Xenial update: 4.4.195 upstream stable release

Bug #1848589 reported by Connor Kuehl on 2019-10-17
Affects          Importance   Assigned to
linux (Ubuntu)   Undecided    Unassigned
Xenial           Medium       Connor Kuehl

Bug Description

SRU Justification

    Impact:
       The upstream process for stable tree updates is quite similar
       in scope to the Ubuntu SRU process, e.g., each patch has to
       demonstrably fix a bug, and each patch is vetted by upstream
       by originating either directly from a mainline/stable Linux tree or
       a minimally backported form of that patch. The following upstream
       stable patches should be included in the Ubuntu kernel:

* Revert "Bluetooth: validate BLE connection interval updates"
* HID: prodikeys: Fix general protection fault during probe
* HID: lg: make transfer buffers DMA capable
* HID: logitech: Fix general protection fault caused by Logitech driver
* HID: hidraw: Fix invalid read in hidraw_ioctl
* mtd: cfi_cmdset_0002: Use chip_good() to retry in do_write_oneword()
* crypto: talitos - fix missing break in switch statement
* net: rds: Fix NULL ptr use in rds_tcp_kill_sock
* ASoC: fsl: Fix of-node refcount unbalance in fsl_ssi_probe_from_dt()
* ALSA: hda - Add laptop imic fixup for ASUS M9V laptop
* UBUNTU: SAUCE: Revert "mac80211: handle deauthentication/disassociation from TDLS peer"
* mac80211: Print text for disassociation reason
* mac80211: handle deauthentication/disassociation from TDLS peer
* locking/lockdep: Add debug_locks check in __lock_downgrade()
* irqchip/gic-v3-its: Fix LPI release for Multi-MSI devices
* f2fs: check all the data segments against all node ones
* Revert "f2fs: avoid out-of-range memory access"
* f2fs: fix to do sanity check on segment bitmap of LFS curseg
* drm: Flush output polling on shutdown
* Bluetooth: btrtl: Additional Realtek 8822CE Bluetooth devices
* arcnet: provide a buffer big enough to actually receive packets
* cdc_ncm: fix divide-by-zero caused by invalid wMaxPacketSize
* net/phy: fix DP83865 10 Mbps HDX loopback disable function
* openvswitch: change type of UPCALL_PID attribute to NLA_UNSPEC
* sch_netem: fix a divide by zero in tabledist()
* skge: fix checksum byte order
* usbnet: ignore endpoints with invalid wMaxPacketSize
* usbnet: sanity checking of packet sizes and device mtu
* ALSA: hda: Flush interrupts on disabling
* ASoC: sgtl5000: Fix charge pump source assignment
* dmaengine: bcm2835: Print error in case setting DMA mask fails
* leds: leds-lp5562 allow firmware files up to the maximum length
* media: dib0700: fix link error for dibx000_i2c_set_speed
* media: hdpvr: Add device num check and handling
* sched/fair: Fix imbalance due to CPU affinity
* sched/core: Fix CPU controller for !RT_GROUP_SCHED
* x86/reboot: Always use NMI fallback when shutdown via reboot vector IPI fails
* x86/apic: Soft disable APIC before initializing it
* ALSA: hda - Show the fatal CORB/RIRB error more clearly
* ALSA: i2c: ak4xxx-adda: Fix a possible null pointer dereference in build_adc_controls()
* media: iguanair: add sanity checks
* base: soc: Export soc_device_register/unregister APIs
* ALSA: usb-audio: Skip bSynchAddress endpoint check if it is invalid
* ia64:unwind: fix double free for mod->arch.init_unw_table
* md: don't call spare_active in md_reap_sync_thread if all member devices can't work
* md: don't set In_sync if array is frozen
* efi: cper: print AER info of PCIe fatal error
* media: gspca: zero usb_buf on error
* dmaengine: iop-adma: use correct printk format strings
* media: omap3isp: Don't set streaming state on random subdevs
* net: lpc-enet: fix printk format strings
* media: radio/si470x: kill urb on error
* media: hdpvr: add terminating 0 at end of string
* media: saa7146: add cleanup in hexium_attach()
* media: cpia2_usb: fix memory leaks
* media: saa7134: fix terminology around saa7134_i2c_eeprom_md7134_gate()
* media: ov9650: add a sanity check
* ACPI / CPPC: do not require the _PSD method
* libtraceevent: Change users plugin directory
* ACPI: custom_method: fix memory leaks
* hwmon: (acpi_power_meter) Change log level for 'unsafe software power cap'
* md/raid1: fail run raid1 array when active disk less than one
* dmaengine: ti: edma: Do not reset reserved paRAM slots
* kprobes: Prohibit probing on BUG() and WARN() address
* ASoC: dmaengine: Make the pcm->name equal to pcm->id if the name is not set
* mmc: sdhci: Fix incorrect switch to HS mode
* libertas: Add missing sentinel at end of if_usb.c fw_table
* media: ttusb-dec: Fix info-leak in ttusb_dec_send_command()
* ALSA: hda/realtek - Blacklist PC beep for Lenovo ThinkCentre M73/93
* btrfs: extent-tree: Make sure we only allocate extents from block groups with the same type
* media: omap3isp: Set device on omap3isp subdevs
* ALSA: firewire-tascam: handle error code when getting current source of clock
* ALSA: firewire-tascam: check intermediate state of clock status and retry
* printk: Do not lose last line in kmsg buffer dump
* fuse: fix missing unlock_page in fuse_writepage()
* parisc: Disable HP HSC-PCI Cards to prevent kernel crash
* KVM: x86: always stop emulation on page fault
* KVM: x86: set ctxt->have_exception in x86_decode_insn()
* KVM: x86: Manually calculate reserved bits when loading PDPTRS
* media: sn9c20x: Add MSI MS-1039 laptop to flip_dmi_table
* ASoC: Intel: Fix use of potentially uninitialized variable
* ARM: zynq: Use memcpy_toio instead of memcpy on smp bring-up
* alarmtimer: Use EOPNOTSUPP instead of ENOTSUPP
* md/raid6: Set R5_ReadError when there is read failure on parity disk
* cfg80211: Purge frame registrations on iftype change
* /dev/mem: Bail out upon SIGKILL.
* ext4: fix punch hole for inline_data file systems
* quota: fix wrong condition in is_quota_modification()
* hwrng: core - don't wait on add_early_randomness()
* i2c: riic: Clear NACK in tend isr
* CIFS: Fix oplock handling for SMB 2.1+ protocols
* ovl: filter of trusted xattr results in audit
* Btrfs: fix use-after-free when using the tree modification log
* btrfs: Relinquish CPUs in btrfs_compare_trees
* Btrfs: fix race setting up and completing qgroup rescan workers
* Linux 4.4.195

       4.4.195 upstream stable release
       from git://git.kernel.org/

Connor Kuehl (connork) on 2019-10-17
Changed in linux (Ubuntu):
status: New → Confirmed
tags: added: kernel-stable-tracking-bug
Changed in linux (Ubuntu):
status: Confirmed → Invalid
Changed in linux (Ubuntu Xenial):
status: New → In Progress
assignee: nobody → Connor Kuehl (connork)
importance: Undecided → Medium
Connor Kuehl (connork) wrote :

The following patches were skipped because they have already been applied:

* mISDN: enforce CAP_NET_RAW for raw sockets
* appletalk: enforce CAP_NET_RAW for raw sockets
* ax25: enforce CAP_NET_RAW for raw sockets
* ieee802154: enforce CAP_NET_RAW for raw sockets

Note: the following patch was applied (after reverting our backport) as it is now a clean cherry pick.

* mac80211: handle deauthentication/disassociation from TDLS peer

Connor Kuehl (connork) on 2019-10-17
description: updated
Changed in linux (Ubuntu Xenial):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.4.0-168.197

---------------
linux (4.4.0-168.197) xenial; urgency=medium

  * CVE-2018-12207
    - KVM: x86: MMU: Encapsulate the type of rmap-chain head in a new struct
    - KVM: x86: MMU: Consolidate quickly_check_mmio_pf() and is_mmio_page_fault()
    - KVM: x86: MMU: Move handle_mmio_page_fault() call to kvm_mmu_page_fault()
    - KVM: MMU: rename has_wrprotected_page to mmu_gfn_lpage_is_disallowed
    - KVM: MMU: introduce kvm_mmu_gfn_{allow,disallow}_lpage
    - KVM: x86: MMU: Make mmu_set_spte() return emulate value
    - KVM: x86: MMU: Move initialization of parent_ptes out from
      kvm_mmu_alloc_page()
    - KVM: x86: MMU: always set accessed bit in shadow PTEs
    - KVM: x86: MMU: Move parent_pte handling from kvm_mmu_get_page() to
      link_shadow_page()
    - KVM: x86: MMU: Remove unused parameter parent_pte from kvm_mmu_get_page()
    - KVM: x86: simplify ept_misconfig
    - KVM: x86: extend usage of RET_MMIO_PF_* constants
    - KVM: MMU: drop vcpu param in gpte_access
    - kvm: Convert kvm_lock to a mutex
    - kvm: x86: Do not release the page inside mmu_set_spte()
    - KVM: x86: make FNAME(fetch) and __direct_map more similar
    - KVM: x86: remove now unneeded hugepage gfn adjustment
    - KVM: x86: change kvm_mmu_page_get_gfn BUG_ON to WARN_ON
    - KVM: x86: add tracepoints around __direct_map and FNAME(fetch)
    - SAUCE: KVM: vmx, svm: always run with EFER.NXE=1 when shadow paging is
      active
    - SAUCE: x86: Add ITLB_MULTIHIT bug infrastructure
    - SAUCE: kvm: mmu: ITLB_MULTIHIT mitigation
    - SAUCE: kvm: Add helper function for creating VM worker threads
    - SAUCE: kvm: x86: mmu: Recovery of shattered NX large pages
    - SAUCE: cpu/speculation: Uninline and export CPU mitigations helpers
    - SAUCE: kvm: x86: mmu: Apply global mitigations knob to ITLB_MULTIHIT

  * CVE-2019-11135
    - KVM: x86: Emulate MSR_IA32_ARCH_CAPABILITIES on AMD hosts
    - KVM: x86: use Intel speculation bugs and features as derived in generic x86
      code
    - x86/msr: Add the IA32_TSX_CTRL MSR
    - x86/cpu: Add a helper function x86_read_arch_cap_msr()
    - x86/cpu: Add a "tsx=" cmdline option with TSX disabled by default
    - x86/speculation/taa: Add mitigation for TSX Async Abort
    - x86/speculation/taa: Add sysfs reporting for TSX Async Abort
    - kvm/x86: Export MDS_NO=0 to guests when TSX is enabled
    - x86/tsx: Add "auto" option to the tsx= cmdline parameter
    - x86/speculation/taa: Add documentation for TSX Async Abort
    - x86/tsx: Add config options to set tsx=on|off|auto
    - SAUCE: x86/speculation/taa: Call tsx_init()
    - SAUCE: x86/cpu: Include cpu header from bugs.c
    - [Config] Disable TSX by default when possible

  * CVE-2019-0154
    - SAUCE: i915_bpo: drm/i915: Lower RM timeout to avoid DSI hard hangs
    - SAUCE: i915_bpo: drm/i915/gen8+: Add RC6 CTX corruption WA
    - SAUCE: drm/i915/gen8+: Add RC6 CTX corruption WA

  * CVE-2019-0155
    - SAUCE: i915_bpo: drm/i915/gtt: Add read only pages to gen8_pte_encode
    - SAUCE: i915_bpo: drm/i915/gtt: Read-only pages for insert_entries on bdw+
    - SAUCE: i915_bpo: drm/i915/gtt: Disable read-on...

Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released