← Back to team overview

canonical-hw-cert team mailing list archive

[Bug 1981313] Re: bionic/linux-kvm: 4.15.0-1124.129 -proposed tracker

 

This bug was fixed in the package linux-kvm - 4.15.0-1125.130

---------------
linux-kvm (4.15.0-1125.130) bionic; urgency=medium

  [ Ubuntu: 4.15.0-191.202 ]

  * CVE-2022-2586
    - SAUCE: netfilter: nf_tables: do not allow SET_ID to refer to another table
    - SAUCE: netfilter: nf_tables: do not allow RULE_ID to refer to another chain
  * CVE-2022-2588
    - SAUCE: net_sched: cls_route: remove from list when handle is 0
  * CVE-2022-34918
    - netfilter: nf_tables: stricter validation of element data
  * BUG: kernel NULL pointer dereference, address: 0000000000000008
    (LP: #1981658)
    - tcp: make sure treq->af_specific is initialized

linux-kvm (4.15.0-1124.129) bionic; urgency=medium

  * bionic/linux-kvm: 4.15.0-1124.129 -proposed tracker (LP: #1981313)

  [ Ubuntu: 4.15.0-190.201 ]

  * bionic/linux: 4.15.0-190.201 -proposed tracker (LP: #1981321)
  * CVE-2022-1679
    - SAUCE: ath9k: fix use-after-free in ath9k_hif_usb_rx_cb
  * Bionic update: upstream stable patchset 2022-07-06 (LP: #1980879)
    - MIPS: Use address-of operator on section symbols
    - block: drbd: drbd_nl: Make conversion to 'enum drbd_ret_code' explicit
    - can: grcan: grcan_probe(): fix broken system id check for errata workaround
      needs
    - can: grcan: only use the NAPI poll budget for RX
    - Bluetooth: Fix the creation of hdev->name
    - mmc: rtsx: add 74 Clocks in power on flow
    - mm: hugetlb: fix missing cache flush in copy_huge_page_from_user()
    - mm: userfaultfd: fix missing cache flush in mcopy_atomic_pte() and
      __mcopy_atomic()
    - ALSA: pcm: Fix races among concurrent hw_params and hw_free calls
    - ALSA: pcm: Fix races among concurrent read/write and buffer changes
    - ALSA: pcm: Fix races among concurrent prepare and hw_params/hw_free calls
    - ALSA: pcm: Fix races among concurrent prealloc proc writes
    - ALSA: pcm: Fix potential AB/BA lock with buffer_mutex and mmap_lock
    - VFS: Fix memory leak caused by concurrently mounting fs with subtype
    - batman-adv: Don't skb_split skbuffs with frag_list
    - net: Fix features skip in for_each_netdev_feature()
    - ipv4: drop dst in multicast routing path
    - netlink: do not reset transport header in netlink_recvmsg()
    - mac80211_hwsim: call ieee80211_tx_prepare_skb under RCU protection
    - hwmon: (ltq-cputemp) restrict it to SOC_XWAY
    - s390/ctcm: fix variable dereferenced before check
    - s390/ctcm: fix potential memory leak
    - s390/lcs: fix variable dereferenced before check
    - net/smc: non blocking recvmsg() return -EAGAIN when no data and
      signal_pending
    - net: sfc: ef10: fix memory leak in efx_ef10_mtd_probe()
    - hwmon: (f71882fg) Fix negative temperature
    - ASoC: max98090: Reject invalid values in custom control put()
    - ASoC: max98090: Generate notifications on changes for custom control
    - ASoC: ops: Validate input values in snd_soc_put_volsw_range()
    - tcp: resalt the secret every 10 seconds
    - usb: cdc-wdm: fix reading stuck on device close
    - USB: serial: pl2303: add device id for HP LM930 Display
    - USB: serial: qcserial: add support for Sierra Wireless EM7590
    - USB: serial: option: add Fibocom L610 modem
    - USB: serial: option: add Fibocom MA510 modem
    - cgroup/cpuset: Remove cpus_allowed/mems_allowed setup in cpuset_init_smp()
    - drm/vmwgfx: Initialize drm_mode_fb_cmd2
    - ping: fix address binding wrt vrf
    - tty/serial: digicolor: fix possible null-ptr-deref in digicolor_uart_probe()
    - net/sched: act_pedit: really ensure the skb is writable
    - um: Cleanup syscall_handler_t definition/cast, fix warning
    - Input: add bounds checking to input_set_capability()
    - Input: stmfts - fix reference leak in stmfts_input_open
    - MIPS: lantiq: check the return value of kzalloc()
    - drbd: remove usage of list iterator variable after loop
    - ARM: 9191/1: arm/stacktrace, kasan: Silence KASAN warnings in unwind_frame()
    - ALSA: wavefront: Proper check of get_user() error
    - perf: Fix sys_perf_event_open() race against self
    - drm/dp/mst: fix a possible memory leak in fetch_monitor_name()
    - mmc: core: Specify timeouts for BKOPS and CACHE_FLUSH for eMMC
    - mmc: block: Use generic_cmd6_time when modifying INAND_CMD38_ARG_EXT_CSD
    - mmc: core: Default to generic_cmd6_time as timeout in __mmc_switch()
    - net: vmxnet3: fix possible use-after-free bugs in vmxnet3_rq_alloc_rx_buf()
    - net: vmxnet3: fix possible NULL pointer dereference in vmxnet3_rq_cleanup()
    - clk: at91: generated: consider range when calculating best rate
    - net/qla3xxx: Fix a test in ql_reset_work()
    - NFC: nci: fix sleep in atomic context bugs caused by nci_skb_alloc
    - ARM: 9196/1: spectre-bhb: enable for Cortex-A15
    - ARM: 9197/1: spectre-bhb: fix loop8 sequence for Thumb2
    - igb: skip phy status check where unavailable
    - net: bridge: Clear offload_fwd_mark when passing frame up bridge interface.
    - gpio: gpio-vf610: do not touch other bits when set the target bit
    - gpio: mvebu/pwm: Refuse requests with inverted polarity
    - perf bench numa: Address compiler error on s390
    - scsi: qla2xxx: Fix missed DMA unmap for aborted commands
    - mac80211: fix rx reordering with non explicit / psmp ack policy
    - ethernet: tulip: fix missing pci_disable_device() on error in
      tulip_init_one()
    - net: stmmac: fix missing pci_disable_device() on error in stmmac_pci_probe()
    - net: atlantic: verify hw_head_ lies within TX buffer ring
    - swiotlb: fix info leak with DMA_FROM_DEVICE
    - Reinstate some of "swiotlb: rework "fix info leak with DMA_FROM_DEVICE""
    - net: macb: Increment rx bd head after allocating skb and buffer
    - net/sched: act_pedit: sanitize shift argument before usage
    - afs: Fix afs_getattr() to refetch file status if callback break occurred
    - x86/pci/xen: Disable PCI/MSI[-X] masking for XEN_HVM guests
    - staging: rtl8723bs: prevent ->Ssid overflow in rtw_wx_set_scan()
    - tcp: change source port randomizarion at connect() time
    - secure_seq: use the 64 bits of the siphash for port offset calculation
    - ACPI: sysfs: Make sparse happy about address space in use
    - Revert "UBUNTU: SAUCE: ACPI: sysfs: copy ACPI data using io memory copying"
    - ACPI: sysfs: Fix BERT error region memory mapping
    - net: af_key: check encryption module availability consistency
    - net: ftgmac100: Disable hardware checksum on AST2600
    - drivers: i2c: thunderx: Allow driver to work with ACPI defined TWSI
      controllers
    - assoc_array: Fix BUG_ON during garbage collect
    - drm/i915: Fix -Wstringop-overflow warning in call to intel_read_wm_latency()
    - block-map: add __GFP_ZERO flag for alloc_page in function bio_copy_kern
    - exec: Force single empty string when argv is empty
    - netfilter: conntrack: re-fetch conntrack after insertion
    - zsmalloc: fix races between asynchronous zspage free and page migration
    - dm integrity: fix error code in dm_integrity_ctr()
    - dm crypt: make printing of the key constant-time
    - dm stats: add cond_resched when looping over entries
    - dm verity: set DM_TARGET_IMMUTABLE feature flag
    - tpm: ibmvtpm: Correct the return value in tpm_ibmvtpm_probe()
    - docs: submitting-patches: Fix crossref to 'The canonical patch format'
    - NFSD: Fix possible sleep during nfsd4_release_lockowner()
    - bpf: Enlarge offset check value to INT_MAX in bpf_skb_{load,store}_bytes
  * Bionic update: upstream stable patchset 2022-06-21 (LP: #1979355)
    - floppy: disable FDRAWCMD by default
    - [Config] updateconfigs for BLK_DEV_FD_RAWCMD
    - hamradio: defer 6pack kfree after unregister_netdev
    - hamradio: remove needs_free_netdev to avoid UAF
    - lightnvm: disable the subsystem
    - [Config] updateconfigs for NVM, NVM_PBLK
    - usb: mtu3: fix USB 3.0 dual-role-switch from device to host
    - USB: quirks: add a Realtek card reader
    - USB: quirks: add STRING quirk for VCOM device
    - USB: serial: whiteheat: fix heap overflow in WHITEHEAT_GET_DTR_RTS
    - USB: serial: cp210x: add PIDs for Kamstrup USB Meter Reader
    - USB: serial: option: add support for Cinterion MV32-WA/MV32-WB
    - USB: serial: option: add Telit 0x1057, 0x1058, 0x1075 compositions
    - xhci: stop polling roothubs after shutdown
    - iio: dac: ad5592r: Fix the missing return value.
    - iio: dac: ad5446: Fix read_raw not returning set value
    - iio: magnetometer: ak8975: Fix the error handling in ak8975_power_on()
    - usb: misc: fix improper handling of refcount in uss720_probe()
    - usb: gadget: uvc: Fix crash when encoding data for usb request
