Package "linux-oem"

  linux-oem (4.15.0-1100.110) bionic; urgency=medium

  * bionic/linux-oem: 4.15.0-1100.110 -proposed tracker (LP: #1899960)

  * CVE-2020-12351 // CVE-2020-12352 // CVE-2020-24490
    - [Config] oem: Disable BlueZ highspeed support

  [ Ubuntu: 4.15.0-122.124 ]

  * bionic/linux: 4.15.0-122.124 -proposed tracker (LP: #1899941)
  * CVE-2020-12351 // CVE-2020-12352 // CVE-2020-24490
    - Bluetooth: Disable High Speed by default
    - Bluetooth: MGMT: Fix not checking if BT_HS is enabled
    - [Config] Disable BlueZ highspeed support
  * CVE-2020-12351
    - Bluetooth: L2CAP: Fix calling sk_filter on non-socket based channel
  * CVE-2020-12352
    - Bluetooth: A2MP: Fix not initializing all members

 -- Stefan Bader <email address hidden> Thu, 15 Oct 2020 16:43:45 +0200

  linux-oem (4.15.0-1099.109) bionic; urgency=medium

  [ Ubuntu: 4.15.0-121.123 ]

  * Packaging resync (LP: #1786013)
    - update dkms package versions

  [ Ubuntu: 4.15.0-120.122 ]

  * CVE-2020-16119
    - SAUCE: dccp: avoid double free of ccid on child socket
  * CVE-2020-16120
    - Revert "UBUNTU: SAUCE: overlayfs: ensure mounter privileges when reading
      directories"
    - ovl: pass correct flags for opening real directory
    - ovl: switch to mounter creds in readdir
    - ovl: verify permissions in ovl_path_open()

  linux-oem (4.15.0-1098.108) bionic; urgency=medium

  * bionic/linux-oem: 4.15.0-1098.108 -proposed tracker (LP: #1896018)

  * Bionic update: upstream stable patchset 2020-09-11 (LP: #1895328)
    - [Config] updateconfigs for CONFIG_SPI_DYNAMIC

  [ Ubuntu: 4.15.0-119.120 ]

  * bionic/linux: 4.15.0-119.120 -proposed tracker (LP: #1896040)
  * gtp: unable to associate contextes to interfaces (LP: #1894605)
    - gtp: add GTPA_LINK info to msg sent to userspace
  * uvcvideo: add mapping for HEVC payloads (LP: #1895803)
    - media: videodev2.h: Add v4l2 definition for HEVC
    - SAUCE: media: uvcvideo: Add mapping for HEVC payloads
  * Novalink (mkvterm command failure) (LP: #1892546)
    - tty: hvcs: Don't NULL tty->driver_data until hvcs_cleanup()
  * rtnetlink.sh in net from ubuntu_kernel_selftests is returning 1 for a
    skipped test (LP: #1895258)
    - selftests: net: return Kselftest Skip code for skipped tests
  * Bionic update: upstream stable patchset 2020-09-16 (LP: #1895873)
    - net: Fix potential wrong skb->protocol in skb_vlan_untag()
    - tipc: fix uninit skb->data in tipc_nl_compat_dumpit()
    - ipvlan: fix device features
    - gre6: Fix reception with IP6_TNL_F_RCV_DSCP_COPY
    - ALSA: pci: delete repeated words in comments
    - ASoC: tegra: Fix reference count leaks.
    - mfd: intel-lpss: Add Intel Emmitsburg PCH PCI IDs
    - arm64: dts: qcom: msm8916: Pull down PDM GPIOs during sleep
    - powerpc/xive: Ignore kmemleak false positives
    - media: pci: ttpci: av7110: fix possible buffer overflow caused by bad DMA
      value in debiirq()
    - blktrace: ensure our debugfs dir exists
    - scsi: target: tcmu: Fix crash on ARM during cmd completion
    - iommu/iova: Don't BUG on invalid PFNs
    - drm/amdkfd: Fix reference count leaks.
    - drm/radeon: fix multiple reference count leak
    - drm/amdgpu: fix ref count leak in amdgpu_driver_open_kms
    - drm/amd/display: fix ref count leak in amdgpu_drm_ioctl
    - drm/amdgpu: fix ref count leak in amdgpu_display_crtc_set_config
    - drm/amdgpu/display: fix ref count leak when pm_runtime_get_sync fails
    - scsi: lpfc: Fix shost refcount mismatch when deleting vport
    - selftests/powerpc: Purge extra count_pmc() calls of ebb selftests
    - omapfb: fix multiple reference count leaks due to pm_runtime_get_sync
    - PCI: Fix pci_create_slot() reference count leak
    - rtlwifi: rtl8192cu: Prevent leaking urb
    - mips/vdso: Fix resource leaks in genvdso.c
    - cec-api: prevent leaking memory through hole in structure
    - f2fs: fix use-after-free issue
    - drm/nouveau/drm/noveau: fix reference count leak in nouveau_fbcon_open
    - drm/nouveau: Fix reference count leak in nouveau_connector_detect
    - locking/lockdep: Fix overflow in presentation of average lock-time
    - scsi: iscsi: Do not put host in iscsi_set_flashnode_param()
    - ceph: fix potential mdsc use-after-free crash
    - scsi: fcoe: Memory leak fix in fcoe_sysfs_fcf_del()
    - EDAC/ie31200: Fallback if host bridge device is already initialized
    - media: davinci: vpif_capture: fix potential double free
    - KVM: arm64: Fix symbol dependency in __hyp_call_panic_nvhe
    - powerpc/spufs: add CONFIG_COREDUMP dependency
    - USB: sisusbvga: Fix a potential UB casued by left shifting a negative value
    - efi: provide empty efi_enter_virtual_mode implementation
    - Revert "ath10k: fix DMA related firmware crashes on multiple devices"
    - media: gpio-ir-tx: improve precision of transmitted signal due to scheduling
    - nvme-fc: Fix wrong return value in __nvme_fc_init_request()
    - null_blk: fix passing of REQ_FUA flag in null_handle_rq
    - i2c: rcar: in slave mode, clear NACK earlier
    - usb: gadget: f_tcm: Fix some resource leaks in some error paths
    - jbd2: make sure jh have b_transaction set in refile/unfile_buffer
    - ext4: don't BUG on inconsistent journal feature
    - jbd2: abort journal if free a async write error metadata buffer
    - fs: prevent BUG_ON in submit_bh_wbc()
    - spi: stm32: fix stm32_spi_prepare_mbr in case of odd clk_rate
    - s390/cio: add cond_resched() in the slow_eval_known_fn() loop
    - scsi: ufs: Fix possible infinite loop in ufshcd_hold
    - scsi: ufs: Improve interrupt handling for shared interrupts
    - scsi: ufs: Clean up completed request without interrupt notification
    - net: gianfar: Add of_node_put() before goto statement
    - powerpc/perf: Fix soft lockups due to missed interrupt accounting
    - HID: i2c-hid: Always sleep 60ms after I2C_HID_PWR_ON commands
    - btrfs: fix space cache memory leak after transaction abort
    - fbcon: prevent user font height or width change from causing potential out-
      of-bounds access
    - USB: lvtest: return proper error code in probe
    - vt: defer kfree() of vc_screenbuf in vc_do_resize()
    - vt_ioctl: change VT_RESIZEX ioctl to check for error return from vc_resize()
    - serial: samsung: Removes the IRQ not found warning
    - serial: pl011: Fix oops on -EPROBE_DEFER
    - serial: pl011: Don't leak amba_ports entry on driver register error
    - serial: 8250_exar: Fix number of ports for Commtech PCIe cards
    - serial: 8250: change lock order in serial8250_do_startup()
    - writeback: Protect inode->i_io_list with inode->i_lock
    - writeback: Avoid skipping inode writeback
    - writeback: Fix sync livelock due to b_dirty_time processing
    - XEN uses irqdesc::irq_data_common::handler_data to store a per interrupt XEN
      data pointer which contains XEN specific information.
    - xhci: Do warm-reset when both CAS and XDEV_RESUME are set
    - PM: sleep: core: Fix the handling of pending runtime resume requests
    - device property: Fix the secondary firmware node handling in
      set_primary_fwnode()
    - drm/amdgpu: Fix buffer overflow in INFO ioctl
    - USB: yurex: Fix bad gfp argument
    - usb: uas: Add quirk for PNY Pro Elite
    - USB: Ignore UAS for JMicron JMS567 ATA/ATAPI Bridge
  

  linux-oem (4.15.0-1097.107) bionic; urgency=medium

  * bionic/linux-oem: 4.15.0-1097.107 -proposed tracker (LP: #1894675)

  [ Ubuntu: 4.15.0-118.119 ]

  * bionic/linux: 4.15.0-118.119 -proposed tracker (LP: #1894697)
  * Packaging resync (LP: #1786013)
    - update dkms package versions
  * Introduce the new NVIDIA 450-server and the 450 UDA series (LP: #1887674)
    - [packaging] add signed modules for nvidia 450 and 450-server
  * cgroup refcount is bogus when cgroup_sk_alloc is disabled (LP: #1886860)
    - cgroup: add missing skcd->no_refcnt check in cgroup_sk_clone()
  * CVE-2020-12888
    - vfio/type1: Support faulting PFNMAP vmas
    - vfio-pci: Fault mmaps to enable vma tracking
    - vfio-pci: Invalidate mmaps and block MMIO access on disabled memory
  * [Hyper-V] VSS and File Copy daemons intermittently fails to start
    (LP: #1891224)
    - [Packaging] Bind hv_vss_daemon startup to hv_vss device
    - [Packaging] bind hv_fcopy_daemon startup to hv_fcopy device
  * KVM: Fix zero_page reference counter overflow when using KSM on KVM compute
    host (LP: #1837810)
    - KVM: fix overflow of zero page refcount with ksm running
  * Fix false-negative return value for rtnetlink.sh in kselftests/net
    (LP: #1890136)
    - selftests: rtnetlink: correct the final return value for the test
    - selftests: rtnetlink: make kci_test_encap() return sub-test result
  * Bionic update: upstream stable patchset 2020-08-18 (LP: #1892091)
    - USB: serial: qcserial: add EM7305 QDL product ID
    - USB: iowarrior: fix up report size handling for some devices
    - usb: xhci: define IDs for various ASMedia host controllers
    - usb: xhci: Fix ASMedia ASM1142 DMA addressing
    - Revert "ALSA: hda: call runtime_allow() for all hda controllers"
    - ALSA: seq: oss: Serialize ioctls
    - staging: android: ashmem: Fix lockdep warning for write operation
    - Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()
    - Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_evt()
    - Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_with_rssi_evt()
    - omapfb: dss: Fix max fclk divider for omap36xx
    - binder: Prevent context manager from incrementing ref 0
    - vgacon: Fix for missing check in scrollback handling
    - mtd: properly check all write ioctls for permissions
    - leds: wm831x-status: fix use-after-free on unbind
    - leds: da903x: fix use-after-free on unbind
    - leds: lm3533: fix use-after-free on unbind
    - leds: 88pm860x: fix use-after-free on unbind
    - net/9p: validate fds in p9_fd_open
    - drm/nouveau/fbcon: fix module unload when fbcon init has failed for some
      reason
    - drm/nouveau/fbcon: zero-initialise the mode_cmd2 structure
    - i2c: slave: improve sanity check when registering
    - i2c: slave: add sanity check when unregistering
    - usb: hso: check for return value in hso_serial_common_create()
    - firmware: Fix a reference count leak.
    - cfg80211: check vendor command doit pointer before use
    - igb: reinit_locked() should be called with rtnl_lock
    - atm: fix atm_dev refcnt leaks in atmtcp_remove_persistent
    - tools lib traceevent: Fix memory leak in process_dynamic_array_len
    - Drivers: hv: vmbus: Ignore CHANNELMSG_TL_CONNECT_RESULT(23)
    - xattr: break delegations in {set,remove}xattr
    - ipv4: Silence suspicious RCU usage warning
    - ipv6: fix memory leaks on IPV6_ADDRFORM path
    - net: ethernet: mtk_eth_soc: fix MTU warnings
    - vxlan: Ensure FDB dump is performed under RCU
    - net: lan78xx: replace bogus endpoint lookup
    - hv_netvsc: do not use VF device if link is down
    - net: gre: recompute gre csum for sctp over gre tunnels
    - openvswitch: Prevent kernel-infoleak in ovs_ct_put_key()
    - Revert "vxlan: fix tos value before xmit"
    - selftests/net: relax cpu affinity requirement in msg_zerocopy test
    - rxrpc: Fix race between recvmsg and sendmsg on immediate call failure
    - i40e: add num_vectors checker in iwarp handler
    - i40e: Wrong truncation from u16 to u8
    - i40e: Memory leak in i40e_config_iwarp_qvlist
    - Smack: fix use-after-free in smk_write_relabel_self()
  * Bionic update: upstream stable patchset 2020-08-11 (LP: #1891228)
    - AX.25: Fix out-of-bounds read in ax25_connect()
    - AX.25: Prevent out-of-bounds read in ax25_sendmsg()
    - dev: Defer free of skbs in flush_backlog
    - drivers/net/wan/x25_asy: Fix to make it work
    - net-sysfs: add a newline when printing 'tx_timeout' by sysfs
    - net: udp: Fix wrong clean up for IS_UDPLITE macro
    - rxrpc: Fix sendmsg() returning EPIPE due to recvmsg() returning ENODATA
    - AX.25: Prevent integer overflows in connect and sendmsg
    - ip6_gre: fix null-ptr-deref in ip6gre_init_net()
    - rtnetlink: Fix memory(net_device) leak when ->newlink fails
    - tcp: allow at most one TLP probe per flight
    - regmap: debugfs: check count when read regmap file
    - qrtr: orphan socket in qrtr_release()
    - sctp: shrink stream outq only when new outcnt < old outcnt
    - sctp: shrink stream outq when fails to do addstream reconf
    - crypto: ccp - Release all allocated memory if sha type is invalid
    - media: rc: prevent memory leak in cx23888_ir_probe
    - iio: imu: adis16400: fix memory leak
    - ath9k_htc: release allocated buffer if timed out
    - ath9k: release allocated buffer if timed out
    - PCI/ASPM: Disable ASPM on ASMedia ASM1083/1085 PCIe-to-PCI bridge
    - wireless: Use offsetof instead of custom macro.
    - ARM: 8986/1: hw_breakpoint: Don't invoke overflow handler on uaccess
      watchpoints
    - drm/amdgpu: Prevent kernel-infoleak in amdgpu_info_ioctl()
    - drm: hold gem reference until object is no longer accessed
    - f2fs: check memory boundary by insane namelen
    - f2fs: check if file namelen exceeds max value
    - 9p/trans_fd: abort p9_read_work if req status changed
    - 9p/trans_fd: Fix concurrency del of req_list in p9_fd_ca