Package "linux-hwe-5.8"

  linux-hwe-5.8 (5.8.0-67.75) focal; urgency=medium

  * focal/linux-hwe-5.8: 5.8.0-67.75 -proposed tracker (LP: #1947262)

  * CVE-2021-3744 // CVE-2021-3764
    - crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd()

  * CVE-2020-36385
    - RDMA/cma: Add missing locking to rdma_accept()
    - RDMA/ucma: Fix the locking of ctx->file
    - RDMA/ucma: Rework ucma_migrate_id() to avoid races with destroy

  * Packaging resync (LP: #1786013)
    - [Packaging] update Ubuntu.md

 -- Stefan Bader <email address hidden> Wed, 27 Oct 2021 10:49:04 +0200

  linux-hwe-5.8 (5.8.0-66.74) focal; urgency=medium

  * focal/linux-hwe-5.8: 5.8.0-66.74 -proposed tracker (LP: #1944903)

  * Packaging resync (LP: #1786013)
    - debian/dkms-versions -- update from kernel-versions (main/2021.09.27)

  * linux: btrfs: fix NULL pointer dereference when deleting device by invalid
    id (LP: #1945987)
    - btrfs: fix NULL pointer dereference when deleting device by invalid id

  * CVE-2021-38199
    - NFSv4: Initialise connection to the server in nfs4_alloc_client()

  * BCM57800 SRIOV bug causes interfaces to disappear (LP: #1945707)
    - bnx2x: Fix enabling network interfaces without VFs

  * CVE-2021-3759
    - memcg: enable accounting of ipc resources

  * CVE-2019-19449
    - f2fs: fix wrong total_sections check and fsmeta check
    - f2fs: fix to do sanity check on segment/section count

  * Support builtin revoked certificates (LP: #1932029)
    - Revert "UBUNTU: SAUCE: Dump stack when X.509 certificates cannot be loaded"
    - integrity: Move import of MokListRT certs to a separate routine
    - integrity: Load certs from the EFI MOK config table
    - certs: Add EFI_CERT_X509_GUID support for dbx entries
    - certs: Move load_system_certificate_list to a common function
    - certs: Add ability to preload revocation certs
    - integrity: Load mokx variables into the blacklist keyring
    - certs: add 'x509_revocation_list' to gitignore
    - SAUCE: Dump stack when X.509 certificates cannot be loaded
    - [Packaging] build canonical-revoked-certs.pem from branch/arch certs
    - [Packaging] Revoke 2012 UEFI signing certificate as built-in
    - [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked keys

  * Support importing mokx keys into revocation list from the mok table
    (LP: #1928679)
    - efi: Support for MOK variable config table
    - efi: mokvar-table: fix some issues in new code
    - efi: mokvar: add missing include of asm/early_ioremap.h
    - efi/mokvar: Reserve the table only if it is in boot services data
    - SAUCE: integrity: add informational messages when revoking certs

  * Support importing mokx keys into revocation list from the mok table
    (LP: #1928679) // CVE-2020-26541 when certificates are revoked via
    MokListXRT.
    - SAUCE: integrity: Load mokx certs from the EFI MOK config table

  * CVE-2020-36311
    - KVM: SVM: Periodically schedule when unregistering regions on destroy

  * CVE-2021-22543
    - KVM: do not allow mapping valid but non-reference-counted pages

  * CVE-2021-3612
    - Input: joydev - prevent use of not validated data in JSIOCSBTNMAP ioctl

  * CVE-2021-38207
    - net: ll_temac: Fix TX BD buffer overwrite

  * CVE-2021-40490
    - ext4: fix race writing to an inline_data file while its xattrs are changing

  * LRMv5: switch primary version handling to kernel-versions data set
    (LP: #1928921)
    - [Packaging] switch to kernel-versions

 -- Stefan Bader <email address hidden> Tue, 05 Oct 2021 10:54:57 +0200

  linux-hwe-5.8 (5.8.0-65.73) focal; urgency=medium

  * focal/linux-hwe-5.8: 5.8.0-65.73 -proposed tracker (LP: #1939805)

  * Packaging resync (LP: #1786013)
    - [Packaging] update variants
    - debian/dkms-versions -- update from kernel-versions (main/2021.08.16)

  * CVE-2021-3656
    - SAUCE: KVM: nSVM: always intercept VMLOAD/VMSAVE when nested

  * CVE-2021-3653
    - KVM: nSVM: introduce nested_svm_load_cr3()/nested_npt_enabled()
    - SAUCE: KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl

 -- Stefan Bader <email address hidden> Fri, 13 Aug 2021 14:19:52 +0200

  linux-hwe-5.8 (5.8.0-64.72) focal; urgency=medium

  * focal/linux-hwe-5.8: 5.8.0-64.72 -proposed tracker (LP: #1937067)

  * Packaging resync (LP: #1786013)
    - [Packaging] update update.conf

  * large_dir in ext4 broken (LP: #1933074)
    - SAUCE: ext4: fix directory index node split corruption

  * Add l2tp.sh in net from ubuntu_kernel_selftests back (LP: #1934293)
    - Revert "UBUNTU: SAUCE: selftests/net -- disable l2tp.sh test"

  * icmp_redirect.sh in net from ubuntu_kernel_selftests failed on F-OEM-5.6 /
    F-OEM-5.10 / F-OEM-5.13 / F / G / H (LP: #1880645)
    - selftests: icmp_redirect: support expected failures

  * ubuntu-host driver lacks lseek ops (LP: #1934110)
    - ubuntu-host: add generic lseek op

  * ubuntu_kernel_selftests ftrace fails on arm64 F / aws-5.8 / amd64 F
    azure-5.8 (LP: #1927749)
    - selftests/ftrace: fix event-no-pid on 1-core machine

  * pmtu.sh from net in ubuntu_kernel_selftests failed with no error message
    (LP: #1887661)
    - selftests: pmtu.sh: improve the test result processing

  * cifs: On cifs_reconnect, resolve the hostname again (LP: #1929831)
    - cifs: rename reconn_inval_dfs_target()
    - cifs: Simplify reconnect code when dfs upcall is enabled
    - cifs: Avoid error pointer dereference
    - cifs: On cifs_reconnect, resolve the hostname again.

  * Pixel format change broken for Elgato Cam Link 4K (LP: #1932367)
    - (upstream) media: uvcvideo: Fix pixel format change for Elgato Cam Link 4K

  * Groovy update: upstream stable patchset 2021-06-28 (LP: #1933877)
    - proc: Track /proc/$pid/attr/ opener mm_struct
    - ASoC: max98088: fix ni clock divider calculation
    - spi: Fix spi device unregister flow
    - net/nfc/rawsock.c: fix a permission check bug
    - ASoC: Intel: bytcr_rt5640: Add quirk for the Glavey TM800A550L tablet
    - ASoC: Intel: bytcr_rt5640: Add quirk for the Lenovo Miix 3-830 tablet
    - vfio-ccw: Serialize FSM IDLE state with I/O completion
    - ASoC: sti-sas: add missing MODULE_DEVICE_TABLE
    - spi: sprd: Add missing MODULE_DEVICE_TABLE
    - isdn: mISDN: netjet: Fix crash in nj_probe:
    - bonding: init notify_work earlier to avoid uninitialized use
    - netlink: disable IRQs for netlink_lock_table()
    - net: mdiobus: get rid of a BUG_ON()
    - cgroup: disable controllers at parse time
    - wq: handle VM suspension in stall detection
    - net/qla3xxx: fix schedule while atomic in ql_sem_spinlock
    - RDS tcp loopback connection can hang
    - scsi: bnx2fc: Return failure if io_req is already in ABTS processing
    - scsi: vmw_pvscsi: Set correct residual data length
    - scsi: hisi_sas: Drop free_irq() of devm_request_irq() allocated irq
    - scsi: target: qla2xxx: Wait for stop_phase1 at WWN removal
    - net: macb: ensure the device is available before accessing GEMGXL control
      registers
    - net: appletalk: cops: Fix data race in cops_probe1
    - net: dsa: microchip: enable phy errata workaround on 9567
    - nvme-fabrics: decode host pathing error for connect
    - MIPS: Fix kernel hang under FUNCTION_GRAPH_TRACER and PREEMPT_TRACER
    - dm verity: fix require_signatures module_param permissions
    - bnx2x: Fix missing error code in bnx2x_iov_init_one()
    - nvme-tcp: remove incorrect Kconfig dep in BLK_DEV_NVME
    - powerpc/fsl: set fsl,i2c-erratum-a004447 flag for P2041 i2c controllers
    - powerpc/fsl: set fsl,i2c-erratum-a004447 flag for P1010 i2c controllers
    - spi: Don't have controller clean up spi device before driver unbind
    - spi: Cleanup on failure of initial setup
    - i2c: mpc: Make use of i2c_recover_bus()
    - i2c: mpc: implement erratum A-004447 workaround
    - x86/boot: Add .text.* to setup.ld
    - spi: bcm2835: Fix out-of-bounds access with more than 4 slaves
    - drm: Fix use-after-free read in drm_getunique()
    - drm: Lock pointer access in drm_master_release()
    - kvm: avoid speculation-based attacks from out-of-range memslot accesses
    - staging: rtl8723bs: Fix uninitialized variables
    - btrfs: return value from btrfs_mark_extent_written() in case of error
    - btrfs: promote debugging asserts to full-fledged checks in validate_super
    - cgroup1: don't allow '\n' in renaming
    - USB: f_ncm: ncm_bitrate (speed) is unsigned
    - usb: f_ncm: only first packet of aggregate needs to start timer
    - usb: pd: Set PD_T_SINK_WAIT_CAP to 310ms
    - usb: dwc3: ep0: fix NULL pointer exception
    - usb: musb: fix MUSB_QUIRK_B_DISCONNECT_99 handling
    - usb: typec: wcove: Use LE to CPU conversion when accessing msg->header
    - usb: typec: ucsi: Clear PPM capability data in ucsi_init() error path
    - usb: gadget: f_fs: Ensure io_completion_wq is idle during unbind
    - USB: serial: ftdi_sio: add NovaTech OrionMX product ID
    - USB: serial: omninet: add device id for Zyxel Omni 56K Plus
    - USB: serial: quatech2: fix control-request directions
    - USB: serial: cp210x: fix alternate function for CP2102N QFN20
    - usb: gadget: eem: fix wrong eem header operation
    - usb: fix various gadgets null ptr deref on 10gbps cabling.
    - usb: fix various gadget panics on 10gbps cabling
    - regulator: core: resolve supply for boot-on/always-on regulators
    - regulator: max77620: Use device_set_of_node_from_dev()
    - usb: typec: mux: Fix copy-paste mistake in typec_mux_match
    - RDMA/ipoib: Fix warning caused by destroying non-initial netns
    - RDMA/mlx4: Do not map the core_clock page to user space unless enabled
    - vmlinux.lds.h: Avoid orphan section with !SMP
    - perf: Fix data race between pin_count increment/decrement
    - sched/fair: Make sure to update tg contrib for blocked load
    - KVM: x86: Ensure liveliness of nested VM-Enter fail tracepoint message
    - IB/mlx5: Fix initializing CQ fragments buffer
    - NFS: Fix a potential NULL dereference in nfs_get_client()
    - NFSv4: Fix deadlock between nfs4_evict_inode() and nfs4_opendata_get_inode()
    - perf session: Correct buffer copying whe