    - usb: gadget: configfs: clear deactivation flag in
      configfs_composite_unbind()
    - serial: 8250: Also set sticky MCR bits in console restoration
    - serial: 8250: Correct the clock for EndRun PTP/1588 PCIe device
    - hex2bin: make the function hex_to_bin constant-time
    - hex2bin: fix access beyond string end
    - USB: Fix xhci event ring dequeue pointer ERDP update issue
    - ARM: dts: imx6qdl-apalis: Fix sgtl5000 detection issue
    - phy: samsung: Fix missing of_node_put() in exynos_sata_phy_probe
    - phy: samsung: exynos5250-sata: fix missing device put in probe error paths
    - ARM: OMAP2+: Fix refcount leak in omap_gic_of_init
    - ARM: dts: Fix mmc order for omap3-gta04
    - ipvs: correctly print the memory size of ip_vs_conn_tab
    - mtd: rawnand: Fix return value check of wait_for_completion_timeout
    - sctp: check asoc strreset_chunk in sctp_generate_reconf_event
    - pinctrl: pistachio: fix use of irq_of_parse_and_map()
    - ip_gre: Make o_seqno start from 0 in native mode
    - tcp: fix potential xmit stalls caused by TCP_NOTSENT_LOWAT
    - bus: sunxi-rsb: Fix the return value of sunxi_rsb_device_create()
    - clk: sunxi: sun9i-mmc: check return value after calling
      platform_get_resource()
    - net: bcmgenet: hide status block before TX timestamping
    - bnx2x: fix napi API usage sequence
    - ASoC: wm8731: Disable the regulator when probing fails
    - x86: __memcpy_flushcache: fix wrong alignment if size > 2^32
    - cifs: destage any unwritten data to the server before calling
      copychunk_write
    - drivers: net: hippi: Fix deadlock in rr_close()
    - x86/cpu: Load microcode during restore_processor_state()
    - tty: n_gsm: fix wrong signal octet encoding in convergence layer type 2
    - tty: n_gsm: fix malformed counter for out of frame data
    - tty: n_gsm: fix insufficient txframe size
    - tty: n_gsm: fix missing explicit ldisc flush
    - tty: n_gsm: fix wrong command retry handling
    - tty: n_gsm: fix wrong command frame length field encoding
    - tty: n_gsm: fix incorrect UA handling
    - MIPS: Fix CP0 counter erratum detection for R4k CPUs
    - parisc: Merge model and model name into one line in /proc/cpuinfo
    - ALSA: fireworks: fix wrong return count shorter than expected by 4 bytes
    - Revert "SUNRPC: attempt AF_LOCAL connect on setup"
    - firewire: fix potential uaf in outbound_phy_packet_callback()
    - firewire: remove check of list iterator against head past the loop body
    - firewire: core: extend card->lock in fw_core_handle_bus_reset
    - ASoC: wm8958: Fix change notifications for DSP controls
    - can: grcan: grcan_close(): fix deadlock
    - can: grcan: use ofdev->dev when allocating DMA memory
    - nfc: replace improper check device_is_registered() in netlink related
      functions
    - NFC: netlink: fix sleep in atomic bug when firmware download timeout
    - hwmon: (adt7470) Fix warning on module removal
    - ASoC: dmaengine: Restore NULL prepare_slave_config() callback
    - net: emaclite: Add error handling for of_address_to_resource()
    - smsc911x: allow using IRQ0
    - btrfs: always log symlinks in full mode
    - net: igmp: respect RCU rules in ip_mc_source() and ip_mc_msfilter()
    - kvm: x86/cpuid: Only provide CPUID leaf 0xA if host has architectural PMU
    - net: ipv6: ensure we call ipv6_mc_down() at most once
    - dm: fix mempool NULL pointer race when completing IO
    - dm: interlock pending dm_io and dm_wait_for_bios_completion
    - PCI: aardvark: Clear all MSIs at setup
    - PCI: aardvark: Fix reading MSI interrupt number
    - tcp: md5: incorrect tcp_header_len for incoming connections
    - net: hns3: add validity check for message data length
    - genirq: Synchronize interrupt thread startup
    - net: stmmac: dwmac-sun8i: add missing of_node_put() in
      sun8i_dwmac_register_mdio_mux()
    - mm: fix unexpected zeroed page mapping with zram swap
  * unprivileged tests in test_verifier from ubuntu_bpf failed with "Failed to
    load prog 'Operation not permitted'" on B-4.15 (LP: #1980648)
    - selftests/bpf: Count tests skipped by unpriv
    - selftests/bpf: Only run tests if !bpf_disabled
  * CVE-2022-1734
    - nfc: nfcmrvl: main: reorder destructive operations in
      nfcmrvl_nci_unregister_dev to avoid bugs
  * CVE-2022-1652
    - floppy: use a statically allocated error counter

 -- Andrea Righi <andrea.righi@xxxxxxxxxxxxx>  Thu, 04 Aug 2022 11:40:01
+0200

** Changed in: linux-kvm (Ubuntu Bionic)
       Status: New => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-1652

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-1679

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-1734

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-2586

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-2588

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-34918

-- 
You received this bug notification because you are a member of hardware-
certification-users, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1981313

Title:
  bionic/linux-kvm: 4.15.0-1124.129 -proposed tracker

Status in Kernel SRU Workflow:
  In Progress
Status in Kernel SRU Workflow automated-testing series:
  Fix Released
Status in Kernel SRU Workflow boot-testing series:
  Fix Released
Status in Kernel SRU Workflow certification-testing series:
  Invalid
Status in Kernel SRU Workflow new-review series:
  Fix Released
Status in Kernel SRU Workflow prepare-package series:
  Fix Released
Status in Kernel SRU Workflow prepare-package-meta series:
  Fix Released
Status in Kernel SRU Workflow promote-signing-to-proposed series:
  Invalid
Status in Kernel SRU Workflow promote-to-proposed series:
  Fix Released
Status in Kernel SRU Workflow promote-to-security series:
  New
Status in Kernel SRU Workflow promote-to-updates series:
  New
Status in Kernel SRU Workflow regression-testing series:
  Fix Released
Status in Kernel SRU Workflow security-signoff series:
  Fix Released
Status in Kernel SRU Workflow signing-signoff series:
  Invalid
Status in Kernel SRU Workflow sru-review series:
  Fix Released
Status in Kernel SRU Workflow verification-testing series:
  Fix Released
Status in linux-kvm source package in Bionic:
  Fix Released

Bug description:
  This bug will contain status and test results related to a kernel
  source (or snap) as stated in the title.

  For an explanation of the tasks and the associated workflow see:
    https://wiki.ubuntu.com/Kernel/kernel-sru-workflow

  -- swm properties --
  boot-testing-requested: true
  bugs-spammed: true
  built:
    from: 351557444fee706d
    route-entry: 1
  delta:
    promote-to-proposed: [main, meta]
  flag:
    boot-testing-requested: true
    bugs-spammed: true
    proposed-announcement-sent: true
    proposed-testing-requested: true
  issue: KSRU-4455
  kernel-stable-master-bug: 1983714
  packages:
    main: linux-kvm
    meta: linux-meta-kvm
  phase: Holding before Promote to Updates
  phase-changed: Thursday, 04. August 2022 21:31 UTC
  proposed-announcement-sent: true
  proposed-testing-requested: true
  reason:
    promote-to-updates: Holding -- parent tracker not ready for release
  synthetic:
    :promote-to-as-proposed: Fix Released
  variant: debs
  versions:
    main: 4.15.0-1124.129
    meta: 4.15.0.1124.117
  ~~:
    clamps:
      new-review: 351557444fee706d
      promote-to-proposed: 351557444fee706d
      self: 4.15.0-1124.129
      sru-review: 351557444fee706d

To manage notifications about this bug go to:
https://bugs.launchpad.net/kernel-sru-workflow/+bug/1981313/+subscriptions