This bug was fixed in the package linux - 4.15.0-169.177

---------------
linux (4.15.0-169.177) bionic; urgency=medium

  * bionic/linux: 4.15.0-169.177 -proposed tracker (LP: #1959877)

  * ubuntu_kernel_selftests.ftrace:ftracetest fails with bionic:linux 4.15.0-168.176 on s390x (LP: #1959752)
    - recordmcount.pl: fix typo in s390 mcount regex

linux (4.15.0-168.176) bionic; urgency=medium

  * bionic/linux: 4.15.0-168.176 -proposed tracker (LP: #1959308)

  * CVE-2022-22942
    - SAUCE: drm/vmwgfx: Fix stale file descriptors on failed usercopy

  * Bionic update: upstream stable patchset 2022-01-25 (LP: #1959033)
    - IB/qib: Use struct_size() helper
    - IB/qib: Protect from buffer overflow in struct qib_user_sdma_pkt fields
    - net: usb: lan78xx: add Allied Telesis AT29M2-AF
    - can: kvaser_usb: get CAN clock frequency from device
    - HID: holtek: fix mouse probing
    - spi: change clk_disable_unprepare to clk_unprepare
    - IB/qib: Fix memory leak in qib_user_sdma_queue_pkts()
    - netfilter: fix regression in looped (broad|multi)cast's MAC handling
    - qlcnic: potential dereference null pointer of rx_queue->page_ring
    - net: accept UFOv6 packages in virtio_net_hdr_to_skb
    - net: skip virtio_net_hdr_set_proto if protocol already set
    - bonding: fix ad_actor_system option setting to default
    - fjes: Check for error irq
    - drivers: net: smc911x: Check for error irq
    - sfc: falcon: Check null pointer of rx_queue->page_ring
    - hwmon: (lm90) Fix usage of CONFIG2 register in detect function
    - ALSA: jack: Check the return value of kstrdup()
    - ALSA: drivers: opl3: Fix incorrect use of vp->state
    - Input: atmel_mxt_ts - fix double free in mxt_read_info_block
    - x86/pkey: Fix undefined behaviour with PKRU_WD_BIT
    - pinctrl: stm32: consider the GPIO offset to expose all the GPIO lines
    - ARM: 9169/1: entry: fix Thumb2 bug in iWMMXt exception handling
    - f2fs: fix to do sanity check on last xattr entry in __f2fs_setxattr()
    - usb: gadget: u_ether: fix race in setting MAC address in setup phase
    - KVM: VMX: Fix stale docs for kvm-intel.emulate_invalid_guest_state
    - hwmon: (lm90) Do not report 'busy' status bit as alarm
    - ax25: NPD bug when detaching AX25 device
    - hamradio: defer ax25 kfree after unregister_netdev
    - hamradio: improve the incomplete fix to avoid NPD
    - phonet/pep: refuse to enable an unbound pipe
    - parisc: Correct completer in lws start

  * Bionic update: upstream stable patchset 2022-01-14 (LP: #1957957)
    - nfc: fix segfault in nfc_genl_dump_devices_done
    - drm/msm/dsi: set default num_data_lanes
    - net/mlx4_en: Update reported link modes for 1/10G
    - parisc/agp: Annotate parisc agp init functions with __init
    - i2c: rk3x: Handle a spurious start completion interrupt flag
    - net: netlink: af_netlink: Prevent empty skb by adding a check on len.
    - tracing: Fix a kmemleak false positive in tracing_map
    - bpf: fix panic due to oob in bpf_prog_test_run_skb
    - hwmon: (dell-smm) Fix warning on /proc/i8k creation error
    - mac80211: send ADDBA requests using the tid/queue of the aggregation session
    - recordmcount.pl: look for jgnop instruction as well as bcrl on s390
    - dm btree remove: fix use after free in rebalance_children()
    - audit: improve robustness of the audit queue handling
    - nfsd: fix use-after-free due to delegation race
    - x86: Make ARCH_USE_MEMREMAP_PROT a generic Kconfig symbol
    - x86/sme: Explicitly map new EFI memmap table as encrypted
    - ARM: socfpga: dts: fix qspi node compatible
    - dmaengine: st_fdma: fix MODULE_ALIAS
    - soc/tegra: fuse: Fix bitwise vs. logical OR warning
    - igbvf: fix double free in `igbvf_probe`
    - ixgbe: set X550 MDIO speed before talking to PHY
    - net/packet: rx_owner_map depends on pg_vec
    - sit: do not call ipip6_dev_free() from sit_init_net()
    - USB: gadget: bRequestType is a bitfield, not a enum
    - PCI/MSI: Clear PCI_MSIX_FLAGS_MASKALL on error
    - PCI/MSI: Mask MSI-X vectors only on success
    - USB: serial: option: add Telit FN990 compositions
    - timekeeping: Really make sure wall_to_monotonic isn't positive
    - libata: if T_LENGTH is zero, dma direction should be DMA_NONE
    - net: systemport: Add global locking for descriptor lifecycle
    - firmware: arm_scpi: Fix string overflow in SCPI genpd driver
    - ARM: dts: imx6ull-pinfunc: Fix CSI_DATA07__ESAI_TX0 pad name
    - fuse: annotate lock in fuse_reverse_inval_entry()
    - scsi: scsi_debug: Sanity check block descriptor length in resp_mode_select()
    - net: lan78xx: Avoid unnecessary self assignment
    - ARM: 8805/2: remove unneeded naked function usage
    - mwifiex: Remove unnecessary braces from HostCmd_SET_SEQ_NO_BSS_INFO
    - ARM: 8800/1: use choice for kernel unwinders
    - [Config] updateconfigs for UNWINDER_ARM
    - Input: touchscreen - avoid bitwise vs logical OR warning
    - xen/blkfront: harden blkfront against event channel storms
    - xen/netfront: harden netfront against event channel storms
    - xen/console: harden hvc_xen against event channel storms
    - xen/netback: fix rx queue stall detection
    - xen/netback: don't queue unlimited number of packages
    - mac80211: track only QoS data frames for admission control

  * Bionic update: upstream stable patchset 2022-01-11 (LP: #1957113)
    - HID: add hid_is_usb() function to make it simpler for USB detection
    - HID: add USB_HID dependancy to hid-prodikeys
    - HID: add USB_HID dependancy to hid-chicony
    - HID: add USB_HID dependancy on some USB HID drivers
    - HID: wacom: fix problems when device is not a valid USB device
    - HID: check for valid USB device for many HID drivers
    - can: sja1000: fix use after free in ems_pcmcia_add_card()
    - nfc: fix potential NULL pointer deref in nfc_genl_dump_ses_done
    - bpf: Fix the off-by-two error in range markings
    - nfp: Fix memory leak in nfp_cpp_area_cache_add()
    - seg6: fix the iif in the IPv6 socket control block
    - IB/hfi1: Correct guard on eager buffer deallocation
    - mm: bdi: initialize bdi_min_ratio when bdi is unregistered
    - ALSA: ctl: Fix copy of updated id with element read/write
    - ALSA: pcm: oss: Fix negative period/buffer sizes
    - ALSA: pcm: oss: Limit the period size to 16MB
    - ALSA: pcm: oss: Handle missing errors in snd_pcm_oss_change_params*()
    - tracefs: Have new files inherit the ownership of their parent
    - can: pch_can: pch_can_rx_normal: fix use after free
    - can: m_can: Disable and ignore ELO interrupt
    - libata: add horkage for ASMedia 1092
    - wait: add wake_up_pollfree()
    - binder: use wake_up_pollfree()
    - signalfd: use wake_up_pollfree()
    - tracefs: Set all files to the same group ownership as the mount option
    - block: fix ioprio_get(IOPRIO_WHO_PGRP) vs setuid(2)
    - qede: validate non LSO skb length
    - net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero
    - net: altera: set a couple error code in probe()
    - net: fec: only clear interrupt of handling queue in fec_enet_rx_queue()
    - net, neigh: clear whole pneigh_entry at alloc time
    - net/qla3xxx: fix an error code in ql_adapter_up()
    - USB: gadget: detect too-big endpoint 0 requests
    - USB: gadget: zero allocate endpoint 0 buffers
    - usb: core: config: fix validation of wMaxPacketValue entries
    - xhci: Remove CONFIG_USB_DEFAULT_PERSIST to prevent xHCI from runtime suspending
    - usb: core: config: using bit mask instead of individual bits
    - iio: trigger: Fix reference counting
    - iio: trigger: stm32-timer: fix MODULE_ALIAS
    - iio: stk3310: Don't return error code in interrupt handler
    - iio: mma8452: Fix trigger reference couting
    - iio: ltr501: Don't return error code in trigger handler
    - iio: kxsd9: Don't return error code in trigger handler
    - iio: itg3200: Call iio_trigger_notify_done() on error
    - iio: dln2-adc: Fix lockdep complaint
    - iio: dln2: Check return value of devm_iio_trigger_register()
    - iio: adc: axp20x_adc: fix charging current reporting on AXP22x
    - iio: accel: kxcjk-1013: Fix possible memory leak in probe and remove
    - irqchip/armada-370-xp: Fix return value of armada_370_xp_msi_alloc()
    - irqchip/armada-370-xp: Fix support for Multi-MSI interrupts
    - irqchip/irq-gic-v3-its.c: Force synchronisation when issuing INVALL
    - irqchip: nvic: Fix offset for Interrupt Priority Offsets
    - bonding: make tx_rebalance_counter an atomic

  * Bionic update: upstream stable patchset 2022-01-06 (LP: #1956614)
    - USB: serial: option: add Telit LE910S1 0x9200 composition
    - USB: serial: option: add Fibocom FM101-GL variants
    - usb: hub: Fix usb enumeration issue due to address0 race
    - usb: hub: Fix locking issues with address0_mutex
    - binder: fix test regression due to sender_euid change
    - ALSA: ctxfi: Fix out-of-range access
    - media: cec: copy sequence field for the reply
    - HID: wacom: Use "Confidence" flag to prevent reporting invalid contacts
    - staging: rtl8192e: Fix use after free in _rtl92e_pci_disconnect()
    - fuse: fix page stealing
    - xen: don't continue xenstore initialization in case of errors
    - xen: detect uninitialized xenbus in xenbus_init
    - tracing: Fix pid filtering when triggers are attached
    - netfilter: ipvs: Fix reuse connection if RS weight is 0
    - ARM: dts: BCM5301X: Fix I2C controller interrupt
    - ARM: dts: BCM5301X: Add interrupt properties to GPIO node
    - ASoC: topology: Add missing rwsem around snd_ctl_remove() calls
    - net: ieee802154: handle iftypes as u32
    - NFSv42: Don't fail clone() unless the OP_CLONE operation failed
    - ARM: socfpga: Fix crash with CONFIG_FORTIRY_SOURCE
    - scsi: mpt3sas: Fix kernel panic during drive powercycle test
    - drm/vc4: fix error code in vc4_create_object()
    - ipv6: fix typos in __ip6_finish_output()
    - net/smc: Ensure the active closing peer first closes clcsock
    - PM: hibernate: use correct mode for swsusp_close()
    - tcp_cubic: fix spurious Hystart ACK train detections for not-cwnd-limited flows
    - MIPS: use 3-level pgtable for 64KB page size on MIPS_VA_BITS_48
    - net/smc: Don't call clcsock shutdown twice when smc shutdown
    - vhost/vsock: fix incorrect used length reported to the guest
    - tracing: Check pid filtering when creating events
    - s390/mm: validate VMA in PGSTE manipulation functions
    - PCI: aardvark: Fix a leaked reference by adding missing of_node_put()
    - PCI: aardvark: Wait for endpoint to be ready before training link
    - PCI: aardvark: Train link immediately after enabling training
    - PCI: aardvark: Improve link training
    - PCI: aardvark: Issue PERST via GPIO
    - PCI: aardvark: Replace custom macros by standard linux/pci_regs.h macros
    - PCI: aardvark: Indicate error in 'val' when config read fails
    - PCI: aardvark: Introduce an advk_pcie_valid_device() helper
    - PCI: aardvark: Don't touch PCIe registers if no card connected
    - PCI: aardvark: Fix compilation on s390
    - PCI: aardvark: Move PCIe reset card code to advk_pcie_train_link()
    - PCI: aardvark: Update comment about disabling link training
    - PCI: aardvark: Remove PCIe outbound window configuration
    - PCI: aardvark: Configure PCIe resources from 'ranges' DT property
    - PCI: aardvark: Fix PCIe Max Payload Size setting
    - PCI: Add PCI_EXP_LNKCTL2_TLS* macros
    - PCI: aardvark: Fix link training
    - PCI: aardvark: Fix checking for link up via LTSSM state
    - pinctrl: armada-37xx: Correct mpp definitions
    - pinctrl: armada-37xx: add missing pin: PCIe1 Wakeup
    - pinctrl: armada-37xx: Correct PWM pins definitions
    - arm64: dts: marvell: armada-37xx: declare PCIe reset pin
    - arm64: dts: marvell: armada-37xx: Set pcie_reset_pin to gpio function
    - proc/vmcore: fix clearing user buffer by properly using clear_user()
    - NFC: add NCI_UNREG flag to eliminate the race
    - fuse: release pipe buf after last use
    - xen: sync include/xen/interface/io/ring.h with Xen's newest version
    - xen/blkfront: read response from backend only once
    - xen/blkfront: don't take local copy of a request from the ring page
    - xen/blkfront: don't trust the backend response data blindly
    - xen/netfront: read response from backend only once
    - xen/netfront: don't read data from request on the ring page
    - xen/netfront: disentangle tx_skb_freelist
    - xen/netfront: don't trust the backend response data blindly
    - tty: hvc: replace BUG_ON() with negative return value
    - shm: extend forced shm destroy to support objects from several IPC nses
    - ipc: WARN if trying to remove ipc object which is absent
    - NFSv42: Fix pagecache invalidation after COPY/CLONE
    - hugetlb: take PMD sharing into account when flushing tlb/caches
    - net: return correct error code
    - platform/x86: thinkpad_acpi: Fix WWAN device disabled issue after S3 deep
    - s390/setup: avoid using memblock_enforce_memory_limit
    - btrfs: check-integrity: fix a warning on write caching disabled disk
    - thermal: core: Reset previous low and high trip during thermal zone init
    - scsi: iscsi: Unblock session then wake up error handler
    - ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array overflow in hns_dsaf_ge_srst_by_port()
    - net: tulip: de4x5: fix the problem that the array 'lp->phy[8]' may be out of bound
    - net: ethernet: dec: tulip: de4x5: fix possible array overflows in type3_infoblock()
    - perf hist: Fix memory leak of a perf_hpp_fmt
    - vrf: Reset IPCB/IP6CB when processing outbound pkts in vrf dev xmit
    - kprobes: Limit max data_size of the kretprobe instances
    - sata_fsl: fix UAF in sata_fsl_port_stop when rmmod sata_fsl
    - sata_fsl: fix warning in remove_proc_entry when rmmod sata_fsl
    - natsemi: xtensa: fix section mismatch warnings
    - net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings()
    - net: mpls: Fix notifications when deleting a device
    - siphash: use _unaligned version by default
    - net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources()
    - net: usb: lan78xx: lan78xx_phy_init(): use PHY_POLL instead of "0" if no IRQ is available
    - net/rds: correct socket tunable error in rds_tcp_tune()
    - net/smc: Keep smc_close_final rc during active close
    - parisc: Fix KBUILD_IMAGE for self-extracting kernel
    - parisc: Fix "make install" on newer debian releases
    - vgacon: Propagate console boot parameters before calling `vc_resize'
    - xhci: Fix commad ring abort, write all 64 bits to CRCR register.
    - usb: typec: tcpm: Wait in SNK_DEBOUNCED until disconnect
    - x86/64/mm: Map all kernel memory into trampoline_pgd
    - tty: serial: msm_serial: Deactivate RX DMA for polling support
    - serial: pl011: Add ACPI SBSA UART match id
    - serial: core: fix transmit-buffer reset and memleak
    - parisc: Mark cr16 CPU clocksource unstable on all SMP machines
    - xtensa: use CONFIG_USE_OF instead of CONFIG_OF
    - net: hns3: fix VF RSS failed problem after PF enable multi-TCs
    - i2c: stm32f7: recover the bus on access timeout
    - net: annotate data-races on txq->xmit_lock_owner

  * CVE-2022-0330
    - drm/i915: Flush TLBs before releasing backing store

  * CVE-2021-4083
    - fs: add fget_many() and fput_many()
    - fget: check that the fd still exists after getting a ref to it

  * CVE-2021-4155
    - xfs: map unwritten blocks in XFS_IOC_{ALLOC, FREE}SP just like fallocate

 -- Kleber Sacilotto de Souza