Univention Bugzilla – Bug 54260
linux: Multiple issues (4.4)
Last modified: 2021-12-22 13:50:56 CET
New Debian linux 4.9.290-1 fixes:

This update addresses the following issues:
* ath9k: information disclosure via specifically timed and handcrafted traffic (CVE-2020-3702)
* DCCP CCID structure use-after-free may lead to DoS or code execution (CVE-2020-16119)
* Use After Free in unix_gc() which could result in a local privilege escalation (CVE-2021-0920)
* joydev: zero size passed to joydev_handle_JSIOCSBTNMAP() (CVE-2021-3612)
* SVM nested virtualization issue in KVM (AVIC support) (CVE-2021-3653)
* missing size validations on inbound SCTP packets (CVE-2021-3655)
* DoS in rb_per_cpu_empty() (CVE-2021-3679)
* overlayfs: Mounting overlayfs inside an unprivileged user namespace can reveal files (CVE-2021-3732)
* a race out-of-bound read in vt (CVE-2021-3753)
* nfc: Use-After-Free vulnerability of ndev->rf_conn_info object (CVE-2021-3760)
* timer tree corruption leads to missing wakeup and system freeze (CVE-2021-20317)
* In Overlayfs missing a check for a negative dentry before calling vfs_rename() (CVE-2021-20321)
* new DNS Cache Poisoning Attack based on ICMP fragment needed packets replies (CVE-2021-20322)
* Improper handling of VM_IO|VM_PFNMAP vmas in KVM can bypass RO checks (CVE-2021-22543)
* use-after-free in hso_free_net_device() in drivers/net/usb/hso.c (CVE-2021-37159)
* data corruption or loss can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size in drivers/char/virtio_console.c (CVE-2021-38160)
* arch/x86/kvm/mmu/paging_tmpl.h incorrectly computes the access permissions of a shadow page (CVE-2021-38198)
* incorrect connection-setup ordering allows operators of remote NFSv4 servers to cause a DoS (CVE-2021-38199)
* use-after-free and panic in drivers/usb/host/max3421-hcd.c by removing a MAX-3421 USB device in certain situations (CVE-2021-38204)
* drivers/net/ethernet/xilinx/xilinx_emaclite.c prints the real IOMEM pointer (CVE-2021-38205)
* race condition was discovered in ext4_write_inline_data_end in fs/ext4/inline.c in the ext4 subsystem (CVE-2021-40490)
* eBPF multiplication integer overflow in prealloc_elems_and_freelist() in kernel/bpf/stackmap.c leads to out-of-bounds write (CVE-2021-41864)
* slab out-of-bounds write in decode_data() in drivers/net/hamradio/6pack.c (CVE-2021-42008)
* Heap buffer overflow in firedtv driver (CVE-2021-42739)
* an array-index-out-bounds in detach_capi_ctr in drivers/isdn/capi/kcapi.c (CVE-2021-43389)
--- mirror/ftp/4.4/unmaintained/component/4.4-8-errata/source/linux_4.9.272-2A~4.4.0.202107271455.dsc +++ apt/ucs_4.4-0-errata4.4-8/source/linux_4.9.290-1.dsc 
@@ -1,8 +1,763 @@ -4.9.272-2A~4.4.0.202107271455 [Tue, 27 Jul 2021 14:55:52 +0200] Univention builddaemon <buildd@univention.de>: +4.9.290-1 [Sun, 12 Dec 2021 22:40:16 +0100] Ben Hutchings <benh@debian.org>: - * UCS auto build. The following patches have been applied to the original source package - 0000-do-not-abort-on-gentrol.py - 0001-i40e-Be-much-more-verbose-about-what-we-can-and-cann + * New upstream stable update: + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.273 + - net/nfc/rawsock.c: fix a permission check bug + - bonding: init notify_work earlier to avoid uninitialized use + - netlink: disable IRQs for netlink_lock_table() + - net: mdiobus: get rid of a BUG_ON() + - cgroup: disable controllers at parse time + - wq: handle VM suspension in stall detection + - net/qla3xxx: fix schedule while atomic in ql_sem_spinlock + - [x86] scsi: vmw_pvscsi: Set correct residual data length + - scsi: target: qla2xxx: Wait for stop_phase1 at WWN removal + - [arm64] net: macb: ensure the device is available before accessing GEMGXL + control registers + - bnx2x: Fix missing error code in bnx2x_iov_init_one() + - drm: Lock pointer access in drm_master_release() + - kvm: avoid speculation-based attacks from out-of-range memslot accesses + - btrfs: return value from btrfs_mark_extent_written() in case of error + - cgroup1: don't allow '\n' in renaming + - USB: f_ncm: ncm_bitrate (speed) is unsigned + - [arm64,armhf] usb: dwc3: ep0: fix NULL pointer exception + - USB: serial: ftdi_sio: add NovaTech OrionMX product ID + - USB: serial: omninet: add device id for Zyxel Omni 56K Plus + - USB: serial: quatech2: fix control-request directions + - usb: gadget: eem: fix wrong eem header operation + - usb: fix various gadgets null ptr deref on 10gbps cabling. 
+ - usb: fix various gadget panics on 10gbps cabling + - perf: Fix data race between pin_count increment/decrement + - NFS: Fix a potential NULL dereference in nfs_get_client() + - perf session: Correct buffer copying when peeking events + - kvm: fix previous commit for 32-bit builds + - NFSv4: nfs4_proc_set_acl needs to restore NFS_CAP_UIDGID_NOMAP on error. + - scsi: core: Fix error handling of scsi_host_alloc() + - scsi: core: Only put parent device if host state differs from + SHOST_CREATED + - ftrace: Do not blindly read the ip address in ftrace_bug() + - tracing: Correct the length check which causes memory corruption + - proc: only require mm_struct for writing + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.274 + - net: ieee802154: fix null deref in parse dev addr + - HID: hid-sensor-hub: Return error for hid_set_field() failure + - HID: Add BUS_VIRTUAL to hid_connect logging + - HID: usbhid: fix info leak in hid_submit_ctrl + - gfs2: Fix use-after-free in gfs2_glock_shrink_scan + - scsi: target: core: Fix warning on realtime kernels + - ethernet: myri10ge: Fix missing error code in myri10ge_probe() + - rtnetlink: Fix missing error code in rtnl_bridge_notify() + - net/x25: Return the correct errno code + - net: Return the correct errno code + - fib: Return the correct errno code + - mm: hwpoison: change PageHWPoison behavior on hugetlb pages + - batman-adv: Avoid WARN_ON timing related checks + - net: ipv4: fix memory leak in netlbl_cipsov4_add_std + - net: rds: fix memory leak in rds_recvmsg + - udp: fix race between close() and udp_abort() + - rtnetlink: Fix regression in bridge VLAN configuration + - netfilter: synproxy: Fix out of bounds when parsing TCP options + - alx: Fix an error handling path in 'alx_probe()' + - [arm64,armhf] net: stmmac: dwmac1000: Fix extended MAC address registers + definition + - qlcnic: Fix an error handling path in 'qlcnic_probe()' + - netxen_nic: Fix an error handling path in 'netxen_nic_probe()' + - net: 
cdc_ncm: switch to eth%d interface naming + - net: usb: fix possible use-after-free in smsc75xx_bind + - net: ipv4: fix memory leak in ip_mc_add1_src + - net/af_unix: fix a data-race in unix_dgram_sendmsg / unix_release_sock + - be2net: Fix an error handling path in 'be_probe()' + - net: hamradio: fix memory leak in mkiss_close + - net: cdc_eem: fix tx fixup skb leak + - scsi: core: Put .shost_dev in failure path if host state changes to + RUNNING + - radeon: use memcpy_to/fromio for UVD fw upload + - tracing: Do no increment trace_clock_global() by one + - PCI: Mark some NVIDIA GPUs to avoid bus reset + - [armhf] dmaengine: pl330: fix wrong usage of spinlock flags in dma_cyclc + - can: bcm/raw/isotp: use per module netdevice notifier + - [arm64,armhf] usb: dwc3: core: fix kernel panic when do reboot + - tracing: Do not stop recording cmdlines when tracing is off + - tracing: Do not stop recording comms if the trace file is being read + - [x86] fpu: Reset state for all signal restore failures + - inet: use bigger hash table for IP ID generation + - i40e: Be much more verbose about what we can and cannot offload + - [arm64] perf: Disable PMU while processing counter overflows + - Revert "PCI: PM: Do not read power state in pci_enable_device_flags()" + - mac80211: remove warning in ieee80211_get_sband() + - cfg80211: call cfg80211_leave_ocb when switching away from OCB + - mac80211: drop multicast fragments + - ping: Check return value of function 'ping_queue_rcv_skb' + - inet: annotate date races around sk->sk_txhash + - net: caif: fix memory leak in ldisc_open + - net/packet: annotate accesses to po->bind + - net/packet: annotate accesses to po->ifindex + - net: qed: Fix memcpy() overflow of qed_dcbx_params() + - nilfs2: fix memory leak in nilfs_sysfs_delete_device_group + - i2c: robotfuzz-osif: fix control-request directions + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.275 + - mm: thp: replace DEBUG_VM BUG with VM_WARN when unmap fails for split + 
- mm, futex: fix shared futex pgoff on shmem huge page + - scsi: sr: Return appropriate error code when disk is ejected + - drm/nouveau: fix dma_address check for CPU/GPU sync + - kthread_worker: split code for canceling the delayed work timer + - kthread: prevent deadlock when kthread_mod_delayed_work() races with + kthread_cancel_delayed_work_sync() + - xen/events: reset active flag for lateeoi events later + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.276 + - ALSA: usb-audio: fix rate on Ozone Z90 USB headset + - media: dvb-usb: fix wrong definition + - Input: usbtouchscreen - fix control-request directions + - net: can: ems_usb: fix use-after-free in ems_usb_disconnect() + - usb: gadget: eem: fix echo command packet response issue + - USB: cdc-acm: blacklist Heimann USB Appset device + - ntfs: fix validity check for file name attribute + - iov_iter_fault_in_readable() should do nothing in xarray case + - Input: joydev - prevent use of not validated data in JSIOCSBTNMAP ioctl + (CVE-2021-3612) + - btrfs: clear defrag status of a root if starting transaction fails + - ext4: fix kernel infoleak via ext4_extent_header + - ext4: correct the cache_nr in tracepoint ext4_es_shrink_exit + - ext4: remove check for zero nr_to_scan in ext4_es_scan() + - ext4: fix avefreec in find_group_orlov + - SUNRPC: Fix the batch tasks count wraparound. + - SUNRPC: Should wake up the privileged task firstly. 
+ - [x86] serial_cs: Add Option International GSM-Ready 56K/ISDN modem + - [x86] serial_cs: remove wrong GLOBETROTTER.cis entry + - ath9k: Fix kernel NULL pointer dereference during ath_reset_internal() + - ssb: sdio: Don't overwrite const buffer if block_write fails + - seq_buf: Make trace_seq_putmem_hex() support data longer than 8 + - fuse: check connected before queueing on fpq->io + - [i386] spi: spi-topcliff-pch: Fix potential double free in + pch_spi_process_messages() + - media: cpia2: fix memory leak in cpia2_usb_probe + - media: cobalt: fix race condition in setting HPD + - media: pvrusb2: fix warning in pvr2_i2c_core_done + - [x86] crypto: qat - check return code of qat_hal_rd_rel_reg() + - [x86] crypto: qat - remove unused macro in FW loader + - media: v4l2-core: Avoid the dangling pointer in v4l2_fh_release + - media: bt8xx: Fix a missing check bug in bt878_probe + - mmc: via-sdmmc: add a check against NULL pointer dereference + - crypto: shash - avoid comparing pointers to exported functions under CFI + - media: dvb_net: avoid speculation from net slot + - media: siano: fix device register error path + - btrfs: abort transaction if we fail to update the delayed inode + - btrfs: disable build on platforms having page size 256K + - [armhf] regulator: da9052: Ensure enough delay time for + .set_voltage_time_sel + - ACPI: processor idle: Fix up C-state latency if not ordered + - block_dump: remove block_dump feature in mark_inode_dirty() + - fs: dlm: cancel work sync othercon + - fs: dlm: fix memory leak when fenced + - ACPI: bus: Call kobject_put() in acpi_init() error path + - [x86] platform/x86: toshiba_acpi: Fix missing error code in + toshiba_acpi_setup_keyboard() + - ACPI: tables: Add custom DSDT file as makefile prerequisite + - [armhf] sata_highbank: fix deferred probing + - media: siano: Fix out-of-bounds warnings in + smscore_load_firmware_family2() + - [armhf] spi: spi-sun6i: Fix chipselect/clock bug + - ACPI: sysfs: Fix a buffer overrun 
problem with description_show() + - ocfs2: fix snprintf() checking + - net: pch_gbe: Propagate error from devm_gpio_request_one() + - RDMA/rxe: Fix failure during driver load + - drm: qxl: ensure surf.data is ininitialized + - wireless: carl9170: fix LEDS build errors & warnings + - brcmsmac: mac80211_if: Fix a resource leak in an error handling path + - ath10k: Fix an error code in ath10k_add_interface() + - netlabel: Fix memory leak in netlbl_mgmt_add_common + - netfilter: nft_exthdr: check for IPv6 packet before further processing + - vxlan: add missing rcu_read_lock() in neigh_reduce() + - i40e: Fix error handling in i40e_vsi_open + - Bluetooth: mgmt: Fix slab-out-of-bounds in tlv_data_is_valid + - writeback: fix obtain a reference to a freeing memcg css + - net: sched: fix warning in tcindex_alloc_perfect_hash + - tty: nozomi: Fix a resource leak in an error handling function + - iio: adis_buffer: do not return ints in irq handlers + - [x86] iio: accel: kxcjk-1013: Fix buffer alignment in + iio_push_to_buffers_with_timestamp() + - [x86] iio: gyro: bmg160: Fix buffer alignment in + iio_push_to_buffers_with_timestamp() + - [x86] char: pcmcia: error out if 'num_bytes_read' is greater than 4 in + set_protocol() + - tty: nozomi: Fix the error handling path of 'nozomi_card_init()' + - [x86] scsi: FlashPoint: Rename si_flags field + - of: Fix truncation of memory sizes on 32-bit platforms + - scsi: mpt3sas: Fix error return value in _scsih_expander_add() + - configfs: fix memleak in configfs_release_bin_file + - mm/huge_memory.c: don't discard hugepage if other processes are mapping + it + - mmc: vub300: fix control-request direction + - scsi: core: Retry I/O for Notify (Enable Spinup) Required error + - [i386] net: pch_gbe: Use proper accessors to BE data in pch_ptp_match() + - atm: iphase: fix possible use-after-free in ia_module_exit() + - mISDN: fix possible use-after-free in HFC_cleanup() + - atm: nicstar: Fix possible use-after-free in nicstar_cleanup() + - 
[rt] net: Treat __napi_schedule_irqoff() as __napi_schedule() on + PREEMPT_RT + - reiserfs: add check for invalid 1st journal block + - drm/virtio: Fix double free on probe failure + - udf: Fix NULL pointer dereference in udf_symlink function + - [arm64,armhf] clk: tegra: Ensure that PLLU configuration is applied + properly + - ipv6: use prandom_u32() for ID generation + - RDMA/cxgb4: Fix missing error code in create_qp() + - dm space maps: don't reset space map allocation cursor when committing + - selinux: use __GFP_NOWARN with GFP_NOWAIT in the AVC + - xfrm: Fix error reporting in xfrm_state_construct. + - [arm64,armhf] wlcore/wl12xx: Fix wl12xx get_mac error if device is in ELP + - [arm64,armhf] wl1251: Fix possible buffer overflow in wl1251_cmd_scan + - atm: nicstar: use 'dma_free_coherent' instead of 'kfree' + - atm: nicstar: register the interrupt handler in the right place + - RDMA/rxe: Don't overwrite errno from ib_umem_get() + - sfc: avoid double pci_remove of VFs + - sfc: error code if SRIOV cannot be disabled + - wireless: wext-spy: Fix out-of-bounds warning + - RDMA/cma: Fix rdma_resolve_route() memory leak + - Bluetooth: Fix the HCI to MGMT status conversion table + - Bluetooth: btusb: fix bt fiwmare downloading failure issue for qca btsoc. 
+ - sctp: add size validation when walking chunks (CVE-2021-3655) + - fuse: reject internal errno + - can: gw: synchronize rcu operations before removing gw job entry + - mac80211: fix memory corruption in EAPOL handling + - [x86] pinctrl/amd: Add device HID for new AMD GPIO controller + - mmc: sdhci: Fix warning message when accessing RPMB in HS400 mode + - mmc: core: clear flags before allowing to retune + - [armhf] ata: ahci_sunxi: Disable DIPM + - [arm64,armhf] ASoC: tegra: Set driver_name=tegra for all machine drivers + - [x86] ipmi/watchdog: Stop watchdog timer when the current action is 'none' + - seq_buf: Fix overflow in seq_buf_putmem_hex() + - dm btree remove: assign new_root only when removal succeeds + - media: dtv5100: fix control-request directions + - media: zr364xx: fix memory leak in zr364xx_start_readpipe + - media: gspca/sq905: fix control-request direction + - media: gspca/sunplus: fix zero-length control requests + - media: uvcvideo: Fix pixel format change for Elgato Cam Link 4K + - jfs: fix GPF in diFree + - [x86] KVM: x86: Use guest MAXPHYADDR from CPUID.0x8000_0008 iff TDP is + enabled + - [x86] KVM: X86: Disable hardware breakpoints unconditionally before + kvm_x86->run() + - scsi: core: Fix bad pointer dereference when ehandler kthread is invalid + - tracing: Do not reference char * as a string in histograms + - fscrypt: don't ignore minor_hash when hash is 0 + - [x86] misc/libmasm/module: Fix two use after free in ibmasm_init_one + - Revert "ALSA: bebob/oxfw: fix Kconfig entry for Mackie d.2 Pro" + - scsi: lpfc: Fix "Unexpected timeout" error in direct attach topology + - [x86] tty: serial: 8250: serial_cs: Fix a memory leak in error handling + path + - fs/jfs: Fix missing error code in lmLogInit() + - scsi: iscsi: Add iscsi_cls_conn refcount helpers + - [i386] ALSA: sb: Fix potential double-free of CSP mixer elements + - [arm64] gpio: zynq: Check return value of pm_runtime_get_sync + - ASoC: soc-core: Fix the error return code in + 
snd_soc_of_parse_audio_routing() + - ALSA: bebob: add support for ToneWeal FW66 + - usb: gadget: f_hid: fix endianness issue with descriptors + - usb: gadget: hid: fix error return code in hid_bind() + - ALSA: hda: Add IRQ check for platform_get_irq() + - i2c: core: Disable client irq on reboot/shutdown + - lib/decompress_unlz4.c: correctly handle zero-padding around initrds. + - [x86] watchdog: Fix possible use-after-free in wdt_startup() + - [x86] watchdog: Fix possible use-after-free by calling del_timer_sync() + - [x86] fpu: Return proper error codes from user access functions + - ceph: remove bogus checks and WARN_ONs from ceph_set_page_dirty + - [arm64,armhf] pwm: tegra: Don't modify HW state in .remove callback + - [arm64] ACPI: AMBA: Fix resource name in /proc/iomem + - virtio-blk: Fix memory leak among suspend/resume procedure + - virtio_console: Assure used length from device is limited + (CVE-2021-38160) + - PCI/sysfs: Fix dsm_label_utf16s_to_utf8s() buffer overrun + - nfs: fix acl memory leak of posix_acl_create() + - ubifs: Set/Clear I_LINKABLE under i_lock for whiteout inode + - [x86] fpu: Limit xstate copy size in xstateregs_set() + - [i386] ALSA: isa: Fix error return code in snd_cmi8330_probe() + - [armhf] dts: exynos: fix PWM LED max brightness on Odroid XU/XU3 + - [armhf] dts: exynos: fix PWM LED max brightness on Odroid XU4 + - rtc: fix snprintf() checking in is_rtc_hctosys() + - reset: bail if try_module_get() fails + - [armhf] dts: am335x: align ti,pindir-d0-out-d1-in property with dt-shema + - scsi: be2iscsi: Fix an error handling path in beiscsi_dev_probe() + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.277 + - [armhf] dts: rockchip: fix pinctrl sleep nodename for rk3036-kylin and + rk3288 + - [armhf] dts: rockchip: Fix power-controller node names for rk3288 + - [armhf] dts: imx6: phyFLEX: Fix UART hardware flow control + - [armhf] imx: pm-imx5: Fix references to imx5_cpu_suspend_info + - [arm64] dts: juno: Update SCPI nodes as 
per the YAML schema + - [arm64,armhf] rtc: max77686: Do not enforce (incorrect) interrupt trigger + type + - scsi: aic7xxx: Fix unintentional sign extension issue on left shift of u8 + - sched/fair: Fix CFS bandwidth hrtimer expiry type + - net: ipv6: fix return value of ip6_skb_dst_mtu + - net: bridge: sync fdb to new unicast-filtering ports + - [arm64] net: qcom/emac: fix UAF in emac_remove + - net: ti: fix UAF in tlan_remove_one + - net: validate lwtstate->data before returning from skb_tunnel_info() + - tcp: annotate data races around tp->mtu_info + - ipv6: tcp: drop silly ICMPv6 packet too big messages + - ixgbe: Fix an error handling path in 'ixgbe_probe()' + - igb: Fix an error handling path in 'igb_probe()' + - fm10k: Fix an error handling path in 'fm10k_probe()' + - e1000e: Fix an error handling path in 'e1000_probe()' + - iavf: Fix an error handling path in 'iavf_probe()' + - igb: Check if num of q_vectors is smaller than max before array access + - perf lzma: Close lzma stream on exit + - perf test bpf: Free obj_buf + - perf probe-file: Delete namelist in del_events() on the error path + - net: fix uninit-value in caif_seqpkt_sendmsg + - [x86] net: decnet: Fix sleeping inside in af_decnet + - netrom: Decrease sock refcount when sock timers expire + - scsi: iscsi: Fix iface sysfs attr detection + - scsi: target: Fix protect handling in WRITE SAME(32) + - Revert "USB: quirks: ignore remote wake-up on Fibocom L850-GL LTE modem" + - proc: Avoid mixing integer types in mem_rw() + - [i386] ALSA: sb: Fix potential ABBA deadlock in CSP driver + - xhci: Fix lost USB 2 remote wake + - usb: hub: Disable USB 3 device initiated lpm if exit latency is too high + - USB: usb-storage: Add LaCie Rugged USB3-FW to IGNORE_UAS + - usb: max-3421: Prevent corruption of freed memory (CVE-2021-38204) + - USB: serial: option: add support for u-blox LARA-R6 family + - USB: serial: cp210x: fix comments for GE CS1000 + - USB: serial: cp210x: add ID for CEL EM3588 USB ZigBee stick + 
- tracing: Fix bug in rb_per_cpu_empty() that might cause deadloop. + (CVE-2021-3679) + - media: ngene: Fix out-of-bounds bug in ngene_command_config_free_buf() + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.278 + - [amd64] iommu/amd: Fix backport of + 140456f994195b568ecd7fc2287a34eadffef3ca (regression in 4.9.261) + - tipc: Fix backport of b77413446408fdd256599daf00d5be72b5f3e7c6 + (regression in 4.9.253) + - net: split out functions related to registering inflight socket files + - af_unix: fix garbage collect vs MSG_PEEK (CVE-2021-0920) + - workqueue: fix UAF in pwq_unbound_release_workfn() + - net/802/mrp: fix memleak in mrp_request_join() + - net/802/garp: fix memleak in garp_request_join() + - sctp: move 198 addresses from unusable to private scope + - hfs: add missing clean-up in hfs_fill_super + - hfs: fix high memory mapping in hfs_bnode_read + - hfs: add lock nesting notation to hfs_find_init + - ocfs2: fix zero out valid data + - ocfs2: issue zeroout to EOF blocks + - can: usb_8dev: fix memory leak + - can: ems_usb: fix memory leak + - can: esd_usb2: fix memory leak + - NIU: fix incorrect error return, missed in previous revert + - nfc: nfcsim: fix use after free during module unload + - cfg80211: Fix possible memory leak in function cfg80211_bss_update + - netfilter: conntrack: adjust stop timestamp to real expiry value + - netfilter: nft_nat: allow to specify layer 4 protocol NAT only + - tipc: fix sleeping in tipc accept routine + - mlx4: Fix missing error code in mlx4_load_one() + - net: llc: fix skb_over_panic + - net/mlx5: Fix flow table chaining + - tulip: windbond-840: Fix missing pci_disable_device() in probe and remove + - sis900: Fix missing pci_disable_device() in probe and remove + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.279 + - btrfs: mark compressed range uptodate only if all bio succeed + - r8152: Fix potential PM refcount imbalance + - net: Fix zero-copy head len calculation. 
+ - can: raw: raw_setsockopt(): fix raw_rcv panic for sock UAF + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.280 + - ALSA: seq: Fix racy deletion of subscriber + - scsi: sr: Return correct event when media event code is 3 + - media: videobuf2-core: dequeue if start_streaming fails + - net: natsemi: Fix missing pci_disable_device() in probe and remove + - bnx2x: fix an error code in bnx2x_nic_load() + - net: pegasus: fix uninit-value in get_interrupt_interval + - net: vxge: fix use-after-free in vxge_device_unregister + - Bluetooth: defer cleanup of resources in hci_unregister_dev() + - USB: usbtmc: Fix RCU stall warning + - USB: serial: option: add Telit FD980 composition 0x1056 + - USB: serial: ftdi_sio: add device ID for Auto-M3 OP-COM v2 + - media: rtl28xxu: fix zero-length control request + - pipe: increase minimum default pipe size to 2 pages + - serial: 8250: Mask out floating 16/32-bit bus bits + - [x86] pcmcia: i82092: fix a null pointer dereference bug + - [x86] perf/x86/amd: Don't touch the AMD64_EVENTSEL_HOSTONLY bit inside + the guest + - reiserfs: add check for root_inode in reiserfs_fill_super + - reiserfs: check directory items on read from disk + - net/qla3xxx: fix schedule while atomic in ql_wait_for_drvr_lock and + ql_adapter_reset + - [arm64] USB:ehci:fix Kunpeng920 ehci hardware problem + - ppp: Fix generating ppp unit id when ifname is not specified + - net: xilinx_emaclite: Do not print real IOMEM pointer (CVE-2021-38205) + - ovl: prevent private clone if bind mount is not allowed (CVE-2021-3732) + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.281 + - iio: adc: Fix incorrect exit of for-loop + - [x86] ASoC: intel: atom: Fix reference to PCM buffer address + - i2c: dev: zero out array used for i2c reads from userspace + - ACPI: NFIT: Fix support for virtual SPA ranges + - ppp: Fix generating ifname when empty IFLA_IFNAME is specified + - net: Fix memory leak in ieee802154_raw_deliver + - net: bridge: fix memleak in 
br_add_if() + - tcp_bbr: fix u32 wrap bug in round logic if bbr_init() called after 2B + packets + - xen/events: Fix race in set_evtchn_to_irq + - PCI/MSI: Enable and mask MSI-X early + - PCI/MSI: Do not set invalid bits in MSI mask + - PCI/MSI: Correct misleading comments + - PCI/MSI: Use msi_mask_irq() in pci_msi_shutdown() + - PCI/MSI: Protect msi_desc::masked for multi-MSI + - PCI/MSI: Mask all unused MSI-X entries + - PCI/MSI: Enforce that MSI-X table entry is masked for update + - PCI/MSI: Enforce MSI[X] entry updates to be visible + - mac80211: drop data frames without key on encrypted links + - [x86] KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl + (CVE-2021-3653) + - [x86] fpu: Make init_fpstate correct with optimized XSAVE + - dmaengine: of-dma: router_xlate to return -EPROBE_DEFER if controller is + not yet available + - scsi: megaraid_mm: Fix end of loop tests for list_for_each_entry() + - scsi: scsi_dh_rdac: Avoid crash during rdac_bus_attach() + - scsi: core: Avoid printing an error if target_alloc() returns -ENXIO + - Bluetooth: hidp: use correct wait queue when removing ctrl_wait + - vhost: Fix the calculation in vhost_overflow() + - net: 6pack: fix slab-out-of-bounds in decode_data (CVE-2021-42008) + - net: qlcnic: add missed unlock in qlcnic_83xx_flash_read32 + - [arm64,armhf] mmc: dw_mmc: call the dw_mci_prep_stop_abort() by default + - [arm64,armhf] mmc: dw_mmc: Fix hang on data CRC error + - ALSA: hda - fix the 'Capture Switch' value change notifications + - btrfs: prevent rename2 from exchanging a subvol with a directory from + different parents + - [x86] ASoC: intel: atom: Fix breakage for PCM buffer address setup + - locks: print a warning when mount fails due to lack of "mand" support + - fs: warn about impending deprecation of mandatory locks + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.282 + - can: usb: esd_usb2: esd_usb2_rx_event(): fix the interchange of the CAN + RX and TX error counters + - USB: 
serial: option: add new VID/PID to support Fibocom FG150 + - [arm64,armhf] usb: dwc3: gadget: Fix dwc3_calc_trbs_left() + - IB/hfi1: Fix possible null-pointer dereference in _extend_sdma_tx_descs() + - e1000e: Fix the max snoop/no-snoop latency for 10M + - ip_gre: add validation for csum_start + - [armhf] net: marvell: fix MVNETA_TX_IN_PRGRS bit number + - virtio: Improve vq->broken access to avoid any compiler optimization + - vringh: Use wiov->used to check for read/write desc order + - net/rds: dma_map_sg is entitled to merge entries + - vt_kdsetmode: extend console locking (CVE-2021-3753) + - fbmem: add margin check to fb_check_caps() + - [x86] KVM: x86/mmu: Treat NX as used (not reserved) for all !TDP shadow + MMUs + - Revert "floppy: reintroduce O_NDELAY fix" (regression in 4.9.259) + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.283 + - ext4: fix race writing to an inline_data file while its xattrs are + changing (CVE-2021-40490) + - qed: Fix the VF msix vectors flow + - qede: Fix memset corruption + - [x86] perf/x86/amd/ibs: Work around erratum #1197 + - ALSA: pcm: fix divide error in snd_pcm_lib_ioctl + - ath: Avoid transmitting frames unencrypted after disassociation + (CVE-2020-3702): + + ath: Use safer key clearing with key cache entries + + ath9k: Clear key cache explicitly on disabling hardware + + ath: Export ath_hw_keysetmac() + + ath: Modify ath_key_delete() to not need full key entry + + ath9k: Postpone key cache entry deletion for TXQ frames reference it + - media: stkwebcam: fix memory leak in stk_camera_probe + - igmp: Add ip_mc_list lock in ip_check_mc_rcu + - USB: serial: mos7720: improve OOM-handling in read_mos_reg() + - net/sched: cls_flower: Use mask for addr_type + - PM / wakeirq: Enable dedicated wakeirq for suspend + - nvme-pci: Fix an error handling path in 'nvme_probe()' + - gfs2: Don't clear SGID when inheriting ACLs + - ipv4/icmp: l3mdev: Perform icmp error route lookup on source device + routing table (v2) + - 
mm/page_alloc: speed up the iteration of max_order + - [x86] reboot: Limit Dell Optiplex 990 quirk to early BIOS versions + - PCI: Call Max Payload Size-related fixup quirks early + - regmap: fix the offset of register error log + - [armhf] crypto: omap-sham - clear dma flags only after + omap_sham_update_dma_stop() + - udf: Check LVID earlier + - libata: fix ata_host_start() + - [x86] crypto: qat - do not ignore errors from enable_vf2pf_comms() + - [x86] crypto: qat - handle both source of interrupt in VF ISR + - [x86] crypto: qat - fix reuse of completion variable + - [x86] crypto: qat - fix naming for init/shutdown VF to PF notifications + - [x86] crypto: qat - do not export adf_iov_putmsg() + - udf_get_extendedattr() had no boundary checks. + - [x86] crypto: qat - use proper type for vf_mask + - media: dvb-usb: fix uninit-value in dvb_usb_adapter_dvb_init + - media: dvb-usb: fix uninit-value in vp702x_read_mac_addr + - media: go7007: remove redundant initialization + - Bluetooth: sco: prevent information leak in sco_conn_defer_accept() + - tcp: seq_file: Avoid skipping sk during tcp_seek_last_pos + - PCI: PM: Enable PME if it can be signaled from D3cold + - [arm64] soc: qcom: smsm: Fix missed interrupts if state changes while + masked + - Bluetooth: increase BTNAMSIZ to 21 chars to fix potential buffer overflow + - Bluetooth: fix repeated calls to sco_sock_kill + - [arm64] drm/msm/dsi: Fix some reference counted resource leaks + - [armhf] usb: phy: twl6030: add IRQ checks + - Bluetooth: Move shutdown callback before flushing tx and rx queue + - Bluetooth: add timeout sanity check to hci_inquiry + - [armhf] i2c: s3c2410q: fix IRQ check + - [arm64,armhf] mmc: dw_mmc: Fix issue with uninitialized dma_slave_config + - CIFS: Fix a potencially linear read overflow + - [armel] usb: ehci-orion: Handle errors of clk_prepare_enable() in probe + - ath6kl: wmi: fix an error code in ath6kl_wmi_sync_point() + - bcma: Fix memory leak for internally-handled cores + - ipv4: 
make exception cache less predictible (CVE-2021-20322) + - tty: Fix data race between tiocsti() and flush_to_ldisc() + - [x86] KVM: x86: Update vCPU's hv_clock before back to guest when + tsc_offset is adjusted + - [armel] clk: kirkwood: Fix a clocking boot regression + - fbmem: don't allow too huge resolutions + - PCI/MSI: Skip masking MSI-X on Xen PV + - [x86] xen: fix setting of max_pfn in shared_info + - [x86] VMCI: fix NULL pointer dereference when unmapping queue pair + - media: uvc: don't do DMA on stack + - media: rc-loopback: return number of emitters rather than error + - libata: add ATA_HORKAGE_NO_NCQ_TRIM for Samsung 860 and 870 SSDs + - [armel,armhf] 9105/1: atags_to_fdt: don't warn about stack size + - PCI: Restrict ASMedia ASM1062 SATA Max Payload Size Supported + - PCI: Return ~0 data on pciconfig_read() CAP_SYS_ADMIN failure + - [arm64,armhf] pinctrl: single: Fix error return code in + pcs_parse_bits_in_pinctrl_entry() + - PCI: Use pci_update_current_state() in pci_enable_device_flags() + - [x86] video: fbdev: kyro: fix a DoS bug by restricting user input + - netlink: Deal with ESRCH error in nlmsg_notify() + - usb: gadget: u_ether: fix a potential null pointer dereference + - usb: gadget: composite: Allow bMaxPower=0 if self-powered + - [x86] tty: serial: jsm: hold port lock when reporting modem line changes + - bpf/tests: Fix copy-and-paste error in double word test + - bpf/tests: Do not PASS tests without actually testing the result + - [x86] video: fbdev: kyro: Error out if 'pixclock' equals zero + - ipv4: ip_output.c: Fix out-of-bounds warning in ip_copy_addrs() + - flow_dissector: Fix out-of-bounds warnings + - serial: 8250: Define RX trigger levels for OxSemi 950 devices + - serial: 8250_pci: make setup_port() parameters explicitly unsigned + - Bluetooth: skip invalid hci_sync_conn_complete_evt + - [x86] ASoC: Intel: bytcr_rt5640: Move "Platform Clock" routes to the maps + for the matching in-/output + - [arm64] net: ethernet: stmmac: Do not 
use unreachable() in + ipq806x_gmac_probe() + - Bluetooth: avoid circular locks in sco_sock_connect + - gpu: drm: amd: amdgpu: amdgpu_i2c: fix possible uninitialized-variable + access in amdgpu_i2c_router_select_ddc_port() + - [armhf] tegra: tamonten: Fix UART pad setting + - rpc: fix gss_svc_init cleanup on failure + - gfs2: Don't call dlm after protocol is unmounted + - mmc: rtsx_pci: Fix long reads when clock is prescaled + - cifs: fix wrong release in sess_alloc_buffer() failed path + - Revert "USB: xhci: fix U1/U2 handling for hardware with XHCI_INTEL_HOST + quirk set" (regression in 4.9.251) + - [x86] usbip: give back URBs for unsent unlink requests during cleanup + - parport: remove non-zero check on count + - ath9k: fix OOB read ar9300_eeprom_restore_internal + - ath9k: fix sleeping in atomic context + - net: fix NULL pointer reference in cipso_v4_doi_free + - [x86] scsi: BusLogic: Fix missing pr_cont() use + - mm/hugetlb: initialize hugetlb_usage in mm_init + - memcg: enable accounting for pids in nested pid namespaces + - [x86] xen: reset legacy rtc flag for PV domU + - bnx2x: Fix enabling network interfaces without VFs + - net-caif: avoid user-triggerable WARN_ON(1) + - dccp: don't duplicate ccid when cloning dccp sock (CVE-2020-16119) + (regression in 4.9.108) + - net/l2tp: Fix reference count leak in l2tp_udp_recv_core + - r6040: Restore MDIO clock frequency after MAC reset + - tipc: increase timeout in tipc_sk_enqueue() + - events: Reuse value read using READ_ONCE instead of re-reading it + - net/af_unix: fix a data-race in unix_dgram_poll + - tcp: fix tp->undo_retrans accounting in tcp_sacktag_one() + - [x86] mm: Fix kern_addr_valid() to cope with existing but not present + entries + - [armhf] mfd: Don't use irq_create_mapping() to resolve a mapping + - net: usb: cdc_mbim: avoid altsetting toggling for Telit LN920 + - ethtool: Fix an error code in cxgb2.c + - mtd: rawnand: cafe: Fix a resource leak in the error handling path of + 'cafe_nand_probe()' 
+ - [armhf] net: dsa: b53: Fix calculating number of switch ports + - qlcnic: Remove redundant unlock in qlcnic_pinit_from_rom + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.284 + - PM / wakeirq: Fix unbalanced IRQ enable for wakeirq + - sctp: validate chunk size in __rcv_asconf_lookup + - sctp: add param size validation for SCTP_PARAM_SET_PRIMARY + - dmaengine: acpi: Avoid comparison GSI with Linux vIRQ + - 9p/trans_virtio: Remove sysfs file on probe failure + - prctl: allow to setup brk for et_dyn executables + - profiling: fix shift-out-of-bounds bugs + - ceph: lockdep annotations for try_nonblocking_invalidate + - nilfs2: fix memory leak in nilfs_sysfs_create_device_group + - nilfs2: fix NULL pointer in nilfs_##name##_attr_release + - nilfs2: fix memory leak in nilfs_sysfs_create_##name##_group + - nilfs2: fix memory leak in nilfs_sysfs_delete_##name##_group + - nilfs2: fix memory leak in nilfs_sysfs_create_snapshot_group + - nilfs2: fix memory leak in nilfs_sysfs_delete_snapshot_group + - blk-throttle: fix UAF by deleteing timer in blk_throtl_exit() + - drm/nouveau/nvkm: Replace -ENOSYS with -ENODEV + - sctp: validate from_addr_param return + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.285 + - ocfs2: drop acl cache for directories too + - [armf] usb: musb: tusb6010: uninitialized data in + tusb_fifo_write_unaligned() + - cifs: fix incorrect check for null pointer in header_assemble + - [x86] xen/x86: fix PV trap handling on secondary processors + - usb-storage: Add quirk for ScanLogic SL11R-IDE older than 2.6c + - USB: serial: cp210x: add ID for GW Instek GDM-834x Digital Multimeter + - USB: serial: mos7840: remove duplicated 0xac24 device ID + - USB: serial: option: add Telit LN920 compositions + - USB: serial: option: remove duplicate USB device ID + - USB: serial: option: add device id for Foxconn T99W265 + - [arm64] serial: mvebu-uart: fix driver's tx_empty callback + - net: hso: fix muxed tty registration + - net/mlx4_en: 
Don't allow aRFS for encapsulated packets + - scsi: iscsi: Adjust iface sysfs attr detection + - blktrace: Fix uaf in blk_trace access after removing by sysfs + - [arm64,armhf] net: stmmac: allow CSR clock of 300MHz + - qnx4: avoid stringop-overread errors + - [arm64] Mark __stack_chk_guard as __ro_after_init + - net: 6pack: Fix tx timeout and slot time + - [arm64] dts: marvell: armada-37xx: Extend PCIe MEM space + - qnx4: work around gcc false positive warning bug + - tty: Fix out-of-bound vmalloc access in imageblit + - cpufreq: schedutil: Use kobject release() method to free sugov_tunables + - cpufreq: schedutil: Destroy mutex before kobject_put() frees the memory + - mac80211: fix use-after-free in CCMP/GCMP RX + - ipvs: check that ip_vs_conn_tab_bits is between 8 and 20 + - mac80211: limit injected vht mcs/nss in ieee80211_parse_tx_radiotap + - hwmon: (tmp421) fix rounding for negative values + - e100: fix length calculation in e100_get_regs_len + - e100: fix buffer overrun in e100_get_regs + - ext4: fix potential infinite loop in ext4_dx_readdir() + - net: udp: annotate data race around udp_sk(sk)->corkflag + - ARM: 9079/1: ftrace: Add MODULE_PLTS support + - [arm64] Extend workaround for erratum 1024718 to all versions of + Cortex-A55 + - HID: betop: fix slab-out-of-bounds Write in betop_probe + - netfilter: ipset: Fix oversized kvmalloc() calls + - HID: usbhid: free raw_report buffers in usbhid_stop + - cred: allow get_cred() and put_cred() to be given NULL. + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.286 + - af_unix: fix races in sk_peer_pid and sk_peer_cred accesses + - xen-netback: correct success/error reporting for the SKB-with-fraglist + case + - scsi: sd: Free scsi_disk device via put_device() + - libata: Add ATA_HORKAGE_NO_NCQ_ON_ATI for Samsung 860 and 870 SSD. 
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.287 + - USB: cdc-acm: fix racy tty buffer accesses + - USB: cdc-acm: fix break reporting + - ovl: fix missing negative dentry check in ovl_rename() (CVE-2021-20321) + - nfsd4: Handle the NFSv4 READDIR 'dircount' hint being zero + - [armhf] dts: omap3430-sdp: Fix NAND device node + - bpf: Fix integer overflow in prealloc_elems_and_freelist() + (CVE-2021-41864) + - phy: mdio: fix memory leak + - net_sched: fix NULL deref in fifo_set_limit() + - [x86] ptp_pch: Load module automatically if ID matches + - [armhf] imx6: disable the GIC CPU interface before calling stby-poweroff + sequence + - net: bridge: use nla_total_size_64bit() in br_get_linkxstats_size() + - netlink: annotate data races around nlk->bound + - drm/nouveau/debugfs: fix file release memory leak + - rtnetlink: fix if_nlmsg_stats_size() under estimation + - i40e: fix endless loop under rtnl + - HID: apple: Fix logical maximum and usage maximum of Magic Keyboard JIS + - netfilter: ip6_tables: zero-initialize fragment offset + - mac80211: Drop frames from invalid MAC address in ad-hoc mode + - scsi: ses: Fix unsigned comparison with less than zero + - scsi: virtio_scsi: Fix spelling mistake "Unsupport" -> "Unsupported" + - [x86] perf/x86: Reset destroy callback on event init failure + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.288 + - ALSA: seq: Fix a potential UAF by wrong private_free call order + - xhci: Enable trust tx length quirk for Fresco FL11 USB controller + - cb710: avoid NULL pointer subtraction + - [x86] efi/cper: use stack buffer for error record decoding + - efi: Change down_interruptible() in virt_efi_reset_system() to + down_trylock() + - Input: xpad - add support for another USB ID of Nacon GC-100 + - USB: serial: qcserial: add EM9191 QDL support + - USB: serial: option: add Telit LE910Cx composition 0x1204 + - ethernet: s2io: fix setting mac address during resume + - nfc: fix error handling of 
nfc_proto_register() + - NFC: digital: fix possible memory leak in digital_tg_listen_mdaa() + - NFC: digital: fix possible memory leak in digital_in_send_sdd_req() + - [i386] pata_legacy: fix a couple uninitialized variable bugs + - [arm64] drm/msm: Fix null pointer dereference on pointer edp + - [arm64] drm/msm/dsi: fix off by one in dsi_bus_clk_enable error handling + - r8152: select CRC32 and CRYPTO/CRYPTO_HASH/CRYPTO_SHA256 + - NFSD: Keep existing listeners on portlist error + - netfilter: ipvs: make global sysctl readonly in non-init netns + - can: peak_usb: pcan_usb_fd_decode_status(): fix back to ERROR_ACTIVE + state notification + - can: peak_pci: peak_pci_remove(): fix UAF + - ocfs2: fix data corruption after conversion from inline format + - ocfs2: mount fails with buffer overflow in strlen + - elfcore: correct reference to CONFIG_UML + - vfs: check fd has read access in kernel_read_file_from_fd() + - ALSA: usb-audio: Provide quirk for Sennheiser GSP670 Headset + - ASoC: DAPM: Fix missing kctl change notifications + - nfc: nci: fix the UAF of rf_conn_info object (CVE-2021-3760) + - isdn: cpai: check ctr->cnr to avoid array index out of bound + (CVE-2021-43389) + - isdn: mISDN: Fix sleeping function called from invalid context + - [x86] platform/x86: intel_scu_ipc: Update timeout value in comment + - ALSA: hda: avoid write to STATESTS if controller is in reset + - tracing: Have all levels of checks prevent recursion + - [armel,armhf] 9122/1: select HAVE_FUTEX_CMPXCHG + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.289 + - usbnet: sanity check for maxpacket + - usbnet: fix error return code in usbnet_probe() + - ata: sata_mv: Fix the error handling of mv_chip_id() + - nfc: port100: fix using -ERRNO as command type mask + - mmc: vub300: fix control-message timeouts + - [armhf] mmc: dw_mmc: exynos: fix the finding clock sample value + - mmc: sdhci: Map more voltage level to SDHCI_POWER_330 + - net: lan78xx: fix division by zero in send path + - 
regmap: Fix possible double-free in regcache_rbtree_exit() + - net: batman-adv: fix error handling + - sctp: use init_tag from inithdr for ABORT chunk + - sctp: add vtag check in sctp_sf_violation + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.290 + - scsi: core: Put LLD module refcnt after SCSI device is released + - mm/zsmalloc: Prepare to variable MAX_PHYSMEM_BITS + - arch: pgtable: define MAX_POSSIBLE_PHYSMEM_BITS where needed + - net: hso: register netdev later to avoid a race condition + - usb: hso: fix error handling code of hso_create_net_device + (CVE-2021-37159) + - IB/qib: Use struct_size() helper + - IB/qib: Protect from buffer overflow in struct qib_user_sdma_pkt fields + - [armhf] usb: musb: Balance list entry in musb_gadget_queue + - usb-storage: Add compatibility quirk flags for iODD 2531/2541 + - printk/console: Allow to disable console output by using console="" or + console=null (regression in 4.9.238) + - isofs: Fix out of bound access for corrupted isofs image + - [x86] comedi: dt9812: fix DMA buffers on stack + - [x86] comedi: ni_usb6501: fix NULL-deref in command paths + - [x86] comedi: vmk80xx: fix transfer-buffer overflows + - [x86] comedi: vmk80xx: fix bulk-buffer overflow + - [x86] comedi: vmk80xx: fix bulk and interrupt message timeouts + - staging: r8712u: fix control-message timeout + - [x86] staging: rtl8192u: fix control-message timeouts + - rsi: fix control-message timeout + + [ Ben Hutchings ] + * crypto: Ignore removal of internal symbol shash_no_setkey + * [rt] Update to 4.9.286-rt189 + * crypto/qat: Ignore ABI changes + * sctp: Ignore ABI changes + * Bump ABI to 17 + * timerqueue: Fix potential timer tree corruption and system hang + (CVE-2021-20317): + - rbtree: cache leftmost node internally + - lib/timerqueue: Rely on rbtree semantics for next timer + * KVM: Fix bugs in hva_to_pfn_remapped(): + - mm: add follow_pte_pmd() + - KVM: do not assume PTE is writable after follow_pfn + - KVM: Use kvm_pfn_t for local PFN 
variable in hva_to_pfn_remapped() + - KVM: do not allow mapping valid but non-reference-counted pages + (CVE-2021-22543) + * [x86] KVM: Fix bugs in shadow page table management: + - KVM: nVMX: fix EPT permissions as reported in exit qualification + - KVM: MMU: drop vcpu param in gpte_access + - KVM: X86: MMU: Use the correct inherited permissions to get shadow + page (CVE-2021-38198) + * NFSv4: Initialise connection to the server in nfs4_alloc_client() + (CVE-2021-38199) + * media: firewire: firedtv-avc: fix a buffer overflow in avc_ca_pmt() + (CVE-2021-42739) 4.9.272-2 [Mon, 19 Jul 2021 22:08:03 +0200] Ben Hutchings <benh@debian.org>: <http://piuparts.knut.univention.de/4.4-8/#6200001377238929405>
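Review bot: in the ChangeLog-4.9.285 block, the entry "[armf] usb: musb: tusb6010: uninitialized data in tusb_fifo_write_unaligned()" carries an architecture tag that matches none of the tags used elsewhere in this changelog ([armel], [armhf], [arm64], [x86], [i386]); it looks like a typo for [armhf]. In the same block, "ARM: 9079/1: ftrace: Add MODULE_PLTS support" has no bracketed architecture tag, while the comparable "9105/1" and "9122/1" entries are tagged [armel,armhf]; tagging it the same way would keep the list consistent.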
r19491 | patches/linux/4.4-0-0-ucs/4.9.272-2-errata4.4-8/0001-i40e-Be-much-more-verbose-about-what-we-can-and-cann.quilt got included into <https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.274> → patch no longer needed

Package: univention-kernel-image
Version: 12.0.0-9A~4.4.0.202112211012
Branch: ucs_4.4-0
Scope: errata4.4-8

Package: univention-kernel-image-signed
Version: 5.0.0-19A~4.4.0.202112211004
Branch: ucs_4.4-0
Scope: errata4.4-8

[4.4-8] 5c535bc904 Bug #54260: linux 4.9.290-1
 doc/errata/staging/linux-latest.yaml | 82 ++++++++++++++++++++++++++++++++++++++
 doc/errata/staging/linux.yaml | 24 ++++++-----
 doc/errata/staging/univention-kernel-image-signed.yaml | 82 ++++++++++++++++++++++++++++++++++++++
 doc/errata/staging/univention-kernel-image.yaml | 82 ++++++++++++++++++++++++++++++++++++++
 4 files changed, 259 insertions(+), 11 deletions(-)
OK: apt install -t apt univention-kernel-image
OK: amd64 @ kvm + SeaBIOS
OK: amd64 @ kvm + OVMF + SB
OK: cat /sys/kernel/security/securelevel ; echo
IGN: amd64 @ xenX
OK: i386 @ kvm
OK: uname -a
OK: dmesg -H
OK ./linux-dmesg-norm -a
OK: YAML
OK: announce-errata -V
OK: <https://jenkins.knut.univention.de:8181/job/UCS-4.4/job/UCS-4.4-8/job/BuildDVD/267/>
<https://errata.software-univention.de/#/?erratum=4.4x1131>
<https://errata.software-univention.de/#/?erratum=4.4x1132>
<https://errata.software-univention.de/#/?erratum=4.4x1133>
<https://errata.software-univention.de/#/?erratum=4.4x1134>