Bug #1793458 “Overlayfs in user namespace leaks directory conten...” : Bugs : linux package : Ubuntu

Revision history for this message

Philipp Wendler (philw85) wrote on 2018-09-20:

#1

exploit.py Edit (2.7 KiB, text/x-python)
AlsaInfo.txt Edit (44.4 KiB, text/plain; charset="utf-8")
CRDA.txt Edit (3.0 KiB, text/plain; charset="utf-8")
CurrentDmesg.txt Edit (220.4 KiB, text/plain; charset="utf-8")
Dependencies.txt Edit (2.2 KiB, text/plain; charset="utf-8")
IwConfig.txt Edit (431 bytes, text/plain; charset="utf-8")
Lspci.txt Edit (8.9 KiB, text/plain; charset="utf-8")
Lsusb.txt Edit (783 bytes, text/plain; charset="utf-8")
ProcCpuinfo.txt Edit (5.0 KiB, text/plain; charset="utf-8")
ProcCpuinfoMinimal.txt Edit (1.3 KiB, text/plain; charset="utf-8")
ProcEnviron.txt Edit (115 bytes, text/plain; charset="utf-8")
ProcInterrupts.txt Edit (2.7 KiB, text/plain; charset="utf-8")
ProcModules.txt Edit (7.7 KiB, text/plain; charset="utf-8")
PulseList.txt Edit (35.3 KiB, text/plain; charset="utf-8")
RfKill.txt Edit (197 bytes, text/plain; charset="utf-8")
UdevDb.txt Edit (234.6 KiB, text/plain; charset="utf-8")
WifiSyslog.txt Edit (762.2 KiB, text/plain; charset="utf-8")

Marc Deslauriers (mdeslaur) on 2018-10-03

Changed in linux (Ubuntu):
assignee:	nobody → Tyler Hicks (tyhicks)

Revision history for this message

Tyler Hicks (tyhicks) wrote on 2018-10-03:

#2

Thanks for the bug report and the proof of concept! I've been able to reproduce the issue on 4.15.0-36.39-generic.

I'll start looking into the proper fix now.

Changed in linux (Ubuntu):
status:	New → Confirmed

Revision history for this message

Tyler Hicks (tyhicks) wrote on 2018-10-10:

#3

I wanted to provide a quick update. Xenial and Trusty kernels are not affected (I haven't yet identified why). I've got two possible fixes and I'm deciding which one is best.

Changed in linux (Ubuntu):
status:	Confirmed → In Progress
importance:	Undecided → High

Revision history for this message

Tyler Hicks (tyhicks) wrote on 2018-10-18:

#4

This flaw is related to CVE-2015-1328:

https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1328.html

It was fixed by this patch:

https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/xenial/commit/?id=98a3740920f8f3362c1ac50598af2dc632f5051a

Ubuntu carries a patch that allows overlayfs mounting inside of an unprivileged user namespace, so we were carrying the fix mentioned above as a delta against the upstream Linux kernel since the issue didn't affect upstream overlayfs. (It is worth noting that we did share the details of CVE-2015-1328 and the fix privately with upstream overlayfs)

At some point between Ubuntu 16.04 LTS and Ubuntu 18.04 LTS, the patch was incorrectly dropped. This was most likely due to upstream changes to address CVE-2018-16597:

https://people.canonical.com/~ubuntu-security/cve/?cve=CVE-2018-16597

Here's the fix for that issue:

https://git.kernel.org/linus/c0ca3d70e8d3cf81e2255a217f7ca402f5ed0862

In hindsight, the issues that CVE-2015-1328 represent were actually deserving of two CVEs instead of one. The first, and most severe, issue was the copy up permission check. The second issue was the readdir information disclosure. It looks like upstream actually was affected by an issue somewhat similar to the copy up aspect of CVE-2015-1328 and fixed it with the upstream commit c0ca3d70e8d3cf81e2255a217f7ca402f5ed0862 (which is different from the Ubuntu fix for the copy up aspect of CVE-2015-1328 but provides similar protections).

The readdir aspect of the CVE-2015-1328 fix needs to be forward ported to Ubuntu 18.04 LTS and newer kernels. I've done that work, created an Ubuntu kernel regression test so that this doesn't happen again, and now I'm consulting with the Ubuntu Security team as to whether or not a new CVE is needed.

Revision history for this message

Tyler Hicks (tyhicks) wrote on 2018-10-18:

#5

0001-UBUNTU-SAUCE-overlayfs-ensure-mounter-privileges-whe.patch Edit (4.2 KiB, text/plain)

Here's the forwarded ported and modified fix (against the Ubuntu 18.10 kernel) for the readdir issue described in the bug description.

Revision history for this message

Tyler Hicks (tyhicks) wrote on 2018-10-18:

#6

This issue is CVE-2018-6559.

Tyler Hicks (tyhicks) on 2018-10-19

information type:

Private Security → Public Security

Revision history for this message

Tyler Hicks (tyhicks) wrote on 2018-10-19:

#7

Cosmic and "D": https://lists.ubuntu.com/archives/kernel-team/2018-October/096171.html
Bionic: https://lists.ubuntu.com/archives/kernel-team/2018-October/096173.html

Changed in linux (Ubuntu Bionic):
status:	New → In Progress
importance:	Undecided → Medium
Changed in linux (Ubuntu Cosmic):
importance:	High → Medium
Changed in linux (Ubuntu Bionic):
assignee:	nobody → Tyler Hicks (tyhicks)

Ubuntu Foundations Team Bug Bot (crichton) on 2018-10-19

tags:

added: patch

Stefan Bader (smb) on 2018-11-08

Changed in linux (Ubuntu Cosmic):
status:	In Progress → Fix Committed
Changed in linux (Ubuntu Bionic):
status:	In Progress → Fix Committed

Revision history for this message

Brad Figg (brad-figg) wrote on 2018-11-15:

#8

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-cosmic' to 'verification-done-cosmic'. If the problem still exists, change the tag 'verification-needed-cosmic' to 'verification-failed-cosmic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: verification-needed-cosmic

Revision history for this message

Brad Figg (brad-figg) wrote on 2018-11-15:

#9

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: verification-needed-bionic

Revision history for this message

Philipp Wendler (philw85) wrote on 2018-11-19:

#10

I find the demand to test the fix within 5 days, combined with the threat of dropping the patch otherwise, unreasonable.

In my original report of this security problem I have already provided a script that allows to reproduce the problem and check if it still exists.

Requiring an answer within 5 days is too short, after all people can be on holiday or just busy for other reasons.

And even if I as the original submitter wouldn't respond at all, this is a real security problem in Ubuntu that was already confirmed. Are you really going to drop the patch and let CVE-2018-6559 stay unfixed forever?

Maybe I will find the time to test it on Bionic, but I will certainly not install a different version of Ubuntu than the one I am currently running.

I hope that this is all just a misunderstanding and the message does not apply to security problems. In this case please consider changing the message or improving the process such that this confusion will be avoided for future reports.

Revision history for this message

Tyler Hicks (tyhicks) wrote on 2018-11-19: Re: [Bug 1793458] Re: Overlayfs in user namespace leaks directory content of inaccessible directories

#11

On 2018-11-19 18:14:43, Philipp Wendler wrote:
> I hope that this is all just a misunderstanding and the message does not
> apply to security problems. In this case please consider changing the
> message or improving the process such that this confusion will be
> avoided for future reports.

Hi Philipp - I'm sorry about the confusion that comment caused. The
comment was created by an automated script that the kernel team uses to
help with the stable release update process. Security fixes do receive
an exception with this policy.

The common case is that we track security fixes with CVE IDs instead of
Launchpad bug reports. In this case, we do have a bug report for this
security issue so it gets lumped in with all of the other non-security
fixes that are subject to this policy.

Revision history for this message

Philipp Wendler (philw85) wrote on 2018-11-20:

#12

Tyler, thanks for the clarification.

I have tested it with 4.15.0-42-generic from bionic-proposed and can confirm it is fixed.

tags:

added: verification-done-bionic
removed: verification-needed-bionic

Revision history for this message

Tyler Hicks (tyhicks) wrote on 2018-11-27:

#13

I've verified the fix in 4.18.0-12.13-generic from cosmic-proposed.

tags:

added: verification-done-cosmic
removed: verification-needed-cosmic

Revision history for this message

Launchpad Janitor (janitor) wrote on 2018-12-03:

#14

Download full text (39.7 KiB)

This bug was fixed in the package linux - 4.18.0-12.13

---------------
linux (4.18.0-12.13) cosmic; urgency=medium

* linux: 4.18.0-12.13 -proposed tracker (LP: #1802743)

  * [FEAT] Guest-dedicated Crypto Adapters (LP: #1787405)
    - s390/zcrypt: Add ZAPQ inline function.
    - s390/zcrypt: Review inline assembler constraints.
    - s390/zcrypt: Integrate ap_asm.h into include/asm/ap.h.
    - s390/zcrypt: fix ap_instructions_available() returncodes
    - KVM: s390: vsie: simulate VCPU SIE entry/exit
    - KVM: s390: introduce and use KVM_REQ_VSIE_RESTART
    - KVM: s390: refactor crypto initialization
    - s390: vfio-ap: base implementation of VFIO AP device driver
    - s390: vfio-ap: register matrix device with VFIO mdev framework
    - s390: vfio-ap: sysfs interfaces to configure adapters
    - s390: vfio-ap: sysfs interfaces to configure domains
    - s390: vfio-ap: sysfs interfaces to configure control domains
    - s390: vfio-ap: sysfs interface to view matrix mdev matrix
    - KVM: s390: interface to clear CRYCB masks
    - s390: vfio-ap: implement mediated device open callback
    - s390: vfio-ap: implement VFIO_DEVICE_GET_INFO ioctl
    - s390: vfio-ap: zeroize the AP queues
    - s390: vfio-ap: implement VFIO_DEVICE_RESET ioctl
    - KVM: s390: Clear Crypto Control Block when using vSIE
    - KVM: s390: vsie: Do the CRYCB validation first
    - KVM: s390: vsie: Make use of CRYCB FORMAT2 clear
    - KVM: s390: vsie: Allow CRYCB FORMAT-2
    - KVM: s390: vsie: allow CRYCB FORMAT-1
    - KVM: s390: vsie: allow CRYCB FORMAT-0
    - KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-1
    - KVM: s390: vsie: allow guest FORMAT-1 CRYCB on host FORMAT-2
    - KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-2
    - KVM: s390: device attrs to enable/disable AP interpretation
    - KVM: s390: CPU model support for AP virtualization
    - s390: doc: detailed specifications for AP virtualization
    - KVM: s390: fix locking for crypto setting error path
    - KVM: s390: Tracing APCB changes
    - s390: vfio-ap: setup APCB mask using KVM dedicated function
    - [Config:] Enable CONFIG_S390_AP_IOMMU and set CONFIG_VFIO_AP to module.

  * Bypass of mount visibility through userns + mount propagation (LP: #1789161)
    - mount: Retest MNT_LOCKED in do_umount
    - mount: Don't allow copying MNT_UNBINDABLE|MNT_LOCKED mounts

  * CVE-2018-18955: nested user namespaces with more than five extents
    incorrectly grant privileges over inode (LP: #1801924) // CVE-2018-18955
    - userns: also map extents in the reverse map to kernel IDs

  * kdump fail due to an IRQ storm (LP: #1797990)
    - SAUCE: x86/PCI: Export find_cap() to be used in early PCI code
    - SAUCE: x86/quirks: Add parameter to clear MSIs early on boot
    - SAUCE: x86/quirks: Scan all busses for early PCI quirks

* crash in ENA driver on removing an interface (LP: #1802341)
- SAUCE: net: ena: fix crash during ena_remove()

  * Ubuntu 18.04.1 - [s390x] Kernel panic while stressing network bonding
    (LP: #1797367)
    - s390/qeth: reduce hard-coded access to ccw channels
    - s390/qeth: sanitize strings in debug messages

* Add checksum offload and T...

This bug was fixed in the package linux - 4.18.0-12.13

---------------
linux (4.18.0-12.13) cosmic; urgency=medium

* linux: 4.18.0-12.13 -proposed tracker (LP: #1802743)

* [FEAT] Guest-dedicated Crypto Adapters (LP: #1787405)
    - s390/zcrypt: Add ZAPQ inline function.
    - s390/zcrypt: Review inline assembler constraints.
    - s390/zcrypt: Integrate ap_asm.h into include/asm/ap.h.
    - s390/zcrypt: fix ap_instructions_available() returncodes
    - KVM: s390: vsie: simulate VCPU SIE entry/exit
    - KVM: s390: introduce and use KVM_REQ_VSIE_RESTART
    - KVM: s390: refactor crypto initialization
    - s390: vfio-ap: base implementation of VFIO AP device driver
    - s390: vfio-ap: register matrix device with VFIO mdev framework
    - s390: vfio-ap: sysfs interfaces to configure adapters
    - s390: vfio-ap: sysfs interfaces to configure domains
    - s390: vfio-ap: sysfs interfaces to configure control domains
    - s390: vfio-ap: sysfs interface to view matrix mdev matrix
    - KVM: s390: interface to clear CRYCB masks
    - s390: vfio-ap: implement mediated device open callback
    - s390: vfio-ap: implement VFIO_DEVICE_GET_INFO ioctl
    - s390: vfio-ap: zeroize the AP queues
    - s390: vfio-ap: implement VFIO_DEVICE_RESET ioctl
    - KVM: s390: Clear Crypto Control Block when using vSIE
    - KVM: s390: vsie: Do the CRYCB validation first
    - KVM: s390: vsie: Make use of CRYCB FORMAT2 clear
    - KVM: s390: vsie: Allow CRYCB FORMAT-2
    - KVM: s390: vsie: allow CRYCB FORMAT-1
    - KVM: s390: vsie: allow CRYCB FORMAT-0
    - KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-1
    - KVM: s390: vsie: allow guest FORMAT-1 CRYCB on host FORMAT-2
    - KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-2
    - KVM: s390: device attrs to enable/disable AP interpretation
    - KVM: s390: CPU model support for AP virtualization
    - s390: doc: detailed specifications for AP virtualization
    - KVM: s390: fix locking for crypto setting error path
    - KVM: s390: Tracing APCB changes
    - s390: vfio-ap: setup APCB mask using KVM dedicated function
    - [Config:] Enable CONFIG_S390_AP_IOMMU and set CONFIG_VFIO_AP to module.

* Bypass of mount visibility through userns + mount propagation (LP: #1789161)
    - mount: Retest MNT_LOCKED in do_umount
    - mount: Don't allow copying MNT_UNBINDABLE|MNT_LOCKED mounts

*  CVE-2018-18955: nested user namespaces with more than five extents
    incorrectly grant privileges over inode (LP: #1801924) // CVE-2018-18955
    - userns: also map extents in the reverse map to kernel IDs

* kdump fail due to an IRQ storm (LP: #1797990)
    - SAUCE: x86/PCI: Export find_cap() to be used in early PCI code
    - SAUCE: x86/quirks: Add parameter to clear MSIs early on boot
    - SAUCE: x86/quirks: Scan all busses for early PCI quirks

* crash in ENA driver on removing an interface (LP: #1802341)
    - SAUCE: net: ena: fix crash during ena_remove()

* Ubuntu 18.04.1 - [s390x] Kernel panic while stressing network bonding
    (LP: #1797367)
    - s390/qeth: reduce hard-coded access to ccw channels
    - s390/qeth: sanitize strings in debug messages

* Add checksum offload and TSO support for HiNIC adapters (LP: #1800664)
    - net-next/hinic: add checksum offload and TSO support

* smartpqi updates for ubuntu 18.04.2 (LP: #1798208)
    - scsi: smartpqi: improve handling for sync requests
    - scsi: smartpqi: improve error checking for sync requests
    - scsi: smartpqi: add inspur advantech ids
    - scsi: smartpqi: fix critical ARM issue reading PQI index registers
    - scsi: smartpqi: bump driver version to 1.1.4-130

* [GLK/CLX] Enhanced IBRS (LP: #1786139)
    - x86/speculation: Remove SPECTRE_V2_IBRS in enum spectre_v2_mitigation
    - x86/speculation: Support Enhanced IBRS on future CPUs

* Enable keyboard wakeup for S2Idle laptops (LP: #1798552)
    - Input: i8042 - enable keyboard wakeups by default when s2idle is used

* Overlayfs in user namespace leaks directory content of inaccessible
    directories (LP: #1793458) // CVE-2018-6559
    - SAUCE: overlayfs: ensure mounter privileges when reading directories

* Update ENA driver to version 2.0.1K (LP: #1798182)
    - net: ena: remove ndo_poll_controller
    - net: ena: fix auto casting to boolean
    - net: ena: minor performance improvement
    - net: ena: complete host info to match latest ENA spec
    - net: ena: introduce Low Latency Queues data structures according to ENA spec
    - net: ena: add functions for handling Low Latency Queues in ena_com
    - net: ena: add functions for handling Low Latency Queues in ena_netdev
    - net: ena: use CSUM_CHECKED device indication to report skb's checksum status
    - net: ena: explicit casting and initialization, and clearer error handling
    - net: ena: limit refill Rx threshold to 256 to avoid latency issues
    - net: ena: change rx copybreak default to reduce kernel memory pressure
    - net: ena: remove redundant parameter in ena_com_admin_init()
    - net: ena: update driver version to 2.0.1
    - net: ena: fix indentations in ena_defs for better readability
    - net: ena: Fix Kconfig dependency on X86
    - net: ena: enable Low Latency Queues
    - net: ena: fix compilation error in xtensa architecture

* Cosmic update: 4.18.17 upstream stable release (LP: #1802119)
    - xfrm: Validate address prefix lengths in the xfrm selector.
    - xfrm6: call kfree_skb when skb is toobig
    - xfrm: reset transport header back to network header after all input
      transforms ahave been applied
    - xfrm: reset crypto_done when iterating over multiple input xfrms
    - mac80211: Always report TX status
    - cfg80211: reg: Init wiphy_idx in regulatory_hint_core()
    - mac80211: fix pending queue hang due to TX_DROP
    - cfg80211: Address some corner cases in scan result channel updating
    - mac80211: TDLS: fix skb queue/priority assignment
    - mac80211: fix TX status reporting for ieee80211s
    - ARM: 8799/1: mm: fix pci_ioremap_io() offset check
    - xfrm: validate template mode
    - drm/i2c: tda9950: fix timeout counter check
    - drm/i2c: tda9950: set MAX_RETRIES for errors only
    - netfilter: bridge: Don't sabotage nf_hook calls from an l3mdev
    - netfilter: conntrack: get rid of double sizeof
    - arm64: hugetlb: Fix handling of young ptes
    - ARM: dts: BCM63xx: Fix incorrect interrupt specifiers
    - net: macb: Clean 64b dma addresses if they are not detected
    - soc: fsl: qbman: qman: avoid allocating from non existing gen_pool
    - soc: fsl: qe: Fix copy/paste bug in ucc_get_tdm_sync_shift()
    - nl80211: Fix possible Spectre-v1 for NL80211_TXRATE_HT
    - mac80211_hwsim: fix locking when iterating radios during ns exit
    - mac80211_hwsim: fix race in radio destruction from netlink notifier
    - mac80211_hwsim: do not omit multicast announce of first added radio
    - Bluetooth: SMP: fix crash in unpairing
    - pxa168fb: prepare the clock
    - qed: Avoid implicit enum conversion in qed_set_tunn_cls_info
    - qed: Fix mask parameter in qed_vf_prep_tunn_req_tlv
    - qed: Avoid implicit enum conversion in qed_roce_mode_to_flavor
    - qed: Avoid constant logical operation warning in qed_vf_pf_acquire
    - qed: Avoid implicit enum conversion in qed_iwarp_parse_rx_pkt
    - nl80211: Fix possible Spectre-v1 for CQM RSSI thresholds
    - scsi: qedi: Initialize the stats mutex lock
    - rxrpc: Fix checks as to whether we should set up a new call
    - rxrpc: Fix RTT gathering
    - rxrpc: Fix transport sockopts to get IPv4 errors on an IPv6 socket
    - rxrpc: Fix error distribution
    - netfilter: nft_set_rbtree: add missing rb_erase() in GC routine
    - netfilter: avoid erronous array bounds warning
    - asix: Check for supported Wake-on-LAN modes
    - ax88179_178a: Check for supported Wake-on-LAN modes
    - lan78xx: Check for supported Wake-on-LAN modes
    - sr9800: Check for supported Wake-on-LAN modes
    - r8152: Check for supported Wake-on-LAN Modes
    - smsc75xx: Check for Wake-on-LAN modes
    - smsc95xx: Check for Wake-on-LAN modes
    - cfg80211: fix use-after-free in reg_process_hint()
    - KVM: nVMX: Do not expose MPX VMX controls when guest MPX disabled
    - KVM: x86: Do not use kvm_x86_ops->mpx_supported() directly
    - KVM: nVMX: Fix emulation of VM_ENTRY_LOAD_BNDCFGS
    - perf/core: Fix perf_pmu_unregister() locking
    - perf/x86/intel/uncore: Use boot_cpu_data.phys_proc_id instead of hardcorded
      physical package ID 0
    - perf/ring_buffer: Prevent concurent ring buffer access
    - perf/x86/intel/uncore: Fix PCI BDF address of M3UPI on SKX
    - perf/x86/amd/uncore: Set ThreadMask and SliceMask for L3 Cache perf events
    - thunderbolt: Do not handle ICM events after domain is stopped
    - thunderbolt: Initialize after IOMMUs
    - net: fec: fix rare tx timeout
    - declance: Fix continuation with the adapter identification message
    - RISCV: Fix end PFN for low memory
    - Revert "serial: 8250_dw: Fix runtime PM handling"
    - locking/ww_mutex: Fix runtime warning in the WW mutex selftest
    - drm/amd/display: Signal hw_done() after waiting for flip_done()
    - be2net: don't flip hw_features when VXLANs are added/deleted
    - powerpc/numa: Skip onlining a offline node in kdump path
    - net: cxgb3_main: fix a missing-check bug
    - yam: fix a missing-check bug
    - ocfs2: fix crash in ocfs2_duplicate_clusters_by_page()
    - mm/gup_benchmark: fix unsigned comparison to zero in __gup_benchmark_ioctl
    - mm/migrate.c: split only transparent huge pages when allocation fails
    - x86/paravirt: Fix some warning messages
    - clk: mvebu: armada-37xx-periph: Remove unused var num_parents
    - libertas: call into generic suspend code before turning off power
    - perf report: Don't try to map ip to invalid map
    - tls: Fix improper revert in zerocopy_from_iter
    - HID: i2c-hid: Remove RESEND_REPORT_DESCR quirk and its handling
    - compiler.h: Allow arch-specific asm/compiler.h
    - ARM: dts: imx53-qsb: disable 1.2GHz OPP
    - perf python: Use -Wno-redundant-decls to build with PYTHON=python3
    - perf record: Use unmapped IP for inline callchain cursors
    - rxrpc: Don't check RXRPC_CALL_TX_LAST after calling rxrpc_rotate_tx_window()
    - rxrpc: Carry call state out of locked section in rxrpc_rotate_tx_window()
    - rxrpc: Only take the rwind and mtu values from latest ACK
    - rxrpc: Fix connection-level abort handling
    - KVM: x86: support CONFIG_KVM_AMD=y with CONFIG_CRYPTO_DEV_CCP_DD=m
    - net: ena: fix warning in rmmod caused by double iounmap
    - net: ena: fix rare bug when failed restart/resume is followed by driver
      removal
    - net: ena: fix NULL dereference due to untimely napi initialization
    - gpio: Assign gpio_irq_chip::parents to non-stack pointer
    - IB/mlx5: Unmap DMA addr from HCA before IOMMU
    - rds: RDS (tcp) hangs on sendto() to unresponding address
    - selftests: rtnetlink.sh explicitly requires bash.
    - selftests: udpgso_bench.sh explicitly requires bash
    - vmlinux.lds.h: Fix incomplete .text.exit discards
    - vmlinux.lds.h: Fix linker warnings about orphan .LPBX sections
    - afs: Fix cell proc list
    - fs/fat/fatent.c: add cond_resched() to fat_count_free_clusters()
    - Revert "mm: slowly shrink slabs with a relatively small number of objects"
    - Revert "netfilter: ipv6: nf_defrag: drop skb dst before queueing"
    - perf tools: Disable parallelism for 'make clean'
    - bridge: do not add port to router list when receives query with source
      0.0.0.0
    - ipv6: mcast: fix a use-after-free in inet6_mc_check
    - ipv6/ndisc: Preserve IPv6 control buffer if protocol error handlers are
      called
    - ipv6: rate-limit probes for neighbourless routes
    - llc: set SOCK_RCU_FREE in llc_sap_add_socket()
    - net: fec: don't dump RX FIFO register when not available
    - net/ipv6: Fix index counter for unicast addresses in in6_dump_addrs
    - net/mlx5e: fix csum adjustments caused by RXFCS
    - net: sched: gred: pass the right attribute to gred_change_table_def()
    - net: socket: fix a missing-check bug
    - net: stmmac: Fix stmmac_mdio_reset() when building stmmac as modules
    - net: udp: fix handling of CHECKSUM_COMPLETE packets
    - r8169: fix NAPI handling under high load
    - rtnetlink: Disallow FDB configuration for non-Ethernet device
    - sctp: fix race on sctp_id2asoc
    - tipc: fix unsafe rcu locking when accessing publication list
    - udp6: fix encap return code for resubmitting
    - vhost: Fix Spectre V1 vulnerability
    - virtio_net: avoid using netif_tx_disable() for serializing tx routine
    - ethtool: fix a privilege escalation bug
    - bonding: fix length of actor system
    - ip6_tunnel: Fix encapsulation layout
    - openvswitch: Fix push/pop ethernet validation
    - net: ipmr: fix unresolved entry dumps
    - net/mlx5: Take only bit 24-26 of wqe.pftype_wq for page fault type
    - net: bcmgenet: Poll internal PHY for GENETv5
    - net: sched: Fix for duplicate class dump
    - net/sched: cls_api: add missing validation of netlink attributes
    - net/ipv6: Allow onlink routes to have a device mismatch if it is the default
      route
    - sctp: fix the data size calculation in sctp_data_size
    - sctp: not free the new asoc when sctp_wait_for_connect returns err
    - net/mlx5: Fix memory leak when setting fpga ipsec caps
    - net/smc: fix smc_buf_unuse to use the lgr pointer
    - mlxsw: spectrum_switchdev: Don't ignore deletions of learned MACs
    - net: bpfilter: use get_pid_task instead of pid_task
    - net: drop skb on failure in ip_check_defrag()
    - net: fix pskb_trim_rcsum_slow() with odd trim offset
    - mlxsw: core: Fix devlink unregister flow
    - sparc64: Export __node_distance.
    - sparc64: Make corrupted user stacks more debuggable.
    - sparc64: Make proc_id signed.
    - sparc64: Set %l4 properly on trap return after handling signals.
    - sparc64: Wire up compat getpeername and getsockname.
    - sparc: Fix single-pcr perf event counter management.
    - sparc: Fix syscall fallback bugs in VDSO.
    - sparc: Throttle perf events properly.
    - net: bridge: remove ipv6 zero address check in mcast queries
    - Linux 4.18.17

* Cosmic update: 4.18.16 upstream stable release (LP: #1802100)
    - soundwire: Fix duplicate stream state assignment
    - soundwire: Fix incorrect exit after configuring stream
    - soundwire: Fix acquiring bus lock twice during master release
    - media: af9035: prevent buffer overflow on write
    - spi: gpio: Fix copy-and-paste error
    - batman-adv: Avoid probe ELP information leak
    - batman-adv: Fix segfault when writing to throughput_override
    - batman-adv: Fix segfault when writing to sysfs elp_interval
    - batman-adv: Prevent duplicated gateway_node entry
    - batman-adv: Prevent duplicated nc_node entry
    - batman-adv: Prevent duplicated softif_vlan entry
    - batman-adv: Prevent duplicated global TT entry
    - batman-adv: Prevent duplicated tvlv handler
    - batman-adv: fix backbone_gw refcount on queue_work() failure
    - batman-adv: fix hardif_neigh refcount on queue_work() failure
    - cxgb4: fix abort_req_rss6 struct
    - clocksource/drivers/ti-32k: Add CLOCK_SOURCE_SUSPEND_NONSTOP flag for non-
      am43 SoCs
    - scsi: ibmvscsis: Fix a stringop-overflow warning
    - scsi: ibmvscsis: Ensure partition name is properly NUL terminated
    - intel_th: pci: Add Ice Lake PCH support
    - Input: atakbd - fix Atari keymap
    - Input: atakbd - fix Atari CapsLock behaviour
    - selftests: pmtu: properly redirect stderr to /dev/null
    - net: emac: fix fixed-link setup for the RTL8363SB switch
    - ravb: do not write 1 to reserved bits
    - net/smc: fix non-blocking connect problem
    - net/smc: fix sizeof to int comparison
    - qed: Fix populating the invalid stag value in multi function mode.
    - qed: Do not add VLAN 0 tag to untagged frames in multi-function mode.
    - PCI: dwc: Fix scheduling while atomic issues
    - RDMA/uverbs: Fix validity check for modify QP
    - scsi: lpfc: Synchronize access to remoteport via rport
    - drm: mali-dp: Call drm_crtc_vblank_reset on device init
    - scsi: ipr: System hung while dlpar adding primary ipr adapter back
    - scsi: sd: don't crash the host on invalid commands
    - bpf: sockmap only allow ESTABLISHED sock state
    - bpf: sockmap, fix transition through disconnect without close
    - bpf: test_maps, only support ESTABLISHED socks
    - net/mlx4: Use cpumask_available for eq->affinity_mask
    - clocksource/drivers/fttmr010: Fix set_next_event handler
    - RDMA/bnxt_re: Fix system crash during RDMA resource initialization
    - RISC-V: include linux/ftrace.h in asm-prototypes.h
    - iommu/rockchip: Free irqs in shutdown handler
    - pinctrl/amd: poll InterruptEnable bits in amd_gpio_irq_set_type
    - powerpc/tm: Fix userspace r13 corruption
    - powerpc/tm: Avoid possible userspace r1 corruption on reclaim
    - powerpc/numa: Use associativity if VPHN hcall is successful
    - iommu/amd: Return devid as alias for ACPI HID devices
    - x86/boot: Fix kexec booting failure in the SEV bit detection code
    - Revert "vfs: fix freeze protection in mnt_want_write_file() for overlayfs"
    - mremap: properly flush TLB before releasing the page
    - ARC: build: Get rid of toolchain check
    - ARC: build: Don't set CROSS_COMPILE in arch's Makefile
    - Linux 4.18.16

* Cosmic update: 4.18.15 upstream stable release (LP: #1802082)
    - bnxt_en: Fix TX timeout during netpoll.
    - bnxt_en: free hwrm resources, if driver probe fails.
    - bonding: avoid possible dead-lock
    - ip6_tunnel: be careful when accessing the inner header
    - ip_tunnel: be careful when accessing the inner header
    - ipv4: fix use-after-free in ip_cmsg_recv_dstaddr()
    - ipv6: take rcu lock in rawv6_send_hdrinc()
    - net: dsa: bcm_sf2: Call setup during switch resume
    - net: hns: fix for unmapping problem when SMMU is on
    - net: ipv4: update fnhe_pmtu when first hop's MTU changes
    - net/ipv6: Display all addresses in output of /proc/net/if_inet6
    - netlabel: check for IPV4MASK in addrinfo_get
    - net: mvpp2: Extract the correct ethtype from the skb for tx csum offload
    - net: mvpp2: fix a txq_done race condition
    - net: sched: Add policy validation for tc attributes
    - net: sched: cls_u32: fix hnode refcounting
    - net: systemport: Fix wake-up interrupt race during resume
    - net/usb: cancel pending work when unbinding smsc75xx
    - qlcnic: fix Tx descriptor corruption on 82xx devices
    - qmi_wwan: Added support for Gemalto's Cinterion ALASxx WWAN interface
    - rtnl: limit IFLA_NUM_TX_QUEUES and IFLA_NUM_RX_QUEUES to 4096
    - sctp: update dst pmtu with the correct daddr
    - team: Forbid enslaving team device to itself
    - tipc: fix flow control accounting for implicit connect
    - udp: Unbreak modules that rely on external __skb_recv_udp() availability
    - net: qualcomm: rmnet: Skip processing loopback packets
    - net: qualcomm: rmnet: Fix incorrect allocation flag in transmit
    - net: qualcomm: rmnet: Fix incorrect allocation flag in receive path
    - tun: remove unused parameters
    - tun: initialize napi_mutex unconditionally
    - tun: napi flags belong to tfile
    - net: stmmac: Fixup the tail addr setting in xmit path
    - net/packet: fix packet drop as of virtio gso
    - net: dsa: bcm_sf2: Fix unbind ordering
    - net/mlx5e: Set vlan masks for all offloaded TC rules
    - net: aquantia: memory corruption on jumbo frames
    - net/mlx5: E-Switch, Fix out of bound access when setting vport rate
    - bonding: pass link-local packets to bonding master also.
    - bonding: fix warning message
    - net: stmmac: Rework coalesce timer and fix multi-queue races
    - nfp: avoid soft lockups under control message storm
    - bnxt_en: don't try to offload VLAN 'modify' action
    - net-ethtool: ETHTOOL_GUFO did not and should not require CAP_NET_ADMIN
    - net: phy: phylink: fix SFP interface autodetection
    - sfp: fix oops with ethtool -m
    - tcp/dccp: fix lockdep issue when SYN is backlogged
    - inet: make sure to grab rcu_read_lock before using ireq->ireq_opt
    - net: dsa: b53: Keep CPU port as tagged in all VLANs
    - rtnetlink: Fail dump if target netnsid is invalid
    - bnxt_en: Fix VNIC reservations on the PF.
    - net: ipv4: don't let PMTU updates increase route MTU
    - net/mlx5: Check for SQ and not RQ state when modifying hairpin SQ
    - bnxt_en: Fix enables field in HWRM_QUEUE_COS2BW_CFG request
    - bnxt_en: get the reduced max_irqs by the ones used by RDMA
    - net/ipv6: Remove extra call to ip6_convert_metrics for multipath case
    - net/ipv6: stop leaking percpu memory in fib6 info
    - net: mscc: fix the frame extraction into the skb
    - qed: Fix shmem structure inconsistency between driver and the mfw.
    - r8169: fix network stalls due to missing bit TXCFG_AUTO_FIFO
    - r8169: set RX_MULTI_EN bit in RxConfig for 8168F-family chips
    - vxlan: fill ttl inherit info
    - ASoC: dapm: Fix NULL pointer deference on CODEC to CODEC DAIs
    - ASoC: max98373: Added speaker FS gain cotnrol register to volatile.
    - ASoC: rt5514: Fix the issue of the delay volume applied again
    - selftests: android: move config up a level
    - selftests: kselftest: Remove outdated comment
    - ASoC: max98373: Added 10ms sleep after amp software reset
    - ASoC: wm8804: Add ACPI support
    - ASoC: sigmadsp: safeload should not have lower byte limit
    - ASoC: q6routing: initialize data correctly
    - selftests: add headers_install to lib.mk
    - selftests/efivarfs: add required kernel configs
    - selftests: memory-hotplug: add required configs
    - ASoC: rsnd: adg: care clock-frequency size
    - ASoC: rsnd: don't fallback to PIO mode when -EPROBE_DEFER
    - hwmon: (nct6775) Fix access to fan pulse registers
    - Fix cg_read_strcmp()
    - ASoC: AMD: Ensure reset bit is cleared before configuring
    - drm/pl111: Make sure of_device_id tables are NULL terminated
    - Bluetooth: SMP: Fix trying to use non-existent local OOB data
    - Bluetooth: Use correct tfm to generate OOB data
    - Bluetooth: hci_ldisc: Free rw_semaphore on close
    - mfd: omap-usb-host: Fix dts probe of children
    - KVM: PPC: Book3S HV: Don't use compound_order to determine host mapping size
    - scsi: iscsi: target: Don't use stack buffer for scatterlist
    - scsi: qla2xxx: Fix an endian bug in fcpcmd_is_corrupted()
    - sound: enable interrupt after dma buffer initialization
    - sound: don't call skl_init_chip() to reset intel skl soc
    - bpf: btf: Fix end boundary calculation for type section
    - bpf: use __GFP_COMP while allocating page
    - hwmon: (nct6775) Fix virtual temperature sources for NCT6796D
    - hwmon: (nct6775) Fix RPM output for fan7 on NCT6796D
    - stmmac: fix valid numbers of unicast filter entries
    - hwmon: (nct6775) Use different register to get fan RPM for fan7
    - net: ethernet: ti: add missing GENERIC_ALLOCATOR dependency
    - net: macb: disable scatter-gather for macb on sama5d3
    - ARM: dts: at91: add new compatibility string for macb on sama5d3
    - PCI: hv: support reporting serial number as slot information
    - clk: x86: add "ether_clk" alias for Bay Trail / Cherry Trail
    - clk: x86: Stop marking clocks as CLK_IS_CRITICAL
    - pinctrl: cannonlake: Fix gpio base for GPP-E
    - x86/kvm/lapic: always disable MMIO interface in x2APIC mode
    - drm/amdgpu: Fix SDMA HQD destroy error on gfx_v7
    - drm/amdkfd: Change the control stack MTYPE from UC to NC on GFX9
    - drm/amdkfd: Fix ATS capablity was not reported correctly on some APUs
    - mm: slowly shrink slabs with a relatively small number of objects
    - mm/vmstat.c: fix outdated vmstat_text
    - afs: Fix afs_server struct leak
    - afs: Fix clearance of reply
    - MIPS: Fix CONFIG_CMDLINE handling
    - MIPS: VDSO: Always map near top of user memory
    - mach64: detect the dot clock divider correctly on sparc
    - vsprintf: Fix off-by-one bug in bstr_printf() processing dereferenced
      pointers
    - percpu: stop leaking bitmap metadata blocks
    - perf script python: Fix export-to-postgresql.py occasional failure
    - perf script python: Fix export-to-sqlite.py sample columns
    - s390/cio: Fix how vfio-ccw checks pinned pages
    - dm cache: destroy migration_cache if cache target registration failed
    - dm: fix report zone remapping to account for partition offset
    - dm linear: eliminate linear_end_io call if CONFIG_DM_ZONED disabled
    - dm linear: fix linear_end_io conditional definition
    - cgroup: Fix dom_cgrp propagation when enabling threaded mode
    - Input: xpad - add support for Xbox1 PDP Camo series gamepad
    - drm/nouveau/drm/nouveau: Grab runtime PM ref in nv50_mstc_detect()
    - mmc: block: avoid multiblock reads for the last sector in SPI mode
    - pinctrl: mcp23s08: fix irq and irqchip setup order
    - arm64: perf: Reject stand-alone CHAIN events for PMUv3
    - mm/mmap.c: don't clobber partially overlapping VMA with MAP_FIXED_NOREPLACE
    - mm/thp: fix call to mmu_notifier in set_pmd_migration_entry() v2
    - filesystem-dax: Fix dax_layout_busy_page() livelock
    - mm: Preserve _PAGE_DEVMAP across mprotect() calls
    - i2c: i2c-scmi: fix for i2c_smbus_write_block_data
    - KVM: PPC: Book3S HV: Avoid crash from THP collapse during radix page fault
    - Linux 4.18.15

* Cosmic update: 4.18.14 upstream stable release (LP: #1801986)
    - perf/core: Add sanity check to deal with pinned event failure
    - mm: migration: fix migration of huge PMD shared pages
    - mm, thp: fix mlocking THP page with migration enabled
    - mm/vmstat.c: skip NR_TLB_REMOTE_FLUSH* properly
    - KVM: VMX: check for existence of secondary exec controls before accessing
    - blk-mq: I/O and timer unplugs are inverted in blktrace
    - pstore/ram: Fix failure-path memory leak in ramoops_init
    - clocksource/drivers/timer-atmel-pit: Properly handle error cases
    - fbdev/omapfb: fix omapfb_memory_read infoleak
    - mmc: core: Fix debounce time to use microseconds
    - mmc: slot-gpio: Fix debounce time to use miliseconds again
    - mac80211: allocate TXQs for active monitor interfaces
    - drm/amdgpu: Fix vce work queue was not cancelled when suspend
    - drm: fix use-after-free read in drm_mode_create_lease_ioctl()
    - x86/vdso: Fix asm constraints on vDSO syscall fallbacks
    - selftests/x86: Add clock_gettime() tests to test_vdso
    - x86/vdso: Only enable vDSO retpolines when enabled and supported
    - x86/vdso: Fix vDSO syscall fallback asm constraint regression
    - Revert "UBUNTU: SAUCE: PCI: Reprogram bridge prefetch registers on resume"
    - PCI: Reprogram bridge prefetch registers on resume
    - mac80211: fix setting IEEE80211_KEY_FLAG_RX_MGMT for AP mode keys
    - PM / core: Clear the direct_complete flag on errors
    - dm mpath: fix attached_handler_name leak and dangling hw_handler_name
      pointer
    - dm cache metadata: ignore hints array being too small during resize
    - dm cache: fix resize crash if user doesn't reload cache table
    - xhci: Add missing CAS workaround for Intel Sunrise Point xHCI
    - usb: xhci-mtk: resume USB3 roothub first
    - USB: serial: simple: add Motorola Tetra MTP6550 id
    - USB: serial: option: improve Quectel EP06 detection
    - USB: serial: option: add two-endpoints device-id flag
    - usb: cdc_acm: Do not leak URB buffers
    - tty: Drop tty->count on tty_reopen() failure
    - of: unittest: Disable interrupt node tests for old world MAC systems
    - powerpc: Avoid code patching freed init sections
    - powerpc/lib: fix book3s/32 boot failure due to code patching
    - ARC: clone syscall to setp r25 as thread pointer
    - f2fs: fix invalid memory access
    - tipc: call start and done ops directly in __tipc_nl_compat_dumpit()
    - ucma: fix a use-after-free in ucma_resolve_ip()
    - ubifs: Check for name being NULL while mounting
    - rds: rds_ib_recv_alloc_cache() should call alloc_percpu_gfp() instead
    - ath10k: fix scan crash due to incorrect length calculation
    - Linux 4.18.14

* Cosmic update: 4.18.13 upstream stable release (LP: #1801931)
    - rseq/selftests: fix parametrized test with -fpie
    - mac80211: Run TXQ teardown code before de-registering interfaces
    - mac80211_hwsim: require at least one channel
    - Btrfs: fix unexpected failure of nocow buffered writes after snapshotting
      when low on space
    - KVM: PPC: Book3S HV: Don't truncate HPTE index in xlate function
    - cfg80211: remove division by size of sizeof(struct ieee80211_wmm_rule)
    - btrfs: btrfs_shrink_device should call commit transaction at the end
    - scsi: csiostor: add a check for NULL pointer after kmalloc()
    - scsi: csiostor: fix incorrect port capabilities
    - scsi: libata: Add missing newline at end of file
    - scsi: aacraid: fix a signedness bug
    - bpf, sockmap: fix potential use after free in bpf_tcp_close
    - bpf, sockmap: fix psock refcount leak in bpf_tcp_recvmsg
    - bpf: sockmap, decrement copied count correctly in redirect error case
    - mac80211: correct use of IEEE80211_VHT_CAP_RXSTBC_X
    - mac80211_hwsim: correct use of IEEE80211_VHT_CAP_RXSTBC_X
    - cfg80211: make wmm_rule part of the reg_rule structure
    - mac80211_hwsim: Fix possible Spectre-v1 for hwsim_world_regdom_custom
    - nl80211: Fix nla_put_u8 to u16 for NL80211_WMMR_TXOP
    - nl80211: Pass center frequency in kHz instead of MHz
    - bpf: fix several offset tests in bpf_msg_pull_data
    - gpio: adp5588: Fix sleep-in-atomic-context bug
    - mac80211: mesh: fix HWMP sequence numbering to follow standard
    - mac80211: avoid kernel panic when building AMSDU from non-linear SKB
    - gpiolib: acpi: Switch to cansleep version of GPIO library call
    - gpiolib-acpi: Register GpioInt ACPI event handlers from a late_initcall
    - gpio: dwapb: Fix error handling in dwapb_gpio_probe()
    - bpf: fix msg->data/data_end after sg shift repair in bpf_msg_pull_data
    - bpf: fix shift upon scatterlist ring wrap-around in bpf_msg_pull_data
    - bpf: fix sg shift repair start offset in bpf_msg_pull_data
    - tipc: switch to rhashtable iterator
    - sh_eth: Add R7S9210 support
    - net: mvpp2: initialize port of_node pointer
    - tc-testing: add test-cases for numeric and invalid control action
    - cfg80211: nl80211_update_ft_ies() to validate NL80211_ATTR_IE
    - mac80211: do not convert to A-MSDU if frag/subframe limited
    - mac80211: always account for A-MSDU header changes
    - tools/kvm_stat: fix python3 issues
    - tools/kvm_stat: fix handling of invalid paths in debugfs provider
    - tools/kvm_stat: fix updates for dead guests
    - gpio: Fix crash due to registration race
    - ARC: atomics: unbork atomic_fetch_##op()
    - Revert "blk-throttle: fix race between blkcg_bio_issue_check() and
      cgroup_rmdir()"
    - md/raid5-cache: disable reshape completely
    - RAID10 BUG_ON in raise_barrier when force is true and conf->barrier is 0
    - selftests: pmtu: maximum MTU for vti4 is 2^16-1-20
    - selftests: pmtu: detect correct binary to ping ipv6 addresses
    - ibmvnic: Include missing return code checks in reset function
    - bpf: Fix bpf_msg_pull_data()
    - bpf: avoid misuse of psock when TCP_ULP_BPF collides with another ULP
    - i2c: uniphier: issue STOP only for last message or I2C_M_STOP
    - i2c: uniphier-f: issue STOP only for last message or I2C_M_STOP
    - net: cadence: Fix a sleep-in-atomic-context bug in macb_halt_tx()
    - fs/cifs: don't translate SFM_SLASH (U+F026) to backslash
    - mac80211: fix an off-by-one issue in A-MSDU max_subframe computation
    - cfg80211: fix a type issue in ieee80211_chandef_to_operating_class()
    - mac80211: fix WMM TXOP calculation
    - mac80211: fix a race between restart and CSA flows
    - mac80211: Fix station bandwidth setting after channel switch
    - mac80211: don't Tx a deauth frame if the AP forbade Tx
    - mac80211: shorten the IBSS debug messages
    - fsnotify: fix ignore mask logic in fsnotify()
    - net/ibm/emac: wrong emac_calc_base call was used by typo
    - nds32: fix logic for module
    - nds32: add NULL entry to the end of_device_id array
    - nds32: Fix empty call trace
    - nds32: Fix get_user/put_user macro expand pointer problem
    - nds32: fix build error because of wrong semicolon
    - tools/vm/slabinfo.c: fix sign-compare warning
    - tools/vm/page-types.c: fix "defined but not used" warning
    - nds32: linker script: GCOV kernel may refers data in __exit
    - ceph: avoid a use-after-free in ceph_destroy_options()
    - firmware: arm_scmi: fix divide by zero when sustained_perf_level is zero
    - afs: Fix cell specification to permit an empty address list
    - mm: madvise(MADV_DODUMP): allow hugetlbfs pages
    - bpf: 32-bit RSH verification must truncate input before the ALU op
    - netfilter: xt_cluster: add dependency on conntrack module
    - netfilter: xt_checksum: ignore gso skbs
    - HID: intel-ish-hid: Enable Sunrise Point-H ish driver
    - HID: add support for Apple Magic Keyboards
    - usb: gadget: fotg210-udc: Fix memory leak of fotg210->ep[i]
    - HID: hid-saitek: Add device ID for RAT 7 Contagion
    - scsi: iscsi: target: Set conn->sess to NULL when iscsi_login_set_conn_values
      fails
    - scsi: iscsi: target: Fix conn_ops double free
    - scsi: qedi: Add the CRC size within iSCSI NVM image
    - perf annotate: Properly interpret indirect call
    - perf evsel: Fix potential null pointer dereference in perf_evsel__new_idx()
    - perf util: Fix bad memory access in trace info.
    - perf probe powerpc: Ignore SyS symbols irrespective of endianness
    - perf annotate: Fix parsing aarch64 branch instructions after objdump update
    - netfilter: kconfig: nat related expression depend on nftables core
    - netfilter: nf_tables: release chain in flushing set
    - Revert "iio: temperature: maxim_thermocouple: add MAX31856 part"
    - iio: imu: st_lsm6dsx: take into account ts samples in wm configuration
    - RDMA/ucma: check fd type in ucma_migrate_id()
    - riscv: Do not overwrite initrd_start and initrd_end
    - HID: sensor-hub: Restore fixup for Lenovo ThinkPad Helix 2 sensor hub report
    - usb: host: xhci-plat: Iterate over parent nodes for finding quirks
    - USB: yurex: Check for truncation in yurex_read()
    - nvmet-rdma: fix possible bogus dereference under heavy load
    - bnxt_re: Fix couple of memory leaks that could lead to IOMMU call traces
    - net/mlx5: Consider PCI domain in search for next dev
    - dm raid: fix reshape race on small devices
    - drm/nouveau: fix oops in client init failure path
    - drm/nouveau/mmu: don't attempt to dereference vmm without valid instance
      pointer
    - drm/nouveau/TBDdevinit: don't fail when PMU/PRE_OS is missing from VBIOS
    - drm/nouveau/disp: fix DP disable race
    - drm/nouveau/disp/gm200-: enforce identity-mapped SOR assignment for LVDS/eDP
      panels
    - dm raid: fix stripe adding reshape deadlock
    - dm raid: fix rebuild of specific devices by updating superblock
    - dm raid: fix RAID leg rebuild errors
    - r8169: set TxConfig register after TX / RX is enabled, just like RxConfig
    - fs/cifs: suppress a string overflow warning
    - perf/x86/intel: Add support/quirk for the MISPREDICT bit on Knights Landing
      CPUs
    - sched/topology: Set correct NUMA topology type
    - dm thin metadata: try to avoid ever aborting transactions
    - netfilter: nfnetlink_queue: Solve the NFQUEUE/conntrack clash for NF_REPEAT
    - netfilter: xt_hashlimit: use s->file instead of s->private
    - arch/hexagon: fix kernel/dma.c build warning
    - hexagon: modify ffs() and fls() to return int
    - drm/amdgpu: Fix SDMA hang in prt mode v2
    - arm64: jump_label.h: use asm_volatile_goto macro instead of "asm goto"
    - drm/amdgpu: fix error handling in amdgpu_cs_user_fence_chunk
    - r8169: Clear RTL_FLAG_TASK_*_PENDING when clearing RTL_FLAG_TASK_ENABLED
    - s390/qeth: don't dump past end of unknown HW header
    - cifs: read overflow in is_valid_oplock_break()
    - asm-generic: io: Fix ioport_map() for !CONFIG_GENERIC_IOMAP &&
      CONFIG_INDIRECT_PIO
    - xen/manage: don't complain about an empty value in control/sysrq node
    - xen: avoid crash in disable_hotplug_cpu
    - xen: fix GCC warning and remove duplicate EVTCHN_ROW/EVTCHN_COL usage
    - x86/APM: Fix build warning when PROC_FS is not enabled
    - new primitive: discard_new_inode()
    - vfs: don't evict uninitialized inode
    - ovl: set I_CREATING on inode being created
    - ovl: fix access beyond unterminated strings
    - ovl: fix memory leak on unlink of indexed file
    - ovl: fix format of setxattr debug
    - sysfs: Do not return POSIX ACL xattrs via listxattr
    - b43: fix DMA error related regression with proprietary firmware
    - firmware: Fix security issue with request_firmware_into_buf()
    - firmware: Always initialize the fw_priv list object
    - cpufreq: qcom-kryo: Fix section annotations
    - smb2: fix missing files in root share directory listing
    - iommu/amd: Clear memory encryption mask from physical address
    - crypto: qat - Fix KASAN stack-out-of-bounds bug in adf_probe()
    - crypto: chelsio - Fix memory corruption in DMA Mapped buffers.
    - crypto: mxs-dcp - Fix wait logic on chan threads
    - crypto: caam/jr - fix ablkcipher_edesc pointer arithmetic
    - gpiolib: Free the last requested descriptor
    - Drivers: hv: vmbus: Use get/put_cpu() in vmbus_connect()
    - tools: hv: fcopy: set 'error' in case an unknown operation was requested
    - proc: restrict kernel stack dumps to root
    - ocfs2: fix locking for res->tracking and dlm->tracking_list
    - HID: i2c-hid: disable runtime PM operations on hantick touchpad
    - ixgbe: check return value of napi_complete_done()
    - dm thin metadata: fix __udivdi3 undefined on 32-bit
    - Revert "drm/amd/pp: Send khz clock values to DC for smu7/8"
    - Linux 4.18.13

* Volume control not working Dell XPS 27 (7760) (LP: #1775068) // Cosmic
    update: 4.18.13 upstream stable release (LP: #1801931)
    - ALSA: hda/realtek - Cannot adjust speaker's volume on Dell XPS 27 7760

* [Bionic][Cosmic]  ipmi: Fix timer race with module unload (LP: #1799281)
    - ipmi: Fix timer race with module unload

* [Bionic][Cosmic] Fix to ipmi to support vendor specific messages greater
    than 255 bytes (LP: #1799794)
    - ipmi:ssif: Add support for multi-part transmit messages > 2 parts

* 18.10 kernel does not appear to validate kernel module signatures correctly
    (LP: #1798863) // CVE-2018-18653
    - SAUCE: (efi-lockdown) module: remove support for deferring module signature
      verification to IMA

* 18.10 kernel does not appear to validate kernel module signatures correctly
    (LP: #1798863)
    - SAUCE: (efi-lockdown) module: trust keys from secondary keyring for module
      signing

* [Ubuntu] net/af_iucv: fix skb leaks for HiperTransport (LP: #1800639)
    - net/af_iucv: drop inbound packets with invalid flags
    - net/af_iucv: fix skb handling on HiperTransport xmit error

* Power consumption during s2idle is higher than long idle(sk hynix)
    (LP: #1801875)
    - SAUCE: pci: prevent sk hynix nvme from entering D3
    - SAUCE: nvme: add quirk to not call disable function when suspending

* NULL pointer dereference at 0000000000000020 when access
    dst_orig->ops->family in function  xfrm_lookup_with_ifid() (LP: #1801878)
    - xfrm: Fix NULL pointer dereference when skb_dst_force clears the dst_entry.

* hns3: map tx ring to tc (LP: #1802023)
    - net: hns3: Set tx ring' tc info when netdev is up

* [Ubuntu] qeth: Fix potential array overrun in cmd/rc lookup (LP: #1800641)
    - s390: qeth_core_mpc: Use ARRAY_SIZE instead of reimplementing its function
    - s390: qeth: Fix potential array overrun in cmd/rc lookup

* Mellanox CX5 stops pinging with rx_wqe_err (mlx5_core) (LP: #1799393)
    - net/mlx5: WQ, fixes for fragmented WQ buffers API

* Vulkan applications cause permanent memory leak with Intel GPU
    (LP: #1798165)
    - drm/syncobj: Don't leak fences when WAIT_FOR_SUBMIT is set

* Packaging resync (LP: #1786013)
    - [Package] add support for specifying the primary makefile

-- Thadeu Lima de Souza Cascardo <cascardo@canonical.com>  Wed, 14 Nov 2018 11:30:22 -0200

Changed in linux (Ubuntu Cosmic):
status:	Fix Committed → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2018-12-03:

#15

Download full text (3.1 KiB)

This bug was fixed in the package linux - 4.15.0-42.45

---------------
linux (4.15.0-42.45) bionic; urgency=medium

* linux: 4.15.0-42.45 -proposed tracker (LP: #1803592)

  * [FEAT] Guest-dedicated Crypto Adapters (LP: #1787405)
    - KVM: s390: reset crypto attributes for all vcpus
    - KVM: s390: vsie: simulate VCPU SIE entry/exit
    - KVM: s390: introduce and use KVM_REQ_VSIE_RESTART
    - KVM: s390: refactor crypto initialization
    - s390: vfio-ap: base implementation of VFIO AP device driver
    - s390: vfio-ap: register matrix device with VFIO mdev framework
    - s390: vfio-ap: sysfs interfaces to configure adapters
    - s390: vfio-ap: sysfs interfaces to configure domains
    - s390: vfio-ap: sysfs interfaces to configure control domains
    - s390: vfio-ap: sysfs interface to view matrix mdev matrix
    - KVM: s390: interface to clear CRYCB masks
    - s390: vfio-ap: implement mediated device open callback
    - s390: vfio-ap: implement VFIO_DEVICE_GET_INFO ioctl
    - s390: vfio-ap: zeroize the AP queues
    - s390: vfio-ap: implement VFIO_DEVICE_RESET ioctl
    - KVM: s390: Clear Crypto Control Block when using vSIE
    - KVM: s390: vsie: Do the CRYCB validation first
    - KVM: s390: vsie: Make use of CRYCB FORMAT2 clear
    - KVM: s390: vsie: Allow CRYCB FORMAT-2
    - KVM: s390: vsie: allow CRYCB FORMAT-1
    - KVM: s390: vsie: allow CRYCB FORMAT-0
    - KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-1
    - KVM: s390: vsie: allow guest FORMAT-1 CRYCB on host FORMAT-2
    - KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-2
    - KVM: s390: device attrs to enable/disable AP interpretation
    - KVM: s390: CPU model support for AP virtualization
    - s390: doc: detailed specifications for AP virtualization
    - KVM: s390: fix locking for crypto setting error path
    - KVM: s390: Tracing APCB changes
    - s390: vfio-ap: setup APCB mask using KVM dedicated function
    - s390/zcrypt: Add ZAPQ inline function.
    - s390/zcrypt: Review inline assembler constraints.
    - s390/zcrypt: Integrate ap_asm.h into include/asm/ap.h.
    - s390/zcrypt: fix ap_instructions_available() returncodes
    - s390/zcrypt: remove VLA usage from the AP bus
    - s390/zcrypt: Remove deprecated ioctls.
    - s390/zcrypt: Remove deprecated zcrypt proc interface.
    - s390/zcrypt: Support up to 256 crypto adapters.
    - [Config:] Enable CONFIG_S390_AP_IOMMU and set CONFIG_VFIO_AP to module.

  * Bypass of mount visibility through userns + mount propagation (LP: #1789161)
    - mount: Retest MNT_LOCKED in do_umount
    - mount: Don't allow copying MNT_UNBINDABLE|MNT_LOCKED mounts

  * CVE-2018-18955: nested user namespaces with more than five extents
    incorrectly grant privileges over inode (LP: #1801924) // CVE-2018-18955
    - userns: also map extents in the reverse map to kernel IDs

  * kdump fail due to an IRQ storm (LP: #1797990)
    - SAUCE: x86/PCI: Export find_cap() to be used in early PCI code
    - SAUCE: x86/quirks: Add parameter to clear MSIs early on boot
    - SAUCE: x86/quirks: Scan all busses for early PCI quirks

-- Thadeu Lima de Souza Cascardo <email address hidden> Thu, 15 Nov 2018 17:01:46 ...

This bug was fixed in the package linux - 4.15.0-42.45

---------------
linux (4.15.0-42.45) bionic; urgency=medium

* linux: 4.15.0-42.45 -proposed tracker (LP: #1803592)

* [FEAT] Guest-dedicated Crypto Adapters (LP: #1787405)
    - KVM: s390: reset crypto attributes for all vcpus
    - KVM: s390: vsie: simulate VCPU SIE entry/exit
    - KVM: s390: introduce and use KVM_REQ_VSIE_RESTART
    - KVM: s390: refactor crypto initialization
    - s390: vfio-ap: base implementation of VFIO AP device driver
    - s390: vfio-ap: register matrix device with VFIO mdev framework
    - s390: vfio-ap: sysfs interfaces to configure adapters
    - s390: vfio-ap: sysfs interfaces to configure domains
    - s390: vfio-ap: sysfs interfaces to configure control domains
    - s390: vfio-ap: sysfs interface to view matrix mdev matrix
    - KVM: s390: interface to clear CRYCB masks
    - s390: vfio-ap: implement mediated device open callback
    - s390: vfio-ap: implement VFIO_DEVICE_GET_INFO ioctl
    - s390: vfio-ap: zeroize the AP queues
    - s390: vfio-ap: implement VFIO_DEVICE_RESET ioctl
    - KVM: s390: Clear Crypto Control Block when using vSIE
    - KVM: s390: vsie: Do the CRYCB validation first
    - KVM: s390: vsie: Make use of CRYCB FORMAT2 clear
    - KVM: s390: vsie: Allow CRYCB FORMAT-2
    - KVM: s390: vsie: allow CRYCB FORMAT-1
    - KVM: s390: vsie: allow CRYCB FORMAT-0
    - KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-1
    - KVM: s390: vsie: allow guest FORMAT-1 CRYCB on host FORMAT-2
    - KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-2
    - KVM: s390: device attrs to enable/disable AP interpretation
    - KVM: s390: CPU model support for AP virtualization
    - s390: doc: detailed specifications for AP virtualization
    - KVM: s390: fix locking for crypto setting error path
    - KVM: s390: Tracing APCB changes
    - s390: vfio-ap: setup APCB mask using KVM dedicated function
    - s390/zcrypt: Add ZAPQ inline function.
    - s390/zcrypt: Review inline assembler constraints.
    - s390/zcrypt: Integrate ap_asm.h into include/asm/ap.h.
    - s390/zcrypt: fix ap_instructions_available() returncodes
    - s390/zcrypt: remove VLA usage from the AP bus
    - s390/zcrypt: Remove deprecated ioctls.
    - s390/zcrypt: Remove deprecated zcrypt proc interface.
    - s390/zcrypt: Support up to 256 crypto adapters.
    - [Config:] Enable CONFIG_S390_AP_IOMMU and set CONFIG_VFIO_AP to module.

* Bypass of mount visibility through userns + mount propagation (LP: #1789161)
    - mount: Retest MNT_LOCKED in do_umount
    - mount: Don't allow copying MNT_UNBINDABLE|MNT_LOCKED mounts

*  CVE-2018-18955: nested user namespaces with more than five extents
    incorrectly grant privileges over inode (LP: #1801924) // CVE-2018-18955
    - userns: also map extents in the reverse map to kernel IDs

* kdump fail due to an IRQ storm (LP: #1797990)
    - SAUCE: x86/PCI: Export find_cap() to be used in early PCI code
    - SAUCE: x86/quirks: Add parameter to clear MSIs early on boot
    - SAUCE: x86/quirks: Scan all busses for early PCI quirks

-- Thadeu Lima de Souza Cascardo <cascardo@canonical.com>  Thu, 15 Nov 2018 17:01:46 -0200

Changed in linux (Ubuntu Bionic):
status:	Fix Committed → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2019-02-04:

#16

Download full text (14.1 KiB)

This bug was fixed in the package linux - 4.19.0-12.13

---------------
linux (4.19.0-12.13) disco; urgency=medium

* linux: 4.19.0-12.13 -proposed tracker (LP: #1813664)

* kernel oops in bcache module (LP: #1793901)
- SAUCE: bcache: never writeback a discard operation

  * Disco update: 4.19.18 upstream stable release (LP: #1813611)
    - ipv6: Consider sk_bound_dev_if when binding a socket to a v4 mapped address
    - mlxsw: spectrum: Disable lag port TX before removing it
    - mlxsw: spectrum_switchdev: Set PVID correctly during VLAN deletion
    - net: dsa: mv88x6xxx: mv88e6390 errata
    - net, skbuff: do not prefer skb allocation fails early
    - qmi_wwan: add MTU default to qmap network interface
    - ipv6: Take rcu_read_lock in __inet6_bind for mapped addresses
    - net: clear skb->tstamp in bridge forwarding path
    - netfilter: ipset: Allow matching on destination MAC address for mac and
      ipmac sets
    - gpio: pl061: Move irq_chip definition inside struct pl061
    - drm/amd/display: Guard against null stream_state in set_crc_source
    - drm/amdkfd: fix interrupt spin lock
    - ixgbe: allow IPsec Tx offload in VEPA mode
    - platform/x86: asus-wmi: Tell the EC the OS will handle the display off
      hotkey
    - e1000e: allow non-monotonic SYSTIM readings
    - usb: typec: tcpm: Do not disconnect link for self powered devices
    - selftests/bpf: enable (uncomment) all tests in test_libbpf.sh
    - of: overlay: add missing of_node_put() after add new node to changeset
    - writeback: don't decrement wb->refcnt if !wb->bdi
    - serial: set suppress_bind_attrs flag only if builtin
    - bpf: Allow narrow loads with offset > 0
    - ALSA: oxfw: add support for APOGEE duet FireWire
    - x86/mce: Fix -Wmissing-prototypes warnings
    - MIPS: SiByte: Enable swiotlb for SWARM, LittleSur and BigSur
    - crypto: ecc - regularize scalar for scalar multiplication
    - arm64: perf: set suppress_bind_attrs flag to true
    - drm/atomic-helper: Complete fake_commit->flip_done potentially earlier
    - clk: meson: meson8b: fix incorrect divider mapping in cpu_scale_table
    - samples: bpf: fix: error handling regarding kprobe_events
    - usb: gadget: udc: renesas_usb3: add a safety connection way for
      forced_b_device
    - fpga: altera-cvp: fix probing for multiple FPGAs on the bus
    - selinux: always allow mounting submounts
    - ASoC: pcm3168a: Don't disable pcm3168a when CONFIG_PM defined
    - scsi: qedi: Check for session online before getting iSCSI TLV data.
    - drm/amdgpu: Reorder uvd ring init before uvd resume
    - rxe: IB_WR_REG_MR does not capture MR's iova field
    - efi/libstub: Disable some warnings for x86{,_64}
    - jffs2: Fix use of uninitialized delayed_work, lockdep breakage
    - clk: imx: make mux parent strings const
    - pstore/ram: Do not treat empty buffers as valid
    - media: uvcvideo: Refactor teardown of uvc on USB disconnect
    - powerpc/xmon: Fix invocation inside lock region
    - powerpc/pseries/cpuidle: Fix preempt warning
    - media: firewire: Fix app_info parameter type in avc_ca{,_app}_info
    - ASoC: use dma_ops of parent device for acp_audio_dma
    - media: ve...

This bug was fixed in the package linux - 4.19.0-12.13

---------------
linux (4.19.0-12.13) disco; urgency=medium

* linux: 4.19.0-12.13 -proposed tracker (LP: #1813664)

* kernel oops in bcache module (LP: #1793901)
    - SAUCE: bcache: never writeback a discard operation

* Disco update: 4.19.18 upstream stable release (LP: #1813611)
    - ipv6: Consider sk_bound_dev_if when binding a socket to a v4 mapped address
    - mlxsw: spectrum: Disable lag port TX before removing it
    - mlxsw: spectrum_switchdev: Set PVID correctly during VLAN deletion
    - net: dsa: mv88x6xxx: mv88e6390 errata
    - net, skbuff: do not prefer skb allocation fails early
    - qmi_wwan: add MTU default to qmap network interface
    - ipv6: Take rcu_read_lock in __inet6_bind for mapped addresses
    - net: clear skb->tstamp in bridge forwarding path
    - netfilter: ipset: Allow matching on destination MAC address for mac and
      ipmac sets
    - gpio: pl061: Move irq_chip definition inside struct pl061
    - drm/amd/display: Guard against null stream_state in set_crc_source
    - drm/amdkfd: fix interrupt spin lock
    - ixgbe: allow IPsec Tx offload in VEPA mode
    - platform/x86: asus-wmi: Tell the EC the OS will handle the display off
      hotkey
    - e1000e: allow non-monotonic SYSTIM readings
    - usb: typec: tcpm: Do not disconnect link for self powered devices
    - selftests/bpf: enable (uncomment) all tests in test_libbpf.sh
    - of: overlay: add missing of_node_put() after add new node to changeset
    - writeback: don't decrement wb->refcnt if !wb->bdi
    - serial: set suppress_bind_attrs flag only if builtin
    - bpf: Allow narrow loads with offset > 0
    - ALSA: oxfw: add support for APOGEE duet FireWire
    - x86/mce: Fix -Wmissing-prototypes warnings
    - MIPS: SiByte: Enable swiotlb for SWARM, LittleSur and BigSur
    - crypto: ecc - regularize scalar for scalar multiplication
    - arm64: perf: set suppress_bind_attrs flag to true
    - drm/atomic-helper: Complete fake_commit->flip_done potentially earlier
    - clk: meson: meson8b: fix incorrect divider mapping in cpu_scale_table
    - samples: bpf: fix: error handling regarding kprobe_events
    - usb: gadget: udc: renesas_usb3: add a safety connection way for
      forced_b_device
    - fpga: altera-cvp: fix probing for multiple FPGAs on the bus
    - selinux: always allow mounting submounts
    - ASoC: pcm3168a: Don't disable pcm3168a when CONFIG_PM defined
    - scsi: qedi: Check for session online before getting iSCSI TLV data.
    - drm/amdgpu: Reorder uvd ring init before uvd resume
    - rxe: IB_WR_REG_MR does not capture MR's iova field
    - efi/libstub: Disable some warnings for x86{,_64}
    - jffs2: Fix use of uninitialized delayed_work, lockdep breakage
    - clk: imx: make mux parent strings const
    - pstore/ram: Do not treat empty buffers as valid
    - media: uvcvideo: Refactor teardown of uvc on USB disconnect
    - powerpc/xmon: Fix invocation inside lock region
    - powerpc/pseries/cpuidle: Fix preempt warning
    - media: firewire: Fix app_info parameter type in avc_ca{,_app}_info
    - ASoC: use dma_ops of parent device for acp_audio_dma
    - media: venus: core: Set dma maximum segment size
    - staging: erofs: fix use-after-free of on-stack `z_erofs_vle_unzip_io'
    - net: call sk_dst_reset when set SO_DONTROUTE
    - scsi: target: use consistent left-aligned ASCII INQUIRY data
    - scsi: target/core: Make sure that target_wait_for_sess_cmds() waits long
      enough
    - selftests: do not macro-expand failed assertion expressions
    - arm64: kasan: Increase stack size for KASAN_EXTRA
    - clk: imx6q: reset exclusive gates on init
    - arm64: Fix minor issues with the dcache_by_line_op macro
    - bpf: relax verifier restriction on BPF_MOV | BPF_ALU
    - kconfig: fix file name and line number of warn_ignored_character()
    - kconfig: fix memory leak when EOF is encountered in quotation
    - mmc: atmel-mci: do not assume idle after atmci_request_end
    - btrfs: volumes: Make sure there is no overlap of dev extents at mount time
    - btrfs: alloc_chunk: fix more DUP stripe size handling
    - btrfs: fix use-after-free due to race between replace start and cancel
    - btrfs: improve error handling of btrfs_add_link
    - tty/serial: do not free trasnmit buffer page under port lock
    - perf intel-pt: Fix error with config term "pt=0"
    - perf tests ARM: Disable breakpoint tests 32-bit
    - perf svghelper: Fix unchecked usage of strncpy()
    - perf parse-events: Fix unchecked usage of strncpy()
    - perf vendor events intel: Fix Load_Miss_Real_Latency on SKL/SKX
    - netfilter: ipt_CLUSTERIP: check MAC address when duplicate config is set
    - netfilter: ipt_CLUSTERIP: remove wrong WARN_ON_ONCE in netns exit routine
    - netfilter: ipt_CLUSTERIP: fix deadlock in netns exit routine
    - x86/topology: Use total_cpus for max logical packages calculation
    - dm crypt: use u64 instead of sector_t to store iv_offset
    - dm kcopyd: Fix bug causing workqueue stalls
    - perf stat: Avoid segfaults caused by negated options
    - tools lib subcmd: Don't add the kernel sources to the include path
    - dm snapshot: Fix excessive memory usage and workqueue stalls
    - perf cs-etm: Correct packets swapping in cs_etm__flush()
    - perf tools: Add missing sigqueue() prototype for systems lacking it
    - perf tools: Add missing open_memstream() prototype for systems lacking it
    - quota: Lock s_umount in exclusive mode for Q_XQUOTA{ON,OFF} quotactls.
    - clocksource/drivers/integrator-ap: Add missing of_node_put()
    - dm: Check for device sector overflow if CONFIG_LBDAF is not set
    - Bluetooth: btusb: Add support for Intel bluetooth device 8087:0029
    - ALSA: bebob: fix model-id of unit for Apogee Ensemble
    - sysfs: Disable lockdep for driver bind/unbind files
    - IB/usnic: Fix potential deadlock
    - scsi: mpt3sas: fix memory ordering on 64bit writes
    - scsi: smartpqi: correct lun reset issues
    - ath10k: fix peer stats null pointer dereference
    - scsi: smartpqi: call pqi_free_interrupts() in pqi_shutdown()
    - scsi: megaraid: fix out-of-bound array accesses
    - iomap: don't search past page end in iomap_is_partially_uptodate
    - ocfs2: fix panic due to unrecovered local alloc
    - mm/page-writeback.c: don't break integrity writeback on ->writepage() error
    - mm/swap: use nr_node_ids for avail_lists in swap_info_struct
    - userfaultfd: clear flag if remap event not enabled
    - mm, proc: be more verbose about unstable VMA flags in /proc/<pid>/smaps
    - iwlwifi: mvm: Send LQ command as async when necessary
    - Bluetooth: Fix unnecessary error message for HCI request completion
    - ipmi: fix use-after-free of user->release_barrier.rda
    - ipmi: msghandler: Fix potential Spectre v1 vulnerabilities
    - ipmi: Prevent use-after-free in deliver_response
    - ipmi:ssif: Fix handling of multi-part return messages
    - ipmi: Don't initialize anything in the core until something uses it
    - Linux 4.19.18

* tls selftest failures/hangs on i386 (LP: #1813607)
    - [Config] CONFIG_TLS=n for i386

* Intel XL710 - i40e driver does not work with kernel 4.15 (Ubuntu 18.04)
    (LP: #1779756)
    - i40e: prevent overlapping tx_timeout recover

* Disco update: 4.19.17 upstream stable release (LP: #1813016)
    - tty/ldsem: Wake up readers after timed out down_write()
    - tty: Don't hold ldisc lock in tty_reopen() if ldisc present
    - can: gw: ensure DLC boundaries after CAN frame modification
    - netfilter: nf_conncount: replace CONNCOUNT_LOCK_SLOTS with CONNCOUNT_SLOTS
    - netfilter: nf_conncount: split gc in two phases
    - netfilter: nf_conncount: restart search when nodes have been erased
    - netfilter: nf_conncount: merge lookup and add functions
    - netfilter: nf_conncount: move all list iterations under spinlock
    - netfilter: nf_conncount: speculative garbage collection on empty lists
    - netfilter: nf_conncount: fix argument order to find_next_bit
    - mmc: sdhci-msm: Disable CDR function on TX
    - Revert "scsi: target: iscsi: cxgbit: fix csk leak"
    - scsi: target: iscsi: cxgbit: fix csk leak
    - scsi: target: iscsi: cxgbit: fix csk leak
    - arm64/kvm: consistently handle host HCR_EL2 flags
    - arm64: Don't trap host pointer auth use to EL2
    - ipv6: fix kernel-infoleak in ipv6_local_error()
    - net: bridge: fix a bug on using a neighbour cache entry without checking its
      state
    - packet: Do not leak dev refcounts on error exit
    - tcp: change txhash on SYN-data timeout
    - tun: publish tfile after it's fully initialized
    - lan743x: Remove phy_read from link status change function
    - smc: move unhash as early as possible in smc_release()
    - r8169: don't try to read counters if chip is in a PCI power-save state
    - bonding: update nest level on unlink
    - ip: on queued skb use skb_header_pointer instead of pskb_may_pull
    - r8169: load Realtek PHY driver module before r8169
    - crypto: sm3 - fix undefined shift by >= width of value
    - crypto: caam - fix zero-length buffer DMA mapping
    - crypto: authencesn - Avoid twice completion call in decrypt path
    - crypto: ccree - convert to use crypto_authenc_extractkeys()
    - crypto: bcm - convert to use crypto_authenc_extractkeys()
    - crypto: authenc - fix parsing key with misaligned rta_len
    - crypto: talitos - reorder code in talitos_edesc_alloc()
    - crypto: talitos - fix ablkcipher for CONFIG_VMAP_STACK
    - xen: Fix x86 sched_clock() interface for xen
    - Revert "btrfs: balance dirty metadata pages in btrfs_finish_ordered_io"
    - btrfs: wait on ordered extents on abort cleanup
    - Yama: Check for pid death before checking ancestry
    - scsi: core: Synchronize request queue PM status only on successful resume
    - scsi: sd: Fix cache_type_store()
    - mips: fix n32 compat_ipc_parse_version
    - MIPS: BCM47XX: Setup struct device for the SoC
    - MIPS: lantiq: Fix IPI interrupt handling
    - drm/i915/gvt: Fix mmap range check
    - OF: properties: add missing of_node_put
    - mfd: tps6586x: Handle interrupts on suspend
    - media: v4l: ioctl: Validate num_planes for debug messages
    - RDMA/nldev: Don't expose unsafe global rkey to regular user
    - RDMA/vmw_pvrdma: Return the correct opcode when creating WR
    - kbuild: Disable LD_DEAD_CODE_DATA_ELIMINATION with ftrace & GCC <= 4.7
    - net: dsa: realtek-smi: fix OF child-node lookup
    - pstore/ram: Avoid allocation and leak of platform data
    - arm64: kaslr: ensure randomized quantities are clean to the PoC
    - arm64: dts: marvell: armada-ap806: reserve PSCI area
    - Disable MSI also when pcie-octeon.pcie_disable on
    - fix int_sqrt64() for very large numbers
    - omap2fb: Fix stack memory disclosure
    - media: vivid: fix error handling of kthread_run
    - media: vivid: set min width/height to a value > 0
    - bpf: in __bpf_redirect_no_mac pull mac only if present
    - ipv6: make icmp6_send() robust against null skb->dev
    - LSM: Check for NULL cred-security on free
    - media: vb2: vb2_mmap: move lock up
    - sunrpc: handle ENOMEM in rpcb_getport_async
    - netfilter: ebtables: account ebt_table_info to kmemcg
    - block: use rcu_work instead of call_rcu to avoid sleep in softirq
    - selinux: fix GPF on invalid policy
    - blockdev: Fix livelocks on loop device
    - sctp: allocate sctp_sockaddr_entry with kzalloc
    - tipc: fix uninit-value in in tipc_conn_rcv_sub
    - tipc: fix uninit-value in tipc_nl_compat_link_reset_stats
    - tipc: fix uninit-value in tipc_nl_compat_bearer_enable
    - tipc: fix uninit-value in tipc_nl_compat_link_set
    - tipc: fix uninit-value in tipc_nl_compat_name_table_dump
    - tipc: fix uninit-value in tipc_nl_compat_doit
    - block/loop: Don't grab "struct file" for vfs_getattr() operation.
    - block/loop: Use global lock for ioctl() operation.
    - loop: Fold __loop_release into loop_release
    - loop: Get rid of loop_index_mutex
    - loop: Push lo_ctl_mutex down into individual ioctls
    - loop: Split setting of lo_state from loop_clr_fd
    - loop: Push loop_ctl_mutex down into loop_clr_fd()
    - loop: Push loop_ctl_mutex down to loop_get_status()
    - loop: Push loop_ctl_mutex down to loop_set_status()
    - loop: Push loop_ctl_mutex down to loop_set_fd()
    - loop: Push loop_ctl_mutex down to loop_change_fd()
    - loop: Move special partition reread handling in loop_clr_fd()
    - loop: Move loop_reread_partitions() out of loop_ctl_mutex
    - loop: Fix deadlock when calling blkdev_reread_part()
    - loop: Avoid circular locking dependency between loop_ctl_mutex and bd_mutex
    - loop: Get rid of 'nested' acquisition of loop_ctl_mutex
    - loop: Fix double mutex_unlock(&loop_ctl_mutex) in loop_control_ioctl()
    - loop: drop caches if offset or block_size are changed
    - drm/fb-helper: Ignore the value of fb_var_screeninfo.pixclock
    - selftests: Fix test errors related to lib.mk khdr target
    - media: vb2: be sure to unlock mutex on errors
    - nbd: Use set_blocksize() to set device blocksize
    - Linux 4.19.17

* Enable sound card power saving by default (LP: #1804265)
    - [Config] CONFIG_SND_HDA_POWER_SAVE_DEFAULT=1

* Fix non-working QCA Rome Bluetooth after S3 (LP: #1812812)
    - USB: Add new USB LPM helpers
    - USB: Consolidate LPM checks to avoid enabling LPM twice

* [SRU] Fix Xorg crash with nomodeset when BIOS enable 64-bit fb addr
    (LP: #1812797)
    - vgaarb: Add support for 64-bit frame buffer address
    - vgaarb: Keep adding VGA device in queue

* bluetooth controller not detected with 4.15 kernel (LP: #1810797)
    - SAUCE: btqcomsmd: introduce BT_QCOMSMD_HACK
    - [Config] arm64: snapdragon: BT_QCOMSMD_HACK=y

* [19.04 FEAT| Enable virtio-gpu for s390x (LP: #1799467)
    - [Config] enable virtio-gpu for s390x

* Miscellaneous Ubuntu changes
    - Revert "UBUNTU: SAUCE: selftests: disable some failing networking tests"
    - SAUCE: selftests: net: replace AF_MAX with INT_MAX in socket.c
    - SAUCE: selftests/ftrace: Fix tab expansion in trace_marker snapshot trigger
      test
    - update dkms package versions

* Miscellaneous upstream changes
    - selftests/ftrace: Fix checkbashisms errors
    - selftests/powerpc/pmu: Link ebb tests with -no-pie

-- Seth Forshee <seth.forshee@canonical.com>  Mon, 28 Jan 2019 15:38:30 -0600

Changed in linux (Ubuntu Disco):
status:	In Progress → Fix Released

Ubuntu
linux package

Overlayfs in user namespace leaks directory content of inaccessible directories

Bug Description

CVE References

Other bug subscribers

Patches

Bug attachments

Remote bug watches

	Status	Importance	Assigned to
linux (Ubuntu)	Fix Released	Medium	Tyler Hicks
Bionic	Fix Released	Medium	Tyler Hicks
Cosmic	Fix Released	Medium	Tyler Hicks
Disco	Fix Released	Medium	Tyler Hicks

Ubuntulinux package

Overlayfs in user namespace leaks directory content of inaccessible directories

Bug Description

CVE References

Other bug subscribers

Patches

Bug attachments

Remote bug watches

Ubuntu
linux package