Xenial update: 4.4.168 upstream stable release

Bug #1811080 reported by Juerg Haefliger on 2019-01-09
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Undecided
Unassigned
Xenial
Medium
Unassigned

Bug Description

    SRU Justification

    Impact:
       The upstream process for stable tree updates is quite similar
       in scope to the Ubuntu SRU process, e.g., each patch has to
       demonstrably fix a bug, and each patch is vetted by upstream
       by originating either directly from a mainline/stable Linux tree or
       a minimally backported form of that patch. The following upstream
       stable patches should be included in the Ubuntu kernel:

       4.4.168 upstream stable release
       from git://git.kernel.org/

Linux 4.4.168
selftests: Move networking/timestamping from Documentation
rocker: fix rocker_tlv_put_* functions for KASAN
staging: speakup: Replace strncpy with memcpy
matroxfb: fix size of memcpy
media: dvb-frontends: fix i2c access helpers for KASAN
proc: do not access cmdline nor environ from file-backed areas
proc: don't use FOLL_FORCE for reading cmdline and environment
mm: replace access_remote_vm() write parameter with gup_flags
mm: replace __access_remote_vm() write parameter with gup_flags
mm: replace get_user_pages() write/force parameters with gup_flags
mm: replace get_vaddr_frames() write/force parameters with gup_flags
mm: replace get_user_pages_locked() write/force parameters with gup_flags
mm: replace get_user_pages_unlocked() write/force parameters with gup_flags
mm/nommu.c: Switch __get_user_pages_unlocked() to use __get_user_pages()
mm: remove write/force parameters from __get_user_pages_unlocked()
mm: remove write/force parameters from __get_user_pages_locked()
sr: pass down correctly sized SCSI sense buffer
swiotlb: clean up reporting
hugetlbfs: fix bug in pgoff overflow checking
hugetlbfs: check for pgoff value overflow
hugetlbfs: fix offset overflow in hugetlbfs mmap
mm/hugetlb.c: don't call region_abort if region_chg fails
posix-timers: Sanitize overrun handling
wil6210: missing length check in wmi_set_ie
bpf: Prevent memory disambiguation attack
bpf/verifier: Pass instruction index to check_mem_access() and check_xadd()
bpf/verifier: Add spi variable to check_stack_write()
bpf: support 8-byte metafield access
KVM: SVM: Implement VIRT_SPEC_CTRL support for SSBD
x86/speculation: Use synthetic bits for IBRS/IBPB/STIBP
x86/bugs, KVM: Extend speculation control for VIRT_SPEC_CTRL
KVM: SVM: Move spec control call after restore of GS
x86/KVM/VMX: Expose SPEC_CTRL Bit(2) to the guest
x86/bugs, KVM: Support the combination of guest and host IBRS
x86/uaccess: Use __uaccess_begin_nospec() and uaccess_try_nospec
x86/usercopy: Replace open coded stac/clac with __uaccess_{begin, end}
x86: Introduce __uaccess_begin_nospec() and uaccess_try_nospec
x86: fix SMAP in 32-bit environments
x86: reorganize SMAP handling in user space accesses
KVM/x86: Remove indirect MSR op calls from SPEC_CTRL
KVM/SVM: Allow direct access to MSR_IA32_SPEC_CTRL
KVM/VMX: Allow direct access to MSR_IA32_SPEC_CTRL
KVM/VMX: Emulate MSR_IA32_ARCH_CAPABILITIES
KVM/x86: Add IBPB support
KVM: VMX: make MSR bitmaps per-VCPU
KVM: VMX: introduce alloc_loaded_vmcs
KVM: nVMX: Eliminate vmcs02 pool
KVM: nVMX: mark vmcs12 pages dirty on L2 exit
KVM: nVMX: fix msr bitmaps to prevent L2 from accessing L0 x2APIC
ALSA: pcm: remove SNDRV_PCM_IOCTL1_INFO internal command
pstore: Convert console write to use ->write_buf
ocfs2: fix potential use after free
debugobjects: avoid recursive calls with kmemleak
hfsplus: do not free node before using
hfs: do not free node before using
ocfs2: fix deadlock caused by ocfs2_defrag_extent()
fscache, cachefiles: remove redundant variable 'cache'
fscache: fix race between enablement and dropping of object
xen: xlate_mmu: add missing header to fix 'W=1' warning
drm/ast: fixed reading monitor EDID not stable issue
net: hisilicon: remove unexpected free_netdev
ixgbe: recognize 1000BaseLX SFP modules as 1Gbps
net: thunderx: fix NULL pointer dereference in nic_remove
KVM: x86: fix empty-body warnings
USB: omap_udc: fix USB gadget functionality on Palm Tungsten E
USB: omap_udc: fix omap_udc_start() on 15xx machines
USB: omap_udc: fix crashes on probe error and module removal
USB: omap_udc: use devm_request_irq()
bpf: fix check of allowed specifiers in bpf_trace_printk
exportfs: do not read dentry after free
ASoC: omap-dmic: Add pm_qos handling to avoid overruns with CPU_IDLE
ASoC: omap-mcpdm: Add pm_qos handling to avoid under/overruns with CPU_IDLE
Btrfs: send, fix infinite loop due to directory rename dependencies
hwmon: (w83795) temp4_type has writable permission
ASoC: dapm: Recalculate audio map forcely when card instantiated
hwmon: (ina2xx) Fix current value calculation
s390/cpum_cf: Reject request for sampling in event initialization
sysv: return 'err' instead of 0 in __sysv_write_inode
ARM: OMAP1: ams-delta: Fix possible use of uninitialized field
ARM: OMAP2+: prm44xx: Fix section annotation on omap44xx_prm_enable_io_wakeup
neighbour: Avoid writing before skb->head in neigh_hh_output()
tun: forbid iface creation with rtnl ops
tcp: fix NULL ref in tail loss probe
rtnetlink: ndo_dflt_fdb_dump() only work for ARPHRD_ETHER devices
net: Prevent invalid access to skb->prev in __qdisc_drop_all
net: phy: don't allow __set_phy_supported to add unsupported modes
net: 8139cp: fix a BUG triggered by changing mtu with network traffic
ipv6: Check available headroom in ip6_xmit() even without options

CVE References

Juerg Haefliger (juergh) wrote :

List of already applied patches:
  * posix-timers: Sanitize overrun handling
  * KVM/VMX: Emulate MSR_IA32_ARCH_CAPABILITIES
  * x86/uaccess: Use __uaccess_begin_nospec() and uaccess_try_nospec
  * x86/usercopy: Replace open coded stac/clac with __uaccess_{begin, end}
  * x86: Introduce __uaccess_begin_nospec() and uaccess_try_nospec
  * x86: fix SMAP in 32-bit environments
  * x86: reorganize SMAP handling in user space accesses
  * KVM: SVM: Implement VIRT_SPEC_CTRL support for SSBD
  * x86/bugs, KVM: Extend speculation control for VIRT_SPEC_CTRL
  * x86/speculation: Use synthetic bits for IBRS/IBPB/STIBP
  * KVM: SVM: Move spec control call after restore of GS

Changed in linux (Ubuntu):
status: New → Invalid
tags: added: kernel-stable-tracking-bug
Juerg Haefliger (juergh) wrote :

The modifications from the following patches are already present (from previous SAUCE/embargoed patches):
  * x86/KVM/VMX: Expose SPEC_CTRL Bit(2) to the guest
  * x86/bugs, KVM: Support the combination of guest and host IBRS

Juerg Haefliger (juergh) wrote :

The following already present commits are incomplete and need fixing:
  * KVM: SVM: Implement VIRT_SPEC_CTRL support for SSBD
  * x86/uaccess: Use __uaccess_begin_nospec() and uaccess_try_nospec

Stefan Bader (smb) on 2019-02-01
Changed in linux (Ubuntu Xenial):
importance: Undecided → Medium
Stefan Bader (smb) on 2019-02-01
Changed in linux (Ubuntu Xenial):
status: New → In Progress
Stefan Bader (smb) on 2019-02-01
Changed in linux (Ubuntu Xenial):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :
Download full text (16.2 KiB)

This bug was fixed in the package linux - 4.4.0-143.169

---------------
linux (4.4.0-143.169) xenial; urgency=medium

  * linux: 4.4.0-143.169 -proposed tracker (LP: #1814647)

  * x86/kvm: Backport fixup and missing commits (LP: #1811646)
    - KVM: x86: avoid vmalloc(0) in the KVM_SET_CPUID
    - kvm: nVMX: VMCLEAR an active shadow VMCS after last use
    - X86/nVMX: Properly set spec_ctrl and pred_cmd before merging MSRs
    - KVM/VMX: Optimize vmx_vcpu_run() and svm_vcpu_run() by marking the RDMSR
      path as unlikely()
    - kvm: x86: IA32_ARCH_CAPABILITIES is always supported
    - KVM: SVM: Add MSR-based feature support for serializing LFENCE
    - KVM: X86: Allow userspace to define the microcode version
    - KVM: x86: SVM: Call x86_spec_ctrl_set_guest/host() with interrupts disabled
    - KVM: VMX: fixes for vmentry_l1d_flush module parameter
    - kvm: svm: Ensure an IBPB on all affected CPUs when freeing a vmcb
    - kvm: vmx: Scrub hardware GPRs at VM-exit
    - SAUCE: [Fix] x86/KVM/VMX: Add L1D flush logic
    - SAUCE: KVM: Move code fragments, cleanup and re-indent

  * linux-buildinfo: pull out ABI information into its own package
    (LP: #1806380)
    - [Packaging] limit preparation to linux-libc-dev in headers
    - [Packaging] commonise debhelper invocation
    - [Packaging] ABI -- accumulate abi information at the end of the build
    - [Packaging] buildinfo -- add basic build information
    - [Packaging] buildinfo -- add firmware information to the flavour ABI
    - [Packaging] buildinfo -- add compiler information to the flavour ABI
    - [Packaging] buildinfo -- add buildinfo support to getabis
    - [Config] buildinfo -- add retpoline version markers
    - [Packaging] getabis -- handle all known package combinations
    - [Packaging] getabis -- support parsing a simple version

  * signing: only install a signed kernel (LP: #1764794)
    - [Packaging] update to Debian like control scripts
    - [Packaging] switch to triggers for postinst.d postrm.d handling
    - [Packaging] signing -- switch to raw-signing tarballs
    - [Packaging] signing -- switch to linux-image as signed when available
    - [Packaging] printenv -- add signing options
    - [Packaging] fix invocation of header postinst hooks
    - [Packaging] signing -- add support for signing Opal kernel binaries
    - [Debian] Use src_pkg_name when constructing udeb control files
    - [Debian] Dynamically determine linux udebs package name
    - [Packaging] handle both linux-lts* and linux-hwe* as backports
    - [Config] linux-source-* is in the primary linux namespace
    - [Packaging] lookup the upstream tag
    - [Packaging] zfs/spl -- enhance provides information
    - [Packaging] switch up to debhelper 9
    - [Packaging] autopkgtest -- disable d-i when dropping flavours
    - [debian] support for ship_extras_package=false
    - [Debian] do_common_tools should always be on
    - [debian] do not force do_tools_common
    - [Packaging] Add linux-tools-host package for VM host tools
    - [Packaging] signing should be conditional
    - [Packaging] skip cloud tools packaging when not building package
    - [Packaging] add acpidbg
    - [debian] prep linu...

Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers