Univention Bugzilla – Bug 53897
linux: Multiple issues (5.0)
Last modified: 2021-10-13 16:18:38 CEST
New Debian linux 4.19.208-1 fixes:

This update addresses the following issues:

* ath9k: information disclosure via specifically timed and handcrafted traffic (CVE-2020-3702)
* DCCP CCID structure use-after-free may lead to DoS or code execution (CVE-2020-16119)
* bpf verifier incorrect mod32 truncation (CVE-2021-3444)
* eBPF 32-bit source register truncation on div/mod (CVE-2021-3600)
* joydev: zero size passed to joydev_handle_JSIOCSBTNMAP() (CVE-2021-3612)
* SVM nested virtualization issue in KVM (AVIC support) (CVE-2021-3653)
* missing size validations on inbound SCTP packets (CVE-2021-3655)
* SVM nested virtualization issue in KVM (VMLOAD/VMSAVE) (CVE-2021-3656)
* DoS in rb_per_cpu_empty() (CVE-2021-3679)
* overlayfs: Mounting overlayfs inside an unprivileged user namespace can reveal files (CVE-2021-3732)
* out-of-bound Read in qrtr_endpoint_post in net/qrtr/qrtr.c (CVE-2021-3743)
* a race out-of-bound read in vt (CVE-2021-3753)
* Improper handling of VM_IO|VM_PFNMAP vmas in KVM can bypass RO checks (CVE-2021-22543)
* Linux kernel BPF protection against speculative execution attacks can be bypassed to read arbitrary kernel memory (CVE-2021-33624)
* BPF program can obtain sensitive information from kernel memory via a speculative store bypass side-channel attack because of the possibility of uninitialized memory locations on the BPF stack (CVE-2021-34556)
* allows loading unsigned kernel modules via init_module syscall (CVE-2021-35039)
* BPF program can obtain sensitive information from kernel memory via a speculative store bypass side-channel attack because the technique used by the BPF verifier to manage speculation is unreliable (CVE-2021-35477)
* use-after-free in hso_free_net_device() in drivers/net/usb/hso.c (CVE-2021-37159)
* powerpc: KVM guest OS users can cause host OS memory corruption (CVE-2021-37576)
* data corruption or loss can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size in drivers/char/virtio_console.c (CVE-2021-38160)
* arch/x86/kvm/mmu/paging_tmpl.h incorrectly computes the access permissions of a shadow page (CVE-2021-38198)
* incorrect connection-setup ordering allows operators of remote NFSv4 servers to cause a DoS (CVE-2021-38199)
* use-after-free and panic in drivers/usb/host/max3421-hcd.c by removing a MAX-3421 USB device in certain situations (CVE-2021-38204)
* drivers/net/ethernet/xilinx/xilinx_emaclite.c prints the real IOMEM pointer (CVE-2021-38205)
* race condition was discovered in ext4_write_inline_data_end in fs/ext4/inline.c in the ext4 subsystem (CVE-2021-40490)
* slab out-of-bounds write in decode_data() in drivers/net/hamradio/6pack.c (CVE-2021-42008)
* An issue was discovered in aspeed_lpc_ctrl_mmap in drivers/soc/aspeed/aspeed-lpc-ctrl.c in the Linux kernel before 5.14.6. Local attackers able to access the Aspeed LPC control interface could overwrite memory in the kernel and potentially execute privileges, aka CID-b49a0e69a7b1. This occurs because a certain comparison uses values that are not memory sizes. (CVE-2021-42252)

--- mirror/ftp/pool/main/l/linux/linux_4.19.194-3.dsc +++ apt/ucs_5.0-0-errata5.0-0/source/linux_4.19.208-1.dsc 
@@ -1,3 +1,1070 @@ +4.19.208-1 [Wed, 29 Sep 2021 20:53:57 +0200] Salvatore Bonaccorso <carnil@debian.org>: + + * New upstream stable update: + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.195 + - perf/core: Fix endless multiplex timer + - net/nfc/rawsock.c: fix a permission check bug + - [x86] ASoC: Intel: bytcr_rt5640: Add quirk for the Glavey TM800A550L + tablet + - [x86] ASoC: Intel: bytcr_rt5640: Add quirk for the Lenovo Miix 3-830 + tablet + - bonding: init notify_work earlier to avoid uninitialized use + - netlink: disable IRQs for netlink_lock_table() + - net: mdiobus: get rid of a BUG_ON() + - cgroup: disable controllers at parse time + - wq: handle VM suspension in stall detection + - net/qla3xxx: fix schedule while atomic in ql_sem_spinlock + - RDS tcp loopback connection can hang + - scsi: bnx2fc: Return failure if io_req is already in ABTS processing + - [x86] scsi: vmw_pvscsi: Set correct residual data length + - scsi: target: qla2xxx: Wait for stop_phase1 at WWN removal + - [arm64] net: macb: ensure the device is available before accessing GEMGXL + control registers + - nvme-fabrics: decode host pathing error for connect + - [mips*] Fix kernel hang under FUNCTION_GRAPH_TRACER and PREEMPT_TRACER + - bnx2x: Fix missing error code in bnx2x_iov_init_one() + - [powerpc*] i2c: mpc: Make use of i2c_recover_bus() + - [powerpc*] i2c: mpc: implement erratum A-004447 workaround + - drm: Fix use-after-free read in drm_getunique() + - drm: Lock pointer access in drm_master_release() + - kvm: avoid speculation-based attacks from out-of-range memslot accesses + - [arm64,x86] staging: rtl8723bs: Fix uninitialized variables + - btrfs: return value from btrfs_mark_extent_written() in case of error + - cgroup1: don't allow '\n' in renaming + - USB: f_ncm: ncm_bitrate (speed) is unsigned + - usb: f_ncm: only first packet of aggregate needs to start timer + - usb: pd: Set PD_T_SINK_WAIT_CAP to 310ms + - [arm64,armhf] usb: dwc3: ep0: fix NULL pointer 
exception + - [x86] usb: typec: ucsi: Clear PPM capability data in ucsi_init() error + path + - usb: gadget: f_fs: Ensure io_completion_wq is idle during unbind + - USB: serial: ftdi_sio: add NovaTech OrionMX product ID + - USB: serial: omninet: add device id for Zyxel Omni 56K Plus + - USB: serial: quatech2: fix control-request directions + - USB: serial: cp210x: fix alternate function for CP2102N QFN20 + - usb: gadget: eem: fix wrong eem header operation + - usb: fix various gadgets null ptr deref on 10gbps cabling. + - usb: fix various gadget panics on 10gbps cabling + - regulator: core: resolve supply for boot-on/always-on regulators + - [arm64] regulator: max77620: Use device_set_of_node_from_dev() + - RDMA/mlx4: Do not map the core_clock page to user space unless enabled + - perf: Fix data race between pin_count increment/decrement + - sched/fair: Make sure to update tg contrib for blocked load + - IB/mlx5: Fix initializing CQ fragments buffer + - NFS: Fix a potential NULL dereference in nfs_get_client() + - NFSv4: Fix deadlock between nfs4_evict_inode() and + nfs4_opendata_get_inode() + - perf session: Correct buffer copying when peeking events + - kvm: fix previous commit for 32-bit builds + - NFS: Fix use-after-free in nfs4_init_client() + - NFSv4: Fix second deadlock in nfs4_evict_inode() + - NFSv4: nfs4_proc_set_acl needs to restore NFS_CAP_UIDGID_NOMAP on error. 
+ - scsi: core: Fix error handling of scsi_host_alloc() + - scsi: core: Put .shost_dev in failure path if host state changes to + RUNNING + - scsi: core: Only put parent device if host state differs from + SHOST_CREATED + - ftrace: Do not blindly read the ip address in ftrace_bug() + - tracing: Correct the length check which causes memory corruption + - proc: only require mm_struct for writing + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.196 + - net: ieee802154: fix null deref in parse dev addr + - HID: quirks: Set INCREMENT_USAGE_ON_DUPLICATE for Saitek X65 + - HID: hid-sensor-hub: Return error for hid_set_field() failure + - HID: Add BUS_VIRTUAL to hid_connect logging + - HID: usbhid: fix info leak in hid_submit_ctrl + - gfs2: Prevent direct-I/O write fallback errors from getting lost + - gfs2: Fix use-after-free in gfs2_glock_shrink_scan + - scsi: target: core: Fix warning on realtime kernels + - ethernet: myri10ge: Fix missing error code in myri10ge_probe() + - scsi: scsi_devinfo: Add blacklist entry for HPE OPEN-V + - net: ipconfig: Don't override command-line hostnames or domains + - rtnetlink: Fix missing error code in rtnl_bridge_notify() + - net: Return the correct errno code + - fib: Return the correct errno code + - afs: Fix an IS_ERR() vs NULL check + - mm/memory-failure: make sure wait for page writeback in memory_failure + - batman-adv: Avoid WARN_ON timing related checks + - net: ipv4: fix memory leak in netlbl_cipsov4_add_std + - net: rds: fix memory leak in rds_recvmsg + - udp: fix race between close() and udp_abort() + - rtnetlink: Fix regression in bridge VLAN configuration + - net/mlx5e: Block offload of outer header csum for UDP tunnels + - netfilter: synproxy: Fix out of bounds when parsing TCP options + - sch_cake: Fix out of bounds when parsing TCP options and header + - alx: Fix an error handling path in 'alx_probe()' + - net: stmmac: dwmac1000: Fix extended MAC address registers definition + - net: add documentation to 
socket.c + - net: make get_net_ns return error if NET_NS is disabled + - qlcnic: Fix an error handling path in 'qlcnic_probe()' + - netxen_nic: Fix an error handling path in 'netxen_nic_probe()' + - ptp: ptp_clock: Publish scaled_ppm_to_ppb + - ptp: improve max_adj check against unreasonable values + - net: cdc_ncm: switch to eth%d interface naming + - net: usb: fix possible use-after-free in smsc75xx_bind + - [armhf] net: fec_ptp: fix issue caused by refactor the fec_devtype + - net: ipv4: fix memory leak in ip_mc_add1_src + - net/af_unix: fix a data-race in unix_dgram_sendmsg / unix_release_sock + - be2net: Fix an error handling path in 'be_probe()' + - net: hamradio: fix memory leak in mkiss_close + - net: cdc_eem: fix tx fixup skb leak + - icmp: don't send out ICMP messages with a source address of 0.0.0.0 + - radeon: use memcpy_to/fromio for UVD fw upload + - hwmon: (scpi-hwmon) shows the negative temperature properly + - can: mcba_usb: fix memory leak in mcba_usb + - usb: core: hub: Disable autosuspend for Cypress CY7C65632 + - tracing: Do not stop recording cmdlines when tracing is off + - tracing: Do not stop recording comms if the trace file is being read + - tracing: Do no increment trace_clock_global() by one + - PCI: Mark TI C667X to avoid bus reset + - PCI: Mark some NVIDIA GPUs to avoid bus reset + - PCI: Add ACS quirk for Broadcom BCM57414 NIC + - PCI: Work around Huawei Intelligent NIC VF FLR erratum + - [arm64,armhf] dmaengine: pl330: fix wrong usage of spinlock flags in + dma_cyclc + - net: bridge: fix vlan tunnel dst null pointer dereference + - net: bridge: fix vlan tunnel dst refcnt when egressing + - mm/slub: clarify verification reporting + - mm/slub.c: include swab.h + - [armhf] net: fec_ptp: add clock rate zero check + - [arm64,armhf] KVM: arm/arm64: Fix KVM_VGIC_V3_ADDR_TYPE_REDIST read + - can: bcm/raw/isotp: use per module netdevice notifier + - inet: use bigger hash table for IP ID generation + - [arm64,armhf] usb: dwc3: debugfs: Add 
and remove endpoint dirs dynamically + - [arm64,armhf] usb: dwc3: core: fix kernel panic when do reboot + - [x86] fpu: Reset state for all signal restore failures + - module: limit enabling module.sig_enforce (CVE-2021-35039) + - drm/nouveau: wait for moving fence after pinning v2 + - drm/radeon: wait for moving fence after pinning + - Revert "PCI: PM: Do not read power state in pci_enable_device_flags()" + - mac80211: remove warning in ieee80211_get_sband() + - cfg80211: call cfg80211_leave_ocb when switching away from OCB + - mac80211: drop multicast fragments + - net: ethtool: clear heap allocations for ethtool function + - ping: Check return value of function 'ping_queue_rcv_skb' + - inet: annotate date races around sk->sk_txhash + - net/packet: annotate accesses to po->bind + - net/packet: annotate accesses to po->ifindex + - r8152: Avoid memcpy() over-reading of ETH_SS_STATS + - r8169: Avoid memcpy() over-reading of ETH_SS_STATS + - net: qed: Fix memcpy() overflow of qed_dcbx_params() + - [x86] PCI: Add AMD RS690 quirk to enable 64-bit DMA + - nilfs2: fix memory leak in nilfs_sysfs_delete_device_group + - i2c: robotfuzz-osif: fix control-request directions + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.197 + - mm: add VM_WARN_ON_ONCE_PAGE() macro + - mm/rmap: remove unneeded semicolon in page_not_mapped() + - mm/rmap: use page_not_mapped in try_to_unmap() + - mm/thp: fix __split_huge_pmd_locked() on shmem migration entry + - mm/thp: make is_huge_zero_pmd() safe and quicker + - mm/thp: try_to_unmap() use TTU_SYNC for safe splitting + - mm/thp: fix vma_address() if virtual address below file offset + - mm/thp: fix page_address_in_vma() on file THP tails + - mm/thp: unmap_mapping_page() to fix THP truncate_cleanup_page() + - mm: thp: replace DEBUG_VM BUG with VM_WARN when unmap fails for split + - mm: page_vma_mapped_walk(): use page for pvmw->page + - mm: page_vma_mapped_walk(): settle PageHuge on entry + - mm: page_vma_mapped_walk(): use pmde 
for *pvmw->pmd + - mm: page_vma_mapped_walk(): prettify PVMW_MIGRATION block + - mm: page_vma_mapped_walk(): crossing page table boundary + - mm: page_vma_mapped_walk(): add a level of indentation + - mm: page_vma_mapped_walk(): use goto instead of while (1) + - mm: page_vma_mapped_walk(): get vma_address_end() earlier + - mm/thp: fix page_vma_mapped_walk() if THP mapped by ptes + - mm/thp: another PVMW_SYNC fix in page_vma_mapped_walk() + - mm, futex: fix shared futex pgoff on shmem huge page + - scsi: sr: Return appropriate error code when disk is ejected + - drm/nouveau: fix dma_address check for CPU/GPU sync + - ext4: eliminate bogus error in ext4_data_block_valid_rcu() + - kthread_worker: split code for canceling the delayed work timer + - kthread: prevent deadlock when kthread_mod_delayed_work() races with + kthread_cancel_delayed_work_sync() + - xen/events: reset active flag for lateeoi events later + - [x86] KVM: SVM: Call SEV Guest Decommission if ASID binding fails + - [armhf] OMAP: replace setup_irq() by request_irq() + - [armhf] clocksource/drivers/timer-ti-dm: Add clockevent and clocksource + support + - [armhf] clocksource/drivers/timer-ti-dm: Prepare to handle dra7 timer wrap + issue + - [armhf] clocksource/drivers/timer-ti-dm: Handle dra7 timer wrap errata + i940 + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.198 + - scsi: core: Retry I/O for Notify (Enable Spinup) Required error + - ALSA: usb-audio: fix rate on Ozone Z90 USB headset + - ALSA: usb-audio: Fix OOB access at proc output + - media: dvb-usb: fix wrong definition + - Input: usbtouchscreen - fix control-request directions + - net: can: ems_usb: fix use-after-free in ems_usb_disconnect() + - usb: gadget: eem: fix echo command packet response issue + - USB: cdc-acm: blacklist Heimann USB Appset device + - [arm64,armhf] usb: dwc3: Fix debugfs creation flow + - [x86] usb: typec: Add the missed altmode_id_remove() in + typec_register_altmode() + - xhci: solve a double free 
problem while doing s4 + - iov_iter_fault_in_readable() should do nothing in xarray case + - Input: joydev - prevent use of not validated data in JSIOCSBTNMAP ioctl + (CVE-2021-3612) + - [armel,armhf] arm_pmu: Fix write counter incorrect in ARMv7 big-endian + mode + - btrfs: send: fix invalid path for unlink operations after parent + orphanization + - btrfs: clear defrag status of a root if starting transaction fails + - ext4: cleanup in-core orphan list if ext4_truncate() failed to get a + transaction handle + - ext4: fix kernel infoleak via ext4_extent_header + - ext4: return error code when ext4_fill_flex_info() fails + - ext4: correct the cache_nr in tracepoint ext4_es_shrink_exit + - ext4: remove check for zero nr_to_scan in ext4_es_scan() + - ext4: fix avefreec in find_group_orlov + - ext4: use ext4_grp_locked_error in mb_find_extent + - can: gw: synchronize rcu operations before removing gw job entry + - can: peak_pciefd: pucan_handle_status(): fix a potential starvation issue + in TX path + - SUNRPC: Fix the batch tasks count wraparound. + - SUNRPC: Should wake up the privileged task firstly. 
+ - [s390x] cio: dont call css_wait_for_slow_path() inside a lock + - [x86] serial_cs: Add Option International GSM-Ready 56K/ISDN modem + - [x86] serial_cs: remove wrong GLOBETROTTER.cis entry + - ath9k: Fix kernel NULL pointer dereference during ath_reset_internal() + - ssb: sdio: Don't overwrite const buffer if block_write fails + - rsi: Assign beacon rate settings to the correct rate_info descriptor field + - rsi: fix AP mode with WPA failure due to encrypted EAPOL + - tracing/histograms: Fix parsing of "sym-offset" modifier + - tracepoint: Add tracepoint_probe_register_may_exist() for BPF tracing + - seq_buf: Make trace_seq_putmem_hex() support data longer than 8 + - [powerpc*] stacktrace: Fix spurious "stale" traces in + raise_backtrace_ipi() + - fuse: check connected before queueing on fpq->io + - spi: Make of_register_spi_device also set the fwnode + - [i386] spi: spi-topcliff-pch: Fix potential double free in + pch_spi_process_messages() + - media: cpia2: fix memory leak in cpia2_usb_probe + - media: pvrusb2: fix warning in pvr2_i2c_core_done + - [x86] crypto: qat - check return code of qat_hal_rd_rel_reg() + - [x86] crypto: qat - remove unused macro in FW loader + - sched/fair: Fix ascii art by relpacing tabs + - media: em28xx: Fix possible memory leak of em28xx struct + - media: v4l2-core: Avoid the dangling pointer in v4l2_fh_release + - media: bt8xx: Fix a missing check bug in bt878_probe + - media: dvd_usb: memory leak in cinergyt2_fe_attach + - mmc: via-sdmmc: add a check against NULL pointer dereference + - crypto: shash - avoid comparing pointers to exported functions under CFI + - media: dvb_net: avoid speculation from net slot + - media: siano: fix device register error path + - btrfs: fix error handling in __btrfs_update_delayed_inode + - btrfs: abort transaction if we fail to update the delayed inode + - btrfs: disable build on platforms having page size 256K + - [armhf] regulator: da9052: Ensure enough delay time for + .set_voltage_time_sel + 
- HID: do not use down_interruptible() when unbinding devices + - ACPI: processor idle: Fix up C-state latency if not ordered + - [x86] hv_utils: Fix passing zero to 'PTR_ERR' warning + - lib: vsprintf: Fix handling of number field widths in vsscanf + - ACPI: EC: Make more Asus laptops use ECDT _GPE + - block_dump: remove block_dump feature in mark_inode_dirty() + - fs: dlm: cancel work sync othercon + - random32: Fix implicit truncation warning in prandom_seed_state() + - fs: dlm: fix memory leak when fenced + - ACPICA: Fix memory leak caused by _CID repair function + - ACPI: bus: Call kobject_put() in acpi_init() error path + - [x86] platform/x86: toshiba_acpi: Fix missing error code in + toshiba_acpi_setup_keyboard() + - clocksource: Retry clock read if long delays detected + - HID: wacom: Correct base usage for capacitive ExpressKey status bits + - [armhf] sata_highbank: fix deferred probing + - [mips*] pata_octeon_cf: avoid WARN_ON() in ata_host_activate() + - [x86] crypto: ccp - Fix a resource leak in an error handling path + - media: rc: i2c: Fix an error message + - media: gspca/gl860: fix zero-length control requests + - media: siano: Fix out-of-bounds warnings in + smscore_load_firmware_family2() + - btrfs: clear log tree recovering status if starting transaction fails + - [armhf] spi: spi-sun6i: Fix chipselect/clock bug + - ACPI: sysfs: Fix a buffer overrun problem with description_show() + - blk-wbt: introduce a new disable state to prevent false positive by + rwb_enabled() + - blk-wbt: make sure throttle is enabled properly + - ocfs2: fix snprintf() checking + - [arm64,armhf] net: mvpp2: Put fwnode in error case during ->probe() + - [i386] net: pch_gbe: Propagate error from devm_gpio_request_one() + - [arm64] drm/rockchip: cdn-dp-core: add missing clk_disable_unprepare() on + error in cdn_dp_grf_write() + - RDMA/rxe: Fix failure during driver load + - drm: qxl: ensure surf.data is ininitialized + - ieee802154: hwsim: Fix possible memory leak in 
hwsim_subscribe_all_others + - [arm64] wcn36xx: Move hal_buf allocation to devm_kmalloc in probe + - ssb: Fix error return code in ssb_bus_scan() + - brcmfmac: fix setting of station info chains bitmask + - brcmfmac: correctly report average RSSI in station info + - brcmsmac: mac80211_if: Fix a resource leak in an error handling path + - ath10k: Fix an error code in ath10k_add_interface() + - RDMA/mlx5: Don't add slave port to unaffiliated list + - netfilter: nft_exthdr: check for IPv6 packet before further processing + - netfilter: nft_osf: check for TCP packet before further processing + - netfilter: nft_tproxy: restrict support to TCP and UDP transport protocols + - RDMA/rxe: Fix qp reference counting for atomic ops + - pkt_sched: sch_qfq: fix qfq_change_class() error path + - vxlan: add missing rcu_read_lock() in neigh_reduce() + - net/ipv4: swap flow ports when validating source + - ieee802154: hwsim: Fix memory leak in hwsim_add_one + - ieee802154: hwsim: avoid possible crash in hwsim_del_edge_nl() + - mac80211: remove iwlwifi specific workaround NDPs of null_response + - ipv6: exthdrs: do not blindly use init_net + - bpf: Do not change gso_size during bpf_skb_change_proto() + - i40e: Fix error handling in i40e_vsi_open + - i40e: Fix autoneg disabling for non-10GBaseT links + - ipv6: fix out-of-bound access in ip6_parse_tlv() + - Bluetooth: mgmt: Fix slab-out-of-bounds in tlv_data_is_valid + - Bluetooth: Fix handling of HCI_LE_Advertising_Set_Terminated event + - writeback: fix obtain a reference to a freeing memcg css + - net: lwtunnel: handle MTU calculation in forwading + - net: sched: fix warning in tcindex_alloc_perfect_hash + - RDMA/mlx5: Don't access NULL-cleared mpi pointer + - tty: nozomi: Fix a resource leak in an error handling function + - mwifiex: re-fix for unaligned accesses + - [arm64] ASoC: hisilicon: fix missing clk_disable_unprepare() on error in + hi6210_i2s_startup() + - [x86] char: pcmcia: error out if 'num_bytes_read' is greater than 4 
in + set_protocol() + - tty: nozomi: Fix the error handling path of 'nozomi_card_init()' + - scsi: FlashPoint: Rename si_flags field + - serial: 8250: Actually allow UPF_MAGIC_MULTIPLIER baud rates + - of: Fix truncation of memory sizes on 32-bit platforms + - [armhf] mtd: rawnand: marvell: add missing clk_disable_unprepare() on + error in marvell_nfc_resume() + - scsi: mpt3sas: Fix error return value in _scsih_expander_add() + - configfs: fix memleak in configfs_release_bin_file + - [powerpc*] Offline CPU in stop_this_cpu() + - [arm64] serial: mvebu-uart: correctly calculate minimal possible baudrate + - vfio/pci: Handle concurrent vma faults + - mm/huge_memory.c: don't discard hugepage if other processes are mapping it + - mmc: block: Disable CMDQ on the ioctl path + - mmc: vub3000: fix control-request direction + - drm/amd/amdgpu/sriov disable all ip hw status by default + - [i386] net: pch_gbe: Use proper accessors to BE data in pch_ptp_match() + - hugetlb: clear huge pte during flush function on mips platform + - atm: iphase: fix possible use-after-free in ia_module_exit() + - mISDN: fix possible use-after-free in HFC_cleanup() + - atm: nicstar: Fix possible use-after-free in nicstar_cleanup() + - net: Treat __napi_schedule_irqoff() as __napi_schedule() on PREEMPT_RT + - reiserfs: add check for invalid 1st journal block + - drm/virtio: Fix double free on probe failure + - udf: Fix NULL pointer dereference in udf_symlink function + - e100: handle eeprom as little endian + - [arm64,armhf] clk: tegra: Ensure that PLLU configuration is applied + properly + - ipv6: use prandom_u32() for ID generation + - RDMA/cxgb4: Fix missing error code in create_qp() + - dm space maps: don't reset space map allocation cursor when committing + - [armhf] pinctrl: mcp23s08: fix race condition in irq handler + - ice: set the value of global config lock timeout longer + - virtio_net: Remove BUG() to avoid machine dead + - [arm64,armhf] net: mvpp2: check return value after calling + 
platform_get_resource() + - [amd64] fjes: check return value after calling platform_get_resource() + - selinux: use __GFP_NOWARN with GFP_NOWAIT in the AVC + - xfrm: Fix error reporting in xfrm_state_construct. + - [arm64,armhf] wlcore/wl12xx: Fix wl12xx get_mac error if device is in ELP + - [arm64,armhf] wl1251: Fix possible buffer overflow in wl1251_cmd_scan + - net: fix mistake path for netdev_features_strings + - rtl8xxxu: Fix device info for RTL8192EU devices + - atm: nicstar: use 'dma_free_coherent' instead of 'kfree' + - atm: nicstar: register the interrupt handler in the right place + - vsock: notify server to shutdown when client has pending signal + - RDMA/rxe: Don't overwrite errno from ib_umem_get() + - iwlwifi: mvm: don't change band on bound PHY contexts + - iwlwifi: pcie: free IML DMA memory allocation + - sfc: avoid double pci_remove of VFs + - sfc: error code if SRIOV cannot be disabled + - wireless: wext-spy: Fix out-of-bounds warning + - net: ip: avoid OOM kills with large UDP sends over loopback + - RDMA/cma: Fix rdma_resolve_route() memory leak + - Bluetooth: Fix the HCI to MGMT status conversion table + - Bluetooth: Shutdown controller after workqueues are flushed or cancelled + - Bluetooth: btusb: fix bt fiwmare downloading failure issue for qca btsoc. 
+ - sctp: validate from_addr_param return (CVE-2021-3655) + - sctp: add size validation when walking chunks (CVE-2021-3655) + - fscrypt: don't ignore minor_hash when hash is 0 + - bdi: Do not use freezable workqueue + - [arm64] serial: mvebu-uart: clarify the baud rate derivation + - [arm64] serial: mvebu-uart: fix calculation of clock divisor + - fuse: reject internal errno + - [powerpc*] barrier: Avoid collision with clang's __lwsync macro + - usb: gadget: f_fs: Fix setting of device and driver data cross-references + - drm/radeon: Add the missed drm_gem_object_put() in + radeon_user_framebuffer_create() + - pinctrl/amd: Add device HID for new AMD GPIO controller + - [arm64] drm/msm/mdp4: Fix modifier support enabling + - mmc: sdhci: Fix warning message when accessing RPMB in HS400 mode + - mmc: core: clear flags before allowing to retune + - mmc: core: Allow UHS-I voltage switch for SDSC cards if supported + - [armhf] ata: ahci_sunxi: Disable DIPM + - cpu/hotplug: Cure the cpusets trainwreck + - [arm64,armhf] clocksource/arm_arch_timer: Improve Allwinner A64 timer + workaround + - [arm64,armhf] ASoC: tegra: Set driver_name=tegra for all machine drivers + - qemu_fw_cfg: Make fw_cfg_rev_attr a proper kobj_attribute + - ipmi/watchdog: Stop watchdog timer when the current action is 'none' + - seq_buf: Fix overflow in seq_buf_putmem_hex() + - tracing: Simplify & fix saved_tgids logic + - tracing: Resize tgid_map to pid_max, not PID_MAX_DEFAULT + - dm btree remove: assign new_root only when removal succeeds + - PCI: Leave Apple Thunderbolt controllers on for s2idle or standby + - [arm64] PCI: aardvark: Fix checking for PIO Non-posted Request + - media: subdev: disallow ioctl for saa6588/davinci + - media: dtv5100: fix control-request directions + - media: zr364xx: fix memory leak in zr364xx_start_readpipe + - media: gspca/sq905: fix control-request direction + - media: gspca/sunplus: fix zero-length control requests + - media: uvcvideo: Fix pixel format change for 
Elgato Cam Link 4K + - [armhf] pinctrl: mcp23s08: Fix missing unlock on error in mcp23s08_irq() + - jfs: fix GPF in diFree + - [x86] KVM: x86: Use guest MAXPHYADDR from CPUID.0x8000_0008 iff TDP is + enabled + - [x86] KVM: X86: Disable hardware breakpoints unconditionally before + kvm_x86->run() + - scsi: core: Fix bad pointer dereference when ehandler kthread is invalid + - tracing: Do not reference char * as a string in histograms + - [arm64] PCI: aardvark: Don't rely on jiffies while holding spinlock + - [arm64] PCI: aardvark: Fix kernel panic during PIO transfer + - [x86] misc/libmasm/module: Fix two use after free in ibmasm_init_one + - Revert "ALSA: bebob/oxfw: fix Kconfig entry for Mackie d.2 Pro" + - w1: ds2438: fixing bug that would always get page0 + - scsi: lpfc: Fix "Unexpected timeout" error in direct attach topology + - scsi: lpfc: Fix crash when lpfc_sli4_hba_setup() fails to initialize the + SGLs + - scsi: core: Cap scsi_host cmd_per_lun at can_queue + - [x86] tty: serial: 8250: serial_cs: Fix a memory leak in error handling + path + - scsi: scsi_dh_alua: Check for negative result value + - fs/jfs: Fix missing error code in lmLogInit() + - scsi: iscsi: Add iscsi_cls_conn refcount helpers + - scsi: iscsi: Fix conn use after free during resets + - scsi: iscsi: Fix shost->max_id use + - scsi: qedi: Fix null ref during abort handling + - [armhf] mfd: da9052/stmpe: Add and modify MODULE_DEVICE_TABLE + - [s390x] sclp_vt220: fix console name to match device (Closes: #961056) + - [i386] ALSA: sb: Fix potential double-free of CSP mixer elements + - [powerpc*] ps3: Add dma_mask to ps3_dma_region + - [arm64] gpio: zynq: Check return value of pm_runtime_get_sync + - [arm64,armhf] gpio: pca953x: Add support for the On Semi pca9655 + - ASoC: soc-core: Fix the error return code in + snd_soc_of_parse_audio_routing() + - ALSA: bebob: add support for ToneWeal FW66 + - usb: gadget: f_hid: fix endianness issue with descriptors + - [powerpc*] boot: Fixup device-tree on 
little endian + - [arm64,armhf] ALSA: hda: Add IRQ check for platform_get_irq() + - [x86] intel_th: Wait until port is in reset before programming it + - i2c: core: Disable client irq on reboot/shutdown + - lib/decompress_unlz4.c: correctly handle zero-padding around initrds. + - [x86] power: supply: max17042: Do not enforce (incorrect) interrupt + trigger type + - [armel,armhf] power: reset: gpio-poweroff: add missing MODULE_DEVICE_TABLE + - [x86] watchdog: Fix possible use-after-free in wdt_startup() + - [x86] watchdog: Fix possible use-after-free by calling del_timer_sync() + - [x86] watchdog: iTCO_wdt: Account for rebooting on second timeout + - [x86] fpu: Return proper error codes from user access functions + - [arm64,armhf] PCI: tegra: Add missing MODULE_DEVICE_TABLE + - orangefs: fix orangefs df output. + - ceph: remove bogus checks and WARN_ONs from ceph_set_page_dirty + - NFS: nfs_find_open_context() may only select open files + - [arm64,armhf] pwm: tegra: Don't modify HW state in .remove callback + - [arm64] ACPI: AMBA: Fix resource name in /proc/iomem + - [x86] ACPI: video: Add quirk for the Dell Vostro 3350 + - virtio-blk: Fix memory leak among suspend/resume procedure + - virtio_net: Fix error handling in virtnet_restore() + - virtio_console: Assure used length from device is limited (CVE-2021-38160) + - f2fs: add MODULE_SOFTDEP to ensure crc32 is included in the initramfs + - PCI/sysfs: Fix dsm_label_utf16s_to_utf8s() buffer overrun + - NFSv4: Initialise connection to the server in nfs4_alloc_client() + (CVE-2021-38199) + - nfs: fix acl memory leak of posix_acl_create() + - ubifs: Set/Clear I_LINKABLE under i_lock for whiteout inode + - [x86] fpu: Limit xstate copy size in xstateregs_set() + - virtio_net: move tx vq operation under tx queue lock + - [i386] ALSA: isa: Fix error return code in snd_cmi8330_probe() + - NFSv4/pNFS: Don't call _nfs4_pnfs_v3_ds_connect multiple times + - rtc: fix snprintf() checking in is_rtc_hctosys() + - [arm64,armhf] 
reset: bail if try_module_get() fails + - [armhf] dts: am335x: align ti,pindir-d0-out-d1-in property with dt-shema + - scsi: be2iscsi: Fix an error handling path in beiscsi_dev_probe() + - net: bridge: multicast: fix PIM hello router port marking race + - scsi: scsi_dh_alua: Fix signedness bug in alua_rtpg() + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.199 + - [armhf] dts: rockchip: fix pinctrl sleep nodename for rk3036-kylin and + rk3288 + - [armhf] imx: pm-imx5: Fix references to imx5_cpu_suspend_info + - [armhf] dts: rockchip: fix supply properties in io-domains nodes + - [arm64,armhf] soc/tegra: fuse: Fix Tegra234-only builds + - thermal/core: Correct function name thermal_zone_device_unregister() + - [arm64,armhf] rtc: max77686: Do not enforce (incorrect) interrupt trigger + type + - scsi: aic7xxx: Fix unintentional sign extension issue on left shift of u8 + - scsi: libsas: Add LUN number check in .slave_alloc callback + - scsi: libfc: Fix array index out of bound exception + - sched/fair: Fix CFS bandwidth hrtimer expiry type + - mm: slab: fix kmem_cache_create failed when sysfs node not destroyed + - dm writecache: return the exact table values that were set + - dm writecache: fix writing beyond end of underlying device when shrinking + - [arm64,armhf] net: dsa: mv88e6xxx: enable .rmu_disable() on Topaz + - net: ipv6: fix return value of ip6_skb_dst_mtu + - netfilter: ctnetlink: suspicious RCU usage in ctnetlink_dump_helpinfo + - net: bridge: sync fdb to new unicast-filtering ports + - [arm64] net: qcom/emac: fix UAF in emac_remove + - net: ti: fix UAF in tlan_remove_one + - net: send SYNACK packet with accepted fwmark + - net: validate lwtstate->data before returning from skb_tunnel_info() + - dma-buf/sync_file: Don't leak fences on merge failure + - tcp: annotate data races around tp->mtu_info + - ipv6: tcp: drop silly ICMPv6 packet too big messages + - udp: annotate data races around unix_sk(sk)->gso_size + - net: ip_tunnel: fix mtu 
calculation for ETHER tunnel devices + - igb: Fix use-after-free error during reset + - ixgbe: Fix an error handling path in 'ixgbe_probe()' + - igb: Fix an error handling path in 'igb_probe()' + - e1000e: Fix an error handling path in 'e1000_probe()' + - iavf: Fix an error handling path in 'iavf_probe()' + - igb: Check if num of q_vectors is smaller than max before array access + - igb: Fix position of assignment to *ring + - ipv6: fix 'disable_policy' for fwd packets + - nvme-pci: do not call nvme_dev_remove_admin from nvme_remove + - liquidio: Fix unintentional sign extension issue on left shift of u16 + - net: fix uninit-value in caif_seqpkt_sendmsg + - net: decnet: Fix sleeping inside in af_decnet + - [powerpc*] KVM: PPC: Fix kvm_arch_vcpu_ioctl vcpu_load leak + - netrom: Decrease sock refcount when sock timers expire + - scsi: iscsi: Fix iface sysfs attr detection + - scsi: target: Fix protect handling in WRITE SAME(32) + - net/tcp_fastopen: fix data races around tfo_active_disable_stamp + - net/sched: act_skbmod: Skip non-Ethernet packets + - nvme-pci: don't WARN_ON in nvme_reset_work if ctrl.state is not RESETTING + - Revert "USB: quirks: ignore remote wake-up on Fibocom L850-GL LTE modem" + - sctp: update active_key for asoc when old key is being replaced + - net: sched: cls_api: Fix the the wrong parameter + - [arm64,armhf] drm/panel: raspberrypi-touchscreen: Prevent double-free + - proc: Avoid mixing integer types in mem_rw() + - [s390x] ftrace: fix ftrace_update_ftrace_func implementation + - ALSA: usb-audio: Add registration quirk for JBL Quantum headsets + - [i386] ALSA: sb: Fix potential ABBA deadlock in CSP driver + - xhci: Fix lost USB 2 remote wake + - [powerpc*] KVM: PPC: Book3S: Fix H_RTAS rets buffer overflow + (CVE-2021-37576) + - usb: hub: Disable USB 3 device initiated lpm if exit latency is too high + - usb: hub: Fix link power management max exit latency (MEL) calculations + - USB: usb-storage: Add LaCie Rugged USB3-FW to IGNORE_UAS + - 
USB: serial: option: add support for u-blox LARA-R6 family + - USB: serial: cp210x: fix comments for GE CS1000 + - USB: serial: cp210x: add ID for CEL EM3588 USB ZigBee stick + - [arm*] usb: dwc2: gadget: Fix sending zero length packet in DDMA mode. + - tracing: Fix bug in rb_per_cpu_empty() that might cause deadloop. + (CVE-2021-3679) + - media: ngene: Fix out-of-bounds bug in ngene_command_config_free_buf() + - ixgbe: Fix packet corruption due to missing DMA sync + - drm: Return -ENOTTY for non-drm ioctls + - KVM: do not assume PTE is writable after follow_pfn + - KVM: do not allow mapping valid but non-reference-counted pages + (CVE-2021-22543) + - KVM: Use kvm_pfn_t for local PFN variable in hva_to_pfn_remapped() + - [arm64,armhf] net: dsa: mv88e6xxx: use correct .stats_set_histogram() on + Topaz + - btrfs: compression: don't try to compress if we don't have enough pages + - PCI: Mark AMD Navi14 GPU ATS as broken + - xhci: add xhci_get_virt_ep() helper + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.200 + - [x86] KVM: determine if an exception has an error code only when injecting + it. 
+ - net: split out functions related to registering inflight socket files + - af_unix: fix garbage collect vs MSG_PEEK + - workqueue: fix UAF in pwq_unbound_release_workfn() + - net/802/mrp: fix memleak in mrp_request_join() + - net/802/garp: fix memleak in garp_request_join() + - net: annotate data race around sk_ll_usec + - sctp: move 198 addresses from unusable to private scope + - hfs: add missing clean-up in hfs_fill_super + - hfs: fix high memory mapping in hfs_bnode_read + - hfs: add lock nesting notation to hfs_find_init + - cifs: fix the out of range assignment to bit fields in + parse_server_interfaces + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.201 + - virtio_net: Do not pull payload in skb->head + - gro: ensure frag0 meets IP header alignment + - [x86] asm: Ensure asm/proto.h can be included stand-alone + - btrfs: fix rw device counting in __btrfs_free_extra_devids + - [x86] kvm: fix vcpu-id indexed array sizes + - ocfs2: fix zero out valid data + - ocfs2: issue zeroout to EOF blocks + - can: raw: raw_setsockopt(): fix raw_rcv panic for sock UAF + - can: mcba_usb_start(): add missing urb->transfer_dma initialization + - can: usb_8dev: fix memory leak + - can: ems_usb: fix memory leak + - can: esd_usb2: fix memory leak + - NIU: fix incorrect error return, missed in previous revert + - nfc: nfcsim: fix use after free during module unload + - cfg80211: Fix possible memory leak in function cfg80211_bss_update + - netfilter: conntrack: adjust stop timestamp to real expiry value + - netfilter: nft_nat: allow to specify layer 4 protocol NAT only + - i40e: Fix logic of disabling queues + - i40e: Fix log TC creation failure when max num of queues is exceeded + - tipc: fix sleeping in tipc accept routine + - mlx4: Fix missing error code in mlx4_load_one() + - net: llc: fix skb_over_panic + - net/mlx5: Fix flow table chaining + - sctp: fix return value check in __sctp_rcv_asconf_lookup + - tulip: windbond-840: Fix missing pci_disable_device() in 
probe and remove + - sis900: Fix missing pci_disable_device() in probe and remove + - [powerpc*] pseries: Fix regression while building external modules + - i40e: Add additional info to PHY type error + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.202 + - btrfs: mark compressed range uptodate only if all bio succeed + - r8152: Fix potential PM refcount imbalance + - qed: fix possible unpaired spin_{un}lock_bh in _qed_mcp_cmd_and_union() + - net: Fix zero-copy head len calculation. + - bdi: move bdi_dev_name out of line + - bdi: use bdi_dev_name() to get device name + - bdi: add a ->dev_name field to struct backing_dev_info + - Revert "Bluetooth: Shutdown controller after workqueues are flushed or + cancelled" + - [x86] Revert "watchdog: iTCO_wdt: Account for rebooting on second timeout" + - padata: validate cpumask without removed CPU during offline + - padata: add separate cpuhp node for CPUHP_PADATA_DEAD + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.203 + - Revert "ACPICA: Fix memory leak caused by _CID repair function" + - ALSA: seq: Fix racy deletion of subscriber + - [armhf] imx: add missing iounmap() + - ALSA: usb-audio: fix incorrect clock source setting + - scsi: sr: Return correct event when media event code is 3 + - media: videobuf2-core: dequeue if start_streaming fails + - net: natsemi: Fix missing pci_disable_device() in probe and remove + - sctp: move the active_key update after sh_keys is added + - nfp: update ethtool reporting of pauseframe control + - net: ipv6: fix returned variable type in ip6_skb_dst_mtu + - bnx2x: fix an error code in bnx2x_nic_load() + - net: pegasus: fix uninit-value in get_interrupt_interval + - [armhf] net: fec: fix use-after-free in fec_drv_remove + - net: vxge: fix use-after-free in vxge_device_unregister + - Bluetooth: defer cleanup of resources in hci_unregister_dev() + - USB: usbtmc: Fix RCU stall warning + - USB: serial: option: add Telit FD980 composition 0x1056 + - USB: serial: ch341: 
fix character loss at high transfer rates + - USB: serial: ftdi_sio: add device ID for Auto-M3 OP-COM v2 + - firmware_loader: use -ETIMEDOUT instead of -EAGAIN in + fw_load_sysfs_fallback + - firmware_loader: fix use-after-free in firmware_fallback_sysfs + - ALSA: usb-audio: Add registration quirk for JBL Quantum 600 + - usb: gadget: f_hid: added GET_IDLE and SET_IDLE handlers + - usb: gadget: f_hid: fixed NULL pointer dereference + - usb: gadget: f_hid: idle uses the highest byte for duration + - tracing/histogram: Rename "cpu" to "common_cpu" + - [arm64] optee: Clear stale cache entries during initialization + - staging: rtl8723bs: Fix a resource leak in sd_int_dpc + - media: rtl28xxu: fix zero-length control request + - pipe: increase minimum default pipe size to 2 pages + - ext4: fix potential htree corruption when growing large_dir directories + - serial: 8250: Mask out floating 16/32-bit bus bits + - [mips*] Malta: Do not byte-swap accesses to the CBUS UART + - [x86] pcmcia: i82092: fix a null pointer dereference bug + - [x86] KVM: accept userspace interrupt only if no event is injected + - [x86] KVM: x86/mmu: Fix per-cpu counter corruption on 32-bit builds + - [armhf] spi: meson-spicc: fix memory leak in meson_spicc_remove + - qmi_wwan: add network device usage statistics for qmimux devices + - libata: fix ata_pio_sector for CONFIG_HIGHMEM + - reiserfs: add check for root_inode in reiserfs_fill_super + - reiserfs: check directory items on read from disk + - net/qla3xxx: fix schedule while atomic in ql_wait_for_drvr_lock and + ql_adapter_reset + - [armhf] imx: add mmdc ipg clock operation for mmdc + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.204 + - [x86] KVM: SVM: Fix off-by-one indexing when nullifying last used SEV VMCB + - bpf: Inherit expanded/patched seen count from old aux data + (CVE-2021-33624) + - bpf: Do not mark insn as seen under speculative path verification + (CVE-2021-33624) + - bpf: Fix leakage under speculation on 
mispredicted branches + (CVE-2021-33624) + - [x86] KVM: MMU: Use the correct inherited permissions to get shadow page + (CVE-2021-38198) + - USB:ehci:fix Kunpeng920 ehci hardware problem + - ppp: Fix generating ppp unit id when ifname is not specified + - ovl: prevent private clone if bind mount is not allowed CVE-2021-3732) + - net: xilinx_emaclite: Do not print real IOMEM pointer (CVE-2021-38205) + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.205 + - [x86] ASoC: intel: atom: Fix reference to PCM buffer address + - i2c: dev: zero out array used for i2c reads from userspace + - [amd64,arm64] ACPI: NFIT: Fix support for virtual SPA ranges + - ieee802154: hwsim: fix GPF in hwsim_set_edge_lqi + - ieee802154: hwsim: fix GPF in hwsim_new_edge_nl + - ppp: Fix generating ifname when empty IFLA_IFNAME is specified + - net: Fix memory leak in ieee802154_raw_deliver + - net: igmp: fix data-race in igmp_ifc_timer_expire() + - net: bridge: fix memleak in br_add_if() + - tcp_bbr: fix u32 wrap bug in round logic if bbr_init() called after 2B + packets + - net: igmp: increase size of mr_ifc_count + - xen/events: Fix race in set_evtchn_to_irq + - vsock/virtio: avoid potential deadlock when vsock device remove + - [powerpc*] kprobes: Fix kprobe Oops happens in booke + - genirq: Provide IRQCHIP_AFFINITY_PRE_STARTUP + - [x86] msi: Force affinity setup before startup + - [x86] ioapic: Force affinity setup before startup + - genirq/msi: Ensure deactivation on teardown + - PCI/MSI: Enable and mask MSI-X early + - PCI/MSI: Do not set invalid bits in MSI mask + - PCI/MSI: Correct misleading comments + - PCI/MSI: Use msi_mask_irq() in pci_msi_shutdown() + - PCI/MSI: Protect msi_desc::masked for multi-MSI + - PCI/MSI: Mask all unused MSI-X entries + - PCI/MSI: Enforce that MSI-X table entry is masked for update + - PCI/MSI: Enforce MSI[X] entry updates to be visible + - [amd64] iommu/vt-d: Fix agaw for a supported 48 bit guest address width + - mac80211: drop data frames 
without key on encrypted links + - [x86] KVM: nSVM: always intercept VMLOAD/VMSAVE when nested + (CVE-2021-3656) + - [x86] KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl + (CVE-2021-3653) + - [x86] fpu: Make init_fpstate correct with optimized XSAVE + - ath: Use safer key clearing with key cache entries (CVE-2020-3702) + - ath9k: Clear key cache explicitly on disabling hardware (CVE-2020-3702) + - ath: Export ath_hw_keysetmac() (CVE-2020-3702) + - ath: Modify ath_key_delete() to not need full key entry (CVE-2020-3702) + - ath9k: Postpone key cache entry deletion for TXQ frames reference it + (CVE-2020-3702) + - dmaengine: of-dma: router_xlate to return -EPROBE_DEFER if controller is + not yet available + - scsi: megaraid_mm: Fix end of loop tests for list_for_each_entry() + - scsi: scsi_dh_rdac: Avoid crash during rdac_bus_attach() + - scsi: core: Avoid printing an error if target_alloc() returns -ENXIO + - net: usb: lan78xx: don't modify phy_device state concurrently + - Bluetooth: hidp: use correct wait queue when removing ctrl_wait + - [arm64] cpufreq: armada-37xx: forbid cpufreq for 1.2 GHz variant + - vhost: Fix the calculation in vhost_overflow() + - bnxt: don't lock the tx queue from napi poll + - bnxt: disable napi before canceling DIM + - net: 6pack: fix slab-out-of-bounds in decode_data + - net: qlcnic: add missed unlock in qlcnic_83xx_flash_read32 + - [arm64,armhf] net: mdio-mux: Don't ignore memory allocation errors + - [arm64,armhf] net: mdio-mux: Handle -EPROBE_DEFER correctly + - [arm64,armhf] mmc: dw_mmc: Fix hang on data CRC error + - ALSA: hda - fix the 'Capture Switch' value change notifications + - btrfs: prevent rename2 from exchanging a subvol with a directory from + different parents + - PCI: Increase D3 delay for AMD Renoir/Cezanne XHCI + - [x86] ASoC: intel: atom: Fix breakage for PCM buffer address setup + - locks: print a warning when mount fails due to lack of "mand" support + - fs: warn about impending deprecation of 
mandatory locks + - netfilter: nft_exthdr: fix endianness of tcp option cast + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.206 + - net: qrtr: fix another OOB Read in qrtr_endpoint_post (CVE-2021-3743) + - bpf: Do not use ax register in interpreter on div/mod + - bpf: Fix 32 bit src register truncation on div/mod (CVE-2021-3600) + - bpf: Fix truncation handling for mod32 dst reg wrt zero (CVE-2021-3444) + - netfilter: conntrack: collect all entries in one cycle + - once: Fix panic when module unload + - can: usb: esd_usb2: esd_usb2_rx_event(): fix the interchange of the CAN RX + and TX error counters + - Revert "USB: serial: ch341: fix character loss at high transfer rates" + - USB: serial: option: add new VID/PID to support Fibocom FG150 + - [arm64,armhf] usb: dwc3: gadget: Fix dwc3_calc_trbs_left() + - [arm64,armhf] usb: dwc3: gadget: Stop EP0 transfers during pullup disable + - [amd64] IB/hfi1: Fix possible null-pointer dereference in + _extend_sdma_tx_descs() + - e1000e: Fix the max snoop/no-snoop latency for 10M + - ip_gre: add validation for csum_start + - [arm64] xgene-v2: Fix a resource leak in the error handling path of + 'xge_probe()' + - [arm64,armhf] net: marvell: fix MVNETA_TX_IN_PRGRS bit number + - [arm64] net: hns3: fix get wrong pfc_en when query PFC configuration + - usb: gadget: u_audio: fix race condition on endpoint stop + - opp: remove WARN when no valid OPPs remain + - virtio: Improve vq->broken access to avoid any compiler optimization + - virtio_pci: Support surprise removal of virtio pci device + - [amd64] vringh: Use wiov->used to check for read/write desc order + - qed: qed ll2 race condition fixes + - qed: Fix null-pointer dereference in qed_rdma_create_qp() + - drm: Copy drm_wait_vblank to user before returning + - drm/nouveau/disp: power down unused DP links during init + - net/rds: dma_map_sg is entitled to merge entries + - vt_kdsetmode: extend console locking (CVE-2021-3753) + - fbmem: add margin check to 
fb_check_caps() + - [x86] KVM: x86/mmu: Treat NX as used (not reserved) for all !TDP shadow + MMUs + - Revert "floppy: reintroduce O_NDELAY fix" + - net: don't unconditionally copy_from_user a struct ifreq for socket ioctls + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.207 + - ext4: fix race writing to an inline_data file while its xattrs are + changing (CVE-2021-40490) + - [armhf] gpu: ipu-v3: Fix i.MX IPU-v3 offset calculations for (semi)planar + U/V formats + - qed: Fix the VF msix vectors flow + - [arm64] net: macb: Add a NULL check on desc_ptp + - qede: Fix memset corruption + - [x86] perf/x86/intel/pt: Fix mask of num_address_ranges + - [x86] perf/x86/amd/ibs: Work around erratum #1197 + - [armel,armhf] 8918/2: only build return_address() if needed + - ALSA: pcm: fix divide error in snd_pcm_lib_ioctl + - clk: fix build warning for orphan_list + - media: stkwebcam: fix memory leak in stk_camera_probe + - [armhf] imx: add missing clk_disable_unprepare() + - [armhf] imx: fix missing 3rd argument in macro imx_mmdc_perf_init + - igmp: Add ip_mc_list lock in ip_check_mc_rcu + - ipv4/icmp: l3mdev: Perform icmp error route lookup on source device + routing table (v2) + - SUNRPC/nfs: Fix return value for nfs4_callback_compound() + - [powerpc*] module64: Fix comment in R_PPC64_ENTRY handling + - [powerpc*] boot: Delete unneeded .globl _zimage_start + - mm/page_alloc: speed up the iteration of max_order + - Revert "btrfs: compression: don't try to compress if we don't have enough + pages" + - ALSA: usb-audio: Add registration quirk for JBL Quantum 800 + - [x86] reboot: Limit Dell Optiplex 990 quirk to early BIOS versions + - PCI: Call Max Payload Size-related fixup quirks early + - locking/mutex: Fix HANDOFF condition + - regmap: fix the offset of register error log + - sched/deadline: Fix reset_on_fork reporting of DL tasks + - power: supply: axp288_fuel_gauge: Report register-address on readb / + writeb errors + - sched/deadline: Fix missing clock 
update in migrate_task_rq_dl() + - hrtimer: Avoid double reprogramming in __hrtimer_start_range_ns() + - udf: Check LVID earlier + - isofs: joliet: Fix iocharset=utf8 mount option + - bcache: add proper error unwinding in bcache_device_init + - nvme-rdma: don't update queue count when failing to set io queues + - [x86] power: supply: max17042_battery: fix typo in MAx17042_TOFF + - [s390x] cio: add dev_busid sysfs entry for each subchannel + - libata: fix ata_host_start() + - [x86] crypto: qat - do not ignore errors from enable_vf2pf_comms() + - [x86] crypto: qat - handle both source of interrupt in VF ISR + - [x86] crypto: qat - fix reuse of completion variable + - [x86] crypto: qat - fix naming for init/shutdown VF to PF notifications + - [x86] crypto: qat - do not export adf_iov_putmsg() + - fcntl: fix potential deadlock for &fasync_struct.fa_lock + - udf_get_extendedattr() had no boundary checks. + - lib/mpi: use kcalloc in mpi_resize + - [x86] crypto: qat - use proper type for vf_mask + - media: dvb-usb: fix uninit-value in dvb_usb_adapter_dvb_init + - media: dvb-usb: fix uninit-value in vp702x_read_mac_addr + - media: go7007: remove redundant initialization + - Bluetooth: sco: prevent information leak in sco_conn_defer_accept() + - tcp: seq_file: Avoid skipping sk during tcp_seek_last_pos + - media: em28xx-input: fix refcount bug in em28xx_usb_disconnect + - [arm64] media: venus: venc: Fix potential null pointer dereference on + pointer fmt + - PCI: PM: Avoid forcing PCI_D0 for wakeup reasons inconsistently + - PCI: PM: Enable PME if it can be signaled from D3cold + - Bluetooth: increase BTNAMSIZ to 21 chars to fix potential buffer overflow + - [arm64] drm/msm/dpu: make dpu_hw_ctl_clear_all_blendstages clear necessary + LMs + - Bluetooth: fix repeated calls to sco_sock_kill + - [arm64] drm/msm/dsi: Fix some reference counted resource leaks + - [armhf] usb: phy: twl6030: add IRQ checks + - Bluetooth: Move shutdown callback before flushing tx and rx queue + - 
mac80211: Fix insufficient headroom issue for AMSDU + - Bluetooth: add timeout sanity check to hci_inquiry + - [armhf] i2c: s3c2410: fix IRQ check + - [arm64,armhf] mmc: dw_mmc: Fix issue with uninitialized dma_slave_config + - CIFS: Fix a potencially linear read overflow + - [arm*] usb: ehci-orion: Handle errors of clk_prepare_enable() in probe + - ath6kl: wmi: fix an error code in ath6kl_wmi_sync_point() + - bcma: Fix memory leak for internally-handled cores + - ipv4: make exception cache less predictible + - net: sched: Fix qdisc_rate_table refcount leak when get tcf_block failed + - ipv4: fix endianness issue in inet_rtm_getroute_build_skb() + - netns: protect netns ID lookups with RCU + - fscrypt: add fscrypt_symlink_getattr() for computing st_size + - ext4: report correct st_size for encrypted symlinks + - f2fs: report correct st_size for encrypted symlinks + - ubifs: report correct st_size for encrypted symlinks + - tty: Fix data race between tiocsti() and flush_to_ldisc() + - [x86] KVM: Update vCPU's hv_clock before back to guest when tsc_offset is + adjusted + - fbmem: don't allow too huge resolutions + - [arm64,armhf] backlight: pwm_bl: Improve bootloader/kernel device handover + - [armel] clk: kirkwood: Fix a clocking boot regression + - btrfs: reset replace target device to allocation state on close + - blk-zoned: allow zone management send operations without CAP_SYS_ADMIN + - blk-zoned: allow BLKREPORTZONE without CAP_SYS_ADMIN + - PCI/MSI: Skip masking MSI-X on Xen PV + - [powerpc*] perf/hv-gpci: Fix counter value parsing + - xen: fix setting of max_pfn in shared_info + - 9p/xen: Fix end of loop tests for list_for_each_entry + - bpf/verifier: per-register parent pointers + - bpf: correct slot_type marking logic to allow more stack slot sharing + - bpf: Support variable offset stack access from helpers + - bpf: Reject indirect var_off stack access in raw mode + - bpf: Reject indirect var_off stack access in unpriv mode + - bpf: Sanity check max value 
for var_off stack access + - bpf: track spill/fill of constants + - bpf: Introduce BPF nospec instruction for mitigating Spectre v4 + (CVE-2021-34556, CVE-2021-35477) + - bpf: Fix leakage due to insufficient speculative store bypass mitigation + (CVE-2021-34556, CVE-2021-35477) + - bpf: verifier: Allocate idmap scratch in verifier env + - bpf: Fix pointer arithmetic mask tightening under state pruning + - [arm64] head: avoid over-mapping in map_memory + - block: bfq: fix bfq_set_next_ioprio_data() + - [x86] power: supply: max17042: handle fails of reading status register + - dm crypt: Avoid percpu_counter spinlock contention in crypt_page_alloc() + - [x86] VMCI: fix NULL pointer dereference when unmapping queue pair + - media: uvc: don't do DMA on stack + - media: rc-loopback: return number of emitters rather than error + - libata: add ATA_HORKAGE_NO_NCQ_TRIM for Samsung 860 and 870 SSDs + - PCI: Restrict ASMedia ASM1062 SATA Max Payload Size Supported + - PCI: Return ~0 data on pciconfig_read() CAP_SYS_ADMIN failure + - [arm64] PCI: xilinx-nwl: Enable the clock through CCF + - [arm64] PCI: aardvark: Increase polling delay to 1.5s while waiting for + PIO response + - [arm64] PCI: aardvark: Fix masking and unmasking legacy INTx interrupts + - HID: input: do not report stylus battery state as "full" + - RDMA/iwcm: Release resources if iw_cm module initialization fails + - docs: Fix infiniband uverbs minor number + - [armhf] pinctrl: samsung: Fix pinctrl bank pin count + - [powerpc*] stacktrace: Include linux/delay.h + - [arm64,armhf] pinctrl: single: Fix error return code in + pcs_parse_bits_in_pinctrl_entry() + - scsi: qedi: Fix error codes in qedi_alloc_global_queues() + - [x86] platform/x86: dell-smbios-wmi: Add missing kfree in error-exit from + run_smbios_call + - fscache: Fix cookie key hashing + - f2fs: fix to account missing .skipped_gc_rwsem + - f2fs: fix to unmap pages from userspace process in punch_hole() + - [mips*] Malta: fix alignment of the devicetree 
buffer + - userfaultfd: prevent concurrent API initialization + - media: dib8000: rewrite the init prbs logic + - PCI: Use pci_update_current_state() in pci_enable_device_flags() + - tipc: keep the skb in rcv queue until the whole data is read + - video: fbdev: kyro: fix a DoS bug by restricting user input + - netlink: Deal with ESRCH error in nlmsg_notify() + - usb: gadget: u_ether: fix a potential null pointer dereference + - usb: gadget: composite: Allow bMaxPower=0 if self-powered + - tty: serial: jsm: hold port lock when reporting modem line changes + - video: fbdev: kyro: Error out if 'pixclock' equals zero + - ipv4: ip_output.c: Fix out-of-bounds warning in ip_copy_addrs() + - flow_dissector: Fix out-of-bounds warnings + - [s390x] jump_label: print real address in a case of a jump label bug + - serial: 8250: Define RX trigger levels for OxSemi 950 devices + - serial: 8250_pci: make setup_port() parameters explicitly unsigned + - Bluetooth: skip invalid hci_sync_conn_complete_evt + - bonding: 3ad: fix the concurrency between __bond_release_one() and + bond_3ad_state_machine_handler() + - [x86] ASoC: Intel: bytcr_rt5640: Move "Platform Clock" routes to the maps + for the matching in-/output + - media: v4l2-dv-timings.c: fix wrong condition in two for-loops + - [armhf] dts: imx53-ppd: Fix ACHC entry + - [arm64] dts: qcom: sdm660: use reg value for memory node + - [arm64] net: ethernet: stmmac: Do not use unreachable() in + ipq806x_gmac_probe() + - Bluetooth: schedule SCO timeouts with delayed_work + - Bluetooth: avoid circular locks in sco_sock_connect + - gpu: drm: amd: amdgpu: amdgpu_i2c: fix possible uninitialized-variable + access in amdgpu_i2c_router_select_ddc_port() + - Bluetooth: Fix handling of LE Enhanced Connection Complete + - tcp: enable data-less, empty-cookie SYN with TFO_SERVER_COOKIE_NOT_REQD + - rpc: fix gss_svc_init cleanup on failure + - [x86] staging: rts5208: Fix get_ms_information() heap buffer size + - gfs2: Don't call dlm after protocol 
is unmounted + - of: Don't allow __of_attached_node_sysfs() without CONFIG_SYSFS + - [arm64] mmc: sdhci-of-arasan: Check return value of non-void funtions + - mmc: rtsx_pci: Fix long reads when clock is prescaled + - mmc: core: Return correct emmc response in case of ioctl error + - cifs: fix wrong release in sess_alloc_buffer() failed path + - Revert "USB: xhci: fix U1/U2 handling for hardware with XHCI_INTEL_HOST + quirk set" + - [armhf] usb: musb: musb_dsps: request_irq() after initializing musb + - usbip: give back URBs for unsent unlink requests during cleanup + - usbip:vhci_hcd USB port can get stuck in the disabled state + - [arm64,armhf] ASoC: rockchip: i2s: Fix regmap_ops hang + - [arm64,armhf] ASoC: rockchip: i2s: Fixup config for DAIFMT_DSP_A/B + - parport: remove non-zero check on count + - ath9k: fix OOB read ar9300_eeprom_restore_internal + - ath9k: fix sleeping in atomic context + - ovl: fix BUG_ON() in may_delete() when called from ovl_cleanup() + - [x86] scsi: BusLogic: Fix missing pr_cont() use + - scsi: qla2xxx: Sync queue idx with queue_pair_map idx + - [powerpc*] cpufreq: powernv: Fix init_chip_info initialization in numa=off + - mm/hugetlb: initialize hugetlb_usage in mm_init + - memcg: enable accounting for pids in nested pid namespaces + - [arm64,armhf] platform/chrome: cros_ec_proto: Send command again when + timeout occurs + - drm/amdgpu: Fix BUG_ON assert + - dm thin metadata: Fix use-after-free in dm_bm_set_read_only + - [x86] xen: reset legacy rtc flag for PV domU + - bnx2x: Fix enabling network interfaces without VFs + - [arm64] sve: Use correct size when reinitialising SVE state + - PM: base: power: don't try to use non-existing RTC for storing data + - PCI: Add AMD GPU multi-function power dependencies + - [x86] mm: Fix kern_addr_valid() to cope with existing but not present + entries + - tipc: fix an use-after-free issue in tipc_recvmsg + - dccp: don't duplicate ccid when cloning dccp sock (CVE-2020-16119) + - net/l2tp: Fix 
reference count leak in l2tp_udp_recv_core + - r6040: Restore MDIO clock frequency after MAC reset + - tipc: increase timeout in tipc_sk_enqueue() + - net/mlx5: Fix potential sleeping in atomic context + - events: Reuse value read using READ_ONCE instead of re-reading it + - net/af_unix: fix a data-race in unix_dgram_poll + - [arm64,armhf] net: dsa: destroy the phylink instance on any error in + dsa_slave_phy_setup + - tcp: fix tp->undo_retrans accounting in tcp_sacktag_one() + - qed: Handle management FW error + - [arm64] net: hns3: pad the short tunnel frame before sending to hardware + - mm/memory_hotplug: use "unsigned long" for PFN in zone_for_pfn_range() + - [s390x] KVM: index kvm->arch.idle_mask by vcpu_idx + - dt-bindings: mtd: gpmc: Fix the ECC bytes vs. OOB bytes equation + - [armhf] mfd: Don't use irq_create_mapping() to resolve a mapping + - PCI: Add ACS quirks for Cavium multi-function devices + - net: usb: cdc_mbim: avoid altsetting toggling for Telit LN920 + - block, bfq: honor already-setup queue merges + - ethtool: Fix an error code in cxgb2.c + - mfd: axp20x: Update AXP288 volatile ranges + - PCI: Fix pci_dev_str_match_path() alloc while atomic bug + - [arm64] KVM: Handle PSCI resets before userspace touches vCPU state + - mtd: rawnand: cafe: Fix a resource leak in the error handling path of + 'cafe_nand_probe()' + - [armhf] net: dsa: b53: Fix calculating number of switch ports + - netfilter: socket: icmp6: fix use-after-scope + - fq_codel: reject silly quantum parameters + - qlcnic: Remove redundant unlock in qlcnic_pinit_from_rom + - ip_gre: validate csum_start only on pull + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.208 + - [s390x] bpf: Fix optimizing out zero-extensions + - KVM: remember position in kvm->vcpus array + - rcu: Fix missed wakeup of exp_wq waiters + - apparmor: remove duplicate macro list_entry_is_head() + - tracing/kprobe: Fix kprobe_on_func_entry() modification + - sctp: validate chunk size in 
__rcv_asconf_lookup (CVE-2021-3655) + - sctp: add param size validation for SCTP_PARAM_SET_PRIMARY (CVE-2021-3655) + - dmaengine: acpi: Avoid comparison GSI with Linux vIRQ + - [armhf] thermal/drivers/exynos: Fix an error code in exynos_tmu_probe() + - 9p/trans_virtio: Remove sysfs file on probe failure + - prctl: allow to setup brk for et_dyn executables + - nilfs2: use refcount_dec_and_lock() to fix potential UAF + - profiling: fix shift-out-of-bounds bugs + - drivers: base: cacheinfo: Get rid of DEFINE_SMP_CALL_CACHE_FUNCTION() + - ceph: lockdep annotations for try_nonblocking_invalidate + - nilfs2: fix memory leak in nilfs_sysfs_create_device_group + - nilfs2: fix NULL pointer in nilfs_##name##_attr_release + - nilfs2: fix memory leak in nilfs_sysfs_create_##name##_group + - nilfs2: fix memory leak in nilfs_sysfs_delete_##name##_group + - nilfs2: fix memory leak in nilfs_sysfs_create_snapshot_group + - nilfs2: fix memory leak in nilfs_sysfs_delete_snapshot_group + - [arm64,armhf] pwm: rockchip: Don't modify HW state in .remove() callback + - blk-throttle: fix UAF by deleteing timer in blk_throtl_exit() + - drm/nouveau/nvkm: Replace -ENOSYS with -ENODEV + + [ Salvatore Bonaccorso ] + * [rt] Update to 4.19.195-rt82 + * [rt] Update to 4.19.196-rt83 + * Bump ABI to 18 + * [rt] Update to 4.19.197-rt84 + * Refresh "fs: Add MODULE_SOFTDEP declarations for hard-coded crypto drivers" + * [rt] Update to 4.19.198-rt85 + * Refresh "scsi: hisi_sas: Create separate host attributes per HBA" + * [rt] Update to 4.19.199-rt86 + * [rt] Update to 4.19.206-rt87 + * [rt] Update to 4.19.207-rt88 + * hso: fix bailout in error case of probe + * usb: hso: fix error handling code of hso_create_net_device (CVE-2021-37159) + * usb: hso: remove the bailout parameter + 4.19.194-3 [Sun, 18 Jul 2021 08:52:00 +0200] Salvatore Bonaccorso <carnil@debian.org>: * [x86] KVM: SVM: Periodically schedule when unregistering regions on destroy 
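Review bot: The entry "ovl: prevent private clone if bind mount is not allowed CVE-2021-3732)" in the block headed by ChangeLog-4.19.204 has a closing parenthesis without the opening one. Write it as "(CVE-2021-3732)" like the other CVE annotations in this changelog, so that a search for "(CVE-" also finds this fix.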
<http://piuparts.knut.univention.de/5.0-0/#6056554636984610172>
<http://piuparts.knut.univention.de/5.0-0/#825249739756717746>
OK: yaml
OK: announce_errata
OK: patch
~OK: piuparts new package names
OK: apt install -t apt univention-kernel-image
OK: amd64 @ kvm + SeaBIOS
OK: amd64 @ kvm + OVMF + SB
OK: cat /sys/kernel/security/securelevel ; echo
OK: uname -a
OK: dmesg -H
OK: dmesg | grep --color -e Lockdown -e secure -e Loaded
OK ./linux-dmesg-norm -a

[5.0-0] 2a7b6f6994 Bug #53897: linux 4.19.208-1
 doc/errata/staging/linux.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

[5.0-0] 513bb2d01a Bug #53897: linux 4.19.208-1
 doc/errata/staging/linux.yaml | 89 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 89 insertions(+)
<https://errata.software-univention.de/#/?erratum=5.0x125>
<https://errata.software-univention.de/#/?erratum=5.0x126>
<https://errata.software-univention.de/#/?erratum=5.0x127>