[ubuntu/focal-security] linux 5.4.0-100.113 (Accepted)

Łukasz Zemczak lukasz.zemczak at canonical.com
Thu Feb 17 15:04:21 UTC 2022


linux (5.4.0-100.113) focal; urgency=medium

  * focal/linux: 5.4.0-100.113 -proposed tracker (LP: #1959900)

  * CVE-2022-22942
    - SAUCE: drm/vmwgfx: Fix stale file descriptors on failed usercopy

  * CVE-2022-0330
    - drm/i915: Flush TLBs before releasing backing store

  * Focal update: v5.4.166 upstream stable release (LP: #1957008)
    - netfilter: selftest: conntrack_vrf.sh: fix file permission
    - Linux 5.4.166
    - net/packet: rx_owner_map depends on pg_vec
    - USB: gadget: bRequestType is a bitfield, not a enum
    - HID: holtek: fix mouse probing
    - udp: using datalen to cap ipv6 udp max gso segments
    - selftests: Calculate udpgso segment count without header adjustment

  * Focal update: v5.4.165 upstream stable release (LP: #1957007)
    - serial: tegra: Change lower tolerance baud rate limit for tegra20 and
      tegra30
    - ntfs: fix ntfs_test_inode and ntfs_init_locked_inode function type
    - HID: quirks: Add quirk for the Microsoft Surface 3 type-cover
    - HID: google: add eel USB id
    - HID: add hid_is_usb() function to make it simpler for USB detection
    - HID: add USB_HID dependancy to hid-prodikeys
    - HID: add USB_HID dependancy to hid-chicony
    - HID: add USB_HID dependancy on some USB HID drivers
    - HID: bigbenff: prevent null pointer dereference
    - HID: wacom: fix problems when device is not a valid USB device
    - HID: check for valid USB device for many HID drivers
    - can: kvaser_usb: get CAN clock frequency from device
    - can: kvaser_pciefd: kvaser_pciefd_rx_error_frame(): increase correct
      stats->{rx,tx}_errors counter
    - can: sja1000: fix use after free in ems_pcmcia_add_card()
    - nfc: fix potential NULL pointer deref in nfc_genl_dump_ses_done
    - selftests: netfilter: add a vrf+conntrack testcase
    - vrf: don't run conntrack on vrf with !dflt qdisc
    - bpf: Fix the off-by-two error in range markings
    - ice: ignore dropped packets during init
    - bonding: make tx_rebalance_counter an atomic
    - nfp: Fix memory leak in nfp_cpp_area_cache_add()
    - seg6: fix the iif in the IPv6 socket control block
    - udp: using datalen to cap max gso segments
    - iavf: restore MSI state on reset
    - iavf: Fix reporting when setting descriptor count
    - IB/hfi1: Correct guard on eager buffer deallocation
    - mm: bdi: initialize bdi_min_ratio when bdi is unregistered
    - ALSA: ctl: Fix copy of updated id with element read/write
    - ALSA: hda/realtek - Add headset Mic support for Lenovo ALC897 platform
    - ALSA: pcm: oss: Fix negative period/buffer sizes
    - ALSA: pcm: oss: Limit the period size to 16MB
    - ALSA: pcm: oss: Handle missing errors in snd_pcm_oss_change_params*()
    - btrfs: clear extent buffer uptodate when we fail to write it
    - btrfs: replace the BUG_ON in btrfs_del_root_ref with proper error handling
    - nfsd: Fix nsfd startup race (again)
    - tracefs: Have new files inherit the ownership of their parent
    - clk: qcom: regmap-mux: fix parent clock lookup
    - drm/syncobj: Deal with signalled fences in drm_syncobj_find_fence.
    - can: pch_can: pch_can_rx_normal: fix use after free
    - can: m_can: Disable and ignore ELO interrupt
    - x86/sme: Explicitly map new EFI memmap table as encrypted
    - libata: add horkage for ASMedia 1092
    - wait: add wake_up_pollfree()
    - SAUCE: binder: export __wake_up_pollfree for binder module
    - binder: use wake_up_pollfree()
    - signalfd: use wake_up_pollfree()
    - aio: keep poll requests on waitqueue until completed
    - aio: fix use-after-free due to missing POLLFREE handling
    - tracefs: Set all files to the same group ownership as the mount option
    - block: fix ioprio_get(IOPRIO_WHO_PGRP) vs setuid(2)
    - qede: validate non LSO skb length
    - ASoC: qdsp6: q6routing: Fix return value from msm_routing_put_audio_mixer
    - i40e: Fix failed opcode appearing if handling messages from VF
    - i40e: Fix pre-set max number of queues for VF
    - mtd: rawnand: fsmc: Take instruction delay into account
    - mtd: rawnand: fsmc: Fix timing computation
    - dt-bindings: net: Reintroduce PHY no lane swap binding
    - tools build: Remove needless libpython-version feature check that breaks
      test-all fast path
    - net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero
    - net: altera: set a couple error code in probe()
    - net: fec: only clear interrupt of handling queue in fec_enet_rx_queue()
    - net, neigh: clear whole pneigh_entry at alloc time
    - net/qla3xxx: fix an error code in ql_adapter_up()
    - Revert "UBUNTU: SAUCE: selftests: fib_tests: assign address to dummy1 for
      rp_filter tests"
    - selftests/fib_tests: Rework fib_rp_filter_test()
    - USB: gadget: detect too-big endpoint 0 requests
    - USB: gadget: zero allocate endpoint 0 buffers
    - usb: core: config: fix validation of wMaxPacketValue entries
    - xhci: Remove CONFIG_USB_DEFAULT_PERSIST to prevent xHCI from runtime
      suspending
    - usb: core: config: using bit mask instead of individual bits
    - xhci: avoid race between disable slot command and host runtime suspend
    - iio: trigger: Fix reference counting
    - iio: trigger: stm32-timer: fix MODULE_ALIAS
    - iio: stk3310: Don't return error code in interrupt handler
    - iio: mma8452: Fix trigger reference couting
    - iio: ltr501: Don't return error code in trigger handler
    - iio: kxsd9: Don't return error code in trigger handler
    - iio: itg3200: Call iio_trigger_notify_done() on error
    - iio: dln2-adc: Fix lockdep complaint
    - iio: dln2: Check return value of devm_iio_trigger_register()
    - iio: at91-sama5d2: Fix incorrect sign extension
    - iio: adc: axp20x_adc: fix charging current reporting on AXP22x
    - iio: ad7768-1: Call iio_trigger_notify_done() on error
    - iio: accel: kxcjk-1013: Fix possible memory leak in probe and remove
    - irqchip/armada-370-xp: Fix return value of armada_370_xp_msi_alloc()
    - irqchip/armada-370-xp: Fix support for Multi-MSI interrupts
    - irqchip/irq-gic-v3-its.c: Force synchronisation when issuing INVALL
    - irqchip: nvic: Fix offset for Interrupt Priority Offsets
    - misc: fastrpc: fix improper packet size calculation
    - bpf: Add selftests to cover packet access corner cases
    - Linux 5.4.165

  * Focal update: v5.4.164 upstream stable release (LP: #1956381)
    - NFSv42: Fix pagecache invalidation after COPY/CLONE
    - of: clk: Make <linux/of_clk.h> self-contained
    - arm64: dts: mcbin: support 2W SFP modules
    - can: j1939: j1939_tp_cmd_recv(): check the dst address of TP.CM_BAM
    - gfs2: Fix length of holes reported at end-of-file
    - drm/sun4i: fix unmet dependency on RESET_CONTROLLER for PHY_SUN6I_MIPI_DPHY
    - mac80211: do not access the IV when it was stripped
    - net/smc: Transfer remaining wait queue entries during fallback
    - atlantic: Fix OOB read and write in hw_atl_utils_fw_rpc_wait
    - net: return correct error code
    - platform/x86: thinkpad_acpi: Fix WWAN device disabled issue after S3 deep
    - s390/setup: avoid using memblock_enforce_memory_limit
    - btrfs: check-integrity: fix a warning on write caching disabled disk
    - thermal: core: Reset previous low and high trip during thermal zone init
    - scsi: iscsi: Unblock session then wake up error handler
    - ata: ahci: Add Green Sardine vendor ID as board_ahci_mobile
    - ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array overflow in
      hns_dsaf_ge_srst_by_port()
    - net: tulip: de4x5: fix the problem that the array 'lp->phy[8]' may be out of
      bound
    - net: ethernet: dec: tulip: de4x5: fix possible array overflows in
      type3_infoblock()
    - perf hist: Fix memory leak of a perf_hpp_fmt
    - perf report: Fix memory leaks around perf_tip()
    - net/smc: Avoid warning of possible recursive locking
    - vrf: Reset IPCB/IP6CB when processing outbound pkts in vrf dev xmit
    - kprobes: Limit max data_size of the kretprobe instances
    - rt2x00: do not mark device gone on EPROTO errors during start
    - cpufreq: Fix get_cpu_device() failure in add_cpu_dev_symlink()
    - s390/pci: move pseudo-MMIO to prevent MIO overlap
    - sata_fsl: fix UAF in sata_fsl_port_stop when rmmod sata_fsl
    - sata_fsl: fix warning in remove_proc_entry when rmmod sata_fsl
    - i2c: stm32f7: flush TX FIFO upon transfer errors
    - i2c: stm32f7: recover the bus on access timeout
    - i2c: stm32f7: stop dma transfer in case of NACK
    - i2c: cbus-gpio: set atomic transfer callback
    - natsemi: xtensa: fix section mismatch warnings
    - net: qlogic: qlcnic: Fix a NULL pointer dereference in
      qlcnic_83xx_add_rings()
    - net: mpls: Fix notifications when deleting a device
    - siphash: use _unaligned version by default
    - net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources()
    - selftests: net: Correct case name
    - rxrpc: Fix rxrpc_local leak in rxrpc_lookup_peer()
    - net: usb: lan78xx: lan78xx_phy_init(): use PHY_POLL instead of "0" if no IRQ
      is available
    - net: marvell: mvpp2: Fix the computation of shared CPUs
    - net: annotate data-races on txq->xmit_lock_owner
    - ipv4: convert fib_num_tclassid_users to atomic_t
    - net/rds: correct socket tunable error in rds_tcp_tune()
    - net/smc: Keep smc_close_final rc during active close
    - drm/msm: Do hw_init() before capturing GPU state
    - ipv6: fix memory leak in fib6_rule_suppress
    - KVM: x86/pmu: Fix reserved bits for AMD PerfEvtSeln register
    - sched/uclamp: Fix rq->uclamp_max not set on first enqueue
    - parisc: Fix KBUILD_IMAGE for self-extracting kernel
    - parisc: Fix "make install" on newer debian releases
    - vgacon: Propagate console boot parameters before calling `vc_resize'
    - xhci: Fix commad ring abort, write all 64 bits to CRCR register.
    - USB: NO_LPM quirk Lenovo Powered USB-C Travel Hub
    - usb: typec: tcpm: Wait in SNK_DEBOUNCED until disconnect
    - x86/tsc: Add a timer to make sure TSC_adjust is always checked
    - x86/tsc: Disable clocksource watchdog for TSC on qualified platorms
    - x86/64/mm: Map all kernel memory into trampoline_pgd
    - tty: serial: msm_serial: Deactivate RX DMA for polling support
    - serial: pl011: Add ACPI SBSA UART match id
    - serial: core: fix transmit-buffer reset and memleak
    - serial: 8250_pci: Fix ACCES entries in pci_serial_quirks array
    - serial: 8250_pci: rewrite pericom_do_set_divisor()
    - iwlwifi: mvm: retry init flow if failed
    - parisc: Mark cr16 CPU clocksource unstable on all SMP machines
    - net/tls: Fix authentication failure in CCM mode
    - Linux 5.4.164

  * Focal update: v5.4.163 upstream stable release (LP: #1956380)
    - USB: serial: option: add Telit LE910S1 0x9200 composition
    - USB: serial: option: add Fibocom FM101-GL variants
    - usb: dwc2: gadget: Fix ISOC flow for elapsed frames
    - usb: dwc2: hcd_queue: Fix use of floating point literal
    - net: nexthop: fix null pointer dereference when IPv6 is not enabled
    - usb: typec: fusb302: Fix masking of comparator and bc_lvl interrupts
    - usb: hub: Fix usb enumeration issue due to address0 race
    - usb: hub: Fix locking issues with address0_mutex
    - binder: fix test regression due to sender_euid change
    - ALSA: ctxfi: Fix out-of-range access
    - media: cec: copy sequence field for the reply
    - HID: wacom: Use "Confidence" flag to prevent reporting invalid contacts
    - staging/fbtft: Fix backlight
    - staging: rtl8192e: Fix use after free in _rtl92e_pci_disconnect()
    - xen: don't continue xenstore initialization in case of errors
    - xen: detect uninitialized xenbus in xenbus_init
    - KVM: PPC: Book3S HV: Prevent POWER7/8 TLB flush flushing SLB
    - tracing/uprobe: Fix uprobe_perf_open probes iteration
    - tracing: Fix pid filtering when triggers are attached
    - mmc: sdhci: Fix ADMA for PAGE_SIZE >= 64KiB
    - mdio: aspeed: Fix "Link is Down" issue
    - PCI: aardvark: Deduplicate code in advk_pcie_rd_conf()
    - PCI: aardvark: Wait for endpoint to be ready before training link
    - PCI: aardvark: Fix big endian support
    - PCI: aardvark: Train link immediately after enabling training
    - PCI: aardvark: Improve link training
    - PCI: aardvark: Issue PERST via GPIO
    - PCI: aardvark: Replace custom macros by standard linux/pci_regs.h macros
    - PCI: aardvark: Don't touch PCIe registers if no card connected
    - PCI: aardvark: Fix compilation on s390
    - PCI: aardvark: Move PCIe reset card code to advk_pcie_train_link()
    - PCI: aardvark: Update comment about disabling link training
    - PCI: pci-bridge-emul: Fix array overruns, improve safety
    - PCI: aardvark: Configure PCIe resources from 'ranges' DT property
    - PCI: aardvark: Fix PCIe Max Payload Size setting
    - PCI: aardvark: Implement re-issuing config requests on CRS response
    - PCI: aardvark: Simplify initialization of rootcap on virtual bridge
    - PCI: aardvark: Fix link training
    - PCI: aardvark: Fix support for bus mastering and PCI_COMMAND on emulated
      bridge
    - PCI: aardvark: Set PCI Bridge Class Code to PCI Bridge
    - PCI: aardvark: Fix support for PCI_BRIDGE_CTL_BUS_RESET on emulated bridge
    - pinctrl: armada-37xx: Correct PWM pins definitions
    - arm64: dts: marvell: armada-37xx: Set pcie_reset_pin to gpio function
    - proc/vmcore: fix clearing user buffer by properly using clear_user()
    - netfilter: ipvs: Fix reuse connection if RS weight is 0
    - ARM: dts: BCM5301X: Fix I2C controller interrupt
    - ARM: dts: BCM5301X: Add interrupt properties to GPIO node
    - ASoC: qdsp6: q6routing: Conditionally reset FrontEnd Mixer
    - ASoC: topology: Add missing rwsem around snd_ctl_remove() calls
    - net: ieee802154: handle iftypes as u32
    - firmware: arm_scmi: pm: Propagate return value to caller
    - NFSv42: Don't fail clone() unless the OP_CLONE operation failed
    - ARM: socfpga: Fix crash with CONFIG_FORTIRY_SOURCE
    - scsi: mpt3sas: Fix kernel panic during drive powercycle test
    - drm/vc4: fix error code in vc4_create_object()
    - iavf: Prevent changing static ITR values if adaptive moderation is on
    - ipv6: fix typos in __ip6_finish_output()
    - nfp: checking parameter process for rx-usecs/tx-usecs is invalid
    - net: ipv6: add fib6_nh_release_dsts stub
    - net: nexthop: release IPv6 per-cpu dsts when replacing a nexthop group
    - scsi: core: sysfs: Fix setting device state to SDEV_RUNNING
    - net/smc: Ensure the active closing peer first closes clcsock
    - nvmet-tcp: fix incomplete data digest send
    - net/ncsi : Add payload to be 32-bit aligned to fix dropped packets
    - PM: hibernate: use correct mode for swsusp_close()
    - tcp_cubic: fix spurious Hystart ACK train detections for not-cwnd-limited
      flows
    - nvmet: use IOCB_NOWAIT only if the filesystem supports it
    - igb: fix netpoll exit with traffic
    - MIPS: use 3-level pgtable for 64KB page size on MIPS_VA_BITS_48
    - net: vlan: fix underflow for the real_dev refcnt
    - net/smc: Don't call clcsock shutdown twice when smc shutdown
    - net: hns3: fix VF RSS failed problem after PF enable multi-TCs
    - net: mscc: ocelot: don't downgrade timestamping RX filters in SIOCSHWTSTAMP
    - net: mscc: ocelot: correctly report the timestamping RX filters in ethtool
    - f2fs: set SBI_NEED_FSCK flag when inconsistent node block found
    - smb3: do not error on fsync when readonly
    - vhost/vsock: fix incorrect used length reported to the guest
    - tracing: Check pid filtering when creating events
    - s390/mm: validate VMA in PGSTE manipulation functions
    - shm: extend forced shm destroy to support objects from several IPC nses
    - NFC: add NCI_UNREG flag to eliminate the race
    - fuse: release pipe buf after last use
    - xen: sync include/xen/interface/io/ring.h with Xen's newest version
    - xen/blkfront: read response from backend only once
    - xen/blkfront: don't take local copy of a request from the ring page
    - xen/blkfront: don't trust the backend response data blindly
    - xen/netfront: read response from backend only once
    - xen/netfront: don't read data from request on the ring page
    - xen/netfront: disentangle tx_skb_freelist
    - xen/netfront: don't trust the backend response data blindly
    - tty: hvc: replace BUG_ON() with negative return value
    - Linux 5.4.163

  * net/mlx5e: EPERM on vlan 0 programming (LP: #1957753)
    - net/mlx5e: Unblock setting vid 0 for VF in case PF isn't eswitch manager

  * CVE-2021-4083
    - fget: check that the fd still exists after getting a ref to it

  * CVE-2021-4155
    - xfs: map unwritten blocks in XFS_IOC_{ALLOC, FREE}SP just like fallocate

Date: 2022-02-03 18:40:09.933492+00:00
Changed-By: Stefan Bader <stefan.bader at canonical.com>
Signed-By: Łukasz Zemczak <lukasz.zemczak at canonical.com>
https://launchpad.net/ubuntu/+source/linux/5.4.0-100.113
-------------- next part --------------
Sorry, changesfile not available.


More information about the Focal-changes mailing list