Univention Bugzilla – Bug 55540
linux: Multiple issues (5.0)
Last modified: 2023-11-13 09:02:51 CET
New Debian linux 4.19.269-1 fixes: This update addresses the following issues: * use-after-free in nilfs_mdt_destroy (CVE-2022-2978) * race condition in kcm_tx_work() in net/kcm/kcmsock.c (CVE-2022-3521) * memory leak in ipv6_renew_options() (CVE-2022-3524) * use-after-free caused by l2cap_reassemble_sdu() in net/bluetooth/l2cap_core.c (CVE-2022-3564) * use-after-free in l1oip timer handlers (CVE-2022-3565) * Rate limit overflow messages in r8152 in intr_callback (CVE-2022-3594) * nilfs2: NULL pointer dereference in nilfs_bmap_lookup_at_level in fs/nilfs2/inode.c (CVE-2022-3621) * a USB-accessible buffer overflow in brcmfmac (CVE-2022-3628) * use after free flaw in l2cap_conn_del in net/bluetooth/l2cap_core.c (CVE-2022-3640) * Guests can trigger NIC interface reset/abort/crash via netback It is possible for a guest to trigger a NIC interface reset/abort/crash in a Linux based network backend by sending certain kinds of packets. It appears to be an (unwritten?) assumption in the rest of the Linux network stack that packet protocol headers are all contained within the linear section of the SKB and some NICs behave badly if this is not the case. This has been reported to occur with Cisco (enic) and Broadcom NetXtrem II BCM5780 (bnx2x) though it may be an issue with other NICs/drivers as well. In case the frontend is sending requests with split headers, netback will forward those violating above mentioned assumption to the networking core, resulting in said misbehavior. (CVE-2022-3643) * nilfs2: memory leak in nilfs_attach_log_writer in fs/nilfs2/segment.c (CVE-2022-3646) * nilfs2: use-after-free in nilfs_new_inode of fs/nilfs2/inode.c (CVE-2022-3649) * kernel: a stack overflow in do_proc_dointvec and proc_skip_spaces (CVE-2022-4378) * v4l2-mem2mem: Apply DST_QUEUE_OFF_BASE on MMAP buffers across ioctls (CVE-2022-20369) * cpu: Intel: RetBleed Arbitrary Speculative Code Execution with Return Instructions (CVE-2022-29901) * leak of sensitive information due to uninitialized data in stex_queuecommand_lck() in drivers/scsi/stex.c (CVE-2022-40768) * A race between ufx_ops_open() and ufx_usb_disconnect() may result in UAF (CVE-2022-41849) * Race condition in roccat_report_event in drivers/hid/hid-roccat.c (CVE-2022-41850) * Guests can trigger deadlock in Linux netback driver T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The patch for XSA-392 introduced another issue which might result in a deadlock when trying to free the SKB of a packet dropped due to the XSA-392 handling (CVE-2022-42328). Additionally when dropping packages for other reasons the same deadlock could occur in case of netpoll being active for the interface the xen-netback driver is connected to (CVE-2022-42329). (CVE-2022-42328) * Guests can trigger deadlock in Linux netback driver T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The patch for XSA-392 introduced another issue which might result in a deadlock when trying to free the SKB of a packet dropped due to the XSA-392 handling (CVE-2022-42328). Additionally when dropping packages for other reasons the same deadlock could occur in case of netpoll being active for the interface the xen-netback driver is connected to (CVE-2022-42329). (CVE-2022-42329) * Information leak in l2cap_parse_conf_req in net/bluetooth/l2cap_core.c (CVE-2022-42895) * use-after-free in l2cap_connect and l2cap_le_connect_req in net/bluetooth/l2cap_core.c (CVE-2022-42896) * memory corruption in usbmon driver (CVE-2022-43750)
*** Bug 55538 has been marked as a duplicate of this bug. ***
--- mirror/ftp/pool/main/l/linux/linux_4.19.260-1.dsc +++ apt/ucs_5.0-0-errata5.0-2/source/linux_4.19.269-1.dsc @@ -1,3 +1,564 @@ +4.19.269-1 [Tue, 20 Dec 2022 23:56:34 +0100] Ben Hutchings <benh@debian.org>: + + * New upstream stable update: + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.261 + - uas: add no-uas quirk for Hiksemi usb_disk + - usb-storage: Add Hiksemi USB3-FW to IGNORE_UAS + - uas: ignore UAS for Thinkplus chips + - net: usb: qmi_wwan: Add new usb-id for Dell branded EM7455 + - libata: add ATA_HORKAGE_NOLPM for Pioneer BDR-207M and BDR-205 + - mm/page_alloc: fix race condition between build_all_zonelists and page + allocation + - mm: prevent page_frag_alloc() from corrupting the memory + - mm/migrate_device.c: flush TLB while holding PTL + - [arm64,armhf] soc: sunxi: sram: Actually claim SRAM regions + - [arm64,armhf] soc: sunxi: sram: Prevent the driver from being unbound + - [arm64,armhf] soc: sunxi: sram: Fix probe function ordering issues + - [arm64,armhf] soc: sunxi: sram: Fix debugfs info for A64 SRAM C + - Revert "drm: bridge: analogix/dp: add panel prepare/unprepare in + suspend/resume time" + - usbnet: Fix memory leak in usbnet_disconnect() + - nvme: add new line after variable declatation + - nvme: Fix IOC_PR_CLEAR and IOC_PR_RELEASE ioctls for nvme devices + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.262 + - fs: fix UAF/GPF bug in nilfs_mdt_destroy (CVE-2022-2978) + - scsi: qedf: Fix a UAF bug in __qedf_probe() + - net/ieee802154: fix uninit value bug in dgram_sendmsg + - usb: mon: make mmapped memory read only (CVE-2022-43750) + - USB: serial: ftdi_sio: fix 300 bps rate for SIO + - mmc: core: Replace with already defined values for readability + - mmc: core: Terminate infinite loop in SD-UHS voltage switch + - [arm64] rpmsg: qcom: glink: replace strncpy() with strscpy_pad() + - nilfs2: fix NULL pointer dereference at nilfs_bmap_lookup_at_level() + (CVE-2022-3621) + - nilfs2: fix leak of nilfs_root in case of writer thread creation failure + (CVE-2022-3646) + - nilfs2: replace WARN_ONs by nilfs_error for checkpoint acquisition failure + - ceph: don't truncate file in atomic_open + - random: clamp credited irq bits to maximum mixed (regression in 4.19.249) + - [i386] ALSA: hda: Fix position reporting on Poulsbo + - scsi: stex: Properly zero out the passthrough command structure + (CVE-2022-40768) + - USB: serial: qcserial: add new usb-id for Dell branded EM7455 + - random: restore O_NONBLOCK support (regression in 4.19.249) + - random: avoid reading two cache lines on irq randomness (regression in + 4.19.249) + - random: use expired timer rather than wq for mixing fast pool (regression + in 4.19.249) + - wifi: mac80211_hwsim: avoid mac80211 warning on bad rate + - [x86] Input: xpad - add supported devices as contributed on github + - [x86] Input: xpad - fix wireless 360 controller breaking after suspend + - ALSA: oss: Fix potential deadlock at unregistration + - ALSA: rawmidi: Drop register_mutex in snd_rawmidi_free() + - ALSA: usb-audio: Fix potential memory leaks + - ALSA: usb-audio: Fix NULL dererence at error path + - [x86] ALSA: hda/realtek: remove ALC289_FIXUP_DUAL_SPK for Dell 5530 + (regression in 4.19.260) + - [x86] usb: add quirks for Lenovo OneLink+ Dock + - can: kvaser_usb: Fix use of uninitialized completion + - can: kvaser_usb_leaf: Fix overread with an invalid command + - can: kvaser_usb_leaf: Fix TX queue out of sync after restart + - can: kvaser_usb_leaf: Fix CAN state after restart + - fs: dlm: fix race between test_bit() and queue_work() + - fs: dlm: handle -EBUSY first in lock arg validation + - HID: multitouch: Add memory barriers + - quota: Check next/prev free block number after reading from quota file + - [arm64] regulator: qcom_rpm: Fix circular deferral regression + - Revert "fs: check FMODE_LSEEK to control internal pipe splicing" + (regression in 4.19.256) + - PCI: Sanitise firmware BAR assignments behind a PCI-PCI bridge + - fbdev: smscufx: Fix use-after-free in ufx_ops_open() (CVE-2022-41849) + - btrfs: fix race between quota enable and quota rescan ioctl + - nilfs2: fix use-after-free bug of struct nilfs_root (CVE-2022-3649) + - ext4: avoid crash when inline data creation follows DIO write + - ext4: fix null-ptr-deref in ext4_write_info + - ext4: make ext4_lazyinit_thread freezable + - ext4: place buffer head allocation before handle start + - [amd64] livepatch: fix race between fork and KLP transition + - ftrace: Properly unset FTRACE_HASH_FL_MOD + - ring-buffer: Allow splice to read previous partially read pages + - ring-buffer: Check pending waiters when doing wake ups as well + - ring-buffer: Fix race between reset page and reading page + - [x86] KVM: x86/emulator: Fix handing of POP SS to correctly set + interruptibility + - [x86] KVM: nVMX: Unconditionally purge queued/injected events on nested + "exit" + - wifi: ath10k: add peer map clean up for peer delete in ath10k_sta_state() + - wifi: mac80211: allow bw change during channel switch in mesh + - wifi: rtl8xxxu: tighten bounds checking in rtl8xxxu_read_efuse() + - [arm64] spi: qup: add missing clk_disable_unprepare on error in + spi_qup_resume() + - [arm64] spi: qup: add missing clk_disable_unprepare on error in + spi_qup_pm_resume_runtime() + - wifi: rtl8xxxu: Fix skb misuse in TX queue selection + - bpf: btf: fix truncated last_member_type_id in btf_struct_resolve + - wifi: rtl8xxxu: gen2: Fix mistake in path B IQ calibration + - bpf: Ensure correct locking around vulnerable function find_vpid() + - netfilter: nft_fib: Fix for rpath check with VRF devices + - vhost/vsock: Use kvmalloc/kvfree for larger packets. + - [x86] mISDN: fix use-after-free bugs in l1oip timer handlers + (CVE-2022-3565) + - sctp: handle the error returned from sctp_auth_asoc_init_active_key + (regression in 4.19.199) + - tcp: fix tcp_cwnd_validate() to not forget is_cwnd_limited + - net: rds: don't hold sock lock when cancelling work from + rds_tcp_reset_callbacks() + - bnx2x: fix potential memory leak in bnx2x_tpa_stop() + - once: add DO_ONCE_SLOW() for sleepable contexts + - net: mvpp2: fix mvpp2 debugfs leak + - [arm64] drm: bridge: adv7511: fix CEC power down control register offset + - drm/mipi-dsi: Detach devices when removing the host + - [x86] platform/chrome: fix double-free in chromeos_laptop_prepare() + - [x86] platform/x86: msi-laptop: Fix old-ec check for backlight + registering + - [x86] platform/x86: msi-laptop: Fix resource cleanup + - [armhf] ASoC: eureka-tlv320: Hold reference returned from of_find_xxx API + - [arm64] drm/msm/dpu: index dpu_kms->hw_vbif using vbif_idx + - ALSA: dmaengine: increment buffer pointer atomically + - [armhf] mmc: wmt-sdmmc: Fix an error handling path in wmt_mci_probe() + - [armhf] dts: kirkwood: lsxl: fix serial line + - [arm64] clk: tegra: Fix refcount leak in tegra210_clock_init + - [armhf] HSI: omap_ssi: Fix refcount leak in ssi_probe + - [armhf] HSI: omap_ssi_port: Fix dma_map_sg error check + - [arm64] tty: xilinx_uartps: Fix the ignore_status + - RDMA/rxe: Fix "kernel NULL pointer dereference" error + - RDMA/rxe: Fix the error caused by qp->sk + - dyndbg: let query-modname override actual module name + - ata: fix ata_id_sense_reporting_enabled() and + ata_id_has_sense_reporting() + - ata: fix ata_id_has_devslp() + - ata: fix ata_id_has_ncq_autosense() + - ata: fix ata_id_has_dipm() + - md/raid5: Ensure stripe_fill happens on non-read IO with journal + - xhci: Don't show warning for reinit on known broken suspend (regression + in 4.19.232) + - usb: gadget: function: fix dangling pnp_string in f_printer.c + - [x86] drivers: serial: jsm: fix some leaks in probe + - [arm64] phy: qualcomm: call clk_disable_unprepare in the error handling + - serial: 8250: Fix restoring termios speed after suspend + - [amd64] dmaengine: ioat: stop mod_timer from resurrecting deleted timer + in __cleanup() + - [arm64] spmi: pmic-arb: correct duplicate APID to PPID mapping logic + - [armhf] clk: ti: dra7-atl: Fix reference leak in of_dra7_atl_clk_probe + - [i386] hyperv: Fix 'struct hv_enlightened_vmcs' definition + - [arm64] crypto: cavium - prevent integer overflow loading firmware + - f2fs: fix race condition on setting FI_NO_EXTENT flag + - [x86] ACPI: video: Add Toshiba Satellite/Portege Z830 quirk + - [x86] powercap: intel_rapl: fix UBSAN shift-out-of-bounds issue + - [x86] thermal: intel_powerclamp: Use get_cpu() instead of + smp_processor_id() to avoid crash + - NFSD: Return nfserr_serverfault if splice_ok but buf->pages have data + - wifi: brcmfmac: fix invalid address access when enabling SCAN log level + - openvswitch: Fix double reporting of drops in dropwatch + - openvswitch: Fix overreporting of drops in dropwatch + - tcp: annotate data-race around tcp_md5sig_pool_populated + - wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg() + - xfrm: Update ipcomp_scratches with NULL when freed + - wifi: brcmfmac: fix use-after-free bug in brcmf_netdev_start_xmit() + - Bluetooth: L2CAP: initialize delayed works at l2cap_chan_create() + - Bluetooth: hci_sysfs: Fix attempting to call device_add multiple times + - can: bcm: check the result of can_send() in bcm_can_tx() + - wifi: rt2x00: don't run Rt5592 IQ calibration on MT7620 + - wifi: rt2x00: set correct TX_SW_CFG1 MAC register for MT7620 + - wifi: rt2x00: set SoC wmac clock register + - wifi: rt2x00: correctly set BBP register 86 for MT7620 + - net: If sock is dead don't access sock's sk_wq in sk_stream_wait_memory + - Bluetooth: L2CAP: Fix user-after-free + - r8152: Rate limit overflow messages (CVE-2022-3594) + - drm: Prevent drm_copy_field() to attempt copying a NULL pointer + - [arm64,armh] drm/vc4: vec: Fix timings for VEC modes + - [x86] drm: panel-orientation-quirks: Add quirk for Anbernic Win600 + - [x86] platform/x86: msi-laptop: Change DMI match / alias strings to fix + module autoloading + - drm/amdgpu: fix initial connector audio value + - media: cx88: Fix a null-ptr-deref bug in buffer_prepare() + - scsi: 