[ubuntu/bionic-security] linux 4.15.0-143.147 (Accepted)

Andy Whitcroft apw at canonical.com
Tue May 11 07:33:57 UTC 2021


linux (4.15.0-143.147) bionic; urgency=medium

  * bionic/linux: 4.15.0-143.147 -proposed tracker (LP: #1923811)

  * CVE-2021-29650
    - netfilter: x_tables: Use correct memory barriers.

  * LRMv4: switch to signing nvidia modules via the Ubuntu Modules signing key
    (LP: #1918134)
    - [Packaging] dkms-build{,--nvidia-N} sync back from LRMv4

  * Security-Fix Xen XSA 371 for Kernel 5.4.0-71 (LP: #1921902) //
    CVE-2021-28688
    - xen-blkback: don't leak persistent grants from xen_blkbk_map()

  * CVE-2021-20292
    - drm/ttm/nouveau: don't call tt destroy callback on alloc failure.

  * CVE-2021-29264
    - gianfar: fix jumbo packets+napi+rx overrun crash

  * CVE-2021-29265
    - usbip: fix stub_dev usbip_sockfd_store() races leading to gpf

  * Bcache bypasse writeback on caching device with fragmentation (LP: #1900438)
    - bcache: consider the fragmentation when update the writeback rate

  * Bionic update: upstream stable patchset 2021-03-31 (LP: #1922124)
    - net: usb: qmi_wwan: support ZTE P685M modem
    - scripts: use pkg-config to locate libcrypto
    - scripts: set proper OpenSSL include dir also for sign-file
    - hugetlb: fix update_and_free_page contig page struct assumption
    - drm/virtio: use kvmalloc for large allocations
    - virtio/s390: implement virtio-ccw revision 2 correctly
    - arm64 module: set plt* section addresses to 0x0
    - arm64: Avoid redundant type conversions in xchg() and cmpxchg()
    - arm64: cmpxchg: Use "K" instead of "L" for ll/sc immediate constraint
    - arm64: Use correct ll/sc atomic constraints
    - JFS: more checks for invalid superblock
    - media: mceusb: sanity check for prescaler value
    - xfs: Fix assert failure in xfs_setattr_size()
    - smackfs: restrict bytes count in smackfs write functions
    - net: fix up truesize of cloned skb in skb_prepare_for_shift()
    - mm/hugetlb.c: fix unnecessary address expansion of pmd sharing
    - net: bridge: use switchdev for port flags set through sysfs too
    - dt-bindings: net: btusb: DT fix s/interrupt-name/interrupt-names/
    - staging: fwserial: Fix error handling in fwserial_create
    - x86/reboot: Add Zotac ZBOX CI327 nano PCI reboot quirk
    - vt/consolemap: do font sum unsigned
    - wlcore: Fix command execute failure 19 for wl12xx
    - pktgen: fix misuse of BUG_ON() in pktgen_thread_worker()
    - ath10k: fix wmi mgmt tx queue full due to race condition
    - x86/build: Treat R_386_PLT32 relocation as R_386_PC32
    - Bluetooth: Fix null pointer dereference in amp_read_loc_assoc_final_data
    - staging: most: sound: add sanity check for function argument
    - media: uvcvideo: Allow entities with no pads
    - f2fs: handle unallocated section and zone on pinned/atgc
    - parisc: Bump 64-bit IRQ stack size to 64 KB
    - Xen/gnttab: handle p2m update errors on a per-slot basis
    - xen-netback: respect gnttab_map_refs()'s return value
    - zsmalloc: account the number of compacted pages correctly
    - swap: fix swapfile read/write offset
    - media: v4l: ioctl: Fix memory leak in video_usercopy
    - PCI: Add a REBAR size quirk for Sapphire RX 5600 XT Pulse
    - drm/amd/display: Guard against NULL pointer deref when get_i2c_info fails
    - f2fs: fix to set/clear I_LINKABLE under i_lock
    - btrfs: fix error handling in commit_fs_roots
    - ALSA: hda/realtek: Add quirk for Clevo NH55RZQ
    - ALSA: hda/realtek: Apply dual codec quirks for MSI Godlike X570 board
    - btrfs: raid56: simplify tracking of Q stripe presence
    - btrfs: fix raid6 qstripe kmap
    - usbip: tools: fix build error for multiple definition
    - ALSA: ctxfi: cthw20k2: fix mask on conf to allow 4 bits
    - rsxx: Return -EFAULT if copy_to_user() fails
    - dm table: fix iterate_devices based device capability checks
    - dm table: fix DAX iterate_devices based device capability checks
    - dm table: fix zoned iterate_devices based device capability checks
    - iommu/amd: Fix sleeping in atomic in increase_address_space()
    - mwifiex: pcie: skip cancel_work_sync() on reset failure path
    - platform/x86: acer-wmi: Cleanup ACER_CAP_FOO defines
    - platform/x86: acer-wmi: Cleanup accelerometer device handling
    - platform/x86: acer-wmi: Add new force_caps module parameter
    - platform/x86: acer-wmi: Add ACER_CAP_SET_FUNCTION_MODE capability flag
    - platform/x86: acer-wmi: Add support for SW_TABLET_MODE on Switch devices
    - platform/x86: acer-wmi: Add ACER_CAP_KBD_DOCK quirk for the Aspire Switch
      10E SW3-016
    - PCI: Add function 1 DMA alias quirk for Marvell 9215 SATA controller
    - misc: eeprom_93xx46: Add quirk to support Microchip 93LC46B eeprom
    - drm/msm/a5xx: Remove overwriting A5XX_PC_DBG_ECO_CNTL register
    - Revert "zram: close udev startup race condition as default groups"
    - HID: mf: add support for 0079:1846 Mayflash/Dragonrise USB Gamecube Adapter

  * Bionic update: upstream stable patchset 2021-03-16 (LP: #1919380)
    - fgraph: Initialize tracing_graph_pause at task creation
    - tracing: Do not count ftrace events in top level enable output
    - tracing: Check length before giving out the filter buffer
    - arm/xen: Don't probe xenbus as part of an early initcall
    - MIPS: BMIPS: Fix section mismatch warning
    - arm64: dts: rockchip: Fix PCIe DT properties on rk3399
    - platform/x86: hp-wmi: Disable tablet-mode reporting by default
    - ovl: perform vfs_getxattr() with mounter creds
    - cap: fix conversions on getxattr
    - ovl: skip getxattr of security labels
    - ARM: dts: lpc32xx: Revert set default clock rate of HCLK PLL
    - ARM: ensure the signal page contains defined contents
    - bpf: Check for integer overflow when using roundup_pow_of_two()
    - netfilter: xt_recent: Fix attempt to update deleted entry
    - xen/netback: avoid race in xenvif_rx_ring_slots_available()
    - netfilter: conntrack: skip identical origin tuple in same zone only
    - usb: dwc3: ulpi: fix checkpatch warning
    - usb: dwc3: ulpi: Replace CPU-based busyloop with Protocol-based one
    - net/vmw_vsock: improve locking in vsock_connect_timeout()
    - net: watchdog: hold device global xmit lock during tx disable
    - vsock/virtio: update credit only if socket is not closed
    - vsock: fix locking in vsock_shutdown()
    - i2c: stm32f7: fix configuration of the digital filter
    - h8300: fix PREEMPTION build, TI_PRE_COUNT undefined
    - x86/build: Disable CET instrumentation in the kernel for 32-bit too
    - trace: Use -mcount-record for dynamic ftrace
    - tracing: Fix SKIP_STACK_VALIDATION=1 build due to bad merge with -mrecord-
      mcount
    - tracing: Avoid calling cc-option -mrecord-mcount for every Makefile
    - Xen/x86: don't bail early from clear_foreign_p2m_mapping()
    - Xen/x86: also check kernel mapping in set_foreign_p2m_mapping()
    - Xen/gntdev: correct dev_bus_addr handling in gntdev_map_grant_pages()
    - Xen/gntdev: correct error checking in gntdev_map_grant_pages()
    - xen/arm: don't ignore return errors from set_phys_to_machine
    - xen-blkback: don't "handle" error by BUG()
    - xen-netback: don't "handle" error by BUG()
    - xen-scsiback: don't "handle" error by BUG()
    - xen-blkback: fix error handling in xen_blkbk_map()
    - scsi: qla2xxx: Fix crash during driver load on big endian machines
    - kvm: check tlbs_dirty directly
    - drm/amd/display: Free atomic state after drm_atomic_commit
    - riscv: virt_addr_valid must check the address belongs to linear mapping
    - ARM: kexec: fix oops after TLB are invalidated
    - net: hns3: add a check for queue_id in hclge_reset_vf_queue()
    - firmware_loader: align .builtin_fw to 8
    - net/rds: restrict iovecs length for RDS_CMSG_RDMA_ARGS
    - ovl: expand warning in ovl_d_real()
    - net: qrtr: Fix port ID for control messages
    - HID: make arrays usage and value to be the same
    - usb: quirks: add quirk to start video capture on ELMO L-12F document camera
      reliable
    - ntfs: check for valid standard information attribute
    - arm64: tegra: Add power-domain for Tegra210 HDA
    - NET: usb: qmi_wwan: Adding support for Cinterion MV31
    - cifs: Set CIFS_MOUNT_USE_PREFIX_PATH flag on setting cifs_sb->prepath.
    - scripts/recordmcount.pl: support big endian for ARCH sh
    - vmlinux.lds.h: add DWARF v5 sections
    - kdb: Make memory allocations more robust
    - MIPS: vmlinux.lds.S: add missing PAGE_ALIGNED_DATA() section
    - random: fix the RNDRESEEDCRNG ioctl
    - Bluetooth: btqcomsmd: Fix a resource leak in error handling paths in the
      probe function
    - Bluetooth: Fix initializing response id after clearing struct
    - ARM: dts: exynos: correct PMIC interrupt trigger level on Monk
    - ARM: dts: exynos: correct PMIC interrupt trigger level on Rinato
    - ARM: dts: exynos: correct PMIC interrupt trigger level on Spring
    - ARM: dts: exynos: correct PMIC interrupt trigger level on Arndale Octa
    - arm64: dts: exynos: correct PMIC interrupt trigger level on TM2
    - arm64: dts: exynos: correct PMIC interrupt trigger level on Espresso
    - cpufreq: brcmstb-avs-cpufreq: Fix resource leaks in ->remove()
    - usb: gadget: u_audio: Free requests only after callback
    - Bluetooth: drop HCI device reference before return
    - Bluetooth: Put HCI device if inquiry procedure interrupts
    - ARM: dts: Configure missing thermal interrupt for 4430
    - usb: dwc2: Do not update data length if it is 0 on inbound transfers
    - usb: dwc2: Abort transaction after errors with unknown reason
    - usb: dwc2: Make "trimming xfer length" a debug message
    - staging: rtl8723bs: wifi_regd.c: Fix incorrect number of regulatory rules
    - arm64: dts: msm8916: Fix reserved and rfsa nodes unit address
    - ARM: s3c: fix fiq for clang IAS
    - bpf_lru_list: Read double-checked variable once without lock
    - ath9k: fix data bus crash when setting nf_override via debugfs
    - bnxt_en: reverse order of TX disable and carrier off
    - xen/netback: fix spurious event detection for common event case
    - mac80211: fix potential overflow when multiplying to u32 integers
    - b43: N-PHY: Fix the update of coef for the PHY revision >= 3case
    - ibmvnic: skip send_request_unmap for timeout reset
    - net: amd-xgbe: Reset the PHY rx data path when mailbox command timeout
    - net: amd-xgbe: Reset link when the link never comes back
    - net: mvneta: Remove per-cpu queue mapping for Armada 3700
    - fbdev: aty: SPARC64 requires FB_ATY_CT
    - drm/gma500: Fix error return code in psb_driver_load()
    - gma500: clean up error handling in init
    - crypto: sun4i-ss - fix kmap usage
    - MIPS: c-r4k: Fix section mismatch for loongson2_sc_init
    - MIPS: lantiq: Explicitly compare LTQ_EBU_PCC_ISTAT against 0
    - media: i2c: ov5670: Fix PIXEL_RATE minimum value
    - media: vsp1: Fix an error handling path in the probe function
    - media: media/pci: Fix memleak in empress_init
    - media: tm6000: Fix memleak in tm6000_start_stream
    - ASoC: cs42l56: fix up error handling in probe
    - crypto: bcm - Rename struct device_private to bcm_device_private
    - media: lmedm04: Fix misuse of comma
    - media: qm1d1c0042: fix error return code in qm1d1c0042_init()
    - media: cx25821: Fix a bug when reallocating some dma memory
    - media: pxa_camera: declare variable when DEBUG is defined
    - media: uvcvideo: Accept invalid bFormatIndex and bFrameIndex values
    - ata: ahci_brcm: Add back regulators management
    - Drivers: hv: vmbus: Avoid use-after-free in vmbus_onoffer_rescind()
    - btrfs: clarify error returns values in __load_free_space_cache
    - hwrng: timeriomem - Fix cooldown period calculation
    - crypto: ecdh_helper - Ensure 'len >= secret.len' in decode_key()
    - ima: Free IMA measurement buffer on error
    - ima: Free IMA measurement buffer after kexec syscall
    - fs/jfs: fix potential integer overflow on shift of a int
    - jffs2: fix use after free in jffs2_sum_write_data()
    - capabilities: Don't allow writing ambiguous v3 file capabilities
    - clk: meson: clk-pll: fix initializing the old rate (fallback) for a PLL
    - quota: Fix memory leak when handling corrupted quota file
    - spi: cadence-quadspi: Abort read if dummy cycles required are too many
    - HID: core: detect and skip invalid inputs to snto32()
    - dmaengine: fsldma: Fix a resource leak in the remove function
    - dmaengine: fsldma: Fix a resource leak in an error handling path of the
      probe function
    - dmaengine: hsu: disable spurious interrupt
    - mfd: bd9571mwv: Use devm_mfd_add_devices()
    - fdt: Properly handle "no-map" field in the memory region
    - of/fdt: Make sure no-map does not remove already reserved regions
    - power: reset: at91-sama5d2_shdwc: fix wkupdbc mask
    - rtc: s5m: select REGMAP_I2C
    - clocksource/drivers/mxs_timer: Add missing semicolon when DEBUG is defined
    - regulator: axp20x: Fix reference cout leak
    - certs: Fix blacklist flag type confusion
    - spi: atmel: Put allocated master before return
    - isofs: release buffer head before return
    - auxdisplay: ht16k33: Fix refresh rate handling
    - IB/umad: Return EIO in case of when device disassociated
    - powerpc/47x: Disable 256k page size
    - mmc: usdhi6rol0: Fix a resource leak in the error handling path of the probe
    - ARM: 9046/1: decompressor: Do not clear SCTLR.nTLSMD for ARMv7+ cores
    - amba: Fix resource leak for drivers without .remove
    - tracepoint: Do not fail unregistering a probe due to memory failure
    - perf tools: Fix DSO filtering when not finding a map for a sampled address
    - RDMA/rxe: Fix coding error in rxe_recv.c
    - spi: stm32: properly handle 0 byte transfer
    - mfd: wm831x-auxadc: Prevent use after free in wm831x_auxadc_read_irq()
    - powerpc/pseries/dlpar: handle ibm, configure-connector delay status
    - powerpc/8xx: Fix software emulation interrupt
    - spi: pxa2xx: Fix the controller numbering for Wildcat Point
    - perf intel-pt: Fix missing CYC processing in PSB
    - perf test: Fix unaligned access in sample parsing test
    - Input: elo - fix an error code in elo_connect()
    - sparc64: only select COMPAT_BINFMT_ELF if BINFMT_ELF is set
    - misc: eeprom_93xx46: Fix module alias to enable module autoprobe
    - misc: eeprom_93xx46: Add module alias to avoid breaking support for non
      device tree users
    - pwm: rockchip: rockchip_pwm_probe(): Remove superfluous clk_unprepare()
    - VMCI: Use set_page_dirty_lock() when unregistering guest memory
    - PCI: Align checking of syscall user config accessors
    - drm/msm/dsi: Correct io_start for MSM8994 (20nm PHY)
    - ext4: fix potential htree index checksum corruption
    - i40e: Fix flow for IPv6 next header (extension header)
    - i40e: Fix overwriting flow control settings during driver loading
    - net/mlx4_core: Add missed mlx4_free_cmd_mailbox()
    - ocfs2: fix a use after free on error
    - mm/memory.c: fix potential pte_unmap_unlock pte error
    - mm/hugetlb: fix potential double free in hugetlb_register_node() error path
    - arm64: Add missing ISB after invalidating TLB in __primary_switch
    - i2c: brcmstb: Fix brcmstd_send_i2c_cmd condition
    - mm/rmap: fix potential pte_unmap on an not mapped pte
    - scsi: bnx2fc: Fix Kconfig warning & CNIC build errors
    - blk-settings: align max_sectors on "logical_block_size" boundary
    - ACPI: property: Fix fwnode string properties matching
    - ACPI: configfs: add missing check after configfs_register_default_group()
    - HID: wacom: Ignore attempts to overwrite the touch_max value from HID
    - Input: raydium_ts_i2c - do not send zero length
    - Input: xpad - add support for PowerA Enhanced Wired Controller for Xbox
      Series X|S
    - Input: joydev - prevent potential read overflow in ioctl
    - Input: i8042 - add ASUS Zenbook Flip to noselftest list
    - USB: serial: option: update interface mapping for ZTE P685M
    - usb: musb: Fix runtime PM race in musb_queue_resume_work
    - USB: serial: mos7840: fix error code in mos7840_write()
    - USB: serial: mos7720: fix error code in mos7720_write()
    - usb: dwc3: gadget: Fix setting of DEPCFG.bInterval_m1
    - usb: dwc3: gadget: Fix dep->interval for fullspeed interrupt
    - ALSA: hda/realtek: modify EAPD in the ALC886
    - tpm_tis: Fix check_locality for correct locality acquisition
    - KEYS: trusted: Fix migratable=1 failing
    - btrfs: abort the transaction if we fail to inc ref in btrfs_copy_root
    - btrfs: fix reloc root leak with 0 ref reloc roots on recovery
    - btrfs: fix extent buffer leak on failure to copy root
    - crypto: sun4i-ss - checking sg length is not sufficient
    - crypto: sun4i-ss - handle BigEndian for cipher
    - seccomp: Add missing return in non-void function
    - drivers/misc/vmw_vmci: restrict too big queue size in qp_host_alloc_queue
    - staging: rtl8188eu: Add Edimax EW-7811UN V2 to device table
    - x86/reboot: Force all cpus to exit VMX root if VMX is supported
    - floppy: reintroduce O_NDELAY fix
    - arm64: uprobe: Return EOPNOTSUPP for AARCH32 instruction probing
    - watchdog: mei_wdt: request stop on unregister
    - mtd: spi-nor: hisi-sfc: Put child node np on error path
    - fs/affs: release old buffer head on error path
    - hugetlb: fix copy_huge_page_from_user contig page struct assumption
    - mm: hugetlb: fix a race between freeing and dissolving the page
    - libnvdimm/dimm: Avoid race between probe and available_slots_show()
    - module: Ignore _GLOBAL_OFFSET_TABLE_ when warning for undefined symbols
    - mmc: sdhci-esdhc-imx: fix kernel panic when remove module
    - gpio: pcf857x: Fix missing first interrupt
    - printk: fix deadlock when kernel panic
    - f2fs: fix out-of-repair __setattr_copy()
    - sparc32: fix a user-triggerable oops in clear_user()
    - gfs2: Don't skip dlm unlock if glock has an lvb
    - dm era: Recover committed writeset after crash
    - dm era: Verify the data block size hasn't changed
    - dm era: Fix bitset memory leaks
    - dm era: Use correct value size in equality function of writeset tree
    - dm era: Reinitialize bitset cache before digesting a new writeset
    - dm era: only resize metadata in preresume
    - icmp: introduce helper for nat'd source address in network device context
    - icmp: allow icmpv6_ndo_send to work with CONFIG_IPV6=n
    - gtp: use icmp_ndo_send helper
    - sunvnet: use icmp_ndo_send helper
    - ipv6: icmp6: avoid indirect call for icmpv6_send()
    - ipv6: silence compilation warning for non-IPV6 builds
    - net: icmp: pass zeroed opts from icmp{,v6}_ndo_send before sending
    - dm era: Update in-core bitset after committing the metadata
    - USB: quirks: sort quirk entries
    - jump_label/lockdep: Assert we hold the hotplug lock for _cpuslocked()
      operations
    - ARM: dts: exynos: correct PMIC interrupt trigger level on Artik 5
    - ARM: dts: exynos: correct PMIC interrupt trigger level on Odroid XU3 family
    - arm64: dts: allwinner: A64: properly connect USB PHY to port 0
    - arm64: dts: allwinner: Drop non-removable from SoPine/LTS SD card
    - arm64: dts: allwinner: A64: Limit MMC2 bus frequency to 150 MHz
    - memory: ti-aemif: Drop child node when jumping out loop
    - ibmvnic: add memory barrier to protect long term buffer
    - net: amd-xgbe: Fix NETDEV WATCHDOG transmit queue timeout warning
    - drm/amdgpu: Fix macro name _AMDGPU_TRACE_H_ in preprocessor if condition
    - drm/amd/display: Fix 10/12 bpc setup in DCE output bit depth reduction.
    - crypto: talitos - Work around SEC6 ERRATA (AES-CTR mode data size error)
    - f2fs: fix to avoid inconsistent quota data
    - regulator: s5m8767: Drop regulators OF node reference
    - mmc: renesas_sdhi_internal_dmac: Fix DMA buffer alignment from 8 to
      128-bytes
    - RDMA/rxe: Correct skb on loopback path
    - i40e: Add zero-initialization of AQ command structures
    - i40e: Fix add TC filter for IPv6
    - r8169: fix jumbo packet handling on RTL8168e
    - USB: serial: ftdi_sio: fix FTX sub-integer prescaler
    - crypto: arm64/sha - add missing module aliases
    - misc: rtsx: init of rts522a add OCP power off when no card is present
    - seq_file: document how per-entry resources are managed.
    - x86: fix seq_file iteration for pat/memtype.c

Date: 2021-04-14 15:51:11.238827+00:00
Changed-By: Kleber Sacilotto de Souza <kleber.souza at canonical.com>
Signed-By: Andy Whitcroft <apw at canonical.com>
https://launchpad.net/ubuntu/+source/linux/4.15.0-143.147
-------------- next part --------------
Sorry, changesfile not available.


More information about the Bionic-changes mailing list