Bug #1840335 “Xenial update: 4.4.189 upstream stable release” : Xenial (16.04) : Bugs : linux package : Ubuntu

Connor Kuehl (connork) on 2019-08-15

Changed in linux (Ubuntu):
status:	New → Confirmed
tags:	added: kernel-stable-tracking-bug
Changed in linux (Ubuntu):
status:	Confirmed → Invalid
Changed in linux (Ubuntu Xenial):
status:	New → In Progress
importance:	Undecided → Medium
assignee:	nobody → Connor Kuehl (connork)

Revision history for this message

Connor Kuehl (connork) wrote on 2019-08-15:

#1

The following patches required some backporting:

* "tcp: be more careful in tcp_fragment()"

There was a bit of a delta in an if-statement here which required manual adjusting to fit this patch in. I took the if statement from the patch.

* "x86: cpufeatures: Sort feature word 7"

This required some manual offset adjustments due to the differences in what the patch context expected (just the stuff around the hunks were in different orders.

The following patches were already applied:

* "block: blk_init_allocated_queue() set q->fq as NULL in the fail case"

* "x86/speculation: Prepare entry code for Spectre v1 swapgs mitigations"

* "x86/speculation: Enable Spectre v1 swapgs mitigations"

* "x86/entry/64: Use JMP instead of JMPQ"

* "x86/speculation/swapgs: Exclude ATOMs from speculation through SWAPGS"

description:

updated

Kleber Sacilotto de Souza (kleber-souza) on 2019-09-03

Changed in linux (Ubuntu Xenial):
status:	In Progress → Fix Committed

Revision history for this message

Launchpad Janitor (janitor) wrote on 2019-09-30:

#2

Download full text (12.8 KiB)

This bug was fixed in the package linux - 4.4.0-165.193

---------------
linux (4.4.0-165.193) xenial; urgency=medium

* xenial/linux: 4.4.0-165.193 -proposed tracker (LP: #1844416)

  * Xenial update: 4.4.187 upstream stable release (LP: #1840081)
    - MIPS: ath79: fix ar933x uart parity mode
    - MIPS: fix build on non-linux hosts
    - dmaengine: imx-sdma: fix use-after-free on probe error path
    - ath10k: Do not send probe response template for mesh
    - ath9k: Check for errors when reading SREV register
    - ath6kl: add some bounds checking
    - ath: DFS JP domain W56 fixed pulse type 3 RADAR detection
    - batman-adv: fix for leaked TVLV handler.
    - media: dvb: usb: fix use after free in dvb_usb_device_exit
    - crypto: talitos - fix skcipher failure due to wrong output IV
    - media: marvell-ccic: fix DMA s/g desc number calculation
    - media: vpss: fix a potential NULL pointer dereference
    - net: stmmac: dwmac1000: Clear unused address entries
    - signal/pid_namespace: Fix reboot_pid_ns to use send_sig not force_sig
    - af_key: fix leaks in key_pol_get_resp and dump_sp.
    - xfrm: Fix xfrm sel prefix length validation
    - media: staging: media: davinci_vpfe: - Fix for memory leak if decoder
      initialization fails.
    - net: phy: Check against net_device being NULL
    - tua6100: Avoid build warnings.
    - locking/lockdep: Fix merging of hlocks with non-zero references
    - media: wl128x: Fix some error handling in fm_v4l2_init_video_device()
    - cpupower : frequency-set -r option misses the last cpu in related cpu list
    - net: fec: Do not use netdev messages too early
    - net: axienet: Fix race condition causing TX hang
    - s390/qdio: handle PENDING state for QEBSM devices
    - perf test 6: Fix missing kvm module load for s390
    - gpio: omap: fix lack of irqstatus_raw0 for OMAP4
    - gpio: omap: ensure irq is enabled before wakeup
    - regmap: fix bulk writes on paged registers
    - bpf: silence warning messages in core
    - rcu: Force inlining of rcu_read_lock()
    - xfrm: fix sa selector validation
    - perf evsel: Make perf_evsel__name() accept a NULL argument
    - vhost_net: disable zerocopy by default
    - EDAC/sysfs: Fix memory leak when creating a csrow object
    - media: i2c: fix warning same module names
    - ntp: Limit TAI-UTC offset
    - timer_list: Guard procfs specific code
    - acpi/arm64: ignore 5.1 FADTs that are reported as 5.0
    - media: coda: fix mpeg2 sequence number handling
    - media: coda: increment sequence offset for the last returned frame
    - mt7601u: do not schedule rx_tasklet when the device has been disconnected
    - x86/build: Add 'set -e' to mkcapflags.sh to delete broken capflags.c
    - mt7601u: fix possible memory leak when the device is disconnected
    - ath10k: fix PCIE device wake up failed
    - rslib: Fix decoding of shortened codes
    - rslib: Fix handling of of caller provided syndrome
    - ixgbe: Check DDM existence in transceiver before access
    - EDAC: Fix global-out-of-bounds write when setting edac_mc_poll_msec
    - bcache: check c->gc_thread by IS_ERR_OR_NULL in cache_set_flush()
    - Bluetooth: hci_bcsp: Fix memory ...

This bug was fixed in the package linux - 4.4.0-165.193

---------------
linux (4.4.0-165.193) xenial; urgency=medium

* xenial/linux: 4.4.0-165.193 -proposed tracker (LP: #1844416)

* Xenial update: 4.4.187 upstream stable release (LP: #1840081)
    - MIPS: ath79: fix ar933x uart parity mode
    - MIPS: fix build on non-linux hosts
    - dmaengine: imx-sdma: fix use-after-free on probe error path
    - ath10k: Do not send probe response template for mesh
    - ath9k: Check for errors when reading SREV register
    - ath6kl: add some bounds checking
    - ath: DFS JP domain W56 fixed pulse type 3 RADAR detection
    - batman-adv: fix for leaked TVLV handler.
    - media: dvb: usb: fix use after free in dvb_usb_device_exit
    - crypto: talitos - fix skcipher failure due to wrong output IV
    - media: marvell-ccic: fix DMA s/g desc number calculation
    - media: vpss: fix a potential NULL pointer dereference
    - net: stmmac: dwmac1000: Clear unused address entries
    - signal/pid_namespace: Fix reboot_pid_ns to use send_sig not force_sig
    - af_key: fix leaks in key_pol_get_resp and dump_sp.
    - xfrm: Fix xfrm sel prefix length validation
    - media: staging: media: davinci_vpfe: - Fix for memory leak if decoder
      initialization fails.
    - net: phy: Check against net_device being NULL
    - tua6100: Avoid build warnings.
    - locking/lockdep: Fix merging of hlocks with non-zero references
    - media: wl128x: Fix some error handling in fm_v4l2_init_video_device()
    - cpupower : frequency-set -r option misses the last cpu in related cpu list
    - net: fec: Do not use netdev messages too early
    - net: axienet: Fix race condition causing TX hang
    - s390/qdio: handle PENDING state for QEBSM devices
    - perf test 6: Fix missing kvm module load for s390
    - gpio: omap: fix lack of irqstatus_raw0 for OMAP4
    - gpio: omap: ensure irq is enabled before wakeup
    - regmap: fix bulk writes on paged registers
    - bpf: silence warning messages in core
    - rcu: Force inlining of rcu_read_lock()
    - xfrm: fix sa selector validation
    - perf evsel: Make perf_evsel__name() accept a NULL argument
    - vhost_net: disable zerocopy by default
    - EDAC/sysfs: Fix memory leak when creating a csrow object
    - media: i2c: fix warning same module names
    - ntp: Limit TAI-UTC offset
    - timer_list: Guard procfs specific code
    - acpi/arm64: ignore 5.1 FADTs that are reported as 5.0
    - media: coda: fix mpeg2 sequence number handling
    - media: coda: increment sequence offset for the last returned frame
    - mt7601u: do not schedule rx_tasklet when the device has been disconnected
    - x86/build: Add 'set -e' to mkcapflags.sh to delete broken capflags.c
    - mt7601u: fix possible memory leak when the device is disconnected
    - ath10k: fix PCIE device wake up failed
    - rslib: Fix decoding of shortened codes
    - rslib: Fix handling of of caller provided syndrome
    - ixgbe: Check DDM existence in transceiver before access
    - EDAC: Fix global-out-of-bounds write when setting edac_mc_poll_msec
    - bcache: check c->gc_thread by IS_ERR_OR_NULL in cache_set_flush()
    - Bluetooth: hci_bcsp: Fix memory leak in rx_skb
    - Bluetooth: 6lowpan: search for destination address in all peers
    - Bluetooth: Check state in l2cap_disconnect_rsp
    - Bluetooth: validate BLE connection interval updates
    - crypto: ghash - fix unaligned memory access in ghash_setkey()
    - crypto: arm64/sha1-ce - correct digest for empty data in finup
    - crypto: arm64/sha2-ce - correct digest for empty data in finup
    - Input: gtco - bounds check collection indent level
    - regulator: s2mps11: Fix buck7 and buck8 wrong voltages
    - tracing/snapshot: Resize spare buffer if size changed
    - NFSv4: Handle the special Linux file open access mode
    - lib/scatterlist: Fix mapping iterator when sg->offset is greater than
      PAGE_SIZE
    - ALSA: seq: Break too long mutex context in the write loop
    - media: v4l2: Test type instead of cfg->type in v4l2_ctrl_new_custom()
    - media: coda: Remove unbalanced and unneeded mutex unlock
    - KVM: x86/vPMU: refine kvm_pmu err msg when event creation failed
    - drm/nouveau/i2c: Enable i2c pads & busses during preinit
    - padata: use smp_mb in padata_reorder to avoid orphaned padata jobs
    - 9p/virtio: Add cleanup path in p9_virtio_init
    - PCI: Do not poll for PME if the device is in D3cold
    - take floppy compat ioctls to sodding floppy.c
    - floppy: fix out-of-bounds read in next_valid_format
    - floppy: fix invalid pointer dereference in drive_name
    - coda: pass the host file in vma->vm_file on mmap
    - gpu: ipu-v3: ipu-ic: Fix saturation bit offset in TPMEM
    - parisc: Fix kernel panic due invalid values in IAOQ0 or IAOQ1
    - powerpc/32s: fix suspend/resume when IBATs 4-7 are used
    - powerpc/watchpoint: Restore NV GPRs while returning from exception
    - eCryptfs: fix a couple type promotion bugs
    - intel_th: msu: Fix single mode with disabled IOMMU
    - Bluetooth: Add SMP workaround Microsoft Surface Precision Mouse bug
    - usb: Handle USB3 remote wakeup for LPM enabled devices correctly
    - dm bufio: fix deadlock with loop device
    - bnx2x: Prevent load reordering in tx completion processing
    - caif-hsi: fix possible deadlock in cfhsi_exit_module()
    - ipv4: don't set IPv6 only flags to IPv4 addresses
    - net: bcmgenet: use promisc for unsupported filters
    - net: neigh: fix multiple neigh timer scheduling
    - nfc: fix potential illegal memory access
    - sky2: Disable MSI on ASUS P6T
    - netrom: fix a memory leak in nr_rx_frame()
    - netrom: hold sock when setting skb->destructor
    - tcp: Reset bytes_acked and bytes_received when disconnecting
    - bonding: validate ip header before check IPPROTO_IGMP
    - net: bridge: mcast: fix stale nsrcs pointer in igmp3/mld2 report handling
    - net: bridge: mcast: fix stale ipv6 hdr pointer when handling v6 query
    - net: bridge: stp: don't cache eth dest pointer before skb pull
    - elevator: fix truncation of icq_cache_name
    - NFSv4: Fix open create exclusive when the server reboots
    - nfsd: increase DRC cache limit
    - nfsd: give out fewer session slots as limit approaches
    - nfsd: fix performance-limiting session calculation
    - nfsd: Fix overflow causing non-working mounts on 1 TB machines
    - drm/panel: simple: Fix panel_simple_dsi_probe
    - usb: core: hub: Disable hub-initiated U1/U2
    - tty: max310x: Fix invalid baudrate divisors calculator
    - pinctrl: rockchip: fix leaked of_node references
    - tty: serial: cpm_uart - fix init when SMC is relocated
    - memstick: Fix error cleanup path of memstick_init
    - tty/serial: digicolor: Fix digicolor-usart already registered warning
    - tty: serial: msm_serial: avoid system lockup condition
    - drm/virtio: Add memory barriers for capset cache.
    - phy: renesas: rcar-gen2: Fix memory leak at error paths
    - usb: gadget: Zero ffs_io_data
    - powerpc/pci/of: Fix OF flags parsing for 64bit BARs
    - PCI: sysfs: Ignore lockdep for remove attribute
    - iio: iio-utils: Fix possible incorrect mask calculation
    - recordmcount: Fix spurious mcount entries on powerpc
    - mfd: core: Set fwnode for created devices
    - mfd: arizona: Fix undefined behavior
    - um: Silence lockdep complaint about mmap_sem
    - powerpc/4xx/uic: clear pending interrupt after irq type/pol change
    - serial: sh-sci: Fix TX DMA buffer flushing and workqueue races
    - kallsyms: exclude kasan local symbols on s390
    - perf test mmap-thread-lookup: Initialize variable to suppress memory
      sanitizer warning
    - f2fs: avoid out-of-range memory access
    - mailbox: handle failed named mailbox channel request
    - powerpc/eeh: Handle hugepages in ioremap space
    - sh: prevent warnings when using iounmap
    - mm/kmemleak.c: fix check for softirq context
    - 9p: pass the correct prototype to read_cache_page
    - mm/mmu_notifier: use hlist_add_head_rcu()
    - locking/lockdep: Fix lock used or unused stats error
    - locking/lockdep: Hide unused 'class' variable
    - usb: wusbcore: fix unbalanced get/put cluster_id
    - usb: pci-quirks: Correct AMD PLL quirk detection
    - x86/sysfb_efi: Add quirks for some devices with swapped width and height
    - x86/speculation/mds: Apply more accurate check on hypervisor platform
    - hpet: Fix division by zero in hpet_time_div()
    - ALSA: hda - Add a conexant codec entry to let mute led work
    - access: avoid the RCU grace period for the temporary subjective credentials
    - vmstat: Remove BUG_ON from vmstat_update
    - mm, vmstat: make quiet_vmstat lighter
    - ipv6: check sk sk_type and protocol early in ip_mroute_set/getsockopt
    - tcp: reset sk_send_head in tcp_write_queue_purge
    - ISDN: hfcsusb: checking idx of ep configuration
    - media: cpia2_usb: first wake up, then free in disconnect
    - media: radio-raremono: change devm_k*alloc to k*alloc
    - Bluetooth: hci_uart: check for missing tty operations
    - sched/fair: Don't free p->numa_faults with concurrent readers
    - drivers/pps/pps.c: clear offset flags in PPS_SETPARAMS ioctl
    - ceph: hold i_ceph_lock when removing caps for freeing inode
    - Linux 4.4.187
    - perf tests: Add valid callback for parse-events test
    - SAUCE: Fix perf test 6: Fix missing kvm module load for s390

* CVE-2018-20976
    - xfs: clear sb->s_fs_info on mount failure

* Xenial update: 4.4.189 upstream stable release (LP: #1840335)
    - arm64: cpufeature: Fix CTR_EL0 field definitions
    - arm64: cpufeature: Fix feature comparison for CTR_EL0.{CWG,ERG}
    - netfilter: nfnetlink_acct: validate NFACCT_QUOTA parameter
    - HID: Add quirk for HP X1200 PIXART OEM mouse
    - tcp: be more careful in tcp_fragment()
    - atm: iphase: Fix Spectre v1 vulnerability
    - net: bridge: delete local fdb on device init failure
    - net: fix ifindex collision during namespace removal
    - tipc: compat: allow tipc commands without arguments
    - net: sched: Fix a possible null-pointer dereference in dequeue_func()
    - net/mlx5: Use reversed order when unregister devices
    - bnx2x: Disable multi-cos feature.
    - compat_ioctl: pppoe: fix PPPOEIOCSFWD handling
    - spi: bcm2835: Fix 3-wire mode if DMA is enabled
    - x86: cpufeatures: Sort feature word 7
    - x86/entry/64: Fix context tracking state warning when load_gs_index fails
    - Linux 4.4.189

* CVE-2019-0136
    - mac80211: handle deauthentication/disassociation from TDLS peer

* skb_warn_bad_offload kernel splat due to CHECKSUM target not compatible with
    GSO skbs (LP: #1840619)
    - netfilter: xt_checksum: ignore gso skbs

* CVE-2018-20961
    - usb: gadget: f_midi: fail if set_alt fails to allocate requests
    - USB: gadget: f_midi: fixing a possible double-free in f_midi

* CVE-2019-11487
    - pipe: add pipe_buf_get() helper
    - mm: add 'try_get_page()' helper function
    - fs: prevent page refcount overflow in pipe_buf_get
    - mm: make page ref count overflow check tighter and more explicit
    - mm, gup: ensure real head page is ref-counted when using hugepages
    - mm: prevent get_user_pages() from overflowing page refcount

* Xenial update: 4.4.188 upstream stable release (LP: #1840289)
    - ARM: riscpc: fix DMA
    - ARM: dts: rockchip: Mark that the rk3288 timer might stop in suspend
    - kernel/module.c: Only return -EEXIST for modules that have finished loading
    - MIPS: lantiq: Fix bitfield masking
    - dmaengine: rcar-dmac: Reject zero-length slave DMA requests
    - fs/adfs: super: fix use-after-free bug
    - btrfs: fix minimum number of chunk errors for DUP
    - ceph: fix improper use of smp_mb__before_atomic()
    - scsi: zfcp: fix GCC compiler warning emitted with -Wmaybe-uninitialized
    - ACPI: fix false-positive -Wuninitialized warning
    - be2net: Signal that the device cannot transmit during reconfiguration
    - x86/apic: Silence -Wtype-limits compiler warnings
    - x86: math-emu: Hide clang warnings for 16-bit overflow
    - mm/cma.c: fail if fixed declaration can't be honored
    - coda: add error handling for fget
    - coda: fix build using bare-metal toolchain
    - uapi linux/coda_psdev.h: move upc_req definition from uapi to kernel side
      headers
    - ipc/mqueue.c: only perform resource calculation if user valid
    - x86/kvm: Don't call kvm_spurious_fault() from .fixup
    - selinux: fix memory leak in policydb_init()
    - s390/dasd: fix endless loop after read unit address configuration
    - xen/swiotlb: fix condition for calling xen_destroy_contiguous_region()
    - Linux 4.4.188

* Line 6 POD HD500 driver fault (LP: #1790595) // Xenial update: 4.4.187
    upstream stable release (LP: #1840081)
    - ALSA: line6: Fix wrong altsetting for LINE6_PODHD500_1

* CVE-2016-10905
    - GFS2: don't set rgrp gl_object until it's inserted into rgrp tree

-- Stefan Bader <stefan.bader@canonical.com>  Tue, 17 Sep 2019 18:24:13 +0200

Changed in linux (Ubuntu Xenial):
status:	Fix Committed → Fix Released

Ubuntu
linux package

Xenial update: 4.4.189 upstream stable release

Bug Description

CVE References

Other bug subscribers

Remote bug watches

Affects		Status	Importance	Assigned to	Milestone
	linux (Ubuntu)	Invalid	Undecided	Unassigned
	Xenial	Fix Released	Medium	Connor Kuehl

Ubuntulinux package