[ubuntu/bionic-security] linux-raspi2 4.15.0-1106.113 (Accepted)

Andy Whitcroft apw at canonical.com
Wed Mar 23 08:18:59 UTC 2022


linux-raspi2 (4.15.0-1106.113) bionic; urgency=medium

  * bionic/linux-raspi2: 4.15.0-1106.113 -proposed tracker (LP: #1964236)

  * Packaging resync (LP: #1786013)
    - [Packaging] update Ubuntu.md

  [ Ubuntu: 4.15.0-172.181 ]

  * CVE-2022-0847
    - lib/iov_iter: initialize "flags" in new pipe_buffer
  * Bionic update: upstream stable patchset 2022-02-11 (LP: #1960681)
    - Bluetooth: bfusb: fix division by zero in send path
    - USB: core: Fix bug in resuming hub's handling of wakeup requests
    - USB: Fix "slab-out-of-bounds Write" bug in usb_hcd_poll_rh_status
    - mfd: intel-lpss: Fix too early PM enablement in the ACPI ->probe()
    - can: gs_usb: fix use of uninitialized variable, detach device on reception
      of invalid USB data
    - can: gs_usb: gs_can_start_xmit(): zero-initialize hf->{flags,reserved}
    - random: fix data race on crng_node_pool
    - random: fix data race on crng init time
    - staging: wlan-ng: Avoid bitwise vs logical OR warning in
      hfa384x_usb_throttlefn()
    - drm/i915: Avoid bitwise vs logical OR warning in snb_wm_latency_quirk()
    - orangefs: Fix the size of a memory allocation in orangefs_bufmap_alloc()
    - media: uvcvideo: fix division by zero at stream start
    - rtlwifi: rtl8192cu: Fix WARNING when calling local_irq_restore() with
      interrupts enabled
    - Bluetooth: schedule SCO timeouts with delayed_work
    - Bluetooth: fix init and cleanup of sco_conn.timeout_work
    - HID: uhid: Fix worker destroying device without any protection
    - HID: wacom: Ignore the confidence flag when a touch is removed
    - HID: wacom: Avoid using stale array indicies to read contact count
    - nfc: llcp: fix NULL error pointer dereference on sendmsg() after failed
      bind()
    - rtc: cmos: take rtc_lock while reading from CMOS
    - media: flexcop-usb: fix control-message timeouts
    - media: mceusb: fix control-message timeouts
    - media: em28xx: fix control-message timeouts
    - media: cpia2: fix control-message timeouts
    - media: s2255: fix control-message timeouts
    - media: dib0700: fix undefined behavior in tuner shutdown
    - media: redrat3: fix control-message timeouts
    - media: pvrusb2: fix control-message timeouts
    - media: stk1160: fix control-message timeouts
    - can: softing_cs: softingcs_probe(): fix memleak on registration failure
    - shmem: fix a race between shmem_unused_huge_shrink and shmem_evict_inode
    - PCI: Add function 1 DMA alias quirk for Marvell 88SE9125 SATA controller
    - Bluetooth: cmtp: fix possible panic when cmtp_init_sockets() fails
    - clk: bcm-2835: Pick the closest clock rate
    - clk: bcm-2835: Remove rounding up the dividers
    - wcn36xx: Indicate beacon not connection loss on MISSED_BEACON_IND
    - media: em28xx: fix memory leak in em28xx_init_dev
    - Bluetooth: stop proccessing malicious adv data
    - media: dmxdev: fix UAF when dvb_register_device() fails
    - crypto: qce - fix uaf on qce_ahash_register_one
    - tty: serial: atmel: Check return code of dmaengine_submit()
    - tty: serial: atmel: Call dma_async_issue_pending()
    - media: mtk-vcodec: call v4l2_m2m_ctx_release first when file is released
    - netfilter: bridge: add support for pppoe filtering
    - arm64: dts: qcom: msm8916: fix MMC controller aliases
    - drm/amdgpu: Fix a NULL pointer dereference in
      amdgpu_connector_lcd_native_mode()
    - drm/radeon/radeon_kms: Fix a NULL pointer dereference in
      radeon_driver_open_kms()
    - serial: amba-pl011: do not request memory region twice
    - floppy: Fix hang in watchdog when disk is ejected
    - media: dib8000: Fix a memleak in dib8000_init()
    - media: saa7146: mxb: Fix a NULL pointer dereference in mxb_attach()
    - media: si2157: Fix "warm" tuner state detection
    - sched/rt: Try to restart rt period timer when rt runtime exceeded
    - media: dw2102: Fix use after free
    - media: msi001: fix possible null-ptr-deref in msi001_probe()
    - usb: ftdi-elan: fix memory leak on device disconnect
    - x86/mce/inject: Avoid out-of-bounds write when setting flags
    - pcmcia: rsrc_nonstatic: Fix a NULL pointer dereference in
      __nonstatic_find_io_region()
    - pcmcia: rsrc_nonstatic: Fix a NULL pointer dereference in
      nonstatic_find_mem_region()
    - ppp: ensure minimum packet size in ppp_write()
    - fsl/fman: Check for null pointer after calling devm_ioremap
    - spi: spi-meson-spifc: Add missing pm_runtime_disable() in meson_spifc_probe
    - tpm: add request_locality before write TPM_INT_ENABLE
    - can: softing: softing_startstop(): fix set but not used variable warning
    - can: xilinx_can: xcan_probe(): check for error irq
    - pcmcia: fix setting of kthread task states
    - net: mcs7830: handle usb read errors properly
    - ext4: avoid trim error on fs with small groups
    - ALSA: jack: Add missing rwsem around snd_ctl_remove() calls
    - ALSA: PCM: Add missing rwsem around snd_ctl_remove() calls
    - ALSA: hda: Add missing rwsem around snd_ctl_remove() calls
    - RDMA/hns: Validate the pkey index
    - powerpc/prom_init: Fix improper check of prom_getprop()
    - ALSA: oss: fix compile error when OSS_DEBUG is enabled
    - char/mwave: Adjust io port register size
    - scsi: ufs: Fix race conditions related to driver data
    - RDMA/core: Let ib_find_gid() continue search even after empty entry
    - dmaengine: pxa/mmp: stop referencing config->slave_id
    - iommu/iova: Fix race between FQ timeout and teardown
    - ASoC: samsung: idma: Check of ioremap return value
    - misc: lattice-ecp3-config: Fix task hung when firmware load failed
    - mips: lantiq: add support for clk_set_parent()
    - mips: bcm63xx: add support for clk_set_parent()
    - RDMA/cxgb4: Set queue pair state when being queried
    - Bluetooth: Fix debugfs entry leak in hci_register_dev()
    - fs: dlm: filter user dlm messages for kernel locks
    - ar5523: Fix null-ptr-deref with unexpected WDCMSG_TARGET_START reply
    - drm/nouveau/pmu/gm200-: avoid touching PMU outside of DEVINIT/PREOS/ACR
    - usb: gadget: f_fs: Use stream_open() for endpoint files
    - HID: apple: Do not reset quirks when the Fn key is not found
    - media: b2c2: Add missing check in flexcop_pci_isr:
    - mlxsw: pci: Add shutdown method in PCI driver
    - drm/bridge: megachips: Ensure both bridges are probed before registration
    - gpiolib: acpi: Do not set the IRQ type if the IRQ is already in use
    - HSI: core: Fix return freed object in hsi_new_client
    - mwifiex: Fix skb_over_panic in mwifiex_usb_recv()
    - usb: uhci: add aspeed ast2600 uhci support
    - floppy: Add max size check for user space request
    - media: uvcvideo: Increase UVC_CTRL_CONTROL_TIMEOUT to 5 seconds.
    - media: saa7146: hexium_orion: Fix a NULL pointer dereference in
      hexium_attach()
    - media: m920x: don't use stack on USB reads
    - iwlwifi: mvm: synchronize with FW after multicast commands
    - ath10k: Fix tx hanging
    - net: bonding: debug: avoid printing debug logs when bond is not notifying
      peers
    - bpf: Do not WARN in bpf_warn_invalid_xdp_action()
    - media: igorplugusb: receiver overflow should be reported
    - media: saa7146: hexium_gemini: Fix a NULL pointer dereference in
      hexium_attach()
    - mmc: core: Fixup storing of OCR for MMC_QUIRK_NONSTD_SDIO
    - arm64: tegra: Adjust length of CCPLEX cluster MMIO region
    - usb: hub: Add delay for SuperSpeed hub resume to let links transit to U0
    - ath9k: Fix out-of-bound memcpy in ath9k_hif_usb_rx_stream
    - iwlwifi: fix leaks/bad data after failed firmware load
    - iwlwifi: remove module loading failure message
    - um: registers: Rename function names to avoid conflicts and build problems
    - jffs2: GC deadlock reading a page that is used in jffs2_write_begin()
    - ACPICA: actypes.h: Expand the ACPI_ACCESS_ definitions
    - ACPICA: Utilities: Avoid deleting the same object twice in a row
    - ACPICA: Executer: Fix the REFCLASS_REFOF case in acpi_ex_opcode_1A_0T_1R()
    - ACPICA: Hardware: Do not flush CPU cache when entering S4 and S5
    - btrfs: remove BUG_ON() in find_parent_nodes()
    - btrfs: remove BUG_ON(!eie) in find_parent_nodes
    - net: mdio: Demote probed message to debug print
    - mac80211: allow non-standard VHT MCS-10/11
    - dm btree: add a defensive bounds check to insert_at()
    - dm space map common: add bounds check to sm_ll_lookup_bitmap()
    - net: phy: marvell: configure RGMII delays for 88E1118
    - serial: pl010: Drop CR register reset on set_termios
    - serial: core: Keep mctrl register state and cached copy in sync
    - parisc: Avoid calling faulthandler_disabled() twice
    - powerpc/6xx: add missing of_node_put
    - powerpc/powernv: add missing of_node_put
    - powerpc/cell: add missing of_node_put
    - powerpc/btext: add missing of_node_put
    - powerpc/watchdog: Fix missed watchdog reset due to memory ordering race
    - i2c: i801: Don't silently correct invalid transfer size
    - powerpc/smp: Move setup_profiling_timer() under CONFIG_PROFILING
    - i2c: mpc: Correct I2C reset procedure
    - w1: Misuse of get_user()/put_user() reported by sparse
    - ALSA: seq: Set upper limit of processed events
    - MIPS: OCTEON: add put_device() after of_find_device_by_node()
    - i2c: designware-pci: Fix to change data types of hcnt and lcnt parameters
    - MIPS: Octeon: Fix build errors using clang
    - scsi: sr: Don't use GFP_DMA
    - ASoC: mediatek: mt8173: fix device_node leak
    - power: bq25890: Enable continuous conversion for ADC at charging
    - ubifs: Error path in ubifs_remount_rw() seems to wrongly free write buffers
    - serial: Fix incorrect rs485 polarity on uart open
    - cputime, cpuacct: Include guest time in user time in cpuacct.stat
    - iwlwifi: mvm: Increase the scan timeout guard to 30 seconds
    - ext4: make sure quota gets properly shutdown on error
    - ext4: set csum seed in tmp inode while migrating to extents
    - ext4: Fix BUG_ON in ext4_bread when write quota data
    - ext4: don't use the orphan list when migrating an inode
    - crypto: stm32/crc32 - Fix kernel BUG triggered in probe()
    - drm/radeon: fix error handling in radeon_driver_open_kms
    - firmware: Update Kconfig help text for Google firmware
    - Documentation: refer to config RANDOMIZE_BASE for kernel address-space
      randomization
    - RDMA/hns: Modify the mapping attribute of doorbell to device
    - RDMA/rxe: Fix a typo in opcode name
    - powerpc/cell: Fix clang -Wimplicit-fallthrough warning
    - powerpc/fsl/dts: Enable WA for erratum A-009885 on fman3l MDIO buses
    - net/fsl: xgmac_mdio: Fix incorrect iounmap when removing module
    - parisc: pdc_stable: Fix memory leak in pdcs_register_pathentries
    - af_unix: annote lockless accesses to unix_tot_inflight & gc_in_progress
    - net: axienet: Wait for PhyRstCmplt after core reset
    - net: axienet: fix number of TX ring slots for available check
    - netns: add schedule point in ops_exit_list()
    - libcxgb: Don't accidentally set RTO_ONLINK in cxgb_find_route()
    - dmaengine: at_xdmac: Don't start transactions at tx_submit level
    - dmaengine: at_xdmac: Print debug message after realeasing the lock
    - dmaengine: at_xdmac: Fix lld view setting
    - dmaengine: at_xdmac: Fix at_xdmac_lld struct definition
    - net_sched: restore "mpu xxx" handling
    - bcmgenet: add WOL IRQ check
    - scripts/dtc: dtx_diff: remove broken example from help text
    - lib82596: Fix IRQ check in sni_82596_probe
    - mips,s390,sh,sparc: gup: Work around the "COW can break either way" issue
    - gianfar: simplify FCS handling and fix memory leak
    - firmware: qemu_fw_cfg: fix NULL-pointer deref on duplicate entries
    - firmware: qemu_fw_cfg: fix kobject leak in probe error path
    - ALSA: hda/realtek - Fix silent output on Gigabyte X570 Aorus Master after
      reboot from Windows
    - wcn36xx: Release DMA channel descriptor allocations
    - tty: serial: uartlite: allow 64 bit address
    - xfrm: fix a small bug in xfrm_sa_len()
    - mmc: meson-mx-sdio: add IRQ check
    - netfilter: ipt_CLUSTERIP: fix refcount leak in clusterip_tg_check()
    - staging: greybus: audio: Check null pointer
    - Bluetooth: hci_bcm: Check for error irq
    - ASoC: rt5663: Handle device_property_read_u32_array error codes
    - rpmsg: Only invoke announce_create for rpdev with endpoints
    - rpmsg: core: Clean up resources on announce_create failure.
    - dmaengine: stm32-mdma: fix STM32_MDMA_CTBR_TSEL_MASK
    - rtc: pxa: fix null pointer dereference
  * CVE-2022-0435
    - tipc: improve size validations for received domain records
  * CVE-2022-0492
    - cgroup-v1: Require capabilities to set release_agent
  * CVE-2021-3506
    - f2fs: fix to avoid out-of-bounds memory access
  * Bionic update: upstream stable patchset 2022-02-01 (LP: #1959709)
    - tracing: Fix check for trace_percpu_buffer validity in get_trace_buf()
    - tracing: Tag trace_percpu_buffer as a percpu pointer
    - virtio_pci: Support surprise removal of virtio pci device
    - ieee802154: atusb: fix uninit value in atusb_set_extended_addr
    - RDMA/core: Don't infoleak GRH fields
    - mac80211: initialize variable have_higher_than_11mbit
    - i40e: fix use-after-free in i40e_sync_filters_subtask()
    - i40e: Fix incorrect netdev's real number of RX/TX queues
    - ipv6: Check attribute length for RTA_GATEWAY in multipath route
    - ipv6: Check attribute length for RTA_GATEWAY when deleting multipath route
    - sch_qfq: prevent shift-out-of-bounds in qfq_init_qdisc
    - power: reset: ltc2952: Fix use of floating point literals
    - rndis_host: support Hytera digital radios
    - phonet: refcount leak in pep_sock_accep
    - ipv6: Continue processing multipath route even if gateway attribute is
      invalid
    - ipv6: Do cleanup if attribute validation fails in multipath route
    - scsi: libiscsi: Fix UAF in iscsi_conn_get_param()/iscsi_conn_teardown()
    - ip6_vti: initialize __ip6_tnl_parm struct in vti6_siocdevprivate
    - net: udp: fix alignment problem in udp4_seq_show()
    - mISDN: change function names to avoid conflicts
    - usb: mtu3: fix interval value for intr and isoc
  * Bionic update: upstream stable patchset 2022-01-27 (LP: #1959335)
    - tee: handle lookup of shm with reference count 0
    - platform/x86: apple-gmux: use resource_size() with res
    - selinux: initialize proto variable in selinux_ip_postroute_compat()
    - scsi: lpfc: Terminate string in lpfc_debugfs_nvmeio_trc_write()
    - net: usb: pegasus: Do not drop long Ethernet frames
    - NFC: st21nfca: Fix memory leak in device probe and remove
    - fsl/fman: Fix missing put_device() call in fman_port_probe
    - nfc: uapi: use kernel size_t to fix user-space builds
    - uapi: fix linux/nfc.h userspace compilation errors
    - xhci: Fresco FL1100 controller should not have BROKEN_MSI quirk set.
    - usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear.
    - binder: fix async_free_space accounting for empty parcels
    - scsi: vmw_pvscsi: Set residual data length conditionally
    - Input: appletouch - initialize work before device registration
    - Input: spaceball - fix parsing of movement data packets
    - net: fix use-after-free in tw_timer_handler
    - sctp: use call_rcu to free endpoint
    - Input: i8042 - add deferred probe support
    - Input: i8042 - enable deferred probe quirk for ASUS UM325UA
    - i2c: validate user data in compat ioctl
    - usb: mtu3: set interval of FS intr and isoc endpoint
  * Bionic update: upstream stable patchset 2022-01-27 (LP: #1959335) //
    HID_ASUS should depend on USB_HID in stable v4.15 backports (LP: #1959762)
    - HID: asus: Add depends on USB_HID to HID_ASUS Kconfig option
  * Packaging resync (LP: #1786013)
    - [Packaging] resync getabis

Date: 2022-03-14 09:28:09.383624+00:00
Changed-By: Juerg Haefliger <juergh at canonical.com>
Signed-By: Andy Whitcroft <apw at canonical.com>
https://launchpad.net/ubuntu/+source/linux-raspi2/4.15.0-1106.113