM: SEV-ES: keep INS functions together
KVM: SEV-ES: clean up kvm_sev_es_ins/outs
KVM: SEV-ES: rename guest_ins_data to sev_pio_data
KVM: SEV: Flush cache on non-coherent systems before RECEIVE_UPDATE_DATA
KVM: nVMX: promptly process interrupts delivered while in guest mode
mm, slub: fix incorrect memcg slab count for bulk free
mm, slub: fix potential use-after-free in slab_debugfs_fops
mm, slub: fix potential memoryleak in kmem_cache_open()
mm, slub: fix mismatch between reconstructed freelist depth and cnt
powerpc/idle: Don't corrupt back chain when going idle
KVM: PPC: Book3S HV: Make idle_kvm_start_guest() return 0 if it went to guest
KVM: PPC: Book3S HV: Fix stack handling in idle_kvm_start_guest()
ucounts: Fix signal ucount refcounting
ucounts: Proper error handling in set_cred_ucounts
ucounts: Pair inc_rlimit_ucounts with dec_rlimit_ucoutns in commit_creds
ucounts: Move get_ucounts from cred_alloc_blank to key_change_session_keyring
net: dsa: mt7530: correct ds->num_ports
audit: fix possible null-pointer dereference in audit_filter_rules
blk-cgroup: blk_cgroup_bio_start() should use irq-safe operations on blkg->iostat_cpu
ASoC: nau8824: Fix headphone vs headset, button-press detection no longer working
ASoC: DAPM: Fix missing kctl change notifications
ALSA: hda/realtek: Add quirk for Clevo PC50HS
ALSA: usb-audio: Provide quirk for Sennheiser GSP670 Headset
mm/secretmem: fix NULL page->mapping dereference in page_is_secretmem()
vfs: check fd has read access in kernel_read_file_from_fd()
elfcore: correct reference to CONFIG_UML
mm/mempolicy: do not allow illegal MPOL_F_NUMA_BALANCING | MPOL_LOCAL in mbind()
userfaultfd: fix a race between writeprotect and exit_mmap()
mm/userfaultfd: selftests: fix memory corruption with thp enabled
ocfs2: mount fails with buffer overflow in strlen
ocfs2: fix data corruption after conversion from inline format
tracing: Have all levels of checks prevent recursion
ceph: fix handling of "meta" errors
ceph: skip existing superblocks that are blocklisted or shut down when mounting
can: j1939: j1939_xtp_rx_rts_session_new(): abort TP less than 9 bytes
can: j1939: j1939_xtp_rx_dat_one(): cancel session if receive TP.DT with error length
can: j1939: j1939_netdev_start(): fix UAF for rx_kref of j1939_priv
can: j1939: j1939_tp_rxtimer(): fix errant alert in j1939_tp_rxtimer
can: isotp: isotp_sendmsg(): fix TX buffer concurrent access in isotp_sendmsg()
can: isotp: isotp_sendmsg(): add result check for wait_event_interruptible()
can: isotp: isotp_sendmsg(): fix return error on FC timeout on TX path
can: peak_pci: peak_pci_remove(): fix UAF
can: peak_usb: pcan_usb_fd_decode_status(): fix back to ERROR_ACTIVE state notification
can: rcar_can: fix suspend/resume
net: enetc: make sure all traffic classes can send large frames
net: enetc: fix ethtool counter name for PM0_TERR
drm/kmb: Enable ADV bridge after modeset
drm/kmb: Corrected typo in handle_lcd_irq
drm/kmb: Disable change of plane parameters
drm/kmb: Remove clearing DPHY regs
drm/kmb: Work around for higher system clock
drm/panel: ilitek-ili9881c: Fix sync for Feixin K101-IM2BYL02 panel
net/mlx5e: IPsec: Fix work queue entry ethernet segment checksum flags
net/mlx5e: IPsec: Fix a misuse of the software parser's fields
ice: Add missing E810 device ids
igc: Update I226_K device ID
e1000e: Fix packet loss on Tiger Lake and later
ptp: Fix possible memory leak in ptp_clock_register()
net: stmmac: Fix E2E delay mechanism
net: hns3: disable sriov before unload hclge layer
net: hns3: fix vf reset workqueue cannot exit
net: hns3: schedule the polling again when allocation fails
net: hns3: add limit ets dwrr bandwidth cannot be 0
net: hns3: reset DWRR of unused tc to zero
net: hns3: Add configuration of TM QCN error event
powerpc/smp: do not decrement idle task preempt count in CPU offline
net: dsa: Fix an error handling path in 'dsa_switch_parse_ports_of()'
NIOS2: irqflags: rename a redefined register name
net/sched: act_ct: Fix byte count on fragmented packets
net: dsa: lantiq_gswip: fix register definition
hamradio: baycom_epp: fix build for UML
ipv6: When forwarding count rx stats on the orig netdev
tcp: md5: Fix overlap between vrf and non-vrf keys
lan78xx: select CRC32
sctp: fix transport encap_port update in sctp_vtag_verify
netfilter: ipvs: make global sysctl readonly in non-init netns
netfilter: ip6t_rt: fix rt0_hdr parsing in rt_mt6
ice: Print the api_patch as part of the fw.mgmt.api
ice: fix getting UDP tunnel entry
ice: Avoid crash from unnecessary IDA free
ice: Fix failure to re-add LAN/RDMA Tx queues
ASoC: wm8960: Fix clock configuration on slave mode
dma-debug: fix sg checks in debug_dma_map_sg()
netfilter: nf_tables: skip netdev events generated on netns removal
netfilter: xt_IDLETIMER: fix panic that occurs when timer_type has garbage value
KVM: arm64: Release mmap_lock when using VM_SHARED with MTE
KVM: arm64: Fix host stage-2 PGD refcount
ASoC: cs4341: Add SPI device ID table
ASoC: pcm179x: Add missing entries SPI to device ID table
ASoC: fsl_xcvr: Fix channel swap issue with ARC
ASoC: pcm512x: Mend accesses to the I2S_1 and I2S_2 registers
powerpc/bpf: Emit stf barrier instruction sequences for BPF_NOSPEC
powerpc/security: Add a helper to query stf_barrier type
powerpc/bpf: Validate branch ranges
powerpc/lib: Add helper to check if offset is within conditional branch range
NFSD: Keep existing listeners on portlist error
xtensa: xtfpga: Try software restart before simulating CPU reset
xtensa: xtfpga: use CONFIG_USE_OF instead of CONFIG_OF
drm/amdgpu: init iommu after amdkfd device init
drm/amdgpu/display: fix dependencies for DRM_AMD_DC_SI
r8152: avoid to resubmit rx immediately
xen/x86: prevent PVH type from getting clobbered
block: decode QUEUE_FLAG_HCTX_ACTIVE in debugfs output
ARM: dts: at91: sama5d2_som1_ek: disable ISC node by default
arm: dts: vexpress-v2p-ca9: Fix the SMB unit-address
sh: pgtable-3level: fix cast to pointer from integer of different size
parisc: math-emu: Fix fall-through warnings
block/mq-deadline: Move dd_queued() to fix defined but not used warning

Tags:

CVE References

2021-42327

Timo Aaltonen (tjaalton) on 2021-11-08

Changed in linux-oem-5.14 (Ubuntu):
status:	New → Confirmed
tags:	added: kernel-stable-tracking-bug

Timo Aaltonen (tjaalton) on 2021-11-10

Changed in linux-oem-5.14 (Ubuntu):
status:	Confirmed → Invalid
Changed in linux-oem-5.14 (Ubuntu Focal):
status:	New → Fix Committed

Timo Aaltonen (tjaalton) on 2021-11-25

tags:

added: verification-done-focal

Revision history for this message

Launchpad Janitor (janitor) wrote on 2021-11-29:

Download full text (21.0 KiB)

This bug was fixed in the package linux-oem-5.14 - 5.14.0-1008.8

---------------
linux-oem-5.14 (5.14.0-1008.8) focal; urgency=medium

* focal/linux-oem-5.14: 5.14.0-1008.8 -proposed tracker (LP: #1949844)

  * Packaging resync (LP: #1786013)
    - [Packaging] update update.conf
    - debian/dkms-versions -- update from kernel-versions (main/2021.11.08)

  * Let NVMe with HMB use native power control again (LP: #1950042)
    - nvme-pci: use attribute group for cmb sysfs
    - nvme-pci: cmb sysfs: one file, one value
    - nvme-pci: disable hmb on idle suspend
    - nvme: allow user toggling hmb usage

  * Add s0i3 RTC wake up for AMD systems (LP: #1950013)
    - platform/x86: amd-pmc: Export Idlemask values based on the APU
    - platform/x86: amd-pmc: adjust arguments for `amd_pmc_send_cmd`
    - platform/x86: amd-pmc: Add special handling for timer based S0i3 wakeup

* require CAP_NET_ADMIN to attach N_HCI ldisc (LP: #1949516)
- Bluetooth: hci_ldisc: require CAP_NET_ADMIN to attach N_HCI ldisc

  * AMD ACP 6.x DMIC Supports (LP: #1949245)
    - ASoC: amd: add Yellow Carp ACP6x IP register header
    - ASoC: amd: add Yellow Carp ACP PCI driver
    - ASoC: amd: add acp6x init/de-init functions
    - ASoC: amd: add platform devices for acp6x pdm driver and dmic driver
    - ASoC: amd: add acp6x pdm platform driver
    - ASoC: amd: add acp6x irq handler
    - ASoC: amd: add acp6x pdm driver dma ops
    - ASoC: amd: add acp6x pci driver pm ops
    - ASoC: amd: add acp6x pdm driver pm ops
    - ASoC: amd: enable Yellow carp acp6x drivers build
    - ASoC: amd: create platform device for acp6x machine driver
    - ASoC: amd: add YC machine driver using dmic
    - ASoC: amd: enable Yellow Carp platform machine driver build
    - [Config] Enable AMD ACP 6 DMIC Support

  * Focal update: v5.14.17 upstream stable release (LP: #1950165)
    - scsi: core: Put LLD module refcnt after SCSI device is released
    - sfc: Fix reading non-legacy supported link modes
    - vrf: Revert "Reset skb conntrack connection..."
    - media: firewire: firedtv-avc: fix a buffer overflow in avc_ca_pmt()
    - Revert "xhci: Set HCD flag to defer primary roothub registration"
    - Revert "usb: core: hcd: Add support for deferring roothub registration"
    - drm/amdkfd: fix boot failure when iommu is disabled in Picasso.
    - drm/i915: Remove memory frequency calculation
    - Revert "soc: imx: gpcv2: move reset assert after requesting domain power up"
    - ARM: 9120/1: Revert "amba: make use of -1 IRQs warn"
    - Revert "wcn36xx: Disable bmps when encryption is disabled"
    - drm/amdgpu: revert "Add autodump debugfs node for gpu reset v8"
    - drm/amd/display: Revert "Directly retrain link from debugfs"
    - Revert "drm/i915/gt: Propagate change in error status to children on unhold"
    - ALSA: usb-audio: Add Schiit Hel device to mixer map quirk table
    - ALSA: usb-audio: Add Audient iD14 to mixer map quirk table
    - Linux 5.14.17

This bug was fixed in the package linux-oem-5.14 - 5.14.0-1008.8

---------------
linux-oem-5.14 (5.14.0-1008.8) focal; urgency=medium

* focal/linux-oem-5.14: 5.14.0-1008.8 -proposed tracker (LP: #1949844)

* Packaging resync (LP: #1786013)
    - [Packaging] update update.conf
    - debian/dkms-versions -- update from kernel-versions (main/2021.11.08)

* require CAP_NET_ADMIN to attach N_HCI ldisc (LP: #1949516)
    - Bluetooth: hci_ldisc: require CAP_NET_ADMIN to attach N_HCI ldisc

* Focal update: v5.14.16 upstream stable release (LP: #1950164)
    - ARM: 9132/1: Fix __get_user_check failure with ARM KASAN images
    - ARM: 9133/1: mm: proc-macros: ensure *_tlb_fns are 4B aligned
    - ARM: 9134/1: remove duplicate memcpy() definition
    - ARM: 9138/1: fix link warning with XIP + frame-pointer
    - ARM: 9139/1: kprobes: fix arch_init_kprobes() prototype
    - ARM: 9141/1: only warn about XIP address when not compile testing
    - ARM: 9148/1: handle CONFIG_CPU_ENDIAN_BE32 in arch/arm/kernel/head.S
    - usbnet: sanity check for maxpacket
    - usbnet: fix error return code in usbnet_probe()
    - Revert "pinctrl: bcm: ns: support updated DT binding as syscon subnode"
    - pinctrl: amd: disable and mask interrupts on probe
    - ata: sata_mv: Fix the error handling of mv_chip_id()
    - tipc: fix size validations for the MSG_CRYPTO type
    - nfc: port100: fix using -ERRNO as command type mask
    - Revert "net: mdiobus: Fix memory leak in __mdiobus_register"
    - net/tls: Fix flipped sign in tls_err_abort() calls
    - mmc: vub300: fix control-message timeouts
    - mmc: cqhci: clear HALT state after CQE enable
    - mmc: mediatek: Move cqhci init behind ungate clock
    - mmc: tmio: reenable card irqs after the reset callback
    - mmc: dw_mmc: exynos: fix the finding clock sample value
    - mmc: sdhci: Map more voltage level to SDHCI_POWER_330
    - mmc: sdhci-pci: Read card detect from ACPI for Intel Merrifield
    - mmc: sdhci-esdhc-imx: clear the buffer_read_ready to reset standard tuning
      circuit
    - block: Fix partition check for host-aware zoned block devices
    - ocfs2: fix race between searching chunks and release journal_head from
      buffer_head
    - nvme-tcp: fix H2CData PDU send accounting (again)
    - ftrace/nds32: Update the proto for ftrace_trace_function to match
      ftrace_stub
    - cfg80211: scan: fix RCU in cfg80211_add_nontrans_list()
    - cfg80211: fix management registrations locking
    - net: lan78xx: fix division by zero in send path
    - drm/amd/display: Require immediate flip support for DCN3.1 planes
    - mm: hwpoison: remove the unnecessary THP check
    - mm: filemap: check if THP has hwpoisoned subpage for PMD page fault
    - mm, thp: bail out early in collapse_file for writeback page
    - mm: khugepaged: skip huge page collapse for special files
    - arm64: dts: imx8mm-kontron: Fix polarity of reg_rst_eth2
    - arm64: dts: imx8mm-kontron: Fix CAN SPI clock frequency
    - arm64: dts: imx8mm-kontron: Fix connection type for VSC8531 RGMII PHY
    - arm64: dts: imx8mm-kontron: Set lower limit of VDD_SNVS to 800 mV
    - arm64: dts: imx8mm-kontron: Make sure SOC and DRAM supply voltages are
      correct
    - mac80211: mesh: fix HE operation element length check
    - drm/ttm: fix memleak in ttm_transfered_destroy
    - drm/i915: Convert unconditional clflush to drm_clflush_virt_range()
    - drm/i915: Catch yet another unconditioal clflush
    - drm/i915/dp: Skip the HW readout of DPCD on disabled encoders
    - drm/amdgpu: fix out of bounds write
    - drm/amdgpu: support B0&B1 external revision id for yellow carp
    - drm/amd/display: Limit display scaling to up to true 4k for DCN 3.1
    - drm/amd/display: Fix prefetch bandwidth calculation for DCN3.1
    - drm/amd/display: increase Z9 latency to workaround underflow in Z9
    - drm/amd/display: Increase watermark latencies for DCN3.1
    - drm/amd/display: Moved dccg init to after bios golden init
    - drm/amd/display: Fallback to clocks which meet requested voltage on DCN31
    - drm/amd/display: Fix deadlock when falling back to v2 from v3
    - Revert "watchdog: iTCO_wdt: Account for rebooting on second timeout"
    - cgroup: Fix memory leak caused by missing cgroup_bpf_offline
    - riscv, bpf: Fix potential NULL dereference
    - tcp_bpf: Fix one concurrency problem in the tcp_bpf_send_verdict function
    - bpf: Fix potential race in tail call compatibility check
    - bpf: Fix error usage of map_fd and fdget() in generic_map_update_batch()
    - IB/qib: Protect from buffer overflow in struct qib_user_sdma_pkt fields
    - IB/hfi1: Fix abba locking issue with sc_disable()
    - nvmet-tcp: fix data digest pointer calculation
    - nvme-tcp: fix data digest pointer calculation
    - nvme-tcp: fix possible req->offset corruption
    - octeontx2-af: Display all enabled PF VF rsrc_alloc entries.
    - octeontx2-af: Fix possible null pointer dereference.
    - ice: Respond to a NETDEV_UNREGISTER event for LAG
    - RDMA/mlx5: Set user priority for DCT
    - ice: check whether PTP is initialized in ice_ptp_release()
    - arm64: dts: allwinner: h5: NanoPI Neo 2: Fix ethernet node
    - reset: brcmstb-rescal: fix incorrect polarity of status bit
    - regmap: Fix possible double-free in regcache_rbtree_exit()
    - net: batman-adv: fix error handling
    - net-sysfs: initialize uid and gid before calling net_ns_get_ownership
    - cfg80211: correct bridge/4addr mode check
    - net: Prevent infinite while loop in skb_tx_hash()
    - RDMA/mlx5: Initialize the ODP xarray when creating an ODP MR
    - RDMA/sa_query: Use strscpy_pad instead of memcpy to copy a string
    - gpio: xgs-iproc: fix parsing of ngpios property
    - nios2: Make NIOS2_DTB_SOURCE_BOOL depend on !COMPILE_TEST
    - mlxsw: pci: Recycle received packet upon allocation failure
    - net: ethernet: microchip: lan743x: Fix driver crash when lan743x_pm_resume
      fails
    - net: ethernet: microchip: lan743x: Fix dma allocation failure by using
      dma_set_mask_and_coherent
    - net: nxp: lpc_eth.c: avoid hang when bringing interface down
    - net: hns3: fix pause config problem after autoneg disabled
    - net: hns3: fix data endian problem of some functions of debugfs
    - net: ethernet: microchip: lan743x: Fix skb allocation failure
    - net/tls: Fix flipped sign in async_wait.err assignment
    - phy: phy_ethtool_ksettings_get: Lock the phy for consistency
    - phy: phy_ethtool_ksettings_set: Move after phy_start_aneg
    - phy: phy_start_aneg: Add an unlocked version
    - phy: phy_ethtool_ksettings_set: Lock the PHY while changing settings
    - RDMA/irdma: Process extended CQ entries correctly
    - RDMA/irdma: Set VLAN in UD work completion correctly
    - RDMA/irdma: Do not hold qos mutex twice on QP resume
    - sctp: use init_tag from inithdr for ABORT chunk
    - sctp: fix the processing for INIT chunk
    - sctp: fix the processing for INIT_ACK chunk
    - sctp: fix the processing for COOKIE_ECHO chunk
    - sctp: add vtag check in sctp_sf_violation
    - sctp: add vtag check in sctp_sf_do_8_5_1_E_sa
    - sctp: add vtag check in sctp_sf_ootb
    - bpf: Use kvmalloc for map values in syscall
    - watchdog: sbsa: only use 32-bit accessors
    - bpf: Move BPF_MAP_TYPE for INODE_STORAGE and TASK_STORAGE outside of
      CONFIG_NET
    - net: hns3: add more string spaces for dumping packets number of queue info
      in debugfs
    - net: hns3: expand buffer len for some debugfs command
    - virtio-ring: fix DMA metadata flags
    - octeontx2-af: Check whether ipolicers exists
    - KVM: s390: clear kicked_mask before sleeping again
    - KVM: s390: preserve deliverable_mask in __airqs_kick_single_vcpu
    - scsi: ufs: ufs-exynos: Correct timeout value setting registers
    - perf script: Fix PERF_SAMPLE_WEIGHT_STRUCT support
    - scsi: ibmvfc: Fix up duplicate response detection
    - riscv: fix misalgned trap vector base address
    - riscv: Do not re-populate shadow memory with kasan_populate_early_shadow
    - riscv: Fix asan-stack clang build
    - perf script: Check session->header.env.arch before using it
    - KVM: x86/xen: Fix kvm_xen_has_interrupt() sleeping in kvm_vcpu_block()
    - KVM: x86: switch pvclock_gtod_sync_lock to a raw spinlock
    - KVM: SEV-ES: fix another issue with string I/O VMGEXITs
    - KVM: x86: Take srcu lock in post_kvm_run_save()
    - Linux 5.14.16

* Focal update: v5.14.16 upstream stable release (LP: #1950164) //
    CVE-2021-42327 was fixed by:
    - drm/amdgpu: Fix even more out of bound writes from debugfs

* Focal update: v5.14.15 upstream stable release (LP: #1950160)
    - block/mq-deadline: Move dd_queued() to fix defined but not used warning
    - parisc: math-emu: Fix fall-through warnings
    - sh: pgtable-3level: fix cast to pointer from integer of different size
    - arm: dts: vexpress-v2p-ca9: Fix the SMB unit-address
    - ARM: dts: at91: sama5d2_som1_ek: disable ISC node by default
    - block: decode QUEUE_FLAG_HCTX_ACTIVE in debugfs output
    - xen/x86: prevent PVH type from getting clobbered
    - r8152: avoid to resubmit rx immediately
    - drm/amdgpu/display: fix dependencies for DRM_AMD_DC_SI
    - drm/amdgpu: init iommu after amdkfd device init
    - xtensa: xtfpga: use CONFIG_USE_OF instead of CONFIG_OF
    - xtensa: xtfpga: Try software restart before simulating CPU reset
    - NFSD: Keep existing listeners on portlist error
    - powerpc/lib: Add helper to check if offset is within conditional branch
      range
    - powerpc/bpf: Validate branch ranges
    - powerpc/security: Add a helper to query stf_barrier type
    - powerpc/bpf: Emit stf barrier instruction sequences for BPF_NOSPEC
    - ASoC: pcm512x: Mend accesses to the I2S_1 and I2S_2 registers
    - ASoC: fsl_xcvr: Fix channel swap issue with ARC
    - ASoC: pcm179x: Add missing entries SPI to device ID table
    - ASoC: cs4341: Add SPI device ID table
    - KVM: arm64: Fix host stage-2 PGD refcount
    - KVM: arm64: Release mmap_lock when using VM_SHARED with MTE
    - netfilter: xt_IDLETIMER: fix panic that occurs when timer_type has garbage
      value
    - netfilter: nf_tables: skip netdev events generated on netns removal
    - dma-debug: fix sg checks in debug_dma_map_sg()
    - ASoC: wm8960: Fix clock configuration on slave mode
    - ice: Fix failure to re-add LAN/RDMA Tx queues
    - ice: Avoid crash from unnecessary IDA free
    - ice: fix getting UDP tunnel entry
    - ice: Print the api_patch as part of the fw.mgmt.api
    - netfilter: ip6t_rt: fix rt0_hdr parsing in rt_mt6
    - netfilter: ipvs: make global sysctl readonly in non-init netns
    - sctp: fix transport encap_port update in sctp_vtag_verify
    - lan78xx: select CRC32
    - tcp: md5: Fix overlap between vrf and non-vrf keys
    - ipv6: When forwarding count rx stats on the orig netdev
    - hamradio: baycom_epp: fix build for UML
    - net: dsa: lantiq_gswip: fix register definition
    - net/sched: act_ct: Fix byte count on fragmented packets
    - NIOS2: irqflags: rename a redefined register name
    - net: dsa: Fix an error handling path in 'dsa_switch_parse_ports_of()'
    - powerpc/smp: do not decrement idle task preempt count in CPU offline
    - net: hns3: Add configuration of TM QCN error event
    - net: hns3: reset DWRR of unused tc to zero
    - net: hns3: add limit ets dwrr bandwidth cannot be 0
    - net: hns3: schedule the polling again when allocation fails
    - net: hns3: fix vf reset workqueue cannot exit
    - net: hns3: disable sriov before unload hclge layer
    - net: stmmac: Fix E2E delay mechanism
    - ptp: Fix possible memory leak in ptp_clock_register()
    - igc: Update I226_K device ID
    - ice: Add missing E810 device ids
    - net/mlx5e: IPsec: Fix a misuse of the software parser's fields
    - net/mlx5e: IPsec: Fix work queue entry ethernet segment checksum flags
    - drm/panel: ilitek-ili9881c: Fix sync for Feixin K101-IM2BYL02 panel
    - drm/kmb: Work around for higher system clock
    - drm/kmb: Remove clearing DPHY regs
    - drm/kmb: Disable change of plane parameters
    - drm/kmb: Corrected typo in handle_lcd_irq
    - drm/kmb: Enable ADV bridge after modeset
    - net: enetc: fix ethtool counter name for PM0_TERR
    - net: enetc: make sure all traffic classes can send large frames
    - can: rcar_can: fix suspend/resume
    - can: peak_usb: pcan_usb_fd_decode_status(): fix back to ERROR_ACTIVE state
      notification
    - can: peak_pci: peak_pci_remove(): fix UAF
    - can: isotp: isotp_sendmsg(): fix return error on FC timeout on TX path
    - can: isotp: isotp_sendmsg(): add result check for wait_event_interruptible()
    - can: isotp: isotp_sendmsg(): fix TX buffer concurrent access in
      isotp_sendmsg()
    - can: j1939: j1939_tp_rxtimer(): fix errant alert in j1939_tp_rxtimer
    - can: j1939: j1939_netdev_start(): fix UAF for rx_kref of j1939_priv
    - can: j1939: j1939_xtp_rx_dat_one(): cancel session if receive TP.DT with
      error length
    - can: j1939: j1939_xtp_rx_rts_session_new(): abort TP less than 9 bytes
    - ceph: skip existing superblocks that are blocklisted or shut down when
      mounting
    - ceph: fix handling of "meta" errors
    - tracing: Have all levels of checks prevent recursion
    - ocfs2: fix data corruption after conversion from inline format
    - ocfs2: mount fails with buffer overflow in strlen
    - mm/userfaultfd: selftests: fix memory corruption with thp enabled
    - userfaultfd: fix a race between writeprotect and exit_mmap()
    - mm/mempolicy: do not allow illegal MPOL_F_NUMA_BALANCING | MPOL_LOCAL in
      mbind()
    - elfcore: correct reference to CONFIG_UML
    - vfs: check fd has read access in kernel_read_file_from_fd()
    - mm/secretmem: fix NULL page->mapping dereference in page_is_secretmem()
    - ALSA: usb-audio: Provide quirk for Sennheiser GSP670 Headset
    - ALSA: hda/realtek: Add quirk for Clevo PC50HS
    - ASoC: DAPM: Fix missing kctl change notifications
    - ASoC: nau8824: Fix headphone vs headset, button-press detection no longer
      working
    - blk-cgroup: blk_cgroup_bio_start() should use irq-safe operations on
      blkg->iostat_cpu
    - audit: fix possible null-pointer dereference in audit_filter_rules
    - net: dsa: mt7530: correct ds->num_ports
    - ucounts: Move get_ucounts from cred_alloc_blank to
      key_change_session_keyring
    - ucounts: Pair inc_rlimit_ucounts with dec_rlimit_ucoutns in commit_creds
    - ucounts: Proper error handling in set_cred_ucounts
    - ucounts: Fix signal ucount refcounting
    - KVM: PPC: Book3S HV: Fix stack handling in idle_kvm_start_guest()
    - KVM: PPC: Book3S HV: Make idle_kvm_start_guest() return 0 if it went to
      guest
    - powerpc/idle: Don't corrupt back chain when going idle
    - mm, slub: fix mismatch between reconstructed freelist depth and cnt
    - mm, slub: fix potential memoryleak in kmem_cache_open()
    - mm, slub: fix potential use-after-free in slab_debugfs_fops
    - mm, slub: fix incorrect memcg slab count for bulk free
    - KVM: nVMX: promptly process interrupts delivered while in guest mode
    - KVM: SEV: Flush cache on non-coherent systems before RECEIVE_UPDATE_DATA
    - KVM: SEV-ES: rename guest_ins_data to sev_pio_data
    - KVM: SEV-ES: clean up kvm_sev_es_ins/outs
    - KVM: SEV-ES: keep INS functions together
    - KVM: SEV-ES: fix length of string I/O
    - KVM: SEV-ES: go over the sev_pio_data buffer in multiple passes if needed
    - KVM: SEV-ES: reduce ghcb_sa_len to 32 bits
    - KVM: x86: leave vcpu->arch.pio.count alone in emulator_pio_in_out
    - KVM: x86: check for interrupts before deciding whether to exit the fast path
    - KVM: x86: split the two parts of emulator_pio_in
    - KVM: x86: remove unnecessary arguments from complete_emulator_pio_in
    - nfc: nci: fix the UAF of rf_conn_info object
    - isdn: cpai: check ctr->cnr to avoid array index out of bound
    - netfilter: Kconfig: use 'default y' instead of 'm' for bool config option
    - selftests: netfilter: remove stray bash debug line
    - net: bridge: mcast: use multicast_membership_interval for IGMPv3
    - KVM: SEV-ES: Set guest_state_protected after VMSA update
    - drm: mxsfb: Fix NULL pointer dereference crash on unload
    - net: hns3: fix the max tx size according to user manual
    - KVM: MMU: Reset mmu->pkru_mask to avoid stale data
    - kunit: fix reference count leak in kfree_at_end
    - drm/msm/a6xx: Serialize GMU communication
    - gcc-plugins/structleak: add makefile var for disabling structleak
    - iio/test-format: build kunit tests without structleak plugin
    - device property: build kunit tests without structleak plugin
    - thunderbolt: build kunit tests without structleak plugin
    - bitfield: build kunit tests without structleak plugin
    - objtool: Check for gelf_update_rel[a] failures
    - objtool: Update section header before relocations
    - btrfs: deal with errors when checking if a dir entry exists during log
      replay
    - net: stmmac: add support for dwmac 3.40a
    - ARM: dts: spear3xx: Fix gmac node
    - isdn: mISDN: Fix sleeping function called from invalid context
    - platform/x86: intel_scu_ipc: Increase virtual timeout to 10s
    - platform/x86: intel_scu_ipc: Update timeout value in comment
    - ALSA: hda: avoid write to STATESTS if controller is in reset
    - spi: Fix deadlock when adding SPI controllers on SPI buses
    - spi-mux: Fix false-positive lockdep splats
    - libperf test evsel: Fix build error on !x86 architectures
    - libperf tests: Fix test_stat_cpu
    - perf/x86/msr: Add Sapphire Rapids CPU support
    - Input: snvs_pwrkey - add clk handling
    - ASoC: codec: wcd938x: Add irq config support
    - scsi: iscsi: Fix set_param() handling
    - scsi: storvsc: Fix validation for unsolicited incoming packets
    - scsi: mpi3mr: Fix duplicate device entries when scanning through sysfs
    - scsi: qla2xxx: Fix a memory leak in an error path of qla2x00_process_els()
    - mm/thp: decrease nr_thps in file's mapping on THP split
    - sched/scs: Reset the shadow stack when idle_task_exit
    - net: hns3: fix for miscalculation of rx unused desc
    - net/mlx5: Lag, move lag destruction to a workqueue
    - net/mlx5: Lag, change multipath and bonding to be mutually exclusive
    - drm/kmb: Enable alpha blended second plane
    - drm/kmb: Limit supported mode to 1080p
    - autofs: fix wait name hash calculation in autofs_wait()
    - scsi: core: Fix shost->cmd_per_lun calculation in scsi_add_host_with_dma()
    - s390/pci: cleanup resources only if necessary
    - s390/pci: fix zpci_zdev_put() on reserve
    - bpf, test, cgroup: Use sk_{alloc,free} for test cases
    - net: mdiobus: Fix memory leak in __mdiobus_register
    - ARM: 9122/1: select HAVE_FUTEX_CMPXCHG
    - pinctrl: stm32: use valid pin identifier in stm32_pinctrl_resume()
    - Linux 5.14.15

-- Timo Aaltonen <timo.aaltonen@canonical.com>  Wed, 10 Nov 2021 12:01:10 +0200

Changed in linux-oem-5.14 (Ubuntu Focal):
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntulinux-oem-5.14 package