← Back to team overview

group.of.nepali.translators team mailing list archive

[Bug 1864669] Re: overlayfs regression - internal getxattr operations without sepolicy checking

 

This bug was fixed in the package linux-aws - 4.15.0-1080.84

---------------
linux-aws (4.15.0-1080.84) bionic; urgency=medium

  * bionic/linux-aws: 4.15.0-1080.84 -proposed tracker (LP: #1890686)

  * Bionic update: upstream stable patchset 2020-07-17 (LP: #1887990)
    - [Config] aws: updateconfigs for EFI_CUSTOM_SSDT_OVERLAYS

  * Bionic update: upstream stable patchset 2020-07-24 (LP: #1888907)
    - [Config] aws: updateconfigs for BLK_DEV_SR_VENDOR

  * Packaging resync (LP: #1786013)
    - [Packaging] update helper scripts
    - [Packaging] update update.conf

  * overlayfs regression - internal getxattr operations without sepolicy
    checking (LP: #1864669)
    - SAUCE: overlayfs: internal getxattr operations without sepolicy checking

  [ Ubuntu: 4.15.0-114.115 ]

  * bionic/linux: 4.15.0-114.115 -proposed tracker (LP: #1891052)
  * ipsec: policy priority management is broken (LP: #1890796)
    - xfrm: policy: match with both mark and mask on user interfaces

  [ Ubuntu: 4.15.0-113.114 ]

