Ubuntu
linux package

Xenial update to 4.4.114 stable release

Xenial (16.04)
Bug #1754592

Bug #1754592 reported by Stefan Bader on 2018-03-09

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	linux (Ubuntu)	Invalid	Undecided	Unassigned
	Xenial	Fix Released	Medium	Stefan Bader

Bug Description

SRU Justification

    Impact:
       The upstream process for stable tree updates is quite similar
       in scope to the Ubuntu SRU process, e.g., each patch has to
       demonstrably fix a bug, and each patch is vetted by upstream
       by originating either directly from a mainline/stable Linux tree or
       a minimally backported form of that patch. The 4.4.114 upstream stable
       patch set is now available. It should be included in the Ubuntu
       kernel as well.

git://git.kernel.org/

TEST CASE: TBD

The following patches from the 4.4.114 stable release shall be applied:
* x86/asm/32: Make sync_core() handle missing CPUID on all 32-bit kernels
* usbip: prevent vhci_hcd driver from leaking a socket pointer address
* usbip: Fix implicit fallthrough warning
* usbip: Fix potential format overflow in userspace tools
* x86/microcode/intel: Fix BDW late-loading revision check
* x86/retpoline: Fill RSB on context switch for affected CPUs
* sched/deadline: Use the revised wakeup rule for suspending constrained dl tasks
* can: af_can: can_rcv(): replace WARN_ONCE by pr_warn_once
* can: af_can: canfd_rcv(): replace WARN_ONCE by pr_warn_once
* PM / sleep: declare __tracedata symbols as char[] rather than char
* time: Avoid undefined behaviour in ktime_add_safe()
* timers: Plug locking race vs. timer migration
* Prevent timer value 0 for MWAITX
* drivers: base: cacheinfo: fix x86 with CONFIG_OF enabled
* drivers: base: cacheinfo: fix boot error message when acpi is enabled
* PCI: layerscape: Add "fsl,ls2085a-pcie" compatible ID
* PCI: layerscape: Fix MSG TLP drop setting
* mmc: sdhci-of-esdhc: add/remove some quirks according to vendor version
* fs/select: add vmalloc fallback for select(2)
* hwpoison, memcg: forcibly uncharge LRU pages
* cma: fix calculation of aligned offset
* mm, page_alloc: fix potential false positive in __zone_watermark_ok
* ipc: msg, make msgrcv work with LONG_MIN
* x86/ioapic: Fix incorrect pointers in ioapic_setup_resources()
* ACPI / processor: Avoid reserving IO regions too early
* ACPI / scan: Prefer devices without _HID/_CID for _ADR matching
* ACPICA: Namespace: fix operand cache leak
* netfilter: x_tables: speed up jump target validation
* netfilter: arp_tables: fix invoking 32bit "iptable -P INPUT ACCEPT" failed in
64bit kernel
* netfilter: nf_dup_ipv6: set again FLOWI_FLAG_KNOWN_NH at flowi6_flags
* netfilter: nf_ct_expect: remove the redundant slash when policy name is empty
* netfilter: nfnetlink_queue: reject verdict request from different portid
* netfilter: restart search if moved to other chain
* netfilter: nf_conntrack_sip: extend request line validation
* netfilter: use fwmark_reflect in nf_send_reset
* ext2: Don't clear SGID when inheriting ACLs
* reiserfs: fix race in prealloc discard
* reiserfs: don't preallocate blocks for extended attributes
* reiserfs: Don't clear SGID when inheriting ACLs
* fs/fcntl: f_setown, avoid undefined behaviour
* scsi: libiscsi: fix shifting of DID_REQUEUE host byte
* Input: trackpoint - force 3 buttons if 0 button is reported
* usb: usbip: Fix possible deadlocks reported by lockdep
* usbip: fix stub_rx: get_pipe() to validate endpoint number
* usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input
* usbip: prevent leaking socket pointer address in messages
* um: link vmlinux with -no-pie
* vsyscall: Fix permissions for emulate mode with KAISER/PTI
* eventpoll.h: add missing epoll event masks
* x86/microcode/intel: Extend BDW late-loading further with LLC size check
* hrtimer: Reset hrtimer cpu base proper on CPU hotplug
* dccp: don't restart ccid2_hc_tx_rto_expire() if sk in closed state
* ipv6: Fix getsockopt() for sockets with default IPV6_AUTOFLOWLABEL
* ipv6: fix udpv6 sendmsg crash caused by too small MTU
* ipv6: ip6_make_skb() needs to clear cork.base.dst
* lan78xx: Fix failure in USB Full Speed
* net: igmp: fix source address check for IGMPv3 reports
* tcp: __tcp_hdrlen() helper
* net: qdisc_pkt_len_init() should be more robust
* pppoe: take ->needed_headroom of lower device into account on xmit
* r8169: fix memory corruption on retrieval of hardware statistics.
* sctp: do not allow the v4 socket to bind a v4mapped v6 address
* sctp: return error if the asoc has been peeled off in sctp_wait_for_sndbuf
* vmxnet3: repair memory leak
* net: Allow neigh contructor functions ability to modify the primary_key
* ipv4: Make neigh lookup keys for loopback/point-to-point devices be INADDR_ANY
* flow_dissector: properly cap thoff field
* net: tcp: close sock if net namespace is exiting
* nfsd: auth: Fix gid sorting when rootsquash enabled
* Linux 4.4.114

See original description

Tags:

CVE References

Stefan Bader (smb) on 2018-03-09

tags:

added: kernel-stable-tracking-bug

Stefan Bader (smb) on 2018-03-09

Changed in linux (Ubuntu Xenial):
assignee:	nobody → Stefan Bader (smb)
importance:	Undecided → Medium
status:	New → In Progress
Changed in linux (Ubuntu):
status:	New → Invalid

Revision history for this message

Stefan Bader (smb) wrote on 2018-03-09:

Deliberately skipping "Revert "module: Add retpoline tag to VERMAGIC"" because we decided we actually are fine with flagging things that way.

Skipping because already applied:
* Slow system response time due to a monitor bug (bug 1606147)
  - x86/cpu/intel: Introduce macros for Intel family numbers
* CVE-2017-1000364
  - mm/mmap.c: do not blow on PROT_NONE MAP_FIXED holes in the stack
* CVE-2017-17448
  - netfilter: nfnetlink_cthelper: Add missing permission checks
* CVE-2017-17450
  - netfilter: xt_osf: Add missing permission checks

We backported the following set for (bug 16407868):
* netfilter: x_tables: pass xt_counters struct instead of packet
counter
* netfilter: x_tables: pass xt_counters struct to counter allocator
* netfilter: x_tables: pack percpu counter allocations
this caused the following stable patch to be not needed in Xenial:
* netfilter: fix IS_ERR_VALUE usage

Skipped until later decision (Spectre v2 upstream):
* x86/retpoline: Fill RSB on context switch for affected CPUs
-> re-defines the SPEC_CTRL bit with a different name and does
some STUFF_RSB related things

Revision history for this message

Stefan Bader (smb) wrote on 2018-03-09:

Now back-backported the fill RSB change to fit into Xenial code base (x86/retpoline: Fill RSB on context switch for affected CPUs).

Stefan Bader (smb) on 2018-03-09

description:

updated

Kleber Sacilotto de Souza (kleber-souza) on 2018-03-13

Changed in linux (Ubuntu Xenial):
status:	In Progress → Fix Committed

Revision history for this message

Launchpad Janitor (janitor) wrote on 2018-04-04:

Download full text (56.9 KiB)

This bug was fixed in the package linux - 4.4.0-119.143

---------------
linux (4.4.0-119.143) xenial; urgency=medium

* linux: 4.4.0-119.143 -proposed tracker (LP: #1760327)

* Dell XPS 13 9360 bluetooth scan can not detect any device (LP: #1759821)
- Revert "Bluetooth: btusb: fix QCA Rome suspend/resume"

linux (4.4.0-118.142) xenial; urgency=medium

* linux: 4.4.0-118.142 -proposed tracker (LP: #1759607)

* Kernel panic with AWS 4.4.0-1053 / 4.4.0-1015 (Trusty) (LP: #1758869)
- x86/microcode/AMD: Do not load when running on a hypervisor

  * CVE-2018-8043
    - net: phy: mdio-bcm-unimac: fix potential NULL dereference in
      unimac_mdio_probe()

linux (4.4.0-117.141) xenial; urgency=medium

* linux: 4.4.0-117.141 -proposed tracker (LP: #1755208)

This bug was fixed in the package linux - 4.4.0-119.143

---------------
linux (4.4.0-119.143) xenial; urgency=medium

* linux: 4.4.0-119.143 -proposed tracker (LP: #1760327)

* Dell XPS 13 9360 bluetooth scan can not detect any device (LP: #1759821)
    - Revert "Bluetooth: btusb: fix QCA Rome suspend/resume"

linux (4.4.0-118.142) xenial; urgency=medium

* linux: 4.4.0-118.142 -proposed tracker (LP: #1759607)

* Kernel panic with AWS 4.4.0-1053 / 4.4.0-1015 (Trusty) (LP: #1758869)
    - x86/microcode/AMD: Do not load when running on a hypervisor

* CVE-2018-8043
    - net: phy: mdio-bcm-unimac: fix potential NULL dereference in
      unimac_mdio_probe()

linux (4.4.0-117.141) xenial; urgency=medium

* linux: 4.4.0-117.141 -proposed tracker (LP: #1755208)

* Xenial update to 4.4.114 stable release (LP: #1754592)
    - x86/asm/32: Make sync_core() handle missing CPUID on all 32-bit kernels
    - usbip: prevent vhci_hcd driver from leaking a socket pointer address
    - usbip: Fix implicit fallthrough warning
    - usbip: Fix potential format overflow in userspace tools
    - x86/microcode/intel: Fix BDW late-loading revision check
    - x86/retpoline: Fill RSB on context switch for affected CPUs
    - sched/deadline: Use the revised wakeup rule for suspending constrained dl
      tasks
    - can: af_can: can_rcv(): replace WARN_ONCE by pr_warn_once
    - can: af_can: canfd_rcv(): replace WARN_ONCE by pr_warn_once
    - PM / sleep: declare __tracedata symbols as char[] rather than char
    - time: Avoid undefined behaviour in ktime_add_safe()
    - timers: Plug locking race vs. timer migration
    - Prevent timer value 0 for MWAITX
    - drivers: base: cacheinfo: fix x86 with CONFIG_OF enabled
    - drivers: base: cacheinfo: fix boot error message when acpi is enabled
    - PCI: layerscape: Add "fsl,ls2085a-pcie" compatible ID
    - PCI: layerscape: Fix MSG TLP drop setting
    - mmc: sdhci-of-esdhc: add/remove some quirks according to vendor version
    - fs/select: add vmalloc fallback for select(2)
    - hwpoison, memcg: forcibly uncharge LRU pages
    - cma: fix calculation of aligned offset
    - mm, page_alloc: fix potential false positive in __zone_watermark_ok
    - ipc: msg, make msgrcv work with LONG_MIN
    - x86/ioapic: Fix incorrect pointers in ioapic_setup_resources()
    - ACPI / processor: Avoid reserving IO regions too early
    - ACPI / scan: Prefer devices without _HID/_CID for _ADR matching
    - ACPICA: Namespace: fix operand cache leak
    - netfilter: x_tables: speed up jump target validation
    - netfilter: arp_tables: fix invoking 32bit "iptable -P INPUT ACCEPT" failed
      in 64bit kernel
    - netfilter: nf_dup_ipv6: set again FLOWI_FLAG_KNOWN_NH at flowi6_flags
    - netfilter: nf_ct_expect: remove the redundant slash when policy name is
      empty
    - netfilter: nfnetlink_queue: reject verdict request from different portid
    - netfilter: restart search if moved to other chain
    - netfilter: nf_conntrack_sip: extend request line validation
    - netfilter: use fwmark_reflect in nf_send_reset
    - ext2: Don't clear SGID when inheriting ACLs
    - reiserfs: fix race in prealloc discard
    - reiserfs: don't preallocate blocks for extended attributes
    - reiserfs: Don't clear SGID when inheriting ACLs
    - fs/fcntl: f_setown, avoid undefined behaviour
    - scsi: libiscsi: fix shifting of DID_REQUEUE host byte
    - Input: trackpoint - force 3 buttons if 0 button is reported
    - usb: usbip: Fix possible deadlocks reported by lockdep
    - usbip: fix stub_rx: get_pipe() to validate endpoint number
    - usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input
    - usbip: prevent leaking socket pointer address in messages
    - um: link vmlinux with -no-pie
    - vsyscall: Fix permissions for emulate mode with KAISER/PTI
    - eventpoll.h: add missing epoll event masks
    - x86/microcode/intel: Extend BDW late-loading further with LLC size check
    - hrtimer: Reset hrtimer cpu base proper on CPU hotplug
    - dccp: don't restart ccid2_hc_tx_rto_expire() if sk in closed state
    - ipv6: Fix getsockopt() for sockets with default IPV6_AUTOFLOWLABEL
    - ipv6: fix udpv6 sendmsg crash caused by too small MTU
    - ipv6: ip6_make_skb() needs to clear cork.base.dst
    - lan78xx: Fix failure in USB Full Speed
    - net: igmp: fix source address check for IGMPv3 reports
    - tcp: __tcp_hdrlen() helper
    - net: qdisc_pkt_len_init() should be more robust
    - pppoe: take ->needed_headroom of lower device into account on xmit
    - r8169: fix memory corruption on retrieval of hardware statistics.
    - sctp: do not allow the v4 socket to bind a v4mapped v6 address
    - sctp: return error if the asoc has been peeled off in sctp_wait_for_sndbuf
    - vmxnet3: repair memory leak
    - net: Allow neigh contructor functions ability to modify the primary_key
    - ipv4: Make neigh lookup keys for loopback/point-to-point devices be
      INADDR_ANY
    - flow_dissector: properly cap thoff field
    - net: tcp: close sock if net namespace is exiting
    - nfsd: auth: Fix gid sorting when rootsquash enabled
    - Linux 4.4.114

* Xenial update to 4.4.113 stable release (LP: #1754375)
    - gcov: disable for COMPILE_TEST
    - scsi: sg: disable SET_FORCE_LOW_DMA
    - futex: Prevent overflow by strengthen input validation
    - ALSA: pcm: Remove yet superfluous WARN_ON()
    - ALSA: hda - Apply headphone noise quirk for another Dell XPS 13 variant
    - ALSA: hda - Apply the existing quirk to iMac 14,1
    - af_key: fix buffer overread in verify_address_len()
    - af_key: fix buffer overread in parse_exthdrs()
    - scsi: hpsa: fix volume offline state
    - sched/deadline: Zero out positive runtime after throttling constrained tasks
    - pipe: avoid round_pipe_size() nr_pages overflow on 32-bit
    - x86/apic/vector: Fix off by one in error path
    - Input: 88pm860x-ts - fix child-node lookup
    - Input: twl6040-vibra - fix DT node memory management
    - Input: twl6040-vibra - fix child-node lookup
    - Input: twl4030-vibra - fix sibling-node lookup
    - tracing: Fix converting enum's from the map in trace_event_eval_update()
    - phy: work around 'phys' references to usb-nop-xceiv devices
    - ARM: dts: kirkwood: fix pin-muxing of MPP7 on OpenBlocks A7
    - can: peak: fix potential bug in packet fragmentation
    - dm btree: fix serious bug in btree_split_beneath()
    - dm thin metadata: THIN_MAX_CONCURRENT_LOCKS should be 6
    - arm64: KVM: Fix SMCCC handling of unimplemented SMC/HVC calls
    - kbuild: modversions for EXPORT_SYMBOL() for asm
    - x86/pti: Document fix wrong index
    - MIPS: AR7: ensure the port type's FCR value is used
    - Linux 4.4.113

* Xenial update to 4.4.113 stable release (LP: #1754375) // CVE-2017-5753
    (Spectre v1 Intel -> upstream)
    - Revert "x86/cpu/AMD: Make the LFENCE instruction serialized"
    - x86/cpu/AMD: Make LFENCE a serializing instruction
    - x86/cpu/AMD: Use LFENCE_RDTSC in preference to MFENCE_RDTSC

* i2c-thunderx: erroneous error message "unhandled state: 0" (LP: #1754076)
    - i2c: octeon: Prevent error message on bus error

* qeth: fix calculation of required buffer elements for skb (LP: #1750810)
    - s390/qeth: fix underestimated count of buffer elements

* Support rfkill-any led trigger for Fujitsu u727 (LP: #1745130)
    - rfkill: Add rfkill-any LED trigger

* Redpine: Sometimes Wi-Fi connection shows "unavailable" after resume from
    WoWLAN S4. WLAN can be recover after reboot or reloading WIFI driver.
    (LP: #1753438) // Redpine: BLE scanning for nearby beacons per second is too
    low and result high loss rate. (LP: #1753439)
    - SAUCE: Redpine: resolve race while resuming from S4
    - SAUCE: Redpine: Fix card write failure issue at S4 restore
    - SAUCE: Redpine: Add deep sleep enable before connection
    - SAUCE: Redpine: resolve power save issue after S4 resume

* qeth: check not more than 16 SBALEs on the completion queue (LP: #1750568)
    - qeth: check not more than 16 SBALEs on the completion queue

* qeth: fix L3 next-hop im xmit qeth hdr (LP: #1750813)
    - s390/qeth: fix L3 next-hop in xmit qeth hdr

* qemu-efi-aarch64 in >= artful can't boot xenial cloud images (LP: #1744754)
    - irqchip/gic-v3: Refactor gic_of_init() for GICv3 driver
    - irqchip/gic-v3: Add ACPI support for GICv3/4 initialization
    - irqchip/gic-v3: ACPI: Add redistributor support via GICC structures
    - irqchip/gic-v3: Remove gic_root_node variable from the ITS code
    - irqchip/gic-v3-its: Mark its_init() and its children as __init
    - ACPICA: Headers: Add new constants for the DBG2 ACPI table
    - of/serial: move earlycon early_param handling to serial
    - ACPI: parse SPCR and enable matching console
    - [Config] CONFIG_ACPI_SPCR_TABLE=y
    - ARM64: ACPI: enable ACPI_SPCR_TABLE
    - serial: pl011: add console matching function

* OOM and High CPU utilization in update_blocked_averages because of too many
    cfs_rqs in rq->leaf_cfs_rq_list (LP: #1747896)
    - sched/fair: Fix O(nr_cgroups) in load balance path

* linux-tools: perf incorrectly linking libbfd (LP: #1748922)
    - SAUCE: tools -- add ability to disable libbfd
    - [Packaging] correct disablement of libbfd

* retpoline abi files are empty on i386 (LP: #1751021)
    - [Packaging] retpoline-extract -- instantiate retpoline files for i386
    - [Packaging] final-checks -- sanity checking ABI contents
    - [Packaging] final-checks -- check for empty retpoline files

* bnx2x_attn_int_deasserted3:4323 MC assert! (LP: #1715519) //
    CVE-2018-1000026
    - net: create skb_gso_validate_mac_len()
    - bnx2x: disable GSO where gso_size is too big for hardware

* CVE-2017-17448
    - netfilter: nfnetlink_cthelper: Add missing permission checks

* TB16 dock ethernet corrupts data with hw checksum silently failing
    (LP: #1729674)
    - r8152: disable RX aggregation on Dell TB16 dock

* linux < 4.8: x-netns vti is broken (LP: #1744078)
    - net: l3mdev: Add master device lookup by index
    - xfrm: Only add l3mdev oif to dst lookups

* Xenial update to 4.4.112 stable release (LP: #1745266)
    - dm bufio: fix shrinker scans when (nr_to_scan < retain_target)
    - can: gs_usb: fix return value of the "set_bittiming" callback
    - IB/srpt: Disable RDMA access by the initiator
    - MIPS: Validate PR_SET_FP_MODE prctl(2) requests against the ABI of the task
    - MIPS: Factor out NT_PRFPREG regset access helpers
    - MIPS: Guard against any partial write attempt with PTRACE_SETREGSET
    - MIPS: Consistently handle buffer counter with PTRACE_SETREGSET
    - MIPS: Fix an FCSR access API regression with NT_PRFPREG and MSA
    - MIPS: Also verify sizeof `elf_fpreg_t' with PTRACE_SETREGSET
    - MIPS: Disallow outsized PTRACE_SETREGSET NT_PRFPREG regset accesses
    - net/mac80211/debugfs.c: prevent build failure with CONFIG_UBSAN=y
    - x86/vsdo: Fix build on PARAVIRT_CLOCK=y, KVM_GUEST=n
    - x86/acpi: Handle SCI interrupts above legacy space gracefully
    - iommu/arm-smmu-v3: Don't free page table ops twice
    - ALSA: pcm: Remove incorrect snd_BUG_ON() usages
    - ALSA: pcm: Add missing error checks in OSS emulation plugin builder
    - ALSA: pcm: Abort properly at pending signal in OSS read/write loops
    - ALSA: pcm: Allow aborting mutex lock at OSS read/write loops
    - ALSA: aloop: Release cable upon open error path
    - ALSA: aloop: Fix inconsistent format due to incomplete rule
    - ALSA: aloop: Fix racy hw constraints adjustment
    - x86/acpi: Reduce code duplication in mp_override_legacy_irq()
    - mm/compaction: fix invalid free_pfn and compact_cached_free_pfn
    - mm/compaction: pass only pageblock aligned range to pageblock_pfn_to_page
    - mm/page-writeback: fix dirty_ratelimit calculation
    - mm/zswap: use workqueue to destroy pool
    - zswap: don't param_set_charp while holding spinlock
    - locks: don't check for race with close when setting OFD lock
    - futex: Replace barrier() in unqueue_me() with READ_ONCE()
    - locking/mutex: Allow next waiter lockless wakeup
    - usbvision fix overflow of interfaces array
    - usb: musb: ux500: Fix NULL pointer dereference at system PM
    - r8152: fix the wake event
    - r8152: use test_and_clear_bit
    - r8152: adjust ALDPS function
    - lan78xx: use skb_cow_head() to deal with cloned skbs
    - sr9700: use skb_cow_head() to deal with cloned skbs
    - smsc75xx: use skb_cow_head() to deal with cloned skbs
    - cx82310_eth: use skb_cow_head() to deal with cloned skbs
    - x86/mm/pat, /dev/mem: Remove superfluous error message
    - hwrng: core - sleep interruptible in read
    - sysrq: Fix warning in sysrq generated crash.
    - xhci: Fix ring leak in failure path of xhci_alloc_virt_device()
    - Revert "userfaultfd: selftest: vm: allow to build in vm/ directory"
    - x86/pti/efi: broken conversion from efi to kernel page table
    - 8021q: fix a memory leak for VLAN 0 device
    - ip6_tunnel: disable dst caching if tunnel is dual-stack
    - net: core: fix module type in sock_diag_bind
    - RDS: Heap OOB write in rds_message_alloc_sgs()
    - sh_eth: fix TSU resource handling
    - sh_eth: fix SH7757 GEther initialization
    - net: stmmac: enable EEE in MII, GMII or RGMII only
    - ipv6: fix possible mem leaks in ipv6_make_skb()
    - crypto: algapi - fix NULL dereference in crypto_remove_spawns()
    - rbd: set max_segments to USHRT_MAX
    - x86/microcode/intel: Extend BDW late-loading with a revision check
    - KVM: x86: Add memory barrier on vmcs field lookup
    - drm/vmwgfx: Potential off by one in vmw_view_add()
    - kaiser: Set _PAGE_NX only if supported
    - bpf: don't (ab)use instructions to store state
    - bpf: move fixup_bpf_calls() function
    - bpf: refactor fixup_bpf_calls()
    - bpf: adjust insn_aux_data when patching insns
    - bpf: prevent out-of-bounds speculation
    - bpf, array: fix overflow in max_entries and undefined behavior in index_mask
    - iscsi-target: Make TASK_REASSIGN use proper se_cmd->cmd_kref
    - target: Avoid early CMD_T_PRE_EXECUTE failures during ABORT_TASK
    - USB: serial: cp210x: add IDs for LifeScan OneTouch Verio IQ
    - USB: serial: cp210x: add new device ID ELV ALC 8xxx
    - usb: misc: usb3503: make sure reset is low for at least 100us
    - USB: fix usbmon BUG trigger
    - usbip: remove kernel addresses from usb device and urb debug msgs
    - staging: android: ashmem: fix a race condition in ASHMEM_SET_SIZE ioctl
    - Bluetooth: Prevent stack info leak from the EFS element.
    - uas: ignore UAS for Norelsys NS1068(X) chips
    - e1000e: Fix e1000_check_for_copper_link_ich8lan return value.
    - x86/Documentation: Add PTI description
    - sysfs/cpu: Fix typos in vulnerability documentation
    - x86/alternatives: Fix optimize_nops() checking
    - selftests/x86: Add test_vsyscall
    - Linux 4.4.112

* Xenial update to 4.4.111 stable release (LP: #1745263)
    - x86/kasan: Write protect kasan zero shadow
    - kernel/acct.c: fix the acct->needcheck check in check_free_space()
    - crypto: n2 - cure use after free
    - crypto: chacha20poly1305 - validate the digest size
    - crypto: pcrypt - fix freeing pcrypt instances
    - sunxi-rsb: Include OF based modalias in device uevent
    - fscache: Fix the default for fscache_maybe_release_page()
    - kernel: make groups_sort calling a responsibility group_info allocators
    - kernel/signal.c: protect the traced SIGNAL_UNKILLABLE tasks from SIGKILL
    - kernel/signal.c: protect the SIGNAL_UNKILLABLE tasks from !sig_kernel_only()
      signals
    - kernel/signal.c: remove the no longer needed SIGNAL_UNKILLABLE check in
      complete_signal()
    - ARC: uaccess: dont use "l" gcc inline asm constraint modifier
    - parisc: Fix alignment of pa_tlb_lock in assembly on 32-bit SMP kernel
    - genksyms: Handle string literals with spaces in reference files
    - module: Issue warnings when tainting kernel
    - proc: much faster /proc/vmstat
    - Fix build error in vma.c
    - Linux 4.4.111

* x86/net/bpf: return statement missing value (LP: #1745364)
    - SAUCE: (no-up) arch/x86/bpf: Fix missed return statement

* Ubuntu 16.04 - s390/cpuinfo: show facilities as reported by stfle
    (LP: #1744736)
    - s390/bitops: add for_each_set_bit_inv helper
    - s390/cpuinfo: show facilities as reported by stfle

* Xenial update to 4.4.110 stable release (LP: #1745071)
    - KPTI: Rename to PAGE_TABLE_ISOLATION
    - SAUCE: Replace CONFIG_KAISER with CONFIG_PAGE_TABLE_ISOLATION
    - Linux 4.4.110

* Xenial update to 4.4.109 stable release (LP: #1745069)
    - ACPI: APEI / ERST: Fix missing error handling in erst_reader()
    - crypto: mcryptd - protect the per-CPU queue with a lock
    - mfd: cros ec: spi: Don't send first message too soon
    - mfd: twl4030-audio: Fix sibling-node lookup
    - mfd: twl6040: Fix child-node lookup
    - ALSA: rawmidi: Avoid racy info ioctl via ctl device
    - ALSA: usb-audio: Fix the missing ctl name suffix at parsing SU
    - PCI / PM: Force devices to D0 in pci_pm_thaw_noirq()
    - parisc: Hide Diva-built-in serial aux and graphics card
    - spi: xilinx: Detect stall with Unknown commands
    - KVM: X86: Fix load RFLAGS w/o the fixed bit
    - powerpc/perf: Dereference BHRB entries safely
    - net: mvneta: clear interface link status on port disable
    - tracing: Remove extra zeroing out of the ring buffer page
    - tracing: Fix possible double free on failure of allocating trace buffer
    - tracing: Fix crash when it fails to alloc ring buffer
    - ring-buffer: Mask out the info bits when returning buffer page length
    - iw_cxgb4: Only validate the MSN for successful completions
    - ASoC: fsl_ssi: AC'97 ops need regmap, clock and cleaning up on failure
    - ASoC: twl4030: fix child-node lookup
    - ALSA: hda: Drop useless WARN_ON()
    - ALSA: hda - fix headset mic detection issue on a Dell machine
    - x86/vm86/32: Switch to flush_tlb_mm_range() in mark_screen_rdonly()
    - x86/mm: Remove flush_tlb() and flush_tlb_current_task()
    - x86/mm: Make flush_tlb_mm_range() more predictable
    - x86/mm: Reimplement flush_tlb_page() using flush_tlb_mm_range()
    - x86/mm: Remove the UP asm/tlbflush.h code, always use the (formerly) SMP
      code
    - x86/mm: Add the 'nopcid' boot option to turn off PCID
    - x86/mm/64: Fix reboot interaction with CR4.PCIDE
    - kbuild: add '-fno-stack-check' to kernel build options
    - ipv4: igmp: guard against silly MTU values
    - ipv6: mcast: better catch silly mtu values
    - net: igmp: Use correct source address on IGMPv3 reports
    - netlink: Add netns check on taps
    - net: qmi_wwan: add Sierra EM7565 1199:9091
    - net: reevalulate autoflowlabel setting after sysctl setting
    - tcp md5sig: Use skb's saddr when replying to an incoming segment
    - tg3: Fix rx hang on MTU change with 5717/5719
    - net: mvmdio: disable/unprepare clocks in EPROBE_DEFER case
    - sctp: Replace use of sockets_allocated with specified macro.
    - ipv4: Fix use-after-free when flushing FIB tables
    - net: bridge: fix early call to br_stp_change_bridge_id and plug newlink
      leaks
    - net: phy: micrel: ksz9031: reconfigure autoneg after phy autoneg workaround
    - sock: free skb in skb_complete_tx_timestamp on error
    - usbip: fix usbip bind writing random string after command in match_busid
    - usbip: stub: stop printing kernel pointer addresses in messages
    - usbip: vhci: stop printing kernel pointer addresses in messages
    - USB: serial: ftdi_sio: add id for Airbus DS P8GR
    - USB: serial: qcserial: add Sierra Wireless EM7565
    - USB: serial: option: add support for Telit ME910 PID 0x1101
    - USB: serial: option: adding support for YUGA CLM920-NC5
    - usb: Add device quirk for Logitech HD Pro Webcam C925e
    - usb: add RESET_RESUME for ELSA MicroLink 56K
    - USB: Fix off by one in type-specific length check of BOS SSP capability
    - usb: xhci: Add XHCI_TRUST_TX_LENGTH for Renesas uPD720201
    - nohz: Prevent a timer interrupt storm in tick_nohz_stop_sched_tick()
    - x86/smpboot: Remove stale TLB flush invocations
    - n_tty: fix EXTPROC vs ICANON interaction with TIOCINQ (aka FIONREAD)
    - mm/vmstat: Make NR_TLB_REMOTE_FLUSH_RECEIVED available even on UP
    - Linux 4.4.109

* Xenial update to 4.4.108 stable release (LP: #1745054)
    - arm64: Initialise high_memory global variable earlier
    - cxl: Check if vphb exists before iterating over AFU devices
    - x86/mm: Fix INVPCID asm constraint
    - x86/mm: Add a 'noinvpcid' boot option to turn off INVPCID
    - mm/rmap: batched invalidations should use existing api
    - mm/mmu_context, sched/core: Fix mmu_context.h assumption
    - sched/core: Add switch_mm_irqs_off() and use it in the scheduler
    - x86/mm, sched/core: Turn off IRQs in switch_mm()
    - ARM: Hide finish_arch_post_lock_switch() from modules
    - sched/core: Idle_task_exit() shouldn't use switch_mm_irqs_off()
    - x86/irq: Do not substract irq_tlb_count from irq_call_count
    - ALSA: hda - add support for docking station for HP 820 G2
    - ALSA: hda - add support for docking station for HP 840 G3
    - arm: kprobes: Fix the return address of multiple kretprobes
    - arm: kprobes: Align stack to 8-bytes in test code
    - cpuidle: Validate cpu_dev in cpuidle_add_sysfs()
    - crypto: deadlock between crypto_alg_sem/rtnl_mutex/genl_mutex
    - sch_dsmark: fix invalid skb_cow() usage
    - bna: integer overflow bug in debugfs
    - net: qmi_wwan: Add USB IDs for MDM6600 modem on Motorola Droid 4
    - usb: gadget: f_uvc: Sanity check wMaxPacketSize for SuperSpeed
    - usb: gadget: udc: remove pointer dereference after free
    - netfilter: nfnl_cthelper: fix runtime expectation policy updates
    - netfilter: nfnl_cthelper: Fix memory leak
    - inet: frag: release spinlock before calling icmp_send()
    - pinctrl: st: add irq_request/release_resources callbacks
    - scsi: lpfc: Fix PT2PT PRLI reject
    - KVM: x86: correct async page present tracepoint
    - KVM: VMX: Fix enable VPID conditions
    - ARM: dts: ti: fix PCI bus dtc warnings
    - hwmon: (asus_atk0110) fix uninitialized data access
    - HID: xinmo: fix for out of range for THT 2P arcade controller.
    - r8152: prevent the driver from transmitting packets with carrier off
    - s390/qeth: no ETH header for outbound AF_IUCV
    - bna: avoid writing uninitialized data into hw registers
    - net: Do not allow negative values for busy_read and busy_poll sysctl
      interfaces
    - i40e: Do not enable NAPI on q_vectors that have no rings
    - RDMA/iser: Fix possible mr leak on device removal event
    - irda: vlsi_ir: fix check for DMA mapping errors
    - netfilter: nfnl_cthelper: fix a race when walk the nf_ct_helper_hash table
    - netfilter: nf_nat_snmp: Fix panic when snmp_trap_helper fails to register
    - ARM: dts: am335x-evmsk: adjust mmc2 param to allow suspend
    - KVM: pci-assign: do not map smm memory slot pages in vt-d page tables
    - isdn: kcapi: avoid uninitialized data
    - xhci: plat: Register shutdown for xhci_plat
    - netfilter: nfnetlink_queue: fix secctx memory leak
    - ARM: dma-mapping: disallow dma_get_sgtable() for non-kernel managed memory
    - cpuidle: powernv: Pass correct drv->cpumask for registration
    - bnxt_en: Fix NULL pointer dereference in reopen failure path
    - backlight: pwm_bl: Fix overflow condition
    - crypto: crypto4xx - increase context and scatter ring buffer elements
    - rtc: pl031: make interrupt optional
    - net: phy: at803x: Change error to EINVAL for invalid MAC
    - PCI: Avoid bus reset if bridge itself is broken
    - scsi: cxgb4i: fix Tx skb leak
    - scsi: mpt3sas: Fix IO error occurs on pulling out a drive from RAID1 volume
      created on two SATA drive
    - PCI: Create SR-IOV virtfn/physfn links before attaching driver
    - igb: check memory allocation failure
    - ixgbe: fix use of uninitialized padding
    - PCI/AER: Report non-fatal errors only to the affected endpoint
    - scsi: lpfc: Fix secure firmware updates
    - scsi: lpfc: PLOGI failures during NPIV testing
    - fm10k: ensure we process SM mbx when processing VF mbx
    - tcp: fix under-evaluated ssthresh in TCP Vegas
    - rtc: set the alarm to the next expiring timer
    - cpuidle: fix broadcast control when broadcast can not be entered
    - thermal: hisilicon: Handle return value of clk_prepare_enable
    - MIPS: math-emu: Fix final emulation phase for certain instructions
    - Revert "Bluetooth: btusb: driver to enable the usb-wakeup feature"
    - ALSA: hda - Clear the leftover component assignment at snd_hdac_i915_exit()
    - ALSA: hda - Degrade i915 binding failure message
    - ALSA: hda - Fix yet another i915 pointer leftover in error path
    - alpha: fix build failures
    - Linux 4.4.108

* Xenial update to 4.4.107 stable release (LP: #1745052)
    - crypto: hmac - require that the underlying hash algorithm is unkeyed
    - crypto: salsa20 - fix blkcipher_walk API usage
    - autofs: fix careless error in recent commit
    - tracing: Allocate mask_str buffer dynamically
    - USB: uas and storage: Add US_FL_BROKEN_FUA for another JMicron JMS567 ID
    - USB: core: prevent malicious bNumInterfaces overflow
    - usbip: fix stub_send_ret_submit() vulnerability to null transfer_buffer
    - ceph: drop negative child dentries before try pruning inode's alias
    - Bluetooth: btusb: driver to enable the usb-wakeup feature
    - xhci: Don't add a virt_dev to the devs array before it's fully allocated
    - sched/rt: Do not pull from current CPU if only one CPU to pull
    - dmaengine: dmatest: move callback wait queue to thread context
    - ext4: fix fdatasync(2) after fallocate(2) operation
    - ext4: fix crash when a directory's i_size is too small
    - KEYS: add missing permission check for request_key() destination
    - mac80211: Fix addition of mesh configuration element
    - usb: phy: isp1301: Add OF device ID table
    - md-cluster: free md_cluster_info if node leave cluster
    - userfaultfd: shmem: __do_fault requires VM_FAULT_NOPAGE
    - userfaultfd: selftest: vm: allow to build in vm/ directory
    - net: initialize msg.msg_flags in recvfrom
    - net: bcmgenet: correct the RBUF_OVFL_CNT and RBUF_ERR_CNT MIB values
    - net: bcmgenet: correct MIB access of UniMAC RUNT counters
    - net: bcmgenet: reserved phy revisions must be checked first
    - net: bcmgenet: power down internal phy if open or resume fails
    - net: bcmgenet: Power up the internal PHY before probing the MII
    - NFSD: fix nfsd_minorversion(.., NFSD_AVAIL)
    - NFSD: fix nfsd_reset_versions for NFSv4.
    - Input: i8042 - add TUXEDO BU1406 (N24_25BU) to the nomux list
    - drm/omap: fix dmabuf mmap for dma_alloc'ed buffers
    - netfilter: bridge: honor frag_max_size when refragmenting
    - writeback: fix memory leak in wb_queue_work()
    - net: wimax/i2400m: fix NULL-deref at probe
    - dmaengine: Fix array index out of bounds warning in __get_unmap_pool()
    - net: Resend IGMP memberships upon peer notification.
    - mlxsw: reg: Fix SPVM max record count
    - mlxsw: reg: Fix SPVMLR max record count
    - intel_th: pci: Add Gemini Lake support
    - openrisc: fix issue handling 8 byte get_user calls
    - scsi: hpsa: update check for logical volume status
    - scsi: hpsa: limit outstanding rescans
    - fjes: Fix wrong netdevice feature flags
    - drm/radeon/si: add dpm quirk for Oland
    - sched/deadline: Make sure the replenishment timer fires in the next period
    - sched/deadline: Throttle a constrained deadline task activated after the
      deadline
    - sched/deadline: Use deadline instead of period when calculating overflow
    - mmc: mediatek: Fixed bug where clock frequency could be set wrong
    - drm/radeon: reinstate oland workaround for sclk
    - afs: Fix missing put_page()
    - afs: Populate group ID from vnode status
    - afs: Adjust mode bits processing
    - afs: Flush outstanding writes when an fd is closed
    - afs: Migrate vlocation fields to 64-bit
    - afs: Prevent callback expiry timer overflow
    - afs: Fix the maths in afs_fs_store_data()
    - afs: Populate and use client modification time
    - afs: Fix page leak in afs_write_begin()
    - afs: Fix afs_kill_pages()
    - perf symbols: Fix symbols__fixup_end heuristic for corner cases
    - efi/esrt: Cleanup bad memory map log messages
    - NFSv4.1 respect server's max size in CREATE_SESSION
    - btrfs: add missing memset while reading compressed inline extents
    - target: Use system workqueue for ALUA transitions
    - target: fix ALUA transition timeout handling
    - target: fix race during implicit transition work flushes
    - sfc: don't warn on successful change of MAC
    - fbdev: controlfb: Add missing modes to fix out of bounds access
    - video: udlfb: Fix read EDID timeout
    - video: fbdev: au1200fb: Release some resources if a memory allocation fails
    - video: fbdev: au1200fb: Return an error code if a memory allocation fails
    - rtc: pcf8563: fix output clock rate
    - dmaengine: ti-dma-crossbar: Correct am335x/am43xx mux value type
    - PCI/PME: Handle invalid data when reading Root Status
    - powerpc/powernv/cpufreq: Fix the frequency read by /proc/cpuinfo
    - netfilter: ipvs: Fix inappropriate output of procfs
    - powerpc/opal: Fix EBUSY bug in acquiring tokens
    - powerpc/ipic: Fix status get and status clear
    - target/iscsi: Fix a race condition in iscsit_add_reject_from_cmd()
    - iscsi-target: fix memory leak in lio_target_tiqn_addtpg()
    - target:fix condition return in core_pr_dump_initiator_port()
    - target/file: Do not return error for UNMAP if length is zero
    - arm-ccn: perf: Prevent module unload while PMU is in use
    - crypto: tcrypt - fix buffer lengths in test_aead_speed()
    - mm: Handle 0 flags in _calc_vm_trans() macro
    - clk: mediatek: add the option for determining PLL source clock
    - clk: imx6: refine hdmi_isfr's parent to make HDMI work on i.MX6 SoCs w/o VPU
    - clk: tegra: Fix cclk_lp divisor register
    - ppp: Destroy the mutex when cleanup
    - thermal/drivers/step_wise: Fix temperature regulation misbehavior
    - GFS2: Take inode off order_write list when setting jdata flag
    - bcache: explicitly destroy mutex while exiting
    - bcache: fix wrong cache_misses statistics
    - l2tp: cleanup l2tp_tunnel_delete calls
    - xfs: fix log block underflow during recovery cycle verification
    - xfs: fix incorrect extent state in xfs_bmap_add_extent_unwritten_real
    - PCI: Detach driver before procfs & sysfs teardown on device remove
    - scsi: hpsa: cleanup sas_phy structures in sysfs when unloading
    - scsi: hpsa: destroy sas transport properties before scsi_host
    - powerpc/perf/hv-24x7: Fix incorrect comparison in memord
    - tty fix oops when rmmod 8250
    - usb: musb: da8xx: fix babble condition handling
    - pinctrl: adi2: Fix Kconfig build problem
    - raid5: Set R5_Expanded on parity devices as well as data.
    - scsi: scsi_devinfo: Add REPORTLUN2 to EMC SYMMETRIX blacklist entry
    - vt6655: Fix a possible sleep-in-atomic bug in vt6655_suspend
    - scsi: sd: change manage_start_stop to bool in sysfs interface
    - scsi: sd: change allow_restart to bool in sysfs interface
    - scsi: bfa: integer overflow in debugfs
    - udf: Avoid overflow when session starts at large offset
    - macvlan: Only deliver one copy of the frame to the macvlan interface
    - RDMA/cma: Avoid triggering undefined behavior
    - IB/ipoib: Grab rtnl lock on heavy flush when calling ndo_open/stop
    - ath9k: fix tx99 potential info leak
    - Linux 4.4.107

* Xenial update to 4.4.106 stable release (LP: #1745047)
    - can: ti_hecc: Fix napi poll return value for repoll
    - can: kvaser_usb: free buf in error paths
    - can: kvaser_usb: Fix comparison bug in kvaser_usb_read_bulk_callback()
    - can: kvaser_usb: ratelimit errors if incomplete messages are received
    - can: kvaser_usb: cancel urb on -EPIPE and -EPROTO
    - can: ems_usb: cancel urb on -EPIPE and -EPROTO
    - can: esd_usb2: cancel urb on -EPIPE and -EPROTO
    - can: usb_8dev: cancel urb on -EPIPE and -EPROTO
    - virtio: release virtio index when fail to device_register
    - hv: kvp: Avoid reading past allocated blocks from KVP file
    - isa: Prevent NULL dereference in isa_bus driver callbacks
    - scsi: libsas: align sata_device's rps_resp on a cacheline
    - efi: Move some sysfs files to be read-only by root
    - ASN.1: fix out-of-bounds read when parsing indefinite length item
    - ASN.1: check for error from ASN1_OP_END__ACT actions
    - X.509: reject invalid BIT STRING for subjectPublicKey
    - x86/PCI: Make broadcom_postcore_init() check acpi_disabled
    - ALSA: pcm: prevent UAF in snd_pcm_info
    - ALSA: seq: Remove spurious WARN_ON() at timer check
    - ALSA: usb-audio: Fix out-of-bound error
    - ALSA: usb-audio: Add check return value for usb_string()
    - iommu/vt-d: Fix scatterlist offset handling
    - s390: fix compat system call table
    - kdb: Fix handling of kallsyms_symbol_next() return value
    - drm: extra printk() wrapper macros
    - drm/exynos: gem: Drop NONCONTIG flag for buffers allocated without IOMMU
    - media: dvb: i2c transfers over usb cannot be done from stack
    - arm64: KVM: fix VTTBR_BADDR_MASK BUG_ON off-by-one
    - KVM: VMX: remove I/O port 0x80 bypass on Intel hosts
    - arm64: fpsimd: Prevent registers leaking from dead tasks
    - ARM: BUG if jumping to usermode address in kernel mode
    - ARM: avoid faulting on qemu
    - thp: reduce indentation level in change_huge_pmd()
    - thp: fix MADV_DONTNEED vs. numa balancing race
    - mm: drop unused pmdp_huge_get_and_clear_notify()
    - Revert "drm/armada: Fix compile fail"
    - Revert "spi: SPI_FSL_DSPI should depend on HAS_DMA"
    - Revert "s390/kbuild: enable modversions for symbols exported from asm"
    - vti6: Don't report path MTU below IPV6_MIN_MTU.
    - ARM: OMAP2+: gpmc-onenand: propagate error on initialization failure
    - x86/hpet: Prevent might sleep splat on resume
    - selftest/powerpc: Fix false failures for skipped tests
    - module: set __jump_table alignment to 8
    - ARM: OMAP2+: Fix device node reference counts
    - ARM: OMAP2+: Release device node after it is no longer needed.
    - gpio: altera: Use handle_level_irq when configured as a level_high
    - HID: chicony: Add support for another ASUS Zen AiO keyboard
    - usb: gadget: configs: plug memory leak
    - USB: gadgetfs: Fix a potential memory leak in 'dev_config()'
    - kvm: nVMX: VMCLEAR should not cause the vCPU to shut down
    - libata: drop WARN from protocol error in ata_sff_qc_issue()
    - workqueue: trigger WARN if queue_delayed_work() is called with NULL @wq
    - scsi: lpfc: Fix crash during Hardware error recovery on SLI3 adapters
    - irqchip/crossbar: Fix incorrect type of register size
    - KVM: nVMX: reset nested_run_pending if the vCPU is going to be reset
    - arm: KVM: Survive unknown traps from guests
    - arm64: KVM: Survive unknown traps from guests
    - spi_ks8995: fix "BUG: key accdaa28 not in .data!"
    - bnx2x: prevent crash when accessing PTP with interface down
    - bnx2x: fix possible overrun of VFPF multicast addresses array
    - bnx2x: do not rollback VF MAC/VLAN filters we did not configure
    - ipv6: reorder icmpv6_init() and ip6_mr_init()
    - crypto: s5p-sss - Fix completing crypto request in IRQ handler
    - i2c: riic: fix restart condition
    - zram: set physical queue limits to avoid array out of bounds accesses
    - netfilter: don't track fragmented packets
    - axonram: Fix gendisk handling
    - drm/amd/amdgpu: fix console deadlock if late init failed
    - powerpc/powernv/ioda2: Gracefully fail if too many TCE levels requested
    - EDAC, i5000, i5400: Fix use of MTR_DRAM_WIDTH macro
    - EDAC, i5000, i5400: Fix definition of NRECMEMB register
    - kbuild: pkg: use --transform option to prefix paths in tar
    - mac80211_hwsim: Fix memory leak in hwsim_new_radio_nl()
    - route: also update fnhe_genid when updating a route cache
    - route: update fnhe_expires for redirect when the fnhe exists
    - lib/genalloc.c: make the avail variable an atomic_long_t
    - dynamic-debug-howto: fix optional/omitted ending line number to be LARGE
      instead of 0
    - NFS: Fix a typo in nfs_rename()
    - sunrpc: Fix rpc_task_begin trace point
    - block: wake up all tasks blocked in get_request()
    - sparc64/mm: set fields in deferred pages
    - sctp: do not free asoc when it is already dead in sctp_sendmsg
    - sctp: use the right sk after waking up from wait_buf sleep
    - atm: horizon: Fix irq release error
    - jump_label: Invoke jump_label_test() via early_initcall()
    - xfrm: Copy policy family in clone_policy
    - IB/mlx4: Increase maximal message size under UD QP
    - IB/mlx5: Assign send CQ and recv CQ of UMR QP
    - afs: Connect up the CB.ProbeUuid
    - ipvlan: fix ipv6 outbound device
    - audit: ensure that 'audit=1' actually enables audit for PID 1
    - ipmi: Stop timers before cleaning up the module
    - s390: always save and restore all registers on context switch
    - tipc: fix memory leak in tipc_accept_from_sock()
    - rds: Fix NULL pointer dereference in __rds_rdma_map
    - sit: update frag_off info
    - packet: fix crash in fanout_demux_rollover()
    - net/packet: fix a race in packet_bind() and packet_notifier()
    - Revert "x86/efi: Build our own page table structures"
    - Revert "x86/efi: Hoist page table switching code into efi_call_virt()"
    - Revert "x86/mm/pat: Ensure cpa->pfn only contains page frame numbers"
    - arm: KVM: Fix VTTBR_BADDR_MASK BUG_ON off-by-one
    - usb: gadget: ffs: Forbid usb_ep_alloc_request from sleeping
    - Linux 4.4.106

* Xenial update to 4.4.105 stable release (LP: #1745046)
    - bcache: only permit to recovery read error when cache device is clean
    - bcache: recover data from backing when data is clean
    - uas: Always apply US_FL_NO_ATA_1X quirk to Seagate devices
    - usb: quirks: Add no-lpm quirk for KY-688 USB 3.1 Type-C Hub
    - serial: 8250_pci: Add Amazon PCI serial device ID
    - s390/runtime instrumentation: simplify task exit handling
    - USB: serial: option: add Quectel BG96 id
    - ima: fix hash algorithm initialization
    - s390/pci: do not require AIS facility
    - selftests/x86/ldt_get: Add a few additional tests for limits
    - serial: 8250_fintek: Fix rs485 disablement on invalid ioctl()
    - spi: sh-msiof: Fix DMA transfer size check
    - usb: phy: tahvo: fix error handling in tahvo_usb_probe()
    - serial: 8250: Preserve DLD[7:4] for PORT_XR17V35X
    - x86/entry: Use SYSCALL_DEFINE() macros for sys_modify_ldt()
    - EDAC, sb_edac: Fix missing break in switch
    - sysrq : fix Show Regs call trace on ARM
    - perf test attr: Fix ignored test case result
    - kprobes/x86: Disable preemption in ftrace-based jprobes
    - net: systemport: Utilize skb_put_padto()
    - net: systemport: Pad packet before inserting TSB
    - ARM: OMAP1: DMA: Correct the number of logical channels
    - vti6: fix device register to report IFLA_INFO_KIND
    - net/appletalk: Fix kernel memory disclosure
    - ravb: Remove Rx overflow log messages
    - nfs: Don't take a reference on fl->fl_file for LOCK operation
    - KVM: arm/arm64: Fix occasional warning from the timer work function
    - NFSv4: Fix client recovery when server reboots multiple times
    - drm/exynos/decon5433: set STANDALONE_UPDATE_F on output enablement
    - net: sctp: fix array overrun read on sctp_timer_tbl
    - tipc: fix cleanup at module unload
    - dmaengine: pl330: fix double lock
    - tcp: correct memory barrier usage in tcp_check_space()
    - mm: avoid returning VM_FAULT_RETRY from ->page_mkwrite handlers
    - xen-netfront: Improve error handling during initialization
    - net: fec: fix multicast filtering hardware setup
    - Revert "ocfs2: should wait dio before inode lock in ocfs2_setattr()"
    - usb: hub: Cycle HUB power when initialization fails
    - usb: xhci: fix panic in xhci_free_virt_devices_depth_first
    - usb: ch9: Add size macro for SSP dev cap descriptor
    - USB: core: Add type-specific length check of BOS descriptors
    - USB: Increase usbfs transfer limit
    - USB: devio: Prevent integer overflow in proc_do_submiturb()
    - USB: usbfs: Filter flags passed in from user space
    - usb: host: fix incorrect updating of offset
    - xen-netfront: avoid crashing on resume after a failure in talk_to_netback()
    - Linux 4.4.105

* Xenial update to 4.4.104 stable release (LP: #1745043)
    - x86/mm/pat: Ensure cpa->pfn only contains page frame numbers
    - x86/efi: Hoist page table switching code into efi_call_virt()
    - x86/efi: Build our own page table structures
    - ARM: dts: omap3: logicpd-torpedo-37xx-devkit: Fix MMC1 cd-gpio
    - x86/efi-bgrt: Fix kernel panic when mapping BGRT data
    - x86/efi-bgrt: Replace early_memremap() with memremap()
    - mm/madvise.c: fix madvise() infinite loop under special circumstances
    - btrfs: clear space cache inode generation always
    - KVM: x86: pvclock: Handle first-time write to pvclock-page contains random
      junk
    - KVM: x86: Exit to user-mode on #UD intercept when emulator requires
    - KVM: x86: inject exceptions produced by x86_decode_insn
    - mmc: core: Do not leave the block driver in a suspended state
    - eeprom: at24: check at24_read/write arguments
    - bcache: Fix building error on MIPS
    - Revert "drm/radeon: dont switch vt on suspend"
    - drm/radeon: fix atombios on big endian
    - drm/panel: simple: Add missing panel_simple_unprepare() calls
    - mtd: nand: Fix writing mtdoops to nand flash.
    - NFS: revalidate "." etc correctly on "open".
    - drm/i915: Don't try indexed reads to alternate slave addresses
    - drm/i915: Prevent zero length "index" write
    - nfsd: Make init_open_stateid() a bit more whole
    - nfsd: Fix stateid races between OPEN and CLOSE
    - nfsd: Fix another OPEN stateid race
    - Linux 4.4.104

* Xenial update to 4.4.103 stable release (LP: #1744873)
    - s390: fix transactional execution control register handling
    - s390/runtime instrumention: fix possible memory corruption
    - s390/disassembler: add missing end marker for e7 table
    - s390/disassembler: increase show_code buffer size
    - AF_VSOCK: Shrink the area influenced by prepare_to_wait
    - vsock: use new wait API for vsock_stream_sendmsg()
    - sched: Make resched_cpu() unconditional
    - lib/mpi: call cond_resched() from mpi_powm() loop
    - x86/decoder: Add new TEST instruction pattern
    - ARM: 8722/1: mm: make STRICT_KERNEL_RWX effective for LPAE
    - ARM: 8721/1: mm: dump: check hardware RO bit for LPAE
    - MIPS: ralink: Fix MT7628 pinmux
    - MIPS: ralink: Fix typo in mt7628 pinmux function
    - ALSA: hda: Add Raven PCI ID
    - dm bufio: fix integer overflow when limiting maximum cache size
    - dm: fix race between dm_get_from_kobject() and __dm_destroy()
    - MIPS: Fix an n32 core file generation regset support regression
    - MIPS: BCM47XX: Fix LED inversion for WRT54GSv1
    - autofs: don't fail mount for transient error
    - nilfs2: fix race condition that causes file system corruption
    - eCryptfs: use after free in ecryptfs_release_messaging()
    - bcache: check ca->alloc_thread initialized before wake up it
    - isofs: fix timestamps beyond 2027
    - NFS: Fix typo in nomigration mount option
    - nfs: Fix ugly referral attributes
    - nfsd: deal with revoked delegations appropriately
    - rtlwifi: rtl8192ee: Fix memory leak when loading firmware
    - rtlwifi: fix uninitialized rtlhal->last_suspend_sec time
    - ata: fixes kernel crash while tracing ata_eh_link_autopsy event
    - ext4: fix interaction between i_size, fallocate, and delalloc after a crash
    - ALSA: pcm: update tstamp only if audio_tstamp changed
    - ALSA: usb-audio: Add sanity checks to FE parser
    - ALSA: usb-audio: Fix potential out-of-bound access at parsing SU
    - ALSA: usb-audio: Add sanity checks in v2 clock parsers
    - ALSA: timer: Remove kernel warning at compat ioctl error paths
    - ALSA: hda/realtek - Fix ALC700 family no sound issue
    - fix a page leak in vhost_scsi_iov_to_sgl() error recovery
    - fs/9p: Compare qid.path in v9fs_test_inode
    - iscsi-target: Fix non-immediate TMR reference leak
    - target: Fix QUEUE_FULL + SCSI task attribute handling
    - KVM: nVMX: set IDTR and GDTR limits when loading L1 host state
    - KVM: SVM: obey guest PAT
    - SUNRPC: Fix tracepoint storage issues with svc_recv and svc_rqst_status
    - clk: ti: dra7-atl-clock: Fix of_node reference counting
    - clk: ti: dra7-atl-clock: fix child-node lookups
    - libnvdimm, namespace: fix label initialization to use valid seq numbers
    - libnvdimm, namespace: make 'resource' attribute only readable by root
    - IB/srpt: Do not accept invalid initiator port names
    - IB/srp: Avoid that a cable pull can trigger a kernel crash
    - NFC: fix device-allocation error return
    - i40e: Use smp_rmb rather than read_barrier_depends
    - igb: Use smp_rmb rather than read_barrier_depends
    - igbvf: Use smp_rmb rather than read_barrier_depends
    - ixgbevf: Use smp_rmb rather than read_barrier_depends
    - i40evf: Use smp_rmb rather than read_barrier_depends
    - fm10k: Use smp_rmb rather than read_barrier_depends
    - ixgbe: Fix skb list corruption on Power systems
    - parisc: Fix validity check of pointer size argument in new CAS
      implementation
    - powerpc/signal: Properly handle return value from uprobe_deny_signal()
    - media: Don't do DMA on stack for firmware upload in the AS102 driver
    - media: rc: check for integer overflow
    - cx231xx-cards: fix NULL-deref on missing association descriptor
    - media: v4l2-ctrl: Fix flags field on Control events
    - sched/rt: Simplify the IPI based RT balancing logic
    - fscrypt: lock mutex before checking for bounce page pool
    - net/9p: Switch to wait_event_killable()
    - PM / OPP: Add missing of_node_put(np)
    - e1000e: Fix error path in link detection
    - e1000e: Fix return value test
    - RDS: RDMA: return appropriate error on rdma map failures
    - PCI: Apply _HPX settings only to relevant devices
    - dmaengine: zx: set DMA_CYCLIC cap_mask bit
    - net: Allow IP_MULTICAST_IF to set index to L3 slave
    - net: 3com: typhoon: typhoon_init_one: make return values more specific
    - net: 3com: typhoon: typhoon_init_one: fix incorrect return values
    - drm/armada: Fix compile fail
    - ath10k: fix incorrect txpower set by P2P_DEVICE interface
    - ath10k: ignore configuring the incorrect board_id
    - ath10k: fix potential memory leak in ath10k_wmi_tlv_op_pull_fw_stats()
    - ath10k: set CTS protection VDEV param only if VDEV is up
    - ALSA: hda - Apply ALC269_FIXUP_NO_SHUTUP on HDA_FIXUP_ACT_PROBE
    - drm: Apply range restriction after color adjustment when allocation
    - mac80211: Remove invalid flag operations in mesh TSF synchronization
    - mac80211: Suppress NEW_PEER_CANDIDATE event if no room
    - iio: light: fix improper return value
    - staging: iio: cdc: fix improper return value
    - spi: SPI_FSL_DSPI should depend on HAS_DMA
    - netfilter: nft_queue: use raw_smp_processor_id()
    - netfilter: nf_tables: fix oob access
    - ASoC: rsnd: don't double free kctrl
    - btrfs: return the actual error value from from btrfs_uuid_tree_iterate
    - ASoC: wm_adsp: Don't overrun firmware file buffer when reading region data
    - s390/kbuild: enable modversions for symbols exported from asm
    - xen: xenbus driver must not accept invalid transaction ids
    - Revert "sctp: do not peel off an assoc from one netns to another one"
    - Linux 4.4.103

* ppc64el: Do not call ibm,os-term on panic (LP: #1736954)
    - powerpc: Do not call ppc_md.panic in fadump panic notifier

* Xenial update to 4.4.102 stable release (LP: #1744870)
    - mm, hwpoison: fixup "mm: check the return value of lookup_page_ext for all
      call sites"
    - Linux 4.4.102

* Xenial update to 4.4.101 stable release (LP: #1744794)
    - tcp: do not mangle skb->cb[] in tcp_make_synack()
    - netfilter/ipvs: clear ipvs_property flag when SKB net namespace changed
    - bonding: discard lowest hash bit for 802.3ad layer3+4
    - vlan: fix a use-after-free in vlan_device_event()
    - af_netlink: ensure that NLMSG_DONE never fails in dumps
    - sctp: do not peel off an assoc from one netns to another one
    - fealnx: Fix building error on MIPS
    - net/sctp: Always set scope_id in sctp_inet6_skb_msgname
    - ima: do not update security.ima if appraisal status is not INTEGRITY_PASS
    - serial: omap: Fix EFR write on RTS deassertion
    - arm64: fix dump_instr when PAN and UAO are in use
    - ocfs2: should wait dio before inode lock in ocfs2_setattr()
    - ipmi: fix unsigned long underflow
    - mm/page_alloc.c: broken deferred calculation
    - coda: fix 'kernel memory exposure attempt' in fsync
    - mm: check the return value of lookup_page_ext for all call sites
    - mm/page_ext.c: check if page_ext is not prepared
    - mm/pagewalk.c: report holes in hugetlb ranges
    - Linux 4.4.101

* Xenial update to 4.4.100 stable release (LP: #1744639)
    - media: imon: Fix null-ptr-deref in imon_probe
    - media: dib0700: fix invalid dvb_detach argument
    - KVM: x86: fix singlestepping over syscall
    - net: cdc_ether: fix divide by 0 on bad descriptors
    - net: qmi_wwan: fix divide by 0 on bad descriptors
    - arm: crypto: reduce priority of bit-sliced AES cipher
    - Bluetooth: btusb: fix QCA Rome suspend/resume
    - dmaengine: dmatest: warn user when dma test times out
    - extcon: palmas: Check the parent instance to prevent the NULL
    - fm10k: request reset when mbx->state changes
    - ARM: dts: Fix compatible for ti81xx uarts for 8250
    - ARM: dts: Fix am335x and dm814x scm syscon to probe children
    - ARM: OMAP2+: Fix init for multiple quirks for the same SoC
    - ARM: dts: Fix omap3 off mode pull defines
    - ata: ATA_BMDMA should depend on HAS_DMA
    - ata: SATA_HIGHBANK should depend on HAS_DMA
    - ata: SATA_MV should depend on HAS_DMA
    - drm/sti: sti_vtg: Handle return NULL error from devm_ioremap_nocache
    - igb: reset the PHY before reading the PHY ID
    - igb: close/suspend race in netif_device_detach
    - igb: Fix hw_dbg logging in igb_update_flash_i210
    - scsi: ufs-qcom: Fix module autoload
    - scsi: ufs: add capability to keep auto bkops always enabled
    - staging: rtl8188eu: fix incorrect ERROR tags from logs
    - scsi: lpfc: FCoE VPort enable-disable does not bring up the VPort
    - scsi: lpfc: Correct host name in symbolic_name field
    - scsi: lpfc: Correct issue leading to oops during link reset
    - scsi: lpfc: Clear the VendorVersion in the PLOGI/PLOGI ACC payload
    - ALSA: vx: Don't try to update capture stream before running
    - ALSA: vx: Fix possible transfer overflow
    - backlight: lcd: Fix race condition during register
    - backlight: adp5520: Fix error handling in adp5520_bl_probe()
    - gpu: drm: mgag200: mgag200_main:- Handle error from pci_iomap
    - ALSA: hda/realtek - Add new codec ID ALC299
    - arm64: dts: NS2: reserve memory for Nitro firmware
    - ixgbe: fix AER error handling
    - ixgbe: handle close/suspend race with netif_device_detach/present
    - ixgbe: Reduce I2C retry count on X550 devices
    - ixgbe: add mask for 64 RSS queues
    - ixgbe: do not disable FEC from the driver
    - staging: rtl8712: fixed little endian problem
    - MIPS: End asm function prologue macros with .insn
    - mm: add PHYS_PFN, use it in __phys_to_pfn()
    - MIPS: init: Ensure bootmem does not corrupt reserved memory
    - MIPS: init: Ensure reserved memory regions are not added to bootmem
    - MIPS: Netlogic: Exclude netlogic,xlp-pic code from XLR builds
    - Revert "crypto: xts - Add ECB dependency"
    - Revert "uapi: fix linux/rds.h userspace compilation errors"
    - uapi: fix linux/rds.h userspace compilation error
    - uapi: fix linux/rds.h userspace compilation errors
    - USB: usbfs: compute urb->actual_length for isochronous
    - USB: Add delay-init quirk for Corsair K70 LUX keyboards
    - USB: serial: qcserial: add pid/vid for Sierra Wireless EM7355 fw update
    - USB: serial: garmin_gps: fix I/O after failed probe and remove
    - USB: serial: garmin_gps: fix memory leak on probe errors
    - Linux 4.4.100

* Xenial update to 4.4.99 stable release (LP: #1744636)
    - mac80211: accept key reinstall without changing anything
    - mac80211: use constant time comparison with keys
    - mac80211: don't compare TKIP TX MIC key in reinstall prevention
    - usb: usbtest: fix NULL pointer dereference
    - Input: ims-psu - check if CDC union descriptor is sane
    - ALSA: seq: Cancel pending autoload work at unbinding device
    - tun/tap: sanitize TUNSETSNDBUF input
    - tcp: fix tcp_mtu_probe() vs highest_sack
    - l2tp: check ps->sock before running pppol2tp_session_ioctl()
    - tun: call dev_get_valid_name() before register_netdevice()
    - sctp: add the missing sock_owned_by_user check in sctp_icmp_redirect
    - packet: avoid panic in packet_getsockopt()
    - ipv6: flowlabel: do not leave opt->tot_len with garbage
    - net/unix: don't show information about sockets from other namespaces
    - ip6_gre: only increase err_count for some certain type icmpv6 in ip6gre_err
    - tun: allow positive return values on dev_get_valid_name() call
    - sctp: reset owner sk for data chunks on out queues when migrating a sock
    - ppp: fix race in ppp device destruction
    - ipip: only increase err_count for some certain type icmp in ipip_err
    - tcp/dccp: fix ireq->opt races
    - tcp/dccp: fix lockdep splat in inet_csk_route_req()
    - tcp/dccp: fix other lockdep splats accessing ireq_opt
    - security/keys: add CONFIG_KEYS_COMPAT to Kconfig
    - tipc: fix link attribute propagation bug
    - brcmfmac: remove setting IBSS mode when stopping AP
    - target/iscsi: Fix iSCSI task reassignment handling
    - target: Fix node_acl demo-mode + uncached dynamic shutdown regression
    - misc: panel: properly restore atomic counter on error path
    - Linux 4.4.99

* elantech touchpad of Lenovo L480/580 failed to detect hw_version
    (LP: #1733605)
    - Input: elantech - add new icbody type 15

* Disabling zfs does not always disable module checks for the zfs modules
    (LP: #1737176)
    - [Packaging] disable zfs module checks when zfs is disabled

* Using asymmetric key for IMA appraisal crashes the system in Ubuntu 16.04
    (LP: #1735977)
    - integrity: convert digsig to akcipher api

* CVE-2017-17450
    - netfilter: xt_osf: Add missing permission checks

* CVE-2017-15129
    - net: Fix double free and memory corruption in get_net_ns_by_id()

* CVE-2018-5344
    - loop: fix concurrent lo_open/lo_release

* [KVM] Lower the default for halt_poll_ns to 200000 ns (LP: #1724614)
    - KVM: x86: lower default for halt_poll_ns

* $(LOCAL_ENV_CC) and $(LOCAL_ENV_DISTCC_HOSTS) should be properly quoted
    (LP: #1744077)
    - [Debian] pass LOCAL_ENV_CC and LOCAL_ENV_DISTCC_HOSTS properly

* Redpine: Wifi/BT not functioning after s3 resume (LP: #1742090) //
    [16.04][classic] Redpine: wowlan feature doesn't work (LP: #1742094)
    - SAUCE: Redpine: fix for wowlan wakeup failure
    - SAUCE: Redpine: fix data issue with non-uapsd APs
    - SAUCE: Redpine: fix reset card issue
    - SAUCE: Redpine: fix wowlan issue

* Using an NVMe drive causes huge power drain (LP: #1664602) // Samsung SSD
    960 EVO 500GB refused to change power state (LP: #1705748)
    - nvme-pci: disable APST on Samsung SSD 960 EVO + ASUS PRIME B350M-A

* Using an NVMe drive causes huge power drain (LP: #1664602)
    - nvme/scsi: Remove power management support
    - nvme: return the whole CQE through the request passthrough interface
    - nvme: factor out a add nvme_is_write helper
    - nvme: Modify and export sync command submission for fabrics
    - nvme: Fix nvme_get/set_features() with a NULL result pointer
    - nvme: Pass pointers, not dma addresses, to nvme_get/set_features()
    - nvme: Add a quirk mechanism that uses identify_ctrl
    - nvme: Enable autonomous power state transitions
    - nvme: Adjust the Samsung APST quirk
    - nvme: Quirk APST off on "THNSF5256GPUK TOSHIBA"
    - nvme: only consider exit latency when choosing useful non-op power states
    - nvme: relax APST default max latency to 100ms
    - nvme: Quirk APST on Intel 600P/P3100 devices

* CVE-2017-17862
    - bpf: fix branch pruning logic

* CVE-2017-16995
    - bpf: fix incorrect sign extension in check_alu_op()

* CVE-2017-17741
    - KVM: Fix stack-out-of-bounds read in write_mmio

* CVE-2018-5333
    - RDS: null pointer dereference in rds_atomic_free_op

* the kernel is blackholing IPv6 packets to linkdown nexthops (LP: #1738219)
    - ipv6: Do not consider linkdown nexthops during multipath

* /dev/bcache/by-uuid links not created after reboot (LP: #1729145)
    - SAUCE: (no-up) bcache: decouple emitting a cached_dev CHANGE uevent

* e1000e in 4.4.0-97-generic breaks 82574L under heavy load. (LP: #1730550)
    - e1000e: Avoid receiver overrun interrupt bursts
    - e1000e: Separate signaling for link check/link up

* ath10k: enhance rf signal strength (LP: #1736317)
    - ath10k: add max_tx_power for QCA6174 WLAN.RM.2.0 firmware

* User reports excessive ALUA retry messages (LP: #1720228)
    - scsi_dh_alua: uninitialized variable in alua_rtpg()

* Add installer support for new Broadcom network drivers.  (LP: #1734757)
    - d-i: Add bnxt_en_bpo to nic-modules.

* Transparent hugepages should default to enabled=madvise (LP: #1703742)
    - SAUCE: use CONFIG_TRANSPARENT_HUGEPAGE_MADVISE=y as default

-- Khalid Elmously <khalid.elmously@canonical.com>  Sat, 31 Mar 2018 17:09:19 +0000

Changed in linux (Ubuntu Xenial):
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntulinux package

Xenial update to 4.4.114 stable release

Bug Description

CVE References

Other bug subscribers

Remote bug watches

Ubuntu
linux package