This bug was fixed in the package linux - 4.15.0-191.202
---------------
linux (4.15.0-191.202) bionic; urgency=medium
* CVE-2022-2586
- SAUCE: netfilter: nf_tables: do not allow SET_ID to refer to another table
- SAUCE: netfilter: nf_tables: do not allow RULE_ID to refer to another
chain
* CVE-2022-2588
- SAUCE: net_sched: cls_route: remove from list when handle is 0
* CVE-2022-34918
- netfilter: nf_tables: stricter validation of element data
* BUG: kernel NULL pointer dereference, address: 0000000000000008
(LP: #1981658)
- tcp: make sure treq->af_specific is initialized
linux (4.15.0-190.201) bionic; urgency=medium
* bionic/linux: 4.15.0-190.201 -proposed tracker (LP: #1981321)
* CVE-2022-1679
- SAUCE: ath9k: fix use-after-free in ath9k_hif_usb_rx_cb
* Bionic update: upstream stable patchset 2022-07-06 (LP: #1980879)
- MIPS: Use address-of operator on section symbols
- block: drbd: drbd_nl: Make conversion to 'enum drbd_ret_code' explicit
- can: grcan: grcan_probe(): fix broken system id check for errata
workaround
needs
- can: grcan: only use the NAPI poll budget for RX
- Bluetooth: Fix the creation of hdev->name
- mmc: rtsx: add 74 Clocks in power on flow
- mm: hugetlb: fix missing cache flush in copy_huge_page_from_user()
- mm: userfaultfd: fix missing cache flush in mcopy_atomic_pte() and
__mcopy_atomic()
- ALSA: pcm: Fix races among concurrent hw_params and hw_free calls
- ALSA: pcm: Fix races among concurrent read/write and buffer changes
- ALSA: pcm: Fix races among concurrent prepare and hw_params/hw_free calls
- ALSA: pcm: Fix races among concurrent prealloc proc writes
- ALSA: pcm: Fix potential AB/BA lock with buffer_mutex and mmap_lock
- VFS: Fix memory leak caused by concurrently mounting fs with subtype
- batman-adv: Don't skb_split skbuffs with frag_list
- net: Fix features skip in for_each_netdev_feature()
- ipv4: drop dst in multicast routing path
- netlink: do not reset transport header in netlink_recvmsg()
- mac80211_hwsim: call ieee80211_tx_prepare_skb under RCU protection
- hwmon: (ltq-cputemp) restrict it to SOC_XWAY
- s390/ctcm: fix variable dereferenced before check
- s390/ctcm: fix potential memory leak
- s390/lcs: fix variable dereferenced before check
- net/smc: non blocking recvmsg() return -EAGAIN when no data and
signal_pending
- net: sfc: ef10: fix memory leak in efx_ef10_mtd_probe()
- hwmon: (f71882fg) Fix negative temperature
- ASoC: max98090: Reject invalid values in custom control put()
- ASoC: max98090: Generate notifications on changes for custom control
- ASoC: ops: Validate input values in snd_soc_put_volsw_range()
- tcp: resalt the secret every 10 seconds
- usb: cdc-wdm: fix reading stuck on device close
- USB: serial: pl2303: add device id for HP LM930 Display
- USB: serial: qcserial: add support for Sierra Wireless EM7590
- USB: serial: option: add Fibocom L610 modem
- USB: serial: option: add Fibocom MA510 modem
- cgroup/cpuset: Remove cpus_allowed/mems_allowed setup in cpuset_init_smp()
- drm/vmwgfx: Initialize drm_mode_fb_cmd2
- ping: fix address binding wrt vrf
- tty/serial: digicolor: fix possible null-ptr-deref in
digicolor_uart_probe()
- net/sched: act_pedit: really ensure the skb is writable
- um: Cleanup syscall_handler_t definition/cast, fix warning
- Input: add bounds checking to input_set_capability()
- Input: stmfts - fix reference leak in stmfts_input_open
- MIPS: lantiq: check the return value of kzalloc()
- drbd: remove usage of list iterator variable after loop
- ARM: 9191/1: arm/stacktrace, kasan: Silence KASAN warnings in
unwind_frame()
- ALSA: wavefront: Proper check of get_user() error
- perf: Fix sys_perf_event_open() race against self
- drm/dp/mst: fix a possible memory leak in fetch_monitor_name()
- mmc: core: Specify timeouts for BKOPS and CACHE_FLUSH for eMMC
- mmc: block: Use generic_cmd6_time when modifying INAND_CMD38_ARG_EXT_CSD
- mmc: core: Default to generic_cmd6_time as timeout in __mmc_switch()
- net: vmxnet3: fix possible use-after-free bugs in
vmxnet3_rq_alloc_rx_buf()
- net: vmxnet3: fix possible NULL pointer dereference in
vmxnet3_rq_cleanup()
- clk: at91: generated: consider range when calculating best rate
- net/qla3xxx: Fix a test in ql_reset_work()
- NFC: nci: fix sleep in atomic context bugs caused by nci_skb_alloc
- ARM: 9196/1: spectre-bhb: enable for Cortex-A15
- ARM: 9197/1: spectre-bhb: fix loop8 sequence for Thumb2
- igb: skip phy status check where unavailable
- net: bridge: Clear offload_fwd_mark when passing frame up bridge
interface.
- gpio: gpio-vf610: do not touch other bits when set the target bit
- gpio: mvebu/pwm: Refuse requests with inverted polarity
- perf bench numa: Address compiler error on s390
- scsi: qla2xxx: Fix missed DMA unmap for aborted commands
- mac80211: fix rx reordering with non explicit / psmp ack policy
- ethernet: tulip: fix missing pci_disable_device() on error in
tulip_init_one()
- net: stmmac: fix missing pci_disable_device() on error in
stmmac_pci_probe()
- net: atlantic: verify hw_head_ lies within TX buffer ring
- swiotlb: fix info leak with DMA_FROM_DEVICE
- Reinstate some of "swiotlb: rework "fix info leak with DMA_FROM_DEVICE""
- net: macb: Increment rx bd head after allocating skb and buffer
- net/sched: act_pedit: sanitize shift argument before usage
- afs: Fix afs_getattr() to refetch file status if callback break occurred
- x86/pci/xen: Disable PCI/MSI[-X] masking for XEN_HVM guests
- staging: rtl8723bs: prevent ->Ssid overflow in rtw_wx_set_scan()
- tcp: change source port randomizarion at connect() time
- secure_seq: use the 64 bits of the siphash for port offset calculation
- ACPI: sysfs: Make sparse happy about address space in use
- Revert "UBUNTU: SAUCE: ACPI: sysfs: copy ACPI data using io memory
copying"
- ACPI: sysfs: Fix BERT error region memory mapping
- net: af_key: check encryption module availability consistency
- net: ftgmac100: Disable hardware checksum on AST2600
- drivers: i2c: thunderx: Allow driver to work with ACPI defined TWSI
controllers
- assoc_array: Fix BUG_ON during garbage collect
- drm/i915: Fix -Wstringop-overflow warning in call to
intel_read_wm_latency()
- block-map: add __GFP_ZERO flag for alloc_page in function bio_copy_kern
- exec: Force single empty string when argv is empty
- netfilter: conntrack: re-fetch conntrack after insertion
- zsmalloc: fix races between asynchronous zspage free and page migration
- dm integrity: fix error code in dm_integrity_ctr()
- dm crypt: make printing of the key constant-time
- dm stats: add cond_resched when looping over entries
- dm verity: set DM_TARGET_IMMUTABLE feature flag
- tpm: ibmvtpm: Correct the return value in tpm_ibmvtpm_probe()
- docs: submitting-patches: Fix crossref to 'The canonical patch format'
- NFSD: Fix possible sleep during nfsd4_release_lockowner()
- bpf: Enlarge offset check value to INT_MAX in bpf_skb_{load,store}_bytes
* Bionic update: upstream stable patchset 2022-06-21 (LP: #1979355)
- floppy: disable FDRAWCMD by default
- [Config] updateconfigs for BLK_DEV_FD_RAWCMD
- hamradio: defer 6pack kfree after unregister_netdev
- hamradio: remove needs_free_netdev to avoid UAF
- lightnvm: disable the subsystem
- [Config] updateconfigs for NVM, NVM_PBLK
- usb: mtu3: fix USB 3.0 dual-role-switch from device to host
- USB: quirks: add a Realtek card reader
- USB: quirks: add STRING quirk for VCOM device
- USB: serial: whiteheat: fix heap overflow in WHITEHEAT_GET_DTR_RTS
- USB: serial: cp210x: add PIDs for Kamstrup USB Meter Reader
- USB: serial: option: add support for Cinterion MV32-WA/MV32-WB
- USB: serial: option: add Telit 0x1057, 0x1058, 0x1075 compositions
- xhci: stop polling roothubs after shutdown
- iio: dac: ad5592r: Fix the missing return value.
- iio: dac: ad5446: Fix read_raw not returning set value
- iio: magnetometer: ak8975: Fix the error handling in ak8975_power_on()
- usb: misc: fix improper handling of refcount in uss720_probe()
- usb: gadget: uvc: Fix crash when encoding data for usb request
- usb: gadget: configfs: clear deactivation flag in
configfs_composite_unbind()
- serial: 8250: Also set sticky MCR bits in console restoration
- serial: 8250: Correct the clock for EndRun PTP/1588 PCIe device
- hex2bin: make the function hex_to_bin constant-time
- hex2bin: fix access beyond string end
- USB: Fix xhci event ring dequeue pointer ERDP update issue
- ARM: dts: imx6qdl-apalis: Fix sgtl5000 detection issue
- phy: samsung: Fix missing of_node_put() in exynos_sata_phy_probe
- phy: samsung: exynos5250-sata: fix missing device put in probe error paths
- ARM: OMAP2+: Fix refcount leak in omap_gic_of_init
- ARM: dts: Fix mmc order for omap3-gta04
- ipvs: correctly print the memory size of ip_vs_conn_tab
- mtd: rawnand: Fix return value check of wait_for_completion_timeout
- sctp: check asoc strreset_chunk in sctp_generate_reconf_event
- pinctrl: pistachio: fix use of irq_of_parse_and_map()
- ip_gre: Make o_seqno start from 0 in native mode
- tcp: fix potential xmit stalls caused by TCP_NOTSENT_LOWAT
- bus: sunxi-rsb: Fix the return value of sunxi_rsb_device_create()
- clk: sunxi: sun9i-mmc: check return value after calling
platform_get_resource()
- net: bcmgenet: hide status block before TX timestamping
- bnx2x: fix napi API usage sequence
- ASoC: wm8731: Disable the regulator when probing fails
- x86: __memcpy_flushcache: fix wrong alignment if size > 2^32
- cifs: destage any unwritten data to the server before calling
copychunk_write
- drivers: net: hippi: Fix deadlock in rr_close()
- x86/cpu: Load microcode during restore_processor_state()
- tty: n_gsm: fix wrong signal octet encoding in convergence layer type 2
- tty: n_gsm: fix malformed counter for out of frame data
- tty: n_gsm: fix insufficient txframe size
- tty: n_gsm: fix missing explicit ldisc flush
- tty: n_gsm: fix wrong command retry handling
- tty: n_gsm: fix wrong command frame length field encoding
- tty: n_gsm: fix incorrect UA handling
- MIPS: Fix CP0 counter erratum detection for R4k CPUs
- parisc: Merge model and model name into one line in /proc/cpuinfo
- ALSA: fireworks: fix wrong return count shorter than expected by 4 bytes
- Revert "SUNRPC: attempt AF_LOCAL connect on setup"
- firewire: fix potential uaf in outbound_phy_packet_callback()
- firewire: remove check of list iterator against head past the loop body
- firewire: core: extend card->lock in fw_core_handle_bus_reset
- ASoC: wm8958: Fix change notifications for DSP controls
- can: grcan: grcan_close(): fix deadlock
- can: grcan: use ofdev->dev when allocating DMA memory
- nfc: replace improper check device_is_registered() in netlink related
functions
- NFC: netlink: fix sleep in atomic bug when firmware download timeout
- hwmon: (adt7470) Fix warning on module removal
- ASoC: dmaengine: Restore NULL prepare_slave_config() callback
- net: emaclite: Add error handling for of_address_to_resource()
- smsc911x: allow using IRQ0
- btrfs: always log symlinks in full mode
- net: igmp: respect RCU rules in ip_mc_source() and ip_mc_msfilter()
- kvm: x86/cpuid: Only provide CPUID leaf 0xA if host has architectural PMU
- net: ipv6: ensure we call ipv6_mc_down() at most once
- dm: fix mempool NULL pointer race when completing IO
- dm: interlock pending dm_io and dm_wait_for_bios_completion
- PCI: aardvark: Clear all MSIs at setup
- PCI: aardvark: Fix reading MSI interrupt number
- tcp: md5: incorrect tcp_header_len for incoming connections
- net: hns3: add validity check for message data length
- genirq: Synchronize interrupt thread startup
- net: stmmac: dwmac-sun8i: add missing of_node_put() in
sun8i_dwmac_register_mdio_mux()
- mm: fix unexpected zeroed page mapping with zram swap
* unprivileged tests in test_verifier from ubuntu_bpf failed with "Failed to
load prog 'Operation not permitted'" on B-4.15 (LP: #1980648)
- selftests/bpf: Count tests skipped by unpriv
- selftests/bpf: Only run tests if !bpf_disabled
* CVE-2022-1734
- nfc: nfcmrvl: main: reorder destructive operations in
nfcmrvl_nci_unregister_dev to avoid bugs
* CVE-2022-1652
- floppy: use a statically allocated error counter
-- Thadeu Lima de Souza Cascardo <casca...@canonical.com> Wed, 03 Aug
2022 22:18:18 -0300
** Changed in: linux (Ubuntu Bionic)
Status: Fix Committed => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-1652
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-1679
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-1734
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-2586
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-2588
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-34918
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1980879
Title:
Bionic update: upstream stable patchset 2022-07-06
Status in linux package in Ubuntu:
Invalid
Status in linux source package in Bionic:
Fix Released
Bug description:
SRU Justification
Impact:
The upstream process for stable tree updates is quite similar
in scope to the Ubuntu SRU process, e.g., each patch has to
demonstrably fix a bug, and each patch is vetted by upstream
by originating either directly from a mainline/stable Linux tree or
a minimally backported form of that patch. The following upstream
stable patches should be included in the Ubuntu kernel:
upstream stable patchset 2022-07-06
Ported from the following upstream stable releases:
v4.14.279, v4.19.243
v4.14.280, v4.19.244
v4.14.281, v4.19.245
from git://git.kernel.org/
MIPS: Use address-of operator on section symbols
block: drbd: drbd_nl: Make conversion to 'enum drbd_ret_code' explicit
can: grcan: grcan_probe(): fix broken system id check for errata workaround
needs
can: grcan: only use the NAPI poll budget for RX
Bluetooth: Fix the creation of hdev->name
mmc: rtsx: add 74 Clocks in power on flow
mm: hugetlb: fix missing cache flush in copy_huge_page_from_user()
mm: userfaultfd: fix missing cache flush in mcopy_atomic_pte() and
__mcopy_atomic()
ALSA: pcm: Fix races among concurrent hw_params and hw_free calls
ALSA: pcm: Fix races among concurrent read/write and buffer changes
ALSA: pcm: Fix races among concurrent prepare and hw_params/hw_free calls
ALSA: pcm: Fix races among concurrent prealloc proc writes
ALSA: pcm: Fix potential AB/BA lock with buffer_mutex and mmap_lock
VFS: Fix memory leak caused by concurrently mounting fs with subtype
UBUNTU: Upstream stable to v4.14.279, v4.19.243
batman-adv: Don't skb_split skbuffs with frag_list
net: Fix features skip in for_each_netdev_feature()
ipv4: drop dst in multicast routing path
netlink: do not reset transport header in netlink_recvmsg()
mac80211_hwsim: call ieee80211_tx_prepare_skb under RCU protection
hwmon: (ltq-cputemp) restrict it to SOC_XWAY
s390/ctcm: fix variable dereferenced before check
s390/ctcm: fix potential memory leak
s390/lcs: fix variable dereferenced before check
net/smc: non blocking recvmsg() return -EAGAIN when no data and signal_pending
net: sfc: ef10: fix memory leak in efx_ef10_mtd_probe()
hwmon: (f71882fg) Fix negative temperature
ASoC: max98090: Reject invalid values in custom control put()
ASoC: max98090: Generate notifications on changes for custom control
ASoC: ops: Validate input values in snd_soc_put_volsw_range()
tcp: resalt the secret every 10 seconds
usb: cdc-wdm: fix reading stuck on device close
USB: serial: pl2303: add device id for HP LM930 Display
USB: serial: qcserial: add support for Sierra Wireless EM7590
USB: serial: option: add Fibocom L610 modem
USB: serial: option: add Fibocom MA510 modem
cgroup/cpuset: Remove cpus_allowed/mems_allowed setup in cpuset_init_smp()
drm/vmwgfx: Initialize drm_mode_fb_cmd2
ping: fix address binding wrt vrf
tty/serial: digicolor: fix possible null-ptr-deref in digicolor_uart_probe()
net/sched: act_pedit: really ensure the skb is writable
UBUNTU: Upstream stable to v4.14.280, v4.19.244
floppy: use a statically allocated error counter
um: Cleanup syscall_handler_t definition/cast, fix warning
Input: add bounds checking to input_set_capability()
Input: stmfts - fix reference leak in stmfts_input_open
MIPS: lantiq: check the return value of kzalloc()
drbd: remove usage of list iterator variable after loop
ARM: 9191/1: arm/stacktrace, kasan: Silence KASAN warnings in unwind_frame()
ALSA: wavefront: Proper check of get_user() error
perf: Fix sys_perf_event_open() race against self
drm/dp/mst: fix a possible memory leak in fetch_monitor_name()
mmc: core: Specify timeouts for BKOPS and CACHE_FLUSH for eMMC
mmc: block: Use generic_cmd6_time when modifying INAND_CMD38_ARG_EXT_CSD
mmc: core: Default to generic_cmd6_time as timeout in __mmc_switch()
net: vmxnet3: fix possible use-after-free bugs in vmxnet3_rq_alloc_rx_buf()
net: vmxnet3: fix possible NULL pointer dereference in vmxnet3_rq_cleanup()
clk: at91: generated: consider range when calculating best rate
net/qla3xxx: Fix a test in ql_reset_work()
NFC: nci: fix sleep in atomic context bugs caused by nci_skb_alloc
ARM: 9196/1: spectre-bhb: enable for Cortex-A15
ARM: 9197/1: spectre-bhb: fix loop8 sequence for Thumb2
igb: skip phy status check where unavailable
net: bridge: Clear offload_fwd_mark when passing frame up bridge interface.
gpio: gpio-vf610: do not touch other bits when set the target bit
gpio: mvebu/pwm: Refuse requests with inverted polarity
perf bench numa: Address compiler error on s390
scsi: qla2xxx: Fix missed DMA unmap for aborted commands
mac80211: fix rx reordering with non explicit / psmp ack policy
ethernet: tulip: fix missing pci_disable_device() on error in tulip_init_one()
net: stmmac: fix missing pci_disable_device() on error in stmmac_pci_probe()
net: atlantic: verify hw_head_ lies within TX buffer ring
swiotlb: fix info leak with DMA_FROM_DEVICE
Reinstate some of "swiotlb: rework "fix info leak with DMA_FROM_DEVICE""
net: macb: Increment rx bd head after allocating skb and buffer
net/sched: act_pedit: sanitize shift argument before usage
afs: Fix afs_getattr() to refetch file status if callback break occurred
UBUNTU: Upstream stable to v4.14.281, v4.19.245
x86/pci/xen: Disable PCI/MSI[-X] masking for XEN_HVM guests
staging: rtl8723bs: prevent ->Ssid overflow in rtw_wx_set_scan()
tcp: change source port randomizarion at connect() time
secure_seq: use the 64 bits of the siphash for port offset calculation
ACPI: sysfs: Make sparse happy about address space in use
Revert "UBUNTU: SAUCE: ACPI: sysfs: copy ACPI data using io memory copying"
ACPI: sysfs: Fix BERT error region memory mapping
net: af_key: check encryption module availability consistency
net: ftgmac100: Disable hardware checksum on AST2600
drivers: i2c: thunderx: Allow driver to work with ACPI defined TWSI
controllers
assoc_array: Fix BUG_ON during garbage collect
drm/i915: Fix -Wstringop-overflow warning in call to intel_read_wm_latency()
block-map: add __GFP_ZERO flag for alloc_page in function bio_copy_kern
exec: Force single empty string when argv is empty
netfilter: conntrack: re-fetch conntrack after insertion
zsmalloc: fix races between asynchronous zspage free and page migration
dm integrity: fix error code in dm_integrity_ctr()
dm crypt: make printing of the key constant-time
dm stats: add cond_resched when looping over entries
dm verity: set DM_TARGET_IMMUTABLE feature flag
tpm: ibmvtpm: Correct the return value in tpm_ibmvtpm_probe()
docs: submitting-patches: Fix crossref to 'The canonical patch format'
NFSD: Fix possible sleep during nfsd4_release_lockowner()
bpf: Enlarge offset check value to INT_MAX in bpf_skb_{load,store}_bytes
UBUNTU: Upstream stable to v4.14.282, v4.19.246
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1980879/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
