This bug was fixed in the package linux-gcp-4.15 - 4.15.0-1134.150 --------------- linux-gcp-4.15 (4.15.0-1134.150) bionic; urgency=medium [ Ubuntu: 4.15.0-191.202 ] * CVE-2022-2586 - SAUCE: netfilter: nf_tables: do not allow SET_ID to refer to another table - SAUCE: netfilter: nf_tables: do not allow RULE_ID to refer to another chain * CVE-2022-2588 - SAUCE: net_sched: cls_route: remove from list when handle is 0 * CVE-2022-34918 - netfilter: nf_tables: stricter validation of element data * BUG: kernel NULL pointer dereference, address: 0000000000000008 (LP: #1981658) - tcp: make sure treq->af_specific is initialized linux-gcp-4.15 (4.15.0-1133.149) bionic; urgency=medium * bionic/linux-gcp-4.15: 4.15.0-1133.149 -proposed tracker (LP: #1981311) * Bionic update: upstream stable patchset 2022-06-21 (LP: #1979355) - [Config] gcp: updateconfigs for NVM, NVM_PBLK [ Ubuntu: 4.15.0-190.201 ] * bionic/linux: 4.15.0-190.201 -proposed tracker (LP: #1981321) * CVE-2022-1679 - SAUCE: ath9k: fix use-after-free in ath9k_hif_usb_rx_cb * Bionic update: upstream stable patchset 2022-07-06 (LP: #1980879) - MIPS: Use address-of operator on section symbols - block: drbd: drbd_nl: Make conversion to 'enum drbd_ret_code' explicit - can: grcan: grcan_probe(): fix broken system id check for errata workaround needs - can: grcan: only use the NAPI poll budget for RX - Bluetooth: Fix the creation of hdev->name - mmc: rtsx: add 74 Clocks in power on flow - mm: hugetlb: fix missing cache flush in copy_huge_page_from_user() - mm: userfaultfd: fix missing cache flush in mcopy_atomic_pte() and __mcopy_atomic() - ALSA: pcm: Fix races among concurrent hw_params and hw_free calls - ALSA: pcm: Fix races among concurrent read/write and buffer changes - ALSA: pcm: Fix races among concurrent prepare and hw_params/hw_free calls - ALSA: pcm: Fix races among concurrent prealloc proc writes - ALSA: pcm: Fix potential AB/BA lock with buffer_mutex and mmap_lock - VFS: Fix memory leak caused by concurrently mounting fs with subtype - batman-adv: Don't skb_split skbuffs with frag_list - net: Fix features skip in for_each_netdev_feature() - ipv4: drop dst in multicast routing path - netlink: do not reset transport header in netlink_recvmsg() - mac80211_hwsim: call ieee80211_tx_prepare_skb under RCU protection - hwmon: (ltq-cputemp) restrict it to SOC_XWAY - s390/ctcm: fix variable dereferenced before check - s390/ctcm: fix potential memory leak - s390/lcs: fix variable dereferenced before check - net/smc: non blocking recvmsg() return -EAGAIN when no data and signal_pending - net: sfc: ef10: fix memory leak in efx_ef10_mtd_probe() - hwmon: (f71882fg) Fix negative temperature - ASoC: max98090: Reject invalid values in custom control put() - ASoC: max98090: Generate notifications on changes for custom control - ASoC: ops: Validate input values in snd_soc_put_volsw_range() - tcp: resalt the secret every 10 seconds - usb: cdc-wdm: fix reading stuck on device close - USB: serial: pl2303: add device id for HP LM930 Display - USB: serial: qcserial: add support for Sierra Wireless EM7590 - USB: serial: option: add Fibocom L610 modem - USB: serial: option: add Fibocom MA510 modem - cgroup/cpuset: Remove cpus_allowed/mems_allowed setup in cpuset_init_smp() - drm/vmwgfx: Initialize drm_mode_fb_cmd2 - ping: fix address binding wrt vrf - tty/serial: digicolor: fix possible null-ptr-deref in digicolor_uart_probe() - net/sched: act_pedit: really ensure the skb is writable - um: Cleanup syscall_handler_t definition/cast, fix warning - Input: add bounds checking to input_set_capability() - Input: stmfts - fix reference leak in stmfts_input_open - MIPS: lantiq: check the return value of kzalloc() - drbd: remove usage of list iterator variable after loop - ARM: 9191/1: arm/stacktrace, kasan: Silence KASAN warnings in unwind_frame() - ALSA: wavefront: Proper check of get_user() error - perf: Fix sys_perf_event_open() race against self - drm/dp/mst: fix a possible memory leak in fetch_monitor_name() - mmc: core: Specify timeouts for BKOPS and CACHE_FLUSH for eMMC - mmc: block: Use generic_cmd6_time when modifying INAND_CMD38_ARG_EXT_CSD - mmc: core: Default to generic_cmd6_time as timeout in __mmc_switch() - net: vmxnet3: fix possible use-after-free bugs in vmxnet3_rq_alloc_rx_buf() - net: vmxnet3: fix possible NULL pointer dereference in vmxnet3_rq_cleanup() - clk: at91: generated: consider range when calculating best rate - net/qla3xxx: Fix a test in ql_reset_work() - NFC: nci: fix sleep in atomic context bugs caused by nci_skb_alloc - ARM: 9196/1: spectre-bhb: enable for Cortex-A15 - ARM: 9197/1: spectre-bhb: fix loop8 sequence for Thumb2 - igb: skip phy status check where unavailable - net: bridge: Clear offload_fwd_mark when passing frame up bridge interface. - gpio: gpio-vf610: do not touch other bits when set the target bit - gpio: mvebu/pwm: Refuse requests with inverted polarity - perf bench numa: Address compiler error on s390 - scsi: qla2xxx: Fix missed DMA unmap for aborted commands - mac80211: fix rx reordering with non explicit / psmp ack policy - ethernet: tulip: fix missing pci_disable_device() on error in tulip_init_one() - net: stmmac: fix missing pci_disable_device() on error in stmmac_pci_probe() - net: atlantic: verify hw_head_ lies within TX buffer ring - swiotlb: fix info leak with DMA_FROM_DEVICE - Reinstate some of "swiotlb: rework "fix info leak with DMA_FROM_DEVICE"" - net: macb: Increment rx bd head after allocating skb and buffer - net/sched: act_pedit: sanitize shift argument before usage - afs: Fix afs_getattr() to refetch file status if callback break occurred - x86/pci/xen: Disable PCI/MSI[-X] masking for XEN_HVM guests - staging: rtl8723bs: prevent ->Ssid overflow in rtw_wx_set_scan() - tcp: change source port randomizarion at connect() time - secure_seq: use the 64 bits of the siphash for port offset calculation - ACPI: sysfs: Make sparse happy about address space in use - Revert "UBUNTU: SAUCE: ACPI: sysfs: copy ACPI data using io memory copying" - ACPI: sysfs: Fix BERT error region memory mapping - net: af_key: check encryption module availability consistency - net: ftgmac100: Disable hardware checksum on AST2600 - drivers: i2c: thunderx: Allow driver to work with ACPI defined TWSI controllers - assoc_array: Fix BUG_ON during garbage collect - drm/i915: Fix -Wstringop-overflow warning in call to intel_read_wm_latency() - block-map: add __GFP_ZERO flag for alloc_page in function bio_copy_kern - exec: Force single empty string when argv is empty - netfilter: conntrack: re-fetch conntrack after insertion - zsmalloc: fix races between asynchronous zspage free and page migration - dm integrity: fix error code in dm_integrity_ctr() - dm crypt: make printing of the key constant-time - dm stats: add cond_resched when looping over entries - dm verity: set DM_TARGET_IMMUTABLE feature flag - tpm: ibmvtpm: Correct the return value in tpm_ibmvtpm_probe() - docs: submitting-patches: Fix crossref to 'The canonical patch format' - NFSD: Fix possible sleep during nfsd4_release_lockowner() - bpf: Enlarge offset check value to INT_MAX in bpf_skb_{load,store}_bytes * Bionic update: upstream stable patchset 2022-06-21 (LP: #1979355) - floppy: disable FDRAWCMD by default - [Config] updateconfigs for BLK_DEV_FD_RAWCMD - hamradio: defer 6pack kfree after unregister_netdev - hamradio: remove needs_free_netdev to avoid UAF - lightnvm: disable the subsystem - [Config] updateconfigs for NVM, NVM_PBLK - usb: mtu3: fix USB 3.0 dual-role-switch from device to host - USB: quirks: add a Realtek card reader - USB: quirks: add STRING quirk for VCOM device - USB: serial: whiteheat: fix heap overflow in WHITEHEAT_GET_DTR_RTS - USB: serial: cp210x: add PIDs for Kamstrup USB Meter Reader - USB: serial: option: add support for Cinterion MV32-WA/MV32-WB - USB: serial: option: add Telit 0x1057, 0x1058, 0x1075 compositions - xhci: stop polling roothubs after shutdown - iio: dac: ad5592r: Fix the missing return value. - iio: dac: ad5446: Fix read_raw not returning set value - iio: magnetometer: ak8975: Fix the error handling in ak8975_power_on() - usb: misc: fix improper handling of refcount in uss720_probe() - usb: gadget: uvc: Fix crash when encoding data for usb request - usb: gadget: configfs: clear deactivation flag in configfs_composite_unbind() - serial: 8250: Also set sticky MCR bits in console restoration - serial: 8250: Correct the clock for EndRun PTP/1588 PCIe device - hex2bin: make the function hex_to_bin constant-time - hex2bin: fix access beyond string end - USB: Fix xhci event ring dequeue pointer ERDP update issue - ARM: dts: imx6qdl-apalis: Fix sgtl5000 detection issue - phy: samsung: Fix missing of_node_put() in exynos_sata_phy_probe - phy: samsung: exynos5250-sata: fix missing device put in probe error paths - ARM: OMAP2+: Fix refcount leak in omap_gic_of_init - ARM: dts: Fix mmc order for omap3-gta04 - ipvs: correctly print the memory size of ip_vs_conn_tab - mtd: rawnand: Fix return value check of wait_for_completion_timeout - sctp: check asoc strreset_chunk in sctp_generate_reconf_event - pinctrl: pistachio: fix use of irq_of_parse_and_map() - ip_gre: Make o_seqno start from 0 in native mode - tcp: fix potential xmit stalls caused by TCP_NOTSENT_LOWAT - bus: sunxi-rsb: Fix the return value of sunxi_rsb_device_create() - clk: sunxi: sun9i-mmc: check return value after calling platform_get_resource() - net: bcmgenet: hide status block before TX timestamping - bnx2x: fix napi API usage sequence - ASoC: wm8731: Disable the regulator when probing fails - x86: __memcpy_flushcache: fix wrong alignment if size > 2^32 - cifs: destage any unwritten data to the server before calling copychunk_write - drivers: net: hippi: Fix deadlock in rr_close() - x86/cpu: Load microcode during restore_processor_state() - tty: n_gsm: fix wrong signal octet encoding in convergence layer type 2 - tty: n_gsm: fix malformed counter for out of frame data - tty: n_gsm: fix insufficient txframe size - tty: n_gsm: fix missing explicit ldisc flush - tty: n_gsm: fix wrong command retry handling - tty: n_gsm: fix wrong command frame length field encoding - tty: n_gsm: fix incorrect UA handling - MIPS: Fix CP0 counter erratum detection for R4k CPUs - parisc: Merge model and model name into one line in /proc/cpuinfo - ALSA: fireworks: fix wrong return count shorter than expected by 4 bytes - Revert "SUNRPC: attempt AF_LOCAL connect on setup" - firewire: fix potential uaf in outbound_phy_packet_callback() - firewire: remove check of list iterator against head past the loop body - firewire: core: extend card->lock in fw_core_handle_bus_reset - ASoC: wm8958: Fix change notifications for DSP controls - can: grcan: grcan_close(): fix deadlock - can: grcan: use ofdev->dev when allocating DMA memory - nfc: replace improper check device_is_registered() in netlink related functions - NFC: netlink: fix sleep in atomic bug when firmware download timeout - hwmon: (adt7470) Fix warning on module removal - ASoC: dmaengine: Restore NULL prepare_slave_config() callback - net: emaclite: Add error handling for of_address_to_resource() - smsc911x: allow using IRQ0 - btrfs: always log symlinks in full mode - net: igmp: respect RCU rules in ip_mc_source() and ip_mc_msfilter() - kvm: x86/cpuid: Only provide CPUID leaf 0xA if host has architectural PMU - net: ipv6: ensure we call ipv6_mc_down() at most once - dm: fix mempool NULL pointer race when completing IO - dm: interlock pending dm_io and dm_wait_for_bios_completion - PCI: aardvark: Clear all MSIs at setup - PCI: aardvark: Fix reading MSI interrupt number - tcp: md5: incorrect tcp_header_len for incoming connections - net: hns3: add validity check for message data length - genirq: Synchronize interrupt thread startup - net: stmmac: dwmac-sun8i: add missing of_node_put() in sun8i_dwmac_register_mdio_mux() - mm: fix unexpected zeroed page mapping with zram swap * unprivileged tests in test_verifier from ubuntu_bpf failed with "Failed to load prog 'Operation not permitted'" on B-4.15 (LP: #1980648) - selftests/bpf: Count tests skipped by unpriv - selftests/bpf: Only run tests if !bpf_disabled * CVE-2022-1734 - nfc: nfcmrvl: main: reorder destructive operations in nfcmrvl_nci_unregister_dev to avoid bugs * CVE-2022-1652 - floppy: use a statically allocated error counter -- Thadeu Lima de Souza Cascardo