[ubuntu/bionic-security] linux-gcp-5.4 5.4.0-1092.101~18.04.1 (Accepted)

Andy Whitcroft apw at canonical.com
Wed Oct 19 08:34:02 UTC 2022


linux-gcp-5.4 (5.4.0-1092.101~18.04.1) bionic; urgency=medium

  [ Ubuntu: 5.4.0-1092.101 ]

  * CVE-2022-2602
    - SAUCE: io_uring/af_unix: defer registered files gc to io_uring release
    - SAUCE: io_uring/af_unix: fix memleak during unix GC
  * CVE-2022-41674
    - SAUCE: wifi: cfg80211: fix u8 overflow in
      cfg80211_update_notlisted_nontrans()
    - SAUCE: wifi: cfg80211/mac80211: reject bad MBSSID elements
    - SAUCE: wifi: cfg80211: ensure length byte is present before access
    - SAUCE: wifi: mac80211_hwsim: avoid mac80211 warning on bad rate
    - SAUCE: wifi: cfg80211: update hidden BSSes to avoid WARN_ON
  * CVE-2022-42721
    - SAUCE: wifi: cfg80211: avoid nontransmitted BSS list corruption
  * CVE-2022-42720
    - SAUCE: wifi: cfg80211: fix BSS refcounting bugs

linux-gcp-5.4 (5.4.0-1090.98~18.04.1) bionic; urgency=medium

  * bionic/linux-gcp-5.4: 5.4.0-1090.98~18.04.1 -proposed tracker (LP: #1989870)

  [ Ubuntu: 5.4.0-1090.98 ]

  * focal/linux-gcp: 5.4.0-1090.98 -proposed tracker (LP: #1989871)
  * Focal update: v5.4.208 upstream stable release (LP: #1988225)
    - [config] Update configs after rebase
  * focal/linux: 5.4.0-128.144 -proposed tracker (LP: #1990152)
  * CVE-2022-3176
    - io_uring: disable polling pollfree files
  * ip/nexthop: fix default address selection for connected nexthop
    (LP: #1988809)
    - selftests/net: test nexthop without gw
  * ip/nexthop: fix default address selection for connected nexthop
    (LP: #1988809) // icmp_redirect.sh in ubuntu_kernel_selftests failed on
    Jammy 5.15.0-49.55 (LP: #1990124)
    - ip: fix triggering of 'icmp redirect'
  * focal/linux: 5.4.0-127.143 -proposed tracker (LP: #1989892)
  * Packaging resync (LP: #1786013)
    - debian/dkms-versions -- update from kernel-versions (main/2022.09.19)
  * [UBUNTU 20.04] mlx5 driver crashes on accessing device attributes during
    recovery (LP: #1987287)
    - net/mlx5: Avoid processing commands before cmdif is ready
  * Focal update: v5.4.210 upstream stable release (LP: #1989230)
    - thermal: Fix NULL pointer dereferences in of_thermal_ functions
    - ACPI: video: Force backlight native for some TongFang devices
    - ACPI: video: Shortening quirk list by identifying Clevo by board_name only
    - ACPI: APEI: Better fix to avoid spamming the console with old error logs
    - bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()
    - selftests/bpf: Extend verifier and bpf_sock tests for dst_port loads
    - bpf: Test_verifier, #70 error message updates for 32-bit right shift
    - KVM: Don't null dereference ops->destroy
    - selftests: KVM: Handle compiler optimizations in ucall
    - media: v4l2-mem2mem: Apply DST_QUEUE_OFF_BASE on MMAP buffers across ioctls
    - macintosh/adb: fix oob read in do_adb_query() function
    - x86/speculation: Add RSB VM Exit protections
    - x86/speculation: Add LFENCE to RSB fill sequence
    - Linux 5.4.210
  * Focal update: v5.4.209 upstream stable release (LP: #1989228)
    - Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put
    - ntfs: fix use-after-free in ntfs_ucsncmp()
    - s390/archrandom: prevent CPACF trng invocations in interrupt context
    - tcp: Fix data-races around sysctl_tcp_dsack.
    - tcp: Fix a data-race around sysctl_tcp_app_win.
    - tcp: Fix a data-race around sysctl_tcp_adv_win_scale.
    - tcp: Fix a data-race around sysctl_tcp_frto.
    - tcp: Fix a data-race around sysctl_tcp_nometrics_save.
    - ice: check (DD | EOF) bits on Rx descriptor rather than (EOP | RS)
    - ice: do not setup vlan for loopback VSI
    - scsi: ufs: host: Hold reference returned by of_parse_phandle()
    - tcp: Fix a data-race around sysctl_tcp_limit_output_bytes.
    - tcp: Fix a data-race around sysctl_tcp_challenge_ack_limit.
    - net: ping6: Fix memleak in ipv6_renew_options().
    - ipv6/addrconf: fix a null-ptr-deref bug for ip6_ptr
    - igmp: Fix data-races around sysctl_igmp_qrv.
    - net: sungem_phy: Add of_node_put() for reference returned by of_get_parent()
    - tcp: Fix a data-race around sysctl_tcp_min_tso_segs.
    - tcp: Fix a data-race around sysctl_tcp_min_rtt_wlen.
    - tcp: Fix a data-race around sysctl_tcp_autocorking.
    - tcp: Fix a data-race around sysctl_tcp_invalid_ratelimit.
    - Documentation: fix sctp_wmem in ip-sysctl.rst
    - tcp: Fix a data-race around sysctl_tcp_comp_sack_delay_ns.
    - tcp: Fix a data-race around sysctl_tcp_comp_sack_nr.
    - i40e: Fix interface init with MSI interrupts (no MSI-X)
    - sctp: fix sleep in atomic context bug in timer handlers
    - virtio-net: fix the race between refill work and close
    - perf symbol: Correct address for bss symbols
    - sfc: disable softirqs for ptp TX
    - sctp: leave the err path free in sctp_stream_init to sctp_stream_free
    - ARM: crypto: comment out gcc warning that breaks clang builds
    - mt7601u: add USB device ID for some versions of XiaoDu WiFi Dongle.
    - scsi: core: Fix race between handling STS_RESOURCE and completion
    - Linux 5.4.209
  * Focal update: v5.4.208 upstream stable release (LP: #1988225)
    - pinctrl: stm32: fix optional IRQ support to gpios
    - riscv: add as-options for modules with assembly compontents
    - mlxsw: spectrum_router: Fix IPv4 nexthop gateway indication
    - lockdown: Fix kexec lockdown bypass with ima policy
    - xen/gntdev: Ignore failure to unmap INVALID_GRANT_HANDLE
    - PCI: hv: Fix multi-MSI to allow more than one MSI vector
    - PCI: hv: Fix hv_arch_irq_unmask() for multi-MSI
    - PCI: hv: Reuse existing IRTE allocation in compose_msi_msg()
    - PCI: hv: Fix interrupt mapping for multi-MSI
    - serial: mvebu-uart: correctly report configured baudrate value
    - xfrm: xfrm_policy: fix a possible double xfrm_pols_put() in
      xfrm_bundle_lookup()
    - power/reset: arm-versatile: Fix refcount leak in versatile_reboot_probe
    - pinctrl: ralink: Check for null return of devm_kcalloc
    - perf/core: Fix data race between perf_event_set_output() and
      perf_mmap_close()
    - igc: Reinstate IGC_REMOVED logic and implement it properly
    - ip: Fix data-races around sysctl_ip_no_pmtu_disc.
    - ip: Fix data-races around sysctl_ip_fwd_use_pmtu.
    - ip: Fix data-races around sysctl_ip_nonlocal_bind.
    - ip: Fix a data-race around sysctl_fwmark_reflect.
    - tcp/dccp: Fix a data-race around sysctl_tcp_fwmark_accept.
    - tcp: Fix data-races around sysctl_tcp_mtu_probing.
    - tcp: Fix data-races around sysctl_tcp_base_mss.
    - tcp: Fix data-races around sysctl_tcp_min_snd_mss.
    - tcp: Fix a data-race around sysctl_tcp_mtu_probe_floor.
    - tcp: Fix a data-race around sysctl_tcp_probe_threshold.
    - tcp: Fix a data-race around sysctl_tcp_probe_interval.
    - i2c: cadence: Change large transfer count reset logic to be unconditional
    - net: stmmac: fix dma queue left shift overflow issue
    - net/tls: Fix race in TLS device down flow
    - igmp: Fix data-races around sysctl_igmp_llm_reports.
    - igmp: Fix a data-race around sysctl_igmp_max_memberships.
    - tcp: Fix data-races around sysctl_tcp_syncookies.
    - tcp: Fix data-races around sysctl_tcp_reordering.
    - tcp: Fix data-races around some timeout sysctl knobs.
    - tcp: Fix a data-race around sysctl_tcp_notsent_lowat.
    - tcp: Fix a data-race around sysctl_tcp_tw_reuse.
    - tcp: Fix data-races around sysctl_max_syn_backlog.
    - tcp: Fix data-races around sysctl_tcp_fastopen.
    - iavf: Fix handling of dummy receive descriptors
    - i40e: Fix erroneous adapter reinitialization during recovery process
    - ixgbe: Add locking to prevent panic when setting sriov_numvfs to zero
    - gpio: pca953x: only use single read/write for No AI mode
    - be2net: Fix buffer overflow in be_get_module_eeprom
    - ipv4: Fix a data-race around sysctl_fib_multipath_use_neigh.
    - udp: Fix a data-race around sysctl_udp_l3mdev_accept.
    - tcp: Fix data-races around sysctl knobs related to SYN option.
    - tcp: Fix a data-race around sysctl_tcp_early_retrans.
    - tcp: Fix data-races around sysctl_tcp_recovery.
    - tcp: Fix a data-race around sysctl_tcp_thin_linear_timeouts.
    - tcp: Fix data-races around sysctl_tcp_slow_start_after_idle.
    - tcp: Fix a data-race around sysctl_tcp_retrans_collapse.
    - tcp: Fix a data-race around sysctl_tcp_stdurg.
    - tcp: Fix a data-race around sysctl_tcp_rfc1337.
    - tcp: Fix data-races around sysctl_tcp_max_reordering.
    - spi: bcm2835: bcm2835_spi_handle_err(): fix NULL pointer deref for non DMA
      transfers
    - mm/mempolicy: fix uninit-value in mpol_rebind_policy()
    - bpf: Make sure mac_header was set before using it
    - dlm: fix pending remove if msg allocation fails
    - ima: remove the IMA_TEMPLATE Kconfig option
    - [Config] updateconfigs for IMA_TEMPLATE
    - locking/refcount: Define constants for saturation and max refcount values
    - locking/refcount: Ensure integer operands are treated as signed
    - locking/refcount: Remove unused refcount_*_checked() variants
    - locking/refcount: Move the bulk of the REFCOUNT_FULL implementation into the
      <linux/refcount.h> header
    - locking/refcount: Improve performance of generic REFCOUNT_FULL code
    - locking/refcount: Move saturation warnings out of line
    - locking/refcount: Consolidate REFCOUNT_{MAX,SATURATED} definitions
    - locking/refcount: Consolidate implementations of refcount_t
    - [Config] updateconfigs for REFCOUNT_FULL
    - x86: get rid of small constant size cases in raw_copy_{to,from}_user()
    - x86/uaccess: Implement macros for CMPXCHG on user addresses
    - mmap locking API: initial implementation as rwsem wrappers
    - x86/mce: Deduplicate exception handling
    - bitfield.h: Fix "type of reg too small for mask" test
    - ALSA: memalloc: Align buffer allocations in page size
    - Bluetooth: Add bt_skb_sendmsg helper
    - Bluetooth: Add bt_skb_sendmmsg helper
    - Bluetooth: SCO: Replace use of memcpy_from_msg with bt_skb_sendmsg
    - Bluetooth: RFCOMM: Replace use of memcpy_from_msg with bt_skb_sendmmsg
    - Bluetooth: Fix passing NULL to PTR_ERR
    - Bluetooth: SCO: Fix sco_send_frame returning skb->len
    - Bluetooth: Fix bt_skb_sendmmsg not allocating partial chunks
    - tty: drivers/tty/, stop using tty_schedule_flip()
    - tty: the rest, stop using tty_schedule_flip()
    - tty: drop tty_schedule_flip()
    - tty: extract tty_flip_buffer_commit() from tty_flip_buffer_push()
    - tty: use new tty_insert_flip_string_and_push_buffer() in pty_write()
    - x86: drop bogus "cc" clobber from __try_cmpxchg_user_asm()
    - Linux 5.4.208
  * Focal update: v5.4.207 upstream stable release (LP: #1988219)
    - ALSA: hda - Add fixup for Dell Latitidue E5430
    - ALSA: hda/conexant: Apply quirk for another HP ProDesk 600 G3 model
    - ALSA: hda/realtek - Fix headset mic problem for a HP machine with alc671
    - ALSA: hda/realtek - Fix headset mic problem for a HP machine with alc221
    - ALSA: hda/realtek - Enable the headset-mic on a Xiaomi's laptop
    - xen/netback: avoid entering xenvif_rx_next_skb() with an empty rx queue
    - tracing/histograms: Fix memory leak problem
    - net: sock: tracing: Fix sock_exceed_buf_limit not to dereference stale
      pointer
    - ip: fix dflt addr selection for connected nexthop
    - ARM: 9213/1: Print message about disabled Spectre workarounds only once
    - ARM: 9214/1: alignment: advance IT state after emulating Thumb instruction
    - wifi: mac80211: fix queue selection for mesh/OCB interfaces
    - cgroup: Use separate src/dst nodes when preloading css_sets for migration
    - drm/panfrost: Fix shrinker list corruption by madvise IOCTL
    - nilfs2: fix incorrect masking of permission flags for symlinks
    - Revert "evm: Fix memleak in init_desc"
    - sched/rt: Disable RT_RUNTIME_SHARE by default
    - ext4: fix race condition between ext4_write and ext4_convert_inline_data
    - ARM: dts: imx6qdl-ts7970: Fix ngpio typo and count
    - ARM: 9209/1: Spectre-BHB: avoid pr_info() every time a CPU comes out of idle
    - ARM: 9210/1: Mark the FDT_FIXED sections as shareable
    - drm/i915: fix a possible refcount leak in intel_dp_add_mst_connector()
    - ima: Fix a potential integer overflow in ima_appraise_measurement
    - ASoC: sgtl5000: Fix noise on shutdown/remove
    - net: stmmac: dwc-qos: Disable split header for Tegra194
    - inetpeer: Fix data-races around sysctl.
    - net: Fix data-races around sysctl_mem.
    - cipso: Fix data-races around sysctl.
    - icmp: Fix data-races around sysctl.
    - ipv4: Fix a data-race around sysctl_fib_sync_mem.
    - ARM: dts: at91: sama5d2: Fix typo in i2s1 node
    - ARM: dts: sunxi: Fix SPI NOR campatible on Orange Pi Zero
    - drm/i915/gt: Serialize TLB invalidates with GT resets
    - icmp: Fix a data-race around sysctl_icmp_ratelimit.
    - icmp: Fix a data-race around sysctl_icmp_ratemask.
    - raw: Fix a data-race around sysctl_raw_l3mdev_accept.
    - ipv4: Fix data-races around sysctl_ip_dynaddr.
    - net: ftgmac100: Hold reference returned by of_get_child_by_name()
    - sfc: fix use after free when disabling sriov
    - seg6: fix skb checksum evaluation in SRH encapsulation/insertion
    - seg6: fix skb checksum in SRv6 End.B6 and End.B6.Encaps behaviors
    - seg6: bpf: fix skb checksum in bpf_push_seg6_encap()
    - sfc: fix kernel panic when creating VF
    - mm: sysctl: fix missing numa_stat when !CONFIG_HUGETLB_PAGE
    - virtio_mmio: Add missing PM calls to freeze/restore
    - virtio_mmio: Restore guest page size on resume
    - netfilter: br_netfilter: do not skip all hooks with 0 priority
    - cpufreq: pmac32-cpufreq: Fix refcount leak bug
    - platform/x86: hp-wmi: Ignore Sanitization Mode event
    - net: tipc: fix possible refcount leak in tipc_sk_create()
    - NFC: nxp-nci: don't print header length mismatch on i2c error
    - nvme: fix regression when disconnect a recovering ctrl
    - net: sfp: fix memory leak in sfp_probe()
    - ASoC: ops: Fix off by one in range control validation
    - ASoC: wm5110: Fix DRE control
    - ASoC: cs47l15: Fix event generation for low power mux control
    - ASoC: madera: Fix event generation for OUT1 demux
    - ASoC: madera: Fix event generation for rate controls
    - irqchip: or1k-pic: Undefine mask_ack for level triggered hardware
    - x86: Clear .brk area at early boot
    - soc: ixp4xx/npe: Fix unused match warning
    - ARM: dts: stm32: use the correct clock source for CEC on stm32mp151
    - signal handling: don't use BUG_ON() for debugging
    - USB: serial: ftdi_sio: add Belimo device ids
    - usb: typec: add missing uevent when partner support PD
    - usb: dwc3: gadget: Fix event pending check
    - tty: serial: samsung_tty: set dma burst_size to 1
    - serial: 8250: fix return error code in serial8250_request_std_resource()
    - serial: stm32: Clear prev values before setting RTS delays
    - serial: pl011: UPSTAT_AUTORTS requires .throttle/unthrottle
    - can: m_can: m_can_tx_handler(): fix use after free of skb
    - Linux 5.4.207
  * Focal update: v5.4.206 upstream stable release (LP: #1988215)
    - Linux 5.4.206
  * Focal update: v5.4.205 upstream stable release (LP: #1988214)
    - esp: limit skb_page_frag_refill use to a single page
    - mm/slub: add missing TID updates on slab deactivation
    - can: bcm: use call_rcu() instead of costly synchronize_rcu()
    - can: grcan: grcan_probe(): remove extra of_node_get()
    - can: gs_usb: gs_usb_open/close(): fix memory leak
    - usbnet: fix memory leak in error case
    - net: rose: fix UAF bug caused by rose_t0timer_expiry
    - iommu/vt-d: Fix PCI bus rescan device hot add
    - fbdev: fbmem: Fix logo center image dx issue
    - video: of_display_timing.h: include errno.h
    - powerpc/powernv: delay rng platform device creation until later in boot
    - can: kvaser_usb: replace run-time checks with struct kvaser_usb_driver_info
    - can: kvaser_usb: kvaser_usb_leaf: fix CAN clock frequency regression
    - can: kvaser_usb: kvaser_usb_leaf: fix bittiming limits
    - xfs: remove incorrect ASSERT in xfs_rename
    - ARM: meson: Fix refcount leak in meson_smp_prepare_cpus
    - pinctrl: sunxi: a83t: Fix NAND function name for some pins
    - pinctrl: sunxi: sunxi_pconf_set: use correct offset
    - ARM: at91: pm: use proper compatible for sama5d2's rtc
    - ARM: at91: pm: use proper compatibles for sam9x60's rtc and rtt
    - ibmvnic: Properly dispose of all skbs during a failover.
    - selftests: forwarding: fix flood_unicast_test when h2 supports
      IFF_UNICAST_FLT
    - selftests: forwarding: fix learning_test when h1 supports IFF_UNICAST_FLT
    - selftests: forwarding: fix error message in learning_test
    - i2c: cadence: Unregister the clk notifier in error path
    - dmaengine: imx-sdma: Allow imx8m for imx7 FW revs
    - misc: rtsx_usb: fix use of dma mapped buffer for usb bulk transfer
    - misc: rtsx_usb: use separate command and response buffers
    - misc: rtsx_usb: set return value in rsp_buf alloc err path
    - dt-bindings: dma: allwinner,sun50i-a64-dma: Fix min/max typo
    - ida: don't use BUG_ON() for debugging
    - dmaengine: pl330: Fix lockdep warning about non-static key
    - dmaengine: at_xdma: handle errors of at_xdmac_alloc_desc() correctly
    - dmaengine: ti: Fix refcount leak in ti_dra7_xbar_route_allocate
    - dmaengine: ti: Add missing put_device in ti_dra7_xbar_route_allocate
    - Linux 5.4.205
  * Focal update: v5.4.204 upstream stable release (LP: #1988212)
    - ipv6: take care of disable_policy when restoring routes
    - nvdimm: Fix badblocks clear off-by-one error
    - powerpc/prom_init: Fix kernel config grep
    - powerpc/bpf: Fix use of user_pt_regs in uapi
    - dm raid: fix accesses beyond end of raid member array
    - dm raid: fix KASAN warning in raid5_add_disks
    - s390/archrandom: simplify back to earlier design and initialize earlier
    - SUNRPC: Fix READ_PLUS crasher
    - net: rose: fix UAF bugs caused by timer handler
    - net: usb: ax88179_178a: Fix packet receiving
    - virtio-net: fix race between ndo_open() and virtio_device_ready()
    - selftests/net: pass ipv6_args to udpgso_bench's IPv6 TCP test
    - net: tun: unlink NAPI from device on destruction
    - net: tun: stop NAPI when detaching queues
    - RDMA/qedr: Fix reporting QP timeout attribute
    - linux/dim: Fix divide by 0 in RDMA DIM
    - usbnet: fix memory allocation in helpers
    - net: ipv6: unexport __init-annotated seg6_hmac_net_init()
    - caif_virtio: fix race between virtio_device_ready() and ndo_open()
    - PM / devfreq: exynos-ppmu: Fix refcount leak in of_get_devfreq_events
    - s390: remove unneeded 'select BUILD_BIN2C'
    - netfilter: nft_dynset: restore set element counter when failing to update
    - net/sched: act_api: Notify user space if any actions were flushed before
      error
    - net: bonding: fix possible NULL deref in rlb code
    - net: bonding: fix use-after-free after 802.3ad slave unbind
    - nfc: nfcmrvl: Fix irq_of_parse_and_map() return value
    - NFC: nxp-nci: Don't issue a zero length i2c_master_read()
    - net: tun: avoid disabling NAPI twice
    - xen/gntdev: Avoid blocking in unmap_grant_pages()
    - hwmon: (ibmaem) don't call platform_device_del() if platform_device_add()
      fails
    - net: dsa: bcm_sf2: force pause link settings
    - sit: use min
    - ipv6/sit: fix ipip6_tunnel_get_prl return value
    - rseq/selftests,x86_64: Add rseq_offset_deref_addv()
    - selftests/rseq: remove ARRAY_SIZE define from individual tests
    - selftests/rseq: introduce own copy of rseq uapi header
    - selftests/rseq: Remove useless assignment to cpu variable
    - selftests/rseq: Remove volatile from __rseq_abi
    - selftests/rseq: Introduce rseq_get_abi() helper
    - selftests/rseq: Introduce thread pointer getters
    - selftests/rseq: Uplift rseq selftests for compatibility with glibc-2.35
    - selftests/rseq: Fix ppc32: wrong rseq_cs 32-bit field pointer on big endian
    - selftests/rseq: Fix ppc32 missing instruction selection "u" and "x" for
      load/store
    - selftests/rseq: Fix ppc32 offsets by using long rather than off_t
    - selftests/rseq: Fix warnings about #if checks of undefined tokens
    - selftests/rseq: Remove arm/mips asm goto compiler work-around
    - selftests/rseq: Fix: work-around asm goto compiler bugs
    - selftests/rseq: x86-64: use %fs segment selector for accessing rseq thread
      area
    - selftests/rseq: x86-32: use %gs segment selector for accessing rseq thread
      area
    - selftests/rseq: Change type of rseq_offset to ptrdiff_t
    - xen/blkfront: fix leaking data in shared pages
    - xen/netfront: fix leaking data in shared pages
    - xen/netfront: force data bouncing when backend is untrusted
    - xen/blkfront: force data bouncing when backend is untrusted
    - xen/arm: Fix race in RB-tree based P2M accounting
    - net: usb: qmi_wwan: add Telit 0x1060 composition
    - net: usb: qmi_wwan: add Telit 0x1070 composition
    - clocksource/drivers/ixp4xx: remove EXPORT_SYMBOL_GPL from
      ixp4xx_timer_setup()
    - Linux 5.4.204

Date: 2022-10-17 18:26:11.997609+00:00
Changed-By: Thadeu Lima de Souza Cascardo <thadeu.cascardo at canonical.com>
Signed-By: Andy Whitcroft <apw at canonical.com>
https://launchpad.net/ubuntu/+source/linux-gcp-5.4/5.4.0-1092.101~18.04.1
-------------- next part --------------
Sorry, changesfile not available.


More information about the Bionic-changes mailing list