group.of.nepali.translators team mailing list archive

[Bug 1851380] Re: root can lift kernel lockdown

 

This bug was fixed in the package linux - 4.15.0-72.81

---------------
linux (4.15.0-72.81) bionic; urgency=medium

  * bionic/linux: 4.15.0-72.81 -proposed tracker (LP: #1854027)

  * [Regression] Bionic kernel 4.15.0-71.80 can not boot on ThunderX
    (LP: #1853326)
    - Revert "arm64: Use firmware to detect CPUs that are not affected by
      Spectre-v2"
    - Revert "arm64: Get rid of __smccc_workaround_1_hvc_*"

  * [Regression] Bionic kernel 4.15.0-71.80 can not boot on ThunderX2 and
    Kunpeng920 (LP: #1852723)
    - SAUCE: arm64: capabilities: Move setup_boot_cpu_capabilities() call to
      correct place

linux (4.15.0-71.80) bionic; urgency=medium

  * bionic/linux: 4.15.0-71.80 -proposed tracker (LP: #1852289)

  * Bionic update: upstream stable patchset 2019-10-29 (LP: #1850541)
    - panic: ensure preemption is disabled during panic()
    - f2fs: use EINVAL for superblock with invalid magic
    - [Config] updateconfigs for USB_RIO500
    - USB: rio500: Remove Rio 500 kernel driver
    - USB: yurex: Don't retry on unexpected errors
    - USB: yurex: fix NULL-derefs on disconnect
    - USB: usb-skeleton: fix runtime PM after driver unbind
    - USB: usb-skeleton: fix NULL-deref on disconnect
    - xhci: Fix false warning message about wrong bounce buffer write length
    - xhci: Prevent device initiated U1/U2 link pm if exit latency is too long
    - xhci: Check all endpoints for LPM timeout
    - usb: xhci: wait for CNR controller not ready bit in xhci resume
    - USB: adutux: fix use-after-free on disconnect
    - USB: adutux: fix NULL-derefs on disconnect
    - USB: adutux: fix use-after-free on release
    - USB: iowarrior: fix use-after-free on disconnect
    - USB: iowarrior: fix use-after-free on release
    - USB: iowarrior: fix use-after-free after driver unbind
    - USB: usblp: fix runtime PM after driver unbind
    - USB: chaoskey: fix use-after-free on release
    - USB: ldusb: fix NULL-derefs on driver unbind
    - serial: uartlite: fix exit path null pointer
    - USB: serial: keyspan: fix NULL-derefs on open() and write()
    - USB: serial: ftdi_sio: add device IDs for Sienna and Echelon PL-20
    - USB: serial: option: add Telit FN980 compositions
    - USB: serial: option: add support for Cinterion CLS8 devices
    - USB: serial: fix runtime PM after driver unbind
    - USB: usblcd: fix I/O after disconnect
    - USB: microtek: fix info-leak at probe
    - USB: dummy-hcd: fix power budget for SuperSpeed mode
    - usb: renesas_usbhs: gadget: Do not discard queues in
      usb_ep_set_{halt,wedge}()
    - usb: renesas_usbhs: gadget: Fix usb_ep_set_{halt,wedge}() behavior
    - USB: legousbtower: fix slab info leak at probe
    - USB: legousbtower: fix deadlock on disconnect
    - USB: legousbtower: fix potential NULL-deref on disconnect
    - USB: legousbtower: fix open after failed reset request
    - USB: legousbtower: fix use-after-free on release
    - staging: vt6655: Fix memory leak in vt6655_probe
    - iio: adc: ad799x: fix probe error handling
    - iio: adc: axp288: Override TS pin bias current for some models
    - iio: light: opt3001: fix mutex unlock race
    - efivar/ssdt: Don't iterate over EFI vars if no SSDT override was specified
    - perf llvm: Don't access out-of-scope array
    - perf inject jit: Fix JIT_CODE_MOVE filename
    - CIFS: Gracefully handle QueryInfo errors during open
    - CIFS: Force revalidate inode when dentry is stale
    - CIFS: Force reval dentry if LOOKUP_REVAL flag is set
    - kernel/sysctl.c: do not override max_threads provided by userspace
    - firmware: google: increment VPD key_len properly
    - gpiolib: don't clear FLAG_IS_OUT when emulating open-drain/open-source
    - Staging: fbtft: fix memory leak in fbtft_framebuffer_alloc
    - iio: hx711: add delay until DOUT is ready
    - iio: adc: hx711: fix bug in sampling of data
    - btrfs: fix incorrect updating of log root tree
    - NFS: Fix O_DIRECT accounting of number of bytes read/written
    - MIPS: Disable Loongson MMI instructions for kernel build
    - Fix the locking in dcache_readdir() and friends
    - media: stkwebcam: fix runtime PM after driver unbind
    - tracing/hwlat: Report total time spent in all NMIs during the sample
    - tracing/hwlat: Don't ignore outer-loop duration when calculating max_latency
    - ftrace: Get a reference counter for the trace_array on filter files
    - tracing: Get trace_array reference for available_tracers files
    - x86/asm: Fix MWAITX C-state hint value
    - iio: adc: stm32-adc: fix a race when using several adcs with dma and irq
    - cifs: use cifsInodeInfo->open_file_lock while iterating to avoid a panic
    - btrfs: fix uninitialized ret in ref-verify
    - arm64/sve: Fix wrong free for task->thread.sve_state
    - [Config] updateconfigs for USB_RIO500

  * Bionic update: upstream stable patchset 2019-11-13 (LP: #1852492)
    - zram: fix race between backing_dev_show and backing_dev_store
    - dm snapshot: use mutex instead of rw_semaphore
    - dm snapshot: introduce account_start_copy() and account_end_copy()
    - dm snapshot: rework COW throttling to fix deadlock
    - dm: Use kzalloc for all structs with embedded biosets/mempools
    - f2fs: flush quota blocks after turnning it off
    - scsi: lpfc: Fix a duplicate 0711 log message number.
    - sc16is7xx: Fix for "Unexpected interrupt: 8"
    - powerpc/powernv: hold device_hotplug_lock when calling
      memtrace_offline_pages()
    - HID: i2c-hid: add Direkt-Tek DTLAPY133-1 to descriptor override
    - x86/cpu: Add Atom Tremont (Jacobsville)
    - HID: i2c-hid: Add Odys Winbook 13 to descriptor override
    - clk: boston: unregister clks on failure in clk_boston_setup()
    - scripts/setlocalversion: Improve -dirty check with git-status
      --no-optional-locks
    - HID: Add ASUS T100CHI keyboard dock battery quirks
    - usb: handle warm-reset port requests on hub resume
    - rtc: pcf8523: set xtal load capacitance from DT
    - mlxsw: spectrum: Set LAG port collector only when active
    - ALSA: hda/realtek - Apply ALC294 hp init also for S4 resume
    - media: vimc: Remove unused but set variables
    - exec: load_script: Do not exec truncated interpreter path
    - PCI/PME: Fix possible use-after-free on remove
    - power: supply: max14656: fix potential use-after-free
    - iio: adc: meson_saradc: Fix memory allocation order
    - iio: fix center temperature of bmc150-accel-core
    - libsubcmd: Make _FORTIFY_SOURCE defines dependent on the feature
    - perf tests: Avoid raising SEGV using an obvious NULL dereference
    - perf map: Fix overlapped map handling
    - perf jevents: Fix period for Intel fixed counters
    - staging: rtl8188eu: fix null dereference when kzalloc fails
    - RDMA/hfi1: Prevent memory leak in sdma_init
    - RDMA/iwcm: Fix a lock inversion issue
    - HID: hyperv: Use in-place iterator API in the channel callback
    - nfs: Fix nfsi->nrequests count error on nfs_inode_remove_request
    - arm64: ftrace: Ensure synchronisation in PLT setup for Neoverse-N1 #1542419
    - tty: serial: owl: Fix the link time qualifier of 'owl_uart_exit()'
    - tty: n_hdlc: fix build on SPARC
    - gpio: max77620: Use correct unit for debounce times
    - fs: cifs: mute -Wunused-const-variable message
    - serial: mctrl_gpio: Check for NULL pointer
    - efi/cper: Fix endianness of PCIe class code
    - efi/x86: Do not clean dummy variable in kexec path
    - MIPS: include: Mark __cmpxchg as __always_inline
    - x86/xen: Return from panic notifier
    - ocfs2: clear zero in unaligned direct IO
    - fs: ocfs2: fix possible null-pointer dereferences in
      ocfs2_xa_prepare_entry()
    - fs: ocfs2: fix a possible null-pointer dereference in
      ocfs2_write_end_nolock()
    - fs: ocfs2: fix a possible null-pointer dereference in
      ocfs2_info_scan_inode_alloc()
    - sched/vtime: Fix guest/system mis-accounting on task switch
    - perf/x86/amd: Change/fix NMI latency mitigation to use a timestamp
    - MIPS: include: Mark __xchg as __always_inline
    - MIPS: fw: sni: Fix out of bounds init of o32 stack
    - nbd: fix possible sysfs duplicate warning
    - NFSv4: Fix leak of clp->cl_acceptor string
    - s390/uaccess: avoid (false positive) compiler warnings
    - tracing: Initialize iter->seq after zeroing in tracing_read_pipe()
    - nbd: verify socket is supported during setup
    - USB: legousbtower: fix a signedness bug in tower_probe()
    - thunderbolt: Use 32-bit writes when writing ring producer/consumer
    - fuse: flush dirty data/metadata before non-truncate setattr
    - fuse: truncate pending writes on O_TRUNC
    - ALSA: bebob: Fix prototype of helper function to return negative value
    - UAS: Revert commit 3ae62a42090f ("UAS: fix alignment of scatter/gather
      segments")
    - USB: gadget: Reject endpoints with 0 maxpacket value
    - usb-storage: Revert commit 747668dbc061 ("usb-storage: Set
      virt_boundary_mask to avoid SG overflows")
    - USB: ldusb: fix ring-buffer locking
    - USB: ldusb: fix control-message timeout
    - USB: serial: whiteheat: fix potential slab corruption
    - USB: serial: whiteheat: fix line-speed endianness
    - scsi: target: cxgbit: Fix cxgbit_fw4_ack()
    - HID: i2c-hid: add Trekstor Primebook C11B to descriptor override
    - HID: Fix assumption that devices have inputs
    - HID: fix error message in hid_open_report()
    - nl80211: fix validation of mesh path nexthop
    - s390/cmm: fix information leak in cmm_timeout_handler()
    - s390/idle: fix cpu idle time calculation
    - arm64: Ensure VM_WRITE|VM_SHARED ptes are clean by default
    - dmaengine: cppi41: Fix cppi41_dma_prep_slave_sg() when idle
    - llc: fix sk_buff leak in llc_sap_state_process()
    - llc: fix sk_buff leak in llc_conn_service()
    - rxrpc: Fix call ref leak
    - NFC: pn533: fix use-after-free and memleaks
    - bonding: fix potential NULL deref in bond_update_slave_arr
    - net: usb: sr9800: fix uninitialized local variable
    - sch_netem: fix rcu splat in netem_enqueue()
    - sctp: fix the issue that flags are ignored when using kernel_connect
    - sctp: not bind the socket in sctp_connect
    - xfs: Correctly invert xfs_buftarg LRU isolation logic
    - ALSA: timer: Simplify error path in snd_timer_open()
    - ALSA: timer: Fix mutex deadlock at releasing card
    - Revert "ALSA: hda: Flush interrupts on disabling"
    - Btrfs: fix inode cache block reserve leak on failure to allocate data space
    - Btrfs: fix memory leak due to concurrent append writes with fiemap
    - tools/power turbostat: fix goldmont C-state limit decoding
    - bcache: fix input overflow to writeback_rate_minimum
    - netfilter: ipset: Make invalid MAC address checks consistent
    - platform/x86: Add the VLV ISP PCI ID to atomisp2_pm
    - platform/x86: Fix config space access for intel_atomisp2_pm
    - NFSv4: Ensure that the state manager exits the loop on SIGKILL
    - ALSA: usb-audio: Cleanup DSD whitelist
    - arm64: Add MIDR encoding for HiSilicon Taishan CPUs
    - arm64: kpti: Whitelist HiSilicon Taishan v110 CPUs
    - scsi: lpfc: Correct localport timeout duration error
    - ext4: disallow files with EXT4_JOURNAL_DATA_FL from EXT4_IOC_SWAP_BOOT
    - net: dsa: mv88e6xxx: Release lock while requesting IRQ
    - drm/amd/display: fix odm combine pipe reset
    - perf script brstackinsn: Fix recovery from LBR/binary mismatch
    - perf tools: Propagate get_cpuid() error
    - perf annotate: Propagate perf_env__arch() error
    - perf annotate: Fix the signedness of failure returns
    - arm64: armv8_deprecated: Checking return value for memory allocation
    - x86/cpu: Add Comet Lake to the Intel CPU models header
    - iio: imu: adis16400: release allocated memory on failure
    - usb: xhci: fix __le32/__le64 accessors in debugfs code
    - dmaengine: qcom: bam_dma: Fix resource leak
    - NFS: Fix an RCU lock leak in nfs4_refresh_delegation_stateid()
    - batman-adv: Avoid free/alloc race when handling OGM buffer
    - powerpc/powernv: Fix CPU idle to be called with IRQs disabled

  * Dell XPS 13 9350/9360 headphone audio hiss (LP: #1654448) // [XPS 13 9360,
    Realtek ALC3246, Black Headphone Out, Front] High noise floor
    (LP: #1845810) // Bionic update: upstream stable patchset 2019-11-13
    (LP: #1852492)
    - ALSA: hda/realtek: Reduce the Headphone static noise on XPS 9350/9360

  * Add GeminiLake support on Intel int340x thermal device (LP: #1851506)
    - thermal: int340x: processor_thermal: Add GeminiLake support

  * System hangs at early boot (LP: #1851216)
    - x86/timer: Skip PIT initialization on modern chipsets

  * Some EFI systems fail to boot in efi_init() when booted via maas
    (LP: #1851810)
    - efi: efi_get_memory_map -- increase map headroom

  * dkms artifacts may expire from the pool (LP: #1850958)
    - [Packaging] dkms -- try launchpad librarian for pool downloads
    - [Packaging] dkms -- dkms-build quieten wget verbiage

  * update ENA driver to version 2.1.0 (LP: #1850175)
    - net: ena: fix: set freed objects to NULL to avoid failing future allocations
    - net: ena: fix swapped parameters when calling
      ena_com_indirect_table_fill_entry
    - net: ena: fix: Free napi resources when ena_up() fails
    - net: ena: fix incorrect test of supported hash function
    - net: ena: fix return value of ena_com_config_llq_info()
    - net: ena: improve latency by disabling adaptive interrupt moderation by
      default
    - net: ena: fix ena_com_fill_hash_function() implementation
    - net: ena: add handling of llq max tx burst size
    - net: ena: ethtool: add extra properties retrieval via get_priv_flags
    - net: ena: replace free_tx/rx_ids union with single free_ids field in
      ena_ring
    - net: ena: arrange ena_probe() function variables in reverse christmas tree
    - net: ena: add newline at the end of pr_err prints
    - net: ena: documentation: update ena.txt
    - net: ena: allow automatic fallback to polling mode
    - net: ena: add support for changing max_header_size in LLQ mode
    - net: ena: optimise calculations for CQ doorbell
    - net: ena: add good checksum counter
    - net: ena: use dev_info_once instead of static variable
    - net: ena: add MAX_QUEUES_EXT get feature admin command
    - net: ena: enable negotiating larger Rx ring size
    - net: ena: make ethtool show correct current and max queue sizes
    - net: ena: allow queue allocation backoff when low on memory
    - net: ena: add ethtool function for changing io queue sizes
    - net: ena: remove inline keyword from functions in *.c
    - net: ena: update driver version from 2.0.3 to 2.1.0
    - net: ena: Fix bug where ring allocation backoff stopped too late
    - Revert "net: ena: ethtool: add extra properties retrieval via
      get_priv_flags"
    - net: ena: don't wake up tx queue when down
    - net: ena: clean up indentation issue

  * Skip frame when buffer overflow on UVC camera (LP: #1849871)
    - media: uvcvideo: Mark buffer error where overflow

  * Handle the skip return code in kernel_selftests on Bionic (LP: #1812352)
    - selftests: lib.mk set KSFT_TAP_LEVEL to prevent nested TAP headers
    - selftests: Fix lib.mk run_tests target shell script
    - selftests: lib.mk: cleanup RUN_TESTS define and make it readable
    - selftests: lib.mk: add SKIP handling to RUN_TESTS define

  * Intel Wireless AC 3168 on Eoan complaints FW error in SYNC CMD
    GEO_TX_POWER_LIMIT (LP: #1846016)
    - iwlwifi: exclude GEO SAR support for 3168

  * tsc marked unstable after entered PC10 on Intel CoffeeLake (LP: #1840239)
    - SAUCE: x86/intel: Disable HPET on Intel Coffe Lake platforms
    - SAUCE: x86/intel: Disable HPET on Intel Ice Lake platforms

  * Bionic update: upstream stable patchset 2019-11-08 (LP: #1851876)
    - scsi: ufs: skip shutdown if hba is not powered
    - scsi: megaraid: disable device when probe failed after enabled device
    - scsi: qla2xxx: Fix unbound sleep in fcport delete path.
    - ARM: OMAP2+: Fix missing reset done flag for am3 and am43
    - ieee802154: ca8210: prevent memory leak
    - ARM: dts: am4372: Set memory bandwidth limit for DISPC
    - net: dsa: qca8k: Use up to 7 ports for all operations
    - MIPS: dts: ar9331: fix interrupt-controller size
    - xen/efi: Set nonblocking callbacks
    - nl80211: fix null pointer dereference
    - mac80211: fix txq null pointer dereference
    - mips: Loongson: Fix the link time qualifier of 'serial_exit()'
    - net: hisilicon: Fix usage of uninitialized variable in function
      mdio_sc_cfg_reg_write()
    - namespace: fix namespace.pl script to support relative paths
    - Revert "drm/radeon: Fix EEH during kexec"
    - ocfs2: fix panic due to ocfs2_wq is null
    - ipv4: Return -ENETUNREACH if we can't create route but saddr is valid
    - net: bcmgenet: Fix RGMII_MODE_EN value for GENET v1/2/3
    - net: bcmgenet: Set phydev->dev_flags only for internal PHYs
    - net: i82596: fix dma_alloc_attr for sni_82596
    - net: stmmac: disable/enable ptp_ref_clk in suspend/resume flow
    - sctp: change sctp_prot .no_autobind with true
    - net: avoid potential infinite loop in tc_ctl_action()
    - memfd: Fix locking when tagging pins
    - USB: legousbtower: fix memleak on disconnect
    - ALSA: hda/realtek - Add support for ALC711
    - usb: udc: lpc32xx: fix bad bit shift operation
    - USB: serial: ti_usb_3410_5052: fix port-close races
    - USB: ldusb: fix memleak on disconnect
    - USB: usblp: fix use-after-free on disconnect
    - USB: ldusb: fix read info leaks
    - arm64: v8.4: Support for new floating point multiplication instructions
    - arm64: Documentation: cpu-feature-registers: Remove RES0 fields
    - arm64: Expose Arm v8.4 features
    - arm64: move SCTLR_EL{1,2} assertions to <asm/sysreg.h>
    - arm64: add PSR_AA32_* definitions
    - arm64: Introduce sysreg_clear_set()
    - arm64: capabilities: Update prototype for enable call back
    - arm64: capabilities: Move errata work around check on boot CPU
    - arm64: capabilities: Move errata processing code
    - arm64: capabilities: Prepare for fine grained capabilities
    - arm64: capabilities: Add flags to handle the conflicts on late CPU
    - arm64: capabilities: Unify the verification
    - arm64: capabilities: Filter the entries based on a given mask
    - arm64: capabilities: Prepare for grouping features and errata work arounds
    - arm64: capabilities: Split the processing of errata work arounds
    - arm64: capabilities: Allow features based on local CPU scope
    - arm64: capabilities: Group handling of features and errata workarounds
    - arm64: capabilities: Introduce weak features based on local CPU
    - arm64: capabilities: Restrict KPTI detection to boot-time CPUs
    - arm64: capabilities: Add support for features enabled early
    - arm64: capabilities: Change scope of VHE to Boot CPU feature
    - arm64: capabilities: Clean up midr range helpers
    - arm64: Add helpers for checking CPU MIDR against a range
    - arm64: Add MIDR encoding for Arm Cortex-A55 and Cortex-A35
    - arm64: capabilities: Add support for checks based on a list of MIDRs
    - arm64: KVM: Use SMCCC_ARCH_WORKAROUND_1 for Falkor BP hardening
    - arm64: don't zero DIT on signal return
    - arm64: Get rid of __smccc_workaround_1_hvc_*
    - arm64: cpufeature: Detect SSBS and advertise to userspace
    - arm64: ssbd: Add support for PSTATE.SSBS rather than trapping to EL3
    - KVM: arm64: Set SCTLR_EL2.DSSBS if SSBD is forcefully disabled and !vhe
    - arm64: fix SSBS sanitization
    - arm64: Add sysfs vulnerability show for spectre-v1
    - arm64: add sysfs vulnerability show for meltdown
    - arm64: enable generic CPU vulnerabilites support
    - arm64: Always enable ssb vulnerability detection
    - arm64: Provide a command line to disable spectre_v2 mitigation
    - arm64: Advertise mitigation of Spectre-v2, or lack thereof
    - arm64: Always enable spectre-v2 vulnerability detection
    - arm64: add sysfs vulnerability show for spectre-v2
    - arm64: add sysfs vulnerability show for speculative store bypass
    - arm64: ssbs: Don't treat CPUs with SSBS as unaffected by SSB
    - arm64: Force SSBS on context switch
    - arm64: Use firmware to detect CPUs that are not affected by Spectre-v2
    - arm64/speculation: Support 'mitigations=' cmdline option
    - MIPS: tlbex: Fix build_restore_pagemask KScratch restore
    - staging: wlan-ng: fix exit return when sme->key_idx >= NUM_WEPKEYS
    - scsi: sd: Ignore a failure to sync cache due to lack of authorization
    - scsi: core: save/restore command resid for error handling
    - scsi: core: try to get module before removing device
    - scsi: ch: Make it possible to open a ch device multiple times again
    - Input: da9063 - fix capability and drop KEY_SLEEP
    - Input: synaptics-rmi4 - avoid processing unknown IRQs
    - ASoC: rsnd: Reinitialize bit clock inversion flag for every format setting
    - cfg80211: wext: avoid copying malformed SSIDs
    - mac80211: Reject malformed SSID elements
    - drm/amdgpu: Bail earlier when amdgpu.cik_/si_support is not set to 1
    - drivers/base/memory.c: don't access uninitialized memmaps in
      soft_offline_page_store()
    - fs/proc/page.c: don't access uninitialized memmaps in fs/proc/page.c
    - scsi: zfcp: fix reaction on bit error threshold notification
    - mm/slub: fix a deadlock in show_slab_objects()
    - mm/page_owner: don't access uninitialized memmaps when reading
      /proc/pagetypeinfo
    - hugetlbfs: don't access uninitialized memmaps in pfn_range_valid_gigantic()
    - xtensa: drop EXPORT_SYMBOL for outs*/ins*
    - parisc: Fix vmap memory leak in ioremap()/iounmap()
    - CIFS: avoid using MID 0xFFFF
    - x86/boot/64: Make level2_kernel_pgt pages invalid outside kernel area
    - pinctrl: armada-37xx: fix control of pins 32 and up
    - pinctrl: armada-37xx: swap polarity on LED group
    - btrfs: block-group: Fix a memory leak due to missing btrfs_put_block_group()
    - memstick: jmb38x_ms: Fix an error handling path in 'jmb38x_ms_probe()'
    - cpufreq: Avoid cpufreq_suspend() deadlock on system shutdown
    - xen/netback: fix error path of xenvif_connect_data()
    - PCI: PM: Fix pci_power_up()
    - KVM: X86: introduce invalidate_gpa argument to tlb flush
    - kvm: vmx: Introduce lapic_mode enumeration
    - kvm: vmx: Basic APIC virtualization controls have three settings
    - RDMA/cxgb4: Do not dma memory off of the stack
    - ARM: OMAP2+: Fix warnings with broken omap2_set_init_voltage()
    - libata/ahci: Fix PCS quirk application
    - ipv4: fix race condition between route lookup and invalidation
    - ALSA: hda/realtek - Enable headset mic on Asus MJ401TA
    - ALSA: hda - Force runtime PM on Nvidia HDMI codecs
    - ACPI: CPPC: Set pcc_data[pcc_ss_id] to NULL in acpi_cppc_processor_exit()
    - EDAC/ghes: Fix Use after free in ghes_edac remove path
    - arm64: Enable workaround for Cavium TX2 erratum 219 when running SMT
    - CIFS: Fix use after free of file info structures
    - perf/aux: Fix AUX output stopping
    - dm cache: fix bugs when a GFP_NOWAIT allocation fails
    - x86/apic/x2apic: Fix a NULL pointer deref when handling a dying cpu
    - Btrfs: add missing extents release on file extent cluster relocation error

  * Colour banding in Lenovo G50-80 laptop display (i915) (LP: #1819968) //
    Bionic update: upstream stable patchset 2019-11-08 (LP: #1851876)
    - drm/edid: Add 6 bpc quirk for SDC panel in Lenovo G50

  * cloudimg: no iavf/i40evf module so no network available with SR-IOV enabled
    cloud (LP: #1848481)
    - [Debian]: include i40evf in generic

  * [SRU][B/OEM-B/OEM-OSP1/D/E] UBUNTU: SAUCE: add rtl623 codec support and fix
    mic issues (LP: #1850599)
    - SAUCE: ALSA: hda/realtek - Add support for ALC623
    - SAUCE: ALSA: hda/realtek - Fix 2 front mics of codec 0x623

  * Add Intel Comet Lake ethernet support (LP: #1848555)
    - e1000e: Add support for Comet Lake

  * Suppress "hid_field_extract() called with n (192) > 32!" message floods
    (LP: #1850600)
    - HID: core: reformat and reduce hid_printk macros
    - HID: core: Add printk_once variants to hid_warn() etc
    - HID: core: fix dmesg flooding if report field larger than 32bit

  * AMD Prairie Falcon platform failed to boot up (LP: #1850572)
    - drm/amdgpu: re-enable CGCG on CZ and disable on ST

  * UIO: mutex used in interrupt handler causes crash (LP: #1843487)
    - Revert "uio: use request_threaded_irq instead"

  * root can lift kernel lockdown (LP: #1851380)
    - SAUCE: (efi-lockdown) Really don't allow lifting lockdown from userspace

  * Suspend stopped working from 4.4.0-157 onwards (LP: #1844021) // Bionic
    update: upstream stable patchset 2019-10-29 (LP: #1850541)
    - xhci: Increase STS_SAVE timeout in xhci_suspend()

  * Bionic update: upstream stable patchset 2019-10-23 (LP: #1849576)
    - s390/process: avoid potential reading of freed stack
    - KVM: s390: Test for bad access register and size at the start of S390_MEM_OP
    - s390/topology: avoid firing events before kobjs are created
    - s390/cio: avoid calling strlen on null pointer
    - s390/cio: exclude subchannels with no parent from pseudo check
    - KVM: PPC: Book3S HV: Don't lose pending doorbell request on migration on P9
    - PM / devfreq: tegra: Fix kHz to Hz conversion
    - ASoC: Define a set of DAPM pre/post-up events
    - powerpc/powernv: Restrict OPAL symbol map to only be readable by root
    - can: mcp251x: mcp251x_hw_reset(): allow more time after a reset
    - tools lib traceevent: Fix "robust" test of do_generate_dynamic_list_file
    - crypto: qat - Silence smp_processor_id() warning
    - crypto: skcipher - Unmap pages after an external error
    - crypto: cavium/zip - Add missing single_release()
    - crypto: caam - fix concurrency issue in givencrypt descriptor
    - usercopy: Avoid HIGHMEM pfn warning
    - timer: Read jiffies once when forwarding base clk
    - watchdog: imx2_wdt: fix min() calculation in imx2_wdt_set_timeout
    - drm/omap: fix max fclk divider for omap36xx
    - mmc: sdhci: improve ADMA error reporting
    - mmc: sdhci-of-esdhc: set DMA snooping based on DMA coherence
    - Revert "locking/pvqspinlock: Don't wait if vCPU is preempted"
    - xen/xenbus: fix self-deadlock after killing user process
    - ieee802154: atusb: fix use-after-free at disconnect
    - cfg80211: initialize on-stack chandefs
    - ima: always return negative code for error
    - fs: nfs: Fix possible null-pointer dereferences in encode_attrs()
    - 9p: avoid attaching writeback_fid on mmap with type PRIVATE
    - xen/pci: reserve MCFG areas earlier
    - ceph: fix directories inode i_blkbits initialization
    - ceph: reconnect connection if session hang in opening state
    - watchdog: aspeed: Add support for AST2600
    - netfilter: nf_tables: allow lookups in dynamic sets
    - drm/amdgpu: Check for valid number of registers to read
    - pNFS: Ensure we do clear the return-on-close layout stateid on fatal errors
    - pwm: stm32-lp: Add check in case requested period cannot be achieved
    - thermal: Fix use-after-free when unregistering thermal zone device
    - fuse: fix memleak in cuse_channel_open
    - sched/core: Fix migration to invalid CPU in __set_cpus_allowed_ptr()
    - perf build: Add detection of java-11-openjdk-devel package
    - kernel/elfcore.c: include proper prototypes
    - perf unwind: Fix libunwind build failure on i386 systems
    - KVM: PPC: Book3S HV: XIVE: Free escalation interrupts before disabling the
      VP
    - nbd: fix crash when the blksize is zero
    - block/ndb: add WQ_UNBOUND to the knbd-recv workqueue
    - nbd: fix max number of supported devs
    - powerpc/pseries: Fix cpu_hotplug_lock acquisition in resize_hpt()
    - tools lib traceevent: Do not free tep->cmdlines in add_new_comm() on failure
    - tick: broadcast-hrtimer: Fix a race in bc_set_next
    - perf tools: Fix segfault in cpu_cache_level__read()
    - perf stat: Fix a segmentation fault when using repeat forever
    - perf stat: Reset previous counts on repeat with interval
    - vfs: Fix EOVERFLOW testing in put_compat_statfs64
    - coresight: etm4x: Use explicit barriers on enable/disable
    - cfg80211: add and use strongly typed element iteration macros
    - cfg80211: Use const more consistently in for_each_element macros
    - nl80211: validate beacon head
    - ASoC: sgtl5000: Improve VAG power and mute control
    - KVM: PPC: Book3S HV: Check for MMU ready on piggybacked virtual cores
    - powerpc/mce: Fix MCE handling for huge pages
    - powerpc/mce: Schedule work from irq_work
    - MIPS: Treat Loongson Extensions as ASEs
    - PCI: Restore Resizable BAR size bits correctly for 1MB BARs
    - drm/msm/dsi: Fix return value check for clk_get_parent
    - ima: fix freeing ongoing ahash_request
    - x86/purgatory: Disable the stackleak GCC plugin for the purgatory
    - thermal_hwmon: Sanitize thermal_zone type
    - libnvdimm/region: Initialize bad block for volatile namespaces
    - drm/radeon: Bail earlier when radeon.cik_/si_support=0 is passed

 -- Stefan Bader <stefan.bader@xxxxxxxxxxxxx>  Tue, 26 Nov 2019 12:18:37 +0100

** Changed in: linux (Ubuntu Bionic)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1851380

Title:
  root can lift kernel lockdown

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Xenial:
  Invalid
Status in linux source package in Bionic:
  Fix Released
Status in linux source package in Disco:
  Fix Released
Status in linux source package in Eoan:
  Fix Released
Status in linux source package in Focal:
  In Progress

Bug description:
  SRU Justification

  Impact: The kernel lockdown support adds a sysrq to allow a physically
  present user to disable lockdown from the keyboard. A bug in the
  implementation makes it possible to also lift lockdown by writing to
  /proc/sysrq-trigger.

  Fix: Correct the logic to disallow disabling lockdown via
  /proc/sysrq-trigger.

  Test Case: Write "x" to /proc/sysrq-trigger. When working properly
  there should be no messages in dmesg about lifting lockdown, and
  lockdown restrictions (e.g. loading unsigned modules) should remain in
  effect.

  Regression Potential: Anyone using /proc/sysrq-trigger to disable
  lockdown will no longer be able to do so. Implementation bugs could
  prevent use of the sysrq from the keyboard from disabling lockdown,
  but this has been confirmed to still work with the fix in place.

  ---

  Echoing "x" into /proc/sysrq-trigger disables kernel lockdown, even
  though it shouldn't.

  If I'm not mistaken, kernel lockdown is meant to create a barrier
  between root and the kernel that can only be broken with physical
  access to the system. It is automatically enabled when the system is
  booted with UEFI Secure Boot, which is the case for me.

  This should show the bug:

  # echo "x" > /proc/sysrq-trigger
  Nov 05 14:58:15 panzersperre kernel: sysrq: SysRq :
  Nov 05 14:58:15 panzersperre kernel: This sysrq operation is disabled from userspace.
  Nov 05 14:58:15 panzersperre kernel: Disabling Secure Boot restrictions
  Nov 05 14:58:15 panzersperre kernel: Lifting lockdown

  Note that it first says that the operation is disabled and then performs this operation.
  This should only be possible by physically pressing sysrq+x on an attached keyboard.

  I'm doing this on 4.15.0-68-generic on Ubuntu 18.04.3 LTS.
  I have kernel.sysrq set to 1 - this is important to be able to trigger this bug. (But I don't think it disqualifies this issue as non-security relevant because root can trivially execute `sysctl kernel.sysrq=1`.)

  I first learned about this by reading a blog post
  (https://gehrcke.de/2019/09/running-an-ebpf-program-may-require-lifting-the-kernel-lockdown/),
  so I'm not the first to notice this
  behavior (even though this post doesn't say it's a bug).

  Looking through drivers/tty/sysrq.c, I guess the problem is caused by
  this if condition in __handle_sysrq:

      /* Ban synthetic events from some sysrq functionality */
      if ((from == SYSRQ_FROM_PROC || from == SYSRQ_FROM_SYNTHETIC) &&
          op_p->enable_mask & SYSRQ_DISABLE_USERSPACE)
          printk("This sysrq operation is disabled from userspace.\n");
      /*
       * Should we check for enabled operations (/proc/sysrq-trigger
       * should not) and is the invoked operation enabled?
       */
      if (from == SYSRQ_FROM_KERNEL || sysrq_on_mask(op_p->enable_mask)) {
          pr_cont("%s\n", op_p->action_msg);
          console_loglevel = orig_log_level;
          op_p->handler(key);
      } else {
          pr_cont("This sysrq operation is disabled.\n");
      }

  Note that `op_p->enable_mask & SYSRQ_DISABLE_USERSPACE` just causes a
  printk and no change of behavior.

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: linux-image-4.15.0-68-generic 4.15.0-68.77
  ProcVersionSignature: Ubuntu 4.15.0-68.77-generic 4.15.18
  Uname: Linux 4.15.0-68-generic x86_64
  ApportVersion: 2.20.9-0ubuntu7.8
  Architecture: amd64
  AudioDevicesInUse:
   USER        PID ACCESS COMMAND
   /dev/snd/controlC1:  niklas     2442 F.... pulseaudio
   /dev/snd/controlC0:  niklas     2442 F.... pulseaudio
  CurrentDesktop: KDE
  Date: Tue Nov  5 14:58:33 2019
  InstallationDate: Installed on 2015-12-11 (1424 days ago)
  InstallationMedia: Kubuntu 14.04.3 LTS "Trusty Tahr" - Beta amd64 (20150805)
  MachineType: LENOVO 20E8S00600
  ProcFB: 0 inteldrmfb
  ProcKernelCmdLine: BOOT_IMAGE=/@/boot/vmlinuz-4.15.0-68-generic root=UUID=67485aa6-c665-4c53-bf41-328307d0cbf0 ro rootflags=subvol=@ quiet splash kaslr i915.alpha_support=1 vt.handoff=1
  RelatedPackageVersions:
   linux-restricted-modules-4.15.0-68-generic N/A
   linux-backports-modules-4.15.0-68-generic  N/A
   linux-firmware                             1.173.11
  SourcePackage: linux
  UpgradeStatus: Upgraded to bionic on 2018-07-05 (487 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1851380/+subscriptions
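
Added example, not part of the original report and not the Ubuntu patch: a user-space C model of the control flow quoted from __handle_sysrq, next to a variant in which the userspace ban returns before the handler is reached. SYSRQ_FROM_KEYBOARD, the numeric flag values, and the names handle_sysrq_as_reported, handle_sysrq_checked and lockdown_survives are assumptions made for this model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Origin of a sysrq request. SYSRQ_FROM_KERNEL, SYSRQ_FROM_PROC and
 * SYSRQ_FROM_SYNTHETIC appear in the quoted snippet; SYSRQ_FROM_KEYBOARD
 * is an assumed name for a physically pressed key. */
enum sysrq_from {
    SYSRQ_FROM_KERNEL,
    SYSRQ_FROM_KEYBOARD,
    SYSRQ_FROM_PROC,        /* write to /proc/sysrq-trigger */
    SYSRQ_FROM_SYNTHETIC    /* injected input event */
};

/* Flag name is from the snippet; the value is an assumption for the model. */
#define SYSRQ_DISABLE_USERSPACE 0x00010000

struct sysrq_op {
    int enable_mask;
    const char *action_msg;
    void (*handler)(void);
};

/* Modelled state: lockdown flag and the kernel.sysrq sysctl (1 in the report). */
static bool lockdown_active = true;
static int sysrq_enabled = 1;

static void lift_lockdown(void)
{
    printf("Lifting lockdown\n");
    lockdown_active = false;
}

/* Simplified stand-in for sysrq_on_mask(): kernel.sysrq=1 enables every op. */
static bool sysrq_on_mask(int mask)
{
    return sysrq_enabled == 1 || (sysrq_enabled & mask);
}

static bool from_userspace(enum sysrq_from from)
{
    return from == SYSRQ_FROM_PROC || from == SYSRQ_FROM_SYNTHETIC;
}

/* Control flow as quoted in the report: the userspace ban only logs,
 * then execution falls through to the enable check and the handler.
 * Returns true if the handler ran. */
static bool handle_sysrq_as_reported(const struct sysrq_op *op,
                                     enum sysrq_from from)
{
    if (from_userspace(from) && (op->enable_mask & SYSRQ_DISABLE_USERSPACE))
        printf("This sysrq operation is disabled from userspace.\n");

    if (from == SYSRQ_FROM_KERNEL || sysrq_on_mask(op->enable_mask)) {
        printf("%s\n", op->action_msg);
        op->handler();
        return true;
    }
    printf("This sysrq operation is disabled.\n");
    return false;
}

/* Variant where the ban is enforced: a banned origin returns before the
 * handler can be reached, whatever kernel.sysrq is set to. */
static bool handle_sysrq_checked(const struct sysrq_op *op,
                                 enum sysrq_from from)
{
    if (from_userspace(from) && (op->enable_mask & SYSRQ_DISABLE_USERSPACE)) {
        printf("This sysrq operation is disabled from userspace.\n");
        return false;
    }
    if (from == SYSRQ_FROM_KERNEL || sysrq_on_mask(op->enable_mask)) {
        printf("%s\n", op->action_msg);
        op->handler();
        return true;
    }
    printf("This sysrq operation is disabled.\n");
    return false;
}

typedef bool (*sysrq_handler_fn)(const struct sysrq_op *, enum sysrq_from);

/* Re-arm lockdown, send the "x" operation from the given origin and report
 * whether lockdown is still active afterwards. */
static bool lockdown_survives(sysrq_handler_fn handle, enum sysrq_from from)
{
    struct sysrq_op op = {
        SYSRQ_DISABLE_USERSPACE,
        "Disabling Secure Boot restrictions",
        lift_lockdown
    };

    lockdown_active = true;
    handle(&op, from);
    return lockdown_active;
}

int main(void)
{
    printf("as reported, from /proc: lockdown survives = %d\n",
           lockdown_survives(handle_sysrq_as_reported, SYSRQ_FROM_PROC));
    printf("checked, from /proc:     lockdown survives = %d\n",
           lockdown_survives(handle_sysrq_checked, SYSRQ_FROM_PROC));
    printf("checked, from keyboard:  lockdown survives = %d\n",
           lockdown_survives(handle_sysrq_checked, SYSRQ_FROM_KEYBOARD));
    return 0;
}
```

The first call reproduces the message order in the quoted log, where the "disabled from userspace" line is followed by the lift; the keyboard case shows the regression concern from the SRU text, that the physical key path must keep working.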