  * bionic/linux: 4.15.0-113.114 -proposed tracker (LP: #1890705)
  * Packaging resync (LP: #1786013)
    - update dkms package versions
  * Reapply "usb: handle warm-reset port requests on hub resume" (LP: #1859873)
    - usb: handle warm-reset port requests on hub resume
  * Bionic update: upstream stable patchset 2020-07-29 (LP: #1889474)
    - gpio: arizona: handle pm_runtime_get_sync failure case
    - gpio: arizona: put pm_runtime in case of failure
    - pinctrl: amd: fix npins for uart0 in kerncz_groups
    - mac80211: allow rx of mesh eapol frames with default rx key
    - scsi: scsi_transport_spi: Fix function pointer check
    - xtensa: fix __sync_fetch_and_{and,or}_4 declarations
    - xtensa: update *pos in cpuinfo_op.next
    - drivers/net/wan/lapbether: Fixed the value of hard_header_len
    - net: sky2: initialize return of gm_phy_read
    - drm/nouveau/i2c/g94-: increase NV_PMGR_DP_AUXCTL_TRANSACTREQ timeout
    - irqdomain/treewide: Keep firmware node unconditionally allocated
    - SUNRPC reverting d03727b248d0 ("NFSv4 fix CLOSE not waiting for direct IO
      compeletion")
    - spi: spi-fsl-dspi: Exit the ISR with IRQ_NONE when it's not ours
    - IB/umem: fix reference count leak in ib_umem_odp_get()
    - uprobes: Change handle_swbp() to send SIGTRAP with si_code=SI_KERNEL, to fix
      GDB regression
    - ALSA: info: Drop WARN_ON() from buffer NULL sanity check
    - ASoC: rt5670: Correct RT5670_LDO_SEL_MASK
    - btrfs: fix double free on ulist after backref resolution failure
    - btrfs: fix mount failure caused by race with umount
    - btrfs: fix page leaks after failure to lock page for delalloc
    - bnxt_en: Fix race when modifying pause settings.
    - hippi: Fix a size used in a 'pci_free_consistent()' in an error handling
      path
    - ax88172a: fix ax88172a_unbind() failures
    - net: dp83640: fix SIOCSHWTSTAMP to update the struct with actual
      configuration
    - drm: sun4i: hdmi: Fix inverted HPD result
    - net: smc91x: Fix possible memory leak in smc_drv_probe()
    - bonding: check error value of register_netdevice() immediately
    - mlxsw: destroy workqueue when trap_register in mlxsw_emad_init
    - ipvs: fix the connection sync failed in some cases
    - i2c: rcar: always clear ICSAR to avoid side effects
    - bonding: check return value of register_netdevice() in bond_newlink()
    - serial: exar: Fix GPIO configuration for Sealevel cards based on XR17V35X
    - scripts/decode_stacktrace: strip basepath from all paths
    - HID: i2c-hid: add Mediacom FlexBook edge13 to descriptor override
    - HID: apple: Disable Fn-key key-re-mapping on clone keyboards
    - dmaengine: tegra210-adma: Fix runtime PM imbalance on error
    - Input: add `SW_MACHINE_COVER`
    - spi: mediatek: use correct SPI_CFG2_REG MACRO
    - regmap: dev_get_regmap_match(): fix string comparison
    - hwmon: (aspeed-pwm-tacho) Avoid possible buffer overflow
    - dmaengine: ioat setting ioat timeout as module parameter
    - Input: synaptics - enable InterTouch for ThinkPad X1E 1st gen
    - usb: gadget: udc: gr_udc: fix memleak on error handling path in gr_ep_init()
    - arm64: Use test_tsk_thread_flag() for checking TIF_SINGLESTEP
    - x86: math-emu: Fix up 'cmp' insn for clang ias
    - binder: Don't use mmput() from shrinker function.
    - usb: xhci-mtk: fix the failure of bandwidth allocation
    - usb: xhci: Fix ASM2142/ASM3142 DMA addressing
    - Revert "cifs: Fix the target file was deleted when rename failed."
    - staging: wlan-ng: properly check endpoint types
    - staging: comedi: addi_apci_1032: check INSN_CONFIG_DIGITAL_TRIG shift
    - staging: comedi: ni_6527: fix INSN_CONFIG_DIGITAL_TRIG support
    - staging: comedi: addi_apci_1500: check INSN_CONFIG_DIGITAL_TRIG shift
    - staging: comedi: addi_apci_1564: check INSN_CONFIG_DIGITAL_TRIG shift
    - serial: 8250: fix null-ptr-deref in serial8250_start_tx()
    - serial: 8250_mtk: Fix high-speed baud rates clamping
    - fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.
    - vt: Reject zero-sized screen buffer size.
    - Makefile: Fix GCC_TOOLCHAIN_DIR prefix for Clang cross compilation
    - mm/memcg: fix refcount error while moving and swapping
    - io-mapping: indicate mapping failure
    - parisc: Add atomic64_set_release() define to avoid CPU soft lockups
    - ath9k: Fix regression with Atheros 9271
    - fuse: fix weird page warning
    - qed: suppress "don't support RoCE & iWARP" flooding on HW init
    - scripts/gdb: fix lx-symbols 'gdb.error' while loading modules
    - HID: alps: support devices with report id 2
    - RISC-V: Upgrade smp_mb__after_spinlock() to iorw,iorw
    - x86, vmlinux.lds: Page-align end of ..page_aligned sections
    - ASoC: rt5670: Add new gpio1_is_ext_spk_en quirk and enable it on the Lenovo
      Miix 2 10
  * Bionic update: upstream stable patchset 2020-07-24 (LP: #1888907)
    - KVM: s390: reduce number of IO pins to 1
    - spi: spi-fsl-dspi: Adding shutdown hook
    - spi: spi-fsl-dspi: Fix lockup if device is removed during SPI transfer
    - spi: spi-fsl-dspi: use IRQF_SHARED mode to request IRQ
    - spi: spi-fsl-dspi: Fix external abort on interrupt in resume or exit paths
    - ARM: dts: omap4-droid4: Fix spi configuration and increase rate
    - gpu: host1x: Detach driver on unregister
    - spi: spidev: fix a race between spidev_release and spidev_remove
    - spi: spidev: fix a potential use-after-free in spidev_release()
    - ixgbe: protect ring accesses with READ- and WRITE_ONCE
    - s390/kasan: fix early pgm check handler execution
    - cifs: update ctime and mtime during truncate
    - ARM: imx6: add missing put_device() call in imx6q_suspend_init()
    - scsi: mptscsih: Fix read sense data size
    - nvme-rdma: assign completion vector correctly
    - x86/entry: Increase entry_stack size to a full page
    - net: cxgb4: fix return error value in t4_prep_fw
    - smsc95xx: check return value of smsc95xx_reset
    - smsc95xx: avoid memory leak in smsc95xx_bind
    - ALSA: compress: fix partial_drain completion state
    - arm64: kgdb: Fix single-step exception handling oops
    - nbd: Fix memory leak in nbd_add_socket
    - bnxt_en: fix NULL dereference in case SR-IOV configuration fails
    - net: macb: mark device wake capable when "magic-packet" property present
    - mlxsw: spectrum_router: Remove inappropriate usage of WARN_ON()
    - ALSA: opl3: fix infoleak in opl3
    - ALSA: hda - let hs_mic be picked ahead of hp_mic
    - ALSA: usb-audio: add quirk for MacroSilicon MS2109
    - KVM: arm64: Fix definition of PAGE_HYP_DEVICE
    - KVM: arm64: Stop clobbering x0 for HVC_SOFT_RESTART
    - KVM: x86: bit 8 of non-leaf PDPEs is not reserved
    - KVM: x86: Inject #GP if guest attempts to toggle CR4.LA57 in 64-bit mode
    - KVM: x86: Mark CR4.TSD as being possibly owned by the guest
    - btrfs: fix fatal extent_buffer readahead vs releasepage race
    - drm/radeon: fix double free
    - dm: use noio when sending kobject event
    - ARC: entry: fix potential EFA clobber when TIF_SYSCALL_TRACE
    - ARC: elf: use right ELF_ARCH
    - s390/mm: fix huge pte soft dirty copying
    - genetlink: remove genl_bind
    - ipv4: fill fl4_icmp_{type,code} in ping_v4_sendmsg
    - l2tp: remove skb_dst_set() from l2tp_xmit_skb()
    - llc: make sure applications use ARPHRD_ETHER
    - net: Added pointer check for dst->ops->neigh_lookup in dst_neigh_lookup_skb
    - tcp: md5: add missing memory barriers in tcp_md5_do_add()/tcp_md5_hash_key()
    - tcp: md5: refine tcp_md5_do_add()/tcp_md5_hash_key() barriers
    - tcp: md5: allow changing MD5 keys in all socket states
    - net_sched: fix a memory leak in atm_tc_init()
    - tcp: make sure listeners don't initialize congestion-control state
    - tcp: md5: do not send silly options in SYNCOOKIES
    - cgroup: fix cgroup_sk_alloc() for sk_clone_lock()
    - cgroup: Fix sock_cgroup_data on big-endian.
    - drm/exynos: fix ref count leak in mic_pre_enable
    - arm64/alternatives: use subsections for replacement sequences
    - tpm_tis: extra chip->ops check on error path in tpm_tis_core_init
    - gfs2: read-only mounts should grab the sd_freeze_gl glock
    - i2c: eg20t: Load module automatically if ID matches
    - arm64: alternative: Use true and false for boolean values
    - arm64/alternatives: don't patch up internal branches
    - iio:magnetometer:ak8974: Fix alignment and data leak issues
    - iio:humidity:hdc100x Fix alignment and data leak issues
    - iio: magnetometer: ak8974: Fix runtime PM imbalance on error
    - iio: mma8452: Add missed iio_device_unregister() call in mma8452_probe()
    - iio: pressure: zpa2326: handle pm_runtime_get_sync failure
    - iio:pressure:ms5611 Fix buffer element alignment
    - iio:health:afe4403 Fix timestamp alignment and prevent data leak.
    - spi: spi-fsl-dspi: Fix lockup if device is shutdown during SPI transfer
    - spi: fix initial SPI_SR value in spi-fsl-dspi
    - net: dsa: bcm_sf2: Fix node reference count
    - of: of_mdio: Correct loop scanning logic
    - Revert "usb/ohci-platform: Fix a warning when hibernating"
    - Revert "usb/ehci-platform: Set PM runtime as active on resume"
    - Revert "usb/xhci-plat: Set PM runtime as active on resume"
    - doc: dt: bindings: usb: dwc3: Update entries for disabling SS instances in
      park mode
    - mmc: sdhci: do not enable card detect interrupt for gpio cd type
    - ACPI: video: Use native backlight on Acer Aspire 5783z
    - ACPI: video: Use native backlight on Acer TravelMate 5735Z
    - iio:health:afe4404 Fix timestamp alignment and prevent data leak.
    - phy: sun4i-usb: fix dereference of pointer phy0 before it is null checked
    - arm64: dts: meson: add missing gxl rng clock
    - spi: spi-sun6i: sun6i_spi_transfer_one(): fix setting of clock rate
    - usb: gadget: udc: atmel: fix uninitialized read in debug printk
    - staging: comedi: verify array index is correct before using it
    - Revert "thermal: mediatek: fix register index error"
    - ARM: dts: socfpga: Align L2 cache-controller nodename with dtschema
    - copy_xstate_to_kernel: Fix typo which caused GDB regression
    - perf stat: Zero all the 'ena' and 'run' array slot stats for interval mode
    - mtd: rawnand: brcmnand: fix CS0 layout
    - mtd: rawnand: oxnas: Keep track of registered devices
    - mtd: rawnand: oxnas: Unregister all devices on error
    - mtd: rawnand: oxnas: Release all devices in the _remove() path
    - HID: magicmouse: do not set up autorepeat
    - ALSA: line6: Perform sanity check for each URB creation
    - ALSA: usb-audio: Fix race against the error recovery URB submission
    - USB: c67x00: fix use after free in c67x00_giveback_urb
    - usb: dwc2: Fix shutdown callback in platform
    - usb: chipidea: core: add wakeup support for extcon
    - usb: gadget: function: fix missing spinlock in f_uac1_legacy
    - USB: serial: iuu_phoenix: fix memory corruption
    - USB: serial: cypress_m8: enable Simply Automated UPB PIM
    - USB: serial: ch341: add new Product ID for CH340
    - USB: serial: option: add GosunCn GM500 series
    - virtio: virtio_console: add missing MODULE_DEVICE_TABLE() for rproc serial
    - fuse: Fix parameter for FS_IOC_{GET,SET}FLAGS
    - Revert "zram: convert remaining CLASS_ATTR() to CLASS_ATTR_RO()"
    - mei: bus: don't clean driver pointer
    - Input: i8042 - add Lenovo XiaoXin Air 12 to i8042 nomux list
    - uio_pdrv_genirq: fix use without device tree and no interrupt
    - timer: Fix wheel index calculation on last level
    - MIPS: Fix build for LTS kernel caused by backporting lpj adjustment
    - hwmon: (emc2103) fix unable to change fan pwm1_enable attribute
    - intel_th: pci: Add Jasper Lake CPU support
    - intel_th: pci: Add Tiger Lake PCH-H support
    - intel_th: pci: Add Emmitsburg PCH support
    - dmaengine: fsl-edma: Fix NULL pointer exception in fsl_edma_tx_handler
    - misc: atmel-ssc: lock with mutex instead of spinlock
    - thermal/drivers/cpufreq_cooling: Fix wrong frequency converted from power
    - arm64: ptrace: Override SPSR.SS when single-stepping is enabled
    - sched/fair: handle case of task_h_load() returning 0
    - libceph: don't omit recovery_deletes in target_copy()
    - rxrpc: Fix trace string
    - regmap: fix alignment issue
    - i40e: protect ring accesses with READ- and WRITE_ONCE
    - usb: dwc3: pci: Fix reference count leak in dwc3_pci_resume_work
    - net: qrtr: Fix an out of bounds read qrtr_endpoint_post()
    - drm/mediatek: Check plane visibility in atomic_update
    - net: hns3: fix use-after-free when doing self test
    - cxgb4: fix all-mask IP address comparison
    - perf: Make perf able to build with latest libbfd
    - drm/msm: fix potential memleak in error branch
    - HID: quirks: Remove ITE 8595 entry from hid_have_special_driver
    - scsi: sr: remove references to BLK_DEV_SR_VENDOR, leave it enabled
    - [Config] updateconfigs for BLK_DEV_SR_VENDOR
    - ALSA: usb-audio: Create a registration quirk for Kingston HyperX Amp
      (0951:16d8)
    - ALSA: usb-audio: Rewrite registration quirk handling
    - ALSA: usb-audio: Add registration quirk for Kingston HyperX Cloud Alpha S
    - ALSA: usb-audio: Add registration quirk for Kingston HyperX Cloud Flight S
    - regmap: debugfs: Don't sleep while atomic for fast_io regmaps
    - HID: quirks: Always poll Obins Anne Pro 2 keyboard
    - HID: quirks: Ignore Simply Automated UPB PIM
    - ALSA: line6: Sync the pending work cancel at disconnection
    - ALSA: hda/realtek - change to suitable link model for ASUS platform
    - ALSA: hda/realtek - Enable Speaker for ASUS UX533 and UX534
    - timer: Prevent base->clk from moving backward
    - riscv: use 16KB kernel stack on 64-bit
    - intel_th: Fix a NULL dereference when hub driver is not loaded
    - genirq/affinity: Handle affinity setting on inactive interrupts correctly
  * NFSv4.1: Interrupted connections cause high bandwidth RPC ping-pong between
    client and server (LP: #1887607)
    - NFSv4.1: Avoid false retries when RPC calls are interrupted
    - NFSv4.x: Handle bad/dead sessions correctly in nfs41_sequence_process()
    - NFS: Fix interrupted slots by sending a solo SEQUENCE operation
  * tap: use after free (LP: #1889735)
    - tap: fix use-after-free
  * Bionic update: upstream stable patchset 2020-07-17 (LP: #1887990)
    - btrfs: fix a block group ref counter leak after failure to remove block
      group
    - btrfs: cow_file_range() num_bytes and disk_num_bytes are same
    - btrfs: fix data block group relocation failure due to concurrent scrub
    - mm: fix swap cache node allocation mask
    - EDAC/amd64: Read back the scrub rate PCI register on F15h
    - usbnet: smsc95xx: Fix use-after-free after removal
    - mm/slub.c: fix corrupted freechain in deactivate_slab()
    - mm/slub: fix stack overruns with SLUB_STATS
    - usb: usbtest: fix missing kfree(dev->buf) in usbtest_disconnect
    - kgdb: Avoid suspicious RCU usage warning
    - cxgb4: use unaligned conversion for fetching timestamp
    - cxgb4: parse TC-U32 key values and masks natively
    - hwmon: (max6697) Make sure the OVERT mask is set correctly
    - hwmon: (acpi_power_meter) Fix potential memory leak in
      acpi_power_meter_add()
    - drm: sun4i: hdmi: Remove extra HPD polling
    - virtio-blk: free vblk-vqs in error path of virtblk_probe()
    - i2c: algo-pca: Add 0x78 as SCL stuck low status for PCA9665
    - nfsd: apply umask on fs without ACL support
    - Revert "ALSA: usb-audio: Improve frames size computation"
    - SMB3: Honor 'seal' flag for multiuser mounts
    - SMB3: Honor persistent/resilient handle flags for multiuser mounts
    - cifs: Fix the target file was deleted when rename failed.
    - MIPS: Add missing EHB in mtc0 -> mfc0 sequence for DSPen
    - irqchip/gic: Atomically update affinity
    - dm zoned: assign max_io_len correctly
    - [Config] updateconfigs for EFI_CUSTOM_SSDT_OVERLAYS
    - efi: Make it possible to disable efivar_ssdt entirely
    - s390/debug: avoid kernel warning on too large number of pages
    - cxgb4: use correct type for all-mask IP address comparison
    - SMB3: Honor lease disabling for multiuser mounts
  * Enable Quectel EG95 LTE modem [2c7c:0195]  (LP: #1886744)
    - net: usb: qmi_wwan: add support for Quectel EG95 LTE modem
    - USB: serial: option: add Quectel EG95 LTE modem
  * kernel oops xr-usb-serial (LP: #1885271)
    - SAUCE: Revert "xr-usb-serial: fix kbuild"
    - SAUCE: Revert "xr-usb-serial: Changes to support updates in struct
      gpio_chip"
    - SAUCE: Revert "xr-usb-serial: re-initialise baudrate after resume from
      S3/S4"
    - SAUCE: Revert "xr-usb-serial: Update driver for Exar USB serial ports"
  * [hns3-0115] add 8 BD limit for tx flow  (LP: #1859756)
    - net: hns3: add 8 BD limit for tx flow
    - net: hns3: avoid mult + div op in critical data path
    - net: hns3: remove some ops in struct hns3_nic_ops
    - net: hns3: fix for not calculating tx bd num correctly
    - net: hns3: unify maybe_stop_tx for TSO and non-TSO case
    - net: hns3: add check for max TX BD num for tso and non-tso case
    - net: hns3: fix for TX queue not restarted problem
    - net: hns3: fix a use after free problem in hns3_nic_maybe_stop_tx()
  * Regression in kernel 4.15.0-91 causes kernel panic with Bcache
    (LP: #1867916)
    - bcache: check and adjust logical block size for backing devices
  * use-after-free in af_alg_accept() due to bh_lock_sock() (LP: #1884766)
    - crypto: af_alg - fix use-after-free in af_alg_accept() due to bh_lock_sock()
  * Bionic update: upstream stable patchset 2020-07-15 (LP: #1887715)
    - net: be more gentle about silly gso requests coming from user
    - block/bio-integrity: don't free 'buf' if bio_integrity_add_page() failed
    - net: sched: export __netdev_watchdog_up()
    - fix a braino in "sparc32: fix register window handling in
      genregs32_[gs]et()"
    - apparmor: don't try to replace stale label in ptraceme check
    - ibmveth: Fix max MTU limit
    - mld: fix memory leak in ipv6_mc_destroy_dev()
    - net: bridge: enfore alignment for ethernet address
    - net: fix memleak in register_netdevice()
    - net: usb: ax88179_178a: fix packet alignment padding
    - rocker: fix incorrect error handling in dma_rings_init
    - rxrpc: Fix notification call on completion of discarded calls
    - sctp: Don't advertise IPv4 addresses if ipv6only is set on the socket
    - tcp: grow window for OOO packets only for SACK flows
    - tg3: driver sleeps indefinitely when EEH errors exceed eeh_max_freezes
    - ip_tunnel: fix use-after-free in ip_tunnel_lookup()
    - tcp_cubic: fix spurious HYSTART_DELAY exit upon drop in min RTT
    - ip6_gre: fix use-after-free in ip6gre_tunnel_lookup()
    - net: Fix the arp error in some cases
    - net: Do not clear the sock TX queue in sk_set_socket()
    - net: core: reduce recursion limit value
    - USB: ohci-sm501: Add missed iounmap() in remove
    - usb: dwc2: Postponed gadget registration to the udc class driver
    - usb: add USB_QUIRK_DELAY_INIT for Logitech C922
    - USB: ehci: reopen solution for Synopsys HC bug
    - usb: host: xhci-mtk: avoid runtime suspend when removing hcd
    - usb: host: ehci-exynos: Fix error check in exynos_ehci_probe()
    - ALSA: usb-audio: add quirk for Denon DCD-1500RE
    - xhci: Fix incorrect EP_STATE_MASK
    - xhci: Fix enumeration issue when setting max packet size for FS devices.
    - cdc-acm: Add DISABLE_ECHO quirk for Microchip/SMSC chip
    - loop: replace kill_bdev with invalidate_bdev
    - ALSA: usb-audio: Clean up mixer element list traverse
    - ALSA: usb-audio: Fix OOB access of mixer element list
    - xhci: Poll for U0 after disabling USB2 LPM
    - cifs/smb3: Fix data inconsistent when punch hole
    - cifs/smb3: Fix data inconsistent when zero file range
    - efi/esrt: Fix reference count leak in esre_create_sysfs_entry.
    - ARM: dts: NSP: Correct FA2 mailbox node
    - rxrpc: Fix handling of rwind from an ACK packet
    - RDMA/cma: Protect bind_list and listen_list while finding matching cm id
    - ASoC: rockchip: Fix a reference count leak.
    - RDMA/mad: Fix possible memory leak in ib_mad_post_receive_mads()
    - net: qed: fix left elements count calculation
    - net: qed: fix NVMe login fails over VFs
    - net: qed: fix excessive QM ILT lines consumption
    - ARM: imx5: add missing put_device() call in imx_suspend_alloc_ocram()
    - usb: gadget: udc: Potential Oops in error handling code
    - netfilter: ipset: fix unaligned atomic access
    - net: bcmgenet: use hardware padding of runt frames
    - sched/core: Fix PI boosting between RT and DEADLINE tasks
    - ata/libata: Fix usage of page address by page_address in
      ata_scsi_mode_select_xlat function
    - net: alx: fix race condition in alx_remove
    - s390/ptrace: fix setting syscall number
    - kbuild: improve cc-option to clean up all temporary files
    - blktrace: break out of blktrace setup on concurrent calls
    - ALSA: hda: Add NVIDIA codec IDs 9a & 9d through a0 to patch table
    - ACPI: sysfs: Fix pm_profile_attr type
    - KVM: X86: Fix MSR range of APIC registers in X2APIC mode
    - KVM: nVMX: Plumb L2 GPA through to PML emulation
    - btrfs: fix failure of RWF_NOWAIT write into prealloc extent beyond eof
    - mm/slab: use memzero_explicit() in kzfree()
    - ocfs2: load global_inode_alloc
    - ocfs2: fix value of OCFS2_INVALID_SLOT
    - ocfs2: fix panic on nfs server over ocfs2
    - arm64: perf: Report the PC value in REGS_ABI_32 mode
    - tracing: Fix event trigger to accept redundant spaces
    - drm/radeon: fix fb_div check in ni_init_smc_spll_table()
    - Staging: rtl8723bs: prevent buffer overflow in update_sta_support_rate()
    - sunrpc: fixed rollback in rpc_gssd_dummy_populate()
    - SUNRPC: Properly set the @subbuf parameter of xdr_buf_subsegment()
    - pNFS/flexfiles: Fix list corruption if the mirror count changes
    - NFSv4 fix CLOSE not waiting for direct IO compeletion
    - xfs: add agf freeblocks verify in xfs_agf_verify
    - net: bcmgenet: remove HFB_CTRL access
    - EDAC/amd64: Add Family 17h Model 30h PCI IDs
    - i2c: tegra: Cleanup kerneldoc comments
    - i2c: tegra: Add missing kerneldoc for some fields
    - net: phy: Check harder for errors in get_phy_id()
    - ALSA: usb-audio: add quirk for Samsung USBC Headset (AKG)
    - scsi: zfcp: Fix panic on ERP timeout for previously dismissed ERP action
    - xhci: Return if xHCI doesn't support LPM
    - IB/mad: Fix use after free when destroying MAD agent
    - regmap: Fix memory leak from regmap_register_patch
    - RDMA/qedr: Fix KASAN: use-after-free in ucma_event_handler+0x532
    - cxgb4: move handling L2T ARP failures to caller
    - sched/deadline: Initialize ->dl_boosted
    - s390/vdso: fix vDSO clock_getres()
    - arm64: sve: Fix build failure when ARM64_SVE=y and SYSCTL=n
    - ALSA: hda/realtek - Add quirk for MSI GE63 laptop
  * Bionic update: upstream stable patchset 2020-07-07 (LP: #1886710)
    - s390: fix syscall_get_error for compat processes
    - drm/i915: Whitelist context-local timestamp in the gen9 cmdparser
    - power: supply: bq24257_charger: Replace depends on REGMAP_I2C with select
    - clk: sunxi: Fix incorrect usage of round_down()
    - i2c: piix4: Detect secondary SMBus controller on AMD AM4 chipsets
    - iio: pressure: bmp280: Tolerate IRQ before registering
    - remoteproc: Fix IDR initialisation in rproc_alloc()
    - clk: qcom: msm8916: Fix the address location of pll->config_reg
    - backlight: lp855x: Ensure regulators are disabled on probe failure
    - ASoC: davinci-mcasp: Fix dma_chan refcnt leak when getting dma type
    - ARM: integrator: Add some Kconfig selections
    - scsi: qedi: Check for buffer overflow in qedi_set_path()
    - ALSA: isa/wavefront: prevent out of bounds write in ioctl
    - scsi: qla2xxx: Fix issue with adapter's stopping state
    - iio: bmp280: fix compensation of humidity
    - f2fs: report delalloc reserve as non-free in statfs for project quota
    - i2c: pxa: clear all master action bits in i2c_pxa_stop_message()
    - usblp: poison URBs upon disconnect
    - dm mpath: switch paths in dm_blk_ioctl() code path
    - PCI: aardvark: Don't blindly enable ASPM L0s and don't write to read-only
      register
    - ps3disk: use the default segment boundary
    - vfio/pci: fix memory leaks in alloc_perm_bits()
    - m68k/PCI: Fix a memory leak in an error handling path
    - mfd: wm8994: Fix driver operation if loaded as modules
    - scsi: lpfc: Fix lpfc_nodelist leak when processing unsolicited event
    - clk: clk-flexgen: fix clock-critical handling
    - powerpc/perf/hv-24x7: Fix inconsistent output values incase multiple hv-24x7
      events run
    - nfsd: Fix svc_xprt refcnt leak when setup callback client failed
    - powerpc/crashkernel: Take "mem=" option into account
    - yam: fix possible memory leak in yam_init_driver
    - NTB: Fix the default port and peer numbers for legacy drivers
    - mksysmap: Fix the mismatch of '.L' symbols in System.map
    - apparmor: fix introspection of of task mode for unconfined tasks
    - scsi: sr: Fix sr_probe() missing deallocate of device minor
    - scsi: ibmvscsi: Don't send host info in adapter info MAD after LPM
    - staging: greybus: fix a missing-check bug in gb_lights_light_config()
    - scsi: qedi: Do not flush offload work if ARP not resolved
    - ALSA: usb-audio: Improve frames size computation
    - s390/qdio: put thinint indicator after early error
    - thermal/drivers/ti-soc-thermal: Avoid dereferencing ERR_PTR
    - staging: sm750fb: add missing case while setting FB_VISUAL
    - i2c: pxa: fix i2c_pxa_scream_blue_murder() debug output
    - serial: amba-pl011: Make sure we initialize the port.lock spinlock
    - drivers: base: Fix NULL pointer exception in __platform_driver_probe() if a
      driver developer is foolish
    - PCI: rcar: Fix incorrect programming of OB windows
    - PCI/ASPM: Allow ASPM on links to PCIe-to-PCI/PCI-X Bridges
    - scsi: qla2xxx: Fix warning after FC target reset
    - power: supply: lp8788: Fix an error handling path in
      'lp8788_charger_probe()'
    - power: supply: smb347-charger: IRQSTAT_D is volatile
    - scsi: mpt3sas: Fix double free warnings
    - dlm: remove BUG() before panic()
    - clk: ti: composite: fix memory leak
    - PCI: Fix pci_register_host_bridge() device_register() error handling
    - tty: n_gsm: Fix SOF skipping
    - tty: n_gsm: Fix waking up upper tty layer when room available
    - powerpc/pseries/ras: Fix FWNMI_VALID off by one
    - powerpc/ps3: Fix kexec shutdown hang
    - vfio-pci: Mask cap zero
    - usb/ohci-platform: Fix a warning when hibernating
    - drm/msm/mdp5: Fix mdp5_init error path for failed mdp5_kms allocation
    - USB: host: ehci-mxc: Add error handling in ehci_mxc_drv_probe()
    - tty: n_gsm: Fix bogus i++ in gsm_data_kick
    - clk: samsung: exynos5433: Add IGNORE_UNUSED flag to sclk_i2s1
    - powerpc/64s/pgtable: fix an undefined behaviour
    - dm zoned: return NULL if dmz_get_zone_for_reclaim() fails to find a zone
    - PCI/PTM: Inherit Switch Downstream Port PTM settings from Upstream Port
    - IB/cma: Fix ports memory leak in cma_configfs
    - watchdog: da9062: No need to ping manually before setting timeout
    - usb: dwc2: gadget: move gadget resume after the core is in L0 state
    - USB: gadget: udc: s3c2410_udc: Remove pointless NULL check in
      s3c2410_udc_nuke
    - usb: gadget: lpc32xx_udc: don't dereference ep pointer before null check
    - usb: gadget: fix potential double-free in m66592_probe.
    - usb: gadget: Fix issue with config_ep_by_speed function
    - x86/apic: Make TSC deadline timer detection message visible
    - clk: bcm2835: Fix return type of bcm2835_register_gate
    - scsi: ufs-qcom: Fix scheduling while atomic issue
    - net: sunrpc: Fix off-by-one issues in 'rpc_ntop6'
    - NFSv4.1 fix rpc_call_done assignment for BIND_CONN_TO_SESSION
    - powerpc/4xx: Don't unmap NULL mbase
    - extcon: adc-jack: Fix an error handling path in 'adc_jack_probe()'
    - ASoC: fsl_asrc_dma: Fix dma_chan leak when config DMA channel failed
    - vfio/mdev: Fix reference count leak in add_mdev_supported_type
    - openrisc: Fix issue with argument clobbering for clone/fork
    - gfs2: Allow lock_nolock mount to specify jid=X
    - scsi: iscsi: Fix reference count leak in iscsi_boot_create_kobj
    - scsi: ufs: Don't update urgent bkops level when toggling auto bkops
    - pinctrl: imxl: Fix an error handling path in 'imx1_pinctrl_core_probe()'
    - pinctrl: freescale: imx: Fix an error handling path in 'imx_pinctrl_probe()'
    - crypto: omap-sham - add proper load balancing support for multicore
    - geneve: change from tx_error to tx_dropped on missing metadata
    - lib/zlib: remove outdated and incorrect pre-increment optimization
    - include/linux/bitops.h: avoid clang shift-count-overflow warnings
    - elfnote: mark all .note sections SHF_ALLOC
    - selftests/vm/pkeys: fix alloc_random_pkey() to make it really random
    - blktrace: use errno instead of bi_status
    - blktrace: fix endianness in get_pdu_int()
    - blktrace: fix endianness for blk_log_remap()
    - gfs2: fix use-after-free on transaction ail lists
    - selftests/net: in timestamping, strncpy needs to preserve null byte
    - drm/sun4i: hdmi ddc clk: Fix size of m divider
    - scsi: acornscsi: Fix an error handling path in acornscsi_probe()
    - usb/xhci-plat: Set PM runtime as active on resume
    - usb/ehci-platform: Set PM runtime as active on resume
    - perf report: Fix NULL pointer dereference in
      hists__fprintf_nr_sample_events()
    - bcache: fix potential deadlock problem in btree_gc_coalesce
    - block: Fix use-after-free in blkdev_get()
    - arm64: hw_breakpoint: Don't invoke overflow handler on uaccess watchpoints
    - drm: encoder_slave: fix refcouting error for modules
    - drm/dp_mst: Reformat drm_dp_check_act_status() a bit
    - drm/qxl: Use correct notify port address when creating cursor ring
    - selinux: fix double free
    - ext4: fix partial cluster initialization when splitting extent
    - drm/dp_mst: Increase ACT retry timeout to 3s
    - x86/boot/compressed: Relax sed symbol type regex for LLVM ld.lld
    - block: nr_sects_write(): Disable preemption on seqcount write
    - mtd: rawnand: Pass a nand_chip object to nand_release()
    - mtd: rawnand: diskonchip: Fix the probe error path
    - mtd: rawnand: sharpsl: Fix the probe error path
    - mtd: rawnand: xway: Fix the probe error path
    - mtd: rawnand: orion: Fix the probe error path
    - mtd: rawnand: oxnas: Add of_node_put()
    - mtd: rawnand: oxnas: Fix the probe error path
    - mtd: rawnand: socrates: Fix the probe error path
    - mtd: rawnand: plat_nand: Fix the probe error path
    - mtd: rawnand: mtk: Fix the probe error path
    - mtd: rawnand: tmio: Fix the probe error path
    - crypto: algif_skcipher - Cap recv SG list at ctx->used
    - crypto: algboss - don't wait during notifier callback
    - kprobes: Fix to protect kick_kprobe_optimizer() by kprobe_mutex
    - e1000e: Do not wake up the system via WOL if device wakeup is disabled
    - kretprobe: Prevent triggering kretprobe from within kprobe_flush_task
    - sched/rt, net: Use CONFIG_PREEMPTION.patch
    - net: core: device_rename: Use rwsem instead of a seqcount
    - kvm: x86: Move kvm_set_mmio_spte_mask() from x86.c to mmu.c
    - kvm: x86: Fix reserved bits related calculation errors caused by MKTME
    - KVM: x86/mmu: Set mmio_value to '0' if reserved #PF can't be generated
    - ASoC: tegra: tegra_wm8903: Support nvidia, headset property
    - PCI: Allow pci_resize_resource() for devices on root bus
    - clk: samsung: Mark top ISP and CAM clocks on Exynos542x as critical
    - serial: 8250: Fix max baud limit in generic 8250 port
    - gpio: dwapb: Call acpi_gpiochip_free_interrupts() on GPIO chip de-
      registration
    - pwm: img: Call pm_runtime_put() in pm_runtime_get_sync() failed case
    - x86/purgatory: Disable various profiling and sanitizing options
    - arm64: dts: mt8173: fix unit name warnings
    - gpio: dwapb: Append MODULE_ALIAS for platform driver
    - pinctrl: rza1: Fix wrong array assignment of rza1l_swio_entries
    - ALSA: usb-audio: Fix racy list management in output queue
    - PCI: v3-semi: Fix a memory leak in v3_pci_probe() error handling paths
    - pinctrl: rockchip: fix memleak in rockchip_dt_node_to_map
    - powerpc/64: Don't initialise init_task->thread.regs
    - HID: Add quirks for Trust Panora Graphic Tablet
    - RDMA/iw_cxgb4: cleanup device debugfs entries on ULD remove
    - ASoC: fix incomplete error-handling in img_i2s_in_probe.
    - of: Fix a refcounting bug in __of_attach_node_sysfs()
    - NTB: Revert the change to use the NTB device dev for DMA allocations
    - drivers/perf: hisi: Fix wrong value for all counters enable
    - x86/idt: Keep spurious entries unset in system_vectors
    - usb: host: ehci-platform: add a quirk to avoid stuck
    - afs: Fix non-setting of mtime when writing into mmap
    - afs: afs_write_end() should change i_size under the right lock
    - drm/amdgpu: Replace invalid device ID with a valid device ID
    - ext4: avoid race conditions when remounting with options that change dax
    - net: octeon: mgmt: Repair filling of RX ring
    - Revert "dpaa_eth: fix usage as DSA master, try 3"
  * Computer is frozen after suspend (LP: #1867983) // Bionic update: upstream
    stable patchset 2020-07-07 (LP: #1886710)
    - libata: Use per port sync for detach
  * The thread level parallelism would be a bottleneck when searching for the
    shared pmd by using hugetlbfs (LP: #1882039)
    - hugetlbfs: take read_lock on i_mmap for PMD sharing
  * Bionic update: upstream stable patchset 2020-06-25 (LP: #1885176)
    - ipv6: fix IPV6_ADDRFORM operation logic
    - vxlan: Avoid infinite loop when suppressing NS messages with invalid options
    - make 'user_access_begin()' do 'access_ok()'
    - Fix 'acccess_ok()' on alpha and SH
    - arch/openrisc: Fix issues with access_ok()
    - x86: uaccess: Inhibit speculation past access_ok() in user_access_begin()
    - lib: Reduce user_access_begin() boundaries in strncpy_from_user() and
      strnlen_user()
    - serial: imx: Fix handling of TC irq in combination with DMA
    - crypto: talitos - fix ECB and CBC algs ivsize
    - ARM: 8977/1: ptrace: Fix mask for thumb breakpoint hook
    - sched/fair: Don't NUMA balance for kthreads
    - Input: synaptics - add a second working PNP_ID for Lenovo T470s
    - drivers/net/ibmvnic: Update VNIC protocol version reporting
    - powerpc/xive: Clear the page tables for the ESB IO mapping
    - ath9k_htc: Silence undersized packet warnings
    - perf probe: Accept the instance number of kretprobe event
    - mm: add kvfree_sensitive() for freeing sensitive data objects
    - x86_64: Fix jiffies ODR violation
    - x86/PCI: Mark Intel C620 MROMs as having non-compliant BARs
    - x86/speculation: Prevent rogue cross-process SSBD shutdown
    - x86/reboot/quirks: Add MacBook6,1 reboot quirk
    - efi/efivars: Add missing kobject_put() in sysfs entry creation error path
    - ALSA: es1688: Add the missed snd_card_free()
    - ALSA: hda/realtek - add a pintbl quirk for several Lenovo machines
    - ALSA: usb-audio: Fix inconsistent card PM state after resume
    - ACPI: sysfs: Fix reference count leak in acpi_sysfs_add_hotplug_profile()
    - ACPI: CPPC: Fix reference count leak in acpi_cppc_processor_probe()
    - ACPI: GED: add support for _Exx / _Lxx handler methods
    - ACPI: PM: Avoid using power resources if there are none for D0
    - cgroup, blkcg: Prepare some symbols for module and !CONFIG_CGROUP usages
    - nilfs2: fix null pointer dereference at nilfs_segctor_do_construct()
    - spi: bcm2835aux: Fix controller unregister order
    - spi: bcm-qspi: when tx/rx buffer is NULL set to 0
    - crypto: cavium/nitrox - Fix 'nitrox_get_first_device()' when ndevlist is
      fully iterated
    - ALSA: pcm: disallow linking stream to itself
    - kvm: x86: Fix L1TF mitigation for shadow MMU
    - KVM: x86/mmu: Consolidate "is MMIO SPTE" code
    - KVM: x86: only do L1TF workaround on affected processors
    - x86/speculation: Avoid force-disabling IBPB based on STIBP and enhanced
      IBRS.
    - x86/speculation: PR_SPEC_FORCE_DISABLE enforcement for indirect branches.
    - spi: dw: Fix controller unregister order
    - spi: No need to assign dummy value in spi_unregister_controller()
    - spi: Fix controller unregister order
    - spi: pxa2xx: Fix controller unregister order
    - spi: bcm2835: Fix controller unregister order
    - crypto: virtio: Fix use-after-free in virtio_crypto_skcipher_finalize_req()
    - crypto: virtio: Fix src/dst scatterlist calculation in
