Univention Bugzilla – Bug 52905
linux: Multiple issues (4.4)
Last modified: 2021-03-24 15:58:55 CET
New Debian linux 4.9.258-1 fixes: This update addresses the following issues: * use-after-free in rwsem_down_write_slowpath in kernel/locking/rwsem.c (CVE-2019-19318) * use-after-free in __mutex_lock in kernel/locking/mutex.c (CVE-2019-19813) * out-of-bounds write in __btrfs_map_block in fs/btrfs/volumes.c (CVE-2019-19816) * Array index out of bounds access when setting extended attributes on journaling filesystems. (CVE-2020-27815) * use-after-free in the ftrace ring buffer resizing logic due to a race condition (CVE-2020-27825) * SCSI target (LIO) write to any block on ILO backstore (CVE-2020-28374) * An issue was discovered in Xen through 4.14.x. Some OSes (such as Linux, FreeBSD, and NetBSD) are processing watch events using a single thread. If the events are received faster than the thread is able to handle, they will get queued. As the queue is unbounded, a guest may be able to trigger an OOM in the backend. All systems with a FreeBSD, Linux, or NetBSD (any version) dom0 are vulnerable. (CVE-2020-29568) * An issue was discovered in the Linux kernel through 5.10.1, as used with Xen through 4.14.x. The Linux kernel PV block backend expects the kernel thread handler to reset ring->xenblkd to NULL when stopped. However, the handler may not have time to run if the frontend quickly toggles between the states connect and disconnect. As a consequence, the block backend may re-use a pointer after it was freed. A misbehaving guest can trigger a dom0 crash by continuously connecting / disconnecting a block frontend. Privilege escalation and information leaks cannot be ruled out. This only affects systems with a Linux blkback. (CVE-2020-29569) * locking inconsistency in drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c can lead to a read-after-free (CVE-2020-29660) * locking issue in drivers/tty/tty_jobctrl.c can lead to an use-after-free (CVE-2020-29661) * buffer overflow in mwifiex_cmd_802_11_ad_hoc_start function in drivers/net/wireless/marvell/mwifiex/join.c via a long SSID value (CVE-2020-36158) * path traversal in fs/nfsd/nfs3xdr.c may lead to Information Disclosure or RCE (CVE-2021-3178) * Use after free via PI futex state (CVE-2021-3347) * An issue was discovered in the Linux kernel 3.11 through 5.10.16, as used by Xen. To service requests to the PV backend, the driver maps grant references provided by the frontend. In this process, errors may be encountered. In one case, an error encountered earlier might be discarded by later processing, resulting in the caller assuming successful mapping, and hence subsequent operations trying to access space that wasn't mapped. In another case, internal state would be insufficiently updated, preventing safe recovery from the error. This affects drivers/block/xen-blkback/blkback.c. (CVE-2021-26930) * An issue was discovered in the Linux kernel 2.6.39 through 5.10.16, as used in Xen. Block, net, and SCSI backends consider certain errors a plain bug, deliberately causing a kernel crash. For errors potentially being at least under the influence of guests (such as out of memory conditions), it isn't correct to assume a plain bug. Memory allocations potentially causing such crashes occur only when Linux is running in PV mode, though. This affects drivers/block/xen-blkback/blkback.c and drivers/xen/xen-scsiback.c. (CVE-2021-26931) * An issue was discovered in the Linux kernel 3.2 through 5.10.16, as used by Xen. Grant mapping operations often occur in batch hypercalls, where a number of operations are done in a single hypercall, the success or failure of each one is reported to the backend driver, and the backend driver then loops over the results, performing follow-up actions based on the success or failure of each operation. Unfortunately, when running in PV mode, the Linux backend drivers mishandle this: Some errors are ignored, effectively implying their success from the success of related batch elements. In other cases, errors resulting from one batch element lead to further batch elements not being inspected, and hence successful ones to not be possible to properly unmap upon error recovery. Only systems with Linux backends running in PV mode are vulnerable. Linux backends run in HVM / PVH modes are not vulnerable. This affects arch/*/xen/p2m.c and drivers/xen/gntdev.c. (CVE-2021-26932) * iscsi: unrestricted access to sessions and handles (CVE-2021-27363) * out-of-bounds read in libiscsi module (CVE-2021-27364) * heap buffer overflow in the iSCSI subsystem (CVE-2021-27365) * An issue was discovered in the Linux kernel through 5.11.3, as used with Xen PV. A certain part of the netback driver lacks necessary treatment of errors such as failed memory allocations (as a result of changes to the handling of grant mapping errors). A host OS denial of service may occur during misbehavior of a networking frontend driver. NOTE: this issue exists because of an incomplete fix for CVE-2021-26931. (CVE-2021-28038)
--- mirror/ftp/4.4/unmaintained/component/4.4-7-errata/source/linux_4.9.246-2.dsc +++ apt/ucs_4.4-0-errata4.4-7/source/linux_4.9.258-1.dsc @@ -1,3 +1,536 @@ +4.9.258-1 [Mon, 08 Mar 2021 01:17:32 +0100] Ben Hutchings <benh@debian.org>: + + * New upstream stable update: + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.247 + - perf event: Check ref_reloc_sym before using it + - mm/userfaultfd: do not access vma->vm_mm after calling handle_userfault() + - btrfs: fix lockdep splat when reading qgroup config on mount + - PCI: Add device even if driver attach failed + - btrfs: tree-checker: Enhance chunk checker to validate chunk profile + (CVE-2019-19816) + - btrfs: inode: Verify inode mode to avoid NULL pointer dereference + (CVE-2019-19813) + - [arm64] pgtable: Fix pte_accessible() + - ALSA: hda/hdmi: Use single mutex unlock in error paths + - ALSA: hda/hdmi: fix incorrect locking in hdmi_pcm_close + - HID: cypress: Support Varmilo Keyboards' media hotkeys + - [x86] Input: i8042 - allow insmod to succeed on devices without an i8042 + controller + - HID: hid-sensor-hub: Fix issue with devices with no report ID + - [x86] xen: don't unbind uninitialized lock_kicker_irq + - proc: don't allow async path resolution of /proc/self components + - [armhf] dmaengine: pl330: _prep_dma_memcpy: Fix wrong burst size + - scsi: libiscsi: Fix NOP race condition + - scsi: target: iscsi: Fix cmd abort fabric stop race + - [x86] perf/x86: fix sysfs type mismatches + - [arm64,armhf] phy: tegra: xusb: Fix dangling pointer on probe failure + - batman-adv: set .owner to THIS_MODULE + - scsi: ufs: Fix race between shutdown and runtime resume flow + - bnxt_en: fix error return code in bnxt_init_board() + - [x86] video: hyperv_fb: Fix the cache type when mapping the VRAM + - bnxt_en: Release PCI regions when DMA mask setup fails during probe. + - IB/mthca: fix return value of error branch in mthca_init_cq() + - net: ena: set initial DMA width to avoid intel iommu issue + - efivarfs: revert "fix memory leak in efivarfs_create()" + - can: gs_usb: fix endianess problem with candleLight firmware + - [x86] platform/x86: toshiba_acpi: Fix the wrong variable assignment + - perf probe: Fix to die_entrypc() returns error correctly + - USB: core: Change %pK for __user pointers to %px + - usb: gadget: f_midi: Fix memleak in f_midi_alloc + - usb: gadget: Fix memleak in gadgetfs_fill_super + - [x86] speculation: Fix prctl() when spectre_v2_user={seccomp,prctl},ibpb + - regulator: avoid resolve_supply() infinite recursion + - regulator: workaround self-referent regulators + - USB: core: add endpoint-blacklist quirk + - USB: core: Fix regression in Hercules audio card + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.248 + - rose: Fix Null pointer dereference in rose_send_frame() + - usbnet: ipheth: fix connectivity with iOS 14 + - bonding: wait for sysfs kobject destruction before freeing struct slave + - netfilter: bridge: reset skb->pkt_type after NF_INET_POST_ROUTING + traversal + - net/x25: prevent a couple of overflows + - cxgb3: fix error return code in t3_sge_alloc_qset() + - net/mlx5: Fix wrong address reclaim when command interface is down + - Input: xpad - support Ardwiino Controllers + - [x86] Input: i8042 - add ByteSpeed touchpad to noloop table + - spi: Fix controller unregister order harder + - RDMA/i40iw: Address an mmap handler exploit in i40iw + - btrfs: sysfs: init devices outside of the chunk_mutex + - [x86] pinctrl: baytrail: Replace WARN with dev_info_once when setting + direct-irq pin to output + - [x86] pinctrl: baytrail: Fix pin being driven low for a while on + gpiod_get(..., GPIOD_OUT_HIGH) + - vlan: consolidate VLAN parsing code and limit max parsing depth + - usb: gadget: f_fs: Use local copy of descriptors for userspace copy + - USB: serial: kl5kusb105: fix memleak on open + - USB: serial: ch341: add new Product ID for CH341A + - USB: serial: ch341: sort device-id entries + - USB: serial: option: add Fibocom NL668 variants + - USB: serial: option: add support for Thales Cinterion EXS82 + - tty: Fix ->pgrp locking in tiocspgrp() (CVE-2020-29661) + - ALSA: hda/realtek - Add new codec supported for ALC897 + - ALSA: hda/generic: Add option to enforce preferred_dacs pairs + - tty: Fix ->session locking (CVE-2020-29660) + - ftrace: Fix updating FTRACE_FL_TRAMP + - cifs: fix potential use-after-free in cifs_echo_request() + - [armhf] i2c: imx: Fix reset of I2SR_IAL flag + - [armhf] i2c: imx: Check for I2SR_IAL after every byte + - [x86] iommu/amd: Set DTE[IntTabLen] to represent 512 IRTEs + - spi: Introduce device-managed SPI controller allocation + - [arm64,armhf] spi: bcm2835: Fix use-after-free on unbind + - [arm64,armhf] spi: bcm2835: Release the DMA channel if probe fails after + dma_init + - tracing: Fix userstacktrace option for instances + - gfs2: check for empty rgrp tree in gfs2_ri_update + - [arm64] i2c: qup: Fix error return code in qup_i2c_bam_schedule_desc() + - [x86] Input: i8042 - fix error return code in i8042_setup_aux() + - [x86] uprobes: Do not use prefixes.nbytes when looping over + prefixes.bytes + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.249 + - [arm64,armhf] spi: bcm2835aux: Fix use-after-free on unbind + - [arm64,armhf] spi: bcm2835aux: Restore err assignment in + bcm2835aux_spi_probe + - iwlwifi: pcie: limit memory read spin time + - [arm64] dts: rockchip: Assign a fixed index to mmc devices on rk3399 + boards. + - [x86] platform/x86: acer-wmi: add automatic keyboard background light + toggle key as KEY_LIGHTS_TOGGLE + - Input: cm109 - do not stomp on control URB + - [x86] Input: i8042 - add Acer laptops to the i8042 reset list + - [x86] pinctrl: amd: remove debounce filter setting in IRQ type setting + - scsi: be2iscsi: Revert "Fix a theoretical leak in beiscsi_create_eqs()" + - spi: Prevent adding devices below an unregistering controller + - net/mlx4_en: Avoid scheduling restart task if it is already running + - tcp: fix cwnd-limited bug for TSO deferral where we send nothing + - [arm64,armhf] net: stmmac: delete the eee_ctrl_timer after napi disabled + - [arm64] net: stmmac: dwmac-meson8b: fix mask definition of the + m250_sel mux + - net: bridge: vlan: fix error return code in __vlan_add() + - mac80211: mesh: fix mesh_pathtbl_init() error path + - USB: add RESET_RESUME quirk for Snapscan 1212 + - ALSA: usb-audio: Fix potential out-of-bounds shift + - ALSA: usb-audio: Fix control 'access overflow' errors from chmap + - xhci: Give USB2 ports time to enter U3 in bus suspend + - USB: sisusbvga: Make console support depend on BROKEN + - ALSA: pcm: oss: Fix potential out-of-bounds shift + - [x86] pinctrl: baytrail: Avoid clearing debounce value when turning it + off + - can: softing: softing_netdev_open(): fix error handling + - RDMA/cm: Fix an attempt to use non-valid pointer when cleaning timewait + - [arm64,armhf] drm/tegra: sor: Disable clocks on error in tegra_sor_init() + - scsi: mpt3sas: Increase IOCInit request timeout to 30s + - dm table: Remove BUG_ON(in_interrupt()) + - [arm64,armhf] soc/tegra: fuse: Fix index bug in get_process_id + - USB: serial: option: add interface-number sanity check to flag handling + - USB: gadget: f_acm: add support for SuperSpeed Plus + - USB: gadget: f_midi: setup SuperSpeed Plus descriptors + - USB: gadget: f_rndis: fix bitrate for SuperSpeed and above + - usb: gadget: f_fs: Re-use SS descriptors for SuperSpeedPlus + - [armhf] usb: chipidea: ci_hdrc_imx: Pass DISABLE_DEVICE_STREAMING flag to + imx6ul + - [armhf] dts: exynos: fix roles of USB 3.0 ports on Odroid XU + - [armhf] dts: exynos: fix USB 3.0 VBUS control and over-current pins on + Exynos5410 + - [armhf] dts: exynos: fix USB 3.0 pins supply being turned off on Odroid + XU + - [x86] HID: i2c-hid: add Vero K147 to descriptor override + - serial_core: Check for port state when tty is in error state + - media: msi2500: assign SPI bus number dynamically + - md: fix a warning caused by a race between concurrent md_ioctl()s + - Bluetooth: Fix slab-out-of-bounds read in hci_le_direct_adv_report_evt() + - [x86] drm/gma500: fix double free of gma_connector + - RDMA/rxe: Compute PSN windows correctly + - ASoC: pcm: DRAIN support reactivation + - Bluetooth: Fix null pointer dereference in hci_event_packet() + - [armhf] spi: spi-ti-qspi: fix reference leak in ti_qspi_setup + - [arm64] spi: tegra20-slink: fix reference leak in slink ops of tegra20 + - [arm64,armhf] spi: tegra20-sflash: fix reference leak in + tegra_sflash_resume + - [arm64,armhf] spi: tegra114: fix reference leak in tegra spi ops + - RDMa/mthca: Work around -Wenum-conversion warning + - media: solo6x10: fix missing snd_card_free in error handling case + - [armhf] drm/omap: dmm_tiler: fix return error code in omap_dmm_probe() + - Input: ads7846 - fix integer overflow on Rt calculation + - Input: ads7846 - fix unaligned access on 7845 + - [armhf] crypto: omap-aes - Fix PM disable depth imbalance in + omap_aes_probe + - RDMA/cxgb4: Validate the number of CQEs + - memstick: fix a double-free bug in memstick_check + - orinoco: Move context allocation after processing the skb + - media: siano: fix memory leak of debugfs members in smsdvb_hotplug + - [armhf] HSI: omap_ssi: Don't jump to free ID in ssi_add_controller() + - NFSv4.2: condition READDIR's mask for security label based on LSM state + - SUNRPC: xprt_load_transport() needs to support the netid "rdma6" + - lockd: don't use interval-based rebinding over TCP + - NFS: switch nfsiod to be an UNBOUND workqueue. + - vfio-pci: Use io_remap_pfn_range() for PCI IO memory + - media: saa7146: fix array overflow in vidioc_s_audio() + - memstick: r592: Fix error return in r592_probe() + - dm ioctl: fix error return code in target_message + - [arm64,armhf] clocksource/drivers/arm_arch_timer: Correct fault + programming of CNTKCTL_EL1.EVNTI + - scsi: pm80xx: Fix error return in pm8001_pci_probe() + - seq_buf: Avoid type mismatch for seq_buf_init + - scsi: fnic: Fix error return code in fnic_probe() + - [armhf] usb: ehci-omap: Fix PM disable depth umbalance in + ehci_hcd_omap_probe + - speakup: fix uninitialized flush_lock + - nfsd: Fix message level for normal termination + - nfs_common: need lock during iterate through the list + - [x86] kprobes: Restore BTF if the single-stepping is cancelled + - [arm64,armhf] clk: tegra: Fix duplicated SE clock entry + - um: chan_xterm: Fix fd leak + - [armhf] net: allwinner: Fix some resources leak in the error handling + path of the probe and in the remove function + - [arm64] watchdog: qcom: Avoid context switch in restart handler + - [armhf] clk: ti: Fix memleak in ti_fapll_synth_setup + - perf record: Fix memory leak when using '--user-regs=?' to list registers + - qlcnic: Fix error code in probe + - [armhf] clk: s2mps11: Fix a resource leak in error handling paths in the + probe function + - cfg80211: initialize rekey_data + - [armhf] Input: cros_ec_keyb - send 'scancodes' in addition to key events + - Input: goodix - add upside-down quirk for Teclast X98 Pro tablet + - media: gspca: Fix memory leak in probe + - [armhf] media: sunxi-cir: ensure IR is handled when it is continuous + - media: netup_unidvb: Don't leak SPI master in probe error path + - [x86] Input: cyapa_gen6 - fix out-of-bounds stack access + - Revert "ACPI / resources: Use AE_CTRL_TERMINATE to terminate resources + walks" + - ACPI: PNP: compare the string length in the matching_id() + - ALSA: pcm: oss: Fix a few more UBSAN fixes + - ALSA: usb-audio: Disable sample read check if firmware doesn't give back + - [x86] staging: comedi: mf6x4: Fix AI end-of-conversion detection + - USB: serial: mos7720: fix parallel-port state restore + - USB: serial: keyspan_pda: fix dropped unthrottle interrupts + - USB: serial: keyspan_pda: fix write deadlock + - USB: serial: keyspan_pda: fix stalled writes + - USB: serial: keyspan_pda: fix write-wakeup use-after-free + - USB: serial: keyspan_pda: fix tx-unthrottle use-after-free + - USB: serial: keyspan_pda: fix write unthrottling + - btrfs: quota: Set rescan progress to (u64)-1 if we hit last leaf + - btrfs: scrub: Don't use inode page cache in scrub_handle_errored_block() + - Btrfs: fix selftests failure due to uninitialized i_mode in test inodes + (CVE-2019-19318) + - btrfs: fix return value mixup in btrfs_get_extent + - ext4: fix a memory leak of ext4_free_data + - [arm64] KVM: arm64: Introduce handling of AArch32 TTBCR2 traps + - ceph: fix race in concurrent __ceph_remove_cap invocations + - jffs2: Fix GC exit abnormally + - jfs: Fix array index bounds check in dbAdjTree (CVE-2020-27815) + - drm/dp_aux_dev: check aux_dev before use in drm_dp_aux_dev_get_by_minor() + - [arm64] soc: qcom: smp2p: Safely acquire spinlock without IRQs + - [armel] mtd: parser: cmdline: Fix parsing of part-names with colons + - iio: buffer: Fix demux update + - [armhf] iio: adc: rockchip_saradc: fix missing clk_disable_unprepare() on + error in rockchip_saradc_resume + - [arm64] clk: mvebu: a3700: fix the XTAL MODE pin to MPP1_9 + - xen-blkback: set ring->xenblkd to NULL after kthread_stop() + (CVE-2020-29569) + - PCI: Fix pci_slot_release() NULL pointer dereference + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.250 + - [amd64] x86/entry/64: Add instruction suffix + - ALSA: hda/ca0132 - Fix work handling in delayed HP detection + - ALSA: usb-audio: simplify set_sync_ep_implicit_fb_quirk + - ALSA: usb-audio: fix sync-ep altsetting sanity check + - ALSA: hda/realtek - Support Dell headset mode for ALC3271 + - ALSA: hda - Fix a wrong FIXUP for alc289 on Dell machines + - ALSA: hda/realtek - Dell headphone has noise on unmute for ALC236 + - vfio/pci: Move dummy_resources_list init in vfio_pci_probe() + - USB: serial: digi_acceleport: fix write-wakeup deadlocks + - net: ipv6: keep sk status consistent after datagram connect failure + - l2tp: fix races with ipv4-mapped ipv6 addresses + - uapi: move constants from <linux/kernel.h> to <linux/const.h> + - of: fix linker-section match-table corruption + - reiserfs: add check for an invalid ih_entry_count + - [x86] misc: vmw_vmci: fix kernel info-leak by initializing dbells in + vmci_ctx_get_chkpt_doorbells() + - media: gp8psk: initialize stats at power control logic + - ALSA: seq: Use bool for snd_seq_queue internal flags + - module: set MODULE_STATE_GOING state when a module fails to load + - quota: Don't overflow quota file offsets + - module: delay kobject uevent until after module init call + - kdev_t: always inline major/minor helper functions + - xen/xenbus: Fix possible out-of-memory triggered by front-end + (CVE-2020-29568): + + xen/xenbus: Allow watches discard events before queueing + + xen/xenbus: Add 'will_handle' callback support in xenbus_watch_path() + + xen/xenbus/xen_bus_type: Support will_handle watch callback + + xen/xenbus: Count pending messages for each watch + + xenbus/xenbus_backend: Disallow pending watch messages + - mwifiex: Fix possible buffer overflows in mwifiex_cmd_802_11_ad_hoc_start + (CVE-2020-36158) + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.251 + - kbuild: don't hardcode depmod path + - workqueue: Kick a worker based on the actual activation of delayed works + - lib/genalloc: fix the overflow when size is too big + - depmod: handle the case of /sbin/depmod without /sbin in PATH + - [x86] atm: idt77252: call pci_disable_device() on error path + - ipv4: Ignore ECN bits for fib lookups in fib_compute_spec_dst() + - [arm64] net: hns: fix return value check in __lb_other_process() + - net: hdlc_ppp: Fix issues when mod_timer is called while timer is running + - CDC-NCM: remove "connected" log message + - vhost_net: fix ubuf refcount incorrectly when sendmsg fails + - net: sched: prevent invalid Scell_log shift count + - virtio_net: Fix recursive call to cpus_read_lock() + - [x86] video: hyperv_fb: Fix the mmap() regression for v5.4.y and older + - usb: gadget: enable super speed plus + - USB: cdc-acm: blacklist another IR Droid device + - [armhf] usb: chipidea: ci_hdrc_imx: add missing put_device() call in + usbmisc_get_init_data() + - [x86] USB: xhci: fix U1/U2 handling for hardware with XHCI_INTEL_HOST + quirk set + - usb: uas: Add PNY USB Portable SSD to unusual_uas + - USB: serial: iuu_phoenix: fix DMA from stack + - USB: serial: option: add LongSung M5710 module support + - USB: yurex: fix control-URB timeout handling + - USB: usblp: fix DMA to stack + - ALSA: usb-audio: Fix UBSAN warnings for MIDI jacks + - usb: gadget: f_uac2: reset wMaxPacketSize + - usb: gadget: function: printer: Fix a memory leak for interface descriptor + - USB: gadget: legacy: fix return error code in acm_ms_bind() + - usb: gadget: Fix spinlock lockup on usb_function_deactivate + - usb: gadget: configfs: Preserve function ordering after bind failure + - usb: gadget: configfs: Fix use-after-free issue with udc_name + - USB: serial: keyspan_pda: remove unused variable + - [x86] mm: Fix leak of pmd ptlock + - ALSA: hda/conexant: add a new hda codec CX11970 + - Revert "device property: Keep secondary firmware node secondary by type" + (regression in 4.9.242) + - netfilter: ipset: fix shift-out-of-bounds in htable_bits() + - netfilter: xt_RATEEST: reject non-null terminated string from userspace + - [x86] mtrr: Correct the range check before performing MTRR type lookups + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.252 + - target: bounds check XCOPY segment descriptor list + - target: simplify XCOPY wwn->se_dev lookup helper + - target: use XCOPY segment descriptor CSCD IDs + - xcopy: loop over devices using idr helper + - scsi: target: Fix XCOPY NAA identifier lookup (CVE-2020-28374) + - target: add XCOPY target/segment desc sense codes + - net: ip: always refragment ip defragmented packets + - net: fix pmtu check in nopmtudisc mode + - vmlinux.lds.h: Add PGO and AutoFDO input sections + - [x86] drm/i915: Fix mismatch between misplaced vma check and vma insert + - ubifs: wbuf: Don't leak kernel memory to flash + - [armhf] OMAP2+: omap_device: fix idling of devices during probe + - [x86] cpufreq: powernow-k8: pass policy rather than use cpufreq_cpu_get() + - [x86] iommu/intel: Fix memleak in intel_irq_remapping_alloc + - net/mlx5e: Fix memleak in mlx5e_create_l2_table_groups + - [arm64] KVM: arm64: Don't access PMCR_EL0 when no PMU is available + - block: fix use-after-free in disk_part_iter_next + - net: drop bogus skb with CHECKSUM_PARTIAL and offset beyond end of + trimmed packet + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.253 + - ASoC: dapm: remove widget from dirty list on free + - ACPI: scan: Harden acpi_device_add() against device ID overflows + - mm/hugetlb: fix potential missing huge page size info + - ext4: fix bug for rename with RENAME_WHITEOUT + - ACPI: scan: add stub acpi_create_platform_device() for !CONFIG_ACPI + - Input: uinput - avoid FF flush when destroying device + - dump_common_audit_data(): fix racy accesses to ->d_name + - NFS: nfs_igrab_and_active must first reference the superblock + - ext4: fix superblock checksum failure when setting password salt + - [x86] RDMA/usnic: Fix memleak in find_free_vf_and_create_qp_grp + - mm, slub: consider rest of partial list if acquire_slab() fails + - net: sunrpc: interpret the return value of kstrtou32 correctly + - netfilter: conntrack: fix reading nf_conntrack_buckets + - usb: ohci: Make distrust_firmware param default to false + - nfsd4: readdirplus shouldn't return parent of export (CVE-2021-3178) + - net: cdc_ncm: correct overhead in delayed_ndp_size + - netxen_nic: fix MSI/MSI-x interrupts + - rndis_host: set proper input size for OID_GEN_PHYSICAL_MEDIUM request + - net: dcb: Validate netlink message in DCB handler + - net: dcb: Accept RTM_GETDCB messages carrying set-like DCB commands + - net: sit: unregister_netdevice on newlink's error path + - net: avoid 32 x truesize under-estimation for tiny skbs + - rxrpc: Fix handling of an unsupported token type in rxrpc_read() + - tipc: fix NULL deref in tipc_link_xmit() + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.254 + - ALSA: seq: oss: Fix missing error check in snd_seq_oss_synth_make_info() + - ALSA: hda/via: Add minimum mute flag + - ACPI: scan: Make acpi_bus_get_device() clear return pointer on error + - dm: avoid filesystem lookup in dm_get_dev_t() + - [x86] ASoC: Intel: haswell: Add missing pm_ops + - scsi: ufs: Correct the LUN used in eh_device_reset_handler() callback + - drm/nouveau/bios: fix issue shadowing expansion ROMs + - drm/nouveau/i2c/gm200: increase width of aux semaphore owner fields + - can: dev: can_restart: fix use after free bug + - ehci: fix EHCI host controller initialization sequence + - USB: ehci: fix an interrupt calltrace error + - usb: udc: core: Use lock when write to soft_connect + - usb: bdc: Make bdc pci driver depend on BROKEN + - xhci: make sure TRB is fully written before giving it to the controller + - xhci: tegra: Delay for disabling LFPS detector + - bpf: Fix buggy rsh min/max bounds tracking + - compiler.h: Raise minimum version of GCC to 5.1 for arm64 + - netfilter: rpfilter: mask ecn bits before fib lookup + - skbuff: back tiny skbs with kmalloc() in __netdev_alloc_skb() too + - ipv6: create multicast route with RTPROT_KERNEL + - net_sched: avoid shift-out-of-bounds in tcindex_set_parms() + - [armhf] net: dsa: b53: fix an off by one in checking "vlan->vid" + - Revert "mm/slub: fix a memory leak in sysfs_slab_add()" + (regression in 4.9.228) + - tracing: Fix race in trace_open and buffer resize call (CVE-2020-27825) + - [x86] boot/compressed: Disable relocation relaxation + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.255 + - ACPI: sysfs: Prefer "compatible" modalias + - wext: fix NULL-ptr-dereference with cfg80211's lack of commit() + - net: usb: qmi_wwan: added support for Thales Cinterion PLSx3 modem family + - y2038: futex: Move compat implementation into futex.c + - futex: Move futex exit handling into futex code + - futex: Replace PF_EXITPIDONE with a state + - exit/exec: Seperate mm_release() + - futex: Split futex_mm_release() for exit/exec + - futex: Set task::futex_state to DEAD right after handling futex exit + - futex: Mark the begin of futex exit explicitly + - futex: Sanitize exit state handling + - futex: Provide state handling for exec() as well + - futex: Add mutex around futex exit + - futex: Provide distinct return value when owner is exiting + - futex: Prevent exit livelock + - [x86] KVM: x86/pmu: Fix HW_REF_CPU_CYCLES event pseudo-encoding in + intel_arch_events[] + - [x86] KVM: x86: get smi pending status correctly + - leds: trigger: fix potential deadlock with libata + - mt7601u: fix kernel crash unplugging the device + - mt7601u: fix rx buffer refcounting + - netfilter: nft_dynset: add timeout extension to template + - xfrm: Fix oops in xfrm_replay_advance_bmp + - RDMA/cxgb4: Fix the reported max_recv_sge value + - iwlwifi: pcie: use jiffies for memory read spin time limit + - iwlwifi: pcie: reschedule in long-running memory reads + - mac80211: pause TX while changing interface type + - can: dev: prevent potential information leak in can_fill_info() + - [x86] iommu/vt-d: Gracefully handle DMAR units with no supported address + widths + - NFC: fix resource leak when target index is invalid + - NFC: fix possible resource leak + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.256 + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.257 + - [armhf] net: dsa: bcm_sf2: put device node before return + - net_sched: reject silly cell_log in qdisc_get_rtab() + - futex: Fix PI futex use-after-free (CVE-2021-3347): + + futex,rt_mutex: Provide futex specific rt_mutex API + + futex: Remove rt_mutex_deadlock_account_*() + + futex: Rework inconsistent rt_mutex/futex_q state + + futex: Avoid violating the 10th rule of futex + + futex: Replace pointless printk in fixup_owner() + + futex: Provide and use pi_state_update_owner() + + rtmutex: Remove unused argument from rt_mutex_proxy_unlock() + + futex: Use pi_state_update_owner() in put_pi_state() + + futex: Simplify fixup_pi_state_owner() + + futex: Handle faults correctly for PI futexes + - scsi: libfc: Avoid invoking response handler twice if ep is already + completed + - mac80211: fix fast-rx encryption check + - scsi: ibmvfc: Set default timeout to avoid crash during migration + - objtool: Don't fail on missing symbol table + - stable: clamp SUBLEVEL in 4.4 and 4.9 + - USB: serial: cp210x: add pid/vid for WSDA-200-USB + - USB: serial: cp210x: add new VID/PID for supporting Teraoka AD2000 + - USB: serial: option: Adding support for Cinterion MV31 + - [x86] Input: i8042 - unbreak Pegatron C15B + - [x86] net: lapb: Copy the skb before sending a packet + - elfcore: fix building with clang + - USB: gadget: legacy: fix an error code in eth_bind() + - USB: usblp: don't call usb_set_interface if there's a single alt + - [arm64,armhf] usb: dwc2: Fix endpoint direction check in ep_from_windex + - mac80211: fix station rate table updates on assoc + - kretprobe: Avoid re-registration of the same kretprobe earlier + - xhci: fix bounce buffer usage for non-sg list case + - cifs: report error instead of invalid when revalidating a dentry fails + - mmc: core: Limit retries when analyse of SDIO tuples fails + - mm: hugetlbfs: fix cannot migrate the fallocated HugeTLB page + - mm: hugetlb: fix a race between isolating and freeing page + - mm: hugetlb: remove VM_BUG_ON_PAGE from page_huge_active + - mm: thp: fix MADV_REMOVE deadlock on shmem THP + - [x86] build: Disable CET instrumentation in the kernel + - [x86] apic: Add extra serialization for non-serializing MSRs + - Input: xpad - sync supported devices with fork on GitHub + - ACPI: thermal: Do not call acpi_thermal_check() directly + - [x86] iommu/vt-d: Do not use flush-queue when caching-mode is on + - ALSA: hda/realtek - Fix typo of pincfg for Dell quirk + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.258 + - mm: memcontrol: fix NULL pointer crash in test_clear_page_writeback() + - fgraph: Initialize tracing_graph_pause at task creation + - af_key: relax availability checks for skb size calculation + - iwlwifi: mvm: take mutex for calling iwl_mvm_get_sync_time() + - iwlwifi: pcie: add a NULL check in iwl_pcie_txq_unmap + - iwlwifi: mvm: guard against device removal in reprobe + - SUNRPC: Move simple_get_bytes and simple_get_netobj into private header + - SUNRPC: Handle 0 length opaque XDR object data properly + - include/trace/events/writeback.h: fix -Wstringop-truncation warnings + - memcg: fix a crash in wb_workfn when a device disappears + - futex: Ensure the correct return value from futex_lock_pi() + - futex: Change locking rules + - futex: Cure exit race + - squashfs: add more sanity checks in id lookup + - squashfs: add more sanity checks in inode lookup + - squashfs: add more sanity checks in xattr id lookup + - tracing: Do not count ftrace events in top level enable output + - tracing: Check length before giving out the filter buffer + - ovl: skip getxattr of security labels + - memblock: do not start bottom-up allocations with kernel_end + - bpf: Check for integer overflow when using roundup_pow_of_two() + - netfilter: xt_recent: Fix attempt to update deleted entry + - xen/netback: avoid race in xenvif_rx_ring_slots_available() + - netfilter: conntrack: skip identical origin tuple in same zone only + - [arm64,armhf] usb: dwc3: ulpi: Replace CPU-based busyloop with + Protocol-based one + - [x86] net/vmw_vsock: improve locking in vsock_connect_timeout() + - net: watchdog: hold device global xmit lock during tx disable + - vsock/virtio: update credit only if socket is not closed + - vsock: fix locking in vsock_shutdown() + - trace: Use -mcount-record for dynamic ftrace + - tracing: Avoid calling cc-option -mrecord-mcount for every Makefile + - xen: Fix crash or memory leak on failure (CVE-2021-26932): + + [x86] Xen/x86: don't bail early from clear_foreign_p2m_mapping() + + [x86] Xen/x86: also check kernel mapping in set_foreign_p2m_mapping() + + Xen/gntdev: correct dev_bus_addr handling in gntdev_map_grant_pages() + + Xen/gntdev: correct error checking in gntdev_map_grant_pages() + + [arm64,armhf] xen/arm: don't ignore return errors from + set_phys_to_machine + - xen: Fix crash on allocation failure (CVE-2021-26931): + + xen-blkback: don't "handle" error by BUG() + + xen-netback: don't "handle" error by BUG() + + xen-scsiback: don't "handle" error by BUG() + - xen-blkback: fix error handling in xen_blkbk_map() (CVE-2021-26930) + - scsi: qla2xxx: Fix crash during driver load on big endian machines + - kvm: check tlbs_dirty directly + + [ Ben Hutchings ] + * sunrpc/xprt: Ignore ABI changes + * [rt] Update to 4.9.254-rt169 + * Bump ABI to 15 + * futex: Fix regressions introduced by incomplete stable backports: + - futex: Fix OWNER_DEAD fixup + - futex: fix dead code in attach_to_pi_owner() + - futex: Cleanup variable names for futex_top_waiter() + - futex: Cleanup refcounting + - futex: Pull rt_mutex_futex_unlock() out from under hb->lock + - futex: Futex_unlock_pi() determinism + - futex: Fix pi_state->owner serialization + - futex: Fix more put_pi_state() vs. exit_pi_state_list() races + - futex: Don't enable IRQs unconditionally in put_pi_state() + * [rt] futex: Undo stable fixes until they are merged with the rt branch + * xen/netback: fix spurious event detection for common event case + (regression in 4.9.244) + * media: uvcvideo: Accept invalid bFormatIndex and bFrameIndex values + (regression in 4.9.241) + * Bluetooth: Fix initializing response id after clearing struct + (regression in 4.9.240) + * mm/hugetlb.c: fix unnecessary address expansion of pmd sharing + (regression in 4.9.234) + * scsi: iscsi: Restrict sessions and handles to admin capabilities + (CVE-2021-27363, CVE-2021-27364) + * sysfs: Add sysfs_emit and sysfs_emit_at to format sysfs output + * scsi: iscsi: Verify lengths on passthrough PDUs (CVE-2021-27365) + * scsi: iscsi: Ensure sysfs attributes are limited to PAGE_SIZE + (CVE-2021-27365) + * Xen/gnttab: handle p2m update errors on a per-slot basis (CVE-2021-28038) + * xen-netback: respect gnttab_map_refs()'s return value (CVE-2021-28038) + 4.9.246-2 [Thu, 17 Dec 2020 13:51:31 +0100] Ben Hutchings <benh@debian.org>: * [arm64] Fix FTBFS after Xen netback fix: <http://piuparts.knut.univention.de/4.4-7/#976711378379796073>
Install test in 4.4-7 fail
Created attachment 10646 [details] install-failed.png Seem that linux-image-4.9.0-14-amd64-signed and/or linux-image-4.9.0-14-amd64 have a problem
6be94848 Update to linux-4.9.258-1 univention-kernel-image 12.0.0-7A~4.4.0.202103182228 I also rebuilt univention-kernel-image-signed 5.0.0-16A~4.4.0.202103182253, previously only version 5.0.0-15 was build due to issues in our buildsystem. OK: amd64 @ kvm + SeaBIOS OK: amd64 @ kvm + OVMF + SB OK: cat /sys/kernel/security/securelevel ; echo OK: i386 @ kvm OK: uname -a OK: dmesg -H OK ./linux-dmesg-norm -a OK: YAML
OK - update univention-kernel-image OK - installation linux-image-4.9.0-15-amd64,linux-image-4.9.0-15-amd64-signed OK - kernel version (uname -a Linux master 4.9.0-15-amd64) OK - univention-kernel-image-signed.yaml OK - univention-kernel-image.yaml TODO Jenkins Tests
OK - Jenkins Test OK - linux.yaml
<https://errata.software-univention.de/#/?erratum=4.4x931> <https://errata.software-univention.de/#/?erratum=4.4x932> <https://errata.software-univention.de/#/?erratum=4.4x933>