[ubuntu/disco-security] linux-gcp 5.0.0-1013.13 (Accepted)

Andy Whitcroft apw at canonical.com
Wed Aug 14 05:16:58 UTC 2019


linux-gcp (5.0.0-1013.13) disco; urgency=medium

  * hibmc-drm Causes Unreadable Display for Huawei amd64 Servers (LP: #1762940)
    - gcp: [Config]: Remove CONFIG_DRM_HISI_HIBMC

  [ Ubuntu: 5.0.0-25.26 ]

  * CVE-2019-1125
    - x86/cpufeatures: Carve out CQM features retrieval
    - x86/cpufeatures: Combine word 11 and 12 into a new scattered features word
    - x86/speculation: Prepare entry code for Spectre v1 swapgs mitigations
    - x86/speculation: Enable Spectre v1 swapgs mitigations
    - x86/entry/64: Use JMP instead of JMPQ
    - x86/speculation/swapgs: Exclude ATOMs from speculation through SWAPGS

  [ Ubuntu: 5.0.0-24.25 ]

  * disco/linux: 5.0.0-24.25 -proposed tracker (LP: #1838395)
  * Packaging resync (LP: #1786013)
    - [Packaging] resync git-ubuntu-log
  * hibmc-drm Causes Unreadable Display for Huawei amd64 Servers (LP: #1762940)
    - [Config] Set CONFIG_DRM_HISI_HIBMC to arm64 only
    - SAUCE: Make CONFIG_DRM_HISI_HIBMC depend on ARM64
  * [18.04 FEAT] zKVM: Add hardware CPU Model - kernel part (LP: #1836153)
    - KVM: s390: add debug logging for cpu model subfunctions
    - KVM: s390: implement subfunction processor calls
    - KVM: s390: add vector enhancements facility 2 to cpumodel
    - KVM: s390: add vector BCD enhancements facility to cpumodel
    - KVM: s390: add MSA9 to cpumodel
    - KVM: s390: provide query function for instructions returning 32 byte
    - KVM: s390: add enhanced sort facilty to cpu model
    - KVM: s390: add deflate conversion facilty to cpu model
    - KVM: s390: enable MSA9 keywrapping functions depending on cpu model
  * bcache: risk of data loss on I/O errors in backing or caching devices
    (LP: #1829563)
    - Revert "bcache: set CACHE_SET_IO_DISABLE in bch_cached_dev_error()"
  * Intel ethernet I219 has slow RX speed (LP: #1836152)
    - SAUCE: e1000e: add workaround for possible stalled packet
    - SAUCE: e1000e: disable force K1-off feature
  * Intel ethernet I219 may wrongly detect connection speed as 10Mbps
    (LP: #1836177)
    - SAUCE: e1000e: Make watchdog use delayed work
  * Unhide Nvidia HDA audio controller (LP: #1836308)
    - PCI: Enable NVIDIA HDA controllers
  * Enable Armada SOCs and MVPP2 NIC driver for disco/generic arm64
    (LP: #1835054)
    - [Config] Enable Armada SOCs and MVPP2 NIC driver for disco/generic arm64
  * ixgbe{vf} - Physical Function gets IRQ when VF checks link state
    (LP: #1836760)
    - ixgbevf: Use cached link state instead of re-reading the value for ethtool
  * Two crashes on raid0 error path (during a member device removal)
    (LP: #1836806)
    - block: Fix a NULL pointer dereference in generic_make_request()
    - md/raid0: Do not bypass blocking queue entered for raid0 bios
  * CVE-2019-13233
    - x86/insn-eval: Fix use-after-free access to LDT entry
  * cifs set_oplock buffer overflow in strcat (LP: #1824981)
    - cifs: fix strcat buffer overflow and reduce raciness in
      smb21_set_oplock_level()
  * CVE-2019-13272
    - ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME
  * hda/realtek: can't detect external mic on a Dell machine (LP: #1836755)
    - ALSA: hda/realtek: apply ALC891 headset fixup to one Dell machine
  * CVE-2019-12614
    - powerpc/pseries/dlpar: Fix a missing check in dlpar_parse_cc_property()
  * bnx2x driver causes 100% CPU load (LP: #1832082)
    - bnx2x: Prevent ptp_task to be rescheduled indefinitely
  * Sometimes touchpad detected as mouse(i2c designware fails to get adapter
    number) (LP: #1835150)
    - i2c: i2c-designware-platdrv: Cleanup setting of the adapter number
    - i2c: i2c-designware-platdrv: Always use a dynamic adapter number
  * Disco update: 5.0.18 upstream stable release (LP: #1836614)
    - locking/rwsem: Prevent decrement of reader count before increment
    - x86/speculation/mds: Revert CPU buffer clear on double fault exit
    - x86/speculation/mds: Improve CPU buffer clear documentation
    - objtool: Fix function fallthrough detection
    - arm64: dts: rockchip: fix IO domain voltage setting of APIO5 on rockpro64
    - arm64: dts: rockchip: Disable DCMDs on RK3399's eMMC controller.
    - ARM: dts: qcom: ipq4019: enlarge PCIe BAR range
    - ARM: dts: exynos: Fix interrupt for shared EINTs on Exynos5260
    - ARM: dts: exynos: Fix audio (microphone) routing on Odroid XU3
    - mmc: sdhci-of-arasan: Add DTS property to disable DCMDs.
    - ARM: exynos: Fix a leaked reference by adding missing of_node_put
    - power: supply: axp288_charger: Fix unchecked return value
    - power: supply: axp288_fuel_gauge: Add ACEPC T8 and T11 mini PCs to the
      blacklist
    - arm64: mmap: Ensure file offset is treated as unsigned
    - arm64: arch_timer: Ensure counter register reads occur with seqlock held
    - arm64: compat: Reduce address limit
    - arm64: Clear OSDLR_EL1 on CPU boot
    - arm64: Save and restore OSDLR_EL1 across suspend/resume
    - sched/x86: Save [ER]FLAGS on context switch
    - x86/MCE: Add an MCE-record filtering function
    - x86/MCE/AMD: Turn off MC4_MISC thresholding on all family 0x15 models
    - x86/MCE/AMD: Carve out the MC4_MISC thresholding quirk
    - x86/MCE: Group AMD function prototypes in <asm/mce.h>
    - x86/MCE/AMD: Don't report L1 BTB MCA errors on some family 17h models
    - crypto: crypto4xx - fix ctr-aes missing output IV
    - crypto: crypto4xx - fix cfb and ofb "overran dst buffer" issues
    - crypto: salsa20 - don't access already-freed walk.iv
    - crypto: lrw - don't access already-freed walk.iv
    - crypto: chacha-generic - fix use as arm64 no-NEON fallback
    - crypto: chacha20poly1305 - set cra_name correctly
    - crypto: ccp - Do not free psp_master when PLATFORM_INIT fails
    - crypto: vmx - fix copy-paste error in CTR mode
    - crypto: skcipher - don't WARN on unprocessed data after slow walk step
    - crypto: crct10dif-generic - fix use via crypto_shash_digest()
    - crypto: x86/crct10dif-pcl - fix use via crypto_shash_digest()
    - crypto: arm64/gcm-aes-ce - fix no-NEON fallback code
    - crypto: gcm - fix incompatibility between "gcm" and "gcm_base"
    - crypto: rockchip - update IV buffer to contain the next IV
    - crypto: caam/qi2 - fix zero-length buffer DMA mapping
    - crypto: caam/qi2 - fix DMA mapping of stack memory
    - crypto: caam/qi2 - generate hash keys in-place
    - crypto: arm/aes-neonbs - don't access already-freed walk.iv
    - crypto: arm64/aes-neonbs - don't access already-freed walk.iv
    - mmc: tegra: fix ddr signaling for non-ddr modes
    - mmc: core: Fix tag set memory leak
    - mmc: sdhci-pci: Fix BYT OCP setting
    - ALSA: line6: toneport: Fix broken usage of timer for delayed execution
    - ALSA: usb-audio: Fix a memory leak bug
    - ALSA: hda/realtek - EAPD turn on later
    - ASoC: max98090: Fix restore of DAPM Muxes
    - ASoC: RT5677-SPI: Disable 16Bit SPI Transfers
    - ASoC: fsl_esai: Fix missing break in switch statement
    - ASoC: codec: hdac_hdmi add device_link to card device
    - bpf, arm64: remove prefetch insn in xadd mapping
    - crypto: ccree - remove special handling of chained sg
    - crypto: ccree - fix mem leak on error path
    - crypto: ccree - don't map MAC key on stack
    - crypto: ccree - use correct internal state sizes for export
    - crypto: ccree - don't map AEAD key and IV on stack
    - crypto: ccree - pm resume first enable the source clk
    - crypto: ccree - HOST_POWER_DOWN_EN should be the last CC access during
      suspend
    - crypto: ccree - add function to handle cryptocell tee fips error
    - crypto: ccree - handle tee fips error during power management resume
    - mm/mincore.c: make mincore() more conservative
    - mm/huge_memory: fix vmf_insert_pfn_{pmd, pud}() crash, handle unaligned
      addresses
    - mm/hugetlb.c: don't put_page in lock of hugetlb_lock
    - hugetlb: use same fault hash key for shared and private mappings
    - ocfs2: fix ocfs2 read inode data panic in ocfs2_iget
    - userfaultfd: use RCU to free the task struct when fork fails
    - ACPI: PM: Set enable_for_wake for wakeup GPEs during suspend-to-idle
    - mfd: da9063: Fix OTP control register names to match datasheets for
      DA9063/63L
    - mfd: max77620: Fix swapped FPS_PERIOD_MAX_US values
    - mtd: spi-nor: intel-spi: Avoid crossing 4K address boundary on read/write
    - mtd: maps: physmap: Store gpio_values correctly
    - mtd: maps: Allow MTD_PHYSMAP with MTD_RAM
    - tty: vt.c: Fix TIOCL_BLANKSCREEN console blanking if blankinterval == 0
    - tty/vt: fix write/write race in ioctl(KDSKBSENT) handler
    - jbd2: check superblock mapped prior to committing
    - ext4: make sanity check in mballoc more strict
    - ext4: ignore e_value_offs for xattrs with value-in-ea-inode
    - ext4: avoid drop reference to iloc.bh twice
    - ext4: fix use-after-free race with debug_want_extra_isize
    - ext4: actually request zeroing of inode table after grow
    - ext4: fix ext4_show_options for file systems w/o journal
    - btrfs: Check the first key and level for cached extent buffer
    - btrfs: Correctly free extent buffer in case btree_read_extent_buffer_pages
      fails
    - btrfs: Honour FITRIM range constraints during free space trim
    - Btrfs: send, flush dellaloc in order to avoid data loss
    - Btrfs: do not start a transaction during fiemap
    - Btrfs: do not start a transaction at iterate_extent_inodes()
    - Btrfs: fix race between send and deduplication that lead to failures and
      crashes
    - bcache: fix a race between cache register and cacheset unregister
    - bcache: never set KEY_PTRS of journal key to 0 in journal_reclaim()
    - ipmi:ssif: compare block number correctly for multi-part return messages
    - crypto: ccm - fix incompatibility between "ccm" and "ccm_base"
    - fs/writeback.c: use rcu_barrier() to wait for inflight wb switches going
      into workqueue when umount
    - tty: Don't force RISCV SBI console as preferred console
    - ext4: fix data corruption caused by overlapping unaligned and aligned IO
    - ext4: fix use-after-free in dx_release()
    - ext4: avoid panic during forced reboot due to aborted journal
    - ALSA: hda/realtek - Fix for Lenovo B50-70 inverted internal microphone bug
    - jbd2: fix potential double free
    - KVM: Fix the bitmap range to copy during clear dirty
    - KVM: x86: Skip EFER vs. guest CPUID checks for host-initiated writes
    - KVM: lapic: Busy wait for timer to expire when using hv_timer
    - kbuild: turn auto.conf.cmd into a mandatory include file
    - xen/pvh: set xen_domain_type to HVM in xen_pvh_init
    - xen/pvh: correctly setup the PV EFI interface for dom0
    - libnvdimm/namespace: Fix label tracking error
    - iov_iter: optimize page_copy_sane()
    - mm/gup: Remove the 'write' parameter from gup_fast_permitted()
    - s390/mm: make the pxd_offset functions more robust
    - s390/mm: convert to the generic get_user_pages_fast code
    - ext4: fix compile error when using BUFFER_TRACE
    - ext4: don't update s_rev_level if not required
    - Linux 5.0.18
  * Disco update: 5.0.17 upstream stable release (LP: #1836577)
    - bfq: update internal depth state when queue depth changes
    - platform/x86: sony-laptop: Fix unintentional fall-through
    - platform/x86: thinkpad_acpi: Disable Bluetooth for some machines
    - platform/x86: dell-laptop: fix rfkill functionality
    - hwmon: (pwm-fan) Disable PWM if fetching cooling data fails
    - hwmon: (occ) Fix extended status bits
    - selftests/seccomp: Handle namespace failures gracefully
    - kernfs: fix barrier usage in __kernfs_new_node()
    - virt: vbox: Sanity-check parameter types for hgcm-calls coming from
      userspace
    - USB: serial: fix unthrottle races
    - iio: adc: xilinx: fix potential use-after-free on remove
    - iio: adc: xilinx: fix potential use-after-free on probe
    - iio: adc: xilinx: prevent touching unclocked h/w on remove
    - acpi/nfit: Always dump _DSM output payload
    - libnvdimm/namespace: Fix a potential NULL pointer dereference
    - HID: input: add mapping for Expose/Overview key
    - HID: input: add mapping for keyboard Brightness Up/Down/Toggle keys
    - HID: input: add mapping for "Toggle Display" key
    - libnvdimm/btt: Fix a kmemdup failure check
    - s390/dasd: Fix capacity calculation for large volumes
    - mac80211: fix unaligned access in mesh table hash function
    - mac80211: Increase MAX_MSG_LEN
    - cfg80211: Handle WMM rules in regulatory domain intersection
    - mac80211: fix memory accounting with A-MSDU aggregation
    - nl80211: Add NL80211_FLAG_CLEAR_SKB flag for other NL commands
    - libnvdimm/security: provide fix for secure-erase to use zero-key
    - libnvdimm/pmem: fix a possible OOB access when read and write pmem
    - tools/testing/nvdimm: Retain security state after overwrite
    - s390/3270: fix lockdep false positive on view->lock
    - drm/ttm: fix dma_fence refcount imbalance on error path
    - drm/amd/display: extending AUX SW Timeout
    - clocksource/drivers/npcm: select TIMER_OF
    - clocksource/drivers/oxnas: Fix OX820 compatible
    - selftests: fib_tests: Fix 'Command line is not complete' errors
    - drm/amdgpu: shadow in shadow_list without tbo.mem.start cause page fault in
      sriov TDR
    - mISDN: Check address length before reading address family
    - vxge: fix return of a free'd memblock on a failed dma mapping
    - qede: fix write to free'd pointer error and double free of ptp
    - afs: Unlock pages for __pagevec_release()
    - afs: Fix in-progess ops to ignore server-level callback invalidation
    - qed: Delete redundant doorbell recovery types
    - qed: Fix the doorbell address sanity check
    - qed: Fix missing DORQ attentions
    - qed: Fix the DORQ's attentions handling
    - drm/amd/display: If one stream full updates, full update all planes
    - s390/pkey: add one more argument space for debug feature entry
    - x86/build/lto: Fix truncated .bss with -fdata-sections
    - x86/mm: Prevent bogus warnings with "noexec=off"
    - x86/reboot, efi: Use EFI reboot for Acer TravelMate X514-51T
    - KVM: nVMX: always use early vmcs check when EPT is disabled
    - KVM: fix spectrev1 gadgets
    - KVM: x86: avoid misreporting level-triggered irqs as edge-triggered in
      tracing
    - tools lib traceevent: Fix missing equality check for strcmp
    - perf top: Always sample time to satisfy needs of use of ordered queuing
    - ipmi: ipmi_si_hardcode.c: init si_type array to fix a crash
    - ocelot: Don't sleep in atomic context (irqs_disabled())
    - perf tools: Fix map reference counting
    - scsi: aic7xxx: fix EISA support
    - slab: store tagged freelist for off-slab slabmgmt
    - mm/hotplug: treat CMA pages as unmovable
    - mm: fix inactive list balancing between NUMA nodes and cgroups
    - init: initialize jump labels before command line option parsing
    - drm: bridge: dw-hdmi: Fix overflow workaround for Rockchip SoCs
    - selftests: netfilter: check icmp pkttoobig errors are set as related
    - ipvs: do not schedule icmp errors from tunnels
    - netfilter: ctnetlink: don't use conntrack/expect object addresses as id
    - netfilter: nf_tables: prevent shift wrap in nft_chain_parse_hook()
    - netfilter: nat: fix icmp id randomization
    - MIPS: perf: ath79: Fix perfcount IRQ assignment
    - IB/mlx5: Fix scatter to CQE in DCT QP creation
    - s390: ctcm: fix ctcm_new_device error return code
    - drm/sun4i: Set device driver data at bind time for use in unbind
    - drm/sun4i: Fix component unbinding and component master deletion
    - of_net: Fix residues after of_get_nvmem_mac_address removal
    - selftests/net: correct the return value for run_afpackettests
    - netfilter: never get/set skb->tstamp
    - netfilter: fix nf_l4proto_log_invalid to log invalid packets
    - dmaengine: bcm2835: Avoid GFP_KERNEL in device_prep_slave_sg
    - gpu: ipu-v3: dp: fix CSC handling
    - drm/imx: don't skip DP channel disable for background plane
    - ARM: fix function graph tracer and unwinder dependencies
    - ARM: 8856/1: NOMMU: Fix CCR register faulty initialization when MPU is
      disabled
    - spi: Micrel eth switch: declare missing of table
    - spi: ST ST95HF NFC: declare missing of table
    - ceph: handle the case where a dentry has been renamed on outstanding req
    - Revert "drm/virtio: drop prime import/export callbacks"
    - drm/sun4i: Unbind components before releasing DRM and memory
    - Input: snvs_pwrkey - make it depend on ARCH_MXC
    - Input: synaptics-rmi4 - fix possible double free
    - net: vrf: Fix operation not supported when set vrf mac
    - gpio: Fix gpiochip_add_data_with_key() error path
    - mm/memory_hotplug.c: drop memory device reference after find_memory_block()
    - mm/page_alloc.c: avoid potential NULL pointer dereference
    - bpf: only test gso type on gso packets
    - net: sched: fix cleanup NULL pointer exception in act_mirr
    - net: mvpp2: fix validate for PPv2.1
    - drm/rockchip: fix for mailbox read validation.
    - cw1200: fix missing unlock on error in cw1200_hw_scan()
    - mwl8k: Fix rate_idx underflow
    - rtlwifi: rtl8723ae: Fix missing break in switch statement
    - Don't jump to compute_result state from check_result state
    - bonding: fix arp_validate toggling in active-backup mode
    - bridge: Fix error path for kobject_init_and_add()
    - dpaa_eth: fix SG frame cleanup
    - fib_rules: return 0 directly if an exactly same rule exists when NLM_F_EXCL
      not supplied
    - ipv4: Fix raw socket lookup for local traffic
    - net: dsa: Fix error cleanup path in dsa_init_module
    - net: ethernet: stmmac: dwmac-sun8i: enable support of unicast filtering
    - net: macb: Change interrupt and napi enable order in open
    - net: seeq: fix crash caused by not set dev.parent
    - net: ucc_geth - fix Oops when changing number of buffers in the ring
    - packet: Fix error path in packet_init
    - selinux: do not report error on connect(AF_UNSPEC)
    - tipc: fix hanging clients using poll with EPOLLOUT flag
    - vlan: disable SIOCSHWTSTAMP in container
    - vrf: sit mtu should not be updated when vrf netdev is the link
    - tuntap: fix dividing by zero in ebpf queue selection
    - tuntap: synchronize through tfiles array instead of tun->numqueues
    - net: phy: fix phy_validate_pause
    - flow_dissector: disable preemption around BPF calls
    - isdn: bas_gigaset: use usb_fill_int_urb() properly
    - drivers/virt/fsl_hypervisor.c: dereferencing error pointers in ioctl
    - drivers/virt/fsl_hypervisor.c: prevent integer overflow in ioctl
    - powerpc/book3s/64: check for NULL pointer in pgd_alloc()
    - powerpc/powernv/idle: Restore IAMR after idle
    - powerpc/booke64: set RI in default MSR
    - virtio_ring: Fix potential mem leak in virtqueue_add_indirect_packed
    - PCI: hv: Fix a memory leak in hv_eject_device_work()
    - PCI: hv: Add hv_pci_remove_slots() when we unload the driver
    - PCI: hv: Add pci_destroy_slot() in pci_devices_present_work(), if necessary
    - f2fs: Fix use of number of devices
    - Linux 5.0.17
    - [Config] update configs after update to 5.0.17
  * Disco update: 5.0.16 upstream stable release (LP: #1835580)
    - Linux 5.0.16
  * CVE-2019-10126
    - mwifiex: Fix heap overflow in mwifiex_uap_parse_tail_ies()
  * CVE-2019-3846
    - mwifiex: Fix possible buffer overflows at parsing bss descriptor
  * CVE-2019-12984
    - nfc: Ensure presence of required attributes in the deactivate_target handler
  * Sometimes touchpad(goodix) can't use tap function (LP: #1836020)
    - SAUCE: i2c: designware: add Inpiron/Vostro 7590 into i2c quirk
  * proc_thermal flooding dmesg (LP: #1824690)
    - drivers: thermal: processor_thermal: Downgrade error message

  [ Ubuntu: 5.0.0-23.24 ]

  * disco/linux: 5.0.0-23.24 -proposed tracker (LP: #1838271)
  * linux hwe i386 kernel 5.0.0-21.22~18.04.1 crashes on Lenovo x220
    (LP: #1838115)
    - x86/mm: Check for pfn instead of page in vmalloc_sync_one()
    - x86/mm: Sync also unmappings in vmalloc_sync_all()
    - mm/vmalloc.c: add priority threshold to __purge_vmap_area_lazy()
    - mm/vmalloc: Sync unmappings in __purge_vmap_area_lazy()

Date: 2019-08-01 16:30:19.381959+00:00
Changed-By: Kleber Sacilotto de Souza <kleber.souza at canonical.com>
Signed-By: Andy Whitcroft <apw at canonical.com>
https://launchpad.net/ubuntu/+source/linux-gcp/5.0.0-1013.13
-------------- next part --------------
Sorry, changesfile not available.


More information about the Disco-changes mailing list