Xenial update: 4.4.195 upstream stable release

Bug #1848589 reported by Connor Kuehl on 2019-10-17
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Connor Kuehl

Bug Description

SRU Justification

       The upstream process for stable tree updates is quite similar
       in scope to the Ubuntu SRU process, e.g., each patch has to
       demonstrably fix a bug, and each patch is vetted by upstream
       by originating either directly from a mainline/stable Linux tree or
       a minimally backported form of that patch. The following upstream
       stable patches should be included in the Ubuntu kernel:

* Revert "Bluetooth: validate BLE connection interval updates"
* HID: prodikeys: Fix general protection fault during probe
* HID: lg: make transfer buffers DMA capable
* HID: logitech: Fix general protection fault caused by Logitech driver
* HID: hidraw: Fix invalid read in hidraw_ioctl
* mtd: cfi_cmdset_0002: Use chip_good() to retry in do_write_oneword()
* crypto: talitos - fix missing break in switch statement
* net: rds: Fix NULL ptr use in rds_tcp_kill_sock
* ASoC: fsl: Fix of-node refcount unbalance in fsl_ssi_probe_from_dt()
* ALSA: hda - Add laptop imic fixup for ASUS M9V laptop
* UBUNTU: SAUCE: Revert "mac80211: handle deauthentication/disassociation from TDLS peer"
* mac80211: Print text for disassociation reason
* mac80211: handle deauthentication/disassociation from TDLS peer
* locking/lockdep: Add debug_locks check in __lock_downgrade()
* irqchip/gic-v3-its: Fix LPI release for Multi-MSI devices
* f2fs: check all the data segments against all node ones
* Revert "f2fs: avoid out-of-range memory access"
* f2fs: fix to do sanity check on segment bitmap of LFS curseg
* drm: Flush output polling on shutdown
* Bluetooth: btrtl: Additional Realtek 8822CE Bluetooth devices
* arcnet: provide a buffer big enough to actually receive packets
* cdc_ncm: fix divide-by-zero caused by invalid wMaxPacketSize
* net/phy: fix DP83865 10 Mbps HDX loopback disable function
* openvswitch: change type of UPCALL_PID attribute to NLA_UNSPEC
* sch_netem: fix a divide by zero in tabledist()
* skge: fix checksum byte order
* usbnet: ignore endpoints with invalid wMaxPacketSize
* usbnet: sanity checking of packet sizes and device mtu
* ALSA: hda: Flush interrupts on disabling
* ASoC: sgtl5000: Fix charge pump source assignment
* dmaengine: bcm2835: Print error in case setting DMA mask fails
* leds: leds-lp5562 allow firmware files up to the maximum length
* media: dib0700: fix link error for dibx000_i2c_set_speed
* media: hdpvr: Add device num check and handling
* sched/fair: Fix imbalance due to CPU affinity
* sched/core: Fix CPU controller for !RT_GROUP_SCHED
* x86/reboot: Always use NMI fallback when shutdown via reboot vector IPI fails
* x86/apic: Soft disable APIC before initializing it
* ALSA: hda - Show the fatal CORB/RIRB error more clearly
* ALSA: i2c: ak4xxx-adda: Fix a possible null pointer dereference in build_adc_controls()
* media: iguanair: add sanity checks
* base: soc: Export soc_device_register/unregister APIs
* ALSA: usb-audio: Skip bSynchAddress endpoint check if it is invalid
* ia64:unwind: fix double free for mod->arch.init_unw_table
* md: don't call spare_active in md_reap_sync_thread if all member devices can't work
* md: don't set In_sync if array is frozen
* efi: cper: print AER info of PCIe fatal error
* media: gspca: zero usb_buf on error
* dmaengine: iop-adma: use correct printk format strings
* media: omap3isp: Don't set streaming state on random subdevs
* net: lpc-enet: fix printk format strings
* media: radio/si470x: kill urb on error
* media: hdpvr: add terminating 0 at end of string
* media: saa7146: add cleanup in hexium_attach()
* media: cpia2_usb: fix memory leaks
* media: saa7134: fix terminology around saa7134_i2c_eeprom_md7134_gate()
* media: ov9650: add a sanity check
* ACPI / CPPC: do not require the _PSD method
* libtraceevent: Change users plugin directory
* ACPI: custom_method: fix memory leaks
* hwmon: (acpi_power_meter) Change log level for 'unsafe software power cap'
* md/raid1: fail run raid1 array when active disk less than one
* dmaengine: ti: edma: Do not reset reserved paRAM slots
* kprobes: Prohibit probing on BUG() and WARN() address
* ASoC: dmaengine: Make the pcm->name equal to pcm->id if the name is not set
* mmc: sdhci: Fix incorrect switch to HS mode
* libertas: Add missing sentinel at end of if_usb.c fw_table
* media: ttusb-dec: Fix info-leak in ttusb_dec_send_command()
* ALSA: hda/realtek - Blacklist PC beep for Lenovo ThinkCentre M73/93
* btrfs: extent-tree: Make sure we only allocate extents from block groups with the same type
* media: omap3isp: Set device on omap3isp subdevs
* ALSA: firewire-tascam: handle error code when getting current source of clock
* ALSA: firewire-tascam: check intermediate state of clock status and retry
* printk: Do not lose last line in kmsg buffer dump
* fuse: fix missing unlock_page in fuse_writepage()
* parisc: Disable HP HSC-PCI Cards to prevent kernel crash
* KVM: x86: always stop emulation on page fault
* KVM: x86: set ctxt->have_exception in x86_decode_insn()
* KVM: x86: Manually calculate reserved bits when loading PDPTRS
* media: sn9c20x: Add MSI MS-1039 laptop to flip_dmi_table
* ASoC: Intel: Fix use of potentially uninitialized variable
* ARM: zynq: Use memcpy_toio instead of memcpy on smp bring-up
* alarmtimer: Use EOPNOTSUPP instead of ENOTSUPP
* md/raid6: Set R5_ReadError when there is read failure on parity disk
* cfg80211: Purge frame registrations on iftype change
* /dev/mem: Bail out upon SIGKILL.
* ext4: fix punch hole for inline_data file systems
* quota: fix wrong condition in is_quota_modification()
* hwrng: core - don't wait on add_early_randomness()
* i2c: riic: Clear NACK in tend isr
* CIFS: Fix oplock handling for SMB 2.1+ protocols
* ovl: filter of trusted xattr results in audit
* Btrfs: fix use-after-free when using the tree modification log
* btrfs: Relinquish CPUs in btrfs_compare_trees
* Btrfs: fix race setting up and completing qgroup rescan workers
* Linux 4.4.195

       4.4.195 upstream stable release
       from git://git.kernel.org/

Connor Kuehl (connork) on 2019-10-17
Changed in linux (Ubuntu):
status: New → Confirmed
tags: added: kernel-stable-tracking-bug
Changed in linux (Ubuntu):
status: Confirmed → Invalid
Changed in linux (Ubuntu Xenial):
status: New → In Progress
assignee: nobody → Connor Kuehl (connork)
importance: Undecided → Medium
Connor Kuehl (connork) wrote :

The following patches were skipped because they have already been applied:

* mISDN: enforce CAP_NET_RAW for raw sockets
* appletalk: enforce CAP_NET_RAW for raw sockets
* ax25: enforce CAP_NET_RAW for raw sockets
* ieee802154: enforce CAP_NET_RAW for raw sockets

Note: the following patch was applied (after reverting our backport) as it is now a clean cherry pick.

* mac80211: handle deauthentication/disassociation from TDLS peer

Connor Kuehl (connork) on 2019-10-17
description: updated
Changed in linux (Ubuntu Xenial):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :
Download full text (18.6 KiB)

This bug was fixed in the package linux - 4.4.0-168.197

linux (4.4.0-168.197) xenial; urgency=medium

  * CVE-2018-12207
    - KVM: x86: MMU: Encapsulate the type of rmap-chain head in a new struct
    - KVM: x86: MMU: Consolidate quickly_check_mmio_pf() and is_mmio_page_fault()
    - KVM: x86: MMU: Move handle_mmio_page_fault() call to kvm_mmu_page_fault()
    - KVM: MMU: rename has_wrprotected_page to mmu_gfn_lpage_is_disallowed
    - KVM: MMU: introduce kvm_mmu_gfn_{allow,disallow}_lpage
    - KVM: x86: MMU: Make mmu_set_spte() return emulate value
    - KVM: x86: MMU: Move initialization of parent_ptes out from
    - KVM: x86: MMU: always set accessed bit in shadow PTEs
    - KVM: x86: MMU: Move parent_pte handling from kvm_mmu_get_page() to
    - KVM: x86: MMU: Remove unused parameter parent_pte from kvm_mmu_get_page()
    - KVM: x86: simplify ept_misconfig
    - KVM: x86: extend usage of RET_MMIO_PF_* constants
    - KVM: MMU: drop vcpu param in gpte_access
    - kvm: Convert kvm_lock to a mutex
    - kvm: x86: Do not release the page inside mmu_set_spte()
    - KVM: x86: make FNAME(fetch) and __direct_map more similar
    - KVM: x86: remove now unneeded hugepage gfn adjustment
    - KVM: x86: change kvm_mmu_page_get_gfn BUG_ON to WARN_ON
    - KVM: x86: add tracepoints around __direct_map and FNAME(fetch)
    - SAUCE: KVM: vmx, svm: always run with EFER.NXE=1 when shadow paging is
    - SAUCE: x86: Add ITLB_MULTIHIT bug infrastructure
    - SAUCE: kvm: mmu: ITLB_MULTIHIT mitigation
    - SAUCE: kvm: Add helper function for creating VM worker threads
    - SAUCE: kvm: x86: mmu: Recovery of shattered NX large pages
    - SAUCE: cpu/speculation: Uninline and export CPU mitigations helpers
    - SAUCE: kvm: x86: mmu: Apply global mitigations knob to ITLB_MULTIHIT

  * CVE-2019-11135
    - KVM: x86: Emulate MSR_IA32_ARCH_CAPABILITIES on AMD hosts
    - KVM: x86: use Intel speculation bugs and features as derived in generic x86
    - x86/msr: Add the IA32_TSX_CTRL MSR
    - x86/cpu: Add a helper function x86_read_arch_cap_msr()
    - x86/cpu: Add a "tsx=" cmdline option with TSX disabled by default
    - x86/speculation/taa: Add mitigation for TSX Async Abort
    - x86/speculation/taa: Add sysfs reporting for TSX Async Abort
    - kvm/x86: Export MDS_NO=0 to guests when TSX is enabled
    - x86/tsx: Add "auto" option to the tsx= cmdline parameter
    - x86/speculation/taa: Add documentation for TSX Async Abort
    - x86/tsx: Add config options to set tsx=on|off|auto
    - SAUCE: x86/speculation/taa: Call tsx_init()
    - SAUCE: x86/cpu: Include cpu header from bugs.c
    - [Config] Disable TSX by default when possible

  * CVE-2019-0154
    - SAUCE: i915_bpo: drm/i915: Lower RM timeout to avoid DSI hard hangs
    - SAUCE: i915_bpo: drm/i915/gen8+: Add RC6 CTX corruption WA
    - SAUCE: drm/i915/gen8+: Add RC6 CTX corruption WA

  * CVE-2019-0155
    - SAUCE: i915_bpo: drm/i915/gtt: Add read only pages to gen8_pte_encode
    - SAUCE: i915_bpo: drm/i915/gtt: Read-only pages for insert_entries on bdw+
    - SAUCE: i915_bpo: drm/i915/gtt: Disable read-on...

Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers