Ubuntu
linux package

Xenial update: 4.4.191 upstream stable release

Xenial (16.04)
Bug #1845036

Bug #1845036 reported by Connor Kuehl on 2019-09-23

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	linux (Ubuntu)	Invalid	Undecided	Unassigned
	Xenial	Fix Released	Medium	Connor Kuehl

Bug Description

SRU Justification

    Impact:
       The upstream process for stable tree updates is quite similar
       in scope to the Ubuntu SRU process, e.g., each patch has to
       demonstrably fix a bug, and each patch is vetted by upstream
       by originating either directly from a mainline/stable Linux tree or
       a minimally backported form of that patch. The following upstream
       stable patches should be included in the Ubuntu kernel:

* HID: Add 044f:b320 ThrustMaster, Inc. 2 in 1 DT
* MIPS: kernel: only use i8253 clocksource with periodic clockevent
* netfilter: ebtables: fix a memory leak bug in compat
* bonding: Force slave speed check after link state recovery for 802.3ad
* can: dev: call netif_carrier_off() in register_candev()
* st21nfca_connectivity_event_received: null check the allocation
* st_nci_hci_connectivity_event_received: null check the allocation
* ASoC: ti: davinci-mcasp: Correct slot_width posed constraint
* net: usb: qmi_wwan: Add the BroadMobi BM818 card
* isdn: mISDN: hfcsusb: Fix possible null-pointer dereferences in start_isoc_chain()
* isdn: hfcsusb: Fix mISDN driver crash caused by transfer buffer on the stack
* perf bench numa: Fix cpu0 binding
* can: sja1000: force the string buffer NULL-terminated
* can: peak_usb: force the string buffer NULL-terminated
* NFSv4: Fix a potential sleep while atomic in nfs4_do_reclaim()
* net: cxgb3_main: Fix a resource leak in a error path in 'init_one()'
* net: hisilicon: make hip04_tx_reclaim non-reentrant
* net: hisilicon: fix hip04-xmit never return TX_BUSY
* net: hisilicon: Fix dma_map_single failed on arm64
* libata: add SG safety checks in SFF pio transfers
* selftests: kvm: Adding config fragments
* HID: wacom: correct misreported EKR ring values
* Revert "dm bufio: fix deadlock with loop device"
* userfaultfd_release: always remove uffd flags and clear vm_userfaultfd_ctx
* x86/retpoline: Don't clobber RFLAGS during CALL_NOSPEC on i386
* x86/apic: Handle missing global clockevent gracefully
* x86/boot: Save fields explicitly, zero out everything else
* x86/boot: Fix boot regression caused by bootparam sanitizing
* dm btree: fix order of block initialization in btree_split_beneath
* dm space map metadata: fix missing store of apply_bops() return value
* dm table: fix invalid memory accesses with too high sector number
* cgroup: Disable IRQs while holding css_set_lock
* net: arc_emac: fix koops caused by sk_buff free
* siphash: implement HalfSipHash1-3 for hash tables
* netfilter: ctnetlink: don't use conntrack/expect object addresses as id
* netfilter: conntrack: Use consistent ct id hash calculation
* Revert "perf test 6: Fix missing kvm module load for s390"
* x86/pm: Introduce quirk framework to save/restore extra MSR registers around suspend/resume
* x86/CPU/AMD: Clear RDRAND CPUID bit on AMD family 15h/16h
* scsi: ufs: Fix NULL pointer dereference in ufshcd_config_vreg_hpm()
* dmaengine: ste_dma40: fix unneeded variable warning
* usb: gadget: composite: Clear "suspended" on reset/disconnect
* usb: host: fotg2: restart hcd after port reset
* tools: hv: fix KVP and VSS daemons exit code
* watchdog: bcm2835_wdt: Fix module autoload
* tcp: fix tcp_rtx_queue_tail in case of empty retransmit queue
* ALSA: usb-audio: Fix a stack buffer overflow bug in check_input_term
* ALSA: usb-audio: Fix an OOB bug in parse_audio_mixer_unit
* tcp: make sure EPOLLOUT wont be missed
* ALSA: seq: Fix potential concurrent access to the deleted pool
* KVM: x86: Don't update RIP or do single-step on faulting emulation
* x86/apic: Do not initialize LDR and DFR for bigsmp
* x86/apic: Include the LDR when clearing out APIC registers
* usb-storage: Add new JMS567 revision to unusual_devs
* USB: cdc-wdm: fix race between write and disconnect due to flag abuse
* usb: host: ohci: fix a race condition between shutdown and irq
* USB: storage: ums-realtek: Update module parameter description for auto_delink_en
* USB: storage: ums-realtek: Whitelist auto-delink support
* ptrace,x86: Make user_64bit_mode() available to 32-bit builds
* uprobes/x86: Fix detection of 32-bit user mode
* mmc: sdhci-of-at91: add quirk for broken HS200
* mmc: core: Fix init of SD cards reporting an invalid VDD range
* stm class: Fix a double free of stm_source_device
* VMCI: Release resource if the work is already queued
* Revert "cfg80211: fix processing world regdomain when non modular"
* mac80211: fix possible sta leak
* x86/ptrace: fix up botched merge of spectrev1 fix
* Linux 4.4.191

4.4.191 upstream stable release
from git://git.kernel.org/

See original description

Tags:

CVE References

Connor Kuehl (connork) on 2019-09-23

Changed in linux (Ubuntu):
status:	New → Confirmed
tags:	added: kernel-stable-tracking-bug

Connor Kuehl (connork) on 2019-09-23

Changed in linux (Ubuntu Xenial):
status:	New → In Progress
importance:	Undecided → Medium
assignee:	nobody → Connor Kuehl (connork)
Changed in linux (Ubuntu):
status:	Confirmed → Invalid

Revision history for this message

Connor Kuehl (connork) wrote on 2019-09-24:

Already applied:

* GFS2: don't set rgrp gl_object until it's inserted into rgrp tree
* vhost-net: set packet weight of tx polling to 2 * vq size
* vhost_net: use packet weight for rx handler, too
* vhost_net: introduce vhost_exceeds_weight()
* vhost: introduce vhost_exceeds_weight()
* vhost_net: fix possible infinite loop
* vhost: scsi: add weight support
* siphash: add cryptographically secure PRF
* inet: switch IP ID generator to siphash

Connor Kuehl (connork) on 2019-09-24

description:

updated

Khaled El Mously (kmously) on 2019-09-26

Changed in linux (Ubuntu Xenial):
status:	In Progress → Fix Committed

Revision history for this message

Kleber Sacilotto de Souza (kleber-souza) wrote on 2019-10-01:

I have removed the following commit from the Xenial tree given that it was causing a build failure on s390x.

* Revert "perf test 6: Fix missing kvm module load for s390"

This issue had already been resolved by "UBUNTU: SAUCE: Fix perf test 6: Fix missing kvm module load for s390", so the upstream fix was not needed.

Revision history for this message

Stefan Bader (smb) wrote on 2019-10-01:

commit dd20ee8f5a91cd67ee34aec07b446a3a20b82d01
Author: Sasha Levin <email address hidden>
Date: Tue Aug 27 22:58:51 2019 -0400

Revert "perf test 6: Fix missing kvm module load for s390"

Above patch should not have applied cleanly from linux-4.4.y because we fixed it up already. It is not mentioned above that there was anything specially done. However the committed result is not what the upstream stable did. Instead of removing a function, it gets added (a second time as the fixed up version we did is still present). Not sure how this did happen.

Revision history for this message

Connor Kuehl (connork) wrote on 2019-10-01:

I have been using the stable updates toolchain that was used for the Bionic stable updates project. Generally, if a patch doesn't apply one of the tools checks to see if it was already applied. If it doesn't believe the patch is applied, and it doesn't apply cleanly, we use "patch" because it tries a little bit harder than "git am" for fitting the hunks in at different offsets.

In this case, it didn't see this patch was effectively applied under an "UBUNTU: SAUCE:" prefix. This is something that it should do, so I'll work on trying to get a patch sent for that toolchain.

Revision history for this message

Stefan Bader (smb) wrote on 2019-10-01:

Ok, but in this case the patch from upstream did a bigger hunk of removals. That would not have worked even with patch because to fix the build, we have replaced two function calls within that hunk. The change applied under the title of the revert was actually a re-do of the initial addition of that hunk. Not the revert.

Revision history for this message

Launchpad Janitor (janitor) wrote on 2019-10-21:

Download full text (15.0 KiB)

This bug was fixed in the package linux - 4.4.0-166.195

---------------
linux (4.4.0-166.195) xenial; urgency=medium

* xenial/linux: 4.4.0-166.195 -proposed tracker (LP: #1846069)

* Packaging resync (LP: #1786013)
- [Packaging] update helper scripts

* CVE-2017-18232
- scsi: libsas: direct call probe and destruct

* CVE-2018-21008
- rsi: add fix for crash during assertions

  * Xenial update: 4.4.194 upstream stable release (LP: #1845405)
    - bridge/mdb: remove wrong use of NLM_F_MULTI
    - cdc_ether: fix rndis support for Mediatek based smartphones
    - ipv6: Fix the link time qualifier of 'ping_v6_proc_exit_net()'
    - isdn/capi: check message length in capi_write()
    - net: Fix null de-reference of device refcount
    - sch_hhf: ensure quantum and hhf_non_hh_weight are non-zero
    - sctp: Fix the link time qualifier of 'sctp_ctrlsock_exit()'
    - sctp: use transport pf_retrans in sctp_do_8_2_transport_strike
    - tcp: fix tcp_ecn_withdraw_cwr() to clear TCP_ECN_QUEUE_CWR
    - tipc: add NULL pointer check before calling kfree_rcu
    - tun: fix use-after-free when register netdev failed
    - Revert "MIPS: SiByte: Enable swiotlb for SWARM, LittleSur and BigSur"
    - Btrfs: fix assertion failure during fsync and use of stale transaction
    - genirq: Prevent NULL pointer dereference in resend_irqs()
    - KVM: s390: Do not leak kernel stack data in the KVM_S390_INTERRUPT ioctl
    - KVM: x86: work around leak of uninitialized stack contents
    - KVM: nVMX: handle page fault in vmread
    - MIPS: VDSO: Prevent use of smp_processor_id()
    - MIPS: VDSO: Use same -m%-float cflag as the kernel proper
    - clk: rockchip: Don't yell about bad mmc phases when getting
    - driver core: Fix use-after-free and double free on glue directory
    - crypto: talitos - check AES key size
    - crypto: talitos - check data blocksize in ablkcipher.
    - x86/build: Add -Wnoaddress-of-packed-member to REALMODE_CFLAGS, to silence
      GCC9 build warning
    - MIPS: netlogic: xlr: Remove erroneous check in nlm_fmn_send()
    - ARC: configs: Remove CONFIG_INITRAMFS_SOURCE from defconfigs
    - USB: usbcore: Fix slab-out-of-bounds bug during device reset
    - media: tm6000: double free if usb disconnect while streaming
    - x86/boot: Add missing bootparam that breaks boot on some platforms
    - xen-netfront: do not assume sk_buff_head list is empty in error handling
    - serial: sprd: correct the wrong sequence of arguments
    - tty/serial: atmel: reschedule TX after RX was started
    - mwifiex: Fix three heap overflow at parsing element in cfg80211_ap_settings
    - s390/bpf: fix lcgr instruction encoding
    - ARM: OMAP2+: Fix omap4 errata warning on other SoCs
    - s390/bpf: use 32-bit index for tail calls
    - NFSv4: Fix return values for nfs4_file_open()
    - NFS: Fix initialisation of I/O result struct in nfs_pgio_rpcsetup
    - Kconfig: Fix the reference to the IDT77105 Phy driver in the description of
      ATM_NICSTAR_USE_IDT77105
    - ARM: 8874/1: mm: only adjust sections of valid mm structures
    - r8152: Set memory to all 0xFFs on failed reg reads
    - x86/apic: Fix arch_dynirq_lower_bound() bug for D...

This bug was fixed in the package linux - 4.4.0-166.195

---------------
linux (4.4.0-166.195) xenial; urgency=medium

* xenial/linux: 4.4.0-166.195 -proposed tracker (LP: #1846069)

* Packaging resync (LP: #1786013)
    - [Packaging] update helper scripts

* CVE-2017-18232
    - scsi: libsas: direct call probe and destruct

* CVE-2018-21008
    - rsi: add fix for crash during assertions

* CVE-2019-14821
    - KVM: coalesced_mmio: add bounds checking

* Xenial update: 4.4.193 upstream stable release (LP: #1845395)
    - ALSA: hda - Fix potential endless loop at applying quirks
    - ALSA: hda/realtek - Fix overridden device-specific initialization
    - xfrm: clean up xfrm protocol checks
    - vhost/test: fix build for vhost test
    - scripts/decode_stacktrace: match basepath using shell prefix operator, not
      regex
    - clk: s2mps11: Add used attribute to s2mps11_dt_match
    - x86, boot: Remove multiple copy of static function sanitize_boot_params()
    - af_packet: tone down the Tx-ring unsupported spew.
    - Linux 4.4.193

* Xenial update: 4.4.192 upstream stable release (LP: #1845374)
    - net: tundra: tsi108: use spin_lock_irqsave instead of spin_lock_irq in IRQ
      context
    - net: tc35815: Explicitly check NET_IP_ALIGN is not zero in tc35815_rx
    - Bluetooth: btqca: Add a short delay before downloading the NVM
    - ibmveth: Convert multicast list size for little-endian system
    - gpio: Fix build error of function redefinition
    - cxgb4: fix a memory leak bug
    - net: myri10ge: fix memory leaks
    - cx82310_eth: fix a memory leak bug
    - net: kalmia: fix memory leaks
    - wimax/i2400m: fix a memory leak bug
    - ravb: Fix use-after-free ravb_tstamp_skb
    - Tools: hv: kvp: eliminate 'may be used uninitialized' warning
    - IB/mlx4: Fix memory leaks
    - ceph: fix buffer free while holding i_ceph_lock in __ceph_setxattr()
    - KVM: arm/arm64: Only skip MMIO insn once
    - libceph: allow ceph_buffer_put() to receive a NULL ceph_buffer
    - spi: bcm2835aux: ensure interrupts are enabled for shared handler
    - spi: bcm2835aux: unifying code between polling and interrupt driven code
    - spi: bcm2835aux: remove dangerous uncontrolled read of fifo
    - spi: bcm2835aux: fix corruptions for longer spi transfers
    - Revert "x86/apic: Include the LDR when clearing out APIC registers"
    - net: fix skb use after free in netpoll
    - net: stmmac: dwmac-rk: Don't fail if phy regulator is absent
    - Linux 4.4.192

* Xenial update: 4.4.191 upstream stable release (LP: #1845036)
    - HID: Add 044f:b320 ThrustMaster, Inc. 2 in 1 DT
    - MIPS: kernel: only use i8253 clocksource with periodic clockevent
    - netfilter: ebtables: fix a memory leak bug in compat
    - bonding: Force slave speed check after link state recovery for 802.3ad
    - can: dev: call netif_carrier_off() in register_candev()
    - st21nfca_connectivity_event_received: null check the allocation
    - st_nci_hci_connectivity_event_received: null check the allocation
    - ASoC: ti: davinci-mcasp: Correct slot_width posed constraint
    - net: usb: qmi_wwan: Add the BroadMobi BM818 card
    - isdn: mISDN: hfcsusb: Fix possible null-pointer dereferences in
      start_isoc_chain()
    - isdn: hfcsusb: Fix mISDN driver crash caused by transfer buffer on the stack
    - perf bench numa: Fix cpu0 binding
    - can: sja1000: force the string buffer NULL-terminated
    - can: peak_usb: force the string buffer NULL-terminated
    - NFSv4: Fix a potential sleep while atomic in nfs4_do_reclaim()
    - net: cxgb3_main: Fix a resource leak in a error path in 'init_one()'
    - net: hisilicon: make hip04_tx_reclaim non-reentrant
    - net: hisilicon: fix hip04-xmit never return TX_BUSY
    - net: hisilicon: Fix dma_map_single failed on arm64
    - libata: add SG safety checks in SFF pio transfers
    - selftests: kvm: Adding config fragments
    - HID: wacom: correct misreported EKR ring values
    - Revert "dm bufio: fix deadlock with loop device"
    - userfaultfd_release: always remove uffd flags and clear vm_userfaultfd_ctx
    - x86/retpoline: Don't clobber RFLAGS during CALL_NOSPEC on i386
    - x86/apic: Handle missing global clockevent gracefully
    - x86/boot: Save fields explicitly, zero out everything else
    - x86/boot: Fix boot regression caused by bootparam sanitizing
    - dm btree: fix order of block initialization in btree_split_beneath
    - dm space map metadata: fix missing store of apply_bops() return value
    - dm table: fix invalid memory accesses with too high sector number
    - cgroup: Disable IRQs while holding css_set_lock
    - net: arc_emac: fix koops caused by sk_buff free
    - siphash: implement HalfSipHash1-3 for hash tables
    - netfilter: ctnetlink: don't use conntrack/expect object addresses as id
    - netfilter: conntrack: Use consistent ct id hash calculation
    - x86/pm: Introduce quirk framework to save/restore extra MSR registers around
      suspend/resume
    - x86/CPU/AMD: Clear RDRAND CPUID bit on AMD family 15h/16h
    - scsi: ufs: Fix NULL pointer dereference in ufshcd_config_vreg_hpm()
    - dmaengine: ste_dma40: fix unneeded variable warning
    - usb: gadget: composite: Clear "suspended" on reset/disconnect
    - usb: host: fotg2: restart hcd after port reset
    - tools: hv: fix KVP and VSS daemons exit code
    - watchdog: bcm2835_wdt: Fix module autoload
    - tcp: fix tcp_rtx_queue_tail in case of empty retransmit queue
    - ALSA: usb-audio: Fix a stack buffer overflow bug in check_input_term
    - ALSA: usb-audio: Fix an OOB bug in parse_audio_mixer_unit
    - tcp: make sure EPOLLOUT wont be missed
    - ALSA: seq: Fix potential concurrent access to the deleted pool
    - KVM: x86: Don't update RIP or do single-step on faulting emulation
    - x86/apic: Do not initialize LDR and DFR for bigsmp
    - x86/apic: Include the LDR when clearing out APIC registers
    - usb-storage: Add new JMS567 revision to unusual_devs
    - USB: cdc-wdm: fix race between write and disconnect due to flag abuse
    - usb: host: ohci: fix a race condition between shutdown and irq
    - USB: storage: ums-realtek: Update module parameter description for
      auto_delink_en
    - ptrace,x86: Make user_64bit_mode() available to 32-bit builds
    - uprobes/x86: Fix detection of 32-bit user mode
    - mmc: sdhci-of-at91: add quirk for broken HS200
    - mmc: core: Fix init of SD cards reporting an invalid VDD range
    - stm class: Fix a double free of stm_source_device
    - VMCI: Release resource if the work is already queued
    - Revert "cfg80211: fix processing world regdomain when non modular"
    - mac80211: fix possible sta leak
    - x86/ptrace: fix up botched merge of spectrev1 fix
    - Linux 4.4.191

* New ID in ums-realtek module breaks cardreader (LP: #1838886) // Xenial
    update: 4.4.191 upstream stable release (LP: #1845036)
    - USB: storage: ums-realtek: Whitelist auto-delink support

* Xenial update: 4.4.190 upstream stable release (LP: #1845038)
    - usb: iowarrior: fix deadlock on disconnect
    - sound: fix a memory leak bug
    - x86/mm: Check for pfn instead of page in vmalloc_sync_one()
    - x86/mm: Sync also unmappings in vmalloc_sync_all()
    - mm/vmalloc: Sync unmappings in __purge_vmap_area_lazy()
    - perf db-export: Fix thread__exec_comm()
    - usb: yurex: Fix use-after-free in yurex_delete
    - can: peak_usb: fix potential double kfree_skb()
    - netfilter: nfnetlink: avoid deadlock due to synchronous request_module
    - iscsi_ibft: make ISCSI_IBFT dependson ACPI instead of ISCSI_IBFT_FIND
    - mac80211: don't warn about CW params when not using them
    - hwmon: (nct6775) Fix register address and added missed tolerance for nct6106
    - cpufreq/pasemi: fix use-after-free in pas_cpufreq_cpu_init()
    - s390/qdio: add sanity checks to the fast-requeue path
    - ALSA: compress: Fix regression on compressed capture streams
    - ALSA: compress: Prevent bypasses of set_params
    - ALSA: compress: Be more restrictive about when a drain is allowed
    - perf probe: Avoid calling freeing routine multiple times for same pointer
    - ARM: davinci: fix sleep.S build error on ARMv4
    - scsi: megaraid_sas: fix panic on loading firmware crashdump
    - scsi: ibmvfc: fix WARN_ON during event pool release
    - tty/ldsem, locking/rwsem: Add missing ACQUIRE to read_failed sleep loop
    - perf/core: Fix creating kernel counters for PMUs that override event->cpu
    - can: peak_usb: pcan_usb_pro: Fix info-leaks to USB devices
    - can: peak_usb: pcan_usb_fd: Fix info-leaks to USB devices
    - hwmon: (nct7802) Fix wrong detection of in4 presence
    - ALSA: firewire: fix a memory leak bug
    - mac80211: don't WARN on short WMM parameters from AP
    - SMB3: Fix deadlock in validate negotiate hits reconnect
    - smb3: send CAP_DFS capability during session setup
    - mwifiex: fix 802.11n/WPA detection
    - scsi: mpt3sas: Use 63-bit DMA addressing on SAS35 HBA
    - sh: kernel: hw_breakpoint: Fix missing break in switch statement
    - mm/memcontrol.c: fix use after free in mem_cgroup_iter()
    - ALSA: hda - Fix a memory leak bug
    - HID: holtek: test for sanity of intfdata
    - HID: hiddev: avoid opening a disconnected device
    - HID: hiddev: do cleanup in failure of opening a device
    - Input: kbtab - sanity check for endpoint type
    - Input: iforce - add sanity checks
    - net: usb: pegasus: fix improper read if get_registers() fail
    - xen/pciback: remove set but not used variable 'old_state'
    - irqchip/irq-imx-gpcv2: Forward irq type to parent
    - perf header: Fix divide by zero error if f_header.attr_size==0
    - perf header: Fix use of unitialized value warning
    - libata: zpodd: Fix small read overflow in zpodd_get_mech_type()
    - scsi: hpsa: correct scsi command status issue after reset
    - ata: libahci: do not complain in case of deferred probe
    - kbuild: modpost: handle KBUILD_EXTRA_SYMBOLS only for external modules
    - IB/core: Add mitigation for Spectre V1
    - ocfs2: remove set but not used variable 'last_hash'
    - asm-generic: fix -Wtype-limits compiler warnings
    - staging: comedi: dt3000: Fix signed integer overflow 'divider * base'
    - staging: comedi: dt3000: Fix rounding up of timer divisor
    - USB: core: Fix races in character device registration and deregistraion
    - usb: cdc-acm: make sure a refcount is taken early enough
    - USB: serial: option: add D-Link DWM-222 device ID
    - USB: serial: option: Add support for ZTE MF871A
    - USB: serial: option: add the BroadMobi BM818 card
    - USB: serial: option: Add Motorola modem UARTs
    - Backport minimal compiler_attributes.h to support GCC 9
    - include/linux/module.h: copy __init/__exit attrs to init/cleanup_module
    - arm64: compat: Allow single-byte watchpoints on all addresses
    - Input: psmouse - fix build error of multiple definition
    - asm-generic: default BUG_ON(x) to if(x)BUG()
    - scsi: fcoe: Embed fc_rport_priv in fcoe_rport structure
    - RDMA: Directly cast the sockaddr union to sockaddr
    - IB/mlx5: Make coding style more consistent
    - x86/vdso: Remove direct HPET access through the vDSO
    - iommu/amd: Move iommu_init_pci() to .init section
    - x86/boot: Disable the address-of-packed-member compiler warning
    - net/packet: fix race in tpacket_snd()
    - xen/netback: Reset nr_frags before freeing skb
    - net/mlx5e: Only support tx/rx pause setting for port owner
    - sctp: fix the transport error_count check
    - bonding: Add vlan tx offload to hw_enc_features
    - Linux 4.4.190

-- Kleber Sacilotto de Souza <kleber.souza@canonical.com>  Tue, 01 Oct 2019 10:23:59 +0200

Changed in linux (Ubuntu Xenial):
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntulinux package

Xenial update: 4.4.191 upstream stable release

Bug Description

CVE References

Other bug subscribers

Remote bug watches

Ubuntu
linux package