Ubuntu
linux package

Xenial update to 4.4.140 stable release

Bug #1784409 reported by Kleber Sacilotto de Souza on 2018-07-30

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	linux (Ubuntu)	Invalid	Undecided	Unassigned
	Xenial	Fix Released	Medium	Kleber Sacilotto de Souza

Bug Description

SRU Justification

    Impact:
       The upstream process for stable tree updates is quite similar
       in scope to the Ubuntu SRU process, e.g., each patch has to
       demonstrably fix a bug, and each patch is vetted by upstream
       by originating either directly from a mainline/stable Linux tree or
       a minimally backported form of that patch. The 4.4.140 upstream stable
       patch set is now available. It should be included in the Ubuntu
       kernel as well.

git://git.kernel.org/

TEST CASE: TBD

The following patches from the 4.4.140 stable release shall be applied:

* usb: cdc_acm: Add quirk for Uniden UBC125 scanner
* USB: serial: cp210x: add CESINEL device ids
* USB: serial: cp210x: add Silicon Labs IDs for Windows Update
* n_tty: Fix stall at n_tty_receive_char_special().
* staging: android: ion: Return an ERR_PTR in ion_map_kernel
* n_tty: Access echo_* variables carefully.
* x86/boot: Fix early command-line parsing when matching at end
* ath10k: fix rfc1042 header retrieval in QCA4019 with eth decap mode
* i2c: rcar: fix resume by always initializing registers before transfer
* ipv4: Fix error return value in fib_convert_metrics()
* kprobes/x86: Do not modify singlestep buffer while resuming
* nvme-pci: initialize queue memory before interrupts
* netfilter: nf_tables: use WARN_ON_ONCE instead of BUG_ON in nft_do_chain()
* ARM: dts: imx6q: Use correct SDMA script for SPI5 core
* ubi: fastmap: Correctly handle interrupted erasures in EBA
* mm: hugetlb: yield when prepping struct pages
* tracing: Fix missing return symbol in function_graph output
* scsi: sg: mitigate read/write abuse
* s390: Correct register corruption in critical section cleanup
* drbd: fix access after free
* cifs: Fix infinite loop when using hard mount option
* jbd2: don't mark block as modified if the handle is out of credits
* ext4: make sure bitmaps and the inode table don't overlap with bg descriptors
* ext4: always check block group bounds in ext4_init_block_bitmap()
* ext4: only look at the bg_flags field if it is valid
* ext4: verify the depth of extent tree in ext4_find_extent()
* ext4: include the illegal physical block in the bad map ext4_error msg
* ext4: clear i_data in ext4_inode_info when removing inline data
* ext4: add more inode number paranoia checks
* ext4: add more mount time checks of the superblock
* ext4: check superblock mapped prior to committing
* HID: i2c-hid: Fix "incomplete report" noise
* HID: hiddev: fix potential Spectre v1
* HID: debug: check length before copy_to_user()
* x86/mce: Detect local MCEs properly
* x86/mce: Fix incorrect "Machine check from unknown source" message
* media: cx25840: Use subdev host data for PLL override
* mm, page_alloc: do not break __GFP_THISNODE by zonelist reset
* dm bufio: avoid sleeping while holding the dm_bufio lock
* dm bufio: drop the lock when doing GFP_NOIO allocation
* mtd: rawnand: mxc: set spare area size register explicitly
* dm bufio: don't take the lock in dm_bufio_shrink_count
* mtd: cfi_cmdset_0002: Change definition naming to retry write operation
* mtd: cfi_cmdset_0002: Change erase functions to retry for error
* mtd: cfi_cmdset_0002: Change erase functions to check chip good only
* netfilter: nf_log: don't hold nf_log_mutex during user access
* staging: comedi: quatech_daqp_cs: fix no-op loop daqp_ao_insn_write()
* Linux 4.4.140

Note:
The following patch needed some context adjustment to be applied:
* nvme-pci: initialize queue memory before interrupts

See original description

Tags:

CVE References

Kleber Sacilotto de Souza (kleber-souza) on 2018-07-30

tags:

added: kernel-stable-tracking-bug

Kleber Sacilotto de Souza (kleber-souza) on 2018-07-30

description:

updated

Stefan Bader (smb) on 2018-07-31

Changed in linux (Ubuntu Xenial):
assignee:	nobody → Kleber Sacilotto de Souza (kleber-souza)
importance:	Undecided → Medium
status:	New → In Progress
Changed in linux (Ubuntu):
status:	New → Invalid

Khaled El Mously (kmously) on 2018-07-31

Changed in linux (Ubuntu Xenial):
status:	In Progress → Fix Committed

Revision history for this message

Launchpad Janitor (janitor) wrote on 2018-08-23:

Download full text (16.4 KiB)

This bug was fixed in the package linux - 4.4.0-134.160

---------------
linux (4.4.0-134.160) xenial; urgency=medium

* linux: 4.4.0-134.160 -proposed tracker (LP: #1787177)

  * locking sockets broken due to missing AppArmor socket mediation patches
    (LP: #1780227)
    - UBUNTU SAUCE: apparmor: fix apparmor mediating locking non-fs, unix sockets

  * Backport namespaced fscaps to xenial 4.4 (LP: #1778286)
    - Introduce v3 namespaced file capabilities
    - commoncap: move assignment of fs_ns to avoid null pointer dereference
    - capabilities: fix buffer overread on very short xattr
    - commoncap: Handle memory allocation failure.

  * Xenial update to 4.4.140 stable release (LP: #1784409)
    - usb: cdc_acm: Add quirk for Uniden UBC125 scanner
    - USB: serial: cp210x: add CESINEL device ids
    - USB: serial: cp210x: add Silicon Labs IDs for Windows Update
    - n_tty: Fix stall at n_tty_receive_char_special().
    - staging: android: ion: Return an ERR_PTR in ion_map_kernel
    - n_tty: Access echo_* variables carefully.
    - x86/boot: Fix early command-line parsing when matching at end
    - ath10k: fix rfc1042 header retrieval in QCA4019 with eth decap mode
    - i2c: rcar: fix resume by always initializing registers before transfer
    - ipv4: Fix error return value in fib_convert_metrics()
    - kprobes/x86: Do not modify singlestep buffer while resuming
    - nvme-pci: initialize queue memory before interrupts
    - netfilter: nf_tables: use WARN_ON_ONCE instead of BUG_ON in nft_do_chain()
    - ARM: dts: imx6q: Use correct SDMA script for SPI5 core
    - ubi: fastmap: Correctly handle interrupted erasures in EBA
    - mm: hugetlb: yield when prepping struct pages
    - tracing: Fix missing return symbol in function_graph output
    - scsi: sg: mitigate read/write abuse
    - s390: Correct register corruption in critical section cleanup
    - drbd: fix access after free
    - cifs: Fix infinite loop when using hard mount option
    - jbd2: don't mark block as modified if the handle is out of credits
    - ext4: make sure bitmaps and the inode table don't overlap with bg
      descriptors
    - ext4: always check block group bounds in ext4_init_block_bitmap()
    - ext4: only look at the bg_flags field if it is valid
    - ext4: verify the depth of extent tree in ext4_find_extent()
    - ext4: include the illegal physical block in the bad map ext4_error msg
    - ext4: clear i_data in ext4_inode_info when removing inline data
    - ext4: add more inode number paranoia checks
    - ext4: add more mount time checks of the superblock
    - ext4: check superblock mapped prior to committing
    - HID: i2c-hid: Fix "incomplete report" noise
    - HID: hiddev: fix potential Spectre v1
    - HID: debug: check length before copy_to_user()
    - x86/mce: Detect local MCEs properly
    - x86/mce: Fix incorrect "Machine check from unknown source" message
    - media: cx25840: Use subdev host data for PLL override
    - mm, page_alloc: do not break __GFP_THISNODE by zonelist reset
    - dm bufio: avoid sleeping while holding the dm_bufio lock
    - dm bufio: drop the lock when doing GFP_NOIO allocation
    - mtd: rawnand: mxc: set spa...

This bug was fixed in the package linux - 4.4.0-134.160

---------------
linux (4.4.0-134.160) xenial; urgency=medium

* linux: 4.4.0-134.160 -proposed tracker (LP: #1787177)

* locking sockets broken due to missing AppArmor socket mediation patches
    (LP: #1780227)
    - UBUNTU SAUCE: apparmor: fix apparmor mediating locking non-fs, unix sockets

* Xenial update to 4.4.139 stable release (LP: #1784382)
    - xfrm6: avoid potential infinite loop in _decode_session6()
    - netfilter: ebtables: handle string from userspace with care
    - ipvs: fix buffer overflow with sync daemon and service
    - atm: zatm: fix memcmp casting
    - net: qmi_wwan: Add Netgear Aircard 779S
    - net/sonic: Use dma_mapping_error()
    - Revert "Btrfs: fix scrub to repair raid6 corruption"
    - tcp: do not overshoot window_clamp in tcp_rcv_space_adjust()
    - Btrfs: make raid6 rebuild retry more
    - usb: musb: fix remote wakeup racing with suspend
    - bonding: re-evaluate force_primary when the primary slave name changes
    - tcp: verify the checksum of the first data segment in a new connection
    - ext4: update mtime in ext4_punch_hole even if no blocks are released
    - ext4: fix fencepost error in check for inode count overflow during resize
    - driver core: Don't ignore class_dir_create_and_add() failure.
    - btrfs: scrub: Don't use inode pages for device replace
    - ALSA: hda - Handle kzalloc() failure in snd_hda_attach_pcm_stream()
    - ALSA: hda: add dock and led support for HP EliteBook 830 G5
    - ALSA: hda: add dock and led support for HP ProBook 640 G4
    - cpufreq: Fix new policy initialization during limits updates via sysfs
    - libata: zpodd: make arrays cdb static, reduces object code size
    - libata: zpodd: small read overflow in eject_tray()
    - libata: Drop SanDisk SD7UB3Q*G1001 NOLPM quirk
    - w1: mxc_w1: Enable clock before calling clk_get_rate() on it
    - x86/spectre_v1: Disable compiler optimizations over
      array_index_mask_nospec()
    - m68k/mm: Adjust VM area to be unmapped by gap size for __iounmap()
    - serial: sh-sci: Use spin_{try}lock_irqsave instead of open coding version
    - signal/xtensa: Consistenly use SIGBUS in do_unaligned_user
    - usb: do not reset if a low-speed or full-speed device timed out
    - 1wire: family module autoload fails because of upper/lower case mismatch.
    - ASoC: dapm: delete dapm_kcontrol_data paths list before freeing it
    - ASoC: cirrus: i2s: Fix LRCLK configuration
    - ASoC: cirrus: i2s: Fix {TX|RX}LinCtrlData setup
    - lib/vsprintf: Remove atomic-unsafe support for %pCr
    - mips: ftrace: fix static function graph tracing
    - branch-check: fix long->int truncation when profiling branches
    - ipmi:bt: Set the timeout before doing a capabilities check
    - Bluetooth: hci_qca: Avoid missing rampatch failure with userspace fw loader
    - fuse: atomic_o_trunc should truncate pagecache
    - fuse: don't keep dead fuse_conn at fuse_fill_super().
    - fuse: fix control dir setup and teardown
    - powerpc/mm/hash: Add missing isync prior to kernel stack SLB switch
    - powerpc/ptrace: Fix setting 512B aligned breakpoints with
      PTRACE_SET_DEBUGREG
    - powerpc/ptrace: Fix enforcement of DAWR constraints
    - cpuidle: powernv: Fix promotion from snooze if next state disabled
    - powerpc/fadump: Unregister fadump on kexec down path.
    - ARM: 8764/1: kgdb: fix NUMREGBYTES so that gdb_regs[] is the correct size
    - of: unittest: for strings, account for trailing \0 in property length field
    - IB/qib: Fix DMA api warning with debug kernel
    - RDMA/mlx4: Discard unknown SQP work requests
    - mtd: cfi_cmdset_0002: Change write buffer to check correct value
    - mtd: cfi_cmdset_0002: Use right chip in do_ppb_xxlock()
    - mtd: cfi_cmdset_0002: fix SEGV unlocking multiple chips
    - mtd: cfi_cmdset_0002: Fix unlocking requests crossing a chip boudary
    - mtd: cfi_cmdset_0002: Avoid walking all chips when unlocking.
    - MIPS: BCM47XX: Enable 74K Core ExternalSync for PCIe erratum
    - PCI: pciehp: Clear Presence Detect and Data Link Layer Status Changed on
      resume
    - MIPS: io: Add barrier after register read in inX()
    - time: Make sure jiffies_to_msecs() preserves non-zero time periods
    - Btrfs: fix clone vs chattr NODATASUM race
    - iio:buffer: make length types match kfifo types
    - scsi: qla2xxx: Fix setting lower transfer speed if GPSC fails
    - scsi: zfcp: fix missing SCSI trace for result of eh_host_reset_handler
    - scsi: zfcp: fix missing SCSI trace for retry of abort / scsi_eh TMF
    - scsi: zfcp: fix misleading REC trigger trace where erp_action setup failed
    - scsi: zfcp: fix missing REC trigger trace on terminate_rport_io early return
    - scsi: zfcp: fix missing REC trigger trace on terminate_rport_io for
      ERP_FAILED
    - scsi: zfcp: fix missing REC trigger trace for all objects in ERP_FAILED
    - scsi: zfcp: fix missing REC trigger trace on enqueue without ERP thread
    - linvdimm, pmem: Preserve read-only setting for pmem devices
    - md: fix two problems with setting the "re-add" device state.
    - ubi: fastmap: Cancel work upon detach
    - UBIFS: Fix potential integer overflow in allocation
    - xfrm: skip policies marked as dead while rehashing
    - backlight: as3711_bl: Fix Device Tree node lookup
    - backlight: max8925_bl: Fix Device Tree node lookup
    - backlight: tps65217_bl: Fix Device Tree node lookup
    - mfd: intel-lpss: Program REMAP register in PIO mode
    - perf tools: Fix symbol and object code resolution for vdso32 and vdsox32
    - perf intel-pt: Fix sync_switch INTEL_PT_SS_NOT_TRACING
    - perf intel-pt: Fix decoding to accept CBR between FUP and corresponding TIP
    - perf intel-pt: Fix MTC timing after overflow
    - perf intel-pt: Fix "Unexpected indirect branch" error
    - perf intel-pt: Fix packet decoding of CYC packets
    - media: v4l2-compat-ioctl32: prevent go past max size
    - media: dvb_frontend: fix locking issues at dvb_frontend_get_event()
    - nfsd: restrict rd_maxcount to svc_max_payload in nfsd_encode_readdir
    - NFSv4: Fix possible 1-byte stack overflow in
      nfs_idmap_read_and_verify_message
    - video: uvesafb: Fix integer overflow in allocation
    - Input: elan_i2c - add ELAN0618 (Lenovo v330 15IKB) ACPI ID
    - xen: Remove unnecessary BUG_ON from __unbind_from_irq()
    - udf: Detect incorrect directory size
    - Input: elan_i2c_smbus - fix more potential stack buffer overflows
    - Input: elantech - enable middle button of touchpads on ThinkPad P52
    - Input: elantech - fix V4 report decoding for module with middle key
    - ALSA: hda/realtek - Add a quirk for FSC ESPRIMO U9210
    - Btrfs: fix unexpected cow in run_delalloc_nocow
    - spi: Fix scatterlist elements size in spi_map_buf
    - block: Fix transfer when chunk sectors exceeds max
    - dm thin: handle running out of data space vs concurrent discard
    - cdc_ncm: avoid padding beyond end of skb
    - Bluetooth: Fix connection if directed advertising and privacy is used
    - Linux 4.4.139

* Support AverMedia DVD EZMaker 7 USB video capture dongle (LP: #1620762) //
    Xenial update to 4.4.139 stable release (LP: #1784382)
    - media: cx231xx: Add support for AverMedia DVD EZMaker 7

* vfio/pci: cannot assign a i40e pf device to a vm using vfio-pci
    (LP: #1779830)
    - vfio/pci: Hide broken INTx support from user

* Kernel error "task zfs:pid blocked for more than 120 seconds" (LP: #1781364)
    - SAUCE: (noup) zfs to 0.6.5.6-0ubuntu25

* Allow multiple mounts of zfs datasets (LP: #1759848)
    - SAUCE: Allow mounting datasets more than once (LP: #1759848)

* CVE-2018-12233
    - jfs: Fix inconsistency between memory allocation and ea_buf->max_size

* Redpine: Observed kernel panic while running wireless tests in regression
    mode (LP: #1773410) // Redpine: Observed kernel panic while running soft-ap
    tests (LP: #1777850)
    - SAUCE: Redpine: improve cancel_hw_scan handling to fix kernel panic

* [HMS] Upgrades to Support SocketCAN over USB on Dell IoT 300x Gateways
    (LP: #1783241)
    - SAUCE: (no-up) upgrade IXXAT USB SocketCAN driver

* CVE-2018-13094
    - xfs: don't call xfs_da_shrink_inode with NULL bp

* other users' coredumps can be read via setgid directory and killpriv bypass
    (LP: #1779923) // CVE-2018-13405
    - Fix up non-directory creation in SGID directories

* snapcraft.yaml: missing ubuntu-retpoline-extract-one script breaks the build
    (LP: #1782116)
    - snapcraft.yaml: copy retpoline-extract-one to scripts before build

* Enable basic support for Solarflare 8000 series NIC (LP: #1783152)
    - sfc: make TSO version a per-queue parameter
    - sfc: Add PCI ID for Solarflare 8000 series 10/40G NIC

* Redpine: Observed kernel panic while running wireless regressions tests
    (LP: #1777858)
    - SAUCE: Redpine: improve kernel thread handling to fix kernel panic

* Xenial update to 4.4.138 stable release (LP: #1777389)
    - x86: Remove unused function cpu_has_ht_siblings()
    - x86/cpufeature: Remove unused and seldomly used cpu_has_xx macros
    - x86/fpu: Disable AVX when eagerfpu is off
    - x86/fpu: Revert ("x86/fpu: Disable AVX when eagerfpu is off")
    - x86/fpu: Hard-disable lazy FPU mode
    - af_key: Always verify length of provided sadb_key
    - x86/crypto, x86/fpu: Remove X86_FEATURE_EAGER_FPU #ifdef from the crc32c
      code
    - gpio: No NULL owner
    - Clarify (and fix) MAX_LFS_FILESIZE macros
    - serial: samsung: fix maxburst parameter for DMA transactions
    - vmw_balloon: fixing double free when batching mode is off
    - Input: goodix - add new ACPI id for GPD Win 2 touch screen
    - crypto: vmx - Remove overly verbose printk from AES init routines
    - Linux 4.4.138

* Redpine: wifi-ap stopped working after restart (LP: #1773400)
    - SAUCE: Redpine: fix soft-ap invisible issue

* Xenial update to 4.4.137 stable release (LP: #1777063)
    - tpm: do not suspend/resume if power stays on
    - tpm: self test failure should not cause suspend to fail
    - mmap: introduce sane default mmap limits
    - mmap: relax file size limit for regular files
    - kconfig: Avoid format overflow warning from GCC 8.1
    - xfs: fix incorrect log_flushed on fsync
    - drm: set FMODE_UNSIGNED_OFFSET for drm files
    - brcmfmac: Fix check for ISO3166 code
    - bnx2x: use the right constant
    - dccp: don't free ccid2_hc_tx_sock struct in dccp_disconnect()
    - enic: set DMA mask to 47 bit
    - ip6mr: only set ip6mr_table from setsockopt when ip6mr_new_table succeeds
    - ipv4: remove warning in ip_recv_error
    - isdn: eicon: fix a missing-check bug
    - netdev-FAQ: clarify DaveM's position for stable backports
    - net/packet: refine check for priv area size
    - net: usb: cdc_mbim: add flag FLAG_SEND_ZLP
    - packet: fix reserve calculation
    - qed: Fix mask for physical address in ILT entry
    - net/mlx4: Fix irq-unsafe spinlock usage
    - team: use netdev_features_t instead of u32
    - rtnetlink: validate attributes in do_setlink()
    - net: phy: broadcom: Fix bcm_write_exp()
    - net: metrics: add proper netlink validation
    - Linux 4.4.137

* Xenial update to 4.4.136 stable release (LP: #1776177)
    - arm64: lse: Add early clobbers to some input/output asm operands
    - powerpc/64s: Clear PCR on boot
    - USB: serial: cp210x: use tcflag_t to fix incompatible pointer type
    - sh: New gcc support
    - xfs: detect agfl count corruption and reset agfl
    - Input: elan_i2c_smbus - fix corrupted stack
    - tracing: Fix crash when freeing instances with event triggers
    - selinux: KASAN: slab-out-of-bounds in xattr_getsecurity
    - cfg80211: further limit wiphy names to 64 bytes
    - rtlwifi: rtl8192cu: Remove variable self-assignment in rf.c
    - ASoC: Intel: sst: remove redundant variable dma_dev_name
    - irda: fix overly long udelay()
    - tcp: avoid integer overflows in tcp_rcv_space_adjust()
    - i2c: rcar: make sure clocks are on when doing clock calculation
    - i2c: rcar: rework hw init
    - i2c: rcar: remove unused IOERROR state
    - i2c: rcar: remove spinlock
    - i2c: rcar: refactor setup of a msg
    - i2c: rcar: init new messages in irq
    - i2c: rcar: don't issue stop when HW does it automatically
    - i2c: rcar: check master irqs before slave irqs
    - i2c: rcar: revoke START request early
    - dmaengine: usb-dmac: fix endless loop in usb_dmac_chan_terminate_all()
    - iio:kfifo_buf: check for uint overflow
    - MIPS: ptrace: Fix PTRACE_PEEKUSR requests for 64-bit FGRs
    - MIPS: prctl: Disallow FRE without FR with PR_SET_FP_MODE requests
    - scsi: scsi_transport_srp: Fix shost to rport translation
    - stm class: Use vmalloc for the master map
    - hwtracing: stm: fix build error on some arches
    - drm/i915: Disable LVDS on Radiant P845
    - Kbuild: change CC_OPTIMIZE_FOR_SIZE definition
    - [Config] Add CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE=y
    - fix io_destroy()/aio_complete() race
    - mm: fix the NULL mapping case in __isolate_lru_page()
    - sparc64: Fix build warnings with gcc 7.
    - Linux 4.4.136

* Xenial update to 4.4.135 stable release (LP: #1776158)
    - Revert "vti4: Don't override MTU passed on link creation via IFLA_MTU"
    - Linux 4.4.135

-- Kleber Sacilotto de Souza <kleber.souza@canonical.com>  Wed, 15 Aug 2018 13:51:11 +0000

Changed in linux (Ubuntu Xenial):
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntulinux package