Bionic update: upstream stable patchset 2020-10-23

Bug #1901257 reported by Kamal Mostafa on 2020-10-23
Affects: linux (Ubuntu)
    Importance: Undecided
    Assigned to: Unassigned
Affects: Bionic
    Importance: Undecided
    Assigned to: Kamal Mostafa

Bug Description

SRU Justification

    Impact:
       The upstream process for stable tree updates is quite similar
       in scope to the Ubuntu SRU process, e.g., each patch has to
       demonstrably fix a bug, and each patch is vetted by upstream
       by originating either directly from a mainline/stable Linux tree or
       a minimally backported form of that patch. The following upstream
       stable patches should be included in the Ubuntu kernel:

       upstream stable patchset 2020-10-23

                Ported from the following upstream stable releases:
                        v4.14.200, v4.19.148,
                                   v4.19.149

       from git://git.kernel.org/

af_key: pfkey_dump needs parameter validation
KVM: fix memory leak in kvm_io_bus_unregister_dev()
kprobes: fix kill kprobe which has been marked as gone
mm/thp: fix __split_huge_pmd_locked() for migration PMD
cxgb4: Fix offset when clearing filter byte counters
geneve: add transport ports in route lookup for geneve
hdlc_ppp: add range checks in ppp_cp_parse_cr()
ip: fix tos reflection in ack and reset packets
net: ipv6: fix kconfig dependency warning for IPV6_SEG6_HMAC
nfp: use correct define to return NONE fec
tipc: Fix memory leak in tipc_group_create_member()
tipc: fix shutdown() of connection oriented socket
tipc: use skb_unshare() instead in tipc_buf_append()
bnxt_en: Protect bnxt_set_eee() and bnxt_set_pauseparam() with mutex.
net: phy: Avoid NPD upon phy_detach() when driver is unbound
net: qrtr: check skb_put_padto() return value
net: add __must_check to skb_put_padto()
ipv4: Update exception handling for multipath routes via same device
MAINTAINERS: add CLANG/LLVM BUILD SUPPORT info
Documentation/llvm: add documentation on building w/ Clang/LLVM
Documentation/llvm: fix the name of llvm-size
net: wan: wanxl: use allow to pass CROSS_COMPILE_M68k for rebuilding firmware
net: wan: wanxl: use $(M68KCC) instead of $(M68KAS) for rebuilding firmware
kbuild: replace AS=clang with LLVM_IAS=1
tcp_bbr: refactor bbr_target_cwnd() for general inflight provisioning
tcp_bbr: adapt cwnd based on ack aggregation estimation
serial: 8250: Avoid error message on reprobe
RDMA/ucma: ucma_context reference leak in error path
mm: fix double page fault on arm64 if PTE_AF is cleared
scsi: aacraid: fix illegal IO beyond last LBA
m68k: q40: Fix info-leak in rtc_ioctl
gma/gma500: fix a memory disclosure bug due to uninitialized bytes
ASoC: kirkwood: fix IRQ error handling
media: smiapp: Fix error handling at NVM reading
arch/x86/lib/usercopy_64.c: fix __copy_user_flushcache() cache writeback
x86/ioapic: Unbreak check_timer()
ALSA: usb-audio: Add delay quirk for H570e USB headsets
ALSA: hda/realtek - Couldn't detect Mic if booting with headset plugged
PM / devfreq: tegra30: Fix integer overflow on CPU's freq max out
scsi: fnic: fix use after free
clk/ti/adpll: allocate room for terminating null
mtd: cfi_cmdset_0002: don't free cfi->cfiq in error path of cfi_amdstd_setup()
mfd: mfd-core: Protect against NULL call-back function pointer
tracing: Adding NULL checks for trace_array descriptor pointer
bcache: fix a lost wake-up problem caused by mca_cannibalize_lock
RDMA/i40iw: Fix potential use after free
xfs: fix attr leaf header freemap.size underflow
RDMA/iw_cgxb4: Fix an error handling path in 'c4iw_connect()'
mmc: core: Fix size overflow for mmc partitions
gfs2: clean up iopen glock mess in gfs2_create_inode
debugfs: Fix !DEBUG_FS debugfs_create_automount
CIFS: Properly process SMB3 lease breaks
kernel/sys.c: avoid copying possible padding bytes in copy_to_user
neigh_stat_seq_next() should increase position index
rt_cpu_seq_next should increase position index
seqlock: Require WRITE_ONCE surrounding raw_seqcount_barrier
media: ti-vpe: cal: Restrict DMA to avoid memory corruption
ACPI: EC: Reference count query handlers under lock
dmaengine: zynqmp_dma: fix burst length configuration
powerpc/eeh: Only dump stack once if an MMIO loop is detected
tracing: Set kernel_stack's caller size properly
ar5523: Add USB ID of SMCWUSBT-G2 wireless adapter
selftests/ftrace: fix glob selftest
tools/power/x86/intel_pstate_tracer: changes for python 3 compatibility
