[ubuntu/bionic-security] linux-snapdragon 4.15.0-1120.129 (Accepted)
Andy Whitcroft
apw at canonical.com
Mon Feb 21 20:52:17 UTC 2022
linux-snapdragon (4.15.0-1120.129) bionic; urgency=medium
* bionic/linux-snapdragon: 4.15.0-1120.129 -proposed tracker (LP: #1959306)
[ Ubuntu: 4.15.0-168.176 ]
* bionic/linux: 4.15.0-168.176 -proposed tracker (LP: #1959308)
* CVE-2022-22942
- SAUCE: drm/vmwgfx: Fix stale file descriptors on failed usercopy
* Bionic update: upstream stable patchset 2022-01-25 (LP: #1959033)
- IB/qib: Use struct_size() helper
- IB/qib: Protect from buffer overflow in struct qib_user_sdma_pkt fields
- net: usb: lan78xx: add Allied Telesis AT29M2-AF
- can: kvaser_usb: get CAN clock frequency from device
- HID: holtek: fix mouse probing
- spi: change clk_disable_unprepare to clk_unprepare
- IB/qib: Fix memory leak in qib_user_sdma_queue_pkts()
- netfilter: fix regression in looped (broad|multi)cast's MAC handling
- qlcnic: potential dereference null pointer of rx_queue->page_ring
- net: accept UFOv6 packages in virtio_net_hdr_to_skb
- net: skip virtio_net_hdr_set_proto if protocol already set
- bonding: fix ad_actor_system option setting to default
- fjes: Check for error irq
- drivers: net: smc911x: Check for error irq
- sfc: falcon: Check null pointer of rx_queue->page_ring
- hwmon: (lm90) Fix usage of CONFIG2 register in detect function
- ALSA: jack: Check the return value of kstrdup()
- ALSA: drivers: opl3: Fix incorrect use of vp->state
- Input: atmel_mxt_ts - fix double free in mxt_read_info_block
- x86/pkey: Fix undefined behaviour with PKRU_WD_BIT
- pinctrl: stm32: consider the GPIO offset to expose all the GPIO lines
- ARM: 9169/1: entry: fix Thumb2 bug in iWMMXt exception handling
- f2fs: fix to do sanity check on last xattr entry in __f2fs_setxattr()
- usb: gadget: u_ether: fix race in setting MAC address in setup phase
- KVM: VMX: Fix stale docs for kvm-intel.emulate_invalid_guest_state
- hwmon: (lm90) Do not report 'busy' status bit as alarm
- ax25: NPD bug when detaching AX25 device
- hamradio: defer ax25 kfree after unregister_netdev
- hamradio: improve the incomplete fix to avoid NPD
- phonet/pep: refuse to enable an unbound pipe
- parisc: Correct completer in lws start
* Bionic update: upstream stable patchset 2022-01-14 (LP: #1957957)
- nfc: fix segfault in nfc_genl_dump_devices_done
- drm/msm/dsi: set default num_data_lanes
- net/mlx4_en: Update reported link modes for 1/10G
- parisc/agp: Annotate parisc agp init functions with __init
- i2c: rk3x: Handle a spurious start completion interrupt flag
- net: netlink: af_netlink: Prevent empty skb by adding a check on len.
