Ubuntu
linux package

Fix potential null pointer dereference on kernfs

Bug #1874221 reported by Kai-Heng Feng on 2020-04-22

This bug affects 1 person

	Status	Importance	Assigned to
HWE Next	Fix Released	Undecided	Unassigned
linux (Ubuntu)	Fix Released	Undecided	Unassigned
Eoan	Fix Released	Undecided	Unassigned

Bug Description

[Impact]
We are seeing a null kernel dereference on kernfs during system sleep
stress.

[Fix]
Make sure kernfs root is not null.

[Test]
Run sleep stress. Not seeing the issue after the fix is applied.

[Regression Potential]
Low. Fix limits to kernfs, also the it has been in upstream kernel for
quite a while.

Tags:

CVE References

Kai-Heng Feng (kaihengfeng) on 2020-04-22

tags:

added: busan oem-priority originate-from-1865972

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2020-04-22: Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1874221

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status:	New → Incomplete
Changed in linux (Ubuntu Eoan):
status:	New → Incomplete

Kelsey Steele (kelsey-steele) on 2020-04-24

Changed in linux (Ubuntu Eoan):
status:	Incomplete → Fix Committed

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2020-05-01:

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-eoan' to 'verification-done-eoan'. If the problem still exists, change the tag 'verification-needed-eoan' to 'verification-failed-eoan'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: verification-needed-eoan

Kai-Heng Feng (kaihengfeng) on 2020-05-11

tags:

added: verification-done-eoan
removed: verification-needed-eoan

Revision history for this message

Launchpad Janitor (janitor) wrote on 2020-05-19:

Download full text (38.1 KiB)

This bug was fixed in the package linux - 5.3.0-53.47

---------------
linux (5.3.0-53.47) eoan; urgency=medium

* eoan/linux: 5.3.0-53.47 -proposed tracker (LP: #1877257)

* Intermittent display blackouts on event (LP: #1875254)
- drm/i915: Limit audio CDCLK>=2*BCLK constraint back to GLK only

  * Unable to handle kernel pointer dereference in virtual kernel address space
    on Eoan (LP: #1876645)
    - SAUCE: overlayfs: fix shitfs special-casing

linux (5.3.0-52.46) eoan; urgency=medium

* eoan/linux: 5.3.0-52.46 -proposed tracker (LP: #1874752)

  * alsa: make the dmic detection align to the mainline kernel-5.6
    (LP: #1871284)
    - ALSA: hda: add Intel DSP configuration / probe code
    - ALSA: hda: fix intel DSP config
    - ALSA: hda: Allow non-Intel device probe gracefully
    - ALSA: hda: More constifications
    - ALSA: hda: Rename back to dmic_detect option
    - [Config] SND_INTEL_DSP_CONFIG=m
    - [packaging] Remove snd-intel-nhlt from modules

* built-using constraints preventing uploads (LP: #1875601)
- temporarily drop Built-Using data

  * ubuntu/focal64 fails to mount Vagrant shared folders (LP: #1873506)
    - [Packaging] Move virtualbox modules to linux-modules
    - [Packaging] Remove vbox and zfs modules from generic.inclusion-list

  * linux-image-5.0.0-35-generic breaks checkpointing of container
    (LP: #1857257)
    - SAUCE: overlayfs: use shiftfs hacks only with shiftfs as underlay

* shiftfs: broken shiftfs nesting (LP: #1872094)
- SAUCE: shiftfs: record correct creator credentials

* Add debian/rules targets to compile/run kernel selftests (LP: #1874286)
- [Packaging] add support to compile/run selftests

* shiftfs: O_TMPFILE reports ESTALE (LP: #1872757)
- SAUCE: shiftfs: fix dentry revalidation

* getitimer returns it_value=0 erroneously (LP: #1349028)
- [Config] CONTEXT_TRACKING_FORCE policy should be unset

  * 5.3.0-46-generic - i915 - frequent GPU hangs / resets rcs0 (LP: #1872001)
    - drm/i915/execlists: Preempt-to-busy
    - drm/i915/gt: Detect if we miss WaIdleLiteRestore
    - drm/i915/execlists: Always force a context reload when rewinding RING_TAIL

  * alsa/sof: external mic can't be deteced on Lenovo and HP laptops
    (LP: #1872569)
    - SAUCE: ASoC: intel/skl/hda - set autosuspend timeout for hda codecs

This bug was fixed in the package linux - 5.3.0-53.47

---------------
linux (5.3.0-53.47) eoan; urgency=medium

* eoan/linux: 5.3.0-53.47 -proposed tracker (LP: #1877257)

* Intermittent display blackouts on event (LP: #1875254)
    - drm/i915: Limit audio CDCLK>=2*BCLK constraint back to GLK only

* Unable to handle kernel pointer dereference in virtual kernel address space
    on Eoan (LP: #1876645)
    - SAUCE: overlayfs: fix shitfs special-casing

linux (5.3.0-52.46) eoan; urgency=medium

* eoan/linux: 5.3.0-52.46 -proposed tracker (LP: #1874752)

* built-using constraints preventing uploads (LP: #1875601)
    - temporarily drop Built-Using data

* ubuntu/focal64 fails to mount Vagrant shared folders  (LP: #1873506)
    - [Packaging] Move virtualbox modules to linux-modules
    - [Packaging] Remove vbox and zfs modules from generic.inclusion-list

* linux-image-5.0.0-35-generic breaks checkpointing of container
    (LP: #1857257)
    - SAUCE: overlayfs: use shiftfs hacks only with shiftfs as underlay

* shiftfs: broken shiftfs nesting (LP: #1872094)
    - SAUCE: shiftfs: record correct creator credentials

* Add debian/rules targets to compile/run kernel selftests (LP: #1874286)
    - [Packaging] add support to compile/run selftests

* shiftfs: O_TMPFILE reports ESTALE (LP: #1872757)
    - SAUCE: shiftfs: fix dentry revalidation

* getitimer returns it_value=0 erroneously (LP: #1349028)
    - [Config] CONTEXT_TRACKING_FORCE policy should be unset

* 5.3.0-46-generic - i915 - frequent GPU hangs  / resets rcs0 (LP: #1872001)
    - drm/i915/execlists: Preempt-to-busy
    - drm/i915/gt: Detect if we miss WaIdleLiteRestore
    - drm/i915/execlists: Always force a context reload when rewinding RING_TAIL

* alsa/sof: external mic can't be deteced on Lenovo and HP laptops
    (LP: #1872569)
    - SAUCE: ASoC: intel/skl/hda - set autosuspend timeout for hda codecs

* Eoan update: upstream stable patchset 2020-04-22 (LP: #1874325)
    - ARM: dts: sun8i-a83t-tbs-a711: HM5065 doesn't like such a high voltage
    - bus: sunxi-rsb: Return correct data when mixing 16-bit and 8-bit reads
    - net: vxge: fix wrong __VA_ARGS__ usage
    - hinic: fix a bug of waitting for IO stopped
    - hinic: fix wrong para of wait_for_completion_timeout
    - cxgb4/ptp: pass the sign of offset delta in FW CMD
    - qlcnic: Fix bad kzalloc null test
    - i2c: st: fix missing struct parameter description
    - cpufreq: imx6q: Fixes unwanted cpu overclocking on i.MX6ULL
    - media: venus: hfi_parser: Ignore HEVC encoding for V1
    - firmware: arm_sdei: fix double-lock on hibernate with shared events
    - null_blk: Fix the null_add_dev() error path
    - null_blk: Handle null_add_dev() failures properly
    - null_blk: fix spurious IO errors after failed past-wp access
    - xhci: bail out early if driver can't accress host in resume
    - x86: Don't let pgprot_modify() change the page encryption bit
    - block: keep bdi->io_pages in sync with max_sectors_kb for stacked devices
    - irqchip/versatile-fpga: Handle chained IRQs properly
    - sched: Avoid scale real weight down to zero
    - selftests/x86/ptrace_syscall_32: Fix no-vDSO segfault
    - PCI/switchtec: Fix init_completion race condition with poll_wait()
    - media: i2c: video-i2c: fix build errors due to 'imply hwmon'
    - libata: Remove extra scsi_host_put() in ata_scsi_add_hosts()
    - pstore/platform: fix potential mem leak if pstore_init_fs failed
    - gfs2: Don't demote a glock until its revokes are written
    - x86/boot: Use unsigned comparison for addresses
    - efi/x86: Ignore the memory attributes table on i386
    - genirq/irqdomain: Check pointer in irq_domain_alloc_irqs_hierarchy()
    - block: Fix use-after-free issue accessing struct io_cq
    - media: i2c: ov5695: Fix power on and off sequences
    - usb: dwc3: core: add support for disabling SS instances in park mode
    - irqchip/gic-v4: Provide irq_retrigger to avoid circular locking dependency
    - md: check arrays is suspended in mddev_detach before call quiesce operations
    - firmware: fix a double abort case with fw_load_sysfs_fallback
    - locking/lockdep: Avoid recursion in lockdep_count_{for,back}ward_deps()
    - block, bfq: fix use-after-free in bfq_idle_slice_timer_body
    - btrfs: qgroup: ensure qgroup_rescan_running is only set when the worker is
      at least queued
    - btrfs: remove a BUG_ON() from merge_reloc_roots()
    - btrfs: track reloc roots based on their commit root bytenr
    - ASoC: fix regwmask
    - ASoC: dapm: connect virtual mux with default value
    - ASoC: dpcm: allow start or stop during pause for backend
    - ASoC: topology: use name_prefix for new kcontrol
    - usb: gadget: f_fs: Fix use after free issue as part of queue failure
    - usb: gadget: composite: Inform controller driver of self-powered
    - ALSA: usb-audio: Add mixer workaround for TRX40 and co
    - ALSA: hda: Add driver blacklist
    - ALSA: hda: Fix potential access overflow in beep helper
    - ALSA: ice1724: Fix invalid access for enumerated ctl items
    - ALSA: pcm: oss: Fix regression by buffer overflow fix
    - ALSA: doc: Document PC Beep Hidden Register on Realtek ALC256
    - ALSA: hda/realtek - Set principled PC Beep configuration for ALC256
    - ALSA: hda/realtek - Remove now-unnecessary XPS 13 headphone noise fixups
    - ALSA: hda/realtek - Add quirk for MSI GL63
    - media: ti-vpe: cal: fix disable_irqs to only the intended target
    - acpi/x86: ignore unspecified bit positions in the ACPI global lock field
    - thermal: devfreq_cooling: inline all stubs for CONFIG_DEVFREQ_THERMAL=n
    - nvme-fc: Revert "add module to ops template to allow module references"
    - nvme: Treat discovery subsystems as unique subsystems
    - PCI: pciehp: Fix indefinite wait on sysfs requests
    - PCI/ASPM: Clear the correct bits when enabling L1 substates
    - PCI: Add boot interrupt quirk mechanism for Xeon chipsets
    - PCI: endpoint: Fix for concurrent memory allocation in OB address region
    - tpm: Don't make log failures fatal
    - tpm: tpm1_bios_measurements_next should increase position index