Bluetooth: Fix refcount use-after-free issue
mm: pagewalk: fix termination condition in walk_pte_range()
Bluetooth: prefetch channel before killing sock
ALSA: hda: Clear RIRB status before reading WP
skbuff: fix a data race in skb_queue_len()
audit: CONFIG_CHANGE don't log internal bookkeeping as an event
selinux: sel_avc_get_stat_idx should increase position index
scsi: lpfc: Fix RQ buffer leakage when no IOCBs available
scsi: lpfc: Fix coverity errors in fmdi attribute handling
drm/omap: fix possible object reference leak
perf test: Fix test trace+probe_vfs_getname.sh on s390
RDMA/rxe: Fix configuration of atomic queue pair attributes
KVM: x86: fix incorrect comparison in trace event
media: staging/imx: Missing assignment in imx_media_capture_device_register()
x86/pkeys: Add check for pkey "overflow"
bpf: Remove recursion prevention from rcu free callback
dmaengine: tegra-apb: Prevent race conditions on channel's freeing
media: go7007: Fix URB type for interrupt handling
Bluetooth: guard against controllers sending zero'd events
timekeeping: Prevent 32bit truncation in scale64_check_overflow()
ext4: fix a data race at inode->i_disksize
mm: avoid data corruption on CoW fault into PFN-mapped VMA
drm/amdgpu: increase atombios cmd timeout
ath10k: use kzalloc to read for ath10k_sdio_hif_diag_read
scsi: aacraid: Disabling TM path and only processing IOP reset
Bluetooth: L2CAP: handle l2cap config request during open state
media: tda10071: fix unsigned sign extension overflow
xfs: don't ever return a stale pointer from __xfs_dir3_free_read
tpm: ibmvtpm: Wait for buffer to be set before proceeding
rtc: ds1374: fix possible race condition
tracing: Use address-of operator on section symbols
serial: 8250_port: Don't service RX FIFO if throttled
serial: 8250_omap: Fix sleeping function called from invalid context during probe
serial: 8250: 8250_omap: Terminate DMA before pushing data on RX timeout
perf cpumap: Fix snprintf overflow check
cpufreq: powernv: Fix frame-size-overflow in powernv_cpufreq_work_fn
tools: gpio-hammer: Avoid potential overflow in main
RDMA/rxe: Set sys_image_guid to be aligned with HW IB devices
SUNRPC: Fix a potential buffer overflow in 'svc_print_xprts()'
svcrdma: Fix leak of transport addresses
ubifs: Fix out-of-bounds memory access caused by abnormal value of node_len
ALSA: usb-audio: Fix case when USB MIDI interface has more than one extra endpoint descriptor
NFS: Fix races nfs_page_group_destroy() vs nfs_destroy_unlinked_subrequests()
mm/kmemleak.c: use address-of operator on section symbols
mm/filemap.c: clear page error before actual read
mm/vmscan.c: fix data races using kswapd_classzone_idx
mm/mmap.c: initialize align_offset explicitly for vm_unmapped_area
scsi: qedi: Fix termination timeouts in session logout
serial: uartps: Wait for tx_empty in console setup
KVM: Remove CREATE_IRQCHIP/SET_PIT2 race
bdev: Reduce time holding bd_mutex in sync in blkdev_close()
drivers: char: tlclk.c: Avoid data race between init and interrupt handler
staging:r8188eu: avoid skb_clone for amsdu to msdu conversion
sparc64: vcc: Fix error return code in vcc_probe()
arm64: cpufeature: Relax checks for AArch32 support at EL[0-2]
dt-bindings: sound: wm8994: Correct required supplies based on actual implementaion
atm: fix a memory leak of vcc->user_back
power: supply: max17040: Correct voltage reading
phy: samsung: s5pv210-usb2: Add delay after reset
Bluetooth: Handle Inquiry Cancel error after Inquiry Complete
USB: EHCI: ehci-mv: fix error handling in mv_ehci_probe()
tty: serial: samsung: Correct clock selection logic
ALSA: hda: Fix potential race in unsol event handler
powerpc/traps: Make unrecoverable NMIs die instead of panic
fuse: don't check refcount after stealing page
USB: EHCI: ehci-mv: fix less than zero comparison of an unsigned int
arm64/cpufeature: Drop TraceFilt feature exposure from ID_DFR0 register
e1000: Do not perform reset in reset_task if we are already down
drm/nouveau/debugfs: fix runtime pm imbalance on error
printk: handle blank console arguments passed in.
usb: dwc3: Increase timeout for CmdAct cleared by device controller
btrfs: don't force read-only after error in drop snapshot
vfio/pci: fix memory leaks of eventfd ctx
perf util: Fix memory leak of prefix_if_not_in
perf kcore_copy: Fix module map when there are no modules loaded
mtd: rawnand: omap_elm: Fix runtime PM imbalance on error
ceph: fix potential race in ceph_check_caps
mm/swap_state: fix a data race in swapin_nr_pages
rapidio: avoid data race between file operation callbacks and mport_cdev_add().
mtd: parser: cmdline: Support MTD names containing one or more colons
x86/speculation/mds: Mark mds_user_clear_cpu_buffers() __always_inline
vfio/pci: Clear error and request eventfd ctx after releasing
cifs: Fix double add page to memcg when cifs_readpages
scsi: libfc: Handling of extra kref
scsi: libfc: Skip additional kref updating work event
selftests/x86/syscall_nt: Clear weird flags after each test
vfio/pci: fix racy on error and request eventfd ctx
btrfs: qgroup: fix data leak caused by race between writeback and truncate
s390/init: add missing __init annotations
i2c: core: Call i2c_acpi_install_space_handler() before i2c_acpi_register_devices()
objtool: Fix noreturn detection for ignored functions
ieee802154: fix one possible memleak in ca8210_dev_com_init
ieee802154/adf7242: check status of adf7242_read_reg
clocksource/drivers/h8300_timer8: Fix wrong return value in h8300_8timer_init()
batman-adv: bla: fix type misuse for backbone_gw hash indexing
atm: eni: fix the missed pci_disable_device() for eni_init_one()
batman-adv: mcast/TT: fix wrongly dropped or rerouted packets
mac802154: tx: fix use-after-free
drm/vc4/vc4_hdmi: fill ASoC card owner
net: qed: RDMA personality shouldn't fail VF load
batman-adv: Add missing include for in_interrupt()
batman-adv: mcast: fix duplicate mcast packets in BLA backbone from mesh
ALSA: asihpi: fix iounmap in error handler
MIPS: Add the missing 'CPU_1074K' into __get_cpu_type()
s390/dasd: Fix zero write for FBA devices
kprobes: Fix to check probe enabled before disarm_kprobe_ftrace()
mm, THP, swap: fix allocating cluster for swapfile by mistake
lib/string.c: implement stpcpy
ata: define AC_ERR_OK
ata: make qc_prep return ata_completion_errors
ata: sata_mv, avoid trigerrable BUG_ON
media: mc-device.c: fix memleak in media_device_register_entity
tpm_crb: fix fTPM on AMD Zen+ CPUs
RDMA/qedr: Fix potential use after free
fix dget_parent() fastpath race
scsi: pm80xx: Cleanup command when a reset times out
ASoC: max98090: remove msleep in PLL unlocked workaround
ipv6_route_seq_next should increase position index
scsi: ufs: Fix a race condition in the tracing code
s390/cpum_sf: Use kzalloc and minor changes
ceph: ensure we have a new cap before continuing in fill_inode
mm/swapfile.c: swap_next should increase position index
dmaengine: stm32-mdma: use vchan_terminate_vdesc() in .terminate_all
dmaengine: stm32-dma: use vchan_terminate_vdesc() in .terminate_all
drm/amd/display: dal_ddc_i2c_payloads_create can fail causing panic
firmware: arm_sdei: Use cpus_read_lock() to avoid races with cpuhp
random: fix data races at timer_rand_state
bus: hisi_lpc: Fixup IO ports addresses to avoid use-after-free in host removal
perf jevents: Fix leak of mapfile memory
xfs: mark dir corrupt when lookup-by-hash fails
rtc: sa1100: fix possible race condition
nfsd: Don't add locks to closed or closing open stateids
KVM: PPC: Book3S HV: Treat TM-related invalid form instructions on P9 like the valid ones
thermal: rcar_thermal: Handle probe error gracefully
nvme: Fix controller creation races with teardown flow
scsi: hpsa: correct race condition in offload enabled
PCI: Use ioremap(), not phys_to_virt() for platform ROM
KVM: arm64: vgic-its: Fix memory leak on the error path of vgic_add_lpi()
net: openvswitch: use u64 for meter bucket
scsi: aacraid: Fix error handling paths in aac_probe_one()
scsi: cxlflash: Fix error return code in cxlflash_probe()
drm/nouveau: fix runtime pm imbalance on error
perf evsel: Fix 2 memory leaks
perf stat: Fix duration_time value for higher intervals
perf metricgroup: Free metric_events on error
ASoC: img-i2s-out: Fix runtime PM imbalance on error
wlcore: fix runtime pm imbalance in wl1271_tx_work
nvme: fix possible deadlock when I/O is blocked
net: openvswitch: use div_u64() for 64-by-32 divisions
nvme: explicitly update mpath disk capacity on revalidation
ASoC: wm8994: Skip setting of the WM8994_MICBIAS register for WM1811
drm/amdkfd: fix a memory leak issue
batman-adv: mcast: fix duplicate mcast packets from BLA backbone to mesh
KVM: x86: Reset MMU context if guest toggles CR4.SMAP or CR4.PKE
KVM: SVM: Add a dedicated INVD intercept routine
s390/zcrypt: Fix ZCRYPT_PERDEV_REQCNT ioctl
kprobes: Fix compiler warning for !CONFIG_KPROBES_ON_FTRACE
KVM: arm64: Assume write fault on S1PTW permission fault on instruction fetch
UBUNTU: upstream stable to v4.14.200, v4.19.149

CVE References

Changed in linux (Ubuntu):
status: New → Confirmed
tags: added: kernel-stable-tracking-bug
Changed in linux (Ubuntu Bionic):
status: New → In Progress
assignee: nobody → Kamal Mostafa (kamalmostafa)
description: updated
Ian (ian-may) on 2020-10-26
Changed in linux (Ubuntu Bionic):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package linux - 4.15.0-126.129

---------------
linux (4.15.0-126.129) bionic; urgency=medium

  * bionic/linux: 4.15.0-126.129 -proposed tracker (LP: #1905305)

  * CVE-2020-4788
    - SAUCE: powerpc/64s: Define MASKABLE_RELON_EXCEPTION_PSERIES_OOL
    - SAUCE: powerpc/64s: move some exception handlers out of line
    - powerpc/64s: flush L1D on kernel entry
    - SAUCE: powerpc: Add a framework for user access tracking
    - powerpc: Implement user_access_begin and friends
    - powerpc: Fix __clear_user() with KUAP enabled
    - powerpc/uaccess: Evaluate macro arguments once, before user access is
      allowed
    - powerpc/64s: flush L1D after user accesses

linux (4.15.0-125.128) bionic; urgency=medium

  * bionic/linux: 4.15.0-125.128 -proposed tracker (LP: #1903137)

  * Update kernel packaging to support forward porting kernels (LP: #1902957)
    - [Debian] Update for leader included in BACKPORT_SUFFIX

  * Avoid double newline when running insertchanges (LP: #1903293)
    - [Packaging] insertchanges: avoid double newline

  * EFI: Fails when BootCurrent entry does not exist (LP: #1899993)
    - efivarfs: Replace invalid slashes with exclamation marks in dentries.

  * CVE-2020-14351
    - perf/core: Fix race in the perf_mmap_close() function

  * raid10: Block discard is very slow, causing severe delays for mkfs and
    fstrim operations (LP: #1896578)
    - md: add md_submit_discard_bio() for submitting discard bio
    - md/raid10: extend r10bio devs to raid disks
    - md/raid10: pull codes that wait for blocked dev into one function
    - md/raid10: improve raid10 discard request
    - md/raid10: improve discard request for far layout

  * Bionic: btrfs: kernel BUG at /build/linux-
    eTBZpZ/linux-4.15.0/fs/btrfs/ctree.c:3233! (LP: #1902254)
    - btrfs: use offset_in_page instead of open-coding it
    - btrfs: use BUG() instead of BUG_ON(1)
    - btrfs: drop unnecessary offset_in_page in extent buffer helpers
    - btrfs: extent_io: do extra check for extent buffer read write functions
    - btrfs: extent-tree: kill BUG_ON() in __btrfs_free_extent()
    - btrfs: extent-tree: kill the BUG_ON() in insert_inline_extent_backref()
    - btrfs: ctree: check key order before merging tree blocks

  * Bionic update: upstream stable patchset 2020-11-04 (LP: #1902943)
    - USB: gadget: f_ncm: Fix NDP16 datagram validation
    - gpio: tc35894: fix up tc35894 interrupt configuration
    - vsock/virtio: use RCU to avoid use-after-free on the_virtio_vsock
    - vsock/virtio: stop workers during the .remove()
    - vsock/virtio: add transport parameter to the
      virtio_transport_reset_no_sock()
    - net: virtio_vsock: Enhance connection semantics
    - Input: i8042 - add nopnp quirk for Acer Aspire 5 A515
    - ftrace: Move RCU is watching check after recursion check
    - drm/amdgpu: restore proper ref count in amdgpu_display_crtc_set_config
    - drivers/net/wan/hdlc_fr: Add needed_headroom for PVC devices
    - drm/sun4i: mixer: Extend regmap max_register
    - net: dec: de2104x: Increase receive ring size for Tulip
    - rndis_host: increase sleep time in the query-response loop
    - nvme-core: get/put ctrl ...

Changed in linux (Ubuntu Bionic):
status: Fix Committed → Fix Released