Ubuntu
linux package

Xenial update: v4.4.235 upstream stable release

Bug #1895031 reported by Kamal Mostafa on 2020-09-09

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	linux (Ubuntu)	Invalid	Undecided	Unassigned
	Xenial	Fix Released	Undecided	Kamal Mostafa

Bug Description

SRU Justification

    Impact:
       The upstream process for stable tree updates is quite similar
       in scope to the Ubuntu SRU process, e.g., each patch has to
       demonstrably fix a bug, and each patch is vetted by upstream
       by originating either directly from a mainline/stable Linux tree or
       a minimally backported form of that patch. The following upstream
       stable patches should be included in the Ubuntu kernel:

v4.4.235 upstream stable release
from git://git.kernel.org/

net: Fix potential wrong skb->protocol in skb_vlan_untag()
tipc: fix uninit skb->data in tipc_nl_compat_dumpit()
ipvlan: fix device features
bonding: show saner speed for broadcast mode
bonding: fix a potential double-unregister
powerpc/pseries: Do not initiate shutdown when system is running on UPS
ALSA: pci: delete repeated words in comments
ASoC: tegra: Fix reference count leaks.
media: pci: ttpci: av7110: fix possible buffer overflow caused by bad DMA value in debiirq()
scsi: target: tcmu: Fix crash on ARM during cmd completion
drm/amdkfd: Fix reference count leaks.
drm/radeon: fix multiple reference count leak
drm/amdgpu: fix ref count leak in amdgpu_driver_open_kms
drm/amd/display: fix ref count leak in amdgpu_drm_ioctl
drm/amdgpu: fix ref count leak in amdgpu_display_crtc_set_config
drm/amdgpu/display: fix ref count leak when pm_runtime_get_sync fails
scsi: lpfc: Fix shost refcount mismatch when deleting vport
selftests/powerpc: Purge extra count_pmc() calls of ebb selftests
PCI: Fix pci_create_slot() reference count leak
rtlwifi: rtl8192cu: Prevent leaking urb
mips/vdso: Fix resource leaks in genvdso.c
drm/nouveau/drm/noveau: fix reference count leak in nouveau_fbcon_open
drm/nouveau: Fix reference count leak in nouveau_connector_detect
locking/lockdep: Fix overflow in presentation of average lock-time
scsi: iscsi: Do not put host in iscsi_set_flashnode_param()
ceph: fix potential mdsc use-after-free crash
scsi: fcoe: Memory leak fix in fcoe_sysfs_fcf_del()
EDAC/ie31200: Fallback if host bridge device is already initialized
media: davinci: vpif_capture: fix potential double free
powerpc/spufs: add CONFIG_COREDUMP dependency
USB: sisusbvga: Fix a potential UB casued by left shifting a negative value
Revert "ath10k: fix DMA related firmware crashes on multiple devices"
i2c: rcar: in slave mode, clear NACK earlier
jbd2: make sure jh have b_transaction set in refile/unfile_buffer
jbd2: abort journal if free a async write error metadata buffer
s390/cio: add cond_resched() in the slow_eval_known_fn() loop
scsi: ufs: Fix possible infinite loop in ufshcd_hold
net: gianfar: Add of_node_put() before goto statement
fbcon: prevent user font height or width change from causing potential out-of-bounds access
USB: lvtest: return proper error code in probe
vt: defer kfree() of vc_screenbuf in vc_do_resize()
vt_ioctl: change VT_RESIZEX ioctl to check for error return from vc_resize()
serial: samsung: Removes the IRQ not found warning
serial: pl011: Don't leak amba_ports entry on driver register error
serial: 8250: change lock order in serial8250_do_startup()
writeback: Protect inode->i_io_list with inode->i_lock
writeback: Avoid skipping inode writeback
writeback: Fix sync livelock due to b_dirty_time processing
XEN uses irqdesc::irq_data_common::handler_data to store a per interrupt XEN data pointer which contains XEN specific information.
xhci: Do warm-reset when both CAS and XDEV_RESUME are set
PM: sleep: core: Fix the handling of pending runtime resume requests
device property: Fix the secondary firmware node handling in set_primary_fwnode()
USB: yurex: Fix bad gfp argument
usb: uas: Add quirk for PNY Pro Elite
USB: quirks: Add no-lpm quirk for another Raydium touchscreen
USB: Ignore UAS for JMicron JMS567 ATA/ATAPI Bridge
usb: host: ohci-exynos: Fix error handling in exynos_ohci_probe()
usb: storage: Add unusual_uas entry for Sony PSZ drives
btrfs: check the right error variable in btrfs_del_dir_entries_in_log
HID: hiddev: Fix slab-out-of-bounds write in hiddev_ioctl_usage()
ALSA: usb-audio: Update documentation comment for MS2109 quirk
Linux 4.4.235
UBUNTU: upstream stable to v4.4.235

See original description

Tags:

CVE References

Kamal Mostafa (kamalmostafa) on 2020-09-09

Changed in linux (Ubuntu):
status:	New → Confirmed
tags:	added: kernel-stable-tracking-bug
description:	updated
Changed in linux (Ubuntu Xenial):
status:	New → In Progress
assignee:	nobody → Kamal Mostafa (kamalmostafa)

Stefan Bader (smb) on 2020-09-17

Changed in linux (Ubuntu Xenial):
status:	In Progress → Fix Committed

Revision history for this message

Launchpad Janitor (janitor) wrote on 2020-10-13:

Download full text (11.7 KiB)

This bug was fixed in the package linux - 4.4.0-193.224

---------------
linux (4.4.0-193.224) xenial; urgency=medium

* CVE-2020-16119
- SAUCE: dccp: avoid double free of ccid on child socket

linux (4.4.0-192.222) xenial; urgency=medium

* xenial/linux: 4.4.0-192.222 -proposed tracker (LP: #1897734)

* mwifiex stops working after kernel upgrade (LP: #1897299)
- mwifiex: Increase AES key storage size to 256 bits

  * xenial 4.4.0-191-generic in -proposed has a regression (LP: #1896725)
    - Revert "XEN uses irqdesc::irq_data_common::handler_data to store a per
      interrupt XEN data pointer which contains XEN specific information."

linux (4.4.0-191.221) xenial; urgency=medium

* xenial/linux: 4.4.0-191.221 -proposed tracker (LP: #1896067)

* Novalink (mkvterm command failure) (LP: #1892546)
- tty: hvcs: Don't NULL tty->driver_data until hvcs_cleanup()

This bug was fixed in the package linux - 4.4.0-193.224

---------------
linux (4.4.0-193.224) xenial; urgency=medium

* CVE-2020-16119
    - SAUCE: dccp: avoid double free of ccid on child socket

linux (4.4.0-192.222) xenial; urgency=medium

* xenial/linux: 4.4.0-192.222 -proposed tracker (LP: #1897734)

* mwifiex stops working after kernel upgrade (LP: #1897299)
    - mwifiex: Increase AES key storage size to 256 bits

linux (4.4.0-191.221) xenial; urgency=medium

* xenial/linux: 4.4.0-191.221 -proposed tracker (LP: #1896067)

* Novalink (mkvterm command failure) (LP: #1892546)
    - tty: hvcs: Don't NULL tty->driver_data until hvcs_cleanup()

* Xenial update: v4.4.236 upstream stable release (LP: #1895891)
    - HID: core: Correctly handle ReportSize being zero
    - HID: core: Sanitize event code and type when mapping input
    - perf record/stat: Explicitly call out event modifiers in the documentation
    - mm, page_alloc: remove unnecessary variable from free_pcppages_bulk
    - hwmon: (applesmc) check status earlier.
    - ceph: don't allow setlease on cephfs
    - s390: don't trace preemption in percpu macros
    - xen/xenbus: Fix granting of vmalloc'd memory
    - dmaengine: of-dma: Fix of_dma_router_xlate's of_dma_xlate handling
    - batman-adv: Avoid uninitialized chaddr when handling DHCP
    - batman-adv: bla: use netif_rx_ni when not in interrupt context
    - dmaengine: at_hdmac: check return value of of_find_device_by_node() in
      at_dma_xlate()
    - netfilter: nf_tables: incorrect enum nft_list_attributes definition
    - netfilter: nf_tables: fix destination register zeroing
    - dmaengine: pl330: Fix burst length if burst size is smaller than bus width
    - bnxt_en: Check for zero dir entries in NVRAM.
    - fix regression in "epoll: Keep a reference on files added to the check list"
    - tg3: Fix soft lockup when tg3_reset_task() fails.
    - iommu/vt-d: Serialize IOMMU GCMD register modifications
    - thermal: ti-soc-thermal: Fix bogus thermal shutdowns for omap4430
    - include/linux/log2.h: add missing () around n in roundup_pow_of_two()
    - btrfs: drop path before adding new uuid tree entry
    - btrfs: Remove redundant extent_buffer_get in get_old_root
    - btrfs: Remove extraneous extent_buffer_get from tree_mod_log_rewind
    - btrfs: set the lockdep class for log tree extent buffers
    - uaccess: Add non-pagefault user-space read functions
    - uaccess: Add non-pagefault user-space write function
    - btrfs: fix potential deadlock in the search ioctl
    - net: qmi_wwan: MDM9x30 specific power management
    - net: qmi_wwan: support "raw IP" mode
    - net: qmi_wwan: should hold RTNL while changing netdev type
    - net: qmi_wwan: ignore bogus CDC Union descriptors
    - Add Dell Wireless 5809e Gobi 4G HSPA+ Mobile Broadband Card (rev3) to
      qmi_wwan
    - qmi_wwan: Added support for Gemalto's Cinterion PHxx WWAN interface
    - qmi_wwan: add support for Quectel EC21 and EC25
    - NET: usb: qmi_wwan: add support for Telit LE922A PID 0x1040
    - drivers: net: usb: qmi_wwan: add QMI_QUIRK_SET_DTR for Telit PID 0x1201
    - usb: qmi_wwan: add D-Link DWM-222 A2 device ID
    - net: usb: qmi_wwan: add Telit ME910 support
    - net: usb: qmi_wwan: add Telit 0x1050 composition
    - ALSA: ca0106: fix error code handling
    - ALSA: pcm: oss: Remove superfluous WARN_ON() for mulaw sanity check
    - dm cache metadata: Avoid returning cmd->bm wild pointer on error
    - dm thin metadata: Avoid returning cmd->bm wild pointer on error
    - net: refactor bind_bucket fastreuse into helper
    - net: initialize fastreuse on inet_inherit_port
    - checkpatch: fix the usage of capture group ( ... )
    - mm/hugetlb: fix a race between hugetlb sysctl handlers
    - cfg80211: regulatory: reject invalid hints
    - net: usb: Fix uninit-was-stored issue in asix_read_phy_addr()
    - ALSA: firewire-digi00x: add support for console models of Digi00x series
    - ALSA: firewire-digi00x: exclude Avid Adrenaline from detection
    - ALSA; firewire-tascam: exclude Tascam FE-8 from detection
    - fs/affs: use octal for permissions
    - affs: fix basic permission bits to actually work
    - ravb: Fixed to be able to unload modules
    - net: ethernet: mlx4: Fix memory allocation in mlx4_buddy_init()
    - bnxt_en: Failure to update PHY is not fatal condition.
    - bnxt: don't enable NAPI until rings are ready
    - net: usb: dm9601: Add USB ID of Keenetic Plus DSL
    - sctp: not disable bh in the whole sctp_get_port_local()
    - net: disable netpoll on fresh napis
    - Linux 4.4.236

* clock: overriding the clocksource should select the requested clocksource
    (LP: #1894591)
    - clocksource: Defer override invalidation unless clock is unstable

* alsa/hdmi: the hdmi audio stops working from Ubuntu-4.4.0-155.182
    (LP: #1895603)
    - ALSA: hda/hdmi - Read the pin sense from register when repolling
    - SAUCE: ALSA: hda/hdmi - Check pin_eld->monitor_present

* Xenial update: v4.4.235 upstream stable release (LP: #1895031)
    - net: Fix potential wrong skb->protocol in skb_vlan_untag()
    - tipc: fix uninit skb->data in tipc_nl_compat_dumpit()
    - ipvlan: fix device features
    - bonding: show saner speed for broadcast mode
    - bonding: fix a potential double-unregister
    - powerpc/pseries: Do not initiate shutdown when system is running on UPS
    - ALSA: pci: delete repeated words in comments
    - ASoC: tegra: Fix reference count leaks.
    - media: pci: ttpci: av7110: fix possible buffer overflow caused by bad DMA
      value in debiirq()
    - scsi: target: tcmu: Fix crash on ARM during cmd completion
    - drm/amdkfd: Fix reference count leaks.
    - drm/radeon: fix multiple reference count leak
    - drm/amdgpu: fix ref count leak in amdgpu_driver_open_kms
    - drm/amd/display: fix ref count leak in amdgpu_drm_ioctl
    - drm/amdgpu: fix ref count leak in amdgpu_display_crtc_set_config
    - drm/amdgpu/display: fix ref count leak when pm_runtime_get_sync fails
    - scsi: lpfc: Fix shost refcount mismatch when deleting vport
    - selftests/powerpc: Purge extra count_pmc() calls of ebb selftests
    - PCI: Fix pci_create_slot() reference count leak
    - rtlwifi: rtl8192cu: Prevent leaking urb
    - mips/vdso: Fix resource leaks in genvdso.c
    - drm/nouveau/drm/noveau: fix reference count leak in nouveau_fbcon_open
    - drm/nouveau: Fix reference count leak in nouveau_connector_detect
    - locking/lockdep: Fix overflow in presentation of average lock-time
    - scsi: iscsi: Do not put host in iscsi_set_flashnode_param()
    - ceph: fix potential mdsc use-after-free crash
    - scsi: fcoe: Memory leak fix in fcoe_sysfs_fcf_del()
    - EDAC/ie31200: Fallback if host bridge device is already initialized
    - media: davinci: vpif_capture: fix potential double free
    - powerpc/spufs: add CONFIG_COREDUMP dependency
    - USB: sisusbvga: Fix a potential UB casued by left shifting a negative value
    - Revert "ath10k: fix DMA related firmware crashes on multiple devices"
    - i2c: rcar: in slave mode, clear NACK earlier
    - jbd2: make sure jh have b_transaction set in refile/unfile_buffer
    - jbd2: abort journal if free a async write error metadata buffer
    - s390/cio: add cond_resched() in the slow_eval_known_fn() loop
    - scsi: ufs: Fix possible infinite loop in ufshcd_hold
    - net: gianfar: Add of_node_put() before goto statement
    - fbcon: prevent user font height or width change from causing potential out-
      of-bounds access
    - USB: lvtest: return proper error code in probe
    - vt: defer kfree() of vc_screenbuf in vc_do_resize()
    - vt_ioctl: change VT_RESIZEX ioctl to check for error return from vc_resize()
    - serial: samsung: Removes the IRQ not found warning
    - serial: pl011: Don't leak amba_ports entry on driver register error
    - serial: 8250: change lock order in serial8250_do_startup()
    - writeback: Protect inode->i_io_list with inode->i_lock
    - writeback: Avoid skipping inode writeback
    - writeback: Fix sync livelock due to b_dirty_time processing
    - XEN uses irqdesc::irq_data_common::handler_data to store a per interrupt XEN
      data pointer which contains XEN specific information.
    - xhci: Do warm-reset when both CAS and XDEV_RESUME are set
    - PM: sleep: core: Fix the handling of pending runtime resume requests
    - device property: Fix the secondary firmware node handling in
      set_primary_fwnode()
    - USB: yurex: Fix bad gfp argument
    - usb: uas: Add quirk for PNY Pro Elite
    - USB: Ignore UAS for JMicron JMS567 ATA/ATAPI Bridge
    - usb: host: ohci-exynos: Fix error handling in exynos_ohci_probe()
    - usb: storage: Add unusual_uas entry for Sony PSZ drives
    - btrfs: check the right error variable in btrfs_del_dir_entries_in_log
    - HID: hiddev: Fix slab-out-of-bounds write in hiddev_ioctl_usage()
    - ALSA: usb-audio: Update documentation comment for MS2109 quirk
    - Linux 4.4.235

* DELL LATITUDE 5491 touchscreen doesn't work (LP: #1889446) // Xenial update:
    v4.4.235 upstream stable release (LP: #1895031)
    - USB: quirks: Add no-lpm quirk for another Raydium touchscreen

* Xenial update: v4.4.234 upstream stable release (LP: #1893248)
    - cxl: Fix kobject memleak
    - drm/imx: imx-ldb: Disable both channels for split mode in enc->disable()
    - perf probe: Fix memory leakage when the probe point is not found
    - net/compat: Add missing sock updates for SCM_RIGHTS
    - watchdog: f71808e_wdt: indicate WDIOF_CARDRESET support in
      watchdog_info.options
    - watchdog: f71808e_wdt: remove use of wrong watchdog_info option
    - coredump: fix race condition between collapse_huge_page() and core dumping
    - khugepaged: khugepaged_test_exit() check mmget_still_valid()
    - khugepaged: adjust VM_BUG_ON_MM() in __khugepaged_enter()
    - btrfs: export helpers for subvolume name/id resolution
    - btrfs: don't show full path of bind mounts in subvol=
    - romfs: fix uninitialized memory leak in romfs_dev_read()
    - mm: include CMA pages in lowmem_reserve at boot
    - mm, page_alloc: fix core hung in free_pcppages_bulk()
    - ext4: clean up ext4_match() and callers
    - ext4: fix checking of directory entry validity for inline directories
    - media: budget-core: Improve exception handling in budget_register()
    - media: vpss: clean up resources in init
    - Input: psmouse - add a newline when printing 'proto' by sysfs
    - m68knommu: fix overwriting of bits in ColdFire V3 cache control
    - xfs: fix inode quota reservation checks
    - jffs2: fix UAF problem
    - scsi: libfc: Free skb in fc_disc_gpn_id_resp() for valid cases
    - virtio_ring: Avoid loop when vq is broken in virtqueue_poll
    - xfs: Fix UBSAN null-ptr-deref in xfs_sysfs_init
    - alpha: fix annotation of io{read,write}{16,32}be()
    - ext4: fix potential negative array index in do_split()
    - ASoC: intel: Fix memleak in sst_media_open
    - powerpc: Allow 4224 bytes of stack expansion for the signal frame
    - epoll: Keep a reference on files added to the check list
    - do_epoll_ctl(): clean the failure exits up a bit
    - mm/hugetlb: fix calculation of adjust_range_if_pmd_sharing_possible
    - xen: don't reschedule in preemption off sections
    - omapfb: dss: Fix max fclk divider for omap36xx
    - KVM: arm/arm64: Don't reschedule in unmap_stage2_range()
    - Linux 4.4.234

* CVE-2018-10322
    - libxfs: synchronize dinode_verify with userspace
    - xfs: sanity check directory inode di_size
    - xfs: move inode fork verifiers to xfs_dinode_verify
    - xfs: enhance dinode verifier

-- Thadeu Lima de Souza Cascardo <cascardo@canonical.com>  Tue, 06 Oct 2020 12:24:31 -0300

Changed in linux (Ubuntu Xenial):
status:	Fix Committed → Fix Released

Po-Hsu Lin (cypressyew) on 2022-01-19

Changed in linux (Ubuntu):
status:	Confirmed → Invalid

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntulinux package