Bug #1711535 “Xenial update to 4.4.82 stable release” : Bugs : linux package : Ubuntu

Stefan Bader (smb) on 2017-08-18

tags:

added: kernel-stable-tracking-bug

Revision history for this message

Stefan Bader (smb) wrote on 2017-08-18:

#1

Patch "packet: fix tp_reserve race in packet_set_ring" was skipped because it is already applied for CVE-2017-1000111.

Skipped a whole bunch of changes, namely:

* revert "net: account for current skb length when
  deciding about UFO"
* revert "ipv4: Should use consistent conditional judgement for ip
  fragment in __ip_append_data and ip_finish_output"
* udp: consistently apply ufo or fragmentation
* ipv4: Should use consistent conditional judgement for ip fragment
  in __ip_append_data and ip_finish_output
* net: account for current skb length when deciding about UFO

I checked the resulting files net/ipv4/udp.c, net/ipv4/ip_output.c, and net/ipv6/ip6_output.c from the 4.4.y tree and our Xenial tree. And overall there is only one difference in the ip*_ouput.c files which come from applying "udp: avoid ufo handling on IP payload compression packets" and "ipv6: Don't use ufo handling on later transformed packets" which I picked as additional patches to be part of CVE-2017-1000112. And those still look like fixes to valid issues (though probably not directly related to the CVE). So I would suggest we stay at what we got right now.

description:

updated

Stefan Bader (smb) on 2017-08-18

Changed in linux (Ubuntu Xenial):
assignee:	nobody → Stefan Bader (smb)
importance:	Undecided → Medium
status:	New → In Progress
Changed in linux (Ubuntu):
status:	New → Invalid

Thadeu Lima de Souza Cascardo (cascardo) on 2017-08-22

Changed in linux (Ubuntu Xenial):
status:	In Progress → Fix Committed

Revision history for this message

Launchpad Janitor (janitor) wrote on 2017-09-18:

#2

Download full text (14.4 KiB)

This bug was fixed in the package linux - 4.4.0-96.119

---------------
linux (4.4.0-96.119) xenial; urgency=low

* linux: 4.4.0-96.119 -proposed tracker (LP: #1716613)

  * kernel panic -not syncing: Fatal exception: panic_on_oops (LP: #1708399)
    - s390/mm: no local TLB flush for clearing-by-ASCE IDTE
    - SAUCE: s390/mm: fix local TLB flushing vs. detach of an mm address space
    - SAUCE: s390/mm: fix race on mm->context.flush_mm

* CVE-2017-1000251
- Bluetooth: Properly check L2CAP config option output buffer length

linux (4.4.0-95.118) xenial; urgency=low

* linux: 4.4.0-95.118 -proposed tracker (LP: #1715651)

  * Xenial update to 4.4.78 stable release broke Address Sanitizer
    (LP: #1715636)
    - mm: revert x86_64 and arm64 ELF_ET_DYN_BASE base changes

linux (4.4.0-94.117) xenial; urgency=low

* linux: 4.4.0-94.117 -proposed tracker (LP: #1713462)

  * mwifiex causes kernel oops when AP mode is enabled (LP: #1712746)
    - SAUCE: net/wireless: do not dereference invalid pointer
    - SAUCE: mwifiex: do not dereference invalid pointer

  * Backport more recent Broadcom bnxt_en driver (LP: #1711056)
    - SAUCE: bnxt_en_bpo: Import bnxt_en driver version 1.8.1
    - SAUCE: bnxt_en_bpo: Drop distro out-of-tree detection logic
    - SAUCE: bnxt_en_bpo: Remove unnecessary compile flags
    - SAUCE: bnxt_en_bpo: Move config settings to Kconfig
    - SAUCE: bnxt_en_bpo: Remove PCI_IDs handled by the regular driver
    - SAUCE: bnxt_en_bpo: Rename the backport driver to bnxt_en_bpo
    - bnxt_en_bpo: [Config] Enable CONFIG_BNXT_BPO=m

