Ubuntu
linux package

Focal update: v5.4.212 upstream stable release

Bug #1991156 reported by Kamal Mostafa on 2022-09-28

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	linux (Ubuntu)	Invalid	Undecided	Unassigned
	Focal	Fix Released	Medium	Kamal Mostafa

Bug Description

SRU Justification

    Impact:
       The upstream process for stable tree updates is quite similar
       in scope to the Ubuntu SRU process, e.g., each patch has to
       demonstrably fix a bug, and each patch is vetted by upstream
       by originating either directly from a mainline/stable Linux tree or
       a minimally backported form of that patch. The following upstream
       stable patches should be included in the Ubuntu kernel:

v5.4.212 upstream stable release
from git://git.kernel.org/

audit: fix potential double free on error path from fsnotify_add_inode_mark
parisc: Fix exception handler for fldw and fstw instructions
kernel/sys_ni: add compat entry for fadvise64_64
usb: cdns3: Fix issue for clear halt endpoint
pinctrl: amd: Don't save/restore interrupt status and wake status bits
sched/deadline: Unthrottle PI boosted threads while enqueuing
sched/deadline: Fix stale throttling on de-/boosted tasks
sched/deadline: Fix priority inheritance with multiple scheduling classes
kernel/sched: Remove dl_boosted flag comment
xfrm: fix refcount leak in __xfrm_policy_check()
af_key: Do not call xfrm_probe_algs in parallel
SUNRPC: RPC level errors should set task->tk_rpc_status
rose: check NULL rose_loopback_neigh->loopback
net/mlx5e: Properly disable vlan strip on non-UL reps
net: moxa: get rid of asymmetry in DMA mapping/unmapping
bonding: 802.3ad: fix no transmission of LACPDUs
net: ipvtap - add __init/__exit annotations to module init/exit funcs
netfilter: ebtables: reject blobs that don't provide all entry points
bnxt_en: fix NQ resource accounting during vf creation on 57500 chips
netfilter: nft_payload: report ERANGE for too long offset and length
netfilter: nft_payload: do not truncate csum_offset and csum_type
netfilter: nft_osf: restrict osf to ipv4, ipv6 and inet families
netfilter: nft_tunnel: restrict it to netdev family
net: Fix data-races around weight_p and dev_weight_[rt]x_bias.
net: Fix data-races around netdev_tstamp_prequeue.
ratelimit: Fix data-races in ___ratelimit().
net: Fix a data-race around sysctl_tstamp_allow_data.
net: Fix a data-race around sysctl_net_busy_poll.
net: Fix a data-race around sysctl_net_busy_read.
net: Fix a data-race around netdev_budget.
net: Fix a data-race around netdev_budget_usecs.
net: Fix a data-race around sysctl_somaxconn.
ixgbe: stop resetting SYSTIME in ixgbe_ptp_start_cyclecounter
btrfs: fix silent failure when deleting root reference
btrfs: replace: drop assert for suspended replace
btrfs: add info when mount fails due to stale replace target
btrfs: check if root is readonly while setting security xattr
x86/unwind/orc: Unwind ftrace trampolines with correct ORC entry
loop: Check for overflow while configuring loop
asm-generic: sections: refactor memory_intersects
s390: fix double free of GS and RI CBs on fork() failure
ACPI: processor: Remove freq Qos request for all CPUs
mm/hugetlb: fix hugetlb not supporting softdirty tracking
md: call __md_stop_writes in md_stop
perf/x86/intel/uncore: Fix broken read_counter() for SNB IMC PMU
scsi: storvsc: Remove WQ_MEM_RECLAIM from storvsc_error_wq
mm: Force TLB flush for PFNMAP mappings before unlink_file_vma()
s390/mm: do not trigger write fault when vma does not allow VM_WRITE
x86/bugs: Add "unknown" reporting for MMIO Stale Data
kbuild: Fix include path in scripts/Makefile.modpost
Bluetooth: L2CAP: Fix build errors in some archs
HID: steam: Prevent NULL pointer dereference in steam_{recv,send}_report
udmabuf: Set the DMA mask for the udmabuf device (v2)
media: pvrusb2: fix memory leak in pvr_probe
HID: hidraw: fix memory leak in hidraw_release()
fbdev: fb_pm2fb: Avoid potential divide by zero error
ftrace: Fix NULL pointer dereference in is_ftrace_trampoline when ftrace is dead
bpf: Don't redirect packets with invalid pkt_len
mm/rmap: Fix anon_vma->degree ambiguity leading to double-reuse
btrfs: introduce btrfs_lookup_match_dir
btrfs: do not pin logs too early during renames
btrfs: unify lookup return value when dir entry is missing
drm/amd/display: Avoid MPC infinite loop
drm/amd/display: clear optc underflow before turn off odm clock
neigh: fix possible DoS due to net iface start/stop loop
s390/hypfs: avoid error message under KVM
drm/amd/display: Fix pixel clock programming
netfilter: conntrack: NF_CONNTRACK_PROCFS should no longer default to y
btrfs: tree-checker: check for overlapping extent items
lib/vdso: Let do_coarse() return 0 to simplify the callsite
lib/vdso: Mark do_hres() and do_coarse() as __always_inline
kprobes: don't call disarm_kprobe() for disabled kprobes
net/af_packet: check len when min_header_len equals to 0
net: neigh: don't call kfree_skb() under spin_lock_irqsave()
Linux 5.4.212
UBUNTU: Upstream stable to v5.4.212

See original description

Tags:

CVE References

Kamal Mostafa (kamalmostafa) on 2022-09-28

Changed in linux (Ubuntu):
status:	New → Confirmed
tags:	added: kernel-stable-tracking-bug
Changed in linux (Ubuntu):
status:	Confirmed → Invalid
Changed in linux (Ubuntu Focal):
status:	New → In Progress
importance:	Undecided → Medium
assignee:	nobody → Kamal Mostafa (kamalmostafa)
description:	updated

Revision history for this message

Stefan Bader (smb) wrote on 2022-10-05:

Skipped af_key: "Do not call xfrm_probe_algs in parallel" as it already was applied for security (CVE-2022-3028).

Changed in linux (Ubuntu Focal):
status:	In Progress → Fix Committed

Revision history for this message

Launchpad Janitor (janitor) wrote on 2022-11-15:

Download full text (31.5 KiB)

This bug was fixed in the package linux - 5.4.0-132.148

---------------
linux (5.4.0-132.148) focal; urgency=medium

  * CVE-2022-42719
    - mac80211: mlme: find auth challenge directly
    - wifi: mac80211: don't parse mbssid in assoc response
    - wifi: mac80211: fix MBSSID parsing use-after-free

  * iavf: SR-IOV VFs error with no traffic flow when MTU greater than 1500
    (LP: #1983656)
    - iavf: Fix set max MTU size with port VLAN and jumbo frames
    - i40e: Fix VF set max MTU size

  * fib_nexthop_nongw.sh from ubuntu_kernel_selftests failed on B-5.4
    (LP: #1990800)
    - SAUCE: selftests/net: skipping tests for older ip command releases

  * CVE-2022-29901
    - Revert "x86/speculation: Add RSB VM Exit protections"
    - Revert "x86/cpu: Add a steppings field to struct x86_cpu_id"
    - x86/devicetable: Move x86 specific macro out of generic code
    - x86/cpu: Add consistent CPU match macros
    - x86/cpu: Add a steppings field to struct x86_cpu_id
    - x86/kvm/vmx: Make noinstr clean
    - x86/cpufeatures: Move RETPOLINE flags to word 11
    - x86/bugs: Report AMD retbleed vulnerability
    - x86/bugs: Add AMD retbleed= boot parameter
    - x86/bugs: Keep a per-CPU IA32_SPEC_CTRL value
    - x86/entry: Remove skip_r11rcx
    - x86/entry: Add kernel IBRS implementation
    - x86/bugs: Optimize SPEC_CTRL MSR writes
    - x86/speculation: Add spectre_v2=ibrs option to support Kernel IBRS
    - x86/bugs: Split spectre_v2_select_mitigation() and
      spectre_v2_user_select_mitigation()
    - x86/bugs: Report Intel retbleed vulnerability
    - intel_idle: Disable IBRS during long idle
    - x86/speculation: Change FILL_RETURN_BUFFER to work with objtool
    - x86/speculation: Fix RSB filling with CONFIG_RETPOLINE=n
    - x86/speculation: Fix firmware entry SPEC_CTRL handling
    - x86/speculation: Fix SPEC_CTRL write on SMT state change
    - x86/speculation: Use cached host SPEC_CTRL value for guest entry/exit
    - x86/speculation: Remove x86_spec_ctrl_mask
    - KVM/VMX: Use TEST %REG,%REG instead of CMP $0,%REG in vmenter.S
    - KVM/nVMX: Use __vmx_vcpu_run in nested_vmx_check_vmentry_hw
    - KVM: VMX: Flatten __vmx_vcpu_run()
    - KVM: VMX: Convert launched argument to flags
    - KVM: VMX: Prevent guest RSB poisoning attacks with eIBRS
    - KVM: VMX: Fix IBRS handling after vmexit
    - x86/speculation: Fill RSB on vmexit for IBRS
    - x86/common: Stamp out the stepping madness
    - x86/cpu/amd: Enumerate BTC_NO
    - x86/bugs: Add Cannon lake to RETBleed affected CPU list
    - x86/speculation: Disable RRSBA behavior
    - x86/speculation: Use DECLARE_PER_CPU for x86_spec_ctrl_current
    - x86/bugs: Warn when "ibrs" mitigation is selected on Enhanced IBRS parts
    - x86/speculation: Add RSB VM Exit protections

  * ACPI: processor idle: Practically limit "Dummy wait" workaround to old Intel
    systems (LP: #1990985)
    - ACPI: processor_idle: Skip dummy wait if kernel is in guest
    - ACPI: processor idle: Practically limit "Dummy wait" workaround to old Intel
      systems

* cgroup: all controllers mounted when using 'cgroup_no_v1=' (LP: #1988584)
- cgroup-v1: add disabled controller check in cgroup1_p...

This bug was fixed in the package linux - 5.4.0-132.148

---------------
linux (5.4.0-132.148) focal; urgency=medium

* CVE-2022-42719
    - mac80211: mlme: find auth challenge directly
    - wifi: mac80211: don't parse mbssid in assoc response
    - wifi: mac80211: fix MBSSID parsing use-after-free

* iavf: SR-IOV VFs error with no traffic flow when MTU greater than 1500
    (LP: #1983656)
    - iavf: Fix set max MTU size with port VLAN and jumbo frames
    - i40e: Fix VF set max MTU size

* fib_nexthop_nongw.sh from ubuntu_kernel_selftests failed on B-5.4
    (LP: #1990800)
    - SAUCE: selftests/net: skipping tests for older ip command releases

* cgroup: all controllers mounted when using 'cgroup_no_v1=' (LP: #1988584)
    - cgroup-v1: add disabled controller check in cgroup1_parse_param()

* Focal update: v5.4.212 upstream stable release (LP: #1991156)
    - audit: fix potential double free on error path from fsnotify_add_inode_mark
    - parisc: Fix exception handler for fldw and fstw instructions
    - kernel/sys_ni: add compat entry for fadvise64_64
    - usb: cdns3: Fix issue for clear halt endpoint
    - pinctrl: amd: Don't save/restore interrupt status and wake status bits
    - sched/deadline: Unthrottle PI boosted threads while enqueuing
    - sched/deadline: Fix stale throttling on de-/boosted tasks
    - sched/deadline: Fix priority inheritance with multiple scheduling classes
    - kernel/sched: Remove dl_boosted flag comment
    - xfrm: fix refcount leak in __xfrm_policy_check()
    - SUNRPC: RPC level errors should set task->tk_rpc_status
    - rose: check NULL rose_loopback_neigh->loopback
    - net/mlx5e: Properly disable vlan strip on non-UL reps
    - net: moxa: get rid of asymmetry in DMA mapping/unmapping
    - bonding: 802.3ad: fix no transmission of LACPDUs
    - net: ipvtap - add __init/__exit annotations to module init/exit funcs
    - netfilter: ebtables: reject blobs that don't provide all entry points
    - bnxt_en: fix NQ resource accounting during vf creation on 57500 chips
    - netfilter: nft_payload: report ERANGE for too long offset and length
    - netfilter: nft_payload: do not truncate csum_offset and csum_type
    - netfilter: nft_osf: restrict osf to ipv4, ipv6 and inet families
    - netfilter: nft_tunnel: restrict it to netdev family
    - net: Fix data-races around weight_p and dev_weight_[rt]x_bias.
    - net: Fix data-races around netdev_tstamp_prequeue.
    - ratelimit: Fix data-races in ___ratelimit().
    - net: Fix a data-race around sysctl_tstamp_allow_data.
    - net: Fix a data-race around sysctl_net_busy_poll.
    - net: Fix a data-race around sysctl_net_busy_read.
    - net: Fix a data-race around netdev_budget.
    - net: Fix a data-race around netdev_budget_usecs.
    - net: Fix a data-race around sysctl_somaxconn.
    - ixgbe: stop resetting SYSTIME in ixgbe_ptp_start_cyclecounter
    - btrfs: fix silent failure when deleting root reference
    - btrfs: replace: drop assert for suspended replace
    - btrfs: add info when mount fails due to stale replace target
    - btrfs: check if root is readonly while setting security xattr
    - x86/unwind/orc: Unwind ftrace trampolines with correct ORC entry
    - loop: Check for overflow while configuring loop
    - asm-generic: sections: refactor memory_intersects
    - s390: fix double free of GS and RI CBs on fork() failure
    - ACPI: processor: Remove freq Qos request for all CPUs
    - mm/hugetlb: fix hugetlb not supporting softdirty tracking
    - md: call __md_stop_writes in md_stop
    - perf/x86/intel/uncore: Fix broken read_counter() for SNB IMC PMU
    - scsi: storvsc: Remove WQ_MEM_RECLAIM from storvsc_error_wq
    - mm: Force TLB flush for PFNMAP mappings before unlink_file_vma()
    - s390/mm: do not trigger write fault when vma does not allow VM_WRITE
    - x86/bugs: Add "unknown" reporting for MMIO Stale Data
    - kbuild: Fix include path in scripts/Makefile.modpost
    - Bluetooth: L2CAP: Fix build errors in some archs
    - HID: steam: Prevent NULL pointer dereference in steam_{recv,send}_report
    - udmabuf: Set the DMA mask for the udmabuf device (v2)
    - media: pvrusb2: fix memory leak in pvr_probe
    - HID: hidraw: fix memory leak in hidraw_release()
    - fbdev: fb_pm2fb: Avoid potential divide by zero error
    - ftrace: Fix NULL pointer dereference in is_ftrace_trampoline when ftrace is
      dead
    - bpf: Don't redirect packets with invalid pkt_len
    - mm/rmap: Fix anon_vma->degree ambiguity leading to double-reuse
    - btrfs: introduce btrfs_lookup_match_dir
    - btrfs: do not pin logs too early during renames
    - btrfs: unify lookup return value when dir entry is missing
    - drm/amd/display: Avoid MPC infinite loop
    - drm/amd/display: clear optc underflow before turn off odm clock
    - neigh: fix possible DoS due to net iface start/stop loop
    - s390/hypfs: avoid error message under KVM
    - drm/amd/display: Fix pixel clock programming
    - netfilter: conntrack: NF_CONNTRACK_PROCFS should no longer default to y
    - btrfs: tree-checker: check for overlapping extent items
    - lib/vdso: Let do_coarse() return 0 to simplify the callsite
    - lib/vdso: Mark do_hres() and do_coarse() as __always_inline
    - kprobes: don't call disarm_kprobe() for disabled kprobes
    - net/af_packet: check len when min_header_len equals to 0
    - net: neigh: don't call kfree_skb() under spin_lock_irqsave()
    - Linux 5.4.212

* Focal update: v5.4.211 upstream stable release (LP: #1990190)
    - Makefile: link with -z noexecstack --no-warn-rwx-segments
    - x86: link vdso and boot with -z noexecstack --no-warn-rwx-segments
    - scsi: Revert "scsi: qla2xxx: Fix disk failure to rediscover"
    - ALSA: bcd2000: Fix a UAF bug on the error path of probing
    - igc: Remove _I_PHY_ID checking
    - wifi: mac80211_hwsim: fix race condition in pending packet
    - wifi: mac80211_hwsim: add back erroneously removed cast
    - wifi: mac80211_hwsim: use 32-bit skb cookie
    - add barriers to buffer_uptodate and set_buffer_uptodate
    - HID: wacom: Only report rotation for art pen
    - HID: wacom: Don't register pad_input for touch switch
    - KVM: nVMX: Snapshot pre-VM-Enter BNDCFGS for !nested_run_pending case
    - KVM: nVMX: Snapshot pre-VM-Enter DEBUGCTL for !nested_run_pending case
    - KVM: SVM: Don't BUG if userspace injects an interrupt with GIF=0
    - KVM: nVMX: Let userspace set nVMX MSR to any _host_ supported value
    - KVM: x86: Mark TSS busy during LTR emulation _after_ all fault checks
    - KVM: x86: Set error code to segment selector on LLDT/LTR non-canonical #GP
    - mm/mremap: hold the rmap lock in write mode when moving page table entries.
    - ALSA: hda/conexant: Add quirk for LENOVO 20149 Notebook model
    - ALSA: hda/cirrus - support for iMac 12,1 model
    - ALSA: hda/realtek: Add quirk for another Asus K42JZ model
    - tty: vt: initialize unicode screen buffer
    - vfs: Check the truncate maximum size in inode_newsize_ok()
    - fs: Add missing umask strip in vfs_tmpfile
    - thermal: sysfs: Fix cooling_device_stats_setup() error code path
    - fbcon: Fix boundary checks for fbcon=vc:n1-n2 parameters
    - usbnet: Fix linkwatch use-after-free on disconnect
    - ovl: drop WARN_ON() dentry is NULL in ovl_encode_fh()
    - parisc: Fix device names in /proc/iomem
    - parisc: io_pgetevents_time64() needs compat syscall in 32-bit compat mode
    - drm/gem: Properly annotate WW context on drm_gem_lock_reservations() error
    - drm/nouveau: fix another off-by-one in nvbios_addr
    - drm/amdgpu: Check BO's requested pinning domains against its
      preferred_domains
    - iio: light: isl29028: Fix the warning in isl29028_remove()
    - fuse: limit nsec
    - serial: mvebu-uart: uart2 error bits clearing
    - md-raid10: fix KASAN warning
    - ia64, processor: fix -Wincompatible-pointer-types in ia64_get_irr()
    - PCI: Add defines for normal and subtractive PCI bridges
    - powerpc/fsl-pci: Fix Class Code of PCIe Root Port
    - powerpc/ptdump: Fix display of RW pages on FSL_BOOK3E
    - powerpc/powernv: Avoid crashing if rng is NULL
    - MIPS: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK
    - coresight: Clear the connection field properly
    - USB: HCD: Fix URB giveback issue in tasklet function
    - ARM: dts: uniphier: Fix USB interrupts for PXs2 SoC
    - arm64: dts: uniphier: Fix USB interrupts for PXs3 SoC
    - netfilter: nf_tables: fix null deref due to zeroed list head
    - epoll: autoremove wakers even more aggressively
    - x86: Handle idle=nomwait cmdline properly for x86_idle
    - arm64: Do not forget syscall when starting a new thread.
    - arm64: fix oops in concurrently setting insn_emulation sysctls
    - ext2: Add more validity checks for inode counts
    - genirq: Don't return error on missing optional irq_request_resources()
    - wait: Fix __wait_event_hrtimeout for RT/DL tasks
    - ARM: dts: imx6ul: add missing properties for sram
    - ARM: dts: imx6ul: change operating-points to uint32-matrix
    - ARM: dts: imx6ul: fix csi node compatible
    - ARM: dts: imx6ul: fix lcdif node compatible
    - ARM: dts: imx6ul: fix qspi node compatible
    - spi: synquacer: Add missing clk_disable_unprepare()
    - ARM: OMAP2+: display: Fix refcount leak bug
    - ACPI: EC: Remove duplicate ThinkPad X1 Carbon 6th entry from DMI quirks
    - ACPI: PM: save NVS memory for Lenovo G40-45
    - ACPI: LPSS: Fix missing check in register_device_clock()
    - arm64: dts: qcom: ipq8074: fix NAND node name
    - arm64: dts: allwinner: a64: orangepi-win: Fix LED node name
    - ARM: shmobile: rcar-gen2: Increase refcount for new reference
    - PM: hibernate: defer device probing when resuming from hibernation
    - selinux: Add boundary check in put_entry()
    - spi: spi-rspi: Fix PIO fallback on RZ platforms
    - ARM: findbit: fix overflowing offset
    - meson-mx-socinfo: Fix refcount leak in meson_mx_socinfo_init
    - ARM: bcm: Fix refcount leak in bcm_kona_smc_init
    - x86/pmem: Fix platform-device leak in error path
    - ARM: dts: ast2500-evb: fix board compatible
    - ARM: dts: ast2600-evb: fix board compatible
    - soc: fsl: guts: machine variable might be unset
    - ARM: dts: qcom: mdm9615: add missing PMIC GPIO reg
    - ARM: OMAP2+: Fix refcount leak in omapdss_init_of
    - ARM: OMAP2+: Fix refcount leak in omap3xxx_prm_late_init
    - cpufreq: zynq: Fix refcount leak in zynq_get_revision
    - soc: qcom: aoss: Fix refcount leak in qmp_cooling_devices_register
    - ARM: dts: qcom: pm8841: add required thermal-sensor-cells
    - bus: hisi_lpc: fix missing platform_device_put() in hisi_lpc_acpi_probe()
    - arm64: dts: mt7622: fix BPI-R64 WPS button
    - erofs: avoid consecutive detection for Highmem memory
    - blk-mq: don't create hctx debugfs dir until q->debugfs_dir is created
    - regulator: of: Fix refcount leak bug in of_get_regulation_constraints()
    - nohz/full, sched/rt: Fix missed tick-reenabling bug in dequeue_task_rt()
    - thermal/tools/tmon: Include pthread and time headers in tmon.h
    - dm: return early from dm_pr_call() if DM device is suspended
    - ath10k: do not enforce interrupt trigger type
    - wifi: rtlwifi: fix error codes in rtl_debugfs_set_write_h2c()
    - drm/mipi-dbi: align max_chunk to 2 in spi_transfer
    - drm/radeon: fix potential buffer overflow in ni_set_mc_special_registers()
    - drm/mediatek: Add pull-down MIPI operation in mtk_dsi_poweroff function
    - drm: adv7511: override i2c address of cec before accessing it
    - i2c: Fix a potential use after free
    - media: tw686x: Register the irq at the end of probe
    - wifi: iwlegacy: 4965: fix potential off-by-one overflow in
      il4965_rs_fill_link_cmd()
    - drm: bridge: adv7511: Add check for mipi_dsi_driver_register
    - drm/mcde: Fix refcount leak in mcde_dsi_bind
    - media: hdpvr: fix error value returns in hdpvr_read
    - drm/vc4: plane: Remove subpixel positioning check
    - drm/vc4: plane: Fix margin calculations for the right/bottom edges
    - drm/vc4: dsi: Correct DSI divider calculations
    - crypto: arm64/gcm - Select AEAD for GHASH_ARM64_CE
    - drm/rockchip: vop: Don't crash for invalid duplicate_state()
    - drm/rockchip: Fix an error handling path rockchip_dp_probe()
    - drm/mediatek: dpi: Remove output format of YUV
    - drm/mediatek: dpi: Only enable dpi after the bridge is enabled
    - drm: bridge: sii8620: fix possible off-by-one
    - drm/msm/mdp5: Fix global state lock backoff
    - crypto: hisilicon - Kunpeng916 crypto driver don't sleep when in softirq
    - media: platform: mtk-mdp: Fix mdp_ipi_comm structure alignment
    - mediatek: mt76: mac80211: Fix missing of_node_put() in mt76_led_init()
    - drm/exynos/exynos7_drm_decon: free resources when clk_set_parent() failed.
    - tcp: make retransmitted SKB fit into the send window
    - libbpf: Fix the name of a reused map
    - selftests: timers: valid-adjtimex: build fix for newer toolchains
    - selftests: timers: clocksource-switch: fix passing errors from child
    - fs: check FMODE_LSEEK to control internal pipe splicing
    - wifi: wil6210: debugfs: fix info leak in wil_write_file_wmi()
    - wifi: p54: Fix an error handling path in p54spi_probe()
    - wifi: p54: add missing parentheses in p54_flush()
    - selftests/bpf: fix a test for snprintf() overflow
    - can: pch_can: do not report txerr and rxerr during bus-off
    - can: rcar_can: do not report txerr and rxerr during bus-off
    - can: sja1000: do not report txerr and rxerr during bus-off
    - can: hi311x: do not report txerr and rxerr during bus-off
    - can: sun4i_can: do not report txerr and rxerr during bus-off
    - can: kvaser_usb_hydra: do not report txerr and rxerr during bus-off
    - can: kvaser_usb_leaf: do not report txerr and rxerr during bus-off
    - can: usb_8dev: do not report txerr and rxerr during bus-off
    - can: error: specify the values of data[5..7] of CAN error frames
    - can: pch_can: pch_can_error(): initialize errc before using it
    - Bluetooth: hci_intel: Add check for platform_driver_register
    - i2c: cadence: Support PEC for SMBus block read
    - i2c: mux-gpmux: Add of_node_put() when breaking out of loop
    - wifi: wil6210: debugfs: fix uninitialized variable use in
      `wil_write_file_wmi()`
    - wifi: iwlwifi: mvm: fix double list_add at iwl_mvm_mac_wake_tx_queue
    - wifi: libertas: Fix possible refcount leak in if_usb_probe()
    - net/mlx5e: Fix the value of MLX5E_MAX_RQ_NUM_MTTS
    - crypto: inside-secure - Add missing MODULE_DEVICE_TABLE for of
    - iavf: Fix max_rate limiting
    - netdevsim: Avoid allocation warnings triggered from user space
    - net: rose: fix netdev reference changes
    - dccp: put dccp_qpolicy_full() and dccp_qpolicy_push() in the same lock
    - clk: renesas: r9a06g032: Fix UART clkgrp bitsel
    - mtd: maps: Fix refcount leak in of_flash_probe_versatile
    - mtd: maps: Fix refcount leak in ap_flash_init
    - mtd: rawnand: meson: Fix a potential double free issue
    - HID: cp2112: prevent a buffer overflow in cp2112_xfer()
    - mtd: sm_ftl: Fix deadlock caused by cancel_work_sync in sm_release
    - mtd: partitions: Fix refcount leak in parse_redboot_of
    - mtd: st_spi_fsm: Add a clk_disable_unprepare() in .probe()'s error path
    - fpga: altera-pr-ip: fix unsigned comparison with less than zero
    - usb: host: Fix refcount leak in ehci_hcd_ppc_of_probe
    - usb: ohci-nxp: Fix refcount leak in ohci_hcd_nxp_probe
    - usb: xhci: tegra: Fix error check
    - clk: mediatek: reset: Fix written reset bit offset
    - misc: rtsx: Fix an error handling path in rtsx_pci_probe()
    - driver core: fix potential deadlock in __driver_attach
    - clk: qcom: clk-krait: unlock spin after mux completion
    - usb: host: xhci: use snprintf() in xhci_decode_trb()
    - clk: qcom: ipq8074: fix NSS port frequency tables
    - clk: qcom: ipq8074: set BRANCH_HALT_DELAY flag for UBI clocks
    - clk: qcom: camcc-sdm845: Fix topology around titan_top power domain
    - soundwire: bus_type: fix remove and shutdown support
    - intel_th: Fix a resource leak in an error handling path
    - intel_th: msu-sink: Potential dereference of null pointer
    - intel_th: msu: Fix vmalloced buffers
    - staging: rtl8192u: Fix sleep in atomic context bug in
      dm_fsync_timer_callback
    - mmc: sdhci-of-esdhc: Fix refcount leak in esdhc_signal_voltage_switch
    - memstick/ms_block: Fix some incorrect memory allocation
    - memstick/ms_block: Fix a memory leak
    - mmc: sdhci-of-at91: fix set_uhs_signaling rewriting of MC1R
    - scsi: smartpqi: Fix DMA direction for RAID requests
    - usb: gadget: udc: amd5536 depends on HAS_DMA
    - RDMA/hns: Fix incorrect clearing of interrupt status register
    - RDMA/siw: Fix duplicated reported IW_CM_EVENT_CONNECT_REPLY event
    - RDMA/hfi1: fix potential memory leak in setup_base_ctxt()
    - gpio: gpiolib-of: Fix refcount bugs in of_mm_gpiochip_add_data()
    - mmc: cavium-octeon: Add of_node_put() when breaking out of loop
    - mmc: cavium-thunderx: Add of_node_put() when breaking out of loop
    - HID: alps: Declare U1_UNICORN_LEGACY support
    - PCI: tegra194: Fix Root Port interrupt handling
    - PCI: tegra194: Fix link up retry sequence
    - USB: serial: fix tty-port initialized comments
    - platform/olpc: Fix uninitialized data in debugfs write
    - mm/mmap.c: fix missing call to vm_unacct_memory in mmap_region
    - RDMA/rxe: Fix error unwind in rxe_create_qp()
    - null_blk: fix ida error handling in null_add_dev()
    - jbd2: fix outstanding credits assert in jbd2_journal_commit_transaction()
    - ext4: recover csum seed of tmp_inode after migrating to extents
    - jbd2: fix assertion 'jh->b_frozen_data == NULL' failure when journal aborted
    - opp: Fix error check in dev_pm_opp_attach_genpd()
    - ASoC: mediatek: mt8173: Fix refcount leak in mt8173_rt5650_rt5676_dev_probe
    - ASoC: mt6797-mt6351: Fix refcount leak in mt6797_mt6351_dev_probe
    - ASoC: codecs: da7210: add check for i2c_add_driver
    - ASoC: mediatek: mt8173-rt5650: Fix refcount leak in mt8173_rt5650_dev_probe
    - serial: 8250_dw: Store LSR into lsr_saved_flags in dw8250_tx_wait_empty()
    - ASoC: codecs: msm8916-wcd-digital: move gains from SX_TLV to S8_TLV
    - ASoC: codecs: wcd9335: move gains from SX_TLV to S8_TLV
    - profiling: fix shift too large makes kernel panic
    - tty: n_gsm: fix non flow control frames during mux flow off
    - tty: n_gsm: fix packet re-transmission without open control channel
    - tty: n_gsm: fix race condition in gsmld_write()
    - remoteproc: qcom: wcnss: Fix handling of IRQs
    - vfio/ccw: Do not change FSM state in subchannel event
    - tty: n_gsm: fix wrong T1 retry count handling
    - tty: n_gsm: fix DM command
    - tty: n_gsm: fix missing corner cases in gsmld_poll()
    - iommu/exynos: Handle failed IOMMU device registration properly
    - rpmsg: qcom_smd: Fix refcount leak in qcom_smd_parse_edge
    - kfifo: fix kfifo_to_user() return type
    - mfd: t7l66xb: Drop platform disable callback
    - mfd: max77620: Fix refcount leak in max77620_initialise_fps
    - iommu/arm-smmu: qcom_iommu: Add of_node_put() when breaking out of loop
    - s390/zcore: fix race when reading from hardware system area
    - ASoC: qcom: q6dsp: Fix an off-by-one in q6adm_alloc_copp()
    - fuse: Remove the control interface for virtio-fs
    - ASoC: audio-graph-card: Add of_node_put() in fail path
    - watchdog: armada_37xx_wdt: check the return value of devm_ioremap() in
      armada_37xx_wdt_probe()
    - video: fbdev: amba-clcd: Fix refcount leak bugs
    - video: fbdev: sis: fix typos in SiS_GetModeID()
    - powerpc/32: Do not allow selection of e5500 or e6500 CPUs on PPC32
    - powerpc/pci: Prefer PCI domain assignment via DT 'linux,pci-domain' and
      alias
    - powerpc/spufs: Fix refcount leak in spufs_init_isolated_loader
    - powerpc/xive: Fix refcount leak in xive_get_max_prio
    - powerpc/cell/axon_msi: Fix refcount leak in setup_msi_msg_address
    - perf symbol: Fail to read phdr workaround
    - kprobes: Forbid probing on trampoline and BPF code areas
    - powerpc/pci: Fix PHB numbering when using opal-phbid
    - genelf: Use HAVE_LIBCRYPTO_SUPPORT, not the never defined HAVE_LIBCRYPTO
    - scripts/faddr2line: Fix vmlinux detection on arm64
    - x86/numa: Use cpumask_available instead of hardcoded NULL check
    - video: fbdev: arkfb: Fix a divide-by-zero bug in ark_set_pixclock()
    - tools/thermal: Fix possible path truncations
    - video: fbdev: vt8623fb: Check the size of screen before memset_io()
    - video: fbdev: arkfb: Check the size of screen before memset_io()
    - video: fbdev: s3fb: Check the size of screen before memset_io()
    - scsi: zfcp: Fix missing auto port scan and thus missing target ports
    - scsi: qla2xxx: Fix discovery issues in FC-AL topology
    - scsi: qla2xxx: Turn off multi-queue for 8G adapters
    - scsi: qla2xxx: Fix erroneous mailbox timeout after PCI error injection
    - x86/olpc: fix 'logical not is only applied to the left hand side'
    - spmi: trace: fix stack-out-of-bound access in SPMI tracing functions
    - kexec, KEYS, s390: Make use of built-in and secondary keyring for signature
      verification
    - tpm: eventlog: Fix section mismatch for DEBUG_SECTION_MISMATCH
    - btrfs: reset block group chunk force if we have to wait
    - ext4: add EXT4_INODE_HAS_XATTR_SPACE macro in xattr.h
    - ext4: make sure ext4_append() always allocates new block
    - ext4: fix use-after-free in ext4_xattr_set_entry
    - ext4: update s_overhead_clusters in the superblock during an on-line resize
    - ext4: fix extent status tree race in writeback error recovery path
    - ext4: correct max_inline_xattr_value_size computing
    - ext4: correct the misjudgment in ext4_iget_extra_inode
    - intel_th: pci: Add Raptor Lake-S CPU support
    - intel_th: pci: Add Raptor Lake-S PCH support
    - intel_th: pci: Add Meteor Lake-P support
    - dm raid: fix address sanitizer warning in raid_resume
    - dm raid: fix address sanitizer warning in raid_status
    - dm thin: fix use-after-free crash in dm_sm_register_threshold_callback
    - dm writecache: set a default MAX_WRITEBACK_JOBS
    - ACPI: CPPC: Do not prevent CPPC from working in the future
    - timekeeping: contribute wall clock to rng on time change
    - firmware: arm_scpi: Ensure scpi_info is not assigned if the probe fails
    - iommu/vt-d: avoid invalid memory access via node_online(NUMA_NO_NODE)
    - btrfs: reject log replay if there is unsupported RO compat flag
    - KVM: Add infrastructure and macro to mark VM as bugged
    - KVM: x86: Check lapic_in_kernel() before attempting to set a SynIC irq
    - KVM: x86: Avoid theoretical NULL pointer dereference in
      kvm_irq_delivery_to_apic_fast()
    - tcp: fix over estimation in sk_forced_mem_schedule()
    - scsi: sg: Allow waiting for commands to complete on removed device
    - Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm regression
    - net/9p: Initialize the iounit field during fid creation
    - net_sched: cls_route: disallow handle of 0
    - ALSA: info: Fix llseek return value when using callback
    - rds: add missing barrier to release_refill
    - ata: libata-eh: Add missing command name
    - mmc: pxamci: Fix another error handling path in pxamci_probe()
    - mmc: pxamci: Fix an error handling path in pxamci_probe()
    - btrfs: fix lost error handling when looking up extended ref on log replay
    - tracing: Have filter accept "common_cpu" to be consistent
    - can: ems_usb: fix clang's -Wunaligned-access warning
    - apparmor: fix quiet_denied for file rules
    - apparmor: fix absroot causing audited secids to begin with =
    - apparmor: Fix failed mount permission check error message
    - apparmor: fix aa_label_asxprint return check
    - apparmor: fix overlapping attachment computation
    - apparmor: fix reference count leak in aa_pivotroot()
    - apparmor: Fix memleak in aa_simple_write_to_buffer()
    - Documentation: ACPI: EINJ: Fix obsolete example
    - NFSv4.1: Don't decrease the value of seq_nr_highest_sent
    - NFSv4.1: Handle NFS4ERR_DELAY replies to OP_SEQUENCE correctly
    - NFSv4: Fix races in the legacy idmapper upcall
    - NFSv4.1: RECLAIM_COMPLETE must handle EACCES
    - NFSv4/pnfs: Fix a use-after-free bug in open
    - can: mcp251x: Fix race condition on receive interrupt
    - sunrpc: fix expiry of auth creds
    - SUNRPC: Reinitialise the backchannel request buffers before reuse
    - devlink: Fix use-after-free after a failed reload
    - net: bgmac: Fix a BUG triggered by wrong bytes_compl
    - pinctrl: nomadik: Fix refcount leak in nmk_pinctrl_dt_subnode_to_map
    - pinctrl: qcom: msm8916: Allow CAMSS GP clocks to be muxed
    - pinctrl: sunxi: Add I/O bias setting for H6 R-PIO
    - ACPI: property: Return type of acpi_add_nondev_subnodes() should be bool
    - geneve: do not use RT_TOS for IPv6 flowlabel
    - plip: avoid rcu debug splat
    - vsock: Fix memory leak in vsock_connect()
    - vsock: Set socket state back to SS_UNCONNECTED in vsock_connect_timeout()
    - dt-bindings: arm: qcom: fix MSM8916 MTP compatibles
    - tools/vm/slabinfo: use alphabetic order when two values are equal
    - tools build: Switch to new openssl API for test-libcrypto
    - NTB: ntb_tool: uninitialized heap data in tool_fn_write()
    - nfp: ethtool: fix the display error of `ethtool -m DEVNAME`
    - xen/xenbus: fix return type in xenbus_file_read()
    - atm: idt77252: fix use-after-free bugs caused by tst_timer
    - dpaa2-eth: trace the allocated address instead of page struct
    - tee: add overflow check in register_shm_helper()
    - nios2: page fault et.al. are *not* restartable syscalls...
    - nios2: don't leave NULLs in sys_call_table[]
    - nios2: traced syscall does need to check the syscall number
    - nios2: fix syscall restart checks
    - nios2: restarts apply only to the first sigframe we build...
    - nios2: add force_successful_syscall_return()
    - iavf: Fix adminq error handling
    - clk: rockchip: add sclk_mac_lbtest to rk3188_critical_clocks
    - netfilter: nf_tables: really skip inactive sets when allocating name
    - powerpc/pci: Fix get_phb_number() locking
    - net: dsa: mv88e6060: prevent crash on an unused port
    - net: moxa: pass pdev instead of ndev to DMA functions
    - net: dsa: microchip: ksz9477: fix fdb_dump last invalid entry
    - ice: Ignore EEXIST when setting promisc mode
    - i40e: Fix to stop tx_timeout recovery if GLOBR fails
    - fec: Fix timer capture timing in `fec_ptp_enable_pps()`
    - igb: Add lock to avoid data race
    - gcc-plugins: Undefine LATENT_ENTROPY_PLUGIN when plugin disabled for a file
    - locking/atomic: Make test_and_*_bit() ordered on failure
    - drm/meson: Fix refcount bugs in meson_vpu_has_available_connectors()
    - PCI: Add ACS quirk for Broadcom BCM5750x NICs
    - usb: cdns3 fix use-after-free at workaround 2
    - usb: gadget: uvc: call uvc uvcg_warn on completed status instead of
      uvcg_info
    - irqchip/tegra: Fix overflow implicit truncation warnings
    - drm/meson: Fix overflow implicit truncation warnings
    - usb: host: ohci-ppc-of: Fix refcount leak bug
    - usb: renesas: Fix refcount leak bug
    - vboxguest: Do not use devm for irq
    - clk: qcom: ipq8074: dont disable gcc_sleep_clk_src
    - scsi: lpfc: Prevent buffer overflow crashes in debugfs with malformed user
      input
    - gadgetfs: ep_io - wait until IRQ finishes
    - cxl: Fix a memory leak in an error handling path
    - PCI/ACPI: Guard ARM64-specific mcfg_quirks
    - um: add "noreboot" command line option for PANIC_TIMEOUT=-1 setups
    - selftests/kprobe: Do not test for GRP/ without event failures
    - dmaengine: sprd: Cleanup in .remove() after pm_runtime_get_sync() failed
    - nvmet-tcp: fix lockdep complaint on nvmet_tcp_wq flush during queue teardown
    - drivers:md:fix a potential use-after-free bug
    - ext4: avoid remove directory when directory is corrupted
    - ext4: avoid resizing to a partial cluster size
    - lib/list_debug.c: Detect uninitialized lists
    - tty: serial: Fix refcount leak bug in ucc_uart.c
    - vfio: Clear the caps->buf to NULL after free
    - mips: cavium-octeon: Fix missing of_node_put() in octeon2_usb_clocks_start
    - riscv: mmap with PROT_WRITE but no PROT_READ is invalid
    - RISC-V: Add fast call path of crash_kexec()
    - watchdog: export lockup_detector_reconfigure
    - powerpc/32: Don't always pass -mcpu=powerpc to the compiler
    - ALSA: core: Add async signal helpers
    - ALSA: timer: Use deferred fasync helper
    - f2fs: fix to avoid use f2fs_bug_on() in f2fs_new_node_page()
    - smb3: check xattr value length earlier
    - powerpc/64: Init jump labels before parse_early_param()
    - video: fbdev: i740fb: Check the argument of i740_calc_vclk()
    - MIPS: tlbex: Explicitly compare _PAGE_NO_EXEC against 0
    - tracing/probes: Have kprobes and uprobes use $COMM too
    - can: j1939: j1939_sk_queue_activate_next_locked(): replace WARN_ON_ONCE with
      netdev_warn_once()
    - can: j1939: j1939_session_destroy(): fix memory leak of skbs
    - btrfs: only write the sectors in the vertical stripe which has data stripes
    - btrfs: raid56: don't trust any cached sector in __raid56_parity_recover()
    - Linux 5.4.211

* CVE-2022-3028
    - af_key: Do not call xfrm_probe_algs in parallel

* CVE-2022-2978
    - fs: fix UAF/GPF bug in nilfs_mdt_destroy

* CVE-2022-40768
    - scsi: stex: Properly zero out the passthrough command structure

-- Stefan Bader <stefan.bader@canonical.com>  Mon, 17 Oct 2022 17:19:41 +0200

Changed in linux (Ubuntu Focal):
status:	Fix Committed → Fix Released

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2022-11-18:

This bug is awaiting verification that the linux-xilinx-zynqmp/5.4.0-1019.22 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: verification-needed-focal

Ubuntu Kernel Bot (ubuntu-kernel-bot) on 2022-12-14

tags:

removed: verification-needed-focal

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntulinux package

Focal update: v5.4.212 upstream stable release

Bug Description

CVE References

Other bug subscribers

Remote bug watches

Ubuntu
linux package