[ubuntu/xenial-security] linux-aws 4.4.0-1106.117 (Accepted)

Andy Whitcroft apw at canonical.com
Wed Apr 29 14:58:06 UTC 2020


linux-aws (4.4.0-1106.117) xenial; urgency=medium

  * xenial/linux-aws: 4.4.0-1106.117 -proposed tracker (LP: #1870649)

  [ Ubuntu: 4.4.0-178.208 ]

  * xenial/linux: 4.4.0-178.208 -proposed tracker (LP: #1870660)
  * CVE-2019-19768
    - blktrace: Protect q->blk_trace with RCU
    - blktrace: fix dereference after null check
  * Multiple Kexec in AWS Nitro instances fail (LP: #1869948)
    - net: ena: Add PCI shutdown handler to allow safe kexec
  * Insert test_bpf module will report 4 failures for ubuntu_bpf_jit on X s390x
    (LP: #1768452)
    - test_bpf: flag tests that cannot be jited on s390
  * Mounting LVM snapshots with xfs can hit kernel BUG in nvme driver
    (LP: #1869229)
    - block: fix bio_will_gap() for first bvec with offset
  * Xenial update: 4.4.217 upstream stable release (LP: #1868629)
    - NFS: Remove superfluous kmap in nfs_readdir_xdr_to_array
    - r8152: check disconnect status after long sleep
    - net: nfc: fix bounds checking bugs on "pipe"
    - bnxt_en: reinitialize IRQs when MTU is modified
    - fib: add missing attribute validation for tun_id
    - nl802154: add missing attribute validation
    - nl802154: add missing attribute validation for dev_type
    - team: add missing attribute validation for port ifindex
    - team: add missing attribute validation for array index
    - nfc: add missing attribute validation for SE API
    - nfc: add missing attribute validation for vendor subcommand
    - ipvlan: add cond_resched_rcu() while processing muticast backlog
    - ipvlan: do not add hardware address of master to its unicast filter list
    - ipvlan: egress mcast packets are not exceptional
    - ipvlan: do not use cond_resched_rcu() in ipvlan_process_multicast()
    - ipvlan: don't deref eth hdr before checking it's set
    - macvlan: add cond_resched() during multicast processing
    - net: fec: validate the new settings in fec_enet_set_coalesce()
    - slip: make slhc_compress() more robust against malicious packets
    - bonding/alb: make sure arp header is pulled before accessing it
    - net: fq: add missing attribute validation for orphan mask
    - iommu/vt-d: quirk_ioat_snb_local_iommu: replace WARN_TAINT with pr_warn +
      add_taint
    - drm/amd/display: remove duplicated assignment to grph_obj_type
    - gfs2_atomic_open(): fix O_EXCL|O_CREAT handling on cold dcache
    - KVM: x86: clear stale x86_emulate_ctxt->intercept value
    - ARC: define __ALIGN_STR and __ALIGN symbols for ARC
    - efi: Fix a race and a buffer overflow while reading efivars via sysfs
    - iommu/vt-d: dmar: replace WARN_TAINT with pr_warn + add_taint
    - iommu/vt-d: Fix a bug in intel_iommu_iova_to_phys() for huge page
    - nl80211: add missing attribute validation for critical protocol indication
    - nl80211: add missing attribute validation for channel switch
    - netfilter: cthelper: add missing attribute validation for cthelper
    - iommu/vt-d: Fix the wrong printing in RHSA parsing
    - iommu/vt-d: Ignore devices with out-of-spec domain number
    - ipv6: restrict IPV6_ADDRFORM operation
    - efi: Add a sanity check to efivar_store_raw()
    - batman-adv: Fix invalid read while copying bat_iv.bcast_own
    - batman-adv: Only put gw_node list reference when removed
    - batman-adv: Only put orig_node_vlan list reference when removed
    - batman-adv: Avoid endless loop in bat-on-bat netdevice check
    - batman-adv: Fix unexpected free of bcast_own on add_if error
    - batman-adv: Fix integer overflow in batadv_iv_ogm_calc_tq
    - batman-adv: init neigh node last seen field
    - batman-adv: Deactivate TO_BE_ACTIVATED hardif on shutdown
    - batman-adv: Drop reference to netdevice on last reference
    - batman-adv: Fix reference counting of vlan object for tt_local_entry
    - batman-adv: Avoid duplicate neigh_node additions
    - batman-adv: fix skb deref after free
    - batman-adv: Fix use-after-free/double-free of tt_req_node
    - batman-adv: Fix ICMP RR ethernet access after skb_linearize
    - batman-adv: Clean up untagged vlan when destroying via rtnl-link
    - batman-adv: Avoid nullptr dereference in bla after vlan_insert_tag
    - batman-adv: Avoid nullptr dereference in dat after vlan_insert_tag
    - batman-adv: Fix orig_node_vlan leak on orig_node_release
    - batman-adv: lock crc access in bridge loop avoidance
    - batman-adv: Fix non-atomic bla_claim::backbone_gw access
    - batman-adv: Fix reference leak in batadv_find_router
    - batman-adv: Free last_bonding_candidate on release of orig_node
    - batman-adv: Fix speedy join in gateway client mode
    - batman-adv: Add missing refcnt for last_candidate
    - batman-adv: Fix double free during fragment merge error
    - batman-adv: Fix transmission of final, 16th fragment
    - batman-adv: Fix rx packet/bytes stats on local ARP reply
    - batman-adv: fix TT sync flag inconsistencies
    - batman-adv: Fix lock for ogm cnt access in batadv_iv_ogm_calc_tq
    - batman-adv: Fix internal interface indices types
    - batman-adv: update data pointers after skb_cow()
    - batman-adv: Fix skbuff rcsum on packet reroute
    - batman-adv: Avoid race in TT TVLV allocator helper
    - batman-adv: Fix TT sync flags for intermediate TT responses
    - batman-adv: prevent TT request storms by not sending inconsistent TT TLVLs
    - batman-adv: Fix debugfs path for renamed hardif
    - batman-adv: Fix debugfs path for renamed softif
    - batman-adv: Avoid storing non-TT-sync flags on singular entries too
    - batman-adv: Prevent duplicated gateway_node entry
    - batman-adv: Prevent duplicated nc_node entry
    - batman-adv: Prevent duplicated global TT entry
    - batman-adv: Prevent duplicated tvlv handler
    - batman-adv: Reduce claim hash refcnt only for removed entry
    - batman-adv: Reduce tt_local hash refcnt only for removed entry
    - batman-adv: Reduce tt_global hash refcnt only for removed entry
    - batman-adv: Only read OGM tvlv_len after buffer len check
    - batman-adv: Avoid free/alloc race when handling OGM buffer
    - batman-adv: Don't schedule OGM for disabled interface
    - perf/amd/uncore: Replace manual sampling check with CAP_NO_INTERRUPT flag
    - net: ks8851-ml: Fix IRQ handling and locking
    - signal: avoid double atomic counter increments for user accounting
    - jbd2: fix data races at struct journal_head
    - ARM: 8957/1: VDSO: Match ARMv8 timer in cntvct_functional()
    - ARM: 8958/1: rename missed uaccess .fixup section
    - mm: slub: add missing TID bump in kmem_cache_alloc_bulk()
    - ipv4: ensure rcu_read_lock() in cipso_v4_error()
    - Linux 4.4.217
  * Xenial update: 4.4.216 upstream stable release (LP: #1868628)
    - iwlwifi: pcie: fix rb_allocator workqueue allocation
    - ext4: fix potential race between online resizing and write operations
    - ext4: fix potential race between s_flex_groups online resizing and access
    - ext4: fix potential race between s_group_info online resizing and access
    - ipmi:ssif: Handle a possible NULL pointer reference
    - mac80211: consider more elements in parsing CRC
    - cfg80211: check wiphy driver existence for drvinfo report
    - cifs: Fix mode output in debugging statements
    - cfg80211: add missing policy for NL80211_ATTR_STATUS_CODE
    - sysrq: Restore original console_loglevel when sysrq disabled
    - sysrq: Remove duplicated sysrq message
    - net: fib_rules: Correctly set table field when table number exceeds 8 bits
    - net: phy: restore mdio regs in the iproc mdio driver
    - ipv6: Fix nlmsg_flags when splitting a multipath route
    - ipv6: Fix route replacement with dev-only route
    - sctp: move the format error check out of __sctp_sf_do_9_1_abort
    - nfc: pn544: Fix occasional HW initialization failure
    - net: sched: correct flower port blocking
    - ext4: potential crash on allocation error in ext4_alloc_flex_bg_array()
    - audit: fix error handling in audit_data_to_entry()
    - HID: core: fix off-by-one memset in hid_report_raw_event()
    - HID: core: increase HID report buffer size to 8KiB
    - HID: hiddev: Fix race in in hiddev_disconnect()
    - MIPS: VPE: Fix a double free and a memory leak in 'release_vpe()'
    - i2c: jz4780: silence log flood on txabrt
    - ecryptfs: Fix up bad backport of fe2e082f5da5b4a0a92ae32978f81507ef37ec66
    - net: netlink: cap max groups which will be considered in netlink_bind()
    - namei: only return -ECHILD from follow_dotdot_rcu()
    - KVM: Check for a bad hva before dropping into the ghc slow path
    - slip: stop double free sl->dev in slip_open
    - mm: make page ref count overflow check tighter and more explicit
    - mm, gup: remove broken VM_BUG_ON_PAGE compound check for hugepages
    - audit: always check the netlink payload length in audit_receive_msg()
    - serial: ar933x_uart: set UART_CS_{RX,TX}_READY_ORIDE
    - usb: gadget: ffs: ffs_aio_cancel(): Save/restore IRQ flags
    - usb: gadget: serial: fix Tx stall after buffer overflow
    - drm: msm: Fix return type of dsi_mgr_connector_mode_valid for kCFI
    - drm/msm/dsi: save pll state before dsi host is powered off
    - net: ks8851-ml: Remove 8-bit bus accessors
    - net: ks8851-ml: Fix 16-bit data access
    - net: ks8851-ml: Fix 16-bit IO operation
    - watchdog: da9062: do not ping the hw during stop()
    - s390/cio: cio_ignore_proc_seq_next should increase position index
    - cifs: don't leak -EAGAIN for stat() during reconnect
    - usb: storage: Add quirk for Samsung Fit flash
    - usb: quirks: add NO_LPM quirk for Logitech Screen Share
    - usb: core: hub: do error out if usb_autopm_get_interface() fails
    - usb: core: port: do error out if usb_autopm_get_interface() fails
    - vgacon: Fix a UAF in vgacon_invert_region
    - fat: fix uninit-memory access for partial initialized inode
    - vt: selection, close sel_buffer race
    - vt: selection, push console lock down
    - vt: selection, push sel_lock up
    - dmaengine: tegra-apb: Fix use-after-free
    - dmaengine: tegra-apb: Prevent race conditions of tasklet vs free list
    - ASoC: pcm: Fix possible buffer overflow in dpcm state sysfs output
    - ASoC: pcm512x: Fix unbalanced regulator enable call in probe error path
    - ASoC: dapm: Correct DAPM handling of active widgets during shutdown
    - RDMA/iwcm: Fix iwcm work deallocation
    - RMDA/cm: Fix missing ib_cm_destroy_id() in ib_cm_insert_listen()
    - ARM: imx: build v7_cpu_resume() unconditionally
    - hwmon: (adt7462) Fix an error return in ADT7462_REG_VOLT()
    - dmaengine: coh901318: Fix a double lock bug in dma_tc_handle()
    - powerpc: fix hardware PMU exception bug on PowerVM compatibility mode
      systems
    - dm cache: fix a crash due to incorrect work item cancelling
    - crypto: algif_skcipher - use ZERO_OR_NULL_PTR in skcipher_recvmsg_async
    - Linux 4.4.216
  * Xenial update: 4.4.215 upstream stable release (LP: #1868627)
    - ALSA: hda: Use scnprintf() for printing texts for sysfs/procfs
    - ecryptfs: fix a memory leak bug in parse_tag_1_packet()
    - ecryptfs: fix a memory leak bug in ecryptfs_init_messaging()
    - ALSA: usb-audio: Apply sample rate quirk for Audioengine D1
    - ubifs: Fix deadlock in concurrent bulk-read and writepage
    - ext4: fix checksum errors with indexed dirs
    - Btrfs: fix race between using extent maps and merging them
    - btrfs: log message when rw remount is attempted with unclean tree-log
    - padata: Remove broken queue flushing
    - s390/time: Fix clk type in get_tod_clock
    - hwmon: (pmbus/ltc2978) Fix PMBus polling of MFR_COMMON definitions.
