kernel-packages team mailing list archive

[Bug 1538756] Re: Trusty update to v3.13.11-ckt33 stable release

 

This bug was fixed in the package linux - 3.13.0-79.123

---------------
linux (3.13.0-79.123) trusty; urgency=low

  [ Seth Forshee ]

  * SAUCE: cred: Add clone_cred() interface
    - LP: #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Use mounter's credentials instead of full kernel
    credentials
    - LP: #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.*
    xattrs
    - LP: #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Be more careful about copying up sxid files
    - LP: #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Propogate nosuid from lower and upper mounts
    - LP: #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576

linux (3.13.0-78.122) trusty; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1540559

  [ Eric Dumazet ]

  * SAUCE: (no-up) udp: properly support MSG_PEEK with truncated buffers
    - LP: #1527902

  [ J. R. Okajima ]

  * SAUCE: ubuntu: aufs: tiny, extract a new func xino_fwrite_wkq()
    - LP: #1533043
  * SAUCE: ubuntu: aufs: for 4.3, XINO handles EINTR from the dying process
    - LP: #1533043

  [ Upstream Kernel Changes ]

  * Revert "[stable-only] net: add length argument to
    skb_copy_and_csum_datagram_iovec"
    - LP: #1538756
  * unregister_netdevice : move RTM_DELLINK to until after ndo_uninit
    - LP: #1525324
  * rtnetlink: delay RTM_DELLINK notification until after ndo_uninit()
    - LP: #1525324
  * Drivers: hv: Eliminate the channel spinlock in the callback path
    - LP: #1519897
  * Drivers: hv: vmbus: Implement per-CPU mapping of relid to channel
    - LP: #1519897
  * Drivers: hv: vmbus: Suport an API to send pagebuffers with additional
    control
    - LP: #1519897
  * Drivers: hv: vmbus: Suport an API to send packet with additional
    control
    - LP: #1519897
  * Drivers: hv: vmbus: Export the vmbus_sendpacket_pagebuffer_ctl()
    - LP: #1519897
  * Drivers: hv: vmbus: Fix a siganlling host signalling issue
    - LP: #1519897
  * Drivers: hv: vmbus: Fix a Host signaling bug
    - LP: #1519897
  * ARC: Fix silly typo in MAINTAINERS file
    - LP: #1538756
  * ip6mr: call del_timer_sync() in ip6mr_free_table()
    - LP: #1538756
  * gre6: allow to update all parameters via rtnl
    - LP: #1538756
  * atl1c: Improve driver not to do order 4 GFP_ATOMIC allocation
    - LP: #1538756
  * sctp: use the same clock as if sock source timestamps were on
    - LP: #1538756
  * sctp: update the netstamp_needed counter when copying sockets
    - LP: #1538756
  * ipv6: sctp: clone options to avoid use after free
    - LP: #1538756
  * net: add validation for the socket syscall protocol argument
    - LP: #1538756
  * sh_eth: fix kernel oops in skb_put()
    - LP: #1538756
  * pptp: verify sockaddr_len in pptp_bind() and pptp_connect()
    - LP: #1538756
  * bluetooth: Validate socket address length in sco_sock_bind().
    - LP: #1538756
  * af_unix: Revert 'lock_interruptible' in stream receive code
    - LP: #1538756
  * KEYS: Fix race between read and revoke
    - LP: #1538756
  * tools: Add a "make all" rule
    - LP: #1538756
  * efi: Disable interrupts around EFI calls, not in the epilog/prolog
    calls
    - LP: #1538756
  * net: ipmr: fix static mfc/dev leaks on table destruction
    - LP: #1538756
  * fuse: break infinite loop in fuse_fill_write_pages()
    - LP: #1538756
  * usb: gadget: pxa27x: fix suspend callback
    - LP: #1538756
  * iio: fix some warning messages
    - LP: #1538756
  * USB: cp210x: Remove CP2110 ID from compatibility list
    - LP: #1538756
  * USB: cdc_acm: Ignore Infineon Flash Loader utility
    - LP: #1538756
  * USB: serial: Another Infineon flash loader USB ID
    - LP: #1538756
  * ext4: Fix handling of extended tv_sec
    - LP: #1538756
  * jbd2: Fix unreclaimed pages after truncate in data=journal mode
    - LP: #1538756
  * drm/ttm: Fixed a read/write lock imbalance
    - LP: #1538756
  * i2c: mv64xxx: The n clockdiv factor is 0 based on sunxi SoCs
    - LP: #1538756
  * AHCI: Fix softreset failed issue of Port Multiplier
    - LP: #1538756
  * sata_sil: disable trim
    - LP: #1538756
  * staging: lustre: echo_copy.._lsm() dereferences userland pointers
    directly
    - LP: #1538756
  * irqchip/versatile-fpga: Fix PCI IRQ mapping on Versatile PB
    - LP: #1538756
  * usb: core : hub: Fix BOS 'NULL pointer' kernel panic
    - LP: #1538756
  * USB: whci-hcd: add check for dma mapping error
    - LP: #1538756
  * usb: Use the USB_SS_MULT() macro to decode burst multiplier for log
    message
    - LP: #1538756
  * dm btree: fix leak of bufio-backed block in btree_split_sibling error
    path
    - LP: #1538756
  * SCSI: Fix NULL pointer dereference in runtime PM
    - LP: #1538756
  * usb: xhci: fix config fail of FS hub behind a HS hub with MTT
    - LP: #1538756
  * ALSA: rme96: Fix unexpected volume reset after rate changes
    - LP: #1538756
  * ALSA: hda - Add inverted dmic for Packard Bell DOTS
    - LP: #1523232, #1538756
  * virtio: fix memory leak of virtio ida cache layers
    - LP: #1538756
  * 9p: ->evict_inode() should kick out ->i_data, not ->i_mapping
    - LP: #1538756
  * radeon/cik: Fix GFX IB test on Big-Endian
    - LP: #1538756
  * crypto: skcipher - Copy iv from desc even for 0-len walks
    - LP: #1538756
  * dm thin metadata: fix bug when taking a metadata snapshot
    - LP: #1538756
  * dm space map metadata: fix ref counting bug when bootstrapping a new
    space map
    - LP: #1538756
  * ipmi: move timer init to before irq is setup
    - LP: #1538756
  * KVM: PPC: Book3S HV: Prohibit setting illegal transaction state in MSR
    - LP: #1538756
  * rfkill: copy the name into the rfkill struct
    - LP: #1538756
  * dm btree: fix bufio buffer leaks in dm_btree_del() error path
    - LP: #1538756
  * ses: Fix problems with simple enclosures
    - LP: #1538756
  * vgaarb: fix signal handling in vga_get()
    - LP: #1538756
  * ses: fix additional element traversal bug
    - LP: #1538756
  * xhci: fix usb2 resume timing and races.
    - LP: #1538756
  * USB: add quirk for devices with broken LPM
    - LP: #1538756
  * powercap / RAPL: fix BIOS lock check
    - LP: #1538756
  * parisc iommu: fix panic due to trying to allocate too large region
    - LP: #1538756
  * mm, vmstat: allow WQ concurrency to discover memory reclaim doesn't
    make any progress
    - LP: #1538756
  * mm: hugetlb: call huge_pte_alloc() only if ptep is null
    - LP: #1538756
  * drivers/base/memory.c: prohibit offlining of memory blocks with missing
    sections
    - LP: #1538756
  * sh64: fix __NR_fgetxattr
    - LP: #1538756
  * n_tty: Fix poll() after buffer-limited eof push read
    - LP: #1538756
  * tty: Fix GPF in flush_to_ldisc()
    - LP: #1538756
  * genirq: Prevent chip buslock deadlock
    - LP: #1538756
  * ALSA: usb-audio: Add a more accurate volume quirk for AudioQuest
    DragonFly
    - LP: #1538756
  * ARM: 8471/1: need to save/restore arm register(r11) when it is
    corrupted
    - LP: #1538756
  * spi: fix parent-device reference leak
    - LP: #1538756
  * scripts: recordmcount: break hardlinks
    - LP: #1538756
  * ftrace/scripts: Have recordmcount copy the object file
    - LP: #1538756
  * ARC: dw2 unwind: Reinstante unwinding out of modules
    - LP: #1538756
  * ARC: dw2 unwind: Ignore CIE version !=1 gracefully instead of bailing
    - LP: #1538756
  * ALSA: hda - Set SKL+ hda controller power at freeze() and thaw()
    - LP: #1538756
  * s390/dis: Fix handling of format specifiers
    - LP: #1538756
  * USB: ipaq.c: fix a timeout loop
    - LP: #1538756
  * USB: fix invalid memory access in hub_activate()
    - LP: #1538756
  * x86/mce: Ensure offline CPUs don't participate in rendezvous process
    - LP: #1538756
  * parisc: Fix syscall restarts
    - LP: #1538756
  * ALSA: hda/realtek - Fix silent headphone output on MacPro 4,1 (v2)
    - LP: #1538756
  * ASoC: arizona: Fix bclk for sample rates that are multiple of 4kHz
    - LP: #1538756
  * mm/memory_hotplug.c: check for missing sections in
    test_pages_in_a_zone()
    - LP: #1538756
  * ftrace/scripts: Fix incorrect use of sprintf in recordmcount
    - LP: #1538756
  * tracing: Fix setting of start_index in find_next()
    - LP: #1538756
  * async_tx: use GFP_NOWAIT rather than GFP_IO
    - LP: #1538756
  * dts: vt8500: Add SDHC node to DTS file for WM8650
    - LP: #1538756
  * ftrace/module: Call clean up function when module init fails early
    - LP: #1538756
  * vmstat: allocate vmstat_wq before it is used
    - LP: #1538756
  * firmware: dmi_scan: Fix UUID endianness for SMBIOS >= 2.6
    - LP: #1538756
  * kvm: x86: only channel 0 of the i8254 is linked to the HPET
    - LP: #1538756
  * ipv6/addrlabel: fix ip6addrlbl_get()
    - LP: #1538756
  * net: fix warnings in 'make htmldocs' by moving macro definition out of
    field declaration
    - LP: #1538756
  * ser_gigaset: fix deallocation of platform device structure
    - LP: #1538756
  * pinctrl: bcm2835: Fix initial value for direction_output
    - LP: #1538756
  * mISDN: fix a loop count
    - LP: #1538756
  * sh_eth: fix TX buffer byte-swapping
    - LP: #1538756
  * qlcnic: fix a timeout loop
    - LP: #1538756
  * net: phy: mdio-mux: Check return value of mdiobus_alloc()
    - LP: #1538756
  * include/linux/mmdebug.h: should include linux/bug.h
    - LP: #1538756
  * net: possible use after free in dst_release
    - LP: #1538756
  * Linux 3.13.11-ckt33
    - LP: #1538756
  * xfrm: dst_entries_init() per-net dst_ops
    - LP: #1486670

 -- Luis Henriques <luis.henriques@xxxxxxxxxxxxx>  Fri, 19 Feb 2016 13:14:25 +0000

** Changed in: linux (Ubuntu Trusty)
       Status: Fix Committed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-1575

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-1576

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1538756

Title:
  Trusty update to v3.13.11-ckt33 stable release

Status in linux package in Ubuntu:
  New
Status in linux source package in Trusty:
  Fix Released

Bug description:
  SRU Justification

      Impact:
         The upstream process for stable tree updates is quite similar
         in scope to the Ubuntu SRU process, e.g., each patch has to
         demonstrably fix a bug, and each patch is vetted by upstream
         by originating either directly from a mainline/stable Linux tree or
         a minimally backported form of that patch. The v3.13.11-ckt33 upstream stable
         patch set is now available. It should be included in the Ubuntu
         kernel as well.

         git://kernel.ubuntu.com/ubuntu/linux.git

      TEST CASE: TBD

         The following patches from the v3.13.11-ckt33 stable release
         shall be applied:

  Linux 3.13.11-ckt33
  Revert "[stable-only] net: add length argument to skb_copy_and_csum_datagram_iovec"
  net: possible use after free in dst_release
  include/linux/mmdebug.h: should include linux/bug.h
  net: phy: mdio-mux: Check return value of mdiobus_alloc()
  qlcnic: fix a timeout loop
  sh_eth: fix TX buffer byte-swapping
  mISDN: fix a loop count
  pinctrl: bcm2835: Fix initial value for direction_output
  ser_gigaset: fix deallocation of platform device structure
  net: fix warnings in 'make htmldocs' by moving macro definition out of field declaration
  ipv6/addrlabel: fix ip6addrlbl_get()
  kvm: x86: only channel 0 of the i8254 is linked to the HPET
  firmware: dmi_scan: Fix UUID endianness for SMBIOS >= 2.6
  vmstat: allocate vmstat_wq before it is used
  ftrace/module: Call clean up function when module init fails early
  dts: vt8500: Add SDHC node to DTS file for WM8650
  async_tx: use GFP_NOWAIT rather than GFP_IO
  tracing: Fix setting of start_index in find_next()
  ftrace/scripts: Fix incorrect use of sprintf in recordmcount
  mm/memory_hotplug.c: check for missing sections in test_pages_in_a_zone()
  ASoC: arizona: Fix bclk for sample rates that are multiple of 4kHz
  ALSA: hda/realtek - Fix silent headphone output on MacPro 4,1 (v2)
  parisc: Fix syscall restarts
  x86/mce: Ensure offline CPUs don't participate in rendezvous process
  USB: fix invalid memory access in hub_activate()
  USB: ipaq.c: fix a timeout loop
  s390/dis: Fix handling of format specifiers
  ALSA: hda - Set SKL+ hda controller power at freeze() and thaw()
  ARC: dw2 unwind: Ignore CIE version !=1 gracefully instead of bailing
  ARC: dw2 unwind: Reinstante unwinding out of modules
  ftrace/scripts: Have recordmcount copy the object file
  scripts: recordmcount: break hardlinks
  spi: fix parent-device reference leak
  ARM: 8471/1: need to save/restore arm register(r11) when it is corrupted
  ALSA: usb-audio: Add a more accurate volume quirk for AudioQuest DragonFly
  genirq: Prevent chip buslock deadlock
  tty: Fix GPF in flush_to_ldisc()
  n_tty: Fix poll() after buffer-limited eof push read
  sh64: fix __NR_fgetxattr
  drivers/base/memory.c: prohibit offlining of memory blocks with missing sections
  mm: hugetlb: call huge_pte_alloc() only if ptep is null
  mm, vmstat: allow WQ concurrency to discover memory reclaim doesn't make any progress
  parisc iommu: fix panic due to trying to allocate too large region
  powercap / RAPL: fix BIOS lock check
  USB: add quirk for devices with broken LPM
  xhci: fix usb2 resume timing and races.
  ses: fix additional element traversal bug
  vgaarb: fix signal handling in vga_get()
  ses: Fix problems with simple enclosures
  dm btree: fix bufio buffer leaks in dm_btree_del() error path
  rfkill: copy the name into the rfkill struct
  KVM: PPC: Book3S HV: Prohibit setting illegal transaction state in MSR
  ipmi: move timer init to before irq is setup
  dm space map metadata: fix ref counting bug when bootstrapping a new space map
  dm thin metadata: fix bug when taking a metadata snapshot
  crypto: skcipher - Copy iv from desc even for 0-len walks
  radeon/cik: Fix GFX IB test on Big-Endian
  9p: ->evict_inode() should kick out ->i_data, not ->i_mapping
  virtio: fix memory leak of virtio ida cache layers
  ALSA: hda - Add inverted dmic for Packard Bell DOTS
  ALSA: rme96: Fix unexpected volume reset after rate changes
  usb: xhci: fix config fail of FS hub behind a HS hub with MTT
  SCSI: Fix NULL pointer dereference in runtime PM
  dm btree: fix leak of bufio-backed block in btree_split_sibling error path
  usb: Use the USB_SS_MULT() macro to decode burst multiplier for log message
  USB: whci-hcd: add check for dma mapping error
  usb: core : hub: Fix BOS 'NULL pointer' kernel panic
  irqchip/versatile-fpga: Fix PCI IRQ mapping on Versatile PB
  staging: lustre: echo_copy.._lsm() dereferences userland pointers directly
  sata_sil: disable trim
  AHCI: Fix softreset failed issue of Port Multiplier
  i2c: mv64xxx: The n clockdiv factor is 0 based on sunxi SoCs
  drm/ttm: Fixed a read/write lock imbalance
  jbd2: Fix unreclaimed pages after truncate in data=journal mode
  ext4: Fix handling of extended tv_sec
  USB: serial: Another Infineon flash loader USB ID
  USB: cdc_acm: Ignore Infineon Flash Loader utility
  USB: cp210x: Remove CP2110 ID from compatibility list
  iio: fix some warning messages
  usb: gadget: pxa27x: fix suspend callback
  fuse: break infinite loop in fuse_fill_write_pages()
  net: ipmr: fix static mfc/dev leaks on table destruction
  efi: Disable interrupts around EFI calls, not in the epilog/prolog calls
  tools: Add a "make all" rule
  KEYS: Fix race between read and revoke
  af_unix: Revert 'lock_interruptible' in stream receive code
  bluetooth: Validate socket address length in sco_sock_bind().
  pptp: verify sockaddr_len in pptp_bind() and pptp_connect()
  sh_eth: fix kernel oops in skb_put()
  net: add validation for the socket syscall protocol argument
  ipv6: sctp: clone options to avoid use after free
  sctp: update the netstamp_needed counter when copying sockets
  sctp: use the same clock as if sock source timestamps were on
  atl1c: Improve driver not to do order 4 GFP_ATOMIC allocation
  gre6: allow to update all parameters via rtnl
  ip6mr: call del_timer_sync() in ip6mr_free_table()
  ARC: Fix silly typo in MAINTAINERS file

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1538756/+subscriptions

