This bug was fixed in the package linux - 4.4.0-143.169 --------------- linux (4.4.0-143.169) xenial; urgency=medium * linux: 4.4.0-143.169 -proposed tracker (LP: #1814647) * x86/kvm: Backport fixup and missing commits (LP: #1811646) - KVM: x86: avoid vmalloc(0) in the KVM_SET_CPUID - kvm: nVMX: VMCLEAR an active shadow VMCS after last use - X86/nVMX: Properly set spec_ctrl and pred_cmd before merging MSRs - KVM/VMX: Optimize vmx_vcpu_run() and svm_vcpu_run() by marking the RDMSR path as unlikely() - kvm: x86: IA32_ARCH_CAPABILITIES is always supported - KVM: SVM: Add MSR-based feature support for serializing LFENCE - KVM: X86: Allow userspace to define the microcode version - KVM: x86: SVM: Call x86_spec_ctrl_set_guest/host() with interrupts disabled - KVM: VMX: fixes for vmentry_l1d_flush module parameter - kvm: svm: Ensure an IBPB on all affected CPUs when freeing a vmcb - kvm: vmx: Scrub hardware GPRs at VM-exit - SAUCE: [Fix] x86/KVM/VMX: Add L1D flush logic - SAUCE: KVM: Move code fragments, cleanup and re-indent * linux-buildinfo: pull out ABI information into its own package (LP: #1806380) - [Packaging] limit preparation to linux-libc-dev in headers - [Packaging] commonise debhelper invocation - [Packaging] ABI -- accumulate abi information at the end of the build - [Packaging] buildinfo -- add basic build information - [Packaging] buildinfo -- add firmware information to the flavour ABI - [Packaging] buildinfo -- add compiler information to the flavour ABI - [Packaging] buildinfo -- add buildinfo support to getabis - [Config] buildinfo -- add retpoline version markers - [Packaging] getabis -- handle all known package combinations - [Packaging] getabis -- support parsing a simple version * signing: only install a signed kernel (LP: #1764794) - [Packaging] update to Debian like control scripts - [Packaging] switch to triggers for postinst.d postrm.d handling - [Packaging] signing -- switch to raw-signing tarballs - [Packaging] signing -- switch to linux-image as signed when available - [Packaging] printenv -- add signing options - [Packaging] fix invocation of header postinst hooks - [Packaging] signing -- add support for signing Opal kernel binaries - [Debian] Use src_pkg_name when constructing udeb control files - [Debian] Dynamically determine linux udebs package name - [Packaging] handle both linux-lts* and linux-hwe* as backports - [Config] linux-source-* is in the primary linux namespace - [Packaging] lookup the upstream tag - [Packaging] zfs/spl -- enhance provides information - [Packaging] switch up to debhelper 9 - [Packaging] autopkgtest -- disable d-i when dropping flavours - [debian] support for ship_extras_package=false - [Debian] do_common_tools should always be on - [debian] do not force do_tools_common - [Packaging] Add linux-tools-host package for VM host tools - [Packaging] signing should be conditional - [Packaging] skip cloud tools packaging when not building package - [Packaging] add acpidbg - [debian] prep linux-libc-dev only if do_libc_dev_package=true - [Packaging] Only install cloud init files when do_tools_common=true * Redpine: Driver crash with network-manager 1.10 and above (LP: #1813869) - SAUCE: Redpine: enhancement for MAC spoofing to avoid kernel crash * Guests using IBRS incur a large performance penalty (LP: #1764956) - SAUCE: Restore the IBRS host state on VMEXIT * Xenial update: 4.4.170 upstream stable release (LP: #1811647) - USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data - xhci: Don't prevent USB2 bus suspend in state check intended for USB3 only - USB: serial: option: add GosunCn ZTE WeLink ME3630 - USB: serial: option: add HP lt4132 - USB: serial: option: add Simcom SIM7500/SIM7600 (MBIM mode) - USB: serial: option: add Fibocom NL668 series - USB: serial: option: add Telit LN940 series - mmc: core: Reset HPI enabled state during re-init and in case of errors - mmc: omap_hsmmc: fix DMA API warning - gpio: max7301: fix driver for use with CONFIG_VMAP_STACK - Drivers: hv: vmbus: Return -EINVAL for the sys files for unopened channels - x86/mtrr: Don't copy uninitialized gentry fields back to userspace - drm/ioctl: Fix Spectre v1 vulnerabilities - ip6mr: Fix potential Spectre v1 vulnerability - ipv4: Fix potential Spectre v1 vulnerability - ax25: fix a use-after-free in ax25_fillin_cb() - ibmveth: fix DMA unmap error in ibmveth_xmit_start error path - ieee802154: lowpan_header_create check must check daddr - ipv6: explicitly initialize udp6_addr in udp_sock_create6() - isdn: fix kernel-infoleak in capi_unlocked_ioctl - netrom: fix locking in nr_find_socket() - packet: validate address length - packet: validate address length if non-zero - sctp: initialize sin6_flowinfo for ipv6 addrs in sctp_inet6addr_event - vhost: make sure used idx is seen before log in vhost_add_used_n() - VSOCK: Send reset control packet when socket is partially bound - xen/netfront: tolerate frags with no data - gro_cell: add napi_disable in gro_cells_destroy - sock: Make sock->sk_stamp thread-safe - ALSA: rme9652: Fix potential Spectre v1 vulnerability - ALSA: emu10k1: Fix potential Spectre v1 vulnerabilities - ALSA: pcm: Fix potential Spectre v1 vulnerability - ALSA: emux: Fix potential Spectre v1 vulnerabilities - ALSA: hda: add mute LED support for HP EliteBook 840 G4 - ALSA: hda/tegra: clear pending irq handlers - USB: serial: pl2303: add ids for Hewlett-Packard HP POS pole displays - USB: serial: option: add Fibocom NL678 series - usb: r8a66597: Fix a possible concurrency use-after-free bug in r8a66597_endpoint_disable() - Input: elan_i2c - add ACPI ID for touchpad in ASUS Aspire F5-573G - KVM: x86: Use jmp to invoke kvm_spurious_fault() from .fixup - perf pmu: Suppress potential format-truncation warning - ext4: fix possible use after free in ext4_quota_enable - ext4: missing unlock/put_page() in ext4_try_to_write_inline_data() - ext4: fix EXT4_IOC_GROUP_ADD ioctl - ext4: force inode writes when nfsd calls commit_metadata() - spi: bcm2835: Fix race on DMA termination - spi: bcm2835: Fix book-keeping of DMA termination - spi: bcm2835: Avoid finishing transfer prematurely in IRQ mode - cdc-acm: fix abnormal DATA RX issue for Mediatek Preloader. - media: vivid: free bitmap_cap when updating std/timings/etc. - MIPS: Ensure pmd_present() returns false after pmd_mknotpresent() - MIPS: Align kernel load address to 64KB - CIFS: Fix error mapping for SMB2_LOCK command which caused OFD lock problem - x86/kvm/vmx: do not use vm-exit instruction length for fast MMIO when running nested - spi: bcm2835: Unbreak the build of esoteric configs - powerpc: Fix COFF zImage booting on old powermacs - ARM: imx: update the cpu power up timing setting on i.mx6sx - Input: restore EV_ABS ABS_RESERVED - checkstack.pl: fix for aarch64 - xfrm: Fix bucket count reported to userspace - scsi: bnx2fc: Fix NULL dereference in error handling - Input: omap-keypad - fix idle configuration to not block SoC idle states - scsi: zfcp: fix posting too many status read buffers leading to adapter shutdown - hwpoison, memory_hotplug: allow hwpoisoned pages to be offlined - mm, devm_memremap_pages: mark devm_memremap_pages() EXPORT_SYMBOL_GPL - mm, devm_memremap_pages: kill mapping "System RAM" support - sunrpc: fix cache_head leak due to queued request - sunrpc: use SVC_NET() in svcauth_gss_* functions - crypto: x86/chacha20 - avoid sleeping with preemption disabled - ALSA: cs46xx: Potential NULL dereference in probe - ALSA: usb-audio: Avoid access before bLength check in build_audio_procunit() - ALSA: usb-audio: Fix an out-of-bound read in create_composite_quirks - dlm: fixed memory leaks after failed ls_remove_names allocation - dlm: possible memory leak on error path in create_lkb() - dlm: lost put_lkb on error path in receive_convert() and receive_unlock() - dlm: memory leaks on error path in dlm_user_request() - gfs2: Fix loop in gfs2_rbm_find - b43: Fix error in cordic routine - 9p/net: put a lower bound on msize - iommu/vt-d: Handle domain agaw being less than iommu agaw - ceph: don't update importing cap's mseq when handing cap export - genwqe: Fix size check - intel_th: msu: Fix an off-by-one in attribute store - power: supply: olpc_battery: correct the temperature units - Linux 4.4.170 * Xenial update: 4.4.169 upstream stable release (LP: #1811252) - lib/interval_tree_test.c: make test options module parameters - lib/interval_tree_test.c: allow full tree search - lib/rbtree_test.c: make input module parameters - lib/rbtree-test: lower default params - lib/interval_tree_test.c: allow users to limit scope of endpoint - timer/debug: Change /proc/timer_list from 0444 to 0400 - powerpc/boot: Fix random libfdt related build errors - pinctrl: sunxi: a83t: Fix IRQ offset typo for PH11 - aio: fix spectre gadget in lookup_ioctx - MMC: OMAP: fix broken MMC on OMAP15XX/OMAP5910/OMAP310 - tracing: Fix memory leak in set_trigger_filter() - tracing: Fix memory leak of instance function hash filters - powerpc/msi: Fix NULL pointer access in teardown code - Revert "drm/rockchip: Allow driver to be shutdown on reboot/kexec" - f2fs: fix a panic caused by NULL flush_cmd_control - mac80211: don't WARN on bad WMM parameters from buggy APs - mac80211: Fix condition validating WMM IE - mac80211_hwsim: fix module init error paths for netlink - scsi: libiscsi: Fix NULL pointer dereference in iscsi_eh_session_reset - scsi: vmw_pscsi: Rearrange code to avoid multiple calls to free_irq during unload - x86/earlyprintk/efi: Fix infinite loop on some screen widths - drm/msm: Grab a vblank reference when waiting for commit_done - ARC: io.h: Implement reads{x}()/writes{x}() - bonding: fix 802.3ad state sent to partner when unbinding slave - SUNRPC: Fix a potential race in xprt_connect() - sbus: char: add of_node_put() - drivers/sbus/char: add of_node_put() - drivers/tty: add missing of_node_put() - ide: pmac: add of_node_put() - clk: mmp: Off by one in mmp_clk_add() - Input: omap-keypad - fix keyboard debounce configuration - libata: whitelist all SAMSUNG MZ7KM* solid-state disks - mv88e6060: disable hardware level MAC learning - ARM: 8814/1: mm: improve/fix ARM v7_dma_inv_range() unaligned address handling - cifs: In Kconfig CONFIG_CIFS_POSIX needs depends on legacy (insecure cifs) - [Config] Remove CONFIG_CIFS_POSIX=y - i2c: axxia: properly handle master timeout - i2c: scmi: Fix probe error on devices with an empty SMB0001 ACPI device node - rtc: snvs: add a missing write sync - rtc: snvs: Add timeouts to avoid kernel lockups - ALSA: isa/wavefront: prevent some out of bound writes - Linux 4.4.169 * Xenial update: 4.4.168 upstream stable release (LP: #1811080) - ipv6: Check available headroom in ip6_xmit() even without options - net: 8139cp: fix a BUG triggered by changing mtu with network traffic - net: phy: don't allow __set_phy_supported to add unsupported modes - net: Prevent invalid access to skb->prev in __qdisc_drop_all - rtnetlink: ndo_dflt_fdb_dump() only work for ARPHRD_ETHER devices - tcp: fix NULL ref in tail loss probe - tun: forbid iface creation with rtnl ops - neighbour: Avoid writing before skb->head in neigh_hh_output() - ARM: OMAP2+: prm44xx: Fix section annotation on omap44xx_prm_enable_io_wakeup - ARM: OMAP1: ams-delta: Fix possible use of uninitialized field - sysv: return 'err' instead of 0 in __sysv_write_inode - s390/cpum_cf: Reject request for sampling in event initialization - hwmon: (ina2xx) Fix current value calculation - ASoC: dapm: Recalculate audio map forcely when card instantiated - hwmon: (w83795) temp4_type has writable permission - Btrfs: send, fix infinite loop due to directory rename dependencies - ASoC: omap-mcpdm: Add pm_qos handling to avoid under/overruns with CPU_IDLE - ASoC: omap-dmic: Add pm_qos handling to avoid overruns with CPU_IDLE - exportfs: do not read dentry after free - bpf: fix check of allowed specifiers in bpf_trace_printk - USB: omap_udc: use devm_request_irq() - USB: omap_udc: fix crashes on probe error and module removal - USB: omap_udc: fix omap_udc_start() on 15xx machines - USB: omap_udc: fix USB gadget functionality on Palm Tungsten E - KVM: x86: fix empty-body warnings - net: thunderx: fix NULL pointer dereference in nic_remove - ixgbe: recognize 1000BaseLX SFP modules as 1Gbps - net: hisilicon: remove unexpected free_netdev - drm/ast: fixed reading monitor EDID not stable issue - xen: xlate_mmu: add missing header to fix 'W=1' warning - fscache: fix race between enablement and dropping of object - fscache, cachefiles: remove redundant variable 'cache' - ocfs2: fix deadlock caused by ocfs2_defrag_extent() - hfs: do not free node before using - hfsplus: do not free node before using - debugobjects: avoid recursive calls with kmemleak - ocfs2: fix potential use after free - pstore: Convert console write to use ->write_buf - ALSA: pcm: remove SNDRV_PCM_IOCTL1_INFO internal command - KVM: nVMX: fix msr bitmaps to prevent L2 from accessing L0 x2APIC - KVM: nVMX: mark vmcs12 pages dirty on L2 exit - KVM: nVMX: Eliminate vmcs02 pool - KVM: VMX: introduce alloc_loaded_vmcs - KVM: VMX: make MSR bitmaps per-VCPU - KVM/x86: Add IBPB support - KVM/VMX: Allow direct access to MSR_IA32_SPEC_CTRL - KVM/SVM: Allow direct access to MSR_IA32_SPEC_CTRL - KVM/x86: Remove indirect MSR op calls from SPEC_CTRL - x86/uaccess: Use __uaccess_begin_nospec() and uaccess_try_nospec - KVM: SVM: Implement VIRT_SPEC_CTRL support for SSBD - bpf: support 8-byte metafield access - bpf/verifier: Add spi variable to check_stack_write() - bpf/verifier: Pass instruction index to check_mem_access() and check_xadd() - bpf: Prevent memory disambiguation attack - wil6210: missing length check in wmi_set_ie - mm/hugetlb.c: don't call region_abort if region_chg fails - hugetlbfs: fix offset overflow in hugetlbfs mmap - hugetlbfs: check for pgoff value overflow - hugetlbfs: fix bug in pgoff overflow checking - swiotlb: clean up reporting - sr: pass down correctly sized SCSI sense buffer - mm: remove write/force parameters from __get_user_pages_locked() - mm: remove write/force parameters from __get_user_pages_unlocked() - mm/nommu.c: Switch __get_user_pages_unlocked() to use __get_user_pages() - mm: replace get_user_pages_unlocked() write/force parameters with gup_flags - mm: replace get_user_pages_locked() write/force parameters with gup_flags - mm: replace get_vaddr_frames() write/force parameters with gup_flags - mm: replace get_user_pages() write/force parameters with gup_flags - mm: replace __access_remote_vm() write parameter with gup_flags - mm: replace access_remote_vm() write parameter with gup_flags - proc: don't use FOLL_FORCE for reading cmdline and environment - proc: do not access cmdline nor environ from file-backed areas - media: dvb-frontends: fix i2c access helpers for KASAN - matroxfb: fix size of memcpy - staging: speakup: Replace strncpy with memcpy - rocker: fix rocker_tlv_put_* functions for KASAN - selftests: Move networking/timestamping from Documentation - Linux 4.4.168 * kernel oops in bcache module (LP: #1793901) - SAUCE: bcache: never writeback a discard operation * Userspace break as a result of missing patch backport (LP: #1813873) - tty: Don't hold ldisc lock in tty_reopen() if ldisc present * CVE-2019-6133 - fork: record start_time late * Crash on "ip link add foo type ipip" (LP: #1811803) - SAUCE: fan: Fix NULL pointer dereference -- Juerg Haefliger