  * HID: multitouch: Support ALPS PTP Stick and Touchpad devices (LP: #1712481)
    - HID: multitouch: Support PTP Stick and Touchpad device
    - SAUCE: HID: multitouch: Support ALPS PTP stick with pid 0x120A

* igb: Support using Broadcom 54616 as PHY (LP: #1712024)
- SAUCE: igb: add support for using Broadcom 54616 as PHY

  * IPR driver causes multipath to fail paths/stuck IO on Medium Errors
    (LP: #1682644)
    - scsi: ipr: do not set DID_PASSTHROUGH on CHECK CONDITION

  * accessing /dev/hvc1 with stress-ng on Ubuntu xenial causes crash
    (LP: #1711401)
    - tty/hvc: Use IRQF_SHARED for OPAL hvc consoles

  * memory-hotplug test needs to be fixed (LP: #1710868)
    - selftests: typo correction for memory-hotplug test
    - selftests: check hot-pluggagble memory for memory-hotplug test
    - selftests: check percentage range for memory-hotplug test
    - selftests: add missing test name in memory-hotplug test
    - selftests: fix memory-hotplug test

* HP lt4132 LTE/HSPA+ 4G Module (03f0:a31d) does not work (LP: #1707643)
- net: cdc_mbim: apply "NDP to end" quirk to HP lt4132

  * Migrating KSM page causes the VM lock up as the KSM page merging list is too
    large (LP: #1680513)
    - ksm: introduce ksm_max_page_sharing per page deduplication limit
    - ksm: fix use after free with merge_across_nodes = 0
    - ksm: cleanup stable_node chain collapse case
    - ksm: swap the two output parameters of chain/chain_prune
    - ksm: optimize refile of stable_node_dup at the head of the chain

* sort ABI files with C.UTF-8 locale (LP: #1712345)
- [Packaging] sort ABI ...

This bug was fixed in the package linux - 4.4.0-96.119

---------------
linux (4.4.0-96.119) xenial; urgency=low

* linux: 4.4.0-96.119 -proposed tracker (LP: #1716613)

* kernel panic -not syncing: Fatal exception: panic_on_oops (LP: #1708399)
    - s390/mm: no local TLB flush for clearing-by-ASCE IDTE
    - SAUCE: s390/mm: fix local TLB flushing vs. detach of an mm address space
    - SAUCE: s390/mm: fix race on mm->context.flush_mm

* CVE-2017-1000251
    - Bluetooth: Properly check L2CAP config option output buffer length

linux (4.4.0-95.118) xenial; urgency=low

* linux: 4.4.0-95.118 -proposed tracker (LP: #1715651)

* Xenial update to 4.4.78 stable release broke Address Sanitizer
    (LP: #1715636)
    - mm: revert x86_64 and arm64 ELF_ET_DYN_BASE base changes

linux (4.4.0-94.117) xenial; urgency=low

* linux: 4.4.0-94.117 -proposed tracker (LP: #1713462)

* mwifiex causes kernel oops when AP mode is enabled (LP: #1712746)
    - SAUCE: net/wireless: do not dereference invalid pointer
    - SAUCE: mwifiex: do not dereference invalid pointer

* Backport more recent Broadcom bnxt_en driver (LP: #1711056)
    - SAUCE: bnxt_en_bpo: Import bnxt_en driver version 1.8.1
    - SAUCE: bnxt_en_bpo: Drop distro out-of-tree detection logic
    - SAUCE: bnxt_en_bpo: Remove unnecessary compile flags
    - SAUCE: bnxt_en_bpo: Move config settings to Kconfig
    - SAUCE: bnxt_en_bpo: Remove PCI_IDs handled by the regular driver
    - SAUCE: bnxt_en_bpo: Rename the backport driver to bnxt_en_bpo
    - bnxt_en_bpo: [Config] Enable CONFIG_BNXT_BPO=m

* HID: multitouch: Support ALPS PTP Stick and Touchpad devices (LP: #1712481)
    - HID: multitouch: Support PTP Stick and Touchpad device
    - SAUCE: HID: multitouch: Support ALPS PTP stick with pid 0x120A

* igb: Support using Broadcom 54616 as PHY (LP: #1712024)
    - SAUCE: igb: add support for using Broadcom 54616 as PHY

* IPR driver causes multipath to fail paths/stuck IO on Medium Errors
    (LP: #1682644)
    - scsi: ipr: do not set DID_PASSTHROUGH on CHECK CONDITION

* accessing /dev/hvc1 with stress-ng on Ubuntu xenial causes crash
    (LP: #1711401)
    - tty/hvc: Use IRQF_SHARED for OPAL hvc consoles

* memory-hotplug test needs to be fixed (LP: #1710868)
    - selftests: typo correction for memory-hotplug test
    - selftests: check hot-pluggagble memory for memory-hotplug test
    - selftests: check percentage range for memory-hotplug test
    - selftests: add missing test name in memory-hotplug test
    - selftests: fix memory-hotplug test

* HP lt4132 LTE/HSPA+ 4G Module (03f0:a31d) does not work (LP: #1707643)
    - net: cdc_mbim: apply "NDP to end" quirk to HP lt4132

* Migrating KSM page causes the VM lock up as the KSM page merging list is too
    large (LP: #1680513)
    - ksm: introduce ksm_max_page_sharing per page deduplication limit
    - ksm: fix use after free with merge_across_nodes = 0
    - ksm: cleanup stable_node chain collapse case
    - ksm: swap the two output parameters of chain/chain_prune
    - ksm: optimize refile of stable_node_dup at the head of the chain

* sort ABI files with C.UTF-8 locale (LP: #1712345)
    - [Packaging] sort ABI files with C.UTF-8 locale

* Include Broadcom GPL modules in Xenial Kernel (LP: #1665783)
    - [Config] OpenNSL Kconfig/Makefile
    - Import OpenNSL v3.1.0.17
    - [Config] CONFIG_OPENNSL=y for amd64
    - OpenNSL: Enable Kconfig and build
    - SAUCE: opennsl: add proper CFLAGS

* Xenial update to 4.4.83 stable release (LP: #1711557)
    - cpuset: fix a deadlock due to incomplete patching of cpusets_enabled()
    - mm: ratelimit PFNs busy info message
    - iscsi-target: fix memory leak in iscsit_setup_text_cmd()
    - iscsi-target: Fix iscsi_np reset hung task during parallel delete
    - fuse: initialize the flock flag in fuse_file on allocation
    - nfs/flexfiles: fix leak of nfs4_ff_ds_version arrays
    - USB: serial: option: add D-Link DWM-222 device ID
    - USB: serial: cp210x: add support for Qivicon USB ZigBee dongle
    - USB: serial: pl2303: add new ATEN device id
    - usb: musb: fix tx fifo flush handling again
    - USB: hcd: Mark secondary HCD as dead if the primary one died
    - staging:iio:resolver:ad2s1210 fix negative IIO_ANGL_VEL read
    - iio: accel: bmc150: Always restore device to normal mode after suspend-
      resume
    - iio: light: tsl2563: use correct event code
    - uas: Add US_FL_IGNORE_RESIDUE for Initio Corporation INIC-3069
    - USB: Check for dropped connection before switching to full speed
    - usb: core: unlink urbs from the tail of the endpoint's urb_list
    - usb: quirks: Add no-lpm quirk for Moshi USB to Ethernet Adapter
    - usb:xhci:Add quirk for Certain failing HP keyboard on reset after resume
    - iio: adc: vf610_adc: Fix VALT selection value for REFSEL bits
    - pnfs/blocklayout: require 64-bit sector_t
    - pinctrl: sunxi: add a missing function of A10/A20 pinctrl driver
    - pinctrl: samsung: Remove bogus irq_[un]mask from resource management
    - Linux 4.4.83

* Xenial update to 4.4.82 stable release (LP: #1711535)
    - tcp: avoid setting cwnd to invalid ssthresh after cwnd reduction states
    - net: fix keepalive code vs TCP_FASTOPEN_CONNECT
    - bpf, s390: fix jit branch offset related to ldimm64
    - net: sched: set xt_tgchk_param par.nft_compat as 0 in ipt_init_target
    - tcp: fastopen: tcp_connect() must refresh the route
    - net: avoid skb_warn_bad_offload false positives on UFO
    - sparc64: Prevent perf from running during super critical sections
    - KVM: arm/arm64: Handle hva aging while destroying the vm
    - mm/mempool: avoid KASAN marking mempool poison checks as use-after-free
    - Linux 4.4.82

* Xenial update to 4.4.81 stable release (LP: #1711526)
    - libata: array underflow in ata_find_dev()
    - workqueue: restore WQ_UNBOUND/max_active==1 to be ordered
    - ALSA: hda - Fix speaker output from VAIO VPCL14M1R
    - ASoC: do not close shared backend dailink
    - KVM: async_pf: make rcu irq exit if not triggered from idle task
    - mm/page_alloc: Remove kernel address exposure in free_reserved_area()
    - ext4: fix SEEK_HOLE/SEEK_DATA for blocksize < pagesize
    - ext4: fix overflow caused by missing cast in ext4_resize_fs()
    - ARM: dts: armada-38x: Fix irq type for pca955
    - media: platform: davinci: return -EINVAL for VPFE_CMD_S_CCDC_RAW_PARAMS
      ioctl
    - target: Avoid mappedlun symlink creation during lun shutdown
    - iscsi-target: Always wait for kthread_should_stop() before kthread exit
    - iscsi-target: Fix early sk_data_ready LOGIN_FLAGS_READY race
    - iscsi-target: Fix initial login PDU asynchronous socket close OOPs
    - iscsi-target: Fix delayed logout processing greater than
      SECONDS_FOR_LOGOUT_COMP
    - iser-target: Avoid isert_conn->cm_id dereference in isert_login_recv_done
    - mm, mprotect: flush TLB if potentially racing with a parallel reclaim
      leaving stale TLB entries
    - media: lirc: LIRC_GET_REC_RESOLUTION should return microseconds
    - f2fs: sanity check checkpoint segno and blkoff
    - drm: rcar-du: fix backport bug
    - saa7164: fix double fetch PCIe access condition
    - ipv4: ipv6: initialize treq->txhash in cookie_v[46]_check()
    - net: Zero terminate ifr_name in dev_ifname().
    - ipv6: avoid overflow of offset in ip6_find_1stfragopt
    - ipv4: initialize fib_trie prior to register_netdev_notifier call.
    - rtnetlink: allocate more memory for dev_set_mac_address()
    - mcs7780: Fix initialization when CONFIG_VMAP_STACK is enabled
    - openvswitch: fix potential out of bound access in parse_ct
    - packet: fix use-after-free in prb_retire_rx_blk_timer_expired()
    - ipv6: Don't increase IPSTATS_MIB_FRAGFAILS twice in ip6_fragment()
    - net: ethernet: nb8800: Handle all 4 RGMII modes identically
    - dccp: fix a memleak that dccp_ipv6 doesn't put reqsk properly
    - dccp: fix a memleak that dccp_ipv4 doesn't put reqsk properly
    - dccp: fix a memleak for dccp_feat_init err process
    - sctp: don't dereference ptr before leaving _sctp_walk_{params, errors}()
    - sctp: fix the check for _sctp_walk_params and _sctp_walk_errors
    - net/mlx5: Fix command bad flow on command entry allocation failure
    - net: phy: Correctly process PHY_HALTED in phy_stop_machine()
    - net: phy: Fix PHY unbind crash
    - xen-netback: correctly schedule rate-limited queues
    - sparc64: Measure receiver forward progress to avoid send mondo timeout
    - wext: handle NULL extra data in iwe_stream_add_point better
    - sh_eth: R8A7740 supports packet shecksumming
    - net: phy: dp83867: fix irq generation
    - tg3: Fix race condition in tg3_get_stats64().
    - x86/boot: Add missing declaration of string functions
    - phy state machine: failsafe leave invalid RUNNING state
    - scsi: qla2xxx: Get mutex lock before checking optrom_state
    - drm/virtio: fix framebuffer sparse warning
    - virtio_blk: fix panic in initialization error path
    - ARM: 8632/1: ftrace: fix syscall name matching
    - mm, slab: make sure that KMALLOC_MAX_SIZE will fit into MAX_ORDER
    - lib/Kconfig.debug: fix frv build failure
    - signal: protect SIGNAL_UNKILLABLE from unintentional clearing.
    - mm: don't dereference struct page fields of invalid pages
    - workqueue: implicit ordered attribute should be overridable
    - Linux 4.4.81

* Xenial update to 4.4.80 stable release (LP: #1710646)
    - af_key: Add lock to key dump
    - pstore: Make spinlock per zone instead of global
    - powerpc/pseries: Fix of_node_put() underflow during reconfig remove
    - crypto: authencesn - Fix digest_null crash
    - md/raid5: add thread_group worker async_tx_issue_pending_all
    - drm/vmwgfx: Fix gcc-7.1.1 warning
    - drm/nouveau/bar/gf100: fix access to upper half of BAR2
    - KVM: PPC: Book3S HV: Context-switch EBB registers properly
    - KVM: PPC: Book3S HV: Restore critical SPRs to host values on guest exit
    - KVM: PPC: Book3S HV: Reload HTM registers explicitly
    - KVM: PPC: Book3S HV: Save/restore host values of debug registers
    - Revert "powerpc/numa: Fix percpu allocations to be NUMA aware"
    - Staging: comedi: comedi_fops: Avoid orphaned proc entry
    - drm/rcar: Nuke preclose hook
    - drm: rcar-du: Perform initialization/cleanup at probe/remove time
    - drm: rcar-du: Simplify and fix probe error handling
    - perf intel-pt: Fix ip compression
    - perf intel-pt: Fix last_ip usage
    - perf intel-pt: Use FUP always when scanning for an IP
    - perf intel-pt: Ensure never to set 'last_ip' when packet 'count' is zero
    - xfs: don't BUG() on mixed direct and mapped I/O
    - nfc: fdp: fix NULL pointer dereference
    - net: phy: Do not perform software reset for Generic PHY
    - isdn: Fix a sleep-in-atomic bug
    - isdn/i4l: fix buffer overflow
    - ath10k: fix null deref on wmi-tlv when trying spectral scan
    - wil6210: fix deadlock when using fw_no_recovery option
    - mailbox: always wait in mbox_send_message for blocking Tx mode
    - mailbox: skip complete wait event if timer expired
    - mailbox: handle empty message in tx_tick
    - mpt3sas: Don't overreach ioc->reply_post[] during initialization
    - kaweth: fix firmware download
    - kaweth: fix oops upon failed memory allocation
    - sched/cgroup: Move sched_online_group() back into css_online() to fix crash
    - PM / Domains: defer dev_pm_domain_set() until genpd->attach_dev succeeds if
      present
    - RDMA/uverbs: Fix the check for port number
    - libnvdimm, btt: fix btt_rw_page not returning errors
    - ipmi/watchdog: fix watchdog timeout set on reboot
    - v4l: s5c73m3: fix negation operator
    - pstore: Allow prz to control need for locking
    - pstore: Correctly initialize spinlock and flags
    - pstore: Use dynamic spinlock initializer
    - net: skb_needs_check() accepts CHECKSUM_NONE for tx
    - sched/cputime: Fix prev steal time accouting during CPU hotplug
    - xen/blkback: don't free be structure too early
    - xen/blkback: don't use xen_blkif_get() in xen-blkback kthread
    - tpm: fix a kernel memory leak in tpm-sysfs.c
    - tpm: Replace device number bitmap with IDR
    - x86/mce/AMD: Make the init code more robust
    - r8169: add support for RTL8168 series add-on card.
    - ARM: dts: n900: Mark eMMC slot with no-sdio and no-sd flags
    - net/mlx4: Remove BUG_ON from ICM allocation routine
    - drm/msm: Ensure that the hardware write pointer is valid
    - drm/msm: Verify that MSM_SUBMIT_BO_FLAGS are set
    - vfio-pci: use 32-bit comparisons for register address for gcc-4.5
    - irqchip/keystone: Fix "scheduling while atomic" on rt
    - ASoC: tlv320aic3x: Mark the RESET register as volatile
    - spi: dw: Make debugfs name unique between instances
    - ASoC: nau8825: fix invalid configuration in Pre-Scalar of FLL
    - irqchip/mxs: Enable SKIP_SET_WAKE and MASK_ON_SUSPEND
    - openrisc: Add _text symbol to fix ksym build error
    - dmaengine: ioatdma: Add Skylake PCI Dev ID
    - dmaengine: ioatdma: workaround SKX ioatdma version
    - dmaengine: ti-dma-crossbar: Add some 'of_node_put()' in error path.
    - ARM64: zynqmp: Fix W=1 dtc 1.4 warnings
    - ARM64: zynqmp: Fix i2c node's compatible string
    - ARM: s3c2410_defconfig: Fix invalid values for NF_CT_PROTO_*
    - ACPI / scan: Prefer devices without _HID/_CID for _ADR matching
    - usb: gadget: Fix copy/pasted error message
    - Btrfs: adjust outstanding_extents counter properly when dio write is split
    - tools lib traceevent: Fix prev/next_prio for deadline tasks
    - xfrm: Don't use sk_family for socket policy lookups
    - perf tools: Install tools/lib/traceevent plugins with install-bin
    - perf symbols: Robustify reading of build-id from sysfs
    - video: fbdev: cobalt_lcdfb: Handle return NULL error from devm_ioremap
    - vfio-pci: Handle error from pci_iomap
    - arm64: mm: fix show_pte KERN_CONT fallout
    - nvmem: imx-ocotp: Fix wrong register size
    - sh_eth: enable RX descriptor word 0 shift on SH7734
    - ALSA: usb-audio: test EP_FLAG_RUNNING at urb completion
    - HID: ignore Petzl USB headlamp
    - scsi: fnic: Avoid sending reset to firmware when another reset is in
      progress
    - scsi: snic: Return error code on memory allocation failure
    - ASoC: dpcm: Avoid putting stream state to STOP when FE stream is paused
    - Linux 4.4.80

* Please only recommend or suggest initramfs-tools | linux-initramfs-tool for
    kernels able to boot without initramfs (LP: #1700972)
    - [Debian] Don't depend on initramfs-tools

-- Stefan Bader <stefan.bader@canonical.com>  Tue, 12 Sep 2017 15:40:01 +0200

Changed in linux (Ubuntu Xenial):
status:	Fix Committed → Fix Released

Ubuntu
linux package

Xenial update to 4.4.82 stable release

Bug Description

CVE References

Duplicates of this bug

Other bug subscribers

Remote bug watches

Affects		Status	Importance	Assigned to	Milestone
	linux (Ubuntu)	Invalid	Undecided	Unassigned
	Xenial	Fix Released	Medium	Stefan Bader

Ubuntulinux package