    - jbd2: move the clearing of b_modified flag to the journal_unmap_buffer()
    - jbd2: do not clear the BH_Mapped flag when forgetting a metadata buffer
    - btrfs: print message when tree-log replay starts
    - scsi: qla2xxx: fix a potential NULL pointer dereference
    - Revert "KVM: VMX: Add non-canonical check on writes to RTIT address MSRs"
    - drm/gma500: Fixup fbdev stolen size usage evaluation
    - brcmfmac: Fix use after free in brcmf_sdio_readframes()
    - gianfar: Fix TX timestamping with a stacked DSA driver
    - pinctrl: sh-pfc: sh7264: Fix CAN function GPIOs
    - media: i2c: mt9v032: fix enum mbus codes and frame sizes
    - media: sti: bdisp: fix a possible sleep-in-atomic-context bug in
      bdisp_device_run()
    - efi/x86: Map the entire EFI vendor string before copying it
    - MIPS: Loongson: Fix potential NULL dereference in loongson3_platform_init()
    - uio: fix a sleep-in-atomic-context bug in uio_dmem_genirq_irqcontrol()
    - usb: gadget: udc: fix possible sleep-in-atomic-context bugs in gr_probe()
    - nfs: NFS_SWAP should depend on SWAP
    - jbd2: clear JBD2_ABORT flag before journal_reset to update log tail info
      when load journal
    - tracing: Fix very unlikely race of registering two stat tracers
    - ext4, jbd2: ensure panic when aborting with zero errno
    - kconfig: fix broken dependency in randconfig-generated .config
    - clk: qcom: rcg2: Don't crash if our parent can't be found; return an error
    - drm/amdgpu: remove 4 set but not used variable in
      amdgpu_atombios_get_connector_info_from_object_table
    - regulator: rk808: Lower log level on optional GPIOs being not available
    - NFC: port100: Convert cpu_to_le16(le16_to_cpu(E1) + E2) to use
      le16_add_cpu().
    - reiserfs: Fix spurious unlock in reiserfs_fill_super() error handling
    - ALSA: usx2y: Adjust indentation in snd_usX2Y_hwdep_dsp_status
    - b43legacy: Fix -Wcast-function-type
    - ipw2x00: Fix -Wcast-function-type
    - iwlegacy: Fix -Wcast-function-type
    - rtlwifi: rtl_pci: Fix -Wcast-function-type
    - orinoco: avoid assertion in case of NULL pointer
    - ACPICA: Disassembler: create buffer fields in ACPI_PARSE_LOAD_PASS1
    - scsi: aic7xxx: Adjust indentation in ahc_find_syncrate
    - ARM: dts: r8a7779: Add device node for ARM global timer
    - x86/vdso: Provide missing include file
    - pinctrl: sh-pfc: sh7269: Fix CAN function GPIOs
    - ALSA: sh: Fix compile warning wrt const
    - tools lib api fs: Fix gcc9 stringop-truncation compilation error
    - usbip: Fix unsafe unaligned pointer usage
    - soc/tegra: fuse: Correct straps' address for older Tegra124 device trees
    - rcu: Use WRITE_ONCE() for assignments to ->pprev for hlist_nulls
    - Input: edt-ft5x06 - work around first register access error
    - wan: ixp4xx_hss: fix compile-testing on 64-bit
    - ASoC: atmel: fix build error with CONFIG_SND_ATMEL_SOC_DMA=m
    - PCI: Don't disable bridge BARs when assigning bus resources
    - driver core: Print device when resources present in really_probe()
    - drm/nouveau: Fix copy-paste error in nouveau_fence_wait_uevent_handler
    - drm/vmwgfx: prevent memory leak in vmw_cmdbuf_res_add
    - iommu/arm-smmu-v3: Use WRITE_ONCE() when changing validity of an STE
    - scsi: iscsi: Don't destroy session if there are outstanding connections
    - cmd64x: potential buffer overflow in cmd64x_program_timings()
    - ide: serverworks: potential overflow in svwks_set_pio_mode()
    - remoteproc: Initialize rproc_class before use
    - s390/ftrace: generate traced function stack frame
    - ALSA: hda - Add docking station support for Lenovo Thinkpad T420s
    - jbd2: switch to use jbd2_journal_abort() when failed to submit the commit
      record
    - ARM: 8951/1: Fix Kexec compilation issue.
    - hostap: Adjust indentation in prism2_hostapd_add_sta
    - iwlegacy: ensure loop counter addr does not wrap and cause an infinite loop
    - drm/nouveau/disp/nv50-: prevent oops when no channel method map provided
    - trigger_next should increase position index
    - radeon: insert 10ms sleep in dce5_crtc_load_lut
    - ocfs2: fix a NULL pointer dereference when call
      ocfs2_update_inode_fsync_trans()
    - lib/scatterlist.c: adjust indentation in __sg_alloc_table
    - reiserfs: prevent NULL pointer dereference in reiserfs_insert_item()
    - bcache: explicity type cast in bset_bkey_last()
    - irqchip/gic-v3-its: Reference to its_invall_cmd descriptor when building
      INVALL
    - microblaze: Prevent the overflow of the start
    - brd: check and limit max_part par
    - selinux: ensure we cleanup the internal AVC counters on error in
      avc_update()
    - enic: prevent waking up stopped tx queues over watchdog reset
    - floppy: check FDC index for errors before assigning it
    - staging: android: ashmem: Disallow ashmem memory from being remapped
    - staging: vt6656: fix sign of rx_dbm to bb_pre_ed_rssi.
    - usb: uas: fix a plug & unplug racing
    - USB: Fix novation SourceControl XL after suspend
    - USB: hub: Don't record a connect-change event during reset-resume
    - staging: rtl8188eu: Fix potential security hole
    - staging: rtl8188eu: Fix potential overuse of kernel memory
    - x86/mce/amd: Fix kobject lifetime
    - tty: serial: imx: setup the correct sg entry for tx dma
    - xhci: apply XHCI_PME_STUCK_QUIRK to Intel Comet Lake platforms
    - VT_RESIZEX: get rid of field-by-field copyin
    - vt: vt_ioctl: fix race in VT_RESIZEX
    - netfilter: xt_bpf: add overflow checks
    - ext4: fix a data race in EXT4_I(inode)->i_disksize
    - ext4: add cond_resched() to __ext4_find_entry()
    - KVM: apic: avoid calculating pending eoi from an uninitialized val
    - Btrfs: fix btrfs_wait_ordered_range() so that it waits for all ordered
      extents
    - scsi: Revert "RDMA/isert: Fix a recently introduced regression related to
      logout"
    - scsi: Revert "target: iscsi: Wait for all commands to finish before freeing
      a session"
    - ecryptfs: replace BUG_ON with error handling code
    - ALSA: rawmidi: Avoid bit fields for state flags
    - ALSA: seq: Avoid concurrent access to queue flags
    - ALSA: seq: Fix concurrent access to queue current tick/time
    - xen: Enable interrupts when calling _cond_resched()
    - Linux 4.4.215

Date: 2020-04-08 09:48:23.210305+00:00
Changed-By: Kelsey Margarete Skunberg <kelsey.skunberg at canonical.com>
Signed-By: Andy Whitcroft <apw at canonical.com>
https://launchpad.net/ubuntu/+source/linux-aws/4.4.0-1106.117
-------------- next part --------------
Sorry, changesfile not available.


More information about the Xenial-changes mailing list