- tracing: Fix a kmemleak false positive in tracing_map
- bpf: fix panic due to oob in bpf_prog_test_run_skb
- hwmon: (dell-smm) Fix warning on /proc/i8k creation error
- mac80211: send ADDBA requests using the tid/queue of the aggregation session
- recordmcount.pl: look for jgnop instruction as well as bcrl on s390
- dm btree remove: fix use after free in rebalance_children()
- audit: improve robustness of the audit queue handling
- nfsd: fix use-after-free due to delegation race
- x86: Make ARCH_USE_MEMREMAP_PROT a generic Kconfig symbol
- x86/sme: Explicitly map new EFI memmap table as encrypted
- ARM: socfpga: dts: fix qspi node compatible
- dmaengine: st_fdma: fix MODULE_ALIAS
- soc/tegra: fuse: Fix bitwise vs. logical OR warning
- igbvf: fix double free in `igbvf_probe`
- ixgbe: set X550 MDIO speed before talking to PHY
- net/packet: rx_owner_map depends on pg_vec
- sit: do not call ipip6_dev_free() from sit_init_net()
- USB: gadget: bRequestType is a bitfield, not a enum
- PCI/MSI: Clear PCI_MSIX_FLAGS_MASKALL on error
- PCI/MSI: Mask MSI-X vectors only on success
- USB: serial: option: add Telit FN990 compositions
- timekeeping: Really make sure wall_to_monotonic isn't positive
- libata: if T_LENGTH is zero, dma direction should be DMA_NONE
- net: systemport: Add global locking for descriptor lifecycle
- firmware: arm_scpi: Fix string overflow in SCPI genpd driver
- ARM: dts: imx6ull-pinfunc: Fix CSI_DATA07__ESAI_TX0 pad name
- fuse: annotate lock in fuse_reverse_inval_entry()
- scsi: scsi_debug: Sanity check block descriptor length in resp_mode_select()
- net: lan78xx: Avoid unnecessary self assignment
- ARM: 8805/2: remove unneeded naked function usage
- mwifiex: Remove unnecessary braces from HostCmd_SET_SEQ_NO_BSS_INFO
- ARM: 8800/1: use choice for kernel unwinders
- [Config] updateconfigs for UNWINDER_ARM
- Input: touchscreen - avoid bitwise vs logical OR warning
- xen/blkfront: harden blkfront against event channel storms
- xen/netfront: harden netfront against event channel storms
- xen/console: harden hvc_xen against event channel storms
- xen/netback: fix rx queue stall detection
- xen/netback: don't queue unlimited number of packages
- mac80211: track only QoS data frames for admission control
* Bionic update: upstream stable patchset 2022-01-11 (LP: #1957113)
- HID: add hid_is_usb() function to make it simpler for USB detection
- HID: add USB_HID dependancy to hid-prodikeys
- HID: add USB_HID dependancy to hid-chicony
- HID: add USB_HID dependancy on some USB HID drivers
- HID: wacom: fix problems when device is not a valid USB device
- HID: check for valid USB device for many HID drivers
- can: sja1000: fix use after free in ems_pcmcia_add_card()
- nfc: fix potential NULL pointer deref in nfc_genl_dump_ses_done
- bpf: Fix the off-by-two error in range markings
- nfp: Fix memory leak in nfp_cpp_area_cache_add()
- seg6: fix the iif in the IPv6 socket control block
- IB/hfi1: Correct guard on eager buffer deallocation
- mm: bdi: initialize bdi_min_ratio when bdi is unregistered
- ALSA: ctl: Fix copy of updated id with element read/write
- ALSA: pcm: oss: Fix negative period/buffer sizes
- ALSA: pcm: oss: Limit the period size to 16MB
- ALSA: pcm: oss: Handle missing errors in snd_pcm_oss_change_params*()
- tracefs: Have new files inherit the ownership of their parent
- can: pch_can: pch_can_rx_normal: fix use after free
- can: m_can: Disable and ignore ELO interrupt
- libata: add horkage for ASMedia 1092
- wait: add wake_up_pollfree()
- binder: use wake_up_pollfree()
- signalfd: use wake_up_pollfree()
- tracefs: Set all files to the same group ownership as the mount option
- block: fix ioprio_get(IOPRIO_WHO_PGRP) vs setuid(2)
- qede: validate non LSO skb length
- net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero
- net: altera: set a couple error code in probe()
- net: fec: only clear interrupt of handling queue in fec_enet_rx_queue()
- net, neigh: clear whole pneigh_entry at alloc time
- net/qla3xxx: fix an error code in ql_adapter_up()
- USB: gadget: detect too-big endpoint 0 requests
- USB: gadget: zero allocate endpoint 0 buffers
- usb: core: config: fix validation of wMaxPacketValue entries
- xhci: Remove CONFIG_USB_DEFAULT_PERSIST to prevent xHCI from runtime
suspending
- usb: core: config: using bit mask instead of individual bits
- iio: trigger: Fix reference counting
- iio: trigger: stm32-timer: fix MODULE_ALIAS
- iio: stk3310: Don't return error code in interrupt handler
- iio: mma8452: Fix trigger reference couting
- iio: ltr501: Don't return error code in trigger handler
- iio: kxsd9: Don't return error code in trigger handler
- iio: itg3200: Call iio_trigger_notify_done() on error
- iio: dln2-adc: Fix lockdep complaint
- iio: dln2: Check return value of devm_iio_trigger_register()
- iio: adc: axp20x_adc: fix charging current reporting on AXP22x
- iio: accel: kxcjk-1013: Fix possible memory leak in probe and remove
- irqchip/armada-370-xp: Fix return value of armada_370_xp_msi_alloc()
- irqchip/armada-370-xp: Fix support for Multi-MSI interrupts
- irqchip/irq-gic-v3-its.c: Force synchronisation when issuing INVALL
- irqchip: nvic: Fix offset for Interrupt Priority Offsets
- bonding: make tx_rebalance_counter an atomic
* Bionic update: upstream stable patchset 2022-01-06 (LP: #1956614)
- USB: serial: option: add Telit LE910S1 0x9200 composition
- USB: serial: option: add Fibocom FM101-GL variants
- usb: hub: Fix usb enumeration issue due to address0 race
- usb: hub: Fix locking issues with address0_mutex
- binder: fix test regression due to sender_euid change
- ALSA: ctxfi: Fix out-of-range access
- media: cec: copy sequence field for the reply
- HID: wacom: Use "Confidence" flag to prevent reporting invalid contacts
- staging: rtl8192e: Fix use after free in _rtl92e_pci_disconnect()
- fuse: fix page stealing
- xen: don't continue xenstore initialization in case of errors
- xen: detect uninitialized xenbus in xenbus_init
- tracing: Fix pid filtering when triggers are attached
- netfilter: ipvs: Fix reuse connection if RS weight is 0
- ARM: dts: BCM5301X: Fix I2C controller interrupt
- ARM: dts: BCM5301X: Add interrupt properties to GPIO node
- ASoC: topology: Add missing rwsem around snd_ctl_remove() calls
- net: ieee802154: handle iftypes as u32
- NFSv42: Don't fail clone() unless the OP_CLONE operation failed
- ARM: socfpga: Fix crash with CONFIG_FORTIRY_SOURCE
- scsi: mpt3sas: Fix kernel panic during drive powercycle test
- drm/vc4: fix error code in vc4_create_object()
- ipv6: fix typos in __ip6_finish_output()
- net/smc: Ensure the active closing peer first closes clcsock
- PM: hibernate: use correct mode for swsusp_close()
- tcp_cubic: fix spurious Hystart ACK train detections for not-cwnd-limited
flows
- MIPS: use 3-level pgtable for 64KB page size on MIPS_VA_BITS_48
- net/smc: Don't call clcsock shutdown twice when smc shutdown
- vhost/vsock: fix incorrect used length reported to the guest
- tracing: Check pid filtering when creating events
- s390/mm: validate VMA in PGSTE manipulation functions
- PCI: aardvark: Fix a leaked reference by adding missing of_node_put()
- PCI: aardvark: Wait for endpoint to be ready before training link
- PCI: aardvark: Train link immediately after enabling training
- PCI: aardvark: Improve link training
- PCI: aardvark: Issue PERST via GPIO
- PCI: aardvark: Replace custom macros by standard linux/pci_regs.h macros
- PCI: aardvark: Indicate error in 'val' when config read fails
- PCI: aardvark: Introduce an advk_pcie_valid_device() helper
- PCI: aardvark: Don't touch PCIe registers if no card connected
- PCI: aardvark: Fix compilation on s390
- PCI: aardvark: Move PCIe reset card code to advk_pcie_train_link()
- PCI: aardvark: Update comment about disabling link training
- PCI: aardvark: Remove PCIe outbound window configuration
- PCI: aardvark: Configure PCIe resources from 'ranges' DT property
- PCI: aardvark: Fix PCIe Max Payload Size setting
- PCI: Add PCI_EXP_LNKCTL2_TLS* macros
- PCI: aardvark: Fix link training
- PCI: aardvark: Fix checking for link up via LTSSM state
- pinctrl: armada-37xx: Correct mpp definitions
- pinctrl: armada-37xx: add missing pin: PCIe1 Wakeup
- pinctrl: armada-37xx: Correct PWM pins definitions
- arm64: dts: marvell: armada-37xx: declare PCIe reset pin
- arm64: dts: marvell: armada-37xx: Set pcie_reset_pin to gpio function
- proc/vmcore: fix clearing user buffer by properly using clear_user()
- NFC: add NCI_UNREG flag to eliminate the race
- fuse: release pipe buf after last use
- xen: sync include/xen/interface/io/ring.h with Xen's newest version
- xen/blkfront: read response from backend only once
- xen/blkfront: don't take local copy of a request from the ring page
- xen/blkfront: don't trust the backend response data blindly
- xen/netfront: read response from backend only once
- xen/netfront: don't read data from request on the ring page
- xen/netfront: disentangle tx_skb_freelist
- xen/netfront: don't trust the backend response data blindly
- tty: hvc: replace BUG_ON() with negative return value
- shm: extend forced shm destroy to support objects from several IPC nses
- ipc: WARN if trying to remove ipc object which is absent
- NFSv42: Fix pagecache invalidation after COPY/CLONE
- hugetlb: take PMD sharing into account when flushing tlb/caches
- net: return correct error code
- platform/x86: thinkpad_acpi: Fix WWAN device disabled issue after S3 deep
- s390/setup: avoid using memblock_enforce_memory_limit
- btrfs: check-integrity: fix a warning on write caching disabled disk
- thermal: core: Reset previous low and high trip during thermal zone init
- scsi: iscsi: Unblock session then wake up error handler
- ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array overflow in
hns_dsaf_ge_srst_by_port()
- net: tulip: de4x5: fix the problem that the array 'lp->phy[8]' may be out of
bound
- net: ethernet: dec: tulip: de4x5: fix possible array overflows in
type3_infoblock()
- perf hist: Fix memory leak of a perf_hpp_fmt
- vrf: Reset IPCB/IP6CB when processing outbound pkts in vrf dev xmit
- kprobes: Limit max data_size of the kretprobe instances
- sata_fsl: fix UAF in sata_fsl_port_stop when rmmod sata_fsl
- sata_fsl: fix warning in remove_proc_entry when rmmod sata_fsl
- natsemi: xtensa: fix section mismatch warnings
- net: qlogic: qlcnic: Fix a NULL pointer dereference in
qlcnic_83xx_add_rings()
- net: mpls: Fix notifications when deleting a device
- siphash: use _unaligned version by default
- net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources()
- net: usb: lan78xx: lan78xx_phy_init(): use PHY_POLL instead of "0" if no IRQ
is available
- net/rds: correct socket tunable error in rds_tcp_tune()
- net/smc: Keep smc_close_final rc during active close
- parisc: Fix KBUILD_IMAGE for self-extracting kernel
- parisc: Fix "make install" on newer debian releases
- vgacon: Propagate console boot parameters before calling `vc_resize'
- xhci: Fix commad ring abort, write all 64 bits to CRCR register.
- usb: typec: tcpm: Wait in SNK_DEBOUNCED until disconnect
- x86/64/mm: Map all kernel memory into trampoline_pgd
- tty: serial: msm_serial: Deactivate RX DMA for polling support
- serial: pl011: Add ACPI SBSA UART match id
- serial: core: fix transmit-buffer reset and memleak
- parisc: Mark cr16 CPU clocksource unstable on all SMP machines
- xtensa: use CONFIG_USE_OF instead of CONFIG_OF
- net: hns3: fix VF RSS failed problem after PF enable multi-TCs
- i2c: stm32f7: recover the bus on access timeout
- net: annotate data-races on txq->xmit_lock_owner
* CVE-2022-0330
- drm/i915: Flush TLBs before releasing backing store
* CVE-2021-4083
- fs: add fget_many() and fput_many()
- fget: check that the fd still exists after getting a ref to it
* CVE-2021-4155
- xfs: map unwritten blocks in XFS_IOC_{ALLOC, FREE}SP just like fallocate
Date: 2022-02-01 15:49:18.294726+00:00
Changed-By: Stefan Bader <stefan.bader at canonical.com>
Signed-By: Andy Whitcroft <apw at canonical.com>
https://launchpad.net/ubuntu/+source/linux-snapdragon/4.15.0-1120.129
-------------- next part --------------
Sorry, changesfile not available.
More information about the Bionic-changes
mailing list