Univention Bugzilla – Bug 48782
linux: Multiple issues (4.3)
Last modified: 2019-02-27 13:29:28 CET
New Debian linux 4.9.144-3 fixes:

This update addresses the following issues:
* Race condition in fs/f2fs/node.c:add_free_nid() function allows local users to cause denial of service (CVE-2017-18249)
* cephx protocol is vulnerable to replay attack (CVE-2018-1128)
* cephx uses weak signatures (CVE-2018-1129)
* buffer overflow in drivers/net/wireless/ath/wil6210/wmi.c:wmi_set_ie() may lead to memory corruption (CVE-2018-5848)
* Integer overflow in kernel/time/posix-timers.c (CVE-2018-12896)
* Integer overflow in the alarm_timer_nsleep function (CVE-2018-13053)
* out-of-bounds memory access in fs/f2fs/super.c (CVE-2018-13096)
* divide-by-zero in fs/f2fs/super.c (CVE-2018-13097)
* divide-by-zero in fs/f2fs/super.c (CVE-2018-13100)
* Out-of-bounds access in write_extent_buffer() when mounting and operating a crafted btrfs image (CVE-2018-14610)
* Use-after-free in try_merge_free_space() when mounting crafted btrfs image (CVE-2018-14611)
* Invalid pointer dereference in btrfs_root_node() when mounting a crafted btrfs image (CVE-2018-14612)
* Invalid pointer dereference in io_ctl_map_page() when mounting and operating a crafted btrfs image (CVE-2018-14613)
* Out-of-bounds access in fs/f2fs/segment.c:__remove_dirty_segment() when mounting a crafted f2fs image (CVE-2018-14614)
* NULL pointer dereference in fs/crypto/crypto.c:fscrypt_do_page_crypto() when operating on a corrupted f2fs image (CVE-2018-14616)
* cleancache: Infoleak of deleted files after reuse of old inodes (CVE-2018-16862)
* Unprivileged users able to inspect kernel stacks of arbitrary tasks (CVE-2018-17972)
* TLB flush happens too late on mremap (CVE-2018-18281)
* filesystem corruption due to an unchecked error condition during an xfs attribute change (CVE-2018-18690)
* Information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c (CVE-2018-18710)
* kvm: NULL pointer dereference in vcpu_scan_ioapic in arch/x86/kvm/x86.c (CVE-2018-19407)
--- mirror/ftp/4.3/unmaintained/4.3-3/source/linux_4.9.130-2.dsc +++ apt/ucs_4.3-0-errata4.3-3/source/linux_4.9.144-3.dsc 
@@ -1,3 +1,1024 @@ +4.9.144-3 [Sat, 02 Feb 2019 15:53:59 +0100] Ben Hutchings <ben@decadent.org.uk>: + + * libceph: fix CEPH_FEATURE_CEPHX_V2 check in calc_signature() + (regression in 4.9.144) + +4.9.144-2 [Mon, 21 Jan 2019 21:57:31 +0000] Ben Hutchings <ben@decadent.org.uk>: + + * [mips*] inst: Avoid ABI change in 4.9.136 (fixes FTBFS) + * efi/libstub: Unify command line param parsing (fixes FTBFS on arm64) + +4.9.144-1 [Sun, 30 Dec 2018 23:27:02 +0000] Ben Hutchings <ben@decadent.org.uk>: + + * New upstream stable update: + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.136 + - xfrm: Validate address prefix lengths in the xfrm selector. + - xfrm6: call kfree_skb when skb is toobig + - mac80211: Always report TX status + - cfg80211: reg: Init wiphy_idx in regulatory_hint_core() + - mac80211: fix pending queue hang due to TX_DROP + - cfg80211: Address some corner cases in scan result channel updating + - mac80211: TDLS: fix skb queue/priority assignment + - [armel,armhf] 8799/1: mm: fix pci_ioremap_io() offset check + - xfrm: validate template mode + - nl80211: Fix possible Spectre-v1 for NL80211_TXRATE_HT + - mac80211_hwsim: do not omit multicast announce of first added radio + - Bluetooth: SMP: fix crash in unpairing + - qed: Avoid implicit enum conversion in qed_roce_mode_to_flavor + - qed: Avoid constant logical operation warning in qed_vf_pf_acquire + - asix: Check for supported Wake-on-LAN modes + - ax88179_178a: Check for supported Wake-on-LAN modes + - lan78xx: Check for supported Wake-on-LAN modes + - sr9800: Check for supported Wake-on-LAN modes + - r8152: Check for supported Wake-on-LAN Modes + - smsc75xx: Check for Wake-on-LAN modes + - smsc95xx: Check for Wake-on-LAN modes + - perf/ring_buffer: Prevent concurent ring buffer access + - [x86] perf/x86/intel/uncore: Fix PCI BDF address of M3UPI on SKX + - [armhf] net: fec: fix rare tx timeout + - net: cxgb3_main: fix a missing-check bug + - perf symbols: Fix memory corruption because of zero 
length symbols + - mm/memory_hotplug.c: fix overflow in test_pages_in_a_zone() + - [mips*] microMIPS: Fix decoding of swsp16 instruction + - [mips*] Handle non word sized instructions when examining frame + - scsi: aacraid: Fix typo in blink status + - f2fs: fix multiple f2fs_add_link() having same name for inline dentry + - igb: Remove superfluous reset to PHY and page 0 selection + - ACPI: sysfs: Make ACPI GPE mask kernel parameter cover all GPEs + - PCI: Disable MSI for HiSilicon Hip06/Hip07 only in Root Port mode + - [arm64,armhf] i2c: bcm2835: Avoid possible NULL ptr dereference + - efi/fb: Correct PCI_STD_RESOURCE_END usage + - ipv6: set rt6i_protocol properly in the route when it is installed + - [x86] platform: acer-wmi: setup accelerometer when ACPI device was found + - IB/ipoib: Do not warn if IPoIB debugfs doesn't exist + - IB/core: Fix the validations of a multicast LID in attach or detach + operations + - rxe: Fix a sleep-in-atomic bug in post_one_send + - nvme-pci: fix CMB sysfs file removal in reset path + - net: phy: marvell: Limit 88m1101 autoneg errata to 88E1145 as well. + - net/mlx5: Fix command completion after timeout access invalid structure + - tipc: Fix tipc_sk_reinit handling of -EAGAIN + - tipc: fix a race condition of releasing subscriber object + - bnxt_en: Don't use rtnl lock to protect link change logic in workqueue. 
+ - [armhf] dts: bcm283x: Reserve first page for firmware + - btrfs: fiemap: Cache and merge fiemap extent before submit it to user + - [arm64] reset: hi6220: Set module license so that it can be loaded + - [x86] ASoC: Intel: Skylake: Fix to parse consecutive string tkns in + manifest + - mac80211: fix TX aggregation start/stop callback race + - libata: fix error checking in in ata_parse_force_one() + - [armhf] net: ethernet: stmmac: Fix altr_tse_pcs SGMII Initialization + - [i386] x86/cpu/cyrix: Add alternative Device ID of Geode GX1 SoC + - [armhf] gpu: ipu-v3: Fix CSI selection for VDIC + - [arm64,armhf] net: stmmac: ensure jumbo_frm error return is correctly + checked for -ve value + - Btrfs: clear EXTENT_DEFRAG bits in finish_ordered_io + - ufs: we need to sync inode before freeing it + - net/mlx5e: Fix fixpoint divide exception in mlx5e_am_stats_compare + - ip6_tunnel: Correct tos value in collect_md mode + - net/mlx5: Fix driver load error flow when firmware is stuck + - perf evsel: Fix probing of precise_ip level for default cycles event + - perf probe: Fix probe definition for inlined functions + - net/mlx5: Fix health work queue spin lock to IRQ safe + - [armhf] usb: dwc3: omap: remove IRQ_NOAUTOEN used with shared irq + - [armhf] clk: samsung: Fix m2m scaler clock on Exynos542x + - rds: ib: Fix missing call to rds_ib_dev_put in rds_ib_setup_qp + - qed: Warn PTT usage by wrong hw-function + - ocfs2: fix deadlock caused by recursive locking in xattr + - net: cdc_ncm: GetNtbFormat endian fix + - sctp: use right member as the param of list_for_each_entry + - ALSA: hda - No loopback on ALC299 codec + - ath10k: convert warning about non-existent OTP board id to debug message + - ipv6: fix cleanup ordering for ip6_mr failure + - IB/ipoib: Fix lockdep issue found on ipoib_ib_dev_heavy_flush + - IB/rxe: put the pool on allocation failure + - nbd: only set MSG_MORE when we have more to send + - mm/frame_vector.c: release a semaphore in 'get_vaddr_frames()' + - 
IB/mlx5: Avoid passing an invalid QP type to firmware + - scsi: qla2xxx: Avoid double completion of abort command + - drm: bochs: Don't remove uninitialized fbdev framebuffer + - i40e: avoid NVM acquire deadlock during NVM update + - Revert "IB/ipoib: Update broadcast object if PKey value was changed in + index 0" + - Btrfs: incremental send, fix invalid memory access + - [arm64] drm/msm: Fix possible null dereference on failure of get_pages() + - l2tp: remove configurable payload offset + - macsec: fix memory leaks when skb_to_sgvec fails + - perf/core: Fix locking for children siblings group read + - cifs: Use ULL suffix for 64-bit constant + - futex: futex_wake_op, do not fail on invalid op + - ALSA: hda - Fix incorrect usage of IS_REACHABLE() + - enic: do not overwrite error code + - bonding: ratelimit failed speed/duplex update warning + - nvmet: fix space padding in serial number + - iio: buffer: fix the function signature to match implementation + - [x86] paravirt: Fix some warning messages + - IB/mlx4: Fix an error handling path in 'mlx4_ib_rereg_user_mr()' + - libertas: call into generic suspend code before turning off power + - xhci: Fix USB3 NULL pointer dereference at logical disconnect. 
+ - [armhf] dts: imx53-qsb: disable 1.2GHz OPP + - rxrpc: Don't check RXRPC_CALL_TX_LAST after calling + rxrpc_rotate_tx_window() + - rxrpc: Only take the rwind and mtu values from latest ACK + - [x86] net: ena: fix NULL dereference due to untimely napi initialization + - fs/fat/fatent.c: add cond_resched() to fat_count_free_clusters() + - mtd: spi-nor: Add support for is25wp series chips + - Revert "netfilter: ipv6: nf_defrag: drop skb dst before queueing" + - bridge: do not add port to router list when receives query with source + 0.0.0.0 + - net: bridge: remove ipv6 zero address check in mcast queries + - ipv6: mcast: fix a use-after-free in inet6_mc_check + - ipv6/ndisc: Preserve IPv6 control buffer if protocol error handlers are + called + - llc: set SOCK_RCU_FREE in llc_sap_add_socket() + - net/ipv6: Fix index counter for unicast addresses in in6_dump_addrs + - net: sched: gred: pass the right attribute to gred_change_table_def() + - net: socket: fix a missing-check bug + - [arm64,armhf] net: stmmac: Fix stmmac_mdio_reset() when building stmmac + as modules + - net: udp: fix handling of CHECKSUM_COMPLETE packets + - r8169: fix NAPI handling under high load + - sctp: fix race on sctp_id2asoc + - vhost: Fix Spectre V1 vulnerability + - ethtool: fix a privilege escalation bug + - bonding: fix length of actor system + - net: drop skb on failure in ip_check_defrag() + - net: fix pskb_trim_rcsum_slow() with odd trim offset + - rtnetlink: Disallow FDB configuration for non-Ethernet device + - ip6_tunnel: Fix encapsulation layout + - crypto: shash - Fix a sleep-in-atomic bug in shash_setkey_unaligned + - ahci: don't ignore result code of ahci_reset_controller() + - xfs: truncate transaction does not modify the inobt + - cachefiles: fix the race between cachefiles_bury_object() and rmdir(2) + - ptp: fix Spectre v1 vulnerability + - drm/edid: Add 6 bpc quirk for BOE panel in HP Pavilion 15-n233sl + - RDMA/ucma: Fix Spectre v1 vulnerability + - IB/ucm: Fix Spectre v1 
vulnerability + - cdc-acm: correct counting of UART states in serial state notification + - usb: gadget: storage: Fix Spectre v1 vulnerability + - USB: fix the usbfs flag sanitization for control transfers + - Input: elan_i2c - add ACPI ID for Lenovo IdeaPad 330-15IGM + - sched/fair: Fix throttle_list starvation with low CFS quota + - [x86] percpu: Fix this_cpu_read() + - [x86] time: Correct the attribute on jiffies' definition + - posix-timers: Sanitize overrun handling (CVE-2018-12896) + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.137 + - bcache: fix miss key refill->end in writeback + - jffs2: free jffs2_sb_info through jffs2_kill_sb() + - pcmcia: Implement CLKRUN protocol disabling for Ricoh bridges + - [arm64] ipmi: Fix timer race with module unload + - [hppa/parisc] Fix address in HPMC IVA + - [hppa/parisc] Fix map_pages() to not overwrite existing pte entries + - ALSA: hda - Add quirk for ASUS G751 laptop + - ALSA: hda - Fix headphone pin config for ASUS G751 + - ALSA: hda - Add mic quirk for the Lenovo G50-30 (17aa:3905) + - ALSA: ca0106: Disable IZD on SB0570 DAC to fix audio pops + - [x86] speculation: Enable cross-hyperthread spectre v2 STIBP mitigation + - [x86] corruption-check: Fix panic in memory_corruption_check() when boot + option without value is provided + - [x86] speculation: Support Enhanced IBRS on future CPUs + - Revert "perf tools: Fix PMU term format max value calculation" + - xfrm: policy: use hlist rcu variants on insert + - sched/fair: Fix the min_vruntime update logic in dequeue_entity() + - perf cpu_map: Align cpu map synthesized events properly. 
+ - [x86] fpu: Remove second definition of fpu in __fpu__restore_sig() + - net: qla3xxx: Remove overflowing shift statement + - locking/lockdep: Fix debug_locks off performance problem + - tun: Consistently configure generic netdev params via rtnetlink + - [s390x] sthyi: Fix machine name validity indication + - [armhf] hwmon: (pwm-fan) Set fan speed to 0 on suspend + - perf tools: Free temporary 'sys' string in read_event_files() + - perf tools: Cleanup trace-event-info 'tdata' leak + - perf strbuf: Match va_{add,copy} with va_end + - mmc: sdhci-pci-o2micro: Add quirk for O2 Micro dev 0x8620 rev 0x01 + - iwlwifi: pcie: avoid empty free RB queue + - [i386] x86/olpc: Indicate that legacy PC XO-1 platform should not + register RTC + - [arm64,armhf] cpufreq: dt: Try freeing static OPPs only if we have added + them + - Bluetooth: btbcm: Add entry for BCM4335C0 UART bluetooth + - [arm64] pinctrl: qcom: spmi-mpp: Fix err handling of pmic_mpp_set_mux + - brcmfmac: fix for proper support of 160MHz bandwidth + - kprobes: Return error if we fail to reuse kprobe instead of BUG_ON() + - ACPI / LPSS: Add alternative ACPI HIDs for Cherry Trail DMA controllers + - [arm64] pinctrl: qcom: spmi-mpp: Fix drive strength setting + - [arm64] pinctrl: spmi-mpp: Fix pmic_mpp_config_get() to be compliant + - [arm64] pinctrl: ssbi-gpio: Fix pm8xxx_pin_config_get() to be compliant + - ixgbevf: VF2VF TCP RSS + - ath10k: schedule hardware restart if WMI command times out + - cgroup, netclassid: add a preemption point to write_classid + - scsi: esp_scsi: Track residual for PIO transfers + - scsi: megaraid_sas: fix a missing-check bug + - RDMA/core: Do not expose unsupported counters + - IB/ipoib: Clear IPCB before icmp_send + - tpm: suppress transmit cmd error logs when TPM 1.2 is + disabled/deactivated + - [x86] VMCI: Resource wildcard match fixed + - ext4: fix argument checking in EXT4_IOC_MOVE_EXT + - MD: fix invalid stored role for a disk + - PCI/MSI: Warn and return error if driver enables 
MSI/MSI-X twice + - [arm64,armhf] usb: chipidea: Prevent unbalanced IRQ disable + - [amd64] driver/dma/ioat: Call del_timer_sync() without holding prep_lock + - uio: ensure class is registered before devices + - scsi: lpfc: Correct soft lockup when running mds diagnostics + - signal: Always deliver the kernel's SIGKILL and SIGSTOP to a pid + namespace init + - ALSA: hda: Check the non-cached stream buffers more explicitly + - [armhf] dts: exynos: Remove "cooling-{min|max}-level" for CPU nodes + - [armhf] dts: exynos: Add missing cooling device properties for CPUs + - [armhf] dts: exynos: Convert exynos5250.dtsi to opp-v2 bindings + - [armhf] dts: exynos: Mark 1 GHz CPU OPP as suspend OPP on Exynos5250 + - xen-swiotlb: use actually allocated size on check physical continuous + - [x86] tpm: Restore functionality to xen vtpm driver. + - xen/blkfront: avoid NULL blkfront_info dereference on device removal + - [x86] xen: fix race in xen_qlock_wait() + - [x86] xen: make xen_qlock_wait() nestable + - libertas: don't set URB_ZERO_PACKET on IN USB transfer + - [x86] usbip:vudc: BUG kmalloc-2048 (Not tainted): Poison overwritten + - iwlwifi: mvm: check return value of rs_rate_from_ucode_rate() + - [x86] libnvdimm: Hold reference on parent while scheduling async init + - [x86] ASoC: intel: skylake: Add missing break in skl_tplg_get_token() + - jbd2: fix use after free in jbd2_log_do_checkpoint() + - gfs2_meta: ->mount() can get NULL dev_name + - ext4: initialize retries variable in ext4_da_write_inline_data_begin() + - ext4: propagate error from dquot_initialize() in EXT4_IOC_FSSETXATTR + - HID: hiddev: fix potential Spectre v1 + - EDAC, {i7core,sb,skx}_edac: Fix uncorrected error counting + - [amd64] EDAC, skx_edac: Fix logical channel intermediate decoding + - PCI: Add Device IDs for Intel GPU "spurious interrupt" quirk + - [ppc64el] signal/GenWQE: Fix sending of SIGKILL + - crypto: lrw - Fix out-of bounds access on counter overflow + - crypto: tcrypt - fix ghash-generic 
speed test + - ima: fix showing large 'violations' or 'runtime_measurements_count' + - hugetlbfs: dirty pages as they are added to pagecache + - [armhf] w1: omap-hdq: fix missing bus unregister at removal + - smb3: allow stats which track session and share reconnects to be reset + - smb3: do not attempt cifs operation in smb3 query info error path + - smb3: on kerberos mount if server doesn't specify auth type use krb5 + - printk: Fix panic caused by passing log_buf_len to command line + - genirq: Fix race on spurious interrupt detection + - NFSv4.1: Fix the r/wsize checking + - nfsd: Fix an Oops in free_session() + - lockd: fix access beyond unterminated strings in prints + - dm ioctl: harden copy_params()'s copy_from_user() from malicious users + - [powerpc*] msi: Fix compile error on mpc83xx + - [mips*] OCTEON: fix out of bounds array access on CN68XX + - media: v4l2-tpg: fix kernel oops when enabling HFLIP and OSD + - [x86] xen: fix xen_qlock_wait() + - media: em28xx: use a default format if TRY_FMT fails + - media: tvp5150: avoid going past array on v4l2_querymenu() + - media: em28xx: fix input name for Terratec AV 350 + - media: em28xx: make v4l2-compliance happier by starting sequence on zero + - [arm64] lse: remove -fcall-used-x0 flag + - rpmsg: smd: fix memory leak on channel create + - Cramfs: fix abad comparison when wrap-arounds occur + - [arm64,armhf] soc/tegra: pmc: Fix child-node lookup + - btrfs: Handle owner mismatch gracefully when walking up tree + - btrfs: locking: Add extra check in btrfs_init_new_buffer() to avoid + deadlock + - btrfs: fix error handling in free_log_tree + - btrfs: iterate all devices during trim, instead of + fs_devices::alloc_list + - btrfs: don't attempt to trim devices that don't support it + - btrfs: wait on caching when putting the bg cache + - btrfs: reset max_extent_size on clear in a bitmap + - btrfs: make sure we create all new block groups + - Btrfs: fix wrong dentries after fsync of file that got its parent + 
replaced + - btrfs: qgroup: Dirty all qgroups before rescan + - Btrfs: fix null pointer dereference on compressed write path error + - btrfs: set max_extent_size properly + - MD: fix invalid stored role for a disk - try2 + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.138 + - [powerpc*] powerpc/eeh: Fix possible null deref in eeh_dump_dev_log() + - tty: check name length in tty_find_polling_driver() + - [powerpc*] nohash: fix undefined behaviour when testing page size + support + - [armhf] drm/omap: fix memory barrier bug in DMM driver + - media: pci: cx23885: handle adding to list failure + - [mips*] kexec: Mark CPU offline before disabling local IRQ + - [powerpc*] boot: Ensure _zimage_start is a weak symbol + - [mips*] PCI: Call pcie_bus_configure_settings() to set MPS/MRRS + - media: tvp5150: fix width alignment during set_selection() + - 9p locks: fix glock.client_id leak in do_lock + - 9p: clear dangling pointers in p9stat_free + - cdrom: fix improper type cast, which can leat to information leak. 
+ (CVE-2018-18710) + - scsi: qla2xxx: Fix incorrect port speed being set for FC adapters + - scsi: qla2xxx: shutdown chip if reset fail + - fuse: Fix use-after-free in fuse_dev_do_read() + - fuse: Fix use-after-free in fuse_dev_do_write() + - fuse: fix blocked_waitq wakeup + - fuse: set FR_SENT while locked + - mm: do not bug_on on incorrect length in __mm_populate() + - e1000: avoid null pointer dereference on invalid stat type + - e1000: fix race condition between e1000_down() and e1000_watchdog + - bna: ethtool: Avoid reading past end of buffer + - [hppa/parisc] Align os_hpmc_size on word boundary + - [hppa/parisc] Fix HPMC handler by increasing size to multiple of 16 + bytes + - [hppa/parisc] Fix exported address of os_hpmc handler + - [mips64el,mipsel] Loongson-3: Fix CPU UART irq delivery problem + - [mips64le,mipsel] Loongson-3: Fix BRIDGE irq delivery problem + - [armhf] clk: s2mps11: Fix matching when built as module and DT node + contains compatible + - [armhf] clk: rockchip: Fix static checker warning in + rockchip_ddrclk_get_parent call + - libceph: bump CEPH_MSG_MAX_DATA_LEN + - Revert "ceph: fix dentry leak in splice_dentry()" + - mach64: fix display corruption on big endian machines + - mach64: fix image corruption due to reading accelerator registers + - [arm64] reset: hisilicon: fix potential NULL pointer dereference + - vhost/scsi: truncate T10 PI iov_iter to prot_bytes + - ocfs2: fix a misuse a of brelse after failing ocfs2_check_dir_entry + - mm: thp: relax __GFP_THISNODE for MADV_HUGEPAGE mappings + - netfilter: conntrack: fix calculation of next bucket number in + early_drop + - termios, tty/tty_baudrate.c: fix buffer overrun + - Btrfs: fix cur_offset in the error case for nocow + - Btrfs: fix data corruption due to cloning of eof block + - clockevents/drivers/i8253: Add support for PIT shutdown quirk + - ext4: add missing brelse() update_backups()'s error path + - ext4: add missing brelse() in set_flexbg_block_bitmap()'s error path + - ext4: 
add missing brelse() add_new_gdb_meta_bg()'s error path + - ext4: avoid potential extra brelse in setup_new_flex_group_blocks() + - ext4: fix possible inode leak in the retry loop of ext4_resize_fs() + - ext4: avoid buffer leak in ext4_orphan_add() after prior errors + - ext4: fix missing cleanup if ext4_alloc_flex_bg_array() fails while + resizing + - ext4: avoid possible double brelse() in add_new_gdb() on error path + - ext4: fix possible leak of sbi->s_group_desc_leak in error path + - ext4: fix possible leak of s_journal_flag_rwsem in error path + - ext4: release bs.bh before re-using in ext4_xattr_block_find() + - ext4: fix buffer leak in ext4_xattr_move_to_block() on error path + - ext4: fix buffer leak in __ext4_read_dirblock() on error path + - mount: Retest MNT_LOCKED in do_umount + - mount: Don't allow copying MNT_UNBINDABLE|MNT_LOCKED mounts + - mount: Prevent MNT_DETACH from disconnecting locked mounts + - sunrpc: correct the computation for page_ptr when truncating + - nfsd: COPY and CLONE operations require the saved filehandle to be set + - rtc: hctosys: Add missing range error reporting + - fuse: fix use-after-free in fuse_direct_IO() + - fuse: fix leaked notify reply + - configfs: replace strncpy with memcpy + - lib/ubsan.c: don't mark __ubsan_handle_builtin_unreachable as noreturn + - hugetlbfs: fix kernel BUG at fs/hugetlbfs/inode.c:444! 
+ - mm: migration: fix migration of huge PMD shared pages + - [armhf] drm/rockchip: Allow driver to be shutdown on reboot/kexec + - drm/dp_mst: Check if primary mstb is null + - [x86] drm/i915/hdmi: Add HDMI 2.0 audio clock recovery N values + - [x86] drm/i915/execlists: Force write serialisation into context image + vs execution + - [arm64] KVM: Fix caching of host MDCR_EL2 value + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.139 + - flow_dissector: do not dissect l4 ports for fragments + - ip_tunnel: don't force DF when MTU is locked + - net-gro: reset skb->pkt_type in napi_reuse_skb() + - sctp: not allow to set asoc prsctp_enable by sockopt + - tg3: Add PHY reset for 5717/5719/5720 in change ring and flow control + paths + - usbnet: smsc95xx: disable carrier check while suspending + - inet: frags: better deal with smp races + - ipv6: Fix PMTU updates for UDP/raw sockets in presence of VRF + - kbuild: Add better clang cross build support + - kbuild: clang: add -no-integrated-as to KBUILD_[AC]FLAGS + - kbuild: Consolidate header generation from ASM offset information + - kbuild: consolidate redundant sed script ASM offset generation + - kbuild: fix asm-offset generation to work with clang + - kbuild: drop -Wno-unknown-warning-option from clang options + - kbuild, LLVMLinux: Add -Werror to cc-option to support clang + - kbuild: use -Oz instead of -Os when using clang + - kbuild: Add support to generate LLVM assembly files + - modules: mark __inittest/__exittest as __maybe_unused + - [x86] kbuild: Use cc-option to enable -falign-{jumps/loops} + - [amd64] crypto, x86: aesni - fix token pasting for clang + - kbuild: Add __cc-option macro + - [x86] build: Use __cc-option for boot code compiler options + - [x86] build: Specify stack alignment for clang + - kbuild: clang: Disable 'address-of-packed-member' warning + - [arm64] crypto: arm64/sha - avoid non-standard inline asm tricks + - [x86] boot: #undef memcpy() et al in string.c + - [arm64] 
efi/libstub/arm64: Use hidden attribute for struct screen_info + reference + - [arm64] efi/libstub/arm64: Force 'hidden' visibility for section markers + - efi/libstub: Preserve .debug sections after absolute relocation check + - [arm64] efi/libstub/arm64: Set -fpie when building the EFI stub + - [x86] build: Fix stack alignment for CLang + - [x86] build: Use cc-option to validate stack alignment parameter + - Kbuild: use -fshort-wchar globally + - [arm64] uaccess: suppress spurious clang warning + - [armel,armhf] add more CPU part numbers for Cortex and Brahma B15 CPUs + - [armel,armhf] bugs: prepare processor bug infrastructure + - [armel,armhf] bugs: hook processor bug checking into SMP and suspend + paths + - [armel,armhf] bugs: add support for per-processor bug checking + - [armel,armhf] spectre: add Kconfig symbol for CPUs vulnerable to Spectre + - [armel,armhf] spectre-v2: harden branch predictor on context switches + - [armel,armhf] spectre-v2: add Cortex A8 and A15 validation of the IBE + bit + - [armel,armhf] spectre-v2: harden user aborts in kernel space + - [armel,armhf] spectre-v2: add firmware based hardening + - [armel,armhf] spectre-v2: warn about incorrect context switching + functions + - [armel,armhf] KVM: invalidate BTB on guest exit for Cortex-A12/A17 + - [armel,armhf] KVM: invalidate icache on guest exit for Cortex-A15 + - [armel,armhf] spectre-v2: KVM: invalidate icache on guest exit for + Brahma B15 + - [armel,armhf] KVM: Add SMCCC_ARCH_WORKAROUND_1 fast handling + - [armel,armhf] KVM: report support for SMCCC_ARCH_WORKAROUND_1 + - [armel,armhf] spectre-v1: add speculation barrier (csdb) macros + - [armel,armhf] spectre-v1: add array_index_mask_nospec() implementation + - [armel,armhf] spectre-v1: fix syscall entry + - [armel,armhf] signal: copy registers using __copy_from_user() + - [armel,armhf] vfp: use __copy_from_user() when restoring VFP state + - [armel,armhf] oabi-compat: copy semops using __copy_from_user() + - [armel,armhf] use 
__inttype() in get_user() + - [armel,armhf] spectre-v1: use get_user() for __get_user() + - [armel,armhf] spectre-v1: mitigate user accesses + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.140 + - Revert "x86/speculation: Enable cross-hyperthread spectre v2 STIBP + mitigation" + - Revert "ipv6: set rt6i_protocol properly in the route when it is + installed" + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.141 + - cifs: don't dereference smb_file_target before null check + - reiserfs: propagate errors from fill_with_dentries() properly + - hfs: prevent btree data loss on root split + - hfsplus: prevent btree data loss on root split + - drm/edid: Add 6 bpc quirk for BOE panel. + - clk: fixed-rate: fix of_node_get-put imbalance + - fs/exofs: fix potential memory leak in mount option parsing + - [armhf] clk: samsung: exynos5420: Enable PERIS clocks for suspend + - [x86] platform/x86: acerhdf: Add BIOS entry for Gateway LT31 v1.3307 + - [arm64] percpu: Initialize ret in the default case + - netfilter: ipset: actually allow allowable CIDR 0 in hash:net,port,net + - netfilter: ipset: Correct rcu_dereference() call in ip_set_put_comment() + - netfilter: xt_IDLETIMER: add sysfs filename checking routine + - [s390x] qeth: fix HiperSockets sniffer + - [ppc64el] hwmon: (ibmpowernv) Remove bogus __init annotations + - clk: fixed-factor: fix of_node_get-put imbalance + - qed: Fix memory/entry leak in qed_init_sp_request() + - qed: Fix blocking/unlimited SPQ entries leak + - zram: close udev startup race condition as default groups + - SUNRPC: drop pointless static qualifier in xdr_get_next_encode_buffer() + - gfs2: Put bitmap buffers in put_super + - btrfs: Enhance btrfs_trim_fs function to handle error better + - btrfs: Ensure btrfs_trim_fs can trim the whole filesystem + - btrfs: fix pinned underflow after transaction aborted + - Revert "media: videobuf2-core: don't call memop 'finish' when queueing" + - Revert "Bluetooth: h5: Fix missing dependency on 
BT_HCIUART_SERDEV" + - media: v4l: event: Add subscription to list before calling "add" + operation + - uio: Fix an Oops on load + - usb: cdc-acm: add entry for Hiro (Conexant) modem + - USB: quirks: Add no-lpm quirk for Raydium touchscreens + - usb: quirks: Add delay-init quirk for Corsair K70 LUX RGB + - USB: misc: appledisplay: add 20" Apple Cinema Display + - [x86] ACPI / platform: Add SMB0001 HID to forbidden_id_list + - HID: uhid: forbid UHID_CREATE under KERNEL_DS or elevated privileges + - libceph: fall back to sendmsg for slab pages + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.142 + - usb: core: Fix hub port connection events lost + - [arm64,armhf] usb: dwc3: core: Clean up ULPI device + - usb: xhci: fix timeout for transition from RExit to U0 + - MAINTAINERS: Add Sasha as a stable branch maintainer + - gpio: don't free unallocated ida on gpiochip_add_data_with_key() error + path + - iwlwifi: mvm: support sta_statistics() even on older firmware + - iwlwifi: mvm: fix regulatory domain update when the firmware starts + - brcmfmac: fix reporting support for 160 MHz channels + - tools/power/cpupower: fix compilation with STATIC=true + - v9fs_dir_readdir: fix double-free on p9stat_read error + - selinux: Add __GFP_NOWARN to allocation at str_read() + - bfs: add sanity check at bfs_fill_super() + - sctp: clear the transport of some out_chunk_list chunks in + sctp_assoc_rm_peer + - gfs2: Don't leave s_fs_info pointing to freed memory in init_sbd + - llc: do not use sk_eat_skb() + - mm: don't warn about large allocations for slab + - drm/ast: change resolution may cause screen blurred + - drm/ast: fixed cursor may disappear sometimes + - drm/ast: Remove existing framebuffers before loading driver + - can: dev: can_get_echo_skb(): factor out non sending code to + __can_get_echo_skb() + - can: dev: __can_get_echo_skb(): replace struct can_frame by canfd_frame + to access frame length + - can: dev: __can_get_echo_skb(): Don't crash the kernel if + 
can_priv::echo_skb is accessed out of bounds + - can: dev: __can_get_echo_skb(): print error message, if trying to echo + non existing skb + - IB/core: Fix for core panic + - [amd64] IB/hfi1: Eliminate races in the SDMA send error path + - usb: xhci: Prevent bus suspend if a port connect change or polling state + is detected + - [arm64] pinctrl: meson: fix pinconf bias disable + - [armhf] cpufreq: imx6q: add return value check for voltage scale + - floppy: fix race condition in __floppy_read_block_0() + - [powerpc*] io: Fix the IO workarounds code to work with Radix + - [x86] perf/x86/intel/uncore: Add more IMC PCI IDs for KabyLake and + CoffeeLake CPUs + - SUNRPC: Fix a bogus get/put in generic_key_to_expire() + - [powerpc*] numa: Suppress "VPHN is not supported" messages + - [arm64,armhf] efi/arm: Revert deferred unmap of early memmap mapping + - tmpfs: make lseek(SEEK_DATA/SEK_HOLE) return ENXIO with a negative + offset + - of: add helper to lookup compatible child node + - ath10k: fix kernel panic due to race in accessing arvif list + - Input: xpad - add product ID for Xbox One S pad + - Input: xpad - fix Xbox One rumble stopping after 2.5 secs + - Input: xpad - correctly sort vendor id's + - Input: xpad - move reporting xbox one home button to common function + - Input: xpad - simplify error condition in init_output + - Input: xpad - don't depend on endpoint order + - Input: xpad - fix stuck mode button on Xbox One S pad + - Input: xpad - restore LED state after device resume + - Input: xpad - support some quirky Xbox One pads + - Input: xpad - sort supported devices by USB ID + - Input: xpad - sync supported devices with xboxdrv + - Input: xpad - add USB IDs for Mad Catz Brawlstick and Razer Sabertooth + - Input: xpad - sync supported devices with 360Controller + - Input: xpad - sync supported devices with XBCD + - Input: xpad - constify usb_device_id + - Input: xpad - fix PowerA init quirk for some gamepad models + - Input: xpad - validate USB endpoint type 
during probe + - Input: xpad - add support for PDP Xbox One controllers + - Input: xpad - add PDP device id 0x02a4 + - Input: xpad - fix some coding style issues + - Input: xpad - avoid using __set_bit() for capabilities + - Input: xpad - add GPD Win 2 Controller USB IDs + - Input: xpad - fix GPD Win 2 controller name + - Input: xpad - add support for Xbox1 PDP Camo series gamepad + - mwifiex: prevent register accesses after host is sleeping + - mwifiex: report error to PCIe for suspend failure + - mwifiex: Fix NULL pointer dereference in skb_dequeue() + - mwifiex: fix p2p device doesn't find in scan problem + - scsi: ufs: fix bugs related to null pointer access and array size + - scsi: ufshcd: Fix race between clk scaling and ungate work + - scsi: ufs: fix race between clock gating and devfreq scaling work + - scsi: ufshcd: release resources if probe fails + - tty: wipe buffer. + - tty: wipe buffer if not echoing data + - usb: xhci: fix uninitialized completion when USB3 port got wrong status + - sched/core: Allow __sched_setscheduler() in interrupts when PI is not + used + - namei: allow restricted O_CREAT of FIFOs and regular files + - lan78xx: Read MAC address from DT if present + - [s390x] mm: Check for valid vma before zapping in gmap_discard + - net: ieee802154: 6lowpan: fix frag reassembly + - Revert "evm: Translate user/group ids relative to s_user_ns when + computing HMAC" + - ima: always measure and audit files in policy + - ima: re-introduce own integrity cache lock + - ima: re-initialize iint->atomic_flags + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.143 + - mm/huge_memory: rename freeze_page() to unmap_page() + - mm/huge_memory.c: reorder operations in __split_huge_page_tail() + - mm/huge_memory: splitting set mapping+index before unfreeze + - mm/huge_memory: fix lockdep complaint on 32-bit i_size_read() + - mm/khugepaged: collapse_shmem() stop if punched or truncated + - shmem: shmem_charge: verify max_block is not exceeded before 
inode + update + - shmem: introduce shmem_inode_acct_block + - mm/khugepaged: fix crashes due to misaccounted holes + - mm/khugepaged: collapse_shmem() remember to clear holes + - mm/khugepaged: minor reorderings in collapse_shmem() + - mm/khugepaged: collapse_shmem() without freezing new_page + - mm/khugepaged: collapse_shmem() do not crash on Compound + - media: em28xx: Fix use-after-free when disconnecting + - [arm64,armhf] Revert "wlcore: Add missing PM call for + wlcore_cmd_wait_for_event_or_timeout()" + - net: skb_scrub_packet(): Scrub offload_fwd_mark + - [s390x] qeth: fix length check in SNMP processing + - usbnet: ipheth: fix potential recvmsg bug and recvmsg bug 2 + - [x86] kvm: mmu: Fix race in emulated page table writes + - [x86] kvm: svm: Ensure an IBPB on all affected CPUs when freeing a vmcb + - [x86] KVM: Fix scan ioapic use-before-initialization (CVE-2018-19407) + - Btrfs: ensure path name is null terminated at btrfs_control_ioctl + - [x86] perf/x86/intel: Move branch tracing setup to the Intel-specific + source file + - [x86] perf/x86/intel: Add generic branch tracing check to + intel_pmu_has_bts() + - fs: fix lost error code in dio_complete + - [i386] ALSA: wss: Fix invalid snd_free_pages() at error path + - ALSA: ac97: Fix incorrect bit shift at AC97-SPSA control write + - ALSA: control: Fix race between adding and removing a user element + - [sparc] ALSA: sparc: Fix invalid snd_free_pages() at error path + - ext2: fix potential use after free + - btrfs: release metadata before running delayed refs + - USB: usb-storage: Add new IDs to ums-realtek + - usb: core: quirks: add RESET_RESUME quirk for Cherry G230 Stream series + - Revert "usb: dwc3: gadget: skip Set/Clear Halt when invalid" + - mm: use swp_offset as key in shmem_replace_page() + - [x86] Drivers: hv: vmbus: check the creation_status in + vmbus_establish_gpadl() + - [amd64] misc: mic/scif: fix copy-paste error in + scif_create_remote_lookup + - [armhf] bus: arm-cci: remove unnecessary 
unreachable() + - [armhf] trusted_foundations: do not use naked function + - [x86] efi/libstub: Make file I/O chunking x86-specific + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.144 + - kernfs: Replace strncpy with memcpy + - ip_tunnel: Fix name string concatenate in __ip_tunnel_create() + - scsi: bfa: convert to strlcpy/strlcat + - [x86] staging: rts5208: fix gcc-8 logic error warning + - [amd64] x86/power/64: Use char arrays for asm function names + - iser: set sector for ambiguous mr status errors + - uprobes: Fix handle_swbp() vs. unregister() + register() race once more + - [mips*] fix mips_get_syscall_arg o32 check + - IB/mlx5: Avoid load failure due to unknown link width + - drm/ast: Fix incorrect free on ioregs + - drm: set is_master to 0 upon drm_new_set_master() failure + - scsi: scsi_devinfo: cleanly zero-pad devinfo strings + - scsi: csiostor: Avoid content leaks and casts + - [x86] svm: Add mutex_lock to protect apic_access_page_done on AMD + systems + - Input: xpad - quirk all PDP Xbox One gamepads + - Input: elan_i2c - add ELAN0620 to the ACPI table + - Input: elan_i2c - add ACPI ID for Lenovo IdeaPad 330-15ARR + - Input: elan_i2c - add support for ELAN0621 touchpad + - btrfs: Always try all copies when reading extent buffers + - Btrfs: fix use-after-free when dumping free space + - udf: Allow mounting volumes with incorrect identification strings + - [arm64,armhf] reset: make optional functions really optional + - [arm64,armhf] reset: core: fix reset_control_put + - reset: fix optional reset_control_get stubs to return NULL + - [arm64,armhf] reset: add exported __reset_control_get, return NULL if + optional + - [arm64,armhf] reset: make device_reset_optional() really optional + - reset: remove remaining WARN_ON() in <linux/reset.h> + - mm: cleancache: fix corruption on missed inode invalidation + (CVE-2018-16862) + - net: qed: use correct strncpy() size + - tipc: use destination length for copy string + - libceph: drop len argument of 
*verify_authorizer_reply() + - libceph: no need to drop con->mutex for ->get_authorizer() + - libceph: store ceph_auth_handshake pointer in ceph_connection + - libceph: factor out __prepare_write_connect() + - libceph: factor out __ceph_x_decrypt() + - libceph: factor out encrypt_authorizer() + - libceph: add authorizer challenge (CVE-2018-1128) + - libceph: implement CEPHX_V2 calculation mode (CVE-2018-1129) + - libceph: weaken sizeof check in ceph_x_verify_authorizer_reply() + - libceph: check authorizer reply/challenge length before reading + - bpf: Prevent memory disambiguation attack (CVE-2018-3639) + - wil6210: missing length check in wmi_set_ie (CVE-2018-5848) + - btrfs: validate type when reading a chunk (CVE-2018-14611) + - btrfs: Verify that every chunk has corresponding block group at mount + time (CVE-2018-14612) + - btrfs: Refactor check_leaf function for later expansion + - btrfs: Check if item pointer overlaps with the item itself + - btrfs: Add sanity check for EXTENT_DATA when reading out leaf + - btrfs: Add checker for EXTENT_CSUM + - btrfs: Move leaf and node validation checker to tree-checker.c + - btrfs: struct-funcs, constify readers + - btrfs: tree-checker: Enhance btrfs_check_node output + - btrfs: tree-checker: Fix false panic for sanity test + - btrfs: tree-checker: Add checker for dir item + - btrfs: tree-checker: use %zu format string for size_t + - btrfs: tree-check: reduce stack consumption in check_dir_item + - btrfs: tree-checker: Verify block_group_item (CVE-2018-14613) + - btrfs: tree-checker: Detect invalid and empty essential trees + (CVE-2018-14612) + - btrfs: Check that each block group has corresponding chunk at mount time + (CVE-2018-14610) + - btrfs: tree-checker: Check level for leaves and nodes + - btrfs: tree-checker: Fix misleading group system information + - f2fs: fix race condition in between free nid allocator/initializer + (CVE-2017-18249) + - f2fs: detect wrong layout + - f2fs: return error during fill_super + - 
f2fs: check blkaddr more accuratly before issue a bio + - f2fs: sanity check on sit entry + - f2fs: enhance sanity_check_raw_super() to avoid potential overflow + - f2fs: clean up with is_valid_blkaddr() + - f2fs: introduce and spread verify_blkaddr + - f2fs: fix to do sanity check with secs_per_zone (CVE-2018-13100) + - f2fs: fix to do sanity check with user_block_count (CVE-2018-13097) + - f2fs: Add sanity_check_inode() function + - f2fs: fix to do sanity check with node footer and iblocks + (CVE-2018-13096) + - f2fs: fix to do sanity check with block address in main area + - f2fs: fix missing up_read + - f2fs: fix to do sanity check with block address in main area v2 + (CVE-2018-14616) + - f2fs: free meta pages if sanity check for ckpt is failed + - f2fs: fix to do sanity check with cp_pack_start_sum (CVE-2018-14614) + - xfs: don't fail when converting shortform attr to long form during + ATTR_REPLACE (CVE-2018-18690) + - hugetlbfs: fix bug in pgoff overflow checking + + [ Ben Hutchings ] + * drivers/net/ethernet: Ignore ABI changes (fixes FTBFS on arm64; + Closes: #914556) + * libcpupower: Hide private function and drop it from .symbols file + * Revert "elevator: fix truncation of icq_cache_name" to avoid ABI change + * reset: Avoid ABI changes in 4.9.144 + * esp_scsi: Ignore ABI changes + * snd-hda: Ignore ABI changes + * posix-timers: Avoid ABI change in 4.9.136 + * sched: Avoid ABI change in 4.9.136 + * [armel,armhf] Avoid ABI change in 4.9.139 + + [ Noah Meyerhans ] + * [arm64] PCI: Enable HOTPLUG_PCI and HOTPLUG_PCI_ACPI (Closes: #915231) + * drivers/net/ethernet/amazon: Backport ENA 2.0.2 network driver + (Closes: #915229) + + [ Salvatore Bonaccorso ] + * [rt] Refresh + 0159-genirq-Allow-disabling-of-softirq-processing-in-irq-.patch for + context changes in 4.9.137 + * Refresh mips-loongson-3-support-irq_set_affinity-in-i8259-ch.patch for + context changes in 4.9.138 + * Refresh kbuild-use-nostdinc-in-compile-tests.patch for context changes in + 4.9.139 + 
* Refresh inet-frags-avoid-abi-change-in-4.9.134.patch for context changes + in 4.9.139 + * scripts/mod: Update modpost wrapper for 4.9.139. + Upstream commit cf0c3e68aa81 "kbuild: fix asm-offset generation to work + with clang" changed the macros used by devicetable-offsets.c. Copy the + new sed code from upstream scripts/Makefile.lib. + Originates from the same change for 4.12 done by Ben Hutchings. + * Refresh media-v4l-avoid-abi-change-in-4.9.131.patch for context changes in + 4.9.141 + * Refresh fs-enable-link-security-restrictions-by-default.patch for context + changes in 4.9.142 + * Refresh inet-frags-avoid-abi-change-in-4.9.134.patch for context changes + in 4.9.142 + + [ Michal Simek ] + * [arm64] Enable Xilinx ZynqMP SoC and drivers + +4.9.135-1 [Sun, 11 Nov 2018 15:03:44 +0100] Salvatore Bonaccorso <carnil@debian.org>: + + * New upstream stable update: + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.131 + - crypto: skcipher - Fix -Wstringop-truncation warnings + - tsl2550: fix lux1_input error in low light + - [x86] vmci: type promotion bug in qp_host_get_user_memory() + - [amd64] numa_emulation: Fix emulated-to-physical node mapping + - [x86] staging: rts5208: fix missing error check on call to + rtsx_write_register + - uwb: hwa-rc: fix memory leak at probe + - [arm64,armhf] power: vexpress: fix corruption in notifier registration + - [amd64] iommu/amd: make sure TLB to be flushed before IOVA freed + - Bluetooth: Add a new Realtek 8723DE ID 0bda:b009 + - USB: serial: kobil_sct: fix modem-status error handling + - 6lowpan: iphc: reset mac_header after decompress to fix panic + - [s390x] mm: correct allocate_pgste proc_handler callback + - power: remove possible deadlock when unregistering power_supply + - IB/core: type promotion bug in rdma_rw_init_one_mr() + - [powerpc*] kdump: Handle crashkernel memory reservation failure + - [x86] tsc: Add missing header to tsc_msr.c + - [armhf] hwmod: RTC: Don't assume lock/unlock will be called with irq 
+ enabled + - [x86] entry/64: Add two more instruction suffixes + - scsi: target/iscsi: Make iscsit_ta_authentication() respect the output + buffer size + - scsi: klist: Make it safe to use klists in atomic context + - [powerpc/powerpc64,ppc64*] scsi: ibmvscsi: Improve strings handling + - usb: wusbcore: security: cast sizeof to int for comparison + - [ppc64el] powerpc/powernv/ioda2: Reduce upper limit for DMA window size + - alarmtimer: Prevent overflow for relative nanosleep (CVE-2018-13053) + - [s390x] extmem: fix gcc 8 stringop-overflow warning + - [armhf] media: omap3isp: zero-initialize the isp cam_xclk{a,b} initial + data + - drivers/tty: add error handling for pcmcia_loop_config + - [x86] media: tm6000: add error handling for dvb_register_adapter + - ALSA: hda: Add AZX_DCAPS_PM_RUNTIME for AMD Raven Ridge + - ath10k: protect ath10k_htt_rx_ring_free with rx_ring.lock + - rndis_wlan: potential buffer overflow in rndis_wlan_auth_indication() + - [arm64,armhf] wlcore: Add missing PM call for + wlcore_cmd_wait_for_event_or_timeout() + - [armhf] mvebu: declare asm symbols as character arrays in pmsu.c + - HID: hid-ntrig: add error handling for sysfs_create_group + - [x86] perf/x86/intel/lbr: Fix incomplete LBR call stack + - scsi: bnx2i: add error handling for ioremap_nocache + - scsi: megaraid_sas: Update controller info during resume + - [x86] EDAC, i7core: Fix memleaks and use-after-free on probe and remove + - ASoC: dapm: Fix potential DAI widget pointer deref when linking DAIs + - nfsd: fix corrupted reply to badly ordered compound + - EDAC: Fix memleak in module init error path + - [armhf] dts: dra7: fix DCAN node addresses + - [arm64] spi: tegra20-slink: explicitly enable/disable clock + - [arm*] regulator: fix crash caused by null driver data + - USB: fix error handling in usb_driver_claim_interface() + - USB: handle NULL config in usb_find_alt_setting() + - slub: make ->cpu_partial unsigned int + - media: uvcvideo: Support realtek's UVC 1.5 device + - 
USB: usbdevfs: sanitize flags more + - USB: usbdevfs: restore warning for nonsensical flags + - Revert "usb: cdc-wdm: Fix a sleep-in-atomic-context bug in + service_outstanding_interrupt()" + - USB: remove LPM management from usb_driver_claim_interface() + - Input: elantech - enable middle button of touchpad on ThinkPad P72 + - IB/srp: Avoid that sg_reset -d ${srp_device} triggers an infinite loop + - [amd64] IB/hfi1: Invalid user input can result in crash + - [amd64] IB/hfi1: Fix context recovery when PBC has an UnsupportedVL + - scsi: target: iscsi: Use bin2hex instead of a re-implementation + - [armhf] serial: imx: restore handshaking irq for imx1 + - [amd64] IB/hfi1: Fix SL array bounds check + - qed: Wait for ready indication before rereading the shmem + - qed: Wait for MCP halt and resume commands to take place + - [arm*] thermal: of-thermal: disable passive polling when thermal zone is + disabled + - [arm64] net: hns: fix length and page_offset overflow when + CONFIG_ARM64_64K_PAGES + - [arm64] net: hns: fix skb->truesize underestimation + - e1000: check on netif_running() before calling e1000_up() + - e1000: ensure to free old tx/rx rings in set_ringparam() + - hwmon: (adt7475) Make adt7475_read_word() return errors + - [x86] drm/amdgpu: Enable/disable gfx PG feature in rlc safe mode + - [arm*] smccc-1.1: Make return values unsigned long + - [arm*] smccc-1.1: Handle function result as parameters + - [x86] i2c: i801: Allow ACPI AML access I/O ports not reserved for SMBus + - media: v4l: event: Prevent freeing event subscriptions while accessed + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.132 + - [arm64] serial: mvebu-uart: Fix reporting of effective CSIZE to + userspace + - time: Introduce jiffies64_to_nsecs() + - mac80211: Run TXQ teardown code before de-registering interfaces + - [ppc64el] KVM: PPC: Book3S HV: Don't truncate HPTE index in xlate + function + - mac80211: correct use of IEEE80211_VHT_CAP_RXSTBC_X + - mac80211_hwsim: correct 
use of IEEE80211_VHT_CAP_RXSTBC_X + - mac80211: mesh: fix HWMP sequence numbering to follow standard + - [arm64] net: hns: add netif_carrier_off before change speed and duplex + - cfg80211: nl80211_update_ft_ies() to validate NL80211_ATTR_IE + - gpio: Fix crash due to registration race + - RAID10 BUG_ON in raise_barrier when force is true and conf->barrier is 0 + - fs/cifs: don't translate SFM_SLASH (U+F026) to backslash + - cfg80211: fix a type issue in ieee80211_chandef_to_operating_class() + - mac80211: fix a race between restart and CSA flows + - mac80211: Fix station bandwidth setting after channel switch + - mac80211: don't Tx a deauth frame if the AP forbade Tx + - mac80211: shorten the IBSS debug messages + - mm: madvise(MADV_DODUMP): allow hugetlbfs pages + - HID: add support for Apple Magic Keyboards + - HID: hid-saitek: Add device ID for RAT 7 Contagion + - perf evsel: Fix potential null pointer dereference in + perf_evsel__new_idx() + - [ppc64el] perf probe powerpc: Ignore SyS symbols irrespective of + endianness + - RDMA/ucma: check fd type in ucma_migrate_id() + - USB: yurex: Check for truncation in yurex_read() + - nvmet-rdma: fix possible bogus dereference under heavy load + - net/mlx5: Consider PCI domain in search for next dev + - drm/nouveau/TBDdevinit: don't fail when PMU/PRE_OS is missing from VBIOS + - dm raid: fix rebuild of specific devices by updating superblock + - fs/cifs: suppress a string overflow warning + - [x86] net: ena: fix driver when PAGE_SIZE == 64kB + - [x86] perf/x86/intel: Add support/quirk for the MISPREDICT bit on + Knights Landing CPUs + - dm thin metadata: try to avoid ever aborting transactions + - [arm64] jump_label.h: use asm_volatile_goto macro instead of "asm goto" + - r8169: Clear RTL_FLAG_TASK_*_PENDING when clearing RTL_FLAG_TASK_ENABLED + - [s390x] qeth: use vzalloc for QUERY OAT buffer + - [s390x] qeth: don't dump past end of unknown HW header + - cifs: read overflow in is_valid_oplock_break() + - xen/manage: 
don't complain about an empty value in control/sysrq node + - xen: avoid crash in disable_hotplug_cpu + - xen: fix GCC warning and remove duplicate EVTCHN_ROW/EVTCHN_COL usage + - sysfs: Do not return POSIX ACL xattrs via listxattr + - smb2: fix missing files in root share directory listing + - ALSA: hda/realtek - Cannot adjust speaker's volume on Dell XPS 27 7760 + - [x86] crypto: qat - Fix KASAN stack-out-of-bounds bug in adf_probe() + - gpiolib: Free the last requested descriptor + - proc: restrict kernel stack dumps to root (CVE-2018-17972) + - ocfs2: fix locking for res->tracking and dlm->tracking_list + - dm thin metadata: fix __udivdi3 undefined on 32-bit + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.133 + - mm/vmstat.c: skip NR_TLB_REMOTE_FLUSH* properly + - [amd64] x86/vdso: Fix asm constraints on vDSO syscall fallbacks + - [amd64] x86/vdso: Fix vDSO syscall fallback asm constraint regression + - PCI: Reprogram bridge prefetch registers on resume + - mac80211: fix setting IEEE80211_KEY_FLAG_RX_MGMT for AP mode keys + - PM / core: Clear the direct_complete flag on errors + - dm cache metadata: ignore hints array being too small during resize + - dm cache: fix resize crash if user doesn't reload cache table + - xhci: Add missing CAS workaround for Intel Sunrise Point xHCI + - USB: serial: simple: add Motorola Tetra MTP6550 id + - tty: Drop tty->count on tty_reopen() failure + - cgroup: Fix deadlock in cpu hotplug path + - ath10k: fix use-after-free in ath10k_wmi_cmd_send_nowait + - ath10k: fix kernel panic issue during pci probe + - f2fs: fix invalid memory access + - ucma: fix a use-after-free in ucma_resolve_ip() + - ubifs: Check for name being NULL while mounting + - ath10k: fix scan crash due to incorrect length calculation + - ebtables: arpreply: Add the standard target sanity check + - [x86] fpu: Remove use_eager_fpu() + - [x86] fpu: Remove struct fpu::counter + - Revert "perf: sync up x86/.../cpufeatures.h" + - [x86] fpu: Finish 
excising 'eagerfpu' + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.134 + - [armhf] mfd: omap-usb-host: Fix dts probe of children + - scsi: iscsi: target: Don't use stack buffer for scatterlist + - scsi: qla2xxx: Fix an endian bug in fcpcmd_is_corrupted() + - sound: enable interrupt after dma buffer initialization + - [arm64,armhf] stmmac: fix valid numbers of unicast filter entries + - [x86] kvm/lapic: always disable MMIO interface in x2APIC mode + - ext4: Fix error code in ext4_xattr_set_entry() + - mm/vmstat.c: fix outdated vmstat_text + - mach64: detect the dot clock divider correctly on sparc + - [x86] i2c: i2c-scmi: fix for i2c_smbus_write_block_data + - xhci: Don't print a warning when setting link state for disabled ports + - bnxt_en: Fix TX timeout during netpoll. + - bonding: avoid possible dead-lock + - ip6_tunnel: be careful when accessing the inner header + - ip_tunnel: be careful when accessing the inner header + - ipv4: fix use-after-free in ip_cmsg_recv_dstaddr() + - ipv6: take rcu lock in rawv6_send_hdrinc() + - [armhf] net: dsa: bcm_sf2: Call setup during switch resume + - ]arm64] net: hns: fix for unmapping problem when SMMU is on + - net: ipv4: update fnhe_pmtu when first hop's MTU changes + - net/ipv6: Display all addresses in output of /proc/net/if_inet6 + - net/usb: cancel pending work when unbinding smsc75xx + - qlcnic: fix Tx descriptor corruption on 82xx devices + - qmi_wwan: Added support for Gemalto's Cinterion ALASxx WWAN interface + - team: Forbid enslaving team device to itself + - [armhf] net: dsa: bcm_sf2: Fix unbind ordering + - [armhf] net: mvpp2: Extract the correct ethtype from the skb for tx csum + offload + - rtnl: limit IFLA_NUM_TX_QUEUES and IFLA_NUM_RX_QUEUES to 4096 + - tcp/dccp: fix lockdep issue when SYN is backlogged + - inet: make sure to grab rcu_read_lock before using ireq->ireq_opt + - inet: frags: change inet_frags_init_net() return value + - inet: frags: add a pointer to struct netns_frags + - inet: 
frags: refactor ipfrag_init() + - inet: frags: refactor ipv6_frag_init() + - inet: frags: refactor lowpan_net_frag_init() + - ipv6: export ip6 fragments sysctl to unprivileged users + - rhashtable: add schedule points + - inet: frags: use rhashtables for reassembly units + - inet: frags: remove some helpers + - inet: frags: get rif of inet_frag_evicting() + - inet: frags: remove inet_frag_maybe_warn_overflow() + - inet: frags: do not clone skb in ip_expire() + - ipv6: frags: rewrite ip6_expire_frag_queue() + - inet: frags: get rid of ipfrag_skb_cb/FRAG_CB + - ip: discard IPv4 datagrams with overlapping segments. + - net: speed up skb_rbtree_purge() + - net: modify skb_rbtree_purge to return the truesize of all purged skbs. + - ipv6: defrag: drop non-last frags smaller than min mtu + - net: pskb_trim_rcsum() and CHECKSUM_COMPLETE are friends + - net: add rb_to_skb() and other rb tree helpers + - ip: use rb trees for IP frag queue. + - ip: add helpers to process in-order fragments faster. 
+ - ip: process in-order fragments efficiently + - ip: frags: fix crash in ip_do_fragment() + - ipv4: frags: precedence bug in ip_expire() + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.135 + - media: af9035: prevent buffer overflow on write + - batman-adv: Fix segfault when writing to throughput_override + - batman-adv: Fix segfault when writing to sysfs elp_interval + - batman-adv: Prevent duplicated nc_node entry + - batman-adv: Prevent duplicated softif_vlan entry + - batman-adv: Prevent duplicated global TT entry + - batman-adv: Prevent duplicated tvlv handler + - batman-adv: fix backbone_gw refcount on queue_work() failure + - batman-adv: fix hardif_neigh refcount on queue_work() failure + - [armhf] clocksource/drivers/ti-32k: Add CLOCK_SOURCE_SUSPEND_NONSTOP + flag for non-am43 SoCs + - [powerpc*/*64*] scsi: ibmvscsis: Fix a stringop-overflow warning + - [powerpc*/*64*] scsi: ibmvscsis: Ensure partition name is properly NUL + terminated + - [arm64] drm: mali-dp: Call drm_crtc_vblank_reset on device init + - scsi: sd: don't crash the host on invalid commands + - net/mlx4: Use cpumask_available for eq->affinity_mask + - [powerpc*] tm: Fix userspace r13 corruption + - [powerpc*] tm: Avoid possible userspace r1 corruption on reclaim + - [amd64] iommu/amd: Return devid as alias for ACPI HID devices + - mremap: properly flush TLB before releasing the page (CVE-2018-18281) + - mm: Preserve _PAGE_DEVMAP across mprotect() calls + - netfilter: check for seqadj ext existence before adding it in + nf_nat_setup_info + - HID: quirks: fix support for Apple Magic Keyboards + - usb: gadget: serial: fix oops when data rx'd after close + - sched/cputime: Convert kcpustat to nsecs + - sched/cputime: Increment kcpustat directly on irqtime account + - sched/cputime: Fix ksoftirqd cputime accounting regression + - [x86] HV: properly delay KVP packets when negotiation is in progress + + [ Ben Hutchings ] + * Resolve ABI changes caused by upstream fix for 
CVE-2018-5391: + - Revert "inet: frags: fix ip6frag_low_thresh boundary" + - Revert "inet: frags: reorganize struct netns_frags" + - Revert "rhashtable: reorganize struct rhashtable layout" + - Revert "inet: frags: break the 2GB limit for frags storage" + - inet: frags: Avoid ABI change in 4.9.134 + - sk_buff: Avoid ABI change in 4.9.134 + - snmp: Remove the ReasmOverlaps statistic + - ipv6: Ignore ABI changes in fragment reassembly functions + * [x86] fpu: Avoid ABI change in 4.9.133 + * power: Avoid ABI change in 4.9.131 + * slub: Avoid ABI change in 4.9.131 + * media: v4l: Avoid ABI change in 4.9.131 + * netdev: Hide netdev_notifier_info_ext from modules + * [x86] Revert "x86/mm: Expand static page table for fixmap space" + * Revert "tracing: Use strlcpy() instead of strcpy() in + __trace_find_cmdline()", which does not fix a real security issue + 4.9.130-2 [Sat, 27 Oct 2018 19:46:16 +0100] Ben Hutchings <ben@decadent.org.uk>: [ Salvatore Bonaccorso ] <http://10.200.17.11/4.3-3/#4606761765814653099>
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.3-3] 6cdf8882ae Bug #48782: linux 4.9.144-3
 doc/errata/staging/linux.yaml | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

[4.3-3] 8b825ca654 Bug #48782: linux 4.9.144-3
 doc/errata/staging/linux.yaml | 65 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)

OK: diff <(exec ./linux-dmesg-norm 4.9.130) <(exec ./linux-dmesg-norm 4.9.144)
OK: i386 @ kvm
OK: amd64 @ xen16
OK: amd64 @ kvm + SeaBIOS
OK: amd64 @ kvm + OVMF+SB
OK: cat /sys/kernel/security/securelevel
[4.3-3] efd50ca56f Bug #48782: Update to linux-4.9.144-3
 .../debian/changelog | 6 ++++++
 .../univention-kernel-image-signed/debian/control | 4 ++--
 .../vmlinuz-4.9.0-8-amd64.efi.signed | Bin 4236912 -> 4245104 bytes
 3 files changed, 8 insertions(+), 2 deletions(-)

Package: univention-kernel-image-signed
Version: 4.0.0-10A~4.3.0.201902270914
Branch: ucs_4.3-0
Scope: errata4.3-3
<http://errata.software-univention.de/ucs/4.3/447.html>
<http://errata.software-univention.de/ucs/4.3/448.html>