3w-9xxx: Avoid disabling device if failing to enable it + - nbd: Fix hung when signal interrupts nbd_start_device_ioctl() + - ata: libahci_platform: Sanity check the DT child nodes number + - HID: roccat: Fix use-after-free in roccat_read() (CVE-2022-41850) + - md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d + - usb: host: xhci: Fix potential memory leak in xhci_alloc_stream_info() + - [arm64,armhf] usb: musb: Fix musb_gadget.c rxstate overflow bug + - Revert "usb: storage: Add quirk for Samsung Fit flash" + - nvme: copy firmware_rev on each init + - usb: idmouse: fix an uninit-value in idmouse_open + - [arm64,armhf] clk: bcm2835: Make peripheral PLLC critical + - net: ieee802154: return -EINVAL for unknown addr type + - net/ieee802154: don't warn zero-sized raw_sendmsg() + - ext4: continue to expand file system when the target size doesn't reach + - md: Replace snprintf with scnprintf + - [arm64,armhf] efi: libstub: drop pointless get_memory_map() call + - inet: fully convert sk->sk_rx_dst to RCU rules + - [x86] thermal: intel_powerclamp: Use first online CPU as control_cpu + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.263 + - once: fix section mismatch on clang builds + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.264 + - ocfs2: clear dinode links count in case of error + - ocfs2: fix BUG when iput after ocfs2_mknod fails + - [x86] microcode/AMD: Apply the patch early on every logical thread + - [x86] hwmon/coretemp: Handle large core ID value + - [armhf] ata: ahci-imx: Fix MODULE_ALIAS + - ata: ahci: Match EM_MAX_SLOTS with SATA_PMP_MAX_PORTS + - [arm64,armhf] KVM: arm64: vgic: Fix exit condition in scan_its_table() + - [arm64] media: venus: dec: Handle the case where find_format fails + - [arm64] errata: Remove AES hwcap for COMPAT tasks + - r8152: add PID for the Lenovo OneLink+ Dock + - btrfs: fix processing of delayed data refs during backref walking + - btrfs: fix processing of delayed tree block refs during backref walking + - [x86] ACPI: extlog: Handle multiple records + - tipc: Fix recognition of trial period + - tipc: fix an information leak in tipc_topsrv_kern_subscr + - HID: magicmouse: Do not set BTN_MOUSE on double report + - net/atm: fix proc_mpc_write incorrect return value + - net: sched: cake: fix null pointer access issue when cake_init() fails + - [amd64] iommu/vt-d: Clean up si_domain in the init_dmars() error path + - [arm64,armhf] media: v4l2-mem2mem: Apply DST_QUEUE_OFF_BASE on MMAP + buffers across ioctls (CVE-2022-20369) + - [x86] ACPI: video: Force backlight native for more TongFang devices + - [x86] hv_netvsc: Fix race between VF offering and VF association message + from host + - mm: /proc/pid/smaps_rollup: fix no vma's null-deref + - can: kvaser_usb: Fix possible completions during init_completion + - [x86] ALSA: Use del_timer_sync() before freeing timer + - USB: add RESET_RESUME quirk for NVIDIA Jetson devices in RCM + - [arm64,armhf] usb: dwc3: gadget: Stop processing more requests on IMI + - [arm64,armhf] usb: dwc3: gadget: Don't set IMI for no_interrupt + - usb: xhci: add XHCI_SPURIOUS_SUCCESS to ASM1042 despite being a V0.96 + controller + - [x86] xhci: Remove device endpoints from bandwidth list when freeing the + device + - [x86] iio: light: tsl2583: Fix module unloading + - fbdev: smscufx: Fix several use-after-free bugs + - mac802154: Fix LQI recording + - [arm64] drm/msm/dsi: fix memory corruption with too many bridges + - [arm64] drm/msm/hdmi: fix memory corruption with too many bridges + - mmc: core: Fix kernel panic when remove non-standard SDIO card + - kernfs: fix use-after-free in __kernfs_remove + - perf auxtrace: Fix address filter symbol name match for modules + - Xen/gntdev: don't ignore kernel unmapping error + - xen/gntdev: Prevent leaking grants + - mm,hugetlb: take hugetlb_lock before decrementing h->resv_huge_pages + - net: ieee802154: fix error return code in dgram_bind() + - ALSA: ac97: fix possible memory leak in snd_ac97_dev_register() + - tipc: fix a null-ptr-deref in tipc_topsrv_accept + - [arm64] net: netsec: fix error handling in netsec_register_mdio() + - [amd64,arm64] amd-xgbe: fix the SFP compliance codes check for DAC cables + - [amd64,arm64] amd-xgbe: add the bit rate quirk for Molex cables + - net: fix UAF issue in nfqnl_nf_hook_drop() when ops_init() failed + - tcp: fix indefinite deferral of RTO with SACK reneging + - PM: hibernate: Allow hybrid sleep to work with s2idle + - media: vivid: s_fbuf: add more sanity checks + - media: vivid: dev->bitmap_cap wasn't freed in all cases + - media: v4l2-dv-timings: add sanity checks for blanking values + - media: videodev2.h: V4L2_DV_BT_BLANKING_HEIGHT should check 'interlaced' + - i40e: Fix ethtool rx-flow-hash setting for X722 + - i40e: Fix VF hang when reset is triggered on another VF + - i40e: Fix flow-type by setting GL_HASH_INSET registers + - net: ksz884x: fix missing pci_disable_device() on error in pcidev_init() + - PM: domains: Fix handling of unavailable/disabled idle states + - openvswitch: switch from WARN to pr_warn + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.265 + - NFSv4.1: Handle RECLAIM_COMPLETE trunking errors + - NFSv4.1: We must always send RECLAIM_COMPLETE after a reboot + - nfs4: Fix kmemleak when allocate slot failed + - RDMA/qedr: clean up work queue on failure in qedr_alloc_resources() + - [armhf] net: fec: fix improper use of NETDEV_TX_BUSY + - [i386] ata: pata_legacy: fix pdc20230_set_piomode() + - net: sched: Fix use after free in red_enqueue() + - net: tun: fix bugs for oversize packet when napi frags enabled + - [arm64,armhf] ipvs: use explicitly signed chars + - ipvs: fix WARNING in __ip_vs_cleanup_batch() + - ipvs: fix WARNING in ip_vs_app_net_cleanup() + - [x86] rose: Fix NULL pointer dereference in rose_send_frame() + - [x86] mISDN: fix possible memory leak in mISDN_register_device() + - btrfs: fix inode list leak during backref walking at + resolve_indirect_refs() + - btrfs: fix ulist leaks in error paths of qgroup self tests + - Bluetooth: L2CAP: Fix use-after-free caused by l2cap_reassemble_sdu + (CVE-2022-3564) + - Bluetooth: L2CAP: fix use-after-free in l2cap_conn_del() (CVE-2022-3640) + - net: mdio: fix undefined behavior in bit shift for __mdiobus_register + - net, neigh: Fix null-ptr-deref in neigh_table_clear() + - ipv6: fix WARNING in ip6_route_net_exit_late() + - media: dvb-frontends/drxk: initialize err to 0 + - HID: saitek: add madcatz variant of MMO7 mouse device ID + - Bluetooth: L2CAP: Fix attempting to access uninitialized memory + (CVE-2022-42895) + - block, bfq: protect 'bfqd->queued' by 'bfqd->lock' + - btrfs: fix type of parameter generation in btrfs_get_dentry + - tcp/udp: Make early_demux back namespacified. + - kprobe: reverse kp->flags when arm_kprobe failed + - capabilities: fix potential memleak on error path from + vfs_getxattr_alloc() + - ALSA: usb-audio: Add quirks for MacroSilicon MS2100/MS2106 devices + - efi: random: reduce seed size to 32 bytes + - ext4: fix warning in 'ext4_da_release_space' + - [x86] KVM: x86: Mask off reserved bits in CPUID.80000008H + - [x86] KVM: x86: emulator: em_sysexit should update ctxt->mode + - [x86] KVM: x86: emulator: introduce emulator_recalc_and_set_mode + - [x86] KVM: x86: emulator: update the emulation mode after CR0 write + - wifi: brcmfmac: Fix potential buffer overflow in + brcmf_fweh_event_worker() (CVE-2022-3628) + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.266 + - [amd64] Preparation for mitigating RETbleed: + + x86/cpufeature: Add facility to check for min microcode revisions + + x86/cpufeature: Fix various quality problems in the + <asm/cpu_device_hd.h> header + + x86/devicetable: Move x86 specific macro out of generic code + + x86/cpu: Add consistent CPU match macros + - [amd64] Add mitigation for RETbleed on Intel processors (CVE-2022-29901): + + x86/cpufeatures: Move RETPOLINE flags to word 11 + + x86/bugs: Report AMD retbleed vulnerability + + x86/bugs: Add AMD retbleed= boot parameter + + x86/bugs: Keep a per-CPU IA32_SPEC_CTRL value + + x86/entry: Remove skip_r11rcx + + x86/entry: Add kernel IBRS implementation + + x86/bugs: Optimize SPEC_CTRL MSR writes + + x86/speculation: Add spectre_v2=ibrs option to support Kernel IBRS + + x86/bugs: Split spectre_v2_select_mitigation() and + spectre_v2_user_select_mitigation() + + x86/bugs: Report Intel retbleed vulnerability + + intel_idle: Disable IBRS during long idle + + x86/speculation: Fix RSB filling with CONFIG_RETPOLINE=n + + x86/speculation: Fix firmware entry SPEC_CTRL handling + + x86/speculation: Fix SPEC_CTRL write on SMT state change + + x86/speculation: Use cached host SPEC_CTRL value for guest entry/exit + + x86/speculation: Remove x86_spec_ctrl_mask + + KVM: VMX: Prevent guest RSB poisoning attacks with eIBRS + + KVM: VMX: Fix IBRS handling after vmexit + + x86/speculation: Fill RSB on vmexit for IBRS + + x86/common: Stamp out the stepping madness + + x86/cpu/amd: Enumerate BTC_NO + + x86/bugs: Add Cannon lake to RETBleed affected CPU list + + x86/speculation: Disable RRSBA behavior + + x86/speculation: Use DECLARE_PER_CPU for x86_spec_ctrl_current + + x86/bugs: Warn when "ibrs" mitigation is selected on Enhanced IBRS parts + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.267 + - wifi: cfg80211: fix memory leak in query_regdb_file() + - [x86] HID: hyperv: fix possible memory leak in mousevsc_probe() + - net: gso: fix panic on frag_list with mixed head alloc types + - net: tun: Fix memory leaks of napi_get_frags + - bnxt_en: fix potentially incorrect return value for ndo_rx_flow_steer + - capabilities: fix undefined behavior in bit shift for CAP_TO_MASK + - [x86] hamradio: fix issue of dev reference count leakage in + bpq_device_event() + - [arm64,armhf] drm/vc4: Fix missing platform_unregister_drivers() call in + vc4_drm_register() + - ipv6: addrlabel: fix infoleak when sending struct ifaddrlblmsg to network + - tipc: fix the msg->req tlv len check in + tipc_nl_compat_name_table_dump_header + - [arm64] drivers: net: xgene: disable napi when register irq failed in + xgene_enet_open() + - net: cxgb3_main: disable napi when bind qsets failed in cxgb_up() + - ethernet: s2io: disable napi when start nic failed in s2io_card_up() + - [armhf] net: mv643xx_eth: disable napi when init rxq or txq failed in + mv643xx_eth_open() + - net: macvlan: fix memory leaks of macvlan_common_newlink + - [arm64] efi: Fix handling of misaligned runtime regions and drop warning + - [x86] ALSA: hda/ca0132: add quirk for EVGA Z390 DARK + - ALSA: usb-audio: Add quirk entry for M-Audio Micro + - ALSA: usb-audio: Add DSD support for Accuphase DAC-60 + - vmlinux.lds.h: Fix placement of '.data..decrypted' section + - nilfs2: fix deadlock in nilfs_count_free_blocks() + - nilfs2: fix use-after-free bug of ns_writer on remount + - [x86] drm/i915/dmabuf: fix sg_table handling in map_dma_buf + - [x86] platform/x86: hp_wmi: Fix rfkill causing soft blocked wifi + - udf: Fix a slab-out-of-bounds write bug in udf_find_entry() + - net: tun: call napi_schedule_prep() to ensure we own a napi + - [x86] cpu: Restore AMD's DE_CFG MSR after resume + - NFSv4: Retry LOCK on OLD_STATEID during delegation return + - btrfs: remove pointless and double ulist frees in error paths of qgroup + tests + - Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm + - ASoC: core: Fix use-after-free in snd_soc_exit() + - [armhf] serial: imx: Add missing .thaw_noirq hook + - tty: n_gsm: fix sleep-in-atomic-context bug in gsm_control_send + - ASoC: soc-utils: Remove __exit for snd_soc_util_exit() + - block: sed-opal: kmalloc the cmd/resp buffers + - [x86] parport_pc: Avoid FIFO port location truncation + - ata: libata-transport: fix double ata_host_put() in ata_tport_add() + - [x86] mISDN: fix possible memory leak in mISDN_dsp_element_register() + - [x86] mISDN: fix misuse of put_device() in mISDN_register_device() + - bnxt_en: Remove debugfs when pci_register_driver failed + - [x86] xen/pcpu: fix possible memory leak in register_pcpu() + - drbd: use after free in drbd_create_device() + - cifs: Fix wrong return value checking when GETFLAGS + - [x86] net: thunderbolt: Fix error handling in tbnet_init() + - ftrace: Optimize the allocation for mcount entries + - ftrace: Fix null pointer dereference in ftrace_add_mod() + - ring_buffer: Do not deactivate non-existant pages + - ALSA: usb-audio: Drop snd_BUG_ON() from snd_usbmidi_output_open() + - speakup: fix a segfault caused by switching consoles + - USB: serial: option: add Sierra Wireless EM9191 + - USB: serial: option: remove old LARA-R6 PID + - USB: serial: option: add u-blox LARA-R6 00B modem + - USB: serial: option: add u-blox LARA-L6 modem + - USB: serial: option: add Fibocom FM160 0x0111 composition + - usb: add NO_LPM quirk for Realforce 87U Keyboard + - iio: trigger: sysfs: fix possible memory leak in iio_sysfs_trig_init() + - dm ioctl: fix misbehavior if list_versions races with module loading + - serial: 8250: Fall back to non-DMA Rx if IIR_RDI occurs + - mmc: core: properly select voltage range without power cycle + - mmc: sdhci-pci: Fix possible memory leak caused by missing pci_dev_put() + - [x86] misc/vmw_vmci: fix an infoleak in vmci_host_do_receive_datagram() + - scsi: target: tcm_loop: Fix possible name leak in tcm_loop_setup_hba_bus() + - serial: 8250: Flush DMA Rx on RLSI + - macvlan: enforce a consistent minimal mtu + - tcp: cdg: allow tcp_cdg_release() to be called multiple times + - kcm: avoid potential race in kcm_tx_work (CVE-2022-3521) + - bpf, test_run: Fix alignment problem in bpf_prog_test_run_skb() + - 9p: trans_fd/p9_conn_cancel: drop client lock earlier + - gfs2: Check sb_bsize_shift after reading superblock + - gfs2: Switch from strlcpy to strscpy + - 9p/trans_fd: always use O_NONBLOCK read/write + - mm: fs: initialize fsdata passed to write_begin/write_end interface + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.268 + - wifi: mac80211_hwsim: fix debugfs attribute ps with rc table support + - audit: fix undefined behavior in bit shift for AUDIT_BIT + - wifi: mac80211: Fix ack frame idr leak when mesh has no route + - [x86] drm: panel-orientation-quirks: Add quirk for Acer Switch V 10 + (SW5-017) + - af_key: Fix send_acquire race with pfkey_register + - [armhf] dts: am335x-pcm-953: Define fixed regulators in root node + - [armhf] ASoC: sgtl5000: Reset the CHIP_CLK_CTRL reg on remove + - [arm64,armhf] bus: sunxi-rsb: Support atomic transfers + - [i386] net: pch_gbe: fix potential memleak in pch_gbe_tx_queue() + - 9p/fd: fix issue of list_del corruption in p9_fd_cancel() + - net/mlx4: Check retval of mlx4_bitmap_init + - net/qla3xxx: fix potential memleak in ql3xxx_send() + - [x86] Drivers: hv: vmbus: fix double free in the error path of + vmbus_add_channel_work() + - net/mlx5: Fix FW tracer timestamp calculation + - tipc: set con sock in tipc_conn_alloc + - tipc: add an extra conn_get in tipc_conn_alloc + - tipc: check skb_linearize() return value in tipc_disc_rcv() + - xfrm: Fix ignored return value in xfrm6_init() + - bnx2x: fix pci device refcount leak in bnx2x_vf_is_pcie_pending() + - dccp/tcp: Reset saddr on failure after inet6?_hash_connect(). + - [arm64] net: thunderx: Fix the ACPI memory leak + - [arm64] dts: rockchip: lower rk3399-puma-haikou SD controller clock + frequency + - iio: core: Fix entry not deleted when iio_register_sw_trigger_type() + fails + - ceph: do not update snapshot context when there is no new snapshot + - ceph: avoid putting the realm twice when decoding snaps fails + - nilfs2: fix nilfs_sufile_mark_dirty() not set segment usage as dirty + - Input: synaptics - switch touchpad on HP Laptop 15-da3001TU to RMI mode + - [x86] xen/platform-pci: add missing free_irq() in error path + - [x86] platform/x86: asus-wmi: add missing pci_dev_put() in + asus_wmi_set_xusb2pr() + - [x86] platform/x86: acer-wmi: Enable SW_TABLET_MODE on Switch V 10 + (SW5-017) + - [x86] platform/x86: hp-wmi: Ignore Smart Experience App event + - tcp: configurable source port perturb table size + - net: usb: qmi_wwan: add Telit 0x103a composition + - dm integrity: flush the journal on suspend + - btrfs: free btrfs_path before copying root refs to userspace + - btrfs: free btrfs_path before copying fspath to userspace + - btrfs: free btrfs_path before copying subvol info to userspace + - drm/amd/dc/dce120: Fix audio register mapping, stop triggering KASAN + - drm/amdgpu: always register an MMU notifier for userptr + - btrfs: free btrfs_path before copying inodes to userspace + - [armhf] spi: spi-imx: Fix spi_bus_clk if requested clock is higher than + input clock + - proc: avoid integer type confusion in get_proc_long (CVE-2022-4378) + - proc: proc_skip_spaces() shouldn't think it is working on C strings + (CVE-2022-4378) + - v4l2: don't fall back to follow_pfn() if pin_user_pages_fast() fails + - [x86] hwmon: (i5500_temp) fix missing pci_disable_device() + - [x86] hwmon: (ibmpex) Fix possible UAF when ibmpex_register_bmc() fails + - of: property: decrement node refcount in of_fwnode_get_reference_args() + - net/mlx5: Fix uninitialized variable bug in outlen_write() + - qlcnic: fix sleep-in-atomic-context bugs caused by msleep + - net: phy: fix null-ptr-deref while probe() failed + - net/9p: Fix a potential socket leak in p9_socket_open + - net: tun: Fix use-after-free in tun_detach() + - packet: do not set TP_STATUS_CSUM_VALID on CHECKSUM_COMPLETE + - [x86] hwmon: (coretemp) Check for null before removing sysfs attrs + - btrfs: qgroup: fix sleep from invalid context bug in + btrfs_qgroup_inherit() + - error-injection: Add prompt for function error injection + - nilfs2: fix NULL pointer dereference in nilfs_palloc_commit_free_entry() + - [x86] bugs: Make sure MSR_SPEC_CTRL is updated properly upon resume from + S3 + - [x86] pinctrl: intel: Save and restore pins in "direct IRQ" mode + - [arm64] Fix panic() when Spectre-v2 causes Spectre-BHB to re-allocate KVM + vectors + - [arm64] errata: Fix KVM Spectre-v2 mitigation selection for + Cortex-A57/A72 + - ASoC: ops: Fix bounds check for _sx controls + - [amd64] iommu/vt-d: Fix PCI device refcount leak in dmar_dev_scope_init() + - tcp/udp: Fix memory leak in ipv6_renew_options(). (CVE-2022-3524) + - nvme: restrict management ioctls to admin + - [x86] tsx: Add a feature bit for TSX control MSR support + - [x86] pm: Add enumeration check before spec MSRs save/restore setup + (regression in 4.19.238) + - Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM + (CVE-2022-42896) + - [x86] ioremap: Fix page aligned size calculation in __ioremap_caller() + - mmc: sdhci: use FIELD_GET for preset value bit masks + - mmc: sdhci: Fix voltage switch delay + - ipc/sem: Fix dangling sem_array access in semtimedop race + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.269 + - [armhf] dts: rockchip: fix node name for hym8563 rtc + - [armhf] dts: rockchip: fix ir-receiver node names + - [armhf] dts: rockchip: disable arm_global_timer on rk3066 and rk3188 + - ALSA: seq: Fix function prototype mismatch in snd_seq_expand_var_event + - ASoC: soc-pcm: Add NULL check in BE reparenting + - [armhf] regulator: twl6030: fix get status of twl6032 regulators + - fbcon: Use kzalloc() in fbcon_prepare_logo() + - 9p/xen: check logical size for buffer size + - net: usb: qmi_wwan: add u-blox 0x1342 composition + - xen/netback: Ensure protocol headers don't fall in the non-linear area + (CVE-2022-3643) + - xen/netback: don't call kfree_skb() with interrupts disabled + (CVE-2022-42328, CVE-2022-42329) + - media: v4l2-dv-timings.c: fix too strict blanking sanity checks + - memcg: fix possible use-after-free in memcg_write_event_control() + - HID: hid-lg4ff: Add check for empty lbuf + - HID: core: fix shift-out-of-bounds in hid_report_raw_event + - ieee802154: cc2520: Fix error return code in cc2520_hw_init() + - e1000e: Fix TX dispatch condition + - igb: Allocate MSI-X vector when testing + - Bluetooth: 6LoWPAN: add missing hci_dev_put() in get_l2cap_conn() + - Bluetooth: Fix not cleanup led when bt_init fails + - mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add() + - xen-netfront: Fix NULL sring after live migration + - [arm64,armhf] net: mvneta: Prevent out of bounds read in + mvneta_config_rss() + - i40e: Fix not setting default xps_cpus after reset + - i40e: Fix for VF MAC address 0 + - i40e: Disallow ip4 and ip6 l4_4_bytes + - nvme initialize core quirks before calling nvme_init_subsystem + - [arm64,armhf] net: stmmac: fix "snps,axi-config" node property parsing + - [arm64] net: hisilicon: Fix potential use-after-free in hisi_femac_rx() + - [arm64] net: hisilicon: Fix potential use-after-free in hix5hd2_rx() + - tipc: Fix potential OOB in tipc_link_proto_rcv() + - xen/netback: fix build warning + - net: plip: don't call kfree_skb/dev_kfree_skb() under spin_lock_irq() + - ipv6: avoid use-after-free in ip6_fragment() + - [arm64,armhf] net: mvneta: Fix an out of bounds check + - can: esd_usb: Allow REC and TEC to return to zero + + [ Ben Hutchings ] + * Bump ABI to 23 + * [rt] Add new signing key for Daniel Wagner + * [rt] Update to 4.9.265-rt117: + - Revert "random: Use local locks for crng context access" + - random: Bring back the local_locks + - local_lock: Provide INIT_LOCAL_LOCK(). + - Revert "workqueue: Use local irq lock instead of irq disable regions" + - timers: Don't block on ->expiry_lock for TIMER_IRQSAFE timers + - rcu: Update rcuwait + - workqueue: Use rcuwait for wq_manager_wait + - timers: Prepare support for PREEMPT_RT + - timers: Move clearing of base::timer_running under base:: Lock + - timers: Don't block on ->expiry_lock for TIMER_IRQSAFE timers + * efi: random: Properly limit the size of the random seed + * [rt] Revert "percpu: include irqflags.h for raw_local_irq_save()" which now + causes an #include loop + * [x86] debug: Keep FUNCTION_ERROR_INJECTION enabled + 4.19.260-1 [Thu, 29 Sep 2022 02:47:06 +0200] Ben Hutchings <benh@debian.org>: * New upstream stable update: <http://piuparts.knut.univention.de/5.0-2/#165298276343362809>
OK: bug OK: yaml OK: announce_errata OK: patch OK: piuparts OK: uname -r OK: dmesg -H OK: amd64 @ kvm OK: amd64 @ kvm + SB OK: mokutil --sb-state OK: reboot [5.0-2] 614af20562 Bug #55540: linux 4.19.269-1 doc/errata/staging/linux.yaml | 68 +++++++++++++++++++------------------------ 1 file changed, 30 insertions(+), 38 deletions(-) [5.0-2] bab879fe25 Bug #55540: linux 4.19.269-1 doc/errata/staging/linux.yaml | 93 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 93 insertions(+)
<https://errata.software-univention.de/#/?erratum=5.0x539> <https://errata.software-univention.de/#/?erratum=5.0x540> <https://errata.software-univention.de/#/?erratum=5.0x541>