Ubuntu
linux package

Xenial update to 4.4.89 stable release

Xenial (16.04)
Bug #1721477

Bug #1721477 reported by Stefan Bader on 2017-10-05

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	linux (Ubuntu)	Invalid	Undecided	Unassigned
	Xenial	Fix Released	Medium	Stefan Bader

Bug Description

SRU Justification

    Impact:
       The upstream process for stable tree updates is quite similar
       in scope to the Ubuntu SRU process, e.g., each patch has to
       demonstrably fix a bug, and each patch is vetted by upstream
       by originating either directly from a mainline/stable Linux tree or
       a minimally backported form of that patch. The 4.4.89 upstream stable
       patch set is now available. It should be included in the Ubuntu
       kernel as well.

git://git.kernel.org/

TEST CASE: TBD

The following patches from the 4.4.89 stable release shall be applied:
* ipv6: accept 64k - 1 packet length in ip6_find_1stfragopt()
* ipv6: add rcu grace period before freeing fib6_node
* ipv6: fix sparse warning on rt6i_node
* qlge: avoid memcpy buffer overflow
* Revert "net: phy: Correctly process PHY_HALTED in phy_stop_machine()"
* Revert "net: use lib/percpu_counter API for fragmentation mem accounting"
* Revert "net: fix percpu memory leaks"
* gianfar: Fix Tx flow control deactivation
* ipv6: fix memory leak with multiple tables during netns destruction
* ipv6: fix typo in fib6_net_exit()
* f2fs: check hot_data for roll-forward recovery
* x86/fsgsbase/64: Report FSBASE and GSBASE correctly in core dumps
* md/raid5: release/flush io in raid5_do_work()
* nfsd: Fix general protection fault in release_lock_stateid()
* mm: prevent double decrease of nr_reserved_highatomic
* tty: improve tty_insert_flip_char() fast path
* tty: improve tty_insert_flip_char() slow path
* tty: fix __tty_insert_flip_char regression
* Input: i8042 - add Gigabyte P57 to the keyboard reset table
* MIPS: math-emu: <MAX|MAXA|MIN|MINA>.<D|S>: Fix quiet NaN propagation
* MIPS: math-emu: <MAX|MAXA|MIN|MINA>.<D|S>: Fix cases of both inputs zero
* MIPS: math-emu: <MAX|MIN>.<D|S>: Fix cases of both inputs negative
* MIPS: math-emu: <MAXA|MINA>.<D|S>: Fix cases of input values with opposite
  signs
* MIPS: math-emu: <MAXA|MINA>.<D|S>: Fix cases of both infinite inputs
* MIPS: math-emu: MINA.<D|S>: Fix some cases of infinity and zero inputs
* crypto: AF_ALG - remove SGL terminator indicator when chaining
* ext4: fix incorrect quotaoff if the quota feature is enabled
* ext4: fix quota inconsistency during orphan cleanup for read-only mounts
* powerpc: Fix DAR reporting when alignment handler faults
* block: Relax a check in blk_start_queue()
* md/bitmap: disable bitmap_resize for file-backed bitmaps.
* skd: Avoid that module unloading triggers a use-after-free
* skd: Submit requests to firmware before triggering the doorbell
* scsi: zfcp: fix queuecommand for scsi_eh commands when DIX enabled
* scsi: zfcp: add handling for FCP_RESID_OVER to the fcp ingress path
* scsi: zfcp: fix capping of unsuccessful GPN_FT SAN response trace records
* scsi: zfcp: fix passing fsf_req to SCSI trace on TMF to correlate with HBA
* scsi: zfcp: fix missing trace records for early returns in TMF eh handlers
* scsi: zfcp: fix payload with full FCP_RSP IU in SCSI trace records
* scsi: zfcp: trace HBA FSF response by default on dismiss or timedout late
  response
* scsi: zfcp: trace high part of "new" 64 bit SCSI LUN
* scsi: megaraid_sas: Check valid aen class range to avoid kernel panic
* scsi: megaraid_sas: Return pended IOCTLs with cmd_status
  MFI_STAT_WRONG_STATE in case adapter is dead
* scsi: storvsc: fix memory leak on ring buffer busy
* scsi: sg: remove 'save_scat_len'
* scsi: sg: use standard lists for sg_requests
* scsi: sg: off by one in sg_ioctl()
* scsi: sg: factor out sg_fill_request_table()
* scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE
* scsi: qla2xxx: Fix an integer overflow in sysfs code
* ftrace: Fix selftest goto location on error
* tracing: Apply trace_clock changes to instance max buffer
* ARC: Re-enable MMU upon Machine Check exception
* PCI: shpchp: Enable bridge bus mastering if MSI is enabled
* media: v4l2-compat-ioctl32: Fix timespec conversion
* media: uvcvideo: Prevent heap overflow when accessing mapped controls
* bcache: initialize dirty stripes in flash_dev_run()
* bcache: Fix leak of bdev reference
* bcache: do not subtract sectors_to_gc for bypassed IO
* bcache: correct cache_dirty_target in __update_writeback_rate()
* bcache: Correct return value for sysfs attach errors
* bcache: fix for gc and write-back race
* bcache: fix bch_hprint crash and improve output
* ftrace: Fix memleak when unregistering dynamic ops when tracing disabled
* Linux 4.4.89

See original description

Tags:

CVE References

Stefan Bader (smb) on 2017-10-05

tags:	added: kernel-stable-tracking-bug
Changed in linux (Ubuntu Xenial):
assignee:	nobody → Stefan Bader (smb)
importance:	Undecided → Medium
status:	New → In Progress
Changed in linux (Ubuntu):
status:	New → Invalid

Revision history for this message

Stefan Bader (smb) wrote on 2017-10-05:

Skipped "tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0" because it is already applied for CVE-2017-14106.

Accepted fuzz 1 for "scsi: storvsc: fix memory leak on ring buffer busy".

description:

updated

Thadeu Lima de Souza Cascardo (cascardo) on 2017-10-05

Changed in linux (Ubuntu Xenial):
status:	In Progress → Fix Committed

Revision history for this message

Launchpad Janitor (janitor) wrote on 2017-10-30:

Download full text (11.5 KiB)

This bug was fixed in the package linux - 4.4.0-98.121

---------------
linux (4.4.0-98.121) xenial; urgency=low

* linux: 4.4.0-98.121 -proposed tracker (LP: #1722299)

  * Controller lockup detected on ProLiant DL380 Gen9 with P440 Controller
    (LP: #1720359)
    - scsi: hpsa: limit transfer length to 1MB

  * [Dell Docking IE][0bda:8153] Realtek USB Ethernet leads to system hang
    (LP: #1720977)
    - r8152: fix the list rx_done may be used without initialization

* Add installer support for Broadcom BCM573xx network drivers. (LP: #1720466)
- d-i: Add bnxt_en to nic-modules.

* snapcraft.yaml: add dpkg-dev to the build deps (LP: #1718886)
- snapcraft.yaml: add dpkg-dev to the build deps

* Support setting I2C_TIMEOUT via ioctl for i2c-designware (LP: #1718578)
- i2c: designware: Use transfer timeout from ioctl I2C_TIMEOUT

  * 5U84 - ses driver isn't binding right - cannot blink lights on 1 of the 2
    5u84 (LP: #1693369)
    - scsi_transport_sas: add function to get SAS endpoint address
    - ses: fix discovery of SATA devices in SAS enclosures
    - scsi: sas: provide stub implementation for scsi_is_sas_rphy
    - scsi: ses: Fix SAS device detection in enclosure

  * multipath -ll is not showing the disks which are actually multipath
    (LP: #1718397)
    - fs: aio: fix the increment of aio-nr and counting against aio-max-nr

* Support Dell Wireless DW5819/5818 WWAN devices (LP: #1721455)
- SAUCE: USB: serial: qcserial: add Dell DW5818, DW5819

* CVE-2017-10911
- xen-blkback: don't leak stack data via response ring

  * implement 'complain mode' in seccomp for developer mode with snaps
    (LP: #1567597)
    - seccomp: Provide matching filter for introspection
    - seccomp: Sysctl to display available actions
    - seccomp: Operation for checking if an action is available
    - seccomp: Sysctl to configure actions that are allowed to be logged
    - seccomp: Selftest for detection of filter flag support
    - seccomp: Action to log before allowing

  * implement errno action logging in seccomp for strict mode with snaps
    (LP: #1721676)
    - seccomp: Provide matching filter for introspection
    - seccomp: Sysctl to display available actions
    - seccomp: Operation for checking if an action is available
    - seccomp: Sysctl to configure actions that are allowed to be logged
    - seccomp: Selftest for detection of filter flag support
    - seccomp: Filter flag to log all actions except SECCOMP_RET_ALLOW

* [Xenial] update OpenNSL kernel modules to 6.5.10 (LP: #1721511)
- SAUCE: update OpenNSL kernel modules to 6.5.10

This bug was fixed in the package linux - 4.4.0-98.121

---------------
linux (4.4.0-98.121) xenial; urgency=low

* linux: 4.4.0-98.121 -proposed tracker (LP: #1722299)

* Controller lockup detected on ProLiant DL380 Gen9 with P440 Controller
    (LP: #1720359)
    - scsi: hpsa: limit transfer length to 1MB

* [Dell Docking IE][0bda:8153] Realtek USB Ethernet leads to system hang
    (LP: #1720977)
    - r8152: fix the list rx_done may be used without initialization

* Add installer support for Broadcom BCM573xx network drivers. (LP: #1720466)
    - d-i: Add bnxt_en to nic-modules.

* snapcraft.yaml: add dpkg-dev to the build deps (LP: #1718886)
    - snapcraft.yaml: add dpkg-dev to the build deps

* Support setting I2C_TIMEOUT via ioctl for i2c-designware (LP: #1718578)
    - i2c: designware: Use transfer timeout from ioctl I2C_TIMEOUT

* multipath -ll is not showing the disks which are actually multipath
    (LP: #1718397)
    - fs: aio: fix the increment of aio-nr and counting against aio-max-nr

* Support Dell Wireless DW5819/5818 WWAN devices (LP: #1721455)
    - SAUCE: USB: serial: qcserial: add Dell DW5818, DW5819

* CVE-2017-10911
    - xen-blkback: don't leak stack data via response ring

* [Xenial] update OpenNSL kernel modules to 6.5.10 (LP: #1721511)
    - SAUCE: update OpenNSL kernel modules to 6.5.10

* Xenial update to 4.4.90 stable release (LP: #1721550)
    - cifs: release auth_key.response for reconnect.
    - mac80211: flush hw_roc_start work before cancelling the ROC
    - KVM: PPC: Book3S: Fix race and leak in kvm_vm_ioctl_create_spapr_tce()
    - tracing: Fix trace_pipe behavior for instance traces
    - tracing: Erase irqsoff trace with empty write
    - md/raid5: fix a race condition in stripe batch
    - md/raid5: preserve STRIPE_ON_UNPLUG_LIST in break_stripe_batch_list
    - scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesn't parse
      nlmsg properly
    - crypto: talitos - Don't provide setkey for non hmac hashing algs.
    - crypto: talitos - fix sha224
    - KEYS: fix writing past end of user-supplied buffer in keyring_read()
    - KEYS: prevent creating a different user's keyrings
    - KEYS: prevent KEYCTL_READ on negative key
    - powerpc/pseries: Fix parent_dn reference leak in add_dt_node()
    - Fix SMB3.1.1 guest authentication to Samba
    - SMB: Validate negotiate (to protect against downgrade) even if signing off
    - SMB3: Don't ignore O_SYNC/O_DSYNC and O_DIRECT flags
    - vfs: Return -ENXIO for negative SEEK_HOLE / SEEK_DATA offsets
    - nl80211: check for the required netlink attributes presence
    - bsg-lib: don't free job in bsg_prepare_job
    - seccomp: fix the usage of get/put_seccomp_filter() in seccomp_get_filter()
    - arm64: Make sure SPsel is always set
    - arm64: fault: Route pte translation faults via do_translation_fault
    - KVM: VMX: Do not BUG() on out-of-bounds guest IRQ
    - kvm: nVMX: Don't allow L2 to access the hardware CR8
    - PCI: Fix race condition with driver_override
    - btrfs: fix NULL pointer dereference from free_reloc_roots()
    - btrfs: propagate error to btrfs_cmp_data_prepare caller
    - btrfs: prevent to set invalid default subvolid
    - x86/fpu: Don't let userspace set bogus xcomp_bv
    - gfs2: Fix debugfs glocks dump
    - timer/sysclt: Restrict timer migration sysctl values to 0 and 1
    - KVM: VMX: do not change SN bit in vmx_update_pi_irte()
    - KVM: VMX: remove WARN_ON_ONCE in kvm_vcpu_trigger_posted_interrupt
    - cxl: Fix driver use count
    - dmaengine: mmp-pdma: add number of requestors
    - ARM: pxa: add the number of DMA requestor lines
    - ARM: pxa: fix the number of DMA requestor lines
    - KVM: VMX: use cmpxchg64
    - video: fbdev: aty: do not leak uninitialized padding in clk to userspace
    - swiotlb-xen: implement xen_swiotlb_dma_mmap callback
    - fix xen_swiotlb_dma_mmap prototype
    - Linux 4.4.90

* Xenial update to 4.4.89 stable release (LP: #1721477)
    - ipv6: accept 64k - 1 packet length in ip6_find_1stfragopt()
    - ipv6: add rcu grace period before freeing fib6_node
    - ipv6: fix sparse warning on rt6i_node
    - qlge: avoid memcpy buffer overflow
    - Revert "net: phy: Correctly process PHY_HALTED in phy_stop_machine()"
    - Revert "net: use lib/percpu_counter API for fragmentation mem accounting"
    - Revert "net: fix percpu memory leaks"
    - gianfar: Fix Tx flow control deactivation
    - ipv6: fix memory leak with multiple tables during netns destruction
    - ipv6: fix typo in fib6_net_exit()
    - f2fs: check hot_data for roll-forward recovery
    - x86/fsgsbase/64: Report FSBASE and GSBASE correctly in core dumps
    - md/raid5: release/flush io in raid5_do_work()
    - nfsd: Fix general protection fault in release_lock_stateid()
    - mm: prevent double decrease of nr_reserved_highatomic
    - tty: improve tty_insert_flip_char() fast path
    - tty: improve tty_insert_flip_char() slow path
    - tty: fix __tty_insert_flip_char regression
    - Input: i8042 - add Gigabyte P57 to the keyboard reset table
    - MIPS: math-emu: <MAX|MAXA|MIN|MINA>.<D|S>: Fix quiet NaN propagation
    - MIPS: math-emu: <MAX|MAXA|MIN|MINA>.<D|S>: Fix cases of both inputs zero
    - MIPS: math-emu: <MAX|MIN>.<D|S>: Fix cases of both inputs negative
    - MIPS: math-emu: <MAXA|MINA>.<D|S>: Fix cases of input values with opposite
      signs
    - MIPS: math-emu: <MAXA|MINA>.<D|S>: Fix cases of both infinite inputs
    - MIPS: math-emu: MINA.<D|S>: Fix some cases of infinity and zero inputs
    - crypto: AF_ALG - remove SGL terminator indicator when chaining
    - ext4: fix incorrect quotaoff if the quota feature is enabled
    - ext4: fix quota inconsistency during orphan cleanup for read-only mounts
    - powerpc: Fix DAR reporting when alignment handler faults
    - block: Relax a check in blk_start_queue()
    - md/bitmap: disable bitmap_resize for file-backed bitmaps.
    - skd: Avoid that module unloading triggers a use-after-free
    - skd: Submit requests to firmware before triggering the doorbell
    - scsi: zfcp: fix queuecommand for scsi_eh commands when DIX enabled
    - scsi: zfcp: add handling for FCP_RESID_OVER to the fcp ingress path
    - scsi: zfcp: fix capping of unsuccessful GPN_FT SAN response trace records
    - scsi: zfcp: fix passing fsf_req to SCSI trace on TMF to correlate with HBA
    - scsi: zfcp: fix missing trace records for early returns in TMF eh handlers
    - scsi: zfcp: fix payload with full FCP_RSP IU in SCSI trace records
    - scsi: zfcp: trace HBA FSF response by default on dismiss or timedout late
      response
    - scsi: zfcp: trace high part of "new" 64 bit SCSI LUN
    - scsi: megaraid_sas: Check valid aen class range to avoid kernel panic
    - scsi: megaraid_sas: Return pended IOCTLs with cmd_status
      MFI_STAT_WRONG_STATE in case adapter is dead
    - scsi: storvsc: fix memory leak on ring buffer busy
    - scsi: sg: remove 'save_scat_len'
    - scsi: sg: use standard lists for sg_requests
    - scsi: sg: off by one in sg_ioctl()
    - scsi: sg: factor out sg_fill_request_table()
    - scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE
    - scsi: qla2xxx: Fix an integer overflow in sysfs code
    - ftrace: Fix selftest goto location on error
    - tracing: Apply trace_clock changes to instance max buffer
    - ARC: Re-enable MMU upon Machine Check exception
    - PCI: shpchp: Enable bridge bus mastering if MSI is enabled
    - media: v4l2-compat-ioctl32: Fix timespec conversion
    - media: uvcvideo: Prevent heap overflow when accessing mapped controls
    - bcache: initialize dirty stripes in flash_dev_run()
    - bcache: Fix leak of bdev reference
    - bcache: do not subtract sectors_to_gc for bypassed IO
    - bcache: correct cache_dirty_target in __update_writeback_rate()
    - bcache: Correct return value for sysfs attach errors
    - bcache: fix for gc and write-back race
    - bcache: fix bch_hprint crash and improve output
    - ftrace: Fix memleak when unregistering dynamic ops when tracing disabled
    - Linux 4.4.89

* ETPS/2 Elantech Touchpad inconsistently detected (Gigabyte P57W laptop)
    (LP: #1594214)
    - Input: i8042 - add Gigabyte P57 to the keyboard reset table

* Xenial update to 4.4.88 stable release (LP: #1718195)
    - usb: quirks: add delay init quirk for Corsair Strafe RGB keyboard
    - USB: serial: option: add support for D-Link DWM-157 C1
    - usb: Add device quirk for Logitech HD Pro Webcam C920-C
    - usb:xhci:Fix regression when ATI chipsets detected
    - USB: core: Avoid race of async_completed() w/ usbdev_release()
    - staging/rts5208: fix incorrect shift to extract upper nybble
    - driver core: bus: Fix a potential double free
    - intel_th: pci: Add Cannon Lake PCH-H support
    - intel_th: pci: Add Cannon Lake PCH-LP support
    - ath10k: fix memory leak in rx ring buffer allocation
    - rtlwifi: rtl_pci_probe: Fix fail path of _rtl_pci_find_adapter
    - Bluetooth: Add support of 13d3:3494 RTL8723BE device
    - dlm: avoid double-free on error path in dlm_device_{register,unregister}
    - mwifiex: correct channel stat buffer overflows
    - drm/nouveau/pci/msi: disable MSI on big-endian platforms by default
    - workqueue: Fix flag collision
    - cs5536: add support for IDE controller variant
    - scsi: sg: protect against races between mmap() and SG_SET_RESERVED_SIZE
    - scsi: sg: recheck MMAP_IO request length with lock held
    - drm: adv7511: really enable interrupts for EDID detection
    - drm/bridge: adv7511: Fix mutex deadlock when interrupts are disabled
    - drm/bridge: adv7511: Use work_struct to defer hotplug handing to out of irq
      context
    - drm/bridge: adv7511: Switch to using drm_kms_helper_hotplug_event()
    - drm/bridge: adv7511: Re-write the i2c address before EDID probing
    - btrfs: resume qgroup rescan on rw remount
    - locktorture: Fix potential memory leak with rw lock test
    - ALSA: msnd: Optimize / harden DSP and MIDI loops
    - ARM: 8692/1: mm: abort uaccess retries upon fatal signal
    - NFS: Fix 2 use after free issues in the I/O code
    - xfs: XFS_IS_REALTIME_INODE() should be false if no rt device present
    - Linux 4.4.88

* Kernel has troule recognizing Corsair Strafe RGB keyboard (LP: #1678477)
    - usb: quirks: add delay init quirk for Corsair Strafe RGB keyboard

-- Thadeu Lima de Souza Cascardo <cascardo@canonical.com>  Tue, 10 Oct 2017 08:52:24 -0300

Changed in linux (Ubuntu Xenial):
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntulinux package