Cosmic update: v4.18.12 upstream stable release

Bug #1796139 reported by Seth Forshee on 2018-10-04
18
This bug affects 2 people
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Medium
Seth Forshee
Cosmic
Medium
Seth Forshee

Bug Description

SRU Justification

    Impact:
       The upstream process for stable tree updates is quite similar
       in scope to the Ubuntu SRU process, e.g., each patch has to
       demonstrably fix a bug, and each patch is vetted by upstream
       by originating either directly from a mainline/stable Linux tree or
       a minimally backported form of that patch. The following upstream
       stable patches should be included in the Ubuntu kernel:

       v4.18.12 upstream stable release
       from git://git.kernel.org/

       The following patches from the v4.18.12 stable release shall be applied:

crypto: skcipher - Fix -Wstringop-truncation warnings
iio: adc: ina2xx: avoid kthread_stop() with stale task_struct
tsl2550: fix lux1_input error in low light
misc: ibmvmc: Use GFP_ATOMIC under spin lock
vmci: type promotion bug in qp_host_get_user_memory()
siox: don't create a thread without starting it
x86/numa_emulation: Fix emulated-to-physical node mapping
staging: rts5208: fix missing error check on call to rtsx_write_register
power: supply: axp288_charger: Fix initial constant_charge_current value
misc: sram: enable clock before registering regions
serial: sh-sci: Stop RX FIFO timer during port shutdown
uwb: hwa-rc: fix memory leak at probe
power: vexpress: fix corruption in notifier registration
iommu/amd: make sure TLB to be flushed before IOVA freed
Bluetooth: Add a new Realtek 8723DE ID 0bda:b009
USB: serial: kobil_sct: fix modem-status error handling
6lowpan: iphc: reset mac_header after decompress to fix panic
iommu/msm: Don't call iommu_device_{,un}link from atomic context
s390/mm: correct allocate_pgste proc_handler callback
power: remove possible deadlock when unregistering power_supply
drm/amd/display/dc/dce: Fix multiple potential integer overflows
drm/amd/display: fix use of uninitialized memory
md-cluster: clear another node's suspend_area after the copy is finished
cxgb4: Fix the condition to check if the card is T5
RDMA/bnxt_re: Fix a couple off by one bugs
RDMA/i40w: Hold read semaphore while looking after VMA
RDMA/bnxt_re: Fix a bunch of off by one bugs in qplib_fp.c
IB/core: type promotion bug in rdma_rw_init_one_mr()
media: exynos4-is: Prevent NULL pointer dereference in __isp_video_try_fmt()
IB/mlx4: Test port number before querying type.
powerpc/kdump: Handle crashkernel memory reservation failure
media: fsl-viu: fix error handling in viu_of_probe()
vhost_net: Avoid tx vring kicks during busyloop
media: staging/imx: fill vb2_v4l2_buffer field entry
IB/mlx5: Fix GRE flow specification
include/rdma/opa_addr.h: Fix an endianness issue
x86/tsc: Add missing header to tsc_msr.c
ARM: hwmod: RTC: Don't assume lock/unlock will be called with irq enabled
x86/entry/64: Add two more instruction suffixes
ARM: dts: ls1021a: Add missing cooling device properties for CPUs
scsi: target/iscsi: Make iscsit_ta_authentication() respect the output buffer size
thermal: i.MX: Allow thermal probe to fail gracefully in case of bad calibration.
scsi: klist: Make it safe to use klists in atomic context
scsi: ibmvscsi: Improve strings handling