    - tpm: tpm2_bios_measurements_next should increase position index
    - irqchip/versatile-fpga: Apply clear-mask earlier
    - pstore: pstore_ftrace_seq_next should increase position index
    - MIPS/tlbex: Fix LDDIR usage in setup_pw() for Loongson-3
    - MIPS: OCTEON: irq: Fix potential NULL pointer dereference
    - ath9k: Handle txpower changes even when TPC is disabled
    - signal: Extend exec_id to 64bits
    - x86/entry/32: Add missing ASM_CLAC to general_protection entry
    - KVM: nVMX: Properly handle userspace interrupt window request
    - KVM: s390: vsie: Fix region 1 ASCE sanity shadow address checks
    - KVM: s390: vsie: Fix delivery of addressing exceptions
    - KVM: x86: Allocate new rmap and large page tracking when moving memslot
    - KVM: VMX: Always VMCLEAR in-use VMCSes during crash with kexec support
    - KVM: x86: Gracefully handle __vmalloc() failure during VM allocation
    - KVM: VMX: fix crash cleanup when KVM wasn't used
    - CIFS: Fix bug which the return value by asynchronous read is error
    - mtd: spinand: Stop using spinand->oobbuf for buffering bad block markers
    - mtd: spinand: Do not erase the block before writing a bad block marker
    - Btrfs: fix crash during unmount due to race with delayed inode workers
    - btrfs: set update the uuid generation as soon as possible
    - btrfs: drop block from cache on error in relocation
    - btrfs: fix missing file extent item for hole after ranged fsync
    - btrfs: fix missing semaphore unlock in btrfs_sync_file
    - crypto: mxs-dcp - fix scatterlist linearization for hash
    - erofs: correct the remaining shrink objects
    - powerpc/pseries: Drop pointless static qualifier in vpa_debugfs_init()
    - tools: gpio: Fix out-of-tree build regression
    - net: qualcomm: rmnet: Allow configuration updates to existing devices
    - arm64: dts: allwinner: h6: Fix PMU compatible
    - dm writecache: add cond_resched to avoid CPU hangs
    - dm verity fec: fix memory leak in verity_fec_dtr
    - scsi: zfcp: fix missing erp_lock in port recovery trigger for point-to-point
    - arm64: armv8_deprecated: Fix undef_hook mask for thumb setend
    - selftests: vm: drop dependencies on page flags from mlock2 tests
    - drm/etnaviv: rework perfmon query infrastructure
    - powerpc/pseries: Avoid NULL pointer dereference when drmem is unavailable
    - NFS: Fix a page leak in nfs_destroy_unlinked_subrequests()
    - ext4: fix a data race at inode->i_blocks
    - fs/filesystems.c: downgrade user-reachable WARN_ONCE() to pr_warn_once()
    - ocfs2: no need try to truncate file beyond i_size
    - perf tools: Support Python 3.8+ in Makefile
    - s390/diag: fix display of diagnose call statistics
    - Input: i8042 - add Acer Aspire 5738z to nomux list
    - clk: ingenic/jz4770: Exit with error if CGU init failed
    - kmod: make request_module() return an error when autoloading is disabled
    - cpufreq: powernv: Fix use-after-free
    - hfsplus: fix crash and filesystem corruption when deleting files
    - ipmi: fix hung processes in __get_guid()
    - xen/blkfront: fix memory allocation flags in blkfront_setup_indirect()
    - powerpc/64/tm: Don't let userspace set regs->trap via sigreturn
    - powerpc/hash64/devmap: Use H_PAGE_THP_HUGE when setting up huge devmap PTE
      entries
    - powerpc/xive: Use XIVE_BAD_IRQ instead of zero to catch non configured IPIs
    - powerpc/kprobes: Ignore traps that happened in real mode
    - scsi: mpt3sas: Fix kernel panic observed on soft HBA unplug
    - powerpc: Add attributes for setjmp/longjmp
    - powerpc: Make setjmp/longjmp signature standard
    - btrfs: use nofs allocations for running delayed items
    - dm zoned: remove duplicate nr_rnd_zones increase in dmz_init_zone()
    - crypto: caam - update xts sector size for large input length
    - crypto: ccree - dec auth tag size from cryptlen map
    - crypto: ccree - only try to map auth tag if needed
    - Revert "drm/dp_mst: Remove VCPI while disabling topology mgr"
    - drm/dp_mst: Fix clearing payload state on topology disable
    - drm: Remove PageReserved manipulation from drm_pci_alloc
    - ftrace/kprobe: Show the maxactive number on kprobe_events
    - powerpc/fsl_booke: Avoid creating duplicate tlb1 entry
    - etnaviv: perfmon: fix total and idle HI cyleces readout
    - mfd: dln2: Fix sanity checking for endpoints
    - efi/x86: Fix the deletion of variables in mixed mode
    - ARM: dts: Fix dm814x Ethernet by changing to use rgmii-id mode
    - bpf: Fix deadlock with rq_lock in bpf_send_signal()
    - Input: tm2-touchkey - add support for Coreriver TC360 variant
    - soc: fsl: dpio: register dpio irq handlers after dpio create
    - rxrpc: Abstract out the calculation of whether there's Tx space
    - rxrpc: Fix call interruptibility handling
    - hinic: fix the bug of clearing event queue
    - hinic: fix out-of-order excution in arm cpu
    - hinic: fix wrong value of MIN_SKB_LEN
    - selftests/net: add definition for SOL_DCCP to fix compilation errors for old
      libc
    - drm/scheduler: fix rare NULL ptr race
    - staging: wilc1000: avoid double unlocking of 'wilc->hif_cs' mutex
    - media: imx: imx7_mipi_csis: Power off the source when stopping streaming
    - media: imx: imx7-media-csi: Fix video field handling
    - dma-mapping: Fix dma_pgprot() for unencrypted coherent pages
    - debugfs: Check module state before warning in {full/open}_proxy_open()
    - media: allegro: fix type of gop_length in channel_create message
    - block, bfq: move forward the getting of an extra ref in bfq_bfqq_move
    - gfs2: Do log_flush in gfs2_ail_empty_gl even if ail list is empty
    - cpufreq: imx6q: fix error handling
    - btrfs: restart relocate_tree_blocks properly
    - ALSA: hda/realtek: Enable mute LED on an HP system
    - ALSA: hda/realtek - a fake key event is triggered by running shutup
    - ALSA: hda/realtek - Add quirk for Lenovo Carbon X1 8th gen
    - media: venus: firmware: Ignore secure call error on first resume
    - media: hantro: Read be32 words starting at every fourth byte
    - media: ti-vpe: cal: fix a kernel oops when unloading module
    - seccomp: Add missing compat_ioctl for notify
    - nvmet-tcp: fix maxh2cdata icresp parameter
    - PCI: qcom: Fix the fixup of PCI_VENDOR_ID_QCOM
    - sched/fair: Fix enqueue_task_fair warning
    - cpu/hotplug: Ignore pm_wakeup_pending() for disable_nonboot_cpus()
    - genirq/debugfs: Add missing sanity checks to interrupt injection
    - io_uring: remove bogus RLIMIT_NOFILE check in file registration
    - PM / Domains: Allow no domain-idle-states DT property in genpd when parsing
    - x86/tsc_msr: Use named struct initializers
    - x86/tsc_msr: Fix MSR_FSB_FREQ mask for Cherry Trail devices
    - x86/tsc_msr: Make MSR derived TSC frequency more accurate
    - btrfs: Don't submit any btree write bio if the fs has errors
    - btrfs: reloc: clean dirty subvols if we fail to start a transaction
    - btrfs: unset reloc control if we fail to recover
    - remoteproc: qcom_q6v5_mss: Don't reassign mpss region on shutdown
    - remoteproc: qcom_q6v5_mss: Reload the mba region on coredump
    - remoteproc: Fix NULL pointer dereference in rproc_virtio_notify
    - crypto: rng - Fix a refcounting bug in crypto_rng_reset()
    - io_uring: honor original task RLIMIT_FSIZE
    - mmc: sdhci-of-esdhc: fix esdhc_reset() for different controller versions
    - sched/core: Remove duplicate assignment in sched_tick_remote()
    - arm64: dts: allwinner: h5: Fix PMU compatible
    - dm integrity: fix a crash with unusually large tag size
    - XArray: Fix xas_pause for large multi-index entries
    - xarray: Fix early termination of xas_for_each_marked
    - crypto: caam/qi2 - fix chacha20 data size error
    - crypto: ccree - protect against empty or NULL scatterlists
    - scsi: ufs: fix Auto-Hibern8 error detection
    - ARM: dts: exynos: Fix polarity of the LCD SPI bus on UniversalC210 board
    - selftests/vm: fix map_hugetlb length used for testing read and write
    - selftests/powerpc: Add tlbie_test in .gitignore
    - drm/i915/gem: Flush all the reloc_gpu batch
    - drm/amdgpu: unify fw_write_wait for new gfx9 asics
    - nfsd: fsnotify on rmdir under nfsd/clients/
    - NFS: Fix use-after-free issues in nfs_pageio_add_request()
    - powerpc/64: Setup a paca before parsing device tree etc.
    - powerpc/64: Prevent stack protection in early boot
    - arm64: Always force a branch protection mode when the compiler has one
    - scsi: lpfc: Add registration for CPU Offline/Online events
    - scsi: lpfc: Fix Fabric hostname registration if system hostname changes
    - scsi: lpfc: Fix configuration of BB credit recovery in service parameters
    - scsi: lpfc: Fix broken Credit Recovery after driver load
    - drm/amdgpu: fix gfx hang during suspend with video playback (v2)
    - powerpc/kasan: Fix kasan_remap_early_shadow_ro()
    - mmc: sdhci: Convert sdhci_set_timeout_irq() to non-static
    - mmc: sdhci: Refactor sdhci_set_timeout()
    - bpf: Fix tnum constraints for 32-bit comparisons
    - ASoC: stm32: sai: Add missing cleanup
    - scsi: lpfc: fix inlining of lpfc_sli4_cleanup_poll_list()

* Panic on suspend/resume Kernel panic - not syncing: stack-protector: Kernel
    stack is corrupted in: sata_pmp_eh_recover+0xa2b/0xa40 (LP: #1821434) //
    Eoan update: upstream stable patchset 2020-04-22 (LP: #1874325)
    - libata: Return correct status in sata_pmp_eh_recover_pm() when
      ATA_DFLAG_DETACH is set

* Eoan update: upstream stable patchset 2020-04-13 (LP: #1872533)
    - ipv4: fix a RCU-list lock in fib_triestat_seq_show
    - net, ip_tunnel: fix interface lookup with no key
    - sctp: fix refcount bug in sctp_wfree
    - sctp: fix possibly using a bad saddr with a given dst
    - nvme-rdma: Avoid double freeing of async event data
    - drm/amd/display: Add link_rate quirk for Apple 15" MBP 2017
    - drm/bochs: downgrade pci_request_region failure from error to warning
    - initramfs: restore default compression behavior
    - drm/amdgpu: fix typo for vcn1 idle check
    - tools/power turbostat: Fix gcc build warnings
    - tools/power turbostat: Fix missing SYS_LPI counter on some Chromebooks
    - drm/etnaviv: replace MMU flush marker with flush sequence
    - misc: rtsx: set correct pcr_ops for rts522A
    - misc: pci_endpoint_test: Fix to support > 10 pci-endpoint-test devices
    - misc: pci_endpoint_test: Avoid using module parameter to determine irqtype
    - coresight: do not use the BIT() macro in the UAPI header
    - mei: me: add cedar fork device ids
    - extcon: axp288: Add wakeup support
    - power: supply: axp288_charger: Add special handling for HP Pavilion x2 10
    - ALSA: hda/ca0132 - Add Recon3Di quirk to handle integrated sound on EVGA X99
      Classified motherboard
    - rxrpc: Fix sendmsg(MSG_WAITALL) handling
    - net: Fix Tx hash bound checking
    - padata: always acquire cpu_hotplug_lock before pinst->lock
    - mm: mempolicy: require at least one nodeid for MPOL_PREFERRED
    - ipv6: don't auto-add link-local address to lag ports
    - net: dsa: bcm_sf2: Do not register slave MDIO bus with OF
    - net: dsa: bcm_sf2: Ensure correct sub-node is parsed
    - net: phy: micrel: kszphy_resume(): add delay after genphy_resume() before
      accessing PHY registers
    - net: stmmac: dwmac1000: fix out-of-bounds mac address reg setting
    - mlxsw: spectrum_flower: Do not stop at FLOW_ACTION_VLAN_MANGLE
    - random: always use batched entropy for get_random_u{32,64}
    - usb: dwc3: gadget: Wrap around when skip TRBs
    - tools/accounting/getdelays.c: fix netlink attribute length
    - hwrng: imx-rngc - fix an error path
    - ASoC: jz4740-i2s: Fix divider written at incorrect offset in register
    - IB/hfi1: Call kobject_put() when kobject_init_and_add() fails
    - IB/hfi1: Fix memory leaks in sysfs registration and unregistration
    - ceph: remove the extra slashes in the server path
    - ceph: canonicalize server path in place
    - RDMA/ucma: Put a lock around every call to the rdma_cm layer
    - RDMA/cma: Teach lockdep about the order of rtnl and lock
    - Bluetooth: RFCOMM: fix ODEBUG bug in rfcomm_dev_ioctl
    - RDMA/cm: Update num_paths in cma_resolve_iboe_route error flow
    - fbcon: fix null-ptr-deref in fbcon_switch
    - clk: qcom: rcg: Return failure for RCG update
    - usb: dwc3: don't set gadget->is_otg flag
    - kconfig: introduce m32-flag and m64-flag
    - tools/power turbostat: Fix 32-bit capabilities warning
    - XArray: Fix xa_find_next for large multi-index entries
    - brcmfmac: abort and release host after error
    - nvmem: check for NULL reg_read and reg_write before dereferencing
    - Revert "dm: always call blk_queue_split() in dm_process_bio()"
    - soc: mediatek: knows_txdone needs to be set in Mediatek CMDQ helper
    - net/mlx5e: kTLS, Fix wrong value in record tracker enum
    - iwlwifi: consider HE capability when setting LDPC
    - iwlwifi: yoyo: don't add TLV offset when reading FIFOs
    - IB/hfi1: Ensure pq is not left on waitlist
    - tcp: fix TFO SYNACK undo to avoid double-timestamp-undo
    - watchdog: iTCO_wdt: Export vendorsupport
    - watchdog: iTCO_wdt: Make ICH_RES_IO_SMI optional
    - net: phy: realtek: fix handling of RTL8105e-integrated PHY
    - cxgb4: fix MPS index overwrite when setting MAC address
    - net_sched: add a temporary refcnt for struct tcindex_data
    - net_sched: fix a missing refcnt in tcindex_init()
    - tun: Don't put_page() for all negative return values from XDP program
    - s390: prevent leaking kernel address in BEAR
    - uapi: rename ext2_swab() to swab() and share globally in swab.h
    - slub: improve bit diffusion for freelist ptr obfuscation
    - ARM: imx: Enable ARM_ERRATA_814220 for i.MX6UL and i.MX7D
    - ARM: imx: only select ARM_ERRATA_814220 for ARMv7-A
    - include/uapi/linux/swab.h: fix userspace breakage, use __BITS_PER_LONG for
      swap
    - RDMA/siw: Fix passive connection establishment
    - blk-mq: Keep set->nr_hw_queues and set->map[].nr_queues in sync
    - iommu/vt-d: Allow devices with RMRRs to use identity domain
    - SUNRPC: fix krb5p mount to provide large enough buffer in rq_rcvsize

* Disco update: upstream stable patchset 2020-04-13 (LP: #1872500) // Eoan
    update: upstream stable patchset 2020-04-13 (LP: #1872533)
    - [Packaging] add libcap-dev dependency

* CVE-2020-11608
    - media: ov519: add missing endpoint sanity checks

* Add hw timestamps to received skbs in peak_canfd (LP: #1874124)
    - can: peak_canfd: provide hw timestamps in rx skbs

* dscr_sysfs_test / futex_bench / tm-unavailable  in powerpc from
    ubuntu_kernel_selftests timeout on PowerPC nodes with B-5.3 (LP: #1864642)
    - selftests/powerpc: Turn off timeout setting for benchmarks, dscr, signal, tm

* Fix potential null pointer dereference on kernfs (LP: #1874221)
    - kernfs: fix potential null pointer dereference

* alsa/sof: headphone can't be detected when sof driver enters rt_suspend
    (LP: #1872380)
    - ASoC: SOF: remove unused state variable in suspend function
    - ASoC: SOF: Intel: hda: correct ROM state mask
    - ASoC: SOF: Intel: hda: reduce ifdef usage for hda
    - ASoC: SOF: Intel: hda: Enable jack detection

* kselftest: seccomp kill_after_ptrace() timeout (LP: #1872047)
    - SAUCE: kselftest/runner: allow to properly deliver signals to tests

* [Selftests] Apply various fixes and improvements (LP: #1870543)
    - SAUCE: kselftest/runner: avoid using timeout if timeout is disabled

* Kernel Oops - general protection fault: 0000 [#1] SMP PTI after
    disconnecting thunderbolt docking station (LP: #1864754)
    - igb/igc: Don't warn on fatal read failures when the device is removed

* user_notification_basic in seccomp of ubuntu_kernel_selftest failed on
    Bionic-5.0 Kernels (LP: #1862588)
    - Revert "selftests/seccomp: Catch garbage on SECCOMP_IOCTL_NOTIF_RECV"

* CVE-2020-11494
    - slcan: Don't transmit uninitialized stack data in padding

* add_key05 from ubuntu_ltp_syscalls failed (LP: #1869644)
    - KEYS: reaching the keys quotas correctly

* Eoan update: upstream stable patchset 2020-04-08 (LP: #1871697)
    - mmc: core: Allow host controllers to require R1B for CMD6
    - mmc: core: Respect MMC_CAP_NEED_RSP_BUSY for erase/trim/discard
    - mmc: core: Respect MMC_CAP_NEED_RSP_BUSY for eMMC sleep command
    - mmc: sdhci-omap: Fix busy detection by enabling MMC_CAP_NEED_RSP_BUSY
    - mmc: sdhci-tegra: Fix busy detection by enabling MMC_CAP_NEED_RSP_BUSY
    - geneve: move debug check after netdev unregister
    - hsr: fix general protection fault in hsr_addr_is_self()
    - macsec: restrict to ethernet devices
    - mlxsw: spectrum_mr: Fix list iteration in error path
    - net: cbs: Fix software cbs to consider packet sending time
    - net: dsa: Fix duplicate frames flooded by learning
    - net: mvneta: Fix the case where the last poll did not process all rx
    - net/packet: tpacket_rcv: avoid a producer race condition
    - net: qmi_wwan: add support for ASKEY WWHC050
    - net_sched: cls_route: remove the right filter from hashtable
    - net_sched: keep alloc_hash updated after hash allocation
    - net: stmmac: dwmac-rk: fix error path in rk_gmac_probe
    - NFC: fdp: Fix a signedness bug in fdp_nci_send_patch()
    - slcan: not call free_netdev before rtnl_unlock in slcan_open
    - bnxt_en: fix memory leaks in bnxt_dcbnl_ieee_getets()
    - bnxt_en: Reset rings if ring reservation fails during open()
    - net: ip_gre: Separate ERSPAN newlink / changelink callbacks
    - net: ip_gre: Accept IFLA_INFO_DATA-less configuration
    - net: dsa: mt7530: Change the LINK bit to reflect the link status
    - net: phy: mdio-mux-bcm-iproc: check clk_prepare_enable() return value
    - r8169: re-enable MSI on RTL8168c
    - tcp: repair: fix TCP_QUEUE_SEQ implementation
    - vxlan: check return value of gro_cells_init()
    - hsr: use rcu_read_lock() in hsr_get_node_{list/status}()
    - hsr: add restart routine into hsr_get_node_list()
    - hsr: set .netnsok flag
    - cgroup-v1: cgroup_pidlist_next should update position index
    - nfs: add minor version to nfs_server_key for fscache
    - cpupower: avoid multiple definition with gcc -fno-common
    - drivers/of/of_mdio.c:fix of_mdiobus_register()
    - cgroup1: don't call release_agent when it is ""
    - [Config] updateconfigs for DPAA_ERRATUM_A050385
    - dt-bindings: net: FMan erratum A050385
    - arm64: dts: ls1043a: FMan erratum A050385
    - fsl/fman: detect FMan erratum A050385
    - s390/qeth: handle error when backing RX buffer
    - scsi: ipr: Fix softlockup when rescanning devices in petitboot
    - mac80211: Do not send mesh HWMP PREQ if HWMP is disabled
    - dpaa_eth: Remove unnecessary boolean expression in dpaa_get_headroom
    - sxgbe: Fix off by one in samsung driver strncpy size arg
    - i2c: hix5hd2: add missed clk_disable_unprepare in remove
    - Input: raydium_i2c_ts - fix error codes in raydium_i2c_boot_trigger()
    - Input: synaptics - enable RMI on HP Envy 13-ad105ng
    - Input: avoid BIT() macro usage in the serio.h UAPI header
    - ceph: check POOL_FLAG_FULL/NEARFULL in addition to OSDMAP_FULL/NEARFULL
    - ARM: dts: dra7: Add bus_dma_limit for L3 bus
    - ARM: dts: omap5: Add bus_dma_limit for L3 bus
    - perf probe: Do not depend on dwfl_module_addrsym()
    - tools: Let O= makes handle a relative path with -C option
    - scripts/dtc: Remove redundant YYLOC global declaration
    - scsi: sd: Fix optimal I/O size for devices that change reported values
    - nl80211: fix NL80211_ATTR_CHANNEL_WIDTH attribute type
    - mac80211: mark station unauthorized before key removal
    - gpiolib: acpi: Correct comment for HP x2 10 honor_wakeup quirk
    - gpiolib: acpi: Rework honor_wakeup option into an ignore_wake option
    - gpiolib: acpi: Add quirk to ignore EC wakeups on HP x2 10 BYT + AXP288 model
    - RDMA/core: Ensure security pkey modify is not lost
    - genirq: Fix reference leaks on irq affinity notifiers
    - xfrm: handle NETDEV_UNREGISTER for xfrm device
    - vti[6]: fix packet tx through bpf_redirect() in XinY cases
    - RDMA/mlx5: Block delay drop to unprivileged users
    - xfrm: fix uctx len check in verify_sec_ctx_len
    - xfrm: add the missing verify_sec_ctx_len check in xfrm_add_acquire
    - xfrm: policy: Fix doulbe free in xfrm_policy_timer
    - afs: Fix some tracing details
    - netfilter: flowtable: reload ip{v6}h in nf_flow_tuple_ip{v6}
    - netfilter: nft_fwd_netdev: validate family and chain type
    - bpf/btf: Fix BTF verification of enum members in struct/union
    - vti6: Fix memory leak of skb if input policy check fails
    - Revert "r8169: check that Realtek PHY driver module is loaded"
    - mac80211: set IEEE80211_TX_CTRL_PORT_CTRL_PROTO for nl80211 TX
    - USB: serial: option: add support for ASKEY WWHC050
    - USB: serial: option: add BroadMobi BM806U
    - USB: serial: option: add Wistron Neweb D19Q1
    - USB: cdc-acm: restore capability check order
    - USB: serial: io_edgeport: fix slab-out-of-bounds read in
      edge_interrupt_callback
    - usb: musb: fix crash with highmen PIO and usbmon
    - media: flexcop-usb: fix endpoint sanity check
    - media: usbtv: fix control-message timeouts
    - staging: rtl8188eu: Add ASUS USB-N10 Nano B1 to device table
    - staging: wlan-ng: fix ODEBUG bug in prism2sta_disconnect_usb
    - staging: wlan-ng: fix use-after-free Read in hfa384x_usbin_callback
    - ahci: Add Intel Comet Lake H RAID PCI ID
    - libfs: fix infoleak in simple_attr_read()
    - media: ov519: add missing endpoint sanity checks
    - media: dib0700: fix rc endpoint lookup
    - media: stv06xx: add missing descriptor sanity checks
    - media: xirlink_cit: add missing descriptor sanity checks
    - mac80211: Check port authorization in the ieee80211_tx_dequeue() case
    - mac80211: fix authentication with iwlwifi/mvm
    - vt: selection, introduce vc_is_sel
    - vt: ioctl, switch VT_IS_IN_USE and VT_BUSY to inlines
    - vt: switch vt_dont_switch to bool
    - vt: vt_ioctl: remove unnecessary console allocation checks
    - vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console
    - vt: vt_ioctl: fix use-after-free in vt_in_use()
    - platform/x86: pmc_atom: Add Lex 2I385SW to critclk_systems DMI table
    - bpf: Explicitly memset the bpf_attr structure
    - bpf: Explicitly memset some bpf info structures declared on the stack
    - gpiolib: acpi: Add quirk to ignore EC wakeups on HP x2 10 CHT + AXP288 model
    - net: ks8851-ml: Fix IO operations, again
    - arm64: alternative: fix build with clang integrated assembler
    - perf map: Fix off by one in strncpy() size argument
    - ARM: dts: oxnas: Fix clear-mask property
    - ARM: bcm2835-rpi-zero-w: Add missing pinctrl name
    - ARM: dts: imx6: phycore-som: fix arm and soc minimum voltage
    - ARM: dts: N900: fix onenand timings
    - arm64: dts: ls1043a-rdb: correct RGMII delay mode to rgmii-id
    - arm64: dts: ls1046ardb: set RGMII interfaces to RGMII_ID mode
    - ACPI: PM: s2idle: Rework ACPI events synchronization
    - cxgb4: fix throughput drop during Tx backpressure
    - cxgb4: fix Txq restart check during backpressure
    - ipv4: fix a RCU-list lock in inet_dump_fib()
    - mlxsw: pci: Only issue reset when system is ready
    - net/bpfilter: fix dprintf usage for /dev/kmsg
    - net: dsa: tag_8021q: replace dsa_8021q_remove_header with __skb_vlan_pop
    - net: phy: dp83867: w/a for fld detect threshold bootstrapping issue
    - net: phy: mdio-bcm-unimac: Fix clock handling
    - net/sched: act_ct: Fix leak of ct zone template on replace
    - net_sched: hold rtnl lock in tcindex_partial_destroy_work()
    - tcp: also NULL skb->dev when copy was needed
    - tcp: ensure skb->dev is NULL before leaving TCP stack
    - bnxt_en: Fix Priority Bytes and Packets counters in ethtool -S.
    - bnxt_en: Return error if bnxt_alloc_ctx_mem() fails.
    - bnxt_en: Free context memory after disabling PCI in probe error path.
    - net/mlx5e: Enhance ICOSQ WQE info fields
    - net/mlx5e: Fix missing reset of SW metadata in Striding RQ reset
    - drm/exynos: Fix cleanup of IOMMU related objects
    - s390/qeth: don't reset default_out_queue
    - net: hns3: fix "tc qdisc del" failed issue
    - iommu/vt-d: Fix debugfs register reads
    - iommu/vt-d: Populate debugfs if IOMMUs are detected
    - IB/rdmavt: Free kernel completion queue when done
    - RDMA/core: Fix missing error check on dev_set_name()
    - gpiolib: Fix irq_disable() semantics
    - RDMA/nl: Do not permit empty devices names during RDMA_NLDEV_CMD_NEWLINK/SET
    - RDMA/mad: Do not crash if the rdma device does not have a umad interface
    - ceph: fix memory leak in ceph_cleanup_snapid_map()
    - x86/ioremap: Fix CONFIG_EFI=n build
    - perf probe: Fix to delete multiple probe event
    - mm/sparse: fix kernel crash with pfn_section_valid check
    - mm: fork: fix kernel_stack memcg stats for various stack implementations
    - bpf: Fix cgroup ref leak in cgroup_bpf_inherit on out-of-memory
    - afs: Fix handling of an abort from a service handler
    - RDMA/mlx5: Fix access to wrong pointer while performing flush due to error
    - afs: Fix client call Rx-phase signal handling
    - afs: Fix unpinned address list during probing
    - netfilter: nft_fwd_netdev: allow to redirect to ifb via ingress
    - bpf, x32: Fix bug with JMP32 JSET BPF_X checking upper bits
    - bpf: Initialize storage pointers to NULL to prevent freeing garbage pointer
    - bpf, sockmap: Remove bucket->lock from sock_{hash|map}_free
    - ARM: dts: sun8i-a83t-tbs-a711: Fix USB OTG mode detection
    - staging: kpc2000: prevent underflow in cpld_reconfigure()
    - media: v4l2-core: fix a use-after-free bug of sd->devnode
    - [Config] updateconfigs for NET_REDIRECT
    - net: Fix CONFIG_NET_CLS_ACT=n and CONFIG_NFT_FWD_NETDEV={y, m} build
    - serial: sprd: Fix a dereference warning
    - clk: imx: Align imx sc clock msg structs to 4
    - clk: imx: Align imx sc clock parent msg structs to 4
    - clk: ti: am43xx: Fix clock parent for RTC clock
    - libceph: fix alloc_msg_with_page_vector() memory leaks
    - ARM: dts: sun8i: r40: Move AHCI device node based on address order

* Eoan update: upstream stable patchset 2020-04-06 (LP: #1871225)
    - drm/mediatek: Find the cursor plane instead of hard coding it
    - spi: qup: call spi_qup_pm_resume_runtime before suspending
    - powerpc: Include .BTF section
    - ARM: dts: dra7: Add "dma-ranges" property to PCIe RC DT nodes
    - spi: pxa2xx: Add CS control clock quirk
    - spi/zynqmp: remove entry that causes a cs glitch
    - drm/exynos: dsi: propagate error value and silence meaningless warning
    - drm/exynos: dsi: fix workaround for the legacy clock name
    - drivers/perf: arm_pmu_acpi: Fix incorrect checking of gicc pointer
    - altera-stapl: altera_get_note: prevent write beyond end of 'key'
    - dm bio record: save/restore bi_end_io and bi_integrity
    - dm integrity: use dm_bio_record and dm_bio_restore
    - riscv: avoid the PIC offset of static percpu data in module beyond 2G limits
    - drm/amd/display: Clear link settings on MST disable connector
    - drm/amd/display: fix dcc swath size calculations on dcn1
    - xenbus: req->body should be updated before req->state
    - xenbus: req->err should be updated before req->state
    - block, bfq: fix overwrite of bfq_group pointer in bfq_find_set_group()
    - parse-maintainers: Mark as executable
    - usb: quirks: add NO_LPM quirk for RTL8153 based ethernet adapters
    - USB: serial: option: add ME910G1 ECM composition 0x110b
    - usb: host: xhci-plat: add a shutdown
    - USB: serial: pl2303: add device-id for HP LD381
    - usb: xhci: apply XHCI_SUSPEND_DELAY to AMD XHCI controller 1022:145c
    - ALSA: line6: Fix endless MIDI read loop
    - ALSA: seq: virmidi: Fix running status after receiving sysex
    - ALSA: seq: oss: Fix running status after receiving sysex
    - ALSA: pcm: oss: Avoid plugin buffer overflow
    - ALSA: pcm: oss: Remove WARNING from snd_pcm_plug_alloc() checks
    - iio: trigger: stm32-timer: disable master mode when stopping
    - iio: magnetometer: ak8974: Fix negative raw values in sysfs
    - iio: adc: at91-sama5d2_adc: fix differential channels in triggered mode
    - mmc: rtsx_pci: Fix support for speed-modes that relies on tuning
    - mmc: sdhci-of-at91: fix cd-gpios for SAMA5D2
    - staging: rtl8188eu: Add device id for MERCUSYS MW150US v2
    - staging: greybus: loopback_test: fix poll-mask build breakage
    - staging/speakup: fix get_word non-space look-ahead
    - intel_th: Fix user-visible error codes
    - intel_th: pci: Add Elkhart Lake CPU support
    - rtc: max8907: add missing select REGMAP_IRQ
    - xhci: Do not open code __print_symbolic() in xhci trace events
    - btrfs: fix log context list corruption after rename whiteout error
    - drm/amd/amdgpu: Fix GPR read from debugfs (v2)
    - drm/lease: fix WARNING in idr_destroy
    - memcg: fix NULL pointer dereference in __mem_cgroup_usage_unregister_event
    - mm: slub: be more careful about the double cmpxchg of freelist
    - mm, slub: prevent kmalloc_node crashes and memory leaks
    - page-flags: fix a crash at SetPageError(THP_SWAP)
    - x86/mm: split vmalloc_sync_all()
    - USB: cdc-acm: fix close_delay and closing_wait units in TIOCSSERIAL
    - USB: cdc-acm: fix rounding error in TIOCSSERIAL
    - iio: light: vcnl4000: update sampling periods for vcnl4200
    - kbuild: Disable -Wpointer-to-enum-cast
    - futex: Fix inode life-time issue
    - futex: Unbreak futex hashing
    - arm64: smp: fix smp_send_stop() behaviour
    - arm64: smp: fix crash_smp_send_stop() behaviour
    - drm/bridge: dw-hdmi: fix AVI frame colorimetry
    - staging: greybus: loopback_test: fix potential path truncation
    - staging: greybus: loopback_test: fix potential path truncations
    - locks: fix a potential use-after-free problem when wakeup a waiter
    - locks: reinstate locks_delete_block optimization
    - spi: spi-omap2-mcspi: Support probe deferral for DMA channels
    - phy: ti: gmii-sel: fix set of copy-paste errors
    - phy: ti: gmii-sel: do not fail in case of gmii
    - ARM: dts: dra7-l4: mark timer13-16 as pwm capable
    - cifs: fix potential mismatch of UNC paths
    - drm/exynos: hdmi: don't leak enable HDMI_EN regulator if probe fails
    - drivers/perf: fsl_imx8_ddr: Correct the CLEAR bit definition
    - ASoC: stm32: sai: manage rebind issue
    - spi: spi_register_controller(): free bus id on error paths
    - riscv: Fix range looking for kernel image memblock
    - drm/amdgpu: clean wptr on wb when gpu recovery
    - binderfs: use refcount for binder control devices too
    - Revert "drm/fbdev: Fallback to non tiled mode if all tiles not present"
    - usb: typec: ucsi: displayport: Fix NULL pointer dereference
    - usb: typec: ucsi: displayport: Fix a potential race during registration
    - ALSA: hda/realtek - Enable headset mic of Acer X2660G with ALC662
    - ALSA: hda/realtek - Enable the headset of Acer N50-600 with ALC662
    - tty: fix compat TIOCGSERIAL leaking uninitialized memory
    - tty: fix compat TIOCGSERIAL checking wrong function ptr
    - iio: chemical: sps30: fix missing triggered buffer dependency
    - iio: accel: adxl372: Set iio_chan BE
    - iio: adc: stm32-dfsdm: fix sleep in atomic context
    - iio: light: vcnl4000: update sampling periods for vcnl4040
    - mmc: sdhci-cadence: set SDHCI_QUIRK2_PRESET_VALUE_BROKEN for UniPhier
    - CIFS: fiemap: do not return EINVAL if get nothing
    - arm64: compat: Fix syscall number of compat_clock_getres
    - stm class: sys-t: Fix the use of time_after()
    - mm/hotplug: fix hot remove failure in SPARSEMEM|!VMEMMAP case
    - epoll: fix possible lost wakeup on epoll_ctl() path
    - nvmet-tcp: set MSG_MORE only if we actually have more to send

* Pop sound from build-in speaker during cold boot and resume from S3
    (LP: #1866357) // Eoan update: upstream stable patchset 2020-04-06
    (LP: #1871225)
    - ALSA: hda/realtek: Fix pop noise on ALC225

-- Stefan Bader <stefan.bader@canonical.com>  Thu, 07 May 2020 13:54:27 +0200

Changed in linux (Ubuntu Eoan):
status:	Fix Committed → Fix Released

Timo Aaltonen (tjaalton) on 2022-09-02

Changed in linux (Ubuntu):
status:	Incomplete → Fix Released
Changed in hwe-next:
status:	New → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntulinux package

Fix potential null pointer dereference on kernfs

Bug Description

CVE References

Other bug subscribers

Remote bug watches

Ubuntu
linux package