      __virtio_crypto_skcipher_do_req()
    - crypto: virtio: Fix dest length calculation in
      __virtio_crypto_skcipher_do_req()
    - selftests/net: in rxtimestamp getopt_long needs terminating null entry
    - ovl: initialize error in ovl_copy_xattr
    - proc: Use new_inode not new_inode_pseudo
    - video: fbdev: w100fb: Fix a potential double free.
    - KVM: nSVM: fix condition for filtering async PF
    - KVM: nSVM: leave ASID aside in copy_vmcb_control_area
    - KVM: nVMX: Consult only the "basic" exit reason when routing nested exit
    - KVM: MIPS: Define KVM_ENTRYHI_ASID to cpu_asid_mask(&boot_cpu_data)
    - KVM: MIPS: Fix VPN2_MASK definition for variable cpu_vmbits
    - KVM: arm64: Make vcpu_cp1x() work on Big Endian hosts
    - ath9k: Fix use-after-free Read in ath9k_wmi_ctrl_rx
    - ath9k: Fix use-after-free Write in ath9k_htc_rx_msg
    - ath9x: Fix stack-out-of-bounds Write in ath9k_hif_usb_rx_cb
    - ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb
    - Smack: slab-out-of-bounds in vsscanf
    - mm/slub: fix a memory leak in sysfs_slab_add()
    - fat: don't allow to mount if the FAT length == 0
    - perf: Add cond_resched() to task_function_call()
    - agp/intel: Reinforce the barrier after GTT updates
    - mmc: sdhci-msm: Clear tuning done flag while hs400 tuning
    - mmc: sdio: Fix potential NULL pointer error in mmc_sdio_init_card()
    - can: kvaser_usb: kvaser_usb_leaf: Fix some info-leaks to USB devices
    - xen/pvcalls-back: test for errors when calling backend_connect()
    - ACPI: GED: use correct trigger type field in _Exx / _Lxx handling
    - drm: bridge: adv7511: Extend list of audio sample rates
    - crypto: ccp -- don't "select" CONFIG_DMADEVICES
    - media: si2157: Better check for running tuner in init
    - objtool: Ignore empty alternatives
    - spi: pxa2xx: Apply CS clk quirk to BXT
    - net: ena: fix error returning in ena_com_get_hash_function()
    - spi: dw: Zero DMA Tx and Rx configurations on stack
    - ixgbe: Fix XDP redirect on archs with PAGE_SIZE above 4K
    - MIPS: Loongson: Build ATI Radeon GPU driver as module
    - Bluetooth: Add SCO fallback for invalid LMP parameters error
    - kgdb: Prevent infinite recursive entries to the debugger
    - spi: dw: Enable interrupts in accordance with DMA xfer mode
    - clocksource: dw_apb_timer: Make CPU-affiliation being optional
    - clocksource: dw_apb_timer_of: Fix missing clockevent timers
    - btrfs: do not ignore error from btrfs_next_leaf() when inserting checksums
    - ARM: 8978/1: mm: make act_mm() respect THREAD_SIZE
    - spi: dw: Fix Rx-only DMA transfers
    - x86/kvm/hyper-v: Explicitly align hcall param for kvm_hyperv_exit
    - net: vmxnet3: fix possible buffer overflow caused by bad DMA value in
      vmxnet3_get_rss()
    - staging: android: ion: use vmap instead of vm_map_ram
    - brcmfmac: fix wrong location to get firmware feature
    - tools api fs: Make xxx__mountpoint() more scalable
    - e1000: Distribute switch variables for initialization
    - dt-bindings: display: mediatek: control dpi pins mode to avoid leakage
    - audit: fix a net reference leak in audit_send_reply()
    - media: dvb: return -EREMOTEIO on i2c transfer failure.
    - media: platform: fcp: Set appropriate DMA parameters
    - MIPS: Make sparse_init() using top-down allocation
    - audit: fix a net reference leak in audit_list_rules_send()
    - netfilter: nft_nat: return EOPNOTSUPP if type or flags are not supported
    - net: bcmgenet: set Rx mode before starting netif
    - lib/mpi: Fix 64-bit MIPS build with Clang
    - exit: Move preemption fixup up, move blocking operations down
    - net: lpc-enet: fix error return code in lpc_mii_init()
    - media: cec: silence shift wrapping warning in __cec_s_log_addrs()
    - net: allwinner: Fix use correct return type for ndo_start_xmit()
    - powerpc/spufs: fix copy_to_user while atomic
    - Crypto/chcr: fix for ccm(aes) failed test
    - MIPS: Truncate link address into 32bit for 32bit kernel
    - mips: cm: Fix an invalid error code of INTVN_*_ERR
    - kgdb: Fix spurious true from in_dbg_master()
    - nvme: refine the Qemu Identify CNS quirk
    - wcn36xx: Fix error handling path in 'wcn36xx_probe()'
    - net: qed*: Reduce RX and TX default ring count when running inside kdump
      kernel
    - md: don't flush workqueue unconditionally in md_open
    - rtlwifi: Fix a double free in _rtl_usb_tx_urb_setup()
    - mwifiex: Fix memory corruption in dump_station
    - x86/boot: Correct relocation destination on old linkers
    - mips: MAAR: Use more precise address mask
    - mips: Add udelay lpj numbers adjustment
    - x86/mm: Stop printing BRK addresses
    - m68k: mac: Don't call via_flush_cache() on Mac IIfx
    - macvlan: Skip loopback packets in RX handler
    - PCI: Don't disable decoding when mmio_always_on is set
    - MIPS: Fix IRQ tracing when call handle_fpe() and handle_msa_fpe()
    - mmc: sdhci-msm: Set SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12 quirk
    - staging: greybus: sdio: Respect the cmd->busy_timeout from the mmc core
    - mmc: via-sdmmc: Respect the cmd->busy_timeout from the mmc core
    - ixgbe: fix signed-integer-overflow warning
    - mmc: sdhci-esdhc-imx: fix the mask for tuning start point
    - spi: dw: Return any value retrieved from the dma_transfer callback
    - cpuidle: Fix three reference count leaks
    - platform/x86: hp-wmi: Convert simple_strtoul() to kstrtou32()
    - string.h: fix incompatibility between FORTIFY_SOURCE and KASAN
    - btrfs: send: emit file capabilities after chown
    - mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked()
    - ima: Fix ima digest hash table key calculation
    - ima: Directly assign the ima_default_policy pointer to ima_rules
    - evm: Fix possible memory leak in evm_calc_hmac_or_hash()
    - ext4: fix EXT_MAX_EXTENT/INDEX to check for zeroed eh_max
    - ext4: fix error pointer dereference
    - ext4: fix race between ext4_sync_parent() and rename()
    - PCI: Add ACS quirk for iProc PAXB
    - PCI: Add ACS quirk for Ampere root ports
    - PCI: Make ACS quirk implementations more uniform
    - vga_switcheroo: Deduplicate power state tracking
    - vga_switcheroo: Use device link for HDA controller
    - PCI: Generalize multi-function power dependency device links
    - PCI: Add ACS quirk for Intel Root Complex Integrated Endpoints
    - PCI: Unify ACS quirk desired vs provided checking
    - btrfs: fix error handling when submitting direct I/O bio
    - btrfs: fix wrong file range cleanup after an error filling dealloc range
    - blk-mq: move _blk_mq_update_nr_hw_queues synchronize_rcu call
    - PCI: Program MPS for RCiEP devices
    - e1000e: Relax condition to trigger reset for ME workaround
    - carl9170: remove P2P_GO support
    - media: go7007: fix a miss of snd_card_free
    - b43legacy: Fix case where channel status is corrupted
    - b43: Fix connection problem with WPA3
    - b43_legacy: Fix connection problem with WPA3
    - media: ov5640: fix use of destroyed mutex
    - igb: Report speed and duplex as unknown when device is runtime suspended
    - power: vexpress: add suppress_bind_attrs to true
    - pinctrl: samsung: Save/restore eint_mask over suspend for EINT_TYPE GPIOs
    - sparc32: fix register window handling in genregs32_[gs]et()
    - sparc64: fix misuses of access_process_vm() in genregs32_[sg]et()
    - dm crypt: avoid truncating the logical block size
    - kernel/cpu_pm: Fix uninitted local in cpu_pm
    - ARM: tegra: Correct PL310 Auxiliary Control Register initialization
    - drivers/macintosh: Fix memleak in windfarm_pm112 driver
    - powerpc/64s: Don't let DT CPU features set FSCR_DSCR
    - powerpc/64s: Save FSCR to init_task.thread.fscr after feature init
    - kbuild: force to build vmlinux if CONFIG_MODVERSION=y
    - sunrpc: svcauth_gss_register_pseudoflavor must reject duplicate
      registrations.
    - sunrpc: clean up properly in gss_mech_unregister()
    - mtd: rawnand: brcmnand: fix hamming oob layout
    - mtd: rawnand: pasemi: Fix the probe error path
    - w1: omap-hdq: cleanup to add missing newline for some dev_dbg
    - perf probe: Do not show the skipped events
    - perf probe: Fix to check blacklist address correctly
    - perf symbols: Fix debuginfo search for Ubuntu
    - bridge: Avoid infinite loop when suppressing NS messages with invalid
      options
    - tun: correct header offsets in napi frags mode
    - Input: mms114 - fix handling of mms345l
    - x86/cpu/amd: Make erratum #1054 a legacy erratum
    - ALSA: usb-audio: Add vendor, product and profile name for HP Thunderbolt
      Dock
    - PM: runtime: clk: Fix clk_pm_runtime_get() error path
    - net: atlantic: make hw_get_regs optional
    - efi/libstub/x86: Work around LLVM ELF quirk build regression
    - mmc: meson-mx-sdio: trigger a soft reset after a timeout or CRC error
    - Bluetooth: btbcm: Add 2 missing models to subver tables
    - sched/core: Fix illegal RCU from offline CPUs
    - drivers/perf: hisi: Fix typo in events attribute array
    - xfs: reset buffer write failure state on successful completion
    - net/mlx5e: IPoIB, Drop multicast packets that this interface sent
    - crypto: stm32/crc32 - fix ext4 chksum BUG_ON()
    - crypto: stm32/crc32 - fix run-time self test issue.
    - crypto: stm32/crc32 - fix multi-instance
    - btrfs: qgroup: mark qgroup inconsistent if we're inherting snapshot to a new
      qgroup
    - bcache: fix refcount underflow in bcache_device_free()
    - PCI: Avoid Pericom USB controller OHCI/EHCI PME# defect
    - PCI: Remove unused NFP32xx IDs
    - PCI: add USR vendor id and use it in r8169 and w6692 driver
    - PCI: Move Rohm Vendor ID to generic list
    - misc: pci_endpoint_test: Add the layerscape EP device support
    - misc: pci_endpoint_test: Add support to test PCI EP in AM654x
    - x86/amd_nb: Add PCI device IDs for family 17h, model 70h
    - ALSA: lx6464es - add support for LX6464ESe pci express variant
    - PCI: Add Genesys Logic, Inc. Vendor ID
    - PCI: Add Amazon's Annapurna Labs vendor ID
    - x86/amd_nb: Add Family 19h PCI IDs
    - PCI: Add Loongson vendor ID
    - serial: 8250_pci: Move Pericom IDs to pci_ids.h
    - alpha: fix memory barriers so that they conform to the specification
    - perf probe: Check address correctness by map instead of _etext
  * Bionic update: upstream stable patchset 2020-06-12 (LP: #1883314)
    - libnvdimm: Fix endian conversion issues
    - spi: dw: use "smp_mb()" to avoid sending spi data error
    - s390/ftrace: save traced function caller
    - ARC: Fix ICCM & DCCM runtime size checks
    - ARC: [plat-eznps]: Restrict to CONFIG_ISA_ARCOMPACT
    - i2c: altera: Fix race between xfer_msg and isr thread
    - x86/mmiotrace: Use cpumask_available() for cpumask_var_t variables
    - net: bmac: Fix read of MAC address from ROM
    - net/ethernet/freescale: rework quiesce/activate for ucc_geth
    - net: ethernet: stmmac: Enable interface clocks on probe for IPQ806x
    - net: smsc911x: Fix runtime PM imbalance on error
    - HID: sony: Fix for broken buttons on DS3 USB dongles
    - HID: i2c-hid: add Schneider SCL142ALM to descriptor override
    - p54usb: add AirVasT USB stick device-id
    - mmc: fix compilation of user API
    - scsi: ufs: Release clock if DMA map fails
    - airo: Fix read overflows sending packets
    - devinet: fix memleak in inetdev_init()
    - l2tp: do not use inet_hash()/inet_unhash()
    - net: usb: qmi_wwan: add Telit LE910C1-EUX composition
    - NFC: st21nfca: add missed kfree_skb() in an error path
    - vsock: fix timeout in vsock_accept()
    - net: check untrusted gso_size at kernel entry
    - l2tp: add sk_family checks to l2tp_validate_socket
    - USB: serial: qcserial: add DW5816e QDL support
    - USB: serial: usb_wwan: do not resubmit rx urb on fatal errors
    - USB: serial: option: add Telit LE910C1-EUX compositions
    - usb: musb: start session in resume for host port
    - usb: musb: Fix runtime PM imbalance on error
    - vt: keyboard: avoid signed integer overflow in k_ascii
    - tty: hvc_console, fix crashes on parallel open/close
    - staging: rtl8712: Fix IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK
    - CDC-ACM: heed quirk also in error handling
    - nvmem: qfprom: remove incorrect write support
    - iio: vcnl4000: Fix i2c swapped word reading.
    - uprobes: ensure that uprobe->offset and ->ref_ctr_offset are properly
      aligned
    - drm/i915: fix port checks for MST support on gen >= 11
    - s390/mm: fix set_huge_pte_at() for empty ptes
  * Bionic update: upstream stable patchset 2020-06-11 (LP: #1883167)
    - ax25: fix setsockopt(SO_BINDTODEVICE)
    - net: ipip: fix wrong address family in init error path
    - net/mlx5: Add command entry handling completion
    - net: revert "net: get rid of an signed integer overflow in
      ip_idents_reserve()"
    - net sched: fix reporting the first-time use timestamp
    - r8152: support additional Microsoft Surface Ethernet Adapter variant
    - sctp: Start shutdown on association restart if in SHUTDOWN-SENT state and
      socket is closed
    - net/mlx5e: Update netdev txq on completions during closure
    - net: qrtr: Fix passing invalid reference to qrtr_local_enqueue()
    - net: sun: fix missing release regions in cas_init_one().
    - net/mlx4_core: fix a memory leak bug.
    - ARM: dts: rockchip: fix phy nodename for rk3228-evb
    - arm64: dts: rockchip: swap interrupts interrupt-names rk3399 gpu node
    - ARM: dts: rockchip: fix pinctrl sub nodename for spi in rk322x.dtsi
    - gpio: tegra: mask GPIO IRQs during IRQ shutdown
    - net: microchip: encx24j600: add missed kthread_stop
    - gfs2: move privileged user check to gfs2_quota_lock_check
    - cachefiles: Fix race between read_waiter and read_copier involving op->to_do
    - usb: gadget: legacy: fix redundant initialization warnings
    - net: freescale: select CONFIG_FIXED_PHY where needed
    - cifs: Fix null pointer check in cifs_read
    - samples: bpf: Fix build error
    - Input: usbtouchscreen - add support for BonXeon TP
    - Input: evdev - call input_flush_device() on release(), not flush()
    - Input: xpad - add custom init packet for Xbox One S controllers
    - Input: dlink-dir685-touchkeys - fix a typo in driver name
    - Input: i8042 - add ThinkPad S230u to i8042 reset list
    - Input: synaptics-rmi4 - really fix attn_data use-after-free
    - Input: synaptics-rmi4 - fix error return code in rmi_driver_probe()
    - ARM: 8843/1: use unified assembler in headers
    - ARM: uaccess: consolidate uaccess asm to asm/uaccess-asm.h
    - ARM: uaccess: integrate uaccess_save and uaccess_restore
    - ARM: uaccess: fix DACR mismatch with nested exceptions
    - gpio: exar: Fix bad handling for ida_simple_get error path
    - IB/qib: Call kobject_put() when kobject_init_and_add() fails
    - ARM: dts: imx6q-bx50v3: Add internal switch
    - ARM: dts/imx6q-bx50v3: Set display interface clock parents
    - ARM: dts: bcm2835-rpi-zero-w: Fix led polarity
    - mmc: block: Fix use-after-free issue for rpmb
    - RDMA/pvrdma: Fix missing pci disable in pvrdma_pci_probe()
    - ALSA: hwdep: fix a left shifting 1 by 31 UB bug
    - ALSA: usb-audio: mixer: volume quirk for ESS Technology Asus USB DAC
    - exec: Always set cap_ambient in cap_bprm_set_creds
    - ALSA: hda/realtek - Add new codec supported for ALC287
    - libceph: ignore pool overlay and cache logic on redirects
    - mm: remove VM_BUG_ON(PageSlab()) from page_mapcount()
    - fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info()
    - include/asm-generic/topology.h: guard cpumask_of_node() macro argument
    - iommu: Fix reference count leak in iommu_group_alloc.
    - parisc: Fix kernel panic in mem_init()
    - mac80211: mesh: fix discovery timer re-arming issue / crash
    - x86/dma: Fix max PFN arithmetic overflow on 32 bit systems
    - copy_xstate_to_kernel(): don't leave parts of destination uninitialized
    - xfrm: allow to accept packets with ipv6 NEXTHDR_HOP in xfrm_input
    - xfrm: call xfrm_output_gso when inner_protocol is set in xfrm_output
    - xfrm: fix a warning in xfrm_policy_insert_list
    - xfrm: fix a NULL-ptr deref in xfrm_local_error
    - xfrm: fix error in comment
    - vti4: eliminated some duplicate code.
    - ip_vti: receive ipip packet by calling ip_tunnel_rcv
    - netfilter: nft_reject_bridge: enable reject with bridge vlan
    - netfilter: ipset: Fix subcounter update skip
    - netfilter: nfnetlink_cthelper: unbreak userspace helper support
    - netfilter: nf_conntrack_pptp: prevent buffer overflows in debug code
    - esp6: get the right proto for transport mode in esp6_gso_encap
    - qlcnic: fix missing release in qlcnic_83xx_interrupt_test.
    - bonding: Fix reference count leak in bond_sysfs_slave_add.
    - netfilter: nf_conntrack_pptp: fix compilation warning with W=1 build
    - mm/vmalloc.c: don't dereference possible NULL pointer in __vunmap()
    - KVM: VMX: check for existence of secondary exec controls before accessing
    - dpaa_eth: fix usage as DSA master, try 3
    - net: dsa: mt7530: fix roaming from DSA user ports
    - net: inet_csk: Fix so_reuseport bind-address cache in tb->fast*
    - sctp: Don't add the shutdown timer if its already been added
    - arm64: dts: rockchip: fix status for &gmac2phy in rk3328-evb.dts
    - ARM: dts: rockchip: swap clock-names of gpu nodes
    - IB/i40iw: Remove bogus call to netdev_master_upper_dev_get()
    - riscv: stacktrace: Fix undefined reference to `walk_stackframe'
    - ARM: 8970/1: decompressor: increase tag size
    - ARM: dts: bcm: HR2: Fix PPI interrupt types
    - ALSA: hda/realtek - Add a model for Thinkpad T570 without DAC workaround
    - ALSA: usb-audio: Quirks for Gigabyte TRX40 Aorus Master onboard audio
    - IB/ipoib: Fix double free of skb in case of multicast traffic in CM mode
    - bnxt_en: Fix accumulation of bp->net_stats_prev.
  * apparmor reference leak causes refcount_t overflow with af_alg_accept()
    (LP: #1883962)
    - apparmor: check/put label on apparmor_sk_clone_security()
  * Freezing on boot since kernel 4.15.0-72-generic release (LP: #1856387)
    - x86/timer: Don't skip PIT setup when APIC is disabled or in legacy mode
  * smpboot: don't call topology_sane() when Sub-NUMA-Clustering is enabled
    (LP: #1882478)
    - x86, sched: Allow topologies where NUMA nodes share an LLC

 -- Ian May <ian.may@xxxxxxxxxxxxx>  Tue, 11 Aug 2020 19:51:24 -0500

** Changed in: linux-aws (Ubuntu Bionic)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1864669

Title:
  overlayfs regression - internal getxattr operations without sepolicy
  checking

Status in linux-aws package in Ubuntu:
  Confirmed
Status in linux-azure package in Ubuntu:
  Fix Released
Status in linux-azure-4.15 package in Ubuntu:
  Invalid
Status in linux-aws source package in Xenial:
  Invalid
Status in linux-azure source package in Xenial:
  Fix Released
Status in linux-azure-4.15 source package in Xenial:
  Invalid
Status in linux-aws source package in Bionic:
  Fix Released
Status in linux-azure source package in Bionic:
  Fix Committed
Status in linux-azure-4.15 source package in Bionic:
  Fix Released
Status in linux-aws source package in Eoan:
  Fix Committed
Status in linux-azure source package in Eoan:
  Fix Released
Status in linux-azure-4.15 source package in Eoan:
  Invalid
Status in linux-aws source package in Focal:
  Fix Released
Status in linux-azure source package in Focal:
  Fix Released
Status in linux-azure-4.15 source package in Focal:
  Invalid

Bug description:
  Bug description and repro:

  Run the following commands on host instances:

  Prepare the overlayfs directories:
  $ cd /tmp
  $ mkdir -p base/dir1/dir2 upper olwork merged
  $ touch base/dir1/dir2/file
  $ chown -R 100000:100000 base upper olwork merged

  Verify that the directory is owned by user 100000:
  $ ls -al merged/ 
  total 8
  drwxr-xr-x  2 100000 100000 4096 Nov  1 07:08 .
  drwxrwxrwt 16 root   root   4096 Nov  1 07:08 ..

  We use lxc-usernsexec to start a new shell as user 100000.
  $ lxc-usernsexec -m b:0:100000:1 -- /bin/bash
  $$ ls -al merged/
  total 8
  drwxr-xr-x  2 root   root    4096 Nov  1 07:08 .
  drwxrwxrwt 16 nobody nogroup 4096 Nov  1 07:08 ..

  Notice that the ownership of . and .. has changed because the new shell is running as the remapped user.
  Now, mount the overlayfs as an unprivileged user in the new shell. This is the key to trigger the bug.
  $$ mount -t overlay -o lowerdir=base,upperdir=upper,workdir=olwork none merged
  $$ ls -al merged/dir1/dir2/file 
  -rw-r--r-- 1 root root 0 Nov  1 07:09 merged/dir1/dir2/file

  We can see the file in the base layer from the mount directory. Now trigger the bug:
  $$ rm -rf merged/dir1/dir2/
  $$ mkdir merged/dir1/dir2
  $$ ls -al merged/dir1/dir2
  total 12
  drwxr-xr-x 2 root root 4096 Nov  1 07:10 .
  drwxr-xr-x 1 root root 4096 Nov  1 07:10 ..

  File does not show up in the newly created dir2 as expected. But it will reappear after we remount the filesystem (or any other means that might evict the cached dentry, such as attempt to delete the parent directory):
  $$ umount merged
  $$ mount -t overlay -o lowerdir=base,upperdir=upper,workdir=olwork none merged
  $$ ls -al merged/dir1/dir2
  total 12
  drwxr-xr-x 1 root root 4096 Nov  1 07:10 .
  drwxr-xr-x 1 root root 4096 Nov  1 07:10 ..
  -rw-r--r-- 1 root root    0 Nov  1 07:09 file
  $$ exit
  $

  This is a recent kernel regression. I tried the above step on an old
  kernel (4.4.0-1072-aws) but cannot reproduce.


  I looked up linux source code and figured out where the "regression" is coming from. The issue lies in how overlayfs checks the "opaque" flag from the underlying upper-level filesystem. It checks the "trusted.overlay.opaque" extended attribute to decide whether to hide the directory content from the lower level. The logic are different in 4.4 and 4.15 kernel.
  In 4.4: https://elixir.bootlin.com/linux/v4.4/source/fs/overlayfs/super.c#L255
  static bool ovl_is_opaquedir(struct dentry *dentry)
  {
  	int res;
  	char val;
  	struct inode *inode = dentry->d_inode;

  	if (!S_ISDIR(inode->i_mode) || !inode->i_op->getxattr)
  		return false;

  	res = inode->i_op->getxattr(dentry, OVL_XATTR_OPAQUE, &val, 1);
  	if (res == 1 && val == 'y')
  		return true;

  	return false;
  }

  In 4.15: https://elixir.bootlin.com/linux/v4.15/source/fs/overlayfs/util.c#L349
  static bool ovl_is_opaquedir(struct dentry *dentry)
  {
  	return ovl_check_dir_xattr(dentry, OVL_XATTR_OPAQUE);
  }

  bool ovl_check_dir_xattr(struct dentry *dentry, const char *name)
  {
  	int res;
  	char val;

  	if (!d_is_dir(dentry))
  		return false;

  	res = vfs_getxattr(dentry, name, &val, 1);
  	if (res == 1 && val == 'y')
  		return true;

  	return false;
  }

  The 4.4 version simply uses the internal i_node callback inode->i_op->getxattr from the host filesystem, which doesn't perform any permission check. While the 4.15 version calls the VFS interface vfs_getxattr that performs bunch of permission checks before the calling the internal insecure callback __vfs_getxattr:
  See https://elixir.bootlin.com/linux/v4.15/source/fs/xattr.c#L317
  ssize_t
  vfs_getxattr(struct dentry *dentry, const char *name, void *value, size_t size)
  {
  	struct inode *inode = dentry->d_inode;
  	int error;

  	error = xattr_permission(inode, name, MAY_READ);
  	if (error)
  		return error;

  	error = security_inode_getxattr(dentry, name);
  	if (error)
  		return error;

  	if (!strncmp(name, XATTR_SECURITY_PREFIX,
  				XATTR_SECURITY_PREFIX_LEN)) {
  		const char *suffix = name + XATTR_SECURITY_PREFIX_LEN;
  		int ret = xattr_getsecurity(inode, suffix, value, size);
  		/*
  		 * Only overwrite the return value if a security module
  		 * is actually active.
  		 */
  		if (ret == -EOPNOTSUPP)
  			goto nolsm;
  		return ret;
  	}
  nolsm:
  	return __vfs_getxattr(dentry, inode, name, value, size);
  }

  In 4.15, ovl_is_opaquedir is called by the following caller:
  ovl_is_opaquedir <-
  ovl_lookup_single() <-
  ovl_lookup_layer <-
  ovl_lookup,
  ovl_lookup is the entry point for directory listing in overlayfs. Importantly, it assumes the filesystem mounter's credential to perform all internal lookup operations:
  struct dentry *ovl_lookup(struct inode *dir, struct dentry *dentry,
  			  unsigned int flags)
  {
     old_cred = ovl_override_creds(dentry->d_sb);
     // perform lookups
     // ....
     revert_creds(old_cred);   
  }

  The "credential switching" logic also does not exist in the 4.4 kernel: https://elixir.bootlin.com/linux/v4.4/source/fs/overlayfs/super.c#L397
  That means, on 4.15, overlayfs uses the file system mounter's credential to fetch the "trusted.overlay.opaque" xattr from the underlying filesystem. This can fail the permission check if the overlayfs is mounted by a remapped user, who doesn't have CAP_SYS_ADMIN capability
  See https://elixir.bootlin.com/linux/v4.15/source/fs/xattr.c#L115:
  static int xattr_permission(struct inode *inode, const char *name, int mask)
  {
   ....
    	/*
  	 * The trusted.* namespace can only be accessed by privileged users.
  	 */
  	if (!strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN)) {
  		if (!capable(CAP_SYS_ADMIN))
  			return (mask & MAY_WRITE) ? -EPERM : -ENODATA;
  		return 0;
  	}
  ....
  }

  When this call fails, overlayfs assumes the upper directory is not
  "opaque" and combines the content from the lower directory in the
  result.

  
  There's a proposed patch to fix this issue: https://lkml.org/lkml/2019/7/30/787
  The patch calls the insecure __vfs_getxattr to fetch the opaque flag so that it can bypass the permission check even if the other lookup operation is done under the mounter's credential.
  However, the patch hasn't been merged to the upstream linux kernel as of today (see https://elixir.bootlin.com/linux/v5.4-rc5/source/fs/overlayfs/util.c#L551).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-aws/+bug/1864669/+subscriptions