Univention Bugzilla – Bug 52287
linux: Multiple issues (4.4)
Last modified: 2020-11-25 17:41:55 CET
New Debian linux 4.9.240-2 fixes: This update addresses the following issues: * out of bounds read due to missing bounds check in F2FS driver leads to local information disclosure (CVE-2019-9445) * Memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c in the Linux kernel (DOS) (CVE-2019-19073) * a memory leak in the ath9k management function in allows local DoS (CVE-2019-19074) * mounting a crafted btrfs filesystem image, performing some operations, and then making a syncfs system call can lead to a use-after-free in try_merge_free_space in fs/btrfs/free-space-cache.c (CVE-2019-19448) * net: bluetooth: type confusion while processing AMP packets (CVE-2020-12351) * net: bluetooth: information leak when processing certain AMP packets (CVE-2020-12352) * sync of excessive duration via an XFS v5 image with crafted metadata (CVE-2020-12655) * deadlock if a coalescing operation fails in btree_gc_coalesce function in drivers/md/bcache/btree.c (CVE-2020-12771) * vfio: access to disabled MMIO space of some devices may lead to DoS scenario (CVE-2020-12888) * memory corruption in Voice over IP nf_conntrack_h323 module (CVE-2020-14305) * buffer uses out of index in ext3/4 filesystem (CVE-2020-14314) * kernel: buffer over write in vgacon_scroll (CVE-2020-14331) * Use After Free vulnerability in cgroup BPF component (CVE-2020-14356) * memory corruption in net/packet/af_packet.c leads to elevation of privilege (CVE-2020-14386) * out-of-bounds write in fbcon_redraw_softback (CVE-2020-14390) * memory leak in usbtest_disconnect function in drivers/usb/misc/usbtest.c (CVE-2020-15393) * information exposure in drivers/char/random.c and kernel/time/timer.c (CVE-2020-16166) * net: bluetooth: heap buffer overflow when processing extended advertising report events (CVE-2020-24490) * Local buffer overflow in ctnetlink_parse_tuple_filter in net/netfilter/nf_conntrack_netlink.c (CVE-2020-25211) * TOCTOU mismatch in the NFS client code (CVE-2020-25212) * use-after-free because skcd->no_refcnt was not considered during the backport of CVE-2020-14356 (CVE-2020-25220) * incomplete permission checking for access to rbd devices (CVE-2020-25284) * race condition between hugetlb sysctl handlers in mm/hugetlb.c (CVE-2020-25285) * soft-lockups in iov_iter_copy_from_user_atomic() could result in DoS (CVE-2020-25641) * improper input validation in ppp_cp_parse_cr function leads to memory corruption and read overflow (CVE-2020-25643) * missing CAP_NET_RAW check in NFC socket creation in net/nfc/rawsock.c allows local attackers to create raw sockets (CVE-2020-26088)
--- mirror/ftp/4.4/unmaintained/4.4-6/source/linux_4.9.228-1.dsc +++ apt/ucs_4.4-0-errata4.4-6/source/linux_4.9.240-2.dsc @@ -1,3 +1,909 @@ +4.9.240-2 [Fri, 30 Oct 2020 18:26:41 +0000] Ben Hutchings <benh@debian.org>: + + * xen/events: don't use chip_data for legacy IRQs (Closes: #973417) + +4.9.240-1 [Thu, 29 Oct 2020 18:09:40 +0000] Ben Hutchings <benh@debian.org>: + + * New upstream stable update: + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.229 + - [armhf] clk: sunxi: Fix incorrect usage of round_down() + - [x86] i2c: piix4: Detect secondary SMBus controller on AMD AM4 chipsets + - [x86] iio: pressure: bmp280: Tolerate IRQ before registering + - [arm64] clk: qcom: msm8916: Fix the address location of pll->config_reg + - [arm64] backlight: lp855x: Ensure regulators are disabled on probe + failure + - [i386] ALSA: isa/wavefront: prevent out of bounds write in ioctl + - scsi: qla2xxx: Fix issue with adapter's stopping state + - [x86] iio: bmp280: fix compensation of humidity + - [i386] i2c: pxa: clear all master action bits in i2c_pxa_stop_message() + - usblp: poison URBs upon disconnect + - [arm64] PCI: aardvark: Don't blindly enable ASPM L0s and don't write to + read-only register + - vfio/pci: fix memory leaks in alloc_perm_bits() + - scsi: lpfc: Fix lpfc_nodelist leak when processing unsolicited event + - nfsd: Fix svc_xprt refcnt leak when setup callback client failed + - yam: fix possible memory leak in yam_init_driver + - mksysmap: Fix the mismatch of '.L' symbols in System.map + - scsi: sr: Fix sr_probe() missing deallocate of device minor + - tty: hvc: Fix data abort due to race in hvc_open + - [i386] i2c: pxa: fix i2c_pxa_scream_blue_murder() debug output + - [arm64,armhf] serial: amba-pl011: Make sure we initialize the port.lock + spinlock + - drivers: base: Fix NULL pointer exception in __platform_driver_probe() if + a driver developer is foolish + - PCI/ASPM: Allow ASPM on links to PCIe-to-PCI/PCI-X Bridges + - scsi: mpt3sas: Fix double free warnings + - dlm: remove BUG() before panic() + - tty: n_gsm: Fix SOF skipping + - tty: n_gsm: Fix waking up upper tty layer when room available + - vfio-pci: Mask cap zero + - [arm64] drm/msm/mdp5: Fix mdp5_init error path for failed mdp5_kms + allocation + - [armhf] USB: host: ehci-mxc: Add error handling in ehci_mxc_drv_probe() + - tty: n_gsm: Fix bogus i++ in gsm_data_kick + - [armhf] clk: samsung: exynos5433: Add IGNORE_UNUSED flag to sclk_i2s1 + - PCI/PTM: Inherit Switch Downstream Port PTM settings from Upstream Port + - IB/cma: Fix ports memory leak in cma_configfs + - [arm64,armhf] usb: dwc2: gadget: move gadget resume after the core is in + L0 state + - usb: gadget: Fix issue with config_ep_by_speed function + - [arm64,armhf] clk: bcm2835: Fix return type of bcm2835_register_gate + - net: sunrpc: Fix off-by-one issues in 'rpc_ntop6' + - NFSv4.1 fix rpc_call_done assignment for BIND_CONN_TO_SESSION + - extcon: adc-jack: Fix an error handling path in 'adc_jack_probe()' + - gfs2: Allow lock_nolock mount to specify jid=X + - scsi: iscsi: Fix reference count leak in iscsi_boot_create_kobj + - [armhf] crypto: omap-sham - add proper load balancing support for + multicore + - lib/zlib: remove outdated and incorrect pre-increment optimization + - perf report: Fix NULL pointer dereference in + hists__fprintf_nr_sample_events() + - bcache: fix potential deadlock problem in btree_gc_coalesce + (CVE-2020-12771) + - block: Fix use-after-free in blkdev_get() + - libata: Use per port sync for detach + - drm: encoder_slave: fix refcouting error for modules + - drm/dp_mst: Reformat drm_dp_check_act_status() a bit + - drm/qxl: Use correct notify port address when creating cursor ring + - selinux: fix double free + - ext4: fix partial cluster initialization when splitting extent + - drm/dp_mst: Increase ACT retry timeout to 3s + - [x86] boot/compressed: Relax sed symbol type regex for LLVM ld.lld + - block: nr_sects_write(): Disable preemption on seqcount write + - [x86] drm/i915: Whitelist context-local timestamp in the gen9 cmdparser + - crypto: algboss - don't wait during notifier callback + - kprobes: Fix to protect kick_kprobe_optimizer() by kprobe_mutex + - [x86] kprobes: Avoid kretprobe recursion bug + - kretprobe: Prevent triggering kretprobe from within kprobe_flush_task + - e1000e: Do not wake up the system via WOL if device wakeup is disabled + - net: core: device_rename: Use rwsem instead of a seqcount + - media: dvb_frontend: initialize variable s with FE_NONE instead of 0 + - media: dvb/frontend.h: move out a private internal structure + - media: dvb/frontend.h: document the uAPI file + - media: dvb_frontend: get rid of get_property() callback + - media: stv0288: get rid of set_property boilerplate + - media: stv6110: get rid of a srate dead code + - media: friio-fe: get rid of set_property() + - media: dvb_frontend: get rid of set_property() callback + - media: dvb_frontend: cleanup dvb_frontend_ioctl_properties() + - media: dvb_frontend: cleanup ioctl handling logic + - media: dvb_frontend: get rid of property cache's state + - media: dvb_frontend: better document the -EPERM condition + - media: dvb_frontend: fix return values for FE_SET_PROPERTY + - media: dvb_frontend: dtv_property_process_set() cleanups + - media: dvb_frontend: be sure to init dvb_frontend_handle_ioctl() return + code + - media: dvb_frontend: Add unlocked_ioctl in dvb_frontend.c + - media: dvb_frontend: Add compat_ioctl callback + - media: dvb_frontend: Add commands implementation for compat ioct + - media: dvb_frontend: fix wrong cast in compat_ioctl + - media: dvb_frontend: fix return error code + - mtd: rawnand: Pass a nand_chip object to nand_release() + - [x86] mtd: rawnand: diskonchip: Fix the probe error path + - [armel,armhf] mtd: rawnand: orion: Fix the probe error path + - l2tp: Allow duplicate session creation with UDP + - net: sched: export __netdev_watchdog_up() + - mld: fix memory leak in ipv6_mc_destroy_dev() + - net: fix memleak in register_netdevice() + - net: usb: ax88179_178a: fix packet alignment padding + - rxrpc: Fix notification call on completion of discarded calls + - tg3: driver sleeps indefinitely when EEH errors exceed eeh_max_freezes + - ip_tunnel: fix use-after-free in ip_tunnel_lookup() + - tcp_cubic: fix spurious HYSTART_DELAY exit upon drop in min RTT + - ip6_gre: fix use-after-free in ip6gre_tunnel_lookup() + - tcp: grow window for OOO packets only for SACK flows + - sctp: Don't advertise IPv4 addresses if ipv6only is set on the socket + - net: Fix the arp error in some cases + - net: Do not clear the sock TX queue in sk_set_socket() + - net: core: reduce recursion limit value + - [arm64,armhf] usb: dwc2: Postponed gadget registration to the udc class + driver + - usb: add USB_QUIRK_DELAY_INIT for Logitech C922 + - USB: ehci: reopen solution for Synopsys HC bug + - [armhf] usb: host: ehci-exynos: Fix error check in exynos_ehci_probe() + - ALSA: usb-audio: add quirk for Denon DCD-1500RE + - xhci: Fix incorrect EP_STATE_MASK + - xhci: Fix enumeration issue when setting max packet size for FS devices. + - cdc-acm: Add DISABLE_ECHO quirk for Microchip/SMSC chip + - ALSA: usb-audio: uac1: Invalidate ctl on interrupt + - ALSA: usb-audio: Clean up mixer element list traverse + - ALSA: usb-audio: Fix OOB access of mixer element list + - xhci: Poll for U0 after disabling USB2 LPM + - cifs/smb3: Fix data inconsistent when punch hole + - cifs/smb3: Fix data inconsistent when zero file range + - efi/esrt: Fix reference count leak in esre_create_sysfs_entry. + - RDMA/mad: Fix possible memory leak in ib_mad_post_receive_mads() + - net: qed: fix left elements count calculation + - net: qed: fix NVMe login fails over VFs + - net: qed: fix excessive QM ILT lines consumption + - [armhf] imx5: add missing put_device() call in imx_suspend_alloc_ocram() + - usb: gadget: udc: Potential Oops in error handling code + - netfilter: ipset: fix unaligned atomic access + - sched/core: Fix PI boosting between RT and DEADLINE tasks + - ata/libata: Fix usage of page address by page_address in + ata_scsi_mode_select_xlat function + - net: alx: fix race condition in alx_remove + - kbuild: improve cc-option to clean up all temporary files + - blktrace: break out of blktrace setup on concurrent calls + - ALSA: hda: Add NVIDIA codec IDs 9a & 9d through a0 to patch table + - ACPI: sysfs: Fix pm_profile_attr type + - [x86] KVM: X86: Fix MSR range of APIC registers in X2APIC mode + - mm/slab: use memzero_explicit() in kzfree() + - ocfs2: load global_inode_alloc + - ocfs2: fix value of OCFS2_INVALID_SLOT + - ocfs2: fix panic on nfs server over ocfs2 + - [arm64] perf: Report the PC value in REGS_ABI_32 mode + - tracing: Fix event trigger to accept redundant spaces + - drm/radeon: fix fb_div check in ni_init_smc_spll_table() + - sunrpc: fixed rollback in rpc_gssd_dummy_populate() + - SUNRPC: Properly set the @subbuf parameter of xdr_buf_subsegment() + - pNFS/flexfiles: Fix list corruption if the mirror count changes + - xfs: add agf freeblocks verify in xfs_agf_verify (CVE-2020-12655) + - Revert "tty: hvc: Fix data abort due to race in hvc_open" + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.230 + - btrfs: fix a block group ref counter leak after failure to remove block + group + - btrfs: cow_file_range() num_bytes and disk_num_bytes are same + - btrfs: fix data block group relocation failure due to concurrent scrub + - mm: fix swap cache node allocation mask + - [x86] EDAC/amd64: Read back the scrub rate PCI register on F15h + - usbnet: smsc95xx: Fix use-after-free after removal + - mm/slub.c: fix corrupted freechain in deactivate_slab() + - mm/slub: fix stack overruns with SLUB_STATS + - usb: usbtest: fix missing kfree(dev->buf) in usbtest_disconnect + (CVE-2020-15393) + - crypto: af_alg - fix use-after-free in af_alg_accept() due to + bh_lock_sock() + - sched/rt: Show the 'sched_rr_timeslice' SCHED_RR timeslice tuning knob in + milliseconds + - cxgb4: parse TC-U32 key values and masks natively + - [x86] hwmon: (acpi_power_meter) Fix potential memory leak in + acpi_power_meter_add() + - virtio-blk: free vblk-vqs in error path of virtblk_probe() + - i2c: algo-pca: Add 0x78 as SCL stuck low status for PCA9665 + - SMB3: Honor 'seal' flag for multiuser mounts + - SMB3: Honor persistent/resilient handle flags for multiuser mounts + - netfilter: nf_conntrack_h323: lost .data_len definition for Q.931/ipv6 + - efi: Make it possible to disable efivar_ssdt entirely + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.231 + - [arm64,armhf] gpu: host1x: Detach driver on unregister + - spi: spidev: fix a race between spidev_release and spidev_remove + - spi: spidev: fix a potential use-after-free in spidev_release() + - cifs: update ctime and mtime during truncate + - [armhf] imx6: add missing put_device() call in imx6q_suspend_init() + - scsi: mptscsih: Fix read sense data size + - net: cxgb4: fix return error value in t4_prep_fw + - smsc95xx: check return value of smsc95xx_reset + - smsc95xx: avoid memory leak in smsc95xx_bind + - ALSA: compress: fix partial_drain completion state + - bnxt_en: fix NULL dereference in case SR-IOV configuration fails + - [arm64] net: macb: mark device wake capable when "magic-packet" property + present + - [i386] ALSA: opl3: fix infoleak in opl3 + - ALSA: hda - let hs_mic be picked ahead of hp_mic + - ALSA: usb-audio: add quirk for MacroSilicon MS2109 + - [arm64] KVM: arm64: Fix definition of PAGE_HYP_DEVICE + - [x86] KVM: x86: bit 8 of non-leaf PDPEs is not reserved + - Revert "ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb" + - btrfs: fix fatal extent_buffer readahead vs releasepage race + - drm/radeon: fix double free + - ipv4: fill fl4_icmp_{type,code} in ping_v4_sendmsg + - l2tp: remove skb_dst_set() from l2tp_xmit_skb() + - llc: make sure applications use ARPHRD_ETHER + - net: Added pointer check for dst->ops->neigh_lookup in + dst_neigh_lookup_skb + - net: usb: qmi_wwan: add support for Quectel EG95 LTE modem + - tcp: md5: add missing memory barriers in tcp_md5_do_add()/ + tcp_md5_hash_key() + - tcp: md5: refine tcp_md5_do_add()/tcp_md5_hash_key() barriers + - genetlink: remove genl_bind + - tcp: make sure listeners don't initialize congestion-control state + - tcp: md5: do not send silly options in SYNCOOKIES + - tcp: md5: allow changing MD5 keys in all socket states + - cgroup: fix cgroup_sk_alloc() for sk_clone_lock() (CVE-2020-14356) + - cgroup: Fix sock_cgroup_data on big-endian. + - [i386] i2c: eg20t: Load module automatically if ID matches + - [armhf] iio: mma8452: Add missed iio_device_unregister() call in + mma8452_probe() + - [armhf] net: dsa: bcm_sf2: Fix node reference count + - [armhf] spi: spi-sun6i: sun6i_spi_transfer_one(): fix setting of clock + rate + - [x86] staging: comedi: verify array index is correct before using it + - [armhf] dts: socfpga: Align L2 cache-controller nodename with dtschema + - perf stat: Zero all the 'ena' and 'run' array slot stats for interval mode + - HID: magicmouse: do not set up autorepeat + - usb: core: Add a helper function to check the validity of EP type in URB + - ALSA: line6: Perform sanity check for each URB creation + - ALSA: usb-audio: Fix race against the error recovery URB submission + - [arm64,armhf] usb: dwc2: Fix shutdown callback in platform + - [arm64,armhf] usb: chipidea: core: add wakeup support for extcon + - usb: gadget: function: fix missing spinlock in f_uac1_legacy + - USB: serial: iuu_phoenix: fix memory corruption + - USB: serial: cypress_m8: enable Simply Automated UPB PIM + - USB: serial: ch341: add new Product ID for CH340 + - USB: serial: option: add GosunCn GM500 series + - USB: serial: option: add Quectel EG95 LTE modem + - virtio: virtio_console: add missing MODULE_DEVICE_TABLE() for rproc serial + - fuse: Fix parameter for FS_IOC_{GET,SET}FLAGS + - mei: bus: don't clean driver pointer + - [x86] Input: i8042 - add Lenovo XiaoXin Air 12 to i8042 nomux list + - timer: Fix wheel index calculation on last level + - [arm64] ptrace: Override SPSR.SS when single-stepping is enabled + - sched/fair: handle case of task_h_load() returning 0 + - [arm64,armhf] irqchip/gic: Atomically update affinity + - [x86] cpu: Move x86_cache_bits settings + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.232 + - [x86] pinctrl: amd: fix npins for uart0 in kerncz_groups + - mac80211: allow rx of mesh eapol frames with default rx key + - scsi: scsi_transport_spi: Fix function pointer check + - net: sky2: initialize return of gm_phy_read + - drm/nouveau/i2c/g94-: increase NV_PMGR_DP_AUXCTL_TRANSACTREQ timeout + - uprobes: Change handle_swbp() to send SIGTRAP with si_code=SI_KERNEL, to + fix GDB regression + - ALSA: info: Drop WARN_ON() from buffer NULL sanity check + - btrfs: fix double free on ulist after backref resolution failure + - btrfs: fix mount failure caused by race with umount + - bnxt_en: Fix race when modifying pause settings. + - [x86] hippi: Fix a size used in a 'pci_free_consistent()' in an error + handling path + - ax88172a: fix ax88172a_unbind() failures + - net: dp83640: fix SIOCSHWTSTAMP to update the struct with actual + configuration + - [arm64,armhf] net: smc91x: Fix possible memory leak in smc_drv_probe() + - [x86] HID: i2c-hid: add Mediacom FlexBook edge13 to descriptor override + - HID: apple: Disable Fn-key key-re-mapping on clone keyboards + - [arm64] dmaengine: tegra210-adma: Fix runtime PM imbalance on error + - regmap: dev_get_regmap_match(): fix string comparison + - dmaengine: ioat setting ioat timeout as module parameter + - [arm64] Use test_tsk_thread_flag() for checking TIF_SINGLESTEP + - usb: xhci: Fix ASM2142/ASM3142 DMA addressing + - staging: wlan-ng: properly check endpoint types + - [x86] staging: comedi: addi_apci_{1032,1500,1564}: check + INSN_CONFIG_DIGITAL_TRIG shift + - [x86] staging: comedi: ni_6527: fix INSN_CONFIG_DIGITAL_TRIG support + - serial: 8250: fix null-ptr-deref in serial8250_start_tx() + - vt: Reject zero-sized screen buffer size. + - mm/memcg: fix refcount error while moving and swapping + - io-mapping: indicate mapping failure + - ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb + - ath9k: Fix regression with Atheros 9271 + - AX.25: Fix out-of-bounds read in ax25_connect() + - AX.25: Prevent out-of-bounds read in ax25_sendmsg() + - dev: Defer free of skbs in flush_backlog + - net-sysfs: add a newline when printing 'tx_timeout' by sysfs + - net: udp: Fix wrong clean up for IS_UDPLITE macro + - rxrpc: Fix sendmsg() returning EPIPE due to recvmsg() returning ENODATA + - AX.25: Prevent integer overflows in connect and sendmsg + - tcp: allow at most one TLP probe per flight + - ip6_gre: fix null-ptr-deref in ip6gre_init_net() + - regmap: debugfs: check count when read regmap file + - perf probe: Fix to check blacklist address correctly + - perf annotate: Use asprintf when formatting objdump command line + - perf tools: Fix snprint warnings for gcc 8 + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.233 + - net: phy: mdio-bcm-unimac: fix potential NULL dereference in + unimac_mdio_probe() + - [x86] crypto: ccp - Release all allocated memory if sha type is invalid + - media: rc: prevent memory leak in cx23888_ir_probe + - ath9k_htc: release allocated buffer if timed out (CVE-2019-19073) + - ath9k: release allocated buffer if timed out (CVE-2019-19074) + - PCI/ASPM: Disable ASPM on ASMedia ASM1083/1085 PCIe-to-PCI bridge + - [armel,armhf] 8986/1: hw_breakpoint: Don't invoke overflow handler on + uaccess watchpoints + - drm/amdgpu: Prevent kernel-infoleak in amdgpu_info_ioctl() + - drm: hold gem reference until object is no longer accessed + - f2fs: check memory boundary by insane namelen + - f2fs: check if file namelen exceeds max value (CVE-2019-9445) + - 9p/trans_fd: abort p9_read_work if req status changed + - 9p/trans_fd: Fix concurrency del of req_list in p9_fd_cancelled/ + p9_read_work + - [x86] build/lto: Fix truncated .bss with -fdata-sections + - [x86] vmlinux.lds: Page-align end of ..page_aligned sections + - fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins. + - rds: Prevent kernel-infoleak in rds_notify_queue_get() + - xfs: fix missed wakeup on l_flush_wait + - uapi: includes linux/types.h before exporting files + - install several missing uapi headers + - net/x25: Fix x25_neigh refcnt leak when x25 disconnect + - net/x25: Fix null-ptr-deref in x25_disconnect + - net: lan78xx: add missing endpoint sanity check + - net: lan78xx: fix transfer-buffer memory leak + - mlx4: disable device on shutdown + - mac80211: mesh: Free ie data when leaving mesh + - mac80211: mesh: Free pending skb when destroying a mpath + - [arm64] csum: Fix handling of bad packets + - usb: hso: Fix debug compile warning on sparc32 + - qed: Disable "MFW indication via attention" SPAM every 5 minutes + - xen-netfront: fix potential deadlock in xennet_remove() + - [x86] KVM: LAPIC: Prevent setting the tscdeadline timer if the lapic is + hw disabled + - [x86] i8259: Use printk_deferred() to prevent deadlock + - random32: update the net random state on interrupt and activity + (CVE-2020-16166) + - [armel,armhf] percpu.h: fix build error + - random: fix circular include dependency on arm64 after addition of + percpu.h + - random32: move the pseudo-random 32-bit definitions to prandom.h + - ext4: fix direct I/O read error + - USB: serial: qcserial: add EM7305 QDL product ID + - net/mlx5e: Don't support phys switch id if not in switchdev mode + - ALSA: seq: oss: Serialize ioctls + - Bluetooth: Fix slab-out-of-bounds read in + hci_extended_inquiry_result_evt() + - Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_evt() + - Bluetooth: Prevent out-of-bounds read in + hci_inquiry_result_with_rssi_evt() + - vgacon: Fix for missing check in scrollback handling (CVE-2020-14331) + - mtd: properly check all write ioctls for permissions + - leds: wm831x-status: fix use-after-free on unbind + - net/9p: validate fds in p9_fd_open + - drm/nouveau/fbcon: fix module unload when fbcon init has failed for some + reason + - cfg80211: check vendor command doit pointer before use + - igb: reinit_locked() should be called with rtnl_lock + - atm: fix atm_dev refcnt leaks in atmtcp_remove_persistent + - tools lib traceevent: Fix memory leak in process_dynamic_array_len + - xattr: break delegations in {set,remove}xattr + - binder: Prevent context manager from incrementing ref 0 + - ipv4: Silence suspicious RCU usage warning + - ipv6: fix memory leaks on IPV6_ADDRFORM path + - vxlan: Ensure FDB dump is performed under RCU + - net: lan78xx: replace bogus endpoint lookup + - Revert "vxlan: fix tos value before xmit" + - usb: hso: check for return value in hso_serial_common_create() + - tracepoint: Mark __tracepoint_string's __used + - gpio: fix oops resulting from calling of_get_named_gpio(NULL, ...) + - cgroup: add missing skcd->no_refcnt check in cgroup_sk_clone() + (CVE-2020-25220) + - EDAC: Fix reference count leaks + - [arm64] dts: qcom: msm8916: Replace invalid bias-pull-none property + - [arm64] dts: exynos: Fix silent hang after boot on Espresso + - [x86] platform/x86: intel-hid: Fix return value check in check_acpi_dev() + - [x86] platform/x86: intel-vbtn: Fix return value check in + check_acpi_dev() + - [armhf] socfpga: PM: add missing put_device() call in + socfpga_setup_ocram_self_refresh() + - [armhf] drm/tilcdc: fix leak & null ref in panel_connector_get_modes + - Bluetooth: add a mutex lock to avoid UAF in do_enale_set + - fs/btrfs: Add cond_resched() for try_release_extent_mapping() stalls + - drm/radeon: Fix reference count leaks caused by pm_runtime_get_sync + - video: fbdev: neofb: fix memory leak in neo_scan_monitor() + - md-cluster: fix wild pointer of unlock_all_bitmaps() + - drm/nouveau: fix multiple instances of reference count leaks + - drm/debugfs: fix plain echo to connector "force" attribute + - mm/mmap.c: Add cond_resched() for exit_mmap() CPU stalls + - brcmfmac: To fix Bss Info flag definition Bug + - iwlegacy: Check the return value of pcie_capability_read_*() + - usb: gadget: net2280: fix memory leak on probe error handling paths + - bdc: Fix bug causing crash after multiple disconnects + - dyndbg: fix a BUG_ON in ddebug_describe_flags + - bcache: fix super block seq numbers comparision in register_cache_set() + - ACPICA: Do not increment operation_region reference counts for field + units + - [x86] agp/intel: Fix a memory leak on module initialisation failure + - iio: improve IIO_CONCENTRATION channel type description + - [armhf] media: omap3isp: Add missed v4l2_ctrl_handler_free() for + preview_init_entities() + - [armhf] drm/mipi: use dcs write for mipi_dsi_dcs_set_tear_scanline + - drm/radeon: fix array out-of-bounds read and write issues + - media: firewire: Using uninitialized values in node_probe() + - xfs: fix reflink quota reservation accounting error + - PCI: Fix pci_cfg_wait queue locking problem + - leds: core: Flush scheduled work for system suspend + - [arm64,armhf] drm: panel: simple: Fix bpc for LG LB070WV8 panel + - scsi: scsi_debug: Add check for sdebug_max_queue during module init + - mwifiex: Prevent memory corruption handling keys + - [x86] staging: rtl8192u: fix a dubious looking mask before a shift + - PCI/ASPM: Add missing newline in sysfs 'policy' + - [armhf] drm/imx: tve: fix regulator_disable error path + - USB: serial: iuu_phoenix: fix led-activity helpers + - [arm64,armhf] usb: dwc2: Fix error path in gadget registration + - [arm64,armhf] wl1251: fix always return 0 error + - dlm: Fix kobject memleak + - pinctrl-single: fix pcs_parse_pinconf() return value + - [x86] drivers/net/wan/lapbether: Added needed_headroom and a skb->len + check + - net/nfc/rawsock.c: add CAP_NET_RAW check. (CVE-2020-26088) + - net: Set fput_needed iff FDPUT_FPUT is set + - USB: serial: cp210x: re-enable auto-RTS on open + - USB: serial: cp210x: enable usb generic throttle/unthrottle + - ALSA: usb-audio: Creative USB X-Fi Pro SB1095 volume knob support + - ALSA: usb-audio: fix overeager device match for MacroSilicon MS2109 + - ALSA: usb-audio: add quirk for Pioneer DDJ-RB + - [x86] crypto: qat - fix double free in qat_uclo_create_batch_init_list + - [x86] crypto: ccp - Fix use of merged scatterlists + - fs/minix: check return value of sb_getblk() + - fs/minix: don't allow getting deleted inodes + - fs/minix: reject too-large maximum file size + - ALSA: usb-audio: work around streaming quirk for MacroSilicon MS2109 + - 9p: Fix memory leak in v9fs_mount + - xen/balloon: fix accounting in alloc_xenballooned_pages error path + - xen/balloon: make the balloon wait interruptible + - smb3: warn on confusing error scenario with sec=krb5 + - PCI: hotplug: ACPI: Fix context refcounting in acpiphp_grab_context() + - btrfs: don't allocate anonymous block device for user invisible roots + - btrfs: only search for left_info if there is no right_info in + try_merge_free_space (CVE-2019-19448) + - btrfs: fix memory leaks after failure to lookup checksums during inode + logging + - [arm64,armhf] net: ethernet: stmmac: Disable hardware multicast filter + - [arm64,armhf] net: stmmac: dwmac1000: provide multicast filter fallback + - net/compat: Add missing sock updates for SCM_RIGHTS + - md/raid5: Fix Force reconstruct-write io stuck in degraded raid5 + - bcache: allocate meta data pages as compound pages + - mac80211: fix misplaced while instead of if + - ext2: fix missing percpu_counter_inc + - ocfs2: change slot number type s16 to u16 + - ftrace: Setup correct FTRACE_FL_REGS flags for module + - kprobes: Fix NULL pointer dereference at kprobe_ftrace_handler + - [x86] watchdog: f71808e_wdt: indicate WDIOF_CARDRESET support in + watchdog_info.options + - [x86] watchdog: f71808e_wdt: remove use of wrong watchdog_info option + - [x86] watchdog: f71808e_wdt: clear watchdog timeout occurred flag + - USB: serial: ftdi_sio: make process-packet buffer unsigned + - USB: serial: ftdi_sio: clean up receive processing + - [armhf] gpu: ipu-v3: image-convert: Combine rotate/no-rotate irq handlers + - [armhf] iommu/omap: Check for failure of a call to omap_iommu_dump_ctx + - [x86] iommu/vt-d: Enforce PASID devTLB field mask + - Input: sentelic - fix error return when fsp_reg_write fails + - [x86] drm/vmwgfx: Fix two list_for_each loop exit tests + - [arm64] net: qcom/emac: add missed clk_disable_unprepare in error path of + emac_clks_phase1_init + - nfs: Fix getxattr kernel panic and memory overflow (CVE-2020-25212) + - fs/ufs: avoid potential u32 multiplication overflow + - ALSA: echoaudio: Fix potential Oops in snd_echo_resume() + - khugepaged: retract_page_tables() remember to test exit + - mm: Avoid calling build_all_zonelists_init under hotplug context + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.234 + - [x86] asm: Add instruction suffixes to bitops + - [armhf] drm/imx: imx-ldb: Disable both channels for split mode in + enc->disable() + - perf probe: Fix memory leakage when the probe point is not found + - tracing: Clean up the hwlat binding code + - [rt] tracing/hwlat: Honor the tracing_cpumask + - khugepaged: khugepaged_test_exit() check mmget_still_valid() + - khugepaged: adjust VM_BUG_ON_MM() in __khugepaged_enter() + - btrfs: export helpers for subvolume name/id resolution + - btrfs: don't show full path of bind mounts in subvol= + - romfs: fix uninitialized memory leak in romfs_dev_read() + - kernel/relay.c: fix memleak on destroy relay channel + - [armhf] mm: include CMA pages in lowmem_reserve at boot + - mm, page_alloc: fix core hung in free_pcppages_bulk() + - ext4: clean up ext4_match() and callers + - ext4: fix checking of directory entry validity for inline directories + - scsi: ufs: Add DELAY_BEFORE_LPM quirk for Micron devices + - media: budget-core: Improve exception handling in budget_register() + - Input: psmouse - add a newline when printing 'proto' by sysfs + - xfs: fix inode quota reservation checks + - jffs2: fix UAF problem + - scsi: libfc: Free skb in fc_disc_gpn_id_resp() for valid cases + - virtio_ring: Avoid loop when vq is broken in virtqueue_poll + - xfs: Fix UBSAN null-ptr-deref in xfs_sysfs_init + - ext4: fix potential negative array index in do_split() (CVE-2020-14314) + - i40e: Set RX_ONLY mode for unicast promiscuous on VLAN + - [x86] ASoC: intel: Fix memleak in sst_media_open + - [armhf] net: dsa: b53: check for timeout + - epoll: Keep a reference on files added to the check list + - do_epoll_ctl(): clean the failure exits up a bit + - mm/hugetlb: fix calculation of adjust_range_if_pmd_sharing_possible + - xen: don't reschedule in preemption off sections + - [arm64,armhf] KVM: arm/arm64: Don't reschedule in unmap_stage2_range() + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.235 + - bonding: fix a potential double-unregister + - bonding: show saner speed for broadcast mode + - net: Fix potential wrong skb->protocol in skb_vlan_untag() + - tipc: fix uninit skb->data in tipc_nl_compat_dumpit() + - ipvlan: fix device features + - gre6: Fix reception with IP6_TNL_F_RCV_DSCP_COPY + - ALSA: pci: delete repeated words in comments + - [arm64,armhf] ASoC: tegra: Fix reference count leaks. + - [arm64] dts: qcom: msm8916: Pull down PDM GPIOs during sleep + - media: pci: ttpci: av7110: fix possible buffer overflow caused by bad DMA + value in debiirq() + - scsi: target: tcmu: Fix crash on ARM during cmd completion + - [x86] drm/amdkfd: Fix reference count leaks. + - drm/radeon: fix multiple reference count leak + - drm/amdgpu: fix ref count leak in amdgpu_driver_open_kms + - drm/amd/display: fix ref count leak in amdgpu_drm_ioctl + - drm/amdgpu: fix ref count leak in amdgpu_display_crtc_set_config + - drm/amdgpu/display: fix ref count leak when pm_runtime_get_sync fails + - scsi: lpfc: Fix shost refcount mismatch when deleting vport + - PCI: Fix pci_create_slot() reference count leak + - rtlwifi: rtl8192cu: Prevent leaking urb + - cec-api: prevent leaking memory through hole in structure + - drm/nouveau/drm/noveau: fix reference count leak in nouveau_fbcon_open + - drm/nouveau: Fix reference count leak in nouveau_connector_detect + - scsi: iscsi: Do not put host in iscsi_set_flashnode_param() + - ceph: fix potential mdsc use-after-free crash + - scsi: fcoe: Memory leak fix in fcoe_sysfs_fcf_del() + - [x86] EDAC/ie31200: Fallback if host bridge device is already initialized + - media: davinci: vpif_capture: fix potential double free + - USB: sisusbvga: Fix a potential UB casued by left shifting a negative + value + - efi: provide empty efi_enter_virtual_mode implementation + - Revert "ath10k: fix DMA related firmware crashes on multiple devices" + - usb: gadget: f_tcm: Fix some resource leaks in some error paths + - jbd2: make sure jh have b_transaction set in refile/unfile_buffer + - jbd2: abort journal if free a async write error metadata buffer + - fs: prevent BUG_ON in submit_bh_wbc() + - scsi: ufs: Fix possible infinite loop in ufshcd_hold + - scsi: ufs: Improve interrupt handling for shared interrupts + - [x86] HID: i2c-hid: Always sleep 60ms after I2C_HID_PWR_ON commands + - btrfs: fix space cache memory leak after transaction abort + - fbcon: prevent user font height or width change from causing potential + out-of-bounds access + - vt: defer kfree() of vc_screenbuf in vc_do_resize() + - vt_ioctl: change VT_RESIZEX ioctl to check for error return from + vc_resize() + - [armhf] serial: samsung: Removes the IRQ not found warning + - [arm64,armhf] serial: pl011: Fix oops on -EPROBE_DEFER + - [arm64,armhf] serial: pl011: Don't leak amba_ports entry on driver + register error + - serial: 8250: change lock order in serial8250_do_startup() + - writeback: Protect inode->i_io_list with inode->i_lock + - writeback: Avoid skipping inode writeback + - writeback: Fix sync livelock due to b_dirty_time processing + - XEN uses irqdesc::irq_data_common::handler_data to store a per interrupt + XEN data pointer which contains XEN specific information. + - xhci: Do warm-reset when both CAS and XDEV_RESUME are set + - PM: sleep: core: Fix the handling of pending runtime resume requests + - device property: Fix the secondary firmware node handling in + set_primary_fwnode() + - USB: yurex: Fix bad gfp argument + - usb: uas: Add quirk for PNY Pro Elite + - USB: quirks: Add no-lpm quirk for another Raydium touchscreen + - USB: Ignore UAS for JMicron JMS567 ATA/ATAPI Bridge + - usb: host: ohci-exynos: Fix error handling in exynos_ohci_probe() + - overflow.h: Add allocation size calculation helpers + - USB: gadget: u_f: add overflow checks to VLA macros + - USB: gadget: f_ncm: add bounds checks to ncm_unwrap_ntb() + - USB: gadget: u_f: Unbreak offset calculation in VLAs + - usb: storage: Add unusual_uas entry for Sony PSZ drives + - btrfs: check the right error variable in btrfs_del_dir_entries_in_log + - HID: hiddev: Fix slab-out-of-bounds write in hiddev_ioctl_usage() + - ALSA: usb-audio: Update documentation comment for MS2109 quirk + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.236 + - HID: core: Correctly handle ReportSize being zero + - HID: core: Sanitize event code and type when mapping input + - [x86] hwmon: (applesmc) check status earlier. + - nvmet: Disable keep-alive timer when kato is cleared to 0h + - ceph: don't allow setlease on cephfs + - xen/xenbus: Fix granting of vmalloc'd memory + - dmaengine: of-dma: Fix of_dma_router_xlate's of_dma_xlate handling + - batman-adv: Avoid uninitialized chaddr when handling DHCP + - batman-adv: bla: use netif_rx_ni when not in interrupt context + - dmaengine: at_hdmac: check return value of of_find_device_by_node() in + at_dma_xlate() + - netfilter: nf_tables: add NFTA_SET_USERDATA if not null + - netfilter: nf_tables: incorrect enum nft_list_attributes definition + - netfilter: nf_tables: fix destination register zeroing + - [arm64] net: hns: Fix memleak in hns_nic_dev_probe + - [armhf] dmaengine: pl330: Fix burst length if burst size is smaller than + bus width + - bnxt_en: Check for zero dir entries in NVRAM. + - bnxt_en: Fix PCI AER error recovery flow + - fix regression in "epoll: Keep a reference on files added to the check + list" + - tg3: Fix soft lockup when tg3_reset_task() fails. + - [x86] iommu/vt-d: Serialize IOMMU GCMD register modifications + - [armhf] thermal: ti-soc-thermal: Fix bogus thermal shutdowns for omap4430 + - include/linux/log2.h: add missing () around n in roundup_pow_of_two() + - btrfs: drop path before adding new uuid tree entry + - btrfs: Remove redundant extent_buffer_get in get_old_root + - btrfs: Remove extraneous extent_buffer_get from tree_mod_log_rewind + - btrfs: set the lockdep class for log tree extent buffers + - uaccess: Add non-pagefault user-space read functions + - uaccess: Add non-pagefault user-space write function + - btrfs: fix potential deadlock in the search ioctl + - net: usb: qmi_wwan: add Telit 0x1050 composition + - drivers: net: usb: qmi_wwan: add QMI_QUIRK_SET_DTR for Telit PID 0x1201 + - qmi_wwan: new Telewell and Sierra device IDs + - usb: qmi_wwan: add D-Link DWM-222 A2 device ID + - ALSA: ca0106: fix error code handling + - ALSA: pcm: oss: Remove superfluous WARN_ON() for mulaw sanity check + - ALSA: firewire-digi00x: exclude Avid Adrenaline from detection + - block: allow for_each_bvec to support zero len bvec (CVE-2020-25641) + - block: Move SECTOR_SIZE and SECTOR_SHIFT definitions into <linux/blkdev.h> + - libata: implement ATA_HORKAGE_MAX_TRIM_128M and apply to Sandisks + - dm cache metadata: Avoid returning cmd->bm wild pointer on error + - dm thin metadata: Avoid returning cmd->bm wild pointer on error + - mm: slub: fix conversion of freelist_corrupted() + - vfio/type1: Support faulting PFNMAP vmas + - vfio-pci: Fault mmaps to enable vma tracking + - vfio-pci: Invalidate mmaps and block MMIO access on disabled memory + (CVE-2020-12888) + - [arm64] KVM: arm64: Add kvm_extable for vaxorcism code + - [arm64] KVM: arm64: Defer guest entry when an asynchronous exception is + pending + - [arm64] KVM: arm64: Survive synchronous exceptions caused by AT + instructions + - [arm64] KVM: arm64: Set HCR_EL2.PTW to prevent AT taking synchronous + exception + - net: refactor bind_bucket fastreuse into helper + - net: initialize fastreuse on inet_inherit_port + - vfio/pci: Fix SR-IOV VF handling with MMIO blocking + - checkpatch: fix the usage of capture group ( ... ) + - mm/hugetlb: fix a race between hugetlb sysctl handlers (CVE-2020-25285) + - cfg80211: regulatory: reject invalid hints + - net: usb: Fix uninit-was-stored issue in asix_read_phy_addr() + - ALSA; firewire-tascam: exclude Tascam FE-8 from detection + - fs/affs: use octal for permissions + - affs: fix basic permission bits to actually work + - net: ethernet: mlx4: Fix memory allocation in mlx4_buddy_init() + - bnxt: don't enable NAPI until rings are ready + - netlabel: fix problems with mapping removal + - net: usb: dm9601: Add USB ID of Keenetic Plus DSL + - sctp: not disable bh in the whole sctp_get_port_local() + - net: disable netpoll on fresh napis + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.237 + - [armhf] dts: socfpga: fix register entry for timer3 on Arria10 + - RDMA/rxe: Fix memleak in rxe_mem_init_user + - RDMA/rxe: Drop pointless checks in rxe_init_ports + - scsi: libsas: Set data_dir as DMA_NONE if libata marks qc as NODATA + - [x86] drivers/net/wan/lapbether: Added needed_tailroom + - [x86] firestream: Fix memleak in fs_open + - ALSA: hda: Fix 2 channel swapping for Tegra + - [x86] drivers/net/wan/lapbether: Set network_header before transmitting + - xfs: initialize the shortform attr header padding entry + - [x86] drivers/net/wan/hdlc_cisco: Add hard_header_len + - ALSA: hda: fix a runtime pm issue in SOF when integrated GPU is disabled + - [x86] iio:accel:bmc150-accel: Fix timestamp alignment and prevent data + leak. + - [x86] iio:magnetometer:ak8975 Fix alignment and data leak issues. + - [armhf] iio:accel:mma8452: Fix timestamp alignment and prevent data leak. + - USB: core: add helpers to retrieve endpoints + - [x86] staging: wlan-ng: fix out of bounds read in prism2sta_probe_usb() + - btrfs: fix wrong address when faulting in pages in the search ioctl + - regulator: push allocation in set_consumer_device_supply() out of lock + - scsi: target: iscsi: Fix data digest calculation + - scsi: target: iscsi: Fix hang in iscsit_access_np() when getting + tpg->np_login_sem + - rbd: require global CAP_SYS_ADMIN for mapping and unmapping + (CVE-2020-25284) + - fbcon: remove soft scrollback code (CVE-2020-14390) + - fbcon: remove now unusued 'softback_lines' cursor() argument + - vgacon: remove software scrollback support + - [x86] KVM: VMX: Don't freeze guest when event delivery causes an APIC- + access exit + - video: fbdev: fix OOB read in vga_8planes_imageblit() + - usb: core: fix slab-out-of-bounds Read in read_descriptors + - USB: serial: ftdi_sio: add IDs for Xsens Mti USB converter + - USB: serial: option: add support for SIM7070/SIM7080/SIM7090 modules + - usb: Fix out of sync data toggle if a configured device is reconfigured + - IB/rxe: Remove a pointless indirection layer + - RDMA/rxe: Fix the parent sysfs read when the interface has 15 chars + - net: handle the return value of pskb_carve_frag_list() correctly + - NFSv4.1 handle ERR_DELAY error reclaiming locking state on delegation + recall + - scsi: pm8001: Fix memleak in pm8001_exec_internal_task_abort + - scsi: lpfc: Fix FLOGI/PLOGI receive race condition in pt2pt discovery + - SUNRPC: stop printk reading past end of string + - i2c: algo: pca: Reapply i2c bus settings after reset + - [armhf] clk: rockchip: Fix initialization of mux_pll_src_4plls_p + - [x86] Drivers: hv: vmbus: Add timeout to vmbus_wait_for_unload + - perf test: Free formats for perf pmu parse test + - fbcon: Fix user font detection test at fbcon_resize(). + - [x86] USB: quirks: Add USB_QUIRK_IGNORE_REMOTE_WAKEUP quirk for BYD + zhaoxin notebook + - USB: UAS: fix disconnect by unplugging a hub + - usblp: fix race between disconnect() and read() + - [x86] Input: i8042 - add Entroware Proteus EL07R4 to nomux and reset + lists + - serial: 8250_pci: Add Realtek 816a and 816b + - ehci-hcd: Move include to keep CRC stable + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.238 + - af_key: pfkey_dump needs parameter validation + - KVM: fix memory leak in kvm_io_bus_unregister_dev() + - kprobes: fix kill kprobe which has been marked as gone + - RDMA/ucma: ucma_context reference leak in error path + - mtd: Fix comparison in map_word_andequal() + - hdlc_ppp: add range checks in ppp_cp_parse_cr() (CVE-2020-25643) + - ip: fix tos reflection in ack and reset packets + - tipc: use skb_unshare() instead in tipc_buf_append() + - bnxt_en: Protect bnxt_set_eee() and bnxt_set_pauseparam() with mutex. + - net: phy: Avoid NPD upon phy_detach() when driver is unbound + - net: add __must_check to skb_put_padto() + - serial: 8250: Avoid error message on reprobe + - scsi: aacraid: fix illegal IO beyond last LBA + - [x86] gma/gma500: fix a memory disclosure bug due to uninitialized bytes + - [armel/marvell] ASoC: kirkwood: fix IRQ error handling + - ALSA: usb-audio: Add delay quirk for H570e USB headsets + - [armhf] PM / devfreq: tegra30: Fix integer overflow on CPU's freq max out + - [armhf] clk/ti/adpll: allocate room for terminating null + - mtd: cfi_cmdset_0002: don't free cfi->cfiq in error path of + cfi_amdstd_setup() + - mfd: mfd-core: Protect against NULL call-back function pointer + - tracing: Adding NULL checks for trace_array descriptor pointer + - bcache: fix a lost wake-up problem caused by mca_cannibalize_lock + - RDMA/i40iw: Fix potential use after free + - xfs: fix attr leaf header freemap.size underflow + - RDMA/iw_cgxb4: Fix an error handling path in 'c4iw_connect()' + - debugfs: Fix !DEBUG_FS debugfs_create_automount + - CIFS: Properly process SMB3 lease breaks + - kernel/sys.c: avoid copying possible padding bytes in copy_to_user + - neigh_stat_seq_next() should increase position index + - rt_cpu_seq_next should increase position index + - seqlock: Require WRITE_ONCE surrounding raw_seqcount_barrier + - [armhf] media: ti-vpe: cal: Restrict DMA to avoid memory corruption + - ACPI: EC: Reference count query handlers under lock + - tracing: Set kernel_stack's caller size properly + - ar5523: Add USB ID of SMCWUSBT-G2 wireless adapter + - Bluetooth: Fix refcount use-after-free issue + - mm: pagewalk: fix termination condition in walk_pte_range() + - Bluetooth: prefetch channel before killing sock + - KVM: fix overflow of zero page refcount with ksm running + - ALSA: hda: Clear RIRB status before reading WP + - skbuff: fix a data race in skb_queue_len() + - audit: CONFIG_CHANGE don't log internal bookkeeping as an event + - selinux: sel_avc_get_stat_idx should increase position index + - scsi: lpfc: Fix RQ buffer leakage when no IOCBs available + - scsi: lpfc: Fix coverity errors in fmdi attribute handling + - [armhf] drm/omap: fix possible object reference leak + - RDMA/rxe: Fix configuration of atomic queue pair attributes + - [x86] KVM: x86: fix incorrect comparison in trace event + - [x86] pkeys: Add check for pkey "overflow" + - bpf: Remove recursion prevention from rcu free callback + - dmaengine: tegra-apb: Prevent race conditions on channel's freeing + - media: go7007: Fix URB type for interrupt handling + - Bluetooth: guard against controllers sending zero'd events + - timekeeping: Prevent 32bit truncation in scale64_check_overflow() + - drm/amdgpu: increase atombios cmd timeout + - Bluetooth: L2CAP: handle l2cap config request during open state + - media: tda10071: fix unsigned sign extension overflow + - xfs: don't ever return a stale pointer from __xfs_dir3_free_read + - tracing: Use address-of operator on section symbols + - serial: 8250_port: Don't service RX FIFO if throttled + - [armhf] serial: 8250_omap: Fix sleeping function called from invalid + context during probe + - [armhf] serial: 8250: 8250_omap: Terminate DMA before pushing data on RX + timeout + - cpufreq: powernv: Fix frame-size-overflow in powernv_cpufreq_work_fn + - SUNRPC: Fix a potential buffer overflow in 'svc_print_xprts()' + - svcrdma: Fix leak of transport addresses + - ubifs: Fix out-of-bounds memory access caused by abnormal value of + node_len + - ALSA: usb-audio: Fix case when USB MIDI interface has more than one extra + endpoint descriptor + - mm/filemap.c: clear page error before actual read + - mm/mmap.c: initialize align_offset explicitly for vm_unmapped_area + - [x86] KVM: Remove CREATE_IRQCHIP/SET_PIT2 race + - bdev: Reduce time holding bd_mutex in sync in blkdev_close() + - drivers: char: tlclk.c: Avoid data race between init and interrupt + handler + - atm: fix a memory leak of vcc->user_back + - Bluetooth: Handle Inquiry Cancel error after Inquiry Complete + - [armhf] tty: serial: samsung: Correct clock selection logic + - ALSA: hda: Fix potential race in unsol event handler + - fuse: don't check refcount after stealing page + - e1000: Do not perform reset in reset_task if we are already down + - printk: handle blank console arguments passed in. + - btrfs: don't force read-only after error in drop snapshot + - vfio/pci: fix memory leaks of eventfd ctx + - perf util: Fix memory leak of prefix_if_not_in + - perf kcore_copy: Fix module map when there are no modules loaded + - ceph: fix potential race in ceph_check_caps + - mtd: parser: cmdline: Support MTD names containing one or more colons + - [x86] speculation/mds: Mark mds_user_clear_cpu_buffers() __always_inline + - vfio/pci: Clear error and request eventfd ctx after releasing + - cifs: Fix double add page to memcg when cifs_readpages + - vfio/pci: fix racy on error and request eventfd ctx + - i2c: core: Call i2c_acpi_install_space_handler() before + i2c_acpi_register_devices() + - objtool: Fix noreturn detection for ignored functions + - ieee802154/adf7242: check status of adf7242_read_reg + - mwifiex: Increase AES key storage size to 256 bits + - batman-adv: bla: fix type misuse for backbone_gw hash indexing + - [x86] atm: eni: fix the missed pci_disable_device() for eni_init_one() + - batman-adv: mcast/TT: fix wrongly dropped or rerouted packets + - mac802154: tx: fix use-after-free + - batman-adv: Add missing include for in_interrupt() + - batman-adv: mcast: fix duplicate mcast packets in BLA backbone from mesh + - ALSA: asihpi: fix iounmap in error handler + - kprobes: Fix to check probe enabled before disarm_kprobe_ftrace() + - lib/string.c: implement stpcpy + - ata: define AC_ERR_OK + - ata: make qc_prep return ata_completion_errors + - ata: sata_mv, avoid trigerrable BUG_ON + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.239 + - vsock/virtio: use RCU to avoid use-after-free on the_virtio_vsock + - vsock/virtio: stop workers during the .remove() + - USB: gadget: f_ncm: Fix NDP16 datagram validation + - [x86] Input: i8042 - add nopnp quirk for Acer Aspire 5 A515 + - drm/amdgpu: restore proper ref count in amdgpu_display_crtc_set_config + - net: dec: de2104x: Increase receive ring size for Tulip + - rndis_host: increase sleep time in the query-response loop + - drivers/net/wan/hdlc: Set skb->protocol before transmitting + - mac80211: do not allow bigger VHT MPDUs than the hardware supports + - nfs: Fix security label length not being reset + - [armhf] clk: samsung: exynos4: mark 'chipid' clock as CLK_IGNORE_UNUSED + - random32: Restore __latent_entropy attribute on net_rand_state + - net/packet: fix overflow in tpacket_rcv (CVE-2020-14386) + - epoll: do not insert into poll queues until all sanity checks are done + - epoll: replace ->visited/visited_list with generation count + - epoll: EPOLL_CTL_ADD: close the race in decision to take fast path + - ep_create_wakeup_source(): dentry name can change under you... + - netfilter: ctnetlink: add a range check for l3/l4 protonum + (CVE-2020-25211) + - fbdev, newport_con: Move FONT_EXTRA_WORDS macros into linux/font.h + - Fonts: Support FONT_EXTRA_WORDS macros for built-in fonts + - fbcon: Fix global-out-of-bounds read in fbcon_get_font() + - net: wireless: nl80211: fix out-of-bounds access in nl80211_del_key() + - usermodehelper: reset umask to default before executing user process + - [x86] platform/x86: thinkpad_acpi: initialize tp_nvram_state variable + - [x86] platform/x86: thinkpad_acpi: re-initialize ACPI buffer size when + reuse + - driver core: Fix probe_count imbalance in really_probe() + - perf top: Fix stdio interface input handling with glibc 2.28+ + - [armhf] mtd: rawnand: sunxi: Fix the probe error path + - ftrace: Move RCU is watching check after recursion check + - macsec: avoid use-after-free in macsec_handle_frame() + - mm/khugepaged: fix filemap page_to_pgoff(page) != offset + - sctp: fix sctp_auth_init_hmacs() error path + - team: set dev->needed_headroom in team_setup_by_port() + - net: team: fix memory leak in __team_options_register + - openvswitch: handle DNAT tuple collision + - drm/amdgpu: prevent double kfree ttm->sg + - xfrm: clone XFRMA_REPLAY_ESN_VAL in xfrm_do_migrate + - xfrm: clone whole liftime_cur structure in xfrm_do_migrate + - [arm64,armhf] net: stmmac: removed enabling eee in EEE set callback + - xfrm: Use correct address family in xfrm_state_find + - bonding: set dev->needed_headroom in bond_setup_by_slave() + - [arm64] mdio: fix mdio-thunder.c dependency & build error + - rxrpc: Fix rxkad token xdr encoding + - rxrpc: Downgrade the BUG() for unsupported token type in rxrpc_read() + - rxrpc: Fix some missing _bh annotations on locking conn->state_lock + - rxrpc: Fix server keyring leak + - perf: Fix task_function_call() error handling + - mm: khugepaged: recalculate min_free_kbytes after memory hotplug as + expected by khugepaged + - net: usb: rtl8150: set random MAC address when set_ethernet_addr() fails + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.240 + - Bluetooth: A2MP: Fix not initializing all members (CVE-2020-12352) + - Bluetooth: L2CAP: Fix calling sk_filter on non-socket based channel + (CVE-2020-12351) + - Bluetooth: MGMT: Fix not checking if BT_HS is enabled + - Bluetooth: fix kernel oops in store_pending_adv_report (CVE-2020-24490) + - Bluetooth: Consolidate encryption handling in hci_encrypt_cfm + - Bluetooth: Fix update of connection state in `hci_encrypt_cfm` + - Bluetooth: Disconnect if E0 is used for Level 4 + - media: usbtv: Fix refcounting mixup + - USB: serial: option: add Cellient MPL200 card + - USB: serial: option: Add Telit FT980-KS composition + - [x86] staging: comedi: check validity of wMaxPacketSize of usb endpoints + found + - USB: serial: pl2303: add device-id for HP GC device + - USB: serial: ftdi_sio: add support for FreeCalypso JTAG+UART adapters + - reiserfs: Initialize inode keys properly + - reiserfs: Fix oops during mount + - crypto: qat - check cipher length for aead AES-CBC-HMAC-SHA + + [ Ben Hutchings ] + * [rt] Add new signing key for Clark Williams + * [rt] Update to 4.9.240-rt155 + * [rt] mm, page_alloc: Restore "fix core hung in free_pcppages_bulk()" + * [rt] net: Restore use of tofree_queue in flush_backlog() + * Bump ABI to 14 + 4.9.228-1 [Sun, 05 Jul 2020 22:29:47 +0100] Ben Hutchings <benh@debian.org>: * New upstream stable update: <http://10.200.17.11/4.4-6/#5477426688458639753>
I removed linux 4.9.240-2 from 4.4-0-errata4.4-6 for now, it should not block the errata release necessary for the UCS 4.4-7 release. 58c733db Remove yaml from 4.4-6
[4.4-6] 8919bd344d Bug #52287: univention-kernel-image-signed 5.0.0-13A~4.4.0.202011251617 doc/errata/staging/linux.yaml | 8 +- .../staging/univention-kernel-image-signed.yaml | 85 ++++++++++++++++++++++ doc/errata/staging/univention-kernel-image.yaml | 85 ++++++++++++++++++++++ 3 files changed, 175 insertions(+), 3 deletions(-) [4.4-6] 9f5b5d7c0e Bug #52287: Update to linux-4.9.0-13 kernel/univention-kernel-image/debian/changelog | 6 ++++++ kernel/univention-kernel-image/debian/rules | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) [4.4-6] 88f91fe183 Bug #52287: Update to linux-4.9.240-2 .../univention-kernel-image-signed/debian/changelog | 6 ++++++ kernel/univention-kernel-image-signed/debian/control | 10 +++++----- .../vmlinuz-4.9.0-13-amd64.efi.signed | Bin 4269680 -> 0 bytes .../vmlinuz-4.9.0-14-amd64.efi.signed | Bin 0 -> 4265584 bytes 4 files changed, 11 insertions(+), 5 deletions(-) [4.4-6] 5fe96cc855 Revert "Bug #52287: Remove yaml from 4.4-6" doc/errata/staging/linux.yaml | 83 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 83 insertions(+)
--- mirror/ftp/4.4/unmaintained/4.4-6/source/univention-kernel-image_12.0.0-5A~4.4.0.202007231023.dsc +++ apt/ucs_4.4-0-errata4.4-6/source/univention-kernel-image_12.0.0-6A~4.4.0.202011251627.dsc @@ -1,6 +1,10 @@ -12.0.0-5A~4.4.0.202007231023 [Thu, 23 Jul 2020 10:23:20 +0200] Univention builddaemon <buildd@univention.de>: +12.0.0-6A~4.4.0.202011251627 [Wed, 25 Nov 2020 16:27:10 +0100] Univention builddaemon <buildd@univention.de>: * UCS auto build. No patches were applied to the original source package + +12.0.0-6 [Wed, 25 Nov 2020 16:26:23 +0100] Philipp Hahn <hahn@univention.de>: + + * Bug #52287: Update to linux-4.9.0-13 12.0.0-5 [Thu, 23 Jul 2020 10:18:25 +0200] Philipp Hahn <hahn@univention.de>: <http://10.200.17.11/4.4-6/#2288575411309166934>
--- mirror/ftp/4.4/unmaintained/4.4-6/source/univention-kernel-image-signed_5.0.0-12A~4.4.0.202007231029.dsc +++ apt/ucs_4.4-0-errata4.4-6/source/univention-kernel-image-signed_5.0.0-13A~4.4.0.202011251617.dsc @@ -1,6 +1,10 @@ -5.0.0-12A~4.4.0.202007231029 [Thu, 23 Jul 2020 10:29:58 +0200] Univention builddaemon <buildd@univention.de>: +5.0.0-13A~4.4.0.202011251617 [Wed, 25 Nov 2020 16:17:45 +0100] Univention builddaemon <buildd@univention.de>: * UCS auto build. No patches were applied to the original source package + +5.0.0-13 [Wed, 25 Nov 2020 16:14:04 +0100] Philipp Hahn <hahn@univention.de>: + + * Bug #52287: Update to linux-4.9.240-2 5.0.0-12 [Thu, 23 Jul 2020 10:28:28 +0200] Philipp Hahn <hahn@univention.de>: <http://10.200.17.11/4.4-6/#2288575411309166934>
--- mirror/ftp/4.4/unmaintained/4.4-6/source/linux_4.9.228-1.dsc +++ apt/ucs_4.4-0-errata4.4-6/source/linux_4.9.240-2.dsc @@ -1,3 +1,909 @@ +4.9.240-2 [Fri, 30 Oct 2020 18:26:41 +0000] Ben Hutchings <benh@debian.org>: + + * xen/events: don't use chip_data for legacy IRQs (Closes: #973417) + +4.9.240-1 [Thu, 29 Oct 2020 18:09:40 +0000] Ben Hutchings <benh@debian.org>: + + * New upstream stable update: + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.229 + - [armhf] clk: sunxi: Fix incorrect usage of round_down() + - [x86] i2c: piix4: Detect secondary SMBus controller on AMD AM4 chipsets + - [x86] iio: pressure: bmp280: Tolerate IRQ before registering + - [arm64] clk: qcom: msm8916: Fix the address location of pll->config_reg + - [arm64] backlight: lp855x: Ensure regulators are disabled on probe + failure + - [i386] ALSA: isa/wavefront: prevent out of bounds write in ioctl + - scsi: qla2xxx: Fix issue with adapter's stopping state + - [x86] iio: bmp280: fix compensation of humidity + - [i386] i2c: pxa: clear all master action bits in i2c_pxa_stop_message() + - usblp: poison URBs upon disconnect + - [arm64] PCI: aardvark: Don't blindly enable ASPM L0s and don't write to + read-only register + - vfio/pci: fix memory leaks in alloc_perm_bits() + - scsi: lpfc: Fix lpfc_nodelist leak when processing unsolicited event + - nfsd: Fix svc_xprt refcnt leak when setup callback client failed + - yam: fix possible memory leak in yam_init_driver + - mksysmap: Fix the mismatch of '.L' symbols in System.map + - scsi: sr: Fix sr_probe() missing deallocate of device minor + - tty: hvc: Fix data abort due to race in hvc_open + - [i386] i2c: pxa: fix i2c_pxa_scream_blue_murder() debug output + - [arm64,armhf] serial: amba-pl011: Make sure we initialize the port.lock + spinlock + - drivers: base: Fix NULL pointer exception in __platform_driver_probe() if + a driver developer is foolish + - PCI/ASPM: Allow ASPM on links to PCIe-to-PCI/PCI-X Bridges + - scsi: mpt3sas: Fix double free warnings + - dlm: remove BUG() before panic() + - tty: n_gsm: Fix SOF skipping + - tty: n_gsm: Fix waking up upper tty layer when room available + - vfio-pci: Mask cap zero + - [arm64] drm/msm/mdp5: Fix mdp5_init error path for failed mdp5_kms + allocation + - [armhf] USB: host: ehci-mxc: Add error handling in ehci_mxc_drv_probe() + - tty: n_gsm: Fix bogus i++ in gsm_data_kick + - [armhf] clk: samsung: exynos5433: Add IGNORE_UNUSED flag to sclk_i2s1 + - PCI/PTM: Inherit Switch Downstream Port PTM settings from Upstream Port + - IB/cma: Fix ports memory leak in cma_configfs + - [arm64,armhf] usb: dwc2: gadget: move gadget resume after the core is in + L0 state + - usb: gadget: Fix issue with config_ep_by_speed function + - [arm64,armhf] clk: bcm2835: Fix return type of bcm2835_register_gate + - net: sunrpc: Fix off-by-one issues in 'rpc_ntop6' + - NFSv4.1 fix rpc_call_done assignment for BIND_CONN_TO_SESSION + - extcon: adc-jack: Fix an error handling path in 'adc_jack_probe()' + - gfs2: Allow lock_nolock mount to specify jid=X + - scsi: iscsi: Fix reference count leak in iscsi_boot_create_kobj + - [armhf] crypto: omap-sham - add proper load balancing support for + multicore + - lib/zlib: remove outdated and incorrect pre-increment optimization + - perf report: Fix NULL pointer dereference in + hists__fprintf_nr_sample_events() + - bcache: fix potential deadlock problem in btree_gc_coalesce + (CVE-2020-12771) + - block: Fix use-after-free in blkdev_get() + - libata: Use per port sync for detach + - drm: encoder_slave: fix refcouting error for modules + - drm/dp_mst: Reformat drm_dp_check_act_status() a bit + - drm/qxl: Use correct notify port address when creating cursor ring + - selinux: fix double free + - ext4: fix partial cluster initialization when splitting extent + - drm/dp_mst: Increase ACT retry timeout to 3s + - [x86] boot/compressed: Relax sed symbol type regex for LLVM ld.lld + - block: nr_sects_write(): Disable preemption on seqcount write + - [x86] drm/i915: Whitelist context-local timestamp in the gen9 cmdparser + - crypto: algboss - don't wait during notifier callback + - kprobes: Fix to protect kick_kprobe_optimizer() by kprobe_mutex + - [x86] kprobes: Avoid kretprobe recursion bug + - kretprobe: Prevent triggering kretprobe from within kprobe_flush_task + - e1000e: Do not wake up the system via WOL if device wakeup is disabled + - net: core: device_rename: Use rwsem instead of a seqcount + - media: dvb_frontend: initialize variable s with FE_NONE instead of 0 + - media: dvb/frontend.h: move out a private internal structure + - media: dvb/frontend.h: document the uAPI file + - media: dvb_frontend: get rid of get_property() callback + - media: stv0288: get rid of set_property boilerplate + - media: stv6110: get rid of a srate dead code + - media: friio-fe: get rid of set_property() + - media: dvb_frontend: get rid of set_property() callback + - media: dvb_frontend: cleanup dvb_frontend_ioctl_properties() + - media: dvb_frontend: cleanup ioctl handling logic + - media: dvb_frontend: get rid of property cache's state + - media: dvb_frontend: better document the -EPERM condition + - media: dvb_frontend: fix return values for FE_SET_PROPERTY + - media: dvb_frontend: dtv_property_process_set() cleanups + - media: dvb_frontend: be sure to init dvb_frontend_handle_ioctl() return + code + - media: dvb_frontend: Add unlocked_ioctl in dvb_frontend.c + - media: dvb_frontend: Add compat_ioctl callback + - media: dvb_frontend: Add commands implementation for compat ioct + - media: dvb_frontend: fix wrong cast in compat_ioctl + - media: dvb_frontend: fix return error code + - mtd: rawnand: Pass a nand_chip object to nand_release() + - [x86] mtd: rawnand: diskonchip: Fix the probe error path + - [armel,armhf] mtd: rawnand: orion: Fix the probe error path + - l2tp: Allow duplicate session creation with UDP + - net: sched: export __netdev_watchdog_up() + - mld: fix memory leak in ipv6_mc_destroy_dev() + - net: fix memleak in register_netdevice() + - net: usb: ax88179_178a: fix packet alignment padding + - rxrpc: Fix notification call on completion of discarded calls + - tg3: driver sleeps indefinitely when EEH errors exceed eeh_max_freezes + - ip_tunnel: fix use-after-free in ip_tunnel_lookup() + - tcp_cubic: fix spurious HYSTART_DELAY exit upon drop in min RTT + - ip6_gre: fix use-after-free in ip6gre_tunnel_lookup() + - tcp: grow window for OOO packets only for SACK flows + - sctp: Don't advertise IPv4 addresses if ipv6only is set on the socket + - net: Fix the arp error in some cases + - net: Do not clear the sock TX queue in sk_set_socket() + - net: core: reduce recursion limit value + - [arm64,armhf] usb: dwc2: Postponed gadget registration to the udc class + driver + - usb: add USB_QUIRK_DELAY_INIT for Logitech C922 + - USB: ehci: reopen solution for Synopsys HC bug + - [armhf] usb: host: ehci-exynos: Fix error check in exynos_ehci_probe() + - ALSA: usb-audio: add quirk for Denon DCD-1500RE + - xhci: Fix incorrect EP_STATE_MASK + - xhci: Fix enumeration issue when setting max packet size for FS devices. + - cdc-acm: Add DISABLE_ECHO quirk for Microchip/SMSC chip + - ALSA: usb-audio: uac1: Invalidate ctl on interrupt + - ALSA: usb-audio: Clean up mixer element list traverse + - ALSA: usb-audio: Fix OOB access of mixer element list + - xhci: Poll for U0 after disabling USB2 LPM + - cifs/smb3: Fix data inconsistent when punch hole + - cifs/smb3: Fix data inconsistent when zero file range + - efi/esrt: Fix reference count leak in esre_create_sysfs_entry. + - RDMA/mad: Fix possible memory leak in ib_mad_post_receive_mads() + - net: qed: fix left elements count calculation + - net: qed: fix NVMe login fails over VFs + - net: qed: fix excessive QM ILT lines consumption + - [armhf] imx5: add missing put_device() call in imx_suspend_alloc_ocram() + - usb: gadget: udc: Potential Oops in error handling code + - netfilter: ipset: fix unaligned atomic access + - sched/core: Fix PI boosting between RT and DEADLINE tasks + - ata/libata: Fix usage of page address by page_address in + ata_scsi_mode_select_xlat function + - net: alx: fix race condition in alx_remove + - kbuild: improve cc-option to clean up all temporary files + - blktrace: break out of blktrace setup on concurrent calls + - ALSA: hda: Add NVIDIA codec IDs 9a & 9d through a0 to patch table + - ACPI: sysfs: Fix pm_profile_attr type + - [x86] KVM: X86: Fix MSR range of APIC registers in X2APIC mode + - mm/slab: use memzero_explicit() in kzfree() + - ocfs2: load global_inode_alloc + - ocfs2: fix value of OCFS2_INVALID_SLOT + - ocfs2: fix panic on nfs server over ocfs2 + - [arm64] perf: Report the PC value in REGS_ABI_32 mode + - tracing: Fix event trigger to accept redundant spaces + - drm/radeon: fix fb_div check in ni_init_smc_spll_table() + - sunrpc: fixed rollback in rpc_gssd_dummy_populate() + - SUNRPC: Properly set the @subbuf parameter of xdr_buf_subsegment() + - pNFS/flexfiles: Fix list corruption if the mirror count changes + - xfs: add agf freeblocks verify in xfs_agf_verify (CVE-2020-12655) + - Revert "tty: hvc: Fix data abort due to race in hvc_open" + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.230 + - btrfs: fix a block group ref counter leak after failure to remove block + group + - btrfs: cow_file_range() num_bytes and disk_num_bytes are same + - btrfs: fix data block group relocation failure due to concurrent scrub + - mm: fix swap cache node allocation mask + - [x86] EDAC/amd64: Read back the scrub rate PCI register on F15h + - usbnet: smsc95xx: Fix use-after-free after removal + - mm/slub.c: fix corrupted freechain in deactivate_slab() + - mm/slub: fix stack overruns with SLUB_STATS + - usb: usbtest: fix missing kfree(dev->buf) in usbtest_disconnect + (CVE-2020-15393) + - crypto: af_alg - fix use-after-free in af_alg_accept() due to + bh_lock_sock() + - sched/rt: Show the 'sched_rr_timeslice' SCHED_RR timeslice tuning knob in + milliseconds + - cxgb4: parse TC-U32 key values and masks natively + - [x86] hwmon: (acpi_power_meter) Fix potential memory leak in + acpi_power_meter_add() + - virtio-blk: free vblk-vqs in error path of virtblk_probe() + - i2c: algo-pca: Add 0x78 as SCL stuck low status for PCA9665 + - SMB3: Honor 'seal' flag for multiuser mounts + - SMB3: Honor persistent/resilient handle flags for multiuser mounts + - netfilter: nf_conntrack_h323: lost .data_len definition for Q.931/ipv6 + - efi: Make it possible to disable efivar_ssdt entirely + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.231 + - [arm64,armhf] gpu: host1x: Detach driver on unregister + - spi: spidev: fix a race between spidev_release and spidev_remove + - spi: spidev: fix a potential use-after-free in spidev_release() + - cifs: update ctime and mtime during truncate + - [armhf] imx6: add missing put_device() call in imx6q_suspend_init() + - scsi: mptscsih: Fix read sense data size + - net: cxgb4: fix return error value in t4_prep_fw + - smsc95xx: check return value of smsc95xx_reset + - smsc95xx: avoid memory leak in smsc95xx_bind + - ALSA: compress: fix partial_drain completion state + - bnxt_en: fix NULL dereference in case SR-IOV configuration fails + - [arm64] net: macb: mark device wake capable when "magic-packet" property + present + - [i386] ALSA: opl3: fix infoleak in opl3 + - ALSA: hda - let hs_mic be picked ahead of hp_mic + - ALSA: usb-audio: add quirk for MacroSilicon MS2109 + - [arm64] KVM: arm64: Fix definition of PAGE_HYP_DEVICE + - [x86] KVM: x86: bit 8 of non-leaf PDPEs is not reserved + - Revert "ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb" + - btrfs: fix fatal extent_buffer readahead vs releasepage race + - drm/radeon: fix double free + - ipv4: fill fl4_icmp_{type,code} in ping_v4_sendmsg + - l2tp: remove skb_dst_set() from l2tp_xmit_skb() + - llc: make sure applications use ARPHRD_ETHER + - net: Added pointer check for dst->ops->neigh_lookup in + dst_neigh_lookup_skb + - net: usb: qmi_wwan: add support for Quectel EG95 LTE modem + - tcp: md5: add missing memory barriers in tcp_md5_do_add()/ + tcp_md5_hash_key() + - tcp: md5: refine tcp_md5_do_add()/tcp_md5_hash_key() barriers + - genetlink: remove genl_bind + - tcp: make sure listeners don't initialize congestion-control state + - tcp: md5: do not send silly options in SYNCOOKIES + - tcp: md5: allow changing MD5 keys in all socket states + - cgroup: fix cgroup_sk_alloc() for sk_clone_lock() (CVE-2020-14356) + - cgroup: Fix sock_cgroup_data on big-endian. + - [i386] i2c: eg20t: Load module automatically if ID matches + - [armhf] iio: mma8452: Add missed iio_device_unregister() call in + mma8452_probe() + - [armhf] net: dsa: bcm_sf2: Fix node reference count + - [armhf] spi: spi-sun6i: sun6i_spi_transfer_one(): fix setting of clock + rate + - [x86] staging: comedi: verify array index is correct before using it + - [armhf] dts: socfpga: Align L2 cache-controller nodename with dtschema + - perf stat: Zero all the 'ena' and 'run' array slot stats for interval mode + - HID: magicmouse: do not set up autorepeat + - usb: core: Add a helper function to check the validity of EP type in URB + - ALSA: line6: Perform sanity check for each URB creation + - ALSA: usb-audio: Fix race against the error recovery URB submission + - [arm64,armhf] usb: dwc2: Fix shutdown callback in platform + - [arm64,armhf] usb: chipidea: core: add wakeup support for extcon + - usb: gadget: function: fix missing spinlock in f_uac1_legacy + - USB: serial: iuu_phoenix: fix memory corruption + - USB: serial: cypress_m8: enable Simply Automated UPB PIM + - USB: serial: ch341: add new Product ID for CH340 + - USB: serial: option: add GosunCn GM500 series + - USB: serial: option: add Quectel EG95 LTE modem + - virtio: virtio_console: add missing MODULE_DEVICE_TABLE() for rproc serial + - fuse: Fix parameter for FS_IOC_{GET,SET}FLAGS + - mei: bus: don't clean driver pointer + - [x86] Input: i8042 - add Lenovo XiaoXin Air 12 to i8042 nomux list + - timer: Fix wheel index calculation on last level + - [arm64] ptrace: Override SPSR.SS when single-stepping is enabled + - sched/fair: handle case of task_h_load() returning 0 + - [arm64,armhf] irqchip/gic: Atomically update affinity + - [x86] cpu: Move x86_cache_bits settings + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.232 + - [x86] pinctrl: amd: fix npins for uart0 in kerncz_groups + - mac80211: allow rx of mesh eapol frames with default rx key + - scsi: scsi_transport_spi: Fix function pointer check + - net: sky2: initialize return of gm_phy_read + - drm/nouveau/i2c/g94-: increase NV_PMGR_DP_AUXCTL_TRANSACTREQ timeout + - uprobes: Change handle_swbp() to send SIGTRAP with si_code=SI_KERNEL, to + fix GDB regression + - ALSA: info: Drop WARN_ON() from buffer NULL sanity check + - btrfs: fix double free on ulist after backref resolution failure + - btrfs: fix mount failure caused by race with umount + - bnxt_en: Fix race when modifying pause settings. + - [x86] hippi: Fix a size used in a 'pci_free_consistent()' in an error + handling path + - ax88172a: fix ax88172a_unbind() failures + - net: dp83640: fix SIOCSHWTSTAMP to update the struct with actual + configuration + - [arm64,armhf] net: smc91x: Fix possible memory leak in smc_drv_probe() + - [x86] HID: i2c-hid: add Mediacom FlexBook edge13 to descriptor override + - HID: apple: Disable Fn-key key-re-mapping on clone keyboards + - [arm64] dmaengine: tegra210-adma: Fix runtime PM imbalance on error + - regmap: dev_get_regmap_match(): fix string comparison + - dmaengine: ioat setting ioat timeout as module parameter + - [arm64] Use test_tsk_thread_flag() for checking TIF_SINGLESTEP + - usb: xhci: Fix ASM2142/ASM3142 DMA addressing + - staging: wlan-ng: properly check endpoint types + - [x86] staging: comedi: addi_apci_{1032,1500,1564}: check + INSN_CONFIG_DIGITAL_TRIG shift + - [x86] staging: comedi: ni_6527: fix INSN_CONFIG_DIGITAL_TRIG support + - serial: 8250: fix null-ptr-deref in serial8250_start_tx() + - vt: Reject zero-sized screen buffer size. + - mm/memcg: fix refcount error while moving and swapping + - io-mapping: indicate mapping failure + - ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb + - ath9k: Fix regression with Atheros 9271 + - AX.25: Fix out-of-bounds read in ax25_connect() + - AX.25: Prevent out-of-bounds read in ax25_sendmsg() + - dev: Defer free of skbs in flush_backlog + - net-sysfs: add a newline when printing 'tx_timeout' by sysfs + - net: udp: Fix wrong clean up for IS_UDPLITE macro + - rxrpc: Fix sendmsg() returning EPIPE due to recvmsg() returning ENODATA + - AX.25: Prevent integer overflows in connect and sendmsg + - tcp: allow at most one TLP probe per flight + - ip6_gre: fix null-ptr-deref in ip6gre_init_net() + - regmap: debugfs: check count when read regmap file + - perf probe: Fix to check blacklist address correctly + - perf annotate: Use asprintf when formatting objdump command line + - perf tools: Fix snprint warnings for gcc 8 + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.233 + - net: phy: mdio-bcm-unimac: fix potential NULL dereference in + unimac_mdio_probe() + - [x86] crypto: ccp - Release all allocated memory if sha type is invalid + - media: rc: prevent memory leak in cx23888_ir_probe + - ath9k_htc: release allocated buffer if timed out (CVE-2019-19073) + - ath9k: release allocated buffer if timed out (CVE-2019-19074) + - PCI/ASPM: Disable ASPM on ASMedia ASM1083/1085 PCIe-to-PCI bridge + - [armel,armhf] 8986/1: hw_breakpoint: Don't invoke overflow handler on + uaccess watchpoints + - drm/amdgpu: Prevent kernel-infoleak in amdgpu_info_ioctl() + - drm: hold gem reference until object is no longer accessed + - f2fs: check memory boundary by insane namelen + - f2fs: check if file namelen exceeds max value (CVE-2019-9445) + - 9p/trans_fd: abort p9_read_work if req status changed + - 9p/trans_fd: Fix concurrency del of req_list in p9_fd_cancelled/ + p9_read_work + - [x86] build/lto: Fix truncated .bss with -fdata-sections + - [x86] vmlinux.lds: Page-align end of ..page_aligned sections + - fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins. + - rds: Prevent kernel-infoleak in rds_notify_queue_get() + - xfs: fix missed wakeup on l_flush_wait + - uapi: includes linux/types.h before exporting files + - install several missing uapi headers + - net/x25: Fix x25_neigh refcnt leak when x25 disconnect + - net/x25: Fix null-ptr-deref in x25_disconnect + - net: lan78xx: add missing endpoint sanity check + - net: lan78xx: fix transfer-buffer memory leak + - mlx4: disable device on shutdown + - mac80211: mesh: Free ie data when leaving mesh + - mac80211: mesh: Free pending skb when destroying a mpath + - [arm64] csum: Fix handling of bad packets + - usb: hso: Fix debug compile warning on sparc32 + - qed: Disable "MFW indication via attention" SPAM every 5 minutes + - xen-netfront: fix potential deadlock in xennet_remove() + - [x86] KVM: LAPIC: Prevent setting the tscdeadline timer if the lapic is + hw disabled + - [x86] i8259: Use printk_deferred() to prevent deadlock + - random32: update the net random state on interrupt and activity + (CVE-2020-16166) + - [armel,armhf] percpu.h: fix build error + - random: fix circular include dependency on arm64 after addition of + percpu.h + - random32: move the pseudo-random 32-bit definitions to prandom.h + - ext4: fix direct I/O read error + - USB: serial: qcserial: add EM7305 QDL product ID + - net/mlx5e: Don't support phys switch id if not in switchdev mode + - ALSA: seq: oss: Serialize ioctls + - Bluetooth: Fix slab-out-of-bounds read in + hci_extended_inquiry_result_evt() + - Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_evt() + - Bluetooth: Prevent out-of-bounds read in + hci_inquiry_result_with_rssi_evt() + - vgacon: Fix for missing check in scrollback handling (CVE-2020-14331) + - mtd: properly check all write ioctls for permissions + - leds: wm831x-status: fix use-after-free on unbind + - net/9p: validate fds in p9_fd_open + - drm/nouveau/fbcon: fix module unload when fbcon init has failed for some + reason + - cfg80211: check vendor command doit pointer before use + - igb: reinit_locked() should be called with rtnl_lock + - atm: fix atm_dev refcnt leaks in atmtcp_remove_persistent + - tools lib traceevent: Fix memory leak in process_dynamic_array_len + - xattr: break delegations in {set,remove}xattr + - binder: Prevent context manager from incrementing ref 0 + - ipv4: Silence suspicious RCU usage warning + - ipv6: fix memory leaks on IPV6_ADDRFORM path + - vxlan: Ensure FDB dump is performed under RCU + - net: lan78xx: replace bogus endpoint lookup + - Revert "vxlan: fix tos value before xmit" + - usb: hso: check for return value in hso_serial_common_create() + - tracepoint: Mark __tracepoint_string's __used + - gpio: fix oops resulting from calling of_get_named_gpio(NULL, ...) + - cgroup: add missing skcd->no_refcnt check in cgroup_sk_clone() + (CVE-2020-25220) + - EDAC: Fix reference count leaks + - [arm64] dts: qcom: msm8916: Replace invalid bias-pull-none property + - [arm64] dts: exynos: Fix silent hang after boot on Espresso + - [x86] platform/x86: intel-hid: Fix return value check in check_acpi_dev() + - [x86] platform/x86: intel-vbtn: Fix return value check in + check_acpi_dev() + - [armhf] socfpga: PM: add missing put_device() call in + socfpga_setup_ocram_self_refresh() + - [armhf] drm/tilcdc: fix leak & null ref in panel_connector_get_modes + - Bluetooth: add a mutex lock to avoid UAF in do_enale_set + - fs/btrfs: Add cond_resched() for try_release_extent_mapping() stalls + - drm/radeon: Fix reference count leaks caused by pm_runtime_get_sync + - video: fbdev: neofb: fix memory leak in neo_scan_monitor() + - md-cluster: fix wild pointer of unlock_all_bitmaps() + - drm/nouveau: fix multiple instances of reference count leaks + - drm/debugfs: fix plain echo to connector "force" attribute + - mm/mmap.c: Add cond_resched() for exit_mmap() CPU stalls + - brcmfmac: To fix Bss Info flag definition Bug + - iwlegacy: Check the return value of pcie_capability_read_*() + - usb: gadget: net2280: fix memory leak on probe error handling paths + - bdc: Fix bug causing crash after multiple disconnects + - dyndbg: fix a BUG_ON in ddebug_describe_flags + - bcache: fix super block seq numbers comparision in register_cache_set() + - ACPICA: Do not increment operation_region reference counts for field + units + - [x86] agp/intel: Fix a memory leak on module initialisation failure + - iio: improve IIO_CONCENTRATION channel type description + - [armhf] media: omap3isp: Add missed v4l2_ctrl_handler_free() for + preview_init_entities() + - [armhf] drm/mipi: use dcs write for mipi_dsi_dcs_set_tear_scanline + - drm/radeon: fix array out-of-bounds read and write issues + - media: firewire: Using uninitialized values in node_probe() + - xfs: fix reflink quota reservation accounting error + - PCI: Fix pci_cfg_wait queue locking problem + - leds: core: Flush scheduled work for system suspend + - [arm64,armhf] drm: panel: simple: Fix bpc for LG LB070WV8 panel + - scsi: scsi_debug: Add check for sdebug_max_queue during module init + - mwifiex: Prevent memory corruption handling keys + - [x86] staging: rtl8192u: fix a dubious looking mask before a shift + - PCI/ASPM: Add missing newline in sysfs 'policy' + - [armhf] drm/imx: tve: fix regulator_disable error path + - USB: serial: iuu_phoenix: fix led-activity helpers + - [arm64,armhf] usb: dwc2: Fix error path in gadget registration + - [arm64,armhf] wl1251: fix always return 0 error + - dlm: Fix kobject memleak + - pinctrl-single: fix pcs_parse_pinconf() return value + - [x86] drivers/net/wan/lapbether: Added needed_headroom and a skb->len + check + - net/nfc/rawsock.c: add CAP_NET_RAW check. (CVE-2020-26088) + - net: Set fput_needed iff FDPUT_FPUT is set + - USB: serial: cp210x: re-enable auto-RTS on open + - USB: serial: cp210x: enable usb generic throttle/unthrottle + - ALSA: usb-audio: Creative USB X-Fi Pro SB1095 volume knob support + - ALSA: usb-audio: fix overeager device match for MacroSilicon MS2109 + - ALSA: usb-audio: add quirk for Pioneer DDJ-RB + - [x86] crypto: qat - fix double free in qat_uclo_create_batch_init_list + - [x86] crypto: ccp - Fix use of merged scatterlists + - fs/minix: check return value of sb_getblk() + - fs/minix: don't allow getting deleted inodes + - fs/minix: reject too-large maximum file size + - ALSA: usb-audio: work around streaming quirk for MacroSilicon MS2109 + - 9p: Fix memory leak in v9fs_mount + - xen/balloon: fix accounting in alloc_xenballooned_pages error path + - xen/balloon: make the balloon wait interruptible + - smb3: warn on confusing error scenario with sec=krb5 + - PCI: hotplug: ACPI: Fix context refcounting in acpiphp_grab_context() + - btrfs: don't allocate anonymous block device for user invisible roots + - btrfs: only search for left_info if there is no right_info in + try_merge_free_space (CVE-2019-19448) + - btrfs: fix memory leaks after failure to lookup checksums during inode + logging + - [arm64,armhf] net: ethernet: stmmac: Disable hardware multicast filter + - [arm64,armhf] net: stmmac: dwmac1000: provide multicast filter fallback + - net/compat: Add missing sock updates for SCM_RIGHTS + - md/raid5: Fix Force reconstruct-write io stuck in degraded raid5 + - bcache: allocate meta data pages as compound pages + - mac80211: fix misplaced while instead of if + - ext2: fix missing percpu_counter_inc + - ocfs2: change slot number type s16 to u16 + - ftrace: Setup correct FTRACE_FL_REGS flags for module + - kprobes: Fix NULL pointer dereference at kprobe_ftrace_handler + - [x86] watchdog: f71808e_wdt: indicate WDIOF_CARDRESET support in + watchdog_info.options + - [x86] watchdog: f71808e_wdt: remove use of wrong watchdog_info option + - [x86] watchdog: f71808e_wdt: clear watchdog timeout occurred flag + - USB: serial: ftdi_sio: make process-packet buffer unsigned + - USB: serial: ftdi_sio: clean up receive processing + - [armhf] gpu: ipu-v3: image-convert: Combine rotate/no-rotate irq handlers + - [armhf] iommu/omap: Check for failure of a call to omap_iommu_dump_ctx + - [x86] iommu/vt-d: Enforce PASID devTLB field mask + - Input: sentelic - fix error return when fsp_reg_write fails + - [x86] drm/vmwgfx: Fix two list_for_each loop exit tests + - [arm64] net: qcom/emac: add missed clk_disable_unprepare in error path of + emac_clks_phase1_init + - nfs: Fix getxattr kernel panic and memory overflow (CVE-2020-25212) + - fs/ufs: avoid potential u32 multiplication overflow + - ALSA: echoaudio: Fix potential Oops in snd_echo_resume() + - khugepaged: retract_page_tables() remember to test exit + - mm: Avoid calling build_all_zonelists_init under hotplug context + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.234 + - [x86] asm: Add instruction suffixes to bitops + - [armhf] drm/imx: imx-ldb: Disable both channels for split mode in + enc->disable() + - perf probe: Fix memory leakage when the probe point is not found + - tracing: Clean up the hwlat binding code + - [rt] tracing/hwlat: Honor the tracing_cpumask + - khugepaged: khugepaged_test_exit() check mmget_still_valid() + - khugepaged: adjust VM_BUG_ON_MM() in __khugepaged_enter() + - btrfs: export helpers for subvolume name/id resolution + - btrfs: don't show full path of bind mounts in subvol= + - romfs: fix uninitialized memory leak in romfs_dev_read() + - kernel/relay.c: fix memleak on destroy relay channel + - [armhf] mm: include CMA pages in lowmem_reserve at boot + - mm, page_alloc: fix core hung in free_pcppages_bulk() + - ext4: clean up ext4_match() and callers + - ext4: fix checking of directory entry validity for inline directories + - scsi: ufs: Add DELAY_BEFORE_LPM quirk for Micron devices + - media: budget-core: Improve exception handling in budget_register() + - Input: psmouse - add a newline when printing 'proto' by sysfs + - xfs: fix inode quota reservation checks + - jffs2: fix UAF problem + - scsi: libfc: Free skb in fc_disc_gpn_id_resp() for valid cases + - virtio_ring: Avoid loop when vq is broken in virtqueue_poll + - xfs: Fix UBSAN null-ptr-deref in xfs_sysfs_init + - ext4: fix potential negative array index in do_split() (CVE-2020-14314) + - i40e: Set RX_ONLY mode for unicast promiscuous on VLAN + - [x86] ASoC: intel: Fix memleak in sst_media_open + - [armhf] net: dsa: b53: check for timeout + - epoll: Keep a reference on files added to the check list + - do_epoll_ctl(): clean the failure exits up a bit + - mm/hugetlb: fix calculation of adjust_range_if_pmd_sharing_possible + - xen: don't reschedule in preemption off sections + - [arm64,armhf] KVM: arm/arm64: Don't reschedule in unmap_stage2_range() + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.235 + - bonding: fix a potential double-unregister + - bonding: show saner speed for broadcast mode + - net: Fix potential wrong skb->protocol in skb_vlan_untag() + - tipc: fix uninit skb->data in tipc_nl_compat_dumpit() + - ipvlan: fix device features + - gre6: Fix reception with IP6_TNL_F_RCV_DSCP_COPY + - ALSA: pci: delete repeated words in comments + - [arm64,armhf] ASoC: tegra: Fix reference count leaks. + - [arm64] dts: qcom: msm8916: Pull down PDM GPIOs during sleep + - media: pci: ttpci: av7110: fix possible buffer overflow caused by bad DMA + value in debiirq() + - scsi: target: tcmu: Fix crash on ARM during cmd completion + - [x86] drm/amdkfd: Fix reference count leaks. + - drm/radeon: fix multiple reference count leak + - drm/amdgpu: fix ref count leak in amdgpu_driver_open_kms + - drm/amd/display: fix ref count leak in amdgpu_drm_ioctl + - drm/amdgpu: fix ref count leak in amdgpu_display_crtc_set_config + - drm/amdgpu/display: fix ref count leak when pm_runtime_get_sync fails + - scsi: lpfc: Fix shost refcount mismatch when deleting vport + - PCI: Fix pci_create_slot() reference count leak + - rtlwifi: rtl8192cu: Prevent leaking urb + - cec-api: prevent leaking memory through hole in structure + - drm/nouveau/drm/noveau: fix reference count leak in nouveau_fbcon_open + - drm/nouveau: Fix reference count leak in nouveau_connector_detect + - scsi: iscsi: Do not put host in iscsi_set_flashnode_param() + - ceph: fix potential mdsc use-after-free crash + - scsi: fcoe: Memory leak fix in fcoe_sysfs_fcf_del() + - [x86] EDAC/ie31200: Fallback if host bridge device is already initialized + - media: davinci: vpif_capture: fix potential double free + - USB: sisusbvga: Fix a potential UB casued by left shifting a negative + value + - efi: provide empty efi_enter_virtual_mode implementation + - Revert "ath10k: fix DMA related firmware crashes on multiple devices" + - usb: gadget: f_tcm: Fix some resource leaks in some error paths + - jbd2: make sure jh have b_transaction set in refile/unfile_buffer + - jbd2: abort journal if free a async write error metadata buffer + - fs: prevent BUG_ON in submit_bh_wbc() + - scsi: ufs: Fix possible infinite loop in ufshcd_hold + - scsi: ufs: Improve interrupt handling for shared interrupts + - [x86] HID: i2c-hid: Always sleep 60ms after I2C_HID_PWR_ON commands + - btrfs: fix space cache memory leak after transaction abort + - fbcon: prevent user font height or width change from causing potential + out-of-bounds access + - vt: defer kfree() of vc_screenbuf in vc_do_resize() + - vt_ioctl: change VT_RESIZEX ioctl to check for error return from + vc_resize() + - [armhf] serial: samsung: Removes the IRQ not found warning + - [arm64,armhf] serial: pl011: Fix oops on -EPROBE_DEFER + - [arm64,armhf] serial: pl011: Don't leak amba_ports entry on driver + register error + - serial: 8250: change lock order in serial8250_do_startup() + - writeback: Protect inode->i_io_list with inode->i_lock + - writeback: Avoid skipping inode writeback + - writeback: Fix sync livelock due to b_dirty_time processing + - XEN uses irqdesc::irq_data_common::handler_data to store a per interrupt + XEN data pointer which contains XEN specific information. + - xhci: Do warm-reset when both CAS and XDEV_RESUME are set + - PM: sleep: core: Fix the handling of pending runtime resume requests + - device property: Fix the secondary firmware node handling in + set_primary_fwnode() + - USB: yurex: Fix bad gfp argument + - usb: uas: Add quirk for PNY Pro Elite + - USB: quirks: Add no-lpm quirk for another Raydium touchscreen + - USB: Ignore UAS for JMicron JMS567 ATA/ATAPI Bridge + - usb: host: ohci-exynos: Fix error handling in exynos_ohci_probe() + - overflow.h: Add allocation size calculation helpers + - USB: gadget: u_f: add overflow checks to VLA macros + - USB: gadget: f_ncm: add bounds checks to ncm_unwrap_ntb() + - USB: gadget: u_f: Unbreak offset calculation in VLAs + - usb: storage: Add unusual_uas entry for Sony PSZ drives + - btrfs: check the right error variable in btrfs_del_dir_entries_in_log + - HID: hiddev: Fix slab-out-of-bounds write in hiddev_ioctl_usage() + - ALSA: usb-audio: Update documentation comment for MS2109 quirk + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.236 + - HID: core: Correctly handle ReportSize being zero + - HID: core: Sanitize event code and type when mapping input + - [x86] hwmon: (applesmc) check status earlier. + - nvmet: Disable keep-alive timer when kato is cleared to 0h + - ceph: don't allow setlease on cephfs + - xen/xenbus: Fix granting of vmalloc'd memory + - dmaengine: of-dma: Fix of_dma_router_xlate's of_dma_xlate handling + - batman-adv: Avoid uninitialized chaddr when handling DHCP + - batman-adv: bla: use netif_rx_ni when not in interrupt context + - dmaengine: at_hdmac: check return value of of_find_device_by_node() in + at_dma_xlate() + - netfilter: nf_tables: add NFTA_SET_USERDATA if not null + - netfilter: nf_tables: incorrect enum nft_list_attributes definition + - netfilter: nf_tables: fix destination register zeroing + - [arm64] net: hns: Fix memleak in hns_nic_dev_probe + - [armhf] dmaengine: pl330: Fix burst length if burst size is smaller than + bus width + - bnxt_en: Check for zero dir entries in NVRAM. + - bnxt_en: Fix PCI AER error recovery flow + - fix regression in "epoll: Keep a reference on files added to the check + list" + - tg3: Fix soft lockup when tg3_reset_task() fails. + - [x86] iommu/vt-d: Serialize IOMMU GCMD register modifications + - [armhf] thermal: ti-soc-thermal: Fix bogus thermal shutdowns for omap4430 + - include/linux/log2.h: add missing () around n in roundup_pow_of_two() + - btrfs: drop path before adding new uuid tree entry + - btrfs: Remove redundant extent_buffer_get in get_old_root + - btrfs: Remove extraneous extent_buffer_get from tree_mod_log_rewind + - btrfs: set the lockdep class for log tree extent buffers + - uaccess: Add non-pagefault user-space read functions + - uaccess: Add non-pagefault user-space write function + - btrfs: fix potential deadlock in the search ioctl + - net: usb: qmi_wwan: add Telit 0x1050 composition + - drivers: net: usb: qmi_wwan: add QMI_QUIRK_SET_DTR for Telit PID 0x1201 + - qmi_wwan: new Telewell and Sierra device IDs + - usb: qmi_wwan: add D-Link DWM-222 A2 device ID + - ALSA: ca0106: fix error code handling + - ALSA: pcm: oss: Remove superfluous WARN_ON() for mulaw sanity check + - ALSA: firewire-digi00x: exclude Avid Adrenaline from detection + - block: allow for_each_bvec to support zero len bvec (CVE-2020-25641) + - block: Move SECTOR_SIZE and SECTOR_SHIFT definitions into <linux/blkdev.h> + - libata: implement ATA_HORKAGE_MAX_TRIM_128M and apply to Sandisks + - dm cache metadata: Avoid returning cmd->bm wild pointer on error + - dm thin metadata: Avoid returning cmd->bm wild pointer on error + - mm: slub: fix conversion of freelist_corrupted() + - vfio/type1: Support faulting PFNMAP vmas + - vfio-pci: Fault mmaps to enable vma tracking + - vfio-pci: Invalidate mmaps and block MMIO access on disabled memory + (CVE-2020-12888) + - [arm64] KVM: arm64: Add kvm_extable for vaxorcism code + - [arm64] KVM: arm64: Defer guest entry when an asynchronous exception is + pending + - [arm64] KVM: arm64: Survive synchronous exceptions caused by AT + instructions + - [arm64] KVM: arm64: Set HCR_EL2.PTW to prevent AT taking synchronous + exception + - net: refactor bind_bucket fastreuse into helper + - net: initialize fastreuse on inet_inherit_port + - vfio/pci: Fix SR-IOV VF handling with MMIO blocking + - checkpatch: fix the usage of capture group ( ... ) + - mm/hugetlb: fix a race between hugetlb sysctl handlers (CVE-2020-25285) + - cfg80211: regulatory: reject invalid hints + - net: usb: Fix uninit-was-stored issue in asix_read_phy_addr() + - ALSA; firewire-tascam: exclude Tascam FE-8 from detection + - fs/affs: use octal for permissions + - affs: fix basic permission bits to actually work + - net: ethernet: mlx4: Fix memory allocation in mlx4_buddy_init() + - bnxt: don't enable NAPI until rings are ready + - netlabel: fix problems with mapping removal + - net: usb: dm9601: Add USB ID of Keenetic Plus DSL + - sctp: not disable bh in the whole sctp_get_port_local() + - net: disable netpoll on fresh napis + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.237 + - [armhf] dts: socfpga: fix register entry for timer3 on Arria10 + - RDMA/rxe: Fix memleak in rxe_mem_init_user + - RDMA/rxe: Drop pointless checks in rxe_init_ports + - scsi: libsas: Set data_dir as DMA_NONE if libata marks qc as NODATA + - [x86] drivers/net/wan/lapbether: Added needed_tailroom + - [x86] firestream: Fix memleak in fs_open + - ALSA: hda: Fix 2 channel swapping for Tegra + - [x86] drivers/net/wan/lapbether: Set network_header before transmitting + - xfs: initialize the shortform attr header padding entry + - [x86] drivers/net/wan/hdlc_cisco: Add hard_header_len + - ALSA: hda: fix a runtime pm issue in SOF when integrated GPU is disabled + - [x86] iio:accel:bmc150-accel: Fix timestamp alignment and prevent data + leak. + - [x86] iio:magnetometer:ak8975 Fix alignment and data leak issues. + - [armhf] iio:accel:mma8452: Fix timestamp alignment and prevent data leak. + - USB: core: add helpers to retrieve endpoints + - [x86] staging: wlan-ng: fix out of bounds read in prism2sta_probe_usb() + - btrfs: fix wrong address when faulting in pages in the search ioctl + - regulator: push allocation in set_consumer_device_supply() out of lock + - scsi: target: iscsi: Fix data digest calculation + - scsi: target: iscsi: Fix hang in iscsit_access_np() when getting + tpg->np_login_sem + - rbd: require global CAP_SYS_ADMIN for mapping and unmapping + (CVE-2020-25284) + - fbcon: remove soft scrollback code (CVE-2020-14390) + - fbcon: remove now unusued 'softback_lines' cursor() argument + - vgacon: remove software scrollback support + - [x86] KVM: VMX: Don't freeze guest when event delivery causes an APIC- + access exit + - video: fbdev: fix OOB read in vga_8planes_imageblit() + - usb: core: fix slab-out-of-bounds Read in read_descriptors + - USB: serial: ftdi_sio: add IDs for Xsens Mti USB converter + - USB: serial: option: add support for SIM7070/SIM7080/SIM7090 modules + - usb: Fix out of sync data toggle if a configured device is reconfigured + - IB/rxe: Remove a pointless indirection layer + - RDMA/rxe: Fix the parent sysfs read when the interface has 15 chars + - net: handle the return value of pskb_carve_frag_list() correctly + - NFSv4.1 handle ERR_DELAY error reclaiming locking state on delegation + recall + - scsi: pm8001: Fix memleak in pm8001_exec_internal_task_abort + - scsi: lpfc: Fix FLOGI/PLOGI receive race condition in pt2pt discovery + - SUNRPC: stop printk reading past end of string + - i2c: algo: pca: Reapply i2c bus settings after reset + - [armhf] clk: rockchip: Fix initialization of mux_pll_src_4plls_p + - [x86] Drivers: hv: vmbus: Add timeout to vmbus_wait_for_unload + - perf test: Free formats for perf pmu parse test + - fbcon: Fix user font detection test at fbcon_resize(). + - [x86] USB: quirks: Add USB_QUIRK_IGNORE_REMOTE_WAKEUP quirk for BYD + zhaoxin notebook + - USB: UAS: fix disconnect by unplugging a hub + - usblp: fix race between disconnect() and read() + - [x86] Input: i8042 - add Entroware Proteus EL07R4 to nomux and reset + lists + - serial: 8250_pci: Add Realtek 816a and 816b + - ehci-hcd: Move include to keep CRC stable + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.238 + - af_key: pfkey_dump needs parameter validation + - KVM: fix memory leak in kvm_io_bus_unregister_dev() + - kprobes: fix kill kprobe which has been marked as gone + - RDMA/ucma: ucma_context reference leak in error path + - mtd: Fix comparison in map_word_andequal() + - hdlc_ppp: add range checks in ppp_cp_parse_cr() (CVE-2020-25643) + - ip: fix tos reflection in ack and reset packets + - tipc: use skb_unshare() instead in tipc_buf_append() + - bnxt_en: Protect bnxt_set_eee() and bnxt_set_pauseparam() with mutex. + - net: phy: Avoid NPD upon phy_detach() when driver is unbound + - net: add __must_check to skb_put_padto() + - serial: 8250: Avoid error message on reprobe + - scsi: aacraid: fix illegal IO beyond last LBA + - [x86] gma/gma500: fix a memory disclosure bug due to uninitialized bytes + - [armel/marvell] ASoC: kirkwood: fix IRQ error handling + - ALSA: usb-audio: Add delay quirk for H570e USB headsets + - [armhf] PM / devfreq: tegra30: Fix integer overflow on CPU's freq max out + - [armhf] clk/ti/adpll: allocate room for terminating null + - mtd: cfi_cmdset_0002: don't free cfi->cfiq in error path of + cfi_amdstd_setup() + - mfd: mfd-core: Protect against NULL call-back function pointer + - tracing: Adding NULL checks for trace_array descriptor pointer + - bcache: fix a lost wake-up problem caused by mca_cannibalize_lock + - RDMA/i40iw: Fix potential use after free + - xfs: fix attr leaf header freemap.size underflow + - RDMA/iw_cgxb4: Fix an error handling path in 'c4iw_connect()' + - debugfs: Fix !DEBUG_FS debugfs_create_automount + - CIFS: Properly process SMB3 lease breaks + - kernel/sys.c: avoid copying possible padding bytes in copy_to_user + - neigh_stat_seq_next() should increase position index + - rt_cpu_seq_next should increase position index + - seqlock: Require WRITE_ONCE surrounding raw_seqcount_barrier + - [armhf] media: ti-vpe: cal: Restrict DMA to avoid memory corruption + - ACPI: EC: Reference count query handlers under lock + - tracing: Set kernel_stack's caller size properly + - ar5523: Add USB ID of SMCWUSBT-G2 wireless adapter + - Bluetooth: Fix refcount use-after-free issue + - mm: pagewalk: fix termination condition in walk_pte_range() + - Bluetooth: prefetch channel before killing sock + - KVM: fix overflow of zero page refcount with ksm running + - ALSA: hda: Clear RIRB status before reading WP + - skbuff: fix a data race in skb_queue_len() + - audit: CONFIG_CHANGE don't log internal bookkeeping as an event + - selinux: sel_avc_get_stat_idx should increase position index + - scsi: lpfc: Fix RQ buffer leakage when no IOCBs available + - scsi: lpfc: Fix coverity errors in fmdi attribute handling + - [armhf] drm/omap: fix possible object reference leak + - RDMA/rxe: Fix configuration of atomic queue pair attributes + - [x86] KVM: x86: fix incorrect comparison in trace event + - [x86] pkeys: Add check for pkey "overflow" + - bpf: Remove recursion prevention from rcu free callback + - dmaengine: tegra-apb: Prevent race conditions on channel's freeing + - media: go7007: Fix URB type for interrupt handling + - Bluetooth: guard against controllers sending zero'd events + - timekeeping: Prevent 32bit truncation in scale64_check_overflow() + - drm/amdgpu: increase atombios cmd timeout + - Bluetooth: L2CAP: handle l2cap config request during open state + - media: tda10071: fix unsigned sign extension overflow + - xfs: don't ever return a stale pointer from __xfs_dir3_free_read + - tracing: Use address-of operator on section symbols + - serial: 8250_port: Don't service RX FIFO if throttled + - [armhf] serial: 8250_omap: Fix sleeping function called from invalid + context during probe + - [armhf] serial: 8250: 8250_omap: Terminate DMA before pushing data on RX + timeout + - cpufreq: powernv: Fix frame-size-overflow in powernv_cpufreq_work_fn + - SUNRPC: Fix a potential buffer overflow in 'svc_print_xprts()' + - svcrdma: Fix leak of transport addresses + - ubifs: Fix out-of-bounds memory access caused by abnormal value of + node_len + - ALSA: usb-audio: Fix case when USB MIDI interface has more than one extra + endpoint descriptor + - mm/filemap.c: clear page error before actual read + - mm/mmap.c: initialize align_offset explicitly for vm_unmapped_area + - [x86] KVM: Remove CREATE_IRQCHIP/SET_PIT2 race + - bdev: Reduce time holding bd_mutex in sync in blkdev_close() + - drivers: char: tlclk.c: Avoid data race between init and interrupt + handler + - atm: fix a memory leak of vcc->user_back + - Bluetooth: Handle Inquiry Cancel error after Inquiry Complete + - [armhf] tty: serial: samsung: Correct clock selection logic + - ALSA: hda: Fix potential race in unsol event handler + - fuse: don't check refcount after stealing page + - e1000: Do not perform reset in reset_task if we are already down + - printk: handle blank console arguments passed in. + - btrfs: don't force read-only after error in drop snapshot + - vfio/pci: fix memory leaks of eventfd ctx + - perf util: Fix memory leak of prefix_if_not_in + - perf kcore_copy: Fix module map when there are no modules loaded + - ceph: fix potential race in ceph_check_caps + - mtd: parser: cmdline: Support MTD names containing one or more colons + - [x86] speculation/mds: Mark mds_user_clear_cpu_buffers() __always_inline + - vfio/pci: Clear error and request eventfd ctx after releasing + - cifs: Fix double add page to memcg when cifs_readpages + - vfio/pci: fix racy on error and request eventfd ctx + - i2c: core: Call i2c_acpi_install_space_handler() before + i2c_acpi_register_devices() + - objtool: Fix noreturn detection for ignored functions + - ieee802154/adf7242: check status of adf7242_read_reg + - mwifiex: Increase AES key storage size to 256 bits + - batman-adv: bla: fix type misuse for backbone_gw hash indexing + - [x86] atm: eni: fix the missed pci_disable_device() for eni_init_one() + - batman-adv: mcast/TT: fix wrongly dropped or rerouted packets + - mac802154: tx: fix use-after-free + - batman-adv: Add missing include for in_interrupt() + - batman-adv: mcast: fix duplicate mcast packets in BLA backbone from mesh + - ALSA: asihpi: fix iounmap in error handler + - kprobes: Fix to check probe enabled before disarm_kprobe_ftrace() + - lib/string.c: implement stpcpy + - ata: define AC_ERR_OK + - ata: make qc_prep return ata_completion_errors + - ata: sata_mv, avoid trigerrable BUG_ON + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.239 + - vsock/virtio: use RCU to avoid use-after-free on the_virtio_vsock + - vsock/virtio: stop workers during the .remove() + - USB: gadget: f_ncm: Fix NDP16 datagram validation + - [x86] Input: i8042 - add nopnp quirk for Acer Aspire 5 A515 + - drm/amdgpu: restore proper ref count in amdgpu_display_crtc_set_config + - net: dec: de2104x: Increase receive ring size for Tulip + - rndis_host: increase sleep time in the query-response loop + - drivers/net/wan/hdlc: Set skb->protocol before transmitting + - mac80211: do not allow bigger VHT MPDUs than the hardware supports + - nfs: Fix security label length not being reset + - [armhf] clk: samsung: exynos4: mark 'chipid' clock as CLK_IGNORE_UNUSED + - random32: Restore __latent_entropy attribute on net_rand_state + - net/packet: fix overflow in tpacket_rcv (CVE-2020-14386) + - epoll: do not insert into poll queues until all sanity checks are done + - epoll: replace ->visited/visited_list with generation count + - epoll: EPOLL_CTL_ADD: close the race in decision to take fast path + - ep_create_wakeup_source(): dentry name can change under you... + - netfilter: ctnetlink: add a range check for l3/l4 protonum + (CVE-2020-25211) + - fbdev, newport_con: Move FONT_EXTRA_WORDS macros into linux/font.h + - Fonts: Support FONT_EXTRA_WORDS macros for built-in fonts + - fbcon: Fix global-out-of-bounds read in fbcon_get_font() + - net: wireless: nl80211: fix out-of-bounds access in nl80211_del_key() + - usermodehelper: reset umask to default before executing user process + - [x86] platform/x86: thinkpad_acpi: initialize tp_nvram_state variable + - [x86] platform/x86: thinkpad_acpi: re-initialize ACPI buffer size when + reuse + - driver core: Fix probe_count imbalance in really_probe() + - perf top: Fix stdio interface input handling with glibc 2.28+ + - [armhf] mtd: rawnand: sunxi: Fix the probe error path + - ftrace: Move RCU is watching check after recursion check + - macsec: avoid use-after-free in macsec_handle_frame() + - mm/khugepaged: fix filemap page_to_pgoff(page) != offset + - sctp: fix sctp_auth_init_hmacs() error path + - team: set dev->needed_headroom in team_setup_by_port() + - net: team: fix memory leak in __team_options_register + - openvswitch: handle DNAT tuple collision + - drm/amdgpu: prevent double kfree ttm->sg + - xfrm: clone XFRMA_REPLAY_ESN_VAL in xfrm_do_migrate + - xfrm: clone whole liftime_cur structure in xfrm_do_migrate + - [arm64,armhf] net: stmmac: removed enabling eee in EEE set callback + - xfrm: Use correct address family in xfrm_state_find + - bonding: set dev->needed_headroom in bond_setup_by_slave() + - [arm64] mdio: fix mdio-thunder.c dependency & build error + - rxrpc: Fix rxkad token xdr encoding + - rxrpc: Downgrade the BUG() for unsupported token type in rxrpc_read() + - rxrpc: Fix some missing _bh annotations on locking conn->state_lock + - rxrpc: Fix server keyring leak + - perf: Fix task_function_call() error handling + - mm: khugepaged: recalculate min_free_kbytes after memory hotplug as + expected by khugepaged + - net: usb: rtl8150: set random MAC address when set_ethernet_addr() fails + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.240 + - Bluetooth: A2MP: Fix not initializing all members (CVE-2020-12352) + - Bluetooth: L2CAP: Fix calling sk_filter on non-socket based channel + (CVE-2020-12351) + - Bluetooth: MGMT: Fix not checking if BT_HS is enabled + - Bluetooth: fix kernel oops in store_pending_adv_report (CVE-2020-24490) + - Bluetooth: Consolidate encryption handling in hci_encrypt_cfm + - Bluetooth: Fix update of connection state in `hci_encrypt_cfm` + - Bluetooth: Disconnect if E0 is used for Level 4 + - media: usbtv: Fix refcounting mixup + - USB: serial: option: add Cellient MPL200 card + - USB: serial: option: Add Telit FT980-KS composition + - [x86] staging: comedi: check validity of wMaxPacketSize of usb endpoints + found + - USB: serial: pl2303: add device-id for HP GC device + - USB: serial: ftdi_sio: add support for FreeCalypso JTAG+UART adapters + - reiserfs: Initialize inode keys properly + - reiserfs: Fix oops during mount + - crypto: qat - check cipher length for aead AES-CBC-HMAC-SHA + + [ Ben Hutchings ] + * [rt] Add new signing key for Clark Williams + * [rt] Update to 4.9.240-rt155 + * [rt] mm, page_alloc: Restore "fix core hung in free_pcppages_bulk()" + * [rt] net: Restore use of tofree_queue in flush_backlog() + * Bump ABI to 14 + 4.9.228-1 [Sun, 05 Jul 2020 22:29:47 +0100] Ben Hutchings <benh@debian.org>: * New upstream stable update: <http://10.200.17.11/4.4-6/#2288575411309166934>
OK: apt install -t apt univention-kernel-image OK: amd64 @ kvm + SeaBIOS OK: amd64 @ kvm + OVMF + SB OK: cat /sys/kernel/security/securelevel ; echo OK: amd64 @ HW OK: i386 @ kvm OK: uname -a OK: dmesg -H OK ./linux-dmesg-norm -a OK: YAML OK: announce-errata -V
<https://errata.software-univention.de/#/?erratum=4.4x827> <https://errata.software-univention.de/#/?erratum=4.4x828> <https://errata.software-univention.de/#/?erratum=4.4x829>