scsi: target: Avoid that EXTENDED COPY commands trigger lock inversion
usb: wusbcore: security: cast sizeof to int for comparison
ath10k: sdio: use same endpoint id for all packets in a bundle
ath10k: sdio: set skb len for all rx packets
powerpc/powernv/ioda2: Reduce upper limit for DMA window size
platform/x86: asus-wireless: Fix uninitialized symbol usage
ACPI / button: increment wakeup count only when notified
s390/sysinfo: add missing #ifdef CONFIG_PROC_FS
alarmtimer: Prevent overflow for relative nanosleep
s390/dasd: correct numa_node in dasd_alloc_queue
s390/scm_blk: correct numa_node in scm_blk_dev_setup
s390/extmem: fix gcc 8 stringop-overflow warning
mtd: rawnand: atmel: add module param to avoid using dma
iio: accel: adxl345: convert address field usage in iio_chan_spec
posix-timers: Make forward callback return s64
posix-timers: Sanitize overrun handling
ALSA: snd-aoa: add of_node_put() in error path
selftests: forwarding: Tweak tc filters for mirror-to-gretap tests
ath10k: use locked skb_dequeue for rx completions
media: s3c-camif: ignore -ENOIOCTLCMD from v4l2_subdev_call for s_power
media: soc_camera: ov772x: correct setting of banding filter
media: omap3isp: zero-initialize the isp cam_xclk{a,b} initial data
media: ov772x: add checks for register read errors
staging: android: ashmem: Fix mmap size validation
media: ov772x: allow i2c controllers without I2C_FUNC_PROTOCOL_MANGLING
staging: mt7621-eth: Fix memory leak in mtk_add_mac() error path
drivers/tty: add error handling for pcmcia_loop_config
arm64: dts: renesas: salvator-common: Fix adv7482 decimal unit addresses
serial: pxa: Fix an error handling path in 'serial_pxa_probe()'
staging: mt7621-dts: Fix remaining pcie warnings
media: tm6000: add error handling for dvb_register_adapter
ASoC: qdsp6: qdafe: fix some off by one bugs
net: phy: xgmiitorgmii: Check read_status results
ath10k: protect ath10k_htt_rx_ring_free with rx_ring.lock
drm/sun4i: Enable DW HDMI PHY clock
net: phy: xgmiitorgmii: Check phy_driver ready before accessing
drm/sun4i: Fix releasing node when enumerating enpoints
ath10k: transmit queued frames after processing rx packets
mt76x2: fix mrr idx/count estimation in mt76x2_mac_fill_tx_status()
rndis_wlan: potential buffer overflow in rndis_wlan_auth_indication()
brcmsmac: fix wrap around in conversion from constant to s16
bitfield: fix *_encode_bits()
wlcore: Add missing PM call for wlcore_cmd_wait_for_event_or_timeout()
drm/omap: gem: Fix mm_list locking
ARM: mvebu: declare asm symbols as character arrays in pmsu.c
RDMA/uverbs: Don't overwrite NULL pointer with ZERO_SIZE_PTR
Documentation/process: fix reST table border error
perf/hw_breakpoint: Split attribute parse and commit
arm: dts: mediatek: Add missing cooling device properties for CPUs
HID: hid-ntrig: add error handling for sysfs_create_group
HID: i2c-hid: Use devm to allocate i2c_hid struct
MIPS: boot: fix build rule of vmlinux.its.S
arm64: dts: renesas: Fix VSPD registers range
drm/v3d: Take a lock across GPU scheduler job creation and queuing.
perf/x86/intel/lbr: Fix incomplete LBR call stack
scsi: bnx2i: add error handling for ioremap_nocache
iomap: complete partial direct I/O writes synchronously
spi: orion: fix CS GPIO handling again
scsi: megaraid_sas: Update controller info during resume
ASoC: Intel: bytcr_rt5640: Fix Acer Iconia 8 over-current detect threshold
ASoC: rt1305: Use ULL suffixes for 64-bit constants
ASoC: rsnd: SSI parent cares SWSP bit
EDAC, i7core: Fix memleaks and use-after-free on probe and remove
ASoC: dapm: Fix potential DAI widget pointer deref when linking DAIs
module: exclude SHN_UNDEF symbols from kallsyms api
gpio: Fix wrong rounding in gpio-menz127
nfsd: fix corrupted reply to badly ordered compound
EDAC: Fix memleak in module init error path
EDAC, altera: Fix an error handling path in altr_s10_sdram_probe()
staging: pi433: fix race condition in pi433_ioctl
ath10k: fix incorrect size of dma_free_coherent in ath10k_ce_alloc_src_ring_64
ath10k: snoc: use correct bus-specific pointer in RX retry
fs/lock: skip lock owner pid translation in case we are in init_pid_ns
ath10k: fix memory leak of tpc_stats
Input: xen-kbdfront - fix multi-touch XenStore node's locations
iio: 104-quad-8: Fix off-by-one error in register selection
drm/vc4: Add missing formats to vc4_format_mod_supported().
ARM: dts: dra7: fix DCAN node addresses
drm/vc4: plane: Expand the lower bits by repeating the higher bits
perf tests: Fix indexing when invoking subtests
gpio: tegra: Fix tegra_gpio_irq_set_type()
block: fix deadline elevator drain for zoned block devices
x86/mm: Expand static page table for fixmap space
tty: serial: lpuart: avoid leaking struct tty_struct
serial: imx: restore handshaking irq for imx1
serial: mvebu-uart: Fix reporting of effective CSIZE to userspace
serial: cpm_uart: return immediately from console poll
intel_th: Fix device removal logic
intel_th: Fix resource handling for ACPI glue layer
spi: tegra20-slink: explicitly enable/disable clock
spi: sh-msiof: Fix invalid SPI use during system suspend
spi: sh-msiof: Fix handling of write value for SISTR register
spi: rspi: Fix invalid SPI use during system suspend
spi: rspi: Fix interrupted DMA transfers
regulator: fix crash caused by null driver data
regulator: Fix 'do-nothing' value for regulators without suspend state
USB: fix error handling in usb_driver_claim_interface()
USB: handle NULL config in usb_find_alt_setting()
usb: roles: Take care of driver module reference counting
usb: musb: dsps: do not disable CPPI41 irq in driver teardown
USB: usbdevfs: sanitize flags more
USB: usbdevfs: restore warning for nonsensical flags
Revert "usb: cdc-wdm: Fix a sleep-in-atomic-context bug in service_outstanding_interrupt()"
USB: remove LPM management from usb_driver_claim_interface()
uaccess: Fix is_source param for check_copy_size() in copy_to_iter_mcsafe()
ext2, dax: set ext2_dax_aops for dax files
filesystem-dax: Fix use of zero page
IB/srp: Avoid that sg_reset -d ${srp_device} triggers an infinite loop
IB/hfi1: Fix SL array bounds check
IB/hfi1: Invalid user input can result in crash
IB/hfi1: Fix context recovery when PBC has an UnsupportedVL
IB/hfi1: Fix destroy_qp hang after a link down
ACPI / hotplug / PCI: Don't scan for non-hotplug bridges if slot is not bridge
RDMA/uverbs: Atomically flush and mark closed the comp event queue
arm64: KVM: Tighten guest core register access from userspace
ARM: OMAP2+: Fix null hwmod for ti-sysc debug
ARM: OMAP2+: Fix module address for modules using mpu_rt_idx
bus: ti-sysc: Fix module register ioremap for larger offsets
qed: Wait for ready indication before rereading the shmem
qed: Wait for MCP halt and resume commands to take place
qed: Prevent a possible deadlock during driver load and unload
qed: Avoid sending mailbox commands when MFW is not responsive
thermal: of-thermal: disable passive polling when thermal zone is disabled
isofs: reject hardware sector size > 2048 bytes
mmc: atmel-mci: fix bad logic of sg_copy_{from,to}_buffer conversion
mmc: android-goldfish: fix bad logic of sg_copy_{from,to}_buffer conversion
bus: ti-sysc: Fix no_console_suspend handling
ARM: dts: omap4-droid4: fix vibrations on Droid 4
bpf, sockmap: fix sock_hash_alloc and reject zero-sized keys
bpf, sockmap: fix sock hash count in alloc_sock_hash_elem
tls: possible hang when do_tcp_sendpages hits sndbuf is full case
bpf: sockmap: write_space events need to be passed to TCP handler
drm/amdgpu: fix VM clearing for the root PD
drm/amdgpu: fix preamble handling
amdgpu: fix multi-process hang issue
net/ncsi: Fixup .dumpit message flags and ID check in Netlink handler
tcp_bbr: add bbr_check_probe_rtt_done() helper
tcp_bbr: in restart from idle, see if we should exit PROBE_RTT
net: hns: fix length and page_offset overflow when CONFIG_ARM64_64K_PAGES
net: hns: fix skb->truesize underestimation
net: hns3: fix page_offset overflow when CONFIG_ARM64_64K_PAGES
ice: Fix multiple static analyser warnings
ice: Report stats for allocated queues via ethtool stats
ice: Clean control queues only when they are initialized
ice: Fix bugs in control queue processing
ice: Use order_base_2 to calculate higher power of 2
ice: Set VLAN flags correctly
tools: bpftool: return from do_event_pipe() on bad arguments
ice: Fix a few null pointer dereference issues
ice: Fix potential return of uninitialized value
e1000: check on netif_running() before calling e1000_up()
e1000: ensure to free old tx/rx rings in set_ringparam()
ixgbe: fix driver behaviour after issuing VFLR
i40e: Fix for Tx timeouts when interface is brought up if DCB is enabled
i40e: fix condition of WARN_ONCE for stat strings
crypto: chtls - fix null dereference chtls_free_uld()
crypto: cavium/nitrox - fix for command corruption in queue full case with backlog submissions.
hwmon: (ina2xx) fix sysfs shunt resistor read access
hwmon: (adt7475) Make adt7475_read_word() return errors
Revert "ARM: dts: imx7d: Invert legacy PCI irq mapping"
drm/amdgpu: Enable/disable gfx PG feature in rlc safe mode
drm/amdgpu: Update power state at the end of smu hw_init.
ata: ftide010: Add a quirk for SQ201
nvme-fcloop: Fix dropped LS's to removed target port
ARM: dts: omap4-droid4: Fix emmc errors seen on some devices
drm/amdgpu: Need to set moved to true when evict bo
arm/arm64: smccc-1.1: Make return values unsigned long
arm/arm64: smccc-1.1: Handle function result as parameters
i2c: i801: Allow ACPI AML access I/O ports not reserved for SMBus
clk: x86: Set default parent to 48Mhz
x86/pti: Fix section mismatch warning/error
KVM: PPC: Book3S HV: Fix guest r11 corruption with POWER9 TM workarounds
powerpc: fix csum_ipv6_magic() on little endian platforms
powerpc/pkeys: Fix reading of ibm, processor-storage-keys property
powerpc/pseries: Fix unitialized timer reset on migration
arm64: KVM: Sanitize PSTATE.M when being set from userspace
media: v4l: event: Prevent freeing event subscriptions while accessed
Linux 4.18.12

       The following patches from the v4.18.12 stable release have already been applied:

net: hns3: Fix for mailbox message truncated problem
net: hns3: Fix for mac pause not disable in pfc mode
net: hns3: Fix warning bug when doing lp selftest
net: hns3: Fix get_vector ops in hclgevf_main module
ALSA: hda: Add AZX_DCAPS_PM_RUNTIME for AMD Raven Ridge
scsi: hisi_sas: Fix the conflict between dev gone and host reset
floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl
usb: core: safely deal with the dynamic quirk lists
Input: elantech - enable middle button of touchpad on ThinkPad P72

CVE References

Seth Forshee (sforshee) on 2018-10-04
tags: added: kernel-stable-tracking-bug
Changed in linux (Ubuntu Cosmic):
assignee: nobody → Seth Forshee (sforshee)
importance: Undecided → Medium
status: New → In Progress
Seth Forshee (sforshee) on 2018-10-04
description: updated
Changed in linux (Ubuntu Cosmic):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :
Download full text (60.2 KiB)

This bug was fixed in the package linux - 4.18.0-9.10

---------------
linux (4.18.0-9.10) cosmic; urgency=medium

  * linux: 4.18.0-9.10 -proposed tracker (LP: #1796346)

  * Cosmic update: v4.18.12 upstream stable release (LP: #1796139)
    - crypto: skcipher - Fix -Wstringop-truncation warnings
    - iio: adc: ina2xx: avoid kthread_stop() with stale task_struct
    - tsl2550: fix lux1_input error in low light
    - misc: ibmvmc: Use GFP_ATOMIC under spin lock
    - vmci: type promotion bug in qp_host_get_user_memory()
    - siox: don't create a thread without starting it
    - x86/numa_emulation: Fix emulated-to-physical node mapping
    - staging: rts5208: fix missing error check on call to rtsx_write_register
    - power: supply: axp288_charger: Fix initial constant_charge_current value
    - misc: sram: enable clock before registering regions
    - serial: sh-sci: Stop RX FIFO timer during port shutdown
    - uwb: hwa-rc: fix memory leak at probe
    - power: vexpress: fix corruption in notifier registration
    - iommu/amd: make sure TLB to be flushed before IOVA freed
    - Bluetooth: Add a new Realtek 8723DE ID 0bda:b009
    - USB: serial: kobil_sct: fix modem-status error handling
    - 6lowpan: iphc: reset mac_header after decompress to fix panic
    - iommu/msm: Don't call iommu_device_{,un}link from atomic context
    - s390/mm: correct allocate_pgste proc_handler callback
    - power: remove possible deadlock when unregistering power_supply
    - drm/amd/display/dc/dce: Fix multiple potential integer overflows
    - drm/amd/display: fix use of uninitialized memory
    - md-cluster: clear another node's suspend_area after the copy is finished
    - cxgb4: Fix the condition to check if the card is T5
    - RDMA/bnxt_re: Fix a couple off by one bugs
    - RDMA/i40w: Hold read semaphore while looking after VMA
    - RDMA/bnxt_re: Fix a bunch of off by one bugs in qplib_fp.c
    - IB/core: type promotion bug in rdma_rw_init_one_mr()
    - media: exynos4-is: Prevent NULL pointer dereference in __isp_video_try_fmt()
    - IB/mlx4: Test port number before querying type.
    - powerpc/kdump: Handle crashkernel memory reservation failure
    - media: fsl-viu: fix error handling in viu_of_probe()
    - vhost_net: Avoid tx vring kicks during busyloop
    - media: staging/imx: fill vb2_v4l2_buffer field entry
    - IB/mlx5: Fix GRE flow specification
    - include/rdma/opa_addr.h: Fix an endianness issue
    - x86/tsc: Add missing header to tsc_msr.c
    - ARM: hwmod: RTC: Don't assume lock/unlock will be called with irq enabled
    - x86/entry/64: Add two more instruction suffixes
    - ARM: dts: ls1021a: Add missing cooling device properties for CPUs
    - scsi: target/iscsi: Make iscsit_ta_authentication() respect the output
      buffer size
    - thermal: i.MX: Allow thermal probe to fail gracefully in case of bad
      calibration.
    - scsi: klist: Make it safe to use klists in atomic context
    - scsi: ibmvscsi: Improve strings handling
    - scsi: target: Avoid that EXTENDED COPY commands trigger lock inversion
    - usb: wusbcore: security: cast sizeof to int for comparison
    - ath10k: sdio: use same endpoint id for all packets...

Changed in linux (Ubuntu Cosmic):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers