Bug #1859522 “use-after-free in i915_ppgtt_close” : Bugs : linux package : Ubuntu

Tyler Hicks (tyhicks) on 2020-01-13

description:	updated
Changed in linux (Ubuntu):
status:	In Progress → Fix Released
Changed in linux (Ubuntu Bionic):
status:	New → In Progress
Changed in linux (Ubuntu Disco):
status:	New → In Progress
Changed in linux (Ubuntu Bionic):
importance:	Undecided → High
Changed in linux (Ubuntu Disco):
importance:	Undecided → High
Changed in linux (Ubuntu Bionic):
assignee:	nobody → Tyler Hicks (tyhicks)
Changed in linux (Ubuntu Disco):
assignee:	nobody → Tyler Hicks (tyhicks)

Tyler Hicks (tyhicks) on 2020-01-14

information type:	Private Security → Public Security
description:	updated

Revision history for this message

Tyler Hicks (tyhicks) wrote on 2020-01-14:

#1

This is CVE-2020-7053

Marcelo Cerri (mhcerri) on 2020-01-15

Changed in linux (Ubuntu Bionic):
status:	In Progress → Fix Committed

Marcelo Cerri (mhcerri) on 2020-01-15

Changed in linux (Ubuntu Disco):
status:	In Progress → Fix Committed

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2020-01-16:

#2

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: verification-needed-bionic

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2020-01-16:

#3

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-disco' to 'verification-done-disco'. If the problem still exists, change the tag 'verification-needed-disco' to 'verification-failed-disco'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: verification-needed-disco

Revision history for this message

Launchpad Janitor (janitor) wrote on 2020-01-27:

#4

Download full text (22.6 KiB)

This bug was fixed in the package linux - 5.0.0-40.44

---------------
linux (5.0.0-40.44) disco; urgency=medium

* disco/linux: 5.0.0-40.44 -proposed tracker (LP: #1859724)

* use-after-free in i915_ppgtt_close (LP: #1859522) // CVE-2020-7053
- SAUCE: drm/i915: Fix use-after-free when destroying GEM context

* CVE-2019-14615
- drm/i915/gen9: Clear residual context state on context switch

  * System hang with kernel traces while entering reboot process on a Disco
    ARM64 moonshot node (LP: #1859582)
    - Revert "RDMA/cm: Fix memory leak in cm_add/remove_one"

linux (5.0.0-39.43) disco; urgency=medium

* disco/linux: 5.0.0-39.43 -proposed tracker (LP: #1858547)

  * [Regression] usb usb2-port2: Cannot enable. Maybe the USB cable is bad?
    (LP: #1856608)
    - SAUCE: Revert "usb: handle warm-reset port requests on hub resume"

* PAN is broken for execute-only user mappings on ARMv8 (LP: #1858815)
- arm64: Revert support for execute-only user mappings

  * Fix unusable USB hub on Dell TB16 after S3 (LP: #1855312)
    - SAUCE: USB: core: Make port power cycle a seperate helper function
    - SAUCE: USB: core: Attempt power cycle port when it's in eSS.Disabled state

  * [sas-1126]scsi: hisi_sas: Fix out of bound at debug_I_T_nexus_reset()
    (LP: #1853992)
    - scsi: hisi_sas: Fix out of bound at debug_I_T_nexus_reset()

* [sas-1126]scsi: hisi_sas: Assign NCQ tag for all NCQ commands (LP: #1853995)
- scsi: hisi_sas: Assign NCQ tag for all NCQ commands

  * [sas-1126]scsi: hisi_sas: Fix the conflict between device gone and host
    reset (LP: #1853997)
    - scsi: hisi_sas: Fix the conflict between device gone and host reset

* scsi: hisi_sas: Check sas_port before using it (LP: #1855952)
- scsi: hisi_sas: Check sas_port before using it

  * CVE-2019-18885
    - btrfs: refactor btrfs_find_device() take fs_devices as argument
    - btrfs: merge btrfs_find_device and find_device

* Integrate Intel SGX driver into linux-azure (LP: #1844245)
- [Packaging] Add systemd service to load intel_sgx

  * [SRU][B/OEM-B/OEM-OSP1/D/E/F] Add LG I2C touchscreen multitouch support
    (LP: #1857541)
    - SAUCE: HID: multitouch: Add LG MELF0410 I2C touchscreen support

  * cifs: DFS Caching feature causing problems traversing multi-tier DFS setups
    (LP: #1854887)
    - cifs: Fix retrieval of DFS referrals in cifs_mount()

* qede driver causes 100% CPU load (LP: #1855409)
- qede: Handle infinite driver spinning for Tx timestamp.

  * [roce-1126]RDMA/hns: bugfix for slab-out-of-bounds when loading hip08 driver
    (LP: #1853989)
    - RDMA/hns: Bugfix for slab-out-of-bounds when unloading hip08 driver
    - RDMA/hns: bugfix for slab-out-of-bounds when loading hip08 driver

* [roce-1126]RDMA/hns: Fixs hw access invalid dma memory error (LP: #1853990)
- RDMA/hns: Fixs hw access invalid dma memory error

  * [hns-1126]net: hns3: revert to old channel when setting new channel num fail
    (LP: #1853983)
    - net: hns3: revert to old channel when setting new channel num fail

  * [hns-1126]net: hns3: fix port setting handle for fibre port
    (LP: #1853984)
    - net: hns3: fix port setting handle for fibre...

This bug was fixed in the package linux - 5.0.0-40.44

---------------
linux (5.0.0-40.44) disco; urgency=medium

* disco/linux: 5.0.0-40.44 -proposed tracker (LP: #1859724)

* use-after-free in i915_ppgtt_close (LP: #1859522) // CVE-2020-7053
    - SAUCE: drm/i915: Fix use-after-free when destroying GEM context

* CVE-2019-14615
    - drm/i915/gen9: Clear residual context state on context switch

* System hang with kernel traces while entering reboot process on a Disco
    ARM64 moonshot node (LP: #1859582)
    - Revert "RDMA/cm: Fix memory leak in cm_add/remove_one"

linux (5.0.0-39.43) disco; urgency=medium

* disco/linux: 5.0.0-39.43 -proposed tracker (LP: #1858547)

* [Regression] usb usb2-port2: Cannot enable. Maybe the USB cable is bad?
    (LP: #1856608)
    - SAUCE: Revert "usb: handle warm-reset port requests on hub resume"

* PAN is broken for execute-only user mappings on ARMv8 (LP: #1858815)
    - arm64: Revert support for execute-only user mappings

* Fix unusable USB hub on Dell TB16 after S3 (LP: #1855312)
    - SAUCE: USB: core: Make port power cycle a seperate helper function
    - SAUCE: USB: core: Attempt power cycle port when it's in eSS.Disabled state

* [sas-1126]scsi: hisi_sas: Fix out of bound at debug_I_T_nexus_reset()
    (LP: #1853992)
    - scsi: hisi_sas: Fix out of bound at debug_I_T_nexus_reset()

* [sas-1126]scsi: hisi_sas: Assign NCQ tag for all NCQ commands (LP: #1853995)
    - scsi: hisi_sas: Assign NCQ tag for all NCQ commands

* [sas-1126]scsi: hisi_sas: Fix the conflict between device gone and host
    reset (LP: #1853997)
    - scsi: hisi_sas: Fix the conflict between device gone and host reset

* scsi: hisi_sas: Check sas_port before using it (LP: #1855952)
    - scsi: hisi_sas: Check sas_port before using it

* CVE-2019-18885
    - btrfs: refactor btrfs_find_device() take fs_devices as argument
    - btrfs: merge btrfs_find_device and find_device

*  Integrate Intel SGX driver into linux-azure (LP: #1844245)
    - [Packaging] Add systemd service to load intel_sgx

* [SRU][B/OEM-B/OEM-OSP1/D/E/F] Add LG I2C touchscreen multitouch support
    (LP: #1857541)
    - SAUCE: HID: multitouch: Add LG MELF0410 I2C touchscreen support

* cifs: DFS Caching feature causing problems traversing multi-tier DFS setups
    (LP: #1854887)
    - cifs: Fix retrieval of DFS referrals in cifs_mount()

* qede driver causes 100% CPU load (LP: #1855409)
    - qede: Handle infinite driver spinning for Tx timestamp.

* [roce-1126]RDMA/hns: bugfix for slab-out-of-bounds when loading hip08 driver
    (LP: #1853989)
    - RDMA/hns: Bugfix for slab-out-of-bounds when unloading hip08 driver
    - RDMA/hns: bugfix for slab-out-of-bounds when loading hip08 driver

* [roce-1126]RDMA/hns: Fixs hw access invalid dma memory error (LP: #1853990)
    - RDMA/hns: Fixs hw access invalid dma memory error

* [hns-1126]net: hns3: revert to old channel when setting new channel num fail
    (LP: #1853983)
    - net: hns3: revert to old channel when setting new channel num fail

* [hns-1126]net: hns3: fix port setting handle for fibre port
    (LP: #1853984)
    - net: hns3: fix port setting handle for fibre port

* [hns-1126] net: hns: add support for vlan TSO (LP: #1853937)
    - net: hns: add support for vlan TSO

* [hns-1126]net: hns3: fix flow control configure issue for fibre port
    (LP: #1853948)
    - net: hns3: fix flow control configure issue for fibre port

* mce: ras:  When inject 1bit ecc error,  there is no mce log recorded in the
    dmesg (LP: #1857413)
    - RAS/CEC: Increment cec_entered under the mutex lock
    - RAS/CEC: Check count_threshold unconditionally

* efivarfs test in ubuntu_kernel_selftest failed on the second run
    (LP: #1809704)
    - selftests/efivarfs: clean up test files from test_create*()

* CVE-2019-19082
    - drm/amd/display: prevent memory leak

* CVE-2019-19078
    - ath10k: fix memory leak

* CVE-2019-19077
    - RDMA: Fix goto target to release the allocated memory

* Disco update: upstream stable patchset 2019-12-17 (LP: #1856754)
    - rsi: release skb if rsi_prepare_beacon fails
    - arm64: tegra: Fix 'active-low' warning for Jetson TX1 regulator
    - sparc64: implement ioremap_uc
    - lp: fix sparc64 LPSETTIMEOUT ioctl
    - usb: gadget: u_serial: add missing port entry locking
    - tty: serial: fsl_lpuart: use the sg count from dma_map_sg
    - tty: serial: msm_serial: Fix flow control
    - serial: pl011: Fix DMA ->flush_buffer()
    - serial: serial_core: Perform NULL checks for break_ctl ops
    - serial: ifx6x60: add missed pm_runtime_disable
    - autofs: fix a leak in autofs_expire_indirect()
    - RDMA/hns: Correct the value of HNS_ROCE_HEM_CHUNK_LEN
    - iwlwifi: pcie: don't consider IV len in A-MSDU
    - exportfs_decode_fh(): negative pinned may become positive without the parent
      locked
    - audit_get_nd(): don't unlock parent too early
    - NFC: nxp-nci: Fix NULL pointer dereference after I2C communication error
    - xfrm: release device reference for invalid state
    - Input: cyttsp4_core - fix use after free bug
    - sched/core: Avoid spurious lock dependencies
    - perf/core: Consistently fail fork on allocation failures
    - ALSA: pcm: Fix stream lock usage in snd_pcm_period_elapsed()
    - drm/sun4i: tcon: Set min division of TCON0_DCLK to 1.
    - selftests: kvm: fix build with glibc >= 2.30
    - rsxx: add missed destroy_workqueue calls in remove
    - net: ep93xx_eth: fix mismatch of request_mem_region in remove
    - i2c: core: fix use after free in of_i2c_notify
    - fuse: verify nlink
    - fuse: verify attributes
    - ALSA: hda/realtek - Enable internal speaker of ASUS UX431FLC
    - ALSA: pcm: oss: Avoid potential buffer overflows
    - ALSA: hda - Add mute led support for HP ProBook 645 G4
    - Input: synaptics - switch another X1 Carbon 6 to RMI/SMbus
    - Input: synaptics-rmi4 - re-enable IRQs in f34v7_do_reflash
    - Input: synaptics-rmi4 - don't increment rmiaddr for SMBus transfers
    - Input: goodix - add upside-down quirk for Teclast X89 tablet
    - coresight: etm4x: Fix input validation for sysfs.
    - Input: Fix memory leak in psxpad_spi_probe
    - x86/mm/32: Sync only to VMALLOC_END in vmalloc_sync_all()
    - CIFS: Fix NULL-pointer dereference in smb2_push_mandatory_locks
    - CIFS: Fix SMB2 oplock break processing
    - tty: vt: keyboard: reject invalid keycodes
    - can: slcan: Fix use-after-free Read in slcan_open
    - kernfs: fix ino wrap-around detection
    - jbd2: Fix possible overflow in jbd2_log_space_left()
    - drm/msm: fix memleak on release
    - drm/i810: Prevent underflow in ioctl
    - arm64: dts: exynos: Revert "Remove unneeded address space mapping for soc
      node"
    - KVM: arm/arm64: vgic: Don't rely on the wrong pending table
    - KVM: x86: do not modify masked bits of shared MSRs
    - KVM: x86: fix presentation of TSX feature in ARCH_CAPABILITIES
    - KVM: x86: Grab KVM's srcu lock when setting nested state
    - crypto: crypto4xx - fix double-free in crypto4xx_destroy_sdr
    - crypto: atmel-aes - Fix IV handling when req->nbytes < ivsize
    - crypto: af_alg - cast ki_complete ternary op to int
    - crypto: ccp - fix uninitialized list head
    - crypto: ecdh - fix big endian bug in ECC library
    - crypto: user - fix memory leak in crypto_report
    - spi: atmel: Fix CS high support
    - mwifiex: update set_mac_address logic
    - can: ucan: fix non-atomic allocation in completion handler
    - RDMA/qib: Validate ->show()/store() callbacks before calling them
    - iomap: Fix pipe page leakage during splicing
    - thermal: Fix deadlock in thermal thermal_zone_device_check
    - vcs: prevent write access to vcsu devices
    - binder: Fix race between mmap() and binder_alloc_print_pages()
    - binder: Handle start==NULL in binder_update_page_range()
    - ALSA: hda - Fix pending unsol events at shutdown
    - watchdog: aspeed: Fix clock behaviour for ast2600
    - perf script: Fix invalid LBR/binary mismatch error
    - xfs: add missing error check in xfs_prepare_shift()
    - KVM: x86: fix out-of-bounds write in KVM_GET_EMULATED_CPUID (CVE-2019-19332)
    - net: qrtr: fix memort leak in qrtr_tun_write_iter
    - appletalk: Fix potential NULL pointer dereference in unregister_snap_client
    - appletalk: Set error code if register_snap_client failed
    - time: Zero the upper 32-bits in __kernel_timespec on 32-bit
    - RDMA/hns: Correct the value of srq_desc_size
    - ecryptfs: fix unlink and rmdir in face of underlying fs modifications
    - x86/resctrl: Fix potential lockdep warning
    - ravb: implement MTU change while device is up
    - net: hns3: reallocate SSU' buffer size when pfc_en changes
    - net: hns3: fix ETS bandwidth validation bug
    - media: rc: mark input device as pointing stick
    - nfsd: Ensure CLONE persists data and metadata changes to the target file
    - drm: damage_helper: Fix race checking plane->state->fb
    - KVM: nVMX: Always write vmcs02.GUEST_CR3 during nested VM-Enter
    - crypto: geode-aes - switch to skcipher for cbc(aes) fallback
    - spi: stm32-qspi: Fix kernel oops when unbinding driver
    - spi: Fix SPI_CS_HIGH setting when using native and GPIO CS
    - spi: Fix NULL pointer when setting SPI_CS_HIGH for GPIO CS
    - EDAC/ghes: Fix locking and memory barrier issues
    - kselftest: Fix NULL INSTALL_PATH for TARGETS runlist
    - ALSA: hda: hdmi - fix pin setup on Tigerlake

* Realtek ALC256M with DTS Audio Processing internal microphone doesn't work
    on Redmi Book 14 2019 (LP: #1846148) // Disco update: upstream stable
    patchset 2019-12-17 (LP: #1856754)
    - ALSA: hda/realtek - Enable the headset-mic on a Xiaomi's laptop

* Disco update: upstream stable patchset 2019-12-12 (LP: #1856213)
    - clk: meson: gxbb: let sar_adc_clk_div set the parent clock rate
    - clocksource/drivers/mediatek: Fix error handling
    - ASoC: msm8916-wcd-analog: Fix RX1 selection in RDAC2 MUX
    - ASoC: compress: fix unsigned integer overflow check
    - reset: Fix memory leak in reset_control_array_put()
    - clk: samsung: exynos5433: Fix error paths
    - ASoC: kirkwood: fix external clock probe defer
    - ASoC: kirkwood: fix device remove ordering
    - clk: samsung: exynos5420: Preserve PLL configuration during suspend/resume
    - pinctrl: cherryview: Allocate IRQ chip dynamic
    - ARM: dts: imx6qdl-sabreauto: Fix storm of accelerometer interrupts
    - reset: fix reset_control_ops kerneldoc comment
    - clk: at91: avoid sleeping early
    - clk: sunxi: Fix operator precedence in sunxi_divs_clk_setup
    - clk: sunxi-ng: a80: fix the zero'ing of bits 16 and 18
    - ARM: dts: sun8i-a83t-tbs-a711: Fix WiFi resume from suspend
    - samples/bpf: fix build by setting HAVE_ATTR_TEST to zero
    - powerpc/bpf: Fix tail call implementation
    - idr: Fix integer overflow in idr_for_each_entry
    - idr: Fix idr_alloc_u32 on 32-bit systems
    - x86/resctrl: Prevent NULL pointer dereference when reading mondata
    - clk: ti: dra7-atl-clock: Remove ti_clk_add_alias call
    - clk: ti: clkctrl: Fix failed to enable error with double udelay timeout
    - net: fec: add missed clk_disable_unprepare in remove
    - bridge: ebtables: don't crash when using dnat target in output chains
    - can: peak_usb: report bus recovery as well
    - can: c_can: D_CAN: c_can_chip_config(): perform a sofware reset on open
    - can: rx-offload: can_rx_offload_queue_tail(): fix error handling, avoid skb
      mem leak
    - can: rx-offload: can_rx_offload_offload_one(): do not increase the skb_queue
      beyond skb_queue_len_max
    - can: rx-offload: can_rx_offload_offload_one(): increment rx_fifo_errors on
      queue overflow or OOM
    - can: rx-offload: can_rx_offload_offload_one(): use ERR_PTR() to propagate
      error value in case of errors
    - can: rx-offload: can_rx_offload_irq_offload_timestamp(): continue on error
    - can: rx-offload: can_rx_offload_irq_offload_fifo(): continue on error
    - can: flexcan: increase error counters if skb enqueueing via
      can_rx_offload_queue_sorted() fails
    - can: mcp251x: mcp251x_restart_work_handler(): Fix potential force_quit race
      condition
    - watchdog: meson: Fix the wrong value of left time
    - ASoC: stm32: sai: add restriction on mmap support
    - scripts/gdb: fix debugging modules compiled with hot/cold partitioning
    - net: bcmgenet: use RGMII loopback for MAC reset
    - net: bcmgenet: reapply manual settings to the PHY
    - net: mscc: ocelot: fix __ocelot_rmw_ix prototype
    - ceph: return -EINVAL if given fsc mount option on kernel w/o support
    - net/fq_impl: Switch to kvmalloc() for memory allocation
    - mac80211: fix station inactive_time shortly after boot
    - block: drbd: remove a stray unlock in __drbd_send_protocol()
    - pwm: bcm-iproc: Prevent unloading the driver module while in use
    - clk: at91: fix update bit maps on CFG_MOR write
    - usb: dwc2: use a longer core rest timeout in dwc2_core_reset()
    - staging: rtl8192e: fix potential use after free
    - staging: rtl8723bs: Drop ACPI device ids
    - staging: rtl8723bs: Add 024c:0525 to the list of SDIO device-ids
    - USB: serial: ftdi_sio: add device IDs for U-Blox C099-F9P
    - mei: bus: prefix device names on bus with the bus name
    - mei: me: add comet point V device id
    - thunderbolt: Power cycle the router if NVM authentication fails
    - media: v4l2-ctrl: fix flags for DO_WHITE_BALANCE
    - pwm: Clear chip_data in pwm_put()
    - media: atmel: atmel-isc: fix INIT_WORK misplacement
    - macvlan: schedule bc_work even if error
    - net: psample: fix skb_over_panic
    - openvswitch: fix flow command message size
    - sctp: Fix memory leak in sctp_sf_do_5_2_4_dupcook
    - slip: Fix use-after-free Read in slip_open
    - openvswitch: drop unneeded BUG_ON() in ovs_flow_cmd_build_info()
    - openvswitch: remove another BUG_ON()
    - selftests: bpf: test_sockmap: handle file creation failures gracefully
    - tipc: fix link name length check
    - sctp: cache netns in sctp_ep_common
    - net: sched: fix `tc -s class show` no bstats on class with nolock subqueues
    - net: macb: add missed tasklet_kill
    - ext4: add more paranoia checking in ext4_expand_extra_isize handling
    - watchdog: sama5d4: fix WDD value to be always set to max
    - net: macb: Fix SUBNS increment and increase resolution
    - net: macb driver, check for SKBTX_HW_TSTAMP
    - mtd: rawnand: atmel: Fix spelling mistake in error message
    - mtd: rawnand: atmel: fix possible object reference leak
    - drm/atmel-hlcdc: revert shift by 8
    - mailbox: stm32_ipcc: add spinlock to fix channels concurrent access
    - tcp: exit if nothing to retransmit on RTO timeout
    - HID: core: check whether Usage Page item is after Usage ID items
    - crypto: stm32/hash - Fix hmac issue more than 256 bytes
    - media: stm32-dcmi: fix DMA corruption when stopping streaming
    - media: stm32-dcmi: fix check of pm_runtime_get_sync return value
    - hwrng: stm32 - fix unbalanced pm_runtime_enable
    - clk: stm32mp1: fix HSI divider flag
    - clk: stm32mp1: fix mcu divider table
    - clk: stm32mp1: add CLK_SET_RATE_NO_REPARENT to Kernel clocks
    - clk: stm32mp1: parent clocks update
    - mailbox: mailbox-test: fix null pointer if no mmio
    - pinctrl: stm32: fix memory leak issue
    - ASoC: stm32: i2s: fix dma configuration
    - ASoC: stm32: i2s: fix 16 bit format support
    - ASoC: stm32: i2s: fix IRQ clearing
    - ASoC: stm32: sai: add missing put_device()
    - platform/x86: hp-wmi: Fix ACPI errors caused by too small buffer
    - platform/x86: hp-wmi: Fix ACPI errors caused by passing 0 as input size
    - net: fec: fix clock count mis-match
    - net: separate out the msghdr copy from ___sys_{send,recv}msg()
    - XArray: Fix xas_next() with a single entry at 0
    - thunderbolt: Fix lockdep circular locking depedency warning
    - soundwire: intel: fix intel_register_dai PDI offsets and numbers
    - clk: samsung: exynos542x: Move G3D subsystem clocks to its sub-CMU
    - arm64: dts: ls1028a: fix a compatible issue
    - soc: imx: gpc: fix initialiser format
    - bpf: Change size to u64 for bpf_map_{area_alloc, charge_init}()
    - idr: Fix idr_get_next_ul race with idr_remove
    - fbdev: c2p: Fix link failure on non-inlining
    - ASoC: hdac_hda: fix race in device removal
    - x86/tsc: Respect tsc command line paraemeter for clocksource_tsc_early
    - perf scripting engines: Iterate on tep event arrays directly
    - nvme-rdma: fix a segmentation fault during module unload
    - nvme-multipath: fix crash in nvme_mpath_clear_ctrl_paths
    - watchdog: pm8916_wdt: fix pretimeout registration flow
    - ALSA: hda: hdmi - add Tigerlake support
    - mm/gup_benchmark: fix MAP_HUGETLB case
    - drm/amdgpu: dont schedule jobs while in reset
    - net/mlx5e: Fix eswitch debug print of max fdb flow
    - drm/amdgpu: add warning for GRBM 1-cycle delay issue in gfx9
    - net: stmmac: gmac4: bitrev32 returns u32
    - net: stmmac: xgmac: Fix TSA selection
    - net: stmmac: xgmac: Disable Flow Control when 1 or more queues are in AV
    - mac80211: fix ieee80211_txq_setup_flows() failure path
    - ice: fix potential infinite loop because loop counter being too small
    - iavf: initialize ITRN registers with correct values
    - x86/fpu: Don't cache access to fpu_fpregs_owner_ctx
    - net/tls: take into account that bpf_exec_tx_verdict() may free the record
    - net/tls: free the record on encryption error
    - net: skmsg: fix TLS 1.3 crash with full sk_msg
    - selftests/tls: add a test for fragmented messages
    - net/tls: remove the dead inplace_crypto code
    - net/tls: use sg_next() to walk sg entries
    - selftests: bpf: correct perror strings

* CVE-2019-19050
    - crypto: user - fix memory leak in crypto_reportstat

* headphone has noise as not mute on dell machines with alc236/256
    (LP: #1854401)
    - SAUCE: ALSA: hda/realtek - Dell headphone has noise on unmute for ALC236

* Disco update: upstream stable patchset 2019-12-03 (LP: #1855011)
    - mlxsw: spectrum_router: Fix determining underlay for a GRE tunnel
    - net/mlx4_en: fix mlx4 ethtool -N insertion
    - net/mlx4_en: Fix wrong limitation for number of TX rings
    - net: rtnetlink: prevent underflows in do_setvfinfo()
    - net/sched: act_pedit: fix WARN() in the traffic path
    - net: sched: ensure opts_len <= IP_TUNNEL_OPTS_MAX in act_tunnel_key
    - sfc: Only cancel the PPS workqueue if it exists
    - net/mlx5e: Fix set vf link state error flow
    - net/mlxfw: Verify FSM error code translation doesn't exceed array size
    - net/mlx5: Fix auto group size calculation
    - vhost/vsock: split packets to send using multiple buffers
    - gpio: max77620: Fixup debounce delays
    - tools: gpio: Correctly add make dependencies for gpio_utils
    - nbd:fix memory leak in nbd_get_socket()
    - virtio_console: allocate inbufs in add_port() only if it is needed
    - Revert "fs: ocfs2: fix possible null-pointer dereferences in
      ocfs2_xa_prepare_entry()"
    - mm/ksm.c: don't WARN if page is still mapped in remove_stable_node()
    - drm/amd/powerplay: issue no PPSMC_MSG_GetCurrPkgPwr on unsupported ASICs
    - drm/i915/pmu: "Frequency" is reported as accumulated cycles
    - drm/i915/userptr: Try to acquire the page lock around set_page_dirty()
    - mwifiex: Fix NL80211_TX_POWER_LIMITED
    - Bluetooth: Fix invalid-free in bcsp_close()
    - ath10k: Fix a NULL-ptr-deref bug in ath10k_usb_alloc_urb_from_pipe
    - ath9k_hw: fix uninitialized variable data
    - md/raid10: prevent access of uninitialized resync_pages offset
    - mm/memory_hotplug: don't access uninitialized memmaps in shrink_zone_span()
    - net: phy: dp83867: fix speed 10 in sgmii mode
    - net: phy: dp83867: increase SGMII autoneg timer duration
    - ARM: 8904/1: skip nomap memblocks while finding the lowmem/highmem boundary
    - x86/insn: Fix awk regexp warnings
    - x86/speculation: Fix incorrect MDS/TAA mitigation status
    - x86/speculation: Fix redundant MDS mitigation message
    - nbd: prevent memory leak
    - futex: Prevent robust futex exit race
    - ALSA: usb-audio: Fix NULL dereference at parsing BADD
    - nfc: port100: handle command failure cleanly
    - media: vivid: Set vid_cap_streaming and vid_out_streaming to true
    - media: vivid: Fix wrong locking that causes race conditions on streaming
      stop
    - media: usbvision: Fix races among open, close, and disconnect
    - cpufreq: Add NULL checks to show() and store() methods of cpufreq
    - media: uvcvideo: Fix error path in control parsing failure
    - media: b2c2-flexcop-usb: add sanity checking
    - media: cxusb: detect cxusb_ctrl_msg error in query
    - media: imon: invalid dereference in imon_touch_event
    - virtio_ring: fix return code on DMA mapping fails
    - USBIP: add config dependency for SGL_ALLOC
    - usbip: tools: fix fd leakage in the function of read_attr_usbip_status
    - usbip: Fix uninitialized symbol 'nents' in stub_recv_cmd_submit()
    - usb-serial: cp201x: support Mark-10 digital force gauge
    - USB: chaoskey: fix error case of a timeout
    - appledisplay: fix error handling in the scheduled work
    - USB: serial: mos7840: add USB ID to support Moxa UPort 2210
    - USB: serial: mos7720: fix remote wakeup
    - USB: serial: mos7840: fix remote wakeup
    - USB: serial: option: add support for DW5821e with eSIM support
    - USB: serial: option: add support for Foxconn T77W968 LTE modules
    - staging: comedi: usbduxfast: usbduxfast_ai_cmdtest rounding error
    - net/tls: remove unused function tls_sw_sendpage_locked
    - net/tls: enable sk_msg redirect to tls socket egress
    - net/mlx5e: Fix error flow cleanup in mlx5e_tc_tun_create_header_ipv4/6
    - net/mlx5: Update the list of the PCI supported devices
    - net/mlx5: Update the list of the PCI supported devices
    - virtio_balloon: fix shrinker count
    - drm/amdgpu: disable gfxoff when using register read interface
    - Revert "dm crypt: use WQ_HIGHPRI for the IO and crypt workqueues"
    - x86/xen/32: Make xen_iret_crit_fixup() independent of frame layout
    - x86/xen/32: Simplify ring check in xen_iret_crit_fixup()
    - x86/doublefault/32: Fix stack canaries in the double fault handler
    - x86/pti/32: Size initial_page_table correctly
    - x86/cpu_entry_area: Add guard page for entry stack on 32bit
    - selftests/x86/mov_ss_trap: Fix the SYSENTER test
    - selftests/x86/sigreturn/32: Invalidate DS and ES when abusing the kernel
    - x86/pti/32: Calculate the various PTI cpu_entry_area sizes correctly, make
      the CPU_ENTRY_AREA_PAGES assert precise
    - x86/entry/32: Fix FIXUP_ESPFIX_STACK with user CR3
    - media: usbvision: Fix invalid accesses after device disconnect
    - media: mceusb: fix out of bounds read in MCE receiver buffer

* Miscellaneous Ubuntu changes
    - update dkms package versions

-- Marcelo Henrique Cerri <marcelo.cerri@canonical.com>  Tue, 14 Jan 2020 21:14:53 -0300

Changed in linux (Ubuntu Disco):
status:	Fix Committed → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2020-01-27:

#5

This bug was fixed in the package linux - 4.15.0-76.86

---------------
linux (4.15.0-76.86) bionic; urgency=medium

* bionic/linux: 4.15.0-76.86 -proposed tracker (LP: #1860123)

* Integrate Intel SGX driver into linux-azure (LP: #1844245)
- [Packaging] Add systemd service to load intel_sgx

  * [Regression] Bionic kernel 4.15.0-71.80 can not boot on ThunderX
    (LP: #1853326) // Bionic kernel panic on Cavium ThunderX CN88XX
    (LP: #1853485) // Cavium ThunderX CN88XX crashes on boot (LP: #1857074)
    - arm64: Check for errata before evaluating cpu features
    - arm64: add sentinel to kpti_safe_list

linux (4.15.0-75.85) bionic; urgency=medium

* bionic/linux: 4.15.0-75.85 -proposed tracker (LP: #1859705)

* use-after-free in i915_ppgtt_close (LP: #1859522) // CVE-2020-7053
- SAUCE: drm/i915: Fix use-after-free when destroying GEM context

* CVE-2019-14615
- drm/i915/gen9: Clear residual context state on context switch

* PAN is broken for execute-only user mappings on ARMv8 (LP: #1858815)
- arm64: Revert support for execute-only user mappings

  * [Regression] usb usb2-port2: Cannot enable. Maybe the USB cable is bad?
    (LP: #1856608)
    - SAUCE: Revert "usb: handle warm-reset port requests on hub resume"

* Miscellaneous Ubuntu changes
- update dkms package versions

-- Marcelo Henrique Cerri <email address hidden> Fri, 17 Jan 2020 10:59:22 -0300

Changed in linux (Ubuntu Bionic):
status:	Fix Committed → Fix Released

Ubuntu
linux package

use-after-free in i915_ppgtt_close

Bug Description

CVE References

Other bug subscribers

Remote bug watches

	Status	Importance	Assigned to
linux (Ubuntu)	Fix Released	High	Tyler Hicks
Bionic	Fix Released	High	Tyler Hicks
Disco	Fix Released	High	Tyler Hicks

Ubuntulinux package

use-after-free in i915_ppgtt_close

Bug Description

CVE References

Other bug subscribers

Remote bug watches

Ubuntu
linux package