Cosmic update to v4.18.8 stable release

Bug #1793069 reported by Seth Forshee on 2018-09-18
This bug affects 2 people
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Seth Forshee

Bug Description

SRU Justification

       The upstream process for stable tree updates is quite similar
       in scope to the Ubuntu SRU process, e.g., each patch has to
       demonstrably fix a bug, and each patch is vetted by upstream
       by originating either directly from a mainline/stable Linux tree or
       a minimally backported form of that patch. The v4.18.8 upstream stable
       patch set is now available. It should be included in the Ubuntu
       kernel as well.



       The following patches from the v4.18.8 stable release shall be applied:

act_ife: fix a potential use-after-free
ipv4: tcp: send zero IPID for RST and ACK sent in SYN-RECV and TIME-WAIT state
net: bcmgenet: use MAC link status for fixed phy
net: macb: do not disable MDIO bus at open/close time
net: sched: Fix memory exposure from short TCA_U32_SEL
qlge: Fix netdev features configuration.
r8169: add support for NCube 8168 network card
tcp: do not restart timewait timer on rst reception
vti6: remove !skb->ignore_df check from vti6_xmit()
act_ife: move tcfa_lock down to where necessary
act_ife: fix a potential deadlock
net: sched: action_ife: take reference to meta module
bnxt_en: Clean up unused functions.
bnxt_en: Do not adjust max_cp_rings by the ones used by RDMA.
net/sched: act_pedit: fix dump of extended layered op
tipc: fix a missing rhashtable_walk_exit()
hv_netvsc: Fix a deadlock by getting rtnl lock earlier in netvsc_probe()
tipc: fix the big/little endian issue in tipc_dest
sctp: remove useless start_fail from sctp_ht_iter in proc
erspan: set erspan_ver to 1 by default when adding an erspan dev
net: macb: Fix regression breaking non-MDIO fixed-link PHYs
ipv6: don't get lwtstate twice in ip6_rt_copy_init()
net/ipv6: init ip6 anycast rt->dst.input as ip6_input
net/ipv6: Only update MTU metric if it set
net/ipv6: Put lwtstate when destroying fib6_info
net/mlx5: Fix SQ offset in QPs with small RQ
r8169: set RxConfig after tx/rx is enabled for RTL8169sb/8110sb devices
Revert "net: stmmac: Do not keep rearming the coalesce timer in stmmac_xmit"
ip6_vti: fix creating fallback tunnel device for vti6
ip6_vti: fix a null pointer deference when destroy vti6 tunnel
nfp: wait for posted reconfigs when disabling the device
sctp: hold transport before accessing its asoc in sctp_transport_get_next
mlxsw: spectrum_switchdev: Do not leak RIFs when removing bridge
vhost: correctly check the iova range when waking virtqueue
hv_netvsc: ignore devices that are not PCI
cifs: check if SMB2 PDU size has been padded and suppress the warning
hfsplus: don't return 0 when fill_super() failed
hfs: prevent crash on exit from failed search
sunrpc: Don't use stack buffer with scatterlist
fork: don't copy inconsistent signal handler state to child
fs/proc/vmcore.c: hide vmcoredd_mmap_dumps() for nommu builds
reiserfs: change j_timestamp type to time64_t
iommu/rockchip: Handle errors returned from PM framework
hfsplus: fix NULL dereference in hfsplus_lookup()
iommu/rockchip: Move irq request past pm_runtime_enable
fs/proc/kcore.c: use __pa_symbol() for KCORE_TEXT list entries
fat: validate ->i_start before using
workqueue: skip lockdep wq dependency in cancel_work_sync()
workqueue: re-add lockdep dependencies for flushing
scripts: modpost: check memory allocation results
apparmor: fix an error code in __aa_create_ns()
virtio: pci-legacy: Validate queue pfn
x86/mce: Add notifier_block forward declaration
i2c: core: ACPI: Make acpi_gsb_i2c_read_bytes() check i2c_transfer return value
IB/hfi1: Invalid NUMA node information can cause a divide by zero
pwm: meson: Fix mux clock names
powerpc/topology: Get topology for shared processors at boot
mm/fadvise.c: fix signed overflow UBSAN complaint
mm: make DEFERRED_STRUCT_PAGE_INIT explicitly depend on SPARSEMEM
fs/dcache.c: fix kmemcheck splat at take_dentry_name_snapshot()
platform/x86: intel_punit_ipc: fix build errors
bpf, sockmap: fix map elem deletion race with smap_stop_sock
tcp, ulp: fix leftover icsk_ulp_ops preventing sock from reattach
bpf, sockmap: fix sock_map_ctx_update_elem race with exist/noexist
net/xdp: Fix suspicious RCU usage warning
bpf, sockmap: fix leakage of smap_psock_map_entry
samples/bpf: all XDP samples should unload xdp/bpf prog on SIGTERM
netfilter: ip6t_rpfilter: set F_IFACE for linklocal addresses
s390/kdump: Fix memleak in nt_vmcoreinfo
ipvs: fix race between ip_vs_conn_new() and ip_vs_del_dest()
mfd: sm501: Set coherent_dma_mask when creating subdevices
netfilter: x_tables: do not fail xt_alloc_table_info too easilly
platform/x86: asus-nb-wmi: Add keymap entry for lid flip action on UX360
netfilter: fix memory leaks on netlink_dump_start error
tcp, ulp: add alias for all ulp modules
ubi: Initialize Fastmap checkmapping correctly
RDMA/hns: Fix usage of bitmap allocation functions return values
ACPICA: ACPICA: add status check for acpi_hw_read before assigning return value
perf arm spe: Fix uninitialized record error variable
net: hns3: Fix for command format parsing error in hclge_is_all_function_id_zero
block: don't warn for flush on read-only device
PCI: Match Root Port's MPS to endpoint's MPSS as necessary
drm/amd/display: Guard against null crtc in CRC IRQ
coccicheck: return proper error code on fail
perf tools: Check for null when copying nsinfo.
f2fs: avoid race between zero_range and background GC
f2fs: fix avoid race between truncate and background GC
RISC-V: Use KBUILD_CFLAGS instead of KCFLAGS when building the vDSO
irqchip/stm32: Fix init error handling
irqchip/bcm7038-l1: Hide cpu offline callback when building for !SMP
net/9p/trans_fd.c: fix race by holding the lock
net/9p: fix error path of p9_virtio_probe
f2fs: fix to clear PG_checked flag in set_page_dirty()
pinctrl: axp209: Fix NULL pointer dereference after allocation
bpf: fix bpffs non-array map seq_show issue
powerpc/uaccess: Enable get_user(u64, *p) on 32-bit
powerpc: Fix size calculation using resource_size()
perf probe powerpc: Fix trace event post-processing
block: bvec_nr_vecs() returns value for wrong slab
brcmfmac: fix brcmf_wiphy_wowl_params() NULL pointer dereference
s390/dasd: fix hanging offline processing due to canceled worker
s390/dasd: fix panic for failed online processing
ACPI / scan: Initialize status to ACPI_STA_DEFAULT
blk-mq: count the hctx as active before allocating tag
scsi: aic94xx: fix an error code in aic94xx_init()
NFSv4: Fix error handling in nfs4_sp4_select_mode()
Input: do not use WARN() in input_alloc_absinfo()
xen/balloon: fix balloon initialization for PVH Dom0
PCI: mvebu: Fix I/O space end address calculation
dm kcopyd: avoid softlockup in run_complete_job
staging: comedi: ni_mio_common: fix subdevice flags for PFI subdevice
ASoC: rt5677: Fix initialization of
iommu/omap: Fix cache flushes on L2 table entries
selftests/powerpc: Kill child processes on SIGINT
selinux: cleanup dentry and inodes on error in selinuxfs
RDS: IB: fix 'passing zero to ERR_PTR()' warning
cfq: Suppress compiler warnings about comparisons
smb3: fix reset of bytes read and written stats
CIFS: fix memory leak and remove dead code
SMB3: Number of requests sent should be displayed for SMB3 not just CIFS
smb3: if server does not support posix do not allow posix mount option
powerpc/platforms/85xx: fix t1042rdb_diu.c build errors & warning
powerpc/64s: Make rfi_flush_fallback a little more robust
um: fix parallel building with O= option
powerpc/pseries: Avoid using the size greater than RTAS_ERROR_LOG_MAX.
clk: rockchip: Add pclk_rkpwm_pmu to PMU critical clocks in rk3399
drm/amd/display: Read back max backlight value at boot
KVM: vmx: track host_state.loaded using a loaded_vmcs pointer
kvm: nVMX: Fix fault vector for VMX operation at CPL > 0
drm/etnaviv: fix crash in GPU suspend when init failed due to buffer placement
btrfs: Exit gracefully when chunk map cannot be inserted to the tree
btrfs: replace: Reset on-disk dev stats value after replace
btrfs: fix in-memory value of total_devices after seed device deletion
btrfs: relocation: Only remove reloc rb_trees if reloc control has been initialized
btrfs: tree-checker: Detect invalid and empty essential trees
btrfs: check-integrity: Fix NULL pointer dereference for degraded mount
btrfs: lift uuid_mutex to callers of btrfs_open_devices
btrfs: Don't remove block group that still has pinned down bytes
btrfs: Fix a C compliance issue
arm64: rockchip: Force CONFIG_PM on Rockchip systems
ARM: rockchip: Force CONFIG_PM on Rockchip systems
btrfs: do btrfs_free_stale_devices outside of device_list_add
btrfs: extend locked section when adding a new device in device_list_add
btrfs: rename local devices for fs_devices in btrfs_free_stale_devices(
btrfs: use device_list_mutex when removing stale devices
btrfs: lift uuid_mutex to callers of btrfs_scan_one_device
btrfs: lift uuid_mutex to callers of btrfs_parse_early_options
btrfs: reorder initialization before the mount locks uuid_mutex
btrfs: fix mount and ioctl device scan ioctl race
drm/i915/lpe: Mark LPE audio runtime pm as "no callbacks"
drm/i915: Nuke the LVDS lid notifier
drm/i915: Increase LSPCON timeout
drm/i915: Free write_buf that we allocated with kzalloc.
drm/amdgpu: update uvd_v6_0_ring_vm_funcs to use new nop packet
drm/amdgpu: fix a reversed condition
drm/amdgpu: Fix RLC safe mode test in gfx_v9_0_enter_rlc_safe_mode
drm/amd/pp: Convert voltage unit in mV*4 to mV on CZ/ST
drm/amd/powerplay: fixed uninitialized value
drm/amd/pp/Polaris12: Fix a chunk of registers missed to program
drm/edid: Quirk Vive Pro VR headset non-desktop.
drm/edid: Add 6 bpc quirk for SDC panel in Lenovo B50-80
drm/amd/display: fix type of variable
drm/amd/display: Don't share clk source between DP and HDMI
drm/amd/display: update clk for various HDMI color depths
drm/amd/display: Use requested HDMI aspect ratio
drm/amd/display: Report non-DP display as disconnected without EDID
drm/rockchip: lvds: add missing of_node_put
drm/rockchip: vop: split out core clock enablement into separate functions
drm/rockchip: vop: fix irq disabled after vop driver probed
drm/amd/display: Pass connector id when executing VBIOS CT
drm/amd/display: Check if clock source in use before disabling
drm/amdgpu: update tmr mc address
drm/amdgpu:add tmr mc address into amdgpu_firmware_info
drm/amdgpu:add new firmware id for VCN
drm/amdgpu:add VCN support in PSP driver
drm/amdgpu:add VCN booting with firmware loaded by PSP
drm/amdgpu: fix incorrect use of fcheck
drm/amdgpu: fix incorrect use of drm_file->pid
drm/i915: Re-apply "Perform link quality check, unconditionally during long pulse"
uapi/linux/keyctl.h: don't use C++ reserved keyword as a struct member name
mm: respect arch_dup_mmap() return value
drm/i915: set DP Main Stream Attribute for color range on DDI platforms
x86/tsc: Prevent result truncation on 32bit
drm/amdgpu: Keep track of amount of pinned CPU visible VRAM
drm/amdgpu: Make pin_size values atomic
drm/amdgpu: Warn and update pin_size values when destroying a pinned BO
drm/amdgpu: Don't warn on destroying a pinned BO
debugobjects: Make stack check warning more informative
x86/pae: use 64 bit atomic xchg function in native_ptep_get_and_clear
x86/xen: don't write ptes directly in 32-bit PV guests
kbuild: make missing $DEPMOD a Warning instead of an Error
kvm: x86: Set highest physical address bits in non-present/reserved SPTEs
x86: kvm: avoid unused variable warning
HID: redragon: fix num lock and caps lock LEDs
ASoC: wm8994: Fix missing break in switch
Linux 4.18.8

       The following patches from the v4.18.8 stable release shall be applied:

r8152: disable RX aggregation on new Dell TB16 dock
net: hns3: Fix for phy link issue when using marvell phy driver

CVE References

Seth Forshee (sforshee) on 2018-09-18
tags: added: kernel-stable-tracking-bug
Changed in linux (Ubuntu):
assignee: nobody → Seth Forshee (sforshee)
importance: Undecided → Medium
status: New → In Progress
description: updated
Seth Forshee (sforshee) on 2018-09-18
description: updated
Seth Forshee (sforshee) on 2018-09-18
Changed in linux (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :
Download full text (60.2 KiB)

This bug was fixed in the package linux - 4.18.0-9.10

linux (4.18.0-9.10) cosmic; urgency=medium

  * linux: 4.18.0-9.10 -proposed tracker (LP: #1796346)

  * Cosmic update: v4.18.12 upstream stable release (LP: #1796139)
    - crypto: skcipher - Fix -Wstringop-truncation warnings
    - iio: adc: ina2xx: avoid kthread_stop() with stale task_struct
    - tsl2550: fix lux1_input error in low light
    - misc: ibmvmc: Use GFP_ATOMIC under spin lock
    - vmci: type promotion bug in qp_host_get_user_memory()
    - siox: don't create a thread without starting it
    - x86/numa_emulation: Fix emulated-to-physical node mapping
    - staging: rts5208: fix missing error check on call to rtsx_write_register
    - power: supply: axp288_charger: Fix initial constant_charge_current value
    - misc: sram: enable clock before registering regions
    - serial: sh-sci: Stop RX FIFO timer during port shutdown
    - uwb: hwa-rc: fix memory leak at probe
    - power: vexpress: fix corruption in notifier registration
    - iommu/amd: make sure TLB to be flushed before IOVA freed
    - Bluetooth: Add a new Realtek 8723DE ID 0bda:b009
    - USB: serial: kobil_sct: fix modem-status error handling
    - 6lowpan: iphc: reset mac_header after decompress to fix panic
    - iommu/msm: Don't call iommu_device_{,un}link from atomic context
    - s390/mm: correct allocate_pgste proc_handler callback
    - power: remove possible deadlock when unregistering power_supply
    - drm/amd/display/dc/dce: Fix multiple potential integer overflows
    - drm/amd/display: fix use of uninitialized memory
    - md-cluster: clear another node's suspend_area after the copy is finished
    - cxgb4: Fix the condition to check if the card is T5
    - RDMA/bnxt_re: Fix a couple off by one bugs
    - RDMA/i40w: Hold read semaphore while looking after VMA
    - RDMA/bnxt_re: Fix a bunch of off by one bugs in qplib_fp.c
    - IB/core: type promotion bug in rdma_rw_init_one_mr()
    - media: exynos4-is: Prevent NULL pointer dereference in __isp_video_try_fmt()
    - IB/mlx4: Test port number before querying type.
    - powerpc/kdump: Handle crashkernel memory reservation failure
    - media: fsl-viu: fix error handling in viu_of_probe()
    - vhost_net: Avoid tx vring kicks during busyloop
    - media: staging/imx: fill vb2_v4l2_buffer field entry
    - IB/mlx5: Fix GRE flow specification
    - include/rdma/opa_addr.h: Fix an endianness issue
    - x86/tsc: Add missing header to tsc_msr.c
    - ARM: hwmod: RTC: Don't assume lock/unlock will be called with irq enabled
    - x86/entry/64: Add two more instruction suffixes
    - ARM: dts: ls1021a: Add missing cooling device properties for CPUs
    - scsi: target/iscsi: Make iscsit_ta_authentication() respect the output
      buffer size
    - thermal: i.MX: Allow thermal probe to fail gracefully in case of bad
    - scsi: klist: Make it safe to use klists in atomic context
    - scsi: ibmvscsi: Improve strings handling
    - scsi: target: Avoid that EXTENDED COPY commands trigger lock inversion
    - usb: wusbcore: security: cast sizeof to int for comparison
    - ath10k: sdio: use same endpoint id for all packets...

Changed in linux (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers