Linux netfilter IPT_SO_SET_REPLACE memory corruption

Bug #1555338 reported by Steve Beattie on 2016-03-09
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
High
Tim Gardner
Precise
High
Chris J Arges
Trusty
High
Chris J Arges
Vivid
Critical
Chris J Arges
Wily
High
Chris J Arges
Xenial
High
Tim Gardner
Yakkety
High
Tim Gardner
linux-armadaxp (Ubuntu)
High
Unassigned
Precise
High
Unassigned
Trusty
High
Unassigned
Vivid
Undecided
Unassigned
Wily
High
Unassigned
Xenial
High
Unassigned
Yakkety
High
Unassigned
linux-flo (Ubuntu)
High
Unassigned
Precise
High
Unassigned
Trusty
High
Unassigned
Vivid
Undecided
Unassigned
Wily
High
Unassigned
Xenial
High
Unassigned
Yakkety
High
Unassigned
linux-goldfish (Ubuntu)
High
Unassigned
Precise
High
Unassigned
Trusty
High
Unassigned
Vivid
Undecided
Unassigned
Wily
High
Unassigned
Xenial
High
Unassigned
Yakkety
High
Unassigned
linux-keystone (Ubuntu)
Undecided
Unassigned
Precise
Undecided
Unassigned
Trusty
Critical
Unassigned
Vivid
Undecided
Unassigned
Wily
Undecided
Unassigned
Xenial
Undecided
Unassigned
Yakkety
Undecided
Unassigned
linux-lts-quantal (Ubuntu)
High
Unassigned
Precise
High
Unassigned
Trusty
High
Unassigned
Vivid
Undecided
Unassigned
Wily
High
Unassigned
Xenial
High
Unassigned
Yakkety
High
Unassigned
linux-lts-raring (Ubuntu)
High
Unassigned
Precise
High
Unassigned
Trusty
High
Unassigned
Vivid
Undecided
Unassigned
Wily
High
Unassigned
Xenial
High
Unassigned
Yakkety
High
Unassigned
linux-lts-saucy (Ubuntu)
High
Unassigned
Precise
High
Unassigned
Trusty
High
Unassigned
Vivid
Undecided
Unassigned
Wily
High
Unassigned
Xenial
High
Unassigned
Yakkety
High
Unassigned
linux-lts-trusty (Ubuntu)
High
Unassigned
Precise
High
Unassigned
Trusty
High
Unassigned
Vivid
Undecided
Unassigned
Wily
High
Unassigned
Xenial
High
Unassigned
Yakkety
High
Unassigned
linux-lts-utopic (Ubuntu)
High
Unassigned
Precise
High
Unassigned
Trusty
High
Chris J Arges
Vivid
Undecided
Unassigned
Wily
High
Unassigned
Xenial
High
Unassigned
Yakkety
High
Unassigned
linux-lts-vivid (Ubuntu)
High
Unassigned
Precise
High
Unassigned
Trusty
High
Unassigned
Vivid
Undecided
Unassigned
Wily
High
Unassigned
Xenial
High
Unassigned
Yakkety
High
Unassigned
linux-lts-wily (Ubuntu)
High
Unassigned
Precise
High
Unassigned
Trusty
High
Unassigned
Vivid
Undecided
Unassigned
Wily
High
Unassigned
Xenial
High
Unassigned
Yakkety
High
Unassigned
linux-lts-xenial (Ubuntu)
High
Unassigned
Precise
High
Unassigned
Trusty
High
Unassigned
Vivid
Undecided
Unassigned
Wily
High
Unassigned
Xenial
High
Unassigned
Yakkety
High
Unassigned
linux-mako (Ubuntu)
High
Unassigned
Precise
High
Unassigned
Trusty
High
Unassigned
Vivid
Undecided
Unassigned
Wily
High
Unassigned
Xenial
High
Unassigned
Yakkety
High
Unassigned
linux-manta (Ubuntu)
High
Unassigned
Precise
High
Unassigned
Trusty
High
Unassigned
Vivid
Undecided
Unassigned
Wily
High
Unassigned
Xenial
High
Unassigned
Yakkety
High
Unassigned
linux-raspi2 (Ubuntu)
High
Unassigned
Precise
High
Unassigned
Trusty
High
Unassigned
Vivid
Undecided
Unassigned
Wily
High
Unassigned
Xenial
High
Unassigned
Yakkety
High
Unassigned
linux-snapdragon (Ubuntu)
High
Unassigned
Precise
High
Unassigned
Trusty
High
Unassigned
Vivid
Undecided
Unassigned
Wily
High
Unassigned
Xenial
High
Unassigned
Yakkety
High
Unassigned
linux-ti-omap4 (Ubuntu)
High
Unassigned
Precise
High
Unassigned
Trusty
High
Unassigned
Vivid
Undecided
Unassigned
Wily
High
Unassigned
Xenial
High
Unassigned
Yakkety
High
Unassigned

Bug Description

[Impact]
[From https://code.google.com/p/google-security-research/issues/detail?id=758 ]

A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE ioctl in the netfilter code for iptables support. This ioctl is can be triggered by an unprivileged user on PF_INET sockets when unprivileged user namespaces are available (CONFIG_USER_NS=y). Android does not enable this option, but desktop/server distributions and Chrome OS will commonly enable this to allow for containers support or sandboxing.

In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it is possible for a user-supplied ipt_entry structure to have a large next_offset field. This field is not bounds checked prior to writing a counter value at the supplied offset:

newpos = pos + e->next_offset;
...
e = (struct ipt_entry *) (entry0 + newpos);
e->counters.pcnt = pos;

This means that an out of bounds 32-bit write can occur in a 64kb range from the allocated heap entry, with a controlled offset and a partially controlled write value ("pos") or zero. The attached proof-of-concept (netfilter_setsockopt_v3.c) triggers the corruption multiple times to set adjacent heap structures to zero.

This issue affects (at least) kernel versions 3.10, 3.18 and 4.4. It appears that a similar codepath is accessible via arp_tables.c/ARPT_SO_SET_REPLACE as well.

[Fix]
http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/62150

[Test Case]
Download v3 testcase from https://code.google.com/p/google-security-research/issues/detail?id=758
gcc net*v3.c -o v3
./v3

Steve Beattie (sbeattie) on 2016-03-09
Changed in linux (Ubuntu):
status: New → Confirmed
importance: Undecided → High
Steve Beattie (sbeattie) wrote :
information type: Private Security → Public Security
Tim Gardner (timg-tpi) on 2016-03-10
Changed in linux (Ubuntu Xenial):
assignee: nobody → Tim Gardner (timg-tpi)
status: Confirmed → In Progress
Chris J Arges (arges) on 2016-03-10
Changed in linux-lts-utopic (Ubuntu Precise):
status: New → Invalid
Changed in linux-lts-utopic (Ubuntu Vivid):
status: New → Invalid
Changed in linux-lts-utopic (Ubuntu Wily):
status: New → Invalid
Chris J Arges (arges) on 2016-03-10
Changed in linux-lts-utopic (Ubuntu Xenial):
status: New → Invalid
Tim Gardner (timg-tpi) on 2016-03-10
Changed in linux (Ubuntu Xenial):
status: In Progress → Fix Committed
Chris J Arges (arges) on 2016-03-10
Changed in linux (Ubuntu Wily):
assignee: nobody → Chris J Arges (arges)
status: New → In Progress
Chris J Arges (arges) on 2016-03-10
Changed in linux (Ubuntu Trusty):
assignee: nobody → Chris J Arges (arges)
status: New → In Progress
Changed in linux (Ubuntu Vivid):
assignee: nobody → Chris J Arges (arges)
status: New → In Progress
Changed in linux-lts-utopic (Ubuntu Trusty):
assignee: nobody → Chris J Arges (arges)
status: New → In Progress
description: updated
Chris J Arges (arges) on 2016-03-10
Changed in linux (Ubuntu Trusty):
assignee: Chris J Arges (arges) → nobody
status: In Progress → New
Chris J Arges (arges) on 2016-03-10
Changed in linux (Ubuntu Vivid):
status: In Progress → New
Changed in linux-lts-utopic (Ubuntu Trusty):
assignee: Chris J Arges (arges) → nobody
status: In Progress → New
Chris J Arges (arges) on 2016-03-10
Changed in linux (Ubuntu Trusty):
assignee: nobody → Chris J Arges (arges)
status: New → In Progress
Changed in linux (Ubuntu Vivid):
status: New → In Progress
Changed in linux-lts-utopic (Ubuntu Trusty):
assignee: nobody → Chris J Arges (arges)
status: New → In Progress
Brad Figg (brad-figg) on 2016-03-10
Changed in linux (Ubuntu Precise):
status: New → Fix Committed
Brad Figg (brad-figg) on 2016-03-10
Changed in linux (Ubuntu Wily):
status: In Progress → Fix Committed
Brad Figg (brad-figg) on 2016-03-10
Changed in linux (Ubuntu Vivid):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Trusty):
status: In Progress → Fix Committed
Steve Beattie (sbeattie) on 2016-03-11
tags: added: kernel-cve-skip-description
Andy Whitcroft (apw) on 2016-03-11
Changed in linux-lts-utopic (Ubuntu Trusty):
importance: Undecided → Critical
Changed in linux (Ubuntu Wily):
importance: Undecided → Critical
Changed in linux (Ubuntu Vivid):
importance: Undecided → Critical
Changed in linux (Ubuntu Trusty):
importance: Undecided → Critical
Changed in linux (Ubuntu Precise):
assignee: nobody → Chris J Arges (arges)
importance: Undecided → Critical
Andy Whitcroft (apw) on 2016-03-11
Changed in linux-lts-utopic (Ubuntu Trusty):
status: In Progress → Fix Committed
Andy Whitcroft (apw) on 2016-03-12
Changed in linux-keystone (Ubuntu Xenial):
status: New → Invalid
Changed in linux-keystone (Ubuntu Precise):
status: New → Invalid
Changed in linux-keystone (Ubuntu Wily):
status: New → Invalid
Changed in linux-armadaxp (Ubuntu Vivid):
status: New → Invalid
Changed in linux-armadaxp (Ubuntu Trusty):
status: New → Invalid
Changed in linux-keystone (Ubuntu Vivid):
status: New → Invalid
Changed in linux-armadaxp (Ubuntu):
status: New → Invalid
Changed in linux-armadaxp (Ubuntu Wily):
status: New → Invalid
Changed in linux-keystone (Ubuntu Trusty):
status: New → Fix Committed
Changed in linux-armadaxp (Ubuntu Precise):
status: New → Fix Committed
Changed in linux-keystone (Ubuntu Trusty):
importance: Undecided → Critical
Changed in linux-armadaxp (Ubuntu Precise):
importance: Undecided → Critical
Steve Beattie (sbeattie) wrote :

This has been assigned CVE-2016-3134 ( http://www.openwall.com/lists/oss-security/2016/03/14/1 ).

Launchpad Janitor (janitor) wrote :
Download full text (7.7 KiB)

This bug was fixed in the package linux - 4.2.0-34.39

---------------
linux (4.2.0-34.39) wily; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1555821

  [ Florian Westphal ]

  * SAUCE: [nf] netfilter: x_tables: check for size overflow
    - LP: #1555353
  * SAUCE: [nf,v2] netfilter: x_tables: don't rely on well-behaving
    userspace
    - LP: #1555338

linux (4.2.0-33.38) wily; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1554649

  [ Upstream Kernel Changes ]

  * Revert "drm/radeon: call hpd_irq_event on resume"
    - LP: #1554608
  * cxl: Fix PSL timebase synchronization detection
    - LP: #1532914

linux (4.2.0-32.37) wily; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1550045

  [ Kamal Mostafa ]

  * Merged back Ubuntu-4.2.0-31.36

linux (4.2.0-31.36) wily; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1548579

  [ Andy Whitcroft ]

  * [Debian] hv: hv_set_ifconfig -- convert to python3
    - LP: #1506521
  * [Debian] hv: hv_set_ifconfig -- switch to approved indentation
    - LP: #1540586
  * [Debian] hv: hv_set_ifconfig -- fix numerous parameter handling issues
    - LP: #1540586

  [ Carol L Soto ]

  * SAUCE: IB/IPoIB: Do not set skb truesize since using one linearskb
    - LP: #1541326

  [ Dan Streetman ]

  * SAUCE: nbd: ratelimit error msgs after socket close
    - LP: #1505564

  [ Tim Gardner ]

  * Revert "SAUCE: (noup) cxlflash: Fix to avoid virtual LUN failover
    failure"
    - LP: #1541635
  * Revert "SAUCE: (noup) cxlflash: Fix to escalate LINK_RESET also on port
    1"
    - LP: #1541635
  * [Config] ARMV8_DEPRECATED=y
    - LP: #1545542

  [ Upstream Kernel Changes ]

  * x86/xen/p2m: hint at the last populated P2M entry
    - LP: #1542941
  * mm: add dma_pool_zalloc() call to DMA API
    - LP: #1543737
  * sctp: Prevent soft lockup when sctp_accept() is called during a timeout
    event
    - LP: #1543737
  * xen-netback: respect user provided max_queues
    - LP: #1543737
  * xen-netfront: respect user provided max_queues
    - LP: #1543737
  * xen-netfront: update num_queues to real created
    - LP: #1543737
  * iio: adis_buffer: Fix out-of-bounds memory access
    - LP: #1543737
  * KVM: PPC: Fix emulation of H_SET_DABR/X on POWER8
    - LP: #1543737
  * KVM: PPC: Fix ONE_REG AltiVec support
    - LP: #1543737
  * x86/irq: Call chip->irq_set_affinity in proper context
    - LP: #1543737
  * drm/amdgpu: fix tonga smu resume
    - LP: #1543737
  * perf kvm record/report: 'unprocessable sample' error while
    recording/reporting guest data
    - LP: #1543737
  * hrtimer: Handle remaining time proper for TIME_LOW_RES
    - LP: #1543737
  * timerfd: Handle relative timers with CONFIG_TIME_LOW_RES proper
    - LP: #1543737
  * posix-timers: Handle relative timers with CONFIG_TIME_LOW_RES proper
    - LP: #1543737
  * itimers: Handle relative timers with CONFIG_TIME_LOW_RES proper
    - LP: #1543737
  * drm/amdgpu: Use drm_calloc_large for VM page_tables array
    - LP: #1543737
  * drm/amdgpu: fix amdgpu_bo_pin_restricted VRAM placing v2
    - LP: #1543737
  * drm/radeon: properly byte swap vce firmware setup
    - LP: #1543737
  ...

Read more...

Changed in linux (Ubuntu Wily):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.2.0-101.141

---------------
linux (3.2.0-101.141) precise; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1555809

  [ Florian Westphal ]

  * SAUCE: [nf,v2] netfilter: x_tables: don't rely on well-behaving
    userspace
    - LP: #1555338

linux (3.2.0-100.140) precise; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1548504

  [ Upstream Kernel Changes ]

  * veth: don’t modify ip_summed; doing so treats packets with bad
    checksums as good.
    - LP: #1547207
  * ALSA: usb-audio: avoid freeing umidi object twice
    - LP: #1546177
    - CVE-2016-2384

 -- Brad Figg <email address hidden> Thu, 10 Mar 2016 13:05:32 -0800

Changed in linux (Ubuntu Precise):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :
Download full text (21.3 KiB)

This bug was fixed in the package linux - 3.19.0-56.62

---------------
linux (3.19.0-56.62) vivid; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1555832

  [ Florian Westphal ]

  * SAUCE: [nf,v2] netfilter: x_tables: don't rely on well-behaving
    userspace
    - LP: #1555338

linux (3.19.0-55.61) vivid; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1554708

  [ Upstream Kernel Changes ]

  * Revert "drm/radeon: call hpd_irq_event on resume"
    - LP: #1554608

linux (3.19.0-54.60) vivid; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1552337

  [ Upstream Kernel Changes ]

  * Revert "firmware: dmi_scan: Fix UUID endianness for SMBIOS >= 2.6"
    - LP: #1551419

linux (3.19.0-53.59) vivid; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1550576

  [ Kamal Mostafa ]

  * Merged back 3.19.0-52.58

linux (3.19.0-52.58) vivid; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1548548

  [ Dan Streetman ]

  * SAUCE: nbd: ratelimit error msgs after socket close
    - LP: #1505564

  [ Upstream Kernel Changes ]

  * Revert "ACPI / LPSS: allow to use specific PM domain during ->probe()"
    - LP: #1542457
  * Revert "workqueue: make sure delayed work run in local cpu"
    - LP: #1546320
  * net: ipmr: fix static mfc/dev leaks on table destruction
    - LP: #1542457
  * drm/nouveau/nv46: Change mc subdev oclass from nv44 to nv4c
    - LP: #1542457
  * ovl: allow zero size xattr
    - LP: #1542457
  * ovl: use a minimal buffer in ovl_copy_xattr
    - LP: #1542457
  * [media] vb2: fix a regression in poll() behavior for output,streams
    - LP: #1542457
  * [media] gspca: ov534/topro: prevent a division by 0
    - LP: #1542457
  * [media] media: dvb-core: Don't force CAN_INVERSION_AUTO in oneshot mode
    - LP: #1542457
  * tools lib traceevent: Fix output of %llu for 64 bit values read on 32
    bit machines
    - LP: #1542457
  * KVM: x86: expose MSR_TSC_AUX to userspace
    - LP: #1542457
  * KVM: x86: correctly print #AC in traces
    - LP: #1542457
  * drm/radeon: call hpd_irq_event on resume
    - LP: #1542457
  * xhci: refuse loading if nousb is used
    - LP: #1542457
  * arm64: Clear out any singlestep state on a ptrace detach operation
    - LP: #1542457
  * time: Avoid signed overflow in timekeeping_get_ns()
    - LP: #1542457
  * ovl: root: copy attr
    - LP: #1542457
  * Bluetooth: Add support of Toshiba Broadcom based devices
    - LP: #1522949, #1542457
  * rtlwifi: fix memory leak for USB device
    - LP: #1542457
  * wlcore/wl12xx: spi: fix oops on firmware load
    - LP: #1542457
  * ovl: check dentry positiveness in ovl_cleanup_whiteouts()
    - LP: #1542457
  * EDAC, mc_sysfs: Fix freeing bus' name
    - LP: #1542457
  * EDAC: Robustify workqueues destruction
    - LP: #1542457
  * arm64: mm: ensure that the zero page is visible to the page table
    walker
    - LP: #1542457
  * powerpc: Make value-returning atomics fully ordered
    - LP: #1542457
  * powerpc: Make {cmp}xchg* and their atomic_ versions fully ordered
    - LP: #1542457
  * dm space map metadata: remove unused variable in brb_pop()
    - LP: #1542457
  * dm thi...

Changed in linux (Ubuntu Vivid):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :
Download full text (14.5 KiB)

This bug was fixed in the package linux - 3.13.0-83.127

---------------
linux (3.13.0-83.127) trusty; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1555839

  [ Florian Westphal ]

  * SAUCE: [nf,v2] netfilter: x_tables: don't rely on well-behaving
    userspace
    - LP: #1555338

linux (3.13.0-82.126) trusty; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1554732

  [ Upstream Kernel Changes ]

  * Revert "drm/radeon: call hpd_irq_event on resume"
    - LP: #1554608
  * net: generic dev_disable_lro() stacked device handling
    - LP: #1547680

linux (3.13.0-81.125) trusty; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1552316

  [ Upstream Kernel Changes ]

  * Revert "firmware: dmi_scan: Fix UUID endianness for SMBIOS >= 2.6"
    - LP: #1551419
  * bcache: Fix a lockdep splat in an error path
    - LP: #1551327

linux (3.13.0-80.124) trusty; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1548519

  [ Andy Whitcroft ]

  * [Debian] hv: hv_set_ifconfig -- convert to python3
    - LP: #1506521
  * [Debian] hv: hv_set_ifconfig -- switch to approved indentation
    - LP: #1540586
  * [Debian] hv: hv_set_ifconfig -- fix numerous parameter handling issues
    - LP: #1540586

  [ Dan Streetman ]

  * SAUCE: nbd: ratelimit error msgs after socket close
    - LP: #1505564

  [ Upstream Kernel Changes ]

  * Revert "workqueue: make sure delayed work run in local cpu"
    - LP: #1546320
  * [media] gspca: ov534/topro: prevent a division by 0
    - LP: #1542497
  * [media] media: dvb-core: Don't force CAN_INVERSION_AUTO in oneshot mode
    - LP: #1542497
  * tools lib traceevent: Fix output of %llu for 64 bit values read on 32
    bit machines
    - LP: #1542497
  * KVM: x86: correctly print #AC in traces
    - LP: #1542497
  * drm/radeon: call hpd_irq_event on resume
    - LP: #1542497
  * xhci: refuse loading if nousb is used
    - LP: #1542497
  * arm64: Clear out any singlestep state on a ptrace detach operation
    - LP: #1542497
  * time: Avoid signed overflow in timekeeping_get_ns()
    - LP: #1542497
  * rtlwifi: fix memory leak for USB device
    - LP: #1542497
  * wlcore/wl12xx: spi: fix oops on firmware load
    - LP: #1542497
  * EDAC, mc_sysfs: Fix freeing bus' name
    - LP: #1542497
  * EDAC: Don't try to cancel workqueue when it's never setup
    - LP: #1542497
  * EDAC: Robustify workqueues destruction
    - LP: #1542497
  * powerpc: Make value-returning atomics fully ordered
    - LP: #1542497
  * powerpc: Make {cmp}xchg* and their atomic_ versions fully ordered
    - LP: #1542497
  * dm space map metadata: remove unused variable in brb_pop()
    - LP: #1542497
  * dm thin: fix race condition when destroying thin pool workqueue
    - LP: #1542497
  * futex: Drop refcount if requeue_pi() acquired the rtmutex
    - LP: #1542497
  * drm/radeon: clean up fujitsu quirks
    - LP: #1542497
  * mmc: sdio: Fix invalid vdd in voltage switch power cycle
    - LP: #1542497
  * mmc: sdhci: Fix sdhci_runtime_pm_bus_on/off()
    - LP: #1542497
  * udf: limit the maximum number of indirect extents in a row
    - LP: #1542497
  * nfs: Fix race in __update_open_stateid...

Changed in linux (Ubuntu Trusty):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :
Download full text (15.5 KiB)

This bug was fixed in the package linux-lts-utopic - 3.16.0-67.87~14.04.1

---------------
linux-lts-utopic (3.16.0-67.87~14.04.1) trusty; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1555847

  [ Florian Westphal ]

  * SAUCE: [nf,v2] netfilter: x_tables: don't rely on well-behaving
    userspace
    - LP: #1555338

linux-lts-utopic (3.16.0-66.86~14.04.1) trusty; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1555277

  [ Upstream Kernel Changes ]

  * Revert "drm/radeon: call hpd_irq_event on resume"
    - LP: #1554608

linux-lts-utopic (3.16.0-65.85~14.04.1) trusty; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1552352

  [ Upstream Kernel Changes ]

  * Revert "firmware: dmi_scan: Fix UUID endianness for SMBIOS >= 2.6"
    - LP: #1551419

linux-lts-utopic (3.16.0-64.84~14.04.1) trusty; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1550605

  [ Kamal Mostafa ]

  * Merged back 3.16.0-63.83~14.04.1

linux-lts-utopic (3.16.0-63.83~14.04.1) trusty; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1548934

  [ Dan Streetman ]

  * SAUCE: nbd: ratelimit error msgs after socket close
    - LP: #1505564

  [ Upstream Kernel Changes ]

  * Revert "workqueue: make sure delayed work run in local cpu"
    - LP: #1546320
  * drm/nouveau/nv46: Change mc subdev oclass from nv44 to nv4c
    - LP: #1543126
  * veth: don’t modify ip_summed; doing so treats packets with bad
    checksums as good.
    - LP: #1543126
  * sctp: sctp should release assoc when sctp_make_abort_user return NULL
    in sctp_close
    - LP: #1543126
  * connector: bump skb->users before callback invocation
    - LP: #1543126
  * unix: properly account for FDs passed over unix sockets
    - LP: #1543126
  * bridge: Only call /sbin/bridge-stp for the initial network namespace
    - LP: #1543126
  * vxlan: fix test which detect duplicate vxlan iface
    - LP: #1543126
  * net: sctp: prevent writes to cookie_hmac_alg from accessing invalid
    memory
    - LP: #1543126
  * tcp_yeah: don't set ssthresh below 2
    - LP: #1543126
  * bonding: Prevent IPv6 link local address on enslaved devices
    - LP: #1543126
  * phonet: properly unshare skbs in phonet_rcv()
    - LP: #1543126
  * net: bpf: reject invalid shifts
    - LP: #1543126
  * ipv6: update skb->csum when CE mark is propagated
    - LP: #1543126
  * team: Replace rcu_read_lock with a mutex in team_vlan_rx_kill_vid
    - LP: #1543126
  * xen-netback: respect user provided max_queues
    - LP: #1543126
  * xen-netfront: respect user provided max_queues
    - LP: #1543126
  * xen-netfront: print correct number of queues
    - LP: #1543126
  * xen-netfront: update num_queues to real created
    - LP: #1543126
  * sctp: Prevent soft lockup when sctp_accept() is called during a timeout
    event
    - LP: #1543126
  * sctp: convert sack_needed and sack_generation to bits
    - LP: #1543126
  * sctp: start t5 timer only when peer rwnd is 0 and local state is
    SHUTDOWN_PENDING
    - LP: #1543126
  * nfs: Fix unused variable error
    - LP: #1543126
  * [media] gspca: ov534/topro: prevent a division by 0
    - LP: #1543126
  * [me...

Changed in linux-lts-utopic (Ubuntu Trusty):
status: Fix Committed → Fix Released
Steve Beattie (sbeattie) on 2016-03-15
Changed in linux-lts-trusty (Ubuntu Precise):
status: New → Fix Released
importance: Undecided → High
Changed in linux-lts-trusty (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-trusty (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-trusty (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-wily (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-wily (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-wily (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-wily (Ubuntu Trusty):
status: New → Fix Released
importance: Undecided → High
Changed in linux-lts-quantal (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-quantal (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-quantal (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-quantal (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux (Ubuntu Precise):
importance: Critical → High
Changed in linux (Ubuntu Wily):
importance: Critical → High
Changed in linux (Ubuntu Trusty):
importance: Critical → High
Changed in linux-ti-omap4 (Ubuntu Precise):
status: New → Fix Released
importance: Undecided → High
Changed in linux-ti-omap4 (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-ti-omap4 (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-ti-omap4 (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-raring (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-raring (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-raring (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-raring (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-armadaxp (Ubuntu Precise):
importance: Critical → High
Changed in linux-armadaxp (Ubuntu Wily):
importance: Undecided → High
Changed in linux-armadaxp (Ubuntu Xenial):
importance: Undecided → High
Changed in linux-armadaxp (Ubuntu Trusty):
importance: Undecided → High
Changed in linux-lts-xenial (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-xenial (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-xenial (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-xenial (Ubuntu Trusty):
importance: Undecided → High
Changed in linux-lts-saucy (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-saucy (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-saucy (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-saucy (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-manta (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-manta (Ubuntu Wily):
importance: Undecided → High
Changed in linux-manta (Ubuntu Xenial):
importance: Undecided → High
Changed in linux-manta (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-vivid (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-vivid (Ubuntu Wily):
status: New → Invalid
Steve Beattie (sbeattie) on 2016-03-15
Changed in linux-lts-vivid (Ubuntu Wily):
importance: Undecided → High
Changed in linux-lts-vivid (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-vivid (Ubuntu Trusty):
status: New → Fix Released
importance: Undecided → High
Changed in linux-raspi2 (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-raspi2 (Ubuntu Wily):
importance: Undecided → High
Changed in linux-raspi2 (Ubuntu Xenial):
importance: Undecided → High
Changed in linux-raspi2 (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-mako (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-mako (Ubuntu Wily):
importance: Undecided → High
Changed in linux-mako (Ubuntu Xenial):
importance: Undecided → High
Changed in linux-mako (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-utopic (Ubuntu Precise):
importance: Undecided → High
Changed in linux-lts-utopic (Ubuntu Wily):
importance: Undecided → High
Changed in linux-lts-utopic (Ubuntu Xenial):
importance: Undecided → High
Changed in linux-lts-utopic (Ubuntu Trusty):
importance: Critical → High
Changed in linux-goldfish (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-goldfish (Ubuntu Wily):
importance: Undecided → High
Changed in linux-goldfish (Ubuntu Xenial):
importance: Undecided → High
Changed in linux-goldfish (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-flo (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-flo (Ubuntu Wily):
importance: Undecided → High
Changed in linux-flo (Ubuntu Xenial):
importance: Undecided → High
Changed in linux-flo (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-ti-omap4 (Ubuntu Vivid):
status: New → Invalid
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-armadaxp - 3.2.0-1664.88

---------------
linux-armadaxp (3.2.0-1664.88) precise; urgency=low

  [ Ike Panhc ]

  * Release Tracking Bug
    - LP: #1555919
  * Rebase to Ubuntu-3.2.0-101.141

  [ Ubuntu: 3.2.0-101.141 ]

  * Release Tracking Bug
    - LP: #1555809
  * SAUCE: [nf,v2] netfilter: x_tables: don't rely on well-behaving
    userspace
    - LP: #1555338

 -- Ike Panhc <email address hidden> Sat, 12 Mar 2016 10:40:37 +0800

Changed in linux-armadaxp (Ubuntu Precise):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-keystone - 3.13.0-53.78

---------------
linux-keystone (3.13.0-53.78) trusty; urgency=low

  [ Ike Panhc ]

  * Release Tracking Bug
    - LP: #1555956
  * Rebase to Ubuntu-3.13.0-83.127

  [ Ubuntu: 3.13.0-83.127 ]

  * Release Tracking Bug
    - LP: #1555839
  * SAUCE: [nf,v2] netfilter: x_tables: don't rely on well-behaving
    userspace
    - LP: #1555338

 -- Ike Panhc <email address hidden> Sat, 12 Mar 2016 10:03:08 +0800

Changed in linux-keystone (Ubuntu Trusty):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :
Download full text (7.0 KiB)

This bug was fixed in the package linux - 4.4.0-13.29

---------------
linux (4.4.0-13.29) xenial; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1556247

  * s390/mm: four page table levels vs. fork (LP: #1556141)
    - s390/mm: four page table levels vs. fork

  * [Hyper-V] network performance patches for Xenial 16.04 (LP: #1556037)
    - hv_netvsc: use skb_get_hash() instead of a homegrown implementation
    - hv_netvsc: cleanup netdev feature flags for netvsc

  * fails to boot on megaraid (LP: #1552903)
    - SAUCE: (noup) megaraid_sas: Don't issue kill adapter for MFI controllers in
      case of PD list DCMD failure

  * ALSA: hda - add codec support for Kabylake display audio codec (LP: #1556002)
    - ALSA: hda - add codec support for Kabylake display audio codec

  * Backport upstream bugfixes to ubuntu-16.04 (LP: #1555765)
    - cpufreq: powernv: Free 'chips' on module exit
    - cpufreq: powernv: Hot-plug safe the kworker thread
    - cpufreq: powernv: Remove cpu_to_chip_id() from hot-path
    - cpufreq: powernv/tracing: Add powernv_throttle tracepoint
    - cpufreq: powernv: Replace pr_info with trace print for throttle event
    - SAUCE: (noup) cpufreq: powernv: Fix bugs in powernv_cpufreq_{init/exit}

  * Linux netfilter IPT_SO_SET_REPLACE memory corruption (LP: #1555338)
    - SAUCE: [nf,v2] netfilter: x_tables: don't rely on well-behaving userspace

  * integer overflow in xt_alloc_table_info (LP: #1555353)
    - SAUCE: (noup) netfilter: x_tables: check for size overflow

  * linux: auto-generate the reconstruct information from the git tag (LP: #1555543)
    - [Packaging] reconstruct -- automatically reconstruct against base tag
    - [Config] reconstruct -- update to autoreconstruct output
    - [Packaging] reconstruct -- update when inserting final changes

  * Xenial update to v4.4.5 stable release (LP: #1555640)
    - use ->d_seq to get coherency between ->d_inode and ->d_flags
    - drivers: sh: Restore legacy clock domain on SuperH platforms
    - Btrfs: fix deadlock running delayed iputs at transaction commit time
    - btrfs: Fix no_space in write and rm loop
    - btrfs: async-thread: Fix a use-after-free error for trace
    - block: Initialize max_dev_sectors to 0
    - PCI: keystone: Fix MSI code that retrieves struct pcie_port pointer
    - parisc: Fix ptrace syscall number and return value modification
    - mips/kvm: fix ioctl error handling
    - kvm: x86: Update tsc multiplier on change.
    - fbcon: set a default value to blink interval
    - cifs: fix out-of-bounds access in lease parsing
    - CIFS: Fix SMB2+ interim response processing for read requests
    - Fix cifs_uniqueid_to_ino_t() function for s390x
    - vfio: fix ioctl error handling
    - KVM: x86: fix root cause for missed hardware breakpoints
    - arm/arm64: KVM: Fix ioctl error handling
    - iommu/amd: Apply workaround for ATS write permission check
    - iommu/amd: Fix boot warning when device 00:00.0 is not iommu covered
    - iommu/vt-d: Use BUS_NOTIFY_REMOVED_DEVICE in hotplug path
    - target: Fix WRITE_SAME/DISCARD conversion to linux 512b sectors
    - drm/ast: Fix incorrect register check for DRAM width
    - d...

Read more...

Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :
Download full text (7.0 KiB)

This bug was fixed in the package linux-lts-xenial - 4.4.0-13.29~14.04.1

---------------
linux-lts-xenial (4.4.0-13.29~14.04.1) trusty; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1556247

  * s390/mm: four page table levels vs. fork (LP: #1556141)
    - s390/mm: four page table levels vs. fork

  * [Hyper-V] network performance patches for Xenial 16.04 (LP: #1556037)
    - hv_netvsc: use skb_get_hash() instead of a homegrown implementation
    - hv_netvsc: cleanup netdev feature flags for netvsc

  * fails to boot on megaraid (LP: #1552903)
    - SAUCE: (noup) megaraid_sas: Don't issue kill adapter for MFI controllers in
      case of PD list DCMD failure

  * ALSA: hda - add codec support for Kabylake display audio codec (LP: #1556002)
    - ALSA: hda - add codec support for Kabylake display audio codec

  * Backport upstream bugfixes to ubuntu-16.04 (LP: #1555765)
    - cpufreq: powernv: Free 'chips' on module exit
    - cpufreq: powernv: Hot-plug safe the kworker thread
    - cpufreq: powernv: Remove cpu_to_chip_id() from hot-path
    - cpufreq: powernv/tracing: Add powernv_throttle tracepoint
    - cpufreq: powernv: Replace pr_info with trace print for throttle event
    - SAUCE: (noup) cpufreq: powernv: Fix bugs in powernv_cpufreq_{init/exit}

  * Linux netfilter IPT_SO_SET_REPLACE memory corruption (LP: #1555338)
    - SAUCE: [nf,v2] netfilter: x_tables: don't rely on well-behaving userspace

  * integer overflow in xt_alloc_table_info (LP: #1555353)
    - SAUCE: (noup) netfilter: x_tables: check for size overflow

  * linux: auto-generate the reconstruct information from the git tag (LP: #1555543)
    - [Packaging] reconstruct -- automatically reconstruct against base tag
    - [Config] reconstruct -- update to autoreconstruct output
    - [Packaging] reconstruct -- update when inserting final changes

  * Xenial update to v4.4.5 stable release (LP: #1555640)
    - use ->d_seq to get coherency between ->d_inode and ->d_flags
    - drivers: sh: Restore legacy clock domain on SuperH platforms
    - Btrfs: fix deadlock running delayed iputs at transaction commit time
    - btrfs: Fix no_space in write and rm loop
    - btrfs: async-thread: Fix a use-after-free error for trace
    - block: Initialize max_dev_sectors to 0
    - PCI: keystone: Fix MSI code that retrieves struct pcie_port pointer
    - parisc: Fix ptrace syscall number and return value modification
    - mips/kvm: fix ioctl error handling
    - kvm: x86: Update tsc multiplier on change.
    - fbcon: set a default value to blink interval
    - cifs: fix out-of-bounds access in lease parsing
    - CIFS: Fix SMB2+ interim response processing for read requests
    - Fix cifs_uniqueid_to_ino_t() function for s390x
    - vfio: fix ioctl error handling
    - KVM: x86: fix root cause for missed hardware breakpoints
    - arm/arm64: KVM: Fix ioctl error handling
    - iommu/amd: Apply workaround for ATS write permission check
    - iommu/amd: Fix boot warning when device 00:00.0 is not iommu covered
    - iommu/vt-d: Use BUS_NOTIFY_REMOVED_DEVICE in hotplug path
    - target: Fix WRITE_SAME/DISCARD conversion to linux 512b sectors
    - drm/ast: Fix incorrect...

Read more...

Changed in linux-lts-xenial (Ubuntu Trusty):
status: New → Fix Released
Steve Beattie (sbeattie) on 2016-03-17
Changed in linux-raspi2 (Ubuntu Wily):
status: New → Fix Released
Changed in linux-lts-xenial (Ubuntu Trusty):
status: Fix Released → New
status: New → Invalid
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-lts-xenial - 4.4.0-14.30~14.04.2

---------------
linux-lts-xenial (4.4.0-14.30~14.04.2) trusty; urgency=low

  * Release Tracking Bug (LP: #1558247)

  * Current 4.4 kernel won't boot on powerpc (LP: #1557130)
    - powerpc: Fix dedotify for binutils >= 2.26

  * ZFS: send fails to transmit some holes [corruption] (LP: #1557151)
    - Illumos 6370 - ZFS send fails to transmit some holes

  * Request to cherry-pick uvcvideo patch for Xenial kernel support of RealSense
    camera (LP: #1557138)
    - UVC: Add support for ds4 depth camera

  * use after free of task_struct->numa_faults in task_numa_find_cpu (LP: #1527643)
    - sched/numa: Fix use-after-free bug in the task_numa_compare

  * overlay fs regression: chmod fails with "Operation not permitted" on chowned
    files (LP: #1555997)
    - ovl: copy new uid/gid into overlayfs runtime inode

  * Miscellaneous Ubuntu changes
    - SAUCE: Dump stack when X.509 certificates cannot be loaded

 -- Brad Figg <email address hidden> Thu, 17 Mar 2016 09:18:22 -0700

Changed in linux-lts-xenial (Ubuntu Trusty):
status: Invalid → Fix Released
Steve Beattie (sbeattie) on 2016-04-19
Changed in linux-manta (Ubuntu Xenial):
status: New → Invalid
Steve Beattie (sbeattie) on 2016-04-19
Changed in linux-raspi2 (Ubuntu Xenial):
status: New → Invalid
Steve Beattie (sbeattie) on 2016-05-06
Changed in linux-snapdragon (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-snapdragon (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-snapdragon (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-snapdragon (Ubuntu Yakkety):
status: New → Invalid
importance: Undecided → High
Changed in linux-snapdragon (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Kamal Mostafa (kamalmostafa) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-trusty' to 'verification-done-trusty'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-trusty
tags: added: verification-needed-vivid
Kamal Mostafa (kamalmostafa) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-vivid' to 'verification-done-vivid'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-wily
Kamal Mostafa (kamalmostafa) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-wily' to 'verification-done-wily'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-xenial
Kamal Mostafa (kamalmostafa) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

Launchpad Janitor (janitor) wrote :
Download full text (26.2 KiB)

This bug was fixed in the package linux-snapdragon - 4.4.0-1019.22

---------------
linux-snapdragon (4.4.0-1019.22) xenial; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1595882

  [ Ubuntu: 4.4.0-28.47 ]

  * Linux netfilter local privilege escalation issues (LP: #1595350)
    - netfilter: x_tables: don't move to non-existent next rule
    - netfilter: x_tables: validate targets of jumps
    - netfilter: x_tables: add and use xt_check_entry_offsets
    - netfilter: x_tables: kill check_entry helper
    - netfilter: x_tables: assert minimum target size
    - netfilter: x_tables: add compat version of xt_check_entry_offsets
    - netfilter: x_tables: check standard target size too
    - netfilter: x_tables: check for bogus target offset
    - netfilter: x_tables: validate all offsets and sizes in a rule
    - netfilter: x_tables: don't reject valid target size on some architectures
    - netfilter: arp_tables: simplify translate_compat_table args
    - netfilter: ip_tables: simplify translate_compat_table args
    - netfilter: ip6_tables: simplify translate_compat_table args
    - netfilter: x_tables: xt_compat_match_from_user doesn't need a retval
    - netfilter: x_tables: do compat validation via translate_table
    - netfilter: x_tables: introduce and use xt_copy_counters_from_user
  * Linux netfilter IPT_SO_SET_REPLACE memory corruption (LP: #1555338)
    - netfilter: x_tables: validate e->target_offset early
    - netfilter: x_tables: make sure e->next_offset covers remaining blob size
    - netfilter: x_tables: fix unconditional helper

linux-snapdragon (4.4.0-1018.21) xenial; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1594929

  [ Ubuntu: 4.4.0-27.46 ]

  * Support Edge Gateway's Bluetooth LED (LP: #1512999)
    - Revert "UBUNTU: SAUCE: Bluetooth: Support for LED on Marvell modules"

linux-snapdragon (4.4.0-1017.20) xenial; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1594480

  [ Ubuntu: 4.4.0-26.45 ]

  * linux: Implement secure boot state variables (LP: #1593075)
    - SAUCE: UEFI: Add secure boot and MOK SB State disabled sysctl
  * failures building userspace packages that include ethtool.h (LP: #1592930)
    - ethtool.h: define INT_MAX for userland

linux-snapdragon (4.4.0-1016.19) xenial; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1591462

  [ Ubuntu: 4.4.0-25.44 ]

  * Xenial update to v4.4.13 stable release (LP: #1590455)
    - MIPS64: R6: R2 emulation bugfix
    - MIPS: math-emu: Fix jalr emulation when rd == $0
    - MIPS: MSA: Fix a link error on `_init_msa_upper' with older GCC
    - MIPS: Don't unwind to user mode with EVA
    - MIPS: Avoid using unwind_stack() with usermode
    - MIPS: Fix siginfo.h to use strict posix types
    - MIPS: Fix uapi include in exported asm/siginfo.h
    - MIPS: Fix watchpoint restoration
    - MIPS: Flush highmem pages in __flush_dcache_page
    - MIPS: Handle highmem pages in __update_cache
    - MIPS: Sync icache & dcache in set_pte_at
    - MIPS: ath79: make bootconsole wait for both THRE and TEMT
    - MIPS: Reserve nosave data for hibernation
    - MIPS: Loongson-3: Reserve 32MB for R...

Changed in linux-snapdragon (Ubuntu Yakkety):
status: Invalid → Fix Released
Launchpad Janitor (janitor) wrote :
Download full text (26.3 KiB)

This bug was fixed in the package linux-raspi2 - 4.4.0-1016.22

---------------
linux-raspi2 (4.4.0-1016.22) xenial; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1595881

  * Rebase against Ubuntu-4.4.0-28.47

  [ Ubuntu: 4.4.0-28.47 ]

  * Release Tracking Bug
    - LP: #1595874
  * Linux netfilter local privilege escalation issues (LP: #1595350)
    - netfilter: x_tables: don't move to non-existent next rule
    - netfilter: x_tables: validate targets of jumps
    - netfilter: x_tables: add and use xt_check_entry_offsets
    - netfilter: x_tables: kill check_entry helper
    - netfilter: x_tables: assert minimum target size
    - netfilter: x_tables: add compat version of xt_check_entry_offsets
    - netfilter: x_tables: check standard target size too
    - netfilter: x_tables: check for bogus target offset
    - netfilter: x_tables: validate all offsets and sizes in a rule
    - netfilter: x_tables: don't reject valid target size on some architectures
    - netfilter: arp_tables: simplify translate_compat_table args
    - netfilter: ip_tables: simplify translate_compat_table args
    - netfilter: ip6_tables: simplify translate_compat_table args
    - netfilter: x_tables: xt_compat_match_from_user doesn't need a retval
    - netfilter: x_tables: do compat validation via translate_table
    - netfilter: x_tables: introduce and use xt_copy_counters_from_user
  * Linux netfilter IPT_SO_SET_REPLACE memory corruption (LP: #1555338)
    - netfilter: x_tables: validate e->target_offset early
    - netfilter: x_tables: make sure e->next_offset covers remaining blob size
    - netfilter: x_tables: fix unconditional helper

linux-raspi2 (4.4.0-1015.19) xenial; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1594928

  [ Ubuntu: 4.4.0-27.46 ]

  * Support Edge Gateway's Bluetooth LED (LP: #1512999)
    - Revert "UBUNTU: SAUCE: Bluetooth: Support for LED on Marvell modules"

linux-raspi2 (4.4.0-1014.18) xenial; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1594478

  [ Ubuntu: 4.4.0-26.45 ]

  * linux: Implement secure boot state variables (LP: #1593075)
    - SAUCE: UEFI: Add secure boot and MOK SB State disabled sysctl
  * failures building userspace packages that include ethtool.h (LP: #1592930)
    - ethtool.h: define INT_MAX for userland

linux-raspi2 (4.4.0-1013.17) xenial; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1591461

  [ Ubuntu: 4.4.0-25.44 ]

  * Xenial update to v4.4.13 stable release (LP: #1590455)
    - MIPS64: R6: R2 emulation bugfix
    - MIPS: math-emu: Fix jalr emulation when rd == $0
    - MIPS: MSA: Fix a link error on `_init_msa_upper' with older GCC
    - MIPS: Don't unwind to user mode with EVA
    - MIPS: Avoid using unwind_stack() with usermode
    - MIPS: Fix siginfo.h to use strict posix types
    - MIPS: Fix uapi include in exported asm/siginfo.h
    - MIPS: Fix watchpoint restoration
    - MIPS: Flush highmem pages in __flush_dcache_page
    - MIPS: Handle highmem pages in __update_cache
    - MIPS: Sync icache & dcache in set_pte_at
    - MIPS: ath79: make bootconsole wait for both THRE and TEMT
    - MIPS: Reserve nosave...

Changed in linux-raspi2 (Ubuntu Xenial):
status: Invalid → Fix Released
Launchpad Janitor (janitor) wrote :
Download full text (26.3 KiB)

This bug was fixed in the package linux-raspi2 - 4.4.0-1016.22

---------------
linux-raspi2 (4.4.0-1016.22) xenial; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1595881

  * Rebase against Ubuntu-4.4.0-28.47

  [ Ubuntu: 4.4.0-28.47 ]

  * Release Tracking Bug
    - LP: #1595874
  * Linux netfilter local privilege escalation issues (LP: #1595350)
    - netfilter: x_tables: don't move to non-existent next rule
    - netfilter: x_tables: validate targets of jumps
    - netfilter: x_tables: add and use xt_check_entry_offsets
    - netfilter: x_tables: kill check_entry helper
    - netfilter: x_tables: assert minimum target size
    - netfilter: x_tables: add compat version of xt_check_entry_offsets
    - netfilter: x_tables: check standard target size too
    - netfilter: x_tables: check for bogus target offset
    - netfilter: x_tables: validate all offsets and sizes in a rule
    - netfilter: x_tables: don't reject valid target size on some architectures
    - netfilter: arp_tables: simplify translate_compat_table args
    - netfilter: ip_tables: simplify translate_compat_table args
    - netfilter: ip6_tables: simplify translate_compat_table args
    - netfilter: x_tables: xt_compat_match_from_user doesn't need a retval
    - netfilter: x_tables: do compat validation via translate_table
    - netfilter: x_tables: introduce and use xt_copy_counters_from_user
  * Linux netfilter IPT_SO_SET_REPLACE memory corruption (LP: #1555338)
    - netfilter: x_tables: validate e->target_offset early
    - netfilter: x_tables: make sure e->next_offset covers remaining blob size
    - netfilter: x_tables: fix unconditional helper

linux-raspi2 (4.4.0-1015.19) xenial; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1594928

  [ Ubuntu: 4.4.0-27.46 ]

  * Support Edge Gateway's Bluetooth LED (LP: #1512999)
    - Revert "UBUNTU: SAUCE: Bluetooth: Support for LED on Marvell modules"

linux-raspi2 (4.4.0-1014.18) xenial; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1594478

  [ Ubuntu: 4.4.0-26.45 ]

  * linux: Implement secure boot state variables (LP: #1593075)
    - SAUCE: UEFI: Add secure boot and MOK SB State disabled sysctl
  * failures building userspace packages that include ethtool.h (LP: #1592930)
    - ethtool.h: define INT_MAX for userland

linux-raspi2 (4.4.0-1013.17) xenial; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1591461

  [ Ubuntu: 4.4.0-25.44 ]

  * Xenial update to v4.4.13 stable release (LP: #1590455)
    - MIPS64: R6: R2 emulation bugfix
    - MIPS: math-emu: Fix jalr emulation when rd == $0
    - MIPS: MSA: Fix a link error on `_init_msa_upper' with older GCC
    - MIPS: Don't unwind to user mode with EVA
    - MIPS: Avoid using unwind_stack() with usermode
    - MIPS: Fix siginfo.h to use strict posix types
    - MIPS: Fix uapi include in exported asm/siginfo.h
    - MIPS: Fix watchpoint restoration
    - MIPS: Flush highmem pages in __flush_dcache_page
    - MIPS: Handle highmem pages in __update_cache
    - MIPS: Sync icache & dcache in set_pte_at
    - MIPS: ath79: make bootconsole wait for both THRE and TEMT
    - MIPS: Reserve nosave...

Changed in linux-raspi2 (Ubuntu Xenial):
status: Invalid → Fix Released
Launchpad Janitor (janitor) wrote :
Download full text (26.2 KiB)

This bug was fixed in the package linux-snapdragon - 4.4.0-1019.22

---------------
linux-snapdragon (4.4.0-1019.22) xenial; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1595882

  [ Ubuntu: 4.4.0-28.47 ]

  * Linux netfilter local privilege escalation issues (LP: #1595350)
    - netfilter: x_tables: don't move to non-existent next rule
    - netfilter: x_tables: validate targets of jumps
    - netfilter: x_tables: add and use xt_check_entry_offsets
    - netfilter: x_tables: kill check_entry helper
    - netfilter: x_tables: assert minimum target size
    - netfilter: x_tables: add compat version of xt_check_entry_offsets
    - netfilter: x_tables: check standard target size too
    - netfilter: x_tables: check for bogus target offset
    - netfilter: x_tables: validate all offsets and sizes in a rule
    - netfilter: x_tables: don't reject valid target size on some architectures
    - netfilter: arp_tables: simplify translate_compat_table args
    - netfilter: ip_tables: simplify translate_compat_table args
    - netfilter: ip6_tables: simplify translate_compat_table args
    - netfilter: x_tables: xt_compat_match_from_user doesn't need a retval
    - netfilter: x_tables: do compat validation via translate_table
    - netfilter: x_tables: introduce and use xt_copy_counters_from_user
  * Linux netfilter IPT_SO_SET_REPLACE memory corruption (LP: #1555338)
    - netfilter: x_tables: validate e->target_offset early
    - netfilter: x_tables: make sure e->next_offset covers remaining blob size
    - netfilter: x_tables: fix unconditional helper

linux-snapdragon (4.4.0-1018.21) xenial; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1594929

  [ Ubuntu: 4.4.0-27.46 ]

  * Support Edge Gateway's Bluetooth LED (LP: #1512999)
    - Revert "UBUNTU: SAUCE: Bluetooth: Support for LED on Marvell modules"

linux-snapdragon (4.4.0-1017.20) xenial; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1594480

  [ Ubuntu: 4.4.0-26.45 ]

  * linux: Implement secure boot state variables (LP: #1593075)
    - SAUCE: UEFI: Add secure boot and MOK SB State disabled sysctl
  * failures building userspace packages that include ethtool.h (LP: #1592930)
    - ethtool.h: define INT_MAX for userland

linux-snapdragon (4.4.0-1016.19) xenial; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1591462

  [ Ubuntu: 4.4.0-25.44 ]

  * Xenial update to v4.4.13 stable release (LP: #1590455)
    - MIPS64: R6: R2 emulation bugfix
    - MIPS: math-emu: Fix jalr emulation when rd == $0
    - MIPS: MSA: Fix a link error on `_init_msa_upper' with older GCC
    - MIPS: Don't unwind to user mode with EVA
    - MIPS: Avoid using unwind_stack() with usermode
    - MIPS: Fix siginfo.h to use strict posix types
    - MIPS: Fix uapi include in exported asm/siginfo.h
    - MIPS: Fix watchpoint restoration
    - MIPS: Flush highmem pages in __flush_dcache_page
    - MIPS: Handle highmem pages in __update_cache
    - MIPS: Sync icache & dcache in set_pte_at
    - MIPS: ath79: make bootconsole wait for both THRE and TEMT
    - MIPS: Reserve nosave data for hibernation
    - MIPS: Loongson-3: Reserve 32MB for R...

Changed in linux-snapdragon (Ubuntu Xenial):
status: Invalid → Fix Released
Launchpad Janitor (janitor) wrote :
Download full text (26.2 KiB)

This bug was fixed in the package linux-snapdragon - 4.4.0-1019.22

---------------
linux-snapdragon (4.4.0-1019.22) xenial; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1595882

  [ Ubuntu: 4.4.0-28.47 ]

  * Linux netfilter local privilege escalation issues (LP: #1595350)
    - netfilter: x_tables: don't move to non-existent next rule
    - netfilter: x_tables: validate targets of jumps
    - netfilter: x_tables: add and use xt_check_entry_offsets
    - netfilter: x_tables: kill check_entry helper
    - netfilter: x_tables: assert minimum target size
    - netfilter: x_tables: add compat version of xt_check_entry_offsets
    - netfilter: x_tables: check standard target size too
    - netfilter: x_tables: check for bogus target offset
    - netfilter: x_tables: validate all offsets and sizes in a rule
    - netfilter: x_tables: don't reject valid target size on some architectures
    - netfilter: arp_tables: simplify translate_compat_table args
    - netfilter: ip_tables: simplify translate_compat_table args
    - netfilter: ip6_tables: simplify translate_compat_table args
    - netfilter: x_tables: xt_compat_match_from_user doesn't need a retval
    - netfilter: x_tables: do compat validation via translate_table
    - netfilter: x_tables: introduce and use xt_copy_counters_from_user
  * Linux netfilter IPT_SO_SET_REPLACE memory corruption (LP: #1555338)
    - netfilter: x_tables: validate e->target_offset early
    - netfilter: x_tables: make sure e->next_offset covers remaining blob size
    - netfilter: x_tables: fix unconditional helper

linux-snapdragon (4.4.0-1018.21) xenial; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1594929

  [ Ubuntu: 4.4.0-27.46 ]

  * Support Edge Gateway's Bluetooth LED (LP: #1512999)
    - Revert "UBUNTU: SAUCE: Bluetooth: Support for LED on Marvell modules"

linux-snapdragon (4.4.0-1017.20) xenial; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1594480

  [ Ubuntu: 4.4.0-26.45 ]

  * linux: Implement secure boot state variables (LP: #1593075)
    - SAUCE: UEFI: Add secure boot and MOK SB State disabled sysctl
  * failures building userspace packages that include ethtool.h (LP: #1592930)
    - ethtool.h: define INT_MAX for userland

linux-snapdragon (4.4.0-1016.19) xenial; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1591462

  [ Ubuntu: 4.4.0-25.44 ]

  * Xenial update to v4.4.13 stable release (LP: #1590455)
    - MIPS64: R6: R2 emulation bugfix
    - MIPS: math-emu: Fix jalr emulation when rd == $0
    - MIPS: MSA: Fix a link error on `_init_msa_upper' with older GCC
    - MIPS: Don't unwind to user mode with EVA
    - MIPS: Avoid using unwind_stack() with usermode
    - MIPS: Fix siginfo.h to use strict posix types
    - MIPS: Fix uapi include in exported asm/siginfo.h
    - MIPS: Fix watchpoint restoration
    - MIPS: Flush highmem pages in __flush_dcache_page
    - MIPS: Handle highmem pages in __update_cache
    - MIPS: Sync icache & dcache in set_pte_at
    - MIPS: ath79: make bootconsole wait for both THRE and TEMT
    - MIPS: Reserve nosave data for hibernation
    - MIPS: Loongson-3: Reserve 32MB for R...

Changed in linux-snapdragon (Ubuntu Xenial):
status: Invalid → Fix Released
Launchpad Janitor (janitor) wrote :
Download full text (26.3 KiB)

This bug was fixed in the package linux-raspi2 - 4.4.0-1016.22

---------------
linux-raspi2 (4.4.0-1016.22) xenial; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1595881

  * Rebase against Ubuntu-4.4.0-28.47

  [ Ubuntu: 4.4.0-28.47 ]

  * Release Tracking Bug
    - LP: #1595874
  * Linux netfilter local privilege escalation issues (LP: #1595350)
    - netfilter: x_tables: don't move to non-existent next rule
    - netfilter: x_tables: validate targets of jumps
    - netfilter: x_tables: add and use xt_check_entry_offsets
    - netfilter: x_tables: kill check_entry helper
    - netfilter: x_tables: assert minimum target size
    - netfilter: x_tables: add compat version of xt_check_entry_offsets
    - netfilter: x_tables: check standard target size too
    - netfilter: x_tables: check for bogus target offset
    - netfilter: x_tables: validate all offsets and sizes in a rule
    - netfilter: x_tables: don't reject valid target size on some architectures
    - netfilter: arp_tables: simplify translate_compat_table args
    - netfilter: ip_tables: simplify translate_compat_table args
    - netfilter: ip6_tables: simplify translate_compat_table args
    - netfilter: x_tables: xt_compat_match_from_user doesn't need a retval
    - netfilter: x_tables: do compat validation via translate_table
    - netfilter: x_tables: introduce and use xt_copy_counters_from_user
  * Linux netfilter IPT_SO_SET_REPLACE memory corruption (LP: #1555338)
    - netfilter: x_tables: validate e->target_offset early
    - netfilter: x_tables: make sure e->next_offset covers remaining blob size
    - netfilter: x_tables: fix unconditional helper

linux-raspi2 (4.4.0-1015.19) xenial; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1594928

  [ Ubuntu: 4.4.0-27.46 ]

  * Support Edge Gateway's Bluetooth LED (LP: #1512999)
    - Revert "UBUNTU: SAUCE: Bluetooth: Support for LED on Marvell modules"

linux-raspi2 (4.4.0-1014.18) xenial; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1594478

  [ Ubuntu: 4.4.0-26.45 ]

  * linux: Implement secure boot state variables (LP: #1593075)
    - SAUCE: UEFI: Add secure boot and MOK SB State disabled sysctl
  * failures building userspace packages that include ethtool.h (LP: #1592930)
    - ethtool.h: define INT_MAX for userland

linux-raspi2 (4.4.0-1013.17) xenial; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1591461

  [ Ubuntu: 4.4.0-25.44 ]

  * Xenial update to v4.4.13 stable release (LP: #1590455)
    - MIPS64: R6: R2 emulation bugfix
    - MIPS: math-emu: Fix jalr emulation when rd == $0
    - MIPS: MSA: Fix a link error on `_init_msa_upper' with older GCC
    - MIPS: Don't unwind to user mode with EVA
    - MIPS: Avoid using unwind_stack() with usermode
    - MIPS: Fix siginfo.h to use strict posix types
    - MIPS: Fix uapi include in exported asm/siginfo.h
    - MIPS: Fix watchpoint restoration
    - MIPS: Flush highmem pages in __flush_dcache_page
    - MIPS: Handle highmem pages in __update_cache
    - MIPS: Sync icache & dcache in set_pte_at
    - MIPS: ath79: make bootconsole wait for both THRE and TEMT
    - MIPS: Reserve nosave...

Changed in linux-raspi2 (Ubuntu Yakkety):
status: Invalid → Fix Released
Seth Forshee (sforshee) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-precise' to 'verification-done-precise'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-precise
Seth Forshee (sforshee) on 2016-08-04
tags: added: verification-done-xenial
removed: verification-needed-xenial
tags: added: verification-done-precise verification-done-trusty verification-done-vivid verification-done-wily
removed: verification-needed-precise verification-needed-trusty verification-needed-vivid verification-needed-wily

This bug was nominated against a series that is no longer supported, ie vivid. The bug task representing the vivid nomination is being closed as Won't Fix.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux-flo (Ubuntu Vivid):
status: New → Won't Fix
Andy Whitcroft (apw) on 2017-10-17
Changed in linux-lts-quantal (Ubuntu Vivid):
status: New → Won't Fix
Andy Whitcroft (apw) on 2017-10-17
Changed in linux-lts-saucy (Ubuntu Vivid):
status: New → Won't Fix
Andy Whitcroft (apw) on 2017-10-17
Changed in linux-lts-trusty (Ubuntu Vivid):
status: New → Won't Fix
Andy Whitcroft (apw) on 2017-10-17
Changed in linux-lts-vivid (Ubuntu Vivid):
status: New → Won't Fix
Andy Whitcroft (apw) on 2017-10-17
Changed in linux-mako (Ubuntu Vivid):
status: New → Won't Fix
Andy Whitcroft (apw) on 2017-10-17
Changed in linux-raspi2 (Ubuntu Vivid):
status: New → Won't Fix
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers