Bionic update: upstream stable patchset 2020-10-23

Bug #1901257 reported by Kamal Mostafa on 2020-10-23
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Kamal Mostafa

Bug Description

SRU Justification

The upstream process for stable tree updates is quite similar
in scope to the Ubuntu SRU process, e.g., each patch has to
demonstrably fix a bug, and each patch is vetted by upstream
by originating either directly from a mainline/stable Linux tree or
a minimally backported form of that patch. The following upstream
stable patches should be included in the Ubuntu kernel:

upstream stable patchset 2020-10-23

Ported from the following upstream stable releases:
v4.14.200, v4.19.148,

from git://

af_key: pfkey_dump needs parameter validation
KVM: fix memory leak in kvm_io_bus_unregister_dev()
kprobes: fix kill kprobe which has been marked as gone
mm/thp: fix __split_huge_pmd_locked() for migration PMD
cxgb4: Fix offset when clearing filter byte counters
geneve: add transport ports in route lookup for geneve
hdlc_ppp: add range checks in ppp_cp_parse_cr()
ip: fix tos reflection in ack and reset packets
net: ipv6: fix kconfig dependency warning for IPV6_SEG6_HMAC
nfp: use correct define to return NONE fec
tipc: Fix memory leak in tipc_group_create_member()
tipc: fix shutdown() of connection oriented socket
tipc: use skb_unshare() instead in tipc_buf_append()
bnxt_en: Protect bnxt_set_eee() and bnxt_set_pauseparam() with mutex.
net: phy: Avoid NPD upon phy_detach() when driver is unbound
net: qrtr: check skb_put_padto() return value
net: add __must_check to skb_put_padto()
ipv4: Update exception handling for multipath routes via same device
Documentation/llvm: add documentation on building w/ Clang/LLVM
Documentation/llvm: fix the name of llvm-size
net: wan: wanxl: use allow to pass CROSS_COMPILE_M68k for rebuilding firmware
net: wan: wanxl: use $(M68KCC) instead of $(M68KAS) for rebuilding firmware
kbuild: replace AS=clang with LLVM_IAS=1
tcp_bbr: refactor bbr_target_cwnd() for general inflight provisioning
tcp_bbr: adapt cwnd based on ack aggregation estimation
serial: 8250: Avoid error message on reprobe
RDMA/ucma: ucma_context reference leak in error path
mm: fix double page fault on arm64 if PTE_AF is cleared
scsi: aacraid: fix illegal IO beyond last LBA
m68k: q40: Fix info-leak in rtc_ioctl
gma/gma500: fix a memory disclosure bug due to uninitialized bytes
ASoC: kirkwood: fix IRQ error handling
media: smiapp: Fix error handling at NVM reading
arch/x86/lib/usercopy_64.c: fix __copy_user_flushcache() cache writeback
x86/ioapic: Unbreak check_timer()
ALSA: usb-audio: Add delay quirk for H570e USB headsets
ALSA: hda/realtek - Couldn't detect Mic if booting with headset plugged
PM / devfreq: tegra30: Fix integer overflow on CPU's freq max out
scsi: fnic: fix use after free
clk/ti/adpll: allocate room for terminating null
mtd: cfi_cmdset_0002: don't free cfi->cfiq in error path of cfi_amdstd_setup()
mfd: mfd-core: Protect against NULL call-back function pointer
tracing: Adding NULL checks for trace_array descriptor pointer
bcache: fix a lost wake-up problem caused by mca_cannibalize_lock
RDMA/i40iw: Fix potential use after free
xfs: fix attr leaf header freemap.size underflow
RDMA/iw_cgxb4: Fix an error handling path in 'c4iw_connect()'
mmc: core: Fix size overflow for mmc partitions
gfs2: clean up iopen glock mess in gfs2_create_inode
debugfs: Fix !DEBUG_FS debugfs_create_automount
CIFS: Properly process SMB3 lease breaks
kernel/sys.c: avoid copying possible padding bytes in copy_to_user
neigh_stat_seq_next() should increase position index
rt_cpu_seq_next should increase position index
seqlock: Require WRITE_ONCE surrounding raw_seqcount_barrier
media: ti-vpe: cal: Restrict DMA to avoid memory corruption
ACPI: EC: Reference count query handlers under lock
dmaengine: zynqmp_dma: fix burst length configuration
powerpc/eeh: Only dump stack once if an MMIO loop is detected
tracing: Set kernel_stack's caller size properly
ar5523: Add USB ID of SMCWUSBT-G2 wireless adapter
selftests/ftrace: fix glob selftest
tools/power/x86/intel_pstate_tracer: changes for python 3 compatibility
Bluetooth: Fix refcount use-after-free issue
mm: pagewalk: fix termination condition in walk_pte_range()
Bluetooth: prefetch channel before killing sock
ALSA: hda: Clear RIRB status before reading WP
skbuff: fix a data race in skb_queue_len()
audit: CONFIG_CHANGE don't log internal bookkeeping as an event
selinux: sel_avc_get_stat_idx should increase position index
scsi: lpfc: Fix RQ buffer leakage when no IOCBs available
scsi: lpfc: Fix coverity errors in fmdi attribute handling
drm/omap: fix possible object reference leak
perf test: Fix test on s390
RDMA/rxe: Fix configuration of atomic queue pair attributes
KVM: x86: fix incorrect comparison in trace event
media: staging/imx: Missing assignment in imx_media_capture_device_register()
x86/pkeys: Add check for pkey "overflow"
bpf: Remove recursion prevention from rcu free callback
dmaengine: tegra-apb: Prevent race conditions on channel's freeing
media: go7007: Fix URB type for interrupt handling
Bluetooth: guard against controllers sending zero'd events
timekeeping: Prevent 32bit truncation in scale64_check_overflow()
ext4: fix a data race at inode->i_disksize
mm: avoid data corruption on CoW fault into PFN-mapped VMA
drm/amdgpu: increase atombios cmd timeout
ath10k: use kzalloc to read for ath10k_sdio_hif_diag_read
scsi: aacraid: Disabling TM path and only processing IOP reset
Bluetooth: L2CAP: handle l2cap config request during open state
media: tda10071: fix unsigned sign extension overflow
xfs: don't ever return a stale pointer from __xfs_dir3_free_read
tpm: ibmvtpm: Wait for buffer to be set before proceeding
rtc: ds1374: fix possible race condition
tracing: Use address-of operator on section symbols
serial: 8250_port: Don't service RX FIFO if throttled
serial: 8250_omap: Fix sleeping function called from invalid context during probe
serial: 8250: 8250_omap: Terminate DMA before pushing data on RX timeout
perf cpumap: Fix snprintf overflow check
cpufreq: powernv: Fix frame-size-overflow in powernv_cpufreq_work_fn
tools: gpio-hammer: Avoid potential overflow in main
RDMA/rxe: Set sys_image_guid to be aligned with HW IB devices
SUNRPC: Fix a potential buffer overflow in 'svc_print_xprts()'
svcrdma: Fix leak of transport addresses
ubifs: Fix out-of-bounds memory access caused by abnormal value of node_len
ALSA: usb-audio: Fix case when USB MIDI interface has more than one extra endpoint descriptor
NFS: Fix races nfs_page_group_destroy() vs nfs_destroy_unlinked_subrequests()
mm/kmemleak.c: use address-of operator on section symbols
mm/filemap.c: clear page error before actual read
mm/vmscan.c: fix data races using kswapd_classzone_idx
mm/mmap.c: initialize align_offset explicitly for vm_unmapped_area
scsi: qedi: Fix termination timeouts in session logout
serial: uartps: Wait for tx_empty in console setup
bdev: Reduce time holding bd_mutex in sync in blkdev_close()
drivers: char: tlclk.c: Avoid data race between init and interrupt handler
staging:r8188eu: avoid skb_clone for amsdu to msdu conversion
sparc64: vcc: Fix error return code in vcc_probe()
arm64: cpufeature: Relax checks for AArch32 support at EL[0-2]
dt-bindings: sound: wm8994: Correct required supplies based on actual implementaion
atm: fix a memory leak of vcc->user_back
power: supply: max17040: Correct voltage reading
phy: samsung: s5pv210-usb2: Add delay after reset
Bluetooth: Handle Inquiry Cancel error after Inquiry Complete
USB: EHCI: ehci-mv: fix error handling in mv_ehci_probe()
tty: serial: samsung: Correct clock selection logic
ALSA: hda: Fix potential race in unsol event handler
powerpc/traps: Make unrecoverable NMIs die instead of panic
fuse: don't check refcount after stealing page
USB: EHCI: ehci-mv: fix less than zero comparison of an unsigned int
arm64/cpufeature: Drop TraceFilt feature exposure from ID_DFR0 register
e1000: Do not perform reset in reset_task if we are already down
drm/nouveau/debugfs: fix runtime pm imbalance on error
printk: handle blank console arguments passed in.
usb: dwc3: Increase timeout for CmdAct cleared by device controller
btrfs: don't force read-only after error in drop snapshot
vfio/pci: fix memory leaks of eventfd ctx
perf util: Fix memory leak of prefix_if_not_in
perf kcore_copy: Fix module map when there are no modules loaded
mtd: rawnand: omap_elm: Fix runtime PM imbalance on error
ceph: fix potential race in ceph_check_caps
mm/swap_state: fix a data race in swapin_nr_pages
rapidio: avoid data race between file operation callbacks and mport_cdev_add().
mtd: parser: cmdline: Support MTD names containing one or more colons
x86/speculation/mds: Mark mds_user_clear_cpu_buffers() __always_inline
vfio/pci: Clear error and request eventfd ctx after releasing
cifs: Fix double add page to memcg when cifs_readpages
scsi: libfc: Handling of extra kref
scsi: libfc: Skip additional kref updating work event
selftests/x86/syscall_nt: Clear weird flags after each test
vfio/pci: fix racy on error and request eventfd ctx
btrfs: qgroup: fix data leak caused by race between writeback and truncate
s390/init: add missing __init annotations
i2c: core: Call i2c_acpi_install_space_handler() before i2c_acpi_register_devices()
objtool: Fix noreturn detection for ignored functions
ieee802154: fix one possible memleak in ca8210_dev_com_init
ieee802154/adf7242: check status of adf7242_read_reg
clocksource/drivers/h8300_timer8: Fix wrong return value in h8300_8timer_init()
batman-adv: bla: fix type misuse for backbone_gw hash indexing
atm: eni: fix the missed pci_disable_device() for eni_init_one()
batman-adv: mcast/TT: fix wrongly dropped or rerouted packets
mac802154: tx: fix use-after-free
drm/vc4/vc4_hdmi: fill ASoC card owner
net: qed: RDMA personality shouldn't fail VF load
batman-adv: Add missing include for in_interrupt()
batman-adv: mcast: fix duplicate mcast packets in BLA backbone from mesh
ALSA: asihpi: fix iounmap in error handler
MIPS: Add the missing 'CPU_1074K' into __get_cpu_type()
s390/dasd: Fix zero write for FBA devices
kprobes: Fix to check probe enabled before disarm_kprobe_ftrace()
mm, THP, swap: fix allocating cluster for swapfile by mistake
lib/string.c: implement stpcpy
ata: define AC_ERR_OK
ata: make qc_prep return ata_completion_errors
ata: sata_mv, avoid trigerrable BUG_ON
media: mc-device.c: fix memleak in media_device_register_entity
tpm_crb: fix fTPM on AMD Zen+ CPUs
RDMA/qedr: Fix potential use after free
fix dget_parent() fastpath race
scsi: pm80xx: Cleanup command when a reset times out
ASoC: max98090: remove msleep in PLL unlocked workaround
ipv6_route_seq_next should increase position index
scsi: ufs: Fix a race condition in the tracing code
s390/cpum_sf: Use kzalloc and minor changes
ceph: ensure we have a new cap before continuing in fill_inode
mm/swapfile.c: swap_next should increase position index
dmaengine: stm32-mdma: use vchan_terminate_vdesc() in .terminate_all
dmaengine: stm32-dma: use vchan_terminate_vdesc() in .terminate_all
drm/amd/display: dal_ddc_i2c_payloads_create can fail causing panic
firmware: arm_sdei: Use cpus_read_lock() to avoid races with cpuhp
random: fix data races at timer_rand_state
bus: hisi_lpc: Fixup IO ports addresses to avoid use-after-free in host removal
perf jevents: Fix leak of mapfile memory
xfs: mark dir corrupt when lookup-by-hash fails
rtc: sa1100: fix possible race condition
nfsd: Don't add locks to closed or closing open stateids
KVM: PPC: Book3S HV: Treat TM-related invalid form instructions on P9 like the valid ones
thermal: rcar_thermal: Handle probe error gracefully
nvme: Fix controller creation races with teardown flow
scsi: hpsa: correct race condition in offload enabled
PCI: Use ioremap(), not phys_to_virt() for platform ROM
KVM: arm64: vgic-its: Fix memory leak on the error path of vgic_add_lpi()
net: openvswitch: use u64 for meter bucket
scsi: aacraid: Fix error handling paths in aac_probe_one()
scsi: cxlflash: Fix error return code in cxlflash_probe()
drm/nouveau: fix runtime pm imbalance on error
perf evsel: Fix 2 memory leaks
perf stat: Fix duration_time value for higher intervals
perf metricgroup: Free metric_events on error
ASoC: img-i2s-out: Fix runtime PM imbalance on error
wlcore: fix runtime pm imbalance in wl1271_tx_work
nvme: fix possible deadlock when I/O is blocked
net: openvswitch: use div_u64() for 64-by-32 divisions
nvme: explicitly update mpath disk capacity on revalidation
ASoC: wm8994: Skip setting of the WM8994_MICBIAS register for WM1811
drm/amdkfd: fix a memory leak issue
batman-adv: mcast: fix duplicate mcast packets from BLA backbone to mesh
KVM: x86: Reset MMU context if guest toggles CR4.SMAP or CR4.PKE
KVM: SVM: Add a dedicated INVD intercept routine
s390/zcrypt: Fix ZCRYPT_PERDEV_REQCNT ioctl
kprobes: Fix compiler warning for !CONFIG_KPROBES_ON_FTRACE
KVM: arm64: Assume write fault on S1PTW permission fault on instruction fetch
UBUNTU: upstream stable to v4.14.200, v4.19.149

CVE References

Changed in linux (Ubuntu):
status: New → Confirmed
tags: added: kernel-stable-tracking-bug
Changed in linux (Ubuntu Bionic):
status: New → In Progress
assignee: nobody → Kamal Mostafa (kamalmostafa)
description: updated
Ian (ian-may) on 2020-10-26
Changed in linux (Ubuntu Bionic):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.15.0-126.129

linux (4.15.0-126.129) bionic; urgency=medium

  * bionic/linux: 4.15.0-126.129 -proposed tracker (LP: #1905305)

  * CVE-2020-4788
    - SAUCE: powerpc/64s: move some exception handlers out of line
    - powerpc/64s: flush L1D on kernel entry
    - SAUCE: powerpc: Add a framework for user access tracking
    - powerpc: Implement user_access_begin and friends
    - powerpc: Fix __clear_user() with KUAP enabled
    - powerpc/uaccess: Evaluate macro arguments once, before user access is
    - powerpc/64s: flush L1D after user accesses

linux (4.15.0-125.128) bionic; urgency=medium

  * bionic/linux: 4.15.0-125.128 -proposed tracker (LP: #1903137)

  * Update kernel packaging to support forward porting kernels (LP: #1902957)
    - [Debian] Update for leader included in BACKPORT_SUFFIX

  * Avoid double newline when running insertchanges (LP: #1903293)
    - [Packaging] insertchanges: avoid double newline

  * EFI: Fails when BootCurrent entry does not exist (LP: #1899993)
    - efivarfs: Replace invalid slashes with exclamation marks in dentries.

  * CVE-2020-14351
    - perf/core: Fix race in the perf_mmap_close() function

  * raid10: Block discard is very slow, causing severe delays for mkfs and
    fstrim operations (LP: #1896578)
    - md: add md_submit_discard_bio() for submitting discard bio
    - md/raid10: extend r10bio devs to raid disks
    - md/raid10: pull codes that wait for blocked dev into one function
    - md/raid10: improve raid10 discard request
    - md/raid10: improve discard request for far layout

  * Bionic: btrfs: kernel BUG at /build/linux-
    eTBZpZ/linux-4.15.0/fs/btrfs/ctree.c:3233! (LP: #1902254)
    - btrfs: use offset_in_page instead of open-coding it
    - btrfs: use BUG() instead of BUG_ON(1)
    - btrfs: drop unnecessary offset_in_page in extent buffer helpers
    - btrfs: extent_io: do extra check for extent buffer read write functions
    - btrfs: extent-tree: kill BUG_ON() in __btrfs_free_extent()
    - btrfs: extent-tree: kill the BUG_ON() in insert_inline_extent_backref()
    - btrfs: ctree: check key order before merging tree blocks

  * Bionic update: upstream stable patchset 2020-11-04 (LP: #1902943)
    - USB: gadget: f_ncm: Fix NDP16 datagram validation
    - gpio: tc35894: fix up tc35894 interrupt configuration
    - vsock/virtio: use RCU to avoid use-after-free on the_virtio_vsock
    - vsock/virtio: stop workers during the .remove()
    - vsock/virtio: add transport parameter to the
    - net: virtio_vsock: Enhance connection semantics
    - Input: i8042 - add nopnp quirk for Acer Aspire 5 A515
    - ftrace: Move RCU is watching check after recursion check
    - drm/amdgpu: restore proper ref count in amdgpu_display_crtc_set_config
    - drivers/net/wan/hdlc_fr: Add needed_headroom for PVC devices
    - drm/sun4i: mixer: Extend regmap max_register
    - net: dec: de2104x: Increase receive ring size for Tulip
    - rndis_host: increase sleep time in the query-response loop
    - nvme-core: get/put ctrl ...

Changed in linux (Ubuntu Bionic):
status: Fix Committed → Fix Released