Xenial update: 4.4.160 upstream stable release

Bug #1798770 reported by Stefan Bader on 2018-10-19
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Undecided
Unassigned
Xenial
Medium
Stefan Bader

Bug Description

SRU Justification

    Impact:
       The upstream process for stable tree updates is quite similar
       in scope to the Ubuntu SRU process, e.g., each patch has to
       demonstrably fix a bug, and each patch is vetted by upstream
       by originating either directly from a mainline/stable Linux tree or
       a minimally backported form of that patch. The following upstream
       stable patches should be included in the Ubuntu kernel:

       4.4.160 upstream stable release
       from git://git.kernel.org/

The following patches will be applied:
* crypto: skcipher - Fix -Wstringop-truncation warnings
* tsl2550: fix lux1_input error in low light
* vmci: type promotion bug in qp_host_get_user_memory()
* x86/numa_emulation: Fix emulated-to-physical node mapping
* staging: rts5208: fix missing error check on call to rtsx_write_register
* uwb: hwa-rc: fix memory leak at probe
* power: vexpress: fix corruption in notifier registration
* Bluetooth: Add a new Realtek 8723DE ID 0bda:b009
* USB: serial: kobil_sct: fix modem-status error handling
* 6lowpan: iphc: reset mac_header after decompress to fix panic
* md-cluster: clear another node's suspend_area after the copy is finished
* media: exynos4-is: Prevent NULL pointer dereference in __isp_video_try_fmt()
* powerpc/kdump: Handle crashkernel memory reservation failure
* media: fsl-viu: fix error handling in viu_of_probe()
* x86/tsc: Add missing header to tsc_msr.c
* x86/entry/64: Add two more instruction suffixes
* scsi: target/iscsi: Make iscsit_ta_authentication() respect the output buffer size
* scsi: klist: Make it safe to use klists in atomic context
* scsi: ibmvscsi: Improve strings handling
* usb: wusbcore: security: cast sizeof to int for comparison
* powerpc/powernv/ioda2: Reduce upper limit for DMA window size
* alarmtimer: Prevent overflow for relative nanosleep
* s390/extmem: fix gcc 8 stringop-overflow warning
* ALSA: snd-aoa: add of_node_put() in error path
* media: s3c-camif: ignore -ENOIOCTLCMD from v4l2_subdev_call for s_power
* media: soc_camera: ov772x: correct setting of banding filter
* media: omap3isp: zero-initialize the isp cam_xclk{a,b} initial data
* staging: android: ashmem: Fix mmap size validation
* drivers/tty: add error handling for pcmcia_loop_config
* media: tm6000: add error handling for dvb_register_adapter
* ALSA: hda: Add AZX_DCAPS_PM_RUNTIME for AMD Raven Ridge
* ath10k: protect ath10k_htt_rx_ring_free with rx_ring.lock
* rndis_wlan: potential buffer overflow in rndis_wlan_auth_indication()
* wlcore: Add missing PM call for wlcore_cmd_wait_for_event_or_timeout()
* ARM: mvebu: declare asm symbols as character arrays in pmsu.c
* HID: hid-ntrig: add error handling for sysfs_create_group
* scsi: bnx2i: add error handling for ioremap_nocache
* EDAC, i7core: Fix memleaks and use-after-free on probe and remove
* ASoC: dapm: Fix potential DAI widget pointer deref when linking DAIs
* module: exclude SHN_UNDEF symbols from kallsyms api
* nfsd: fix corrupted reply to badly ordered compound
* ARM: dts: dra7: fix DCAN node addresses
* floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl
* serial: cpm_uart: return immediately from console poll
* spi: tegra20-slink: explicitly enable/disable clock
* spi: sh-msiof: Fix invalid SPI use during system suspend
* spi: sh-msiof: Fix handling of write value for SISTR register
* spi: rspi: Fix invalid SPI use during system suspend
* spi: rspi: Fix interrupted DMA transfers
* USB: fix error handling in usb_driver_claim_interface()
* USB: handle NULL config in usb_find_alt_setting()
* slub: make ->cpu_partial unsigned int
* Revert "UBUNTU: SAUCE: media: uvcvideo: Support realtek's UVC 1.5 device"
* media: uvcvideo: Support realtek's UVC 1.5 device
* USB: usbdevfs: sanitize flags more
* USB: usbdevfs: restore warning for nonsensical flags
* Revert "usb: cdc-wdm: Fix a sleep-in-atomic-context bug in
  service_outstanding_interrupt()"
* USB: remove LPM management from usb_driver_claim_interface()
* Input: elantech - enable middle button of touchpad on ThinkPad P72
* IB/srp: Avoid that sg_reset -d ${srp_device} triggers an infinite loop
* scsi: target: iscsi: Use bin2hex instead of a re-implementation
* serial: imx: restore handshaking irq for imx1
* arm64: KVM: Tighten guest core register access from userspace
* ext4: never move the system.data xattr out of the inode body
* thermal: of-thermal: disable passive polling when thermal zone is disabled
* net: hns: fix length and page_offset overflow when CONFIG_ARM64_64K_PAGES
* e1000: check on netif_running() before calling e1000_up()
* e1000: ensure to free old tx/rx rings in set_ringparam()
* hwmon: (ina2xx) fix sysfs shunt resistor read access
* hwmon: (adt7475) Make adt7475_read_word() return errors
* i2c: i801: Allow ACPI AML access I/O ports not reserved for SMBus
* arm64: cpufeature: Track 32bit EL0 support
* arm64: KVM: Sanitize PSTATE.M when being set from userspace
* media: v4l: event: Prevent freeing event subscriptions while accessed
* KVM: PPC: Book3S HV: Don't truncate HPTE index in xlate function
* mac80211: correct use of IEEE80211_VHT_CAP_RXSTBC_X
* mac80211_hwsim: correct use of IEEE80211_VHT_CAP_RXSTBC_X
* gpio: adp5588: Fix sleep-in-atomic-context bug
* mac80211: mesh: fix HWMP sequence numbering to follow standard
* cfg80211: nl80211_update_ft_ies() to validate NL80211_ATTR_IE
* RAID10 BUG_ON in raise_barrier when force is true and conf->barrier is 0
* i2c: uniphier: issue STOP only for last message or I2C_M_STOP
* i2c: uniphier-f: issue STOP only for last message or I2C_M_STOP
* net: cadence: Fix a sleep-in-atomic-context bug in macb_halt_tx()
* fs/cifs: don't translate SFM_SLASH (U+F026) to backslash
* cfg80211: fix a type issue in ieee80211_chandef_to_operating_class()
* mac80211: fix a race between restart and CSA flows
* mac80211: Fix station bandwidth setting after channel switch
* mac80211: shorten the IBSS debug messages
* tools/vm/slabinfo.c: fix sign-compare warning
* tools/vm/page-types.c: fix "defined but not used" warning
* mm: madvise(MADV_DODUMP): allow hugetlbfs pages
* usb: gadget: fotg210-udc: Fix memory leak of fotg210->ep[i]
* perf probe powerpc: Ignore SyS symbols irrespective of endianness
* RDMA/ucma: check fd type in ucma_migrate_id()
* USB: yurex: Check for truncation in yurex_read()
* drm/nouveau/TBDdevinit: don't fail when PMU/PRE_OS is missing from VBIOS
* fs/cifs: suppress a string overflow warning
* dm thin metadata: try to avoid ever aborting transactions
* arch/hexagon: fix kernel/dma.c build warning
* hexagon: modify ffs() and fls() to return int
* arm64: jump_label.h: use asm_volatile_goto macro instead of "asm goto"
* r8169: Clear RTL_FLAG_TASK_*_PENDING when clearing RTL_FLAG_TASK_ENABLED
* s390/qeth: don't dump past end of unknown HW header
* cifs: read overflow in is_valid_oplock_break()
* xen/manage: don't complain about an empty value in control/sysrq node
* xen: avoid crash in disable_hotplug_cpu
* xen: fix GCC warning and remove duplicate EVTCHN_ROW/EVTCHN_COL usage
* smb2: fix missing files in root share directory listing
* ALSA: hda/realtek - Cannot adjust speaker's volume on Dell XPS 27 7760
* crypto: mxs-dcp - Fix wait logic on chan threads
* proc: restrict kernel stack dumps to root
* ocfs2: fix locking for res->tracking and dlm->tracking_list
* dm thin metadata: fix __udivdi3 undefined on 32-bit
* Linux 4.4.160

CVE References

Stefan Bader (smb) on 2018-10-19
tags: added: kernel-stable-tracking-bug
Stefan Bader (smb) on 2018-10-19
Changed in linux (Ubuntu Xenial):
assignee: nobody → Stefan Bader (smb)
importance: Undecided → Medium
status: New → In Progress
Changed in linux (Ubuntu):
status: New → Invalid
Stefan Bader (smb) wrote :

Modified "floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl" to only make the change for the "too long line" that got added by upstream. Otherwise we already carry the change for CVE-2018-7755.

Modified "arm64: cpufeature: Track 32bit EL0 support" to make up for us already having an additional feature defined.

Stefan Bader (smb) wrote :

Did replace the SAUCE patch we had for "media: uvcvideo: Support realtek's UVC 1.5 device" by this upstream stable version.

Stefan Bader (smb) on 2018-10-19
description: updated
Changed in linux (Ubuntu Xenial):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :
Download full text (21.0 KiB)

This bug was fixed in the package linux - 4.4.0-139.165

---------------
linux (4.4.0-139.165) xenial; urgency=medium

  * linux: 4.4.0-139.165 -proposed tracker (LP: #1799401)

  * Kernel panic after the ubuntu_nbd_smoke_test on Xenial kernel (LP: #1793464)
    - nbd: Remove signal usage
    - nbd: Timeouts are not user requested disconnects
    - nbd: Cleanup reset of nbd and bdev after a disconnect
    - nbd: don't shutdown sock with irq's disabled
    - nbd: fix race in ioctl

  * fscache: bad refcounting in fscache_op_complete leads to OOPS (LP: #1797314)
    - SAUCE: fscache: Fix race in decrementing refcount of op->npages

  * xenial: virtio-scsi: CPU soft lockup due to loop in
    virtscsi_target_destroy() (LP: #1798110)
    - SAUCE: (no-up) virtio-scsi: Decrement reqs counter before SCSI command
      requeue

  * Error reported when creating ZFS pool with "-t" option, despite successful
    pool creation (LP: #1769937)
    - SAUCE: (noup) Update zfs to 0.6.5.6-0ubuntu26

  * Xenial update: 4.4.160 upstream stable release (LP: #1798770)
    - crypto: skcipher - Fix -Wstringop-truncation warnings
    - tsl2550: fix lux1_input error in low light
    - vmci: type promotion bug in qp_host_get_user_memory()
    - x86/numa_emulation: Fix emulated-to-physical node mapping
    - staging: rts5208: fix missing error check on call to rtsx_write_register
    - uwb: hwa-rc: fix memory leak at probe
    - power: vexpress: fix corruption in notifier registration
    - Bluetooth: Add a new Realtek 8723DE ID 0bda:b009
    - USB: serial: kobil_sct: fix modem-status error handling
    - 6lowpan: iphc: reset mac_header after decompress to fix panic
    - md-cluster: clear another node's suspend_area after the copy is finished
    - media: exynos4-is: Prevent NULL pointer dereference in __isp_video_try_fmt()
    - powerpc/kdump: Handle crashkernel memory reservation failure
    - media: fsl-viu: fix error handling in viu_of_probe()
    - x86/tsc: Add missing header to tsc_msr.c
    - x86/entry/64: Add two more instruction suffixes
    - scsi: target/iscsi: Make iscsit_ta_authentication() respect the output
      buffer size
    - scsi: klist: Make it safe to use klists in atomic context
    - scsi: ibmvscsi: Improve strings handling
    - usb: wusbcore: security: cast sizeof to int for comparison
    - powerpc/powernv/ioda2: Reduce upper limit for DMA window size
    - alarmtimer: Prevent overflow for relative nanosleep
    - s390/extmem: fix gcc 8 stringop-overflow warning
    - ALSA: snd-aoa: add of_node_put() in error path
    - media: s3c-camif: ignore -ENOIOCTLCMD from v4l2_subdev_call for s_power
    - media: soc_camera: ov772x: correct setting of banding filter
    - media: omap3isp: zero-initialize the isp cam_xclk{a,b} initial data
    - staging: android: ashmem: Fix mmap size validation
    - drivers/tty: add error handling for pcmcia_loop_config
    - media: tm6000: add error handling for dvb_register_adapter
    - ALSA: hda: Add AZX_DCAPS_PM_RUNTIME for AMD Raven Ridge
    - ath10k: protect ath10k_htt_rx_ring_free with rx_ring.lock
    - rndis_wlan: potential buffer overflow in rndis_wlan_auth_indication()
    - wlcore: Add missing PM call fo...

Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers