Bug #1779923 “other users' coredumps can be read via setgid dire...” : Trusty (14.04) : Bugs : linux package : Ubuntu

Revision history for this message

Jann Horn (corp account) (jannh) wrote on 2018-07-06:

#1

This is now fixed upstream in Linus' tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7

Note that this fix does not have a CC stable marker.

Revision history for this message

Alex Murray (alexmurray) wrote on 2018-07-06:

#2

Hi Jann - thanks for reporting this - I noticed the commit earlier today and have been in the process of testing it here against your PoC's above (still waiting on builds to complete to report final results which I hope to do soon).

Revision history for this message

Seth Arnold (seth-arnold) wrote on 2018-07-09:

#3

Hello Jann, have you taken steps to publicize this issue further? I think we'd like to keep the PoC secret until our kernels can include the upstream fix but if this PoC is currently visible elsewhere then it serves no purpose to keep this bug closed any longer.

Thanks

Revision history for this message

Jann Horn (corp account) (jannh) wrote on 2018-07-09:

#4

So far, I have only notified <email address hidden> and you. However, our policy is to make issue reports public soon after a patch has been released, so I'm planning to drop the view restriction on our bugtracker entry on Friday.

Revision history for this message

Jann Horn (corp account) (jannh) wrote on 2018-07-13:

#5

Our bugtracker entry is public now: https://bugs.chromium.org/p/project-zero/issues/detail?id=1611

Revision history for this message

Seth Arnold (seth-arnold) wrote on 2018-07-13:

#6

Thanks Jann!

information type:

Private Security → Public Security

Revision history for this message

Tyler Hicks (tyhicks) wrote on 2018-07-16:

#7

Fix submitted for the Ubuntu kernel: https://lists.ubuntu.com/archives/kernel-team/2018-July/093863.html

Changed in linux (Ubuntu):
assignee:	nobody → Tyler Hicks (tyhicks)
importance:	Undecided → Medium
status:	New → In Progress
Changed in linux (Ubuntu Bionic):
assignee:	nobody → Tyler Hicks (tyhicks)
importance:	Undecided → Medium
status:	New → In Progress
Changed in linux (Ubuntu Xenial):
assignee:	nobody → Tyler Hicks (tyhicks)
importance:	Undecided → Medium
status:	New → In Progress
Changed in linux (Ubuntu Trusty):
assignee:	nobody → Tyler Hicks (tyhicks)
importance:	Undecided → Medium
status:	New → In Progress

Revision history for this message

Tyler Hicks (tyhicks) wrote on 2018-07-16:

#8

I don't think the Security or Foundations teams plan to make any changes in Whoopsie so I'm marking these tasks as invalid.

Changed in whoopsie (Ubuntu Trusty):
status:	New → Invalid
Changed in whoopsie (Ubuntu Xenial):
status:	New → Invalid
Changed in whoopsie (Ubuntu Bionic):
status:	New → Invalid
Changed in whoopsie (Ubuntu Cosmic):
status:	New → Invalid

Mathew Hodson (mhodson) on 2018-07-27

no longer affects:	whoopsie (Ubuntu)
no longer affects:	whoopsie (Ubuntu Trusty)
no longer affects:	whoopsie (Ubuntu Xenial)
no longer affects:	whoopsie (Ubuntu Bionic)
no longer affects:	whoopsie (Ubuntu Cosmic)

Kleber Sacilotto de Souza (kleber-souza) on 2018-07-31

Changed in linux (Ubuntu Trusty):
status:	In Progress → Fix Committed

Kleber Sacilotto de Souza (kleber-souza) on 2018-08-02

Changed in linux (Ubuntu Xenial):
status:	In Progress → Fix Committed

Stefan Bader (smb) on 2018-08-02

Changed in linux (Ubuntu Bionic):
status:	In Progress → Fix Committed

Revision history for this message

Brad Figg (brad-figg) wrote on 2018-08-02:

#9

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-trusty' to 'verification-done-trusty'. If the problem still exists, change the tag 'verification-needed-trusty' to 'verification-failed-trusty'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: verification-needed-trusty

Revision history for this message

Brad Figg (brad-figg) wrote on 2018-08-03:

#10

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'. If the problem still exists, change the tag 'verification-needed-xenial' to 'verification-failed-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: verification-needed-xenial

Revision history for this message

Brad Figg (brad-figg) wrote on 2018-08-07:

#11

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: verification-needed-bionic

Revision history for this message

Kleber Sacilotto de Souza (kleber-souza) wrote on 2018-08-21:

#12

Hi @jannh,

Could you please verify if the kernels currently in -proposed fix the issue?

Thank you.

Revision history for this message

Tyler Hicks (tyhicks) wrote on 2018-08-21:

#13

I've verified the fix by testing the following kernels:

4.17.0-7.8-generic
4.15.0-33.36-generic
4.4.0-134.160-generic
3.13.0-157.207-generic

tags:

added: verification-done-bionic verification-done-trusty verification-done-xenial
removed: verification-needed-bionic verification-needed-trusty verification-needed-xenial

Revision history for this message

Tyler Hicks (tyhicks) wrote on 2018-08-21:

#14

@jannh you can ignore the request in comment #12 to verify the fixes in the -proposed kernels. Thanks again for bringing this to our attention.

Revision history for this message

Launchpad Janitor (janitor) wrote on 2018-08-23:

#15

Download full text (35.6 KiB)

This bug was fixed in the package linux - 4.15.0-33.36

---------------
linux (4.15.0-33.36) bionic; urgency=medium

* linux: 4.15.0-33.36 -proposed tracker (LP: #1787149)

  * RTNL assertion failure on ipvlan (LP: #1776927)
    - ipvlan: drop ipv6 dependency
    - ipvlan: use per device spinlock to protect addrs list updates
    - SAUCE: fix warning from "ipvlan: drop ipv6 dependency"

* ubuntu_bpf_jit test failed on Bionic s390x systems (LP: #1753941)
- test_bpf: flag tests that cannot be jited on s390

  * HDMI/DP audio can't work on the laptop of Dell Latitude 5495 (LP: #1782689)
    - drm/nouveau: fix nouveau_dsm_get_client_id()'s return type
    - drm/radeon: fix radeon_atpx_get_client_id()'s return type
    - drm/amdgpu: fix amdgpu_atpx_get_client_id()'s return type
    - platform/x86: apple-gmux: fix gmux_get_client_id()'s return type
    - ALSA: hda: use PCI_BASE_CLASS_DISPLAY to replace PCI_CLASS_DISPLAY_VGA
    - vga_switcheroo: set audio client id according to bound GPU id

  * locking sockets broken due to missing AppArmor socket mediation patches
    (LP: #1780227)
    - UBUNTU SAUCE: apparmor: fix apparmor mediating locking non-fs, unix sockets

* Update2 for ocxl driver (LP: #1781436)
- ocxl: Fix page fault handler in case of fault on dying process

  * netns: unable to follow an interface that moves to another netns
    (LP: #1774225)
    - net: core: Expose number of link up/down transitions
    - dev: always advertise the new nsid when the netns iface changes
    - dev: advertise the new ifindex when the netns iface changes

  * [Bionic] Disk IO hangs when using BFQ as io scheduler (LP: #1780066)
    - block, bfq: fix occurrences of request finish method's old name
    - block, bfq: remove batches of confusing ifdefs
    - block, bfq: add requeue-request hook

* HP ProBook 455 G5 needs mute-led-gpio fixup (LP: #1781763)
- ALSA: hda: add mute led support for HP ProBook 455 G5

  * [Bionic] bug fixes to improve stability of the ThunderX2 i2c driver
    (LP: #1781476)
    - i2c: xlp9xx: Fix issue seen when updating receive length
    - i2c: xlp9xx: Make sure the transfer size is not more than
      I2C_SMBUS_BLOCK_SIZE

* x86/kvm: fix LAPIC timer drift when guest uses periodic mode (LP: #1778486)
- x86/kvm: fix LAPIC timer drift when guest uses periodic mode

* Please include ax88179_178a and r8152 modules in d-i udeb (LP: #1771823)
- [Config:] d-i: Add ax88179_178a and r8152 to nic-modules

* Nvidia fails after switching its mode (LP: #1778658)
- PCI: Restore config space on runtime resume despite being unbound

* Kernel error "task zfs:pid blocked for more than 120 seconds" (LP: #1781364)
- SAUCE: (noup) zfs to 0.7.5-1ubuntu16.3

  * CVE-2018-12232
    - PATCH 1/1] socket: close race condition between sock_close() and
      sockfs_setattr()

* CVE-2018-10323
- xfs: set format back to extents if xfs_bmap_extents_to_btree

  * change front mic location for more lenovo m7/8/9xx machines (LP: #1781316)
    - ALSA: hda/realtek - Fix the problem of two front mics on more machines
    - ALSA: hda/realtek - two more lenovo models need fixup of MIC_LOCATION

* Cephfs + fscache: unab...

This bug was fixed in the package linux - 4.15.0-33.36

---------------
linux (4.15.0-33.36) bionic; urgency=medium

* linux: 4.15.0-33.36 -proposed tracker (LP: #1787149)

* RTNL assertion failure on ipvlan (LP: #1776927)
    - ipvlan: drop ipv6 dependency
    - ipvlan: use per device spinlock to protect addrs list updates
    - SAUCE: fix warning from "ipvlan: drop ipv6 dependency"

* ubuntu_bpf_jit test failed on Bionic s390x systems (LP: #1753941)
    - test_bpf: flag tests that cannot be jited on s390

* HDMI/DP audio can't work on the laptop of Dell Latitude 5495 (LP: #1782689)
    - drm/nouveau: fix nouveau_dsm_get_client_id()'s return type
    - drm/radeon: fix radeon_atpx_get_client_id()'s return type
    - drm/amdgpu: fix amdgpu_atpx_get_client_id()'s return type
    - platform/x86: apple-gmux: fix gmux_get_client_id()'s return type
    - ALSA: hda: use PCI_BASE_CLASS_DISPLAY to replace PCI_CLASS_DISPLAY_VGA
    - vga_switcheroo: set audio client id according to bound GPU id

* locking sockets broken due to missing AppArmor socket mediation patches
    (LP: #1780227)
    - UBUNTU SAUCE: apparmor: fix apparmor mediating locking non-fs, unix sockets

* Update2 for ocxl driver (LP: #1781436)
    - ocxl: Fix page fault handler in case of fault on dying process

* netns: unable to follow an interface that moves to another netns
    (LP: #1774225)
    - net: core: Expose number of link up/down transitions
    - dev: always advertise the new nsid when the netns iface changes
    - dev: advertise the new ifindex when the netns iface changes

* [Bionic] Disk IO hangs when using BFQ as io scheduler (LP: #1780066)
    - block, bfq: fix occurrences of request finish method's old name
    - block, bfq: remove batches of confusing ifdefs
    - block, bfq: add requeue-request hook

* HP ProBook 455 G5 needs mute-led-gpio fixup (LP: #1781763)
    - ALSA: hda: add mute led support for HP ProBook 455 G5

* [Bionic] bug fixes to improve stability of the ThunderX2 i2c driver
    (LP: #1781476)
    - i2c: xlp9xx: Fix issue seen when updating receive length
    - i2c: xlp9xx: Make sure the transfer size is not more than
      I2C_SMBUS_BLOCK_SIZE

* x86/kvm: fix LAPIC timer drift when guest uses periodic mode (LP: #1778486)
    - x86/kvm: fix LAPIC timer drift when guest uses periodic mode

* Please include ax88179_178a and r8152 modules in d-i udeb (LP: #1771823)
    - [Config:] d-i: Add ax88179_178a and r8152 to nic-modules

* Nvidia fails after switching its mode (LP: #1778658)
    - PCI: Restore config space on runtime resume despite being unbound

* Kernel error "task zfs:pid blocked for more than 120 seconds" (LP: #1781364)
    - SAUCE: (noup) zfs to 0.7.5-1ubuntu16.3

* CVE-2018-12232
    - PATCH 1/1] socket: close race condition between sock_close() and
      sockfs_setattr()

* CVE-2018-10323
    - xfs: set format back to extents if xfs_bmap_extents_to_btree

* change front mic location for more lenovo m7/8/9xx machines (LP: #1781316)
    - ALSA: hda/realtek - Fix the problem of two front mics on more machines
    - ALSA: hda/realtek - two more lenovo models need fixup of MIC_LOCATION

* Cephfs + fscache: unable to handle kernel NULL pointer dereference at
    0000000000000000 IP: jbd2__journal_start+0x22/0x1f0 (LP: #1783246)
    - ceph: track read contexts in ceph_file_info

* Touchpad of ThinkPad P52 failed to work with message "lost sync at byte"
    (LP: #1779802)
    - Input: elantech - fix V4 report decoding for module with middle key
    - Input: elantech - enable middle button of touchpads on ThinkPad P52

* xhci_hcd 0000:00:14.0: Root hub is not suspended (LP: #1779823)
    - usb: xhci: dbc: Fix lockdep warning
    - usb: xhci: dbc: Don't decrement runtime PM counter if DBC is not started

* CVE-2018-13406
    - video: uvesafb: Fix integer overflow in allocation

* CVE-2018-10840
    - ext4: correctly handle a zero-length xattr with a non-zero e_value_offs

* CVE-2018-11412
    - ext4: do not allow external inodes for inline data

* CVE-2018-10881
    - ext4: clear i_data in ext4_inode_info when removing inline data

* CVE-2018-12233
    - jfs: Fix inconsistency between memory allocation and ea_buf->max_size

* CVE-2018-12904
    - kvm: nVMX: Enforce cpl=0 for VMX instructions

* Error parsing PCC subspaces from PCCT (LP: #1528684)
    - mailbox: PCC: erroneous error message when parsing ACPI PCCT

* CVE-2018-13094
    - xfs: don't call xfs_da_shrink_inode with NULL bp

* other users' coredumps can be read via setgid directory and killpriv bypass
    (LP: #1779923) // CVE-2018-13405
    - Fix up non-directory creation in SGID directories

* Invoking obsolete 'firmware_install' target breaks snap build (LP: #1782166)
    - snapcraft.yaml: stop invoking the obsolete (and non-existing)
      'firmware_install' target

* snapcraft.yaml: missing ubuntu-retpoline-extract-one script breaks the build
    (LP: #1782116)
    - snapcraft.yaml: copy retpoline-extract-one to scripts before build

* Allow Raven Ridge's audio controller to be runtime suspended (LP: #1782540)
    - ALSA: hda: Add AZX_DCAPS_PM_RUNTIME for AMD Raven Ridge

* CVE-2018-11506
    - sr: pass down correctly sized SCSI sense buffer

* Bionic update: upstream stable patchset 2018-07-24 (LP: #1783418)
    - net: Fix a bug in removing queues from XPS map
    - net/mlx4_core: Fix error handling in mlx4_init_port_info.
    - net/sched: fix refcnt leak in the error path of tcf_vlan_init()
    - net: sched: red: avoid hashing NULL child
    - net/smc: check for missing nlattrs in SMC_PNETID messages
    - net: test tailroom before appending to linear skb
    - packet: in packet_snd start writing at link layer allocation
    - sock_diag: fix use-after-free read in __sk_free
    - tcp: purge write queue in tcp_connect_init()
    - vmxnet3: set the DMA mask before the first DMA map operation
    - vmxnet3: use DMA memory barriers where required
    - hv_netvsc: empty current transmit aggregation if flow blocked
    - hv_netvsc: Use the num_online_cpus() for channel limit
    - hv_netvsc: avoid retry on send during shutdown
    - hv_netvsc: only wake transmit queue if link is up
    - hv_netvsc: fix error unwind handling if vmbus_open fails
    - hv_netvsc: cancel subchannel setup before halting device
    - hv_netvsc: fix race in napi poll when rescheduling
    - hv_netvsc: defer queue selection to VF
    - hv_netvsc: disable NAPI before channel close
    - hv_netvsc: use RCU to fix concurrent rx and queue changes
    - hv_netvsc: change GPAD teardown order on older versions
    - hv_netvsc: common detach logic
    - hv_netvsc: Use Windows version instead of NVSP version on GPAD teardown
    - hv_netvsc: Split netvsc_revoke_buf() and netvsc_teardown_gpadl()
    - hv_netvsc: Ensure correct teardown message sequence order
    - hv_netvsc: Fix a network regression after ifdown/ifup
    - sparc: vio: use put_device() instead of kfree()
    - ext2: fix a block leak
    - s390: add assembler macros for CPU alternatives
    - s390: move expoline assembler macros to a header
    - s390/crc32-vx: use expoline for indirect branches
    - s390/lib: use expoline for indirect branches
    - s390/ftrace: use expoline for indirect branches
    - s390/kernel: use expoline for indirect branches
    - s390: move spectre sysfs attribute code
    - s390: extend expoline to BC instructions
    - s390: use expoline thunks in the BPF JIT
    - scsi: sg: allocate with __GFP_ZERO in sg_build_indirect()
    - scsi: zfcp: fix infinite iteration on ERP ready list
    - loop: don't call into filesystem while holding lo_ctl_mutex
    - loop: fix LOOP_GET_STATUS lock imbalance
    - cfg80211: limit wiphy names to 128 bytes
    - hfsplus: stop workqueue when fill_super() failed
    - x86/kexec: Avoid double free_page() upon do_kexec_load() failure
    - usb: gadget: f_uac2: fix bFirstInterface in composite gadget
    - usb: dwc3: Undo PHY init if soft reset fails
    - usb: dwc3: omap: don't miss events during suspend/resume
    - usb: gadget: core: Fix use-after-free of usb_request
    - usb: gadget: fsl_udc_core: fix ep valid checks
    - usb: dwc2: Fix dwc2_hsotg_core_init_disconnected()
    - usb: cdc_acm: prevent race at write to acm while system resumes
    - net: usbnet: fix potential deadlock on 32bit hosts
    - ARM: dts: imx7d-sdb: Fix regulator-usb-otg2-vbus node name
    - usb: host: xhci-plat: revert "usb: host: xhci-plat: enable clk in resume
      timing"
    - USB: OHCI: Fix NULL dereference in HCDs using HCD_LOCAL_MEM
    - net/usb/qmi_wwan.c: Add USB id for lt4120 modem
    - net-usb: add qmi_wwan if on lte modem wistron neweb d18q1
    - Bluetooth: btusb: Add USB ID 7392:a611 for Edimax EW-7611ULB
    - ALSA: usb-audio: Add native DSD support for Luxman DA-06
    - usb: dwc3: Add SoftReset PHY synchonization delay
    - usb: dwc3: Update DWC_usb31 GTXFIFOSIZ reg fields
    - usb: dwc3: Makefile: fix link error on randconfig
    - xhci: zero usb device slot_id member when disabling and freeing a xhci slot
    - usb: dwc2: Fix interval type issue
    - usb: dwc2: hcd: Fix host channel halt flow
    - usb: dwc2: host: Fix transaction errors in host mode
    - usb: gadget: ffs: Let setup() return USB_GADGET_DELAYED_STATUS
    - usb: gadget: ffs: Execute copy_to_user() with USER_DS set
    - usbip: Correct maximum value of CONFIG_USBIP_VHCI_HC_PORTS
    - usb: gadget: udc: change comparison to bitshift when dealing with a mask
    - usb: gadget: composite: fix incorrect handling of OS desc requests
    - media: lgdt3306a: Fix module count mismatch on usb unplug
    - media: em28xx: USB bulk packet size fix
    - Bluetooth: btusb: Add device ID for RTL8822BE
    - xhci: Show what USB release number the xHC supports from protocol capablity
    - staging: bcm2835-audio: Release resources on module_exit()
    - staging: lustre: fix bug in osc_enter_cache_try
    - staging: fsl-dpaa2/eth: Fix incorrect casts
    - staging: rtl8192u: return -ENOMEM on failed allocation of priv->oldaddr
    - staging: ks7010: Use constants from ieee80211_eid instead of literal ints.
    - staging: lustre: lmv: correctly iput lmo_root
    - crypto: inside-secure - wait for the request to complete if in the backlog
    - crypto: atmel-aes - fix the keys zeroing on errors
    - crypto: ccp - don't disable interrupts while setting up debugfs
    - crypto: inside-secure - do not process request if no command was issued
    - crypto: inside-secure - fix the cache_len computation
    - crypto: inside-secure - fix the extra cache computation
    - crypto: sunxi-ss - Add MODULE_ALIAS to sun4i-ss
    - crypto: inside-secure - fix the invalidation step during cra_exit
    - scsi: mpt3sas: fix an out of bound write
    - scsi: ufs: Enable quirk to ignore sending WRITE_SAME command
    - scsi: bnx2fc: Fix check in SCSI completion handler for timed out request
    - scsi: sym53c8xx_2: iterator underflow in sym_getsync()
    - scsi: mptfusion: Add bounds check in mptctl_hp_targetinfo()
    - scsi: qla2xxx: Avoid triggering undefined behavior in
      qla2x00_mbx_completion()
    - scsi: storvsc: Increase cmd_per_lun for higher speed devices
    - scsi: qedi: Fix truncation of CHAP name and secret
    - scsi: aacraid: fix shutdown crash when init fails
    - scsi: qla4xxx: skip error recovery in case of register disconnect.
    - scsi: qedi: Fix kernel crash during port toggle
    - scsi: mpt3sas: Do not mark fw_event workqueue as WQ_MEM_RECLAIM
    - scsi: sd: Keep disk read-only when re-reading partition
    - scsi: iscsi_tcp: set BDI_CAP_STABLE_WRITES when data digest enabled
    - scsi: aacraid: Insure command thread is not recursively stopped
    - scsi: core: Make SCSI Status CONDITION MET equivalent to GOOD
    - scsi: mvsas: fix wrong endianness of sgpio api
    - ASoC: hdmi-codec: Fix module unloading caused kernel crash
    - ASoC: rockchip: rk3288-hdmi-analog: Select needed codecs
    - ASoC: samsung: odroid: Fix 32000 sample rate handling
    - ASoC: topology: create TLV data for dapm widgets
    - ASoC: samsung: i2s: Ensure the RCLK rate is properly determined
    - clk: rockchip: Fix wrong parent for SDMMC phase clock for rk3228
    - clk: Don't show the incorrect clock phase
    - clk: hisilicon: mark wdt_mux_p[] as const
    - clk: tegra: Fix pll_u rate configuration
    - clk: rockchip: Prevent calculating mmc phase if clock rate is zero
    - clk: samsung: s3c2410: Fix PLL rates
    - clk: samsung: exynos7: Fix PLL rates
    - clk: samsung: exynos5260: Fix PLL rates
    - clk: samsung: exynos5433: Fix PLL rates
    - clk: samsung: exynos5250: Fix PLL rates
    - clk: samsung: exynos3250: Fix PLL rates
    - media: dmxdev: fix error code for invalid ioctls
    - media: Don't let tvp5150_get_vbi() go out of vbi_ram_default array
    - media: ov5645: add missing of_node_put() in error path
    - media: cx23885: Override 888 ImpactVCBe crystal frequency
    - media: cx23885: Set subdev host data to clk_freq pointer
    - media: s3c-camif: fix out-of-bounds array access
    - media: lgdt3306a: Fix a double kfree on i2c device remove
    - media: em28xx: Add Hauppauge SoloHD/DualHD bulk models
    - media: v4l: vsp1: Fix display stalls when requesting too many inputs
    - media: i2c: adv748x: fix HDMI field heights
    - media: vb2: Fix videobuf2 to map correct area
    - media: vivid: fix incorrect capabilities for radio
    - media: cx25821: prevent out-of-bounds read on array card
    - serial: xuartps: Fix out-of-bounds access through DT alias
    - serial: sh-sci: Fix out-of-bounds access through DT alias
    - serial: samsung: Fix out-of-bounds access through serial port index
    - serial: mxs-auart: Fix out-of-bounds access through serial port index
    - serial: imx: Fix out-of-bounds access through serial port index
    - serial: fsl_lpuart: Fix out-of-bounds access through DT alias
    - serial: arc_uart: Fix out-of-bounds access through DT alias
    - serial: 8250: Don't service RX FIFO if interrupts are disabled
    - serial: altera: ensure port->regshift is honored consistently
    - rtc: snvs: Fix usage of snvs_rtc_enable
    - rtc: hctosys: Ensure system time doesn't overflow time_t
    - rtc: rk808: fix possible race condition
    - rtc: m41t80: fix race conditions
    - rtc: tx4939: avoid unintended sign extension on a 24 bit shift
    - rtc: rp5c01: fix possible race condition
    - rtc: goldfish: Add missing MODULE_LICENSE
    - cxgb4: Correct ntuple mask validation for hash filters
    - net: dsa: bcm_sf2: Fix RX_CLS_LOC_ANY overwrite for last rule
    - net: dsa: Do not register devlink for unused ports
    - net: dsa: bcm_sf2: Fix IPv6 rules and chain ID
    - net: dsa: bcm_sf2: Fix IPv6 rule half deletion
    - 3c59x: convert to generic DMA API
    - net: ip6_gre: Request headroom in __gre6_xmit()
    - net: ip6_gre: Split up ip6gre_tnl_link_config()
    - net: ip6_gre: Split up ip6gre_tnl_change()
    - net: ip6_gre: Split up ip6gre_newlink()
    - net: ip6_gre: Split up ip6gre_changelink()
    - qed: LL2 flush isles when connection is closed
    - qed: Fix possibility of list corruption during rmmod flows
    - qed: Fix LL2 race during connection terminate
    - powerpc: Move default security feature flags
    - Bluetooth: btusb: Add support for Intel Bluetooth device 22560 [8087:0026]
    - staging: fsl-dpaa2/eth: Fix incorrect kfree
    - crypto: inside-secure - move the digest to the request context
    - scsi: lpfc: Fix NVME Initiator FirstBurst
    - serial: mvebu-uart: fix tx lost characters

* Bionic update: upstream stable patchset 2018-07-20 (LP: #1782846)
    - usbip: usbip_host: refine probe and disconnect debug msgs to be useful
    - usbip: usbip_host: delete device from busid_table after rebind
    - usbip: usbip_host: run rebind from exit when module is removed
    - usbip: usbip_host: fix NULL-ptr deref and use-after-free errors
    - usbip: usbip_host: fix bad unlock balance during stub_probe()
    - ALSA: usb: mixer: volume quirk for CM102-A+/102S+
    - ALSA: hda: Add Lenovo C50 All in one to the power_save blacklist
    - ALSA: control: fix a redundant-copy issue
    - spi: pxa2xx: Allow 64-bit DMA
    - spi: bcm-qspi: Avoid setting MSPI_CDRAM_PCS for spi-nor master
    - spi: bcm-qspi: Always read and set BSPI_MAST_N_BOOT_CTRL
    - KVM: arm/arm64: VGIC/ITS save/restore: protect kvm_read_guest() calls
    - KVM: arm/arm64: VGIC/ITS: protect kvm_read_guest() calls with SRCU lock
    - vfio: ccw: fix cleanup if cp_prefetch fails
    - tracing/x86/xen: Remove zero data size trace events
      trace_xen_mmu_flush_tlb{_all}
    - tee: shm: fix use-after-free via temporarily dropped reference
    - netfilter: nf_tables: free set name in error path
    - netfilter: nf_tables: can't fail after linking rule into active rule list
    - netfilter: nf_socket: Fix out of bounds access in nf_sk_lookup_slow_v{4,6}
    - i2c: designware: fix poll-after-enable regression
    - powerpc/powernv: Fix NVRAM sleep in invalid context when crashing
    - drm: Match sysfs name in link removal to link creation
    - lib/test_bitmap.c: fix bitmap optimisation tests to report errors correctly
    - radix tree: fix multi-order iteration race
    - mm: don't allow deferred pages with NEED_PER_CPU_KM
    - drm/i915/gen9: Add WaClearHIZ_WM_CHICKEN3 for bxt and glk
    - s390/qdio: fix access to uninitialized qdio_q fields
    - s390/qdio: don't release memory in qdio_setup_irq()
    - s390: remove indirect branch from do_softirq_own_stack
    - x86/pkeys: Override pkey when moving away from PROT_EXEC
    - x86/pkeys: Do not special case protection key 0
    - efi: Avoid potential crashes, fix the 'struct efi_pci_io_protocol_32'
      definition for mixed mode
    - ARM: 8771/1: kprobes: Prohibit kprobes on do_undefinstr
    - x86/mm: Drop TS_COMPAT on 64-bit exec() syscall
    - tick/broadcast: Use for_each_cpu() specially on UP kernels
    - ARM: 8769/1: kprobes: Fix to use get_kprobe_ctlblk after irq-disabed
    - ARM: 8770/1: kprobes: Prohibit probing on optimized_callback
    - ARM: 8772/1: kprobes: Prohibit kprobes on get_user functions
    - Btrfs: fix xattr loss after power failure
    - Btrfs: send, fix invalid access to commit roots due to concurrent
      snapshotting
    - btrfs: property: Set incompat flag if lzo/zstd compression is set
    - btrfs: fix crash when trying to resume balance without the resume flag
    - btrfs: Split btrfs_del_delalloc_inode into 2 functions
    - btrfs: Fix delalloc inodes invalidation during transaction abort
    - btrfs: fix reading stale metadata blocks after degraded raid1 mounts
    - xhci: Fix USB3 NULL pointer dereference at logical disconnect.
    - KVM: arm/arm64: Properly protect VGIC locks from IRQs
    - KVM: arm/arm64: VGIC/ITS: Promote irq_lock() in update_affinity
    - hwmon: (k10temp) Fix reading critical temperature register
    - hwmon: (k10temp) Use API function to access System Management Network
    - vsprintf: Replace memory barrier with static_key for random_ptr_key update
    - x86/amd_nb: Add support for Raven Ridge CPUs
    - x86/apic/x2apic: Initialize cluster ID properly

* Bionic update: upstream stable patchset 2018-07-09 (LP: #1780858)
    - 8139too: Use disable_irq_nosync() in rtl8139_poll_controller()
    - bridge: check iface upper dev when setting master via ioctl
    - dccp: fix tasklet usage
    - ipv4: fix fnhe usage by non-cached routes
    - ipv4: fix memory leaks in udp_sendmsg, ping_v4_sendmsg
    - llc: better deal with too small mtu
    - net: ethernet: sun: niu set correct packet size in skb
    - net: ethernet: ti: cpsw: fix packet leaking in dual_mac mode
    - net/mlx4_en: Fix an error handling path in 'mlx4_en_init_netdev()'
    - net/mlx4_en: Verify coalescing parameters are in range
    - net/mlx5e: Err if asked to offload TC match on frag being first
    - net/mlx5: E-Switch, Include VF RDMA stats in vport statistics
    - net sched actions: fix refcnt leak in skbmod
    - net_sched: fq: take care of throttled flows before reuse
    - net: support compat 64-bit time in {s,g}etsockopt
    - net/tls: Don't recursively call push_record during tls_write_space callbacks
    - net/tls: Fix connection stall on partial tls record
    - openvswitch: Don't swap table in nlattr_set() after OVS_ATTR_NESTED is found
    - qmi_wwan: do not steal interfaces from class drivers
    - r8169: fix powering up RTL8168h
    - rds: do not leak kernel memory to user land
    - sctp: delay the authentication for the duplicated cookie-echo chunk
    - sctp: fix the issue that the cookie-ack with auth can't get processed
    - sctp: handle two v4 addrs comparison in sctp_inet6_cmp_addr
    - sctp: remove sctp_chunk_put from fail_mark err path in
      sctp_ulpevent_make_rcvmsg
    - sctp: use the old asoc when making the cookie-ack chunk in dupcook_d
    - tcp_bbr: fix to zero idle_restart only upon S/ACKed data
    - tcp: ignore Fast Open on repair mode
    - tg3: Fix vunmap() BUG_ON() triggered from tg3_free_consistent().
    - bonding: do not allow rlb updates to invalid mac
    - bonding: send learning packets for vlans on slave
    - net: sched: fix error path in tcf_proto_create() when modules are not
      configured
    - net/mlx5e: TX, Use correct counter in dma_map error flow
    - net/mlx5: Avoid cleaning flow steering table twice during error flow
    - hv_netvsc: set master device
    - ipv6: fix uninit-value in ip6_multipath_l3_keys()
    - net/mlx5e: Allow offloading ipv4 header re-write for icmp
    - nsh: fix infinite loop
    - udp: fix SO_BINDTODEVICE
    - l2tp: revert "l2tp: fix missing print session offset info"
    - proc: do not access cmdline nor environ from file-backed areas
    - net/smc: restrict non-blocking connect finish
    - mlxsw: spectrum_switchdev: Do not remove mrouter port from MDB's ports list
    - net/mlx5e: DCBNL fix min inline header size for dscp
    - net: systemport: Correclty disambiguate driver instances
    - sctp: clear the new asoc's stream outcnt in sctp_stream_update
    - tcp: restore autocorking
    - tipc: fix one byte leak in tipc_sk_set_orig_addr()
    - hv_netvsc: Fix net device attach on older Windows hosts

* Bionic update: upstream stable patchset 2018-07-06 (LP: #1780499)
    - ext4: prevent right-shifting extents beyond EXT_MAX_BLOCKS
    - ipvs: fix rtnl_lock lockups caused by start_sync_thread
    - netfilter: ebtables: don't attempt to allocate 0-sized compat array
    - kcm: Call strp_stop before strp_done in kcm_attach
    - crypto: af_alg - fix possible uninit-value in alg_bind()
    - netlink: fix uninit-value in netlink_sendmsg
    - net: fix rtnh_ok()
    - net: initialize skb->peeked when cloning
    - net: fix uninit-value in __hw_addr_add_ex()
    - dccp: initialize ireq->ir_mark
    - ipv4: fix uninit-value in ip_route_output_key_hash_rcu()
    - soreuseport: initialise timewait reuseport field
    - inetpeer: fix uninit-value in inet_getpeer
    - memcg: fix per_node_info cleanup
    - perf: Remove superfluous allocation error check
    - tcp: fix TCP_REPAIR_QUEUE bound checking
    - bdi: wake up concurrent wb_shutdown() callers.
    - bdi: Fix oops in wb_workfn()
    - gpioib: do not free unrequested descriptors
    - gpio: fix aspeed_gpio unmask irq
    - gpio: fix error path in lineevent_create
    - rfkill: gpio: fix memory leak in probe error path
    - libata: Apply NOLPM quirk for SanDisk SD7UB3Q*G1001 SSDs
    - dm integrity: use kvfree for kvmalloc'd memory
    - tracing: Fix regex_match_front() to not over compare the test string
    - z3fold: fix reclaim lock-ups
    - mm: sections are not offlined during memory hotremove
    - mm, oom: fix concurrent munlock and oom reaper unmap, v3
    - ceph: fix rsize/wsize capping in ceph_direct_read_write()
    - can: kvaser_usb: Increase correct stats counter in kvaser_usb_rx_can_msg()
    - can: hi311x: Acquire SPI lock on ->do_get_berr_counter
    - can: hi311x: Work around TX complete interrupt erratum
    - drm/vc4: Fix scaling of uni-planar formats
    - drm/i915: Fix drm:intel_enable_lvds ERROR message in kernel log
    - drm/atomic: Clean old_state/new_state in drm_atomic_state_default_clear()
    - drm/atomic: Clean private obj old_state/new_state in
      drm_atomic_state_default_clear()
    - net: atm: Fix potential Spectre v1
    - atm: zatm: Fix potential Spectre v1
    - cpufreq: schedutil: Avoid using invalid next_freq
    - Revert "Bluetooth: btusb: Fix quirk for Atheros 1525/QCA6174"
    - Bluetooth: btusb: Only check needs_reset_resume DMI table for QCA rome
      chipsets
    - thermal: exynos: Reading temperature makes sense only when TMU is turned on
    - thermal: exynos: Propagate error value from tmu_read()
    - nvme: add quirk to force medium priority for SQ creation
    - smb3: directory sync should not return an error
    - sched/autogroup: Fix possible Spectre-v1 indexing for sched_prio_to_weight[]
    - tracing/uprobe_event: Fix strncpy corner case
    - perf/x86: Fix possible Spectre-v1 indexing for hw_perf_event cache_*
    - perf/x86/cstate: Fix possible Spectre-v1 indexing for pkg_msr
    - perf/x86/msr: Fix possible Spectre-v1 indexing in the MSR driver
    - perf/core: Fix possible Spectre-v1 indexing for ->aux_pages[]
    - perf/x86: Fix possible Spectre-v1 indexing for x86_pmu::event_map()
    - i2c: dev: prevent ZERO_SIZE_PTR deref in i2cdev_ioctl_rdwr()
    - bdi: Fix use after free bug in debugfs_remove()
    - drm/ttm: Use GFP_TRANSHUGE_LIGHT for allocating huge pages
    - drm/i915: Adjust eDP's logical vco in a reliable place.
    - drm/nouveau/ttm: don't dereference nvbo::cli, it can outlive client
    - sched/core: Fix possible Spectre-v1 indexing for sched_prio_to_weight[]

* Bionic update: upstream stable patchset 2018-06-26 (LP: #1778759)
    - percpu: include linux/sched.h for cond_resched()
    - ACPI / button: make module loadable when booted in non-ACPI mode
    - USB: serial: option: Add support for Quectel EP06
    - ALSA: hda - Fix incorrect usage of IS_REACHABLE()
    - ALSA: pcm: Check PCM state at xfern compat ioctl
    - ALSA: seq: Fix races at MIDI encoding in snd_virmidi_output_trigger()
    - ALSA: dice: fix kernel NULL pointer dereference due to invalid calculation
      for array index
    - ALSA: aloop: Mark paused device as inactive
    - ALSA: aloop: Add missing cable lock to ctl API callbacks
    - tracepoint: Do not warn on ENOMEM
    - scsi: target: Fix fortify_panic kernel exception
    - Input: leds - fix out of bound access
    - Input: atmel_mxt_ts - add touchpad button mapping for Samsung Chromebook Pro
    - rtlwifi: btcoex: Add power_on_setting routine
    - rtlwifi: cleanup 8723be ant_sel definition
    - xfs: prevent creating negative-sized file via INSERT_RANGE
    - RDMA/cxgb4: release hw resources on device removal
    - RDMA/ucma: Allow resolving address w/o specifying source address
    - RDMA/mlx5: Fix multiple NULL-ptr deref errors in rereg_mr flow
    - RDMA/mlx5: Protect from shift operand overflow
    - NET: usb: qmi_wwan: add support for ublox R410M PID 0x90b2
    - IB/mlx5: Use unlimited rate when static rate is not supported
    - IB/hfi1: Fix handling of FECN marked multicast packet
    - IB/hfi1: Fix loss of BECN with AHG
    - IB/hfi1: Fix NULL pointer dereference when invalid num_vls is used
    - iw_cxgb4: Atomically flush per QP HW CQEs
    - drm/vmwgfx: Fix a buffer object leak
    - drm/bridge: vga-dac: Fix edid memory leak
    - test_firmware: fix setting old custom fw path back on exit, second try
    - errseq: Always report a writeback error once
    - USB: serial: visor: handle potential invalid device configuration
    - usb: dwc3: gadget: Fix list_del corruption in dwc3_ep_dequeue
    - USB: Accept bulk endpoints with 1024-byte maxpacket
    - USB: serial: option: reimplement interface masking
    - USB: serial: option: adding support for ublox R410M
    - usb: musb: host: fix potential NULL pointer dereference
    - usb: musb: trace: fix NULL pointer dereference in musb_g_tx()
    - platform/x86: asus-wireless: Fix NULL pointer dereference
    - irqchip/qcom: Fix check for spurious interrupts
    - tracing: Fix bad use of igrab in trace_uprobe.c
    - [Config] CONFIG_ARM64_ERRATUM_1024718=y
    - arm64: Add work around for Arm Cortex-A55 Erratum 1024718
    - Input: atmel_mxt_ts - add touchpad button mapping for Samsung Chromebook Pro
    - infiniband: mlx5: fix build errors when INFINIBAND_USER_ACCESS=m
    - btrfs: Take trans lock before access running trans in check_delayed_ref
    - drm/vc4: Make sure vc4_bo_{inc,dec}_usecnt() calls are balanced
    - xhci: Fix use-after-free in xhci_free_virt_device
    - platform/x86: Kconfig: Fix dell-laptop dependency chain.
    - KVM: x86: remove APIC Timer periodic/oneshot spikes
    - clocksource: Allow clocksource_mark_unstable() on unregistered clocksources
    - clocksource: Initialize cs->wd_list
    - clocksource: Consistent de-rate when marking unstable

* Bionic update: upstream stable patchset 2018-06-22 (LP: #1778265)
    - ext4: set h_journal if there is a failure starting a reserved handle
    - ext4: add MODULE_SOFTDEP to ensure crc32c is included in the initramfs
    - ext4: add validity checks for bitmap block numbers
    - ext4: fix bitmap position validation
    - random: fix possible sleeping allocation from irq context
    - random: rate limit unseeded randomness warnings
    - usbip: usbip_event: fix to not print kernel pointer address
    - usbip: usbip_host: fix to hold parent lock for device_attach() calls
    - usbip: vhci_hcd: Fix usb device and sockfd leaks
    - usbip: vhci_hcd: check rhport before using in vhci_hub_control()
    - Revert "xhci: plat: Register shutdown for xhci_plat"
    - USB: serial: simple: add libtransistor console
    - USB: serial: ftdi_sio: use jtag quirk for Arrow USB Blaster
    - USB: serial: cp210x: add ID for NI USB serial console
    - usb: core: Add quirk for HP v222w 16GB Mini
    - USB: Increment wakeup count on remote wakeup.
    - ALSA: usb-audio: Skip broken EU on Dell dock USB-audio
    - virtio: add ability to iterate over vqs
    - virtio_console: don't tie bufs to a vq
    - virtio_console: free buffers after reset
    - virtio_console: drop custom control queue cleanup
    - virtio_console: move removal code
    - virtio_console: reset on out of memory
    - drm/virtio: fix vq wait_event condition
    - tty: Don't call panic() at tty_ldisc_init()
    - tty: n_gsm: Fix long delays with control frame timeouts in ADM mode
    - tty: n_gsm: Fix DLCI handling for ADM mode if debug & 2 is not set
    - tty: Avoid possible error pointer dereference at tty_ldisc_restore().
    - tty: Use __GFP_NOFAIL for tty_ldisc_get()
    - ALSA: dice: fix OUI for TC group
    - ALSA: dice: fix error path to destroy initialized stream data
    - ALSA: hda - Skip jack and others for non-existing PCM streams
    - ALSA: opl3: Hardening for potential Spectre v1
    - ALSA: asihpi: Hardening for potential Spectre v1
    - ALSA: hdspm: Hardening for potential Spectre v1
    - ALSA: rme9652: Hardening for potential Spectre v1
    - ALSA: control: Hardening for potential Spectre v1
    - ALSA: pcm: Return negative delays from SNDRV_PCM_IOCTL_DELAY.
    - ALSA: core: Report audio_tstamp in snd_pcm_sync_ptr
    - ALSA: seq: oss: Fix unbalanced use lock for synth MIDI device
    - ALSA: seq: oss: Hardening for potential Spectre v1
    - ALSA: hda: Hardening for potential Spectre v1
    - ALSA: hda/realtek - Add some fixes for ALC233
    - ALSA: hda/realtek - Update ALC255 depop optimize
    - ALSA: hda/realtek - change the location for one of two front mics
    - mtd: spi-nor: cadence-quadspi: Fix page fault kernel panic
    - mtd: cfi: cmdset_0001: Do not allow read/write to suspend erase block.
    - mtd: cfi: cmdset_0001: Workaround Micron Erase suspend bug.
    - mtd: cfi: cmdset_0002: Do not allow read/write to suspend erase block.
    - mtd: rawnand: tango: Fix struct clk memory leak
    - kobject: don't use WARN for registration failures
    - scsi: sd: Defer spinning up drive while SANITIZE is in progress
    - bfq-iosched: ensure to clear bic/bfqq pointers when preparing request
    - vfio: ccw: process ssch with interrupts disabled
    - ANDROID: binder: prevent transactions into own process.
    - PCI: aardvark: Fix logic in advk_pcie_{rd,wr}_conf()
    - PCI: aardvark: Set PIO_ADDR_LS correctly in advk_pcie_rd_conf()
    - PCI: aardvark: Use ISR1 instead of ISR0 interrupt in legacy irq mode
    - PCI: aardvark: Fix PCIe Max Read Request Size setting
    - ARM: amba: Make driver_override output consistent with other buses
    - ARM: amba: Fix race condition with driver_override
    - ARM: amba: Don't read past the end of sysfs "driver_override" buffer
    - ARM: socfpga_defconfig: Remove QSPI Sector 4K size force
    - KVM: arm/arm64: Close VMID generation race
    - crypto: drbg - set freed buffers to NULL
    - ASoC: fsl_esai: Fix divisor calculation failure at lower ratio
    - libceph: un-backoff on tick when we have a authenticated session
    - libceph: reschedule a tick in finish_hunting()
    - libceph: validate con->state at the top of try_write()
    - fpga-manager: altera-ps-spi: preserve nCONFIG state
    - earlycon: Use a pointer table to fix __earlycon_table stride
    - drm/amdgpu: set COMPUTE_PGM_RSRC1 for SGPR/VGPR clearing shaders
    - drm/i915: Enable display WA#1183 from its correct spot
    - objtool, perf: Fix GCC 8 -Wrestrict error
    - tools/lib/subcmd/pager.c: do not alias select() params
    - x86/ipc: Fix x32 version of shmid64_ds and msqid64_ds
    - x86/smpboot: Don't use mwait_play_dead() on AMD systems
    - x86/microcode/intel: Save microcode patch unconditionally
    - x86/microcode: Do not exit early from __reload_late()
    - tick/sched: Do not mess with an enqueued hrtimer
    - arm/arm64: KVM: Add PSCI version selection API
    - powerpc/eeh: Fix race with driver un/bind
    - serial: mvebu-uart: Fix local flags handling on termios update
    - block: do not use interruptible wait anywhere
    - ASoC: dmic: Fix clock parenting
    - PCI / PM: Do not clear state_saved in pci_pm_freeze() when smart suspend is
      set
    - module: Fix display of wrong module .text address
    - drm/edid: Reset more of the display info
    - drm/i915/fbdev: Enable late fbdev initial configuration
    - drm/i915/audio: set minimum CD clock to twice the BCLK
    - drm/amd/display: Fix deadlock when flushing irq
    - drm/amd/display: Disallow enabling CRTC without primary plane with FB

* Bionic update: upstream stable patchset 2018-06-22 (LP: #1778265) //
    CVE-2018-1108.
    - random: set up the NUMA crng instances after the CRNG is fully initialized

* Ryzen/Raven Ridge USB ports do not work (LP: #1756700)
    - xhci: Fix USB ports for Dell Inspiron 5775

* [Ubuntu 1804][boston][ixgbe] EEH causes kernel BUG at /build/linux-
    jWa1Fv/linux-4.15.0/drivers/pci/msi.c:352 (i2S) (LP: #1776389)
    - ixgbe/ixgbevf: Free IRQ when PCI error recovery removes the device

* Need fix to aacraid driver to prevent panic (LP: #1770095)
    - scsi: aacraid: Correct hba_send to include iu_type

* kernel: Fix arch random implementation (LP: #1775391)
    - s390/archrandom: Rework arch random implementation.

* kernel: Fix memory leak on CCA and EP11 CPRB processing. (LP: #1775390)
    - s390/zcrypt: Fix CCA and EP11 CPRB processing failure memory leak.

* Various fixes for CXL kernel module (LP: #1774471)
    - cxl: Remove function write_timebase_ctrl_psl9() for PSL9
    - cxl: Set the PBCQ Tunnel BAR register when enabling capi mode
    - cxl: Report the tunneled operations status
    - cxl: Configure PSL to not use APC virtual machines
    - cxl: Disable prefault_mode in Radix mode

* Bluetooth not working (LP: #1764645)
    - Bluetooth: btusb: Apply QCA Rome patches for some ATH3012 models

* linux-snapdragon: wcn36xx: mac address generation on boot (LP: #1776491)
    - [Config] arm64: snapdragon: WCN36XX_SNAPDRAGON_HACKS=y
    - SAUCE: wcn36xx: read MAC from file or randomly generate one

* fscache: Fix hanging wait on page discarded by writeback (LP: #1777029)
    - fscache: Fix hanging wait on page discarded by writeback

-- Kleber Sacilotto de Souza <kleber.souza@canonical.com>  Wed, 15 Aug 2018 14:50:38 +0200

Changed in linux (Ubuntu Bionic):
status:	Fix Committed → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2018-08-23:

#16

Download full text (16.4 KiB)

This bug was fixed in the package linux - 4.4.0-134.160

---------------
linux (4.4.0-134.160) xenial; urgency=medium

* linux: 4.4.0-134.160 -proposed tracker (LP: #1787177)

  * locking sockets broken due to missing AppArmor socket mediation patches
    (LP: #1780227)
    - UBUNTU SAUCE: apparmor: fix apparmor mediating locking non-fs, unix sockets

  * Backport namespaced fscaps to xenial 4.4 (LP: #1778286)
    - Introduce v3 namespaced file capabilities
    - commoncap: move assignment of fs_ns to avoid null pointer dereference
    - capabilities: fix buffer overread on very short xattr
    - commoncap: Handle memory allocation failure.

  * Xenial update to 4.4.140 stable release (LP: #1784409)
    - usb: cdc_acm: Add quirk for Uniden UBC125 scanner
    - USB: serial: cp210x: add CESINEL device ids
    - USB: serial: cp210x: add Silicon Labs IDs for Windows Update
    - n_tty: Fix stall at n_tty_receive_char_special().
    - staging: android: ion: Return an ERR_PTR in ion_map_kernel
    - n_tty: Access echo_* variables carefully.
    - x86/boot: Fix early command-line parsing when matching at end
    - ath10k: fix rfc1042 header retrieval in QCA4019 with eth decap mode
    - i2c: rcar: fix resume by always initializing registers before transfer
    - ipv4: Fix error return value in fib_convert_metrics()
    - kprobes/x86: Do not modify singlestep buffer while resuming
    - nvme-pci: initialize queue memory before interrupts
    - netfilter: nf_tables: use WARN_ON_ONCE instead of BUG_ON in nft_do_chain()
    - ARM: dts: imx6q: Use correct SDMA script for SPI5 core
    - ubi: fastmap: Correctly handle interrupted erasures in EBA
    - mm: hugetlb: yield when prepping struct pages
    - tracing: Fix missing return symbol in function_graph output
    - scsi: sg: mitigate read/write abuse
    - s390: Correct register corruption in critical section cleanup
    - drbd: fix access after free
    - cifs: Fix infinite loop when using hard mount option
    - jbd2: don't mark block as modified if the handle is out of credits
    - ext4: make sure bitmaps and the inode table don't overlap with bg
      descriptors
    - ext4: always check block group bounds in ext4_init_block_bitmap()
    - ext4: only look at the bg_flags field if it is valid
    - ext4: verify the depth of extent tree in ext4_find_extent()
    - ext4: include the illegal physical block in the bad map ext4_error msg
    - ext4: clear i_data in ext4_inode_info when removing inline data
    - ext4: add more inode number paranoia checks
    - ext4: add more mount time checks of the superblock
    - ext4: check superblock mapped prior to committing
    - HID: i2c-hid: Fix "incomplete report" noise
    - HID: hiddev: fix potential Spectre v1
    - HID: debug: check length before copy_to_user()
    - x86/mce: Detect local MCEs properly
    - x86/mce: Fix incorrect "Machine check from unknown source" message
    - media: cx25840: Use subdev host data for PLL override
    - mm, page_alloc: do not break __GFP_THISNODE by zonelist reset
    - dm bufio: avoid sleeping while holding the dm_bufio lock
    - dm bufio: drop the lock when doing GFP_NOIO allocation
    - mtd: rawnand: mxc: set spa...

This bug was fixed in the package linux - 4.4.0-134.160

---------------
linux (4.4.0-134.160) xenial; urgency=medium

* linux: 4.4.0-134.160 -proposed tracker (LP: #1787177)

* locking sockets broken due to missing AppArmor socket mediation patches
    (LP: #1780227)
    - UBUNTU SAUCE: apparmor: fix apparmor mediating locking non-fs, unix sockets

* Backport namespaced fscaps to xenial 4.4 (LP: #1778286)
    - Introduce v3 namespaced file capabilities
    - commoncap: move assignment of fs_ns to avoid null pointer dereference
    - capabilities: fix buffer overread on very short xattr
    - commoncap: Handle memory allocation failure.

* Xenial update to 4.4.140 stable release (LP: #1784409)
    - usb: cdc_acm: Add quirk for Uniden UBC125 scanner
    - USB: serial: cp210x: add CESINEL device ids
    - USB: serial: cp210x: add Silicon Labs IDs for Windows Update
    - n_tty: Fix stall at n_tty_receive_char_special().
    - staging: android: ion: Return an ERR_PTR in ion_map_kernel
    - n_tty: Access echo_* variables carefully.
    - x86/boot: Fix early command-line parsing when matching at end
    - ath10k: fix rfc1042 header retrieval in QCA4019 with eth decap mode
    - i2c: rcar: fix resume by always initializing registers before transfer
    - ipv4: Fix error return value in fib_convert_metrics()
    - kprobes/x86: Do not modify singlestep buffer while resuming
    - nvme-pci: initialize queue memory before interrupts
    - netfilter: nf_tables: use WARN_ON_ONCE instead of BUG_ON in nft_do_chain()
    - ARM: dts: imx6q: Use correct SDMA script for SPI5 core
    - ubi: fastmap: Correctly handle interrupted erasures in EBA
    - mm: hugetlb: yield when prepping struct pages
    - tracing: Fix missing return symbol in function_graph output
    - scsi: sg: mitigate read/write abuse
    - s390: Correct register corruption in critical section cleanup
    - drbd: fix access after free
    - cifs: Fix infinite loop when using hard mount option
    - jbd2: don't mark block as modified if the handle is out of credits
    - ext4: make sure bitmaps and the inode table don't overlap with bg
      descriptors
    - ext4: always check block group bounds in ext4_init_block_bitmap()
    - ext4: only look at the bg_flags field if it is valid
    - ext4: verify the depth of extent tree in ext4_find_extent()
    - ext4: include the illegal physical block in the bad map ext4_error msg
    - ext4: clear i_data in ext4_inode_info when removing inline data
    - ext4: add more inode number paranoia checks
    - ext4: add more mount time checks of the superblock
    - ext4: check superblock mapped prior to committing
    - HID: i2c-hid: Fix "incomplete report" noise
    - HID: hiddev: fix potential Spectre v1
    - HID: debug: check length before copy_to_user()
    - x86/mce: Detect local MCEs properly
    - x86/mce: Fix incorrect "Machine check from unknown source" message
    - media: cx25840: Use subdev host data for PLL override
    - mm, page_alloc: do not break __GFP_THISNODE by zonelist reset
    - dm bufio: avoid sleeping while holding the dm_bufio lock
    - dm bufio: drop the lock when doing GFP_NOIO allocation
    - mtd: rawnand: mxc: set spare area size register explicitly
    - dm bufio: don't take the lock in dm_bufio_shrink_count
    - mtd: cfi_cmdset_0002: Change definition naming to retry write operation
    - mtd: cfi_cmdset_0002: Change erase functions to retry for error
    - mtd: cfi_cmdset_0002: Change erase functions to check chip good only
    - netfilter: nf_log: don't hold nf_log_mutex during user access
    - staging: comedi: quatech_daqp_cs: fix no-op loop daqp_ao_insn_write()
    - Linux 4.4.140

* Xenial update to 4.4.139 stable release (LP: #1784382)
    - xfrm6: avoid potential infinite loop in _decode_session6()
    - netfilter: ebtables: handle string from userspace with care
    - ipvs: fix buffer overflow with sync daemon and service
    - atm: zatm: fix memcmp casting
    - net: qmi_wwan: Add Netgear Aircard 779S
    - net/sonic: Use dma_mapping_error()
    - Revert "Btrfs: fix scrub to repair raid6 corruption"
    - tcp: do not overshoot window_clamp in tcp_rcv_space_adjust()
    - Btrfs: make raid6 rebuild retry more
    - usb: musb: fix remote wakeup racing with suspend
    - bonding: re-evaluate force_primary when the primary slave name changes
    - tcp: verify the checksum of the first data segment in a new connection
    - ext4: update mtime in ext4_punch_hole even if no blocks are released
    - ext4: fix fencepost error in check for inode count overflow during resize
    - driver core: Don't ignore class_dir_create_and_add() failure.
    - btrfs: scrub: Don't use inode pages for device replace
    - ALSA: hda - Handle kzalloc() failure in snd_hda_attach_pcm_stream()
    - ALSA: hda: add dock and led support for HP EliteBook 830 G5
    - ALSA: hda: add dock and led support for HP ProBook 640 G4
    - cpufreq: Fix new policy initialization during limits updates via sysfs
    - libata: zpodd: make arrays cdb static, reduces object code size
    - libata: zpodd: small read overflow in eject_tray()
    - libata: Drop SanDisk SD7UB3Q*G1001 NOLPM quirk
    - w1: mxc_w1: Enable clock before calling clk_get_rate() on it
    - x86/spectre_v1: Disable compiler optimizations over
      array_index_mask_nospec()
    - m68k/mm: Adjust VM area to be unmapped by gap size for __iounmap()
    - serial: sh-sci: Use spin_{try}lock_irqsave instead of open coding version
    - signal/xtensa: Consistenly use SIGBUS in do_unaligned_user
    - usb: do not reset if a low-speed or full-speed device timed out
    - 1wire: family module autoload fails because of upper/lower case mismatch.
    - ASoC: dapm: delete dapm_kcontrol_data paths list before freeing it
    - ASoC: cirrus: i2s: Fix LRCLK configuration
    - ASoC: cirrus: i2s: Fix {TX|RX}LinCtrlData setup
    - lib/vsprintf: Remove atomic-unsafe support for %pCr
    - mips: ftrace: fix static function graph tracing
    - branch-check: fix long->int truncation when profiling branches
    - ipmi:bt: Set the timeout before doing a capabilities check
    - Bluetooth: hci_qca: Avoid missing rampatch failure with userspace fw loader
    - fuse: atomic_o_trunc should truncate pagecache
    - fuse: don't keep dead fuse_conn at fuse_fill_super().
    - fuse: fix control dir setup and teardown
    - powerpc/mm/hash: Add missing isync prior to kernel stack SLB switch
    - powerpc/ptrace: Fix setting 512B aligned breakpoints with
      PTRACE_SET_DEBUGREG
    - powerpc/ptrace: Fix enforcement of DAWR constraints
    - cpuidle: powernv: Fix promotion from snooze if next state disabled
    - powerpc/fadump: Unregister fadump on kexec down path.
    - ARM: 8764/1: kgdb: fix NUMREGBYTES so that gdb_regs[] is the correct size
    - of: unittest: for strings, account for trailing \0 in property length field
    - IB/qib: Fix DMA api warning with debug kernel
    - RDMA/mlx4: Discard unknown SQP work requests
    - mtd: cfi_cmdset_0002: Change write buffer to check correct value
    - mtd: cfi_cmdset_0002: Use right chip in do_ppb_xxlock()
    - mtd: cfi_cmdset_0002: fix SEGV unlocking multiple chips
    - mtd: cfi_cmdset_0002: Fix unlocking requests crossing a chip boudary
    - mtd: cfi_cmdset_0002: Avoid walking all chips when unlocking.
    - MIPS: BCM47XX: Enable 74K Core ExternalSync for PCIe erratum
    - PCI: pciehp: Clear Presence Detect and Data Link Layer Status Changed on
      resume
    - MIPS: io: Add barrier after register read in inX()
    - time: Make sure jiffies_to_msecs() preserves non-zero time periods
    - Btrfs: fix clone vs chattr NODATASUM race
    - iio:buffer: make length types match kfifo types
    - scsi: qla2xxx: Fix setting lower transfer speed if GPSC fails
    - scsi: zfcp: fix missing SCSI trace for result of eh_host_reset_handler
    - scsi: zfcp: fix missing SCSI trace for retry of abort / scsi_eh TMF
    - scsi: zfcp: fix misleading REC trigger trace where erp_action setup failed
    - scsi: zfcp: fix missing REC trigger trace on terminate_rport_io early return
    - scsi: zfcp: fix missing REC trigger trace on terminate_rport_io for
      ERP_FAILED
    - scsi: zfcp: fix missing REC trigger trace for all objects in ERP_FAILED
    - scsi: zfcp: fix missing REC trigger trace on enqueue without ERP thread
    - linvdimm, pmem: Preserve read-only setting for pmem devices
    - md: fix two problems with setting the "re-add" device state.
    - ubi: fastmap: Cancel work upon detach
    - UBIFS: Fix potential integer overflow in allocation
    - xfrm: skip policies marked as dead while rehashing
    - backlight: as3711_bl: Fix Device Tree node lookup
    - backlight: max8925_bl: Fix Device Tree node lookup
    - backlight: tps65217_bl: Fix Device Tree node lookup
    - mfd: intel-lpss: Program REMAP register in PIO mode
    - perf tools: Fix symbol and object code resolution for vdso32 and vdsox32
    - perf intel-pt: Fix sync_switch INTEL_PT_SS_NOT_TRACING
    - perf intel-pt: Fix decoding to accept CBR between FUP and corresponding TIP
    - perf intel-pt: Fix MTC timing after overflow
    - perf intel-pt: Fix "Unexpected indirect branch" error
    - perf intel-pt: Fix packet decoding of CYC packets
    - media: v4l2-compat-ioctl32: prevent go past max size
    - media: dvb_frontend: fix locking issues at dvb_frontend_get_event()
    - nfsd: restrict rd_maxcount to svc_max_payload in nfsd_encode_readdir
    - NFSv4: Fix possible 1-byte stack overflow in
      nfs_idmap_read_and_verify_message
    - video: uvesafb: Fix integer overflow in allocation
    - Input: elan_i2c - add ELAN0618 (Lenovo v330 15IKB) ACPI ID
    - xen: Remove unnecessary BUG_ON from __unbind_from_irq()
    - udf: Detect incorrect directory size
    - Input: elan_i2c_smbus - fix more potential stack buffer overflows
    - Input: elantech - enable middle button of touchpads on ThinkPad P52
    - Input: elantech - fix V4 report decoding for module with middle key
    - ALSA: hda/realtek - Add a quirk for FSC ESPRIMO U9210
    - Btrfs: fix unexpected cow in run_delalloc_nocow
    - spi: Fix scatterlist elements size in spi_map_buf
    - block: Fix transfer when chunk sectors exceeds max
    - dm thin: handle running out of data space vs concurrent discard
    - cdc_ncm: avoid padding beyond end of skb
    - Bluetooth: Fix connection if directed advertising and privacy is used
    - Linux 4.4.139

* Support AverMedia DVD EZMaker 7 USB video capture dongle (LP: #1620762) //
    Xenial update to 4.4.139 stable release (LP: #1784382)
    - media: cx231xx: Add support for AverMedia DVD EZMaker 7

* vfio/pci: cannot assign a i40e pf device to a vm using vfio-pci
    (LP: #1779830)
    - vfio/pci: Hide broken INTx support from user

* Kernel error "task zfs:pid blocked for more than 120 seconds" (LP: #1781364)
    - SAUCE: (noup) zfs to 0.6.5.6-0ubuntu25

* Allow multiple mounts of zfs datasets (LP: #1759848)
    - SAUCE: Allow mounting datasets more than once (LP: #1759848)

* CVE-2018-12233
    - jfs: Fix inconsistency between memory allocation and ea_buf->max_size

* Redpine: Observed kernel panic while running wireless tests in regression
    mode (LP: #1773410) // Redpine: Observed kernel panic while running soft-ap
    tests (LP: #1777850)
    - SAUCE: Redpine: improve cancel_hw_scan handling to fix kernel panic

* [HMS] Upgrades to Support SocketCAN over USB on Dell IoT 300x Gateways
    (LP: #1783241)
    - SAUCE: (no-up) upgrade IXXAT USB SocketCAN driver

* CVE-2018-13094
    - xfs: don't call xfs_da_shrink_inode with NULL bp

* other users' coredumps can be read via setgid directory and killpriv bypass
    (LP: #1779923) // CVE-2018-13405
    - Fix up non-directory creation in SGID directories

* snapcraft.yaml: missing ubuntu-retpoline-extract-one script breaks the build
    (LP: #1782116)
    - snapcraft.yaml: copy retpoline-extract-one to scripts before build

* Enable basic support for Solarflare 8000 series NIC (LP: #1783152)
    - sfc: make TSO version a per-queue parameter
    - sfc: Add PCI ID for Solarflare 8000 series 10/40G NIC

* Redpine: Observed kernel panic while running wireless regressions tests
    (LP: #1777858)
    - SAUCE: Redpine: improve kernel thread handling to fix kernel panic

* Xenial update to 4.4.138 stable release (LP: #1777389)
    - x86: Remove unused function cpu_has_ht_siblings()
    - x86/cpufeature: Remove unused and seldomly used cpu_has_xx macros
    - x86/fpu: Disable AVX when eagerfpu is off
    - x86/fpu: Revert ("x86/fpu: Disable AVX when eagerfpu is off")
    - x86/fpu: Hard-disable lazy FPU mode
    - af_key: Always verify length of provided sadb_key
    - x86/crypto, x86/fpu: Remove X86_FEATURE_EAGER_FPU #ifdef from the crc32c
      code
    - gpio: No NULL owner
    - Clarify (and fix) MAX_LFS_FILESIZE macros
    - serial: samsung: fix maxburst parameter for DMA transactions
    - vmw_balloon: fixing double free when batching mode is off
    - Input: goodix - add new ACPI id for GPD Win 2 touch screen
    - crypto: vmx - Remove overly verbose printk from AES init routines
    - Linux 4.4.138

* Redpine: wifi-ap stopped working after restart (LP: #1773400)
    - SAUCE: Redpine: fix soft-ap invisible issue

* Xenial update to 4.4.137 stable release (LP: #1777063)
    - tpm: do not suspend/resume if power stays on
    - tpm: self test failure should not cause suspend to fail
    - mmap: introduce sane default mmap limits
    - mmap: relax file size limit for regular files
    - kconfig: Avoid format overflow warning from GCC 8.1
    - xfs: fix incorrect log_flushed on fsync
    - drm: set FMODE_UNSIGNED_OFFSET for drm files
    - brcmfmac: Fix check for ISO3166 code
    - bnx2x: use the right constant
    - dccp: don't free ccid2_hc_tx_sock struct in dccp_disconnect()
    - enic: set DMA mask to 47 bit
    - ip6mr: only set ip6mr_table from setsockopt when ip6mr_new_table succeeds
    - ipv4: remove warning in ip_recv_error
    - isdn: eicon: fix a missing-check bug
    - netdev-FAQ: clarify DaveM's position for stable backports
    - net/packet: refine check for priv area size
    - net: usb: cdc_mbim: add flag FLAG_SEND_ZLP
    - packet: fix reserve calculation
    - qed: Fix mask for physical address in ILT entry
    - net/mlx4: Fix irq-unsafe spinlock usage
    - team: use netdev_features_t instead of u32
    - rtnetlink: validate attributes in do_setlink()
    - net: phy: broadcom: Fix bcm_write_exp()
    - net: metrics: add proper netlink validation
    - Linux 4.4.137

* Xenial update to 4.4.136 stable release (LP: #1776177)
    - arm64: lse: Add early clobbers to some input/output asm operands
    - powerpc/64s: Clear PCR on boot
    - USB: serial: cp210x: use tcflag_t to fix incompatible pointer type
    - sh: New gcc support
    - xfs: detect agfl count corruption and reset agfl
    - Input: elan_i2c_smbus - fix corrupted stack
    - tracing: Fix crash when freeing instances with event triggers
    - selinux: KASAN: slab-out-of-bounds in xattr_getsecurity
    - cfg80211: further limit wiphy names to 64 bytes
    - rtlwifi: rtl8192cu: Remove variable self-assignment in rf.c
    - ASoC: Intel: sst: remove redundant variable dma_dev_name
    - irda: fix overly long udelay()
    - tcp: avoid integer overflows in tcp_rcv_space_adjust()
    - i2c: rcar: make sure clocks are on when doing clock calculation
    - i2c: rcar: rework hw init
    - i2c: rcar: remove unused IOERROR state
    - i2c: rcar: remove spinlock
    - i2c: rcar: refactor setup of a msg
    - i2c: rcar: init new messages in irq
    - i2c: rcar: don't issue stop when HW does it automatically
    - i2c: rcar: check master irqs before slave irqs
    - i2c: rcar: revoke START request early
    - dmaengine: usb-dmac: fix endless loop in usb_dmac_chan_terminate_all()
    - iio:kfifo_buf: check for uint overflow
    - MIPS: ptrace: Fix PTRACE_PEEKUSR requests for 64-bit FGRs
    - MIPS: prctl: Disallow FRE without FR with PR_SET_FP_MODE requests
    - scsi: scsi_transport_srp: Fix shost to rport translation
    - stm class: Use vmalloc for the master map
    - hwtracing: stm: fix build error on some arches
    - drm/i915: Disable LVDS on Radiant P845
    - Kbuild: change CC_OPTIMIZE_FOR_SIZE definition
    - [Config] Add CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE=y
    - fix io_destroy()/aio_complete() race
    - mm: fix the NULL mapping case in __isolate_lru_page()
    - sparc64: Fix build warnings with gcc 7.
    - Linux 4.4.136

* Xenial update to 4.4.135 stable release (LP: #1776158)
    - Revert "vti4: Don't override MTU passed on link creation via IFLA_MTU"
    - Linux 4.4.135

-- Kleber Sacilotto de Souza <kleber.souza@canonical.com>  Wed, 15 Aug 2018 13:51:11 +0000

Changed in linux (Ubuntu Xenial):
status:	Fix Committed → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2018-08-23:

#17

Download full text (6.4 KiB)

This bug was fixed in the package linux - 3.13.0-157.207

---------------
linux (3.13.0-157.207) trusty; urgency=medium

* linux: 3.13.0-157.207 -proposed tracker (LP: #1787982)

* CVE-2017-5715 (Spectre v2 retpoline)
- SAUCE: Fix "x86/retpoline/entry: Convert entry assembler indirect jumps"

* CVE-2017-2583
- KVM: x86: fix emulation of "MOV SS, null selector"

* CVE-2017-7518
- KVM: x86: fix singlestepping over syscall

* CVE-2017-18270
- KEYS: prevent creating a different user's keyrings

  * Update to upstream's implementation of Spectre v1 mitigation (LP: #1774181)
    - Documentation: Document array_index_nospec
    - array_index_nospec: Sanitize speculative array de-references
    - x86: Implement array_index_mask_nospec
    - x86: Introduce barrier_nospec
    - x86/get_user: Use pointer masking to limit speculation
    - x86/syscall: Sanitize syscall table de-references under speculation
    - vfs, fdtable: Prevent bounds-check bypass via speculative execution
    - nl80211: Sanitize array index in parse_txq_params
    - x86/spectre: Report get_user mitigation for spectre_v1
    - x86/kvm: Update spectre-v1 mitigation
    - nospec: Allow index argument to have const-qualified type
    - nospec: Move array_index_nospec() parameter checking into separate macro
    - nospec: Kill array_index_nospec_mask_check()
    - SAUCE: Replace osb() calls with array_index_nospec()
    - SAUCE: Rename osb() to barrier_nospec()
    - SAUCE: x86: Use barrier_nospec in arch/x86/um/asm/barrier.h

  * Prevent speculation on user controlled pointer (LP: #1775137)
    - x86: reorganize SMAP handling in user space accesses
    - x86: fix SMAP in 32-bit environments
    - x86: Introduce __uaccess_begin_nospec() and uaccess_try_nospec
    - x86/usercopy: Replace open coded stac/clac with __uaccess_{begin, end}
    - x86/uaccess: Use __uaccess_begin_nospec() and uaccess_try_nospec

  * CVE-2016-10208
    - ext4: validate s_first_meta_bg at mount time
    - ext4: fix fencepost in s_first_meta_bg validation

* CVE-2018-10323
- xfs: set format back to extents if xfs_bmap_extents_to_btree

* CVE-2017-16911
- usbip: prevent vhci_hcd driver from leaking a socket pointer address

* CVE-2018-13406
- video: uvesafb: Fix integer overflow in allocation

* CVE-2018-10877
- ext4: verify the depth of extent tree in ext4_find_extent()

* CVE-2018-10881
- ext4: clear i_data in ext4_inode_info when removing inline data

* CVE-2018-1092
- ext4: fail ext4_iget for root directory if unallocated

  * CVE-2018-1093
    - ext4: fix block bitmap validation when bigalloc, ^flex_bg
    - ext4: add validity checks for bitmap block numbers

* CVE-2018-12233
- jfs: Fix inconsistency between memory allocation and ea_buf->max_size

* CVE-2017-16912
- usbip: fix stub_rx: get_pipe() to validate endpoint number

* CVE-2018-10675
- mm/mempolicy: fix use after free when calling get_mempolicy

  * CVE-2017-8831
    - saa7164: fix sparse warnings
    - saa7164: fix double fetch PCIe access condition

* CVE-2017-16533
- HID: usbhid: fix out-of-bounds bug

* CVE-2017-16538
- media: dvb-usb-v2: lmedm04: move ts2...

Ubuntu
linux package

other users' coredumps can be read via setgid directory and killpriv bypass

Bug Description

CVE References

Other bug subscribers

Ubuntulinux package

other users' coredumps can be read via setgid directory and killpriv bypass

Bug Description

CVE References

Other bug subscribers

Ubuntu
linux package