← Back to team overview

group.of.nepali.translators team mailing list archive

[Bug 1864669] Re: [linux-azure] overlayfs regression - internal getxattr operations without sepolicy checking

 

This bug was fixed in the package linux-azure - 5.3.0-1020.21

---------------
linux-azure (5.3.0-1020.21) eoan; urgency=medium

  * eoan/linux-azure: 5.3.0-1020.21 -proposed tracker (LP: #1870711)

  * [linux-azure] overlayfs regression - internal getxattr operations without
    sepolicy checking (LP: #1864669)
    - SAUCE: overlayfs: internal getxattr operations without sepolicy checking

  [ Ubuntu: 5.3.0-47.39 ]

  * eoan/linux: 5.3.0-47.39 -proposed tracker (LP: #1870720)
  * Packaging resync (LP: #1786013)
    - update dkms package versions
  * All PS/2 ports on PS/2 Serial add-in bracket are not working after S3
    (LP: #1866734)
    - SAUCE: Input: i8042 - fix the selftest retry logic
  * Eoan update: upstream stable patchset 2020-03-31 (LP: #1869908)
    - ACPI: watchdog: Allow disabling WDAT at boot
    - HID: apple: Add support for recent firmware on Magic Keyboards
    - cfg80211: check reg_rule for NULL in handle_channel_custom()
    - scsi: libfc: free response frame from GPN_ID
    - net: usb: qmi_wwan: restore mtu min/max values after raw_ip switch
    - net: ks8851-ml: Fix IRQ handling and locking
    - mac80211: rx: avoid RCU list traversal under mutex
    - signal: avoid double atomic counter increments for user accounting
    - slip: not call free_netdev before rtnl_unlock in slip_open
    - hinic: fix a irq affinity bug
    - hinic: fix a bug of setting hw_ioctxt
    - net: rmnet: fix NULL pointer dereference in rmnet_newlink()
    - net: rmnet: fix NULL pointer dereference in rmnet_changelink()
    - net: rmnet: fix suspicious RCU usage
    - net: rmnet: remove rcu_read_lock in rmnet_force_unassociate_device()
    - net: rmnet: do not allow to change mux id if mux id is duplicated
    - net: rmnet: use upper/lower device infrastructure
    - net: rmnet: fix bridge mode bugs
    - net: rmnet: fix packet forwarding in rmnet bridge mode
    - sfc: fix timestamp reconstruction at 16-bit rollover points
    - jbd2: fix data races at struct journal_head
    - driver core: Remove device link creation limitation
    - driver core: Fix creation of device links with PM-runtime flags
    - net: qrtr: fix len of skb_put_padto in qrtr_node_enqueue
    - ARM: 8957/1: VDSO: Match ARMv8 timer in cntvct_functional()
    - ARM: 8958/1: rename missed uaccess .fixup section
    - mm: slub: add missing TID bump in kmem_cache_alloc_bulk()
    - HID: google: add moonball USB id
    - ipv4: ensure rcu_read_lock() in cipso_v4_error()
    - netfilter: hashlimit: do not use indirect calls during gc
    - netfilter: xt_hashlimit: unregister proc file before releasing mutex
    - ACPI: watchdog: Set default timeout in probe
    - HID: hid-bigbenff: fix general protection fault caused by double kfree
    - HID: hid-bigbenff: call hid_hw_stop() in case of error
    - HID: hid-bigbenff: fix race condition for scheduled work during removal
    - selftests/rseq: Fix out-of-tree compilation
    - net: ll_temac: Fix race condition causing TX hang
    - net: ll_temac: Add more error handling of dma_map_single() calls
    - net: ll_temac: Fix RX buffer descriptor handling on GFP_ATOMIC pressure
    - net: ll_temac: Handle DMA halt condition caused by buffer underrun
    - blk-mq: insert passthrough request into hctx->dispatch directly
    - drm/amdgpu: fix memory leak during TDR test(v2)
    - kbuild: add dtbs_check to PHONY
    - kbuild: add dt_binding_check to PHONY in a correct place
    - net: phy: mscc: fix firmware paths
    - hinic: fix a bug of rss configuration
    - blk-mq: insert flush request to the front of dispatch queue
    - HID: add ALWAYS_POLL quirk to lenovo pixart mouse
    - ARM: 8961/2: Fix Kbuild issue caused by per-task stack protector GCC plugin
  * This laptop contains a touchpadwhich is not recognized. (LP: #1858299) //
    Eoan update: upstream stable patchset 2020-03-31 (LP: #1869908)
    - HID: i2c-hid: add Trekstor Surfbook E11B to descriptor override
  * Eoan update: upstream stable patchset 2020-03-27 (LP: #1869433)
    - net: dsa: bcm_sf2: Forcibly configure IMP port for 1Gb/sec
    - RDMA/core: Fix pkey and port assignment in get_new_pps
    - RDMA/core: Fix use of logical OR in get_new_pps
    - kprobes: Fix optimize_kprobe()/unoptimize_kprobe() cancellation logic
    - ALSA: hda: do not override bus codec_mask in link_get()
    - serial: ar933x_uart: set UART_CS_{RX,TX}_READY_ORIDE
    - selftests: fix too long argument
    - usb: gadget: composite: Support more than 500mA MaxPower
    - usb: gadget: ffs: ffs_aio_cancel(): Save/restore IRQ flags
    - usb: gadget: serial: fix Tx stall after buffer overflow
    - drm/msm/mdp5: rate limit pp done timeout warnings
    - drm: msm: Fix return type of dsi_mgr_connector_mode_valid for kCFI
    - scsi: megaraid_sas: silence a warning
    - drm/msm/dsi: save pll state before dsi host is powered off
    - drm/msm/dsi/pll: call vco set rate explicitly
    - selftests: forwarding: use proto icmp for {gretap, ip6gretap}_mac testing
    - net: ks8851-ml: Remove 8-bit bus accessors
    - net: ks8851-ml: Fix 16-bit data access
    - net: ks8851-ml: Fix 16-bit IO operation
    - watchdog: da9062: do not ping the hw during stop()
    - s390/cio: cio_ignore_proc_seq_next should increase position index
    - s390: make 'install' not depend on vmlinux
    - x86/boot/compressed: Don't declare __force_order in kaslr_64.c
    - s390/qdio: fill SL with absolute addresses
    - nvme: Fix uninitialized-variable warning
    - ice: Don't tell the OS that link is going down
    - x86/xen: Distribute switch variables for initialization
    - net: thunderx: workaround BGX TX Underflow issue
    - ALSA: hda/realtek - Fix silent output on Gigabyte X570 Aorus Master
    - cifs: don't leak -EAGAIN for stat() during reconnect
    - usb: storage: Add quirk for Samsung Fit flash
    - usb: quirks: add NO_LPM quirk for Logitech Screen Share
    - usb: dwc3: gadget: Update chain bit correctly when using sg list
    - usb: core: hub: fix unhandled return by employing a void function
    - usb: core: hub: do error out if usb_autopm_get_interface() fails
    - usb: core: port: do error out if usb_autopm_get_interface() fails
    - vgacon: Fix a UAF in vgacon_invert_region
    - mm, numa: fix bad pmd by atomically check for pmd_trans_huge when marking
      page tables prot_numa
    - mm: fix possible PMD dirty bit lost in set_pmd_migration_entry()
    - fat: fix uninit-memory access for partial initialized inode
    - arm: dts: dra76x: Fix mmc3 max-frequency
    - tty:serial:mvebu-uart:fix a wrong return
    - serial: 8250_exar: add support for ACCES cards
    - vt: selection, close sel_buffer race
    - vt: selection, push console lock down
    - vt: selection, push sel_lock up
    - media: v4l2-mem2mem.c: fix broken links
    - x86/pkeys: Manually set X86_FEATURE_OSPKE to preserve existing changes
    - dmaengine: tegra-apb: Fix use-after-free
    - dmaengine: tegra-apb: Prevent race conditions of tasklet vs free list
    - dm cache: fix a crash due to incorrect work item cancelling
    - dm: report suspended device during destroy
    - dm writecache: verify watermark during resume
    - ARM: dts: ls1021a: Restore MDIO compatible to gianfar
    - spi: bcm63xx-hsspi: Really keep pll clk enabled
    - ASoC: topology: Fix memleak in soc_tplg_link_elems_load()
    - ASoC: topology: Fix memleak in soc_tplg_manifest_load()
    - ASoC: intel: skl: Fix pin debug prints
    - ASoC: intel: skl: Fix possible buffer overflow in debug outputs
    - ASoC: pcm: Fix possible buffer overflow in dpcm state sysfs output
    - ASoC: pcm512x: Fix unbalanced regulator enable call in probe error path
    - ASoC: dapm: Correct DAPM handling of active widgets during shutdown
    - drm/sun4i: Fix DE2 VI layer format support
    - drm/sun4i: de2/de3: Remove unsupported VI layer formats
    - phy: mapphone-mdm6600: Fix timeouts by adding wake-up handling
    - phy: mapphone-mdm6600: Fix write timeouts with shorter GPIO toggle interval
    - ARM: dts: imx6: phycore-som: fix emmc supply
    - RDMA/iwcm: Fix iwcm work deallocation
    - RMDA/cm: Fix missing ib_cm_destroy_id() in ib_cm_insert_listen()
    - IB/hfi1, qib: Ensure RCU is locked when accessing list
    - ARM: imx: build v7_cpu_resume() unconditionally
    - ARM: dts: am437x-idk-evm: Fix incorrect OPP node names
    - ARM: dts: imx7-colibri: Fix frequency for sd/mmc
    - hwmon: (adt7462) Fix an error return in ADT7462_REG_VOLT()
    - dmaengine: coh901318: Fix a double lock bug in dma_tc_handle()
    - powerpc: fix hardware PMU exception bug on PowerVM compatibility mode
      systems
    - efi/x86: Align GUIDs to their size in the mixed mode runtime wrapper
    - efi/x86: Handle by-ref arguments covering multiple pages in mixed mode
    - dm integrity: fix a deadlock due to offloading to an incorrect workqueue
    - KVM: SVM: fix up incorrect backport
    - block, bfq: get extra ref to prevent a queue from being freed during a group
      move
    - block, bfq: do not insert oom queue into position tree
    - dm thin metadata: fix lockdep complaint
    - habanalabs: halt the engines before hard-reset
    - habanalabs: do not halt CoreSight during hard reset
    - habanalabs: patched cb equals user cb in device memset
    - drm/modes: Make sure to parse valid rotation value from cmdline
