This bug was fixed in the package linux - 4.15.0-13.14

---------------
linux (4.15.0-13.14) bionic; urgency=medium

  * linux: 4.15.0-13.14 -proposed tracker (LP: #1756408)

  * devpts: handle bind-mounts (LP: #1755857)
    - SAUCE: devpts: hoist out check for DEVPTS_SUPER_MAGIC
    - SAUCE: devpts: resolve devpts bind-mounts
    - SAUCE: devpts: comment devpts_mntget()
    - SAUCE: selftests: add devpts selftests

  * [bionic][arm64] d-i: add hisi_sas_v3_hw to scsi-modules (LP: #1756103)
    - d-i: add hisi_sas_v3_hw to scsi-modules

  * [Bionic][ARM64] enable ROCE and HNS3 driver support for hip08 SoC
    (LP: #1756097)
    - RDMA/hns: Refactor eq code for hip06
    - RDMA/hns: Add eq support of hip08
    - RDMA/hns: Add detailed comments for mb() call
    - RDMA/hns: Add rq inline data support for hip08 RoCE
    - RDMA/hns: Update the usage of sr_max and rr_max field
    - RDMA/hns: Set access flags of hip08 RoCE
    - RDMA/hns: Filter for zero length of sge in hip08 kernel mode
    - RDMA/hns: Fix QP state judgement before sending work requests
    - RDMA/hns: Assign dest_qp when deregistering mr
    - RDMA/hns: Fix endian problems around imm_data and rkey
    - RDMA/hns: Assign the correct value for tx_cqn
    - RDMA/hns: Create gsi qp in hip08
    - RDMA/hns: Add gsi qp support for modifying qp in hip08
    - RDMA/hns: Fill sq wqe context of ud type in hip08
    - RDMA/hns: Assign zero for pkey_index of wc in hip08
    - RDMA/hns: Update the verbs of polling for completion
    - RDMA/hns: Set the guid for hip08 RoCE device
    - net: hns3: Refactor of the reset interrupt handling logic
    - net: hns3: Add reset service task for handling reset requests
    - net: hns3: Refactors the requested reset & pending reset handling code
    - net: hns3: Add HNS3 VF IMP(Integrated Management Proc) cmd interface
    - net: hns3: Add mailbox support to VF driver
    - net: hns3: Add HNS3 VF HCL(Hardware Compatibility Layer) Support
    - net: hns3: Add HNS3 VF driver to kernel build framework
    - net: hns3: Unified HNS3 {VF|PF} Ethernet Driver for hip08 SoC
    - net: hns3: Add mailbox support to PF driver
    - net: hns3: Change PF to add ring-vect binding & resetQ to mailbox
    - net: hns3: Add mailbox interrupt handling to PF driver
    - net: hns3: add support to query tqps number
    - net: hns3: add support to modify tqps number
    - net: hns3: change the returned tqp number by ethtool -x
    - net: hns3: free the ring_data structrue when change tqps
    - net: hns3: get rss_size_max from configuration but not hardcode
    - net: hns3: add a mask initialization for mac_vlan table
    - net: hns3: add vlan offload config command
    - net: hns3: add ethtool related offload command
    - net: hns3: add handling vlan tag offload in bd
    - net: hns3: cleanup mac auto-negotiation state query
    - net: hns3: fix for getting auto-negotiation state in hclge_get_autoneg
    - net: hns3: add support for set_pauseparam
    - net: hns3: add support to update flow control settings after autoneg
    - net: hns3: add Asym Pause support to phy default features
    - net: hns3: add support for querying advertised pause frame by ethtool ethx
    - net: hns3: Increase the default depth of bucket for TM shaper
    - net: hns3: change TM sched mode to TC-based mode when SRIOV enabled
    - net: hns3: hns3_get_channels() can be static
    - net: hns3: Add ethtool interface for vlan filter
    - net: hns3: Disable VFs change rxvlan offload status
    - net: hns3: Unify the strings display of packet statistics
    - net: hns3: Fix spelling errors
    - net: hns3: Remove repeat statistic of rx_errors
    - net: hns3: Modify the update period of packet statistics
    - net: hns3: Mask the packet statistics query when NIC is down
    - net: hns3: Fix an error of total drop packet statistics
    - net: hns3: Fix a loop index error of tqp statistics query
    - net: hns3: Fix an error macro definition of HNS3_TQP_STAT
    - net: hns3: Remove a useless member of struct hns3_stats
    - net: hns3: Add packet statistics of netdev
    - net: hns3: Fix a response data read error of tqp statistics query
    - net: hns3: fix for updating fc_mode_last_time
    - net: hns3: fix for setting MTU
    - net: hns3: fix for changing MTU
    - net: hns3: add MTU initialization for hardware
    - net: hns3: fix for not setting pause parameters
    - net: hns3: remove redundant semicolon
    - net: hns3: Add more packet size statisctics
    - Revert "net: hns3: Add packet statistics of netdev"
    - net: hns3: report the function type the same line with
      hns3_nic_get_stats64
    - net: hns3: add ethtool_ops.get_channels support for VF
    - net: hns3: remove TSO config command from VF driver
    - net: hns3: add ethtool_ops.get_coalesce support to PF
    - net: hns3: add ethtool_ops.set_coalesce support to PF
    - net: hns3: refactor interrupt coalescing init function
    - net: hns3: refactor GL update function
    - net: hns3: remove unused GL setup function
    - net: hns3: change the unit of GL value macro
    - net: hns3: add int_gl_idx setup for TX and RX queues
    - net: hns3: add feature check when feature changed
    - net: hns3: check for NULL function pointer in hns3_nic_set_features
    - net: hns: Fix for variable may be used uninitialized warnings
    - net: hns3: add support for get_regs
    - net: hns3: add manager table initialization for hardware
    - net: hns3: add ethtool -p support for fiber port
    - net: hns3: add net status led support for fiber port
    - net: hns3: converting spaces into tabs to avoid checkpatch.pl warning
    - net: hns3: add get/set_coalesce support to VF
    - net: hns3: add int_gl_idx setup for VF
    - [Config]: enable CONFIG_HNS3_HCLGEVF as module.

  * [Bionic][ARM64] add RAS extension and SDEI features (LP: #1756096)
    - KVM: arm64: Store vcpu on the stack during __guest_enter()
    - KVM: arm/arm64: Convert kvm_host_cpu_state to a static per-cpu allocation
    - KVM: arm64: Change hyp_panic()s dependency on tpidr_el2
    - arm64: alternatives: use tpidr_el2 on VHE hosts
    - KVM: arm64: Stop save/restoring host tpidr_el1 on VHE
    - Docs: dt: add devicetree binding for describing arm64 SDEI firmware
    - firmware: arm_sdei: Add driver for Software Delegated Exceptions
    - arm64: Add vmap_stack header file
    - arm64: uaccess: Add PAN helper
    - arm64: kernel: Add arch-specific SDEI entry code and CPU masking
    - firmware: arm_sdei: Add support for CPU and system power states
    - firmware: arm_sdei: add support for CPU private events
    - arm64: acpi: Remove __init from acpi_psci_use_hvc() for use by SDEI
    - firmware: arm_sdei: Discover SDEI support via ACPI
    - arm64: sysreg: Move to use definitions for all the SCTLR bits
    - arm64: cpufeature: Detect CPU RAS Extentions
    - arm64: kernel: Survive corrected RAS errors notified by SError
    - arm64: Unconditionally enable IESB on exception entry/return for firmware-
      first
    - arm64: kernel: Prepare for a DISR user
    - KVM: arm/arm64: mask/unmask daif around VHE guests
    - KVM: arm64: Set an impdef ESR for Virtual-SError using VSESR_EL2.
    - KVM: arm64: Save/Restore guest DISR_EL1
    - KVM: arm64: Save ESR_EL2 on guest SError
    - KVM: arm64: Handle RAS SErrors from EL1 on guest exit
    - KVM: arm64: Handle RAS SErrors from EL2 on guest exit
    - KVM: arm64: Emulate RAS error registers and set HCR_EL2's TERR & TEA
    - [Config]: enable RAS_EXTN and ARM_SDE_INTERFACE

  * [Bionic][ARM64] PCI and SAS driver patches for hip08 SoCs (LP: #1756094)
    - scsi: hisi_sas: fix dma_unmap_sg() parameter
    - scsi: ata: enhance the definition of SET MAX feature field value
    - scsi: hisi_sas: relocate clearing ITCT and freeing device
    - scsi: hisi_sas: optimise port id refresh function
    - scsi: hisi_sas: some optimizations of host controller reset
    - scsi: hisi_sas: modify hisi_sas_dev_gone() for reset
    - scsi: hisi_sas: add an mechanism to do reset work synchronously
    - scsi: hisi_sas: change ncq process for v3 hw
    - scsi: hisi_sas: add RAS feature for v3 hw
    - scsi: hisi_sas: add some print to enhance debugging
    - scsi: hisi_sas: improve int_chnl_int_v2_hw() consistency with v3 hw
    - scsi: hisi_sas: add v2 hw port AXI error handling support
    - scsi: hisi_sas: use an general way to delay PHY work
    - scsi: hisi_sas: do link reset for some CHL_INT2 ints
    - scsi: hisi_sas: judge result of internal abort
    - scsi: hisi_sas: add internal abort dev in some places
    - scsi: hisi_sas: fix SAS_QUEUE_FULL problem while running IO
    - scsi: hisi_sas: re-add the lldd_port_deformed()
    - scsi: hisi_sas: add v3 hw suspend and resume
    - scsi: hisi_sas: Change frame type for SET MAX commands
    - scsi: hisi_sas: make local symbol host_attrs static
    - scsi: hisi_sas: fix a bug in hisi_sas_dev_gone()
    - SAUCE: scsi: hisi_sas: config for hip08 ES
    - SAUCE: scsi: hisi_sas: export device table of v3 hw to userspace
    - PM / core: Add LEAVE_SUSPENDED driver flag
    - PCI / PM: Support for LEAVE_SUSPENDED driver flag
    - PCI/AER: Skip recovery callbacks for correctable errors from ACPI APEI
    - PCI/ASPM: Calculate LTR_L1.2_THRESHOLD from device characteristics
    - PCI/ASPM: Enable Latency Tolerance Reporting when supported
    - PCI/ASPM: Unexport internal ASPM interfaces
    - PCI: Make PCI_SCAN_ALL_PCIE_DEVS work for Root as well as Downstream Ports
    - PCI/AER: Return error if AER is not supported
    - PCI/DPC: Enable DPC only if AER is available

  * [CVE] Spectre: System Z {kernel} UBUNTU18.04 (LP: #1754580)
    - s390: scrub registers on kernel entry and KVM exit
    - s390: add optimized array_index_mask_nospec
    - s390/alternative: use a copy of the facility bit mask
    - s390: add options to change branch prediction behaviour for the kernel
    - s390: run user space and KVM guests with modified branch prediction
    - s390: introduce execute-trampolines for branches
    - s390: Replace IS_ENABLED(EXPOLINE_*) with IS_ENABLED(CONFIG_EXPOLINE_*)
    - s390: do not bypass BPENTER for interrupt system calls
    - s390/entry.S: fix spurious zeroing of r0

  * s390/crypto: Fix kernel crash on aes_s390 module remove (LP: #1753424)
    - SAUCE: s390/crypto: Fix kernel crash on aes_s390 module remove.

  * [Feature]Update Ubuntu 18.04 lpfc FC driver with 32/64GB HBA support and bug
    fixes (LP: #1752182)
    - scsi: lpfc: FLOGI failures are reported when connected to a private loop.
    - scsi: lpfc: Expand WQE capability of every NVME hardware queue
    - scsi: lpfc: Handle XRI_ABORTED_CQE in soft IRQ
    - scsi: lpfc: Fix NVME LS abort_xri
    - scsi: lpfc: Raise maximum NVME sg list size for 256 elements
    - scsi: lpfc: Driver fails to detect direct attach storage array
    - scsi: lpfc: Fix display for debugfs queInfo
    - scsi: lpfc: Adjust default value of lpfc_nvmet_mrq
    - scsi: lpfc: Fix ndlp ref count for pt2pt mode issue RSCN
    - scsi: lpfc: Linux LPFC driver does not process all RSCNs
    - scsi: lpfc: correct port registrations with nvme_fc
    - scsi: lpfc: Correct driver deregistrations with host nvme transport
    - scsi: lpfc: Fix crash during driver unload with running nvme traffic
    - scsi: lpfc: Fix driver handling of nvme resources during unload
    - scsi: lpfc: small sg cnt cleanup
    - scsi: lpfc: Fix random heartbeat timeouts during heavy IO
    - scsi: lpfc: update driver version to 11.4.0.5
    - scsi: lpfc: Fix -EOVERFLOW behavior for NVMET and defer_rcv
    - scsi: lpfc: Fix receive PRLI handling
    - scsi: lpfc: Increase SCSI CQ and WQ sizes.
    - scsi: lpfc: Fix SCSI LUN discovery when SCSI and NVME enabled
    - scsi: lpfc: Fix issues connecting with nvme initiator
    - scsi: lpfc: Fix infinite wait when driver unregisters a remote NVME port.
    - scsi: lpfc: Beef up stat counters for debug
    - scsi: lpfc: update driver version to 11.4.0.6
    - scsi: lpfc: correct sg_seg_cnt attribute min vs default
    - scsi: scsi_transport_fc: fix typos on 64/128 GBit define names
    - scsi: lpfc: don't dereference localport before it has been null checked
    - scsi: lpfc: fix a couple of minor indentation issues
    - treewide: Use DEVICE_ATTR_RW
    - treewide: Use DEVICE_ATTR_RO
    - treewide: Use DEVICE_ATTR_WO
    - scsi: lpfc: Fix frequency of Release WQE CQEs
    - scsi: lpfc: Increase CQ and WQ sizes for SCSI
    - scsi: lpfc: move placement of target destroy on driver detach
    - scsi: lpfc: correct debug counters for abort
    - scsi: lpfc: Add WQ Full Logic for NVME Target
    - scsi: lpfc: Fix PRLI handling when topology type changes
    - scsi: lpfc: Fix IO failure during hba reset testing with nvme io.
    - scsi: lpfc: Fix RQ empty firmware trap
    - scsi: lpfc: Allow set of maximum outstanding SCSI cmd limit for a target
    - scsi: lpfc: Fix soft lockup in lpfc worker thread during LIP testing
    - scsi: lpfc: Fix issue_lip if link is disabled
    - scsi: lpfc: Indicate CONF support in NVMe PRLI
    - scsi: lpfc: Fix SCSI io host reset causing kernel crash
    - scsi: lpfc: Validate adapter support for SRIU option
    - scsi: lpfc: Fix header inclusion in lpfc_nvmet
    - scsi: lpfc: Treat SCSI Write operation Underruns as an error
    - scsi: lpfc: Fix nonrecovery of NVME controller after cable swap.
    - scsi: lpfc: update driver version to 11.4.0.7
    - scsi: lpfc: Update 11.4.0.7 modified files for 2018 Copyright
    - scsi: lpfc: Rework lpfc to allow different sli4 cq and eq handlers
    - scsi: lpfc: Rework sli4 doorbell infrastructure
    - scsi: lpfc: Add SLI-4 if_type=6 support to the code base
    - scsi: lpfc: Add push-to-adapter support to sli4
    - scsi: lpfc: Add PCI Ids for if_type=6 hardware
    - scsi: lpfc: Add 64G link speed support
    - scsi: lpfc: Add if_type=6 support for cycling valid bits
    - scsi: lpfc: Enable fw download on if_type=6 devices
    - scsi: lpfc: Add embedded data pointers for enhanced performance
    - scsi: lpfc: Fix nvme embedded io length on new hardware
    - scsi: lpfc: Work around NVME cmd iu SGL type
    - scsi: lpfc: update driver version to 12.0.0.0
    - scsi: lpfc: Change Copyright of 12.0.0.0 modified files to 2018
    - scsi: lpfc: use __raw_writeX on DPP copies
    - scsi: lpfc: Add missing unlock in WQ full logic

  * CVE-2018-8043
    - net: phy: mdio-bcm-unimac: fix potential NULL dereference in
      unimac_mdio_probe()

  * Bionic update to 4.15.10 stable release (LP: #1756100)
    - Revert "UBUNTU: SAUCE: ALSA: hda/realtek - Add support headset mode for
      DELL WYSE"
    - RDMA/ucma: Limit possible option size
    - RDMA/ucma: Check that user doesn't overflow QP state
    - RDMA/mlx5: Fix integer overflow while resizing CQ
    - bpf: cpumap: use GFP_KERNEL instead of GFP_ATOMIC in
      __cpu_map_entry_alloc()
    - IB/uverbs: Improve lockdep_check
    - mac80211_hwsim: don't use WQ_MEM_RECLAIM
    - net/smc: fix NULL pointer dereference on sock_create_kern() error path
    - regulator: stm32-vrefbuf: fix check on ready flag
    - drm/i915: Check for fused or unused pipes
    - drm/i915/audio: fix check for av_enc_map overflow
    - drm/i915: Fix rsvd2 mask when out-fence is returned
    - drm/i915: Clear the in-use marker on execbuf failure
    - drm/i915: Disable DC states around GMBUS on GLK
    - drm/i915: Update watermark state correctly in sanitize_watermarks
    - drm/i915: Try EDID bitbanging on HDMI after failed read
    - drm/i915/perf: fix perf stream opening lock
    - scsi: core: Avoid that ATA error handling can trigger a kernel hang or
      oops
    - scsi: qla2xxx: Fix NULL pointer crash due to active timer for ABTS
    - drm/i915: Always call to intel_display_set_init_power() in resume_early.
    - workqueue: Allow retrieval of current task's work struct
    - drm: Allow determining if current task is output poll worker
    - drm/nouveau: Fix deadlock on runtime suspend
    - drm/radeon: Fix deadlock on runtime suspend
    - drm/amdgpu: Fix deadlock on runtime suspend
    - drm/nouveau: prefer XBGR2101010 for addfb ioctl
    - drm/amd/powerplay/smu7: allow mclk switching with no displays
    - drm/amd/powerplay/vega10: allow mclk switching with no displays
    - Revert "drm/radeon/pm: autoswitch power state when in balanced mode"
    - drm/amd/display: check for ipp before calling cursor operations
    - drm/radeon: insist on 32-bit DMA for Cedar on PPC64/PPC64LE
    - drm/amd/powerplay: fix power over limit on Fiji
    - drm/amd/display: Default HDMI6G support to true. Log VBIOS table error.
    - drm/amdgpu: used cached pcie gen info for SI (v2)
    - drm/amdgpu: Notify sbios device ready before send request
    - drm/radeon: fix KV harvesting
    - drm/amdgpu: fix KV harvesting
    - drm/amdgpu:Correct max uvd handles
    - drm/amdgpu:Always save uvd vcpu_bo in VM Mode
    - ovl: redirect_dir=nofollow should not follow redirect for opaque lower
    - MIPS: BMIPS: Do not mask IPIs during suspend
    - MIPS: ath25: Check for kzalloc allocation failure
    - MIPS: OCTEON: irq: Check for null return on kzalloc allocation
    - PCI: dwc: Fix enumeration end when reaching root subordinate
    - Input: matrix_keypad - fix race when disabling interrupts
    - Revert "Input: synaptics - Lenovo Thinkpad T460p devices should use RMI"
    - bug: use %pB in BUG and stack protector failure
    - lib/bug.c: exclude non-BUG/WARN exceptions from report_bug()
    - mm/memblock.c: hardcode the end_pfn being -1
    - Documentation/sphinx: Fix Directive import error
    - loop: Fix lost writes caused by missing flag
    - virtio_ring: fix num_free handling in error case
    - KVM: s390: fix memory overwrites when not using SCA entries
    - arm64: mm: fix thinko in non-global page table attribute check
    - IB/core: Fix missing RDMA cgroups release in case of failure to register
      device
    - Revert "nvme: create 'slaves' and 'holders' entries for hidden
      controllers"
    - kbuild: Handle builtin dtb file names containing hyphens
    - dm bufio: avoid false-positive Wmaybe-uninitialized warning
    - IB/mlx5: Fix incorrect size of klms in the memory region
    - bcache: fix crashes in duplicate cache device register
    - bcache: don't attach backing with duplicate UUID
    - x86/MCE: Save microcode revision in machine check records
    - x86/MCE: Serialize sysfs changes
    - perf tools: Fix trigger class trigger_on()
    - x86/spectre_v2: Don't check microcode versions when running under
      hypervisors
    - ALSA: hda/realtek - Add support headset mode for DELL WYSE
    - ALSA: hda/realtek - Add headset mode support for Dell laptop
    - ALSA: hda/realtek: Limit mic boost on T480
    - ALSA: hda/realtek - Fix dock line-out volume on Dell Precision 7520
    - ALSA: hda/realtek - Make dock sound work on ThinkPad L570
    - ALSA: seq: More protection for concurrent write and ioctl races
    - ALSA: hda: add dock and led support for HP EliteBook 820 G3
    - ALSA: hda: add dock and led support for HP ProBook 640 G2
    - scsi: qla2xxx: Fix NULL pointer crash due to probe failure
    - scsi: qla2xxx: Fix recursion while sending terminate exchange
    - dt-bindings: Document mti,mips-cpc binding
    - MIPS: CPC: Map registers using DT in mips_cpc_default_phys_base()
    - nospec: Kill array_index_nospec_mask_check()
    - nospec: Include <asm/barrier.h> dependency
    - x86/entry: Reduce the code footprint of the 'idtentry' macro
    - x86/entry/64: Use 'xorl' for faster register clearing
    - x86/mm: Remove stale comment about KMEMCHECK
    - x86/asm: Improve how GEN_*_SUFFIXED_RMWcc() specify clobbers
    - x86/IO-APIC: Avoid warning in 32-bit builds
    - x86/LDT: Avoid warning in 32-bit builds with older gcc
    - x86-64/realmode: Add instruction suffix
    - Revert "x86/retpoline: Simplify vmexit_fill_RSB()"
    - x86/speculation: Use IBRS if available before calling into firmware
    - x86/retpoline: Support retpoline builds with Clang
    - x86/speculation, objtool: Annotate indirect calls/jumps for objtool
    - x86/speculation: Move firmware_restrict_branch_speculation_*() from C to
      CPP
    - x86/paravirt, objtool: Annotate indirect calls
    - x86/boot, objtool: Annotate indirect jump in secondary_startup_64()
    - x86/mm/sme, objtool: Annotate indirect call in sme_encrypt_execute()
    - objtool: Use existing global variables for options
    - objtool: Add retpoline validation
    - objtool: Add module specific retpoline rules
    - objtool, retpolines: Integrate objtool with retpoline support more closely
    - objtool: Fix another switch table detection issue
    - objtool: Fix 32-bit build
    - x86/kprobes: Fix kernel crash when probing .entry_trampoline code
    - watchdog: hpwdt: SMBIOS check
    - watchdog: hpwdt: Check source of NMI
    - watchdog: hpwdt: fix unused variable warning
    - watchdog: hpwdt: Remove legacy NMI sourcing.
    - netfilter: add back stackpointer size checks
    - netfilter: ipt_CLUSTERIP: fix a race condition of proc file creation
    - netfilter: xt_hashlimit: fix lock imbalance
    - netfilter: x_tables: fix missing timer initialization in xt_LED
    - netfilter: nat: cope with negative port range
    - netfilter: IDLETIMER: be syzkaller friendly
    - netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets
    - netfilter: bridge: ebt_among: add missing match size checks
    - netfilter: ipv6: fix use-after-free Write in nf_nat_ipv6_manip_pkt
    - netfilter: use skb_to_full_sk in ip6_route_me_harder
    - tpm_tis: Move ilb_base_addr to tpm_tis_data
    - tpm: Keep CLKRUN enabled throughout the duration of transmit_cmd()
    - tpm: delete the TPM_TIS_CLK_ENABLE flag
    - tpm: remove unused variables
    - tpm: only attempt to disable the LPC CLKRUN if is already enabled
    - x86/xen: Calculate __max_logical_packages on PV domains
    - scsi: qla2xxx: Fix system crash for Notify ack timeout handling
    - scsi: qla2xxx: Fix gpnid error processing
    - scsi: qla2xxx: Move session delete to driver work queue
    - scsi: qla2xxx: Skip IRQ affinity for Target QPairs
    - scsi: qla2xxx: Fix re-login for Nport Handle in use
    - scsi: qla2xxx: Retry switch command on time out
    - scsi: qla2xxx: Serialize GPNID for multiple RSCN
    - scsi: qla2xxx: Fix login state machine stuck at GPDB
    - scsi: qla2xxx: Fix NPIV host cleanup in target mode
    - scsi: qla2xxx: Relogin to target port on a cable swap
    - scsi: qla2xxx: Fix Relogin being triggered too fast
    - scsi: qla2xxx: Fix PRLI state check
    - scsi: qla2xxx: Fix abort command deadlock due to spinlock
    - scsi: qla2xxx: Replace fcport alloc with qla2x00_alloc_fcport
    - scsi: qla2xxx: Fix scan state field for fcport
    - scsi: qla2xxx: Clear loop id after delete
    - scsi: qla2xxx: Defer processing of GS IOCB calls
    - scsi: qla2xxx: Remove aborting ELS IOCB call issued as part of timeout.
    - scsi: qla2xxx: Fix system crash in qlt_plogi_ack_unref
    - scsi: qla2xxx: Fix memory leak in dual/target mode
    - NFS: Fix an incorrect type in struct nfs_direct_req
    - pNFS: Prevent the layout header refcount going to zero in pnfs_roc()
    - NFS: Fix unstable write completion
    - Linux 4.15.10

  * Bionic update to 4.15.10 stable release (LP: #1756100) // CVE-2018-1000004.
    - ALSA: seq: Don't allow resizing pool in use

  * nfp: prioritize stats updates (LP: #1752061)
    - nfp: flower: prioritize stats updates

  * Ubuntu 18.04 - Kernel crash on nvme subsystem-reset /dev/nvme0 (Bolt / NVMe)
    (LP: #1753371)
    - nvme-pci: Fix EEH failure on ppc

  * sbsa watchdog crashes thunderx2 system (LP: #1755595)
    - watchdog: sbsa: use 32-bit read for WCV

  * KVM: s390: add vcpu stat counters for many instruction (LP: #1755132)
    - KVM: s390: diagnoses are instructions as well
    - KVM: s390: add vcpu stat counters for many instruction

  * CIFS SMB2/SMB3 does not work for domain based DFS (LP: #1747572)
    - CIFS: make IPC a regular tcon
    - CIFS: use tcon_ipc instead of use_ipc parameter of SMB2_ioctl
    - CIFS: dump IPC tcon in debug proc file

  * i2c-thunderx: erroneous error message "unhandled state: 0" (LP: #1754076)
    - i2c: octeon: Prevent error message on bus error

  * Boston-LC:bos1u1: Stress test on Qlogic Fibre Channel on Ubuntu KVM guest
    that caused KVM host crashed in qlt_free_session_done call (LP: #1750441)
    - scsi: qla2xxx: Fix memory corruption during hba reset test

  * Ubuntu 18.04 - Performance: Radix page fault handler bug in KVM
    (LP: #1752236)
    - KVM: PPC: Book3S HV: Fix handling of large pages in radix page fault
      handler

  * Fix ARC hit rate (LP: #1755158)
    - SAUCE: Fix ARC hit rate (LP: #1755158)

  * Bionic update to 4.15.9 stable release (LP: #1755275)
    - bpf: fix mlock precharge on arraymaps
    - bpf: fix memory leak in lpm_trie map_free callback function
    - bpf: fix rcu lockdep warning for lpm_trie map_free callback
    - bpf, x64: implement retpoline for tail call
    - bpf, arm64: fix out of bounds access in tail call
    - bpf: add schedule points in percpu arrays management
    - bpf: allow xadd only on aligned memory
    - bpf, ppc64: fix out of bounds access in tail call
    - scsi: mpt3sas: fix oops in error handlers after shutdown/unload
    - scsi: mpt3sas: wait for and flush running commands on shutdown/unload
    - KVM: x86: fix backward migration with async_PF
    - Linux 4.15.9

  * Bionic update to 4.15.8 stable release (LP: #1755179)
    - hrtimer: Ensure POSIX compliance (relative CLOCK_REALTIME hrtimers)
    - ipmi_si: Fix error handling of platform device
    - platform/x86: dell-laptop: Allocate buffer on heap rather than globally
    - powerpc/pseries: Enable RAS hotplug events later
    - Bluetooth: btusb: Use DMI matching for QCA reset_resume quirking
    - ixgbe: fix crash in build_skb Rx code path
    - tpm: st33zp24: fix potential buffer overruns caused by bit glitches on the
      bus
    - tpm: fix potential buffer overruns caused by bit glitches on the bus
    - tpm_i2c_infineon: fix potential buffer overruns caused by bit glitches on
      the bus
    - tpm_i2c_nuvoton: fix potential buffer overruns caused by bit glitches on
      the bus
    - tpm_tis: fix potential buffer overruns caused by bit glitches on the bus
    - ALSA: usb-audio: Add a quirck for B&W PX headphones
    - ALSA: control: Fix memory corruption risk in snd_ctl_elem_read
    - ALSA: x86: Fix missing spinlock and mutex initializations
    - ALSA: hda: Add a power_save blacklist
    - ALSA: hda - Fix pincfg at resume on Lenovo T470 dock
    - mmc: sdhci-pci: Fix S0i3 for Intel BYT-based controllers
    - mmc: dw_mmc-k3: Fix out-of-bounds access through DT alias
    - mmc: dw_mmc: Avoid accessing registers in runtime suspended state
    - mmc: dw_mmc: Factor out dw_mci_init_slot_caps
    - mmc: dw_mmc: Fix out-of-bounds access for slot's caps
    - timers: Forward timer base before migrating timers
    - parisc: Use cr16 interval timers unconditionally on qemu
    - parisc: Reduce irq overhead when run in qemu
    - parisc: Fix ordering of cache and TLB flushes
    - parisc: Hide virtual kernel memory layout
    - btrfs: use proper endianness accessors for super_copy
    - block: fix the count of PGPGOUT for WRITE_SAME
    - block: kyber: fix domain token leak during requeue
    - block: pass inclusive 'lend' parameter to truncate_inode_pages_range
    - vfio: disable filesystem-dax page pinning
    - cpufreq: s3c24xx: Fix broken s3c_cpufreq_init()
    - dax: fix vma_is_fsdax() helper
    - direct-io: Fix sleep in atomic due to sync AIO
    - x86/xen: Zero MSR_IA32_SPEC_CTRL before suspend
    - x86/platform/intel-mid: Handle Intel Edison reboot correctly
    - x86/cpu_entry_area: Sync cpu_entry_area to initial_page_table
    - bridge: check brport attr show in brport_show
    - fib_semantics: Don't match route with mismatching tclassid
    - hdlc_ppp: carrier detect ok, don't turn off negotiation
    - ipv6 sit: work around bogus gcc-8 -Wrestrict warning
    - net: amd-xgbe: fix comparison to bitshift when dealing with a mask
    - net: ethernet: ti: cpsw: fix net watchdog timeout
    - net: fix race on decreasing number of TX queues
    - net: ipv4: don't allow setting net.ipv4.route.min_pmtu below 68
    - netlink: ensure to loop over all netns in genlmsg_multicast_allns()
    - net: sched: report if filter is too large to dump
    - ppp: prevent unregistered channels from connecting to PPP units
    - sctp: verify size of a new chunk in _sctp_make_chunk()
    - udplite: fix partial checksum initialization
    - net/mlx5e: Fix TCP checksum in LRO buffers
    - sctp: fix dst refcnt leak in sctp_v4_get_dst
    - mlxsw: spectrum_switchdev: Check success of FDB add operation
    - net/mlx5e: Specify numa node when allocating drop rq
    - net: phy: fix phy_start to consider PHY_IGNORE_INTERRUPT
    - tcp: Honor the eor bit in tcp_mtu_probe
    - rxrpc: Fix send in rxrpc_send_data_packet()
    - tcp_bbr: better deal with suboptimal GSO
    - doc: Change the min default value of tcp_wmem/tcp_rmem.
    - net/mlx5e: Fix loopback self test when GRO is off
    - net_sched: gen_estimator: fix broken estimators based on percpu stats
    - net/sched: cls_u32: fix cls_u32 on filter replace
    - sctp: do not pr_err for the duplicated node in transport rhlist
    - mlxsw: spectrum_router: Fix error path in mlxsw_sp_vr_create
    - net: ipv4: Set addr_type in hash_keys for forwarded case
    - sctp: fix dst refcnt leak in sctp_v6_get_dst()
    - bridge: Fix VLAN reference count problem
    - net/mlx5e: Verify inline header size do not exceed SKB linear size
    - tls: Use correct sk->sk_prot for IPV6
    - amd-xgbe: Restore PCI interrupt enablement setting on resume
    - cls_u32: fix use after free in u32_destroy_key()
    - mlxsw: spectrum_router: Do not unconditionally clear route offload
      indication
    - netlink: put module reference if dump start fails
    - tcp: purge write queue upon RST
    - tuntap: correctly add the missing XDP flush
    - tuntap: disable preemption during XDP processing
    - virtio-net: disable NAPI only when enabled during XDP set
    - cxgb4: fix trailing zero in CIM LA dump
    - net/mlx5: Fix error handling when adding flow rules
    - net: phy: Restore phy_resume() locking assumption
    - tcp: tracepoint: only call trace_tcp_send_reset with full socket
    - l2tp: don't use inet_shutdown on tunnel destroy
    - l2tp: don't use inet_shutdown on ppp session destroy
    - l2tp: fix races with tunnel socket close
    - l2tp: fix race in pppol2tp_release with session object destroy
    - l2tp: fix tunnel lookup use-after-free race
    - s390/qeth: fix underestimated count of buffer elements
    - s390/qeth: fix SETIP command handling
    - s390/qeth: fix overestimated count of buffer elements
    - s390/qeth: fix IP removal on offline cards
    - s390/qeth: fix double-free on IP add/remove race
    - Revert "s390/qeth: fix using of ref counter for rxip addresses"
    - s390/qeth: fix IP address lookup for L3 devices
    - s390/qeth: fix IPA command submission race
    - tcp: revert F-RTO middle-box workaround
    - tcp: revert F-RTO extension to detect more spurious timeouts
    - blk-mq: don't call io sched's .requeue_request when requeueing rq to
      ->dispatch
    - media: m88ds3103: don't call a non-initalized function
    - EDAC, sb_edac: Fix out of bound writes during DIMM configuration on KNL
    - KVM: s390: take care of clock-comparator sign control
    - KVM: s390: provide only a single function for setting the tod (fix SCK)
    - KVM: s390: consider epoch index on hotplugged CPUs
    - KVM: s390: consider epoch index on TOD clock syncs
    - nospec: Allow index argument to have const-qualified type
    - x86/mm: Fix {pmd,pud}_{set,clear}_flags()
    - ARM: orion: fix orion_ge00_switch_board_info initialization
    - ARM: dts: rockchip: Remove 1.8 GHz operation point from phycore som
    - ARM: mvebu: Fix broken PL310_ERRATA_753970 selects
    - ARM: kvm: fix building with gcc-8
    - KVM: X86: Fix SMRAM accessing even if VM is shutdown
    - KVM: mmu: Fix overlap between public and private memslots
    - KVM/x86: Remove indirect MSR op calls from SPEC_CTRL
    - KVM: x86: move LAPIC initialization after VMCS creation
    - KVM/VMX: Optimize vmx_vcpu_run() and svm_vcpu_run() by marking the RDMSR
      path as unlikely()
    - KVM: x86: fix vcpu initialization with userspace lapic
    - KVM/x86: remove WARN_ON() for when vm_munmap() fails
    - ACPI / bus: Parse tables as term_list for Dell XPS 9570 and Precision
      M5530
    - ARM: dts: LogicPD SOM-LV: Fix I2C1 pinmux
    - ARM: dts: LogicPD Torpedo: Fix I2C1 pinmux
    - powerpc/64s/radix: Boot-time NULL pointer protection using a guard-PID
    - md: only allow remove_and_add_spares when no sync_thread running.
    - platform/x86: dell-laptop: fix kbd_get_state's request value
    - Linux 4.15.8

  * ZFS setgid broken on 0.7 (LP: #1753288)
    - SAUCE: Fix ZFS setgid

  * /proc/kallsyms prints "(null)" for null addresses in 4.15 (LP: #1754297)
    - vsprintf: avoid misleading "(null)" for %px

  * Miscellaneous Ubuntu changes
    - d-i: Add netsec to nic-modules
    - [Config] fix up retpoline abi files
    - [Config] set NOBP and expoline options for s390

 -- Thadeu Lima de Souza Cascardo <casca...@canonical.com>  Fri, 16 Mar 2018 14:49:27 -0300

** Changed in: linux (Ubuntu Bionic)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1000004

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-8043

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to zfs-linux in Ubuntu.
https://bugs.launchpad.net/bugs/1753288

Title:
  ZFS setgid broken on 0.7

Status in linux package in Ubuntu:
  Fix Released
Status in zfs-linux package in Ubuntu:
  Fix Released
Status in linux source package in Bionic:
  Fix Released
Status in zfs-linux source package in Bionic:
  Fix Released

Bug description:
  Hey there,

  We've had one of our LXD users report that setting the setgid bit
  inside a container using ZFS on Ubuntu 18.04 (zfs 0.7) is silently
  failing. This is not a LXD bug as the exact same operation works on
  other filesystems.

  There are more details available here:
  https://github.com/lxc/lxd/issues/4294

  Reproducer looks something like:

  ```
  root@c1:~# touch a
  root@c1:~# chmod g+s a
  root@c1:~# touch b
  root@c1:~# chown 0:117 b
  root@c1:~# chmod g+s b
  root@c1:~# stat a
    File: a
    Size: 0             Blocks: 1          IO Block: 131072 regular empty file
  Device: 43h/67d       Inode: 33890       Links: 1
  Access: (2644/-rw-r-Sr--)  Uid: (    0/    root)   Gid: (    0/    root)
  Access: 2018-03-02 03:32:47.019430367 +0000
  Modify: 2018-03-02 03:32:47.019430367 +0000
  Change: 2018-03-02 03:32:49.459445015 +0000
   Birth: -
  root@c1:~# stat b
    File: b
    Size: 0             Blocks: 1          IO Block: 131072 regular empty file
  Device: 43h/67d       Inode: 34186       Links: 1
  Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (  117/postdrop)
  Access: 2018-03-02 03:32:50.907453706 +0000
  Modify: 2018-03-02 03:32:50.907453706 +0000
  Change: 2018-03-02 03:33:01.299516054 +0000
   Birth: -
  root@c1:~# 
  ```

  And for confirmation, using a tmpfs in the same container:

  ```
  root@c1:~# mkdir tmpfs
  root@c1:~# mount -t tmpfs tmpfs tmpfs
  root@c1:~# cd tmpfs/
  root@c1:~/tmpfs# touch a
  root@c1:~/tmpfs# chmod g+s a
  root@c1:~/tmpfs# touch b
  root@c1:~/tmpfs# chown 0:117 b
  root@c1:~/tmpfs# chmod g+s b
  root@c1:~/tmpfs# stat a
    File: a
    Size: 0             Blocks: 0          IO Block: 4096   regular empty file
  Device: 65h/101d      Inode: 3           Links: 1
  Access: (2644/-rw-r-Sr--)  Uid: (    0/    root)   Gid: (    0/    root)
  Access: 2018-03-02 03:33:35.783722623 +0000
  Modify: 2018-03-02 03:33:35.783722623 +0000
  Change: 2018-03-02 03:33:40.507750883 +0000
   Birth: -
  root@c1:~/tmpfs# stat b
    File: b
    Size: 0             Blocks: 0          IO Block: 4096   regular empty file
  Device: 65h/101d      Inode: 4           Links: 1
  Access: (2644/-rw-r-Sr--)  Uid: (    0/    root)   Gid: (  117/postdrop)
  Access: 2018-03-02 03:33:42.131760597 +0000
  Modify: 2018-03-02 03:33:42.131760597 +0000
  Change: 2018-03-02 03:33:46.227785091 +0000
   Birth: -
  root@c1:~/tmpfs# 
  ```

  This is particularly troubling because there are no errors returned to
  the user, so we now have containers that will have broken binaries and
  permissions applied to them with no visible way to detect the problem
  short of scanning the entire filesystem against a list of known
  permissions.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1753288/+subscriptions
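
The scan the report describes, comparing files against a list of known permissions, could look like the sketch below. It is an added example, not part of the bug report or of the Ubuntu fix; the function names and the manifest format (one "<octal-mode> <path>" per line, e.g. from `stat -c '%a %n'` on a known-good system) are assumptions. File b from the reproducer, expected at 2644 and found at 644, would be reported as "LOST 2000".

```shell
#!/bin/sh
# Added example: report files that lost setuid/setgid/sticky bits.
# Assumed manifest format: "<octal-mode> <path>" per line, e.g. the output of
#   stat -c '%a %n' FILE...   taken on a known-good system.
# Usage: audit_manifest /path/to/manifest

# Print (in octal) the special bits set in EXPECTED ($1) but absent in
# ACTUAL ($2); prints 0 when nothing was lost. Returns 2 on a non-octal mode.
missing_special_bits() {
    for m in "$1" "$2"; do
        case $m in ''|*[!0-7]*) return 2 ;; esac
    done
    want=$(( 0$1 & 07000 ))      # leading 0 forces octal interpretation
    have=$(( 0$2 & 07000 ))
    printf '%o\n' $(( want & ~have ))
}

# Check every manifest entry; print one line per problem, return 1 if any.
# Extra permission bits on disk are not reported, only lost special bits.
audit_manifest() {
    status=0
    while read -r mode path || [ -n "$mode" ]; do
        case $mode in ''|'#'*) continue ;; esac     # blank line or comment
        if ! actual=$(stat -c '%a' -- "$path" 2>/dev/null); then
            echo "MISSING $path"; status=1; continue
        fi
        if ! lost=$(missing_special_bits "$mode" "$actual"); then
            echo "BADMODE $mode $path"; status=1; continue
        fi
        if [ "$lost" != 0 ]; then
            echo "LOST $lost $path (expected $mode, found $actual)"
            status=1
        fi
    done < "$1"
    return "$status"
}
```

Paths containing newlines are not supported by this manifest format, and `stat -c` assumes GNU coreutils.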

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
