This bug was fixed in the package linux - 5.4.0-128.144 --------------- linux (5.4.0-128.144) focal; urgency=medium
* focal/linux: 5.4.0-128.144 -proposed tracker (LP: #1990152) * CVE-2022-3176 - io_uring: disable polling pollfree files * ip/nexthop: fix default address selection for connected nexthop (LP: #1988809) - selftests/net: test nexthop without gw * ip/nexthop: fix default address selection for connected nexthop (LP: #1988809) // icmp_redirect.sh in ubuntu_kernel_selftests failed on Jammy 5.15.0-49.55 (LP: #1990124) - ip: fix triggering of 'icmp redirect' linux (5.4.0-127.143) focal; urgency=medium * focal/linux: 5.4.0-127.143 -proposed tracker (LP: #1989892) * Packaging resync (LP: #1786013) - debian/dkms-versions -- update from kernel-versions (main/2022.09.19) * [UBUNTU 20.04] mlx5 driver crashes on accessing device attributes during recovery (LP: #1987287) - net/mlx5: Avoid processing commands before cmdif is ready * Focal update: v5.4.210 upstream stable release (LP: #1989230) - thermal: Fix NULL pointer dereferences in of_thermal_ functions - ACPI: video: Force backlight native for some TongFang devices - ACPI: video: Shortening quirk list by identifying Clevo by board_name only - ACPI: APEI: Better fix to avoid spamming the console with old error logs - bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds() - selftests/bpf: Extend verifier and bpf_sock tests for dst_port loads - bpf: Test_verifier, #70 error message updates for 32-bit right shift - KVM: Don't null dereference ops->destroy - selftests: KVM: Handle compiler optimizations in ucall - media: v4l2-mem2mem: Apply DST_QUEUE_OFF_BASE on MMAP buffers across ioctls - macintosh/adb: fix oob read in do_adb_query() function - x86/speculation: Add RSB VM Exit protections - x86/speculation: Add LFENCE to RSB fill sequence - Linux 5.4.210 * Focal update: v5.4.209 upstream stable release (LP: #1989228) - Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put - ntfs: fix use-after-free in ntfs_ucsncmp() - s390/archrandom: prevent CPACF trng invocations in interrupt context - tcp: Fix data-races around sysctl_tcp_dsack. - tcp: Fix a data-race around sysctl_tcp_app_win. - tcp: Fix a data-race around sysctl_tcp_adv_win_scale. - tcp: Fix a data-race around sysctl_tcp_frto. - tcp: Fix a data-race around sysctl_tcp_nometrics_save. - ice: check (DD | EOF) bits on Rx descriptor rather than (EOP | RS) - ice: do not setup vlan for loopback VSI - scsi: ufs: host: Hold reference returned by of_parse_phandle() - tcp: Fix a data-race around sysctl_tcp_limit_output_bytes. - tcp: Fix a data-race around sysctl_tcp_challenge_ack_limit. - net: ping6: Fix memleak in ipv6_renew_options(). - ipv6/addrconf: fix a null-ptr-deref bug for ip6_ptr - igmp: Fix data-races around sysctl_igmp_qrv. - net: sungem_phy: Add of_node_put() for reference returned by of_get_parent() - tcp: Fix a data-race around sysctl_tcp_min_tso_segs. - tcp: Fix a data-race around sysctl_tcp_min_rtt_wlen. - tcp: Fix a data-race around sysctl_tcp_autocorking. - tcp: Fix a data-race around sysctl_tcp_invalid_ratelimit. - Documentation: fix sctp_wmem in ip-sysctl.rst - tcp: Fix a data-race around sysctl_tcp_comp_sack_delay_ns. - tcp: Fix a data-race around sysctl_tcp_comp_sack_nr. - i40e: Fix interface init with MSI interrupts (no MSI-X) - sctp: fix sleep in atomic context bug in timer handlers - virtio-net: fix the race between refill work and close - perf symbol: Correct address for bss symbols - sfc: disable softirqs for ptp TX - sctp: leave the err path free in sctp_stream_init to sctp_stream_free - ARM: crypto: comment out gcc warning that breaks clang builds - mt7601u: add USB device ID for some versions of XiaoDu WiFi Dongle. - scsi: core: Fix race between handling STS_RESOURCE and completion - Linux 5.4.209 * Focal update: v5.4.208 upstream stable release (LP: #1988225) - pinctrl: stm32: fix optional IRQ support to gpios - riscv: add as-options for modules with assembly compontents - mlxsw: spectrum_router: Fix IPv4 nexthop gateway indication - lockdown: Fix kexec lockdown bypass with ima policy - xen/gntdev: Ignore failure to unmap INVALID_GRANT_HANDLE - PCI: hv: Fix multi-MSI to allow more than one MSI vector - PCI: hv: Fix hv_arch_irq_unmask() for multi-MSI - PCI: hv: Reuse existing IRTE allocation in compose_msi_msg() - PCI: hv: Fix interrupt mapping for multi-MSI - serial: mvebu-uart: correctly report configured baudrate value - xfrm: xfrm_policy: fix a possible double xfrm_pols_put() in xfrm_bundle_lookup() - power/reset: arm-versatile: Fix refcount leak in versatile_reboot_probe - pinctrl: ralink: Check for null return of devm_kcalloc - perf/core: Fix data race between perf_event_set_output() and perf_mmap_close() - igc: Reinstate IGC_REMOVED logic and implement it properly - ip: Fix data-races around sysctl_ip_no_pmtu_disc. - ip: Fix data-races around sysctl_ip_fwd_use_pmtu. - ip: Fix data-races around sysctl_ip_nonlocal_bind. - ip: Fix a data-race around sysctl_fwmark_reflect. - tcp/dccp: Fix a data-race around sysctl_tcp_fwmark_accept. - tcp: Fix data-races around sysctl_tcp_mtu_probing. - tcp: Fix data-races around sysctl_tcp_base_mss. - tcp: Fix data-races around sysctl_tcp_min_snd_mss. - tcp: Fix a data-race around sysctl_tcp_mtu_probe_floor. - tcp: Fix a data-race around sysctl_tcp_probe_threshold. - tcp: Fix a data-race around sysctl_tcp_probe_interval. - i2c: cadence: Change large transfer count reset logic to be unconditional - net: stmmac: fix dma queue left shift overflow issue - net/tls: Fix race in TLS device down flow - igmp: Fix data-races around sysctl_igmp_llm_reports. - igmp: Fix a data-race around sysctl_igmp_max_memberships. - tcp: Fix data-races around sysctl_tcp_syncookies. - tcp: Fix data-races around sysctl_tcp_reordering. - tcp: Fix data-races around some timeout sysctl knobs. - tcp: Fix a data-race around sysctl_tcp_notsent_lowat. - tcp: Fix a data-race around sysctl_tcp_tw_reuse. - tcp: Fix data-races around sysctl_max_syn_backlog. - tcp: Fix data-races around sysctl_tcp_fastopen. - iavf: Fix handling of dummy receive descriptors - i40e: Fix erroneous adapter reinitialization during recovery process - ixgbe: Add locking to prevent panic when setting sriov_numvfs to zero - gpio: pca953x: only use single read/write for No AI mode - be2net: Fix buffer overflow in be_get_module_eeprom - ipv4: Fix a data-race around sysctl_fib_multipath_use_neigh. - udp: Fix a data-race around sysctl_udp_l3mdev_accept. - tcp: Fix data-races around sysctl knobs related to SYN option. - tcp: Fix a data-race around sysctl_tcp_early_retrans. - tcp: Fix data-races around sysctl_tcp_recovery. - tcp: Fix a data-race around sysctl_tcp_thin_linear_timeouts. - tcp: Fix data-races around sysctl_tcp_slow_start_after_idle. - tcp: Fix a data-race around sysctl_tcp_retrans_collapse. - tcp: Fix a data-race around sysctl_tcp_stdurg. - tcp: Fix a data-race around sysctl_tcp_rfc1337. - tcp: Fix data-races around sysctl_tcp_max_reordering. - spi: bcm2835: bcm2835_spi_handle_err(): fix NULL pointer deref for non DMA transfers - mm/mempolicy: fix uninit-value in mpol_rebind_policy() - bpf: Make sure mac_header was set before using it - dlm: fix pending remove if msg allocation fails - ima: remove the IMA_TEMPLATE Kconfig option - [Config] updateconfigs for IMA_TEMPLATE - locking/refcount: Define constants for saturation and max refcount values - locking/refcount: Ensure integer operands are treated as signed - locking/refcount: Remove unused refcount_*_checked() variants - locking/refcount: Move the bulk of the REFCOUNT_FULL implementation into the <linux/refcount.h> header - locking/refcount: Improve performance of generic REFCOUNT_FULL code - locking/refcount: Move saturation warnings out of line - locking/refcount: Consolidate REFCOUNT_{MAX,SATURATED} definitions - locking/refcount: Consolidate implementations of refcount_t - [Config] updateconfigs for REFCOUNT_FULL - x86: get rid of small constant size cases in raw_copy_{to,from}_user() - x86/uaccess: Implement macros for CMPXCHG on user addresses - mmap locking API: initial implementation as rwsem wrappers - x86/mce: Deduplicate exception handling - bitfield.h: Fix "type of reg too small for mask" test - ALSA: memalloc: Align buffer allocations in page size - Bluetooth: Add bt_skb_sendmsg helper - Bluetooth: Add bt_skb_sendmmsg helper - Bluetooth: SCO: Replace use of memcpy_from_msg with bt_skb_sendmsg - Bluetooth: RFCOMM: Replace use of memcpy_from_msg with bt_skb_sendmmsg - Bluetooth: Fix passing NULL to PTR_ERR - Bluetooth: SCO: Fix sco_send_frame returning skb->len - Bluetooth: Fix bt_skb_sendmmsg not allocating partial chunks - tty: drivers/tty/, stop using tty_schedule_flip() - tty: the rest, stop using tty_schedule_flip() - tty: drop tty_schedule_flip() - tty: extract tty_flip_buffer_commit() from tty_flip_buffer_push() - tty: use new tty_insert_flip_string_and_push_buffer() in pty_write() - x86: drop bogus "cc" clobber from __try_cmpxchg_user_asm() - Linux 5.4.208 * Focal update: v5.4.207 upstream stable release (LP: #1988219) - ALSA: hda - Add fixup for Dell Latitidue E5430 - ALSA: hda/conexant: Apply quirk for another HP ProDesk 600 G3 model - ALSA: hda/realtek - Fix headset mic problem for a HP machine with alc671 - ALSA: hda/realtek - Fix headset mic problem for a HP machine with alc221 - ALSA: hda/realtek - Enable the headset-mic on a Xiaomi's laptop - xen/netback: avoid entering xenvif_rx_next_skb() with an empty rx queue - tracing/histograms: Fix memory leak problem - net: sock: tracing: Fix sock_exceed_buf_limit not to dereference stale pointer - ip: fix dflt addr selection for connected nexthop - ARM: 9213/1: Print message about disabled Spectre workarounds only once - ARM: 9214/1: alignment: advance IT state after emulating Thumb instruction - wifi: mac80211: fix queue selection for mesh/OCB interfaces - cgroup: Use separate src/dst nodes when preloading css_sets for migration - drm/panfrost: Fix shrinker list corruption by madvise IOCTL - nilfs2: fix incorrect masking of permission flags for symlinks - Revert "evm: Fix memleak in init_desc" - sched/rt: Disable RT_RUNTIME_SHARE by default - ext4: fix race condition between ext4_write and ext4_convert_inline_data - ARM: dts: imx6qdl-ts7970: Fix ngpio typo and count - ARM: 9209/1: Spectre-BHB: avoid pr_info() every time a CPU comes out of idle - ARM: 9210/1: Mark the FDT_FIXED sections as shareable - drm/i915: fix a possible refcount leak in intel_dp_add_mst_connector() - ima: Fix a potential integer overflow in ima_appraise_measurement - ASoC: sgtl5000: Fix noise on shutdown/remove - net: stmmac: dwc-qos: Disable split header for Tegra194 - inetpeer: Fix data-races around sysctl. - net: Fix data-races around sysctl_mem. - cipso: Fix data-races around sysctl. - icmp: Fix data-races around sysctl. - ipv4: Fix a data-race around sysctl_fib_sync_mem. - ARM: dts: at91: sama5d2: Fix typo in i2s1 node - ARM: dts: sunxi: Fix SPI NOR campatible on Orange Pi Zero - drm/i915/gt: Serialize TLB invalidates with GT resets - icmp: Fix a data-race around sysctl_icmp_ratelimit. - icmp: Fix a data-race around sysctl_icmp_ratemask. - raw: Fix a data-race around sysctl_raw_l3mdev_accept. - ipv4: Fix data-races around sysctl_ip_dynaddr. - net: ftgmac100: Hold reference returned by of_get_child_by_name() - sfc: fix use after free when disabling sriov - seg6: fix skb checksum evaluation in SRH encapsulation/insertion - seg6: fix skb checksum in SRv6 End.B6 and End.B6.Encaps behaviors - seg6: bpf: fix skb checksum in bpf_push_seg6_encap() - sfc: fix kernel panic when creating VF - mm: sysctl: fix missing numa_stat when !CONFIG_HUGETLB_PAGE - virtio_mmio: Add missing PM calls to freeze/restore - virtio_mmio: Restore guest page size on resume - netfilter: br_netfilter: do not skip all hooks with 0 priority - cpufreq: pmac32-cpufreq: Fix refcount leak bug - platform/x86: hp-wmi: Ignore Sanitization Mode event - net: tipc: fix possible refcount leak in tipc_sk_create() - NFC: nxp-nci: don't print header length mismatch on i2c error - nvme: fix regression when disconnect a recovering ctrl - net: sfp: fix memory leak in sfp_probe() - ASoC: ops: Fix off by one in range control validation - ASoC: wm5110: Fix DRE control - ASoC: cs47l15: Fix event generation for low power mux control - ASoC: madera: Fix event generation for OUT1 demux - ASoC: madera: Fix event generation for rate controls - irqchip: or1k-pic: Undefine mask_ack for level triggered hardware - x86: Clear .brk area at early boot - soc: ixp4xx/npe: Fix unused match warning - ARM: dts: stm32: use the correct clock source for CEC on stm32mp151 - signal handling: don't use BUG_ON() for debugging - USB: serial: ftdi_sio: add Belimo device ids - usb: typec: add missing uevent when partner support PD - usb: dwc3: gadget: Fix event pending check - tty: serial: samsung_tty: set dma burst_size to 1 - serial: 8250: fix return error code in serial8250_request_std_resource() - serial: stm32: Clear prev values before setting RTS delays - serial: pl011: UPSTAT_AUTORTS requires .throttle/unthrottle - can: m_can: m_can_tx_handler(): fix use after free of skb - Linux 5.4.207 * Focal update: v5.4.206 upstream stable release (LP: #1988215) - Linux 5.4.206 * Focal update: v5.4.205 upstream stable release (LP: #1988214) - esp: limit skb_page_frag_refill use to a single page - mm/slub: add missing TID updates on slab deactivation - can: bcm: use call_rcu() instead of costly synchronize_rcu() - can: grcan: grcan_probe(): remove extra of_node_get() - can: gs_usb: gs_usb_open/close(): fix memory leak - usbnet: fix memory leak in error case - net: rose: fix UAF bug caused by rose_t0timer_expiry - iommu/vt-d: Fix PCI bus rescan device hot add - fbdev: fbmem: Fix logo center image dx issue - video: of_display_timing.h: include errno.h - powerpc/powernv: delay rng platform device creation until later in boot - can: kvaser_usb: replace run-time checks with struct kvaser_usb_driver_info - can: kvaser_usb: kvaser_usb_leaf: fix CAN clock frequency regression - can: kvaser_usb: kvaser_usb_leaf: fix bittiming limits - xfs: remove incorrect ASSERT in xfs_rename - ARM: meson: Fix refcount leak in meson_smp_prepare_cpus - pinctrl: sunxi: a83t: Fix NAND function name for some pins - pinctrl: sunxi: sunxi_pconf_set: use correct offset - ARM: at91: pm: use proper compatible for sama5d2's rtc - ARM: at91: pm: use proper compatibles for sam9x60's rtc and rtt - ibmvnic: Properly dispose of all skbs during a failover. - selftests: forwarding: fix flood_unicast_test when h2 supports IFF_UNICAST_FLT - selftests: forwarding: fix learning_test when h1 supports IFF_UNICAST_FLT - selftests: forwarding: fix error message in learning_test - i2c: cadence: Unregister the clk notifier in error path - dmaengine: imx-sdma: Allow imx8m for imx7 FW revs - misc: rtsx_usb: fix use of dma mapped buffer for usb bulk transfer - misc: rtsx_usb: use separate command and response buffers - misc: rtsx_usb: set return value in rsp_buf alloc err path - dt-bindings: dma: allwinner,sun50i-a64-dma: Fix min/max typo - ida: don't use BUG_ON() for debugging - dmaengine: pl330: Fix lockdep warning about non-static key - dmaengine: at_xdma: handle errors of at_xdmac_alloc_desc() correctly - dmaengine: ti: Fix refcount leak in ti_dra7_xbar_route_allocate - dmaengine: ti: Add missing put_device in ti_dra7_xbar_route_allocate - Linux 5.4.205 * Focal update: v5.4.204 upstream stable release (LP: #1988212) - ipv6: take care of disable_policy when restoring routes - nvdimm: Fix badblocks clear off-by-one error - powerpc/prom_init: Fix kernel config grep - powerpc/bpf: Fix use of user_pt_regs in uapi - dm raid: fix accesses beyond end of raid member array - dm raid: fix KASAN warning in raid5_add_disks - s390/archrandom: simplify back to earlier design and initialize earlier - SUNRPC: Fix READ_PLUS crasher - net: rose: fix UAF bugs caused by timer handler - net: usb: ax88179_178a: Fix packet receiving - virtio-net: fix race between ndo_open() and virtio_device_ready() - selftests/net: pass ipv6_args to udpgso_bench's IPv6 TCP test - net: tun: unlink NAPI from device on destruction - net: tun: stop NAPI when detaching queues - RDMA/qedr: Fix reporting QP timeout attribute - linux/dim: Fix divide by 0 in RDMA DIM - usbnet: fix memory allocation in helpers - net: ipv6: unexport __init-annotated seg6_hmac_net_init() - caif_virtio: fix race between virtio_device_ready() and ndo_open() - PM / devfreq: exynos-ppmu: Fix refcount leak in of_get_devfreq_events - s390: remove unneeded 'select BUILD_BIN2C' - netfilter: nft_dynset: restore set element counter when failing to update - net/sched: act_api: Notify user space if any actions were flushed before error - net: bonding: fix possible NULL deref in rlb code - net: bonding: fix use-after-free after 802.3ad slave unbind - nfc: nfcmrvl: Fix irq_of_parse_and_map() return value - NFC: nxp-nci: Don't issue a zero length i2c_master_read() - net: tun: avoid disabling NAPI twice - xen/gntdev: Avoid blocking in unmap_grant_pages() - hwmon: (ibmaem) don't call platform_device_del() if platform_device_add() fails - net: dsa: bcm_sf2: force pause link settings - sit: use min - ipv6/sit: fix ipip6_tunnel_get_prl return value - rseq/selftests,x86_64: Add rseq_offset_deref_addv() - selftests/rseq: remove ARRAY_SIZE define from individual tests - selftests/rseq: introduce own copy of rseq uapi header - selftests/rseq: Remove useless assignment to cpu variable - selftests/rseq: Remove volatile from __rseq_abi - selftests/rseq: Introduce rseq_get_abi() helper - selftests/rseq: Introduce thread pointer getters - selftests/rseq: Uplift rseq selftests for compatibility with glibc-2.35 - selftests/rseq: Fix ppc32: wrong rseq_cs 32-bit field pointer on big endian - selftests/rseq: Fix ppc32 missing instruction selection "u" and "x" for load/store - selftests/rseq: Fix ppc32 offsets by using long rather than off_t - selftests/rseq: Fix warnings about #if checks of undefined tokens - selftests/rseq: Remove arm/mips asm goto compiler work-around - selftests/rseq: Fix: work-around asm goto compiler bugs - selftests/rseq: x86-64: use %fs segment selector for accessing rseq thread area - selftests/rseq: x86-32: use %gs segment selector for accessing rseq thread area - selftests/rseq: Change type of rseq_offset to ptrdiff_t - xen/blkfront: fix leaking data in shared pages - xen/netfront: fix leaking data in shared pages - xen/netfront: force data bouncing when backend is untrusted - xen/blkfront: force data bouncing when backend is untrusted - xen/arm: Fix race in RB-tree based P2M accounting - net: usb: qmi_wwan: add Telit 0x1060 composition - net: usb: qmi_wwan: add Telit 0x1070 composition - clocksource/drivers/ixp4xx: remove EXPORT_SYMBOL_GPL from ixp4xx_timer_setup() - Linux 5.4.204 -- Stefan Bader <stefan.ba...@canonical.com> Tue, 20 Sep 2022 11:19:18 +0200 ** Changed in: linux (Ubuntu Focal) Status: Fix Committed => Fix Released ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-3176 -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1988215 Title: Focal update: v5.4.206 upstream stable release Status in linux package in Ubuntu: Invalid Status in linux source package in Focal: Fix Released Bug description: SRU Justification Impact: The upstream process for stable tree updates is quite similar in scope to the Ubuntu SRU process, e.g., each patch has to demonstrably fix a bug, and each patch is vetted by upstream by originating either directly from a mainline/stable Linux tree or a minimally backported form of that patch. The following upstream stable patches should be included in the Ubuntu kernel: v5.4.206 upstream stable release from git://git.kernel.org/ NOTE: This patch set (v5.4.206) is empty; it contained only one revert: Revert "mtd: rawnand: gpmi: Fix setting busy timeout setting" which was never applied to Focal. Linux 5.4.206 UBUNTU: Upstream stable to v5.4.206 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1988215/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp