Ubuntu
linux package

Focal update: v5.4.168 upstream stable release

Bug #1957991 reported by Kamal Mostafa on 2022-01-14

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	linux (Ubuntu)	Invalid	Undecided	Unassigned
	Focal	Fix Released	Medium	Kamal Mostafa

Bug Description

SRU Justification

    Impact:
       The upstream process for stable tree updates is quite similar
       in scope to the Ubuntu SRU process, e.g., each patch has to
       demonstrably fix a bug, and each patch is vetted by upstream
       by originating either directly from a mainline/stable Linux tree or
       a minimally backported form of that patch. The following upstream
       stable patches should be included in the Ubuntu kernel:

v5.4.168 upstream stable release
from git://git.kernel.org/

KVM: selftests: Make sure kvm_create_max_vcpus test won't hit RLIMIT_NOFILE
mac80211: mark TX-during-stop for TX in in_reconfig
mac80211: send ADDBA requests using the tid/queue of the aggregation session
firmware: arm_scpi: Fix string overflow in SCPI genpd driver
virtio_ring: Fix querying of maximum DMA mapping size for virtio device
recordmcount.pl: look for jgnop instruction as well as bcrl on s390
dm btree remove: fix use after free in rebalance_children()
audit: improve robustness of the audit queue handling
iio: adc: stm32: fix a current leak by resetting pcsel before disabling vdda
nfsd: fix use-after-free due to delegation race
arm64: dts: rockchip: remove mmc-hs400-enhanced-strobe from rk3399-khadas-edge
arm64: dts: rockchip: fix rk3399-leez-p710 vcc3v3-lan supply
arm64: dts: rockchip: fix audio-supply for Rock Pi 4
mac80211: track only QoS data frames for admission control
ARM: socfpga: dts: fix qspi node compatible
clk: Don't parent clks until the parent is fully registered
selftests: net: Correct ping6 expected rc from 2 to 1
s390/kexec_file: fix error handling when applying relocations
sch_cake: do not call cake_destroy() from cake_init()
inet_diag: use jiffies_delta_to_msecs()
inet_diag: fix kernel-infoleak for UDP sockets
selftests: Fix raw socket bind tests with VRF
selftests: Fix IPv6 address bind tests
dmaengine: st_fdma: fix MODULE_ALIAS
selftest/net/forwarding: declare NETIFS p9 p10
mac80211: agg-tx: refactor sending addba
mac80211: agg-tx: don't schedule_and_wake_txq() under sta->lock
mac80211: accept aggregation sessions on 6 GHz
mac80211: fix lookup when adding AddBA extension element
net: sched: lock action when translating it to flow_action infra
flow_offload: return EOPNOTSUPP for the unsupported mpls action type
rds: memory leak in __rds_conn_create()
soc/tegra: fuse: Fix bitwise vs. logical OR warning
igb: Fix removal of unicast MAC filters of VFs
igbvf: fix double free in `igbvf_probe`
ixgbe: set X550 MDIO speed before talking to PHY
netdevsim: Zero-initialize memory for new map's value in function nsim_bpf_map_alloc
net/packet: rx_owner_map depends on pg_vec
net: Fix double 0x prefix print in SKB dump
net/smc: Prevent smc_release() from long blocking
net: systemport: Add global locking for descriptor lifecycle
sit: do not call ipip6_dev_free() from sit_init_net()
USB: gadget: bRequestType is a bitfield, not a enum
USB: NO_LPM quirk Lenovo USB-C to Ethernet Adapher(RTL8153-04)
PCI/MSI: Clear PCI_MSIX_FLAGS_MASKALL on error
PCI/MSI: Mask MSI-X vectors only on success
usb: xhci: Extend support for runtime power management for AMD's Yellow carp.
USB: serial: cp210x: fix CP2105 GPIO registration
USB: serial: option: add Telit FN990 compositions
timekeeping: Really make sure wall_to_monotonic isn't positive
libata: if T_LENGTH is zero, dma direction should be DMA_NONE
drm/amdgpu: correct register access for RLC_JUMP_TABLE_RESTORE
mac80211: validate extended element ID is present
mwifiex: Remove unnecessary braces from HostCmd_SET_SEQ_NO_BSS_INFO
Input: touchscreen - avoid bitwise vs logical OR warning
ARM: dts: imx6ull-pinfunc: Fix CSI_DATA07__ESAI_TX0 pad name
xsk: Do not sleep in poll() when need_wakeup set
media: mxl111sf: change mutex_init() location
fuse: annotate lock in fuse_reverse_inval_entry()
ovl: fix warning in ovl_create_real()
scsi: scsi_debug: Sanity check block descriptor length in resp_mode_select()
rcu: Mark accesses to rcu_state.n_force_qs
mac80211: fix regression in SSN handling of addba tx
net: sched: Fix suspicious RCU usage while accessing tcf_tunnel_info
Revert "xsk: Do not sleep in poll() when need_wakeup set"
xen/blkfront: harden blkfront against event channel storms
xen/netfront: harden netfront against event channel storms
xen/console: harden hvc_xen against event channel storms
xen/netback: fix rx queue stall detection
xen/netback: don't queue unlimited number of packages
Linux 5.4.168
UBUNTU: upstream stable to v5.4.168

See original description

Tags:

CVE References

Kamal Mostafa (kamalmostafa) on 2022-01-14

Changed in linux (Ubuntu):
status:	New → Confirmed
tags:	added: kernel-stable-tracking-bug

Kamal Mostafa (kamalmostafa) on 2022-01-14

Changed in linux (Ubuntu Focal):
status:	New → In Progress
importance:	Undecided → Medium
assignee:	nobody → Kamal Mostafa (kamalmostafa)
Changed in linux (Ubuntu):
status:	Confirmed → Invalid
description:	updated

Revision history for this message

Stefan Bader (smb) wrote on 2022-02-11:

Skipped (already applied):
- net/packet: rx_owner_map depends on pg_vec
- USB: gadget: bRequestType is a bitfield, not a enum

Changed in linux (Ubuntu Focal):
status:	In Progress → Fix Committed

Revision history for this message

Launchpad Janitor (janitor) wrote on 2022-03-21:

Download full text (37.4 KiB)

This bug was fixed in the package linux - 5.4.0-105.119

---------------
linux (5.4.0-105.119) focal; urgency=medium

* CVE-2022-0847
- lib/iov_iter: initialize "flags" in new pipe_buffer

  * Broken network on some AWS instances with focal/impish kernels
    (LP: #1961968)
    - SAUCE: Revert "PCI/MSI: Mask MSI-X vectors only on success"

  * [UBUNTU 20.04] kernel: Add support for CPU-MF counter second version 7
    (LP: #1960182)
    - s390/cpumf: Support for CPU Measurement Facility CSVN 7
    - s390/cpumf: Support for CPU Measurement Sampling Facility LS bit

  * Hipersocket page allocation failure on Ubuntu 20.04 based SSC environments
    (LP: #1959529)
    - s390/qeth: use memory reserves to back RX buffers

* CVE-2022-0516
- KVM: s390: Return error on SIDA memop on normal guest

* CVE-2022-0435
- tipc: improve size validations for received domain records

* CVE-2022-0492
- cgroup-v1: Require capabilities to set release_agent

  * Recalled NFSv4 files delegations overwhelm server (LP: #1957986)
    - NFSv4: Fix delegation handling in update_open_stateid()
    - NFSv4: nfs4_callback_getattr() should ignore revoked delegations
    - NFSv4: Delegation recalls should not find revoked delegations
    - NFSv4: fail nfs4_refresh_delegation_stateid() when the delegation was
      revoked
    - NFS: Rename nfs_inode_return_delegation_noreclaim()
    - NFSv4: Don't remove the delegation from the super_list more than once
    - NFSv4: Hold the delegation spinlock when updating the seqid
    - NFSv4: Clear the NFS_DELEGATION_REVOKED flag in
      nfs_update_inplace_delegation()
    - NFSv4: Update the stateid seqid in nfs_revoke_delegation()
    - NFSv4: Revoke the delegation on success in nfs4_delegreturn_done()
    - NFSv4: Ignore requests to return the delegation if it was revoked
    - NFSv4: Don't reclaim delegations that have been returned or revoked
    - NFSv4: nfs4_return_incompatible_delegation() should check delegation
      validity
    - NFSv4: Fix nfs4_inode_make_writeable()
    - NFS: nfs_inode_find_state_and_recover() fix stateid matching
    - NFSv4: Fix races between open and delegreturn
    - NFSv4: Handle NFS4ERR_OLD_STATEID in delegreturn
    - NFSv4: Don't retry the GETATTR on old stateid in nfs4_delegreturn_done()
    - NFSv4: nfs_inode_evict_delegation() should set NFS_DELEGATION_RETURNING
    - NFS: Clear NFS_DELEGATION_RETURN_IF_CLOSED when the delegation is returned
    - NFSv4: Try to return the delegation immediately when marked for return on
      close
    - NFSv4: Add accounting for the number of active delegations held
    - NFSv4: Limit the total number of cached delegations
    - NFSv4: Ensure the delegation is pinned in nfs_do_return_delegation()
    - NFSv4: Ensure the delegation cred is pinned when we call delegreturn

This bug was fixed in the package linux - 5.4.0-105.119

---------------
linux (5.4.0-105.119) focal; urgency=medium

* CVE-2022-0847
    - lib/iov_iter: initialize "flags" in new pipe_buffer

* Broken network on some AWS instances with focal/impish kernels
    (LP: #1961968)
    - SAUCE: Revert "PCI/MSI: Mask MSI-X vectors only on success"

* Hipersocket page allocation failure on Ubuntu 20.04 based SSC environments
    (LP: #1959529)
    - s390/qeth: use memory reserves to back RX buffers

* CVE-2022-0516
    - KVM: s390: Return error on SIDA memop on normal guest

* CVE-2022-0435
    - tipc: improve size validations for received domain records

* CVE-2022-0492
    - cgroup-v1: Require capabilities to set release_agent

* Focal update: v5.4.174 upstream stable release (LP: #1960566)
    - HID: uhid: Fix worker destroying device without any protection
    - HID: wacom: Reset expected and received contact counts at the same time
    - HID: wacom: Ignore the confidence flag when a touch is removed
    - HID: wacom: Avoid using stale array indicies to read contact count
    - f2fs: fix to do sanity check in is_alive()
    - nfc: llcp: fix NULL error pointer dereference on sendmsg() after failed
      bind()
    - mtd: rawnand: gpmi: Add ERR007117 protection for nfc_apply_timings
    - mtd: rawnand: gpmi: Remove explicit default gpmi clock setting for i.MX6
    - x86/gpu: Reserve stolen memory for first integrated Intel GPU
    - tools/nolibc: x86-64: Fix startup code bug
    - tools/nolibc: i386: fix initial stack alignment
    - tools/nolibc: fix incorrect truncation of exit code
    - rtc: cmos: take rtc_lock while reading from CMOS
    - media: v4l2-ioctl.c: readbuffers depends on V4L2_CAP_READWRITE
    - media: flexcop-usb: fix control-message timeouts
    - media: mceusb: fix control-message timeouts
    - media: em28xx: fix control-message timeouts
    - media: cpia2: fix control-message timeouts
    - media: s2255: fix control-message timeouts
    - media: dib0700: fix undefined behavior in tuner shutdown
    - media: redrat3: fix control-message timeouts
    - media: pvrusb2: fix control-message timeouts
    - media: stk1160: fix control-message timeouts
    - can: softing_cs: softingcs_probe(): fix memleak on registration failure
    - lkdtm: Fix content of section containing lkdtm_rodata_do_nothing()
    - iommu/io-pgtable-arm-v7s: Add error handle for page table allocation failure
    - dma_fence_array: Fix PENDING_ERROR leak in dma_fence_array_signaled()
    - PCI: Add function 1 DMA alias quirk for Marvell 88SE9125 SATA controller
    - mm_zone: add function to check if managed dma zone exists
    - mm/page_alloc.c: do not warn allocation failure on zone DMA if no managed
      pages
    - shmem: fix a race between shmem_unused_huge_shrink and shmem_evict_inode
    - drm/rockchip: dsi: Hold pm-runtime across bind/unbind
    - drm/rockchip: dsi: Reconfigure hardware on resume()
    - drm/panel: kingdisplay-kd097d04: Delete panel on attach() failure
    - drm/panel: innolux-p079zca: Delete panel on attach() failure
    - drm/rockchip: dsi: Fix unbalanced clock on probe error
    - Bluetooth: cmtp: fix possible panic when cmtp_init_sockets() fails
    - clk: bcm-2835: Pick the closest clock rate
    - clk: bcm-2835: Remove rounding up the dividers
    - wcn36xx: Indicate beacon not connection loss on MISSED_BEACON_IND
    - wcn36xx: Release DMA channel descriptor allocations
    - media: videobuf2: Fix the size printk format
    - media: aspeed: fix mode-detect always time out at 2nd run
    - media: em28xx: fix memory leak in em28xx_init_dev
    - media: aspeed: Update signal status immediately to ensure sane hw state
    - arm64: dts: meson-gxbb-wetek: fix HDMI in early boot
    - arm64: dts: meson-gxbb-wetek: fix missing GPIO binding
    - Bluetooth: stop proccessing malicious adv data
    - tee: fix put order in teedev_close_context()
    - media: dmxdev: fix UAF when dvb_register_device() fails
    - crypto: qce - fix uaf on qce_ahash_register_one
    - arm64: dts: ti: k3-j721e: correct cache-sets info
    - tty: serial: atmel: Check return code of dmaengine_submit()
    - tty: serial: atmel: Call dma_async_issue_pending()
    - media: rcar-csi2: Correct the selection of hsfreqrange
    - media: imx-pxp: Initialize the spinlock prior to using it
    - media: si470x-i2c: fix possible memory leak in si470x_i2c_probe()
    - media: mtk-vcodec: call v4l2_m2m_ctx_release first when file is released
    - media: venus: core: Fix a resource leak in the error handling path of
      'venus_probe()'
    - netfilter: bridge: add support for pppoe filtering
    - arm64: dts: qcom: msm8916: fix MMC controller aliases
    - ACPI: EC: Rework flushing of EC work while suspended to idle
    - drm/amdgpu: Fix a NULL pointer dereference in
      amdgpu_connector_lcd_native_mode()
    - drm/radeon/radeon_kms: Fix a NULL pointer dereference in
      radeon_driver_open_kms()
    - arm64: dts: ti: k3-j721e: Fix the L2 cache sets
    - tty: serial: uartlite: allow 64 bit address
    - serial: amba-pl011: do not request memory region twice
    - floppy: Fix hang in watchdog when disk is ejected
    - staging: rtl8192e: return error code from rtllib_softmac_init()
    - staging: rtl8192e: rtllib_module: fix error handle case in alloc_rtllib()
    - Bluetooth: btmtksdio: fix resume failure
    - media: dib8000: Fix a memleak in dib8000_init()
    - media: saa7146: mxb: Fix a NULL pointer dereference in mxb_attach()
    - media: si2157: Fix "warm" tuner state detection
    - sched/rt: Try to restart rt period timer when rt runtime exceeded
    - rcu/exp: Mark current CPU as exp-QS in IPI loop second pass
    - mwifiex: Fix possible ABBA deadlock
    - xfrm: fix a small bug in xfrm_sa_len()
    - crypto: stm32/cryp - fix xts and race condition in crypto_engine requests
    - crypto: stm32/cryp - fix double pm exit
    - crypto: stm32/cryp - fix lrw chaining mode
    - ARM: dts: gemini: NAS4220-B: fis-index-block with 128 KiB sectors
    - media: dw2102: Fix use after free
    - media: msi001: fix possible null-ptr-deref in msi001_probe()
    - media: coda/imx-vdoa: Handle dma_set_coherent_mask error codes
    - drm/msm/dpu: fix safe status debugfs file
    - drm/bridge: ti-sn65dsi86: Set max register for regmap
    - media: hantro: Fix probe func error path
    - xfrm: interface with if_id 0 should return error
    - xfrm: state and policy should fail if XFRMA_IF_ID 0
    - ARM: 9159/1: decompressor: Avoid UNPREDICTABLE NOP encoding
    - usb: ftdi-elan: fix memory leak on device disconnect
    - ARM: dts: armada-38x: Add generic compatible to UART nodes
    - mmc: meson-mx-sdio: add IRQ check
    - selinux: fix potential memleak in selinux_add_opt()
    - bpftool: Enable line buffering for stdout
    - x86/mce/inject: Avoid out-of-bounds write when setting flags
    - ACPI: scan: Create platform device for BCM4752 and LNV4752 ACPI nodes
    - pcmcia: rsrc_nonstatic: Fix a NULL pointer dereference in
      __nonstatic_find_io_region()
    - pcmcia: rsrc_nonstatic: Fix a NULL pointer dereference in
      nonstatic_find_mem_region()
    - netfilter: ipt_CLUSTERIP: fix refcount leak in clusterip_tg_check()
    - bpf: Fix SO_RCVBUF/SO_SNDBUF handling in _bpf_setsockopt().
    - ppp: ensure minimum packet size in ppp_write()
    - rocker: fix a sleeping in atomic bug
    - staging: greybus: audio: Check null pointer
    - fsl/fman: Check for null pointer after calling devm_ioremap
    - Bluetooth: hci_bcm: Check for error irq
    - HID: hid-uclogic-params: Invalid parameter check in uclogic_params_init
    - HID: hid-uclogic-params: Invalid parameter check in
      uclogic_params_get_str_desc
    - HID: hid-uclogic-params: Invalid parameter check in
      uclogic_params_huion_init
    - HID: hid-uclogic-params: Invalid parameter check in
      uclogic_params_frame_init_v1_buttonpad
    - debugfs: lockdown: Allow reading debugfs files that are not world readable
    - net/mlx5e: Don't block routes with nexthop objects in SW
    - Revert "net/mlx5e: Block offload of outer header csum for UDP tunnels"
    - net/mlx5: Set command entry semaphore up once got index free
    - spi: spi-meson-spifc: Add missing pm_runtime_disable() in meson_spifc_probe
    - tpm: add request_locality before write TPM_INT_ENABLE
    - can: softing: softing_startstop(): fix set but not used variable warning
    - can: xilinx_can: xcan_probe(): check for error irq
    - pcmcia: fix setting of kthread task states
    - net: mcs7830: handle usb read errors properly
    - ext4: avoid trim error on fs with small groups
    - ALSA: jack: Add missing rwsem around snd_ctl_remove() calls
    - ALSA: PCM: Add missing rwsem around snd_ctl_remove() calls
    - ALSA: hda: Add missing rwsem around snd_ctl_remove() calls
    - RDMA/hns: Validate the pkey index
    - clk: imx8mn: Fix imx8mn_clko1_sels
    - powerpc/prom_init: Fix improper check of prom_getprop()
    - ASoC: uniphier: drop selecting non-existing SND_SOC_UNIPHIER_AIO_DMA
    - ALSA: oss: fix compile error when OSS_DEBUG is enabled
    - char/mwave: Adjust io port register size
    - binder: fix handling of error during copy
    - iommu/io-pgtable-arm: Fix table descriptor paddr formatting
    - scsi: ufs: Fix race conditions related to driver data
    - PCI/MSI: Fix pci_irq_vector()/pci_irq_get_affinity()
    - powerpc/powermac: Add additional missing lockdep_register_key()
    - RDMA/core: Let ib_find_gid() continue search even after empty entry
    - RDMA/cma: Let cma_resolve_ib_dev() continue search even after empty entry
    - ASoC: rt5663: Handle device_property_read_u32_array error codes
    - clk: stm32: Fix ltdc's clock turn off by clk_disable_unused() after system
      enter shell
    - dmaengine: pxa/mmp: stop referencing config->slave_id
    - iommu/iova: Fix race between FQ timeout and teardown
    - phy: uniphier-usb3ss: fix unintended writing zeros to PHY register
    - ASoC: samsung: idma: Check of ioremap return value
    - misc: lattice-ecp3-config: Fix task hung when firmware load failed
    - mips: lantiq: add support for clk_set_parent()
    - mips: bcm63xx: add support for clk_set_parent()
    - RDMA/cxgb4: Set queue pair state when being queried
    - of: base: Fix phandle argument length mismatch error message
    - Bluetooth: Fix debugfs entry leak in hci_register_dev()
    - fs: dlm: filter user dlm messages for kernel locks
    - drm/lima: fix warning when CONFIG_DEBUG_SG=y & CONFIG_DMA_API_DEBUG=y
    - ar5523: Fix null-ptr-deref with unexpected WDCMSG_TARGET_START reply
    - drm/nouveau/pmu/gm200-: avoid touching PMU outside of DEVINIT/PREOS/ACR
    - ARM: shmobile: rcar-gen2: Add missing of_node_put()
    - batman-adv: allow netlink usage in unprivileged containers
    - usb: gadget: f_fs: Use stream_open() for endpoint files
    - drm: panel-orientation-quirks: Add quirk for the Lenovo Yoga Book X91F/L
    - HID: apple: Do not reset quirks when the Fn key is not found
    - media: b2c2: Add missing check in flexcop_pci_isr:
    - EDAC/synopsys: Use the quirk for version instead of ddr version
    - mlxsw: pci: Add shutdown method in PCI driver
    - drm/bridge: megachips: Ensure both bridges are probed before registration
    - gpiolib: acpi: Do not set the IRQ type if the IRQ is already in use
    - HSI: core: Fix return freed object in hsi_new_client
    - mwifiex: Fix skb_over_panic in mwifiex_usb_recv()
    - rsi: Fix use-after-free in rsi_rx_done_handler()
    - rsi: Fix out-of-bounds read in rsi_read_pkt()
    - usb: uhci: add aspeed ast2600 uhci support
    - floppy: Add max size check for user space request
    - x86/mm: Flush global TLB when switching to trampoline page-table
    - media: uvcvideo: Increase UVC_CTRL_CONTROL_TIMEOUT to 5 seconds.
    - media: saa7146: hexium_orion: Fix a NULL pointer dereference in
      hexium_attach()
    - media: m920x: don't use stack on USB reads
    - iwlwifi: mvm: synchronize with FW after multicast commands
    - ath10k: Fix tx hanging
    - net-sysfs: update the queue counts in the unregistration path
    - net: phy: prefer 1000baseT over 1000baseKX
    - gpio: aspeed: Convert aspeed_gpio.lock to raw_spinlock
    - x86/mce: Mark mce_panic() noinstr
    - x86/mce: Mark mce_end() noinstr
    - x86/mce: Mark mce_read_aux() noinstr
    - net: bonding: debug: avoid printing debug logs when bond is not notifying
      peers
    - bpf: Do not WARN in bpf_warn_invalid_xdp_action()
    - HID: quirks: Allow inverting the absolute X/Y values
    - media: igorplugusb: receiver overflow should be reported
    - media: saa7146: hexium_gemini: Fix a NULL pointer dereference in
      hexium_attach()
    - mmc: core: Fixup storing of OCR for MMC_QUIRK_NONSTD_SDIO
    - audit: ensure userspace is penalized the same as the kernel when under
      pressure
    - arm64: dts: ls1028a-qds: move rtc node to the correct i2c bus
    - arm64: tegra: Adjust length of CCPLEX cluster MMIO region
    - cpufreq: Fix initialization of min and max frequency QoS requests
    - usb: hub: Add delay for SuperSpeed hub resume to let links transit to U0
    - ath9k: Fix out-of-bound memcpy in ath9k_hif_usb_rx_stream
    - iwlwifi: fix leaks/bad data after failed firmware load
    - iwlwifi: remove module loading failure message
    - iwlwifi: mvm: Fix calculation of frame length
    - um: registers: Rename function names to avoid conflicts and build problems
    - jffs2: GC deadlock reading a page that is used in jffs2_write_begin()
    - ACPICA: actypes.h: Expand the ACPI_ACCESS_ definitions
    - ACPICA: Utilities: Avoid deleting the same object twice in a row
    - ACPICA: Executer: Fix the REFCLASS_REFOF case in acpi_ex_opcode_1A_0T_1R()
    - ACPICA: Fix wrong interpretation of PCC address
    - ACPICA: Hardware: Do not flush CPU cache when entering S4 and S5
    - drm/amdgpu: fixup bad vram size on gmc v8
    - ACPI: battery: Add the ThinkPad "Not Charging" quirk
    - btrfs: remove BUG_ON() in find_parent_nodes()
    - btrfs: remove BUG_ON(!eie) in find_parent_nodes
    - net: mdio: Demote probed message to debug print
    - mac80211: allow non-standard VHT MCS-10/11
    - dm btree: add a defensive bounds check to insert_at()
    - dm space map common: add bounds check to sm_ll_lookup_bitmap()
    - net: phy: marvell: configure RGMII delays for 88E1118
    - net: gemini: allow any RGMII interface mode
    - regulator: qcom_smd: Align probe function with rpmh-regulator
    - serial: pl010: Drop CR register reset on set_termios
    - serial: core: Keep mctrl register state and cached copy in sync
    - random: do not throw away excess input to crng_fast_load
    - parisc: Avoid calling faulthandler_disabled() twice
    - powerpc/6xx: add missing of_node_put
    - powerpc/powernv: add missing of_node_put
    - powerpc/cell: add missing of_node_put
    - powerpc/btext: add missing of_node_put
    - powerpc/watchdog: Fix missed watchdog reset due to memory ordering race
    - i2c: i801: Don't silently correct invalid transfer size
    - powerpc/smp: Move setup_profiling_timer() under CONFIG_PROFILING
    - i2c: mpc: Correct I2C reset procedure
    - clk: meson: gxbb: Fix the SDM_EN bit for MPLL0 on GXBB
    - powerpc/powermac: Add missing lockdep_register_key()
    - KVM: PPC: Book3S: Suppress failed alloc warning in H_COPY_TOFROM_GUEST
    - w1: Misuse of get_user()/put_user() reported by sparse
    - scsi: lpfc: Trigger SLI4 firmware dump before doing driver cleanup
    - ALSA: seq: Set upper limit of processed events
    - powerpc: handle kdump appropriately with crash_kexec_post_notifiers option
    - MIPS: OCTEON: add put_device() after of_find_device_by_node()
    - i2c: designware-pci: Fix to change data types of hcnt and lcnt parameters
    - MIPS: Octeon: Fix build errors using clang
    - scsi: sr: Don't use GFP_DMA
    - ASoC: mediatek: mt8173: fix device_node leak
    - power: bq25890: Enable continuous conversion for ADC at charging
    - rpmsg: core: Clean up resources on announce_create failure.
    - crypto: omap-aes - Fix broken pm_runtime_and_get() usage
    - crypto: stm32/crc32 - Fix kernel BUG triggered in probe()
    - crypto: caam - replace this_cpu_ptr with raw_cpu_ptr
    - ubifs: Error path in ubifs_remount_rw() seems to wrongly free write buffers
    - fuse: Pass correct lend value to filemap_write_and_wait_range()
    - serial: Fix incorrect rs485 polarity on uart open
    - cputime, cpuacct: Include guest time in user time in cpuacct.stat
    - tracing/kprobes: 'nmissed' not showed correctly for kretprobe
    - iwlwifi: mvm: Increase the scan timeout guard to 30 seconds
    - s390/mm: fix 2KB pgtable release race
    - drm/etnaviv: limit submit sizes
    - drm/nouveau/kms/nv04: use vzalloc for nv04_display
    - drm/bridge: analogix_dp: Make PSR-exit block less
    - PCI: pci-bridge-emul: Properly mark reserved PCIe bits in PCI config space
    - PCI: pci-bridge-emul: Correctly set PCIe capabilities
    - PCI: pci-bridge-emul: Set PCI_STATUS_CAP_LIST for PCIe device
    - xfrm: fix policy lookup for ipv6 gre packets
    - btrfs: fix deadlock between quota enable and other quota operations
    - btrfs: check the root node for uptodate before returning it
    - btrfs: respect the max size in the header when activating swap file
    - ext4: make sure to reset inode lockdep class when quota enabling fails
    - ext4: make sure quota gets properly shutdown on error
    - ext4: set csum seed in tmp inode while migrating to extents
    - ext4: Fix BUG_ON in ext4_bread when write quota data
    - ext4: don't use the orphan list when migrating an inode
    - drm/radeon: fix error handling in radeon_driver_open_kms
    - of: base: Improve argument length mismatch error
    - firmware: Update Kconfig help text for Google firmware
    - media: rcar-csi2: Optimize the selection PHTW register
    - Documentation: dmaengine: Correctly describe dmatest with channel unset
    - Documentation: ACPI: Fix data node reference documentation
    - Documentation: refer to config RANDOMIZE_BASE for kernel address-space
      randomization
    - Documentation: fix firewire.rst ABI file path error
    - scsi: core: Show SCMD_LAST in text form
    - RDMA/hns: Modify the mapping attribute of doorbell to device
    - RDMA/rxe: Fix a typo in opcode name
    - dmaengine: stm32-mdma: fix STM32_MDMA_CTBR_TSEL_MASK
    - Revert "net/mlx5: Add retry mechanism to the command entry index allocation"
    - powerpc/cell: Fix clang -Wimplicit-fallthrough warning
    - powerpc/fsl/dts: Enable WA for erratum A-009885 on fman3l MDIO buses
    - bpftool: Remove inclusion of utilities.mak from Makefiles
    - ipv4: avoid quadratic behavior in netns dismantle
    - net/fsl: xgmac_mdio: Fix incorrect iounmap when removing module
    - parisc: pdc_stable: Fix memory leak in pdcs_register_pathentries
    - f2fs: fix to reserve space for IO align feature
    - af_unix: annote lockless accesses to unix_tot_inflight & gc_in_progress
    - clk: si5341: Fix clock HW provider cleanup
    - net: axienet: limit minimum TX ring size
    - net: axienet: fix number of TX ring slots for available check
    - net: axienet: increase default TX ring size to 128
    - rtc: pxa: fix null pointer dereference
    - inet: frags: annotate races around fqdir->dead and fqdir->high_thresh
    - netns: add schedule point in ops_exit_list()
    - xfrm: Don't accidentally set RTO_ONLINK in decode_session4()
    - gre: Don't accidentally set RTO_ONLINK in gre_fill_metadata_dst()
    - libcxgb: Don't accidentally set RTO_ONLINK in cxgb_find_route()
    - perf script: Fix hex dump character output
    - dmaengine: at_xdmac: Don't start transactions at tx_submit level
    - dmaengine: at_xdmac: Print debug message after realeasing the lock
    - dmaengine: at_xdmac: Fix concurrency over xfers_list
    - dmaengine: at_xdmac: Fix lld view setting
    - dmaengine: at_xdmac: Fix at_xdmac_lld struct definition
    - arm64: dts: qcom: msm8996: drop not documented adreno properties
    - net_sched: restore "mpu xxx" handling
    - bcmgenet: add WOL IRQ check
    - net: ethernet: mtk_eth_soc: fix error checking in mtk_mac_config()
    - dt-bindings: display: meson-dw-hdmi: add missing sound-name-prefix property
    - dt-bindings: display: meson-vpu: Add missing amlogic,canvas property
    - scripts/dtc: dtx_diff: remove broken example from help text
    - lib82596: Fix IRQ check in sni_82596_probe
    - lib/test_meminit: destroy cache in kmem_cache_alloc_bulk() test
    - mtd: nand: bbt: Fix corner case in bad block table handling
    - Revert "ia64: kprobes: Use generic kretprobe trampoline handler"
    - Linux 5.4.174

* Focal update: v5.4.173 upstream stable release (LP: #1959701)
    - kbuild: Add $(KBUILD_HOSTLDFLAGS) to 'has_libelf' test
    - devtmpfs regression fix: reconfigure on each mount
    - orangefs: Fix the size of a memory allocation in orangefs_bufmap_alloc()
    - perf: Protect perf_guest_cbs with RCU
    - KVM: s390: Clarify SIGP orders versus STOP/RESTART
    - media: uvcvideo: fix division by zero at stream start
    - rtlwifi: rtl8192cu: Fix WARNING when calling local_irq_restore() with
      interrupts enabled
    - firmware: qemu_fw_cfg: fix sysfs information leak
    - firmware: qemu_fw_cfg: fix NULL-pointer deref on duplicate entries
    - firmware: qemu_fw_cfg: fix kobject leak in probe error path
    - KVM: x86: remove PMU FIXED_CTR3 from msrs_to_save_all
    - ALSA: hda/realtek - Fix silent output on Gigabyte X570 Aorus Master after
      reboot from Windows
    - mtd: fixup CFI on ixp4xx
    - ARM: 9025/1: Kconfig: CPU_BIG_ENDIAN depends on !LD_IS_LLD
    - Linux 5.4.173

* Focal update: v5.4.172 upstream stable release (LP: #1959698)
    - workqueue: Fix unbind_workers() VS wq_worker_running() race
    - Bluetooth: btusb: fix memory leak in btusb_mtk_submit_wmt_recv_urb()
    - Bluetooth: bfusb: fix division by zero in send path
    - USB: core: Fix bug in resuming hub's handling of wakeup requests
    - USB: Fix "slab-out-of-bounds Write" bug in usb_hcd_poll_rh_status
    - mmc: sdhci-pci: Add PCI ID for Intel ADL
    - veth: Do not record rx queue hint in veth_xmit
    - mfd: intel-lpss: Fix too early PM enablement in the ACPI ->probe()
    - drivers core: Use sysfs_emit and sysfs_emit_at for show(device *...)
      functions
    - can: gs_usb: fix use of uninitialized variable, detach device on reception
      of invalid USB data
    - can: gs_usb: gs_can_start_xmit(): zero-initialize hf->{flags,reserved}
    - random: fix data race on crng_node_pool
    - random: fix data race on crng init time
    - random: fix crash on multiple early calls to add_bootloader_randomness()
    - media: Revert "media: uvcvideo: Set unique vdev name based in type"
    - staging: wlan-ng: Avoid bitwise vs logical OR warning in
      hfa384x_usb_throttlefn()
    - drm/i915: Avoid bitwise vs logical OR warning in snb_wm_latency_quirk()
    - staging: greybus: fix stack size warning with UBSAN
    - Linux 5.4.172

* Focal update: v5.4.171 upstream stable release (LP: #1959437)
    - f2fs: quota: fix potential deadlock
    - Input: touchscreen - Fix backport of
      a02dcde595f7cbd240ccd64de96034ad91cffc40
    - selftests: x86: fix [-Wstringop-overread] warn in test_process_vm_readv()
    - tracing: Fix check for trace_percpu_buffer validity in get_trace_buf()
    - tracing: Tag trace_percpu_buffer as a percpu pointer
    - ieee802154: atusb: fix uninit value in atusb_set_extended_addr
    - iavf: Fix limit of total number of queues to active queues of VF
    - RDMA/core: Don't infoleak GRH fields
    - RDMA/uverbs: Check for null return of kmalloc_array
    - mac80211: initialize variable have_higher_than_11mbit
    - i40e: fix use-after-free in i40e_sync_filters_subtask()
    - i40e: Fix for displaying message regarding NVM version
    - i40e: Fix incorrect netdev's real number of RX/TX queues
    - ipv4: Check attribute length for RTA_GATEWAY in multipath route
    - ipv4: Check attribute length for RTA_FLOW in multipath route
    - ipv6: Check attribute length for RTA_GATEWAY in multipath route
    - ipv6: Check attribute length for RTA_GATEWAY when deleting multipath route
    - lwtunnel: Validate RTA_ENCAP_TYPE attribute length
    - batman-adv: mcast: don't send link-local multicast to mcast routers
    - sch_qfq: prevent shift-out-of-bounds in qfq_init_qdisc
    - net: phy: micrel: set soft_reset callback to genphy_soft_reset for KSZ8081
    - power: supply: core: Break capacity loop
    - power: reset: ltc2952: Fix use of floating point literals
    - rndis_host: support Hytera digital radios
    - phonet: refcount leak in pep_sock_accep
    - ipv6: Continue processing multipath route even if gateway attribute is
      invalid
    - ipv6: Do cleanup if attribute validation fails in multipath route
    - usb: mtu3: fix interval value for intr and isoc
    - scsi: libiscsi: Fix UAF in iscsi_conn_get_param()/iscsi_conn_teardown()
    - ip6_vti: initialize __ip6_tnl_parm struct in vti6_siocdevprivate
    - net: udp: fix alignment problem in udp4_seq_show()
    - atlantic: Fix buff_ring OOB in aq_ring_rx_clean
    - mISDN: change function names to avoid conflicts
    - Linux 5.4.171

* Focal update: v5.4.170 upstream stable release (LP: #1958898)
    - tee: handle lookup of shm with reference count 0
    - Input: i8042 - add deferred probe support
    - Input: i8042 - enable deferred probe quirk for ASUS UM325UA
    - tomoyo: Check exceeded quota early in tomoyo_domain_quota_is_ok().
    - platform/x86: apple-gmux: use resource_size() with res
    - memblock: fix memblock_phys_alloc() section mismatch error
    - recordmcount.pl: fix typo in s390 mcount regex
    - selinux: initialize proto variable in selinux_ip_postroute_compat()
    - scsi: lpfc: Terminate string in lpfc_debugfs_nvmeio_trc_write()
    - net/mlx5: DR, Fix NULL vs IS_ERR checking in dr_domain_init_resources
    - sctp: use call_rcu to free endpoint
    - net: usb: pegasus: Do not drop long Ethernet frames
    - net: lantiq_xrx200: fix statistics of received bytes
    - NFC: st21nfca: Fix memory leak in device probe and remove
    - ionic: Initialize the 'lif->dbid_inuse' bitmap
    - net/mlx5e: Fix wrong features assignment in case of error
    - selftests/net: udpgso_bench_tx: fix dst ip argument
    - net/ncsi: check for error return from call to nla_put_u32
    - fsl/fman: Fix missing put_device() call in fman_port_probe
    - i2c: validate user data in compat ioctl
    - nfc: uapi: use kernel size_t to fix user-space builds
    - uapi: fix linux/nfc.h userspace compilation errors
    - xhci: Fresco FL1100 controller should not have BROKEN_MSI quirk set.
    - usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear.
    - usb: mtu3: add memory barrier before set GPD's HWO
    - usb: mtu3: fix list_head check warning
    - usb: mtu3: set interval of FS intr and isoc endpoint
    - binder: fix async_free_space accounting for empty parcels
    - scsi: vmw_pvscsi: Set residual data length conditionally
    - Input: appletouch - initialize work before device registration
    - Input: spaceball - fix parsing of movement data packets
    - net: fix use-after-free in tw_timer_handler
    - perf script: Fix CPU filtering of a script's switch events
    - Linux 5.4.170

* Focal update: v5.4.170 upstream stable release (LP: #1958898) // HID_ASUS
    should depend on USB_HID in stable v4.15 backports (LP: #1959762)
    - HID: asus: Add depends on USB_HID to HID_ASUS Kconfig option

* Focal update: v5.4.169 upstream stable release (LP: #1958557)
    - net: usb: lan78xx: add Allied Telesis AT29M2-AF
    - serial: 8250_fintek: Fix garbled text for console
    - arm64: dts: allwinner: orangepi-zero-plus: fix PHY mode
    - spi: change clk_disable_unprepare to clk_unprepare
    - IB/qib: Fix memory leak in qib_user_sdma_queue_pkts()
    - netfilter: fix regression in looped (broad|multi)cast's MAC handling
    - qlcnic: potential dereference null pointer of rx_queue->page_ring
    - net: accept UFOv6 packages in virtio_net_hdr_to_skb
    - net: skip virtio_net_hdr_set_proto if protocol already set
    - ipmi: Fix UAF when uninstall ipmi_si and ipmi_msghandler module
    - bonding: fix ad_actor_system option setting to default
    - fjes: Check for error irq
    - drivers: net: smc911x: Check for error irq
    - sfc: falcon: Check null pointer of rx_queue->page_ring
    - Input: elantech - fix stack out of bound access in
      elantech_change_report_id()
    - hwmon: (lm90) Fix usage of CONFIG2 register in detect function
    - hwmon: (lm90) Add max6654 support to lm90 driver
    - hwmon: (lm90) Add basic support for TI TMP461
    - hwmon: (lm90) Introduce flag indicating extended temperature support
    - hwmon: (lm90) Drop critical attribute support for MAX6654
    - ALSA: jack: Check the return value of kstrdup()
    - ALSA: drivers: opl3: Fix incorrect use of vp->state
    - ALSA: hda/realtek: Amp init fixup for HP ZBook 15 G6
    - Input: atmel_mxt_ts - fix double free in mxt_read_info_block
    - ipmi: bail out if init_srcu_struct fails
    - ipmi: ssif: initialize ssif_info->client early
    - ipmi: fix initialization when workqueue allocation fails
    - parisc: Correct completer in lws start
    - x86/pkey: Fix undefined behaviour with PKRU_WD_BIT
    - pinctrl: stm32: consider the GPIO offset to expose all the GPIO lines
    - mmc: sdhci-tegra: Fix switch to HS400ES mode
    - mmc: core: Disable card detect during shutdown
    - ARM: 9169/1: entry: fix Thumb2 bug in iWMMXt exception handling
    - tee: optee: Fix incorrect page free bug
    - f2fs: fix to do sanity check on last xattr entry in __f2fs_setxattr()
    - usb: gadget: u_ether: fix race in setting MAC address in setup phase
    - KVM: VMX: Fix stale docs for kvm-intel.emulate_invalid_guest_state
    - mm: mempolicy: fix THP allocations escaping mempolicy restrictions
    - pinctrl: mediatek: fix global-out-of-bounds issue
    - hwmom: (lm90) Fix citical alarm status for MAX6680/MAX6681
    - hwmon: (lm90) Do not report 'busy' status bit as alarm
    - ax25: NPD bug when detaching AX25 device
    - hamradio: defer ax25 kfree after unregister_netdev
    - hamradio: improve the incomplete fix to avoid NPD
    - phonet/pep: refuse to enable an unbound pipe
    - Linux 5.4.169

* Focal update: v5.4.168 upstream stable release (LP: #1957991)
    - KVM: selftests: Make sure kvm_create_max_vcpus test won't hit RLIMIT_NOFILE
    - mac80211: mark TX-during-stop for TX in in_reconfig
    - mac80211: send ADDBA requests using the tid/queue of the aggregation session
    - firmware: arm_scpi: Fix string overflow in SCPI genpd driver
    - virtio_ring: Fix querying of maximum DMA mapping size for virtio device
    - recordmcount.pl: look for jgnop instruction as well as bcrl on s390
    - dm btree remove: fix use after free in rebalance_children()
    - audit: improve robustness of the audit queue handling
    - iio: adc: stm32: fix a current leak by resetting pcsel before disabling vdda
    - nfsd: fix use-after-free due to delegation race
    - arm64: dts: rockchip: remove mmc-hs400-enhanced-strobe from rk3399-khadas-
      edge
    - arm64: dts: rockchip: fix rk3399-leez-p710 vcc3v3-lan supply
    - arm64: dts: rockchip: fix audio-supply for Rock Pi 4
    - mac80211: track only QoS data frames for admission control
    - ARM: socfpga: dts: fix qspi node compatible
    - clk: Don't parent clks until the parent is fully registered
    - selftests: net: Correct ping6 expected rc from 2 to 1
    - s390/kexec_file: fix error handling when applying relocations
    - sch_cake: do not call cake_destroy() from cake_init()
    - inet_diag: use jiffies_delta_to_msecs()
    - inet_diag: fix kernel-infoleak for UDP sockets
    - selftests: Fix raw socket bind tests with VRF
    - selftests: Fix IPv6 address bind tests
    - dmaengine: st_fdma: fix MODULE_ALIAS
    - selftest/net/forwarding: declare NETIFS p9 p10
    - mac80211: agg-tx: refactor sending addba
    - mac80211: agg-tx: don't schedule_and_wake_txq() under sta->lock
    - mac80211: accept aggregation sessions on 6 GHz
    - mac80211: fix lookup when adding AddBA extension element
    - net: sched: lock action when translating it to flow_action infra
    - flow_offload: return EOPNOTSUPP for the unsupported mpls action type
    - rds: memory leak in __rds_conn_create()
    - soc/tegra: fuse: Fix bitwise vs. logical OR warning
    - igb: Fix removal of unicast MAC filters of VFs
    - igbvf: fix double free in `igbvf_probe`
    - ixgbe: set X550 MDIO speed before talking to PHY
    - netdevsim: Zero-initialize memory for new map's value in function
      nsim_bpf_map_alloc
    - net: Fix double 0x prefix print in SKB dump
    - net/smc: Prevent smc_release() from long blocking
    - net: systemport: Add global locking for descriptor lifecycle
    - sit: do not call ipip6_dev_free() from sit_init_net()
    - USB: NO_LPM quirk Lenovo USB-C to Ethernet Adapher(RTL8153-04)
    - PCI/MSI: Clear PCI_MSIX_FLAGS_MASKALL on error
    - PCI/MSI: Mask MSI-X vectors only on success
    - usb: xhci: Extend support for runtime power management for AMD's Yellow
      carp.
    - USB: serial: cp210x: fix CP2105 GPIO registration
    - USB: serial: option: add Telit FN990 compositions
    - timekeeping: Really make sure wall_to_monotonic isn't positive
    - libata: if T_LENGTH is zero, dma direction should be DMA_NONE
    - drm/amdgpu: correct register access for RLC_JUMP_TABLE_RESTORE
    - mac80211: validate extended element ID is present
    - mwifiex: Remove unnecessary braces from HostCmd_SET_SEQ_NO_BSS_INFO
    - Input: touchscreen - avoid bitwise vs logical OR warning
    - ARM: dts: imx6ull-pinfunc: Fix CSI_DATA07__ESAI_TX0 pad name
    - xsk: Do not sleep in poll() when need_wakeup set
    - media: mxl111sf: change mutex_init() location
    - fuse: annotate lock in fuse_reverse_inval_entry()
    - ovl: fix warning in ovl_create_real()
    - scsi: scsi_debug: Sanity check block descriptor length in resp_mode_select()
    - rcu: Mark accesses to rcu_state.n_force_qs
    - mac80211: fix regression in SSN handling of addba tx
    - net: sched: Fix suspicious RCU usage while accessing tcf_tunnel_info
    - Revert "xsk: Do not sleep in poll() when need_wakeup set"
    - xen/blkfront: harden blkfront against event channel storms
    - xen/netfront: harden netfront against event channel storms
    - xen/console: harden hvc_xen against event channel storms
    - xen/netback: fix rx queue stall detection
    - xen/netback: don't queue unlimited number of packages
    - Linux 5.4.168

* Focal update: v5.4.167 upstream stable release (LP: #1957987)
    - nfc: fix segfault in nfc_genl_dump_devices_done
    - drm/msm/dsi: set default num_data_lanes
    - net/mlx4_en: Update reported link modes for 1/10G
    - parisc/agp: Annotate parisc agp init functions with __init
    - i2c: rk3x: Handle a spurious start completion interrupt flag
    - net: netlink: af_netlink: Prevent empty skb by adding a check on len.
    - drm/amd/display: Fix for the no Audio bug with Tiled Displays
    - drm/amd/display: add connector type check for CRC source set
    - tracing: Fix a kmemleak false positive in tracing_map
    - KVM: x86: Ignore sparse banks size for an "all CPUs", non-sparse IPI req
    - selinux: fix race condition when computing ocontext SIDs
    - bpf: Fix integer overflow in argument calculation for bpf_map_area_alloc
    - hwmon: (dell-smm) Fix warning on /proc/i8k creation error
    - memblock: free_unused_memmap: use pageblock units instead of MAX_ORDER
    - memblock: align freed memory map on pageblock boundaries with SPARSEMEM
    - memblock: ensure there is no overflow in memblock_overlaps_region()
    - arm: extend pfn_valid to take into account freed memory map alignment
    - arm: ioremap: don't abuse pfn_valid() to check if pfn is in RAM
    - Linux 5.4.167

* Packaging resync (LP: #1786013)
    - [Packaging] resync getabis

-- Stefan Bader <stefan.bader@canonical.com>  Mon, 07 Mar 2022 17:07:14 +0100

Changed in linux (Ubuntu Focal):
status:	Fix Committed → Fix Released

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2022-11-18:

This bug is awaiting verification that the linux-xilinx-zynqmp/5.4.0-1019.22 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: verification-needed-focal

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntulinux package

Focal update: v5.4.168 upstream stable release

Bug Description

CVE References

Other bug subscribers

Remote bug watches

Ubuntu
linux package