Bug 48782 - linux: Multiple issues (4.3)
linux: Multiple issues (4.3)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.3
All Linux
: P3 normal (vote)
: UCS 4.3-3-errata
Assigned To: Quality Assurance
Philipp Hahn
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2019-02-26 11:46 CET by Quality Assurance
Modified: 2019-02-27 13:29 CET (History)
0 users

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 7.8 (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Quality Assurance univentionstaff 2019-02-26 11:46:48 CET
New Debian linux 4.9.144-3 fixes:
This update addresses the following issues:
* Race condition in fs/f2fs/node.c:add_free_nid() function allows local users  to cause denial of service (CVE-2017-18249)
* cephx protocol is vulnerable to replay attack (CVE-2018-1128)
* cephx uses weak signatures (CVE-2018-1129)
* buffer overflow in drivers/net/wireless/ath/wil6210/wmi.c:wmi_set_ie() may  lead to memory corruption (CVE-2018-5848)
* Integer overflow in kernel/time/posix-timers.c (CVE-2018-12896)
* Integer overflow in the alarm_timer_nsleep function (CVE-2018-13053)
* out-of-bounds memory access in fs/f2fs/super.c (CVE-2018-13096)
* divide-by-zero in fs/f2fs/super.c (CVE-2018-13097)
* divide-by-zero in fs/f2fs/super.c (CVE-2018-13100)
* Out-of-bounds access in write_extent_buffer() when mounting and operating a  crafted btrfs image (CVE-2018-14610)
* Use-after-free in try_merge_free_space() when mounting crafted btrfs image  (CVE-2018-14611)
* Invalid pointer dereference in btrfs_root_node() when mounting a crafted  btrfs image (CVE-2018-14612)
* Invalid pointer dereference in io_ctl_map_page() when mounting and  operating a crafted btrfs image (CVE-2018-14613)
* Out-of-bounds access in fs/f2fs/segment.c:__remove_dirty_segment() when  mounting a crafted f2fs image (CVE-2018-14614)
* NULL pointer dereference in fs/crypto/crypto.c:fscrypt_do_page_crypto()  when operating on a corrupted f2fs image (CVE-2018-14616)
* cleancache: Infoleak of deleted files after reuse of old inodes  (CVE-2018-16862)
* Unprivileged users able to inspect kernel stacks of arbitrary tasks  (CVE-2018-17972)
* TLB flush happens too late on mremap (CVE-2018-18281)
* filesystem corruption due to an unchecked error condition during an xfs  attribute change (CVE-2018-18690)
* Information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c  (CVE-2018-18710)
* kvm: NULL pointer dereference in vcpu_scan_ioapic in arch/x86/kvm/x86.c  (CVE-2018-19407)
Comment 1 Quality Assurance univentionstaff 2019-02-26 17:52:08 CET
--- mirror/ftp/4.3/unmaintained/4.3-3/source/linux_4.9.130-2.dsc
+++ apt/ucs_4.3-0-errata4.3-3/source/linux_4.9.144-3.dsc
@@ -1,3 +1,1024 @@
+4.9.144-3 [Sat, 02 Feb 2019 15:53:59 +0100] Ben Hutchings <ben@decadent.org.uk>:
+
+  * libceph: fix CEPH_FEATURE_CEPHX_V2 check in calc_signature()
+    (regression in 4.9.144)
+
+4.9.144-2 [Mon, 21 Jan 2019 21:57:31 +0000] Ben Hutchings <ben@decadent.org.uk>:
+
+  * [mips*] inst: Avoid ABI change in 4.9.136 (fixes FTBFS)
+  * efi/libstub: Unify command line param parsing (fixes FTBFS on arm64)
+
+4.9.144-1 [Sun, 30 Dec 2018 23:27:02 +0000] Ben Hutchings <ben@decadent.org.uk>:
+
+  * New upstream stable update:
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.136
+    - xfrm: Validate address prefix lengths in the xfrm selector.
+    - xfrm6: call kfree_skb when skb is toobig
+    - mac80211: Always report TX status
+    - cfg80211: reg: Init wiphy_idx in regulatory_hint_core()
+    - mac80211: fix pending queue hang due to TX_DROP
+    - cfg80211: Address some corner cases in scan result channel updating
+    - mac80211: TDLS: fix skb queue/priority assignment
+    - [armel,armhf] 8799/1: mm: fix pci_ioremap_io() offset check
+    - xfrm: validate template mode
+    - nl80211: Fix possible Spectre-v1 for NL80211_TXRATE_HT
+    - mac80211_hwsim: do not omit multicast announce of first added radio
+    - Bluetooth: SMP: fix crash in unpairing
+    - qed: Avoid implicit enum conversion in qed_roce_mode_to_flavor
+    - qed: Avoid constant logical operation warning in qed_vf_pf_acquire
+    - asix: Check for supported Wake-on-LAN modes
+    - ax88179_178a: Check for supported Wake-on-LAN modes
+    - lan78xx: Check for supported Wake-on-LAN modes
+    - sr9800: Check for supported Wake-on-LAN modes
+    - r8152: Check for supported Wake-on-LAN Modes
+    - smsc75xx: Check for Wake-on-LAN modes
+    - smsc95xx: Check for Wake-on-LAN modes
+    - perf/ring_buffer: Prevent concurent ring buffer access
+    - [x86] perf/x86/intel/uncore: Fix PCI BDF address of M3UPI on SKX
+    - [armhf] net: fec: fix rare tx timeout
+    - net: cxgb3_main: fix a missing-check bug
+    - perf symbols: Fix memory corruption because of zero length symbols
+    - mm/memory_hotplug.c: fix overflow in test_pages_in_a_zone()
+    - [mips*] microMIPS: Fix decoding of swsp16 instruction
+    - [mips*] Handle non word sized instructions when examining frame
+    - scsi: aacraid: Fix typo in blink status
+    - f2fs: fix multiple f2fs_add_link() having same name for inline dentry
+    - igb: Remove superfluous reset to PHY and page 0 selection
+    - ACPI: sysfs: Make ACPI GPE mask kernel parameter cover all GPEs
+    - PCI: Disable MSI for HiSilicon Hip06/Hip07 only in Root Port mode
+    - [arm64,armhf] i2c: bcm2835: Avoid possible NULL ptr dereference
+    - efi/fb: Correct PCI_STD_RESOURCE_END usage
+    - ipv6: set rt6i_protocol properly in the route when it is installed
+    - [x86] platform: acer-wmi: setup accelerometer when ACPI device was found
+    - IB/ipoib: Do not warn if IPoIB debugfs doesn't exist
+    - IB/core: Fix the validations of a multicast LID in attach or detach
+      operations
+    - rxe: Fix a sleep-in-atomic bug in post_one_send
+    - nvme-pci: fix CMB sysfs file removal in reset path
+    - net: phy: marvell: Limit 88m1101 autoneg errata to 88E1145 as well.
+    - net/mlx5: Fix command completion after timeout access invalid structure
+    - tipc: Fix tipc_sk_reinit handling of -EAGAIN
+    - tipc: fix a race condition of releasing subscriber object
+    - bnxt_en: Don't use rtnl lock to protect link change logic in workqueue.
+    - [armhf] dts: bcm283x: Reserve first page for firmware
+    - btrfs: fiemap: Cache and merge fiemap extent before submit it to user
+    - [arm64] reset: hi6220: Set module license so that it can be loaded
+    - [x86] ASoC: Intel: Skylake: Fix to parse consecutive string tkns in
+      manifest
+    - mac80211: fix TX aggregation start/stop callback race
+    - libata: fix error checking in in ata_parse_force_one()
+    - [armhf] net: ethernet: stmmac: Fix altr_tse_pcs SGMII Initialization
+    - [i386] x86/cpu/cyrix: Add alternative Device ID of Geode GX1 SoC
+    - [armhf] gpu: ipu-v3: Fix CSI selection for VDIC
+    - [arm64,armhf] net: stmmac: ensure jumbo_frm error return is correctly
+      checked for -ve value
+    - Btrfs: clear EXTENT_DEFRAG bits in finish_ordered_io
+    - ufs: we need to sync inode before freeing it
+    - net/mlx5e: Fix fixpoint divide exception in mlx5e_am_stats_compare
+    - ip6_tunnel: Correct tos value in collect_md mode
+    - net/mlx5: Fix driver load error flow when firmware is stuck
+    - perf evsel: Fix probing of precise_ip level for default cycles event
+    - perf probe: Fix probe definition for inlined functions
+    - net/mlx5: Fix health work queue spin lock to IRQ safe
+    - [armhf] usb: dwc3: omap: remove IRQ_NOAUTOEN used with shared irq
+    - [armhf] clk: samsung: Fix m2m scaler clock on Exynos542x
+    - rds: ib: Fix missing call to rds_ib_dev_put in rds_ib_setup_qp
+    - qed: Warn PTT usage by wrong hw-function
+    - ocfs2: fix deadlock caused by recursive locking in xattr
+    - net: cdc_ncm: GetNtbFormat endian fix
+    - sctp: use right member as the param of list_for_each_entry
+    - ALSA: hda - No loopback on ALC299 codec
+    - ath10k: convert warning about non-existent OTP board id to debug message
+    - ipv6: fix cleanup ordering for ip6_mr failure
+    - IB/ipoib: Fix lockdep issue found on ipoib_ib_dev_heavy_flush
+    - IB/rxe: put the pool on allocation failure
+    - nbd: only set MSG_MORE when we have more to send
+    - mm/frame_vector.c: release a semaphore in 'get_vaddr_frames()'
+    - IB/mlx5: Avoid passing an invalid QP type to firmware
+    - scsi: qla2xxx: Avoid double completion of abort command
+    - drm: bochs: Don't remove uninitialized fbdev framebuffer
+    - i40e: avoid NVM acquire deadlock during NVM update
+    - Revert "IB/ipoib: Update broadcast object if PKey value was changed in
+      index 0"
+    - Btrfs: incremental send, fix invalid memory access
+    - [arm64] drm/msm: Fix possible null dereference on failure of get_pages()
+    - l2tp: remove configurable payload offset
+    - macsec: fix memory leaks when skb_to_sgvec fails
+    - perf/core: Fix locking for children siblings group read
+    - cifs: Use ULL suffix for 64-bit constant
+    - futex: futex_wake_op, do not fail on invalid op
+    - ALSA: hda - Fix incorrect usage of IS_REACHABLE()
+    - enic: do not overwrite error code
+    - bonding: ratelimit failed speed/duplex update warning
+    - nvmet: fix space padding in serial number
+    - iio: buffer: fix the function signature to match implementation
+    - [x86] paravirt: Fix some warning messages
+    - IB/mlx4: Fix an error handling path in 'mlx4_ib_rereg_user_mr()'
+    - libertas: call into generic suspend code before turning off power
+    - xhci: Fix USB3 NULL pointer dereference at logical disconnect.
+    - [armhf] dts: imx53-qsb: disable 1.2GHz OPP
+    - rxrpc: Don't check RXRPC_CALL_TX_LAST after calling
+      rxrpc_rotate_tx_window()
+    - rxrpc: Only take the rwind and mtu values from latest ACK
+    - [x86] net: ena: fix NULL dereference due to untimely napi initialization
+    - fs/fat/fatent.c: add cond_resched() to fat_count_free_clusters()
+    - mtd: spi-nor: Add support for is25wp series chips
+    - Revert "netfilter: ipv6: nf_defrag: drop skb dst before queueing"
+    - bridge: do not add port to router list when receives query with source
+      0.0.0.0
+    - net: bridge: remove ipv6 zero address check in mcast queries
+    - ipv6: mcast: fix a use-after-free in inet6_mc_check
+    - ipv6/ndisc: Preserve IPv6 control buffer if protocol error handlers are
+      called
+    - llc: set SOCK_RCU_FREE in llc_sap_add_socket()
+    - net/ipv6: Fix index counter for unicast addresses in in6_dump_addrs
+    - net: sched: gred: pass the right attribute to gred_change_table_def()
+    - net: socket: fix a missing-check bug
+    - [arm64,armhf] net: stmmac: Fix stmmac_mdio_reset() when building stmmac
+      as modules
+    - net: udp: fix handling of CHECKSUM_COMPLETE packets
+    - r8169: fix NAPI handling under high load
+    - sctp: fix race on sctp_id2asoc
+    - vhost: Fix Spectre V1 vulnerability
+    - ethtool: fix a privilege escalation bug
+    - bonding: fix length of actor system
+    - net: drop skb on failure in ip_check_defrag()
+    - net: fix pskb_trim_rcsum_slow() with odd trim offset
+    - rtnetlink: Disallow FDB configuration for non-Ethernet device
+    - ip6_tunnel: Fix encapsulation layout
+    - crypto: shash - Fix a sleep-in-atomic bug in shash_setkey_unaligned
+    - ahci: don't ignore result code of ahci_reset_controller()
+    - xfs: truncate transaction does not modify the inobt
+    - cachefiles: fix the race between cachefiles_bury_object() and rmdir(2)
+    - ptp: fix Spectre v1 vulnerability
+    - drm/edid: Add 6 bpc quirk for BOE panel in HP Pavilion 15-n233sl
+    - RDMA/ucma: Fix Spectre v1 vulnerability
+    - IB/ucm: Fix Spectre v1 vulnerability
+    - cdc-acm: correct counting of UART states in serial state notification
+    - usb: gadget: storage: Fix Spectre v1 vulnerability
+    - USB: fix the usbfs flag sanitization for control transfers
+    - Input: elan_i2c - add ACPI ID for Lenovo IdeaPad 330-15IGM
+    - sched/fair: Fix throttle_list starvation with low CFS quota
+    - [x86] percpu: Fix this_cpu_read()
+    - [x86] time: Correct the attribute on jiffies' definition
+    - posix-timers: Sanitize overrun handling (CVE-2018-12896)
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.137
+    - bcache: fix miss key refill->end in writeback
+    - jffs2: free jffs2_sb_info through jffs2_kill_sb()
+    - pcmcia: Implement CLKRUN protocol disabling for Ricoh bridges
+    - [arm64] ipmi: Fix timer race with module unload
+    - [hppa/parisc] Fix address in HPMC IVA
+    - [hppa/parisc] Fix map_pages() to not overwrite existing pte entries
+    - ALSA: hda - Add quirk for ASUS G751 laptop
+    - ALSA: hda - Fix headphone pin config for ASUS G751
+    - ALSA: hda - Add mic quirk for the Lenovo G50-30 (17aa:3905)
+    - ALSA: ca0106: Disable IZD on SB0570 DAC to fix audio pops
+    - [x86] speculation: Enable cross-hyperthread spectre v2 STIBP mitigation
+    - [x86] corruption-check: Fix panic in memory_corruption_check() when boot
+      option without value is provided
+    - [x86] speculation: Support Enhanced IBRS on future CPUs
+    - Revert "perf tools: Fix PMU term format max value calculation"
+    - xfrm: policy: use hlist rcu variants on insert
+    - sched/fair: Fix the min_vruntime update logic in dequeue_entity()
+    - perf cpu_map: Align cpu map synthesized events properly.
+    - [x86] fpu: Remove second definition of fpu in __fpu__restore_sig()
+    - net: qla3xxx: Remove overflowing shift statement
+    - locking/lockdep: Fix debug_locks off performance problem
+    - tun: Consistently configure generic netdev params via rtnetlink
+    - [s390x] sthyi: Fix machine name validity indication
+    - [armhf] hwmon: (pwm-fan) Set fan speed to 0 on suspend
+    - perf tools: Free temporary 'sys' string in read_event_files()
+    - perf tools: Cleanup trace-event-info 'tdata' leak
+    - perf strbuf: Match va_{add,copy} with va_end
+    - mmc: sdhci-pci-o2micro: Add quirk for O2 Micro dev 0x8620 rev 0x01
+    - iwlwifi: pcie: avoid empty free RB queue
+    - [i386] x86/olpc: Indicate that legacy PC XO-1 platform should not
+      register RTC
+    - [arm64,armhf] cpufreq: dt: Try freeing static OPPs only if we have added
+      them
+    - Bluetooth: btbcm: Add entry for BCM4335C0 UART bluetooth
+    - [arm64] pinctrl: qcom: spmi-mpp: Fix err handling of pmic_mpp_set_mux
+    - brcmfmac: fix for proper support of 160MHz bandwidth
+    - kprobes: Return error if we fail to reuse kprobe instead of BUG_ON()
+    - ACPI / LPSS: Add alternative ACPI HIDs for Cherry Trail DMA controllers
+    - [arm64] pinctrl: qcom: spmi-mpp: Fix drive strength setting
+    - [arm64] pinctrl: spmi-mpp: Fix pmic_mpp_config_get() to be compliant
+    - [arm64] pinctrl: ssbi-gpio: Fix pm8xxx_pin_config_get() to be compliant
+    - ixgbevf: VF2VF TCP RSS
+    - ath10k: schedule hardware restart if WMI command times out
+    - cgroup, netclassid: add a preemption point to write_classid
+    - scsi: esp_scsi: Track residual for PIO transfers
+    - scsi: megaraid_sas: fix a missing-check bug
+    - RDMA/core: Do not expose unsupported counters
+    - IB/ipoib: Clear IPCB before icmp_send
+    - tpm: suppress transmit cmd error logs when TPM 1.2 is
+      disabled/deactivated
+    - [x86] VMCI: Resource wildcard match fixed
+    - ext4: fix argument checking in EXT4_IOC_MOVE_EXT
+    - MD: fix invalid stored role for a disk
+    - PCI/MSI: Warn and return error if driver enables MSI/MSI-X twice
+    - [arm64,armhf] usb: chipidea: Prevent unbalanced IRQ disable
+    - [amd64] driver/dma/ioat: Call del_timer_sync() without holding prep_lock
+    - uio: ensure class is registered before devices
+    - scsi: lpfc: Correct soft lockup when running mds diagnostics
+    - signal: Always deliver the kernel's SIGKILL and SIGSTOP to a pid
+      namespace init
+    - ALSA: hda: Check the non-cached stream buffers more explicitly
+    - [armhf] dts: exynos: Remove "cooling-{min|max}-level" for CPU nodes
+    - [armhf] dts: exynos: Add missing cooling device properties for CPUs
+    - [armhf] dts: exynos: Convert exynos5250.dtsi to opp-v2 bindings
+    - [armhf] dts: exynos: Mark 1 GHz CPU OPP as suspend OPP on Exynos5250
+    - xen-swiotlb: use actually allocated size on check physical continuous
+    - [x86] tpm: Restore functionality to xen vtpm driver.
+    - xen/blkfront: avoid NULL blkfront_info dereference on device removal
+    - [x86] xen: fix race in xen_qlock_wait()
+    - [x86] xen: make xen_qlock_wait() nestable
+    - libertas: don't set URB_ZERO_PACKET on IN USB transfer
+    - [x86] usbip:vudc: BUG kmalloc-2048 (Not tainted): Poison overwritten
+    - iwlwifi: mvm: check return value of rs_rate_from_ucode_rate()
+    - [x86] libnvdimm: Hold reference on parent while scheduling async init
+    - [x86] ASoC: intel: skylake: Add missing break in skl_tplg_get_token()
+    - jbd2: fix use after free in jbd2_log_do_checkpoint()
+    - gfs2_meta: ->mount() can get NULL dev_name
+    - ext4: initialize retries variable in ext4_da_write_inline_data_begin()
+    - ext4: propagate error from dquot_initialize() in EXT4_IOC_FSSETXATTR
+    - HID: hiddev: fix potential Spectre v1
+    - EDAC, {i7core,sb,skx}_edac: Fix uncorrected error counting
+    - [amd64] EDAC, skx_edac: Fix logical channel intermediate decoding
+    - PCI: Add Device IDs for Intel GPU "spurious interrupt" quirk
+    - [ppc64el] signal/GenWQE: Fix sending of SIGKILL
+    - crypto: lrw - Fix out-of bounds access on counter overflow
+    - crypto: tcrypt - fix ghash-generic speed test
+    - ima: fix showing large 'violations' or 'runtime_measurements_count'
+    - hugetlbfs: dirty pages as they are added to pagecache
+    - [armhf] w1: omap-hdq: fix missing bus unregister at removal
+    - smb3: allow stats which track session and share reconnects to be reset
+    - smb3: do not attempt cifs operation in smb3 query info error path
+    - smb3: on kerberos mount if server doesn't specify auth type use krb5
+    - printk: Fix panic caused by passing log_buf_len to command line
+    - genirq: Fix race on spurious interrupt detection
+    - NFSv4.1: Fix the r/wsize checking
+    - nfsd: Fix an Oops in free_session()
+    - lockd: fix access beyond unterminated strings in prints
+    - dm ioctl: harden copy_params()'s copy_from_user() from malicious users
+    - [powerpc*] msi: Fix compile error on mpc83xx
+    - [mips*] OCTEON: fix out of bounds array access on CN68XX
+    - media: v4l2-tpg: fix kernel oops when enabling HFLIP and OSD
+    - [x86] xen: fix xen_qlock_wait()
+    - media: em28xx: use a default format if TRY_FMT fails
+    - media: tvp5150: avoid going past array on v4l2_querymenu()
+    - media: em28xx: fix input name for Terratec AV 350
+    - media: em28xx: make v4l2-compliance happier by starting sequence on zero
+    - [arm64] lse: remove -fcall-used-x0 flag
+    - rpmsg: smd: fix memory leak on channel create
+    - Cramfs: fix abad comparison when wrap-arounds occur
+    - [arm64,armhf] soc/tegra: pmc: Fix child-node lookup
+    - btrfs: Handle owner mismatch gracefully when walking up tree
+    - btrfs: locking: Add extra check in btrfs_init_new_buffer() to avoid
+      deadlock
+    - btrfs: fix error handling in free_log_tree
+    - btrfs: iterate all devices during trim, instead of
+      fs_devices::alloc_list
+    - btrfs: don't attempt to trim devices that don't support it
+    - btrfs: wait on caching when putting the bg cache
+    - btrfs: reset max_extent_size on clear in a bitmap
+    - btrfs: make sure we create all new block groups
+    - Btrfs: fix wrong dentries after fsync of file that got its parent
+      replaced
+    - btrfs: qgroup: Dirty all qgroups before rescan
+    - Btrfs: fix null pointer dereference on compressed write path error
+    - btrfs: set max_extent_size properly
+    - MD: fix invalid stored role for a disk - try2
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.138
+    - [powerpc*] powerpc/eeh: Fix possible null deref in eeh_dump_dev_log()
+    - tty: check name length in tty_find_polling_driver()
+    - [powerpc*] nohash: fix undefined behaviour when testing page size
+      support
+    - [armhf] drm/omap: fix memory barrier bug in DMM driver
+    - media: pci: cx23885: handle adding to list failure
+    - [mips*] kexec: Mark CPU offline before disabling local IRQ
+    - [powerpc*] boot: Ensure _zimage_start is a weak symbol
+    - [mips*] PCI: Call pcie_bus_configure_settings() to set MPS/MRRS
+    - media: tvp5150: fix width alignment during set_selection()
+    - 9p locks: fix glock.client_id leak in do_lock
+    - 9p: clear dangling pointers in p9stat_free
+    - cdrom: fix improper type cast, which can leat to information leak.
+      (CVE-2018-18710)
+    - scsi: qla2xxx: Fix incorrect port speed being set for FC adapters
+    - scsi: qla2xxx: shutdown chip if reset fail
+    - fuse: Fix use-after-free in fuse_dev_do_read()
+    - fuse: Fix use-after-free in fuse_dev_do_write()
+    - fuse: fix blocked_waitq wakeup
+    - fuse: set FR_SENT while locked
+    - mm: do not bug_on on incorrect length in __mm_populate()
+    - e1000: avoid null pointer dereference on invalid stat type
+    - e1000: fix race condition between e1000_down() and e1000_watchdog
+    - bna: ethtool: Avoid reading past end of buffer
+    - [hppa/parisc] Align os_hpmc_size on word boundary
+    - [hppa/parisc] Fix HPMC handler by increasing size to multiple of 16
+      bytes
+    - [hppa/parisc] Fix exported address of os_hpmc handler
+    - [mips64el,mipsel] Loongson-3: Fix CPU UART irq delivery problem
+    - [mips64le,mipsel] Loongson-3: Fix BRIDGE irq delivery problem
+    - [armhf] clk: s2mps11: Fix matching when built as module and DT node
+      contains compatible
+    - [armhf] clk: rockchip: Fix static checker warning in
+      rockchip_ddrclk_get_parent call
+    - libceph: bump CEPH_MSG_MAX_DATA_LEN
+    - Revert "ceph: fix dentry leak in splice_dentry()"
+    - mach64: fix display corruption on big endian machines
+    - mach64: fix image corruption due to reading accelerator registers
+    - [arm64] reset: hisilicon: fix potential NULL pointer dereference
+    - vhost/scsi: truncate T10 PI iov_iter to prot_bytes
+    - ocfs2: fix a misuse a of brelse after failing ocfs2_check_dir_entry
+    - mm: thp: relax __GFP_THISNODE for MADV_HUGEPAGE mappings
+    - netfilter: conntrack: fix calculation of next bucket number in
+      early_drop
+    - termios, tty/tty_baudrate.c: fix buffer overrun
+    - Btrfs: fix cur_offset in the error case for nocow
+    - Btrfs: fix data corruption due to cloning of eof block
+    - clockevents/drivers/i8253: Add support for PIT shutdown quirk
+    - ext4: add missing brelse() update_backups()'s error path
+    - ext4: add missing brelse() in set_flexbg_block_bitmap()'s error path
+    - ext4: add missing brelse() add_new_gdb_meta_bg()'s error path
+    - ext4: avoid potential extra brelse in setup_new_flex_group_blocks()
+    - ext4: fix possible inode leak in the retry loop of ext4_resize_fs()
+    - ext4: avoid buffer leak in ext4_orphan_add() after prior errors
+    - ext4: fix missing cleanup if ext4_alloc_flex_bg_array() fails while
+      resizing
+    - ext4: avoid possible double brelse() in add_new_gdb() on error path
+    - ext4: fix possible leak of sbi->s_group_desc_leak in error path
+    - ext4: fix possible leak of s_journal_flag_rwsem in error path
+    - ext4: release bs.bh before re-using in ext4_xattr_block_find()
+    - ext4: fix buffer leak in ext4_xattr_move_to_block() on error path
+    - ext4: fix buffer leak in __ext4_read_dirblock() on error path
+    - mount: Retest MNT_LOCKED in do_umount
+    - mount: Don't allow copying MNT_UNBINDABLE|MNT_LOCKED mounts
+    - mount: Prevent MNT_DETACH from disconnecting locked mounts
+    - sunrpc: correct the computation for page_ptr when truncating
+    - nfsd: COPY and CLONE operations require the saved filehandle to be set
+    - rtc: hctosys: Add missing range error reporting
+    - fuse: fix use-after-free in fuse_direct_IO()
+    - fuse: fix leaked notify reply
+    - configfs: replace strncpy with memcpy
+    - lib/ubsan.c: don't mark __ubsan_handle_builtin_unreachable as noreturn
+    - hugetlbfs: fix kernel BUG at fs/hugetlbfs/inode.c:444!
+    - mm: migration: fix migration of huge PMD shared pages
+    - [armhf] drm/rockchip: Allow driver to be shutdown on reboot/kexec
+    - drm/dp_mst: Check if primary mstb is null
+    - [x86] drm/i915/hdmi: Add HDMI 2.0 audio clock recovery N values
+    - [x86] drm/i915/execlists: Force write serialisation into context image
+      vs execution
+    - [arm64] KVM: Fix caching of host MDCR_EL2 value
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.139
+    - flow_dissector: do not dissect l4 ports for fragments
+    - ip_tunnel: don't force DF when MTU is locked
+    - net-gro: reset skb->pkt_type in napi_reuse_skb()
+    - sctp: not allow to set asoc prsctp_enable by sockopt
+    - tg3: Add PHY reset for 5717/5719/5720 in change ring and flow control
+      paths
+    - usbnet: smsc95xx: disable carrier check while suspending
+    - inet: frags: better deal with smp races
+    - ipv6: Fix PMTU updates for UDP/raw sockets in presence of VRF
+    - kbuild: Add better clang cross build support
+    - kbuild: clang: add -no-integrated-as to KBUILD_[AC]FLAGS
+    - kbuild: Consolidate header generation from ASM offset information
+    - kbuild: consolidate redundant sed script ASM offset generation
+    - kbuild: fix asm-offset generation to work with clang
+    - kbuild: drop -Wno-unknown-warning-option from clang options
+    - kbuild, LLVMLinux: Add -Werror to cc-option to support clang
+    - kbuild: use -Oz instead of -Os when using clang
+    - kbuild: Add support to generate LLVM assembly files
+    - modules: mark __inittest/__exittest as __maybe_unused
+    - [x86] kbuild: Use cc-option to enable -falign-{jumps/loops}
+    - [amd64] crypto, x86: aesni - fix token pasting for clang
+    - kbuild: Add __cc-option macro
+    - [x86] build: Use __cc-option for boot code compiler options
+    - [x86] build: Specify stack alignment for clang
+    - kbuild: clang: Disable 'address-of-packed-member' warning
+    - [arm64] crypto: arm64/sha - avoid non-standard inline asm tricks
+    - [x86] boot: #undef memcpy() et al in string.c
+    - [arm64] efi/libstub/arm64: Use hidden attribute for struct screen_info
+      reference
+    - [arm64] efi/libstub/arm64: Force 'hidden' visibility for section markers
+    - efi/libstub: Preserve .debug sections after absolute relocation check
+    - [arm64] efi/libstub/arm64: Set -fpie when building the EFI stub
+    - [x86] build: Fix stack alignment for CLang
+    - [x86] build: Use cc-option to validate stack alignment parameter
+    - Kbuild: use -fshort-wchar globally
+    - [arm64] uaccess: suppress spurious clang warning
+    - [armel,armhf] add more CPU part numbers for Cortex and Brahma B15 CPUs
+    - [armel,armhf] bugs: prepare processor bug infrastructure
+    - [armel,armhf] bugs: hook processor bug checking into SMP and suspend
+      paths
+    - [armel,armhf] bugs: add support for per-processor bug checking
+    - [armel,armhf] spectre: add Kconfig symbol for CPUs vulnerable to Spectre
+    - [armel,armhf] spectre-v2: harden branch predictor on context switches
+    - [armel,armhf] spectre-v2: add Cortex A8 and A15 validation of the IBE
+      bit
+    - [armel,armhf] spectre-v2: harden user aborts in kernel space
+    - [armel,armhf] spectre-v2: add firmware based hardening
+    - [armel,armhf] spectre-v2: warn about incorrect context switching
+      functions
+    - [armel,armhf] KVM: invalidate BTB on guest exit for Cortex-A12/A17
+    - [armel,armhf] KVM: invalidate icache on guest exit for Cortex-A15
+    - [armel,armhf] spectre-v2: KVM: invalidate icache on guest exit for
+      Brahma B15
+    - [armel,armhf] KVM: Add SMCCC_ARCH_WORKAROUND_1 fast handling
+    - [armel,armhf] KVM: report support for SMCCC_ARCH_WORKAROUND_1
+    - [armel,armhf] spectre-v1: add speculation barrier (csdb) macros
+    - [armel,armhf] spectre-v1: add array_index_mask_nospec() implementation
+    - [armel,armhf] spectre-v1: fix syscall entry
+    - [armel,armhf] signal: copy registers using __copy_from_user()
+    - [armel,armhf] vfp: use __copy_from_user() when restoring VFP state
+    - [armel,armhf] oabi-compat: copy semops using __copy_from_user()
+    - [armel,armhf] use __inttype() in get_user()
+    - [armel,armhf] spectre-v1: use get_user() for __get_user()
+    - [armel,armhf] spectre-v1: mitigate user accesses
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.140
+    - Revert "x86/speculation: Enable cross-hyperthread spectre v2 STIBP
+      mitigation"
+    - Revert "ipv6: set rt6i_protocol properly in the route when it is
+      installed"
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.141
+    - cifs: don't dereference smb_file_target before null check
+    - reiserfs: propagate errors from fill_with_dentries() properly
+    - hfs: prevent btree data loss on root split
+    - hfsplus: prevent btree data loss on root split
+    - drm/edid: Add 6 bpc quirk for BOE panel.
+    - clk: fixed-rate: fix of_node_get-put imbalance
+    - fs/exofs: fix potential memory leak in mount option parsing
+    - [armhf] clk: samsung: exynos5420: Enable PERIS clocks for suspend
+    - [x86] platform/x86: acerhdf: Add BIOS entry for Gateway LT31 v1.3307
+    - [arm64] percpu: Initialize ret in the default case
+    - netfilter: ipset: actually allow allowable CIDR 0 in hash:net,port,net
+    - netfilter: ipset: Correct rcu_dereference() call in ip_set_put_comment()
+    - netfilter: xt_IDLETIMER: add sysfs filename checking routine
+    - [s390x] qeth: fix HiperSockets sniffer
+    - [ppc64el] hwmon: (ibmpowernv) Remove bogus __init annotations
+    - clk: fixed-factor: fix of_node_get-put imbalance
+    - qed: Fix memory/entry leak in qed_init_sp_request()
+    - qed: Fix blocking/unlimited SPQ entries leak
+    - zram: close udev startup race condition as default groups
+    - SUNRPC: drop pointless static qualifier in xdr_get_next_encode_buffer()
+    - gfs2: Put bitmap buffers in put_super
+    - btrfs: Enhance btrfs_trim_fs function to handle error better
+    - btrfs: Ensure btrfs_trim_fs can trim the whole filesystem
+    - btrfs: fix pinned underflow after transaction aborted
+    - Revert "media: videobuf2-core: don't call memop 'finish' when queueing"
+    - Revert "Bluetooth: h5: Fix missing dependency on BT_HCIUART_SERDEV"
+    - media: v4l: event: Add subscription to list before calling "add"
+      operation
+    - uio: Fix an Oops on load
+    - usb: cdc-acm: add entry for Hiro (Conexant) modem
+    - USB: quirks: Add no-lpm quirk for Raydium touchscreens
+    - usb: quirks: Add delay-init quirk for Corsair K70 LUX RGB
+    - USB: misc: appledisplay: add 20" Apple Cinema Display
+    - [x86] ACPI / platform: Add SMB0001 HID to forbidden_id_list
+    - HID: uhid: forbid UHID_CREATE under KERNEL_DS or elevated privileges
+    - libceph: fall back to sendmsg for slab pages
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.142
+    - usb: core: Fix hub port connection events lost
+    - [arm64,armhf] usb: dwc3: core: Clean up ULPI device
+    - usb: xhci: fix timeout for transition from RExit to U0
+    - MAINTAINERS: Add Sasha as a stable branch maintainer
+    - gpio: don't free unallocated ida on gpiochip_add_data_with_key() error
+      path
+    - iwlwifi: mvm: support sta_statistics() even on older firmware
+    - iwlwifi: mvm: fix regulatory domain update when the firmware starts
+    - brcmfmac: fix reporting support for 160 MHz channels
+    - tools/power/cpupower: fix compilation with STATIC=true
+    - v9fs_dir_readdir: fix double-free on p9stat_read error
+    - selinux: Add __GFP_NOWARN to allocation at str_read()
+    - bfs: add sanity check at bfs_fill_super()
+    - sctp: clear the transport of some out_chunk_list chunks in
+      sctp_assoc_rm_peer
+    - gfs2: Don't leave s_fs_info pointing to freed memory in init_sbd
+    - llc: do not use sk_eat_skb()
+    - mm: don't warn about large allocations for slab
+    - drm/ast: change resolution may cause screen blurred
+    - drm/ast: fixed cursor may disappear sometimes
+    - drm/ast: Remove existing framebuffers before loading driver
+    - can: dev: can_get_echo_skb(): factor out non sending code to
+      __can_get_echo_skb()
+    - can: dev: __can_get_echo_skb(): replace struct can_frame by canfd_frame
+      to access frame length
+    - can: dev: __can_get_echo_skb(): Don't crash the kernel if
+      can_priv::echo_skb is accessed out of bounds
+    - can: dev: __can_get_echo_skb(): print error message, if trying to echo
+      non existing skb
+    - IB/core: Fix for core panic
+    - [amd64] IB/hfi1: Eliminate races in the SDMA send error path
+    - usb: xhci: Prevent bus suspend if a port connect change or polling state
+      is detected
+    - [arm64] pinctrl: meson: fix pinconf bias disable
+    - [armhf] cpufreq: imx6q: add return value check for voltage scale
+    - floppy: fix race condition in __floppy_read_block_0()
+    - [powerpc*] io: Fix the IO workarounds code to work with Radix
+    - [x86] perf/x86/intel/uncore: Add more IMC PCI IDs for KabyLake and
+      CoffeeLake CPUs
+    - SUNRPC: Fix a bogus get/put in generic_key_to_expire()
+    - [powerpc*] numa: Suppress "VPHN is not supported" messages
+    - [arm64,armhf] efi/arm: Revert deferred unmap of early memmap mapping
+    - tmpfs: make lseek(SEEK_DATA/SEK_HOLE) return ENXIO with a negative
+      offset
+    - of: add helper to lookup compatible child node
+    - ath10k: fix kernel panic due to race in accessing arvif list
+    - Input: xpad - add product ID for Xbox One S pad
+    - Input: xpad - fix Xbox One rumble stopping after 2.5 secs
+    - Input: xpad - correctly sort vendor id's
+    - Input: xpad - move reporting xbox one home button to common function
+    - Input: xpad - simplify error condition in init_output
+    - Input: xpad - don't depend on endpoint order
+    - Input: xpad - fix stuck mode button on Xbox One S pad
+    - Input: xpad - restore LED state after device resume
+    - Input: xpad - support some quirky Xbox One pads
+    - Input: xpad - sort supported devices by USB ID
+    - Input: xpad - sync supported devices with xboxdrv
+    - Input: xpad - add USB IDs for Mad Catz Brawlstick and Razer Sabertooth
+    - Input: xpad - sync supported devices with 360Controller
+    - Input: xpad - sync supported devices with XBCD
+    - Input: xpad - constify usb_device_id
+    - Input: xpad - fix PowerA init quirk for some gamepad models
+    - Input: xpad - validate USB endpoint type during probe
+    - Input: xpad - add support for PDP Xbox One controllers
+    - Input: xpad - add PDP device id 0x02a4
+    - Input: xpad - fix some coding style issues
+    - Input: xpad - avoid using __set_bit() for capabilities
+    - Input: xpad - add GPD Win 2 Controller USB IDs
+    - Input: xpad - fix GPD Win 2 controller name
+    - Input: xpad - add support for Xbox1 PDP Camo series gamepad
+    - mwifiex: prevent register accesses after host is sleeping
+    - mwifiex: report error to PCIe for suspend failure
+    - mwifiex: Fix NULL pointer dereference in skb_dequeue()
+    - mwifiex: fix p2p device doesn't find in scan problem
+    - scsi: ufs: fix bugs related to null pointer access and array size
+    - scsi: ufshcd: Fix race between clk scaling and ungate work
+    - scsi: ufs: fix race between clock gating and devfreq scaling work
+    - scsi: ufshcd: release resources if probe fails
+    - tty: wipe buffer.
+    - tty: wipe buffer if not echoing data
+    - usb: xhci: fix uninitialized completion when USB3 port got wrong status
+    - sched/core: Allow __sched_setscheduler() in interrupts when PI is not
+      used
+    - namei: allow restricted O_CREAT of FIFOs and regular files
+    - lan78xx: Read MAC address from DT if present
+    - [s390x] mm: Check for valid vma before zapping in gmap_discard
+    - net: ieee802154: 6lowpan: fix frag reassembly
+    - Revert "evm: Translate user/group ids relative to s_user_ns when
+      computing HMAC"
+    - ima: always measure and audit files in policy
+    - ima: re-introduce own integrity cache lock
+    - ima: re-initialize iint->atomic_flags
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.143
+    - mm/huge_memory: rename freeze_page() to unmap_page()
+    - mm/huge_memory.c: reorder operations in __split_huge_page_tail()
+    - mm/huge_memory: splitting set mapping+index before unfreeze
+    - mm/huge_memory: fix lockdep complaint on 32-bit i_size_read()
+    - mm/khugepaged: collapse_shmem() stop if punched or truncated
+    - shmem: shmem_charge: verify max_block is not exceeded before inode
+      update
+    - shmem: introduce shmem_inode_acct_block
+    - mm/khugepaged: fix crashes due to misaccounted holes
+    - mm/khugepaged: collapse_shmem() remember to clear holes
+    - mm/khugepaged: minor reorderings in collapse_shmem()
+    - mm/khugepaged: collapse_shmem() without freezing new_page
+    - mm/khugepaged: collapse_shmem() do not crash on Compound
+    - media: em28xx: Fix use-after-free when disconnecting
+    - [arm64,armhf] Revert "wlcore: Add missing PM call for
+      wlcore_cmd_wait_for_event_or_timeout()"
+    - net: skb_scrub_packet(): Scrub offload_fwd_mark
+    - [s390x] qeth: fix length check in SNMP processing
+    - usbnet: ipheth: fix potential recvmsg bug and recvmsg bug 2
+    - [x86] kvm: mmu: Fix race in emulated page table writes
+    - [x86] kvm: svm: Ensure an IBPB on all affected CPUs when freeing a vmcb
+    - [x86] KVM: Fix scan ioapic use-before-initialization (CVE-2018-19407)
+    - Btrfs: ensure path name is null terminated at btrfs_control_ioctl
+    - [x86] perf/x86/intel: Move branch tracing setup to the Intel-specific
+      source file
+    - [x86] perf/x86/intel: Add generic branch tracing check to
+      intel_pmu_has_bts()
+    - fs: fix lost error code in dio_complete
+    - [i386] ALSA: wss: Fix invalid snd_free_pages() at error path
+    - ALSA: ac97: Fix incorrect bit shift at AC97-SPSA control write
+    - ALSA: control: Fix race between adding and removing a user element
+    - [sparc] ALSA: sparc: Fix invalid snd_free_pages() at error path
+    - ext2: fix potential use after free
+    - btrfs: release metadata before running delayed refs
+    - USB: usb-storage: Add new IDs to ums-realtek
+    - usb: core: quirks: add RESET_RESUME quirk for Cherry G230 Stream series
+    - Revert "usb: dwc3: gadget: skip Set/Clear Halt when invalid"
+    - mm: use swp_offset as key in shmem_replace_page()
+    - [x86] Drivers: hv: vmbus: check the creation_status in
+      vmbus_establish_gpadl()
+    - [amd64] misc: mic/scif: fix copy-paste error in
+      scif_create_remote_lookup
+    - [armhf] bus: arm-cci: remove unnecessary unreachable()
+    - [armhf] trusted_foundations: do not use naked function
+    - [x86] efi/libstub: Make file I/O chunking x86-specific
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.144
+    - kernfs: Replace strncpy with memcpy
+    - ip_tunnel: Fix name string concatenate in __ip_tunnel_create()
+    - scsi: bfa: convert to strlcpy/strlcat
+    - [x86] staging: rts5208: fix gcc-8 logic error warning
+    - [amd64] x86/power/64: Use char arrays for asm function names
+    - iser: set sector for ambiguous mr status errors
+    - uprobes: Fix handle_swbp() vs. unregister() + register() race once more
+    - [mips*] fix mips_get_syscall_arg o32 check
+    - IB/mlx5: Avoid load failure due to unknown link width
+    - drm/ast: Fix incorrect free on ioregs
+    - drm: set is_master to 0 upon drm_new_set_master() failure
+    - scsi: scsi_devinfo: cleanly zero-pad devinfo strings
+    - scsi: csiostor: Avoid content leaks and casts
+    - [x86] svm: Add mutex_lock to protect apic_access_page_done on AMD
+      systems
+    - Input: xpad - quirk all PDP Xbox One gamepads
+    - Input: elan_i2c - add ELAN0620 to the ACPI table
+    - Input: elan_i2c - add ACPI ID for Lenovo IdeaPad 330-15ARR
+    - Input: elan_i2c - add support for ELAN0621 touchpad
+    - btrfs: Always try all copies when reading extent buffers
+    - Btrfs: fix use-after-free when dumping free space
+    - udf: Allow mounting volumes with incorrect identification strings
+    - [arm64,armhf] reset: make optional functions really optional
+    - [arm64,armhf] reset: core: fix reset_control_put
+    - reset: fix optional reset_control_get stubs to return NULL
+    - [arm64,armhf] reset: add exported __reset_control_get, return NULL if
+      optional
+    - [arm64,armhf] reset: make device_reset_optional() really optional
+    - reset: remove remaining WARN_ON() in <linux/reset.h>
+    - mm: cleancache: fix corruption on missed inode invalidation
+      (CVE-2018-16862)
+    - net: qed: use correct strncpy() size
+    - tipc: use destination length for copy string
+    - libceph: drop len argument of *verify_authorizer_reply()
+    - libceph: no need to drop con->mutex for ->get_authorizer()
+    - libceph: store ceph_auth_handshake pointer in ceph_connection
+    - libceph: factor out __prepare_write_connect()
+    - libceph: factor out __ceph_x_decrypt()
+    - libceph: factor out encrypt_authorizer()
+    - libceph: add authorizer challenge (CVE-2018-1128)
+    - libceph: implement CEPHX_V2 calculation mode (CVE-2018-1129)
+    - libceph: weaken sizeof check in ceph_x_verify_authorizer_reply()
+    - libceph: check authorizer reply/challenge length before reading
+    - bpf: Prevent memory disambiguation attack (CVE-2018-3639)
+    - wil6210: missing length check in wmi_set_ie (CVE-2018-5848)
+    - btrfs: validate type when reading a chunk (CVE-2018-14611)
+    - btrfs: Verify that every chunk has corresponding block group at mount
+      time (CVE-2018-14612)
+    - btrfs: Refactor check_leaf function for later expansion
+    - btrfs: Check if item pointer overlaps with the item itself
+    - btrfs: Add sanity check for EXTENT_DATA when reading out leaf
+    - btrfs: Add checker for EXTENT_CSUM
+    - btrfs: Move leaf and node validation checker to tree-checker.c
+    - btrfs: struct-funcs, constify readers
+    - btrfs: tree-checker: Enhance btrfs_check_node output
+    - btrfs: tree-checker: Fix false panic for sanity test
+    - btrfs: tree-checker: Add checker for dir item
+    - btrfs: tree-checker: use %zu format string for size_t
+    - btrfs: tree-check: reduce stack consumption in check_dir_item
+    - btrfs: tree-checker: Verify block_group_item (CVE-2018-14613)
+    - btrfs: tree-checker: Detect invalid and empty essential trees
+      (CVE-2018-14612)
+    - btrfs: Check that each block group has corresponding chunk at mount time
+      (CVE-2018-14610)
+    - btrfs: tree-checker: Check level for leaves and nodes
+    - btrfs: tree-checker: Fix misleading group system information
+    - f2fs: fix race condition in between free nid allocator/initializer
+      (CVE-2017-18249)
+    - f2fs: detect wrong layout
+    - f2fs: return error during fill_super
+    - f2fs: check blkaddr more accuratly before issue a bio
+    - f2fs: sanity check on sit entry
+    - f2fs: enhance sanity_check_raw_super() to avoid potential overflow
+    - f2fs: clean up with is_valid_blkaddr()
+    - f2fs: introduce and spread verify_blkaddr
+    - f2fs: fix to do sanity check with secs_per_zone (CVE-2018-13100)
+    - f2fs: fix to do sanity check with user_block_count (CVE-2018-13097)
+    - f2fs: Add sanity_check_inode() function
+    - f2fs: fix to do sanity check with node footer and iblocks
+      (CVE-2018-13096)
+    - f2fs: fix to do sanity check with block address in main area
+    - f2fs: fix missing up_read
+    - f2fs: fix to do sanity check with block address in main area v2
+      (CVE-2018-14616)
+    - f2fs: free meta pages if sanity check for ckpt is failed
+    - f2fs: fix to do sanity check with cp_pack_start_sum (CVE-2018-14614)
+    - xfs: don't fail when converting shortform attr to long form during
+      ATTR_REPLACE (CVE-2018-18690)
+    - hugetlbfs: fix bug in pgoff overflow checking
+
+  [ Ben Hutchings ]
+  * drivers/net/ethernet: Ignore ABI changes (fixes FTBFS on arm64;
+    Closes: #914556)
+  * libcpupower: Hide private function and drop it from .symbols file
+  * Revert "elevator: fix truncation of icq_cache_name" to avoid ABI change
+  * reset: Avoid ABI changes in 4.9.144
+  * esp_scsi: Ignore ABI changes
+  * snd-hda: Ignore ABI changes
+  * posix-timers: Avoid ABI change in 4.9.136
+  * sched: Avoid ABI change in 4.9.136
+  * [armel,armhf] Avoid ABI change in 4.9.139
+
+  [ Noah Meyerhans ]
+  * [arm64] PCI: Enable HOTPLUG_PCI and HOTPLUG_PCI_ACPI (Closes: #915231)
+  * drivers/net/ethernet/amazon: Backport ENA 2.0.2 network driver
+    (Closes: #915229)
+
+  [ Salvatore Bonaccorso ]
+  * [rt] Refresh
+    0159-genirq-Allow-disabling-of-softirq-processing-in-irq-.patch for
+    context changes in 4.9.137
+  * Refresh mips-loongson-3-support-irq_set_affinity-in-i8259-ch.patch for
+    context changes in 4.9.138
+  * Refresh kbuild-use-nostdinc-in-compile-tests.patch for context changes in
+    4.9.139
+  * Refresh inet-frags-avoid-abi-change-in-4.9.134.patch for context changes
+    in 4.9.139
+  * scripts/mod: Update modpost wrapper for 4.9.139.
+    Upstream commit cf0c3e68aa81 "kbuild: fix asm-offset generation to work
+    with clang" changed the macros used by devicetable-offsets.c.  Copy the
+    new sed code from upstream scripts/Makefile.lib.
+    Originates from the same change for 4.12 done by Ben Hutchings.
+  * Refresh media-v4l-avoid-abi-change-in-4.9.131.patch for context changes in
+    4.9.141
+  * Refresh fs-enable-link-security-restrictions-by-default.patch for context
+    changes in 4.9.142
+  * Refresh inet-frags-avoid-abi-change-in-4.9.134.patch for context changes
+    in 4.9.142
+
+  [ Michal Simek ]
+  * [arm64] Enable Xilinx ZynqMP SoC and drivers
+
+4.9.135-1 [Sun, 11 Nov 2018 15:03:44 +0100] Salvatore Bonaccorso <carnil@debian.org>:
+
+  * New upstream stable update:
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.131
+    - crypto: skcipher - Fix -Wstringop-truncation warnings
+    - tsl2550: fix lux1_input error in low light
+    - [x86] vmci: type promotion bug in qp_host_get_user_memory()
+    - [amd64] numa_emulation: Fix emulated-to-physical node mapping
+    - [x86] staging: rts5208: fix missing error check on call to
+      rtsx_write_register
+    - uwb: hwa-rc: fix memory leak at probe
+    - [arm64,armhf] power: vexpress: fix corruption in notifier registration
+    - [amd64] iommu/amd: make sure TLB to be flushed before IOVA freed
+    - Bluetooth: Add a new Realtek 8723DE ID 0bda:b009
+    - USB: serial: kobil_sct: fix modem-status error handling
+    - 6lowpan: iphc: reset mac_header after decompress to fix panic
+    - [s390x] mm: correct allocate_pgste proc_handler callback
+    - power: remove possible deadlock when unregistering power_supply
+    - IB/core: type promotion bug in rdma_rw_init_one_mr()
+    - [powerpc*] kdump: Handle crashkernel memory reservation failure
+    - [x86] tsc: Add missing header to tsc_msr.c
+    - [armhf] hwmod: RTC: Don't assume lock/unlock will be called with irq
+      enabled
+    - [x86] entry/64: Add two more instruction suffixes
+    - scsi: target/iscsi: Make iscsit_ta_authentication() respect the output
+      buffer size
+    - scsi: klist: Make it safe to use klists in atomic context
+    - [powerpc/powerpc64,ppc64*] scsi: ibmvscsi: Improve strings handling
+    - usb: wusbcore: security: cast sizeof to int for comparison
+    - [ppc64el] powerpc/powernv/ioda2: Reduce upper limit for DMA window size
+    - alarmtimer: Prevent overflow for relative nanosleep (CVE-2018-13053)
+    - [s390x] extmem: fix gcc 8 stringop-overflow warning
+    - [armhf] media: omap3isp: zero-initialize the isp cam_xclk{a,b} initial
+      data
+    - drivers/tty: add error handling for pcmcia_loop_config
+    - [x86] media: tm6000: add error handling for dvb_register_adapter
+    - ALSA: hda: Add AZX_DCAPS_PM_RUNTIME for AMD Raven Ridge
+    - ath10k: protect ath10k_htt_rx_ring_free with rx_ring.lock
+    - rndis_wlan: potential buffer overflow in rndis_wlan_auth_indication()
+    - [arm64,armhf] wlcore: Add missing PM call for
+      wlcore_cmd_wait_for_event_or_timeout()
+    - [armhf] mvebu: declare asm symbols as character arrays in pmsu.c
+    - HID: hid-ntrig: add error handling for sysfs_create_group
+    - [x86] perf/x86/intel/lbr: Fix incomplete LBR call stack
+    - scsi: bnx2i: add error handling for ioremap_nocache
+    - scsi: megaraid_sas: Update controller info during resume
+    - [x86] EDAC, i7core: Fix memleaks and use-after-free on probe and remove
+    - ASoC: dapm: Fix potential DAI widget pointer deref when linking DAIs
+    - nfsd: fix corrupted reply to badly ordered compound
+    - EDAC: Fix memleak in module init error path
+    - [armhf] dts: dra7: fix DCAN node addresses
+    - [arm64] spi: tegra20-slink: explicitly enable/disable clock
+    - [arm*] regulator: fix crash caused by null driver data
+    - USB: fix error handling in usb_driver_claim_interface()
+    - USB: handle NULL config in usb_find_alt_setting()
+    - slub: make ->cpu_partial unsigned int
+    - media: uvcvideo: Support realtek's UVC 1.5 device
+    - USB: usbdevfs: sanitize flags more
+    - USB: usbdevfs: restore warning for nonsensical flags
+    - Revert "usb: cdc-wdm: Fix a sleep-in-atomic-context bug in
+      service_outstanding_interrupt()"
+    - USB: remove LPM management from usb_driver_claim_interface()
+    - Input: elantech - enable middle button of touchpad on ThinkPad P72
+    - IB/srp: Avoid that sg_reset -d ${srp_device} triggers an infinite loop
+    - [amd64] IB/hfi1: Invalid user input can result in crash
+    - [amd64] IB/hfi1: Fix context recovery when PBC has an UnsupportedVL
+    - scsi: target: iscsi: Use bin2hex instead of a re-implementation
+    - [armhf] serial: imx: restore handshaking irq for imx1
+    - [amd64] IB/hfi1: Fix SL array bounds check
+    - qed: Wait for ready indication before rereading the shmem
+    - qed: Wait for MCP halt and resume commands to take place
+    - [arm*] thermal: of-thermal: disable passive polling when thermal zone is
+      disabled
+    - [arm64] net: hns: fix length and page_offset overflow when
+      CONFIG_ARM64_64K_PAGES
+    - [arm64] net: hns: fix skb->truesize underestimation
+    - e1000: check on netif_running() before calling e1000_up()
+    - e1000: ensure to free old tx/rx rings in set_ringparam()
+    - hwmon: (adt7475) Make adt7475_read_word() return errors
+    - [x86] drm/amdgpu: Enable/disable gfx PG feature in rlc safe mode
+    - [arm*] smccc-1.1: Make return values unsigned long
+    - [arm*] smccc-1.1: Handle function result as parameters
+    - [x86] i2c: i801: Allow ACPI AML access I/O ports not reserved for SMBus
+    - media: v4l: event: Prevent freeing event subscriptions while accessed
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.132
+    - [arm64] serial: mvebu-uart: Fix reporting of effective CSIZE to
+      userspace
+    - time: Introduce jiffies64_to_nsecs()
+    - mac80211: Run TXQ teardown code before de-registering interfaces
+    - [ppc64el] KVM: PPC: Book3S HV: Don't truncate HPTE index in xlate
+      function
+    - mac80211: correct use of IEEE80211_VHT_CAP_RXSTBC_X
+    - mac80211_hwsim: correct use of IEEE80211_VHT_CAP_RXSTBC_X
+    - mac80211: mesh: fix HWMP sequence numbering to follow standard
+    - [arm64] net: hns: add netif_carrier_off before change speed and duplex
+    - cfg80211: nl80211_update_ft_ies() to validate NL80211_ATTR_IE
+    - gpio: Fix crash due to registration race
+    - RAID10 BUG_ON in raise_barrier when force is true and conf->barrier is 0
+    - fs/cifs: don't translate SFM_SLASH (U+F026) to backslash
+    - cfg80211: fix a type issue in ieee80211_chandef_to_operating_class()
+    - mac80211: fix a race between restart and CSA flows
+    - mac80211: Fix station bandwidth setting after channel switch
+    - mac80211: don't Tx a deauth frame if the AP forbade Tx
+    - mac80211: shorten the IBSS debug messages
+    - mm: madvise(MADV_DODUMP): allow hugetlbfs pages
+    - HID: add support for Apple Magic Keyboards
+    - HID: hid-saitek: Add device ID for RAT 7 Contagion
+    - perf evsel: Fix potential null pointer dereference in
+      perf_evsel__new_idx()
+    - [ppc64el] perf probe powerpc: Ignore SyS symbols irrespective of
+      endianness
+    - RDMA/ucma: check fd type in ucma_migrate_id()
+    - USB: yurex: Check for truncation in yurex_read()
+    - nvmet-rdma: fix possible bogus dereference under heavy load
+    - net/mlx5: Consider PCI domain in search for next dev
+    - drm/nouveau/TBDdevinit: don't fail when PMU/PRE_OS is missing from VBIOS
+    - dm raid: fix rebuild of specific devices by updating superblock
+    - fs/cifs: suppress a string overflow warning
+    - [x86] net: ena: fix driver when PAGE_SIZE == 64kB
+    - [x86] perf/x86/intel: Add support/quirk for the MISPREDICT bit on
+      Knights Landing CPUs
+    - dm thin metadata: try to avoid ever aborting transactions
+    - [arm64] jump_label.h: use asm_volatile_goto macro instead of "asm goto"
+    - r8169: Clear RTL_FLAG_TASK_*_PENDING when clearing RTL_FLAG_TASK_ENABLED
+    - [s390x] qeth: use vzalloc for QUERY OAT buffer
+    - [s390x] qeth: don't dump past end of unknown HW header
+    - cifs: read overflow in is_valid_oplock_break()
+    - xen/manage: don't complain about an empty value in control/sysrq node
+    - xen: avoid crash in disable_hotplug_cpu
+    - xen: fix GCC warning and remove duplicate EVTCHN_ROW/EVTCHN_COL usage
+    - sysfs: Do not return POSIX ACL xattrs via listxattr
+    - smb2: fix missing files in root share directory listing
+    - ALSA: hda/realtek - Cannot adjust speaker's volume on Dell XPS 27 7760
+    - [x86] crypto: qat - Fix KASAN stack-out-of-bounds bug in adf_probe()
+    - gpiolib: Free the last requested descriptor
+    - proc: restrict kernel stack dumps to root (CVE-2018-17972)
+    - ocfs2: fix locking for res->tracking and dlm->tracking_list
+    - dm thin metadata: fix __udivdi3 undefined on 32-bit
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.133
+    - mm/vmstat.c: skip NR_TLB_REMOTE_FLUSH* properly
+    - [amd64] x86/vdso: Fix asm constraints on vDSO syscall fallbacks
+    - [amd64] x86/vdso: Fix vDSO syscall fallback asm constraint regression
+    - PCI: Reprogram bridge prefetch registers on resume
+    - mac80211: fix setting IEEE80211_KEY_FLAG_RX_MGMT for AP mode keys
+    - PM / core: Clear the direct_complete flag on errors
+    - dm cache metadata: ignore hints array being too small during resize
+    - dm cache: fix resize crash if user doesn't reload cache table
+    - xhci: Add missing CAS workaround for Intel Sunrise Point xHCI
+    - USB: serial: simple: add Motorola Tetra MTP6550 id
+    - tty: Drop tty->count on tty_reopen() failure
+    - cgroup: Fix deadlock in cpu hotplug path
+    - ath10k: fix use-after-free in ath10k_wmi_cmd_send_nowait
+    - ath10k: fix kernel panic issue during pci probe
+    - f2fs: fix invalid memory access
+    - ucma: fix a use-after-free in ucma_resolve_ip()
+    - ubifs: Check for name being NULL while mounting
+    - ath10k: fix scan crash due to incorrect length calculation
+    - ebtables: arpreply: Add the standard target sanity check
+    - [x86] fpu: Remove use_eager_fpu()
+    - [x86] fpu: Remove struct fpu::counter
+    - Revert "perf: sync up x86/.../cpufeatures.h"
+    - [x86] fpu: Finish excising 'eagerfpu'
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.134
+    - [armhf] mfd: omap-usb-host: Fix dts probe of children
+    - scsi: iscsi: target: Don't use stack buffer for scatterlist
+    - scsi: qla2xxx: Fix an endian bug in fcpcmd_is_corrupted()
+    - sound: enable interrupt after dma buffer initialization
+    - [arm64,armhf] stmmac: fix valid numbers of unicast filter entries
+    - [x86] kvm/lapic: always disable MMIO interface in x2APIC mode
+    - ext4: Fix error code in ext4_xattr_set_entry()
+    - mm/vmstat.c: fix outdated vmstat_text
+    - mach64: detect the dot clock divider correctly on sparc
+    - [x86] i2c: i2c-scmi: fix for i2c_smbus_write_block_data
+    - xhci: Don't print a warning when setting link state for disabled ports
+    - bnxt_en: Fix TX timeout during netpoll.
