Ubuntu
linux package

Bionic update: upstream stable patchset 2020-08-18

Bug #1892091 reported by Kamal Mostafa on 2020-08-18

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	linux (Ubuntu)	Invalid	Undecided	Unassigned
	Bionic	Fix Released	Undecided	Kamal Mostafa

Bug Description

SRU Justification

    Impact:
       The upstream process for stable tree updates is quite similar
       in scope to the Ubuntu SRU process, e.g., each patch has to
       demonstrably fix a bug, and each patch is vetted by upstream
       by originating either directly from a mainline/stable Linux tree or
       a minimally backported form of that patch. The following upstream
       stable patches should be included in the Ubuntu kernel:

upstream stable patchset 2020-08-18

Ported from the following upstream stable releases:
v4.19.139

from git://git.kernel.org/

USB: serial: qcserial: add EM7305 QDL product ID
USB: iowarrior: fix up report size handling for some devices
usb: xhci: define IDs for various ASMedia host controllers
usb: xhci: Fix ASMedia ASM1142 DMA addressing
Revert "ALSA: hda: call runtime_allow() for all hda controllers"
ALSA: seq: oss: Serialize ioctls
staging: android: ashmem: Fix lockdep warning for write operation
Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()
Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_evt()
Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_with_rssi_evt()
omapfb: dss: Fix max fclk divider for omap36xx
binder: Prevent context manager from incrementing ref 0
vgacon: Fix for missing check in scrollback handling
mtd: properly check all write ioctls for permissions
leds: wm831x-status: fix use-after-free on unbind
leds: da903x: fix use-after-free on unbind
leds: lm3533: fix use-after-free on unbind
leds: 88pm860x: fix use-after-free on unbind
net/9p: validate fds in p9_fd_open
drm/nouveau/fbcon: fix module unload when fbcon init has failed for some reason
drm/nouveau/fbcon: zero-initialise the mode_cmd2 structure
i2c: slave: improve sanity check when registering
i2c: slave: add sanity check when unregistering
usb: hso: check for return value in hso_serial_common_create()
firmware: Fix a reference count leak.
cfg80211: check vendor command doit pointer before use
igb: reinit_locked() should be called with rtnl_lock
atm: fix atm_dev refcnt leaks in atmtcp_remove_persistent
tools lib traceevent: Fix memory leak in process_dynamic_array_len
Drivers: hv: vmbus: Ignore CHANNELMSG_TL_CONNECT_RESULT(23)
xattr: break delegations in {set,remove}xattr
ipv4: Silence suspicious RCU usage warning
ipv6: fix memory leaks on IPV6_ADDRFORM path
net: ethernet: mtk_eth_soc: fix MTU warnings
vxlan: Ensure FDB dump is performed under RCU
net: lan78xx: replace bogus endpoint lookup
hv_netvsc: do not use VF device if link is down
net: gre: recompute gre csum for sctp over gre tunnels
openvswitch: Prevent kernel-infoleak in ovs_ct_put_key()
Revert "vxlan: fix tos value before xmit"
selftests/net: relax cpu affinity requirement in msg_zerocopy test
rxrpc: Fix race between recvmsg and sendmsg on immediate call failure
i40e: add num_vectors checker in iwarp handler
i40e: Wrong truncation from u16 to u8
i40e: Memory leak in i40e_config_iwarp_qvlist
Smack: fix use-after-free in smk_write_relabel_self()
UBUNTU: upstream stable to v4.19.139

See original description

Tags:

CVE References

2020-12888

Kamal Mostafa (kamalmostafa) on 2020-08-18

Changed in linux (Ubuntu):
status:	New → Confirmed
tags:	added: kernel-stable-tracking-bug
Changed in linux (Ubuntu Bionic):
status:	New → In Progress
assignee:	nobody → Kamal Mostafa (kamalmostafa)

Kamal Mostafa (kamalmostafa) on 2020-08-18

description:

updated

Ian May (ian-may) on 2020-08-25

Changed in linux (Ubuntu Bionic):
status:	In Progress → Fix Committed

Revision history for this message

Launchpad Janitor (janitor) wrote on 2020-09-21:

Download full text (8.2 KiB)

This bug was fixed in the package linux - 4.15.0-118.119

---------------
linux (4.15.0-118.119) bionic; urgency=medium

* bionic/linux: 4.15.0-118.119 -proposed tracker (LP: #1894697)

* Packaging resync (LP: #1786013)
- update dkms package versions

* Introduce the new NVIDIA 450-server and the 450 UDA series (LP: #1887674)
- [packaging] add signed modules for nvidia 450 and 450-server

* cgroup refcount is bogus when cgroup_sk_alloc is disabled (LP: #1886860)
- cgroup: add missing skcd->no_refcnt check in cgroup_sk_clone()

  * CVE-2020-12888
    - vfio/type1: Support faulting PFNMAP vmas
    - vfio-pci: Fault mmaps to enable vma tracking
    - vfio-pci: Invalidate mmaps and block MMIO access on disabled memory

  * [Hyper-V] VSS and File Copy daemons intermittently fails to start
    (LP: #1891224)
    - [Packaging] Bind hv_vss_daemon startup to hv_vss device
    - [Packaging] bind hv_fcopy_daemon startup to hv_fcopy device

  * KVM: Fix zero_page reference counter overflow when using KSM on KVM compute
    host (LP: #1837810)
    - KVM: fix overflow of zero page refcount with ksm running

  * Fix false-negative return value for rtnetlink.sh in kselftests/net
    (LP: #1890136)
    - selftests: rtnetlink: correct the final return value for the test
    - selftests: rtnetlink: make kci_test_encap() return sub-test result

This bug was fixed in the package linux - 4.15.0-118.119

---------------
linux (4.15.0-118.119) bionic; urgency=medium

* bionic/linux: 4.15.0-118.119 -proposed tracker (LP: #1894697)

* Packaging resync (LP: #1786013)
    - update dkms package versions

* Introduce the new NVIDIA 450-server and the 450 UDA series (LP: #1887674)
    - [packaging] add signed modules for nvidia 450 and 450-server

* cgroup refcount is bogus when cgroup_sk_alloc is disabled (LP: #1886860)
    - cgroup: add missing skcd->no_refcnt check in cgroup_sk_clone()

* CVE-2020-12888
    - vfio/type1: Support faulting PFNMAP vmas
    - vfio-pci: Fault mmaps to enable vma tracking
    - vfio-pci: Invalidate mmaps and block MMIO access on disabled memory

*  [Hyper-V] VSS and File Copy daemons intermittently fails to start
    (LP: #1891224)
    - [Packaging] Bind hv_vss_daemon startup to hv_vss device
    - [Packaging] bind hv_fcopy_daemon startup to hv_fcopy device

* KVM: Fix zero_page reference counter overflow when using KSM on KVM compute
    host (LP: #1837810)
    - KVM: fix overflow of zero page refcount with ksm running

* Bionic update: upstream stable patchset 2020-08-18 (LP: #1892091)
    - USB: serial: qcserial: add EM7305 QDL product ID
    - USB: iowarrior: fix up report size handling for some devices
    - usb: xhci: define IDs for various ASMedia host controllers
    - usb: xhci: Fix ASMedia ASM1142 DMA addressing
    - Revert "ALSA: hda: call runtime_allow() for all hda controllers"
    - ALSA: seq: oss: Serialize ioctls
    - staging: android: ashmem: Fix lockdep warning for write operation
    - Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()
    - Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_evt()
    - Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_with_rssi_evt()
    - omapfb: dss: Fix max fclk divider for omap36xx
    - binder: Prevent context manager from incrementing ref 0
    - vgacon: Fix for missing check in scrollback handling
    - mtd: properly check all write ioctls for permissions
    - leds: wm831x-status: fix use-after-free on unbind
    - leds: da903x: fix use-after-free on unbind
    - leds: lm3533: fix use-after-free on unbind
    - leds: 88pm860x: fix use-after-free on unbind
    - net/9p: validate fds in p9_fd_open
    - drm/nouveau/fbcon: fix module unload when fbcon init has failed for some
      reason
    - drm/nouveau/fbcon: zero-initialise the mode_cmd2 structure
    - i2c: slave: improve sanity check when registering
    - i2c: slave: add sanity check when unregistering
    - usb: hso: check for return value in hso_serial_common_create()
    - firmware: Fix a reference count leak.
    - cfg80211: check vendor command doit pointer before use
    - igb: reinit_locked() should be called with rtnl_lock
    - atm: fix atm_dev refcnt leaks in atmtcp_remove_persistent
    - tools lib traceevent: Fix memory leak in process_dynamic_array_len
    - Drivers: hv: vmbus: Ignore CHANNELMSG_TL_CONNECT_RESULT(23)
    - xattr: break delegations in {set,remove}xattr
    - ipv4: Silence suspicious RCU usage warning
    - ipv6: fix memory leaks on IPV6_ADDRFORM path
    - net: ethernet: mtk_eth_soc: fix MTU warnings
    - vxlan: Ensure FDB dump is performed under RCU
    - net: lan78xx: replace bogus endpoint lookup
    - hv_netvsc: do not use VF device if link is down
    - net: gre: recompute gre csum for sctp over gre tunnels
    - openvswitch: Prevent kernel-infoleak in ovs_ct_put_key()
    - Revert "vxlan: fix tos value before xmit"
    - selftests/net: relax cpu affinity requirement in msg_zerocopy test
    - rxrpc: Fix race between recvmsg and sendmsg on immediate call failure
    - i40e: add num_vectors checker in iwarp handler
    - i40e: Wrong truncation from u16 to u8
    - i40e: Memory leak in i40e_config_iwarp_qvlist
    - Smack: fix use-after-free in smk_write_relabel_self()

* Bionic update: upstream stable patchset 2020-08-11 (LP: #1891228)
    - AX.25: Fix out-of-bounds read in ax25_connect()
    - AX.25: Prevent out-of-bounds read in ax25_sendmsg()
    - dev: Defer free of skbs in flush_backlog
    - drivers/net/wan/x25_asy: Fix to make it work
    - net-sysfs: add a newline when printing 'tx_timeout' by sysfs
    - net: udp: Fix wrong clean up for IS_UDPLITE macro
    - rxrpc: Fix sendmsg() returning EPIPE due to recvmsg() returning ENODATA
    - AX.25: Prevent integer overflows in connect and sendmsg
    - ip6_gre: fix null-ptr-deref in ip6gre_init_net()
    - rtnetlink: Fix memory(net_device) leak when ->newlink fails
    - tcp: allow at most one TLP probe per flight
    - regmap: debugfs: check count when read regmap file
    - qrtr: orphan socket in qrtr_release()
    - sctp: shrink stream outq only when new outcnt < old outcnt
    - sctp: shrink stream outq when fails to do addstream reconf
    - crypto: ccp - Release all allocated memory if sha type is invalid
    - media: rc: prevent memory leak in cx23888_ir_probe
    - iio: imu: adis16400: fix memory leak
    - ath9k_htc: release allocated buffer if timed out
    - ath9k: release allocated buffer if timed out
    - PCI/ASPM: Disable ASPM on ASMedia ASM1083/1085 PCIe-to-PCI bridge
    - wireless: Use offsetof instead of custom macro.
    - ARM: 8986/1: hw_breakpoint: Don't invoke overflow handler on uaccess
      watchpoints
    - drm/amdgpu: Prevent kernel-infoleak in amdgpu_info_ioctl()
    - drm: hold gem reference until object is no longer accessed
    - f2fs: check memory boundary by insane namelen
    - f2fs: check if file namelen exceeds max value
    - 9p/trans_fd: abort p9_read_work if req status changed
    - 9p/trans_fd: Fix concurrency del of req_list in p9_fd_cancelled/p9_read_work
    - x86/build/lto: Fix truncated .bss with -fdata-sections
    - rds: Prevent kernel-infoleak in rds_notify_queue_get()
    - xfs: fix missed wakeup on l_flush_wait
    - net/x25: Fix x25_neigh refcnt leak when x25 disconnect
    - net/x25: Fix null-ptr-deref in x25_disconnect
    - selftests/net: rxtimestamp: fix clang issues for target arch PowerPC
    - sh: Fix validation of system call number
    - net: lan78xx: add missing endpoint sanity check
    - net: lan78xx: fix transfer-buffer memory leak
    - mlx4: disable device on shutdown
    - mlxsw: core: Increase scope of RCU read-side critical section
    - mlxsw: core: Free EMAD transactions using kfree_rcu()
    - ibmvnic: Fix IRQ mapping disposal in error path
    - bpf: Fix map leak in HASH_OF_MAPS map
    - mac80211: mesh: Free ie data when leaving mesh
    - mac80211: mesh: Free pending skb when destroying a mpath
    - arm64/alternatives: move length validation inside the subsection
    - arm64: csum: Fix handling of bad packets
    - usb: hso: Fix debug compile warning on sparc32
    - qed: Disable "MFW indication via attention" SPAM every 5 minutes
    - nfc: s3fwrn5: add missing release on skb in s3fwrn5_recv_frame
    - parisc: add support for cmpxchg on u8 pointers
    - net: ethernet: ravb: exit if re-initialization fails in tx timeout
    - Revert "i2c: cadence: Fix the hold bit setting"
    - x86/unwind/orc: Fix ORC for newly forked tasks
    - cxgb4: add missing release on skb in uld_send()
    - xen-netfront: fix potential deadlock in xennet_remove()
    - KVM: LAPIC: Prevent setting the tscdeadline timer if the lapic is hw
      disabled
    - x86/i8259: Use printk_deferred() to prevent deadlock
    - drm/amdgpu: fix multiple memory leaks in acp_hw_init
    - selftests/net: psock_fanout: fix clang issues for target arch PowerPC
    - net/mlx5: Verify Hardware supports requested ptp function on a given pin
    - random32: update the net random state on interrupt and activity
    - ARM: percpu.h: fix build error
    - random: fix circular include dependency on arm64 after addition of percpu.h
    - random32: remove net_rand_state from the latent entropy gcc plugin
    - random32: move the pseudo-random 32-bit definitions to prandom.h
    - ext4: fix direct I/O read error

-- Kleber Sacilotto de Souza <kleber.souza@canonical.com>  Tue, 08 Sep 2020 12:09:02 +0200

Changed in linux (Ubuntu Bionic):
status:	Fix Committed → Fix Released

Po-Hsu Lin (cypressyew) on 2022-03-16

Changed in linux (Ubuntu):
status:	Confirmed → Invalid

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntulinux package