Ubuntu
linux package

Bionic update: upstream stable patchset 2022-02-01

Bug #1959709 reported by Kamal Mostafa on 2022-02-01

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	linux (Ubuntu)	Invalid	Undecided	Unassigned
	Bionic	Fix Released	Medium	Kamal Mostafa

Bug Description

SRU Justification

    Impact:
       The upstream process for stable tree updates is quite similar
       in scope to the Ubuntu SRU process, e.g., each patch has to
       demonstrably fix a bug, and each patch is vetted by upstream
       by originating either directly from a mainline/stable Linux tree or
       a minimally backported form of that patch. The following upstream
       stable patches should be included in the Ubuntu kernel:

upstream stable patchset 2022-02-01

Ported from the following upstream stable releases:
v4.14.262, v4.19.225

from git://git.kernel.org/

tracing: Fix check for trace_percpu_buffer validity in get_trace_buf()
tracing: Tag trace_percpu_buffer as a percpu pointer
virtio_pci: Support surprise removal of virtio pci device
ieee802154: atusb: fix uninit value in atusb_set_extended_addr
RDMA/core: Don't infoleak GRH fields
mac80211: initialize variable have_higher_than_11mbit
i40e: fix use-after-free in i40e_sync_filters_subtask()
i40e: Fix incorrect netdev's real number of RX/TX queues
ipv6: Check attribute length for RTA_GATEWAY in multipath route
ipv6: Check attribute length for RTA_GATEWAY when deleting multipath route
sch_qfq: prevent shift-out-of-bounds in qfq_init_qdisc
power: reset: ltc2952: Fix use of floating point literals
rndis_host: support Hytera digital radios
phonet: refcount leak in pep_sock_accep
ipv6: Continue processing multipath route even if gateway attribute is invalid
ipv6: Do cleanup if attribute validation fails in multipath route
scsi: libiscsi: Fix UAF in iscsi_conn_get_param()/iscsi_conn_teardown()
ip6_vti: initialize __ip6_tnl_parm struct in vti6_siocdevprivate
net: udp: fix alignment problem in udp4_seq_show()
mISDN: change function names to avoid conflicts
usb: mtu3: fix interval value for intr and isoc
UBUNTU: upstream stable to v4.14.262, v4.19.225

See original description

Tags:

CVE References

Kamal Mostafa (kamalmostafa) on 2022-02-01

Changed in linux (Ubuntu):
status:	New → Confirmed
tags:	added: kernel-stable-tracking-bug
Changed in linux (Ubuntu Bionic):
status:	New → In Progress
importance:	Undecided → Medium
assignee:	nobody → Kamal Mostafa (kamalmostafa)
Changed in linux (Ubuntu):
status:	Confirmed → Invalid
description:	updated

Kleber Sacilotto de Souza (kleber-souza) on 2022-02-11

Changed in linux (Ubuntu Bionic):
status:	In Progress → Fix Committed

Revision history for this message

Launchpad Janitor (janitor) wrote on 2022-03-21:

Download full text (15.8 KiB)

This bug was fixed in the package linux - 4.15.0-173.182

---------------
linux (4.15.0-173.182) bionic; urgency=medium

* bionic/linux: 4.15.0-173.182 -proposed tracker (LP: #1965552)

  * Pick fixup from upstream stable patchset 2022-03-04 to address cert
    failure with clock jitter test on NUC7i3DNHE (LP: #1964213)
    - Bluetooth: refactor malicious adv data check

linux (4.15.0-172.181) bionic; urgency=medium

* CVE-2022-0847
- lib/iov_iter: initialize "flags" in new pipe_buffer

This bug was fixed in the package linux - 4.15.0-173.182

---------------
linux (4.15.0-173.182) bionic; urgency=medium

* bionic/linux: 4.15.0-173.182 -proposed tracker (LP: #1965552)

* Pick fixup from upstream stable patchset 2022-03-04 to address cert
    failure with clock jitter test on NUC7i3DNHE (LP: #1964213)
    - Bluetooth: refactor malicious adv data check

linux (4.15.0-172.181) bionic; urgency=medium

* CVE-2022-0847
    - lib/iov_iter: initialize "flags" in new pipe_buffer

* Bionic update: upstream stable patchset 2022-02-11 (LP: #1960681)
    - Bluetooth: bfusb: fix division by zero in send path
    - USB: core: Fix bug in resuming hub's handling of wakeup requests
    - USB: Fix "slab-out-of-bounds Write" bug in usb_hcd_poll_rh_status
    - mfd: intel-lpss: Fix too early PM enablement in the ACPI ->probe()
    - can: gs_usb: fix use of uninitialized variable, detach device on reception
      of invalid USB data
    - can: gs_usb: gs_can_start_xmit(): zero-initialize hf->{flags,reserved}
    - random: fix data race on crng_node_pool
    - random: fix data race on crng init time
    - staging: wlan-ng: Avoid bitwise vs logical OR warning in
      hfa384x_usb_throttlefn()
    - drm/i915: Avoid bitwise vs logical OR warning in snb_wm_latency_quirk()
    - orangefs: Fix the size of a memory allocation in orangefs_bufmap_alloc()
    - media: uvcvideo: fix division by zero at stream start
    - rtlwifi: rtl8192cu: Fix WARNING when calling local_irq_restore() with
      interrupts enabled
    - Bluetooth: schedule SCO timeouts with delayed_work
    - Bluetooth: fix init and cleanup of sco_conn.timeout_work
    - HID: uhid: Fix worker destroying device without any protection
    - HID: wacom: Ignore the confidence flag when a touch is removed
    - HID: wacom: Avoid using stale array indicies to read contact count
    - nfc: llcp: fix NULL error pointer dereference on sendmsg() after failed
      bind()
    - rtc: cmos: take rtc_lock while reading from CMOS
    - media: flexcop-usb: fix control-message timeouts
    - media: mceusb: fix control-message timeouts
    - media: em28xx: fix control-message timeouts
    - media: cpia2: fix control-message timeouts
    - media: s2255: fix control-message timeouts
    - media: dib0700: fix undefined behavior in tuner shutdown
    - media: redrat3: fix control-message timeouts
    - media: pvrusb2: fix control-message timeouts
    - media: stk1160: fix control-message timeouts
    - can: softing_cs: softingcs_probe(): fix memleak on registration failure
    - shmem: fix a race between shmem_unused_huge_shrink and shmem_evict_inode
    - PCI: Add function 1 DMA alias quirk for Marvell 88SE9125 SATA controller
    - Bluetooth: cmtp: fix possible panic when cmtp_init_sockets() fails
    - clk: bcm-2835: Pick the closest clock rate
    - clk: bcm-2835: Remove rounding up the dividers
    - wcn36xx: Indicate beacon not connection loss on MISSED_BEACON_IND
    - media: em28xx: fix memory leak in em28xx_init_dev
    - Bluetooth: stop proccessing malicious adv data
    - media: dmxdev: fix UAF when dvb_register_device() fails
    - crypto: qce - fix uaf on qce_ahash_register_one
    - tty: serial: atmel: Check return code of dmaengine_submit()
    - tty: serial: atmel: Call dma_async_issue_pending()
    - media: mtk-vcodec: call v4l2_m2m_ctx_release first when file is released
    - netfilter: bridge: add support for pppoe filtering
    - arm64: dts: qcom: msm8916: fix MMC controller aliases
    - drm/amdgpu: Fix a NULL pointer dereference in
      amdgpu_connector_lcd_native_mode()
    - drm/radeon/radeon_kms: Fix a NULL pointer dereference in
      radeon_driver_open_kms()
    - serial: amba-pl011: do not request memory region twice
    - floppy: Fix hang in watchdog when disk is ejected
    - media: dib8000: Fix a memleak in dib8000_init()
    - media: saa7146: mxb: Fix a NULL pointer dereference in mxb_attach()
    - media: si2157: Fix "warm" tuner state detection
    - sched/rt: Try to restart rt period timer when rt runtime exceeded
    - media: dw2102: Fix use after free
    - media: msi001: fix possible null-ptr-deref in msi001_probe()
    - usb: ftdi-elan: fix memory leak on device disconnect
    - x86/mce/inject: Avoid out-of-bounds write when setting flags
    - pcmcia: rsrc_nonstatic: Fix a NULL pointer dereference in
      __nonstatic_find_io_region()
    - pcmcia: rsrc_nonstatic: Fix a NULL pointer dereference in
      nonstatic_find_mem_region()
    - ppp: ensure minimum packet size in ppp_write()
    - fsl/fman: Check for null pointer after calling devm_ioremap
    - spi: spi-meson-spifc: Add missing pm_runtime_disable() in meson_spifc_probe
    - tpm: add request_locality before write TPM_INT_ENABLE
    - can: softing: softing_startstop(): fix set but not used variable warning
    - can: xilinx_can: xcan_probe(): check for error irq
    - pcmcia: fix setting of kthread task states
    - net: mcs7830: handle usb read errors properly
    - ext4: avoid trim error on fs with small groups
    - ALSA: jack: Add missing rwsem around snd_ctl_remove() calls
    - ALSA: PCM: Add missing rwsem around snd_ctl_remove() calls
    - ALSA: hda: Add missing rwsem around snd_ctl_remove() calls
    - RDMA/hns: Validate the pkey index
    - powerpc/prom_init: Fix improper check of prom_getprop()
    - ALSA: oss: fix compile error when OSS_DEBUG is enabled
    - char/mwave: Adjust io port register size
    - scsi: ufs: Fix race conditions related to driver data
    - RDMA/core: Let ib_find_gid() continue search even after empty entry
    - dmaengine: pxa/mmp: stop referencing config->slave_id
    - iommu/iova: Fix race between FQ timeout and teardown
    - ASoC: samsung: idma: Check of ioremap return value
    - misc: lattice-ecp3-config: Fix task hung when firmware load failed
    - mips: lantiq: add support for clk_set_parent()
    - mips: bcm63xx: add support for clk_set_parent()
    - RDMA/cxgb4: Set queue pair state when being queried
    - Bluetooth: Fix debugfs entry leak in hci_register_dev()
    - fs: dlm: filter user dlm messages for kernel locks
    - ar5523: Fix null-ptr-deref with unexpected WDCMSG_TARGET_START reply
    - drm/nouveau/pmu/gm200-: avoid touching PMU outside of DEVINIT/PREOS/ACR
    - usb: gadget: f_fs: Use stream_open() for endpoint files
    - HID: apple: Do not reset quirks when the Fn key is not found
    - media: b2c2: Add missing check in flexcop_pci_isr:
    - mlxsw: pci: Add shutdown method in PCI driver
    - drm/bridge: megachips: Ensure both bridges are probed before registration
    - gpiolib: acpi: Do not set the IRQ type if the IRQ is already in use
    - HSI: core: Fix return freed object in hsi_new_client
    - mwifiex: Fix skb_over_panic in mwifiex_usb_recv()
    - usb: uhci: add aspeed ast2600 uhci support
    - floppy: Add max size check for user space request
    - media: uvcvideo: Increase UVC_CTRL_CONTROL_TIMEOUT to 5 seconds.
    - media: saa7146: hexium_orion: Fix a NULL pointer dereference in
      hexium_attach()
    - media: m920x: don't use stack on USB reads
    - iwlwifi: mvm: synchronize with FW after multicast commands
    - ath10k: Fix tx hanging
    - net: bonding: debug: avoid printing debug logs when bond is not notifying
      peers
    - bpf: Do not WARN in bpf_warn_invalid_xdp_action()
    - media: igorplugusb: receiver overflow should be reported
    - media: saa7146: hexium_gemini: Fix a NULL pointer dereference in
      hexium_attach()
    - mmc: core: Fixup storing of OCR for MMC_QUIRK_NONSTD_SDIO
    - arm64: tegra: Adjust length of CCPLEX cluster MMIO region
    - usb: hub: Add delay for SuperSpeed hub resume to let links transit to U0
    - ath9k: Fix out-of-bound memcpy in ath9k_hif_usb_rx_stream
    - iwlwifi: fix leaks/bad data after failed firmware load
    - iwlwifi: remove module loading failure message
    - um: registers: Rename function names to avoid conflicts and build problems
    - jffs2: GC deadlock reading a page that is used in jffs2_write_begin()
    - ACPICA: actypes.h: Expand the ACPI_ACCESS_ definitions
    - ACPICA: Utilities: Avoid deleting the same object twice in a row
    - ACPICA: Executer: Fix the REFCLASS_REFOF case in acpi_ex_opcode_1A_0T_1R()
    - ACPICA: Hardware: Do not flush CPU cache when entering S4 and S5
    - btrfs: remove BUG_ON() in find_parent_nodes()
    - btrfs: remove BUG_ON(!eie) in find_parent_nodes
    - net: mdio: Demote probed message to debug print
    - mac80211: allow non-standard VHT MCS-10/11
    - dm btree: add a defensive bounds check to insert_at()
    - dm space map common: add bounds check to sm_ll_lookup_bitmap()
    - net: phy: marvell: configure RGMII delays for 88E1118
    - serial: pl010: Drop CR register reset on set_termios
    - serial: core: Keep mctrl register state and cached copy in sync
    - parisc: Avoid calling faulthandler_disabled() twice
    - powerpc/6xx: add missing of_node_put
    - powerpc/powernv: add missing of_node_put
    - powerpc/cell: add missing of_node_put
    - powerpc/btext: add missing of_node_put
    - powerpc/watchdog: Fix missed watchdog reset due to memory ordering race
    - i2c: i801: Don't silently correct invalid transfer size
    - powerpc/smp: Move setup_profiling_timer() under CONFIG_PROFILING
    - i2c: mpc: Correct I2C reset procedure
    - w1: Misuse of get_user()/put_user() reported by sparse
    - ALSA: seq: Set upper limit of processed events
    - MIPS: OCTEON: add put_device() after of_find_device_by_node()
    - i2c: designware-pci: Fix to change data types of hcnt and lcnt parameters
    - MIPS: Octeon: Fix build errors using clang
    - scsi: sr: Don't use GFP_DMA
    - ASoC: mediatek: mt8173: fix device_node leak
    - power: bq25890: Enable continuous conversion for ADC at charging
    - ubifs: Error path in ubifs_remount_rw() seems to wrongly free write buffers
    - serial: Fix incorrect rs485 polarity on uart open
    - cputime, cpuacct: Include guest time in user time in cpuacct.stat
    - iwlwifi: mvm: Increase the scan timeout guard to 30 seconds
    - ext4: make sure quota gets properly shutdown on error
    - ext4: set csum seed in tmp inode while migrating to extents
    - ext4: Fix BUG_ON in ext4_bread when write quota data
    - ext4: don't use the orphan list when migrating an inode
    - crypto: stm32/crc32 - Fix kernel BUG triggered in probe()
    - drm/radeon: fix error handling in radeon_driver_open_kms
    - firmware: Update Kconfig help text for Google firmware
    - Documentation: refer to config RANDOMIZE_BASE for kernel address-space
      randomization
    - RDMA/hns: Modify the mapping attribute of doorbell to device
    - RDMA/rxe: Fix a typo in opcode name
    - powerpc/cell: Fix clang -Wimplicit-fallthrough warning
    - powerpc/fsl/dts: Enable WA for erratum A-009885 on fman3l MDIO buses
    - net/fsl: xgmac_mdio: Fix incorrect iounmap when removing module
    - parisc: pdc_stable: Fix memory leak in pdcs_register_pathentries
    - af_unix: annote lockless accesses to unix_tot_inflight & gc_in_progress
    - net: axienet: Wait for PhyRstCmplt after core reset
    - net: axienet: fix number of TX ring slots for available check
    - netns: add schedule point in ops_exit_list()
    - libcxgb: Don't accidentally set RTO_ONLINK in cxgb_find_route()
    - dmaengine: at_xdmac: Don't start transactions at tx_submit level
    - dmaengine: at_xdmac: Print debug message after realeasing the lock
    - dmaengine: at_xdmac: Fix lld view setting
    - dmaengine: at_xdmac: Fix at_xdmac_lld struct definition
    - net_sched: restore "mpu xxx" handling
    - bcmgenet: add WOL IRQ check
    - scripts/dtc: dtx_diff: remove broken example from help text
    - lib82596: Fix IRQ check in sni_82596_probe
    - mips,s390,sh,sparc: gup: Work around the "COW can break either way" issue
    - gianfar: simplify FCS handling and fix memory leak
    - firmware: qemu_fw_cfg: fix NULL-pointer deref on duplicate entries
    - firmware: qemu_fw_cfg: fix kobject leak in probe error path
    - ALSA: hda/realtek - Fix silent output on Gigabyte X570 Aorus Master after
      reboot from Windows
    - wcn36xx: Release DMA channel descriptor allocations
    - tty: serial: uartlite: allow 64 bit address
    - xfrm: fix a small bug in xfrm_sa_len()
    - mmc: meson-mx-sdio: add IRQ check
    - netfilter: ipt_CLUSTERIP: fix refcount leak in clusterip_tg_check()
    - staging: greybus: audio: Check null pointer
    - Bluetooth: hci_bcm: Check for error irq
    - ASoC: rt5663: Handle device_property_read_u32_array error codes
    - rpmsg: Only invoke announce_create for rpdev with endpoints
    - rpmsg: core: Clean up resources on announce_create failure.
    - dmaengine: stm32-mdma: fix STM32_MDMA_CTBR_TSEL_MASK
    - rtc: pxa: fix null pointer dereference

* CVE-2022-0435
    - tipc: improve size validations for received domain records

* CVE-2022-0492
    - cgroup-v1: Require capabilities to set release_agent

* CVE-2021-3506
    - f2fs: fix to avoid out-of-bounds memory access

* Bionic update: upstream stable patchset 2022-02-01 (LP: #1959709)
    - tracing: Fix check for trace_percpu_buffer validity in get_trace_buf()
    - tracing: Tag trace_percpu_buffer as a percpu pointer
    - virtio_pci: Support surprise removal of virtio pci device
    - ieee802154: atusb: fix uninit value in atusb_set_extended_addr
    - RDMA/core: Don't infoleak GRH fields
    - mac80211: initialize variable have_higher_than_11mbit
    - i40e: fix use-after-free in i40e_sync_filters_subtask()
    - i40e: Fix incorrect netdev's real number of RX/TX queues
    - ipv6: Check attribute length for RTA_GATEWAY in multipath route
    - ipv6: Check attribute length for RTA_GATEWAY when deleting multipath route
    - sch_qfq: prevent shift-out-of-bounds in qfq_init_qdisc
    - power: reset: ltc2952: Fix use of floating point literals
    - rndis_host: support Hytera digital radios
    - phonet: refcount leak in pep_sock_accep
    - ipv6: Continue processing multipath route even if gateway attribute is
      invalid
    - ipv6: Do cleanup if attribute validation fails in multipath route
    - scsi: libiscsi: Fix UAF in iscsi_conn_get_param()/iscsi_conn_teardown()
    - ip6_vti: initialize __ip6_tnl_parm struct in vti6_siocdevprivate
    - net: udp: fix alignment problem in udp4_seq_show()
    - mISDN: change function names to avoid conflicts
    - usb: mtu3: fix interval value for intr and isoc

* Bionic update: upstream stable patchset 2022-01-27 (LP: #1959335)
    - tee: handle lookup of shm with reference count 0
    - platform/x86: apple-gmux: use resource_size() with res
    - selinux: initialize proto variable in selinux_ip_postroute_compat()
    - scsi: lpfc: Terminate string in lpfc_debugfs_nvmeio_trc_write()
    - net: usb: pegasus: Do not drop long Ethernet frames
    - NFC: st21nfca: Fix memory leak in device probe and remove
    - fsl/fman: Fix missing put_device() call in fman_port_probe
    - nfc: uapi: use kernel size_t to fix user-space builds
    - uapi: fix linux/nfc.h userspace compilation errors
    - xhci: Fresco FL1100 controller should not have BROKEN_MSI quirk set.
    - usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear.
    - binder: fix async_free_space accounting for empty parcels
    - scsi: vmw_pvscsi: Set residual data length conditionally
    - Input: appletouch - initialize work before device registration
    - Input: spaceball - fix parsing of movement data packets
    - net: fix use-after-free in tw_timer_handler
    - sctp: use call_rcu to free endpoint
    - Input: i8042 - add deferred probe support
    - Input: i8042 - enable deferred probe quirk for ASUS UM325UA
    - i2c: validate user data in compat ioctl
    - usb: mtu3: set interval of FS intr and isoc endpoint

* Bionic update: upstream stable patchset 2022-01-27 (LP: #1959335) //
    HID_ASUS should depend on USB_HID in stable v4.15 backports (LP: #1959762)
    - HID: asus: Add depends on USB_HID to HID_ASUS Kconfig option

* Packaging resync (LP: #1786013)
    - [Packaging] resync getabis

-- Stefan Bader <stefan.bader@canonical.com>  Fri, 18 Mar 2022 16:36:32 +0100

Changed in linux (Ubuntu Bionic):
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntulinux package