group.of.nepali.translators team mailing list archive
Message #23823
[Bug 1765241] Re: virtio_scsi race can corrupt memory, panic kernel
This bug was fixed in the package linux - 4.4.0-127.153
---------------
linux (4.4.0-127.153) xenial; urgency=medium
* CVE-2018-3639 (powerpc)
- powerpc/pseries: Support firmware disable of RFI flush
- powerpc/powernv: Support firmware disable of RFI flush
- powerpc/rfi-flush: Move the logic to avoid a redo into the debugfs code
- powerpc/rfi-flush: Make it possible to call setup_rfi_flush() again
- powerpc/rfi-flush: Always enable fallback flush on pseries
- powerpc/rfi-flush: Differentiate enabled and patched flush types
- powerpc/rfi-flush: Call setup_rfi_flush() after LPM migration
- powerpc/pseries: Add new H_GET_CPU_CHARACTERISTICS flags
- powerpc: Add security feature flags for Spectre/Meltdown
- powerpc/pseries: Set or clear security feature flags
- powerpc/powernv: Set or clear security feature flags
- powerpc/64s: Move cpu_show_meltdown()
- powerpc/64s: Enhance the information in cpu_show_meltdown()
- powerpc/powernv: Use the security flags in pnv_setup_rfi_flush()
- powerpc/pseries: Use the security flags in pseries_setup_rfi_flush()
- powerpc/64s: Wire up cpu_show_spectre_v1()
- powerpc/64s: Wire up cpu_show_spectre_v2()
- powerpc/pseries: Fix clearing of security feature flags
- powerpc: Move default security feature flags
- powerpc/pseries: Restore default security feature flags on setup
- SAUCE: powerpc/64s: Add support for a store forwarding barrier at kernel
entry/exit
* CVE-2018-3639 (x86)
- SAUCE: Clean up IBPB and IBRS control functions and macros
- SAUCE: Fix up IBPB and IBRS kernel parameters documentation
- SAUCE: Remove #define X86_FEATURE_PTI
- x86/cpufeature: Move some of the scattered feature bits to x86_capability
- x86/cpufeature: Cleanup get_cpu_cap()
- x86/cpu: Probe CPUID leaf 6 even when cpuid_level == 6
- x86/cpufeatures: Add CPUID_7_EDX CPUID leaf
- x86/cpufeatures: Add Intel feature bits for Speculation Control
- SAUCE: x86/kvm: Expose SPEC_CTRL from the leaf
- x86/cpufeatures: Add AMD feature bits for Speculation Control
- x86/msr: Add definitions for new speculation control MSRs
- SAUCE: x86/msr: Rename MSR spec control feature bits
- x86/pti: Do not enable PTI on CPUs which are not vulnerable to Meltdown
- x86/cpufeature: Blacklist SPEC_CTRL/PRED_CMD on early Spectre v2 microcodes
- x86/speculation: Add basic IBPB (Indirect Branch Prediction Barrier) support
- x86/speculation: Add <asm/msr-index.h> dependency
- x86/cpufeatures: Clean up Spectre v2 related CPUID flags
- x86/cpuid: Fix up "virtual" IBRS/IBPB/STIBP feature bits on Intel
- SAUCE: x86/speculation: Move vendor specific IBRS/IBPB control code
- SAUCE: x86: Add alternative_msr_write
- SAUCE: x86/nospec: Simplify alternative_msr_write()
- SAUCE: x86/bugs: Concentrate bug detection into a separate function
- SAUCE: x86/bugs: Concentrate bug reporting into a separate function
- arch: Introduce post-init read-only memory
- SAUCE: x86/bugs: Read SPEC_CTRL MSR during boot and re-use reserved bits
- SAUCE: x86/bugs, KVM: Support the combination of guest and host IBRS
- SAUCE: x86/bugs: Expose /sys/../spec_store_bypass
- SAUCE: x86/cpufeatures: Add X86_FEATURE_RDS
- SAUCE: x86/bugs: Provide boot parameters for the spec_store_bypass_disable
mitigation
- SAUCE: x86/bugs/intel: Set proper CPU features and setup RDS
- SAUCE: x86/bugs: Whitelist allowed SPEC_CTRL MSR values
- SAUCE: x86/bugs/AMD: Add support to disable RDS on Fam[15,16,17]h if
requested
- SAUCE: x86/KVM/VMX: Expose SPEC_CTRL Bit(2) to the guest
- SAUCE: x86/speculation: Create spec-ctrl.h to avoid include hell
- SAUCE: prctl: Add speculation control prctls
- x86/process: Optimize TIF checks in __switch_to_xtra()
- SAUCE: x86/process: Allow runtime control of Speculative Store Bypass
- SAUCE: x86/speculation: Add prctl for Speculative Store Bypass mitigation
- SAUCE: nospec: Allow getting/setting on non-current task
- SAUCE: proc: Provide details on speculation flaw mitigations
- SAUCE: seccomp: Enable speculation flaw mitigations
- SAUCE: x86/bugs: Honour SPEC_CTRL default
- SAUCE: x86/bugs: Make boot modes __ro_after_init
- SAUCE: prctl: Add force disable speculation
- SAUCE: seccomp: Use PR_SPEC_FORCE_DISABLE
- selftest/seccomp: Fix the flag name SECCOMP_FILTER_FLAG_TSYNC
- SAUCE: seccomp: Add filter flag to opt-out of SSB mitigation
- SAUCE: seccomp: Move speculation migitation control to arch code
- SAUCE: x86/speculation: Make "seccomp" the default mode for Speculative
Store Bypass
- SAUCE: x86/bugs: Rename _RDS to _SSBD
- SAUCE: proc: Use underscores for SSBD in 'status'
- SAUCE: Documentation/spec_ctrl: Do some minor cleanups
- SAUCE: x86/bugs: Fix __ssb_select_mitigation() return type
- SAUCE: x86/bugs: Make cpu_show_common() static
- x86/entry: define _TIF_ALLWORK_MASK flags explicitly
- Revert "x86/cpufeature: Blacklist SPEC_CTRL/PRED_CMD on early Spectre v2
microcodes"
- SAUCE: kvm/cpuid: Fix CPUID_7_0.EDX handling

linux (4.4.0-125.150) xenial; urgency=medium
* linux: 4.4.0-125.150 -proposed tracker (LP: #1770011)
* Unable to insert test_bpf module on Xenial (LP: #1765698)
- bpf: fix selftests/bpf test_kmod.sh failure when CONFIG_BPF_JIT_ALWAYS_ON=y
- test_bpf: Fix testing with CONFIG_BPF_JIT_ALWAYS_ON=y on other arches
* virtio_scsi race can corrupt memory, panic kernel (LP: #1765241)
- SAUCE: (no-up) virtio-scsi: Fix race in target free
* bpf_map_lookup_elem: BUG: unable to handle kernel paging request
(LP: #1763454) // CVE-2017-17862
- SAUCE: Add missing hunks from "bpf: fix branch pruning logic"
* Xenial: rfkill: fix missing return on rfkill_init (LP: #1764810)
- rfkill: fix missing return on rfkill_init
* "ip a" command on a guest VM shows UNKNOWN status (LP: #1761534)
- virtio-net: Fix operstate for virtio when no VIRTIO_NET_F_STATUS
* Xenial update to 4.4.128 stable release (LP: #1765010)
- cfg80211: make RATE_INFO_BW_20 the default
- md/raid5: make use of spin_lock_irq over local_irq_disable + spin_lock
- rtc: snvs: fix an incorrect check of return value
- x86/asm: Don't use RBP as a temporary register in
csum_partial_copy_generic()
- NFSv4.1: RECLAIM_COMPLETE must handle NFS4ERR_CONN_NOT_BOUND_TO_SESSION
- IB/srpt: Fix abort handling
- af_key: Fix slab-out-of-bounds in pfkey_compile_policy.
- mac80211: bail out from prep_connection() if a reconfig is ongoing
- bna: Avoid reading past end of buffer
- qlge: Avoid reading past end of buffer
- ipmi_ssif: unlock on allocation failure
- net: cdc_ncm: Fix TX zero padding
- net: ethernet: ti: cpsw: adjust cpsw fifos depth for fullduplex flow control
- lockd: fix lockd shutdown race
- drivers/misc/vmw_vmci/vmci_queue_pair.c: fix a couple integer overflow tests
- pidns: disable pid allocation if pid_ns_prepare_proc() is failed in
alloc_pid()
- s390: move _text symbol to address higher than zero
- net/mlx4_en: Avoid adding steering rules with invalid ring
- NFSv4.1: Work around a Linux server bug...
- CIFS: silence lockdep splat in cifs_relock_file()
- net: qca_spi: Fix alignment issues in rx path
- netxen_nic: set rcode to the return status from the call to netxen_issue_cmd
- Input: elan_i2c - check if device is there before really probing
- Input: elantech - force relative mode on a certain module
- KVM: PPC: Book3S PR: Check copy_to/from_user return values
- vmxnet3: ensure that adapter is in proper state during force_close
- SMB2: Fix share type handling
- bus: brcmstb_gisb: Use register offsets with writes too
- bus: brcmstb_gisb: correct support for 64-bit address output
- PowerCap: Fix an error code in powercap_register_zone()
- ARM: dts: imx53-qsrb: Pulldown PMIC IRQ pin
- staging: wlan-ng: prism2mgmt.c: fixed a double endian conversion before
calling hfa384x_drvr_setconfig16, also fixes relative sparse warning
- x86/tsc: Provide 'tsc=unstable' boot parameter
- ARM: dts: imx6qdl-wandboard: Fix audio channel swap
- ipv6: avoid dad-failures for addresses with NODAD
- async_tx: Fix DMA_PREP_FENCE usage in do_async_gen_syndrome()
- usb: dwc3: keystone: check return value
- btrfs: fix incorrect error return ret being passed to mapping_set_error
- ata: libahci: properly propagate return value of platform_get_irq()
- neighbour: update neigh timestamps iff update is effective
- arp: honour gratuitous ARP _replies_
- usb: chipidea: properly handle host or gadget initialization failure
- USB: ene_usb6250: fix first command execution
- net: x25: fix one potential use-after-free issue
- USB: ene_usb6250: fix SCSI residue overwriting
- serial: 8250: omap: Disable DMA for console UART
- serial: sh-sci: Fix race condition causing garbage during shutdown
- sh_eth: Use platform device for printing before register_netdev()
- scsi: csiostor: fix use after free in csio_hw_use_fwconfig()
- powerpc/mm: Fix virt_addr_valid() etc. on 64-bit hash
- ath5k: fix memory leak on buf on failed eeprom read
- selftests/powerpc: Fix TM resched DSCR test with some compilers
- xfrm: fix state migration copy replay sequence numbers
- iio: hi8435: avoid garbage event at first enable
- iio: hi8435: cleanup reset gpio
- ext4: handle the rest of ext4_mb_load_buddy() ENOMEM errors
- md-cluster: fix potential lock issue in add_new_disk
- ARM: davinci: da8xx: Create DSP device only when assigned memory
- ray_cs: Avoid reading past end of buffer
- leds: pca955x: Correct I2C Functionality
- sched/numa: Use down_read_trylock() for the mmap_sem
- net/mlx5: Tolerate irq_set_affinity_hint() failures
- selinux: do not check open permission on sockets
- block: fix an error code in add_partition()
- mlx5: fix bug reading rss_hash_type from CQE
- net: ieee802154: fix net_device reference release too early
- libceph: NULL deref on crush_decode() error path
- netfilter: ctnetlink: fix incorrect nf_ct_put during hash resize
- pNFS/flexfiles: missing error code in ff_layout_alloc_lseg()
- ASoC: rsnd: SSI PIO adjust to 24bit mode
- scsi: bnx2fc: fix race condition in bnx2fc_get_host_stats()
- fix race in drivers/char/random.c:get_reg()
- ext4: fix off-by-one on max nr_pages in ext4_find_unwritten_pgoff()
- tcp: better validation of received ack sequences
- net: move somaxconn init from sysctl code
- Input: elan_i2c - clear INT before resetting controller
- bonding: Don't update slave->link until ready to commit
- KVM: nVMX: Fix handling of lmsw instruction
- net: llc: add lock_sock in llc_ui_bind to avoid a race condition
- ARM: dts: ls1021a: add "fsl,ls1021a-esdhc" compatible string to esdhc node
- thermal: power_allocator: fix one race condition issue for thermal_instances
list
- perf probe: Add warning message if there is unexpected event name
- l2tp: fix missing print session offset info
- rds; Reset rs->rs_bound_addr in rds_add_bound() failure path
- hwmon: (ina2xx) Make calibration register value fixed
- media: videobuf2-core: don't go out of the buffer range
- ASoC: Intel: cht_bsw_rt5645: Analog Mic support
- scsi: mpt3sas: Proper handling of set/clear of "ATA command pending" flag.
- vfb: fix video mode and line_length being set when loaded
- gpio: label descriptors using the device name
- ASoC: Intel: sst: Fix the return value of 'sst_send_byte_stream_mrfld()'
- wl1251: check return from call to wl1251_acx_arp_ip_filter
- hdlcdrv: Fix divide by zero in hdlcdrv_ioctl
- ovl: filter trusted xattr for non-admin
- powerpc/[booke|4xx]: Don't clobber TCR[WP] when setting TCR[DIE]
- dmaengine: imx-sdma: Handle return value of clk_prepare_enable
- arm64: futex: Fix undefined behaviour with FUTEX_OP_OPARG_SHIFT usage
- net/mlx5: avoid build warning for uniprocessor
- cxgb4: FW upgrade fixes
- rtc: opal: Handle disabled TPO in opal_get_tpo_time()
- rtc: interface: Validate alarm-time before handling rollover
- SUNRPC: ensure correct error is reported by xs_tcp_setup_socket()
- net: freescale: fix potential null pointer dereference
- KVM: SVM: do not zero out segment attributes if segment is unusable or not
present
- clk: scpi: fix return type of __scpi_dvfs_round_rate
- clk: Fix __set_clk_rates error print-string
- powerpc/spufs: Fix coredump of SPU contexts
- perf trace: Add mmap alias for s390
- qlcnic: Fix a sleep-in-atomic bug in qlcnic_82xx_hw_write_wx_2M and
qlcnic_82xx_hw_read_wx_2M
- mISDN: Fix a sleep-in-atomic bug
- drm/omap: fix tiled buffer stride calculations
- cxgb4: fix incorrect cim_la output for T6
- Fix serial console on SNI RM400 machines
- bio-integrity: Do not allocate integrity context for bio w/o data
- skbuff: return -EMSGSIZE in skb_to_sgvec to prevent overflow
- sit: reload iphdr in ipip6_rcv
- net/mlx4: Fix the check in attaching steering rules
- net/mlx4: Check if Granular QoS per VF has been enabled before updating QP
qos_vport
- perf header: Set proper module name when build-id event found
- perf report: Ensure the perf DSO mapping matches what libdw sees
- tags: honor COMPILED_SOURCE with apart output directory
- e1000e: fix race condition around skb_tstamp_tx()
- cx25840: fix unchecked return values
- mceusb: sporadic RX truncation corruption fix
- net: phy: avoid genphy_aneg_done() for PHYs without clause 22 support
- ARM: imx: Add MXC_CPU_IMX6ULL and cpu_is_imx6ull
- e1000e: Undo e1000e_pm_freeze if __e1000_shutdown fails
- perf/core: Correct event creation with PERF_FORMAT_GROUP
- MIPS: mm: fixed mappings: correct initialisation
- MIPS: mm: adjust PKMAP location
- MIPS: kprobes: flush_insn_slot should flush only if probe initialised
- Fix loop device flush before configure v3
- net: emac: fix reset timeout with AR8035 phy
- skbuff: only inherit relevant tx_flags
- xen: avoid type warning in xchg_xen_ulong
- bnx2x: Allow vfs to disable txvlan offload
- sctp: fix recursive locking warning in sctp_do_peeloff
- sparc64: ldc abort during vds iso boot
- iio: magnetometer: st_magn_spi: fix spi_device_id table
- Bluetooth: Send HCI Set Event Mask Page 2 command only when needed
- cpuidle: dt: Add missing 'of_node_put()'
- ACPICA: Events: Add runtime stub support for event APIs
- ACPICA: Disassembler: Abort on an invalid/unknown AML opcode
- s390/dasd: fix hanging safe offline
- vxlan: dont migrate permanent fdb entries during learn
- bcache: stop writeback thread after detaching
- bcache: segregate flash only volume write streams
- scsi: libsas: fix memory leak in sas_smp_get_phy_events()
- scsi: libsas: fix error when getting phy events
- scsi: libsas: initialize sas_phy status according to response of DISCOVER
- blk-mq: fix kernel oops in blk_mq_tag_idle()
- tty: n_gsm: Allow ADM response in addition to UA for control dlci
- EDAC, mv64x60: Fix an error handling path
- cxgb4vf: Fix SGE FL buffer initialization logic for 64K pages
- perf tools: Fix copyfile_offset update of output offset
- ipsec: check return value of skb_to_sgvec always
- rxrpc: check return value of skb_to_sgvec always
- virtio_net: check return value of skb_to_sgvec always
- virtio_net: check return value of skb_to_sgvec in one more location
- random: use lockless method of accessing and updating f->reg_idx
- futex: Remove requirement for lock_page() in get_futex_key()
- Kbuild: provide a __UNIQUE_ID for clang
- arp: fix arp_filter on l3slave devices
- net: fix possible out-of-bound read in skb_network_protocol()
- net/ipv6: Fix route leaking between VRFs
- netlink: make sure nladdr has correct size in netlink_connect()
- net/sched: fix NULL dereference in the error path of tcf_bpf_init()
- pptp: remove a buggy dst release in pptp_connect()
- sctp: do not leak kernel memory to user space
- sctp: sctp_sockaddr_af must check minimal addr length for AF_INET6
- vhost: correctly remove wait queue during poll failure
- vlan: also check phy_driver ts_info for vlan's real device
- bonding: fix the err path for dev hwaddr sync in bond_enslave
- bonding: move dev_mc_sync after master_upper_dev_link in bond_enslave
- bonding: process the err returned by dev_set_allmulti properly in
bond_enslave
- net: fool proof dev_valid_name()
- ip_tunnel: better validate user provided tunnel names
- ipv6: sit: better validate user provided tunnel names
- ip6_gre: better validate user provided tunnel names
- ip6_tunnel: better validate user provided tunnel names
- vti6: better validate user provided tunnel names
- r8169: fix setting driver_data after register_netdev
- net sched actions: fix dumping which requires several messages to user space
- net/ipv6: Increment OUTxxx counters after netfilter hook
- ipv6: the entire IPv6 header chain must fit the first fragment
- vrf: Fix use after free and double free in vrf_finish_output
- Revert "xhci: plat: Register shutdown for xhci_plat"
- Linux 4.4.128
* sky2 gigabit ethernet driver sometimes stops working after lid-open resume
from sleep (88E8055) (LP: #1758507) // Xenial update to 4.4.128 stable
release (LP: #1765010)
- sky2: Increase D3 delay to sky2 stops working after suspend
* Xenial update to 4.4.127 stable release (LP: #1765007)
- mtd: jedec_probe: Fix crash in jedec_read_mfr()
- ALSA: pcm: Use dma_bytes as size parameter in dma_mmap_coherent()
- ALSA: pcm: potential uninitialized return values
- partitions/msdos: Unable to mount UFS 44bsd partitions
- usb: gadget: define free_ep_req as universal function
- usb: gadget: change len to size_t on alloc_ep_req()
- usb: gadget: fix usb_ep_align_maybe endianness and new usb_ep_align
- usb: gadget: align buffer size when allocating for OUT endpoint
- usb: gadget: f_hid: fix: Prevent accessing released memory
- kprobes/x86: Fix to set RWX bits correctly before releasing trampoline
- ACPI, PCI, irq: remove redundant check for null string pointer
- writeback: fix the wrong congested state variable definition
- PCI: Make PCI_ROM_ADDRESS_MASK a 32-bit constant
- dm ioctl: remove double parentheses
- Input: mousedev - fix implicit conversion warning
- netfilter: nf_nat_h323: fix logical-not-parentheses warning
- genirq: Use cpumask_available() for check of cpumask variable
- cpumask: Add helper cpumask_available()
- selinux: Remove unnecessary check of array base in selinux_set_mapping()
- fs: compat: Remove warning from COMPATIBLE_IOCTL
- jiffies.h: declare jiffies and jiffies_64 with ____cacheline_aligned_in_smp
- frv: declare jiffies to be located in the .data section
- audit: add tty field to LOGIN event
- tty: provide tty_name() even without CONFIG_TTY
- netfilter: ctnetlink: Make some parameters integer to avoid enum mismatch
- selinux: Remove redundant check for unknown labeling behavior
- arm64: avoid overflow in VA_START and PAGE_OFFSET
- xfrm_user: uncoditionally validate esn replay attribute struct
- RDMA/ucma: Check AF family prior resolving address
- RDMA/ucma: Fix use-after-free access in ucma_close
- RDMA/ucma: Ensure that CM_ID exists prior to access it
- RDMA/ucma: Check that device is connected prior to access it
- RDMA/ucma: Check that device exists prior to accessing it
- RDMA/ucma: Don't allow join attempts for unsupported AF family
- RDMA/ucma: Introduce safer rdma_addr_size() variants
- net: xfrm: use preempt-safe this_cpu_read() in ipcomp_alloc_tfms()
- xfrm: Refuse to insert 32 bit userspace socket policies on 64 bit systems
- netfilter: bridge: ebt_among: add more missing match size checks
- netfilter: x_tables: add and use xt_check_proc_name
- Bluetooth: Fix missing encryption refresh on Security Request
- llist: clang: introduce member_address_is_nonnull()
- scsi: virtio_scsi: always read VPD pages for multiqueue too
- usb: dwc2: Improve gadget state disconnection handling
- USB: serial: ftdi_sio: add RT Systems VX-8 cable
- USB: serial: ftdi_sio: add support for Harman FirmwareHubEmulator
- USB: serial: cp210x: add ELDAT Easywave RX09 id
- mei: remove dev_err message on an unsupported ioctl
- media: usbtv: prevent double free in error case
- parport_pc: Add support for WCH CH382L PCI-E single parallel port card.
- crypto: ahash - Fix early termination in hash walk
- crypto: x86/cast5-avx - fix ECB encryption when long sg follows short one
- fs/proc: Stop trying to report thread stacks
- staging: comedi: ni_mio_common: ack ai fifo error interrupts.
- Input: i8042 - add Lenovo ThinkPad L460 to i8042 reset list
- Input: i8042 - enable MUX on Sony VAIO VGN-CS series to fix touchpad
- vt: change SGR 21 to follow the standards
- Documentation: pinctrl: palmas: Add ti,palmas-powerhold-override property
definition
- ARM: dts: dra7: Add power hold and power controller properties to palmas
- ARM: dts: am57xx-beagle-x15-common: Add overide powerhold property
- md/raid10: reset the 'first' at the end of loop
- net: hns: Fix ethtool private flags
- Revert "PCI/MSI: Stop disabling MSI/MSI-X in pci_device_shutdown()"
- Revert "ARM: dts: am335x-pepper: Fix the audio CODEC's reset pin"
- Revert "ARM: dts: omap3-n900: Fix the audio CODEC's reset pin"
- Revert "cpufreq: Fix governor module removal race"
- Revert "mtip32xx: use runtime tag to initialize command header"
- spi: davinci: fix up dma_mapping_error() incorrect patch
- net: cavium: liquidio: fix up "Avoid dma_unmap_single on uninitialized
ndata"
- Revert "ip6_vti: adjust vti mtu according to mtu of lower device"
- Linux 4.4.127
* Xenial update to 4.4.126 stable release (LP: #1764999)
- scsi: sg: don't return bogus Sg_requests
- Revert "genirq: Use irqd_get_trigger_type to compare the trigger type for
shared IRQs"
- net: Fix hlist corruptions in inet_evict_bucket()
- dccp: check sk for closed state in dccp_sendmsg()
- ipv6: fix access to non-linear packet in ndisc_fill_redirect_hdr_option()
- l2tp: do not accept arbitrary sockets
- net: ethernet: arc: Fix a potential memory leak if an optional regulator is
deferred
- net: ethernet: ti: cpsw: add check for in-band mode setting with RGMII PHY
interface
- net/iucv: Free memory obtained by kzalloc
- netlink: avoid a double skb free in genlmsg_mcast()
- net: Only honor ifindex in IP_PKTINFO if non-0
- skbuff: Fix not waking applications when errors are enqueued
- team: Fix double free in error path
- s390/qeth: free netdevice when removing a card
- s390/qeth: when thread completes, wake up all waiters
- s390/qeth: lock read device while queueing next buffer
- s390/qeth: on channel error, reject further cmd requests
- ieee802154: 6lowpan: fix possible NULL deref in lowpan_device_event()
- net: fec: Fix unbalanced PM runtime calls
- net: systemport: Rewrite __bcm_sysport_tx_reclaim()
- Linux 4.4.126
* Xenial update to 4.4.125 stable release (LP: #1764973)
- MIPS: ralink: Remove ralink_halt()
- iio: st_pressure: st_accel: pass correct platform data to init
- ALSA: usb-audio: Fix parsing descriptor of UAC2 processing unit
- ALSA: aloop: Sync stale timer before release
- ALSA: aloop: Fix access to not-yet-ready substream via cable
- ALSA: hda/realtek - Always immediately update mute LED with pin VREF
- mmc: dw_mmc: fix falling from idmac to PIO mode when dw_mci_reset occurs
- PCI: Add function 1 DMA alias quirk for Highpoint RocketRAID 644L
- ahci: Add PCI-id for the Highpoint Rocketraid 644L card
- clk: bcm2835: Protect sections updating shared registers
- Bluetooth: btusb: Fix quirk for Atheros 1525/QCA6174
- libata: fix length validation of ATAPI-relayed SCSI commands
- libata: remove WARN() for DMA or PIO command without data
- libata: Apply NOLPM quirk to Crucial MX100 512GB SSDs
- libata: Enable queued TRIM for Samsung SSD 860
- libata: Apply NOLPM quirk to Crucial M500 480 and 960GB SSDs
- libata: Make Crucial BX100 500GB LPM quirk apply to all firmware versions
- libata: Modify quirks for MX100 to limit NCQ_TRIM quirk to MU01 version
- mm/vmalloc: add interfaces to free unmapped page table
- x86/mm: implement free pmd/pte page interfaces
- drm/vmwgfx: Fix a destoy-while-held mutex problem.
- drm/radeon: Don't turn off DP sink when disconnected
- drm: udl: Properly check framebuffer mmap offsets
- acpi, numa: fix pxm to online numa node associations
- brcmfmac: fix P2P_DEVICE ethernet address generation
- rtlwifi: rtl8723be: Fix loss of signal
- tracing: probeevent: Fix to support minus offset from symbol
- mtd: nand: fsl_ifc: Fix nand waitfunc return value
- staging: ncpfs: memory corruption in ncp_read_kernel()
- can: cc770: Fix stalls on rt-linux, remove redundant IRQ ack
- can: cc770: Fix queue stall & dropped RTR reply
- can: cc770: Fix use after free in cc770_tx_interrupt()
- tty: vt: fix up tabstops properly
- x86/build/64: Force the linker to use 2MB page size
- x86/boot/64: Verify alignment of the LOAD segment
- perf/x86/intel: Don't accidentally clear high bits in bdw_limit_period()
- staging: lustre: ptlrpc: kfree used instead of kvfree
- kbuild: disable clang's default use of -fmerge-all-constants
- bpf: skip unnecessary capability check
- bpf, x64: increase number of passes
- Linux 4.4.125
* System fails to start (boot) on battery due to read-only root file-system
(LP: #1726930) // Xenial update to 4.4.125 stable release (LP: #1764973)
- libata: disable LPM for Crucial BX100 SSD 500GB drive
* Xenial update to 4.4.124 stable release (LP: #1764762)
- tpm: fix potential buffer overruns caused by bit glitches on the bus
- tpm_tis: fix potential buffer overruns caused by bit glitches on the bus
- staging: android: ashmem: Fix possible deadlock in ashmem_ioctl
- platform/x86: asus-nb-wmi: Add wapf4 quirk for the X302UA
- regulator: anatop: set default voltage selector for pcie
- x86: i8259: export legacy_pic symbol
- rtc: cmos: Do not assume irq 8 for rtc when there are no legacy irqs
- Input: ar1021_i2c - fix too long name in driver's device table
- time: Change posix clocks ops interfaces to use timespec64
- ACPI/processor: Fix error handling in __acpi_processor_start()
- ACPI/processor: Replace racy task affinity logic
- cpufreq/sh: Replace racy task affinity logic
- genirq: Use irqd_get_trigger_type to compare the trigger type for shared
IRQs
- i2c: i2c-scmi: add a MS HID
- net: ipv6: send unsolicited NA on admin up
- media/dvb-core: Race condition when writing to CAM
- spi: dw: Disable clock after unregistering the host
- ath: Fix updating radar flags for coutry code India
- clk: ns2: Correct SDIO bits
- scsi: virtio_scsi: Always try to read VPD pages
- KVM: PPC: Book3S PR: Exit KVM on failed mapping
- ARM: 8668/1: ftrace: Fix dynamic ftrace with DEBUG_RODATA and !FRAME_POINTER
- iommu/omap: Register driver before setting IOMMU ops
- md/raid10: wait up frozen array in handle_write_completed
- NFS: Fix missing pg_cleanup after nfs_pageio_cond_complete()
- tcp: remove poll() flakes with FastOpen
- e1000e: fix timing for 82579 Gigabit Ethernet controller
- ALSA: hda - Fix headset microphone detection for ASUS N551 and N751
- IB/ipoib: Fix deadlock between ipoib_stop and mcast join flow
- IB/ipoib: Update broadcast object if PKey value was changed in index 0
- HSI: ssi_protocol: double free in ssip_pn_xmit()
- IB/mlx4: Take write semaphore when changing the vma struct
- IB/mlx4: Change vma from shared to private
- ASoC: Intel: Skylake: Uninitialized variable in probe_codec()
- Fix driver usage of 128B WQEs when WQ_CREATE is V1.
- netfilter: xt_CT: fix refcnt leak on error path
- openvswitch: Delete conntrack entry clashing with an expectation.
- mmc: host: omap_hsmmc: checking for NULL instead of IS_ERR()
- wan: pc300too: abort path on failure
- qlcnic: fix unchecked return value
- scsi: mac_esp: Replace bogus memory barrier with spinlock
- infiniband/uverbs: Fix integer overflows
- NFS: don't try to cross a mountpount when there isn't one there.
- Revert "UBUNTU: SAUCE: (no-up) iio: st_pressure: st_accel: Initialise sensor
platform data properly"
- iio: st_pressure: st_accel: Initialise sensor platform data properly
- mt7601u: check return value of alloc_skb
- rndis_wlan: add return value validation
- Btrfs: send, fix file hole not being preserved due to inline extent
- mac80211: don't parse encrypted management frames in ieee80211_frame_acked
- mfd: palmas: Reset the POWERHOLD mux during power off
- mtip32xx: use runtime tag to initialize command header
- staging: unisys: visorhba: fix s-Par to boot with option CONFIG_VMAP_STACK
set to y
- staging: wilc1000: fix unchecked return value
- mmc: sdhci-of-esdhc: limit SD clock for ls1012a/ls1046a
- ARM: DRA7: clockdomain: Change the CLKTRCTRL of CM_PCIE_CLKSTCTRL to SW_WKUP
- ipmi/watchdog: fix wdog hang on panic waiting for ipmi response
- ACPI / PMIC: xpower: Fix power_table addresses
- drm/nouveau/kms: Increase max retries in scanout position queries.
- bnx2x: Align RX buffers
- power: supply: pda_power: move from timer to delayed_work
- Input: twl4030-pwrbutton - use correct device for irq request
- md/raid10: skip spare disk as 'first' disk
- ia64: fix module loading for gcc-5.4
- tcm_fileio: Prevent information leak for short reads
- video: fbdev: udlfb: Fix buffer on stack
- sm501fb: don't return zero on failure path in sm501fb_start()
- net: hns: fix ethtool_get_strings overflow in hns driver
- cifs: small underflow in cnvrtDosUnixTm()
- rtc: ds1374: wdt: Fix issue with timeout scaling from secs to wdt ticks
- rtc: ds1374: wdt: Fix stop/start ioctl always returning -EINVAL
- perf tests kmod-path: Don't fail if compressed modules aren't supported
- Bluetooth: hci_qca: Avoid setup failure on missing rampatch
- media: c8sectpfe: fix potential NULL pointer dereference in
c8sectpfe_timer_interrupt
- drm/msm: fix leak in failed get_pages
- RDMA/iwpm: Fix uninitialized error code in iwpm_send_mapinfo()
- rtlwifi: rtl_pci: Fix the bug when inactiveps is enabled.
- media: bt8xx: Fix err 'bt878_probe()'
- media: [RESEND] media: dvb-frontends: Add delay to Si2168 restart
- cros_ec: fix nul-termination for firmware build info
- platform/chrome: Use proper protocol transfer function
- mmc: avoid removing non-removable hosts during suspend
- IB/ipoib: Avoid memory leak if the SA returns a different DGID
- RDMA/cma: Use correct size when writing netlink stats
- IB/umem: Fix use of npages/nmap fields
- vgacon: Set VGA struct resource types
- drm/omap: DMM: Check for DMM readiness after successful transaction commit
- pty: cancel pty slave port buf's work in tty_release
- coresight: Fix disabling of CoreSight TPIU
- pinctrl: Really force states during suspend/resume
- iommu/vt-d: clean up pr_irq if request_threaded_irq fails
- ip6_vti: adjust vti mtu according to mtu of lower device
- RDMA/ocrdma: Fix permissions for OCRDMA_RESET_STATS
- nfsd4: permit layoutget of executable-only files
- clk: si5351: Rename internal plls to avoid name collisions
- dmaengine: ti-dma-crossbar: Fix event mapping for TPCC_EVT_MUX_60_63
- RDMA/ucma: Fix access to non-initialized CM_ID object
- Linux 4.4.124
* Xenial update to 4.4.123 stable release (LP: #1764666)
- blkcg: fix double free of new_blkg in blkcg_init_queue
- Input: tsc2007 - check for presence and power down tsc2007 during probe
- staging: speakup: Replace BUG_ON() with WARN_ON().
- staging: wilc1000: add check for kmalloc allocation failure.
- HID: reject input outside logical range only if null state is set
- drm: qxl: Don't alloc fbdev if emulation is not supported
- ath10k: fix a warning during channel switch with multiple vaps
- PCI/MSI: Stop disabling MSI/MSI-X in pci_device_shutdown()
- selinux: check for address length in selinux_socket_bind()
- perf sort: Fix segfault with basic block 'cycles' sort dimension
- i40e: Acquire NVM lock before reads on all devices
- i40e: fix ethtool to get EEPROM data from X722 interface
- perf tools: Make perf_event__synthesize_mmap_events() scale
- drivers: net: xgene: Fix hardware checksum setting
- drm: Defer disabling the vblank IRQ until the next interrupt (for instant-
off)
- ath10k: disallow DFS simulation if DFS channel is not enabled
- perf probe: Return errno when not hitting any event
- HID: clamp input to logical range if no null state
- net/8021q: create device with all possible features in wanted_features
- ARM: dts: Adjust moxart IRQ controller and flags
- batman-adv: handle race condition for claims between gateways
- of: fix of_device_get_modalias returned length when truncating buffers
- solo6x10: release vb2 buffers in solo_stop_streaming()
- scsi: ipr: Fix missed EH wakeup
- media: i2c/soc_camera: fix ov6650 sensor getting wrong clock
- timers, sched_clock: Update timeout for clock wrap
- sysrq: Reset the watchdog timers while displaying high-resolution timers
- Input: qt1070 - add OF device ID table
- sched: act_csum: don't mangle TCP and UDP GSO packets
- ASoC: rcar: ssi: don't set SSICR.CKDV = 000 with SSIWSR.CONT
- spi: omap2-mcspi: poll OMAP2_MCSPI_CHSTAT_RXS for PIO transfer
- tcp: sysctl: Fix a race to avoid unexpected 0 window from space
- dmaengine: imx-sdma: add 1ms delay to ensure SDMA channel is stopped
- driver: (adm1275) set the m,b and R coefficients correctly for power
- mm: Fix false-positive VM_BUG_ON() in page_cache_{get,add}_speculative()
- blk-throttle: make sure expire time isn't too big
- f2fs: relax node version check for victim data in gc
- bonding: refine bond_fold_stats() wrap detection
- braille-console: Fix value returned by _braille_console_setup
- drm/vmwgfx: Fixes to vmwgfx_fb
- vxlan: vxlan dev should inherit lowerdev's gso_max_size
- NFC: nfcmrvl: Include unaligned.h instead of access_ok.h
- NFC: nfcmrvl: double free on error path
- ARM: dts: r8a7790: Correct parent of SSI[0-9] clocks
- ARM: dts: r8a7791: Correct parent of SSI[0-9] clocks
- powerpc: Avoid taking a data miss on every userspace instruction miss
- net/faraday: Add missing include of of.h
- ARM: dts: koelsch: Correct clock frequency of X2 DU clock input
- reiserfs: Make cancel_old_flush() reliable
- ALSA: firewire-digi00x: handle all MIDI messages on streaming packets
- fm10k: correctly check if interface is removed
- apparmor: Make path_max parameter readonly
- iommu/iova: Fix underflow bug in __alloc_and_insert_iova_range
- video: ARM CLCD: fix dma allocation size
- drm/radeon: Fail fb creation from imported dma-bufs.
- drm/amdgpu: Fail fb creation from imported dma-bufs. (v2)
- coresight: Fixes coresight DT parse to get correct output port ID.
- MIPS: BPF: Quit clobbering callee saved registers in JIT code.
- MIPS: BPF: Fix multiple problems in JIT skb access helpers.
- MIPS: r2-on-r6-emu: Fix BLEZL and BGTZL identification
- MIPS: r2-on-r6-emu: Clear BLTZALL and BGEZALL debugfs counters
- regulator: isl9305: fix array size
- md/raid6: Fix anomily when recovering a single device in RAID6.
- usb: dwc2: Make sure we disconnect the gadget state
- usb: gadget: dummy_hcd: Fix wrong power status bit clear/reset in
dummy_hub_control()
- drivers/perf: arm_pmu: handle no platform_device
- perf inject: Copy events when reordering events in pipe mode
- perf session: Don't rely on evlist in pipe mode
- scsi: sg: check for valid direction before starting the request
- scsi: sg: close race condition in sg_remove_sfp_usercontext()
- kprobes/x86: Fix kprobe-booster not to boost far call instructions
- kprobes/x86: Set kprobes pages read-only
- pwm: tegra: Increase precision in PWM rate calculation
- wil6210: fix memory access violation in wil_memcpy_from/toio_32
- drm/edid: set ELD connector type in drm_edid_to_eld()
- video/hdmi: Allow "empty" HDMI infoframes
- HID: elo: clear BTN_LEFT mapping
- ARM: dts: exynos: Correct Trats2 panel reset line
- sched: Stop switched_to_rt() from sending IPIs to offline CPUs
- sched: Stop resched_cpu() from sending IPIs to offline CPUs
- test_firmware: fix setting old custom fw path back on exit
- net: xfrm: allow clearing socket xfrm policies.
- mtd: nand: fix interpretation of NAND_CMD_NONE in nand_command[_lp]()
- ARM: dts: am335x-pepper: Fix the audio CODEC's reset pin
- ARM: dts: omap3-n900: Fix the audio CODEC's reset pin
- ath10k: update tdls teardown state to target
- cpufreq: Fix governor module removal race
- clk: qcom: msm8916: fix mnd_width for codec_digcodec
- ath10k: fix invalid STS_CAP_OFFSET_MASK
- tools/usbip: fixes build with musl libc toolchain
- spi: sun6i: disable/unprepare clocks on remove
- scsi: core: scsi_get_device_flags_keyed(): Always return device flags
- scsi: devinfo: apply to HP XP the same flags as Hitachi VSP
- scsi: dh: add new rdac devices
- media: cpia2: Fix a couple off by one bugs
- veth: set peer GSO values
- drm/amdkfd: Fix memory leaks in kfd topology
- agp/intel: Flush all chipset writes after updating the GGTT
- mac80211_hwsim: enforce PS_MANUAL_POLL to be set after PS_ENABLED
- mac80211: remove BUG() when interface type is invalid
- ASoC: nuc900: Fix a loop timeout test
- ipvlan: add L2 check for packets arriving via virtual devices
- rcutorture/configinit: Fix build directory error message
- ima: relax requiring a file signature for new files with zero length
- selftests/x86/entry_from_vm86: Exit with 1 if we fail
- selftests/x86: Add tests for User-Mode Instruction Prevention
- selftests/x86: Add tests for the STR and SLDT instructions
- selftests/x86/entry_from_vm86: Add test cases for POPF
- x86/vm86/32: Fix POPF emulation
- x86/mm: Fix vmalloc_fault to use pXd_large
- ALSA: pcm: Fix UAF in snd_pcm_oss_get_formats()
- ALSA: hda - Revert power_save option default value
- ALSA: seq: Fix possible UAF in snd_seq_check_queue()
- ALSA: seq: Clear client entry before deleting else at closing
- drm/amdgpu/dce: Don't turn off DP sink when disconnected
- fs: Teach path_connected to handle nfs filesystems with multiple roots.
- lock_parent() needs to recheck if dentry got __dentry_kill'ed under it
- fs/aio: Add explicit RCU grace period when freeing kioctx
- fs/aio: Use RCU accessors for kioctx_table->table[]
- irqchip/gic-v3-its: Ensure nr_ites >= nr_lpis
- scsi: sg: fix SG_DXFER_FROM_DEV transfers
- scsi: sg: fix static checker warning in sg_is_valid_dxfer
- scsi: sg: only check for dxfer_len greater than 256M
- ARM: dts: LogicPD Torpedo: Fix I2C1 pinmux
- btrfs: alloc_chunk: fix DUP stripe size handling
- btrfs: Fix use-after-free when cleaning up fs_devs with a single stale
device
- USB: gadget: udc: Add missing platform_device_put() on error in
bdc_pci_probe()
- usb: gadget: bdc: 64-bit pointer capability check
- Linux 4.4.123
* Xenial update to 4.4.123 stable release (LP: #1764666) // CVE-2017-16995
- Revert "bpf: fix incorrect sign extension in check_alu_op()"
- bpf: fix incorrect sign extension in check_alu_op()
* Xenial update to 4.4.122 stable release (LP: #1764627)
- RDMA/ucma: Limit possible option size
- RDMA/ucma: Check that user doesn't overflow QP state
- RDMA/mlx5: Fix integer overflow while resizing CQ
- scsi: qla2xxx: Fix NULL pointer crash due to active timer for ABTS
- workqueue: Allow retrieval of current task's work struct
- drm: Allow determining if current task is output poll worker
- drm/nouveau: Fix deadlock on runtime suspend
- drm/radeon: Fix deadlock on runtime suspend
- drm/amdgpu: Fix deadlock on runtime suspend
- drm/amdgpu: Notify sbios device ready before send request
- drm/radeon: fix KV harvesting
- drm/amdgpu: fix KV harvesting
- MIPS: BMIPS: Do not mask IPIs during suspend
- MIPS: ath25: Check for kzalloc allocation failure
- MIPS: OCTEON: irq: Check for null return on kzalloc allocation
- Input: matrix_keypad - fix race when disabling interrupts
- loop: Fix lost writes caused by missing flag
- kbuild: Handle builtin dtb file names containing hyphens
- bcache: don't attach backing with duplicate UUID
- x86/MCE: Serialize sysfs changes
- ALSA: hda/realtek - Fix dock line-out volume on Dell Precision 7520
- ALSA: seq: More protection for concurrent write and ioctl races
- ALSA: hda: add dock and led support for HP EliteBook 820 G3
- ALSA: hda: add dock and led support for HP ProBook 640 G2
- watchdog: hpwdt: SMBIOS check
- watchdog: hpwdt: Check source of NMI
- watchdog: hpwdt: fix unused variable warning
- netfilter: nfnetlink_queue: fix timestamp attribute
- Input: tca8418_keypad - remove double read of key event register
- tc358743: fix register i2c_rd/wr function fix
- netfilter: add back stackpointer size checks
- netfilter: x_tables: fix missing timer initialization in xt_LED
- netfilter: nat: cope with negative port range
- netfilter: IDLETIMER: be syzkaller friendly
- netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets
- netfilter: bridge: ebt_among: add missing match size checks
- netfilter: ipv6: fix use-after-free Write in nf_nat_ipv6_manip_pkt
- netfilter: use skb_to_full_sk in ip_route_me_harder
- ext4: inplace xattr block update fails to deduplicate blocks
- ubi: Fix race condition between ubi volume creation and udev
- scsi: qla2xxx: Replace fcport alloc with qla2x00_alloc_fcport
- NFS: Fix an incorrect type in struct nfs_direct_req
- Revert "ARM: dts: LogicPD Torpedo: Fix I2C1 pinmux"
- x86/module: Detect and skip invalid relocations
- x86: Treat R_X86_64_PLT32 as R_X86_64_PC32
- serial: sh-sci: prevent lockup on full TTY buffers
- tty/serial: atmel: add new version check for usart
- uas: fix comparison for error code
- staging: comedi: fix comedi_nsamples_left.
- staging: android: ashmem: Fix lockdep issue during llseek
- USB: storage: Add JMicron bridge 152d:2567 to unusual_devs.h
- usb: quirks: add control message delay for 1b1c:1b20
- USB: usbmon: remove assignment from IS_ERR argument
- usb: usbmon: Read text within supplied buffer size
- usb: gadget: f_fs: Fix use-after-free in ffs_fs_kill_sb()
- serial: 8250_pci: Add Brainboxes UC-260 4 port serial device
- fixup: sctp: verify size of a new chunk in _sctp_make_chunk()
- Linux 4.4.122
* Xenial update to 4.4.122 stable release (LP: #1764627) // CVE-2018-1000004.
- ALSA: seq: Don't allow resizing pool in use
* Xenial update to 4.4.121 stable release (LP: #1764367)
- tpm: st33zp24: fix potential buffer overruns caused by bit glitches on the
bus
- tpm_i2c_infineon: fix potential buffer overruns caused by bit glitches on
the bus
- tpm_i2c_nuvoton: fix potential buffer overruns caused by bit glitches on the
bus
- ALSA: usb-audio: Add a quirck for B&W PX headphones
- ALSA: hda: Add a power_save blacklist
- cpufreq: s3c24xx: Fix broken s3c_cpufreq_init()
- media: m88ds3103: don't call a non-initalized function
- ARM: mvebu: Fix broken PL310_ERRATA_753970 selects
- KVM: mmu: Fix overlap between public and private memslots
- btrfs: Don't clear SGID when inheriting ACLs
- ARM: dts: LogicPD Torpedo: Fix I2C1 pinmux
- x86/apic/vector: Handle legacy irq data correctly
- leds: do not overflow sysfs buffer in led_trigger_show
- x86/spectre: Fix an error message
- bridge: check brport attr show in brport_show
- fib_semantics: Don't match route with mismatching tclassid
- hdlc_ppp: carrier detect ok, don't turn off negotiation
- ipv6 sit: work around bogus gcc-8 -Wrestrict warning
- net: fix race on decreasing number of TX queues
- net: ipv4: don't allow setting net.ipv4.route.min_pmtu below 68
- netlink: ensure to loop over all netns in genlmsg_multicast_allns()
- ppp: prevent unregistered channels from connecting to PPP units
- udplite: fix partial checksum initialization
- sctp: fix dst refcnt leak in sctp_v4_get_dst
- sctp: fix dst refcnt leak in sctp_v6_get_dst()
- s390/qeth: fix SETIP command handling
- s390/qeth: fix IPA command submission race
- sctp: verify size of a new chunk in _sctp_make_chunk()
- net: mpls: Pull common label check into helper
- dm io: fix duplicate bio completion due to missing ref count
- bpf, x64: implement retpoline for tail call
- btrfs: preserve i_mode if __btrfs_set_acl() fails
- Linux 4.4.121
* Xenial update to 4.4.120 stable release (LP: #1764316)
- hrtimer: Ensure POSIX compliance (relative CLOCK_REALTIME hrtimers)
- f2fs: fix a bug caused by NULL extent tree
- mtd: nand: gpmi: Fix failure when a erased page has a bitflip at BBM
- ipv6: icmp6: Allow icmp messages to be looped back
- ARM: 8731/1: Fix csum_partial_copy_from_user() stack mismatch
- sget(): handle failures of register_shrinker()
- drm/nouveau/pci: do a msi rearm on init
- spi: atmel: fixed spin_lock usage inside atmel_spi_remove
- net: arc_emac: fix arc_emac_rx() error paths
- scsi: storvsc: Fix scsi_cmd error assignments in storvsc_handle_error
- ARM: dts: ls1021a: fix incorrect clock references
- lib/mpi: Fix umul_ppmm() for MIPS64r6
- tg3: Add workaround to restrict 5762 MRRS to 2048
- tg3: Enable PHY reset in MTU change path for 5720
- bnx2x: Improve reliability in case of nested PCI errors
- s390/dasd: fix wrongly assigned configuration data
- IB/mlx4: Fix mlx4_ib_alloc_mr error flow
- IB/ipoib: Fix race condition in neigh creation
- xfs: quota: fix missed destroy of qi_tree_lock
- xfs: quota: check result of register_shrinker()
- e1000: fix disabling already-disabled warning
- drm/ttm: check the return value of kzalloc
- mac80211: mesh: drop frames appearing to be from us
- can: flex_can: Correct the checking for frame length in flexcan_start_xmit()
- bnxt_en: Fix the 'Invalid VF' id check in bnxt_vf_ndo_prep routine.
- xen-netfront: enable device after manual module load
- mdio-sun4i: Fix a memory leak
- SolutionEngine771x: fix Ether platform data
- xen/gntdev: Fix off-by-one error when unmapping with holes
- xen/gntdev: Fix partial gntdev_mmap() cleanup
- sctp: make use of pre-calculated len
- net: gianfar_ptp: move set_fipers() to spinlock protecting area
- MIPS: Implement __multi3 for GCC7 MIPS64r6 builds
- Linux 4.4.120
* Xenial update to 4.4.119 stable release (LP: #1762453)
- netfilter: drop outermost socket lock in getsockopt()
- powerpc/64s: Fix RFI flush dependency on HARDLOCKUP_DETECTOR
- PCI: keystone: Fix interrupt-controller-node lookup
- ip_tunnel: replace dst_cache with generic implementation
- ip_tunnel: fix preempt warning in ip tunnel creation/updating
- scsi: ibmvfc: fix misdefined reserved field in ibmvfc_fcp_rsp_info
- cfg80211: fix cfg80211_beacon_dup
- iio: buffer: check if a buffer has been set up when poll is called
- iio: adis_lib: Initialize trigger before requesting interrupt
- x86/oprofile: Fix bogus GCC-8 warning in nmi_setup()
- irqchip/gic-v3: Use wmb() instead of smb_wmb() in gic_raise_softirq()
- usb: ohci: Proper handling of ed_rm_list to handle race condition between
usb_kill_urb() and finish_unlinks()
- arm64: Disable unhandled signal log messages by default
- Add delay-init quirk for Corsair K70 RGB keyboards
- usb: dwc3: gadget: Set maxpacket size for ep0 IN
- usb: ldusb: add PIDs for new CASSY devices supported by this driver
- usb: gadget: f_fs: Process all descriptors during bind
- usb: renesas_usbhs: missed the "running" flag in usb_dmac with rx path
- drm/amdgpu: Avoid leaking PM domain on driver unbind (v2)
- binder: add missing binder_unlock()
- Linux 4.4.119
* [regression] Colour banding and artefacts appear system-wide on an Asus
Zenbook UX303LA with Intel HD 4400 graphics (LP: #1749420) // Xenial update
to 4.4.119 stable release (LP: #1762453)
- drm/edid: Add 6 bpc quirk for CPT panel in Asus UX303LA
* Xenial update to 4.4.118 stable release (LP: #1756866)
- net: add dst_cache support
- [Config] Add CONFIG_DST_CACHE=y
- net: replace dst_cache ip6_tunnel implementation with the generic one
- cfg80211: check dev_set_name() return value
- mm,vmscan: Make unregister_shrinker() no-op if register_shrinker() failed.
- xfrm: Fix stack-out-of-bounds read on socket policy lookup.
- xfrm: check id proto in validate_tmpl()
- blktrace: fix unlocked registration of tracepoints
- drm: Require __GFP_NOFAIL for the legacy drm_modeset_lock_all
- Provide a function to create a NUL-terminated string from unterminated data
- selinux: ensure the context is NUL terminated in
security_context_to_sid_core()
- selinux: skip bounded transition processing if the policy isn't loaded
- crypto: x86/twofish-3way - Fix %rbp usage
- KVM: x86: fix escape of guest dr6 to the host
- netfilter: x_tables: fix int overflow in xt_alloc_table_info()
- netfilter: x_tables: avoid out-of-bounds reads in
xt_request_find_{match|target}
- netfilter: ipt_CLUSTERIP: fix out-of-bounds accesses in clusterip_tg_check()
- netfilter: on sockopt() acquire sock lock only in the required scope
- netfilter: xt_RATEEST: acquire xt_rateest_mutex for hash insert
- net: avoid skb_warn_bad_offload on IS_ERR
- ASoC: ux500: add MODULE_LICENSE tag
- video: fbdev/mmp: add MODULE_LICENSE
- arm64: dts: add #cooling-cells to CPU nodes
- Make DST_CACHE a silent config option
- dn_getsockoptdecnet: move nf_{get/set}sockopt outside sock lock
- staging: android: ashmem: Fix a race condition in pin ioctls
- binder: check for binder_thread allocation failure in binder_poll()
- staging: iio: adc: ad7192: fix external frequency setting
- usbip: keep usbip_device sockfd state in sync with tcp_socket
- usb: build drivers/usb/common/ when USB_SUPPORT is set
- ARM: OMAP2+: Fix SRAM virt to phys translation for save_secure_ram_context
- ARM: AM33xx: PRM: Remove am33xx_pwrdm_read_prev_pwrst function
- ARM: dts: Fix omap4 hang with GPS connected to USB by using wakeupgen
- ARM: dts: am4372: Correct the interrupts_properties of McASP
- perf top: Fix window dimensions change handling
- perf bench numa: Fixup discontiguous/sparse numa nodes
- media: s5k6aa: describe some function parameters
- pinctrl: sunxi: Fix A80 interrupt pin bank
- RDMA/cma: Make sure that PSN is not over max allowed
- scripts/kernel-doc: Don't fail with status != 0 if error encountered with
-none
- ipvlan: Add the skb->mark as flow4's member to lookup route
- powerpc/perf: Fix oops when grouping different pmu events
- s390/dasd: prevent prefix I/O error
- gianfar: fix a flooded alignment reports because of padding issue.
- net_sched: red: Avoid devision by zero
- net_sched: red: Avoid illegal values
- btrfs: Fix possible off-by-one in btrfs_search_path_in_tree
- 509: fix printing uninitialized stack memory when OID is empty
- dmaengine: ioat: Fix error handling path
- dmaengine: at_hdmac: fix potential NULL pointer dereference in
atc_prep_dma_interleaved
- clk: fix a panic error caused by accessing NULL pointer
- ASoC: rockchip: disable clock on error
- spi: sun4i: disable clocks in the remove function
- xfrm: Fix stack-out-of-bounds with misconfigured transport mode policies.
- drm/armada: fix leak of crtc structure
- dmaengine: jz4740: disable/unprepare clk if probe fails
- mm/early_ioremap: Fix boot hang with earlyprintk=efi,keep
- x86/mm/kmmio: Fix mmiotrace for page unaligned addresses
- xen: XEN_ACPI_PROCESSOR is Dom0-only
- hippi: Fix a Fix a possible sleep-in-atomic bug in rr_close
- virtio_balloon: prevent uninitialized variable use
- isdn: icn: remove a #warning
- vmxnet3: prevent building with 64K pages
- [Config] ppc64el: Drop vmxnet3 module
- gpio: intel-mid: Fix build warning when !CONFIG_PM
- platform/x86: intel_mid_thermal: Fix suspend handlers unused warning
- video: fbdev: via: remove possibly unused variables
- scsi: advansys: fix build warning for PCI=n
- x86/ras/inject: Make it depend on X86_LOCAL_APIC=y
- arm64: define BUG() instruction without CONFIG_BUG
- x86/fpu/math-emu: Fix possible uninitialized variable use
- tools build: Add tools tree support for 'make -s'
- x86/build: Silence the build with "make -s"
- thermal: fix INTEL_SOC_DTS_IOSF_CORE dependencies
- x86: add MULTIUSER dependency for KVM
- x86/platform: Add PCI dependency for PUNIT_ATOM_DEBUG
- scsi: advansys: fix uninitialized data access
- arm64: Kconfig: select COMPAT_BINFMT_ELF only when BINFMT_ELF is set
- ALSA: hda/ca0132 - fix possible NULL pointer use
- reiserfs: avoid a -Wmaybe-uninitialized warning
- ssb: mark ssb_bus_register as __maybe_unused
- thermal: spear: use __maybe_unused for PM functions
- x86/boot: Avoid warning for zero-filling .bss
- scsi: sim710: fix build warning
- drivers/net: fix eisa_driver probe section mismatch
- dpt_i2o: fix build warning
- profile: hide unused functions when !CONFIG_PROC_FS
- md: avoid warning for 32-bit sector_t
- mtd: ichxrom: maybe-uninitialized with gcc-4.9
- mtd: maps: add __init attribute
- mptfusion: hide unused seq_mpt_print_ioc_summary function
- scsi: fdomain: drop fdomain_pci_tbl when built-in
- video: fbdev: sis: remove unused variable
- staging: ste_rmi4: avoid unused function warnings
- fbdev: sis: enforce selection of at least one backend
- video: Use bool instead int pointer for get_opt_bool() argument
- scsi: mvumi: use __maybe_unused to hide pm functions
- SCSI: initio: remove duplicate module device table
- pwc: hide unused label
- usb: musb/ux500: remove duplicate check for dma_is_compatible
- tty: hvc_xen: hide xen_console_remove when unused
- target/user: Fix cast from pointer to phys_addr_t
- driver-core: use 'dev' argument in dev_dbg_ratelimited stub
- fbdev: auo_k190x: avoid unused function warnings
- amd-xgbe: Fix unused suspend handlers build warning
- mtd: sh_flctl: pass FIFO as physical address
- mtd: cfi: enforce valid geometry configuration
- fbdev: s6e8ax0: avoid unused function warnings
- modsign: hide openssl output in silent builds
- fbdev: sm712fb: avoid unused function warnings
- hwrng: exynos - use __maybe_unused to hide pm functions
- USB: cdc_subset: only build when one driver is enabled
- [Config] Add CONFIG_USB_NET_CDC_SUBSET_ENABLE=m
- rtlwifi: fix gcc-6 indentation warning
- staging: wilc1000: fix kbuild test robot error
- x86/platform/olpc: Fix resume handler build warning
- netfilter: ipvs: avoid unused variable warnings
- ipv4: ipconfig: avoid unused ic_proto_used symbol
- tc1100-wmi: fix build warning when CONFIG_PM not enabled
- tlan: avoid unused label with PCI=n
- drm/vmwgfx: use *_32_bits() macros
- tty: cyclades: cyz_interrupt is only used for PCI
- genirq/msi: Add stubs for get_cached_msi_msg/pci_write_msi_msg
- ASoC: mediatek: add i2c dependency
- iio: adc: axp288: remove redundant duplicate const on axp288_adc_channels
- infiniband: cxgb4: use %pR format string for printing resources
- b2c2: flexcop: avoid unused function warnings
- i2c: remove __init from i2c_register_board_info()
- staging: unisys: visorinput depends on INPUT
- tc358743: fix register i2c_rd/wr functions
- drm/nouveau: hide gcc-4.9 -Wmaybe-uninitialized
- Input: tca8418_keypad - hide gcc-4.9 -Wmaybe-uninitialized warning
- KVM: add X86_LOCAL_APIC dependency
- go7007: add MEDIA_CAMERA_SUPPORT dependency
- em28xx: only use mt9v011 if camera support is enabled
- ISDN: eicon: reduce stack size of sig_ind function
- ASoC: rockchip: use __maybe_unused to hide st_irq_syscfg_resume
- serial: 8250_mid: fix broken DMA dependency
- drm/gma500: Sanity-check pipe index
- hdpvr: hide unused variable
- v4l: remove MEDIA_TUNER dependency for VIDEO_TUNER
- cw1200: fix bogus maybe-uninitialized warning
- wireless: cw1200: use __maybe_unused to hide pm functions_
- perf/x86: Shut up false-positive -Wmaybe-uninitialized warning
- dmaengine: zx: fix build warning
- net: hp100: remove unnecessary #ifdefs
- gpio: xgene: mark PM functions as __maybe_unused
- ncpfs: fix unused variable warning
- Revert "power: bq27xxx_battery: Remove unneeded dependency in Kconfig"
- power: bq27xxx_battery: mark some symbols __maybe_unused
- isdn: sc: work around type mismatch warning
- binfmt_elf: compat: avoid unused function warning
- idle: i7300: add PCI dependency
- usb: phy: msm add regulator dependency
- ncr5380: shut up gcc indentation warning
- ARM: tegra: select USB_ULPI from EHCI rather than platform
- ASoC: Intel: Kconfig: fix build when ACPI is not enabled
- netlink: fix nla_put_{u8,u16,u32} for KASAN
- dell-wmi, dell-laptop: depends DMI
- genksyms: Fix segfault with invalid declarations
- x86/microcode/AMD: Change load_microcode_amd()'s param to bool to fix
preemptibility bug
- drm/gma500: remove helper function
- kasan: rework Kconfig settings
- KVM: async_pf: Fix #DF due to inject "Page not Present" and "Page Ready"
exceptions simultaneously
- x86/retpoline: Remove the esp/rsp thunk
- module/retpoline: Warn about missing retpoline in module
- x86/nospec: Fix header guards names
- x86/bugs: Drop one "mitigation" from dmesg
- x86/cpu/bugs: Make retpoline module warning conditional
- x86/spectre: Check CONFIG_RETPOLINE in command line parser
- x86/spectre: Fix spelling mistake: "vunerable"-> "vulnerable"
- x86/paravirt: Remove 'noreplace-paravirt' cmdline option
- x86/retpoline: Avoid retpolines for built-in __init functions
- x86/spectre: Simplify spectre_v2 command line parsing
- x86/speculation: Fix typo IBRS_ATT, which should be IBRS_ALL
- KVM: nVMX: kmap() can't fail
- KVM: nVMX: vmx_complete_nested_posted_interrupt() can't fail
- kvm: nVMX: Fix kernel panics induced by illegal INVEPT/INVVPID types
- KVM: VMX: clean up declaration of VPID/EPT invalidation types
- KVM: nVMX: invvpid handling improvements
- crypto: s5p-sss - Fix kernel Oops in AES-ECB mode
- net: dst_cache_per_cpu_dst_set() can be static
- ARM: omap2: hide omap3_save_secure_ram on non-OMAP3 builds
- Linux 4.4.118
* ibrs/ibpb fixes result in excessive kernel logging (LP: #1755627)
- SAUCE: remove ibrs_dump sysctl interface
-- Stefan Bader <stefan.bader@xxxxxxxxxxxxx> Sat, 19 May 2018 11:58:02 +0200
** Changed in: linux (Ubuntu Xenial)
Status: Fix Committed => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16995
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-17862
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1000004
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-3639
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1765241
Title:
virtio_scsi race can corrupt memory, panic kernel
Status in linux package in Ubuntu:
Confirmed
Status in linux source package in Xenial:
Fix Released
Bug description:
There's a race in the virtio_scsi driver (for all kernels).
That race is inadvertently avoided on most kernels due to a
synchronize_rcu call coincidentally placed in one of the racing code paths.
By happenstance, the set of patches backported to the Ubuntu
4.4 kernel ended up without a synchronize_rcu in the relevant place. The
issue first manifests with
commit be2a20802abbde04ae09846406d7b670731d97d2
Author: Jan Kara <jack@xxxxxxx>
Date: Wed Feb 8 08:05:56 2017 +0100
block: Move bdi_unregister() to del_gendisk()
BugLink: http://bugs.launchpad.net/bugs/1659111
The race can cause a kernel panic due to corruption of a freelist
pointer in a slab cache. The panics occur in arbitrary places as
the failure occurs at an allocation after the corruption of the
pointer. However, the most common failure observed has been within
virtio_scsi itself during probe processing, e.g.:
[ 3.111628] [<ffffffff811b0f32>] kfree_const+0x22/0x30
[ 3.112340] [<ffffffff813db534>] kobject_release+0x94/0x190
[ 3.113126] [<ffffffff813db3c7>] kobject_put+0x27/0x50
[ 3.113838] [<ffffffff8153dee7>] put_device+0x17/0x20
[ 3.114568] [<ffffffff815ac6b2>] __scsi_remove_device+0x92/0xe0
[ 3.115401] [<ffffffff815a928b>] scsi_probe_and_add_lun+0x95b/0xe80
[ 3.116287] [<ffffffff811f1083>] ? kmem_cache_alloc_trace+0x183/0x1f0
[ 3.117227] [<ffffffff8154eb0b>] ? __pm_runtime_resume+0x5b/0x80
[ 3.118048] [<ffffffff815a9eaa>] __scsi_scan_target+0x10a/0x690
[ 3.118879] [<ffffffff815aa59e>] scsi_scan_channel+0x7e/0xa0
[ 3.119653] [<ffffffff815aa743>] scsi_scan_host_selected+0xf3/0x160
[ 3.120506] [<ffffffff815aa83d>] do_scsi_scan_host+0x8d/0x90
[ 3.121295] [<ffffffff815aaa0c>] do_scan_async+0x1c/0x190
[ 3.122048] [<ffffffff810a5748>] async_run_entry_fn+0x48/0x150
[ 3.122846] [<ffffffff8109c6b5>] process_one_work+0x165/0x480
[ 3.123732] [<ffffffff8109ca1b>] worker_thread+0x4b/0x4d0
[ 3.124508] [<ffffffff8109c9d0>] ? process_one_work+0x480/0x480
Details on the race:
CPU A:
virtscsi_probe
[...]
__scsi_scan_target
scsi_probe_and_add_lun [on return calls __scsi_remove_device, below]
scsi_probe_lun
[...]
blk_execute_rq
blk_execute_rq waits for the completion event, and then on wakeup
returns up to scsi_probe_and_add_lun, which calls __scsi_remove_device.
In order for the race to occur, the wakeup must occur on a CPU other than
CPU B.
After being woken up by the completion of the request, the call
returns up the stack to scsi_probe_and_add_lun, which calls
__scsi_remove_device:
__scsi_remove_device
blk_cleanup_queue
[ no longer calls bdi_unregister ]
scsi_target_reap(scsi_target(sdev))
scsi_target_reap_ref_put
kref_put
kref_sub
scsi_target_reap_ref_release
scsi_target_destroy
->target_destroy() = virtscsi_target_destroy
kfree(tgt) <=== FREE TGT
Note that the removal of the call to bdi_unregister in commit
xenial be2a20802abbde block: Move bdi_unregister() to del_gendisk()
and annotated above is the change that gates whether the issue
manifests or not. The other code change from be2a20802abbde has no effect
on the race.
CPU B:
vring_interrupt
virtscsi_complete_cmd
scsi_mq_done (via ->scsi_done())
scsi_mq_done
blk_mq_complete_request
__blk_mq_complete_request
[...]
blk_end_sync_rq
complete
[ wake up the task from CPU A ]
After waking the CPU A task, execution returns up the stack, and
then calls atomic_dec(&tgt->reqs) in virtscsi_complete_cmd immediately
after returning from the call to ->scsi_done.
If the activity on CPU A after it is woken up (starting at
__scsi_remove_device) finishes before CPU B can call atomic_dec() in
virtscsi_complete_cmd, then the atomic_dec() will modify a free list
pointer in the freed slab object that contained tgt. This causes the
system to panic on a subsequent allocation from the per-cpu slab cache.
The call path on CPU B is significantly shorter than that on CPU A
after wakeup, so it is likely that an external event delays CPU B. This
could be either an interrupt within the VM or scheduling delays for the
virtual cpu process on the hypervisor. Whatever the delay is, it is not
the root cause but merely the triggering event.
The virtscsi race window described above exists in all kernels
that have been checked (4.4 upstream LTS, Ubuntu 4.13 and 4.15, and
current mainline as of this writing). However, none of those kernels
exhibit the panic in testing, only the Ubuntu 4.4 kernel after commit
be2a20802abbde.
The reason none of those kernels panic is they all have one thing
in common: an incidental call to synchronize_rcu somewhere in the call
path of CPU A after it is woken up. This causes CPU A to wait for CPU B's
activity, as CPU A will not go on to free the "tgt" memory until after the
RCU grace period passes, which requires waiting for CPU B's activity to
finish. Note that the specific RCU sync call is different between some of
those kernel versions, but all of them have one somewhere deep inside
blk_cleanup_queue. The bdi_unregister function has one (in the call to
bdi_remove_from_list), which is why removing that call opens the race
window on the Ubuntu 4.4 kernel.
Resolving the issue can be accomplished by adding an RCU sync
to virtscsi_target_destroy prior to freeing the target. It is also possible
to use a loop of the format:
+ while (atomic_read(&tgt->reqs))
+ cpu_relax();
but this is higher risk as the loop is non-terminating in the case
of other failure.
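Review bot: the while loop on atomic_read(&tgt->reqs) has no bound, timeout or diagnostic, so a counter that is left non-zero stalls the destroy path with nothing in the log pointing at virtio_scsi; if this variant were ever chosen over the RCU sync, cap the wait and emit a warning when the cap is hit. The loop is also only safe if atomic_dec(&tgt->reqs) is the last access to tgt in virtscsi_complete_cmd, which these two lines do not show, so that ordering requirement belongs in a comment next to the loop.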
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1765241/+subscriptions
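The interleavings described in the bug report above, as an added example that is not part of the original report or of the kernel source: a small user-space C model that enumerates every ordering of the steps CPU A and CPU B still have to run after complete(), and counts the orderings in which atomic_dec(&tgt->reqs) lands after kfree(tgt). The step names follow the call paths in the report; the enum, struct and function names are hypothetical, the RCU sync is modelled as "wait until CPU B's handler has finished" as the report describes it, and the initial_reqs = 2 case is a constructed failure in which the counter never reaches zero.

```c
#include <stdbool.h>
#include <stdio.h>

/* Steps each CPU still has to run once complete() has woken the CPU A task. */
enum step {
    A_BLK_CLEANUP_QUEUE, /* __scsi_remove_device -> blk_cleanup_queue */
    A_RCU_SYNC,          /* proposed fix: wait for CPU B's handler to finish */
    A_SPIN_ON_REQS,      /* alternative: while (atomic_read(&tgt->reqs)) cpu_relax(); */
    A_KFREE_TGT,         /* virtscsi_target_destroy -> kfree(tgt) */
    B_RETURN_FROM_DONE,  /* virtscsi_complete_cmd: back from ->scsi_done() */
    B_ATOMIC_DEC_REQS    /* virtscsi_complete_cmd: atomic_dec(&tgt->reqs) */
};

enum fix { FIX_NONE, FIX_RCU_SYNC, FIX_SPIN_LOOP };

struct path { const enum step *steps; int len; };
struct outcome { int schedules; int use_after_free; int hung; };
struct state { int ia, ib, reqs; bool freed, uaf; };

/* CPU A's next step may be a blocking wait; report whether it can run now. */
static bool a_runnable(const struct path *a, const struct path *b,
                       const struct state *s)
{
    if (s->ia == a->len)
        return false;
    switch (a->steps[s->ia]) {
    case A_RCU_SYNC:     return s->ib == b->len; /* CPU B left its handler */
    case A_SPIN_ON_REQS: return s->reqs == 0;
    default:             return true;
    }
}

/* Depth-first walk over every ordering of the remaining steps. */
static void explore(const struct path *a, const struct path *b,
                    struct state s, struct outcome *out)
{
    bool a_ok = a_runnable(a, b, &s);
    bool b_ok = s.ib < b->len;

    if (!a_ok && !b_ok) {            /* nothing left that can run */
        out->schedules++;
        if (s.ia < a->len)
            out->hung++;             /* CPU A is stuck in its wait forever */
        else if (s.uaf)
            out->use_after_free++;
        return;
    }
    if (a_ok) {
        struct state n = s;
        if (a->steps[n.ia] == A_KFREE_TGT)
            n.freed = true;
        n.ia++;
        explore(a, b, n, out);
    }
    if (b_ok) {
        struct state n = s;
        if (b->steps[n.ib] == B_ATOMIC_DEC_REQS) {
            if (n.freed)
                n.uaf = true;        /* write lands in the freed slab object */
            n.reqs--;
        }
        n.ib++;
        explore(a, b, n, out);
    }
}

/* initial_reqs is tgt->reqs when complete() is called; 1 is the normal case. */
static struct outcome run(enum fix fix, int initial_reqs)
{
    static const enum step a_none[] = { A_BLK_CLEANUP_QUEUE, A_KFREE_TGT };
    static const enum step a_rcu[]  = { A_BLK_CLEANUP_QUEUE, A_RCU_SYNC, A_KFREE_TGT };
    static const enum step a_spin[] = { A_BLK_CLEANUP_QUEUE, A_SPIN_ON_REQS, A_KFREE_TGT };
    static const enum step b_irq[]  = { B_RETURN_FROM_DONE, B_ATOMIC_DEC_REQS };
    struct path a = { a_none, 2 };
    struct path b = { b_irq, 2 };
    struct state s = { 0, 0, initial_reqs, false, false };
    struct outcome out = { 0, 0, 0 };

    if (fix == FIX_RCU_SYNC)
        a = (struct path){ a_rcu, 3 };
    else if (fix == FIX_SPIN_LOOP)
        a = (struct path){ a_spin, 3 };
    explore(&a, &b, s, &out);
    return out;
}

int main(void)
{
    static const char *names[] = { "no fix", "RCU sync", "spin loop" };
    for (int reqs = 1; reqs <= 2; reqs++)      /* reqs = 2: constructed leak */
        for (int f = FIX_NONE; f <= FIX_SPIN_LOOP; f++) {
            struct outcome o = run((enum fix)f, reqs);
            printf("reqs=%d %-9s schedules=%d use_after_free=%d hung=%d\n",
                   reqs, names[f], o.schedules, o.use_after_free, o.hung);
        }
    return 0;
}
```

The model counts orderings, not probabilities: it shows which schedules are possible under each variant, while how often the bad ones occur on a real system depends on the delay on CPU B that the report discusses.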