Bug #1816756 “squashfs hardening” : Bionic (18.04) : Bugs : linux package : Ubuntu

Revision history for this message

Tyler Hicks (tyhicks) wrote on 2019-02-20:

#1

Bionic: https://lists.ubuntu.com/archives/kernel-team/2019-February/098532.html
Xenial: https://lists.ubuntu.com/archives/kernel-team/2019-February/098538.html

Changed in linux (Ubuntu Xenial):
importance:	Undecided → Medium
Changed in linux (Ubuntu Bionic):
importance:	Undecided → Medium
Changed in linux (Ubuntu Xenial):
assignee:	nobody → Paolo Pisati (p-pisati)
Changed in linux (Ubuntu Bionic):
assignee:	nobody → Paolo Pisati (p-pisati)
Changed in linux (Ubuntu Xenial):
status:	New → In Progress
Changed in linux (Ubuntu Bionic):
status:	New → In Progress
Changed in linux (Ubuntu):
status:	In Progress → Fix Released

Khaled El Mously (kmously) on 2019-03-04

Changed in linux (Ubuntu Xenial):
status:	In Progress → Fix Committed
Changed in linux (Ubuntu Bionic):
status:	In Progress → Fix Committed
status:	Fix Committed → In Progress

Khaled El Mously (kmously) on 2019-03-04

Changed in linux (Ubuntu Bionic):
status:	In Progress → Fix Committed

Revision history for this message

Brad Figg (brad-figg) wrote on 2019-03-15:

#2

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'. If the problem still exists, change the tag 'verification-needed-xenial' to 'verification-failed-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: verification-needed-xenial

Revision history for this message

Brad Figg (brad-figg) wrote on 2019-03-15:

#3

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: verification-needed-bionic

Revision history for this message

Tyler Hicks (tyhicks) wrote on 2019-03-28:

#4

The libreoffice and chromium snaps continued to work just fine after upgrading to the xenial and bionic -proposed kernels that contain the squashfs hardening patches. Verification is complete.

tags:

added: verification-done-bionic verification-done-xenial
removed: verification-needed-bionic verification-needed-xenial

Revision history for this message

Launchpad Janitor (janitor) wrote on 2019-04-02:

#5

Download full text (26.1 KiB)

This bug was fixed in the package linux - 4.4.0-145.171

---------------
linux (4.4.0-145.171) xenial; urgency=medium

* linux: 4.4.0-145.171 -proposed tracker (LP: #1821724)

* linux-generic should depend on linux-base >=4.1 (LP: #1820419)
- [Packaging] Fix linux-base dependency

linux (4.4.0-144.170) xenial; urgency=medium

* linux: 4.4.0-144.170 -proposed tracker (LP: #1819660)

  * Packaging resync (LP: #1786013)
    - [Packaging] resync getabis
    - [Packaging] update helper scripts
    - [Packaging] resync retpoline extraction

* C++ demangling support missing from perf (LP: #1396654)
- [Packaging] fix a mistype

* CVE-2019-9213
- mm: enforce min addr even if capable() in expand_downwards()

* CVE-2019-3460
- Bluetooth: Check L2CAP option sizes returned from l2cap_get_conf_opt

  * Xenial update: 4.4.176 upstream stable release (LP: #1818815)
    - net: fix IPv6 prefix route residue
    - vsock: cope with memory allocation failure at socket creation time
    - hwmon: (lm80) Fix missing unlock on error in set_fan_div()
    - net: Fix for_each_netdev_feature on Big endian
    - net: Add header for usage of fls64()
    - tcp: tcp_v4_err() should be more careful
    - net: Do not allocate page fragments that are not skb aligned
    - tcp: clear icsk_backoff in tcp_write_queue_purge()
    - vxlan: test dev->flags & IFF_UP before calling netif_rx()
    - net: stmmac: Fix a race in EEE enable callback
    - net: ipv4: use a dedicated counter for icmp_v4 redirect packets
    - x86: livepatch: Treat R_X86_64_PLT32 as R_X86_64_PC32
    - mfd: as3722: Handle interrupts on suspend
    - mfd: as3722: Mark PM functions as __maybe_unused
    - net/x25: do not hold the cpu too long in x25_new_lci()
    - mISDN: fix a race in dev_expire_timer()
    - ax25: fix possible use-after-free
    - Linux 4.4.176

  * sky2 ethernet card don't work after returning from suspension
    (LP: #1798921) // Xenial update: 4.4.176 upstream stable release
    (LP: #1818815)
    - sky2: Increase D3 delay again

  * Xenial update: 4.4.175 upstream stable release (LP: #1818813)
    - drm/bufs: Fix Spectre v1 vulnerability
    - staging: iio: adc: ad7280a: handle error from __ad7280_read32()
    - ASoC: Intel: mrfld: fix uninitialized variable access
    - scsi: lpfc: Correct LCB RJT handling
    - ARM: 8808/1: kexec:offline panic_smp_self_stop CPU
    - dlm: Don't swamp the CPU with callbacks queued during recovery
    - x86/PCI: Fix Broadcom CNB20LE unintended sign extension (redux)
    - powerpc/pseries: add of_node_put() in dlpar_detach_node()
    - serial: fsl_lpuart: clear parity enable bit when disable parity
    - ptp: check gettime64 return code in PTP_SYS_OFFSET ioctl
    - staging:iio:ad2s90: Make probe handle spi_setup failure
    - staging: iio: ad7780: update voltage on read
    - ARM: OMAP2+: hwmod: Fix some section annotations
    - modpost: validate symbol names also in find_elf_symbol
    - perf tools: Add Hygon Dhyana support
    - soc/tegra: Don't leak device tree node reference
    - f2fs: move dir data flush to write checkpoint process
    - f2fs: fix wrong return value of f2fs_acl_create
    - sunvdc: Do not spin in an infin...

This bug was fixed in the package linux - 4.4.0-145.171

---------------
linux (4.4.0-145.171) xenial; urgency=medium

* linux: 4.4.0-145.171 -proposed tracker (LP: #1821724)

* linux-generic should depend on linux-base >=4.1 (LP: #1820419)
    - [Packaging] Fix linux-base dependency

linux (4.4.0-144.170) xenial; urgency=medium

* linux: 4.4.0-144.170 -proposed tracker (LP: #1819660)

* Packaging resync (LP: #1786013)
    - [Packaging] resync getabis
    - [Packaging] update helper scripts
    - [Packaging] resync retpoline extraction

* C++ demangling support missing from perf (LP: #1396654)
    - [Packaging] fix a mistype

* CVE-2019-9213
    - mm: enforce min addr even if capable() in expand_downwards()

* CVE-2019-3460
    - Bluetooth: Check L2CAP option sizes returned from l2cap_get_conf_opt

* Xenial update: 4.4.176 upstream stable release (LP: #1818815)
    - net: fix IPv6 prefix route residue
    - vsock: cope with memory allocation failure at socket creation time
    - hwmon: (lm80) Fix missing unlock on error in set_fan_div()
    - net: Fix for_each_netdev_feature on Big endian
    - net: Add header for usage of fls64()
    - tcp: tcp_v4_err() should be more careful
    - net: Do not allocate page fragments that are not skb aligned
    - tcp: clear icsk_backoff in tcp_write_queue_purge()
    - vxlan: test dev->flags & IFF_UP before calling netif_rx()
    - net: stmmac: Fix a race in EEE enable callback
    - net: ipv4: use a dedicated counter for icmp_v4 redirect packets
    - x86: livepatch: Treat R_X86_64_PLT32 as R_X86_64_PC32
    - mfd: as3722: Handle interrupts on suspend
    - mfd: as3722: Mark PM functions as __maybe_unused
    - net/x25: do not hold the cpu too long in x25_new_lci()
    - mISDN: fix a race in dev_expire_timer()
    - ax25: fix possible use-after-free
    - Linux 4.4.176

* sky2 ethernet card don't work after returning from suspension
    (LP: #1798921) // Xenial update: 4.4.176 upstream stable release
    (LP: #1818815)
    - sky2: Increase D3 delay again

* Xenial update: 4.4.175 upstream stable release (LP: #1818813)
    - drm/bufs: Fix Spectre v1 vulnerability
    - staging: iio: adc: ad7280a: handle error from __ad7280_read32()
    - ASoC: Intel: mrfld: fix uninitialized variable access
    - scsi: lpfc: Correct LCB RJT handling
    - ARM: 8808/1: kexec:offline panic_smp_self_stop CPU
    - dlm: Don't swamp the CPU with callbacks queued during recovery
    - x86/PCI: Fix Broadcom CNB20LE unintended sign extension (redux)
    - powerpc/pseries: add of_node_put() in dlpar_detach_node()
    - serial: fsl_lpuart: clear parity enable bit when disable parity
    - ptp: check gettime64 return code in PTP_SYS_OFFSET ioctl
    - staging:iio:ad2s90: Make probe handle spi_setup failure
    - staging: iio: ad7780: update voltage on read
    - ARM: OMAP2+: hwmod: Fix some section annotations
    - modpost: validate symbol names also in find_elf_symbol
    - perf tools: Add Hygon Dhyana support
    - soc/tegra: Don't leak device tree node reference
    - f2fs: move dir data flush to write checkpoint process
    - f2fs: fix wrong return value of f2fs_acl_create
    - sunvdc: Do not spin in an infinite loop when vio_ldc_send() returns EAGAIN
    - nfsd4: fix crash on writing v4_end_grace before nfsd startup
    - arm64: ftrace: don't adjust the LR value
    - ARM: dts: mmp2: fix TWSI2
    - x86/fpu: Add might_fault() to user_insn()
    - media: DaVinci-VPBE: fix error handling in vpbe_initialize()
    - smack: fix access permissions for keyring
    - usb: hub: delay hub autosuspend if USB3 port is still link training
    - timekeeping: Use proper seqcount initializer
    - ARM: dts: Fix OMAP4430 SDP Ethernet startup
    - mips: bpf: fix encoding bug for mm_srlv32_op
    - iommu/arm-smmu-v3: Use explicit mb() when moving cons pointer
    - sata_rcar: fix deferred probing
    - clk: imx6sl: ensure MMDC CH0 handshake is bypassed
    - cpuidle: big.LITTLE: fix refcount leak
    - i2c-axxia: check for error conditions first
    - udf: Fix BUG on corrupted inode
    - ARM: pxa: avoid section mismatch warning
    - ASoC: fsl: Fix SND_SOC_EUKREA_TLV320 build error on i.MX8M
    - memstick: Prevent memstick host from getting runtime suspended during card
      detection
    - tty: serial: samsung: Properly set flags in autoCTS mode
    - arm64: KVM: Skip MMIO insn after emulation
    - powerpc/uaccess: fix warning/error with access_ok()
    - mac80211: fix radiotap vendor presence bitmap handling
    - xfrm6_tunnel: Fix spi check in __xfrm6_tunnel_alloc_spi
    - Bluetooth: Fix unnecessary error message for HCI request completion
    - cw1200: Fix concurrency use-after-free bugs in cw1200_hw_scan()
    - drbd: narrow rcu_read_lock in drbd_sync_handshake
    - drbd: disconnect, if the wrong UUIDs are attached on a connected peer
    - drbd: skip spurious timeout (ping-timeo) when failing promote
    - drbd: Avoid Clang warning about pointless switch statment
    - video: clps711x-fb: release disp device node in probe()
    - fbdev: fbmem: behave better with small rotated displays and many CPUs
    - fbdev: fbcon: Fix unregister crash when more than one framebuffer
    - KVM: x86: svm: report MSR_IA32_MCG_EXT_CTL as unsupported
    - NFS: nfs_compare_mount_options always compare auth flavors.
    - hwmon: (lm80) fix a missing check of the status of SMBus read
    - hwmon: (lm80) fix a missing check of bus read in lm80 probe
    - seq_buf: Make seq_buf_puts() null-terminate the buffer
    - crypto: ux500 - Use proper enum in cryp_set_dma_transfer
    - crypto: ux500 - Use proper enum in hash_set_dma_transfer
    - cifs: check ntwrk_buf_start for NULL before dereferencing it
    - um: Avoid marking pages with "changed protection"
    - niu: fix missing checks of niu_pci_eeprom_read
    - scripts/decode_stacktrace: only strip base path when a prefix of the path
    - ocfs2: don't clear bh uptodate for block read
    - isdn: hisax: hfc_pci: Fix a possible concurrency use-after-free bug in
      HFCPCI_l1hw()
    - gdrom: fix a memory leak bug
    - block/swim3: Fix -EBUSY error when re-opening device after unmount
    - HID: lenovo: Add checks to fix of_led_classdev_register
    - kernel/hung_task.c: break RCU locks based on jiffies
    - fs/epoll: drop ovflist branch prediction
    - exec: load_script: don't blindly truncate shebang string
    - thermal: hwmon: inline helpers when CONFIG_THERMAL_HWMON is not set
    - test_hexdump: use memcpy instead of strncpy
    - tipc: use destination length for copy string
    - string: drop __must_check from strscpy() and restore strscpy() usages in
      cgroup
    - dccp: fool proof ccid_hc_[rt]x_parse_options()
    - enic: fix checksum validation for IPv6
    - net: dp83640: expire old TX-skb
    - skge: potential memory corruption in skge_get_regs()
    - net: systemport: Fix WoL with password after deep sleep
    - net: dsa: slave: Don't propagate flag changes on down slave interfaces
    - ALSA: compress: Fix stop handling on compressed capture streams
    - ALSA: hda - Serialize codec registrations
    - fuse: call pipe_buf_release() under pipe lock
    - fuse: decrement NR_WRITEBACK_TEMP on the right page
    - fuse: handle zero sized retrieve correctly
    - dmaengine: imx-dma: fix wrong callback invoke
    - usb: phy: am335x: fix race condition in _probe
    - usb: gadget: udc: net2272: Fix bitwise and boolean operations
    - perf/x86/intel/uncore: Add Node ID mask
    - x86/MCE: Initialize mce.bank in the case of a fatal error in
      mce_no_way_out()
    - perf/core: Don't WARN() for impossible ring-buffer sizes
    - perf tests evsel-tp-sched: Fix bitwise operator
    - mtd: rawnand: gpmi: fix MX28 bus master lockup problem
    - signal: Always notice exiting tasks
    - signal: Better detection of synchronous signals
    - misc: vexpress: Off by one in vexpress_syscfg_exec()
    - debugfs: fix debugfs_rename parameter checking
    - mips: cm: reprime error cause
    - MIPS: OCTEON: don't set octeon_dma_bar_type if PCI is disabled
    - MIPS: VDSO: Include $(ccflags-vdso) in o32,n32 .lds builds
    - ARM: iop32x/n2100: fix PCI IRQ mapping
    - mac80211: ensure that mgmt tx skbs have tailroom for encryption
    - drm/modes: Prevent division by zero htotal
    - drm/vmwgfx: Fix setting of dma masks
    - drm/vmwgfx: Return error code from vmw_execbuf_copy_fence_user
    - HID: debug: fix the ring buffer implementation
    - NFC: nxp-nci: Include unaligned.h instead of access_ok.h
    - Revert "cifs: In Kconfig CONFIG_CIFS_POSIX needs depends on legacy (insecure
      cifs)"
    - Revert "UBUNTU: [Config] Remove CONFIG_CIFS_POSIX=y"
    - libceph: avoid KEEPALIVE_PENDING races in ceph_con_keepalive()
    - xfrm: refine validation of template and selector families
    - batman-adv: Avoid WARN on net_device without parent in netns
    - batman-adv: Force mac header to start of data on xmit
    - Revert "exec: load_script: don't blindly truncate shebang string"
    - uapi/if_ether.h: prevent redefinition of struct ethhdr
    - ARM: dts: da850-evm: Correct the sound card name
    - ARM: dts: kirkwood: Fix polarity of GPIO fan lines
    - gpio: pl061: handle failed allocations
    - cifs: Limit memory used by lock request calls to a page
    - Documentation/network: reword kernel version reference
    - Revert "Input: elan_i2c - add ACPI ID for touchpad in ASUS Aspire F5-573G"
    - Input: elan_i2c - add ACPI ID for touchpad in Lenovo V330-15ISK
    - perf/core: Fix impossible ring-buffer sizes warning
    - ALSA: hda - Add quirk for HP EliteBook 840 G5
    - ALSA: usb-audio: Fix implicit fb endpoint setup by quirk
    - Input: bma150 - register input device after setting private data
    - Input: elantech - enable 3rd button support on Fujitsu CELSIUS H780
    - alpha: fix page fault handling for r16-r18 targets
    - alpha: Fix Eiger NR_IRQS to 128
    - tracing/uprobes: Fix output for multiple string arguments
    - x86/platform/UV: Use efi_runtime_lock to serialise BIOS calls
    - signal: Restore the stop PTRACE_EVENT_EXIT
    - x86/a.out: Clear the dump structure initially
    - dm thin: fix bug where bio that overwrites thin block ignores FUA
    - smsc95xx: Use skb_cow_head to deal with cloned skbs
    - ch9200: use skb_cow_head() to deal with cloned skbs
    - kaweth: use skb_cow_head() to deal with cloned skbs
    - usb: dwc2: Remove unnecessary kfree
    - pinctrl: msm: fix gpio-hog related boot issues
    - uapi/if_ether.h: move __UAPI_DEF_ETHHDR libc define
    - Linux 4.4.175

* Xenial update: 4.4.174 upstream stable release (LP: #1818806)
    - inet: frags: change inet_frags_init_net() return value
    - inet: frags: add a pointer to struct netns_frags
    - inet: frags: refactor ipfrag_init()
    - inet: frags: refactor ipv6_frag_init()
    - inet: frags: refactor lowpan_net_frag_init()
    - rhashtable: add rhashtable_lookup_get_insert_key()
    - rhashtable: Add rhashtable_lookup()
    - rhashtable: add schedule points
    - inet: frags: use rhashtables for reassembly units
    - net: ieee802154: 6lowpan: fix frag reassembly
    - ipfrag: really prevent allocation on netns exit
    - inet: frags: remove some helpers
    - inet: frags: get rif of inet_frag_evicting()
    - inet: frags: remove inet_frag_maybe_warn_overflow()
    - inet: frags: break the 2GB limit for frags storage
    - inet: frags: do not clone skb in ip_expire()
    - ipv6: frags: rewrite ip6_expire_frag_queue()
    - rhashtable: reorganize struct rhashtable layout
    - inet: frags: reorganize struct netns_frags
    - inet: frags: get rid of ipfrag_skb_cb/FRAG_CB
    - inet: frags: fix ip6frag_low_thresh boundary
    - ip: discard IPv4 datagrams with overlapping segments.
    - net: modify skb_rbtree_purge to return the truesize of all purged skbs.
    - ipv6: defrag: drop non-last frags smaller than min mtu
    - net: pskb_trim_rcsum() and CHECKSUM_COMPLETE are friends
    - ip: use rb trees for IP frag queue.
    - ip: add helpers to process in-order fragments faster.
    - ip: process in-order fragments efficiently
    - ip: frags: fix crash in ip_do_fragment()
    - ipv4: frags: precedence bug in ip_expire()
    - inet: frags: better deal with smp races
    - net: fix pskb_trim_rcsum_slow() with odd trim offset
    - net: ipv4: do not handle duplicate fragments as overlapping
    - rcu: Force boolean subscript for expedited stall warnings
    - Linux 4.4.174

* Xenial update: 4.4.173 upstream stable release (LP: #1818803)
    - net: Fix usage of pskb_trim_rcsum
    - openvswitch: Avoid OOB read when parsing flow nlattrs
    - net: ipv4: Fix memory leak in network namespace dismantle
    - net_sched: refetch skb protocol for each filter
    - net: bridge: Fix ethernet header pointer before check skb forwardable
    - USB: serial: simple: add Motorola Tetra TPG2200 device id
    - USB: serial: pl2303: add new PID to support PL2303TB
    - ASoC: atom: fix a missing check of snd_pcm_lib_malloc_pages
    - ARC: perf: map generic branches to correct hardware condition
    - s390/early: improve machine detection
    - s390/smp: fix CPU hotplug deadlock with CPU rescan
    - char/mwave: fix potential Spectre v1 vulnerability
    - staging: rtl8188eu: Add device code for D-Link DWA-121 rev B1
    - tty: Handle problem if line discipline does not have receive_buf
    - tty/n_hdlc: fix __might_sleep warning
    - CIFS: Fix possible hang during async MTU reads and writes
    - Input: xpad - add support for SteelSeries Stratus Duo
    - KVM: x86: Fix single-step debugging
    - x86/kaslr: Fix incorrect i8254 outb() parameters
    - can: dev: __can_get_echo_skb(): fix bogous check for non-existing skb by
      removing it
    - can: bcm: check timer values before ktime conversion
    - vt: invoke notifier on screen size change
    - perf unwind: Unwind with libdw doesn't take symfs into account
    - perf unwind: Take pgoff into account when reporting elf to libdwfl
    - irqchip/gic-v3-its: Align PCI Multi-MSI allocation on their size
    - arm64: mm: remove page_mapping check in __sync_icache_dcache
    - f2fs: read page index before freeing
    - Revert "loop: Fix double mutex_unlock(&loop_ctl_mutex) in
      loop_control_ioctl()"
    - Revert "loop: Get rid of loop_index_mutex"
    - Revert "loop: Fold __loop_release into loop_release"
    - s390/smp: Fix calling smp_call_ipl_cpu() from ipl CPU
    - fs: add the fsnotify call to vfs_iter_write
    - ipv6: Consider sk_bound_dev_if when binding a socket to an address
    - l2tp: copy 4 more bytes to linear part if necessary
    - net/mlx4_core: Add masking for a few queries on HCA caps
    - netrom: switch to sock timer API
    - net/rose: fix NULL ax25_cb kernel panic
    - ucc_geth: Reset BQL queue when stopping device
    - l2tp: remove l2specific_len dependency in l2tp_core
    - l2tp: fix reading optional fields of L2TPv3
    - CIFS: Do not count -ENODATA as failure for query directory
    - fs/dcache: Fix incorrect nr_dentry_unused accounting in shrink_dcache_sb()
    - ARM: cns3xxx: Fix writing to wrong PCI config registers after alignment
    - arm64: hyp-stub: Forbid kprobing of the hyp-stub
    - gfs2: Revert "Fix loop in gfs2_rbm_find"
    - platform/x86: asus-nb-wmi: Map 0x35 to KEY_SCREENLOCK
    - platform/x86: asus-nb-wmi: Drop mapping of 0x33 and 0x34 scan codes
    - mmc: sdhci-iproc: handle mmc_of_parse() errors during probe
    - kernel/exit.c: release ptraced tasks before zap_pid_ns_processes
    - mm, oom: fix use-after-free in oom_kill_process
    - cifs: Always resolve hostname before reconnecting
    - drivers: core: Remove glue dirs from sysfs earlier
    - mm: migrate: don't rely on __PageMovable() of newpage after unlocking it
    - fs: don't scan the inode cache before SB_BORN is set
    - Linux 4.4.173

* Xenial update: 4.4.172 upstream stable release (LP: #1818797)
    - tty/ldsem: Wake up readers after timed out down_write()
    - can: gw: ensure DLC boundaries after CAN frame modification
    - f2fs: clean up argument of recover_data
    - f2fs: cover more area with nat_tree_lock
    - f2fs: move sanity checking of cp into get_valid_checkpoint
    - f2fs: fix to convert inline directory correctly
    - f2fs: give -EINVAL for norecovery and rw mount
    - f2fs: remove an obsolete variable
    - f2fs: factor out fsync inode entry operations
    - f2fs: fix inode cache leak
    - f2fs: fix to avoid reading out encrypted data in page cache
    - f2fs: not allow to write illegal blkaddr
    - f2fs: avoid unneeded loop in build_sit_entries
    - f2fs: use crc and cp version to determine roll-forward recovery
    - f2fs: introduce get_checkpoint_version for cleanup
    - f2fs: put directory inodes before checkpoint in roll-forward recovery
    - f2fs: fix to determine start_cp_addr by sbi->cur_cp_pack
    - f2fs: detect wrong layout
    - f2fs: free meta pages if sanity check for ckpt is failed
    - f2fs: fix race condition in between free nid allocator/initializer
    - f2fs: return error during fill_super
    - f2fs: check blkaddr more accuratly before issue a bio
    - f2fs: sanity check on sit entry
    - f2fs: enhance sanity_check_raw_super() to avoid potential overflow
    - f2fs: clean up with is_valid_blkaddr()
    - f2fs: introduce and spread verify_blkaddr
    - f2fs: fix to do sanity check with secs_per_zone
    - f2fs: fix to do sanity check with user_block_count
    - f2fs: Add sanity_check_inode() function
    - f2fs: fix to do sanity check with node footer and iblocks
    - f2fs: fix to do sanity check with reserved blkaddr of inline inode
    - f2fs: fix to do sanity check with block address in main area
    - f2fs: fix to do sanity check with block address in main area v2
    - f2fs: fix to do sanity check with cp_pack_start_sum
    - f2fs: fix invalid memory access
    - f2fs: fix missing up_read
    - f2fs: fix validation of the block count in sanity_check_raw_super
    - media: em28xx: Fix misplaced reset of dev->v4l::field_count
    - arm64/kvm: consistently handle host HCR_EL2 flags
    - arm64: Don't trap host pointer auth use to EL2
    - ipv6: fix kernel-infoleak in ipv6_local_error()
    - net: bridge: fix a bug on using a neighbour cache entry without checking its
      state
    - packet: Do not leak dev refcounts on error exit
    - ip: on queued skb use skb_header_pointer instead of pskb_may_pull
    - crypto: authencesn - Avoid twice completion call in decrypt path
    - crypto: authenc - fix parsing key with misaligned rta_len
    - btrfs: wait on ordered extents on abort cleanup
    - Yama: Check for pid death before checking ancestry
    - scsi: sd: Fix cache_type_store()
    - mips: fix n32 compat_ipc_parse_version
    - mfd: tps6586x: Handle interrupts on suspend
    - Disable MSI also when pcie-octeon.pcie_disable on
    - omap2fb: Fix stack memory disclosure
    - media: vivid: fix error handling of kthread_run
    - media: vivid: set min width/height to a value > 0
    - LSM: Check for NULL cred-security on free
    - media: vb2: vb2_mmap: move lock up
    - sunrpc: handle ENOMEM in rpcb_getport_async
    - selinux: fix GPF on invalid policy
    - sctp: allocate sctp_sockaddr_entry with kzalloc
    - tipc: fix uninit-value in tipc_nl_compat_link_reset_stats
    - tipc: fix uninit-value in tipc_nl_compat_bearer_enable
    - tipc: fix uninit-value in tipc_nl_compat_link_set
    - tipc: fix uninit-value in tipc_nl_compat_name_table_dump
    - tipc: fix uninit-value in tipc_nl_compat_doit
    - block/loop: Use global lock for ioctl() operation.
    - loop: Fold __loop_release into loop_release
    - loop: Get rid of loop_index_mutex
    - loop: Fix double mutex_unlock(&loop_ctl_mutex) in loop_control_ioctl()
    - drm/fb-helper: Ignore the value of fb_var_screeninfo.pixclock
    - media: vb2: be sure to unlock mutex on errors
    - r8169: Add support for new Realtek Ethernet
    - ipv6: Consider sk_bound_dev_if when binding a socket to a v4 mapped address
    - ipv6: Take rcu_read_lock in __inet6_bind for mapped addresses
    - platform/x86: asus-wmi: Tell the EC the OS will handle the display off
      hotkey
    - e1000e: allow non-monotonic SYSTIM readings
    - writeback: don't decrement wb->refcnt if !wb->bdi
    - MIPS: SiByte: Enable swiotlb for SWARM, LittleSur and BigSur
    - arm64: perf: set suppress_bind_attrs flag to true
    - jffs2: Fix use of uninitialized delayed_work, lockdep breakage
    - pstore/ram: Do not treat empty buffers as valid
    - powerpc/pseries/cpuidle: Fix preempt warning
    - media: firewire: Fix app_info parameter type in avc_ca{,_app}_info
    - net: call sk_dst_reset when set SO_DONTROUTE
    - scsi: target: use consistent left-aligned ASCII INQUIRY data
    - clk: imx6q: reset exclusive gates on init
    - kconfig: fix file name and line number of warn_ignored_character()
    - kconfig: fix memory leak when EOF is encountered in quotation
    - mmc: atmel-mci: do not assume idle after atmci_request_end
    - perf intel-pt: Fix error with config term "pt=0"
    - perf svghelper: Fix unchecked usage of strncpy()
    - perf parse-events: Fix unchecked usage of strncpy()
    - dm kcopyd: Fix bug causing workqueue stalls
    - dm snapshot: Fix excessive memory usage and workqueue stalls
    - ALSA: bebob: fix model-id of unit for Apogee Ensemble
    - sysfs: Disable lockdep for driver bind/unbind files
    - scsi: megaraid: fix out-of-bound array accesses
    - ocfs2: fix panic due to unrecovered local alloc
    - mm/page-writeback.c: don't break integrity writeback on ->writepage() error
    - mm, proc: be more verbose about unstable VMA flags in /proc/<pid>/smaps
    - net: speed up skb_rbtree_purge()
    - ipmi:ssif: Fix handling of multi-part return messages
    - Linux 4.4.172

* Xenial update: 4.4.171 upstream stable release (LP: #1818237)
    - ALSA: hda/realtek - Disable headset Mic VREF for headset mode of ALC225
    - btrfs: cleanup, stop casting for extent_map->lookup everywhere
    - btrfs: Enhance chunk validation check
    - Btrfs: add validadtion checks for chunk loading
    - Btrfs: check inconsistence between chunk and block group
    - Btrfs: fix em leak in find_first_block_group
    - Btrfs: detect corruption when non-root leaf has zero item
    - Btrfs: check btree node's nritems
    - Btrfs: fix BUG_ON in btrfs_mark_buffer_dirty
    - Btrfs: memset to avoid stale content in btree node block
    - Btrfs: improve check_node to avoid reading corrupted nodes
    - Btrfs: kill BUG_ON in run_delayed_tree_ref
    - Btrfs: memset to avoid stale content in btree leaf
    - Btrfs: fix emptiness check for dirtied extent buffers at check_leaf()
    - btrfs: struct-funcs, constify readers
    - btrfs: Refactor check_leaf function for later expansion
    - btrfs: Check if item pointer overlaps with the item itself
    - btrfs: Add sanity check for EXTENT_DATA when reading out leaf
    - btrfs: Add checker for EXTENT_CSUM
    - btrfs: Move leaf and node validation checker to tree-checker.c
    - btrfs: tree-checker: Enhance btrfs_check_node output
    - btrfs: tree-checker: Fix false panic for sanity test
    - btrfs: tree-checker: Add checker for dir item
    - btrfs: tree-checker: use %zu format string for size_t
    - btrfs: tree-check: reduce stack consumption in check_dir_item
    - btrfs: tree-checker: Verify block_group_item
    - btrfs: tree-checker: Detect invalid and empty essential trees
    - btrfs: validate type when reading a chunk
    - btrfs: Check that each block group has corresponding chunk at mount time
    - btrfs: Verify that every chunk has corresponding block group at mount time
    - btrfs: tree-checker: Check level for leaves and nodes
    - btrfs: tree-checker: Fix misleading group system information
    - CIFS: Do not hide EINTR after sending network packets
    - cifs: Fix potential OOB access of lock element array
    - usb: cdc-acm: send ZLP for Telit 3G Intel based modems
    - USB: storage: don't insert sane sense for SPC3+ when bad sense specified
    - USB: storage: add quirk for SMI SM3350
    - USB: Add USB_QUIRK_DELAY_CTRL_MSG quirk for Corsair K70 RGB
    - slab: alien caches must not be initialized if the allocation of the alien
      cache failed
    - PCI: altera: Fix altera_pcie_link_is_up()
    - PCI: altera: Reorder read/write functions
    - PCI: altera: Check link status before retrain link
    - PCI: altera: Poll for link up status after retraining the link
    - PCI: altera: Poll for link training status after retraining the link
    - PCI: altera: Rework config accessors for use without a struct pci_bus
    - PCI: altera: Move retrain from fixup to altera_pcie_host_init()
    - ACPI: power: Skip duplicate power resource references in _PRx
    - i2c: dev: prevent adapter retries and timeout being set as minus value
    - crypto: cts - fix crash on short inputs
    - ext4: fix a potential fiemap/page fault deadlock w/ inline_data
    - sunrpc: use-after-free in svc_process_common()
    - Linux 4.4.171

* [Packaging] Allow overlay of config annotations (LP: #1752072)
    - [Packaging] config-check: Add an include directive

* CVE-2018-9517
    - l2tp: pass tunnel pointer to ->session_create()

* squashfs hardening (LP: #1816756)
    - squashfs metadata 2: electric boogaloo
    - Squashfs: Compute expected length from inode size rather than block length

* Update ENA driver to version 2.0.3K (LP: #1816806)
    - net: ena: update driver version from 2.0.2 to 2.0.3
    - net: ena: fix race between link up and device initalization
    - net: ena: fix crash during failed resume from hibernation

* bnxt_en_po: TX timed out triggering Netdev Watchdog Timer (LP: #1814095)
    - SAUCE: bnxt_en_bpo: Fix TX timeout during netpoll

* CVE-2019-3459
    - Bluetooth: Verify that l2cap_get_conf_opt provides large enough buffer

* CVE-2019-7222
    - KVM: x86: work around leak of uninitialized stack contents (CVE-2019-7222)

* CVE-2019-7221
    - KVM: nVMX: unconditionally cancel preemption timer in free_nested
      (CVE-2019-7221)

* CVE-2019-6974
    - kvm: fix kvm_ioctl_create_device() reference counting (CVE-2019-6974)

* Regular D-state processes impacting LXD containers (LP: #1817628)
    - mm: do not stall register_shrinker()

* libsas disks can have non-unique by-path names (LP: #1817784)
    - scsi: libsas: Fix rphy phy_identifier for PHYs with end devices attached

* Hard lockups due to unrestricted lapic timer delay (LP: #1817918)
    - KVM: x86: move nsec_to_cycles from x86.c to x86.h
    - KVM: LAPIC: cap __delay at lapic_timer_advance_ns

-- Stefan Bader <stefan.bader@canonical.com>  Tue, 26 Mar 2019 13:27:29 +0100

Changed in linux (Ubuntu Xenial):
status:	Fix Committed → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2019-04-02:

#6

Download full text (25.4 KiB)

This bug was fixed in the package linux - 4.15.0-47.50

---------------
linux (4.15.0-47.50) bionic; urgency=medium

* linux: 4.15.0-47.50 -proposed tracker (LP: #1819716)

  * Packaging resync (LP: #1786013)
    - [Packaging] resync getabis
    - [Packaging] update helper scripts
    - [Packaging] resync retpoline extraction

* C++ demangling support missing from perf (LP: #1396654)
- [Packaging] fix a mistype

* arm-smmu-v3 arm-smmu-v3.3.auto: CMD_SYNC timeout (LP: #1818162)
- iommu/arm-smmu-v3: Fix unexpected CMD_SYNC timeout

* Crash in nvme_irq_check() when using threaded interrupts (LP: #1818747)
- nvme-pci: fix out of bounds access in nvme_cqe_pending

* CVE-2019-9213
- mm: enforce min addr even if capable() in expand_downwards()

* CVE-2019-3460
- Bluetooth: Check L2CAP option sizes returned from l2cap_get_conf_opt

  * amdgpu with mst WARNING on blanking (LP: #1814308)
    - drm/amd/display: Don't use dc_link in link_encoder
    - drm/amd/display: Move wait for hpd ready out from edp power control.
    - drm/amd/display: eDP sequence BL off first then DP blank.
    - drm/amd/display: Fix unused variable compilation error
    - drm/amd/display: Fix warning about misaligned code
    - drm/amd/display: Fix MST dp_blank REG_WAIT timeout

* tun/tap: unable to manage carrier state from userland (LP: #1806392)
- tun: implement carrier change

* CVE-2019-8980
- exec: Fix mem leak in kernel_read_file

  * raw_skew in timer from the ubuntu_kernel_selftests failed on Bionic
    (LP: #1811194)
    - selftest: timers: Tweak raw_skew to SKIP when ADJ_OFFSET/other clock
      adjustments are in progress

* [Packaging] Allow overlay of config annotations (LP: #1752072)
- [Packaging] config-check: Add an include directive

  * CVE-2019-7308
    - bpf: move {prev_,}insn_idx into verifier env
    - bpf: move tmp variable into ax register in interpreter
    - bpf: enable access to ax register also from verifier rewrite
    - bpf: restrict map value pointer arithmetic for unprivileged
    - bpf: restrict stack pointer arithmetic for unprivileged
    - bpf: restrict unknown scalars of mixed signed bounds for unprivileged
    - bpf: fix check_map_access smin_value test when pointer contains offset
    - bpf: prevent out of bounds speculation on pointer arithmetic
    - bpf: fix sanitation of alu op with pointer / scalar type from different
      paths
    - bpf: add various test cases to selftests

  * CVE-2017-5753
    - bpf: properly enforce index mask to prevent out-of-bounds speculation
    - bpf: fix inner map masking to prevent oob under speculation

* BPF: kernel pointer leak to unprivileged userspace (LP: #1815259)
- bpf/verifier: disallow pointer subtraction

  * squashfs hardening (LP: #1816756)
    - squashfs: more metadata hardening
    - squashfs metadata 2: electric boogaloo
    - squashfs: more metadata hardening
    - Squashfs: Compute expected length from inode size rather than block length

* efi/arm/arm64: Allow SetVirtualAddressMap() to be omitted (LP: #1814982)
- efi/arm/arm64: Allow SetVirtualAddressMap() to be omitted

* Update ENA driver to version 2.0.3K (LP: #1816806)...

This bug was fixed in the package linux - 4.15.0-47.50

---------------
linux (4.15.0-47.50) bionic; urgency=medium

* linux: 4.15.0-47.50 -proposed tracker (LP: #1819716)

* Packaging resync (LP: #1786013)
    - [Packaging] resync getabis
    - [Packaging] update helper scripts
    - [Packaging] resync retpoline extraction

* C++ demangling support missing from perf (LP: #1396654)
    - [Packaging] fix a mistype

* arm-smmu-v3 arm-smmu-v3.3.auto: CMD_SYNC timeout (LP: #1818162)
    - iommu/arm-smmu-v3: Fix unexpected CMD_SYNC timeout

* Crash in nvme_irq_check() when using threaded interrupts (LP: #1818747)
    - nvme-pci: fix out of bounds access in nvme_cqe_pending

* CVE-2019-9213
    - mm: enforce min addr even if capable() in expand_downwards()

* CVE-2019-3460
    - Bluetooth: Check L2CAP option sizes returned from l2cap_get_conf_opt

* amdgpu with mst WARNING on blanking (LP: #1814308)
    - drm/amd/display: Don't use dc_link in link_encoder
    - drm/amd/display: Move wait for hpd ready out from edp power control.
    - drm/amd/display: eDP sequence BL off first then DP blank.
    - drm/amd/display: Fix unused variable compilation error
    - drm/amd/display: Fix warning about misaligned code
    - drm/amd/display: Fix MST dp_blank REG_WAIT timeout

* tun/tap: unable to manage carrier state from userland (LP: #1806392)
    - tun: implement carrier change

* CVE-2019-8980
    - exec: Fix mem leak in kernel_read_file

* raw_skew in timer from the ubuntu_kernel_selftests failed on Bionic
    (LP: #1811194)
    - selftest: timers: Tweak raw_skew to SKIP when ADJ_OFFSET/other clock
      adjustments are in progress

* [Packaging] Allow overlay of config annotations (LP: #1752072)
    - [Packaging] config-check: Add an include directive

* CVE-2019-7308
    - bpf: move {prev_,}insn_idx into verifier env
    - bpf: move tmp variable into ax register in interpreter
    - bpf: enable access to ax register also from verifier rewrite
    - bpf: restrict map value pointer arithmetic for unprivileged
    - bpf: restrict stack pointer arithmetic for unprivileged
    - bpf: restrict unknown scalars of mixed signed bounds for unprivileged
    - bpf: fix check_map_access smin_value test when pointer contains offset
    - bpf: prevent out of bounds speculation on pointer arithmetic
    - bpf: fix sanitation of alu op with pointer / scalar type from different
      paths
    - bpf: add various test cases to selftests

* CVE-2017-5753
    - bpf: properly enforce index mask to prevent out-of-bounds speculation
    - bpf: fix inner map masking to prevent oob under speculation

* BPF: kernel pointer leak to unprivileged userspace (LP: #1815259)
    - bpf/verifier: disallow pointer subtraction

* squashfs hardening (LP: #1816756)
    - squashfs: more metadata hardening
    - squashfs metadata 2: electric boogaloo
    - squashfs: more metadata hardening
    - Squashfs: Compute expected length from inode size rather than block length

* efi/arm/arm64: Allow SetVirtualAddressMap() to be omitted (LP: #1814982)
    - efi/arm/arm64: Allow SetVirtualAddressMap() to be omitted

* Update ENA driver to version 2.0.3K (LP: #1816806)
    - net: ena: update driver version from 2.0.2 to 2.0.3
    - net: ena: fix race between link up and device initalization
    - net: ena: fix crash during failed resume from hibernation

* ipset kernel error: 4.15.0-43-generic (LP: #1811394)
    - netfilter: ipset: Fix wraparound in hash:*net* types

* Silent "Unknown key" message when pressing keyboard backlight hotkey
    (LP: #1817063)
    - platform/x86: dell-wmi: Ignore new keyboard backlight change event

* CVE-2018-18021
    - arm64: KVM: Tighten guest core register access from userspace
    - KVM: arm/arm64: Introduce vcpu_el1_is_32bit
    - arm64: KVM: Sanitize PSTATE.M when being set from userspace

* CVE-2018-14678
    - x86/entry/64: Remove %ebx handling from error_entry/exit

* CVE-2018-19824
    - ALSA: usb-audio: Fix UAF decrement if card has no live interfaces in card.c

* CVE-2019-3459
    - Bluetooth: Verify that l2cap_get_conf_opt provides large enough buffer

* Bionic update: upstream stable patchset 2019-02-08 (LP: #1815234)
    - fork: unconditionally clear stack on fork
    - spi: spi-s3c64xx: Fix system resume support
    - Input: elan_i2c - add ACPI ID for lenovo ideapad 330
    - Input: i8042 - add Lenovo LaVie Z to the i8042 reset list
    - Input: elan_i2c - add another ACPI ID for Lenovo Ideapad 330-15AST
    - kvm, mm: account shadow page tables to kmemcg
    - delayacct: fix crash in delayacct_blkio_end() after delayacct init failure
    - tracing: Fix double free of event_trigger_data
    - tracing: Fix possible double free in event_enable_trigger_func()
    - kthread, tracing: Don't expose half-written comm when creating kthreads
    - tracing/kprobes: Fix trace_probe flags on enable_trace_kprobe() failure
    - tracing: Quiet gcc warning about maybe unused link variable
    - arm64: fix vmemmap BUILD_BUG_ON() triggering on !vmemmap setups
    - mlxsw: spectrum_switchdev: Fix port_vlan refcounting
    - kcov: ensure irq code sees a valid area
    - xen/netfront: raise max number of slots in xennet_get_responses()
    - skip LAYOUTRETURN if layout is invalid
    - ALSA: emu10k1: add error handling for snd_ctl_add
    - ALSA: fm801: add error handling for snd_ctl_add
    - NFSv4.1: Fix the client behaviour on NFS4ERR_SEQ_FALSE_RETRY
    - nfsd: fix potential use-after-free in nfsd4_decode_getdeviceinfo
    - vfio: platform: Fix reset module leak in error path
    - vfio/mdev: Check globally for duplicate devices
    - vfio/type1: Fix task tracking for QEMU vCPU hotplug
    - kernel/hung_task.c: show all hung tasks before panic
    - mm: /proc/pid/pagemap: hide swap entries from unprivileged users
    - mm: vmalloc: avoid racy handling of debugobjects in vunmap
    - mm/slub.c: add __printf verification to slab_err()
    - rtc: ensure rtc_set_alarm fails when alarms are not supported
    - perf tools: Fix pmu events parsing rule
    - netfilter: ipset: forbid family for hash:mac sets
    - netfilter: ipset: List timing out entries with "timeout 1" instead of zero
    - irqchip/ls-scfg-msi: Map MSIs in the iommu
    - watchdog: da9063: Fix updating timeout value
    - printk: drop in_nmi check from printk_safe_flush_on_panic()
    - bpf, arm32: fix inconsistent naming about emit_a32_lsr_{r64,i64}
    - ceph: fix alignment of rasize
    - e1000e: Ignore TSYNCRXCTL when getting I219 clock attributes
    - powerpc/lib: Adjust .balign inside string functions for PPC32
    - powerpc/64s: Add barrier_nospec
    - powerpc/eeh: Fix use-after-release of EEH driver
    - hvc_opal: don't set tb_ticks_per_usec in udbg_init_opal_common()
    - powerpc/64s: Fix compiler store ordering to SLB shadow area
    - RDMA/mad: Convert BUG_ONs to error flows
    - lightnvm: pblk: warn in case of corrupted write buffer
    - netfilter: nf_tables: check msg_type before nft_trans_set(trans)
    - pnfs: Don't release the sequence slot until we've processed layoutget on
      open
    - disable loading f2fs module on PAGE_SIZE > 4KB
    - f2fs: fix error path of move_data_page
    - f2fs: fix to don't trigger writeback during recovery
    - f2fs: fix to wait page writeback during revoking atomic write
    - f2fs: Fix deadlock in shutdown ioctl
    - f2fs: fix to detect failure of dquot_initialize
    - f2fs: fix race in between GC and atomic open
    - block, bfq: remove wrong lock in bfq_requests_merged
    - usbip: usbip_detach: Fix memory, udev context and udev leak
    - usbip: dynamically allocate idev by nports found in sysfs
    - perf/x86/intel/uncore: Correct fixed counter index check in generic code
    - perf/x86/intel/uncore: Correct fixed counter index check for NHM
    - selftests/intel_pstate: Improve test, minor fixes
    - selftests: memfd: return Kselftest Skip code for skipped tests
    - selftests: intel_pstate: return Kselftest Skip code for skipped tests
    - PCI: Fix devm_pci_alloc_host_bridge() memory leak
    - iwlwifi: pcie: fix race in Rx buffer allocator
    - Bluetooth: hci_qca: Fix "Sleep inside atomic section" warning
    - Bluetooth: btusb: Add a new Realtek 8723DE ID 2ff8:b011
    - ASoC: dpcm: fix BE dai not hw_free and shutdown
    - mfd: cros_ec: Fail early if we cannot identify the EC
    - mwifiex: handle race during mwifiex_usb_disconnect
    - wlcore: sdio: check for valid platform device data before suspend
    - media: tw686x: Fix incorrect vb2_mem_ops GFP flags
    - media: videobuf2-core: don't call memop 'finish' when queueing
    - Btrfs: don't return ino to ino cache if inode item removal fails
    - Btrfs: don't BUG_ON() in btrfs_truncate_inode_items()
    - btrfs: add barriers to btrfs_sync_log before log_commit_wait wakeups
    - btrfs: qgroup: Finish rescan when hit the last leaf of extent tree
    - x86/microcode: Make the late update update_lock a raw lock for RT
    - PM / wakeup: Make s2idle_lock a RAW_SPINLOCK
    - PCI: Prevent sysfs disable of device while driver is attached
    - nvme-rdma: stop admin queue before freeing it
    - nvme-pci: Fix AER reset handling
    - ath: Add regulatory mapping for FCC3_ETSIC
    - ath: Add regulatory mapping for ETSI8_WORLD
    - ath: Add regulatory mapping for APL13_WORLD
    - ath: Add regulatory mapping for APL2_FCCA
    - ath: Add regulatory mapping for Uganda
    - ath: Add regulatory mapping for Tanzania
    - ath: Add regulatory mapping for Serbia
    - ath: Add regulatory mapping for Bermuda
    - ath: Add regulatory mapping for Bahamas
    - powerpc/32: Add a missing include header
    - powerpc/chrp/time: Make some functions static, add missing header include
    - powerpc/powermac: Add missing prototype for note_bootable_part()
    - powerpc/powermac: Mark variable x as unused
    - powerpc: Add __printf verification to prom_printf
    - spi: sh-msiof: Fix setting SIRMDR1.SYNCAC to match SITMDR1.SYNCAC
    - powerpc/8xx: fix invalid register expression in head_8xx.S
    - pinctrl: at91-pio4: add missing of_node_put
    - bpf: powerpc64: pad function address loads with NOPs
    - PCI: pciehp: Request control of native hotplug only if supported
    - net: dsa: qca8k: Add support for QCA8334 switch
    - mwifiex: correct histogram data with appropriate index
    - ima: based on policy verify firmware signatures (pre-allocated buffer)
    - drivers/perf: arm-ccn: don't log to dmesg in event_init
    - spi: Add missing pm_runtime_put_noidle() after failed get
    - fscrypt: use unbound workqueue for decryption
    - scsi: ufs: ufshcd: fix possible unclocked register access
    - scsi: ufs: fix exception event handling
    - scsi: zfcp: assert that the ERP lock is held when tracing a recovery trigger
    - drm/nouveau/fifo/gk104-: poll for runlist update completion
    - Bluetooth: btusb: add ID for LiteOn 04ca:301a
    - rtc: tps6586x: fix possible race condition
    - rtc: vr41xx: fix possible race condition
    - rtc: tps65910: fix possible race condition
    - ALSA: emu10k1: Rate-limit error messages about page errors
    - regulator: pfuze100: add .is_enable() for pfuze100_swb_regulator_ops
    - md/raid1: add error handling of read error from FailFast device
    - md: fix NULL dereference of mddev->pers in remove_and_add_spares()
    - ixgbevf: fix MAC address changes through ixgbevf_set_mac()
    - media: smiapp: fix timeout checking in smiapp_read_nvm
    - net: ethernet: ti: cpsw-phy-sel: check bus_find_device() ret value
    - ALSA: usb-audio: Apply rate limit to warning messages in URB complete
      callback
    - media: atomisp: ov2680: don't declare unused vars
    - arm64: cmpwait: Clear event register before arming exclusive monitor
    - HID: hid-plantronics: Re-resend Update to map button for PTT products
    - arm64: dts: renesas: salvator-common: use audio-graph-card for Sound
    - drm/radeon: fix mode_valid's return type
    - drm/amdgpu: Remove VRAM from shared bo domains.
    - powerpc/embedded6xx/hlwd-pic: Prevent interrupts from being handled by
      Starlet
    - HID: i2c-hid: check if device is there before really probing
    - EDAC, altera: Fix ARM64 build warning
    - ARM: dts: stih407-pinctrl: Fix complain about IRQ_TYPE_NONE usage
    - ARM: dts: emev2: Add missing interrupt-affinity to PMU node
    - ARM: dts: sh73a0: Add missing interrupt-affinity to PMU node
    - nvmem: properly handle returned value nvmem_reg_read
    - i40e: free the skb after clearing the bitlock
    - tty: Fix data race in tty_insert_flip_string_fixed_flag
    - dma-iommu: Fix compilation when !CONFIG_IOMMU_DMA
    - net: phy: phylink: Release link GPIO
    - media: rcar_jpu: Add missing clk_disable_unprepare() on error in jpu_open()
    - libata: Fix command retry decision
    - ACPI / LPSS: Only call pwm_add_table() for Bay Trail PWM if PMIC HRV is 2
    - media: media-device: fix ioctl function types
    - media: saa7164: Fix driver name in debug output
    - mtd: rawnand: fsl_ifc: fix FSL NAND driver to read all ONFI parameter pages
    - brcmfmac: Add support for bcm43364 wireless chipset
    - s390/cpum_sf: Add data entry sizes to sampling trailer entry
    - perf: fix invalid bit in diagnostic entry
    - bnxt_en: Check unsupported speeds in bnxt_update_link() on PF only.
    - scsi: 3w-9xxx: fix a missing-check bug
    - scsi: 3w-xxxx: fix a missing-check bug
    - scsi: megaraid: silence a static checker bug
    - scsi: qedf: Set the UNLOADING flag when removing a vport
    - staging: lustre: o2iblnd: fix race at kiblnd_connect_peer
    - staging: lustre: o2iblnd: Fix FastReg map/unmap for MLX5
    - thermal: exynos: fix setting rising_threshold for Exynos5433
    - bpf: fix references to free_bpf_prog_info() in comments
    - f2fs: avoid fsync() failure caused by EAGAIN in writepage()
    - media: siano: get rid of __le32/__le16 cast warnings
    - drm/atomic: Handling the case when setting old crtc for plane
    - ALSA: hda/ca0132: fix build failure when a local macro is defined
    - mmc: dw_mmc: update actual clock for mmc debugfs
    - mmc: pwrseq: Use kmalloc_array instead of stack VLA
    - dt-bindings: pinctrl: meson: add support for the Meson8m2 SoC
    - spi: meson-spicc: Fix error handling in meson_spicc_probe()
    - dt-bindings: net: meson-dwmac: new compatible name for AXG SoC
    - backlight: pwm_bl: Don't use GPIOF_* with gpiod_get_direction
    - stop_machine: Use raw spinlocks
    - delayacct: Use raw_spinlocks
    - memory: tegra: Do not handle spurious interrupts
    - memory: tegra: Apply interrupts mask per SoC
    - nvme: lightnvm: add granby support
    - arm64: defconfig: Enable Rockchip io-domain driver
    - igb: Fix queue selection on MAC filters on i210
    - drm/gma500: fix psb_intel_lvds_mode_valid()'s return type
    - ipconfig: Correctly initialise ic_nameservers
    - rsi: Fix 'invalid vdd' warning in mmc
    - rsi: fix nommu_map_sg overflow kernel panic
    - audit: allow not equal op for audit by executable
    - staging: vchiq_core: Fix missing semaphore release in error case
    - staging: lustre: llite: correct removexattr detection
    - staging: lustre: ldlm: free resource when ldlm_lock_create() fails.
    - serial: core: Make sure compiler barfs for 16-byte earlycon names
    - soc: imx: gpcv2: Do not pass static memory as platform data
    - microblaze: Fix simpleImage format generation
    - usb: hub: Don't wait for connect state at resume for powered-off ports
    - crypto: authencesn - don't leak pointers to authenc keys
    - crypto: authenc - don't leak pointers to authenc keys
    - media: omap3isp: fix unbalanced dma_iommu_mapping
    - regulator: Don't return or expect -errno from of_map_mode()
    - scsi: scsi_dh: replace too broad "TP9" string with the exact models
    - scsi: megaraid_sas: Increase timeout by 1 sec for non-RAID fastpath IOs
    - media: atomisp: compat32: fix __user annotations
    - media: si470x: fix __be16 annotations
    - ASoC: topology: Fix bclk and fsync inversion in set_link_hw_format()
    - ASoC: topology: Add missing clock gating parameter when parsing hw_configs
    - drm: Add DP PSR2 sink enable bit
    - drm/atomic-helper: Drop plane->fb references only for
      drm_atomic_helper_shutdown()
    - drm/dp/mst: Fix off-by-one typo when dump payload table
    - block: reset bi_iter.bi_done after splitting bio
    - random: mix rdrand with entropy sent in from userspace
    - squashfs: be more careful about metadata corruption
    - ext4: fix inline data updates with checksums enabled
    - ext4: fix check to prevent initializing reserved inodes
    - PCI: xgene: Remove leftover pci_scan_child_bus() call
    - RDMA/uverbs: Protect from attempts to create flows on unsupported QP
    - net: dsa: qca8k: Force CPU port to its highest bandwidth
    - net: dsa: qca8k: Enable RXMAC when bringing up a port
    - net: dsa: qca8k: Add QCA8334 binding documentation
    - net: dsa: qca8k: Allow overwriting CPU port setting
    - ipv4: remove BUG_ON() from fib_compute_spec_dst
    - net: fix amd-xgbe flow-control issue
    - net: lan78xx: fix rx handling before first packet is send
    - net: mdio-mux: bcm-iproc: fix wrong getter and setter pair
    - NET: stmmac: align DMA stuff to largest cache line length
    - tcp_bbr: fix bw probing to raise in-flight data for very small BDPs
    - xen-netfront: wait xenbus state change when load module manually
    - netlink: Do not subscribe to non-existent groups
    - netlink: Don't shift with UB on nlk->ngroups
    - tcp: do not force quickack when receiving out-of-order packets
    - tcp: add max_quickacks param to tcp_incr_quickack and
      tcp_enter_quickack_mode
    - tcp: do not aggressively quick ack after ECN events
    - tcp: refactor tcp_ecn_check_ce to remove sk type cast
    - tcp: add one more quick ack after after ECN events
    - mm: disallow mappings that conflict for devm_memremap_pages()
    - drm/i915/glk: Add Quirk for GLK NUC HDMI port issues.
    - mm: check for SIGKILL inside dup_mmap() loop
    - rxrpc: Fix terminal retransmission connection ID to include the channel
    - ceph: fix use-after-free in ceph_statfs()
    - lightnvm: proper error handling for pblk_bio_add_pages
    - f2fs: don't drop dentry pages after fs shutdown
    - selftests: filesystems: return Kselftest Skip code for skipped tests
    - selftests/filesystems: devpts_pts included wrong header
    - iwlwifi: mvm: open BA session only when sta is authorized
    - drm/amd/display: Do not program interrupt status on disabled crtc
    - soc: qcom: smem: fix qcom_smem_set_global_partition()
    - soc: qcom: smem: byte swap values properly
    - pinctrl: msm: fix gpio-hog related boot issues
    - net: mvpp2: Add missing VLAN tag detection
    - drm/nouveau: remove fence wait code from deferred client work handler
    - drm/nouveau/gem: lookup VMAs for buffers referenced by pushbuf ioctl
    - clocksource: Move inline keyword to the beginning of function declarations
    - media: staging: atomisp: Comment out several unused sensor resolutions
    - IB: Fix RDMA_RXE and INFINIBAND_RDMAVT dependencies for DMA_VIRT_OPS
    - rsi: Add null check for virtual interfaces in wowlan config
    - ARM: dts: stih410: Fix complain about IRQ_TYPE_NONE usage
    - ARM: dts: imx53: Fix LDB OF graph warning
    - soc/tegra: pmc: Don't allocate struct tegra_powergate on stack
    - mlxsw: spectrum_router: Return an error for non-default FIB rules
    - i40e: Add advertising 10G LR mode
    - i40e: avoid overflow in i40e_ptp_adjfreq()
    - ath10k: fix kernel panic while reading tpc_stats
    - ASoC: fsl_ssi: Use u32 variable type when using regmap_read()
    - platform/x86: dell-smbios: Match on www.dell.com in OEM strings too
    - staging: ks7010: fix error handling in ks7010_upload_firmware
    - media: rc: mce_kbd decoder: low timeout values cause double keydowns
    - ath10k: search all IEs for variant before falling back
    - PCI/ASPM: Disable ASPM L1.2 Substate if we don't have LTR
    - ARM: dts: imx6qdl-wandboard: Let the codec control MCLK pinctrl
    - drm/amdgpu: Avoid reclaim while holding locks taken in MMU notifier
    - nvmet-fc: fix target sgl list on large transfers
    - i2c: rcar: handle RXDMA HW behaviour on Gen3
    - gpio: uniphier: set legitimate irq trigger type in .to_irq hook
    - tcp: ack immediately when a cwr packet arrives
    - ACPICA: AML Parser: ignore control method status in module-level code

* Bionic update: upstream stable patchset 2019-02-05 (LP: #1814813)
    - MIPS: ath79: fix register address in ath79_ddr_wb_flush()
    - MIPS: Fix off-by-one in pci_resource_to_user()
    - xen/PVH: Set up GS segment for stack canary
    - drm/nouveau/drm/nouveau: Fix runtime PM leak in nv50_disp_atomic_commit()
    - drm/nouveau: Set DRIVER_ATOMIC cap earlier to fix debugfs
    - bonding: set default miimon value for non-arp modes if not set
    - ip: hash fragments consistently
    - ip: in cmsg IP(V6)_ORIGDSTADDR call pskb_may_pull
    - net/mlx4_core: Save the qpn from the input modifier in RST2INIT wrapper
    - net: skb_segment() should not return NULL
    - net/mlx5: Adjust clock overflow work period
    - net/mlx5e: Don't allow aRFS for encapsulated packets
    - net/mlx5e: Fix quota counting in aRFS expire flow
    - net/ipv6: Fix linklocal to global address with VRF
    - multicast: do not restore deleted record source filter mode to new one
    - net: phy: consider PHY_IGNORE_INTERRUPT in phy_start_aneg_priv
    - sock: fix sg page frag coalescing in sk_alloc_sg
    - rtnetlink: add rtnl_link_state check in rtnl_configure_link
    - vxlan: add new fdb alloc and create helpers
    - vxlan: make netlink notify in vxlan_fdb_destroy optional
    - vxlan: fix default fdb entry netlink notify ordering during netdev create
    - tcp: fix dctcp delayed ACK schedule
    - tcp: helpers to send special DCTCP ack
    - tcp: do not cancel delay-AcK on DCTCP special ACK
    - tcp: do not delay ACK in DCTCP upon CE status change
    - staging: speakup: fix wraparound in uaccess length check
    - usb: cdc_acm: Add quirk for Castles VEGA3000
    - usb: core: handle hub C_PORT_OVER_CURRENT condition
    - usb: dwc2: Fix DMA alignment to start at allocated boundary
    - usb: gadget: f_fs: Only return delayed status when len is 0
    - driver core: Partially revert "driver core: correct device's shutdown order"
    - can: xilinx_can: fix RX loop if RXNEMP is asserted without RXOK
    - can: xilinx_can: fix power management handling
    - can: xilinx_can: fix recovery from error states not being propagated
    - can: xilinx_can: fix device dropping off bus on RX overrun
    - can: xilinx_can: keep only 1-2 frames in TX FIFO to fix TX accounting
    - can: xilinx_can: fix incorrect clear of non-processed interrupts
    - can: xilinx_can: fix RX overflow interrupt not being enabled
    - can: peak_canfd: fix firmware < v3.3.0: limit allocation to 32-bit DMA addr
      only
    - can: m_can.c: fix setup of CCCR register: clear CCCR NISO bit before
      checking can.ctrlmode
    - turn off -Wattribute-alias
    - net-next/hinic: fix a problem in hinic_xmit_frame()
    - net/mlx5e: Refine ets validation function
    - nfp: flower: ensure dead neighbour entries are not offloaded
    - usb: gadget: Fix OS descriptors support
    - ACPICA: AML Parser: ignore dispatcher error status during table load

* installer does not support iSCSI iBFT (LP: #1817321)
    - d-i: add iscsi_ibft to scsi-modules

* CVE-2019-7222
    - KVM: x86: work around leak of uninitialized stack contents (CVE-2019-7222)

* CVE-2019-7221
    - KVM: nVMX: unconditionally cancel preemption timer in free_nested
      (CVE-2019-7221)

* CVE-2019-6974
    - kvm: fix kvm_ioctl_create_device() reference counting (CVE-2019-6974)

* Regular D-state processes impacting LXD containers (LP: #1817628)
    - mm: do not stall register_shrinker()

* hns3 nic speed may not match optical port speed (LP: #1817969)
    - net: hns3: Config NIC port speed same as that of optical module

* [Hyper-V] srcu: Lock srcu_data structure in srcu_gp_start() (LP: #1802021)
    - srcu: Prohibit call_srcu() use under raw spinlocks
    - srcu: Lock srcu_data structure in srcu_gp_start()

* libsas disks can have non-unique by-path names (LP: #1817784)
    - scsi: libsas: Fix rphy phy_identifier for PHYs with end devices attached

* Bluetooth not working (Intel CyclonePeak) (LP: #1817518)
    - Bluetooth: btusb: Add support for Intel bluetooth device 8087:0029

* CVE-2019-8912
    - net: crypto set sk to NULL when af_alg_release.
    - net: socket: set sock->sk to NULL after calling proto_ops::release()

* Trackpad is not recognized. (LP: #1817200)
    - pinctrl: cannonlake: Fix gpio base for GPP-E

* [ALSA] [PATCH] System76 darp5 and oryp5 fixups (LP: #1815831)
    - ALSA: hda/realtek - Headset microphone support for System76 darp5
    - ALSA: hda/realtek - Headset microphone and internal speaker support for
      System76 oryp5

* Constant noise in the headphone on Lenovo X1 machines (LP: #1817263)
    - ALSA: hda/realtek: Disable PC beep in passthrough on alc285

* AC adapter status not detected on Asus ZenBook UX410UAK (LP: #1745032)
    - Revert "ACPI / battery: Add quirk for Asus GL502VSK and UX305LA"
    - ACPI / AC: Remove initializer for unused ident dmi_system_id
    - ACPI / battery: Remove initializer for unused ident dmi_system_id
    - ACPI / battery: Add handling for devices which wrongly report discharging
      state
    - ACPI / battery: Ignore AC state in handle_discharging on systems where it is
      broken

* TPM intermittently fails after cold-boot (LP: #1762672)
    - tpm: fix intermittent failure with self tests

* qlcnic: Firmware aborts/hangs in QLogic NIC (LP: #1815033)
    - qlcnic: fix Tx descriptor corruption on 82xx devices

-- Khalid Elmously <khalid.elmously@canonical.com>  Wed, 13 Mar 2019 04:37:49 +0000

Changed in linux (Ubuntu Bionic):
status:	Fix Committed → Fix Released

Ubuntu
linux package

squashfs hardening

Bug Description

CVE References

Other bug subscribers

Remote bug watches

	Status	Importance	Assigned to
linux (Ubuntu)	Fix Released	Medium	Paolo Pisati
Xenial	Fix Released	Medium	Paolo Pisati
Bionic	Fix Released	Medium	Paolo Pisati

Ubuntulinux package

squashfs hardening

Bug Description

CVE References

Other bug subscribers

Remote bug watches

Ubuntu
linux package