[ubuntu/bionic-security] linux-snapdragon 4.15.0-1120.129 (Accepted)

Andy Whitcroft apw at canonical.com
Mon Feb 21 20:52:17 UTC 2022


linux-snapdragon (4.15.0-1120.129) bionic; urgency=medium

  * bionic/linux-snapdragon: 4.15.0-1120.129 -proposed tracker (LP: #1959306)

  [ Ubuntu: 4.15.0-168.176 ]

  * bionic/linux: 4.15.0-168.176 -proposed tracker (LP: #1959308)
  * CVE-2022-22942
    - SAUCE: drm/vmwgfx: Fix stale file descriptors on failed usercopy
  * Bionic update: upstream stable patchset 2022-01-25 (LP: #1959033)
    - IB/qib: Use struct_size() helper
    - IB/qib: Protect from buffer overflow in struct qib_user_sdma_pkt fields
    - net: usb: lan78xx: add Allied Telesis AT29M2-AF
    - can: kvaser_usb: get CAN clock frequency from device
    - HID: holtek: fix mouse probing
    - spi: change clk_disable_unprepare to clk_unprepare
    - IB/qib: Fix memory leak in qib_user_sdma_queue_pkts()
    - netfilter: fix regression in looped (broad|multi)cast's MAC handling
    - qlcnic: potential dereference null pointer of rx_queue->page_ring
    - net: accept UFOv6 packages in virtio_net_hdr_to_skb
    - net: skip virtio_net_hdr_set_proto if protocol already set
    - bonding: fix ad_actor_system option setting to default
    - fjes: Check for error irq
    - drivers: net: smc911x: Check for error irq
    - sfc: falcon: Check null pointer of rx_queue->page_ring
    - hwmon: (lm90) Fix usage of CONFIG2 register in detect function
    - ALSA: jack: Check the return value of kstrdup()
    - ALSA: drivers: opl3: Fix incorrect use of vp->state
    - Input: atmel_mxt_ts - fix double free in mxt_read_info_block
    - x86/pkey: Fix undefined behaviour with PKRU_WD_BIT
    - pinctrl: stm32: consider the GPIO offset to expose all the GPIO lines
    - ARM: 9169/1: entry: fix Thumb2 bug in iWMMXt exception handling
    - f2fs: fix to do sanity check on last xattr entry in __f2fs_setxattr()
    - usb: gadget: u_ether: fix race in setting MAC address in setup phase
    - KVM: VMX: Fix stale docs for kvm-intel.emulate_invalid_guest_state
    - hwmon: (lm90) Do not report 'busy' status bit as alarm
    - ax25: NPD bug when detaching AX25 device
    - hamradio: defer ax25 kfree after unregister_netdev
    - hamradio: improve the incomplete fix to avoid NPD
    - phonet/pep: refuse to enable an unbound pipe
    - parisc: Correct completer in lws start
  * Bionic update: upstream stable patchset 2022-01-14 (LP: #1957957)
    - nfc: fix segfault in nfc_genl_dump_devices_done
    - drm/msm/dsi: set default num_data_lanes
    - net/mlx4_en: Update reported link modes for 1/10G
    - parisc/agp: Annotate parisc agp init functions with __init
    - i2c: rk3x: Handle a spurious start completion interrupt flag
    - net: netlink: af_netlink: Prevent empty skb by adding a check on len.
    - tracing: Fix a kmemleak false positive in tracing_map
    - bpf: fix panic due to oob in bpf_prog_test_run_skb
    - hwmon: (dell-smm) Fix warning on /proc/i8k creation error
    - mac80211: send ADDBA requests using the tid/queue of the aggregation session
    - recordmcount.pl: look for jgnop instruction as well as bcrl on s390
    - dm btree remove: fix use after free in rebalance_children()
    - audit: improve robustness of the audit queue handling
    - nfsd: fix use-after-free due to delegation race
    - x86: Make ARCH_USE_MEMREMAP_PROT a generic Kconfig symbol
    - x86/sme: Explicitly map new EFI memmap table as encrypted
    - ARM: socfpga: dts: fix qspi node compatible
    - dmaengine: st_fdma: fix MODULE_ALIAS
    - soc/tegra: fuse: Fix bitwise vs. logical OR warning
    - igbvf: fix double free in `igbvf_probe`
    - ixgbe: set X550 MDIO speed before talking to PHY
    - net/packet: rx_owner_map depends on pg_vec
    - sit: do not call ipip6_dev_free() from sit_init_net()
    - USB: gadget: bRequestType is a bitfield, not a enum
    - PCI/MSI: Clear PCI_MSIX_FLAGS_MASKALL on error
    - PCI/MSI: Mask MSI-X vectors only on success
    - USB: serial: option: add Telit FN990 compositions
    - timekeeping: Really make sure wall_to_monotonic isn't positive
    - libata: if T_LENGTH is zero, dma direction should be DMA_NONE
    - net: systemport: Add global locking for descriptor lifecycle
    - firmware: arm_scpi: Fix string overflow in SCPI genpd driver
    - ARM: dts: imx6ull-pinfunc: Fix CSI_DATA07__ESAI_TX0 pad name
    - fuse: annotate lock in fuse_reverse_inval_entry()
    - scsi: scsi_debug: Sanity check block descriptor length in resp_mode_select()
    - net: lan78xx: Avoid unnecessary self assignment
    - ARM: 8805/2: remove unneeded naked function usage
    - mwifiex: Remove unnecessary braces from HostCmd_SET_SEQ_NO_BSS_INFO
    - ARM: 8800/1: use choice for kernel unwinders
    - [Config] updateconfigs for UNWINDER_ARM
    - Input: touchscreen - avoid bitwise vs logical OR warning
    - xen/blkfront: harden blkfront against event channel storms
    - xen/netfront: harden netfront against event channel storms
    - xen/console: harden hvc_xen against event channel storms
    - xen/netback: fix rx queue stall detection
    - xen/netback: don't queue unlimited number of packages
    - mac80211: track only QoS data frames for admission control
  * Bionic update: upstream stable patchset 2022-01-11 (LP: #1957113)
    - HID: add hid_is_usb() function to make it simpler for USB detection
    - HID: add USB_HID dependancy to hid-prodikeys
    - HID: add USB_HID dependancy to hid-chicony
    - HID: add USB_HID dependancy on some USB HID drivers
    - HID: wacom: fix problems when device is not a valid USB device
    - HID: check for valid USB device for many HID drivers
    - can: sja1000: fix use after free in ems_pcmcia_add_card()
    - nfc: fix potential NULL pointer deref in nfc_genl_dump_ses_done
    - bpf: Fix the off-by-two error in range markings
    - nfp: Fix memory leak in nfp_cpp_area_cache_add()
    - seg6: fix the iif in the IPv6 socket control block
    - IB/hfi1: Correct guard on eager buffer deallocation
    - mm: bdi: initialize bdi_min_ratio when bdi is unregistered
    - ALSA: ctl: Fix copy of updated id with element read/write
    - ALSA: pcm: oss: Fix negative period/buffer sizes
    - ALSA: pcm: oss: Limit the period size to 16MB
    - ALSA: pcm: oss: Handle missing errors in snd_pcm_oss_change_params*()
    - tracefs: Have new files inherit the ownership of their parent
    - can: pch_can: pch_can_rx_normal: fix use after free
    - can: m_can: Disable and ignore ELO interrupt
    - libata: add horkage for ASMedia 1092
    - wait: add wake_up_pollfree()
    - binder: use wake_up_pollfree()
    - signalfd: use wake_up_pollfree()
    - tracefs: Set all files to the same group ownership as the mount option
    - block: fix ioprio_get(IOPRIO_WHO_PGRP) vs setuid(2)
    - qede: validate non LSO skb length
    - net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero
    - net: altera: set a couple error code in probe()
    - net: fec: only clear interrupt of handling queue in fec_enet_rx_queue()
    - net, neigh: clear whole pneigh_entry at alloc time
    - net/qla3xxx: fix an error code in ql_adapter_up()
    - USB: gadget: detect too-big endpoint 0 requests
    - USB: gadget: zero allocate endpoint 0 buffers
    - usb: core: config: fix validation of wMaxPacketValue entries
    - xhci: Remove CONFIG_USB_DEFAULT_PERSIST to prevent xHCI from runtime
      suspending
    - usb: core: config: using bit mask instead of individual bits
    - iio: trigger: Fix reference counting
    - iio: trigger: stm32-timer: fix MODULE_ALIAS
    - iio: stk3310: Don't return error code in interrupt handler
    - iio: mma8452: Fix trigger reference couting
    - iio: ltr501: Don't return error code in trigger handler
    - iio: kxsd9: Don't return error code in trigger handler
    - iio: itg3200: Call iio_trigger_notify_done() on error
    - iio: dln2-adc: Fix lockdep complaint
    - iio: dln2: Check return value of devm_iio_trigger_register()
    - iio: adc: axp20x_adc: fix charging current reporting on AXP22x
    - iio: accel: kxcjk-1013: Fix possible memory leak in probe and remove
    - irqchip/armada-370-xp: Fix return value of armada_370_xp_msi_alloc()
    - irqchip/armada-370-xp: Fix support for Multi-MSI interrupts
    - irqchip/irq-gic-v3-its.c: Force synchronisation when issuing INVALL
    - irqchip: nvic: Fix offset for Interrupt Priority Offsets
    - bonding: make tx_rebalance_counter an atomic
  * Bionic update: upstream stable patchset 2022-01-06 (LP: #1956614)
    - USB: serial: option: add Telit LE910S1 0x9200 composition
    - USB: serial: option: add Fibocom FM101-GL variants
    - usb: hub: Fix usb enumeration issue due to address0 race
    - usb: hub: Fix locking issues with address0_mutex
    - binder: fix test regression due to sender_euid change
    - ALSA: ctxfi: Fix out-of-range access
    - media: cec: copy sequence field for the reply
    - HID: wacom: Use "Confidence" flag to prevent reporting invalid contacts
    - staging: rtl8192e: Fix use after free in _rtl92e_pci_disconnect()
    - fuse: fix page stealing
    - xen: don't continue xenstore initialization in case of errors
    - xen: detect uninitialized xenbus in xenbus_init
    - tracing: Fix pid filtering when triggers are attached
    - netfilter: ipvs: Fix reuse connection if RS weight is 0
    - ARM: dts: BCM5301X: Fix I2C controller interrupt
    - ARM: dts: BCM5301X: Add interrupt properties to GPIO node
    - ASoC: topology: Add missing rwsem around snd_ctl_remove() calls
    - net: ieee802154: handle iftypes as u32
    - NFSv42: Don't fail clone() unless the OP_CLONE operation failed
    - ARM: socfpga: Fix crash with CONFIG_FORTIRY_SOURCE
    - scsi: mpt3sas: Fix kernel panic during drive powercycle test
    - drm/vc4: fix error code in vc4_create_object()
    - ipv6: fix typos in __ip6_finish_output()
    - net/smc: Ensure the active closing peer first closes clcsock
    - PM: hibernate: use correct mode for swsusp_close()
    - tcp_cubic: fix spurious Hystart ACK train detections for not-cwnd-limited
      flows
    - MIPS: use 3-level pgtable for 64KB page size on MIPS_VA_BITS_48
    - net/smc: Don't call clcsock shutdown twice when smc shutdown
    - vhost/vsock: fix incorrect used length reported to the guest
    - tracing: Check pid filtering when creating events
    - s390/mm: validate VMA in PGSTE manipulation functions
    - PCI: aardvark: Fix a leaked reference by adding missing of_node_put()
    - PCI: aardvark: Wait for endpoint to be ready before training link
    - PCI: aardvark: Train link immediately after enabling training
    - PCI: aardvark: Improve link training
    - PCI: aardvark: Issue PERST via GPIO
    - PCI: aardvark: Replace custom macros by standard linux/pci_regs.h macros
    - PCI: aardvark: Indicate error in 'val' when config read fails
    - PCI: aardvark: Introduce an advk_pcie_valid_device() helper
    - PCI: aardvark: Don't touch PCIe registers if no card connected
    - PCI: aardvark: Fix compilation on s390
    - PCI: aardvark: Move PCIe reset card code to advk_pcie_train_link()
    - PCI: aardvark: Update comment about disabling link training
    - PCI: aardvark: Remove PCIe outbound window configuration
    - PCI: aardvark: Configure PCIe resources from 'ranges' DT property
    - PCI: aardvark: Fix PCIe Max Payload Size setting
    - PCI: Add PCI_EXP_LNKCTL2_TLS* macros
    - PCI: aardvark: Fix link training
    - PCI: aardvark: Fix checking for link up via LTSSM state
    - pinctrl: armada-37xx: Correct mpp definitions
    - pinctrl: armada-37xx: add missing pin: PCIe1 Wakeup
    - pinctrl: armada-37xx: Correct PWM pins definitions
    - arm64: dts: marvell: armada-37xx: declare PCIe reset pin
    - arm64: dts: marvell: armada-37xx: Set pcie_reset_pin to gpio function
    - proc/vmcore: fix clearing user buffer by properly using clear_user()
    - NFC: add NCI_UNREG flag to eliminate the race
    - fuse: release pipe buf after last use
    - xen: sync include/xen/interface/io/ring.h with Xen's newest version
    - xen/blkfront: read response from backend only once
    - xen/blkfront: don't take local copy of a request from the ring page
    - xen/blkfront: don't trust the backend response data blindly
    - xen/netfront: read response from backend only once
    - xen/netfront: don't read data from request on the ring page
    - xen/netfront: disentangle tx_skb_freelist
    - xen/netfront: don't trust the backend response data blindly
    - tty: hvc: replace BUG_ON() with negative return value
    - shm: extend forced shm destroy to support objects from several IPC nses
    - ipc: WARN if trying to remove ipc object which is absent
    - NFSv42: Fix pagecache invalidation after COPY/CLONE
    - hugetlb: take PMD sharing into account when flushing tlb/caches
    - net: return correct error code
    - platform/x86: thinkpad_acpi: Fix WWAN device disabled issue after S3 deep
    - s390/setup: avoid using memblock_enforce_memory_limit
    - btrfs: check-integrity: fix a warning on write caching disabled disk
    - thermal: core: Reset previous low and high trip during thermal zone init
    - scsi: iscsi: Unblock session then wake up error handler
    - ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array overflow in
      hns_dsaf_ge_srst_by_port()
    - net: tulip: de4x5: fix the problem that the array 'lp->phy[8]' may be out of
      bound
    - net: ethernet: dec: tulip: de4x5: fix possible array overflows in
      type3_infoblock()
    - perf hist: Fix memory leak of a perf_hpp_fmt
    - vrf: Reset IPCB/IP6CB when processing outbound pkts in vrf dev xmit
    - kprobes: Limit max data_size of the kretprobe instances
    - sata_fsl: fix UAF in sata_fsl_port_stop when rmmod sata_fsl
    - sata_fsl: fix warning in remove_proc_entry when rmmod sata_fsl
    - natsemi: xtensa: fix section mismatch warnings
    - net: qlogic: qlcnic: Fix a NULL pointer dereference in
      qlcnic_83xx_add_rings()
    - net: mpls: Fix notifications when deleting a device
    - siphash: use _unaligned version by default
    - net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources()
    - net: usb: lan78xx: lan78xx_phy_init(): use PHY_POLL instead of "0" if no IRQ
      is available
    - net/rds: correct socket tunable error in rds_tcp_tune()
    - net/smc: Keep smc_close_final rc during active close
    - parisc: Fix KBUILD_IMAGE for self-extracting kernel
    - parisc: Fix "make install" on newer debian releases
    - vgacon: Propagate console boot parameters before calling `vc_resize'
    - xhci: Fix commad ring abort, write all 64 bits to CRCR register.
    - usb: typec: tcpm: Wait in SNK_DEBOUNCED until disconnect
    - x86/64/mm: Map all kernel memory into trampoline_pgd
    - tty: serial: msm_serial: Deactivate RX DMA for polling support
    - serial: pl011: Add ACPI SBSA UART match id
    - serial: core: fix transmit-buffer reset and memleak
    - parisc: Mark cr16 CPU clocksource unstable on all SMP machines
    - xtensa: use CONFIG_USE_OF instead of CONFIG_OF
    - net: hns3: fix VF RSS failed problem after PF enable multi-TCs
    - i2c: stm32f7: recover the bus on access timeout
    - net: annotate data-races on txq->xmit_lock_owner
  * CVE-2022-0330
    - drm/i915: Flush TLBs before releasing backing store
  * CVE-2021-4083
    - fs: add fget_many() and fput_many()
    - fget: check that the fd still exists after getting a ref to it
  * CVE-2021-4155
    - xfs: map unwritten blocks in XFS_IOC_{ALLOC, FREE}SP just like fallocate

Date: 2022-02-01 15:49:18.294726+00:00
Changed-By: Stefan Bader <stefan.bader at canonical.com>
Signed-By: Andy Whitcroft <apw at canonical.com>
https://launchpad.net/ubuntu/+source/linux-snapdragon/4.15.0-1120.129
-------------- next part --------------
Sorry, changesfile not available.


More information about the Bionic-changes mailing list