Bug #1877955 “Fix for secure boot rules in IMA arch policy on po...” : Bugs : linux package : Ubuntu

bugproxy (bugproxy) on 2020-05-11

tags:	added: architecture-ppc64le bugnameltc-185515 severity-medium targetmilestone-inin2004
Changed in ubuntu:
assignee:	nobody → Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage)
affects:	ubuntu → linux (Ubuntu)

Andrew Cloke (andrew-cloke) on 2020-05-11

Changed in ubuntu-power-systems:
importance:	Undecided → Medium
assignee:	nobody → Canonical Kernel Team (canonical-kernel-team)

Revision history for this message

Frank Heimes (fheimes) wrote on 2020-05-11:

#1

Thx for creating this separate bug.
I just need to set it to Incomplete until the patch got upstream accepted and is available for example from 'linux-next' (which is not yet the case, but probably soon).
In preparation for the SRU process I changed the bug title.

summary:	- Followon for Ubuntu Kernel Support for OpenPOWER NV Secure & Trusted - Boot + Fix for secure boot rules in IMA arch policy on powerpc
Changed in linux (Ubuntu):
status:	New → Incomplete
Changed in ubuntu-power-systems:
status:	New → Incomplete

Revision history for this message

Frank Heimes (fheimes) wrote on 2020-05-28:

#2

I had another look at the entire thread at lore.kernel.org:
https://lore.kernel<email address hidden>/T/#u
and think patch
"powerpc/ima: Fix secure boot rules in ima arch policy"
is the one that fixes 'powerpc/ima: fix secure boot rules in ima arch policy'.

I looked it up in linux-next and found it:
$ git log --oneline --grep "powerpc/ima: Fix secure boot rules in ima arch policy"
fa4f3f56ccd2 powerpc/ima: Fix secure boot rules in ima arch policy
$ git tag --contains fa4f3f56ccd2
next-20200514
next-20200515
next-20200518
next-20200526
v5.7-rc6
v5.7-rc7
So, looks like it got recently upstream accepted.

If you can confirm that fa4f3f56ccd2 "powerpc/ima: Fix secure boot rules in ima arch policy" is the correct patch that need to be SRUed, I'll submit it for the next SRU cycle (with last for for commit June 3rd).

Frank Heimes (fheimes) on 2020-05-29

description:	updated
description:	updated

Frank Heimes (fheimes) on 2020-05-29

description:	updated
Changed in linux (Ubuntu):
status:	Incomplete → Triaged
Changed in ubuntu-power-systems:
status:	Incomplete → Triaged

Revision history for this message

bugproxy (bugproxy) wrote on 2020-05-29: Comment bridged from LTC Bugzilla

#3

------- Comment From <email address hidden> 2020-05-29 13:23 EDT-------
Yes this is the right patch.

What is SRU ?

Thanks & Regards,
- Nayna

Revision history for this message

Frank Heimes (fheimes) wrote on 2020-05-29:

#4

SRU stands for "Stable Release Update" and describes the process that is needed to get a patch (or patches) to fix critical issues into components that are part of an Ubuntu version that is already released (post GA).

The process for packages (https://wiki.ubuntu.com/StableReleaseUpdates) is slightly different compared to the SRU process for the kernel: https://wiki.ubuntu.com/KernelTeam/KernelUpdates

But there is also such a 'stable release update' process in use upstream at kernel.org.

Revision history for this message

Frank Heimes (fheimes) wrote on 2020-05-29:

#5

Kernel SRU request submitted:
https://lists.ubuntu.com/archives/kernel-team/2020-May/thread.html#110532
Updating status to 'In Progress'.

Changed in linux (Ubuntu):
status:	Triaged → In Progress
Changed in ubuntu-power-systems:
status:	Triaged → In Progress

Revision history for this message

bugproxy (bugproxy) wrote on 2020-05-29:

#6

------- Comment From <email address hidden> 2020-05-29 14:23 EDT-------
Thanks for explanation.

Thanks & Regards,
- Nayna

Revision history for this message

bugproxy (bugproxy) wrote on 2020-05-29:

#7

------- Comment From <email address hidden> 2020-05-29 14:30 EDT-------
Thanks !!

Thanks & Regards,
- Nayna

Frank Heimes (fheimes) on 2020-06-03

Changed in linux (Ubuntu Focal):
status:	New → In Progress

Khaled El Mously (kmously) on 2020-06-05

Changed in linux (Ubuntu Focal):
status:	In Progress → Fix Committed

Frank Heimes (fheimes) on 2020-06-05

Changed in ubuntu-power-systems:
status:	In Progress → Fix Committed

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2020-06-10:

#8

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: verification-needed-focal

Revision history for this message

bugproxy (bugproxy) wrote on 2020-06-15:

#9

------- Comment From <email address hidden> 2020-06-15 13:48 EDT-------
Would start to test it today.

Thanks & Regards,
- Nayna

Revision history for this message

bugproxy (bugproxy) wrote on 2020-06-16:

#10

------- Comment From <email address hidden> 2020-06-16 13:03 EDT-------
Hi,

I followed the steps from link - https://wiki.ubuntu.com/Testing/EnableProposed

And have installed kernel:
5.4.0-38-generic for testing.

I am looking now for the key. I am not able to find one in this link - https://launchpad.net/~canonical-kernel-team/+archive/ubuntu/proposed

Can you please share with me the gzip of the key.

Thanks & Regards,
- Nayna

Revision history for this message

Frank Heimes (fheimes) wrote on 2020-06-16:

#11

Hi, since 'proposed' belongs to the official archives (archive.ubuntu.com/ubuntu) and packages from proposed are just located in a special area there (we call it the proposed 'pocket'), kernels and other packages from there that are signed, are signed with the standard and common key.
Only a signed kernel that comes from a non-standard archive (like a PPA) is signed with a different key, hence requires and additional key file.

Revision history for this message

bugproxy (bugproxy) wrote on 2020-06-16:

#12

------- Comment From <email address hidden> 2020-06-16 17:36 EDT-------
Thanks. I have PPA keys as those versions we tested last time.
I do not have common or standard key. Can you please share the tar or path for that ?

Thanks & Regards,
- Nayna

Revision history for this message

Dimitri John Ledkov (xnox) wrote on 2020-06-16:

#13

Hi,

Each signed object is published on in the repository under /$suite/main/signed/$src-$arch. I.e. the linux in focal proposed signed artefacts can be found at:

http://ports.ubuntu.com/dists/focal-proposed/main/signed/linux-ppc64el/

I.e. http://ports.ubuntu.com/dists/focal-proposed/main/signed/linux-ppc64el/5.4.0-38.42/signed.tar.gz

inside that tarball, there should be $version/control/opal.x509 public certificate that is used for signing.

Revision history for this message

bugproxy (bugproxy) wrote on 2020-06-16:

#14

------- Comment From <email address hidden> 2020-06-16 17:51 EDT-------
To be specific.
sudo apt-key list

shows:

ubuntu@ltc-wspoon13:/$ apt-key list
/etc/apt/trusted.gpg.d/canonical-kernel-team_ubuntu_bootstrap.gpg
-----------------------------------------------------------------
pub rsa1024 2010-12-01 [SC]
110E 21D8 B0E2 A1F0 243A F682 0856 F197 B892 ACEA
uid [ unknown] Launchpad PPA for Canonical Kernel Team
/etc/apt/trusted.gpg.d/sforshee_ubuntu_lp1866909.gpg
----------------------------------------------------
pub rsa1024 2011-10-06 [SC]
6B5B 9C22 2E05 413A F654 1676 1212 D9F6 559B 2FA8
uid [ unknown] Launchpad PPA for Seth Forshee
/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
------------------------------------------------------
pub rsa4096 2012-05-11 [SC]
790B C727 7767 219C 42C8 6F93 3B4F E6AC C0B2 1F32
uid [ unknown] Ubuntu Archive Automatic Signing Key (2012) <email address hidden>
/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
------------------------------------------------------
pub rsa4096 2012-05-11 [SC]
8439 38DF 228D 22F7 B374 2BC0 D94A A3F0 EFE2 1092
uid [ unknown] Ubuntu CD Image Automatic Signing Key (2012) <email address hidden>
/etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
------------------------------------------------------
pub rsa4096 2018-09-17 [SC]
F6EC B376 2474 EDA9 D21B 7022 8719 20D1 991B C93C
uid [ unknown] Ubuntu Archive Automatic Signing Key (2018) <email address hidden>

I need OPAL signing key as in path - ppa.launchpad.net/sforshee/lp1866909/ubuntu/dists/focal/main/signed/linux-ppc64el/current/signed.tar.gz

If you will extract this, there is one opal.x509 which is used to sign the kernel. This one is for PPA kernel if I am not missing something. And that is the key I need for proposed. So, if you can share the common or standard OPAL signing key which I can use for proposed, it would be helpful.

Thanks & Regards,
- Nayna

------- Comment From naynjain@ibm.com 2020-06-16 17:51 EDT-------
To be specific.
sudo apt-key list

shows:

ubuntu@ltc-wspoon13:/$ apt-key list
/etc/apt/trusted.gpg.d/canonical-kernel-team_ubuntu_bootstrap.gpg
-----------------------------------------------------------------
pub   rsa1024 2010-12-01 [SC]
110E 21D8 B0E2 A1F0 243A  F682 0856 F197 B892 ACEA
uid           [ unknown] Launchpad PPA for Canonical Kernel Team
/etc/apt/trusted.gpg.d/sforshee_ubuntu_lp1866909.gpg
----------------------------------------------------
pub   rsa1024 2011-10-06 [SC]
6B5B 9C22 2E05 413A F654  1676 1212 D9F6 559B 2FA8
uid           [ unknown] Launchpad PPA for Seth Forshee
/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
------------------------------------------------------
pub   rsa4096 2012-05-11 [SC]
790B C727 7767 219C 42C8  6F93 3B4F E6AC C0B2 1F32
uid           [ unknown] Ubuntu Archive Automatic Signing Key (2012) <ftpmaster@ubuntu.com>
/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
------------------------------------------------------
pub   rsa4096 2012-05-11 [SC]
8439 38DF 228D 22F7 B374  2BC0 D94A A3F0 EFE2 1092
uid           [ unknown] Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>
/etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
------------------------------------------------------
pub   rsa4096 2018-09-17 [SC]
F6EC B376 2474 EDA9 D21B  7022 8719 20D1 991B C93C
uid           [ unknown] Ubuntu Archive Automatic Signing Key (2018) <ftpmaster@ubuntu.com>

I need OPAL signing key as in path - ppa.launchpad.net/sforshee/lp1866909/ubuntu/dists/focal/main/signed/linux-ppc64el/current/signed.tar.gz

If you will extract this, there is one opal.x509 which is used to sign the kernel. This one is for PPA kernel if I am not missing something. And that is the key I need for proposed. So, if you can share the common or standard OPAL signing key which I can use for proposed, it would be helpful.

Thanks & Regards,
- Nayna

Revision history for this message

Frank Heimes (fheimes) wrote on 2020-06-17:

#15

So in general the key should be part of the firmware, in case of a standard IBM Power system, that is shipped to customers with secureboot support,
A kernel from proposed is part of the official Ubuntu archive and with that signed with the standard production key. But that might be different in case a development system is in use or so ...

Anyway, the key can also be found at the Ubuntu archive pages:
here:
http://ports.ubuntu.com/ubuntu-ports/dists/focal/main/signed/linux-ppc64el/
http://ports.ubuntu.com/ubuntu-ports/dists/focal/main/signed/linux-ppc64el/current/signed.tar.gz
or the link for proposed:
http://ports.ubuntu.com/ubuntu-ports/dists/focal-proposed/main/signed/linux-ppc64el/
http://ports.ubuntu.com/ubuntu-ports/dists/focal-proposed/main/signed/linux-ppc64el/current/signed.tar.gz

Revision history for this message

bugproxy (bugproxy) wrote on 2020-06-17:

#16

------- Comment From <email address hidden> 2020-06-17 11:42 EDT-------
Thanks !! This is exactly what I needed.

I am now able to boot the signed kernel both in "secure and trusted enabled" and "only secure enabled" case. The earlier patch was missing the fix for "only secure enabled" case. This patch took care of both.

It works fine and here are the test results:

1. Kernel booted fine both with secure boot enabled/disabled and only "secure boot" enabled.

2. With trusted boot disabled, here is the IMA rules:

ubuntu@ltc-wspoon13:~$ ls /proc/device-tree/ibm,secureboot/
compatible hw-key-hash hw-key-hash-size ibm,cvc name os-secureboot-enforcing phandle secure-enabled
ubuntu@ltc-wspoon13:~$ sudo cat /sys/kernel/security/ima/policy
appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig appraise_flag=check_blacklist

2. With both secure and trusted boot enabled, here how the IMA rules looks like:

ubuntu@ltc-wspoon13:~$ ls /proc/device-tree/ibm,secureboot/
compatible hw-key-hash hw-key-hash-size ibm,cvc name os-secureboot-enforcing phandle secure-enabled trusted-enabled
ubuntu@ltc-wspoon13:~$ sudo cat /sys/kernel/security/ima/policy
[sudo] password for ubuntu:
measure func=KEXEC_KERNEL_CHECK template=ima-modsig
measure func=MODULE_CHECK template=ima-modsig
appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig appraise_flag=check_blacklist

And the config file has CONFIG_MODULE_SIG enabled, on which the powerpc IMA arch policies #ifdef are dependent.
ubuntu@ltc-wspoon13:~$ grep -i MODULE_SIG /boot/config-5.4.0-38-generic
CONFIG_MODULE_SIG_FORMAT=y
CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set
CONFIG_MODULE_SIG_ALL=y
# CONFIG_MODULE_SIG_SHA1 is not set
# CONFIG_MODULE_SIG_SHA224 is not set
# CONFIG_MODULE_SIG_SHA256 is not set
# CONFIG_MODULE_SIG_SHA384 is not set
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

Thanks & Regards,
- Nayna

tags:

added: verification-done-focal
removed: verification-needed-focal

Revision history for this message

Frank Heimes (fheimes) wrote on 2020-06-17:

#17

Great, many thx for the verification!

Revision history for this message

Ubuntu SRU Bot (ubuntu-sru-bot) wrote on 2020-06-30: Autopkgtest regression report (linux-oracle-5.4/5.4.0-1019.19~18.04.1)

#18

All autopkgtests for the newly accepted linux-oracle-5.4 (5.4.0-1019.19~18.04.1) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

zfs-linux/unknown (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#linux-oracle-5.4

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Revision history for this message

Launchpad Janitor (janitor) wrote on 2020-07-01:

#19

Download full text (30.0 KiB)

This bug was fixed in the package linux - 5.4.0-40.44

---------------
linux (5.4.0-40.44) focal; urgency=medium

  * linux-oem-5.6-tools-common and -tools-host should be dropped (LP: #1881120)
    - [Packaging] Add Conflicts/Replaces to remove linux-oem-5.6-tools-common and
      -tools-host

* Packaging resync (LP: #1786013)
- [Packaging] update helper scripts

* Slow send speed with Intel I219-V on Ubuntu 18.04.1 (LP: #1802691)
- e1000e: Disable TSO for buffer overrun workaround

  * CVE-2020-0543
    - UBUNTU/SAUCE: x86/speculation/srbds: do not try to turn mitigation off when
      not supported

  * Realtek 8723DE [10ec:d723] subsystem [10ec:d738] disconnects unsolicitedly
    when Bluetooth is paired: Reason: 23=IEEE8021X_FAILED (LP: #1878147)
    - SAUCE: Revert "UBUNTU: SAUCE: rtw88: Move driver IQK to set channel before
      association for 11N chip"
    - SAUCE: Revert "UBUNTU: SAUCE: rtw88: fix rate for a while after being
      connected"
    - SAUCE: Revert "UBUNTU: SAUCE: rtw88: No retry and report for auth and assoc"
    - SAUCE: Revert "UBUNTU: SAUCE: rtw88: 8723d: Add coex support"
    - rtw88: add a debugfs entry to dump coex's info
    - rtw88: add a debugfs entry to enable/disable coex mechanism
    - rtw88: 8723d: Add coex support
    - SAUCE: rtw88: coex: 8723d: set antanna control owner
    - SAUCE: rtw88: coex: 8723d: handle BT inquiry cases
    - SAUCE: rtw88: fix EAPOL 4-way failure by finish IQK earlier

* CPU stress test fails with focal kernel (LP: #1867900)
- [Config] Disable hisi_sec2 temporarily

  * Enforce all config annotations (LP: #1879327)
    - [Config]: do not enforce CONFIG_VERSION_SIGNATURE
    - [Config]: prepare to enforce all
    - [Config]: enforce all config options

  * Focal update: v5.4.44 upstream stable release (LP: #1881927)
    - ax25: fix setsockopt(SO_BINDTODEVICE)
    - dpaa_eth: fix usage as DSA master, try 3
    - net: don't return invalid table id error when we fall back to PF_UNSPEC
    - net: dsa: mt7530: fix roaming from DSA user ports
    - net: ethernet: ti: cpsw: fix ASSERT_RTNL() warning during suspend
    - __netif_receive_skb_core: pass skb by reference
    - net: inet_csk: Fix so_reuseport bind-address cache in tb->fast*
    - net: ipip: fix wrong address family in init error path
    - net/mlx5: Add command entry handling completion
    - net: mvpp2: fix RX hashing for non-10G ports
    - net: nlmsg_cancel() if put fails for nhmsg
    - net: qrtr: Fix passing invalid reference to qrtr_local_enqueue()
    - net: revert "net: get rid of an signed integer overflow in
      ip_idents_reserve()"
    - net sched: fix reporting the first-time use timestamp
    - net/tls: fix race condition causing kernel panic
    - nexthop: Fix attribute checking for groups
    - r8152: support additional Microsoft Surface Ethernet Adapter variant
    - sctp: Don't add the shutdown timer if its already been added
    - sctp: Start shutdown on association restart if in SHUTDOWN-SENT state and
      socket is closed
    - tipc: block BH before using dst_cache
    - net/mlx5e: kTLS, Destroy key object after destroying the TIS
    - net/mlx5e: Fix inner tirs handling
    - net/m...

This bug was fixed in the package linux - 5.4.0-40.44

---------------
linux (5.4.0-40.44) focal; urgency=medium

* linux-oem-5.6-tools-common and -tools-host should be dropped (LP: #1881120)
    - [Packaging] Add Conflicts/Replaces to remove linux-oem-5.6-tools-common and
      -tools-host

* Packaging resync (LP: #1786013)
    - [Packaging] update helper scripts

* Slow send speed with Intel I219-V on Ubuntu 18.04.1 (LP: #1802691)
    - e1000e: Disable TSO for buffer overrun workaround

* CVE-2020-0543
    - UBUNTU/SAUCE: x86/speculation/srbds: do not try to turn mitigation off when
      not supported

* Realtek 8723DE [10ec:d723] subsystem [10ec:d738]  disconnects unsolicitedly
    when Bluetooth is paired: Reason: 23=IEEE8021X_FAILED (LP: #1878147)
    - SAUCE: Revert "UBUNTU: SAUCE: rtw88: Move driver IQK to set channel before
      association for 11N chip"
    - SAUCE: Revert "UBUNTU: SAUCE: rtw88: fix rate for a while after being
      connected"
    - SAUCE: Revert "UBUNTU: SAUCE: rtw88: No retry and report for auth and assoc"
    - SAUCE: Revert "UBUNTU: SAUCE: rtw88: 8723d: Add coex support"
    - rtw88: add a debugfs entry to dump coex's info
    - rtw88: add a debugfs entry to enable/disable coex mechanism
    - rtw88: 8723d: Add coex support
    - SAUCE: rtw88: coex: 8723d: set antanna control owner
    - SAUCE: rtw88: coex: 8723d: handle BT inquiry cases
    - SAUCE: rtw88: fix EAPOL 4-way failure by finish IQK earlier

* CPU stress test fails with focal kernel (LP: #1867900)
    - [Config] Disable hisi_sec2 temporarily

* Enforce all config annotations (LP: #1879327)
    - [Config]: do not enforce CONFIG_VERSION_SIGNATURE
    - [Config]: prepare to enforce all
    - [Config]: enforce all config options

* Focal update: v5.4.44 upstream stable release (LP: #1881927)
    - ax25: fix setsockopt(SO_BINDTODEVICE)
    - dpaa_eth: fix usage as DSA master, try 3
    - net: don't return invalid table id error when we fall back to PF_UNSPEC
    - net: dsa: mt7530: fix roaming from DSA user ports
    - net: ethernet: ti: cpsw: fix ASSERT_RTNL() warning during suspend
    - __netif_receive_skb_core: pass skb by reference
    - net: inet_csk: Fix so_reuseport bind-address cache in tb->fast*
    - net: ipip: fix wrong address family in init error path
    - net/mlx5: Add command entry handling completion
    - net: mvpp2: fix RX hashing for non-10G ports
    - net: nlmsg_cancel() if put fails for nhmsg
    - net: qrtr: Fix passing invalid reference to qrtr_local_enqueue()
    - net: revert "net: get rid of an signed integer overflow in
      ip_idents_reserve()"
    - net sched: fix reporting the first-time use timestamp
    - net/tls: fix race condition causing kernel panic
    - nexthop: Fix attribute checking for groups
    - r8152: support additional Microsoft Surface Ethernet Adapter variant
    - sctp: Don't add the shutdown timer if its already been added
    - sctp: Start shutdown on association restart if in SHUTDOWN-SENT state and
      socket is closed
    - tipc: block BH before using dst_cache
    - net/mlx5e: kTLS, Destroy key object after destroying the TIS
    - net/mlx5e: Fix inner tirs handling
    - net/mlx5: Fix memory leak in mlx5_events_init
    - net/mlx5e: Update netdev txq on completions during closure
    - net/mlx5: Fix error flow in case of function_setup failure
    - net/mlx5: Annotate mutex destroy for root ns
    - net/tls: fix encryption error checking
    - net/tls: free record only on encryption error
    - net: sun: fix missing release regions in cas_init_one().
    - net/mlx4_core: fix a memory leak bug.
    - mlxsw: spectrum: Fix use-after-free of split/unsplit/type_set in case reload
      fails
    - ARM: dts: rockchip: fix phy nodename for rk3228-evb
    - ARM: dts: rockchip: fix phy nodename for rk3229-xms6
    - arm64: dts: rockchip: fix status for &gmac2phy in rk3328-evb.dts
    - arm64: dts: rockchip: swap interrupts interrupt-names rk3399 gpu node
    - ARM: dts: rockchip: swap clock-names of gpu nodes
    - ARM: dts: rockchip: fix pinctrl sub nodename for spi in rk322x.dtsi
    - gpio: tegra: mask GPIO IRQs during IRQ shutdown
    - ALSA: usb-audio: add mapping for ASRock TRX40 Creator
    - net: microchip: encx24j600: add missed kthread_stop
    - gfs2: move privileged user check to gfs2_quota_lock_check
    - gfs2: Grab glock reference sooner in gfs2_add_revoke
    - drm/amdgpu: drop unnecessary cancel_delayed_work_sync on PG ungate
    - drm/amd/powerplay: perform PG ungate prior to CG ungate
    - drm/amdgpu: Use GEM obj reference for KFD BOs
    - cachefiles: Fix race between read_waiter and read_copier involving op->to_do
    - usb: dwc3: pci: Enable extcon driver for Intel Merrifield
    - usb: phy: twl6030-usb: Fix a resource leak in an error handling path in
      'twl6030_usb_probe()'
    - usb: gadget: legacy: fix redundant initialization warnings
    - net: freescale: select CONFIG_FIXED_PHY where needed
    - IB/i40iw: Remove bogus call to netdev_master_upper_dev_get()
    - riscv: stacktrace: Fix undefined reference to `walk_stackframe'
    - clk: ti: am33xx: fix RTC clock parent
    - csky: Fixup msa highest 3 bits mask
    - csky: Fixup perf callchain unwind
    - csky: Fixup remove duplicate irq_disable
    - hwmon: (nct7904) Fix incorrect range of temperature limit registers
    - cifs: Fix null pointer check in cifs_read
    - csky: Fixup raw_copy_from_user()
    - samples: bpf: Fix build error
    - drivers: net: hamradio: Fix suspicious RCU usage warning in bpqether.c
    - Input: usbtouchscreen - add support for BonXeon TP
    - Input: evdev - call input_flush_device() on release(), not flush()
    - Input: xpad - add custom init packet for Xbox One S controllers
    - Input: dlink-dir685-touchkeys - fix a typo in driver name
    - Input: i8042 - add ThinkPad S230u to i8042 reset list
    - Input: synaptics-rmi4 - really fix attn_data use-after-free
    - Input: synaptics-rmi4 - fix error return code in rmi_driver_probe()
    - ARM: 8970/1: decompressor: increase tag size
    - ARM: uaccess: consolidate uaccess asm to asm/uaccess-asm.h
    - ARM: uaccess: integrate uaccess_save and uaccess_restore
    - ARM: uaccess: fix DACR mismatch with nested exceptions
    - gpio: exar: Fix bad handling for ida_simple_get error path
    - arm64: dts: mt8173: fix vcodec-enc clock
    - soc: mediatek: cmdq: return send msg error code
    - gpu/drm: Ingenic: Fix opaque pointer casted to wrong type
    - IB/qib: Call kobject_put() when kobject_init_and_add() fails
    - ARM: dts/imx6q-bx50v3: Set display interface clock parents
    - ARM: dts: bcm2835-rpi-zero-w: Fix led polarity
    - ARM: dts: bcm: HR2: Fix PPI interrupt types
    - mmc: block: Fix use-after-free issue for rpmb
    - gpio: pxa: Fix return value of pxa_gpio_probe()
    - gpio: bcm-kona: Fix return value of bcm_kona_gpio_probe()
    - RDMA/pvrdma: Fix missing pci disable in pvrdma_pci_probe()
    - ALSA: hwdep: fix a left shifting 1 by 31 UB bug
    - ALSA: hda/realtek - Add a model for Thinkpad T570 without DAC workaround
    - ALSA: usb-audio: mixer: volume quirk for ESS Technology Asus USB DAC
    - exec: Always set cap_ambient in cap_bprm_set_creds
    - clk: qcom: gcc: Fix parent for gpll0_out_even
    - ALSA: usb-audio: Quirks for Gigabyte TRX40 Aorus Master onboard audio
    - ALSA: hda/realtek - Add new codec supported for ALC287
    - libceph: ignore pool overlay and cache logic on redirects
    - ceph: flush release queue when handling caps for unknown inode
    - RDMA/core: Fix double destruction of uobject
    - drm/amd/display: drop cursor position check in atomic test
    - IB/ipoib: Fix double free of skb in case of multicast traffic in CM mode
    - mm,thp: stop leaking unreleased file pages
    - mm: remove VM_BUG_ON(PageSlab()) from page_mapcount()
    - fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info()
    - include/asm-generic/topology.h: guard cpumask_of_node() macro argument
    - Revert "block: end bio with BLK_STS_AGAIN in case of non-mq devs and
      REQ_NOWAIT"
    - gpio: fix locking open drain IRQ lines
    - iommu: Fix reference count leak in iommu_group_alloc.
    - parisc: Fix kernel panic in mem_init()
    - cfg80211: fix debugfs rename crash
    - x86/syscalls: Revert "x86/syscalls: Make __X32_SYSCALL_BIT be unsigned long"
    - mac80211: mesh: fix discovery timer re-arming issue / crash
    - x86/dma: Fix max PFN arithmetic overflow on 32 bit systems
    - copy_xstate_to_kernel(): don't leave parts of destination uninitialized
    - xfrm: allow to accept packets with ipv6 NEXTHDR_HOP in xfrm_input
    - xfrm: do pskb_pull properly in __xfrm_transport_prep
    - xfrm: remove the xfrm_state_put call becofe going to out_reset
    - xfrm: call xfrm_output_gso when inner_protocol is set in xfrm_output
    - xfrm interface: fix oops when deleting a x-netns interface
    - xfrm: fix a warning in xfrm_policy_insert_list
    - xfrm: fix a NULL-ptr deref in xfrm_local_error
    - xfrm: fix error in comment
    - ip_vti: receive ipip packet by calling ip_tunnel_rcv
    - netfilter: nft_reject_bridge: enable reject with bridge vlan
    - netfilter: ipset: Fix subcounter update skip
    - netfilter: conntrack: make conntrack userspace helpers work again
    - netfilter: nfnetlink_cthelper: unbreak userspace helper support
    - netfilter: nf_conntrack_pptp: prevent buffer overflows in debug code
    - esp6: get the right proto for transport mode in esp6_gso_encap
    - bnxt_en: Fix accumulation of bp->net_stats_prev.
    - ieee80211: Fix incorrect mask for default PE duration
    - xsk: Add overflow check for u64 division, stored into u32
    - qlcnic: fix missing release in qlcnic_83xx_interrupt_test.
    - crypto: chelsio/chtls: properly set tp->lsndtime
    - nexthops: Move code from remove_nexthop_from_groups to remove_nh_grp_entry
    - nexthops: don't modify published nexthop groups
    - nexthop: Expand nexthop_is_multipath in a few places
    - ipv4: nexthop version of fib_info_nh_uses_dev
    - net: dsa: declare lockless TX feature for slave ports
    - bonding: Fix reference count leak in bond_sysfs_slave_add.
    - netfilter: conntrack: comparison of unsigned in cthelper confirmation
    - netfilter: conntrack: Pass value of ctinfo to __nf_conntrack_update
    - netfilter: nf_conntrack_pptp: fix compilation warning with W=1 build
    - perf: Make perf able to build with latest libbfd
    - Linux 5.4.44

* Focal update: v5.4.43 upstream stable release (LP: #1881178)
    - i2c: dev: Fix the race between the release of i2c_dev and cdev
    - KVM: SVM: Fix potential memory leak in svm_cpu_init()
    - ima: Set file->f_mode instead of file->f_flags in ima_calc_file_hash()
    - evm: Check also if *tfm is an error pointer in init_desc()
    - ima: Fix return value of ima_write_policy()
    - ubifs: fix wrong use of crypto_shash_descsize()
    - ACPI: EC: PM: Avoid flushing EC work when EC GPE is inactive
    - mtd: spinand: Propagate ECC information to the MTD structure
    - fix multiplication overflow in copy_fdtable()
    - ubifs: remove broken lazytime support
    - i2c: fix missing pm_runtime_put_sync in i2c_device_probe
    - iommu/amd: Fix over-read of ACPI UID from IVRS table
    - evm: Fix a small race in init_desc()
    - i2c: mux: demux-pinctrl: Fix an error handling path in
      'i2c_demux_pinctrl_probe()'
    - ubi: Fix seq_file usage in detailed_erase_block_info debugfs file
    - afs: Don't unlock fetched data pages until the op completes successfully
    - mtd: Fix mtd not registered due to nvmem name collision
    - kbuild: avoid concurrency issue in parallel building dtbs and dtbs_check
    - net: drop_monitor: use IS_REACHABLE() to guard net_dm_hw_report()
    - gcc-common.h: Update for GCC 10
    - HID: multitouch: add eGalaxTouch P80H84 support
    - HID: alps: Add AUI1657 device ID
    - HID: alps: ALPS_1657 is too specific; use U1_UNICORN_LEGACY instead
    - scsi: qla2xxx: Fix hang when issuing nvme disconnect-all in NPIV
    - scsi: qla2xxx: Delete all sessions before unregister local nvme port
    - configfs: fix config_item refcnt leak in configfs_rmdir()
    - vhost/vsock: fix packet delivery order to monitoring devices
    - aquantia: Fix the media type of AQC100 ethernet controller in the driver
    - component: Silence bind error on -EPROBE_DEFER
    - net/ena: Fix build warning in ena_xdp_set()
    - scsi: ibmvscsi: Fix WARN_ON during event pool release
    - HID: i2c-hid: reset Synaptics SYNA2393 on resume
    - x86/mm/cpa: Flush direct map alias during cpa
    - ibmvnic: Skip fatal error reset after passive init
    - x86/apic: Move TSC deadline timer debug printk
    - gtp: set NLM_F_MULTI flag in gtp_genl_dump_pdp()
    - HID: quirks: Add HID_QUIRK_NO_INIT_REPORTS quirk for Dell K12A keyboard-dock
    - ceph: fix double unlock in handle_cap_export()
    - stmmac: fix pointer check after utilization in stmmac_interrupt
    - USB: core: Fix misleading driver bug report
    - platform/x86: asus-nb-wmi: Do not load on Asus T100TA and T200TA
    - iommu/amd: Call domain_flush_complete() in update_domain()
    - drm/amd/display: Prevent dpcd reads with passive dongles
    - KVM: selftests: Fix build for evmcs.h
    - ARM: futex: Address build warning
    - scripts/gdb: repair rb_first() and rb_last()
    - ALSA: hda - constify and cleanup static NodeID tables
    - ALSA: hda: patch_realtek: fix empty macro usage in if block
    - ALSA: hda: Manage concurrent reg access more properly
    - ALSA: hda/realtek - Add supported new mute Led for HP
    - ALSA: hda/realtek - Add HP new mute led supported for ALC236
    - ALSA: hda/realtek: Add quirk for Samsung Notebook
    - ALSA: hda/realtek - Enable headset mic of ASUS GL503VM with ALC295
    - ALSA: hda/realtek - Enable headset mic of ASUS UX550GE with ALC295
    - ALSA: hda/realtek: Enable headset mic of ASUS UX581LV with ALC295
    - KVM: x86: Fix pkru save/restore when guest CR4.PKE=0, move it to x86.c
    - ALSA: iec1712: Initialize STDSP24 properly when using the model=staudio
      option
    - ALSA: pcm: fix incorrect hw_base increase
    - ALSA: hda/realtek - Fix silent output on Gigabyte X570 Aorus Xtreme
    - ALSA: hda/realtek - Add more fixup entries for Clevo machines
    - scsi: qla2xxx: Do not log message when reading port speed via sysfs
    - scsi: target: Put lun_ref at end of tmr processing
    - arm64: Fix PTRACE_SYSEMU semantics
    - drm/etnaviv: fix perfmon domain interation
    - apparmor: Fix aa_label refcnt leak in policy_update
    - dmaengine: tegra210-adma: Fix an error handling path in 'tegra_adma_probe()'
    - drm/etnaviv: Fix a leak in submit_pin_objects()
    - dmaengine: dmatest: Restore default for channel
    - dmaengine: owl: Use correct lock in owl_dma_get_pchan()
    - vsprintf: don't obfuscate NULL and error pointers
    - drm/i915/gvt: Init DPLL/DDI vreg for virtual display instead of inheritance.
    - drm/i915: Propagate error from completed fences
    - powerpc: Remove STRICT_KERNEL_RWX incompatibility with RELOCATABLE
    - powerpc/64s: Disable STRICT_KERNEL_RWX
    - bpf: Avoid setting bpf insns pages read-only when prog is jited
    - kbuild: Remove debug info from kallsyms linking
    - Revert "gfs2: Don't demote a glock until its revokes are written"
    - media: fdp1: Fix R-Car M3-N naming in debug message
    - staging: iio: ad2s1210: Fix SPI reading
    - staging: kpc2000: fix error return code in kp2000_pcie_probe()
    - staging: greybus: Fix uninitialized scalar variable
    - iio: sca3000: Remove an erroneous 'get_device()'
    - iio: dac: vf610: Fix an error handling path in 'vf610_dac_probe()'
    - iio: adc: ti-ads8344: Fix channel selection
    - misc: rtsx: Add short delay after exit from ASPM
    - tty: serial: add missing spin_lock_init for SiFive serial console
    - mei: release me_cl object reference
    - ipack: tpci200: fix error return code in tpci200_register()
    - s390/kaslr: add support for R_390_JMP_SLOT relocation type
    - device-dax: don't leak kernel memory to user space after unloading kmem
    - rapidio: fix an error in get_user_pages_fast() error handling
    - kasan: disable branch tracing for core runtime
    - rxrpc: Fix the excessive initial retransmission timeout
    - rxrpc: Fix a memory leak in rxkad_verify_response()
    - s390/kexec_file: fix initrd location for kdump kernel
    - flow_dissector: Drop BPF flow dissector prog ref on netns cleanup
    - x86/unwind/orc: Fix unwind_get_return_address_ptr() for inactive tasks
    - iio: adc: stm32-adc: Use dma_request_chan() instead
      dma_request_slave_channel()
    - iio: adc: stm32-adc: fix device used to request dma
    - iio: adc: stm32-dfsdm: Use dma_request_chan() instead
      dma_request_slave_channel()
    - iio: adc: stm32-dfsdm: fix device used to request dma
    - rxrpc: Trace discarded ACKs
    - rxrpc: Fix ack discard
    - tpm: check event log version before reading final events
    - sched/fair: Reorder enqueue/dequeue_task_fair path
    - sched/fair: Fix reordering of enqueue/dequeue_task_fair()
    - sched/fair: Fix enqueue_task_fair() warning some more
    - Linux 5.4.43

* Focal update: v5.4.42 upstream stable release (LP: #1879759)
    - net: dsa: Do not make user port errors fatal
    - shmem: fix possible deadlocks on shmlock_user_lock
    - net: phy: microchip_t1: add lan87xx_phy_init to initialize the lan87xx phy.
    - KVM: arm: vgic: Synchronize the whole guest on GIC{D,R}_I{S,C}ACTIVER read
    - gpio: pca953x: Fix pca953x_gpio_set_config
    - SUNRPC: Add "@len" parameter to gss_unwrap()
    - SUNRPC: Fix GSS privacy computation of auth->au_ralign
    - net/sonic: Fix a resource leak in an error handling path in
      'jazz_sonic_probe()'
    - net: moxa: Fix a potential double 'free_irq()'
    - ftrace/selftests: workaround cgroup RT scheduling issues
    - drop_monitor: work around gcc-10 stringop-overflow warning
    - virtio-blk: handle block_device_operations callbacks after hot unplug
    - sun6i: dsi: fix gcc-4.8
    - net_sched: fix tcm_parent in tc filter dump
    - scsi: sg: add sg_remove_request in sg_write
    - mmc: sdhci-acpi: Add SDHCI_QUIRK2_BROKEN_64_BIT_DMA for AMDI0040
    - dpaa2-eth: properly handle buffer size restrictions
    - net: fix a potential recursive NETDEV_FEAT_CHANGE
    - netlabel: cope with NULL catmap
    - net: phy: fix aneg restart in phy_ethtool_set_eee
    - net: stmmac: fix num_por initialization
    - pppoe: only process PADT targeted at local interfaces
    - Revert "ipv6: add mtu lock check in __ip6_rt_update_pmtu"
    - tcp: fix error recovery in tcp_zerocopy_receive()
    - tcp: fix SO_RCVLOWAT hangs with fat skbs
    - virtio_net: fix lockdep warning on 32 bit
    - dpaa2-eth: prevent array underflow in update_cls_rule()
    - hinic: fix a bug of ndo_stop
    - net: dsa: loop: Add module soft dependency
    - net: ipv4: really enforce backoff for redirects
    - netprio_cgroup: Fix unlimited memory leak of v2 cgroups
    - net: tcp: fix rx timestamp behavior for tcp_recvmsg
    - nfp: abm: fix error return code in nfp_abm_vnic_alloc()
    - r8169: re-establish support for RTL8401 chip version
    - umh: fix memory leak on execve failure
    - riscv: fix vdso build with lld
    - dmaengine: pch_dma.c: Avoid data race between probe and irq handler
    - dmaengine: mmp_tdma: Do not ignore slave config validation errors
    - dmaengine: mmp_tdma: Reset channel error on release
    - selftests/ftrace: Check the first record for kprobe_args_type.tc
    - cpufreq: intel_pstate: Only mention the BIOS disabling turbo mode once
    - ALSA: hda/hdmi: fix race in monitor detection during probe
    - drm/amd/powerplay: avoid using pm_en before it is initialized revised
    - drm/amd/display: check if REFCLK_CNTL register is present
    - drm/amd/display: Update downspread percent to match spreadsheet for DCN2.1
    - drm/qxl: lost qxl_bo_kunmap_atomic_page in qxl_image_init_helper()
    - drm/amdgpu: simplify padding calculations (v2)
    - drm/amdgpu: invalidate L2 before SDMA IBs (v2)
    - ipc/util.c: sysvipc_find_ipc() incorrectly updates position index
    - gfs2: Another gfs2_walk_metadata fix
    - mmc: sdhci-pci-gli: Fix no irq handler from suspend
    - IB/hfi1: Fix another case where pq is left on waitlist
    - ACPI: EC: PM: Avoid premature returns from acpi_s2idle_wake()
    - pinctrl: sunrisepoint: Fix PAD lock register offset for SPT-H
    - pinctrl: baytrail: Enable pin configuration setting for GPIO chip
    - pinctrl: qcom: fix wrong write in update_dual_edge
    - pinctrl: cherryview: Add missing spinlock usage in chv_gpio_irq_handler
    - bpf: Fix error return code in map_lookup_and_delete_elem()
    - ALSA: firewire-lib: fix 'function sizeof not defined' error of tracepoints
      format
    - i40iw: Fix error handling in i40iw_manage_arp_cache()
    - drm/i915: Don't enable WaIncreaseLatencyIPCEnabled when IPC is disabled
    - bpf, sockmap: msg_pop_data can incorrecty set an sge length
    - bpf, sockmap: bpf_tcp_ingress needs to subtract bytes from sg.size
    - mmc: alcor: Fix a resource leak in the error path for ->probe()
    - mmc: sdhci-pci-gli: Fix can not access GL9750 after reboot from Windows 10
    - mmc: core: Check request type before completing the request
    - mmc: core: Fix recursive locking issue in CQE recovery path
    - mmc: block: Fix request completion in the CQE timeout path
    - gfs2: More gfs2_find_jhead fixes
    - fork: prevent accidental access to clone3 features
    - drm/amdgpu: force fbdev into vram
    - NFS: Fix fscache super_cookie index_key from changing after umount
    - nfs: fscache: use timespec64 in inode auxdata
    - NFSv4: Fix fscache cookie aux_data to ensure change_attr is included
    - netfilter: conntrack: avoid gcc-10 zero-length-bounds warning
    - drm/i915/gvt: Fix kernel oops for 3-level ppgtt guest
    - arm64: fix the flush_icache_range arguments in machine_kexec
    - nfs: fix NULL deference in nfs4_get_valid_delegation
    - SUNRPC: Signalled ASYNC tasks need to exit
    - netfilter: nft_set_rbtree: Introduce and use nft_rbtree_interval_start()
    - netfilter: nft_set_rbtree: Add missing expired checks
    - RDMA/rxe: Always return ERR_PTR from rxe_create_mmap_info()
    - IB/mlx4: Test return value of calls to ib_get_cached_pkey
    - IB/core: Fix potential NULL pointer dereference in pkey cache
    - RDMA/core: Fix double put of resource
    - RDMA/iw_cxgb4: Fix incorrect function parameters
    - hwmon: (da9052) Synchronize access with mfd
    - s390/ism: fix error return code in ism_probe()
    - mm, memcg: fix inconsistent oom event behavior
    - NFSv3: fix rpc receive buffer size for MOUNT call
    - pnp: Use list_for_each_entry() instead of open coding
    - net/rds: Use ERR_PTR for rds_message_alloc_sgs()
    - Stop the ad-hoc games with -Wno-maybe-initialized
    - [Config] updateconfigs for CC_HAS_WARN_MAYBE_UNINITIALIZED
    - gcc-10: disable 'zero-length-bounds' warning for now
    - gcc-10: disable 'array-bounds' warning for now
    - gcc-10: disable 'stringop-overflow' warning for now
    - gcc-10: disable 'restrict' warning for now
    - gcc-10 warnings: fix low-hanging fruit
    - gcc-10: mark more functions __init to avoid section mismatch warnings
    - gcc-10: avoid shadowing standard library 'free()' in crypto
    - usb: usbfs: correct kernel->user page attribute mismatch
    - USB: usbfs: fix mmap dma mismatch
    - ALSA: hda/realtek - Limit int mic boost for Thinkpad T530
    - ALSA: hda/realtek - Add COEF workaround for ASUS ZenBook UX431DA
    - ALSA: rawmidi: Fix racy buffer resize under concurrent accesses
    - ALSA: usb-audio: Add control message quirk delay for Kingston HyperX headset
    - usb: core: hub: limit HUB_QUIRK_DISABLE_AUTOSUSPEND to USB5534B
    - usb: host: xhci-plat: keep runtime active when removing host
    - usb: cdns3: gadget: prev_req->trb is NULL for ep0
    - usb: xhci: Fix NULL pointer dereference when enqueuing trbs from urb sg list
    - Make the "Reducing compressed framebufer size" message be DRM_INFO_ONCE()
    - ARM: dts: dra7: Fix bus_dma_limit for PCIe
    - ARM: dts: imx27-phytec-phycard-s-rdk: Fix the I2C1 pinctrl entries
    - ARM: dts: imx6dl-yapp4: Fix Ursa board Ethernet connection
    - drm/amd/display: add basic atomic check for cursor plane
    - powerpc/32s: Fix build failure with CONFIG_PPC_KUAP_DEBUG
    - cifs: fix leaked reference on requeued write
    - x86: Fix early boot crash on gcc-10, third try
    - x86/unwind/orc: Fix error handling in __unwind_start()
    - exec: Move would_dump into flush_old_exec
    - clk: rockchip: fix incorrect configuration of rk3228 aclk_gpu* clocks
    - dwc3: Remove check for HWO flag in dwc3_gadget_ep_reclaim_trb_sg()
    - fanotify: fix merging marks masks with FAN_ONDIR
    - usb: gadget: net2272: Fix a memory leak in an error handling path in
      'net2272_plat_probe()'
    - usb: gadget: audio: Fix a missing error return value in audio_bind()
    - usb: gadget: legacy: fix error return code in gncm_bind()
    - usb: gadget: legacy: fix error return code in cdc_bind()
    - clk: Unlink clock if failed to prepare or enable
    - arm64: dts: meson-g12b-khadas-vim3: add missing frddr_a status property
    - arm64: dts: meson-g12-common: fix dwc2 clock names
    - arm64: dts: rockchip: Replace RK805 PMIC node name with "pmic" on rk3328
      boards
    - arm64: dts: rockchip: Rename dwc3 device nodes on rk3399 to make dtc happy
    - arm64: dts: imx8mn: Change SDMA1 ahb clock for imx8mn
    - ARM: dts: r8a73a4: Add missing CMT1 interrupts
    - arm64: dts: renesas: r8a77980: Fix IPMMU VIP[01] nodes
    - ARM: dts: r8a7740: Add missing extal2 to CPG node
    - SUNRPC: Revert 241b1f419f0e ("SUNRPC: Remove xdr_buf_trim()")
    - bpf: Fix sk_psock refcnt leak when receiving message
    - KVM: x86: Fix off-by-one error in kvm_vcpu_ioctl_x86_setup_mce
    - Makefile: disallow data races on gcc-10 as well
    - Linux 5.4.42

* upgrading to 4.15.0-99-generic breaks the sound and the trackpad
    (LP: #1875916) // Focal update: v5.4.42 upstream stable release
    (LP: #1879759)
    - Revert "ALSA: hda/realtek: Fix pop noise on ALC225"

* Pop sound from build-in speaker during cold boot and resume from S3
    (LP: #1866357) // Focal update: v5.4.42 upstream stable release
    (LP: #1879759)
    - ALSA: hda/realtek - Fix S3 pop noise on Dell Wyse

* tpm: fix TIS locality timeout problems (LP: #1881710)
    - SAUCE: tpm: fix TIS locality timeout problems

* [UBUNTU 20.04] s390x/pci: fix linking between PF and VF for multifunction
    devices (LP: #1879704)
    - PCI/IOV: Introduce pci_iov_sysfs_link() function
    - s390/pci: create links between PFs and VFs

* Performing function level reset of AMD onboard USB and audio devices causes
    system lockup (LP: #1865988)
    - SAUCE: PCI: Avoid FLR for AMD Matisse HD Audio & USB 3.0
    - SAUCE: PCI: Avoid FLR for AMD Starship USB 3.0

* seccomp_benchmark times out on eoan (LP: #1881576)
    - SAUCE: selftests/seccomp: use 90s as timeout

* ASoC/amd: add audio driver for amd renoir (LP: #1881046)
    - ASoC: amd: add Renoir ACP3x IP register header
    - ASoC: amd: add Renoir ACP PCI driver
    - ASoC: amd: add acp init/de-init functions
    - ASoC: amd: create acp3x pdm platform device
    - ASoC: amd: add ACP3x PDM platform driver
    - ASoC: amd: irq handler changes for ACP3x PDM dma driver
    - ASoC: amd: add acp3x pdm driver dma ops
    - ASoC: amd: add ACP PDM DMA driver dai ops
    - ASoC: amd: add Renoir ACP PCI driver PM ops
    - ASoC: amd: add ACP PDM DMA driver pm ops
    - ASoC: amd: enable Renoir acp3x drivers build
    - ASoC: amd: create platform devices for Renoir
    - ASoC: amd: RN machine driver using dmic
    - ASoC: amd: enable build for RN machine driver
    - ASoC: amd: fix kernel warning
    - ASoC: amd: refactoring dai_hw_params() callback
    - ASoC: amd: return error when acp de-init fails
    - [Config]: enable amd renoir ASoC audio

* Fix for secure boot rules in IMA arch policy on powerpc (LP: #1877955)
    - powerpc/ima: Fix secure boot rules in ima arch policy

* [UBUNTU 20.04] s390x/pci: s390_pci_mmio_write/read fail when MIO
    instructions are available (LP: #1874055)
    - s390/pci: Fix s390_mmio_read/write with MIO

* security: lockdown: remove trailing semicolon before function body
    (LP: #1880660)
    - SAUCE: (lockdown) security: lockdown: remove trailing semicolon before
      function body

* Fix incorrect speed/duplex when I210 device is runtime suspended
    (LP: #1880656)
    - igb: Report speed and duplex as unknown when device is runtime suspended

* [OMEN by HP Laptop 15-dh0xxx, Realtek ALC285, Black Mic, Left] Recording
    problem (LP: #1874698)
    - ASoC: SOF: Intel: hda: allow operation without i915 gfx
    - ASoC: intel/skl/hda - add no-HDMI cases to generic HDA driver

* CVE-2020-13143
    - USB: gadget: fix illegal array access in binding with UDC

* rtl8723bu wifi issue after being turned off (LP: #1878296)
    - rtl8xxxu: Improve TX performance of RTL8723BU on rtl8xxxu driver
    - rtl8xxxu: add bluetooth co-existence support for single antenna
    - rtl8xxxu: remove set but not used variable 'rate_mask'
    - rtl8xxxu: Remove set but not used variable 'vif', 'dev', 'len'

* Fix Pericom USB controller OHCI/EHCI PME# defect (LP: #1879321)
    - serial: 8250_pci: Move Pericom IDs to pci_ids.h
    - PCI: Avoid Pericom USB controller OHCI/EHCI PME# defect

* shiftfs: fix btrfs snapshot deletion (LP: #1879688)
    - SAUCE: shiftfs: let userns root destroy subvolumes from other users

* [UBUNTU 20.04] s390x/pci: enumerate pci functions per physical adapter
    (LP: #1874056)
    - s390/pci: Improve handling of unset UID
    - s390/pci: embedding hotplug_slot in zdev
    - s390/pci: Expose new port attribute for PCIe functions
    - s390/pci: adaptation of iommu to multifunction
    - s390/pci: define kernel parameters for PCI multifunction
    - s390/pci: define RID and RID available
    - s390/pci: create zPCI bus
    - s390/pci: adapt events for zbus
    - s390/pci: Handling multifunctions
    - s390/pci: Do not disable PF when VFs exist
    - s390/pci: Documentation for zPCI
    - s390/pci: removes wrong PCI multifunction assignment

* update-initramfs complains of missing amdgpu firmware files (LP: #1873325)
    - SAUCE: drm/amdgpu: Remove unreleased arcturus and navi12 firmware from
      modinfo

-- Marcelo Henrique Cerri <marcelo.cerri@canonical.com>  Mon, 22 Jun 2020 17:59:17 -0300

Changed in linux (Ubuntu Focal):
status:	Fix Committed → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2020-07-28:

#20

This bug was fixed in the package linux - 5.4.0-42.46

---------------
linux (5.4.0-42.46) focal; urgency=medium

* focal/linux: 5.4.0-42.46 -proposed tracker (LP: #1887069)

* linux 4.15.0-109-generic network DoS regression vs -108 (LP: #1886668)
- SAUCE: Revert "netprio_cgroup: Fix unlimited memory leak of v2 cgroups"

linux (5.4.0-41.45) focal; urgency=medium

* focal/linux: 5.4.0-41.45 -proposed tracker (LP: #1885855)

* Packaging resync (LP: #1786013)
- update dkms package versions

* CVE-2019-19642
- kernel/relay.c: handle alloc_percpu returning NULL in relay_open

* CVE-2019-16089
- SAUCE: nbd_genl_status: null check for nla_nest_start

* CVE-2020-11935
- aufs: do not call i_readcount_inc()

  * ip_defrag.sh in net from ubuntu_kernel_selftests failed with 5.0 / 5.3 / 5.4
    kernel (LP: #1826848)
    - selftests: net: ip_defrag: ignore EPERM

* Update lockdown patches (LP: #1884159)
- SAUCE: acpi: disallow loading configfs acpi tables when locked down

* seccomp_bpf fails on powerpc (LP: #1885757)
- SAUCE: selftests/seccomp: fix ptrace tests on powerpc

  * Introduce the new NVIDIA 418-server and 440-server series, and update the
    current NVIDIA drivers (LP: #1881137)
    - [packaging] add signed modules for the 418-server and the 440-server
      flavours

-- Khalid Elmously <email address hidden> Thu, 09 Jul 2020 19:50:26 -0400

Changed in linux (Ubuntu Groovy):
status:	In Progress → Fix Released

Frank Heimes (fheimes) on 2020-07-28

Changed in ubuntu-power-systems:
status:	Fix Committed → Fix Released

Ubuntu
linux package

Fix for secure boot rules in IMA arch policy on powerpc

Bug Description

CVE References

Other bug subscribers

Remote bug watches

	Status	Importance	Assigned to
The Ubuntu-power-systems project	Fix Released	Medium	Canonical Kernel Team
linux (Ubuntu)	Fix Released	Undecided	Ubuntu on IBM Power Systems Bug Triage
Focal	Fix Released	Undecided	Unassigned
Groovy	Fix Released	Undecided	Ubuntu on IBM Power Systems Bug Triage

Ubuntulinux package

Fix for secure boot rules in IMA arch policy on powerpc

Bug Description

CVE References

Other bug subscribers

Remote bug watches

Ubuntu
linux package