Xenial update to 4.4.133 stable release

Bug #1775477 reported by Stefan Bader on 2018-06-06
This bug affects 2 people
Affects: linux (Ubuntu)

Bug Description

SRU Justification

The upstream process for stable tree updates is quite similar
in scope to the Ubuntu SRU process, e.g., each patch has to
demonstrably fix a bug, and each patch is vetted by upstream
by originating either directly from a mainline/stable Linux tree or
a minimally backported form of that patch. The 4.4.133 upstream stable
patch set is now available. It should be included in the Ubuntu
kernel as well.

The following patches from the 4.4.133 stable release shall be applied:
* 8139too: Use disable_irq_nosync() in rtl8139_poll_controller()
* bridge: check iface upper dev when setting master via ioctl
* dccp: fix tasklet usage
* ipv4: fix memory leaks in udp_sendmsg, ping_v4_sendmsg
* llc: better deal with too small mtu
* net: ethernet: sun: niu set correct packet size in skb
* net/mlx4_en: Verify coalescing parameters are in range
* net_sched: fq: take care of throttled flows before reuse
* net: support compat 64-bit time in {s,g}etsockopt
* openvswitch: Don't swap table in nlattr_set() after OVS_ATTR_NESTED is found
* qmi_wwan: do not steal interfaces from class drivers
* r8169: fix powering up RTL8168h
* sctp: handle two v4 addrs comparison in sctp_inet6_cmp_addr
* sctp: use the old asoc when making the cookie-ack chunk in dupcook_d
* tg3: Fix vunmap() BUG_ON() triggered from tg3_free_consistent().
* bonding: do not allow rlb updates to invalid mac
* tcp: ignore Fast Open on repair mode
* sctp: fix the issue that the cookie-ack with auth can't get processed
* sctp: delay the authentication for the duplicated cookie-echo chunk
* ALSA: timer: Call notifier in the same spinlock
* audit: move calcs after alloc and check when logging set loginuid
* arm64: introduce mov_q macro to move a constant into a 64-bit register
* arm64: Add work around for Arm Cortex-A55 Erratum 1024718
* futex: Remove unnecessary warning from get_futex_key
* futex: Remove duplicated code and fix undefined behaviour
* xfrm: fix xfrm_do_migrate() with AEAD e.g(AES-GCM)
* lockd: lost rollback of set_grace_period() in lockd_down_net()
* Revert "ARM: dts: imx6qdl-wandboard: Fix audio channel swap"
* l2tp: revert "l2tp: fix missing print session offset info"
* pipe: cap initial pipe capacity according to pipe-max-size limit
* futex: futex_wake_op, fix sign_extend32 sign bits
* kernel/exit.c: avoid undefined behaviour when calling wait4()
* usbip: usbip_host: refine probe and disconnect debug msgs to be useful
* usbip: usbip_host: delete device from busid_table after rebind
* usbip: usbip_host: run rebind from exit when module is removed
* usbip: usbip_host: fix NULL-ptr deref and use-after-free errors
* usbip: usbip_host: fix bad unlock balance during stub_probe()
* ALSA: usb: mixer: volume quirk for CM102-A+/102S+
* ALSA: hda: Add Lenovo C50 All in one to the power_save blacklist
* ALSA: control: fix a redundant-copy issue
* spi: pxa2xx: Allow 64-bit DMA
* powerpc/powernv: panic() on OPAL < V3
* powerpc/powernv: Remove OPALv2 firmware define and references
* powerpc/powernv: remove FW_FEATURE_OPALv3 and just use FW_FEATURE_OPAL
* cpuidle: coupled: remove unused define cpuidle_coupled_lock
* powerpc: Don't preempt_disable() in show_cpuinfo()
* vmscan: do not force-scan file lru if its absolute size is small
* mm: filemap: remove redundant code in do_read_cache_page
* mm: filemap: avoid unnecessary calls to lock_page when waiting for IO to complete
  during a read
* signals: avoid unnecessary taking of sighand->siglock
* tracing/x86/xen: Remove zero data size trace events trace_xen_mmu_flush_tlb{_all}
* proc read mm's {arg,env}_{start,end} with mmap semaphore taken.
* powerpc/powernv: Fix NVRAM sleep in invalid context when crashing
* mm: don't allow deferred pages with NEED_PER_CPU_KM
* s390/qdio: fix access to uninitialized qdio_q fields
* s390/qdio: don't release memory in qdio_setup_irq()
* s390: remove indirect branch from do_softirq_own_stack
* efi: Avoid potential crashes, fix the 'struct efi_pci_io_protocol_32' definition
  for mixed mode
* ARM: 8771/1: kprobes: Prohibit kprobes on do_undefinstr
* tick/broadcast: Use for_each_cpu() specially on UP kernels
* ARM: 8769/1: kprobes: Fix to use get_kprobe_ctlblk after irq-disabed
* ARM: 8770/1: kprobes: Prohibit probing on optimized_callback
* ARM: 8772/1: kprobes: Prohibit kprobes on get_user functions
* Btrfs: fix xattr loss after power failure
* btrfs: fix crash when trying to resume balance without the resume flag
* btrfs: fix reading stale metadata blocks after degraded raid1 mounts
* net: test tailroom before appending to linear skb
* packet: in packet_snd start writing at link layer allocation
* sock_diag: fix use-after-free read in __sk_free
* tcp: purge write queue in tcp_connect_init()
* ext2: fix a block leak
* s390: add assembler macros for CPU alternatives
* s390: move expoline assembler macros to a header
* s390/lib: use expoline for indirect branches
* s390/kernel: use expoline for indirect branches
* s390: move spectre sysfs attribute code
* s390: extend expoline to BC instructions
* s390: use expoline thunks in the BPF JIT
* scsi: libsas: defer ata device eh commands to libata
* scsi: sg: allocate with __GFP_ZERO in sg_build_indirect()
* scsi: zfcp: fix infinite iteration on ERP ready list
* dmaengine: ensure dmaengine helpers check valid callback
* time: Fix CLOCK_MONOTONIC_RAW sub-nanosecond accounting
* gpio: rcar: Add Runtime PM handling for interrupts
* cfg80211: limit wiphy names to 128 bytes
* hfsplus: stop workqueue when fill_super() failed
* x86/kexec: Avoid double free_page() upon do_kexec_load() failure
* Linux 4.4.133