+    - bonding: avoid possible dead-lock
+    - ip6_tunnel: be careful when accessing the inner header
+    - ip_tunnel: be careful when accessing the inner header
+    - ipv4: fix use-after-free in ip_cmsg_recv_dstaddr()
+    - ipv6: take rcu lock in rawv6_send_hdrinc()
+    - [armhf] net: dsa: bcm_sf2: Call setup during switch resume
+    - ]arm64] net: hns: fix for unmapping problem when SMMU is on
+    - net: ipv4: update fnhe_pmtu when first hop's MTU changes
+    - net/ipv6: Display all addresses in output of /proc/net/if_inet6
+    - net/usb: cancel pending work when unbinding smsc75xx
+    - qlcnic: fix Tx descriptor corruption on 82xx devices
+    - qmi_wwan: Added support for Gemalto's Cinterion ALASxx WWAN interface
+    - team: Forbid enslaving team device to itself
+    - [armhf] net: dsa: bcm_sf2: Fix unbind ordering
+    - [armhf] net: mvpp2: Extract the correct ethtype from the skb for tx csum
+      offload
+    - rtnl: limit IFLA_NUM_TX_QUEUES and IFLA_NUM_RX_QUEUES to 4096
+    - tcp/dccp: fix lockdep issue when SYN is backlogged
+    - inet: make sure to grab rcu_read_lock before using ireq->ireq_opt
+    - inet: frags: change inet_frags_init_net() return value
+    - inet: frags: add a pointer to struct netns_frags
+    - inet: frags: refactor ipfrag_init()
+    - inet: frags: refactor ipv6_frag_init()
+    - inet: frags: refactor lowpan_net_frag_init()
+    - ipv6: export ip6 fragments sysctl to unprivileged users
+    - rhashtable: add schedule points
+    - inet: frags: use rhashtables for reassembly units
+    - inet: frags: remove some helpers
+    - inet: frags: get rif of inet_frag_evicting()
+    - inet: frags: remove inet_frag_maybe_warn_overflow()
+    - inet: frags: do not clone skb in ip_expire()
+    - ipv6: frags: rewrite ip6_expire_frag_queue()
+    - inet: frags: get rid of ipfrag_skb_cb/FRAG_CB
+    - ip: discard IPv4 datagrams with overlapping segments.
+    - net: speed up skb_rbtree_purge()
+    - net: modify skb_rbtree_purge to return the truesize of all purged skbs.
+    - ipv6: defrag: drop non-last frags smaller than min mtu
+    - net: pskb_trim_rcsum() and CHECKSUM_COMPLETE are friends
+    - net: add rb_to_skb() and other rb tree helpers
+    - ip: use rb trees for IP frag queue.
+    - ip: add helpers to process in-order fragments faster.
+    - ip: process in-order fragments efficiently
+    - ip: frags: fix crash in ip_do_fragment()
+    - ipv4: frags: precedence bug in ip_expire()
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.135
+    - media: af9035: prevent buffer overflow on write
+    - batman-adv: Fix segfault when writing to throughput_override
+    - batman-adv: Fix segfault when writing to sysfs elp_interval
+    - batman-adv: Prevent duplicated nc_node entry
+    - batman-adv: Prevent duplicated softif_vlan entry
+    - batman-adv: Prevent duplicated global TT entry
+    - batman-adv: Prevent duplicated tvlv handler
+    - batman-adv: fix backbone_gw refcount on queue_work() failure
+    - batman-adv: fix hardif_neigh refcount on queue_work() failure
+    - [armhf] clocksource/drivers/ti-32k: Add CLOCK_SOURCE_SUSPEND_NONSTOP
+      flag for non-am43 SoCs
+    - [powerpc*/*64*] scsi: ibmvscsis: Fix a stringop-overflow warning
+    - [powerpc*/*64*] scsi: ibmvscsis: Ensure partition name is properly NUL
+      terminated
+    - [arm64] drm: mali-dp: Call drm_crtc_vblank_reset on device init
+    - scsi: sd: don't crash the host on invalid commands
+    - net/mlx4: Use cpumask_available for eq->affinity_mask
+    - [powerpc*] tm: Fix userspace r13 corruption
+    - [powerpc*] tm: Avoid possible userspace r1 corruption on reclaim
+    - [amd64] iommu/amd: Return devid as alias for ACPI HID devices
+    - mremap: properly flush TLB before releasing the page (CVE-2018-18281)
+    - mm: Preserve _PAGE_DEVMAP across mprotect() calls
+    - netfilter: check for seqadj ext existence before adding it in
+      nf_nat_setup_info
+    - HID: quirks: fix support for Apple Magic Keyboards
+    - usb: gadget: serial: fix oops when data rx'd after close
+    - sched/cputime: Convert kcpustat to nsecs
+    - sched/cputime: Increment kcpustat directly on irqtime account
+    - sched/cputime: Fix ksoftirqd cputime accounting regression
+    - [x86] HV: properly delay KVP packets when negotiation is in progress
+
+  [ Ben Hutchings ]
+  * Resolve ABI changes caused by upstream fix for CVE-2018-5391:
+    - Revert "inet: frags: fix ip6frag_low_thresh boundary"
+    - Revert "inet: frags: reorganize struct netns_frags"
+    - Revert "rhashtable: reorganize struct rhashtable layout"
+    - Revert "inet: frags: break the 2GB limit for frags storage"
+    - inet: frags: Avoid ABI change in 4.9.134
+    - sk_buff: Avoid ABI change in 4.9.134
+    - snmp: Remove the ReasmOverlaps statistic
+    - ipv6: Ignore ABI changes in fragment reassembly functions
+  * [x86] fpu: Avoid ABI change in 4.9.133
+  * power: Avoid ABI change in 4.9.131
+  * slub: Avoid ABI change in 4.9.131
+  * media: v4l: Avoid ABI change in 4.9.131
+  * netdev: Hide netdev_notifier_info_ext from modules
+  * [x86] Revert "x86/mm: Expand static page table for fixmap space"
+  * Revert "tracing: Use strlcpy() instead of strcpy() in
+    __trace_find_cmdline()", which does not fix a real security issue
+
 4.9.130-2 [Sat, 27 Oct 2018 19:46:16 +0100] Ben Hutchings <ben@decadent.org.uk>:
 
   [ Salvatore Bonaccorso ]

<http://10.200.17.11/4.3-3/#4606761765814653099>
Comment 2 Philipp Hahn univentionstaff 2019-02-27 10:47:18 CET
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.3-3] 6cdf8882ae Bug #48782: linux 4.9.144-3
 doc/errata/staging/linux.yaml | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

[4.3-3] 8b825ca654 Bug #48782: linux 4.9.144-3
 doc/errata/staging/linux.yaml | 65 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)

 OK: diff <(exec ./linux-dmesg-norm 4.9.130) <(exec ./linux-dmesg-norm 4.9.144)
 OK: i386 @ kvm
 OK: amd64 @ xen16
 OK: amd64 @ kvm + SeaBIOS
 OK: amd64 @ kvm + OVMF+SB
 OK: cat /sys/kernel/security/securelevel
Comment 3 Philipp Hahn univentionstaff 2019-02-27 10:53:40 CET
[4.3-3] efd50ca56f Bug #48782: Update to linux-4.9.144-3
 .../debian/changelog                               |   6 ++++++
 .../univention-kernel-image-signed/debian/control  |   4 ++--
 .../vmlinuz-4.9.0-8-amd64.efi.signed               | Bin 4236912 -> 4245104 bytes
 3 files changed, 8 insertions(+), 2 deletions(-)

Package: univention-kernel-image-signed
Version: 4.0.0-10A~4.3.0.201902270914
Branch: ucs_4.3-0
Scope: errata4.3-3