Ubuntu
linux package

[Bionic] i915 incomplete fix for CVE-2019-14615

Bug #1862840 reported by Tyler Hicks on 2020-02-11

260

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	linux (Ubuntu)	Invalid	High	Tyler Hicks
	Bionic	Fix Released	High	Tyler Hicks

Bug Description

[Impact]

Gregory Herrero reported that the proof-of-concept for CVE-2019-14615 indicates that the information leak is not fixed in the Bionic 4.15 kernel as indicated by USN-4255-1:

https://usn.ubuntu.com/4255-1/

This only affects Ubuntu's 4.15 kernel series. Xenial (4.4), Disco (5.0), Eoan (5.3), and Focal (5.4) are not affected by this incomplete fix issue.

I've verified this by testing each Ubuntu release with the proof-of-concept. I then tested vanilla 4.15 with commit bc8a76a152c5 ("drm/i915/gen9: Clear residual context state on context switch") applied, which is the fix for CVE-2019-14615, and verified that the proof-of-concept showed that the info leak was still possible. I then tested vanilla 4.16 with commit bc8a76a152c5 applied to verify that the proof-of-concept showed that the info leak was fixed.

After bisecting changes to the DRM subsystem as well as the i915 driver, it looks like commit d2b4b97933f5 ("drm/i915: Record the default hw state after reset upon load") as well as its prerequisites are necessary to fully fix CVE-2019-14615 in 4.15 based kernels.

[Test Case]

A proof-of-concept for CVE-2019-14615 became available once the issue was made public. It can be found here:

https://github.com/HE-Wenjian/iGPU-Leak

Steps to use the proof-of-concept:

$ git clone https://github.com/HE-Wenjian/iGPU-Leak.git

# In one terminal
$ cd iGPU-Leak/demo/SLM_Leak/
$ ./run_victim.sh

# In another terminal
$ cd iGPU-Leak/demo/SLM_Leak/
$ ./run_attacker.sh

# In the terminal running run_attacker.sh, ensure that all data dumped
# to the terminal is zeros and that there is no non-zero data. You'll
# have to closely monitor the script for a minute or so to ensure that
# the information leak is not possible.

[Regression Potential]

High as the changes are complex in comparison to the typical SRU. However, the bulk of the change is to the initialization stages of the driver and we're just pulling back changes that landed in 4.16-rc1 to our 4.15 kernel. I don't see any later Fixes tags that reference the needed commits.

See original description

Tags:

CVE References

Tyler Hicks (tyhicks) on 2020-02-11

Changed in linux (Ubuntu Bionic):
status:	New → In Progress
importance:	Undecided → High
assignee:	nobody → Tyler Hicks (tyhicks)
Changed in linux (Ubuntu):
status:	In Progress → Invalid
description:	updated

Tyler Hicks (tyhicks) on 2020-02-11

description:

updated

Revision history for this message

Seth Arnold (seth-arnold) wrote on 2020-02-11:

Please use CVE-2020-8832 for this issue. Thanks.

Revision history for this message

Tyler Hicks (tyhicks) wrote on 2020-02-11:

I've pushed a set of proposed backports which prevents the information leak when running the proof-of-concept code:

https://git.launchpad.net/~tyhicks/ubuntu/+source/linux/+git/bionic/log/?h=cves/CVE-2020-8832

Tyler Hicks (tyhicks) on 2020-02-13

description:

updated

Revision history for this message

Tyler Hicks (tyhicks) wrote on 2020-02-13:

Submission to the Ubuntu kernel-team list:

https://lists.ubuntu.com/archives/kernel-team/2020-February/107444.html

Khaled El Mously (kmously) on 2020-02-14

Changed in linux (Ubuntu Bionic):
status:	In Progress → Fix Committed

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2020-02-17:

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: verification-needed-bionic

Revision history for this message

Tyler Hicks (tyhicks) wrote on 2020-02-18:

I've verified that the proof-of-concept does not show an information leak when running 4.15.0-89.89-generic.

tags:

added: verification-done-bionic
removed: verification-needed-bionic

Revision history for this message

Launchpad Janitor (janitor) wrote on 2020-03-16:

Download full text (44.4 KiB)

This bug was fixed in the package linux - 4.15.0-91.92

---------------
linux (4.15.0-91.92) bionic; urgency=medium

* bionic/linux: 4.15.0-91.92 -proposed tracker (LP: #1865109)

  * CVE-2020-2732
    - KVM: x86: emulate RDPID
    - KVM: nVMX: Don't emulate instructions in guest mode
    - KVM: nVMX: Refactor IO bitmap checks into helper function
    - KVM: nVMX: Check IO instruction VM-exit conditions

linux (4.15.0-90.91) bionic; urgency=medium

* bionic/linux: 4.15.0-90.91 -proposed tracker (LP: #1864753)

  * dkms artifacts may expire from the pool (LP: #1850958)
    - [Packaging] autoreconstruct -- manage executable debian files
    - [packaging] handle downloads from the librarian better

linux (4.15.0-90.90) bionic; urgency=medium

* bionic/linux: 4.15.0-90.90 -proposed tracker (LP: #1864753)

* vm-segv from ubuntu_stress_smoke_test failed on B (LP: #1864063)
- Revert "apparmor: don't try to replace stale label in ptrace access check"

linux (4.15.0-89.89) bionic; urgency=medium

* bionic/linux: 4.15.0-89.89 -proposed tracker (LP: #1863350)

  * [SRU][B/OEM-B] Fix multitouch support on some devices (LP: #1862567)
    - HID: core: move the dynamic quirks handling in core
    - HID: quirks: move the list of special devices into a quirk
    - HID: core: move the list of ignored devices in hid-quirks.c
    - HID: core: remove the absolute need of hid_have_special_driver[]

* [linux] Patch to prevent possible data corruption (LP: #1848739)
- blk-mq: silence false positive warnings in hctx_unlock()

  * Add bpftool to linux-tools-common (LP: #1774815)
    - tools/bpftool: fix bpftool build with bintutils >= 2.9
    - bpftool: make libbfd optional
    - [Debian] Remove binutils-dev build dependency
    - [Debian] package bpftool in linux-tools-common

  * Root can lift kernel lockdown via USB/IP (LP: #1861238)
    - Revert "UBUNTU: SAUCE: (efi-lockdown) Add a SysRq option to lift kernel
      lockdown"

  * [Bionic] i915 incomplete fix for CVE-2019-14615 (LP: #1862840) //
    CVE-2020-8832
    - drm/i915: Use same test for eviction and submitting kernel context
    - drm/i915: Define an engine class enum for the uABI
    - drm/i915: Force the switch to the i915->kernel_context
    - drm/i915: Move GT powersaving init to i915_gem_init()
    - drm/i915: Move intel_init_clock_gating() to i915_gem_init()
    - drm/i915: Inline intel_modeset_gem_init()
    - drm/i915: Mark the context state as dirty/written
    - drm/i915: Record the default hw state after reset upon load

This bug was fixed in the package linux - 4.15.0-91.92

---------------
linux (4.15.0-91.92) bionic; urgency=medium

* bionic/linux: 4.15.0-91.92 -proposed tracker (LP: #1865109)

linux (4.15.0-90.91) bionic; urgency=medium

* bionic/linux: 4.15.0-90.91 -proposed tracker (LP: #1864753)

* dkms artifacts may expire from the pool (LP: #1850958)
    - [Packaging] autoreconstruct -- manage executable debian files
    - [packaging] handle downloads from the librarian better

linux (4.15.0-90.90) bionic; urgency=medium

* bionic/linux: 4.15.0-90.90 -proposed tracker (LP: #1864753)

* vm-segv from ubuntu_stress_smoke_test failed on B (LP: #1864063)
    - Revert "apparmor: don't try to replace stale label in ptrace access check"

linux (4.15.0-89.89) bionic; urgency=medium

* bionic/linux: 4.15.0-89.89 -proposed tracker (LP: #1863350)

* [linux] Patch to prevent possible data corruption (LP: #1848739)
    - blk-mq: silence false positive warnings in hctx_unlock()

* Root can lift kernel lockdown via USB/IP (LP: #1861238)
    - Revert "UBUNTU: SAUCE: (efi-lockdown) Add a SysRq option to lift kernel
      lockdown"

* Bionic update: upstream stable patchset 2020-02-12 (LP: #1863019)
    - xfs: Sanity check flags of Q_XQUOTARM call
    - mfd: intel-lpss: Add default I2C device properties for Gemini Lake
    - powerpc/archrandom: fix arch_get_random_seed_int()
    - tipc: fix wrong timeout input for tipc_wait_for_cond()
    - mt7601u: fix bbp version check in mt7601u_wait_bbp_ready
    - crypto: sun4i-ss - fix big endian issues
    - drm/sti: do not remove the drm_bridge that was never added
    - drm/virtio: fix bounds check in virtio_gpu_cmd_get_capset()
    - ALSA: hda: fix unused variable warning
    - apparmor: don't try to replace stale label in ptrace access check
    - PCI: iproc: Remove PAXC slot check to allow VF support
    - drm/hisilicon: hibmc: Don't overwrite fb helper surface depth
    - IB/rxe: replace kvfree with vfree
    - IB/hfi1: Add mtu check for operational data VLs
    - ALSA: usb-audio: update quirk for B&W PX to remove microphone
    - staging: comedi: ni_mio_common: protect register write overflow
    - pwm: lpss: Release runtime-pm reference from the driver's remove callback
    - drm/sun4i: hdmi: Fix double flag assignation
    - mlxsw: reg: QEEC: Add minimum shaper fields
    - NTB: ntb_hw_idt: replace IS_ERR_OR_NULL with regular NULL checks
    - pcrypt: use format specifier in kobject_add
    - exportfs: fix 'passing zero to ERR_PTR()' warning
    - drm/dp_mst: Skip validating ports during destruction, just ref
    - net: phy: Fix not to call phy_resume() if PHY is not attached
    - IB/rxe: Fix incorrect cache cleanup in error flow
    - staging: bcm2835-camera: Abort probe if there is no camera
    - switchtec: Remove immediate status check after submitting MRPC command
    - pinctrl: sh-pfc: r8a7740: Add missing REF125CK pin to gether_gmii group
    - pinctrl: sh-pfc: r8a7740: Add missing LCD0 marks to lcd0_data24_1 group
    - pinctrl: sh-pfc: r8a7791: Remove bogus ctrl marks from qspi_data4_b group
    - pinctrl: sh-pfc: r8a7791: Remove bogus marks from vin1_b_data18 group
    - pinctrl: sh-pfc: sh73a0: Add missing TO pin to tpu4_to3 group
    - pinctrl: sh-pfc: r8a7794: Remove bogus IPSR9 field
    - pinctrl: sh-pfc: sh7734: Add missing IPSR11 field
    - pinctrl: sh-pfc: r8a77995: Remove bogus SEL_PWM[0-3]_3 configurations
    - pinctrl: sh-pfc: sh7269: Add missing PCIOR0 field
    - pinctrl: sh-pfc: sh7734: Remove bogus IPSR10 value
    - vxlan: changelink: Fix handling of default remotes
    - Input: nomadik-ske-keypad - fix a loop timeout test
    - clk: highbank: fix refcount leak in hb_clk_init()
    - clk: qoriq: fix refcount leak in clockgen_init()
    - clk: socfpga: fix refcount leak
    - clk: samsung: exynos4: fix refcount leak in exynos4_get_xom()
    - clk: imx6q: fix refcount leak in imx6q_clocks_init()
    - clk: imx6sx: fix refcount leak in imx6sx_clocks_init()
    - clk: imx7d: fix refcount leak in imx7d_clocks_init()
    - clk: vf610: fix refcount leak in vf610_clocks_init()
    - clk: armada-370: fix refcount leak in a370_clk_init()
    - clk: kirkwood: fix refcount leak in kirkwood_clk_init()
    - clk: armada-xp: fix refcount leak in axp_clk_init()
    - clk: mv98dx3236: fix refcount leak in mv98dx3236_clk_init()
    - clk: dove: fix refcount leak in dove_clk_init()
    - MIPS: BCM63XX: drop unused and broken DSP platform device
    - IB/usnic: Fix out of bounds index check in query pkey
    - RDMA/ocrdma: Fix out of bounds index check in query pkey
    - RDMA/qedr: Fix out of bounds index check in query pkey
    - drm/shmob: Fix return value check in shmob_drm_probe
    - arm64: dts: apq8016-sbc: Increase load on l11 for SDCARD
    - spi: cadence: Correct initialisation of runtime PM
    - RDMA/iw_cxgb4: Fix the unchecked ep dereference
    - drm/etnaviv: NULL vs IS_ERR() buf in etnaviv_core_dump()
    - media: s5p-jpeg: Correct step and max values for
      V4L2_CID_JPEG_RESTART_INTERVAL
    - kbuild: mark prepare0 as PHONY to fix external module build
    - crypto: brcm - Fix some set-but-not-used warning
    - crypto: tgr192 - fix unaligned memory access
    - ASoC: imx-sgtl5000: put of nodes if finding codec fails
    - IB/iser: Pass the correct number of entries for dma mapped SGL
    - rtc: cmos: ignore bogus century byte
    - spi/topcliff_pch: Fix potential NULL dereference on allocation error
    - clk: sunxi-ng: sun8i-a23: Enable PLL-MIPI LDOs when ungating it
    - iwlwifi: mvm: avoid possible access out of array.
    - net/mlx5: Take lock with IRQs disabled to avoid deadlock
    - iwlwifi: mvm: fix A-MPDU reference assignment
    - tty: ipwireless: Fix potential NULL pointer dereference
    - driver: uio: fix possible memory leak in __uio_register_device
    - driver: uio: fix possible use-after-free in __uio_register_device
    - crypto: crypto4xx - Fix wrong ppc4xx_trng_probe()/ppc4xx_trng_remove()
      arguments
    - driver core: Do not resume suppliers under device_links_write_lock()
    - ARM: dts: lpc32xx: add required clocks property to keypad device node
    - ARM: dts: lpc32xx: reparent keypad controller to SIC1
    - ARM: dts: lpc32xx: fix ARM PrimeCell LCD controller variant
    - ARM: dts: lpc32xx: fix ARM PrimeCell LCD controller clocks property
    - ARM: dts: lpc32xx: phy3250: fix SD card regulator voltage
    - iwlwifi: mvm: fix RSS config command
    - staging: most: cdev: add missing check for cdev_add failure
    - rtc: ds1672: fix unintended sign extension
    - thermal: mediatek: fix register index error
    - net: phy: fixed_phy: Fix fixed_phy not checking GPIO
    - rtc: ds1307: rx8130: Fix alarm handling
    - rtc: 88pm860x: fix unintended sign extension
    - rtc: 88pm80x: fix unintended sign extension
    - rtc: pm8xxx: fix unintended sign extension
    - fbdev: chipsfb: remove set but not used variable 'size'
    - iw_cxgb4: use tos when importing the endpoint
    - iw_cxgb4: use tos when finding ipv6 routes
    - drm/etnaviv: potential NULL dereference
    - pinctrl: sh-pfc: emev2: Add missing pinmux functions
    - pinctrl: sh-pfc: r8a7791: Fix scifb2_data_c pin group
    - pinctrl: sh-pfc: r8a7792: Fix vin1_data18_b pin group
    - pinctrl: sh-pfc: sh73a0: Fix fsic_spdif pin groups
    - PCI: endpoint: functions: Use memcpy_fromio()/memcpy_toio()
    - usb: phy: twl6030-usb: fix possible use-after-free on remove
    - block: don't use bio->bi_vcnt to figure out segment number
    - keys: Timestamp new keys
    - vfio_pci: Enable memory accesses before calling pci_map_rom
    - hwmon: (pmbus/tps53679) Fix driver info initialization in probe routine
    - KVM: PPC: Release all hardware TCE tables attached to a group
    - staging: r8822be: check kzalloc return or bail
    - dmaengine: mv_xor: Use correct device for DMA API
    - cdc-wdm: pass return value of recover_from_urb_loss
    - regulator: pv88060: Fix array out-of-bounds access
    - regulator: pv88080: Fix array out-of-bounds access
    - regulator: pv88090: Fix array out-of-bounds access
    - net: dsa: qca8k: Enable delay for RGMII_ID mode
    - drm/nouveau/bios/ramcfg: fix missing parentheses when calculating RON
    - drm/nouveau/pmu: don't print reply values if exec is false
    - ASoC: qcom: Fix of-node refcount unbalance in apq8016_sbc_parse_of()
    - fs/nfs: Fix nfs_parse_devname to not modify it's argument
    - staging: rtlwifi: Use proper enum for return in halmac_parse_psd_data_88xx
    - powerpc/64s: Fix logic when handling unknown CPU features
    - NFS: Fix a soft lockup in the delegation recovery code
    - clocksource/drivers/sun5i: Fail gracefully when clock rate is unavailable
    - clocksource/drivers/exynos_mct: Fix error path in timer resources
      initialization
    - platform/x86: wmi: fix potential null pointer dereference
    - NFS/pnfs: Bulk destroy of layouts needs to be safe w.r.t. umount
    - mmc: sdhci-brcmstb: handle mmc_of_parse() errors during probe
    - ARM: 8847/1: pm: fix HYP/SVC mode mismatch when MCPM is used
    - ARM: 8848/1: virt: Align GIC version check with arm64 counterpart
    - regulator: wm831x-dcdc: Fix list of wm831x_dcdc_ilim from mA to uA
    - netfilter: nft_set_hash: fix lookups with fixed size hash on big endian
    - NFSv4/flexfiles: Fix invalid deref in FF_LAYOUT_DEVID_NODE()
    - net: aquantia: fixed instack structure overflow
    - powerpc/mm: Check secondary hash page table
    - nios2: ksyms: Add missing symbol exports
    - x86/mm: Remove unused variable 'cpu'
    - scsi: megaraid_sas: reduce module load time
    - drivers/rapidio/rio_cm.c: fix potential oops in riocm_ch_listen()
    - xen, cpu_hotplug: Prevent an out of bounds access
    - net: sh_eth: fix a missing check of of_get_phy_mode
    - regulator: lp87565: Fix missing register for LP87565_BUCK_0
    - media: ivtv: update *pos correctly in ivtv_read_pos()
    - media: cx18: update *pos correctly in cx18_read_pos()
    - media: wl128x: Fix an error code in fm_download_firmware()
    - media: cx23885: check allocation return
    - regulator: tps65086: Fix tps65086_ldoa1_ranges for selector 0xB
    - jfs: fix bogus variable self-initialization
    - tipc: tipc clang warning
    - m68k: mac: Fix VIA timer counter accesses
    - arm64: dts: allwinner: a64: Add missing PIO clocks
    - ARM: OMAP2+: Fix potentially uninitialized return value for _setup_reset()
    - media: davinci-isif: avoid uninitialized variable use
    - media: tw5864: Fix possible NULL pointer dereference in tw5864_handle_frame
    - spi: tegra114: clear packed bit for unpacked mode
    - spi: tegra114: fix for unpacked mode transfers
    - spi: tegra114: terminate dma and reset on transfer timeout
    - spi: tegra114: flush fifos
    - spi: tegra114: configure dma burst size to fifo trig level
    - soc/fsl/qe: Fix an error code in qe_pin_request()
    - spi: bcm2835aux: fix driver to not allow 65535 (=-1) cs-gpios
    - ehea: Fix a copy-paste err in ehea_init_port_res
    - scsi: qla2xxx: Unregister chrdev if module initialization fails
    - scsi: target/core: Fix a race condition in the LUN lookup code
    - ARM: pxa: ssp: Fix "WARNING: invalid free of devm_ allocated data"
    - net: hns3: fix for vport->bw_limit overflow problem
    - hwmon: (w83627hf) Use request_muxed_region for Super-IO accesses
    - platform/x86: alienware-wmi: fix kfree on potentially uninitialized pointer
    - tipc: set sysctl_tipc_rmem and named_timeout right range
    - selftests/ipc: Fix msgque compiler warnings
    - powerpc: vdso: Make vdso32 installation conditional in vdso_install
    - ARM: dts: ls1021: Fix SGMII PCS link remaining down after PHY disconnect
    - media: ov2659: fix unbalanced mutex_lock/unlock
    - 6lowpan: Off by one handling ->nexthdr
    - dmaengine: axi-dmac: Don't check the number of frames for alignment
    - ALSA: usb-audio: Handle the error from snd_usb_mixer_apply_create_quirk()
    - NFS: Don't interrupt file writeout due to fatal errors
    - irqchip/gic-v3-its: fix some definitions of inner cacheability attributes
    - scsi: qla2xxx: Fix a format specifier
    - scsi: qla2xxx: Avoid that qlt_send_resp_ctio() corrupts memory
    - packet: in recvmsg msg_name return at least sizeof sockaddr_ll
    - ASoC: fix valid stream condition
    - usb: gadget: fsl: fix link error against usb-gadget module
    - dwc2: gadget: Fix completed transfer size calculation in DDMA
    - IB/mlx5: Add missing XRC options to QP optional params mask
    - iommu/vt-d: Make kernel parameter igfx_off work with vIOMMU
    - dmaengine: tegra210-adma: restore channel status
    - mmc: core: fix possible use after free of host
    - lightnvm: pblk: fix lock order in pblk_rb_tear_down_check
    - afs: Fix the afs.cell and afs.volume xattr handlers
    - vfio/mdev: Avoid release parent reference during error path
    - vfio/mdev: Fix aborting mdev child device removal if one fails
    - l2tp: Fix possible NULL pointer dereference
    - media: omap_vout: potential buffer overflow in vidioc_dqbuf()
    - media: davinci/vpbe: array underflow in vpbe_enum_outputs()
    - platform/x86: alienware-wmi: printing the wrong error code
    - crypto: caam - fix caam_dump_sg that iterates through scatterlist
    - netfilter: ebtables: CONFIG_COMPAT: reject trailing data after last rule
    - pwm: meson: Consider 128 a valid pre-divider
    - pwm: meson: Don't disable PWM when setting duty repeatedly
    - ARM: riscpc: fix lack of keyboard interrupts after irq conversion
    - kdb: do a sanity check on the cpu in kdb_per_cpu()
    - backlight: lm3630a: Return 0 on success in update_status functions
    - thermal: cpu_cooling: Actually trace CPU load in thermal_power_cpu_get_power
    - EDAC/mc: Fix edac_mc_find() in case no device is found
    - ARM: dts: sun8i-h3: Fix wifi in Beelink X2 DT
    - dmaengine: tegra210-adma: Fix crash during probe
    - arm64: dts: meson: libretech-cc: set eMMC as removable
    - RDMA/qedr: Fix incorrect device rate.
    - spi: spi-fsl-spi: call spi_finalize_current_message() at the end
    - crypto: ccp - fix AES CFB error exposed by new test vectors
    - crypto: ccp - Fix 3DES complaint from ccp-crypto module
    - serial: stm32: fix rx error handling
    - serial: stm32: fix transmit_chars when tx is stopped
    - serial: stm32: Add support of TC bit status check
    - serial: stm32: fix wakeup source initialization
    - misc: sgi-xp: Properly initialize buf in xpc_get_rsvd_page_pa
    - iommu: Use right function to get group for device
    - signal/cifs: Fix cifs_put_tcp_session to call send_sig instead of force_sig
    - inet: frags: call inet_frags_fini() after unregister_pernet_subsys()
    - netvsc: unshare skb in VF rx handler
    - cpufreq: brcmstb-avs-cpufreq: Fix initial command check
    - cpufreq: brcmstb-avs-cpufreq: Fix types for voltage/frequency
    - media: vivid: fix incorrect assignment operation when setting video mode
    - mpls: fix warning with multi-label encap
    - iommu/vt-d: Duplicate iommu_resv_region objects per device list
    - qed: iWARP - Use READ_ONCE and smp_store_release to access ep->state
    - powerpc/cacheinfo: add cacheinfo_teardown, cacheinfo_rebuild
    - powerpc/pseries/mobility: rebuild cacheinfo hierarchy post-migration
    - drm/msm/mdp5: Fix mdp5_cfg_init error return
    - net: netem: fix backlog accounting for corrupted GSO frames
    - net/af_iucv: always register net_device notifier
    - ASoC: ti: davinci-mcasp: Fix slot mask settings when using multiple AXRs
    - rtc: pcf8563: Fix interrupt trigger method
    - rtc: pcf8563: Clear event flags and disable interrupts before requesting irq
    - drm/msm/a3xx: remove TPL1 regs from snapshot
    - perf/ioctl: Add check for the sample_period value
    - dmaengine: hsu: Revert "set HSU_CH_MTSR to memory width"
    - clk: qcom: Fix -Wunused-const-variable
    - nvmem: imx-ocotp: Ensure WAIT bits are preserved when setting timing
    - bnxt_en: Fix ethtool selftest crash under error conditions.
    - iommu/amd: Make iommu_disable safer
    - mfd: intel-lpss: Release IDA resources
    - rxrpc: Fix uninitialized error code in rxrpc_send_data_packet()
    - devres: allow const resource arguments
    - net: pasemi: fix an use-after-free in pasemi_mac_phy_init()
    - scsi: libfc: fix null pointer dereference on a null lport
    - clk: sunxi-ng: v3s: add the missing PLL_DDR1
    - PM: sleep: Fix possible overflow in pm_system_cancel_wakeup()
    - libertas_tf: Use correct channel range in lbtf_geo_init
    - qed: reduce maximum stack frame size
    - usb: host: xhci-hub: fix extra endianness conversion
    - mic: avoid statically declaring a 'struct device'.
    - x86/kgbd: Use NMI_VECTOR not APIC_DM_NMI
    - crypto: ccp - Reduce maximum stack usage
    - ALSA: aoa: onyx: always initialize register read value
    - tipc: reduce risk of wakeup queue starvation
    - ARM: dts: stm32: add missing vdda-supply to adc on stm32h743i-eval
    - net/mlx5: Fix mlx5_ifc_query_lag_out_bits
    - cifs: fix rmmod regression in cifs.ko caused by force_sig changes
    - crypto: caam - free resources in case caam_rng registration failed
    - ext4: set error return correctly when ext4_htree_store_dirent fails
    - ASoC: es8328: Fix copy-paste error in es8328_right_line_controls
    - ASoC: cs4349: Use PM ops 'cs4349_runtime_pm'
    - ASoC: wm8737: Fix copy-paste error in wm8737_snd_controls
    - net/rds: Add a few missing rds_stat_names entries
    - bnxt_en: Fix handling FRAG_ERR when NVM_INSTALL_UPDATE cmd fails
    - signal: Allow cifs and drbd to receive their terminating signals
    - ASoC: sun4i-i2s: RX and TX counter registers are swapped
    - dmaengine: dw: platform: Switch to acpi_dma_controller_register()
    - mac80211: minstrel_ht: fix per-group max throughput rate initialization
    - media: atmel: atmel-isi: fix timeout value for stop streaming
    - rtc: pcf2127: bugfix: read rtc disables watchdog
    - mips: avoid explicit UB in assignment of mips_io_port_base
    - iommu/mediatek: Fix iova_to_phys PA start for 4GB mode
    - ahci: Do not export local variable ahci_em_messages
    - Partially revert "kfifo: fix kfifo_alloc() and kfifo_init()"
    - hwmon: (lm75) Fix write operations for negative temperatures
    - power: supply: Init device wakeup after device_add()
    - x86, perf: Fix the dependency of the x86 insn decoder selftest
    - staging: greybus: light: fix a couple double frees
    - irqdomain: Add the missing assignment of domain->fwnode for named fwnode
    - bcma: fix incorrect update of BCMA_CORE_PCI_MDIO_DATA
    - iio: dac: ad5380: fix incorrect assignment to val
    - ath9k: dynack: fix possible deadlock in ath_dynack_node_{de}init
    - tty: serial: fsl_lpuart: Use appropriate lpuart32_* I/O funcs
    - net: sonic: return NETDEV_TX_OK if failed to map buffer
    - scsi: fnic: fix msix interrupt allocation
    - Btrfs: fix hang when loading existing inode cache off disk
    - Btrfs: fix inode cache waiters hanging on failure to start caching thread
    - Btrfs: fix inode cache waiters hanging on path allocation failure
    - btrfs: use correct count in btrfs_file_write_iter()
    - ixgbe: sync the first fragment unconditionally
    - hwmon: (shtc1) fix shtc1 and shtw1 id mask
    - net: sonic: replace dev_kfree_skb in sonic_send_packet
    - pinctrl: iproc-gpio: Fix incorrect pinconf configurations
    - ath10k: adjust skb length in ath10k_sdio_mbox_rx_packet
    - RDMA/cma: Fix false error message
    - net/rds: Fix 'ib_evt_handler_call' element in 'rds_ib_stat_names'
    - iommu/amd: Wait for completion of IOTLB flush in attach_device
    - net: aquantia: Fix aq_vec_isr_legacy() return value
    - net: hisilicon: Fix signedness bug in hix5hd2_dev_probe()
    - net: broadcom/bcmsysport: Fix signedness in bcm_sysport_probe()
    - net: stmmac: dwmac-meson8b: Fix signedness bug in probe
    - net: axienet: fix a signedness bug in probe
    - of: mdio: Fix a signedness bug in of_phy_get_and_connect()
    - net: ethernet: stmmac: Fix signedness bug in ipq806x_gmac_of_parse()
    - nvme: retain split access workaround for capability reads
    - net: stmmac: gmac4+: Not all Unicast addresses may be available
    - mac80211: accept deauth frames in IBSS mode
    - llc: fix another potential sk_buff leak in llc_ui_sendmsg()
    - llc: fix sk_buff refcounting in llc_conn_state_process()
    - net: stmmac: fix length of PTP clock's name string
    - act_mirred: Fix mirred_init_module error handling
    - net: avoid possible false sharing in sk_leave_memory_pressure()
    - net: add {READ|WRITE}_ONCE() annotations on ->rskq_accept_head
    - tcp: annotate lockless access to tcp_memory_pressure
    - drm/msm/dsi: Implement reset correctly
    - dmaengine: imx-sdma: fix size check for sdma script_number
    - net: netem: fix error path for corrupted GSO frames
    - net: netem: correct the parent's backlog when corrupted packet was dropped
    - net: qca_spi: Move reset_count to struct qcaspi
    - afs: Fix large file support
    - MIPS: Loongson: Fix return value of loongson_hwmon_init
    - hv_netvsc: flag software created hash value
    - net: neigh: use long type to store jiffies delta
    - packet: fix data-race in fanout_flow_is_huge()
    - mmc: sdio: fix wl1251 vendor id
    - mmc: core: fix wl1251 sdio quirks
    - affs: fix a memory leak in affs_remount
    - dmaengine: ti: edma: fix missed failure handling
    - drm/radeon: fix bad DMA from INTERRUPT_CNTL2
    - arm64: dts: juno: Fix UART frequency
    - IB/iser: Fix dma_nents type definition
    - serial: stm32: fix clearing interrupt error flags
    - m68k: Call timer_interrupt() with interrupts disabled
    - SUNRPC: Fix svcauth_gss_proxy_init()
    - perf map: No need to adjust the long name of modules
    - ipmi: Fix memory leak in __ipmi_bmc_register
    - apparmor: Fix network performance issue in aa_label_sk_perm
    - firmware: coreboot: Let OF core populate platform device
    - bridge: br_arp_nd_proxy: set icmp6_router if neigh has NTF_ROUTER
    - signal/ia64: Use the generic force_sigsegv in setup_frame
    - ASoC: wm9712: fix unused variable warning
    - genirq/debugfs: Reinstate full OF path for domain name
    - usb: gadget: fsl_udc_core: check allocation return value and cleanup on
      failure
    - cfg80211: regulatory: make initialization more robust
    - net: socionext: Add dummy PHY register read in phy_write()
    - mlxsw: spectrum: Set minimum shaper on MC TCs
    - pinctrl: meson-gxl: remove invalid GPIOX tsin_a pins
    - drm: rcar-du: Fix vblank initialization
    - arm64: dts: meson-gx: Add hdmi_5v regulator as hdmi tx supply
    - IB/hfi1: Correctly process FECN and BECN in packets
    - OPP: Fix missing debugfs supply directory for OPPs
    - staging: bcm2835-camera: fix module autoloading
    - fork,memcg: fix crash in free_thread_stack on memcg charge fail
    - arm64: defconfig: Re-enable bcm2835-thermal driver
    - remoteproc: qcom: q6v5-mss: Add missing clocks for MSM8996
    - remoteproc: qcom: q6v5-mss: Add missing regulator for MSM8996
    - drm: Fix error handling in drm_legacy_addctx
    - ARM: dts: r8a7743: Remove generic compatible string from iic3
    - drm/etnaviv: fix some off by one bugs
    - fork, memcg: fix cached_stacks case
    - net: hns3: fix wrong combined count returned by ethtool -l
    - net: hns3: fix bug of ethtool_ops.get_channels for VF
    - ARM: dts: sun8i-a23-a33: Move NAND controller device node to sort by address
    - clk: ingenic: jz4740: Fix gating of UDC clock
    - ntb_hw_switchtec: NT req id mapping table register entry number should be
      512
    - net: dsa: b53: Fix default VLAN ID
    - net: dsa: b53: Properly account for VLAN filtering
    - net: dsa: b53: Do not program CPU port's PVID
    - drm/nouveau: fix missing break in switch statement
    - net: dsa: fix unintended change of bridge interface STP state
    - perf: Copy parent's address filter offsets on clone
    - netfilter: nft_set_hash: bogus element self comparison from deactivation
      path
    - iommu/vt-d: Fix NULL pointer reference in intel_svm_bind_mm()
    - NFS: Add missing encode / decode sequence_maxsz to v4.2 operations
    - ARM: dts: sun8i: a33: Reintroduce default pinctrl muxing
    - ARM: dts: sun9i: optimus: Fix fixed-regulators
    - bus: ti-sysc: Fix sysc_unprepare() when no clocks have been allocated
    - arm64/vdso: don't leak kernel addresses
    - rtc: mt6397: Don't call irq_dispose_mapping.
    - bpf: Add missed newline in verifier verbose log
    - ACPI: button: reinitialize button state upon resume
    - soc: amlogic: meson-gx-pwrc-vpu: Fix power on/off register bitmask
    - net: hns3: fix loop condition of hns3_get_tx_timeo_queue_info()
    - afs: Fix AFS file locking to allow fine grained locks
    - afs: Further fix file locking
    - scsi: qla2xxx: Fix error handling in qlt_alloc_qfull_cmd()
    - KVM: PPC: Book3S HV: Fix lockdep warning when entering the guest
    - vfio/mdev: Follow correct remove sequence
    - ALSA: aica: Fix a long-time build breakage
    - nfp: bpf: fix static check error through tightening shift amount adjustment
    - thermal: rcar_gen3_thermal: fix interrupt type
    - afs: Fix lock-wait/callback-break double locking
    - afs: Fix double inc of vnode->cb_break
    - clk: meson: gxbb: no spread spectrum on mpll0
    - serial: stm32: fix word length configuration
    - serial: stm32: fix rx data length when parity enabled
    - net: hns3: fix a memory leak issue for hclge_map_unmap_ring_to_vf_vector
    - crypto: talitos - fix AEAD processing.
    - net: don't clear sock->sk early to avoid trouble in strparser
    - crypto: inside-secure - fix zeroing of the request in ahash_exit_inv
    - arm64: dts: meson-gxm-khadas-vim2: fix gpio-keys-polled node
    - arm64: dts: meson-gxm-khadas-vim2: fix Bluetooth support
    - phy: usb: phy-brcm-usb: Remove sysfs attributes upon driver removal
    - qed: iWARP - fix uninitialized callback
    - IB/hfi1: Handle port down properly in pio
    - net/af_iucv: build proper skbs for HiperTransport
    - ARM: dts: iwg20d-q7-common: Fix SDHI1 VccQ regularor
    - ip6_fib: Don't discard nodes with valid routing information in
      fib6_locate_1()
    - nvmem: imx-ocotp: Change TIMING calculation to u-boot algorithm
    - fork,memcg: alloc_thread_stack_node needs to set tsk->stack
    - PM: ACPI/PCI: Resume all devices during hibernation
    - ACPI: PM: Simplify and fix PM domain hibernation callbacks
    - ACPI: PM: Introduce "poweroff" callbacks for ACPI PM domain and LPSS
    - drm/panel: make drm_panel.h self-contained
    - cxgb4: smt: Add lock for atomic_dec_and_test
    - powerpc/64s/radix: Fix memory hot-unplug page table split
    - rtc: rv3029: revert error handling patch to rv3029_eeprom_write()
    - i40e: reduce stack usage in i40e_set_fc
    - ARM: 8896/1: VDSO: Don't leak kernel addresses
    - rxrpc: Fix lack of conn cleanup when local endpoint is cleaned up [ver #2]
    - usb: typec: tps6598x: Fix build error without CONFIG_REGMAP_I2C
    - bcache: Fix an error code in bch_dump_read()
    - ARM: dts: aspeed-g5: Fixe gpio-ranges upper limit
    - net: hns3: fix error VF index when setting VLAN offload
    - mailbox: qcom-apcs: fix max_register value
    - powerpc/mm/mce: Keep irqs disabled during lockless page table walk
    - net: netsec: Fix signedness bug in netsec_probe()
    - s390/qeth: Fix error handling during VNICC initialization
    - s390/qeth: Fix initialization of vnicc cmd masks during set online
    - vhost/test: stop device before reset
    - arm64: hibernate: check pgd table allocation
    - afs: Fix missing timeout reset
    - hwrng: omap3-rom - Fix missing clock by probing with device tree
    - arm64: dts: meson-gxm-khadas-vim2: fix uart_A bluetooth node

* Bionic update: upstream stable patchset 2020-02-06 (LP: #1862259)
    - dt-bindings: reset: meson8b: fix duplicate reset IDs
    - clk: Don't try to enable critical clocks if prepare failed
    - ASoC: msm8916-wcd-analog: Fix selected events for MIC BIAS External1
    - ALSA: seq: Fix racy access for queue timer in proc read
    - Fix built-in early-load Intel microcode alignment
    - block: fix an integer overflow in logical block size
    - ARM: dts: am571x-idk: Fix gpios property to have the correct gpio number
    - iio: buffer: align the size of scan bytes to size of the largest element
    - USB: serial: simple: Add Motorola Solutions TETRA MTP3xxx and MTP85xx
    - USB: serial: option: Add support for Quectel RM500Q
    - USB: serial: opticon: fix control-message timeouts
    - USB: serial: option: add support for Quectel RM500Q in QDL mode
    - USB: serial: suppress driver bind attributes
    - USB: serial: ch341: handle unbound port at reset_resume
    - USB: serial: io_edgeport: add missing active-port sanity check
    - USB: serial: keyspan: handle unbound ports
    - USB: serial: quatech2: handle unbound ports
    - scsi: fnic: fix invalid stack access
    - scsi: mptfusion: Fix double fetch bug in ioctl
    - ptrace: reintroduce usage of subjective credentials in ptrace_has_cap()
    - usb: core: hub: Improved device recognition on remote wakeup
    - x86/resctrl: Fix an imbalance in domain_remove_cpu()
    - x86/efistub: Disable paging at mixed mode entry
    - perf hists: Fix variable name's inconsistency in hists__for_each() macro
    - perf report: Fix incorrectly added dimensions as switch perf data file
    - mm/shmem.c: thp, shmem: fix conflict of above-47bit hint address and PMD
      alignment
    - btrfs: fix memory leak in qgroup accounting
    - mm/page-writeback.c: avoid potential division by zero in wb_min_max_ratio()
    - net: stmmac: 16KB buffer must be 16 byte aligned
    - net: stmmac: Enable 16KB buffer size
    - USB: serial: io_edgeport: use irqsave() in USB's complete callback
    - USB: serial: io_edgeport: handle unbound ports on URB completion
    - mm/huge_memory.c: make __thp_get_unmapped_area static
    - mm/huge_memory.c: thp: fix conflict of above-47bit hint address and PMD
      alignment
    - arm64: dts: agilex/stratix10: fix pmu interrupt numbers
    - cfg80211: fix page refcount issue in A-MSDU decap
    - netfilter: fix a use-after-free in mtype_destroy()
    - netfilter: arp_tables: init netns pointer in xt_tgdtor_param struct
    - NFC: pn533: fix bulk-message timeout
    - batman-adv: Fix DAT candidate selection on little endian systems
    - macvlan: use skb_reset_mac_header() in macvlan_queue_xmit()
    - hv_netvsc: Fix memory leak when removing rndis device
    - net: dsa: tag_qca: fix doubled Tx statistics
    - net: hns: fix soft lockup when there is not enough memory
    - net: usb: lan78xx: limit size of local TSO packets
    - net/wan/fsl_ucc_hdlc: fix out of bounds write on array utdm_info
    - ptp: free ptp device pin descriptors properly
    - r8152: add missing endpoint sanity check
    - tcp: fix marked lost packets not being retransmitted
    - xen/blkfront: Adjust indentation in xlvbd_alloc_gendisk
    - cw1200: Fix a signedness bug in cw1200_load_firmware()
    - arm64: dts: meson-gxl-s905x-khadas-vim: fix gpio-keys-polled node
    - cfg80211: check for set_wiphy_params
    - tick/sched: Annotate lockless access to last_jiffies_update
    - Revert "arm64: dts: juno: add dma-ranges property"
    - reiserfs: fix handling of -EOPNOTSUPP in reiserfs_for_each_xattr
    - scsi: esas2r: unlock on error in esas2r_nvram_read_direct()
    - scsi: qla4xxx: fix double free bug
    - scsi: bnx2i: fix potential use after free
    - scsi: target: core: Fix a pr_debug() argument
    - scsi: qla2xxx: Fix qla2x00_request_irqs() for MSI
    - scsi: qla2xxx: fix rports not being mark as lost in sync fabric scan
    - scsi: core: scsi_trace: Use get_unaligned_be*()
    - perf probe: Fix wrong address verification
    - regulator: ab8500: Remove SYSCLKREQ from enum ab8505_regulator_id
    - ARM: dts: meson8: fix the size of the PMU registers
    - LSM: generalize flag passing to security_capable
    - drm/i915: Add missing include file <linux/math64.h>
    - btrfs: do not delete mismatched root refs
    - ARM: dts: imx6qdl: Add Engicam i.Core 1.5 MX6
    - ARM: dts: imx7: Fix Toradex Colibri iMX7S 256MB NAND flash support
    - mlxsw: spectrum: Wipe xstats.backlog of down ports
    - tcp: refine rule to allow EPOLLOUT generation under mem pressure
    - mtd: devices: fix mchp23k256 read and write
    - drm/nouveau/bar/nv50: check bar1 vmm return value
    - drm/nouveau/bar/gf100: ensure BAR is mapped
    - drm/nouveau/mmu: qualify vmm during dtor

* Bionic update: upstream stable patchset 2020-02-04 (LP: #1861934)
    - chardev: Avoid potential use-after-free in 'chrdev_open()'
    - usb: chipidea: host: Disable port power only if previously enabled
    - ALSA: usb-audio: Apply the sample rate quirk for Bose Companion 5
    - ALSA: hda/realtek - Add new codec supported for ALCS1200A
    - ALSA: hda/realtek - Set EAPD control to default for ALC222
    - kernel/trace: Fix do not unregister tracepoints when register
      sched_migrate_task fail
    - tracing: Have stack tracer compile when MCOUNT_INSN_SIZE is not defined
    - HID: Fix slab-out-of-bounds read in hid_field_extract
    - HID: uhid: Fix returning EPOLLOUT from uhid_char_poll
    - can: gs_usb: gs_usb_probe(): use descriptors of current altsetting
    - can: mscan: mscan_rx_poll(): fix rx path lockup when returning from polling
      to irq mode
    - can: can_dropped_invalid_skb(): ensure an initialized headroom in outgoing
      CAN sk_buffs
    - gpiolib: acpi: Turn dmi_system_id table into a generic quirk table
    - gpiolib: acpi: Add honor_wakeup module-option + quirk mechanism
    - staging: vt6656: set usb_set_intfdata on driver fail.
    - USB: serial: option: add ZLP support for 0x1bc7/0x9010
    - usb: musb: fix idling for suspend after disconnect interrupt
    - usb: musb: Disable pullup at init
    - usb: musb: dma: Correct parameter passed to IRQ handler
    - staging: comedi: adv_pci1710: fix AI channels 16-31 for PCI-1713
    - HID: hid-input: clear unmapped usages
    - Input: add safety guards to input_set_keycode()
    - drm/fb-helper: Round up bits_per_pixel if possible
    - drm/dp_mst: correct the shifting in DP_REMOTE_I2C_READ
    - staging: rtl8188eu: Add device code for TP-Link TL-WN727N v5.21
    - tty: link tty and port before configuring it as console
    - tty: always relink the port
    - mwifiex: pcie: Fix memory leak in mwifiex_pcie_alloc_cmdrsp_buf
    - scsi: bfa: release allocated memory in case of error
    - rtl8xxxu: prevent leaking urb
    - arm64: cpufeature: Avoid warnings due to unused symbols
    - HID: hiddev: fix mess in hiddev_open()
    - USB: Fix: Don't skip endpoint descriptors with maxpacket=0
    - phy: cpcap-usb: Fix error path when no host driver is loaded
    - phy: cpcap-usb: Fix flakey host idling and enumerating of devices
    - netfilter: arp_tables: init netns pointer in xt_tgchk_param struct
    - netfilter: ipset: avoid null deref when IPSET_ATTR_LINENO is present
    - ALSA: hda/realtek - Add quirk for the bass speaker on Lenovo Yoga X1 7th gen
    - tracing: Change offset type to s32 in preempt/irq tracepoints
    - serdev: Don't claim unsupported ACPI serial devices
    - netfilter: conntrack: dccp, sctp: handle null timeout argument
    - hidraw: Return EPOLLOUT from hidraw_poll
    - HID: hidraw: Fix returning EPOLLOUT from hidraw_poll
    - HID: hidraw, uhid: Always report EPOLLOUT
    - ethtool: reduce stack usage with clang
    - fs/select: avoid clang stack usage warning
    - arm64: don't open code page table entry creation
    - arm64: mm: Change page table pointer name in p[md]_set_huge()
    - arm64: Enforce BBM for huge IO/VMAP mappings
    - arm64: Make sure permission updates happen for pmd/pud
    - media: usb:zr364xx:Fix KASAN:null-ptr-deref Read in zr364xx_vidioc_querycap
    - wimax: i2400: fix memory leak
    - wimax: i2400: Fix memory leak in i2400m_op_rfkill_sw_toggle
    - iwlwifi: dbg_ini: fix memory leak in alloc_sgtable
    - rtc: mt6397: fix alarm register overwrite
    - RDMA/bnxt_re: Fix Send Work Entry state check while polling completions
    - ASoC: stm32: spdifrx: fix inconsistent lock state
    - ASoC: stm32: spdifrx: fix race condition in irq handler
    - gpio: zynq: Fix for bug in zynq_gpio_restore_context API
    - iommu: Remove device link to group on failure
    - gpio: Fix error message on out-of-range GPIO in lookup table
    - hsr: reset network header when supervision frame is created
    - cifs: Adjust indentation in smb2_open_file
    - btrfs: simplify inode locking for RWF_NOWAIT
    - RDMA/mlx5: Return proper error value
    - RDMA/srpt: Report the SCSI residual to the initiator
    - scsi: enclosure: Fix stale device oops with hot replug
    - scsi: sd: Clear sdkp->protection_type if disk is reformatted without PI
    - platform/x86: asus-wmi: Fix keyboard brightness cannot be set to 0
    - xprtrdma: Fix completion wait during device removal
    - NFSv4.x: Drop the slot if nfs4_delegreturn_prepare waits for layoutreturn
    - iio: imu: adis16480: assign bias value only if operation succeeded
    - mei: fix modalias documentation
    - clk: samsung: exynos5420: Preserve CPU clocks configuration during
      suspend/resume
    - pinctl: ti: iodelay: fix error checking on pinctrl_count_index_with_args
      call
    - pinctrl: lewisburg: Update pin list according to v1.1v6
    - scsi: sd: enable compat ioctls for sed-opal
    - arm64: dts: apq8096-db820c: Increase load on l21 for SDCARD
    - af_unix: add compat_ioctl support
    - compat_ioctl: handle SIOCOUTQNSD
    - PCI/PTM: Remove spurious "d" from granularity message
    - powerpc/powernv: Disable native PCIe port management
    - tty: serial: imx: use the sg count from dma_map_sg
    - tty: serial: pch_uart: correct usage of dma_unmap_sg
    - media: ov6650: Fix incorrect use of JPEG colorspace
    - media: ov6650: Fix some format attributes not under control
    - media: ov6650: Fix .get_fmt() V4L2_SUBDEV_FORMAT_TRY support
    - media: exynos4-is: Fix recursive locking in isp_video_release()
    - mtd: spi-nor: fix silent truncation in spi_nor_read()
    - mtd: spi-nor: fix silent truncation in spi_nor_read_raw()
    - spi: atmel: fix handling of cs_change set on non-last xfer
    - rtlwifi: Remove unnecessary NULL check in rtl_regd_init
    - f2fs: fix potential overflow
    - rtc: msm6242: Fix reading of 10-hour digit
    - gpio: mpc8xxx: Add platform device to gpiochip->parent
    - scsi: libcxgbi: fix NULL pointer dereference in cxgbi_device_destroy()
    - rseq/selftests: Turn off timeout setting
    - mips: cacheinfo: report shared CPU map
    - MIPS: Prevent link failure with kcov instrumentation
    - dmaengine: k3dma: Avoid null pointer traversal
    - ioat: ioat_alloc_ring() failure handling.
    - hexagon: parenthesize registers in asm predicates
    - hexagon: work around compiler crash
    - ocfs2: call journal flush to mark journal as empty after journal recovery
      when mount
    - s390/qeth: Fix vnicc_is_in_use if rx_bcast not set
    - drm/ttm: fix start page for huge page check in ttm_put_pages()
    - drm/ttm: fix incrementing the page pointer for huge pages
    - crypto: virtio - implement missing support for output IVs
    - iommu/mediatek: Correct the flush_iotlb_all callback
    - rtc: brcmstb-waketimer: add missed clk_disable_unprepare

* Bionic update: upstream stable patchset 2020-02-03 (LP: #1861739)
    - USB: dummy-hcd: use usb_urb_dir_in instead of usb_pipein
    - USB: dummy-hcd: increase max number of devices to 32
    - locking/spinlock/debug: Fix various data races
    - netfilter: ctnetlink: netns exit must wait for callbacks
    - libtraceevent: Fix lib installation with O=
    - x86/efi: Update e820 with reserved EFI boot services data to fix kexec
      breakage
    - efi/gop: Return EFI_NOT_FOUND if there are no usable GOPs
    - efi/gop: Return EFI_SUCCESS if a usable GOP was found
    - efi/gop: Fix memory leak in __gop_query32/64()
    - ARM: vexpress: Set-up shared OPP table instead of individual for each CPU
    - netfilter: uapi: Avoid undefined left-shift in xt_sctp.h
    - netfilter: nf_tables: validate NFT_SET_ELEM_INTERVAL_END
    - ARM: dts: Cygnus: Fix MDIO node address/size cells
    - spi: spi-cavium-thunderx: Add missing pci_release_regions()
    - ASoC: topology: Check return value for soc_tplg_pcm_create()
    - ARM: dts: bcm283x: Fix critical trip point
    - bpf, mips: Limit to 33 tail calls
    - ARM: dts: am437x-gp/epos-evm: fix panel compatible
    - samples: bpf: Replace symbol compare of trace_event
    - samples: bpf: fix syscall_tp due to unused syscall
    - powerpc: Ensure that swiotlb buffer is allocated from low memory
    - bnx2x: Do not handle requests from VFs after parity
    - bnx2x: Fix logic to get total no. of PFs per engine
    - net: usb: lan78xx: Fix error message format specifier
    - rfkill: Fix incorrect check to avoid NULL pointer dereference
    - ASoC: wm8962: fix lambda value
    - regulator: rn5t618: fix module aliases
    - kconfig: don't crash on NULL expressions in expr_eq()
    - perf/x86/intel: Fix PT PMI handling
    - fs: avoid softlockups in s_inodes iterators
    - net: stmmac: Do not accept invalid MTU values
    - net: stmmac: RX buffer size must be 16 byte aligned
    - s390/dasd/cio: Interpret ccw_device_get_mdc return value correctly
    - s390/dasd: fix memleak in path handling error case
    - block: fix memleak when __blk_rq_map_user_iov() is failed
    - parisc: Fix compiler warnings in debug_core.c
    - llc2: Fix return statement of llc_stat_ev_rx_null_dsap_xid_c (and _test_c)
    - hv_netvsc: Fix unwanted rx_table reset
    - bpf: Fix passing modified ctx to ld/abs/ind instruction
    - PCI/switchtec: Read all 64 bits of part_event_bitmap
    - gtp: fix bad unlock balance in gtp_encap_enable_socket
    - macvlan: do not assume mac_header is set in macvlan_broadcast()
    - net: dsa: mv88e6xxx: Preserve priority when setting CPU port.
    - net: stmmac: dwmac-sun8i: Allow all RGMII modes
    - net: stmmac: dwmac-sunxi: Allow all RGMII modes
    - net: usb: lan78xx: fix possible skb leak
    - pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM
    - USB: core: fix check for duplicate endpoints
    - USB: serial: option: add Telit ME910G1 0x110a composition
    - sctp: free cmd->obj.chunk for the unprocessed SCTP_CMD_REPLY
    - tcp: fix "old stuff" D-SACK causing SACK to be treated as D-SACK
    - vxlan: fix tos value before xmit
    - vlan: vlan_changelink() should propagate errors
    - net: sch_prio: When ungrafting, replace with FIFO
    - vlan: fix memory leak in vlan_dev_set_egress_priority
    - regulator: fix use after free issue
    - ASoC: max98090: fix possible race conditions
    - netfilter: nf_tables: validate NFT_DATA_VALUE after nft_data_init()
    - ARM: dts: BCM5301X: Fix MDIO node address/size cells
    - bpf: Clear skb->tstamp in bpf_redirect when necessary
    - parisc: add missing __init annotation
    - iommu/iova: Init the struct iova to fix the possible memleak
    - powerpc/spinlocks: Include correct header for static key
    - ARM: dts: imx6ul: use nvmem-cells for cpu speed grading

* Sometimes can't adjust brightness on Dell AIO (LP: #1862885)
    - SAUCE: platform/x86: dell-uart-backlight: increase retry times

* 4.15 kernel hard lockup about once a week (LP: #1799497)
    - zram: correct flag name of ZRAM_ACCESS
    - zram: fix lockdep warning of free block handling

* Prevent arm64 guest from accessing host debug registers (LP: #1860657)
    - KVM: arm64: Write arch.mdcr_el2 changes since last vcpu_load on VHE

* pty03 from pty in ubuntu_ltp failed on Eoan (LP: #1862114)
    - can, slip: Protect tty->disc_data in write_wakeup and close with RCU

-- Kleber Sacilotto de Souza <kleber.souza@canonical.com>  Fri, 28 Feb 2020 11:45:02 +0100

Changed in linux (Ubuntu Bionic):
status:	Fix Committed → Fix Released

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntulinux package

[Bionic] i915 incomplete fix for CVE-2019-14615

Bug Description

CVE References

Other bug subscribers

Remote bug watches

Ubuntu
linux package