    - drm/modes: Allow DRM_MODE_ROTATE_0 when applying video mode parameters
    - selftests: forwarding: vxlan_bridge_1d: fix tos value
    - net: atlantic: check rpc result and wait for rpc address
    - net: ethernet: dm9000: Handle -EPROBE_DEFER in dm9000_parse_dt()
    - nvme/pci: Add sleep quirk for Samsung and Toshiba drives
    - csky/mm: Fixup export invalid_pte_table symbol
    - csky: Set regs->usp to kernel sp, when the exception is from kernel
    - csky/smp: Fixup boot failed when CONFIG_SMP
    - csky: Fixup ftrace modify panic
    - csky: Fixup compile warning for three unimplemented syscalls
    - arch/csky: fix some Kconfig typos
    - selftests: forwarding: vxlan_bridge_1d: use more proper tos value
    - firmware: imx: scu: Ensure sequential TX
    - binder: prevent UAF for binderfs devices
    - binder: prevent UAF for binderfs devices II
    - ALSA: hda/realtek - Add Headset Button supported for ThinkPad X1
    - ALSA: hda/realtek - Enable the headset of ASUS B9450FA with ALC294
    - mm, hotplug: fix page online with DEBUG_PAGEALLOC compiled but not enabled
    - btrfs: fix RAID direct I/O reads with alternate csums
    - arm64: dts: socfpga: agilex: Fix gmac compatible
    - tty: serial: fsl_lpuart: free IDs allocated by IDA
    - media: hantro: Fix broken media controller links
    - media: mc-entity.c: use & to check pad flags, not ==
    - perf intel-pt: Fix endless record after being terminated
    - perf intel-bts: Fix endless record after being terminated
    - perf cs-etm: Fix endless record after being terminated
    - perf arm-spe: Fix endless record after being terminated
    - spi: spidev: Fix CS polarity if GPIO descriptors are used
    - s390/pci: Fix unexpected write combine on resource
    - s390/mm: fix panic in gup_fast on large pud
    - dmaengine: imx-sdma: fix context cache
    - dmaengine: imx-sdma: Fix the event id check to include RX event for UART6
    - dm integrity: fix recalculation when moving from journal mode to bitmap mode
    - dm integrity: fix invalid table returned due to argument count mismatch
    - dm zoned: Fix reference counter initial value of chunk works
    - dm: fix congested_fn for request-based device
    - drm/virtio: make resource id workaround runtime switchable.
    - drm/virtio: fix resource id creation race
    - ASoC: SOF: Fix snd_sof_ipc_stream_posn()
    - powerpc: define helpers to get L1 icache sizes
    - powerpc: Convert flush_icache_range & friends to C
    - powerpc/mm: Fix missing KUAP disable in flush_coherent_icache()
    - ASoC: Intel: Skylake: Fix available clock counter incrementation
    - spi: atmel-quadspi: fix possible MMIO window size overrun
    - drm/sun4i: Add separate DE3 VI layer formats
    - drm/i915: Program MBUS with rmw during initialization
    - drm/i915/selftests: Fix return in assert_mmap_offset()
    - arm64: dts: imx8qxp-mek: Remove unexisting Ethernet PHY
    - firmware: imx: misc: Align imx sc msg structs to 4
    - firmware: imx: scu-pd: Align imx sc msg structs to 4
    - firmware: imx: Align imx_sc_msg_req_cpu_start to 4
    - Revert "RDMA/cma: Simplify rdma_resolve_addr() error flow"
    - RDMA/nldev: Fix crash when set a QP to a new counter but QPN is missing
    - RDMA/siw: Fix failure handling during device creation
    - RDMA/core: Fix protection fault in ib_mr_pool_destroy
    - regulator: stm32-vrefbuf: fix a possible overshoot when re-enabling
    - ARM: dts: dra7xx-clocks: Fixup IPU1 mux clock parent source
    - dma-buf: free dmabuf->name in dma_buf_release()
    - arm64: dts: meson: fix gxm-khadas-vim2 wifi
    - bus: ti-sysc: Fix 1-wire reset quirk
    - EDAC/synopsys: Do not print an error with back-to-back snprintf() calls
    - efi: READ_ONCE rng seed size before munmap
    - block, bfq: get a ref to a group when adding it to a service tree
    - block, bfq: remove ifdefs from around gets/puts of bfq groups
    - csky: Implement copy_thread_tls
    - drm/virtio: module_param_named() requires linux/moduleparam.h
    - net: phy: Avoid multiple suspends
    - cgroup, netclassid: periodically release file_lock on classid updating
    - gre: fix uninit-value in __iptunnel_pull_header
    - inet_diag: return classid for all socket types
    - ipv6/addrconf: call ipv6_mc_up() for non-Ethernet interface
    - ipvlan: add cond_resched_rcu() while processing muticast backlog
    - ipvlan: do not add hardware address of master to its unicast filter list
    - ipvlan: do not use cond_resched_rcu() in ipvlan_process_multicast()
    - ipvlan: don't deref eth hdr before checking it's set
    - net/ipv6: use configured metric when add peer route
    - netlink: Use netlink header as base to calculate bad attribute offset
    - net: macsec: update SCI upon MAC address change.
    - net: nfc: fix bounds checking bugs on "pipe"
    - net/packet: tpacket_rcv: do not increment ring index on drop
    - net: stmmac: dwmac1000: Disable ACS if enhanced descs are not used
    - net: systemport: fix index check to avoid an array out of bounds access
    - sfc: detach from cb_page in efx_copy_channel()
    - bnxt_en: reinitialize IRQs when MTU is modified
    - cgroup: memcg: net: do not associate sock with unrelated cgroup
    - net: memcg: late association of sock to memcg
    - net: memcg: fix lockdep splat in inet_csk_accept()
    - devlink: validate length of param values
    - fib: add missing attribute validation for tun_id
    - nl802154: add missing attribute validation
    - nl802154: add missing attribute validation for dev_type
    - can: add missing attribute validation for termination
    - macsec: add missing attribute validation for port
    - net: fq: add missing attribute validation for orphan mask
    - team: add missing attribute validation for port ifindex
    - team: add missing attribute validation for array index
    - nfc: add missing attribute validation for SE API
    - nfc: add missing attribute validation for deactivate target
    - nfc: add missing attribute validation for vendor subcommand
    - net: phy: fix MDIO bus PM PHY resuming
    - selftests/net/fib_tests: update addr_metric_test for peer route testing
    - net/ipv6: need update peer route when modify metric
    - net/ipv6: remove the old peer route if change it to a new one
    - tipc: add missing attribute validation for MTU property
    - devlink: validate length of region addr/len
    - bonding/alb: make sure arp header is pulled before accessing it
    - slip: make slhc_compress() more robust against malicious packets
    - net: fec: validate the new settings in fec_enet_set_coalesce()
    - macvlan: add cond_resched() during multicast processing
    - cgroup: cgroup_procs_next should increase position index
    - cgroup: Iterate tasks that did not finish do_exit()
    - virtio-blk: fix hw_queue stopped on arbitrary error
    - iommu/vt-d: quirk_ioat_snb_local_iommu: replace WARN_TAINT with pr_warn +
      add_taint
    - netfilter: nf_conntrack: ct_cpu_seq_next should increase position index
    - netfilter: synproxy: synproxy_cpu_seq_next should increase position index
    - netfilter: xt_recent: recent_seq_next should increase position index
    - netfilter: x_tables: xt_mttg_seq_next should increase position index
    - workqueue: don't use wq_select_unbound_cpu() for bound works
    - drm/amd/display: remove duplicated assignment to grph_obj_type
    - ktest: Add timeout for ssh sync testing
    - cifs_atomic_open(): fix double-put on late allocation failure
    - gfs2_atomic_open(): fix O_EXCL|O_CREAT handling on cold dcache
    - KVM: x86: clear stale x86_emulate_ctxt->intercept value
    - ARC: define __ALIGN_STR and __ALIGN symbols for ARC
    - macintosh: windfarm: fix MODINFO regression
    - efi: Fix a race and a buffer overflow while reading efivars via sysfs
    - mt76: fix array overflow on receiving too many fragments for a packet
    - x86/mce: Fix logic and comments around MSR_PPIN_CTL
    - iommu/dma: Fix MSI reservation allocation
    - iommu/vt-d: dmar: replace WARN_TAINT with pr_warn + add_taint
    - iommu/vt-d: Fix a bug in intel_iommu_iova_to_phys() for huge page
    - batman-adv: Don't schedule OGM for disabled interface
    - pinctrl: meson-gxl: fix GPIOX sdio pins
    - pinctrl: core: Remove extra kref_get which blocks hogs being freed
    - drm/i915/gvt: Fix unnecessary schedule timer when no vGPU exits
    - i2c: gpio: suppress error on probe defer
    - nl80211: add missing attribute validation for critical protocol indication
    - nl80211: add missing attribute validation for beacon report scanning
    - nl80211: add missing attribute validation for channel switch
    - perf bench futex-wake: Restore thread count default to online CPU count
    - netfilter: cthelper: add missing attribute validation for cthelper
    - netfilter: nft_payload: add missing attribute validation for payload csum
      flags
    - netfilter: nft_tunnel: add missing attribute validation for tunnels
    - iommu/vt-d: Fix the wrong printing in RHSA parsing
    - iommu/vt-d: Ignore devices with out-of-spec domain number
    - i2c: acpi: put device when verifying client fails
    - ipv6: restrict IPV6_ADDRFORM operation
    - net/smc: check for valid ib_client_data
    - net/smc: cancel event worker during device removal
    - efi: Add a sanity check to efivar_store_raw()
    - batman-adv: Avoid free/alloc race when handling OGM2 buffer
    - virtio_balloon: Adjust label in virtballoon_probe
    - ALSA: hda/realtek - More constifications
    - net: dsa: fix phylink_start()/phylink_stop() calls
    - net: dsa: mv88e6xxx: fix lockup on warm boot
    - net: hns3: fix a not link up issue when fibre port supports autoneg
    - net: phy: bcm63xx: fix OOPS due to missing driver name
    - taprio: Fix sending packets without dequeueing them
    - net: taprio: add missing attribute validation for txtime delay
    - net: phy: avoid clearing PHY interrupts twice in irq handler
    - net: dsa: Don't instantiate phylink for CPU/DSA ports unless needed
    - netfilter: nf_tables: fix infinite loop when expr is not available
    - drm/i915: be more solid in checking the alignment
    - drm/i915: Defer semaphore priority bumping to a workqueue
    - KVM: nVMX: avoid NULL pointer dereference with incorrect EVMCS GPAs
    - s390/dasd: fix data corruption for thin provisioned devices
    - x86/ioremap: Map EFI runtime services data as encrypted for SEV
    - perf/amd/uncore: Replace manual sampling check with CAP_NO_INTERRUPT flag
    - pinctrl: imx: scu: Align imx sc msg structs to 4
    - virtio_ring: Fix mem leak with vring_new_virtqueue()
    - drm/i915/gvt: Fix dma-buf display blur issue on CFL
    - iommu/vt-d: Fix RCU-list bugs in intel_iommu_init()
    - netfilter: nf_tables: dump NFTA_CHAIN_FLAGS attribute
    - netfilter: nft_chain_nat: inet family is missing module ownership
  * Eoan update: upstream stable patchset 2020-03-26 (LP: #1869268)
    - iwlwifi: pcie: fix rb_allocator workqueue allocation
    - ipmi:ssif: Handle a possible NULL pointer reference
    - drm/msm: Set dma maximum segment size for mdss
    - dax: pass NOWAIT flag to iomap_apply
    - mac80211: consider more elements in parsing CRC
    - cfg80211: check wiphy driver existence for drvinfo report
    - s390/zcrypt: fix card and queue total counter wrap
    - qmi_wwan: re-add DW5821e pre-production variant
    - qmi_wwan: unconditionally reject 2 ep interfaces
    - ARM: dts: sti: fixup sound frame-inversion for stihxxx-b2120.dtsi
    - soc/tegra: fuse: Fix build with Tegra194 configuration
    - net: ena: fix potential crash when rxfh key is NULL
    - net: ena: fix uses of round_jiffies()
    - net: ena: add missing ethtool TX timestamping indication
    - net: ena: fix incorrect default RSS key
    - net: ena: rss: fix failure to get indirection table
    - net: ena: rss: store hash function as values and not bits
    - net: ena: fix incorrectly saving queue numbers when setting RSS indirection
      table
    - net: ena: ethtool: use correct value for crc32 hash
    - net: ena: ena-com.c: prevent NULL pointer dereference
    - cifs: Fix mode output in debugging statements
    - cfg80211: add missing policy for NL80211_ATTR_STATUS_CODE
    - net: fib_rules: Correctly set table field when table number exceeds 8 bits
    - net: mscc: fix in frame extraction
    - net: phy: restore mdio regs in the iproc mdio driver
    - net: sched: correct flower port blocking
    - nfc: pn544: Fix occasional HW initialization failure
    - sctp: move the format error check out of __sctp_sf_do_9_1_abort
    - ipv6: Fix route replacement with dev-only route
    - ipv6: Fix nlmsg_flags when splitting a multipath route
    - qede: Fix race between rdma destroy workqueue and link change event
    - net/tls: Fix to avoid gettig invalid tls record
    - ext4: potential crash on allocation error in ext4_alloc_flex_bg_array()
    - audit: fix error handling in audit_data_to_entry()
    - ACPICA: Introduce ACPI_ACCESS_BYTE_WIDTH() macro
    - ACPI: watchdog: Fix gas->access_width usage
    - KVM: VMX: check descriptor table exits on instruction emulation
    - HID: ite: Only bind to keyboard USB interface on Acer SW5-012 keyboard dock
    - HID: core: fix off-by-one memset in hid_report_raw_event()
    - HID: core: increase HID report buffer size to 8KiB
    - macintosh: therm_windtunnel: fix regression when instantiating devices
    - tracing: Disable trace_printk() on post poned tests
    - Revert "PM / devfreq: Modify the device name as devfreq(X) for sysfs"
    - amdgpu/gmc_v9: save/restore sdpif regs during S3
    - vhost: Check docket sk_family instead of call getname
    - HID: alps: Fix an error handling path in 'alps_input_configured()'
    - HID: hiddev: Fix race in in hiddev_disconnect()
    - MIPS: VPE: Fix a double free and a memory leak in 'release_vpe()'
    - i2c: altera: Fix potential integer overflow
    - i2c: jz4780: silence log flood on txabrt
    - drm/i915/gvt: Fix orphan vgpu dmabuf_objs' lifetime
    - drm/i915/gvt: Separate display reset from ALL_ENGINES reset
    - hv_netvsc: Fix unwanted wakeup in netvsc_attach()
    - usb: charger: assign specific number for enum value
    - s390/qeth: vnicc Fix EOPNOTSUPP precedence
    - net: netlink: cap max groups which will be considered in netlink_bind()
    - net: atlantic: fix use after free kasan warn
    - net: atlantic: fix potential error handling
    - net/smc: no peer ID in CLC decline for SMCD
    - net: ena: make ena rxfh support ETH_RSS_HASH_NO_CHANGE
    - namei: only return -ECHILD from follow_dotdot_rcu()
    - mwifiex: drop most magic numbers from mwifiex_process_tdls_action_frame()
    - mwifiex: delete unused mwifiex_get_intf_num()
    - KVM: SVM: Override default MMIO mask if memory encryption is enabled
    - KVM: Check for a bad hva before dropping into the ghc slow path
    - drivers: net: xgene: Fix the order of the arguments of
      'alloc_etherdev_mqs()'
    - kprobes: Set unoptimized flag after unoptimizing code
    - pwm: omap-dmtimer: put_device() after of_find_device_by_node()
    - perf hists browser: Restore ESC as "Zoom out" of DSO/thread/etc
    - KVM: x86: Remove spurious kvm_mmu_unload() from vcpu destruction path
    - KVM: x86: Remove spurious clearing of async #PF MSR
    - thermal: brcmstb_thermal: Do not use DT coefficients
    - netfilter: nft_tunnel: no need to call htons() when dumping ports
    - netfilter: nf_flowtable: fix documentation
    - mm/huge_memory.c: use head to check huge zero page
    - mm, thp: fix defrag setting if newline is not used
    - audit: always check the netlink payload length in audit_receive_msg()
    - io_uring: grab ->fs as part of async offload
    - EDAC: skx_common: downgrade message importance on missing PCI device
    - net: dsa: b53: Ensure the default VID is untagged
    - net: macb: ensure interface is not suspended on at91rm9200
    - Revert "net: dev: introduce support for sch BYPASS for lockless qdisc"
    - udp: rehash on disconnect
    - bnxt_en: Improve device shutdown method.
    - bnxt_en: Issue PCIe FLR in kdump kernel to cleanup pending DMAs.
    - net: export netdev_next_lower_dev_rcu()
    - bonding: fix lockdep warning in bond_get_stats()
    - sched/core: Don't skip remote tick for idle CPUs
    - timers/nohz: Update NOHZ load in remote tick
    - NFSv4: Fix races between open and dentry revalidation
    - drm/amd/display: Do not set optimized_require to false after plane disable
    - RDMA/siw: Remove unwanted WARN_ON in siw_cm_llp_data_ready()
    - drm/amd/display: Check engine is not NULL before acquiring
    - i40e: Fix the conditional for i40e_vc_validate_vqs_bitmaps
    - net: ena: rss: do not allocate key when not supported
    - net: ena: fix corruption of dev_idx_to_host_tbl
    - ice: update Unit Load Status bitmask to check after reset
    - mac80211: fix wrong 160/80+80 MHz setting
    - net: hns3: add management table after IMP reset
    - net: hns3: fix a copying IPv6 address error in hclge_fd_get_flow_tuples()
    - nvme/tcp: fix bug on double requeue when send fails
    - nvme: prevent warning triggered by nvme_stop_keep_alive
    - nvme/pci: move cqe check after device shutdown
    - drm/amdgpu: Drop DRIVER_USE_AGP
    - drm/radeon: Inline drm_get_pci_dev
    - io_uring: fix 32-bit compatability with sendmsg/recvmsg
    - netfilter: ipset: Fix "INFO: rcu detected stall in hash_xxx" reports
    - net/smc: transfer fasync_list in case of fallback
    - netfilter: ipset: Fix forceadd evaluation path
    - netfilter: xt_hashlimit: reduce hashlimit_mutex scope for htable_put()
    - mac80211: Remove a redundant mutex unlock
    - kbuild: fix DT binding schema rule to detect command line changes
    - nvme-pci: Hold cq_poll_lock while completing CQEs
    - net: atlantic: fix out of range usage of active_vlans array
    - selftests: Install settings files to fix TIMEOUT failures
    - sched/fair: Optimize select_idle_cpu
    - f2fs: fix to add swap extent correctly
    - ima: ima/lsm policy rule loading logic bug fixes
    - lib/vdso: Make __arch_update_vdso_data() logic understandable
    - lib/vdso: Update coarse timekeeper unconditionally
    - perf ui gtk: Add missing zalloc object
    - x86/resctrl: Check monitoring static key in the MBM overflow handler
    - rcu: Allow only one expedited GP to run concurrently with wakeups
    - ubifs: Fix ino_t format warnings in orphan_delete()
    - bus: tegra-aconnect: Remove PM_CLK dependency
    - mm/gup: allow FOLL_FORCE for get_user_pages_fast()
    - kvm: nVMX: VMWRITE checks VMCS-link pointer before VMCS field
    - kvm: nVMX: VMWRITE checks unsupported field before read-only field
  * Eoan update: upstream stable patchset 2020-03-24 (LP: #1868865)
    - iommu/qcom: Fix bogus detach logic
    - ALSA: hda: Use scnprintf() for printing texts for sysfs/procfs
    - ALSA: hda/realtek - Apply quirk for MSI GP63, too
    - ALSA: hda/realtek - Apply quirk for yet another MSI laptop
    - ASoC: sun8i-codec: Fix setting DAI data format
    - ecryptfs: fix a memory leak bug in parse_tag_1_packet()
    - ecryptfs: fix a memory leak bug in ecryptfs_init_messaging()
    - thunderbolt: Prevent crash if non-active NVMem file is read
    - USB: misc: iowarrior: add support for 2 OEMed devices
    - USB: misc: iowarrior: add support for the 28 and 28L devices
    - USB: misc: iowarrior: add support for the 100 device
    - floppy: check FDC index for errors before assigning it
    - vt: fix scrollback flushing on background consoles
    - vt: selection, handle pending signals in paste_selection
    - vt: vt_ioctl: fix race in VT_RESIZEX
    - staging: android: ashmem: Disallow ashmem memory from being remapped
    - staging: vt6656: fix sign of rx_dbm to bb_pre_ed_rssi.
    - xhci: Force Maximum Packet size for Full-speed bulk devices to valid range.
    - xhci: fix runtime pm enabling for quirky Intel hosts
    - xhci: Fix memory leak when caching protocol extended capability PSI tables -
      take 2
    - usb: host: xhci: update event ring dequeue pointer on purpose
    - USB: core: add endpoint-blacklist quirk
    - USB: quirks: blacklist duplicate ep on Sound Devices USBPre2
    - usb: uas: fix a plug & unplug racing
    - USB: Fix novation SourceControl XL after suspend
    - USB: hub: Don't record a connect-change event during reset-resume
    - USB: hub: Fix the broken detection of USB3 device in SMSC hub
    - usb: dwc2: Fix SET/CLEAR_FEATURE and GET_STATUS flows
    - usb: dwc3: gadget: Check for IOC/LST bit in TRB->ctrl fields
    - staging: rtl8188eu: Fix potential security hole
    - staging: rtl8188eu: Fix potential overuse of kernel memory
    - staging: rtl8723bs: Fix potential security hole
    - staging: rtl8723bs: Fix potential overuse of kernel memory
    - powerpc/tm: Fix clearing MSR[TS] in current when reclaiming on signal
      delivery
    - jbd2: fix ocfs2 corrupt when clearing block group bits
    - x86/mce/amd: Publish the bank pointer only after setup has succeeded
    - x86/mce/amd: Fix kobject lifetime
    - x86/cpu/amd: Enable the fixed Instructions Retired counter IRPERF
    - serial: 8250: Check UPF_IRQ_SHARED in advance
    - tty/serial: atmel: manage shutdown in case of RS485 or ISO7816 mode
    - tty: serial: imx: setup the correct sg entry for tx dma
    - serdev: ttyport: restore client ops on deregistration
    - MAINTAINERS: Update drm/i915 bug filing URL
    - mm/memcontrol.c: lost css_put in memcg_expand_shrinker_maps()
    - nvme-multipath: Fix memory leak with ana_log_buf
    - genirq/irqdomain: Make sure all irq domain flags are distinct
    - mm/vmscan.c: don't round up scan size for online memory cgroup
    - drm/amdgpu/soc15: fix xclk for raven
    - xhci: apply XHCI_PME_STUCK_QUIRK to Intel Comet Lake platforms
    - KVM: x86: don't notify userspace IOAPIC on edge-triggered interrupt EOI
    - tty: serial: qcom_geni_serial: Fix RX cancel command failure
    - lib/stackdepot.c: fix global out-of-bounds in stack_slabs
    - drm/nouveau/kms/gv100-: Re-set LUT after clearing for modesets
    - ext4: fix a data race in EXT4_I(inode)->i_disksize
    - ext4: add cond_resched() to __ext4_find_entry()
    - ext4: fix potential race between online resizing and write operations
    - ext4: fix potential race between s_group_info online resizing and access
    - ext4: fix potential race between s_flex_groups online resizing and access
    - ext4: fix mount failure with quota configured as module
    - ext4: rename s_journal_flag_rwsem to s_writepages_rwsem
    - ext4: fix race between writepages and enabling EXT4_EXTENTS_FL
    - KVM: nVMX: handle nested posted interrupts when apicv is disabled for L1
    - KVM: apic: avoid calculating pending eoi from an uninitialized val
    - btrfs: fix bytes_may_use underflow in prealloc error condtition
    - btrfs: reset fs_root to NULL on error in open_ctree
    - btrfs: do not check delayed items are empty for single transaction cleanup
    - Btrfs: fix btrfs_wait_ordered_range() so that it waits for all ordered
      extents
    - scsi: Revert "RDMA/isert: Fix a recently introduced regression related to
      logout"
    - scsi: Revert "target: iscsi: Wait for all commands to finish before freeing
      a session"
    - usb: gadget: composite: Fix bMaxPower for SuperSpeedPlus
    - usb: dwc2: Fix in ISOC request length checking
    - staging: rtl8723bs: fix copy of overlapping memory
    - staging: greybus: use after free in gb_audio_manager_remove_all()
    - ecryptfs: replace BUG_ON with error handling code
    - iommu/vt-d: Fix compile warning from intel-svm.h
    - genirq/proc: Reject invalid affinity masks (again)
    - bpf, offload: Replace bitwise AND by logical AND in
      bpf_prog_offload_info_fill
    - ALSA: rawmidi: Avoid bit fields for state flags
    - ALSA: seq: Avoid concurrent access to queue flags
    - ALSA: seq: Fix concurrent access to queue current tick/time
    - netfilter: xt_hashlimit: limit the max size of hashtable
    - rxrpc: Fix call RCU cleanup using non-bh-safe locks
    - ata: ahci: Add shutdown to freeze hardware resources of ahci
    - xen: Enable interrupts when calling _cond_resched()
    - s390/mm: Explicitly compare PAGE_DEFAULT_KEY against zero in
      storage_key_init_range
    - Revert "char/random: silence a lockdep splat with printk()"
    - tpm: Initialize crypto_id of allocated_banks to HASH_ALGO__LAST
    - btrfs: handle logged extent failure properly
    - e1000e: Use rtnl_lock to prevent race conditions between net and pci/pm
    - usb: dwc3: debug: fix string position formatting mixup with ret and len
    - powerpc/8xx: Fix clearing of bits 20-23 in ITLB miss
    - powerpc/eeh: Fix deadlock handling dead PHB
    - powerpc/hugetlb: Fix 512k hugepages on 8xx with 16k page size
    - powerpc/hugetlb: Fix 8M hugepages on 8xx
    - x86/ima: use correct identifier for SetupMode variable
    - mm/sparsemem: pfn_to_page is not valid yet on SPARSEMEM
    - drm/amdgpu/gfx9: disable gfxoff when reading rlc clock
    - drm/amdgpu/gfx10: disable gfxoff when reading rlc clock
    - drm/i915: Update drm/i915 bug filing URL
    - sched/psi: Fix OOB write when writing 0 bytes to PSI files
    - KVM: nVMX: clear PIN_BASED_POSTED_INTR from nested pinbased_ctls only when
      apicv is globally disabled
    - btrfs: destroy qgroup extent records on transaction abort
    - Btrfs: fix race between shrinking truncate and fiemap
    - btrfs: don't set path->leave_spinning for truncate
    - Btrfs: fix deadlock during fast fsync when logging prealloc extents beyond
      eof
    - drm/i915/gvt: more locking for ppgtt mm LRU list
    - drm/msm/dpu: fix BGR565 vs RGB565 confusion
    - crypto: rename sm3-256 to sm3 in hash_algo_name
    - io_uring: fix __io_iopoll_check deadlock in io_sq_thread
    - io_uring: prevent sq_thread from spinning when it should stop
    - net/mlx5e: Reset RQ doorbell counter before moving RQ state from RST to RDY
    - net/mlx5: Fix sleep while atomic in mlx5_eswitch_get_vepa
    - s390/kaslr: Fix casts in get_random
    - bpf: Selftests build error in sockmap_basic.c
    - ASoC: SOF: Intel: hda: Add iDisp4 DAI
  * Eoan update: upstream stable patchset 2020-03-20 (LP: #1868324)
    - core: Don't skip generic XDP program execution for cloned SKBs
    - enic: prevent waking up stopped tx queues over watchdog reset
    - net/smc: fix leak of kernel memory to user space
    - net: dsa: tag_qca: Make sure there is headroom for tag
    - net/sched: matchall: add missing validation of TCA_MATCHALL_FLAGS
    - net/sched: flower: add missing validation of TCA_FLOWER_FLAGS
    - Revert "KVM: nVMX: Use correct root level for nested EPT shadow page tables"
    - KVM: nVMX: Use correct root level for nested EPT shadow page tables
    - drm/gma500: Fixup fbdev stolen size usage evaluation
    - cpu/hotplug, stop_machine: Fix stop_machine vs hotplug order
    - brcmfmac: Fix use after free in brcmf_sdio_readframes()
    - leds: pca963x: Fix open-drain initialization
    - ext4: fix ext4_dax_read/write inode locking sequence for IOCB_NOWAIT
    - ALSA: ctl: allow TLV read operation for callback type of element in locked
      case
    - gianfar: Fix TX timestamping with a stacked DSA driver
    - pinctrl: sh-pfc: sh7264: Fix CAN function GPIOs
    - pxa168fb: Fix the function used to release some memory in an error handling
      path
    - media: i2c: mt9v032: fix enum mbus codes and frame sizes
    - powerpc/powernv/iov: Ensure the pdn for VFs always contains a valid PE
      number
    - gpio: gpio-grgpio: fix possible sleep-in-atomic-context bugs in
      grgpio_irq_map/unmap()
    - iommu/vt-d: Fix off-by-one in PASID allocation
    - media: sti: bdisp: fix a possible sleep-in-atomic-context bug in
      bdisp_device_run()
    - pinctrl: baytrail: Do not clear IRQ flags on direct-irq enabled pins
    - efi/x86: Map the entire EFI vendor string before copying it
    - MIPS: Loongson: Fix potential NULL dereference in loongson3_platform_init()
    - sparc: Add .exit.data section.
    - uio: fix a sleep-in-atomic-context bug in uio_dmem_genirq_irqcontrol()
    - usb: gadget: udc: fix possible sleep-in-atomic-context bugs in gr_probe()
    - usb: dwc2: Fix IN FIFO allocation
    - clocksource/drivers/bcm2835_timer: Fix memory leak of timer
    - kselftest: Minimise dependency of get_size on C library interfaces
    - jbd2: clear JBD2_ABORT flag before journal_reset to update log tail info
      when load journal
    - x86/sysfb: Fix check for bad VRAM size
    - pwm: omap-dmtimer: Simplify error handling
    - s390/pci: Fix possible deadlock in recover_store()
    - powerpc/iov: Move VF pdev fixup into pcibios_fixup_iov()
    - tracing: Fix tracing_stat return values in error handling paths
    - tracing: Fix very unlikely race of registering two stat tracers
    - ARM: 8952/1: Disable kmemleak on XIP kernels
    - ext4, jbd2: ensure panic when aborting with zero errno
    - ath10k: Correct the DMA direction for management tx buffers
    - drm/amd/display: Retrain dongles when SINK_COUNT becomes non-zero
    - nbd: add a flush_workqueue in nbd_start_device
    - KVM: s390: ENOTSUPP -> EOPNOTSUPP fixups
    - kconfig: fix broken dependency in randconfig-generated .config
    - clk: qcom: rcg2: Don't crash if our parent can't be found; return an error
    - drm/amdgpu: remove 4 set but not used variable in
      amdgpu_atombios_get_connector_info_from_object_table
    - drm/amdgpu: Ensure ret is always initialized when using SOC15_WAIT_ON_RREG
    - regulator: rk808: Lower log level on optional GPIOs being not available
    - net/wan/fsl_ucc_hdlc: reject muram offsets above 64K
    - NFC: port100: Convert cpu_to_le16(le16_to_cpu(E1) + E2) to use
      le16_add_cpu().
    - arm64: dts: allwinner: H6: Add PMU mode
    - arm: dts: allwinner: H3: Add PMU node
    - selinux: ensure we cleanup the internal AVC counters on error in
      avc_insert()
    - arm64: dts: qcom: msm8996: Disable USB2 PHY suspend by core
    - ARM: dts: imx6: rdu2: Disable WP for USDHC2 and USDHC3
    - ARM: dts: imx6: rdu2: Limit USBH1 to Full Speed
    - PCI: iproc: Apply quirk_paxc_bridge() for module as well as built-in
    - media: cx23885: Add support for AVerMedia CE310B
    - PCI: Add generic quirk for increasing D3hot delay
    - PCI: Increase D3 delay for AMD Ryzen5/7 XHCI controllers
    - media: v4l2-device.h: Explicitly compare grp{id,mask} to zero in v4l2_device
      macros
    - reiserfs: Fix spurious unlock in reiserfs_fill_super() error handling
    - r8169: check that Realtek PHY driver module is loaded
    - fore200e: Fix incorrect checks of NULL pointer dereference
    - netfilter: nft_tunnel: add the missing ERSPAN_VERSION nla_policy
    - ALSA: usx2y: Adjust indentation in snd_usX2Y_hwdep_dsp_status
    - b43legacy: Fix -Wcast-function-type
    - ipw2x00: Fix -Wcast-function-type
    - iwlegacy: Fix -Wcast-function-type
    - rtlwifi: rtl_pci: Fix -Wcast-function-type
    - orinoco: avoid assertion in case of NULL pointer
    - ACPICA: Disassembler: create buffer fields in ACPI_PARSE_LOAD_PASS1
    - scsi: ufs: Complete pending requests in host reset and restore path
    - scsi: aic7xxx: Adjust indentation in ahc_find_syncrate
    - drm/mediatek: handle events when enabling/disabling crtc
    - ARM: dts: r8a7779: Add device node for ARM global timer
    - selinux: ensure we cleanup the internal AVC counters on error in
      avc_update()
    - dmaengine: Store module owner in dma_device struct
    - crypto: chtls - Fixed memory leak
    - x86/vdso: Provide missing include file
    - PM / devfreq: rk3399_dmc: Add COMPILE_TEST and HAVE_ARM_SMCCC dependency
    - pinctrl: sh-pfc: sh7269: Fix CAN function GPIOs
    - reset: uniphier: Add SCSSI reset control for each channel
    - RDMA/rxe: Fix error type of mmap_offset
    - clk: sunxi-ng: add mux and pll notifiers for A64 CPU clock
    - ALSA: sh: Fix unused variable warnings
    - clk: uniphier: Add SCSSI clock gate for each channel
    - ALSA: sh: Fix compile warning wrt const
    - tools lib api fs: Fix gcc9 stringop-truncation compilation error
    - ACPI: button: Add DMI quirk for Razer Blade Stealth 13 late 2019 lid switch
    - mlx5: work around high stack usage with gcc
    - drm: remove the newline for CRC source name.
    - ARM: dts: stm32: Add power-supply for DSI panel on stm32f469-disco
    - usbip: Fix unsafe unaligned pointer usage
    - udf: Fix free space reporting for metadata and virtual partitions
    - staging: rtl8188: avoid excessive stack usage
    - IB/hfi1: Add software counter for ctxt0 seq drop
    - soc/tegra: fuse: Correct straps' address for older Tegra124 device trees
    - efi/x86: Don't panic or BUG() on non-critical error conditions
    - rcu: Use WRITE_ONCE() for assignments to ->pprev for hlist_nulls
    - Input: edt-ft5x06 - work around first register access error
    - x86/nmi: Remove irq_work from the long duration NMI handler
    - wan: ixp4xx_hss: fix compile-testing on 64-bit
    - ASoC: atmel: fix build error with CONFIG_SND_ATMEL_SOC_DMA=m
    - tty: synclinkmp: Adjust indentation in several functions
    - tty: synclink_gt: Adjust indentation in several functions
    - visorbus: fix uninitialized variable access
    - driver core: platform: Prevent resouce overflow from causing infinite loops
    - driver core: Print device when resources present in really_probe()
    - bpf: Return -EBADRQC for invalid map type in __bpf_tx_xdp_map
    - vme: bridges: reduce stack usage
    - drm/nouveau/secboot/gm20b: initialize pointer in gm20b_secboot_new()
    - drm/nouveau/gr/gk20a,gm200-: add terminators to method lists read from fw
    - drm/nouveau: Fix copy-paste error in nouveau_fence_wait_uevent_handler
    - drm/nouveau/drm/ttm: Remove set but not used variable 'mem'
    - drm/nouveau/fault/gv100-: fix memory leak on module unload
    - drm/vmwgfx: prevent memory leak in vmw_cmdbuf_res_add
    - usb: musb: omap2430: Get rid of musb .set_vbus for omap2430 glue
    - iommu/arm-smmu-v3: Use WRITE_ONCE() when changing validity of an STE
    - f2fs: set I_LINKABLE early to avoid wrong access by vfs
    - f2fs: free sysfs kobject
    - scsi: iscsi: Don't destroy session if there are outstanding connections
    - arm64: fix alternatives with LLVM's integrated assembler
    - drm/amd/display: fixup DML dependencies
    - watchdog/softlockup: Enforce that timestamp is valid on boot
    - f2fs: fix memleak of kobject
    - x86/mm: Fix NX bit clearing issue in kernel_map_pages_in_pgd
    - pwm: omap-dmtimer: Remove PWM chip in .remove before making it unfunctional
    - cmd64x: potential buffer overflow in cmd64x_program_timings()
    - ide: serverworks: potential overflow in svwks_set_pio_mode()
    - pwm: Remove set but not set variable 'pwm'
    - btrfs: fix possible NULL-pointer dereference in integrity checks
    - btrfs: safely advance counter when looking up bio csums
    - btrfs: device stats, log when stats are zeroed
    - module: avoid setting info->name early in case we can fall back to
      info->mod->name
    - remoteproc: Initialize rproc_class before use
    - irqchip/mbigen: Set driver .suppress_bind_attrs to avoid remove problems
    - ALSA: hda/hdmi - add retry logic to parse_intel_hdmi()
    - kbuild: use -S instead of -E for precise cc-option test in Kconfig
    - x86/decoder: Add TEST opcode to Group3-2
    - s390: adjust -mpacked-stack support check for clang 10
    - s390/ftrace: generate traced function stack frame
    - driver core: platform: fix u32 greater or equal to zero comparison
    - ALSA: hda - Add docking station support for Lenovo Thinkpad T420s
    - drm/nouveau/mmu: fix comptag memory leak
    - powerpc/sriov: Remove VF eeh_dev state when disabling SR-IOV
    - bcache: cached_dev_free needs to put the sb page
    - iommu/vt-d: Remove unnecessary WARN_ON_ONCE()
    - selftests: bpf: Reset global state between reuseport test runs
    - jbd2: switch to use jbd2_journal_abort() when failed to submit the commit
      record
    - jbd2: make sure ESHUTDOWN to be recorded in the journal superblock
    - ARM: 8951/1: Fix Kexec compilation issue.
    - hostap: Adjust indentation in prism2_hostapd_add_sta
    - iwlegacy: ensure loop counter addr does not wrap and cause an infinite loop
    - cifs: fix NULL dereference in match_prepath
    - bpf: map_seq_next should always increase position index
    - ceph: check availability of mds cluster on mount after wait timeout
    - rbd: work around -Wuninitialized warning
    - irqchip/gic-v3: Only provision redistributors that are enabled in ACPI
    - drm/nouveau/disp/nv50-: prevent oops when no channel method map provided
    - ftrace: fpid_next() should increase position index
    - trigger_next should increase position index
    - radeon: insert 10ms sleep in dce5_crtc_load_lut
    - ocfs2: fix a NULL pointer dereference when call
      ocfs2_update_inode_fsync_trans()
    - lib/scatterlist.c: adjust indentation in __sg_alloc_table
    - reiserfs: prevent NULL pointer dereference in reiserfs_insert_item()
    - bcache: explicity type cast in bset_bkey_last()
    - irqchip/gic-v3-its: Reference to its_invall_cmd descriptor when building
      INVALL
    - iwlwifi: mvm: Fix thermal zone registration
    - microblaze: Prevent the overflow of the start
    - brd: check and limit max_part par
    - drm/amdgpu/smu10: fix smu10_get_clock_by_type_with_latency
    - drm/amdgpu/smu10: fix smu10_get_clock_by_type_with_voltage
    - NFS: Fix memory leaks
    - help_next should increase position index
    - cifs: log warning message (once) if out of disk space
    - virtio_balloon: prevent pfn array overflow
    - mlxsw: spectrum_dpipe: Add missing error path
    - drm/amdgpu/display: handle multiple numbers of fclks in dcn_calcs.c (v2)
    - ath10k: Fix qmi init error handling
    - wil6210: fix break that is never reached because of zero'ing of a retry
      counter
    - drm/qxl: Complete exception handling in qxl_device_init()
    - rcu: Fix missed wakeup of exp_wq waiters
    - rcu: Fix data-race due to atomic_t copy-by-value
    - f2fs: preallocate DIO blocks when forcing buffered_io
    - f2fs: call f2fs_balance_fs outside of locked page
    - media: meson: add missing allocation failure check on new_buf
    - clk: meson: pll: Fix by 0 division in __pll_params_to_rate()
    - brcmfmac: Fix memory leak in brcmf_p2p_create_p2pdev()
    - PCI: Fix pci_add_dma_alias() bitmask size
    - drm/mipi_dbi: Fix off-by-one bugs in mipi_dbi_blank()
    - drm/msm/adreno: fix zap vs no-zap handling
    - media: ov5640: Fix check for PLL1 exceeding max allowed rate
    - clk: at91: sam9x60: fix programmable clock prescaler
    - clk: meson: meson8b: make the CCF use the glitch-free mali mux
    - x86/fpu: Deactivate FPU state after failure during state load
    - char/random: silence a lockdep splat with printk()
    - IB/core: Let IB core distribute cache update events
    - net: ethernet: ixp4xx: Standard module init
    - raid6/test: fix a compilation error
    - spi: fsl-lpspi: fix only one cs-gpio working
    - drm/amd/display: Clear state after exiting fixed active VRR state
    - clk: ti: dra7: fix parent for gmac_clkctrl
    - dmaengine: fsl-qdma: fix duplicated argument to &&
    - wan/hdlc_x25: fix skb handling
    - rtw88: fix rate mask for 1SS chip
    - brcmfmac: sdio: Fix OOB interrupt initialization on brcm43362
    - selftests: settings: tests can be in subsubdirs
    - rtc: i2c/spi: Avoid inclusion of REGMAP support when not needed
    - tracing: Simplify assignment parsing for hist triggers
    - Btrfs: keep pages dirty when using btrfs_writepage_fixup_worker
    - drivers/block/zram/zram_drv.c: fix error return codes not being returned in
      writeback_store
    - block, bfq: do not plug I/O for bfq_queues with no proc refs
    - clk: qcom: Don't overwrite 'cfg' in clk_rcg2_dfs_populate_freq()
    - drm/amdkfd: Fix a bug in SDMA RLC queue counting under HWS mode
    - ath10k: correct the tlv len of ath10k_wmi_tlv_op_gen_config_pno_start
    - drm/panel: simple: Add Logic PD Type 28 display support
    - arm64: dts: rockchip: Fix NanoPC-T4 cooling maps
    - ASoC: intel: sof_rt5682: Add quirk for number of HDMI DAI's
    - ASoC: intel: sof_rt5682: Add support for tgl-max98357a-rt5682
    - arm64: dts: allwinner: H5: Add PMU node
    - bus: ti-sysc: Implement quirk handling for CLKDM_NOAUTO
    - gpu/drm: ingenic: Avoid null pointer deference in plane atomic update
    - selftests/net: make so_txtime more robust to timer variance
    - samples/bpf: Set -fno-stack-protector when building BPF programs
    - PCI: Add nr_devfns parameter to pci_add_dma_alias()
    - PCI: Add DMA alias quirk for PLX PEX NTB
    - drm/amdgpu: fix KIQ ring test fail in TDR of SRIOV
    - clk: qcom: smd: Add missing bimc clock
    - nfsd: Clone should commit src file metadata too
    - crypto: inside-secure - add unspecified HAS_IOMEM dependency
    - clk: renesas: rcar-gen3: Allow changing the RPC[D2] clocks
    - scsi: lpfc: Fix: Rework setting of fdmi symbolic node name registration
    - arm64: dts: qcom: db845c: Enable ath10k 8bit host-cap quirk
    - iommu/amd: Check feature support bit before accessing MSI capability
      registers
    - iommu/amd: Only support x2APIC with IVHD type 11h/40h
    - iommu/iova: Silence warnings under memory pressure
    - clk: actually call the clock init before any other callback of the clock
    - drm/fbdev: Fallback to non tiled mode if all tiles not present
    - ASoC: soc-topology: fix endianness issues
    - fbdev: fix numbering of fbcon options
    - clk: Use parent node pointer during registration if necessary
    - ALSA: hda/realtek - Apply mic mute LED quirk for Dell E7xx laptops, too
    - net: phy: fixed_phy: fix use-after-free when checking link GPIO
    - vfio/spapr/nvlink2: Skip unpinning pages on error exit
    - ASoC: Intel: sof_rt5682: Ignore the speaker amp when there isn't one.
    - iommu/vt-d: Match CPU and IOMMU paging mode
    - iommu/vt-d: Avoid sending invalid page response
    - drm/amdkfd: Fix permissions of hang_hws
    - RDMA/hns: Avoid printing address of mtt page
    - usb: dwc3: use proper initializers for property entries
    - drm/mediatek: Add gamma property according to hardware capability
    - IB/hfi1: Add RcvShortLengthErrCnt to hfi1stats
    - bnxt: Detach page from page pool before sending up the stack
    - clocksource: davinci: only enable clockevents once tim34 is initialized
    - arm64: dts: rockchip: fix dwmmc clock name for px30
    - arm64: dts: rockchip: add reg property to brcmf sub-nodes
    - ARM: dts: rockchip: add reg property to brcmf sub node for
      rk3188-bqedison2qc
    - ALSA: usb-audio: Add boot quirk for MOTU M Series
    - raid6/test: fix a compilation warning
    - dm thin: don't allow changing data device during thin-pool reload
    - perf/imx_ddr: Fix cpu hotplug state cleanup
    - kbuild: remove *.tmp file when filechk fails
    - ALSA: usb-audio: unlock on error in probe
    - scsi: ufs: pass device information to apply_dev_quirks
    - scsi: ufs-mediatek: add apply_dev_quirks variant operation
    - ALSA: usb-audio: add implicit fb quirk for MOTU M Series
    - RDMA/mlx5: Don't fake udata for kernel path
    - EDAC/sifive: Fix return value check in ecc_register()
    - KVM: PPC: Remove set but not used variable 'ra', 'rs', 'rt'
    - sched/core: Fix size of rq::uclamp initialization
    - sched/topology: Assert non-NUMA topology masks don't (partially) overlap
    - perf/x86/amd: Constrain Large Increment per Cycle events
    - debugobjects: Fix various data races
    - ASoC: SOF: Intel: hda: Fix SKL dai count
    - regulator: vctrl-regulator: Avoid deadlock getting and setting the voltage
    - regulator: core: Fix exported symbols to the exported GPL version
    - spi: spi-fsl-qspi: Ensure width is respected in spi-mem operations
    - bpf, btf: Always output invariant hit in pahole DWARF to BTF transform
    - sunrpc: Fix potential leaks in sunrpc_cache_unhash()
    - media: uvcvideo: Add a quirk to force GEO GC6500 Camera bits-per-pixel value
    - btrfs: separate definition of assertion failure handlers
    - btrfs: Fix split-brain handling when changing FSID to metadata uuid
    - alarmtimer: Make alarmtimer platform device child of RTC device
    - powerpc/pseries/lparcfg: Fix display of Maximum Memory
    - ALSA: usb-audio: add quirks for Line6 Helix devices fw>=2.82
    - rtw88: fix potential NULL skb access in TX ISR
    - cifs: fix unitialized variable poential problem with network I/O cache lock
      patch
    - cifs: Fix mount options set in automount
    - powerpc/mm: Don't log user reads to 0xffffffff
    - drm/amd/display: do not allocate display_mode_lib unnecessarily
    - char: hpet: Fix out-of-bounds read bug
    - powerpc: Do not consider weak unresolved symbol relocations as bad
    - btrfs: do not do delalloc reservation under page lock
    - ocfs2: make local header paths relative to C files
    - bcache: fix memory corruption in bch_cache_accounting_clear()
    - bcache: fix incorrect data type usage in btree_flush_write()
    - nvme-pci: remove nvmeq->tags
    - iwlwifi: mvm: Check the sta is not NULL in iwl_mvm_cfg_he_sta()
    - asm-generic/tlb: add missing CONFIG symbol
    - i40e: Relax i40e_xsk_wakeup's return value when PF is busy
    - s390/pci: Recover handle in clp_set_pci_fn()
    - rtc: Kconfig: select REGMAP_I2C when necessary
  * Eoan update: upstream stable patchset 2020-03-20 (LP: #1868324) //
    CVE-2019-19076.
    - Revert "nfp: abm: fix memory leak in nfp_abm_u32_knode_replace"
  * Eoan update: upstream stable patchset 2020-03-16 (LP: #1867677)
    - ASoC: pcm: update FE/BE trigger order based on the command
    - hv_sock: Remove the accept port restriction
    - IB/mlx4: Fix memory leak in add_gid error flow
    - RDMA/netlink: Do not always generate an ACK for some netlink operations
    - RDMA/core: Fix locking in ib_uverbs_event_read
    - RDMA/uverbs: Verify MR access flags
    - scsi: ufs: Fix ufshcd_probe_hba() reture value in case
      ufshcd_scsi_add_wlus() fails
    - PCI/IOV: Fix memory leak in pci_iov_add_virtfn()
    - ath10k: pci: Only dump ATH10K_MEM_REGION_TYPE_IOREG when safe
    - PCI/switchtec: Fix vep_vector_number ioread width
    - PCI: Don't disable bridge BARs when assigning bus resources
    - nfs: NFS_SWAP should depend on SWAP
    - NFS: Revalidate the file size on a fatal write error
    - NFS/pnfs: Fix pnfs_generic_prepare_to_resend_writes()
    - NFSv4: try lease recovery on NFS4ERR_EXPIRED
    - rtc: hym8563: Return -EINVAL if the time is known to be invalid
    - rtc: cmos: Stop using shared IRQ
    - ARC: [plat-axs10x]: Add missing multicast filter number to GMAC node
    - platform/x86: intel_mid_powerbtn: Take a copy of ddata
    - ARM: dts: at91: Reenable UART TX pull-ups
    - ARM: dts: am43xx: add support for clkout1 clock
    - ARM: dts: at91: sama5d3: fix maximum peripheral clock rates
    - ARM: dts: at91: sama5d3: define clock rate range for tcb1
    - tools/power/acpi: fix compilation error
    - powerpc/pseries/vio: Fix iommu_table use-after-free refcount warning
    - powerpc/pseries: Allow not having ibm, hypertas-functions::hcall-multi-tce
      for DDW
    - iommu/arm-smmu-v3: Populate VMID field for CMDQ_OP_TLBI_NH_VA
    - KVM: arm/arm64: vgic-its: Fix restoration of unmapped collections
    - ARM: 8949/1: mm: mark free_memmap as __init
    - arm64: cpufeature: Fix the type of no FP/SIMD capability
    - arm64: ptrace: nofpsimd: Fail FP/SIMD regset operations
    - KVM: arm/arm64: Fix young bit from mmu notifier
    - KVM: arm: Fix DFSR setting for non-LPAE aarch32 guests
    - KVM: arm: Make inject_abt32() inject an external abort instead
    - KVM: arm64: pmu: Don't increment SW_INCR if PMCR.E is unset
    - mtd: onenand_base: Adjust indentation in onenand_read_ops_nolock
    - mtd: sharpslpart: Fix unsigned comparison to zero
    - crypto: artpec6 - return correct error code for failed setkey()
    - crypto: atmel-sha - fix error handling when setting hmac key
    - media: i2c: adv748x: Fix unsafe macros
    - pinctrl: sh-pfc: r8a7778: Fix duplicate SDSELF_B and SD1_CLK_B
    - mwifiex: Fix possible buffer overflows in mwifiex_ret_wmm_get_status()
    - mwifiex: Fix possible buffer overflows in mwifiex_cmd_append_vsie_tlv()
    - libertas: don't exit from lbs_ibss_join_existing() with RCU read lock held
    - libertas: make lbs_ibss_join_existing() return error code on rates overflow
    - padata: fix null pointer deref of pd->pinst
    - IB/srp: Never use immediate data if it is disabled by a user
    - IB/mlx4: Fix leak in id_map_find_del
    - RDMA/i40iw: fix a potential NULL pointer dereference
    - RDMA/cma: Fix unbalanced cm_id reference count during address resolve
    - RDMA/umem: Fix ib_umem_find_best_pgsz()
    - PCI/switchtec: Use dma_set_mask_and_coherent()
    - PCI: tegra: Fix afi_pex2_ctrl reg offset for Tegra30
    - PCI/AER: Initialize aer_fifo
    - iwlwifi: mvm: avoid use after free for pmsr request
    - bpftool: Don't crash on missing xlated program instructions
    - bpf, sockmap: Don't sleep while holding RCU lock on tear-down
    - bpf, sockhash: Synchronize_rcu before free'ing map
    - selftests/bpf: Test freeing sockmap/sockhash with a socket in it
    - bpf: Improve bucket_log calculation logic
    - bpf, sockmap: Check update requirements after locking
    - NFS: Fix fix of show_nfs_errors
    - NFSv4: pnfs_roc() must use cred_fscmp() to compare creds
    - x86/boot: Handle malformed SRAT tables during early ACPI parsing
    - arm64: dts: qcom: msm8998: Fix tcsr syscon size
    - arm64: dts: uDPU: fix broken ethernet
    - arm64: dts: renesas: r8a77990: ebisu: Remove clkout-lr-synchronous from
      sound
    - arm64: dts: marvell: clearfog-gt-8k: fix switch cpu port node
    - ARM: dts: meson8: use the actual frequency for the GPU's 182.1MHz OPP
    - ARM: dts: meson8b: use the actual frequency for the GPU's 364MHz OPP
    - soc: qcom: rpmhpd: Set 'active_only' for active only power domains
    - powerpc/ptdump: Fix W+X verification call in mark_rodata_ro()
    - powerpc/ptdump: Only enable PPC_CHECK_WX with STRICT_KERNEL_RWX
    - powerpc/papr_scm: Fix leaking 'bus_desc.provider_name' in some paths
    - ARM: at91: pm: use SAM9X60 PMC's compatible
    - ARM: at91: pm: use of_device_id array to find the proper shdwc node
    - sched/uclamp: Fix a bug in propagating uclamp value in new cgroups
    - arm64: cpufeature: Set the FP/SIMD compat HWCAP bits properly
    - KVM: arm64: pmu: Fix chained SW_INCR counters
    - KVM: arm64: Treat emulated TVAL TimerValue as a signed 32-bit integer
    - arm64: nofpsmid: Handle TIF_FOREIGN_FPSTATE flag cleanly
    - crypto: testmgr - don't try to decrypt uninitialized buffers
    - crypto: caam/qi2 - fix typo in algorithm's driver name
    - drivers: watchdog: stm32_iwdg: set WDOG_HW_RUNNING at probe
    - bcache: avoid unnecessary btree nodes flushing in btree_flush_write()
    - selinux: revert "stop passing MAY_NOT_BLOCK to the AVC upon follow_link"
    - selinux: fix regression introduced by move_mount(2) syscall
    - pinctrl: sh-pfc: r8a77965: Fix DU_DOTCLKIN3 drive/bias control
    - regmap: fix writes to non incrementing registers
    - mfd: max77650: Select REGMAP_IRQ in Kconfig
    - clk: meson: g12a: fix missing uart2 in regmap table
    - dmaengine: axi-dmac: add a check for devm_regmap_init_mmio
    - selinux: fall back to ref-walk if audit is required
    - Input: synaptics - switch T470s to RMI4 by default
    - Input: synaptics - enable SMBus on ThinkPad L470
    - Input: synaptics - remove the LEN0049 dmi id from topbuttonpad list
    - ALSA: usb-audio: Fix UAC2/3 effect unit parsing
    - ALSA: hda/realtek - Fix silent output on MSI-GL73
    - ALSA: usb-audio: Apply sample rate quirk for Audioengine D1
    - ALSA: usb-audio: sound: usb: usb true/false for bool return type
    - ALSA: usb-audio: Add clock validity quirk for Denon MC7000/MCX8000
    - ext4: don't assume that mmp_nodename/bdevname have NUL
    - ext4: fix support for inode sizes > 1024 bytes
    - ext4: fix checksum errors with indexed dirs
    - ext4: add cond_resched() to ext4_protect_reserved_inode
    - ext4: improve explanation of a mount failure caused by a misconfigured
      kernel
    - Btrfs: fix race between using extent maps and merging them
    - btrfs: ref-verify: fix memory leaks
    - btrfs: print message when tree-log replay starts
    - btrfs: log message when rw remount is attempted with unclean tree-log
    - ARM: npcm: Bring back GPIOLIB support
    - arm64: ssbs: Fix context-switch when SSBS is present on all CPUs
    - perf/x86/amd: Add missing L2 misses event spec to AMD Family 17h's event map
    - nvme: fix the parameter order for nvme_get_log in nvme_get_fw_slot_info
    - IB/hfi1: Acquire lock to release TID entries when user file is closed
    - IB/hfi1: Close window for pq and request coliding
    - IB/rdmavt: Reset all QPs when the device is shut down
    - RDMA/core: Fix invalid memory access in spec_filter_size
    - RDMA/hfi1: Fix memory leak in _dev_comp_vect_mappings_create
    - RDMA/rxe: Fix soft lockup problem due to using tasklets in softirq
    - RDMA/core: Fix protection fault in get_pkey_idx_qp_list
    - s390/time: Fix clk type in get_tod_clock
    - perf/x86/intel: Fix inaccurate period in context switch for auto-reload
    - hwmon: (pmbus/ltc2978) Fix PMBus polling of MFR_COMMON definitions.
    - NFSv4.1 make cachethis=no for writes
    - jbd2: move the clearing of b_modified flag to the journal_unmap_buffer()
    - jbd2: do not clear the BH_Mapped flag when forgetting a metadata buffer
    - KVM: x86/mmu: Fix struct guest_walker arrays for 5-level paging
    - ALSA: hda/realtek - Add more codec supported Headset Button
    - ACPI: EC: Fix flushing of pending work
    - ACPICA: Introduce acpi_any_gpe_status_set()
    - gpio: xilinx: Fix bug where the wrong GPIO register is written to
    - xprtrdma: Fix DMA scatter-gather list mapping imbalance
    - cifs: make sure we do not overflow the max EA buffer size
    - EDAC/sysfs: Remove csrow objects on errors
    - KVM: nVMX: Use correct root level for nested EPT shadow page tables
    - s390/uv: Fix handling of length extensions
    - drm/vgem: Close use-after-free race in vgem_gem_create
    - drivers: ipmi: fix off-by-one bounds check that leads to a out-of-bounds
      write
    - IB/mlx5: Return failure when rts2rts_qp_counters_set_id is not supported
    - IB/umad: Fix kernel crash while unloading ib_umad
    - RDMA/iw_cxgb4: initiate CLOSE when entering TERM
    - spmi: pmic-arb: Set lockdep class for hierarchical irq domains
    - mac80211: fix quiet mode activation in action frames
    - cifs: fix mount option display for sec=krb5i
    - arm64: dts: fast models: Fix FVP PCI interrupt-map property
    - KVM: x86: Mask off reserved bit from #DB exception payload
    - perf stat: Don't report a null stalled cycles per insn metric
    - Revert "drm/sun4i: drv: Allow framebuffer modifiers in mode config"
    - ext4: choose hardlimit when softlimit is larger than hardlimit in
      ext4_statfs_project()
    - gpio: add gpiod_toggle_active_low()
    - mmc: core: Rework wp-gpio handling
  * Ryzen 3rd gen (3900X) ECC support missing from kernel (LP: #1869235)
    - EDAC/amd64: Find Chip Select memory size using Address Mask
    - EDAC/amd64: Add PCI device IDs for family 17h, model 70h
  * Multiple Kexec in AWS Nitro instances fail (LP: #1869948)
    - net: ena: Add PCI shutdown handler to allow safe kexec
  * suspend only works once on ThinkPad X1 Carbon gen 7 (LP: #1865570)
    - SAUCE: e1000e: bump up timeout to wait when ME un-configure ULP mode
  * CVE-2019-19768
    - blktrace: Protect q->blk_trace with RCU
    - blktrace: fix dereference after null check
  * Support SMO8840 as LIS2DH12 (LP: #1869694)
    - iio: st_sensors: remap SMO8840 to LIS2DH12
  * ucsi_ccg 50 second hang while resuming from s2ram with nvidia, recent
    kernels (LP: #1850238)
    - i2c: nvidia-gpu: Handle timeout correctly in gpu_i2c_check_status()
  * Introduce the new NVIDIA 440 series, and add 5.4 Linux compatibility to the
    340 and 390 series (LP: #1854485)
    - [Packaging] NVIDIA -- add support the 440 series and remove the 430 series
  *  Make Dell WD19 dock more reliable after suspend (LP: #1868217)
    - xhci: Ensure link state is U3 after setting USB_SS_PORT_LS_U3
    - xhci: Wait until link state trainsits to U0 after setting USB_SS_PORT_LS_U0
    - xhci: Finetune host initiated USB3 rootport link suspend and resume
    - USB: Disable LPM on WD19's Realtek Hub
  * Sys oopsed with sysfs test in ubuntu_stress_smoke_test on X-hwe ARM64
    (LP: #1866772)
    - SAUCE: ACPI: sysfs: copy ACPI data using io memory copying
  * update-version-dkms doesn't add a BugLink (LP: #1867790)
    - [Packaging] Add BugLink to update-version-dkms commit
  * Restore kernel control of PCIe DPC via option (LP: #1869423)
    - PCI/DPC: Add "pcie_ports=dpc-native" to allow DPC without AER control

 -- Wen-chien Jesse Sung <jesse.sung@xxxxxxxxxxxxx>  Wed, 08 Apr 2020
16:31:44 +0800

** Changed in: linux-azure (Ubuntu Eoan)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-19076

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-19768

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1864669

Title:
  [linux-azure] overlayfs regression - internal getxattr operations
  without sepolicy checking

Status in linux-azure package in Ubuntu:
  Fix Released
Status in linux-azure-4.15 package in Ubuntu:
  Invalid
Status in linux-azure source package in Xenial:
  Fix Committed
Status in linux-azure-4.15 source package in Xenial:
  Invalid
Status in linux-azure source package in Bionic:
  Fix Committed
Status in linux-azure-4.15 source package in Bionic:
  Fix Released
Status in linux-azure source package in Eoan:
  Fix Released
Status in linux-azure-4.15 source package in Eoan:
  Invalid
Status in linux-azure source package in Focal:
  Fix Released
Status in linux-azure-4.15 source package in Focal:
  Invalid

Bug description:
  Bug description and repro:

  Run the following commands on host instances:

  Prepare the overlayfs directories:
  $ cd /tmp
  $ mkdir -p base/dir1/dir2 upper olwork merged
  $ touch base/dir1/dir2/file
  $ chown -R 100000:100000 base upper olwork merged

  Verify that the directory is owned by user 100000:
  $ ls -al merged/ 
  total 8
  drwxr-xr-x  2 100000 100000 4096 Nov  1 07:08 .
  drwxrwxrwt 16 root   root   4096 Nov  1 07:08 ..

  We use lxc-usernsexec to start a new shell as user 100000.
  $ lxc-usernsexec -m b:0:100000:1 -- /bin/bash
  $$ ls -al merged/
  total 8
  drwxr-xr-x  2 root   root    4096 Nov  1 07:08 .
  drwxrwxrwt 16 nobody nogroup 4096 Nov  1 07:08 ..

  Notice that the ownership of . and .. has changed because the new shell is running as the remapped user.
  Now, mount the overlayfs as an unprivileged user in the new shell. This is the key to trigger the bug.
  $$ mount -t overlay -o lowerdir=base,upperdir=upper,workdir=olwork none merged
  $$ ls -al merged/dir1/dir2/file 
  -rw-r--r-- 1 root root 0 Nov  1 07:09 merged/dir1/dir2/file

  We can see the file in the base layer from the mount directory. Now trigger the bug:
  $$ rm -rf merged/dir1/dir2/
  $$ mkdir merged/dir1/dir2
  $$ ls -al merged/dir1/dir2
  total 12
  drwxr-xr-x 2 root root 4096 Nov  1 07:10 .
  drwxr-xr-x 1 root root 4096 Nov  1 07:10 ..

  File does not show up in the newly created dir2 as expected. But it will reappear after we remount the filesystem (or any other means that might evict the cached dentry, such as attempt to delete the parent directory):
  $$ umount merged
  $$ mount -t overlay -o lowerdir=base,upperdir=upper,workdir=olwork none merged
  $$ ls -al merged/dir1/dir2
  total 12
  drwxr-xr-x 1 root root 4096 Nov  1 07:10 .
  drwxr-xr-x 1 root root 4096 Nov  1 07:10 ..
  -rw-r--r-- 1 root root    0 Nov  1 07:09 file
  $$ exit
  $

  This is a recent kernel regression. I tried the above step on an old
  kernel (4.4.0-1072-aws) but cannot reproduce.


  I looked up linux source code and figured out where the "regression" is coming from. The issue lies in how overlayfs checks the "opaque" flag from the underlying upper-level filesystem. It checks the "trusted.overlay.opaque" extended attribute to decide whether to hide the directory content from the lower level. The logic are different in 4.4 and 4.15 kernel.
  In 4.4: https://elixir.bootlin.com/linux/v4.4/source/fs/overlayfs/super.c#L255
  static bool ovl_is_opaquedir(struct dentry *dentry)
  {
  	int res;
  	char val;
  	struct inode *inode = dentry->d_inode;

  	if (!S_ISDIR(inode->i_mode) || !inode->i_op->getxattr)
  		return false;

  	res = inode->i_op->getxattr(dentry, OVL_XATTR_OPAQUE, &val, 1);
  	if (res == 1 && val == 'y')
  		return true;

  	return false;
  }

  In 4.15: https://elixir.bootlin.com/linux/v4.15/source/fs/overlayfs/util.c#L349
  static bool ovl_is_opaquedir(struct dentry *dentry)
  {
  	return ovl_check_dir_xattr(dentry, OVL_XATTR_OPAQUE);
  }

  bool ovl_check_dir_xattr(struct dentry *dentry, const char *name)
  {
  	int res;
  	char val;

  	if (!d_is_dir(dentry))
  		return false;

  	res = vfs_getxattr(dentry, name, &val, 1);
  	if (res == 1 && val == 'y')
  		return true;

  	return false;
  }

  The 4.4 version simply uses the internal i_node callback inode->i_op->getxattr from the host filesystem, which doesn't perform any permission check. While the 4.15 version calls the VFS interface vfs_getxattr that performs bunch of permission checks before the calling the internal insecure callback __vfs_getxattr:
  See https://elixir.bootlin.com/linux/v4.15/source/fs/xattr.c#L317
  ssize_t
  vfs_getxattr(struct dentry *dentry, const char *name, void *value, size_t size)
  {
  	struct inode *inode = dentry->d_inode;
  	int error;

  	error = xattr_permission(inode, name, MAY_READ);
  	if (error)
  		return error;

  	error = security_inode_getxattr(dentry, name);
  	if (error)
  		return error;

  	if (!strncmp(name, XATTR_SECURITY_PREFIX,
  				XATTR_SECURITY_PREFIX_LEN)) {
  		const char *suffix = name + XATTR_SECURITY_PREFIX_LEN;
  		int ret = xattr_getsecurity(inode, suffix, value, size);
  		/*
  		 * Only overwrite the return value if a security module
  		 * is actually active.
  		 */
  		if (ret == -EOPNOTSUPP)
  			goto nolsm;
  		return ret;
  	}
  nolsm:
  	return __vfs_getxattr(dentry, inode, name, value, size);
  }

  In 4.15, ovl_is_opaquedir is called by the following caller:
  ovl_is_opaquedir <-
  ovl_lookup_single() <-
  ovl_lookup_layer <-
  ovl_lookup,
  ovl_lookup is the entry point for directory listing in overlayfs. Importantly, it assumes the filesystem mounter's credential to perform all internal lookup operations:
  struct dentry *ovl_lookup(struct inode *dir, struct dentry *dentry,
  			  unsigned int flags)
  {
     old_cred = ovl_override_creds(dentry->d_sb);
     // perform lookups
     // ....
     revert_creds(old_cred);   
  }

  The "credential switching" logic also does not exist in the 4.4 kernel: https://elixir.bootlin.com/linux/v4.4/source/fs/overlayfs/super.c#L397
  That means, on 4.15, overlayfs uses the file system mounter's credential to fetch the "trusted.overlay.opaque" xattr from the underlying filesystem. This can fail the permission check if the overlayfs is mounted by a remapped user, who doesn't have CAP_SYS_ADMIN capability
  See https://elixir.bootlin.com/linux/v4.15/source/fs/xattr.c#L115:
  static int xattr_permission(struct inode *inode, const char *name, int mask)
  {
   ....
    	/*
  	 * The trusted.* namespace can only be accessed by privileged users.
  	 */
  	if (!strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN)) {
  		if (!capable(CAP_SYS_ADMIN))
  			return (mask & MAY_WRITE) ? -EPERM : -ENODATA;
  		return 0;
  	}
  ....
  }

  When this call fails, overlayfs assumes the upper directory is not
  "opaque" and combines the content from the lower directory in the
  result.

  
  There's a proposed patch to fix this issue: https://lkml.org/lkml/2019/7/30/787
  The patch calls the insecure __vfs_getxattr to fetch the opaque flag so that it can bypass the permission check even if the other lookup operation is done under the mounter's credential.
  However, the patch hasn't been merged to the upstream linux kernel as of today (see https://elixir.bootlin.com/linux/v5.4-rc5/source/fs/overlayfs/util.c#L551).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-azure/+bug/1864669/+subscriptions