Stefan Bader (smb) on 2018-06-06
tags: added: kernel-stable-tracking-bug
Stefan Bader (smb) wrote :

* arm64: Add work around for Arm Cortex-A55 Erratum 1024718
  -> needed some backport which should be sanity checked
* proc: meminfo: estimate available memory more conservatively
  -> the conversion done was silently added when backporting
  mm/page_alloc.c: calculate 'available' memory in a separate function
* cpufreq: intel_pstate: Enable HWP by default
  -> already applied for bug 1674390
* procfs: fix pthread cross-thread naming if !PR_DUMPABLE
  -> already applied for bug 1690225
* s390/cpum_sf: ensure sample frequency of perf event attributes is non-zero
  -> already applied for bug 1772593

Stefan Bader (smb) on 2018-06-07
description: updated
Changed in linux (Ubuntu Xenial):
importance: Undecided → Medium
status: New → In Progress
Changed in linux (Ubuntu):
status: New → Invalid
Changed in linux (Ubuntu Xenial):
status: In Progress → Fix Committed
Simon Arlott (sa.me.uk) wrote :

4.4.131 includes "sctp: do not check port in sctp_inet6_cmp_addr", which breaks combined AF_INET and AF_INET6 support in SCTP; it should be fixed in 4.4.133 with "sctp: handle two v4 addrs comparison in sctp_inet6_cmp_addr".

Stefan Bader (smb) wrote :

This (including stable up to 4.4.134) should be fixed in the current cycle: kernel version 4.4.0-129.155 or higher.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.4.0-130.156

linux (4.4.0-130.156) xenial; urgency=medium

  * linux: 4.4.0-130.156 -proposed tracker (LP: #1776822)

  * CVE-2018-3665 (x86)
    - x86/fpu: Fix early FPU command-line parsing
    - x86/fpu: Fix 'no387' regression
    - x86/fpu: Disable MPX when eagerfpu is off
    - x86/fpu: Default eagerfpu=on on all CPUs
    - x86/fpu: Fix FNSAVE usage in eagerfpu mode
    - x86/fpu: Fix math emulation in eager fpu mode
    - x86/fpu: Fix eager-FPU handling on legacy FPU machines

linux (4.4.0-129.155) xenial; urgency=medium

  * linux: 4.4.0-129.155 -proposed tracker (LP: #1776352)

  * Xenial update to 4.4.134 stable release (LP: #1775771)
    - MIPS: ptrace: Expose FIR register through FP regset
    - MIPS: Fix ptrace(2) PTRACE_PEEKUSR and PTRACE_POKEUSR accesses to o32 FGRs
    - KVM: Fix spelling mistake: "cop_unsuable" -> "cop_unusable"
    - affs_lookup(): close a race with affs_remove_link()
    - aio: fix io_destroy(2) vs. lookup_ioctx() race
    - ALSA: timer: Fix pause event notification
    - mmc: sdhci-iproc: fix 32bit writes for TRANSFER_MODE register
    - libata: Blacklist some Sandisk SSDs for NCQ
    - libata: blacklist Micron 500IT SSD with MU01 firmware
    - xen-swiotlb: fix the check condition for xen_swiotlb_free_coherent
    - Revert "ipc/shm: Fix shmat mmap nil-page protection"
    - ipc/shm: fix shmat() nil address after round-down when remapping
    - kasan: fix memory hotplug during boot
    - kernel/sys.c: fix potential Spectre v1 issue
    - kernel/signal.c: avoid undefined behaviour in kill_something_info
    - xfs: remove racy hasattr check from attr ops
    - do d_instantiate/unlock_new_inode combinations safely
    - firewire-ohci: work around oversized DMA reads on JMicron controllers
    - NFSv4: always set NFS_LOCK_LOST when a lock is lost.
    - ALSA: hda - Use IS_REACHABLE() for dependency on input
    - ASoC: au1x: Fix timeout tests in au1xac97c_ac97_read()
    - kvm: x86: fix KVM_XEN_HVM_CONFIG ioctl
    - tracing/hrtimer: Fix tracing bugs by taking all clock bases and modes into
    - PCI: Add function 1 DMA alias quirk for Marvell 9128
    - tools lib traceevent: Simplify pointer print logic and fix %pF
    - perf callchain: Fix attr.sample_max_stack setting
    - tools lib traceevent: Fix get_field_str() for dynamic strings
    - dm thin: fix documentation relative to low water mark threshold
    - nfs: Do not convert nfs_idmap_cache_timeout to jiffies
    - watchdog: sp5100_tco: Fix watchdog disable bit
    - kconfig: Don't leak main menus during parsing
    - kconfig: Fix automatic menu creation mem leak
    - kconfig: Fix expr_free() E_NOT leak
    - ipmi/powernv: Fix error return code in ipmi_powernv_probe()
    - Btrfs: set plug for fsync
    - btrfs: Fix out of bounds access in btrfs_search_slot
    - Btrfs: fix scrub to repair raid6 corruption
    - scsi: fas216: fix sense buffer initialization
    - HID: roccat: prevent an out of bounds read in kovaplus_profile_activated()
    - jffs2: Fix use-after-free bug in jffs2_iget()'s error handling path
    - powerpc/numa: Use ibm,max-associativity-domains to discover possib...

Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released