Univention Bugzilla – Bug 56032
linux: Multiple issues (5.0)
Last modified: 2023-11-13 09:02:51 CET
New Debian linux 4.19.282-1 fixes: This update addresses the following issues: * an out-of-bounds vulnerability in i2c-ismt driver (CVE-2022-2873) * Use after Free in gru_set_context_option leading to kernel panic (CVE-2022-3424) * A flaw leading to a use-after-free in area_cache_get() (CVE-2022-3545) * Double-free in split_2MB_gtt_entry when function intel_gvt_dma_map_guest_page failed (CVE-2022-3707) * avoid double free in tun_free_netdev (CVE-2022-4744) * out-of-bounds write in vmw_kms_cursor_snoop (CVE-2022-36280) * Report vmalloc UAF in dvb-core/dmxdev (CVE-2022-41218) * integer overflow in l2cap_config_req() in net/bluetooth/l2cap_core.c (CVE-2022-45934) * NULL pointer dereference in traffic control subsystem (CVE-2022-47929) * The current implementation of the prctl syscall does not issue an IBPB immediately during the syscall. The ib_prctl_set function updates the Thread Information Flags (TIFs) for the task and updates the SPEC_CTRL MSR on the function __speculation_ctrl_update, but the IBPB is only issued on the next schedule, when the TIF bits are checked. This leaves the victim vulnerable to values already injected on the BTB, prior to the prctl syscall. The patch that added the support for the conditional mitigation via prctl (ib_prctl_set) dates back to the kernel 4.9.176. We recommend upgrading past commit a664ec9158eeddd75121d39c9a0758016097fa96 (CVE-2023-0045) * Move rwsem lock inside snd_ctl_elem_read to prevent UAF (CVE-2023-0266) * NULL pointer dereference in rawv6_push_pending_frames (CVE-2023-0394) * A speculative pointer dereference problem exists in the Linux Kernel on the do_prlimit() function. The resource argument value is controlled and is used in pointer arithmetic for the 'rlim' variable and can be used to leak the contents. We recommend upgrading past version 6.1.8 or commit 739790605705ddcf18f21782b9c99ad7d53a8c11 (CVE-2023-0458) * linux (CVE-2023-0459) * use-after-free in listening ULP sockets (CVE-2023-0461) * HID: check empty report_list in hid_validate_values() (CVE-2023-1073) * sctp: fail if no bound addresses can be used for a given scope (CVE-2023-1074) * Heap OOB Write in rds_rm_zerocopy_callback() (CVE-2023-1078) * Use After Free in asus_remove() (CVE-2023-1079) * use-after-free in drivers/media/rc/ene_ir.c due to race condition (CVE-2023-1118) * Use After Free vulnerability in traffic control index filter (tcindex) allows Privilege Escalation (CVE-2023-1281) * KVM: information leak in KVM_GET_DEBUGREGS ioctl on 32-bit systems (CVE-2023-1513) * use after free bug in xirc2ps_detach (CVE-2023-1670) * Use-after-free vulnerability in the Linux Kernel traffic control index filter (CVE-2023-1829) * use-after-free bug in remove function xgene_hwmon_remove (CVE-2023-1855) * Use after free in xen_9pfs_front_remove due to race condition (CVE-2023-1859) * Use after free bug in btsdio_remove due to race condition (CVE-2023-1989) * Use after free bug in ndlc_remove due to race condition (CVE-2023-1990) * Spectre v2 SMT mitigations problem (CVE-2023-1998) * UAF during login when accessing the shost ipaddress (CVE-2023-2162) * out-of-bounds write in xgene_slimpro_i2c_xfer() (CVE-2023-2194) * slab-out-of-bounds read vulnerabilities in cbq_classify (CVE-2023-23454) * denial of service in atm_tc_enqueue in net/sched/sch_atm.c due to type confusion (CVE-2023-23455) * Integer overflow in function rndis_query_oid of rndis_wlan.c (CVE-2023-23559) * double free on sysctl allocation failure (CVE-2023-26545) * A denial of service issue in az6027 driver in drivers/media/usb/dev-usb/az6027.c (CVE-2023-28328) * missing consistency checks for CR0 and CR4 (CVE-2023-30456) * The Linux kernel before 6.2.9 has a race condition and resultant use-after-free in drivers/power/supply/da9150-charger.c if a physically proximate attacker unplugs a device. (CVE-2023-30772)
--- mirror/ftp/pool/main/l/linux/linux_4.19.269-1.dsc +++ apt/ucs_5.0-0-errata5.0-3/source/linux_4.19.282-1.dsc @@ -1,3 +1,991 @@ +4.19.282-1 [Sat, 29 Apr 2023 22:07:39 +0200] Ben Hutchings <benh@debian.org>: + + * New upstream stable update: + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.270 + - mm/khugepaged: fix GUP-fast interaction by sending IPI + - mm/khugepaged: invoke MMU notifiers in shmem/file collapse paths + - block: unhash blkdev part inode when the part is deleted + - nfp: fix use-after-free in area_cache_get() (CVE-2022-3545) + - ASoC: ops: Check bounds for second channel in snd_soc_put_volsw_sx() + - can: sja1000: fix size of OCR_MODE_MASK define + - can: mcba_usb: Fix termination command argument + - ASoC: ops: Correct bounds check for second channel on SX controls + - udf: Discard preallocation before extending file with a hole + - udf: Fix preallocation discarding at indirect extent boundary + - udf: Do not bother looking for prealloc extents if i_lenExtents matches + i_size + - udf: Fix extending file within last block + - usb: gadget: uvc: Prevent buffer overflow in setup handler + - USB: serial: option: add Quectel EM05-G modem + - USB: serial: cp210x: add Kamstrup RF sniffer PIDs + - USB: serial: f81534: fix division by zero on line-speed change + - igb: Initialize mailbox message for VF reset + - Bluetooth: L2CAP: Fix u8 overflow (CVE-2022-45934) + - net: loopback: use NET_NAME_PREDICTABLE for name_assign_type + - [arm*] usb: musb: remove extra check in musb_gadget_vbus_draw + - [armhf] soc: ti: smartreflex: Fix PM disable depth imbalance in + omap_sr_probe + - [armhf] dts: dove: Fix assigned-addresses for every PCIe Root Port + - [armhf] dts: armada-370: Fix assigned-addresses for every PCIe Root Port + - [armhf] dts: armada-xp: Fix assigned-addresses for every PCIe Root Port + - [armhf] dts: armada-375: Fix assigned-addresses for every PCIe Root Port + - [armhf] dts: armada-38x: Fix assigned-addresses for every PCIe Root Port + - [armhf] dts: armada-39x: Fix assigned-addresses for every PCIe Root Port + - [armhf] dts: turris-omnia: Add ethernet aliases + - [armhf] dts: turris-omnia: Add switch port 6 node + - pstore/ram: Fix error return code in ramoops_probe() + - pstore: Avoid kcore oops by vmap()ing with VM_IOREMAP + - [x86] tpm/tpm_crb: Fix error message in __crb_relinquish_locality() + - [arm64] cpuidle: dt: Return the correct numbers of parsed idle states + - fs: don't audit the capability check in simple_xattr_list() + - selftests/ftrace: event_triggers: wait longer for test_event_enable + - perf: Fix possible memleak in pmu_dev_alloc() + - timerqueue: Use rb_entry_safe() in timerqueue_getnext() + - ocfs2: fix memory leak in ocfs2_stack_glue_init() + - PNP: fix name memory leak in pnp_alloc_dev() + - [x86] perf/x86/intel/uncore: Fix reference count leak in + hswep_has_limit_sbox() (regression in 4.19.189) + - [x86] cpufreq: amd_freq_sensitivity: Add missing pci_dev_put() + - lib/notifier-error-inject: fix error when writing -errno to debugfs file + - debugfs: fix error when writing negative value to atomic_t debugfs file + (regression in 4.19.160) + - ACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage() + - [x86] uprobes/x86: Allow to probe a NOP instruction with 0x66 prefix + - [x86] xen/events: only register debug interrupt for 2-level events + - [x86] xen: Fix memory leak in xen_smp_intr_init{_pv}() + - [x86] xen: Fix memory leak in xen_init_lock_cpu() + - xen/privcmd: Fix a possible warning in privcmd_ioctl_mmap_resource() + - PM: runtime: Improve path in rpm_idle() when no callback + - PM: runtime: Do not call __rpm_callback() from rpm_idle() + - [x86] platform/x86: mxm-wmi: fix memleak in mxm_wmi_call_mx[ds|mx]() + - fs: sysv: Fix sysv_nblocks() returns wrong value + - relay: fix type mismatch when allocating memory in relay_create_buf() + - hfs: Fix OOB Write in hfs_asc2mac + - wifi: ath9k: hif_usb: fix memory leak of urbs in + ath9k_hif_usb_dealloc_tx_urbs() (regression in 4.19.154) + - wifi: ath9k: hif_usb: Fix use-after-free in ath9k_hif_usb_reg_in_cb() + - wifi: rtl8xxxu: Fix reading the vendor of combo chips + - can: kvaser_usb: do not increase tx statistics when sending error message + frames + - can: kvaser_usb: kvaser_usb_leaf: Get capabilities from device + - can: kvaser_usb: kvaser_usb_leaf: Rename {leaf,usbcan}_cmd_error_event to + {leaf,usbcan}_cmd_can_error_event + - can: kvaser_usb: kvaser_usb_leaf: Handle CMD_ERROR_EVENT + - can: kvaser_usb_leaf: Set Warning state even without bus errors + - can: kvaser_usb_leaf: Fix improved state not being reported + - can: kvaser_usb_leaf: Fix wrong CAN state after stopping + - can: kvaser_usb_leaf: Fix bogus restart events + - can: kvaser_usb: Add struct kvaser_usb_busparams + - can: kvaser_usb: Compare requested bittiming parameters with actual + parameters in do_set_{,data}_bittiming + - media: vivid: fix compose size exceed boundary + - mtd: Fix device name leak when register device failed in add_mtd_device() + - wifi: rsi: Fix handling of 802.3 EAPOL frames sent via control port + - drm/radeon: Add the missed acpi_put_table() to fix memory leak + - regulator: core: fix unbalanced of node refcount in + regulator_dev_lookup() + - wifi: ath10k: Fix return value in ath10k_pci_init() + - [arm64] Input: elants_i2c - properly handle the reset GPIO when power is + off + - media: solo6x10: fix possible memory leak in solo_sysfs_init() + - HID: hid-sensor-custom: set fixed size for custom attributes + - bonding: Export skip slave logic to function + - media: imon: fix a race condition in send_packet() + - pinctrl: pinconf-generic: add missing of_node_put() + - media: dvb-core: Fix ignored return value in dvb_register_frontend() + - media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer() + (CVE-2023-28328) + - [arm*] drm/tegra: Add missing clk_disable_unprepare() in tegra_dc_probe() + - NFSv4.2: Fix a memory stomp in decode_attr_security_label + - NFSv4: Fix a deadlock between nfs4_open_recover_helper() and delegreturn + - [x86] ALSA: asihpi: fix missing pci_disable_device() + - drm/radeon: Fix PCI device refcount leak in radeon_atrm_get_bios() + - drm/amdgpu: Fix PCI device refcount leak in amdgpu_atrm_get_bios() + - wifi: cfg80211: Fix not unregister reg_pdev when + load_builtin_regdb_keys() fails + - regulator: core: fix module refcount leak in set_supply() + - media: saa7164: fix missing pci_disable_device() + - ALSA: mts64: fix possible null-ptr-defer in snd_mts64_interrupt + - SUNRPC: Fix missing release socket in rpc_sockname() + - NFSv4.x: Fail client initialisation if state manager thread can't run + - mmc: rtsx_usb_sdmmc: fix return value check of mmc_add_host() + - mmc: toshsd: fix return value check of mmc_add_host() + - mmc: vub300: fix return value check of mmc_add_host() + - [armhf] mmc: wmt-sdmmc: fix return value check of mmc_add_host() + - [arm64] mmc: meson-gx: fix return value check of mmc_add_host() + - mmc: via-sdmmc: fix return value check of mmc_add_host() + - [x86] mmc: wbsd: fix return value check of mmc_add_host() + - [arm*] mmc: mmci: fix return value check of mmc_add_host() + - [armhf] clk: samsung: Fix memory leak in _samsung_clk_register_pll() + - wifi: rtl8xxxu: Add __packed to struct rtl8723bu_c2h + - wifi: brcmfmac: Fix error return code in brcmf_sdio_download_firmware() + - blktrace: Fix output non-blktrace event when blk_classic option enabled + - [armhf] clk: socfpga: use clk_hw_register for a5/c5 + - [x86] net: vmw_vsock: vmci: Check memcpy_from_msg() + - net: defxx: Fix missing err handling in dfx_init() + - drivers: net: qlcnic: Fix potential memory leak in qlcnic_sriov_init() + - ethernet: s2io: don't call dev_kfree_skb() under spin_lock_irqsave() + - [x86] net: farsync: Fix kmemleak when rmmods farsync + - net/tunnel: wait until all sk_user_data reader finish before releasing + the sock + - [i386] hamradio: don't call dev_kfree_skb() under spin_lock_irqsave() + - [i386] net: amd: lance: don't call dev_kfree_skb() under + spin_lock_irqsave() + - [amd64,arm64] net: amd-xgbe: Fix logic around active and passive cables + - [amd64,arm64] net: amd-xgbe: Check only the minimum speed for active/ + passive cables + - Bluetooth: btusb: don't call kfree_skb() under spin_lock_irqsave() + - Bluetooth: hci_qca: don't call kfree_skb() under spin_lock_irqsave() + - Bluetooth: hci_h5: don't call kfree_skb() under spin_lock_irqsave() + - [x86] Bluetooth: hci_bcsp: don't call kfree_skb() under + spin_lock_irqsave() + - Bluetooth: hci_core: don't call kfree_skb() under spin_lock_irqsave() + - Bluetooth: RFCOMM: don't call kfree_skb() under spin_lock_irqsave() + (regression in 4.19.254) + - [arm*] stmmac: fix potential division by 0 (regression in 4.19.122) + - apparmor: fix a memleak in multi_transaction_new() + - apparmor: fix lockdep warning when removing a namespace + - apparmor: Fix abi check to include v8 abi + - f2fs: fix normal discard process + - RDMA/nldev: Return "-EAGAIN" if the cm_id isn't from expected port + - [x86] scsi: scsi_debug: Fix a warning in resp_write_scat() + - PCI: Check for alloc failure in pci_request_irq() + - [amd64] RDMA/hfi: Decrease PCI device reference count in error path + - RDMA/rxe: Fix NULL-ptr-deref in rxe_qp_do_cleanup() when socket create + failed + - scsi: hpsa: use local workqueues instead of system workqueues + - scsi: hpsa: Fix possible memory leak in hpsa_init_one() + - crypto: tcrypt - Fix multibuffer skcipher speed test mem leak + - scsi: hpsa: Fix error handling in hpsa_add_sas_host() + - scsi: hpsa: Fix possible memory leak in hpsa_add_sas_device() + - scsi: fcoe: Fix possible name leak when device_register() fails + - [x86] scsi: ipr: Fix WARNING in ipr_init() + - scsi: fcoe: Fix transport not deattached when fcoe_if_init() fails + - scsi: snic: Fix possible UAF in snic_tgt_create() + - [amd64] RDMA/hfi1: Fix error return code in parse_platform_config() + - orangefs: Fix sysfs not cleanup when dev init failed + - [x86] hwrng: amd - Fix PCI device refcount leak + - [i386] hwrng: geode - Fix PCI device refcount leak + - IB/IPoIB: Fix queue count inconsistency for PKEY child interfaces + - [arm*] serial: tegra: avoid reg access when clk disabled + - [arm*] serial: tegra: check for FIFO mode enabled status + - [arm*] serial: tegra: set maximum num of uart ports to 8 + - [arm*] serial: tegra: add support to use 8 bytes trigger + - [arm*] serial: tegra: add support to adjust baud rate + - [arm*] serial: tegra: report clk rate errors + - [arm*] serial: tegra: Add PIO mode support + - [arm*] tty: serial: tegra: Activate RX DMA transfer by request + - [arm*] serial: tegra: Read DMA status before terminating + - [x86] usb: typec: Check for ops->exit instead of ops->enter in + altmode_exit + - [arm*] serial: amba-pl011: avoid SBSA UART accessing DMACR register + - [arm*] serial: pl011: Do not clear RX FIFO & RX interrupt in unthrottle. + (regression in 4.19.253) + - [i386] serial: pch: Fix PCI device refcount leak in pch_request_dma() + - [x86] misc: sgi-gru: fix use-after-free error in gru_set_context_option, + gru_fault and gru_handle_user_call_os (CVE-2022-3424) + - misc: tifm: fix possible memory leak in tifm_7xx1_switch_media() + - usb: gadget: f_hid: optional SETUP/SET_REPORT mode + - usb: gadget: f_hid: fix f_hidg lifetime vs cdev + - usb: gadget: f_hid: fix refcount leak on error path + - chardev: fix error handling in cdev_device_add() + - [i386] i2c: pxa-pci: fix missing pci_disable_device() on error in + ce4100_i2c_probe + - [x86] staging: rtl8192u: Fix use after free in ieee80211_rx() + - [x86] staging: rtl8192e: Fix potential use-after-free in + rtllib_rx_Monitor() + - [x86] i2c: ismt: Fix an out-of-bounds bug in ismt_access() + (CVE-2022-2873) + - usb: storage: Add check for kcalloc + - tracing/hist: Fix issue of losting command info in error_log + - [x86] fbdev: pm2fb: fix missing pci_disable_device() + - [x86] fbdev: via: Fix error in via_core_init() + - [x86] fbdev: vermilion: decrease reference count in error path + - [x86] fbdev: uvesafb: Fixes an error handling path in uvesafb_probe() + - [armhf] HSI: omap_ssi_core: fix unbalanced pm_runtime_disable() + - [armhf] HSI: omap_ssi_core: fix possible memory leak in ssi_probe() + - power: supply: fix residue sysfs file in error handle route of + __power_supply_register() + - perf symbol: correction while adjusting symbol (regression in 4.19.255) + - [armhf] HSI: omap_ssi_core: Fix error handling in ssi_init() + - include/uapi/linux/swab: Fix potentially missing __always_inline + - [armhf] rtc: snvs: Allow a time difference on clock register read + - [amd64] iommu/amd: Fix pci device refcount leak in ppr_notifier() + - nfsd: under NFSv4.1, fix double svc_xprt_put on rpc_create failure + (regression in 4.19.130) + - [x86] mISDN: hfcsusb: don't call dev_kfree_skb/kfree_skb() under + spin_lock_irqsave() + - [x86] mISDN: hfcpci: don't call dev_kfree_skb/kfree_skb() under + spin_lock_irqsave() + - [x86] mISDN: hfcmulti: don't call dev_kfree_skb/kfree_skb() under + spin_lock_irqsave() + - nfc: pn533: Clear nfc_target before being used + - r6040: Fix kmemleak in probe and remove + - openvswitch: Fix flow lookup to use unmasked key + - skbuff: Account for tail adjustment during pull operations + - net_sched: reject TCF_EM_SIMPLE case for complex ematch module + - rxrpc: Fix missing unlock in rxrpc_do_sendmsg() + - myri10ge: Fix an error handling path in myri10ge_probe() + - net: stream: purge sk_error_queue in sk_stream_kill_queues() + (regression in 4.19.218) + - fs: jfs: fix shift-out-of-bounds in dbAllocAG + - udf: Avoid double brelse() in udf_rename() + - fs: jfs: fix shift-out-of-bounds in dbDiscardAG + - ACPICA: Fix error code path in acpi_ds_call_control_method() + - nilfs2: fix shift-out-of-bounds/overflow in nilfs_sb2_bad_offset() + - acct: fix potential integer overflow in encode_comp_t() + - hfs: fix OOB Read in __hfs_brec_find + - wifi: ath9k: verify the expected usb_endpoints are present + - wifi: ar5523: Fix use-after-free on ar5523_cmd() timed out + - bpf: make sure skb->len != 0 when redirecting to a tunneling device + - [i386] hamradio: baycom_epp: Fix return type of baycom_send_packet() + - wifi: brcmfmac: Fix potential shift-out-of-bounds in + brcmf_fw_alloc_request() + - igb: Do not free q_vector unless new one was allocated + - drm/amdgpu: Fix type of second parameter in trans_msg() callback + - drivers/md/md-bitmap: check the return value of md_bitmap_get_counter() + - md/raid1: stop mdx_raid1 thread when raid1 array run failed + - mrp: introduce active flags to prevent UAF when applicant uninit + - ppp: associate skb with a device at tx + - media: dvb-frontends: fix leak of memory fw + - media: dvbdev: adopts refcnt to avoid UAF + - media: dvb-usb: fix memory leak in dvb_usb_adapter_init() + - blk-mq: fix possible memleak when register 'hctx' failed + - regulator: core: fix use_count leakage when handling boot-on + - [arm64] mmc: f-sdh30: Add quirks for broken timeout clock capability + - media: si470x: Fix use-after-free in si470x_int_in_callback() + - orangefs: Fix kmemleak in orangefs_prepare_debugfs_help_string() + - [arm*] ASoC: rockchip: spdif: Add missing clk_disable_unprepare() in + rk_spdif_runtime_resume() + - [x86] ASoC: rt5670: Remove unbalanced pm_runtime_put() + - [arm*] usb: dwc3: core: defer probe on ulpi_read_id timeout + - HID: wacom: Ensure bootloader PID is usable in hidraw mode + - reiserfs: Add missing calls to reiserfs_security_free() + - media: dvbdev: fix refcnt bug + - ata: ahci: Fix PCS quirk application for suspend (regression in 4.19.77) + - HID: plantronics: Additional PIDs for double volume key presses quirk + - hfsplus: fix bug causing custom uid and gid being unable to be assigned + with mount + - ovl: Use ovl mounter's fsuid and fsgid in ovl_link() + - ALSA: line6: correct midi status byte when receiving data from podxt + - ALSA: line6: fix stack overflow in line6_midi_transmit + - pnode: terminate at peers of source + - md: fix a crash in mempool_free + - mmc: vub300: fix warning - do not call blocking ops when !TASK_RUNNING + - SUNRPC: Don't leak netobj memory when gss_read_proxy_verf() fails + - media: stv0288: use explicitly signed char + - dm cache: Fix ABBA deadlock between shrink_slab and + dm_cache_metadata_abort + - dm thin: Use last transaction's pmd->root when commit failed + - dm thin: Fix UAF in run_timer_softirq() + - dm cache: Fix UAF in destroy() + - dm cache: set needs_check flag after aborting metadata + - [x86] microcode/intel: Do not retry microcode reloading on the APs + - tracing: Fix infinite loop in tracing_read_pipe on overflowed + print_trace_line + - media: dvb-core: Fix double free in dvb_register_device() + (regression in 4.19.77) + - media: dvb-core: Fix UAF due to refcount races at releasing + (CVE-2022-41218) + - md/bitmap: Fix bitmap chunk size overflow issues + - ipmi: fix long wait in unload when IPMI disconnect + - ipmi: fix use after free in _ipmi_destroy_user() + - PCI: Fix pci_device_is_present() for VFs by checking PF + - PCI/sysfs: Fix double free in error path + - [amd64] iommu/amd: Fix ivrs_acpihid cmdline parsing code + - device_cgroup: Roll back to original exceptions after copy failure + - drm/connector: send hotplug uevent on connector cleanup + - [x86] drm/vmwgfx: Validate the box size for the snooped cursor + (CVE-2022-36280) + - ext4: add inode table check in __ext4_get_inode_loc to aovid possible + infinite loop + - ext4: add helper to check quota inums + - ext4: fix bug_on in __es_tree_search caused by bad boot loader inode + - ext4: init quota for 'old.inode' in 'ext4_rename' + - ext4: fix corruption when online resizing a 1K bigalloc fs + - ext4: fix error code return to user-space in ext4_get_branch() + - ext4: avoid BUG_ON when creating xattrs + - ext4: fix inode leak in ext4_xattr_inode_create() on an error path + - ext4: initialize quota before expanding inode in setproject ioctl + - ext4: avoid unaccounted block allocation when expanding inode + - ext4: allocate extended attribute value in vmalloc area + - btrfs: send: avoid unnecessary backref lookups when finding clone source + - btrfs: replace strncpy() with strscpy() + - dm thin: resume even if in FAIL mode + - perf probe: Use dwarf_attr_integrate as generic DWARF attr accessor + - perf probe: Fix to get the DW_AT_decl_file and DW_AT_call_file as + unsinged data + - driver core: Set deferred_probe_timeout to a longer default if + CONFIG_MODULES is set + - ext4: goto right label 'failed_mount3a' + - ext4: correct inconsistent error msg in nojournal mode + - ext4: use kmemdup() to replace kmalloc + memcpy + - mbcache: don't reclaim used entries + - mbcache: add functions to delete entry if unused + - ext4: remove EA inode entry from mbcache on inode eviction + - ext4: unindent codeblock in ext4_xattr_block_set() + - ext4: fix race when reusing xattr blocks + - mbcache: automatically delete entries from cache on freeing + - ext4: fix deadlock due to mbcache entry corruption + - SUNRPC: ensure the matching upcall is in-flight upon downcall + - bpf: pull before calling skb_postpull_rcsum() + - qlcnic: prevent ->dcb use-after-free on qlcnic_dcb_enable() failure + - nfc: Fix potential resource leaks + - [amd64,arm64] net: amd-xgbe: add missed tasklet_kill + - RDMA/mlx5: Fix validation of max_rd_atomic caps for DC + - net: sched: atm: dont intepret cls results when asked to drop + (CVE-2023-23455) + - usb: rndis_host: Secure rndis_query check against int overflow + - udf: Fix extension of the last extent in the file + - [x86] ASoC: Intel: bytcr_rt5640: Add quirk for the Advantech MICA-071 + tablet + - [x86] bugs: Flush IBP in ib_prctl_set() (CVE-2023-0045) + - nfsd: fix handling of readdir in v4root vs. mount upcall timeout + - ext4: don't allow journal inode to have encrypt flag + - hfs/hfsplus: use WARN_ON for sanity check + - hfs/hfsplus: avoid WARN_ON() for sanity check, use proper error handling + - mbcache: Avoid nesting of cache->c_list_lock under bit locks + - driver core: Fix bus_type.match() error handling in __driver_attach() + - net: sched: disallow noqueue for qdisc classes (CVE-2022-47929) + - perf auxtrace: Fix address filter duplicate symbol selection + - net/ulp: prevent ULP without clone op from entering the LISTEN status + (CVE-2023-0461) + - ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF + (CVE-2023-0266) + - cifs: Fix uninitialized memory read for smb311 posix symlink create + - [x86] platform/x86: sony-laptop: Don't turn off 0x153 keyboard backlight + during probe + - ipv6: raw: Deduct extension header length in rawv6_push_pending_frames + (CVE-2023-0394) + - [x86] ALSA: hda/hdmi: fix failures at PCM open on Intel ICL and later + - quota: Factor out setup of quota inode + - ext4: fix bug_on in __es_tree_search caused by bad quota inode + - ext4: lost matching-pair of trace in ext4_truncate + - ext4: fix use-after-free in ext4_orphan_cleanup + - ext4: fix uninititialized value in 'ext4_evict_inode' + - netfilter: ipset: Fix overflow before widen in the bitmap_ip_create() + function. + - [x86] boot: Avoid using Intel mnemonics in AT&T syntax asm + - EDAC/device: Fix period calculation in edac_device_reset_delay_period() + - hvc/xen: lock console list traversal + - nfc: pn533: Wait for out_urb's completion in pn533_usb_send_frame() + - net/mlx5: Rename ptp clock info + - net/mlx5: Fix ptp max frequency adjustment range + - drm/virtio: Fix GEM handle creation UAF + - [arm64] cmpxchg_double*: hazard against entire exchange variable + - efi: fix NULL-deref in init error path (regression in 4.19.142) + - [arm*] tty: serial: tegra: Handle RX transfer in PIO mode if DMA wasn't + started + - [arm*] serial: tegra: Only print FIFO error message when an error occurs + - [arm*] serial: tegra: Change lower tolerance baud rate limit for tegra20 + and tegra30 + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.271 + - pNFS/filelayout: Fix coalescing test for single DS + - net/ethtool/ioctl: return -EOPNOTSUPP if we have no phy stats + - RDMA/srp: Move large values to a new enum for gcc13 + - f2fs: let's avoid panic if extent_tree is not created + - nilfs2: fix general protection fault in nilfs_btree_insert() + - xhci-pci: set the dma max_seg_size + - usb: xhci: Check endpoint is valid before dereferencing it + - xhci: Fix null pointer dereference when host dies + - xhci: Add a flag to disable USB3 lpm on a xhci root port level. + - prlimit: do_prlimit needs to have a speculation check (CVE-2023-0458) + - USB: serial: option: add Quectel EM05-G (GR) modem + - USB: serial: option: add Quectel EM05-G (CS) modem + - USB: serial: option: add Quectel EM05-G (RS) modem + - USB: serial: option: add Quectel EC200U modem + - USB: serial: option: add Quectel EM05CN (SG) modem + - USB: serial: option: add Quectel EM05CN modem + - USB: misc: iowarrior: fix up header size for + USB_DEVICE_ID_CODEMERCS_IOW100 + - usb: core: hub: disable autosuspend for TI TUSB8041 + - [x86] comedi: adv_pci1760: Fix PWM instruction handling + - [arm*] mmc: sunxi-mmc: Fix clock refcount imbalance during unbind + - cifs: do not include page data when checking signature + - USB: serial: cp210x: add SCALANCE LPE-9000 device id + - usb: gadget: f_ncm: fix potential NULL ptr deref in ncm_bitrate() + - usb-storage: apply IGNORE_UAS only for HIKSEMI MD202 on RTL9210 + - [i386] serial: pch_uart: Pass correct sg to dma_unmap_sg() + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.272 + - [armhf] dts: imx6qdl-gw560x: Remove incorrect 'uart-has-rtscts' + - [amd64] intel_ish-hid: Add check for ishtp_dma_tx_map + - [amd64] IB/hfi1: Reject a zero-length user expected buffer + - [amd64] IB/hfi1: Reserve user expected TIDs + - [amd64] IB/hfi1: Fix expected receive setup error exit issues + - affs: initialize fsdata in affs_truncate() + - amd-xgbe: TX Flow Ctrl Registers are h/w ver dependent + - amd-xgbe: Delay AN timeout during KR training + - bpf: Fix pointer-leak due to insufficient speculative store bypass + mitigation + - [arm64] phy: rockchip-inno-usb2: Fix missing clk_disable_unprepare() in + rockchip_usb2phy_power_on() + - net: nfc: Fix use-after-free in local_cleanup() + - wifi: rndis_wlan: Prevent buffer overflow in rndis_query_oid + (CVE-2023-23559) + - net: usb: sr9700: Handle negative len + - net: mdio: validate parameter addr in mdiobus_get_phy() + - HID: check empty report_list in hid_validate_values() (CVE-2023-1073) + - usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait + - usb: gadget: f_fs: Ensure ep0req is dequeued before free_request + - net: mlx5: eliminate anonymous module_init & module_exit + - dmaengine: Fix double increment of client_count in dma_chan_get() + - [arm64] net: macb: fix PTP TX timestamp failure due to packet padding + - HID: betop: check shape of output reports + - tcp: avoid the lookup process failing to get sk in ehash table + - w1: fix deadloop in __w1_remove_master_device() + - w1: fix WARNING after calling w1_process() + - netfilter: conntrack: do not renew entry stuck in tcp SYN_SENT state + - block: fix and cleanup bio_check_ro + - perf env: Do not return pointers to local variables + - fs: reiserfs: remove useless new_opts in reiserfs_remount + - Bluetooth: hci_sync: cancel cmd_timer if hci_open failed + - scsi: hpsa: Fix allocation size for scsi_host_alloc() + - module: Don't wait for GOING modules + - tracing: Make sure trace_printk() can output as soon as it can be used + - trace_events_hist: add check for return value of 'create_hist_field' + - smbd: Make upper layer decide when to destroy the transport + - cifs: Fix oops due to uncleared server->smbd_conn in reconnect + - EDAC/device: Respect any driver-supplied workqueue polling value + - net: fix UaF in netns ops registration error path (regression in + 4.19.264) + - netfilter: nft_set_rbtree: skip elements in transaction from garbage + collection + - netlink: remove hash::nelems check in netlink_insert + - netlink: annotate data races around nlk->portid + - netlink: annotate data races around dst_portid and dst_group + - netlink: annotate data races around sk_state + - ipv4: prevent potential spectre v1 gadget in ip_metrics_convert() + - netfilter: conntrack: fix vtag checks for ABORT/SHUTDOWN_COMPLETE + - [x86] netrom: Fix use-after-free of a listening socket. (regression in + 4.19.199) + - sctp: fail if no bound addresses can be used for a given scope + (CVE-2023-1074) + - net/tg3: resolve deadlock in tg3_reset_task() during EEH + - [x86] Revert "Input: synaptics - switch touchpad on HP Laptop 15-da3001TU + to RMI mode" (regression in 4.19.268) + - [x86] i8259: Mark legacy PIC interrupts with IRQ_LEVEL + - [x86] drm/i915/display: fix compiler warning about array overrun + - [armhf] dts: imx: Fix pca9547 i2c-mux node name + - [armhf] dmaengine: imx-sdma: Fix a possible memory leak in + sdma_transfer_init + - panic: unset panic_on_warn inside panic() + - exit: Add and use make_task_dead. + - exit: Put an upper limit on how often we can oops + - exit: Expose "oops_count" to sysfs + - exit: Allow oops_limit to be disabled + - panic: Consolidate open-coded panic_on_warn checks + - panic: Introduce warn_limit + - panic: Expose "warn_count" to sysfs + - docs: Fix path paste-o for /sys/kernel/warn_count + - exit: Use READ_ONCE() for all oops/warn limit reads + - ipv6: ensure sane device mtu in tunnels + - [arm*] usb: host: xhci-plat: add wakeup entry at sysfs + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.273 + - firewire: fix memory leak for payload of request subaction to IEC 61883-1 + FCP region + - [arm*] bus: sunxi-rsb: Fix error handling in sunxi_rsb_init() + - ALSA: hda/via: Avoid potential array out-of-bound in add_secret_dac_path() + - [x86] netrom: Fix use-after-free caused by accept on already connected + socket + - ata: libata: Fix sata_down_spd_limit() when no link speed is reported + - net: openvswitch: fix flow memory leak in ovs_flow_cmd_new + - scsi: target: core: Fix warning on RT kernels + - scsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress + (CVE-2023-2162) + - [arm*] i2c: rk3x: fix a bunch of kernel-doc warnings + - [arm64] usb: dwc3: dwc3-qcom: Fix typo in the dwc3 vbus override API + - [arm64] usb: dwc3: qcom: enable vbus override when in OTG dr-mode + - usb: gadget: f_fs: Fix unbalanced spinlock in __ffs_ep0_queue_wait + - vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF + - [x86] Input: i8042 - merge quirk tables + - [x86] Input: i8042 - add TUXEDO devices to i8042 quirk tables + - [x86] Input: i8042 - add Clevo PCX0DX to i8042 quirk table + - [x86] nVMX x86: Check VMX-preemption timer controls on vmentry of L2 + guests + - [x86] KVM: VMX: Move caching of MSR_IA32_XSS to hardware_setup() + - [x86] KVM: x86/vmx: Do not skip segment attributes if unusable bit is set + - [x86] thermal: intel: int340x: Protect trip temperature from concurrent + updates + - fbcon: Check font dimension limits + - efi: Accept version 2 of memory attributes table + - iio: hid: fix the retval in accel_3d_capture_sample + - mm: hugetlb: proc: check for hugetlb shared PMD in /proc/PID/smaps + - mm/swapfile: add cond_resched() in get_swap_pages() + - Squashfs: fix handling and sanity checking of xattr_ids count + - serial: 8250_dma: Fix DMA Rx completion race + - serial: 8250_dma: Fix DMA Rx rearm race + - [x86] thermal: intel: int340x: Add locking to + int340x_thermal_get_trip_type() + - btrfs: limit device extents to the device size + - [x86] ALSA: emux: Avoid potential array out-of-bound in + snd_emux_xg_control() + - [amd64] IB/hfi1: Restore allocated resources on failed copyout + - [arm64] net: phy: meson-gxl: add g12a support + - [arm64] net: phy: meson-gxl: use MMD access dummy stubs for GXL, internal + PHY + - rds: rds_rm_zerocopy_callback() use list_first_entry() (CVE-2023-1078) + - ALSA: pci: lx6464es: fix a debug loop + - [arm*] pinctrl: single: fix potential NULL dereference + - [x86] pinctrl: intel: Convert unsigned to unsigned int + - [x86] pinctrl: intel: Restore the pins that used to be in Direct IRQ mode + - net: USB: Fix wrong-direction WARNING in plusb.c + - usb: core: add quirk for Alcor Link AK9563 smartcard reader + - [arm64] dts: meson-gx: Make mmc host controller interrupts level- + sensitive + - [arm64] dts: meson-axg: Make mmc host controller interrupts level- + sensitive + - bpf: Always return target ifindex in bpf_fib_lookup + - migrate: hugetlb: check for hugetlb shared PMD in node migration + - [x86] net/rose: Fix to not accept on connected socket + - nvme-fc: fix a missing queue put in nvmet_fc_ls_create_association + - aio: fix mremap after fork null-deref + - netfilter: nft_tproxy: restrict to prerouting hook + - mmc: sdio: fix possible resource leaks in some error paths + - ALSA: hda/conexant: add a new hda codec SN6180 + - ALSA: hda/realtek - fixed wrong gpio assigned + - [armhf,i386] hugetlb: check for undefined shift on 32 bit architectures + - i40e: add double of VLAN header when computing the max MTU + - dccp/tcp: Avoid negative sk_forward_alloc by ipv6_pinfo.pktoptions. + - net/usb: kalmia: Don't pass act_len in usb_bulk_msg error path + - [arm*] net: stmmac: fix order of dwmac5 FlexPPS parametrization sequence + - bnxt_en: Fix mqprio and XDP ring checking logic + - [arm*] net: stmmac: Restrict warning on disabling DMA store and fwd mode + - net: mpls: fix stale pointer if allocation fails during device rename + (CVE-2023-26545) + - ipv6: Fix datagram socket connection with DSCP. + - ipv6: Fix tcp socket connection with DSCP. + - i40e: Add checking for null for nlmsg_find_attr() + - [x86] kvm: initialize all of the kvm_debugregs structure before sending + it to userspace (CVE-2023-1513) + - nilfs2: fix underflow in second superblock position calculations + - [arm64] net: phy: meson-gxl: Add generic dummy stubs for MMD register + access + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.274 + - wifi: rtl8xxxu: gen2: Turn on the rate control + - random: always mix cycle counter in add_latent_entropy() + - can: kvaser_usb: hydra: help gcc-13 to figure out cmd_len + - alarmtimer: Prevent starvation by small intervals and SIG_IGN + - [x86] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry + (CVE-2022-3707) + - mac80211: mesh: embedd mesh_paths and mpp_paths into ieee80211_if_mesh + - uaccess: Add speculation barrier to copy_from_user() (CVE-2023-0459) + - bpf: add missing header file include + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.275 + - [armhf] dts: rockchip: add power-domains property to dp node on rk3288 + - [amd64,arm64] ACPI: NFIT: fix a potential deadlock during NFIT teardown + - btrfs: send: limit number of clones and allocated memory size + - [amd64] IB/hfi1: Assign npages earlier + - net: Remove WARN_ON_ONCE(sk->sk_forward_alloc) from sk_stream_kill_queues(). + - vc_screen: don't clobber return value in vcs_read + - USB: serial: option: add support for VW/Skoda "Carstick LTE" + - USB: core: Don't hold device lock while reading the "descriptors" sysfs + file + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.276 + - HID: asus: Remove check for same LED brightness on set + - HID: asus: use spinlock to protect concurrent accesses + - HID: asus: use spinlock to safely schedule workers (CVE-2023-1079) + - [armhf] OMAP2+: Fix memory leak in realtime_counter_init() + - [armhf] imx: Call ida_simple_remove() for ida_simple_get + - [arm64] dts: meson-axg: enable SCPI + - blk-mq: remove stale comment for blk_mq_sched_mark_restart_hctx + - block: bio-integrity: Copy flags when bio_integrity_payload is cloned + - wifi: rsi: Fix memory leak in rsi_coex_attach() + - wifi: libertas: fix memory leak in lbs_init_adapter() + - wifi: rtl8xxxu: don't call dev_kfree_skb() under spin_lock_irqsave() + - rtlwifi: fix -Wpointer-sign warning + - wifi: rtlwifi: Fix global-out-of-bounds bug in + _rtl8812ae_phy_set_txpower_limit() + - ipw2x00: switch from 'pci_' to 'dma_' API + - wifi: ipw2x00: don't call dev_kfree_skb() under spin_lock_irqsave() + - wifi: ipw2200: fix memory leak in ipw_wdev_init() + - wifi: brcmfmac: fix potential memory leak in brcmf_netdev_start_xmit() + - wifi: brcmfmac: unmap dma buffer in brcmf_msgbuf_alloc_pktid() + - wifi: libertas_tf: don't call kfree_skb() under spin_lock_irqsave() + - wifi: libertas: if_usb: don't call kfree_skb() under spin_lock_irqsave() + - wifi: libertas: main: don't call kfree_skb() under spin_lock_irqsave() + - wifi: libertas: cmdresp: don't call kfree_skb() under spin_lock_irqsave() + - [x86] wifi: wl3501_cs: don't call kfree_skb() under spin_lock_irqsave() + - [x86] ACPICA: Drop port I/O validation for some regions + - genirq: Fix the return type of kstat_cpu_irqs_sum() + - lib/mpi: Fix buffer overrun when SG is too long + - ACPICA: nsrepair: handle cases without a return value correctly + - [x86] wifi: orinoco: check return value of hermes_write_wordrec() + - wifi: ath9k: htc_hst: free skb in ath9k_htc_rx_msg() if there is no + callback function + - wifi: ath9k: hif_usb: clean up skbs if ath9k_hif_usb_rx_stream() fails + - wifi: ath9k: Fix potential stack-out-of-bounds write in + ath9k_wmi_rsp_callback() + - [x86] ACPI: battery: Fix missing NUL-termination with large strings + - crypto: seqiv - Handle EBUSY correctly + - Bluetooth: L2CAP: Fix potential user-after-free + - libbpf: Fix alen calculation in libbpf_nla_dump_errormsg() + - rds: rds_rm_zerocopy_callback() correct order for list_add_tail() + - crypto: rsa-pkcs1pad - Use akcipher_request_complete + - wifi: iwl3945: Add missing check for create_singlethread_workqueue + - wifi: iwl4965: Add missing check for create_singlethread_workqueue() + - wifi: mwifiex: fix loop iterator in mwifiex_update_ampdu_txwinsize() + - wifi: mac80211: make rate u32 in sta_set_rate_info_rx() + - can: esd_usb: Move mislocated storage of SJA1000_ECC_SEG bits in case of + a bus error + - [arm*] drm/vc4: dpi: Add option for inverting pixel clock and output + enable + - [arm*] drm/vc4: dpi: Fix format mapping for RGB565 + - [arm64] drm/msm/hdmi: Add missing check for alloc_ordered_workqueue + - ALSA: hda/ca0132: minor fix for allocation size + - drm/mipi-dsi: Fix byte order of 16-bit DCS set/get brightness + - [arm64] drm/msm: use strscpy instead of strncpy + - [arm64] drm/msm/dpu: Add check for pstates + - [arm*] gpu: host1x: Don't skip assigning syncpoints to channels + - [x86] ASoC: soc-compress.c: fixup private_data on snd_soc_new_compress() + - scsi: aic94xx: Add missing check for dma_map_single() + - nfsd: fix race to check ls_layouts + - gfs2: jdata writepage fix + - perf llvm: Fix inadvertent file creation + - [arm64] perf tools: Fix auto-complete on aarch64 + - [armhf] mtd: rawnand: sunxi: Fix the size of the last OOB region + - Input: ads7846 - don't report pressure for ads7845 + - Input: ads7846 - don't check penirq immediately for 7845 + - clk: Honor CLK_OPS_PARENT_ENABLE in clk_core_is_enabled() + - [armhf] media: platform: ti: Add missing check for devm_regulator_get + - media: rc: Fix use-after-free bugs caused by ene_tx_irqsim() + (CVE-2023-1118) + - media: i2c: ov7670: 0 instead of -EINVAL was returned + - media: usb: siano: Fix use after free bugs caused by do_submit_urb + - [arm64] rpmsg: glink: Avoid infinite loop on intent for missing channel + - [armhf] dts: exynos: Use Exynos5420 compatible for the MIPI video phy + - wifi: brcmfmac: Fix potential stack-out-of-bounds in + brcmf_c_preinit_dcmds() + - rcu: Suppress smp_processor_id() complaint in + synchronize_rcu_expedited_wait() + - [x86] thermal: intel: Fix unsigned comparison with less than zero + - timers: Prevent union confusion from unexpected restart_syscall() + - [x86] bugs: Reset speculation control settings on init + - wifi: brcmfmac: ensure CLM version is null-terminated to prevent stack- + out-of-bounds + - inet: fix fast path in __inet_hash_connect() + - ACPI: Don't build ACPICA with '-Os' + - [x86] ACPI: video: Fix Lenovo Ideapad Z570 DMI match + - drm/amd/display: Fix potential null-deref in dm_resume + - [arm64] drm/msm/dsi: Add missing check for alloc_ordered_workqueue + - dm thin: add cond_resched() to various workqueue loops + - dm cache: add cond_resched() to various workqueue loops + - wifi: rtl8xxxu: fixing transmisison failure for rtl8192eu + - [arm64] rtc: pm8xxx: fix set-alarm race + - hfs: fix missing hfs_bnode_get() in __hfs_bnode_create + - fs: hfsplus: fix UAF issue in hfsplus_put_super + - f2fs: fix information leak in f2fs_move_inline_dirents() + - ocfs2: fix defrag path triggering jbd2 ASSERT + - ocfs2: fix non-auto defrag path not working issue + - udf: Truncate added extents on failed expansion + - udf: Do not bother merging very long extents + - udf: Do not update file length for failed writes to inline files + - udf: Fix file corruption when appending just after end of preallocated + extent + - [x86] virt: Force GIF=1 prior to disabling SVM (for reboot flows) + - [x86] crash: Disable virt in core NMI crash handler to avoid double + shootdown + - [x86] reboot: Disable virtualization in an emergency if SVM is supported + - [x86] reboot: Disable SVM, not just VMX, when stopping CPUs + - [x86] kprobes: Fix __recover_optprobed_insn check optimizing logic + - [x86] kprobes: Fix arch_check_optimized_kprobe check within + optimized_kprobe range + - [x86] microcode/amd: Remove load_microcode_amd()'s bsp parameter + - [x86] microcode/AMD: Add a @cpu parameter to the reloading functions + - [x86] microcode/AMD: Fix mixed steppings support + - [x86] speculation: Allow enabling STIBP with legacy IBRS (CVE-2023-1998) + - irqdomain: Fix association race + - irqdomain: Fix disassociation race + - irqdomain: Drop bogus fwspec-mapping error handling + - [x86] ALSA: ice1712: Do not left ice->gpio_mutex locked in + aureon_add_controls() + - ext4: optimize ea_inode block expansion + - ext4: refuse to create ea block when umounted + - wifi: rtl8xxxu: Use a longer retry limit of 48 + - wifi: cfg80211: Fix use after free for wext + - dm flakey: fix logic when corrupting a bio + - dm flakey: don't corrupt the zero page + - [armhf] dts: exynos: correct TMU phandle in Exynos4 + - [armhf] dts: exynos: correct TMU phandle in Odroid XU + - rbd: avoid use-after-free in do_rbd_add() when rbd_dev_create() fails + - scsi: qla2xxx: Fix link failure in NPIV environment + - scsi: qla2xxx: Fix erroneous link down + - scsi: ses: Don't attach if enclosure has no components + - scsi: ses: Fix slab-out-of-bounds in ses_enclosure_data_process() + - scsi: ses: Fix possible addl_desc_ptr out-of-bounds accesses + - scsi: ses: Fix possible desc_ptr out-of-bounds accesses + - scsi: ses: Fix slab-out-of-bounds in ses_intf_remove() + - [x86] PCI: Avoid FLR for AMD FCH AHCI adapters + - [x86] drm/radeon: Fix eDP for single-display iMac11,2 + - wifi: ath9k: use proper statements in conditionals + - net/sched: Retire tcindex classifier (CVE-2023-1281, CVE-2023-1829) + - fs/jfs: fix shift exponent db_agl2size negative + - ubi: ensure that VID header offset + VID header size <= alloc, size + - ubifs: Rectify space budget for ubifs_symlink() if symlink is encrypted + - ubifs: Rectify space budget for ubifs_xrename() + - ubifs: Fix wrong dirty space budget for dirty inode + - ubifs: do_rename: Fix wrong space budget when target inode's nlink > 1 + - ubifs: Reserve one leb for each journal head while doing budget + - ubi: Fix use-after-free when volume resizing failed + - ubi: Fix unreferenced object reported by kmemleak in ubi_resize_volume() + - ubi: Fix possible null-ptr-deref in ubi_free_volume() + - ubifs: Re-statistic cleaned znode count if commit failed + - ubifs: dirty_cow_znode: Fix memleak in error handling path + - ubifs: ubifs_writepage: Mark page dirty after writing inode failed + - ubi: Fix UAF wear-leveling entry in eraseblk_count_seq_show() + - ubi: ubi_wl_put_peb: Fix infinite loop when wear-leveling work failed + - [x86] watchdog: pcwd_usb: Fix attempting to access uninitialized memory + - netfilter: ctnetlink: fix possible refcount leak in + ctnetlink_create_conntrack() + - net: fix __dev_kfree_skb_any() vs drop monitor + - 9p/xen: fix version parsing + - 9p/xen: fix connection sequence + - 9p/rdma: unmap receive dma buffer in rdma_request()/post_recv() + - nfc: fix memory leak of se_io context in nfc_genl_se_io + - tcp: tcp_check_req() can be called from process context + - vc_screen: modify vcs_size() handling in vcs_read() + - [x86] scsi: ipr: Work around fortify-string warning + - tracing: Add NULL checks for buffer in ring_buffer_free_read_page() + - [x86] firmware/efi sysfb_efi: Add quirk for Lenovo IdeaPad Duet 3 + - media: uvcvideo: Handle cameras with invalid descriptors + - media: uvcvideo: Handle errors from calls to usb_string + - media: uvcvideo: Silence memcpy() run-time false positive warnings + - tty: fix out-of-bounds access in tty_driver_lookup_tty() + - [x86] mei: bus-fixup:upon error print return values of send and receive + - USB: ene_usb6250: Allocate enough memory for full object + - [arm64] phy: rockchip-typec: Fix unsigned comparison with less than zero + - Bluetooth: hci_sock: purge socket queues in the destruct() callback + - tcp: Fix listen() regression in 4.19.270 + - media: uvcvideo: Provide sync and async uvc_ctrl_status_event + - media: uvcvideo: Fix race condition with usb_kill_urb + - f2fs: fix cgroup writeback accounting with fs-layer encryption + - [x86] thermal: intel: powerclamp: Fix cur_state for multi package system + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.277 + - wifi: cfg80211: Partial revert "wifi: cfg80211: Fix use after free for + wext" + - [x86] staging: rtl8192e: Remove function ..dm_check_ac_dc_power calling + a script + - [x86] staging: rtl8192e: Remove call_usermodehelper starting + RadioPower.sh + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.278 + - fs: prevent out-of-bounds array speculation when closing a file + descriptor + - [x86] CPU/AMD: Disable XSAVES on AMD family 0x17 + - ext4: fix RENAME_WHITEOUT handling for inline directories (regression in + 4.19.183) + - ext4: fix another off-by-one fsmap error on 1k block filesystems + - ext4: move where set the MAY_INLINE_DATA flag is set + - ext4: fix WARNING in ext4_update_inline_data + - ext4: zero i_disksize when initializing the bootloader inode + - nfc: change order inside nfc_se_io error path + - udf: reduce leakage of blocks related to named streams + - udf: Remove pointless union in udf_inode_info + - udf: Preserve link count of system files + - udf: Detect system inodes linked into directory hierarchy + - kbuild: fix false-positive need-builtin calculation + - kbuild: generate modules.order only in directories visited by obj-y/m + - scsi: core: Remove the /proc/scsi/${proc_name} directory earlier + - tipc: improve function tipc_wait_for_cond() + - [x86] drm/i915: Don't use BAR mappings for ring buffers with LLC + - ila: do not generate empty messages in ila_xlat_nl_cmd_get_mapping() + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.279 + - ext4: fix cgroup writeback accounting with fs-layer encryption + - fs: sysfs_emit_at: Remove PAGE_SIZE alignment check (regression in + 4.19.179) + - tcp: tcp_make_synack() can be called from process context + - nfc: pn533: initialize struct pn533_out_arg properly + - qed/qed_dev: guard against a possible division by zero + - net: tunnels: annotate lockless accesses to dev->needed_headroom + - net: phy: smsc: bail out in lan87xx_read_status if genphy_read_status + fails + - nfc: st-nci: Fix use after free bug in ndlc_remove due to race condition + (CVE-2023-1990) + - net: usb: smsc75xx: Limit packet length to skb->len + - nvmet: avoid potential UAF in nvmet_req_complete() + - ipv4: Fix incorrect table ID in IOCTL path + - net: usb: smsc75xx: Move packet length check to prevent kernel panic in + skb_pull + - hwmon: (adt7475) Display smoothing attributes in correct order + - hwmon: (adt7475) Fix masking of hysteresis registers + - [arm64] hwmon: (xgene) Fix use after free bug in xgene_hwmon_remove due + to race condition (CVE-2023-1855) + - jffs2: correct logic when creating a hole in jffs2_write_begin + - ext4: fail ext4_iget if special inode unallocated + - ext4: fix task hung in ext4_xattr_delete_inode + - [amd64] drm/amdkfd: Fix an illegal memory access + - tracing: Check field value in hist_field_name() + - ftrace: Fix invalid address access in lookup_rec() when index is 0 + - [x86] mm: Fix use of uninitialized buffer in sme_enable() + - [x86] drm/i915: Don't use stolen memory for ring buffers with LLC + - HID: core: Provide new max_buffer_size attribute to over-ride the default + - HID: uhid: Over-ride the default maximum data buffer value with our own + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.280 + - power: supply: da9150: Fix use after free bug in da9150_charger_remove + due to race condition (CVE-2023-30772) + - i40evf: Change a VF mac without reloading the VF driver + - intel-ethernet: rename i40evf to iavf + - iavf: diet and reformat + - iavf: fix inverted Rx hash condition leading to disabled hash + - intel/igbvf: free irq on the error path in igbvf_request_msix() + - igbvf: Regard vf reset nack as success + - scsi: scsi_dh_alua: Fix memleak for 'qdata' in alua_activate() + - net: usb: smsc95xx: Limit packet length to skb->len + - qed/qed_sriov: guard against NULL derefs from qed_iov_get_vf_info + - [x86] xirc2ps_cs: Fix use after free bug in xirc2ps_detach + (CVE-2023-1670) + - [arm64] net: qcom/emac: Fix use after free bug in emac_remove due to race + condition + - bpf: Adjust insufficient default bpf_jit_limit + - net/mlx5: Read the TC mapping of all priorities on ETS query + - erspan: do not use skb_mac_header() in ndo_start_xmit() + - hvc/xen: prevent concurrent accesses to the shared ring + - [arm64] net: mdio: thunder: Add missing fwnode_handle_put() + - [arm64 ]Bluetooth: btqcomsmd: Fix command timeout after setting BD + address + - Bluetooth: btsdio: fix use after free bug in btsdio_remove due to + unfinished work (CVE-2023-1989) + - [x86] hwmon (it87): Fix voltage scaling for chips with 10.9mV ADCs + - uas: Add US_FL_NO_REPORT_OPCODES for JMicron JMS583Gen 2 + - [x86] thunderbolt: Use const qualifier for `ring_interrupt_index` + - scsi: target: iscsi: Fix an error message in iscsi_check_key() + - scsi: ufs: core: Add soft dependency on governor_simpleondemand + - net: usb: cdc_mbim: avoid altsetting toggling for Telit FE990 + - net: usb: qmi_wwan: add Telit 0x1080 composition + - cifs: empty interface list when server doesn't support query interfaces + - scsi: core: Add BLIST_SKIP_VPD_PAGES for SKhynix H28U74301AMR + - usb: gadget: u_audio: don't let userspace block driver unbind + - igb: revert rtnl_lock() that causes deadlock (regression in 4.19.256) + - dm thin: fix deadlock when swapping to thin device + - [arm*] usb: chipdea: core: fix return -EINVAL if request role is the same + with current role + - [arm*] usb: chipidea: core: fix possible concurrent when switch role + - nilfs2: fix kernel-infoleak in nilfs_ioctl_wrap_copy() + - [arm64] i2c: xgene-slimpro: Fix out-of-bounds bug in + xgene_slimpro_i2c_xfer() (CVE-2023-2194) + - dm stats: check for and propagate alloc_percpu failure + - dm crypt: add cond_resched() to dmcrypt_write() + - sched/fair: sanitize vruntime of entity being placed + - sched/fair: Sanitize vruntime of entity being migrated + - tun: avoid double free in tun_free_netdev (CVE-2022-4744) + - ocfs2: fix data corruption after failed write (regression in 4.19.155) + - md: avoid signed overflow in slot_store() + - [x86] ALSA: asihpi: check pao in control_message() + - ALSA: hda/ca0132: fixup buffer overrun at tuning_ctl_set() + - sched_getaffinity: don't assume 'cpumask_size()' is fully initialized + - [i386] fbdev: lxfb: Fix potential divide by zero + - scsi: megaraid_sas: Fix crash after a double completion + - can: bcm: bcm_tx_setup(): fix KMSAN uninit-value in vfs_write + - i40e: fix registers dump after run ethtool adapter self test + - [arm*] net: dsa: mv88e6xxx: Enable IGMP snooping on user ports only + - [arm*] net: mvneta: make tx buffer array agnostic + - [arm*] Input: alps - fix compatibility with -funsigned-char + - [arm*] Input: focaltech - use explicitly signed char type + - cifs: prevent infinite recursion in CIFSGetDFSRefer() + - cifs: fix DFS traversal oops without CONFIG_CIFS_DFS_UPCALL + - xen/netback: don't do grant copy across page boundary (regression in + 4.19.269) + - [x86] ALSA: hda/conexant: Partial revert of a quirk for Lenovo + (regression in 4.19.256) + - ALSA: usb-audio: Fix regression on detection of Roland VS-100 + (regression in 4.19.164) + - [armhf] drm/etnaviv: fix reference leak when mmaping imported buffer + - ext4: fix kernel BUG in 'ext4_write_inline_data_end()' + - gfs2: Always check inode size of inline inodes + - net: sched: cbq: dont intepret cls results when asked to drop + (CVE-2023-23454) + - cgroup/cpuset: Change cpuset_rwsem and hotplug lock order + - cgroup: Fix threadgroup_rwsem <-> cpus_read_lock() deadlock (regression + in 4.19.232) + - cgroup: Add missing cpus_read_lock() to cgroup_attach_task_all() + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.281 + - pinctrl: Added IRQF_SHARED flag for amd-pinctrl driver + - pinctrl: amd: Use irqchip template + - pinctrl: amd: disable and mask interrupts on probe + - NFSv4: Convert struct nfs4_state to use refcount_t + - NFSv4: Check the return value of update_open_stateid() + - NFSv4: Fix hangs when recovering open state after a server reboot + - [arm64] pwm: cros-ec: Explicitly set .polarity in .get_state() + - wifi: mac80211: fix invalid drv_sta_pre_rcu_remove calls for non-uploaded + sta + - icmp: guard against too small mtu + - net: don't let netpoll invoke NAPI if in xmit context + - sctp: check send stream number after wait_for_sndbuf + - ipv6: Fix an uninit variable access bug in __ip6_make_skb() + - USB: serial: cp210x: add Silicon Labs IFS-USB-DATACABLE IDs + - USB: serial: option: add Telit FE990 compositions + - USB: serial: option: add Quectel RM500U-CN modem + - nilfs2: fix potential UAF of struct nilfs_sc_info in + nilfs_segctor_thread() + - nilfs2: fix sysfs interface lifetime + - [x86] ALSA: hda/realtek: Add quirk for Clevo X370SNW + - perf/core: Fix the same task check in perf_event_set_output + - ftrace: Mark get_lock_parent_ip() __always_inline + - ring-buffer: Fix race while reader and writer are on the same page + - mm/swap: fix swap_info_struct race between swapoff and get_swap_pages() + - [x86] ALSA: emu10k1: fix capture interrupt handler unlinking + - [x86] ALSA: hda/sigmatel: add pin overrides for Intel DP45SG motherboard + - [x86] ALSA: i2c/cs8427: fix iec958 mixer control deactivation + - [x86] ALSA: hda/sigmatel: fix S/PDIF out on Intel D*45* motherboards + - Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp} + - Bluetooth: Fix race condition in hidp_session_thread + - mtdblock: tolerate corrected bit-flips + - 9p/xen : Fix use after free bug in xen_9pfs_front_remove due to race + condition (CVE-2023-1859) + - niu: Fix missing unwind goto in niu_alloc_channels() + - qlcnic: check pci_reset_function result + - sctp: fix a potential overflow in sctp_ifwdtsn_skip + - [arm64] net: macb: fix a memory corruption in extended buffer descriptor + mode + - udp6: fix potential access to stale information + - [arm64] power: supply: cros_usbpd: reclassify "default case!" as debug + - [x86] efi: sysfb_efi: Add quirk for Lenovo Yoga Book X91F/L + - [amd64] verify_pefile: relax wrapper length check + - scsi: ses: Handle enclosure with just a primary component gracefully + - [x86] PCI: Add quirk for AMD XHCI controller that loses MSI-X state in + D3hot + - ubi: Fix failure attaching when vid_hdr offset equals to (sub)page size + - ubi: Fix deadlock caused by recursively holding work_sem + - cgroup/cpuset: Wake up cpuset_attach_wq tasks in cpuset_cancel_attach() + - [arm64] watchdog: sbsa_wdog: Make sure the timeout programming is within + the limits + - [x86] KVM: nVMX: add missing consistency checks for CR0 and CR4 + (CVE-2023-30456) + - [arm64] KVM: arm64: Factor out core register ID enumeration + - [arm64] KVM: arm64: Filter out invalid core register IDs in + KVM_GET_REG_LIST (regression in 4.19) + - [arm64] KVM: Fix system register enumeration + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.282 + - net: sched: sch_qfq: prevent slab-out-of-bounds in qfq_activate_agg + - virtio_net: bugfix overflow inside xdp_linearize_page() + - i40e: fix accessing vsi->active_filters without holding lock + - i40e: fix i40e_setup_misc_vector() error handling + - mlxfw: fix null-ptr-deref in mlxfw_mfa2_tlv_next() + - e1000e: Disable TSO on i219-LM card to increase speed + - f2fs: Fix f2fs_truncate_partial_nodes ftrace event + - [x86] Input: i8042 - add quirk for Fujitsu Lifebook A574/H + - scsi: megaraid_sas: Fix fw_crash_buffer_show() + - scsi: core: Improve scsi_vpd_inquiry() checks + - xen/netback: use same error messages for same errors + - nilfs2: initialize unused bytes in segment summary blocks + - memstick: fix memory leak if card device is never registered + - [x86] purgatory: Don't generate debug info for purgatory.ro + - Revert "ext4: fix use-after-free in ext4_xattr_set_entry" (regression in + 4.19.256) + - ext4: remove duplicate definition of ext4_xattr_ibody_inline_set() + - ext4: fix use-after-free in ext4_xattr_set_entry + - udp: Call inet6_destroy_sock() in setsockopt(IPV6_ADDRFORM). + - tcp/udp: Call inet6_destroy_sock() in IPv6 sk->sk_destruct(). + - inet6: Remove inet6_destroy_sock() in sk->sk_prot->destroy(). + - dccp: Call inet6_destroy_sock() via sk->sk_destruct(). + - sctp: Call inet6_destroy_sock() via sk->sk_destruct(). + + [ Ben Hutchings ] + * Bump ABI to 24 + * [armhf] Disable LOCK_DOWN_KERNEL, LOCK_DOWN_IN_EFI_SECURE_BOOT, and + MODULE_SIG where we don't sign code (Closes: #825141) + * [rt] Update to 4.19.280-rt123: + - workqueue: Fix deadlock due to recursive locking of pool->lock + * [rt] netpoll: Fix netif_local_xmit_active() for 4.19-rt + 4.19.269-1 [Tue, 20 Dec 2022 23:56:34 +0100] Ben Hutchings <benh@debian.org>: * New upstream stable update: <http://piuparts.knut.univention.de/5.0-3/#3832164121893817210>
*** Bug 56031 has been marked as a duplicate of this bug. ***
--- mirror/ftp/pool/main/l/linux-signed-amd64/linux-signed-amd64_4.19.269+1.dsc +++ apt/ucs_5.0-0-errata5.0-3/source/linux-signed-amd64_4.19.282+1.dsc @@ -1,6 +1,994 @@ -4.19.269+1 [Tue, 20 Dec 2022 23:56:34 +0100] Ben Hutchings <benh@debian.org>: +4.19.282+1 [Sat, 29 Apr 2023 22:07:39 +0200] Ben Hutchings <benh@debian.org>: - * Sign kernel from linux 4.19.269-1 + * Sign kernel from linux 4.19.282-1 + + * New upstream stable update: + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.270 + - mm/khugepaged: fix GUP-fast interaction by sending IPI + - mm/khugepaged: invoke MMU notifiers in shmem/file collapse paths + - block: unhash blkdev part inode when the part is deleted + - nfp: fix use-after-free in area_cache_get() (CVE-2022-3545) + - ASoC: ops: Check bounds for second channel in snd_soc_put_volsw_sx() + - can: sja1000: fix size of OCR_MODE_MASK define + - can: mcba_usb: Fix termination command argument + - ASoC: ops: Correct bounds check for second channel on SX controls + - udf: Discard preallocation before extending file with a hole + - udf: Fix preallocation discarding at indirect extent boundary + - udf: Do not bother looking for prealloc extents if i_lenExtents matches + i_size + - udf: Fix extending file within last block + - usb: gadget: uvc: Prevent buffer overflow in setup handler + - USB: serial: option: add Quectel EM05-G modem + - USB: serial: cp210x: add Kamstrup RF sniffer PIDs + - USB: serial: f81534: fix division by zero on line-speed change + - igb: Initialize mailbox message for VF reset + - Bluetooth: L2CAP: Fix u8 overflow (CVE-2022-45934) + - net: loopback: use NET_NAME_PREDICTABLE for name_assign_type + - [arm*] usb: musb: remove extra check in musb_gadget_vbus_draw + - [armhf] soc: ti: smartreflex: Fix PM disable depth imbalance in + omap_sr_probe + - [armhf] dts: dove: Fix assigned-addresses for every PCIe Root Port + - [armhf] dts: armada-370: Fix assigned-addresses for every PCIe Root Port + - [armhf] dts: armada-xp: Fix assigned-addresses for every PCIe Root Port + - [armhf] dts: armada-375: Fix assigned-addresses for every PCIe Root Port + - [armhf] dts: armada-38x: Fix assigned-addresses for every PCIe Root Port + - [armhf] dts: armada-39x: Fix assigned-addresses for every PCIe Root Port + - [armhf] dts: turris-omnia: Add ethernet aliases + - [armhf] dts: turris-omnia: Add switch port 6 node + - pstore/ram: Fix error return code in ramoops_probe() + - pstore: Avoid kcore oops by vmap()ing with VM_IOREMAP + - [x86] tpm/tpm_crb: Fix error message in __crb_relinquish_locality() + - [arm64] cpuidle: dt: Return the correct numbers of parsed idle states + - fs: don't audit the capability check in simple_xattr_list() + - selftests/ftrace: event_triggers: wait longer for test_event_enable + - perf: Fix possible memleak in pmu_dev_alloc() + - timerqueue: Use rb_entry_safe() in timerqueue_getnext() + - ocfs2: fix memory leak in ocfs2_stack_glue_init() + - PNP: fix name memory leak in pnp_alloc_dev() + - [x86] perf/x86/intel/uncore: Fix reference count leak in + hswep_has_limit_sbox() (regression in 4.19.189) + - [x86] cpufreq: amd_freq_sensitivity: Add missing pci_dev_put() + - lib/notifier-error-inject: fix error when writing -errno to debugfs file + - debugfs: fix error when writing negative value to atomic_t debugfs file + (regression in 4.19.160) + - ACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage() + - [x86] uprobes/x86: Allow to probe a NOP instruction with 0x66 prefix + - [x86] xen/events: only register debug interrupt for 2-level events + - [x86] xen: Fix memory leak in xen_smp_intr_init{_pv}() + - [x86] xen: Fix memory leak in xen_init_lock_cpu() + - xen/privcmd: Fix a possible warning in privcmd_ioctl_mmap_resource() + - PM: runtime: Improve path in rpm_idle() when no callback + - PM: runtime: Do not call __rpm_callback() from rpm_idle() + - [x86] platform/x86: mxm-wmi: fix memleak in mxm_wmi_call_mx[ds|mx]() + - fs: sysv: Fix sysv_nblocks() returns wrong value + - relay: fix type mismatch when allocating memory in relay_create_buf() + - hfs: Fix OOB Write in hfs_asc2mac + - wifi: ath9k: hif_usb: fix memory leak of urbs in + ath9k_hif_usb_dealloc_tx_urbs() (regression in 4.19.154) + - wifi: ath9k: hif_usb: Fix use-after-free in ath9k_hif_usb_reg_in_cb() + - wifi: rtl8xxxu: Fix reading the vendor of combo chips + - can: kvaser_usb: do not increase tx statistics when sending error message + frames + - can: kvaser_usb: kvaser_usb_leaf: Get capabilities from device + - can: kvaser_usb: kvaser_usb_leaf: Rename {leaf,usbcan}_cmd_error_event to + {leaf,usbcan}_cmd_can_error_event + - can: kvaser_usb: kvaser_usb_leaf: Handle CMD_ERROR_EVENT + - can: kvaser_usb_leaf: Set Warning state even without bus errors + - can: kvaser_usb_leaf: Fix improved state not being reported + - can: kvaser_usb_leaf: Fix wrong CAN state after stopping + - can: kvaser_usb_leaf: Fix bogus restart events + - can: kvaser_usb: Add struct kvaser_usb_busparams + - can: kvaser_usb: Compare requested bittiming parameters with actual + parameters in do_set_{,data}_bittiming + - media: vivid: fix compose size exceed boundary + - mtd: Fix device name leak when register device failed in add_mtd_device() + - wifi: rsi: Fix handling of 802.3 EAPOL frames sent via control port + - drm/radeon: Add the missed acpi_put_table() to fix memory leak + - regulator: core: fix unbalanced of node refcount in + regulator_dev_lookup() + - wifi: ath10k: Fix return value in ath10k_pci_init() + - [arm64] Input: elants_i2c - properly handle the reset GPIO when power is + off + - media: solo6x10: fix possible memory leak in solo_sysfs_init() + - HID: hid-sensor-custom: set fixed size for custom attributes + - bonding: Export skip slave logic to function + - media: imon: fix a race condition in send_packet() + - pinctrl: pinconf-generic: add missing of_node_put() + - media: dvb-core: Fix ignored return value in dvb_register_frontend() + - media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer() + (CVE-2023-28328) + - [arm*] drm/tegra: Add missing clk_disable_unprepare() in tegra_dc_probe() + - NFSv4.2: Fix a memory stomp in decode_attr_security_label + - NFSv4: Fix a deadlock between nfs4_open_recover_helper() and delegreturn + - [x86] ALSA: asihpi: fix missing pci_disable_device() + - drm/radeon: Fix PCI device refcount leak in radeon_atrm_get_bios() + - drm/amdgpu: Fix PCI device refcount leak in amdgpu_atrm_get_bios() + - wifi: cfg80211: Fix not unregister reg_pdev when + load_builtin_regdb_keys() fails + - regulator: core: fix module refcount leak in set_supply() + - media: saa7164: fix missing pci_disable_device() + - ALSA: mts64: fix possible null-ptr-defer in snd_mts64_interrupt + - SUNRPC: Fix missing release socket in rpc_sockname() + - NFSv4.x: Fail client initialisation if state manager thread can't run + - mmc: rtsx_usb_sdmmc: fix return value check of mmc_add_host() + - mmc: toshsd: fix return value check of mmc_add_host() + - mmc: vub300: fix return value check of mmc_add_host() + - [armhf] mmc: wmt-sdmmc: fix return value check of mmc_add_host() + - [arm64] mmc: meson-gx: fix return value check of mmc_add_host() + - mmc: via-sdmmc: fix return value check of mmc_add_host() + - [x86] mmc: wbsd: fix return value check of mmc_add_host() + - [arm*] mmc: mmci: fix return value check of mmc_add_host() + - [armhf] clk: samsung: Fix memory leak in _samsung_clk_register_pll() + - wifi: rtl8xxxu: Add __packed to struct rtl8723bu_c2h + - wifi: brcmfmac: Fix error return code in brcmf_sdio_download_firmware() + - blktrace: Fix output non-blktrace event when blk_classic option enabled + - [armhf] clk: socfpga: use clk_hw_register for a5/c5 + - [x86] net: vmw_vsock: vmci: Check memcpy_from_msg() + - net: defxx: Fix missing err handling in dfx_init() + - drivers: net: qlcnic: Fix potential memory leak in qlcnic_sriov_init() + - ethernet: s2io: don't call dev_kfree_skb() under spin_lock_irqsave() + - [x86] net: farsync: Fix kmemleak when rmmods farsync + - net/tunnel: wait until all sk_user_data reader finish before releasing + the sock + - [i386] hamradio: don't call dev_kfree_skb() under spin_lock_irqsave() + - [i386] net: amd: lance: don't call dev_kfree_skb() under + spin_lock_irqsave() + - [amd64,arm64] net: amd-xgbe: Fix logic around active and passive cables + - [amd64,arm64] net: amd-xgbe: Check only the minimum speed for active/ + passive cables + - Bluetooth: btusb: don't call kfree_skb() under spin_lock_irqsave() + - Bluetooth: hci_qca: don't call kfree_skb() under spin_lock_irqsave() + - Bluetooth: hci_h5: don't call kfree_skb() under spin_lock_irqsave() + - [x86] Bluetooth: hci_bcsp: don't call kfree_skb() under + spin_lock_irqsave() + - Bluetooth: hci_core: don't call kfree_skb() under spin_lock_irqsave() + - Bluetooth: RFCOMM: don't call kfree_skb() under spin_lock_irqsave() + (regression in 4.19.254) + - [arm*] stmmac: fix potential division by 0 (regression in 4.19.122) + - apparmor: fix a memleak in multi_transaction_new() + - apparmor: fix lockdep warning when removing a namespace + - apparmor: Fix abi check to include v8 abi + - f2fs: fix normal discard process + - RDMA/nldev: Return "-EAGAIN" if the cm_id isn't from expected port + - [x86] scsi: scsi_debug: Fix a warning in resp_write_scat() + - PCI: Check for alloc failure in pci_request_irq() + - [amd64] RDMA/hfi: Decrease PCI device reference count in error path + - RDMA/rxe: Fix NULL-ptr-deref in rxe_qp_do_cleanup() when socket create + failed + - scsi: hpsa: use local workqueues instead of system workqueues + - scsi: hpsa: Fix possible memory leak in hpsa_init_one() + - crypto: tcrypt - Fix multibuffer skcipher speed test mem leak + - scsi: hpsa: Fix error handling in hpsa_add_sas_host() + - scsi: hpsa: Fix possible memory leak in hpsa_add_sas_device() + - scsi: fcoe: Fix possible name leak when device_register() fails + - [x86] scsi: ipr: Fix WARNING in ipr_init() + - scsi: fcoe: Fix transport not deattached when fcoe_if_init() fails + - scsi: snic: Fix possible UAF in snic_tgt_create() + - [amd64] RDMA/hfi1: Fix error return code in parse_platform_config() + - orangefs: Fix sysfs not cleanup when dev init failed + - [x86] hwrng: amd - Fix PCI device refcount leak + - [i386] hwrng: geode - Fix PCI device refcount leak + - IB/IPoIB: Fix queue count inconsistency for PKEY child interfaces + - [arm*] serial: tegra: avoid reg access when clk disabled + - [arm*] serial: tegra: check for FIFO mode enabled status + - [arm*] serial: tegra: set maximum num of uart ports to 8 + - [arm*] serial: tegra: add support to use 8 bytes trigger + - [arm*] serial: tegra: add support to adjust baud rate + - [arm*] serial: tegra: report clk rate errors + - [arm*] serial: tegra: Add PIO mode support + - [arm*] tty: serial: tegra: Activate RX DMA transfer by request + - [arm*] serial: tegra: Read DMA status before terminating + - [x86] usb: typec: Check for ops->exit instead of ops->enter in + altmode_exit + - [arm*] serial: amba-pl011: avoid SBSA UART accessing DMACR register + - [arm*] serial: pl011: Do not clear RX FIFO & RX interrupt in unthrottle. + (regression in 4.19.253) + - [i386] serial: pch: Fix PCI device refcount leak in pch_request_dma() + - [x86] misc: sgi-gru: fix use-after-free error in gru_set_context_option, + gru_fault and gru_handle_user_call_os (CVE-2022-3424) + - misc: tifm: fix possible memory leak in tifm_7xx1_switch_media() + - usb: gadget: f_hid: optional SETUP/SET_REPORT mode + - usb: gadget: f_hid: fix f_hidg lifetime vs cdev + - usb: gadget: f_hid: fix refcount leak on error path + - chardev: fix error handling in cdev_device_add() + - [i386] i2c: pxa-pci: fix missing pci_disable_device() on error in + ce4100_i2c_probe + - [x86] staging: rtl8192u: Fix use after free in ieee80211_rx() + - [x86] staging: rtl8192e: Fix potential use-after-free in + rtllib_rx_Monitor() + - [x86] i2c: ismt: Fix an out-of-bounds bug in ismt_access() + (CVE-2022-2873) + - usb: storage: Add check for kcalloc + - tracing/hist: Fix issue of losting command info in error_log + - [x86] fbdev: pm2fb: fix missing pci_disable_device() + - [x86] fbdev: via: Fix error in via_core_init() + - [x86] fbdev: vermilion: decrease reference count in error path + - [x86] fbdev: uvesafb: Fixes an error handling path in uvesafb_probe() + - [armhf] HSI: omap_ssi_core: fix unbalanced pm_runtime_disable() + - [armhf] HSI: omap_ssi_core: fix possible memory leak in ssi_probe() + - power: supply: fix residue sysfs file in error handle route of + __power_supply_register() + - perf symbol: correction while adjusting symbol (regression in 4.19.255) + - [armhf] HSI: omap_ssi_core: Fix error handling in ssi_init() + - include/uapi/linux/swab: Fix potentially missing __always_inline + - [armhf] rtc: snvs: Allow a time difference on clock register read + - [amd64] iommu/amd: Fix pci device refcount leak in ppr_notifier() + - nfsd: under NFSv4.1, fix double svc_xprt_put on rpc_create failure + (regression in 4.19.130) + - [x86] mISDN: hfcsusb: don't call dev_kfree_skb/kfree_skb() under + spin_lock_irqsave() + - [x86] mISDN: hfcpci: don't call dev_kfree_skb/kfree_skb() under + spin_lock_irqsave() + - [x86] mISDN: hfcmulti: don't call dev_kfree_skb/kfree_skb() under + spin_lock_irqsave() + - nfc: pn533: Clear nfc_target before being used + - r6040: Fix kmemleak in probe and remove + - openvswitch: Fix flow lookup to use unmasked key + - skbuff: Account for tail adjustment during pull operations + - net_sched: reject TCF_EM_SIMPLE case for complex ematch module + - rxrpc: Fix missing unlock in rxrpc_do_sendmsg() + - myri10ge: Fix an error handling path in myri10ge_probe() + - net: stream: purge sk_error_queue in sk_stream_kill_queues() + (regression in 4.19.218) + - fs: jfs: fix shift-out-of-bounds in dbAllocAG + - udf: Avoid double brelse() in udf_rename() + - fs: jfs: fix shift-out-of-bounds in dbDiscardAG + - ACPICA: Fix error code path in acpi_ds_call_control_method() + - nilfs2: fix shift-out-of-bounds/overflow in nilfs_sb2_bad_offset() + - acct: fix potential integer overflow in encode_comp_t() + - hfs: fix OOB Read in __hfs_brec_find + - wifi: ath9k: verify the expected usb_endpoints are present + - wifi: ar5523: Fix use-after-free on ar5523_cmd() timed out + - bpf: make sure skb->len != 0 when redirecting to a tunneling device + - [i386] hamradio: baycom_epp: Fix return type of baycom_send_packet() + - wifi: brcmfmac: Fix potential shift-out-of-bounds in + brcmf_fw_alloc_request() + - igb: Do not free q_vector unless new one was allocated + - drm/amdgpu: Fix type of second parameter in trans_msg() callback + - drivers/md/md-bitmap: check the return value of md_bitmap_get_counter() + - md/raid1: stop mdx_raid1 thread when raid1 array run failed + - mrp: introduce active flags to prevent UAF when applicant uninit + - ppp: associate skb with a device at tx + - media: dvb-frontends: fix leak of memory fw + - media: dvbdev: adopts refcnt to avoid UAF + - media: dvb-usb: fix memory leak in dvb_usb_adapter_init() + - blk-mq: fix possible memleak when register 'hctx' failed + - regulator: core: fix use_count leakage when handling boot-on + - [arm64] mmc: f-sdh30: Add quirks for broken timeout clock capability + - media: si470x: Fix use-after-free in si470x_int_in_callback() + - orangefs: Fix kmemleak in orangefs_prepare_debugfs_help_string() + - [arm*] ASoC: rockchip: spdif: Add missing clk_disable_unprepare() in + rk_spdif_runtime_resume() + - [x86] ASoC: rt5670: Remove unbalanced pm_runtime_put() + - [arm*] usb: dwc3: core: defer probe on ulpi_read_id timeout + - HID: wacom: Ensure bootloader PID is usable in hidraw mode + - reiserfs: Add missing calls to reiserfs_security_free() + - media: dvbdev: fix refcnt bug + - ata: ahci: Fix PCS quirk application for suspend (regression in 4.19.77) + - HID: plantronics: Additional PIDs for double volume key presses quirk + - hfsplus: fix bug causing custom uid and gid being unable to be assigned + with mount + - ovl: Use ovl mounter's fsuid and fsgid in ovl_link() + - ALSA: line6: correct midi status byte when receiving data from podxt + - ALSA: line6: fix stack overflow in line6_midi_transmit + - pnode: terminate at peers of source + - md: fix a crash in mempool_free + - mmc: vub300: fix warning - do not call blocking ops when !TASK_RUNNING + - SUNRPC: Don't leak netobj memory when gss_read_proxy_verf() fails + - media: stv0288: use explicitly signed char + - dm cache: Fix ABBA deadlock between shrink_slab and + dm_cache_metadata_abort + - dm thin: Use last transaction's pmd->root when commit failed + - dm thin: Fix UAF in run_timer_softirq() + - dm cache: Fix UAF in destroy() + - dm cache: set needs_check flag after aborting metadata + - [x86] microcode/intel: Do not retry microcode reloading on the APs + - tracing: Fix infinite loop in tracing_read_pipe on overflowed + print_trace_line + - media: dvb-core: Fix double free in dvb_register_device() + (regression in 4.19.77) + - media: dvb-core: Fix UAF due to refcount races at releasing + (CVE-2022-41218) + - md/bitmap: Fix bitmap chunk size overflow issues + - ipmi: fix long wait in unload when IPMI disconnect + - ipmi: fix use after free in _ipmi_destroy_user() + - PCI: Fix pci_device_is_present() for VFs by checking PF + - PCI/sysfs: Fix double free in error path + - [amd64] iommu/amd: Fix ivrs_acpihid cmdline parsing code + - device_cgroup: Roll back to original exceptions after copy failure + - drm/connector: send hotplug uevent on connector cleanup + - [x86] drm/vmwgfx: Validate the box size for the snooped cursor + (CVE-2022-36280) + - ext4: add inode table check in __ext4_get_inode_loc to aovid possible + infinite loop + - ext4: add helper to check quota inums + - ext4: fix bug_on in __es_tree_search caused by bad boot loader inode + - ext4: init quota for 'old.inode' in 'ext4_rename' + - ext4: fix corruption when online resizing a 1K bigalloc fs + - ext4: fix error code return to user-space in ext4_get_branch() + - ext4: avoid BUG_ON when creating xattrs + - ext4: fix inode leak in ext4_xattr_inode_create() on an error path + - ext4: initialize quota before expanding inode in setproject ioctl + - ext4: avoid unaccounted block allocation when expanding inode + - ext4: allocate extended attribute value in vmalloc area + - btrfs: send: avoid unnecessary backref lookups when finding clone source + - btrfs: replace strncpy() with strscpy() + - dm thin: resume even if in FAIL mode + - perf probe: Use dwarf_attr_integrate as generic DWARF attr accessor + - perf probe: Fix to get the DW_AT_decl_file and DW_AT_call_file as + unsinged data + - driver core: Set deferred_probe_timeout to a longer default if + CONFIG_MODULES is set + - ext4: goto right label 'failed_mount3a' + - ext4: correct inconsistent error msg in nojournal mode + - ext4: use kmemdup() to replace kmalloc + memcpy + - mbcache: don't reclaim used entries + - mbcache: add functions to delete entry if unused + - ext4: remove EA inode entry from mbcache on inode eviction + - ext4: unindent codeblock in ext4_xattr_block_set() + - ext4: fix race when reusing xattr blocks + - mbcache: automatically delete entries from cache on freeing + - ext4: fix deadlock due to mbcache entry corruption + - SUNRPC: ensure the matching upcall is in-flight upon downcall + - bpf: pull before calling skb_postpull_rcsum() + - qlcnic: prevent ->dcb use-after-free on qlcnic_dcb_enable() failure + - nfc: Fix potential resource leaks + - [amd64,arm64] net: amd-xgbe: add missed tasklet_kill + - RDMA/mlx5: Fix validation of max_rd_atomic caps for DC + - net: sched: atm: dont intepret cls results when asked to drop + (CVE-2023-23455) + - usb: rndis_host: Secure rndis_query check against int overflow + - udf: Fix extension of the last extent in the file + - [x86] ASoC: Intel: bytcr_rt5640: Add quirk for the Advantech MICA-071 + tablet + - [x86] bugs: Flush IBP in ib_prctl_set() (CVE-2023-0045) + - nfsd: fix handling of readdir in v4root vs. mount upcall timeout + - ext4: don't allow journal inode to have encrypt flag + - hfs/hfsplus: use WARN_ON for sanity check + - hfs/hfsplus: avoid WARN_ON() for sanity check, use proper error handling + - mbcache: Avoid nesting of cache->c_list_lock under bit locks + - driver core: Fix bus_type.match() error handling in __driver_attach() + - net: sched: disallow noqueue for qdisc classes (CVE-2022-47929) + - perf auxtrace: Fix address filter duplicate symbol selection + - net/ulp: prevent ULP without clone op from entering the LISTEN status + (CVE-2023-0461) + - ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF + (CVE-2023-0266) + - cifs: Fix uninitialized memory read for smb311 posix symlink create + - [x86] platform/x86: sony-laptop: Don't turn off 0x153 keyboard backlight + during probe + - ipv6: raw: Deduct extension header length in rawv6_push_pending_frames + (CVE-2023-0394) + - [x86] ALSA: hda/hdmi: fix failures at PCM open on Intel ICL and later + - quota: Factor out setup of quota inode + - ext4: fix bug_on in __es_tree_search caused by bad quota inode + - ext4: lost matching-pair of trace in ext4_truncate + - ext4: fix use-after-free in ext4_orphan_cleanup + - ext4: fix uninititialized value in 'ext4_evict_inode' + - netfilter: ipset: Fix overflow before widen in the bitmap_ip_create() + function. + - [x86] boot: Avoid using Intel mnemonics in AT&T syntax asm + - EDAC/device: Fix period calculation in edac_device_reset_delay_period() + - hvc/xen: lock console list traversal + - nfc: pn533: Wait for out_urb's completion in pn533_usb_send_frame() + - net/mlx5: Rename ptp clock info + - net/mlx5: Fix ptp max frequency adjustment range + - drm/virtio: Fix GEM handle creation UAF + - [arm64] cmpxchg_double*: hazard against entire exchange variable + - efi: fix NULL-deref in init error path (regression in 4.19.142) + - [arm*] tty: serial: tegra: Handle RX transfer in PIO mode if DMA wasn't + started + - [arm*] serial: tegra: Only print FIFO error message when an error occurs + - [arm*] serial: tegra: Change lower tolerance baud rate limit for tegra20 + and tegra30 + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.271 + - pNFS/filelayout: Fix coalescing test for single DS + - net/ethtool/ioctl: return -EOPNOTSUPP if we have no phy stats + - RDMA/srp: Move large values to a new enum for gcc13 + - f2fs: let's avoid panic if extent_tree is not created + - nilfs2: fix general protection fault in nilfs_btree_insert() + - xhci-pci: set the dma max_seg_size + - usb: xhci: Check endpoint is valid before dereferencing it + - xhci: Fix null pointer dereference when host dies + - xhci: Add a flag to disable USB3 lpm on a xhci root port level. + - prlimit: do_prlimit needs to have a speculation check (CVE-2023-0458) + - USB: serial: option: add Quectel EM05-G (GR) modem + - USB: serial: option: add Quectel EM05-G (CS) modem + - USB: serial: option: add Quectel EM05-G (RS) modem + - USB: serial: option: add Quectel EC200U modem + - USB: serial: option: add Quectel EM05CN (SG) modem + - USB: serial: option: add Quectel EM05CN modem + - USB: misc: iowarrior: fix up header size for + USB_DEVICE_ID_CODEMERCS_IOW100 + - usb: core: hub: disable autosuspend for TI TUSB8041 + - [x86] comedi: adv_pci1760: Fix PWM instruction handling + - [arm*] mmc: sunxi-mmc: Fix clock refcount imbalance during unbind + - cifs: do not include page data when checking signature + - USB: serial: cp210x: add SCALANCE LPE-9000 device id + - usb: gadget: f_ncm: fix potential NULL ptr deref in ncm_bitrate() + - usb-storage: apply IGNORE_UAS only for HIKSEMI MD202 on RTL9210 + - [i386] serial: pch_uart: Pass correct sg to dma_unmap_sg() + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.272 + - [armhf] dts: imx6qdl-gw560x: Remove incorrect 'uart-has-rtscts' + - [amd64] intel_ish-hid: Add check for ishtp_dma_tx_map + - [amd64] IB/hfi1: Reject a zero-length user expected buffer + - [amd64] IB/hfi1: Reserve user expected TIDs + - [amd64] IB/hfi1: Fix expected receive setup error exit issues + - affs: initialize fsdata in affs_truncate() + - amd-xgbe: TX Flow Ctrl Registers are h/w ver dependent + - amd-xgbe: Delay AN timeout during KR training + - bpf: Fix pointer-leak due to insufficient speculative store bypass + mitigation + - [arm64] phy: rockchip-inno-usb2: Fix missing clk_disable_unprepare() in + rockchip_usb2phy_power_on() + - net: nfc: Fix use-after-free in local_cleanup() + - wifi: rndis_wlan: Prevent buffer overflow in rndis_query_oid + (CVE-2023-23559) + - net: usb: sr9700: Handle negative len + - net: mdio: validate parameter addr in mdiobus_get_phy() + - HID: check empty report_list in hid_validate_values() (CVE-2023-1073) + - usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait + - usb: gadget: f_fs: Ensure ep0req is dequeued before free_request + - net: mlx5: eliminate anonymous module_init & module_exit + - dmaengine: Fix double increment of client_count in dma_chan_get() + - [arm64] net: macb: fix PTP TX timestamp failure due to packet padding + - HID: betop: check shape of output reports + - tcp: avoid the lookup process failing to get sk in ehash table + - w1: fix deadloop in __w1_remove_master_device() + - w1: fix WARNING after calling w1_process() + - netfilter: conntrack: do not renew entry stuck in tcp SYN_SENT state + - block: fix and cleanup bio_check_ro + - perf env: Do not return pointers to local variables + - fs: reiserfs: remove useless new_opts in reiserfs_remount + - Bluetooth: hci_sync: cancel cmd_timer if hci_open failed + - scsi: hpsa: Fix allocation size for scsi_host_alloc() + - module: Don't wait for GOING modules + - tracing: Make sure trace_printk() can output as soon as it can be used + - trace_events_hist: add check for return value of 'create_hist_field' + - smbd: Make upper layer decide when to destroy the transport + - cifs: Fix oops due to uncleared server->smbd_conn in reconnect + - EDAC/device: Respect any driver-supplied workqueue polling value + - net: fix UaF in netns ops registration error path (regression in + 4.19.264) + - netfilter: nft_set_rbtree: skip elements in transaction from garbage + collection + - netlink: remove hash::nelems check in netlink_insert + - netlink: annotate data races around nlk->portid + - netlink: annotate data races around dst_portid and dst_group + - netlink: annotate data races around sk_state + - ipv4: prevent potential spectre v1 gadget in ip_metrics_convert() + - netfilter: conntrack: fix vtag checks for ABORT/SHUTDOWN_COMPLETE + - [x86] netrom: Fix use-after-free of a listening socket. (regression in + 4.19.199) + - sctp: fail if no bound addresses can be used for a given scope + (CVE-2023-1074) + - net/tg3: resolve deadlock in tg3_reset_task() during EEH + - [x86] Revert "Input: synaptics - switch touchpad on HP Laptop 15-da3001TU + to RMI mode" (regression in 4.19.268) + - [x86] i8259: Mark legacy PIC interrupts with IRQ_LEVEL + - [x86] drm/i915/display: fix compiler warning about array overrun + - [armhf] dts: imx: Fix pca9547 i2c-mux node name + - [armhf] dmaengine: imx-sdma: Fix a possible memory leak in + sdma_transfer_init + - panic: unset panic_on_warn inside panic() + - exit: Add and use make_task_dead. + - exit: Put an upper limit on how often we can oops + - exit: Expose "oops_count" to sysfs + - exit: Allow oops_limit to be disabled + - panic: Consolidate open-coded panic_on_warn checks + - panic: Introduce warn_limit + - panic: Expose "warn_count" to sysfs + - docs: Fix path paste-o for /sys/kernel/warn_count + - exit: Use READ_ONCE() for all oops/warn limit reads + - ipv6: ensure sane device mtu in tunnels + - [arm*] usb: host: xhci-plat: add wakeup entry at sysfs + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.273 + - firewire: fix memory leak for payload of request subaction to IEC 61883-1 + FCP region + - [arm*] bus: sunxi-rsb: Fix error handling in sunxi_rsb_init() + - ALSA: hda/via: Avoid potential array out-of-bound in add_secret_dac_path() + - [x86] netrom: Fix use-after-free caused by accept on already connected + socket + - ata: libata: Fix sata_down_spd_limit() when no link speed is reported + - net: openvswitch: fix flow memory leak in ovs_flow_cmd_new + - scsi: target: core: Fix warning on RT kernels + - scsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress + (CVE-2023-2162) + - [arm*] i2c: rk3x: fix a bunch of kernel-doc warnings + - [arm64] usb: dwc3: dwc3-qcom: Fix typo in the dwc3 vbus override API + - [arm64] usb: dwc3: qcom: enable vbus override when in OTG dr-mode + - usb: gadget: f_fs: Fix unbalanced spinlock in __ffs_ep0_queue_wait + - vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF + - [x86] Input: i8042 - merge quirk tables + - [x86] Input: i8042 - add TUXEDO devices to i8042 quirk tables + - [x86] Input: i8042 - add Clevo PCX0DX to i8042 quirk table + - [x86] nVMX x86: Check VMX-preemption timer controls on vmentry of L2 + guests + - [x86] KVM: VMX: Move caching of MSR_IA32_XSS to hardware_setup() + - [x86] KVM: x86/vmx: Do not skip segment attributes if unusable bit is set + - [x86] thermal: intel: int340x: Protect trip temperature from concurrent + updates + - fbcon: Check font dimension limits + - efi: Accept version 2 of memory attributes table + - iio: hid: fix the retval in accel_3d_capture_sample + - mm: hugetlb: proc: check for hugetlb shared PMD in /proc/PID/smaps + - mm/swapfile: add cond_resched() in get_swap_pages() + - Squashfs: fix handling and sanity checking of xattr_ids count + - serial: 8250_dma: Fix DMA Rx completion race + - serial: 8250_dma: Fix DMA Rx rearm race + - [x86] thermal: intel: int340x: Add locking to + int340x_thermal_get_trip_type() + - btrfs: limit device extents to the device size + - [x86] ALSA: emux: Avoid potential array out-of-bound in + snd_emux_xg_control() + - [amd64] IB/hfi1: Restore allocated resources on failed copyout + - [arm64] net: phy: meson-gxl: add g12a support + - [arm64] net: phy: meson-gxl: use MMD access dummy stubs for GXL, internal + PHY + - rds: rds_rm_zerocopy_callback() use list_first_entry() (CVE-2023-1078) + - ALSA: pci: lx6464es: fix a debug loop + - [arm*] pinctrl: single: fix potential NULL dereference + - [x86] pinctrl: intel: Convert unsigned to unsigned int + - [x86] pinctrl: intel: Restore the pins that used to be in Direct IRQ mode + - net: USB: Fix wrong-direction WARNING in plusb.c + - usb: core: add quirk for Alcor Link AK9563 smartcard reader + - [arm64] dts: meson-gx: Make mmc host controller interrupts level- + sensitive + - [arm64] dts: meson-axg: Make mmc host controller interrupts level- + sensitive + - bpf: Always return target ifindex in bpf_fib_lookup + - migrate: hugetlb: check for hugetlb shared PMD in node migration + - [x86] net/rose: Fix to not accept on connected socket + - nvme-fc: fix a missing queue put in nvmet_fc_ls_create_association + - aio: fix mremap after fork null-deref + - netfilter: nft_tproxy: restrict to prerouting hook + - mmc: sdio: fix possible resource leaks in some error paths + - ALSA: hda/conexant: add a new hda codec SN6180 + - ALSA: hda/realtek - fixed wrong gpio assigned + - [armhf,i386] hugetlb: check for undefined shift on 32 bit architectures + - i40e: add double of VLAN header when computing the max MTU + - dccp/tcp: Avoid negative sk_forward_alloc by ipv6_pinfo.pktoptions. + - net/usb: kalmia: Don't pass act_len in usb_bulk_msg error path + - [arm*] net: stmmac: fix order of dwmac5 FlexPPS parametrization sequence + - bnxt_en: Fix mqprio and XDP ring checking logic + - [arm*] net: stmmac: Restrict warning on disabling DMA store and fwd mode + - net: mpls: fix stale pointer if allocation fails during device rename + (CVE-2023-26545) + - ipv6: Fix datagram socket connection with DSCP. + - ipv6: Fix tcp socket connection with DSCP. + - i40e: Add checking for null for nlmsg_find_attr() + - [x86] kvm: initialize all of the kvm_debugregs structure before sending + it to userspace (CVE-2023-1513) + - nilfs2: fix underflow in second superblock position calculations + - [arm64] net: phy: meson-gxl: Add generic dummy stubs for MMD register + access + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.274 + - wifi: rtl8xxxu: gen2: Turn on the rate control + - random: always mix cycle counter in add_latent_entropy() + - can: kvaser_usb: hydra: help gcc-13 to figure out cmd_len + - alarmtimer: Prevent starvation by small intervals and SIG_IGN + - [x86] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry + (CVE-2022-3707) + - mac80211: mesh: embedd mesh_paths and mpp_paths into ieee80211_if_mesh + - uaccess: Add speculation barrier to copy_from_user() (CVE-2023-0459) + - bpf: add missing header file include + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.275 + - [armhf] dts: rockchip: add power-domains property to dp node on rk3288 + - [amd64,arm64] ACPI: NFIT: fix a potential deadlock during NFIT teardown + - btrfs: send: limit number of clones and allocated memory size + - [amd64] IB/hfi1: Assign npages earlier + - net: Remove WARN_ON_ONCE(sk->sk_forward_alloc) from sk_stream_kill_queues(). + - vc_screen: don't clobber return value in vcs_read + - USB: serial: option: add support for VW/Skoda "Carstick LTE" + - USB: core: Don't hold device lock while reading the "descriptors" sysfs + file + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.276 + - HID: asus: Remove check for same LED brightness on set + - HID: asus: use spinlock to protect concurrent accesses + - HID: asus: use spinlock to safely schedule workers (CVE-2023-1079) + - [armhf] OMAP2+: Fix memory leak in realtime_counter_init() + - [armhf] imx: Call ida_simple_remove() for ida_simple_get + - [arm64] dts: meson-axg: enable SCPI + - blk-mq: remove stale comment for blk_mq_sched_mark_restart_hctx + - block: bio-integrity: Copy flags when bio_integrity_payload is cloned + - wifi: rsi: Fix memory leak in rsi_coex_attach() + - wifi: libertas: fix memory leak in lbs_init_adapter() + - wifi: rtl8xxxu: don't call dev_kfree_skb() under spin_lock_irqsave() + - rtlwifi: fix -Wpointer-sign warning + - wifi: rtlwifi: Fix global-out-of-bounds bug in + _rtl8812ae_phy_set_txpower_limit() + - ipw2x00: switch from 'pci_' to 'dma_' API + - wifi: ipw2x00: don't call dev_kfree_skb() under spin_lock_irqsave() + - wifi: ipw2200: fix memory leak in ipw_wdev_init() + - wifi: brcmfmac: fix potential memory leak in brcmf_netdev_start_xmit() + - wifi: brcmfmac: unmap dma buffer in brcmf_msgbuf_alloc_pktid() + - wifi: libertas_tf: don't call kfree_skb() under spin_lock_irqsave() + - wifi: libertas: if_usb: don't call kfree_skb() under spin_lock_irqsave() + - wifi: libertas: main: don't call kfree_skb() under spin_lock_irqsave() + - wifi: libertas: cmdresp: don't call kfree_skb() under spin_lock_irqsave() + - [x86] wifi: wl3501_cs: don't call kfree_skb() under spin_lock_irqsave() + - [x86] ACPICA: Drop port I/O validation for some regions + - genirq: Fix the return type of kstat_cpu_irqs_sum() + - lib/mpi: Fix buffer overrun when SG is too long + - ACPICA: nsrepair: handle cases without a return value correctly + - [x86] wifi: orinoco: check return value of hermes_write_wordrec() + - wifi: ath9k: htc_hst: free skb in ath9k_htc_rx_msg() if there is no + callback function + - wifi: ath9k: hif_usb: clean up skbs if ath9k_hif_usb_rx_stream() fails + - wifi: ath9k: Fix potential stack-out-of-bounds write in + ath9k_wmi_rsp_callback() + - [x86] ACPI: battery: Fix missing NUL-termination with large strings + - crypto: seqiv - Handle EBUSY correctly + - Bluetooth: L2CAP: Fix potential user-after-free + - libbpf: Fix alen calculation in libbpf_nla_dump_errormsg() + - rds: rds_rm_zerocopy_callback() correct order for list_add_tail() + - crypto: rsa-pkcs1pad - Use akcipher_request_complete + - wifi: iwl3945: Add missing check for create_singlethread_workqueue + - wifi: iwl4965: Add missing check for create_singlethread_workqueue() + - wifi: mwifiex: fix loop iterator in mwifiex_update_ampdu_txwinsize() + - wifi: mac80211: make rate u32 in sta_set_rate_info_rx() + - can: esd_usb: Move mislocated storage of SJA1000_ECC_SEG bits in case of + a bus error + - [arm*] drm/vc4: dpi: Add option for inverting pixel clock and output + enable + - [arm*] drm/vc4: dpi: Fix format mapping for RGB565 + - [arm64] drm/msm/hdmi: Add missing check for alloc_ordered_workqueue + - ALSA: hda/ca0132: minor fix for allocation size + - drm/mipi-dsi: Fix byte order of 16-bit DCS set/get brightness + - [arm64] drm/msm: use strscpy instead of strncpy + - [arm64] drm/msm/dpu: Add check for pstates + - [arm*] gpu: host1x: Don't skip assigning syncpoints to channels + - [x86] ASoC: soc-compress.c: fixup private_data on snd_soc_new_compress() + - scsi: aic94xx: Add missing check for dma_map_single() + - nfsd: fix race to check ls_layouts + - gfs2: jdata writepage fix + - perf llvm: Fix inadvertent file creation + - [arm64] perf tools: Fix auto-complete on aarch64 + - [armhf] mtd: rawnand: sunxi: Fix the size of the last OOB region + - Input: ads7846 - don't report pressure for ads7845 + - Input: ads7846 - don't check penirq immediately for 7845 + - clk: Honor CLK_OPS_PARENT_ENABLE in clk_core_is_enabled() + - [armhf] media: platform: ti: Add missing check for devm_regulator_get + - media: rc: Fix use-after-free bugs caused by ene_tx_irqsim() + (CVE-2023-1118) + - media: i2c: ov7670: 0 instead of -EINVAL was returned + - media: usb: siano: Fix use after free bugs caused by do_submit_urb + - [arm64] rpmsg: glink: Avoid infinite loop on intent for missing channel + - [armhf] dts: exynos: Use Exynos5420 compatible for the MIPI video phy + - wifi: brcmfmac: Fix potential stack-out-of-bounds in + brcmf_c_preinit_dcmds() + - rcu: Suppress smp_processor_id() complaint in + synchronize_rcu_expedited_wait() + - [x86] thermal: intel: Fix unsigned comparison with less than zero + - timers: Prevent union confusion from unexpected restart_syscall() + - [x86] bugs: Reset speculation control settings on init + - wifi: brcmfmac: ensure CLM version is null-terminated to prevent stack- + out-of-bounds + - inet: fix fast path in __inet_hash_connect() + - ACPI: Don't build ACPICA with '-Os' + - [x86] ACPI: video: Fix Lenovo Ideapad Z570 DMI match + - drm/amd/display: Fix potential null-deref in dm_resume + - [arm64] drm/msm/dsi: Add missing check for alloc_ordered_workqueue + - dm thin: add cond_resched() to various workqueue loops + - dm cache: add cond_resched() to various workqueue loops + - wifi: rtl8xxxu: fixing transmisison failure for rtl8192eu + - [arm64] rtc: pm8xxx: fix set-alarm race + - hfs: fix missing hfs_bnode_get() in __hfs_bnode_create + - fs: hfsplus: fix UAF issue in hfsplus_put_super + - f2fs: fix information leak in f2fs_move_inline_dirents() + - ocfs2: fix defrag path triggering jbd2 ASSERT + - ocfs2: fix non-auto defrag path not working issue + - udf: Truncate added extents on failed expansion + - udf: Do not bother merging very long extents + - udf: Do not update file length for failed writes to inline files + - udf: Fix file corruption when appending just after end of preallocated + extent + - [x86] virt: Force GIF=1 prior to disabling SVM (for reboot flows) + - [x86] crash: Disable virt in core NMI crash handler to avoid double + shootdown + - [x86] reboot: Disable virtualization in an emergency if SVM is supported + - [x86] reboot: Disable SVM, not just VMX, when stopping CPUs + - [x86] kprobes: Fix __recover_optprobed_insn check optimizing logic + - [x86] kprobes: Fix arch_check_optimized_kprobe check within + optimized_kprobe range + - [x86] microcode/amd: Remove load_microcode_amd()'s bsp parameter + - [x86] microcode/AMD: Add a @cpu parameter to the reloading functions + - [x86] microcode/AMD: Fix mixed steppings support + - [x86] speculation: Allow enabling STIBP with legacy IBRS (CVE-2023-1998) + - irqdomain: Fix association race + - irqdomain: Fix disassociation race + - irqdomain: Drop bogus fwspec-mapping error handling + - [x86] ALSA: ice1712: Do not left ice->gpio_mutex locked in + aureon_add_controls() + - ext4: optimize ea_inode block expansion + - ext4: refuse to create ea block when umounted + - wifi: rtl8xxxu: Use a longer retry limit of 48 + - wifi: cfg80211: Fix use after free for wext + - dm flakey: fix logic when corrupting a bio + - dm flakey: don't corrupt the zero page + - [armhf] dts: exynos: correct TMU phandle in Exynos4 + - [armhf] dts: exynos: correct TMU phandle in Odroid XU + - rbd: avoid use-after-free in do_rbd_add() when rbd_dev_create() fails + - scsi: qla2xxx: Fix link failure in NPIV environment + - scsi: qla2xxx: Fix erroneous link down + - scsi: ses: Don't attach if enclosure has no components + - scsi: ses: Fix slab-out-of-bounds in ses_enclosure_data_process() + - scsi: ses: Fix possible addl_desc_ptr out-of-bounds accesses + - scsi: ses: Fix possible desc_ptr out-of-bounds accesses + - scsi: ses: Fix slab-out-of-bounds in ses_intf_remove() + - [x86] PCI: Avoid FLR for AMD FCH AHCI adapters + - [x86] drm/radeon: Fix eDP for single-display iMac11,2 + - wifi: ath9k: use proper statements in conditionals + - net/sched: Retire tcindex classifier (CVE-2023-1281, CVE-2023-1829) + - fs/jfs: fix shift exponent db_agl2size negative + - ubi: ensure that VID header offset + VID header size <= alloc, size + - ubifs: Rectify space budget for ubifs_symlink() if symlink is encrypted + - ubifs: Rectify space budget for ubifs_xrename() + - ubifs: Fix wrong dirty space budget for dirty inode + - ubifs: do_rename: Fix wrong space budget when target inode's nlink > 1 + - ubifs: Reserve one leb for each journal head while doing budget + - ubi: Fix use-after-free when volume resizing failed + - ubi: Fix unreferenced object reported by kmemleak in ubi_resize_volume() + - ubi: Fix possible null-ptr-deref in ubi_free_volume() + - ubifs: Re-statistic cleaned znode count if commit failed + - ubifs: dirty_cow_znode: Fix memleak in error handling path + - ubifs: ubifs_writepage: Mark page dirty after writing inode failed + - ubi: Fix UAF wear-leveling entry in eraseblk_count_seq_show() + - ubi: ubi_wl_put_peb: Fix infinite loop when wear-leveling work failed + - [x86] watchdog: pcwd_usb: Fix attempting to access uninitialized memory + - netfilter: ctnetlink: fix possible refcount leak in + ctnetlink_create_conntrack() + - net: fix __dev_kfree_skb_any() vs drop monitor + - 9p/xen: fix version parsing + - 9p/xen: fix connection sequence + - 9p/rdma: unmap receive dma buffer in rdma_request()/post_recv() + - nfc: fix memory leak of se_io context in nfc_genl_se_io + - tcp: tcp_check_req() can be called from process context + - vc_screen: modify vcs_size() handling in vcs_read() + - [x86] scsi: ipr: Work around fortify-string warning + - tracing: Add NULL checks for buffer in ring_buffer_free_read_page() + - [x86] firmware/efi sysfb_efi: Add quirk for Lenovo IdeaPad Duet 3 + - media: uvcvideo: Handle cameras with invalid descriptors + - media: uvcvideo: Handle errors from calls to usb_string + - media: uvcvideo: Silence memcpy() run-time false positive warnings + - tty: fix out-of-bounds access in tty_driver_lookup_tty() + - [x86] mei: bus-fixup:upon error print return values of send and receive + - USB: ene_usb6250: Allocate enough memory for full object + - [arm64] phy: rockchip-typec: Fix unsigned comparison with less than zero + - Bluetooth: hci_sock: purge socket queues in the destruct() callback + - tcp: Fix listen() regression in 4.19.270 + - media: uvcvideo: Provide sync and async uvc_ctrl_status_event + - media: uvcvideo: Fix race condition with usb_kill_urb + - f2fs: fix cgroup writeback accounting with fs-layer encryption + - [x86] thermal: intel: powerclamp: Fix cur_state for multi package system + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.277 + - wifi: cfg80211: Partial revert "wifi: cfg80211: Fix use after free for + wext" + - [x86] staging: rtl8192e: Remove function ..dm_check_ac_dc_power calling + a script + - [x86] staging: rtl8192e: Remove call_usermodehelper starting + RadioPower.sh + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.278 + - fs: prevent out-of-bounds array speculation when closing a file + descriptor + - [x86] CPU/AMD: Disable XSAVES on AMD family 0x17 + - ext4: fix RENAME_WHITEOUT handling for inline directories (regression in + 4.19.183) + - ext4: fix another off-by-one fsmap error on 1k block filesystems + - ext4: move where set the MAY_INLINE_DATA flag is set + - ext4: fix WARNING in ext4_update_inline_data + - ext4: zero i_disksize when initializing the bootloader inode + - nfc: change order inside nfc_se_io error path + - udf: reduce leakage of blocks related to named streams + - udf: Remove pointless union in udf_inode_info + - udf: Preserve link count of system files + - udf: Detect system inodes linked into directory hierarchy + - kbuild: fix false-positive need-builtin calculation + - kbuild: generate modules.order only in directories visited by obj-y/m + - scsi: core: Remove the /proc/scsi/${proc_name} directory earlier + - tipc: improve function tipc_wait_for_cond() + - [x86] drm/i915: Don't use BAR mappings for ring buffers with LLC + - ila: do not generate empty messages in ila_xlat_nl_cmd_get_mapping() + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.279 + - ext4: fix cgroup writeback accounting with fs-layer encryption + - fs: sysfs_emit_at: Remove PAGE_SIZE alignment check (regression in + 4.19.179) + - tcp: tcp_make_synack() can be called from process context + - nfc: pn533: initialize struct pn533_out_arg properly + - qed/qed_dev: guard against a possible division by zero + - net: tunnels: annotate lockless accesses to dev->needed_headroom + - net: phy: smsc: bail out in lan87xx_read_status if genphy_read_status + fails + - nfc: st-nci: Fix use after free bug in ndlc_remove due to race condition + (CVE-2023-1990) + - net: usb: smsc75xx: Limit packet length to skb->len + - nvmet: avoid potential UAF in nvmet_req_complete() + - ipv4: Fix incorrect table ID in IOCTL path + - net: usb: smsc75xx: Move packet length check to prevent kernel panic in + skb_pull + - hwmon: (adt7475) Display smoothing attributes in correct order + - hwmon: (adt7475) Fix masking of hysteresis registers + - [arm64] hwmon: (xgene) Fix use after free bug in xgene_hwmon_remove due + to race condition (CVE-2023-1855) + - jffs2: correct logic when creating a hole in jffs2_write_begin + - ext4: fail ext4_iget if special inode unallocated + - ext4: fix task hung in ext4_xattr_delete_inode + - [amd64] drm/amdkfd: Fix an illegal memory access + - tracing: Check field value in hist_field_name() + - ftrace: Fix invalid address access in lookup_rec() when index is 0 + - [x86] mm: Fix use of uninitialized buffer in sme_enable() + - [x86] drm/i915: Don't use stolen memory for ring buffers with LLC + - HID: core: Provide new max_buffer_size attribute to over-ride the default + - HID: uhid: Over-ride the default maximum data buffer value with our own + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.280 + - power: supply: da9150: Fix use after free bug in da9150_charger_remove + due to race condition (CVE-2023-30772) + - i40evf: Change a VF mac without reloading the VF driver + - intel-ethernet: rename i40evf to iavf + - iavf: diet and reformat + - iavf: fix inverted Rx hash condition leading to disabled hash + - intel/igbvf: free irq on the error path in igbvf_request_msix() + - igbvf: Regard vf reset nack as success + - scsi: scsi_dh_alua: Fix memleak for 'qdata' in alua_activate() + - net: usb: smsc95xx: Limit packet length to skb->len + - qed/qed_sriov: guard against NULL derefs from qed_iov_get_vf_info + - [x86] xirc2ps_cs: Fix use after free bug in xirc2ps_detach + (CVE-2023-1670) + - [arm64] net: qcom/emac: Fix use after free bug in emac_remove due to race + condition + - bpf: Adjust insufficient default bpf_jit_limit + - net/mlx5: Read the TC mapping of all priorities on ETS query + - erspan: do not use skb_mac_header() in ndo_start_xmit() + - hvc/xen: prevent concurrent accesses to the shared ring + - [arm64] net: mdio: thunder: Add missing fwnode_handle_put() + - [arm64 ]Bluetooth: btqcomsmd: Fix command timeout after setting BD + address + - Bluetooth: btsdio: fix use after free bug in btsdio_remove due to + unfinished work (CVE-2023-1989) + - [x86] hwmon (it87): Fix voltage scaling for chips with 10.9mV ADCs + - uas: Add US_FL_NO_REPORT_OPCODES for JMicron JMS583Gen 2 + - [x86] thunderbolt: Use const qualifier for `ring_interrupt_index` + - scsi: target: iscsi: Fix an error message in iscsi_check_key() + - scsi: ufs: core: Add soft dependency on governor_simpleondemand + - net: usb: cdc_mbim: avoid altsetting toggling for Telit FE990 + - net: usb: qmi_wwan: add Telit 0x1080 composition + - cifs: empty interface list when server doesn't support query interfaces + - scsi: core: Add BLIST_SKIP_VPD_PAGES for SKhynix H28U74301AMR + - usb: gadget: u_audio: don't let userspace block driver unbind + - igb: revert rtnl_lock() that causes deadlock (regression in 4.19.256) + - dm thin: fix deadlock when swapping to thin device + - [arm*] usb: chipdea: core: fix return -EINVAL if request role is the same + with current role + - [arm*] usb: chipidea: core: fix possible concurrent when switch role + - nilfs2: fix kernel-infoleak in nilfs_ioctl_wrap_copy() + - [arm64] i2c: xgene-slimpro: Fix out-of-bounds bug in + xgene_slimpro_i2c_xfer() (CVE-2023-2194) + - dm stats: check for and propagate alloc_percpu failure + - dm crypt: add cond_resched() to dmcrypt_write() + - sched/fair: sanitize vruntime of entity being placed + - sched/fair: Sanitize vruntime of entity being migrated + - tun: avoid double free in tun_free_netdev (CVE-2022-4744) + - ocfs2: fix data corruption after failed write (regression in 4.19.155) + - md: avoid signed overflow in slot_store() + - [x86] ALSA: asihpi: check pao in control_message() + - ALSA: hda/ca0132: fixup buffer overrun at tuning_ctl_set() + - sched_getaffinity: don't assume 'cpumask_size()' is fully initialized + - [i386] fbdev: lxfb: Fix potential divide by zero + - scsi: megaraid_sas: Fix crash after a double completion + - can: bcm: bcm_tx_setup(): fix KMSAN uninit-value in vfs_write + - i40e: fix registers dump after run ethtool adapter self test + - [arm*] net: dsa: mv88e6xxx: Enable IGMP snooping on user ports only + - [arm*] net: mvneta: make tx buffer array agnostic + - [arm*] Input: alps - fix compatibility with -funsigned-char + - [arm*] Input: focaltech - use explicitly signed char type + - cifs: prevent infinite recursion in CIFSGetDFSRefer() + - cifs: fix DFS traversal oops without CONFIG_CIFS_DFS_UPCALL + - xen/netback: don't do grant copy across page boundary (regression in + 4.19.269) + - [x86] ALSA: hda/conexant: Partial revert of a quirk for Lenovo + (regression in 4.19.256) + - ALSA: usb-audio: Fix regression on detection of Roland VS-100 + (regression in 4.19.164) + - [armhf] drm/etnaviv: fix reference leak when mmaping imported buffer + - ext4: fix kernel BUG in 'ext4_write_inline_data_end()' + - gfs2: Always check inode size of inline inodes + - net: sched: cbq: dont intepret cls results when asked to drop + (CVE-2023-23454) + - cgroup/cpuset: Change cpuset_rwsem and hotplug lock order + - cgroup: Fix threadgroup_rwsem <-> cpus_read_lock() deadlock (regression + in 4.19.232) + - cgroup: Add missing cpus_read_lock() to cgroup_attach_task_all() + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.281 + - pinctrl: Added IRQF_SHARED flag for amd-pinctrl driver + - pinctrl: amd: Use irqchip template + - pinctrl: amd: disable and mask interrupts on probe + - NFSv4: Convert struct nfs4_state to use refcount_t + - NFSv4: Check the return value of update_open_stateid() + - NFSv4: Fix hangs when recovering open state after a server reboot + - [arm64] pwm: cros-ec: Explicitly set .polarity in .get_state() + - wifi: mac80211: fix invalid drv_sta_pre_rcu_remove calls for non-uploaded + sta + - icmp: guard against too small mtu + - net: don't let netpoll invoke NAPI if in xmit context + - sctp: check send stream number after wait_for_sndbuf + - ipv6: Fix an uninit variable access bug in __ip6_make_skb() + - USB: serial: cp210x: add Silicon Labs IFS-USB-DATACABLE IDs + - USB: serial: option: add Telit FE990 compositions + - USB: serial: option: add Quectel RM500U-CN modem + - nilfs2: fix potential UAF of struct nilfs_sc_info in + nilfs_segctor_thread() + - nilfs2: fix sysfs interface lifetime + - [x86] ALSA: hda/realtek: Add quirk for Clevo X370SNW + - perf/core: Fix the same task check in perf_event_set_output + - ftrace: Mark get_lock_parent_ip() __always_inline + - ring-buffer: Fix race while reader and writer are on the same page + - mm/swap: fix swap_info_struct race between swapoff and get_swap_pages() + - [x86] ALSA: emu10k1: fix capture interrupt handler unlinking + - [x86] ALSA: hda/sigmatel: add pin overrides for Intel DP45SG motherboard + - [x86] ALSA: i2c/cs8427: fix iec958 mixer control deactivation + - [x86] ALSA: hda/sigmatel: fix S/PDIF out on Intel D*45* motherboards + - Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp} + - Bluetooth: Fix race condition in hidp_session_thread + - mtdblock: tolerate corrected bit-flips + - 9p/xen : Fix use after free bug in xen_9pfs_front_remove due to race + condition (CVE-2023-1859) + - niu: Fix missing unwind goto in niu_alloc_channels() + - qlcnic: check pci_reset_function result + - sctp: fix a potential overflow in sctp_ifwdtsn_skip + - [arm64] net: macb: fix a memory corruption in extended buffer descriptor + mode + - udp6: fix potential access to stale information + - [arm64] power: supply: cros_usbpd: reclassify "default case!" as debug + - [x86] efi: sysfb_efi: Add quirk for Lenovo Yoga Book X91F/L + - [amd64] verify_pefile: relax wrapper length check + - scsi: ses: Handle enclosure with just a primary component gracefully + - [x86] PCI: Add quirk for AMD XHCI controller that loses MSI-X state in + D3hot + - ubi: Fix failure attaching when vid_hdr offset equals to (sub)page size + - ubi: Fix deadlock caused by recursively holding work_sem + - cgroup/cpuset: Wake up cpuset_attach_wq tasks in cpuset_cancel_attach() + - [arm64] watchdog: sbsa_wdog: Make sure the timeout programming is within + the limits + - [x86] KVM: nVMX: add missing consistency checks for CR0 and CR4 + (CVE-2023-30456) + - [arm64] KVM: arm64: Factor out core register ID enumeration + - [arm64] KVM: arm64: Filter out invalid core register IDs in + KVM_GET_REG_LIST (regression in 4.19) + - [arm64] KVM: Fix system register enumeration + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.282 + - net: sched: sch_qfq: prevent slab-out-of-bounds in qfq_activate_agg + - virtio_net: bugfix overflow inside xdp_linearize_page() + - i40e: fix accessing vsi->active_filters without holding lock + - i40e: fix i40e_setup_misc_vector() error handling + - mlxfw: fix null-ptr-deref in mlxfw_mfa2_tlv_next() + - e1000e: Disable TSO on i219-LM card to increase speed + - f2fs: Fix f2fs_truncate_partial_nodes ftrace event + - [x86] Input: i8042 - add quirk for Fujitsu Lifebook A574/H + - scsi: megaraid_sas: Fix fw_crash_buffer_show() + - scsi: core: Improve scsi_vpd_inquiry() checks + - xen/netback: use same error messages for same errors + - nilfs2: initialize unused bytes in segment summary blocks + - memstick: fix memory leak if card device is never registered + - [x86] purgatory: Don't generate debug info for purgatory.ro + - Revert "ext4: fix use-after-free in ext4_xattr_set_entry" (regression in + 4.19.256) + - ext4: remove duplicate definition of ext4_xattr_ibody_inline_set() + - ext4: fix use-after-free in ext4_xattr_set_entry + - udp: Call inet6_destroy_sock() in setsockopt(IPV6_ADDRFORM). + - tcp/udp: Call inet6_destroy_sock() in IPv6 sk->sk_destruct(). + - inet6: Remove inet6_destroy_sock() in sk->sk_prot->destroy(). + - dccp: Call inet6_destroy_sock() via sk->sk_destruct(). + - sctp: Call inet6_destroy_sock() via sk->sk_destruct(). + + [ Ben Hutchings ] + * Bump ABI to 24 + * [armhf] Disable LOCK_DOWN_KERNEL, LOCK_DOWN_IN_EFI_SECURE_BOOT, and + MODULE_SIG where we don't sign code (Closes: #825141) + * [rt] Update to 4.19.280-rt123: + - workqueue: Fix deadlock due to recursive locking of pool->lock + * [rt] netpoll: Fix netif_local_xmit_active() for 4.19-rt + +4.19.269-1 [Tue, 20 Dec 2022 23:56:34 +0100] Ben Hutchings <benh@debian.org>: * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.261 <http://piuparts.knut.univention.de/5.0-3/#2945757476258133704>
--- mirror/ftp/pool/main/l/linux/linux_4.19.269-1.dsc +++ apt/ucs_5.0-0-errata5.0-3/source/linux_4.19.282-1.dsc @@ -1,3 +1,991 @@ +4.19.282-1 [Sat, 29 Apr 2023 22:07:39 +0200] Ben Hutchings <benh@debian.org>: + + * New upstream stable update: + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.270 + - mm/khugepaged: fix GUP-fast interaction by sending IPI + - mm/khugepaged: invoke MMU notifiers in shmem/file collapse paths + - block: unhash blkdev part inode when the part is deleted + - nfp: fix use-after-free in area_cache_get() (CVE-2022-3545) + - ASoC: ops: Check bounds for second channel in snd_soc_put_volsw_sx() + - can: sja1000: fix size of OCR_MODE_MASK define + - can: mcba_usb: Fix termination command argument + - ASoC: ops: Correct bounds check for second channel on SX controls + - udf: Discard preallocation before extending file with a hole + - udf: Fix preallocation discarding at indirect extent boundary + - udf: Do not bother looking for prealloc extents if i_lenExtents matches + i_size + - udf: Fix extending file within last block + - usb: gadget: uvc: Prevent buffer overflow in setup handler + - USB: serial: option: add Quectel EM05-G modem + - USB: serial: cp210x: add Kamstrup RF sniffer PIDs + - USB: serial: f81534: fix division by zero on line-speed change + - igb: Initialize mailbox message for VF reset + - Bluetooth: L2CAP: Fix u8 overflow (CVE-2022-45934) + - net: loopback: use NET_NAME_PREDICTABLE for name_assign_type + - [arm*] usb: musb: remove extra check in musb_gadget_vbus_draw + - [armhf] soc: ti: smartreflex: Fix PM disable depth imbalance in + omap_sr_probe + - [armhf] dts: dove: Fix assigned-addresses for every PCIe Root Port + - [armhf] dts: armada-370: Fix assigned-addresses for every PCIe Root Port + - [armhf] dts: armada-xp: Fix assigned-addresses for every PCIe Root Port + - [armhf] dts: armada-375: Fix assigned-addresses for every PCIe Root Port + - [armhf] dts: armada-38x: Fix assigned-addresses for every PCIe Root Port + - [armhf] dts: armada-39x: Fix assigned-addresses for every PCIe Root Port + - [armhf] dts: turris-omnia: Add ethernet aliases + - [armhf] dts: turris-omnia: Add switch port 6 node + - pstore/ram: Fix error return code in ramoops_probe() + - pstore: Avoid kcore oops by vmap()ing with VM_IOREMAP + - [x86] tpm/tpm_crb: Fix error message in __crb_relinquish_locality() + - [arm64] cpuidle: dt: Return the correct numbers of parsed idle states + - fs: don't audit the capability check in simple_xattr_list() + - selftests/ftrace: event_triggers: wait longer for test_event_enable + - perf: Fix possible memleak in pmu_dev_alloc() + - timerqueue: Use rb_entry_safe() in timerqueue_getnext() + - ocfs2: fix memory leak in ocfs2_stack_glue_init() + - PNP: fix name memory leak in pnp_alloc_dev() + - [x86] perf/x86/intel/uncore: Fix reference count leak in + hswep_has_limit_sbox() (regression in 4.19.189) + - [x86] cpufreq: amd_freq_sensitivity: Add missing pci_dev_put() + - lib/notifier-error-inject: fix error when writing -errno to debugfs file + - debugfs: fix error when writing negative value to atomic_t debugfs file + (regression in 4.19.160) + - ACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage() + - [x86] uprobes/x86: Allow to probe a NOP instruction with 0x66 prefix + - [x86] xen/events: only register debug interrupt for 2-level events + - [x86] xen: Fix memory leak in xen_smp_intr_init{_pv}() + - [x86] xen: Fix memory leak in xen_init_lock_cpu() + - xen/privcmd: Fix a possible warning in privcmd_ioctl_mmap_resource() + - PM: runtime: Improve path in rpm_idle() when no callback + - PM: runtime: Do not call __rpm_callback() from rpm_idle() + - [x86] platform/x86: mxm-wmi: fix memleak in mxm_wmi_call_mx[ds|mx]() + - fs: sysv: Fix sysv_nblocks() returns wrong value + - relay: fix type mismatch when allocating memory in relay_create_buf() + - hfs: Fix OOB Write in hfs_asc2mac + - wifi: ath9k: hif_usb: fix memory leak of urbs in + ath9k_hif_usb_dealloc_tx_urbs() (regression in 4.19.154) + - wifi: ath9k: hif_usb: Fix use-after-free in ath9k_hif_usb_reg_in_cb() + - wifi: rtl8xxxu: Fix reading the vendor of combo chips + - can: kvaser_usb: do not increase tx statistics when sending error message + frames + - can: kvaser_usb: kvaser_usb_leaf: Get capabilities from device + - can: kvaser_usb: kvaser_usb_leaf: Rename {leaf,usbcan}_cmd_error_event to + {leaf,usbcan}_cmd_can_error_event + - can: kvaser_usb: kvaser_usb_leaf: Handle CMD_ERROR_EVENT + - can: kvaser_usb_leaf: Set Warning state even without bus errors + - can: kvaser_usb_leaf: Fix improved state not being reported + - can: kvaser_usb_leaf: Fix wrong CAN state after stopping + - can: kvaser_usb_leaf: Fix bogus restart events + - can: kvaser_usb: Add struct kvaser_usb_busparams + - can: kvaser_usb: Compare requested bittiming parameters with actual + parameters in do_set_{,data}_bittiming + - media: vivid: fix compose size exceed boundary + - mtd: Fix device name leak when register device failed in add_mtd_device() + - wifi: rsi: Fix handling of 802.3 EAPOL frames sent via control port + - drm/radeon: Add the missed acpi_put_table() to fix memory leak + - regulator: core: fix unbalanced of node refcount in + regulator_dev_lookup() + - wifi: ath10k: Fix return value in ath10k_pci_init() + - [arm64] Input: elants_i2c - properly handle the reset GPIO when power is + off + - media: solo6x10: fix possible memory leak in solo_sysfs_init() + - HID: hid-sensor-custom: set fixed size for custom attributes + - bonding: Export skip slave logic to function + - media: imon: fix a race condition in send_packet() + - pinctrl: pinconf-generic: add missing of_node_put() + - media: dvb-core: Fix ignored return value in dvb_register_frontend() + - media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer() + (CVE-2023-28328) + - [arm*] drm/tegra: Add missing clk_disable_unprepare() in tegra_dc_probe() + - NFSv4.2: Fix a memory stomp in decode_attr_security_label + - NFSv4: Fix a deadlock between nfs4_open_recover_helper() and delegreturn + - [x86] ALSA: asihpi: fix missing pci_disable_device() + - drm/radeon: Fix PCI device refcount leak in radeon_atrm_get_bios() + - drm/amdgpu: Fix PCI device refcount leak in amdgpu_atrm_get_bios() + - wifi: cfg80211: Fix not unregister reg_pdev when + load_builtin_regdb_keys() fails + - regulator: core: fix module refcount leak in set_supply() + - media: saa7164: fix missing pci_disable_device() + - ALSA: mts64: fix possible null-ptr-defer in snd_mts64_interrupt + - SUNRPC: Fix missing release socket in rpc_sockname() + - NFSv4.x: Fail client initialisation if state manager thread can't run + - mmc: rtsx_usb_sdmmc: fix return value check of mmc_add_host() + - mmc: toshsd: fix return value check of mmc_add_host() + - mmc: vub300: fix return value check of mmc_add_host() + - [armhf] mmc: wmt-sdmmc: fix return value check of mmc_add_host() + - [arm64] mmc: meson-gx: fix return value check of mmc_add_host() + - mmc: via-sdmmc: fix return value check of mmc_add_host() + - [x86] mmc: wbsd: fix return value check of mmc_add_host() + - [arm*] mmc: mmci: fix return value check of mmc_add_host() + - [armhf] clk: samsung: Fix memory leak in _samsung_clk_register_pll() + - wifi: rtl8xxxu: Add __packed to struct rtl8723bu_c2h + - wifi: brcmfmac: Fix error return code in brcmf_sdio_download_firmware() + - blktrace: Fix output non-blktrace event when blk_classic option enabled + - [armhf] clk: socfpga: use clk_hw_register for a5/c5 + - [x86] net: vmw_vsock: vmci: Check memcpy_from_msg() + - net: defxx: Fix missing err handling in dfx_init() + - drivers: net: qlcnic: Fix potential memory leak in qlcnic_sriov_init() + - ethernet: s2io: don't call dev_kfree_skb() under spin_lock_irqsave() + - [x86] net: farsync: Fix kmemleak when rmmods farsync + - net/tunnel: wait until all sk_user_data reader finish before releasing + the sock + - [i386] hamradio: don't call dev_kfree_skb() under spin_lock_irqsave() + - [i386] net: amd: lance: don't call dev_kfree_skb() under + spin_lock_irqsave() + - [amd64,arm64] net: amd-xgbe: Fix logic around active and passive cables + - [amd64,arm64] net: amd-xgbe: Check only the minimum speed for active/ + passive cables + - Bluetooth: btusb: don't call kfree_skb() under spin_lock_irqsave() + - Bluetooth: hci_qca: don't call kfree_skb() under spin_lock_irqsave() + - Bluetooth: hci_h5: don't call kfree_skb() under spin_lock_irqsave() + - [x86] Bluetooth: hci_bcsp: don't call kfree_skb() under + spin_lock_irqsave() + - Bluetooth: hci_core: don't call kfree_skb() under spin_lock_irqsave() + - Bluetooth: RFCOMM: don't call kfree_skb() under spin_lock_irqsave() + (regression in 4.19.254) + - [arm*] stmmac: fix potential division by 0 (regression in 4.19.122) + - apparmor: fix a memleak in multi_transaction_new() + - apparmor: fix lockdep warning when removing a namespace + - apparmor: Fix abi check to include v8 abi + - f2fs: fix normal discard process + - RDMA/nldev: Return "-EAGAIN" if the cm_id isn't from expected port + - [x86] scsi: scsi_debug: Fix a warning in resp_write_scat() + - PCI: Check for alloc failure in pci_request_irq() + - [amd64] RDMA/hfi: Decrease PCI device reference count in error path + - RDMA/rxe: Fix NULL-ptr-deref in rxe_qp_do_cleanup() when socket create + failed + - scsi: hpsa: use local workqueues instead of system workqueues + - scsi: hpsa: Fix possible memory leak in hpsa_init_one() + - crypto: tcrypt - Fix multibuffer skcipher speed test mem leak + - scsi: hpsa: Fix error handling in hpsa_add_sas_host() + - scsi: hpsa: Fix possible memory leak in hpsa_add_sas_device() + - scsi: fcoe: Fix possible name leak when device_register() fails + - [x86] scsi: ipr: Fix WARNING in ipr_init() + - scsi: fcoe: Fix transport not deattached when fcoe_if_init() fails + - scsi: snic: Fix possible UAF in snic_tgt_create() + - [amd64] RDMA/hfi1: Fix error return code in parse_platform_config() + - orangefs: Fix sysfs not cleanup when dev init failed + - [x86] hwrng: amd - Fix PCI device refcount leak + - [i386] hwrng: geode - Fix PCI device refcount leak + - IB/IPoIB: Fix queue count inconsistency for PKEY child interfaces + - [arm*] serial: tegra: avoid reg access when clk disabled + - [arm*] serial: tegra: check for FIFO mode enabled status + - [arm*] serial: tegra: set maximum num of uart ports to 8 + - [arm*] serial: tegra: add support to use 8 bytes trigger + - [arm*] serial: tegra: add support to adjust baud rate + - [arm*] serial: tegra: report clk rate errors + - [arm*] serial: tegra: Add PIO mode support + - [arm*] tty: serial: tegra: Activate RX DMA transfer by request + - [arm*] serial: tegra: Read DMA status before terminating + - [x86] usb: typec: Check for ops->exit instead of ops->enter in + altmode_exit + - [arm*] serial: amba-pl011: avoid SBSA UART accessing DMACR register + - [arm*] serial: pl011: Do not clear RX FIFO & RX interrupt in unthrottle. + (regression in 4.19.253) + - [i386] serial: pch: Fix PCI device refcount leak in pch_request_dma() + - [x86] misc: sgi-gru: fix use-after-free error in gru_set_context_option, + gru_fault and gru_handle_user_call_os (CVE-2022-3424) + - misc: tifm: fix possible memory leak in tifm_7xx1_switch_media() + - usb: gadget: f_hid: optional SETUP/SET_REPORT mode + - usb: gadget: f_hid: fix f_hidg lifetime vs cdev + - usb: gadget: f_hid: fix refcount leak on error path + - chardev: fix error handling in cdev_device_add() + - [i386] i2c: pxa-pci: fix missing pci_disable_device() on error in + ce4100_i2c_probe + - [x86] staging: rtl8192u: Fix use after free in ieee80211_rx() + - [x86] staging: rtl8192e: Fix potential use-after-free in + rtllib_rx_Monitor() + - [x86] i2c: ismt: Fix an out-of-bounds bug in ismt_access() + (CVE-2022-2873) + - usb: storage: Add check for kcalloc + - tracing/hist: Fix issue of losting command info in error_log + - [x86] fbdev: pm2fb: fix missing pci_disable_device() + - [x86] fbdev: via: Fix error in via_core_init() + - [x86] fbdev: vermilion: decrease reference count in error path + - [x86] fbdev: uvesafb: Fixes an error handling path in uvesafb_probe() + - [armhf] HSI: omap_ssi_core: fix unbalanced pm_runtime_disable() + - [armhf] HSI: omap_ssi_core: fix possible memory leak in ssi_probe() + - power: supply: fix residue sysfs file in error handle route of + __power_supply_register() + - perf symbol: correction while adjusting symbol (regression in 4.19.255) + - [armhf] HSI: omap_ssi_core: Fix error handling in ssi_init() + - include/uapi/linux/swab: Fix potentially missing __always_inline + - [armhf] rtc: snvs: Allow a time difference on clock register read + - [amd64] iommu/amd: Fix pci device refcount leak in ppr_notifier() + - nfsd: under NFSv4.1, fix double svc_xprt_put on rpc_create failure + (regression in 4.19.130) + - [x86] mISDN: hfcsusb: don't call dev_kfree_skb/kfree_skb() under + spin_lock_irqsave() + - [x86] mISDN: hfcpci: don't call dev_kfree_skb/kfree_skb() under + spin_lock_irqsave() + - [x86] mISDN: hfcmulti: don't call dev_kfree_skb/kfree_skb() under + spin_lock_irqsave() + - nfc: pn533: Clear nfc_target before being used + - r6040: Fix kmemleak in probe and remove + - openvswitch: Fix flow lookup to use unmasked key + - skbuff: Account for tail adjustment during pull operations + - net_sched: reject TCF_EM_SIMPLE case for complex ematch module + - rxrpc: Fix missing unlock in rxrpc_do_sendmsg() + - myri10ge: Fix an error handling path in myri10ge_probe() + - net: stream: purge sk_error_queue in sk_stream_kill_queues() + (regression in 4.19.218) + - fs: jfs: fix shift-out-of-bounds in dbAllocAG + - udf: Avoid double brelse() in udf_rename() + - fs: jfs: fix shift-out-of-bounds in dbDiscardAG + - ACPICA: Fix error code path in acpi_ds_call_control_method() + - nilfs2: fix shift-out-of-bounds/overflow in nilfs_sb2_bad_offset() + - acct: fix potential integer overflow in encode_comp_t() + - hfs: fix OOB Read in __hfs_brec_find + - wifi: ath9k: verify the expected usb_endpoints are present + - wifi: ar5523: Fix use-after-free on ar5523_cmd() timed out + - bpf: make sure skb->len != 0 when redirecting to a tunneling device + - [i386] hamradio: baycom_epp: Fix return type of baycom_send_packet() + - wifi: brcmfmac: Fix potential shift-out-of-bounds in + brcmf_fw_alloc_request() + - igb: Do not free q_vector unless new one was allocated + - drm/amdgpu: Fix type of second parameter in trans_msg() callback + - drivers/md/md-bitmap: check the return value of md_bitmap_get_counter() + - md/raid1: stop mdx_raid1 thread when raid1 array run failed + - mrp: introduce active flags to prevent UAF when applicant uninit + - ppp: associate skb with a device at tx + - media: dvb-frontends: fix leak of memory fw + - media: dvbdev: adopts refcnt to avoid UAF + - media: dvb-usb: fix memory leak in dvb_usb_adapter_init() + - blk-mq: fix possible memleak when register 'hctx' failed + - regulator: core: fix use_count leakage when handling boot-on + - [arm64] mmc: f-sdh30: Add quirks for broken timeout clock capability + - media: si470x: Fix use-after-free in si470x_int_in_callback() + - orangefs: Fix kmemleak in orangefs_prepare_debugfs_help_string() + - [arm*] ASoC: rockchip: spdif: Add missing clk_disable_unprepare() in + rk_spdif_runtime_resume() + - [x86] ASoC: rt5670: Remove unbalanced pm_runtime_put() + - [arm*] usb: dwc3: core: defer probe on ulpi_read_id timeout + - HID: wacom: Ensure bootloader PID is usable in hidraw mode + - reiserfs: Add missing calls to reiserfs_security_free() + - media: dvbdev: fix refcnt bug + - ata: ahci: Fix PCS quirk application for suspend (regression in 4.19.77) + - HID: plantronics: Additional PIDs for double volume key presses quirk + - hfsplus: fix bug causing custom uid and gid being unable to be assigned + with mount + - ovl: Use ovl mounter's fsuid and fsgid in ovl_link() + - ALSA: line6: correct midi status byte when receiving data from podxt + - ALSA: line6: fix stack overflow in line6_midi_transmit + - pnode: terminate at peers of source + - md: fix a crash in mempool_free + - mmc: vub300: fix warning - do not call blocking ops when !TASK_RUNNING + - SUNRPC: Don't leak netobj memory when gss_read_proxy_verf() fails + - media: stv0288: use explicitly signed char + - dm cache: Fix ABBA deadlock between shrink_slab and + dm_cache_metadata_abort + - dm thin: Use last transaction's pmd->root when commit failed + - dm thin: Fix UAF in run_timer_softirq() + - dm cache: Fix UAF in destroy() + - dm cache: set needs_check flag after aborting metadata + - [x86] microcode/intel: Do not retry microcode reloading on the APs + - tracing: Fix infinite loop in tracing_read_pipe on overflowed + print_trace_line + - media: dvb-core: Fix double free in dvb_register_device() + (regression in 4.19.77) + - media: dvb-core: Fix UAF due to refcount races at releasing + (CVE-2022-41218) + - md/bitmap: Fix bitmap chunk size overflow issues + - ipmi: fix long wait in unload when IPMI disconnect + - ipmi: fix use after free in _ipmi_destroy_user() + - PCI: Fix pci_device_is_present() for VFs by checking PF + - PCI/sysfs: Fix double free in error path + - [amd64] iommu/amd: Fix ivrs_acpihid cmdline parsing code + - device_cgroup: Roll back to original exceptions after copy failure + - drm/connector: send hotplug uevent on connector cleanup + - [x86] drm/vmwgfx: Validate the box size for the snooped cursor + (CVE-2022-36280) + - ext4: add inode table check in __ext4_get_inode_loc to aovid possible + infinite loop + - ext4: add helper to check quota inums + - ext4: fix bug_on in __es_tree_search caused by bad boot loader inode + - ext4: init quota for 'old.inode' in 'ext4_rename' + - ext4: fix corruption when online resizing a 1K bigalloc fs + - ext4: fix error code return to user-space in ext4_get_branch() + - ext4: avoid BUG_ON when creating xattrs + - ext4: fix inode leak in ext4_xattr_inode_create() on an error path + - ext4: initialize quota before expanding inode in setproject ioctl + - ext4: avoid unaccounted block allocation when expanding inode + - ext4: allocate extended attribute value in vmalloc area + - btrfs: send: avoid unnecessary backref lookups when finding clone source + - btrfs: replace strncpy() with strscpy() + - dm thin: resume even if in FAIL mode + - perf probe: Use dwarf_attr_integrate as generic DWARF attr accessor + - perf probe: Fix to get the DW_AT_decl_file and DW_AT_call_file as + unsinged data + - driver core: Set deferred_probe_timeout to a longer default if + CONFIG_MODULES is set + - ext4: goto right label 'failed_mount3a' + - ext4: correct inconsistent error msg in nojournal mode + - ext4: use kmemdup() to replace kmalloc + memcpy + - mbcache: don't reclaim used entries + - mbcache: add functions to delete entry if unused + - ext4: remove EA inode entry from mbcache on inode eviction + - ext4: unindent codeblock in ext4_xattr_block_set() + - ext4: fix race when reusing xattr blocks + - mbcache: automatically delete entries from cache on freeing + - ext4: fix deadlock due to mbcache entry corruption + - SUNRPC: ensure the matching upcall is in-flight upon downcall + - bpf: pull before calling skb_postpull_rcsum() + - qlcnic: prevent ->dcb use-after-free on qlcnic_dcb_enable() failure + - nfc: Fix potential resource leaks + - [amd64,arm64] net: amd-xgbe: add missed tasklet_kill + - RDMA/mlx5: Fix validation of max_rd_atomic caps for DC + - net: sched: atm: dont intepret cls results when asked to drop + (CVE-2023-23455) + - usb: rndis_host: Secure rndis_query check against int overflow + - udf: Fix extension of the last extent in the file + - [x86] ASoC: Intel: bytcr_rt5640: Add quirk for the Advantech MICA-071 + tablet + - [x86] bugs: Flush IBP in ib_prctl_set() (CVE-2023-0045) + - nfsd: fix handling of readdir in v4root vs. mount upcall timeout + - ext4: don't allow journal inode to have encrypt flag + - hfs/hfsplus: use WARN_ON for sanity check + - hfs/hfsplus: avoid WARN_ON() for sanity check, use proper error handling + - mbcache: Avoid nesting of cache->c_list_lock under bit locks + - driver core: Fix bus_type.match() error handling in __driver_attach() + - net: sched: disallow noqueue for qdisc classes (CVE-2022-47929) + - perf auxtrace: Fix address filter duplicate symbol selection + - net/ulp: prevent ULP without clone op from entering the LISTEN status + (CVE-2023-0461) + - ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF + (CVE-2023-0266) + - cifs: Fix uninitialized memory read for smb311 posix symlink create + - [x86] platform/x86: sony-laptop: Don't turn off 0x153 keyboard backlight + during probe + - ipv6: raw: Deduct extension header length in rawv6_push_pending_frames + (CVE-2023-0394) + - [x86] ALSA: hda/hdmi: fix failures at PCM open on Intel ICL and later + - quota: Factor out setup of quota inode + - ext4: fix bug_on in __es_tree_search caused by bad quota inode + - ext4: lost matching-pair of trace in ext4_truncate + - ext4: fix use-after-free in ext4_orphan_cleanup + - ext4: fix uninititialized value in 'ext4_evict_inode' + - netfilter: ipset: Fix overflow before widen in the bitmap_ip_create() + function. + - [x86] boot: Avoid using Intel mnemonics in AT&T syntax asm + - EDAC/device: Fix period calculation in edac_device_reset_delay_period() + - hvc/xen: lock console list traversal + - nfc: pn533: Wait for out_urb's completion in pn533_usb_send_frame() + - net/mlx5: Rename ptp clock info + - net/mlx5: Fix ptp max frequency adjustment range + - drm/virtio: Fix GEM handle creation UAF + - [arm64] cmpxchg_double*: hazard against entire exchange variable + - efi: fix NULL-deref in init error path (regression in 4.19.142) + - [arm*] tty: serial: tegra: Handle RX transfer in PIO mode if DMA wasn't + started + - [arm*] serial: tegra: Only print FIFO error message when an error occurs + - [arm*] serial: tegra: Change lower tolerance baud rate limit for tegra20 + and tegra30 + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.271 + - pNFS/filelayout: Fix coalescing test for single DS + - net/ethtool/ioctl: return -EOPNOTSUPP if we have no phy stats + - RDMA/srp: Move large values to a new enum for gcc13 + - f2fs: let's avoid panic if extent_tree is not created + - nilfs2: fix general protection fault in nilfs_btree_insert() + - xhci-pci: set the dma max_seg_size + - usb: xhci: Check endpoint is valid before dereferencing it + - xhci: Fix null pointer dereference when host dies + - xhci: Add a flag to disable USB3 lpm on a xhci root port level. + - prlimit: do_prlimit needs to have a speculation check (CVE-2023-0458) + - USB: serial: option: add Quectel EM05-G (GR) modem + - USB: serial: option: add Quectel EM05-G (CS) modem + - USB: serial: option: add Quectel EM05-G (RS) modem + - USB: serial: option: add Quectel EC200U modem + - USB: serial: option: add Quectel EM05CN (SG) modem + - USB: serial: option: add Quectel EM05CN modem + - USB: misc: iowarrior: fix up header size for + USB_DEVICE_ID_CODEMERCS_IOW100 + - usb: core: hub: disable autosuspend for TI TUSB8041 + - [x86] comedi: adv_pci1760: Fix PWM instruction handling + - [arm*] mmc: sunxi-mmc: Fix clock refcount imbalance during unbind + - cifs: do not include page data when checking signature + - USB: serial: cp210x: add SCALANCE LPE-9000 device id + - usb: gadget: f_ncm: fix potential NULL ptr deref in ncm_bitrate() + - usb-storage: apply IGNORE_UAS only for HIKSEMI MD202 on RTL9210 + - [i386] serial: pch_uart: Pass correct sg to dma_unmap_sg() + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.272 + - [armhf] dts: imx6qdl-gw560x: Remove incorrect 'uart-has-rtscts' + - [amd64] intel_ish-hid: Add check for ishtp_dma_tx_map + - [amd64] IB/hfi1: Reject a zero-length user expected buffer + - [amd64] IB/hfi1: Reserve user expected TIDs + - [amd64] IB/hfi1: Fix expected receive setup error exit issues + - affs: initialize fsdata in affs_truncate() + - amd-xgbe: TX Flow Ctrl Registers are h/w ver dependent + - amd-xgbe: Delay AN timeout during KR training + - bpf: Fix pointer-leak due to insufficient speculative store bypass + mitigation + - [arm64] phy: rockchip-inno-usb2: Fix missing clk_disable_unprepare() in + rockchip_usb2phy_power_on() + - net: nfc: Fix use-after-free in local_cleanup() + - wifi: rndis_wlan: Prevent buffer overflow in rndis_query_oid + (CVE-2023-23559) + - net: usb: sr9700: Handle negative len + - net: mdio: validate parameter addr in mdiobus_get_phy() + - HID: check empty report_list in hid_validate_values() (CVE-2023-1073) + - usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait + - usb: gadget: f_fs: Ensure ep0req is dequeued before free_request + - net: mlx5: eliminate anonymous module_init & module_exit + - dmaengine: Fix double increment of client_count in dma_chan_get() + - [arm64] net: macb: fix PTP TX timestamp failure due to packet padding + - HID: betop: check shape of output reports + - tcp: avoid the lookup process failing to get sk in ehash table + - w1: fix deadloop in __w1_remove_master_device() + - w1: fix WARNING after calling w1_process() + - netfilter: conntrack: do not renew entry stuck in tcp SYN_SENT state + - block: fix and cleanup bio_check_ro + - perf env: Do not return pointers to local variables + - fs: reiserfs: remove useless new_opts in reiserfs_remount + - Bluetooth: hci_sync: cancel cmd_timer if hci_open failed + - scsi: hpsa: Fix allocation size for scsi_host_alloc() + - module: Don't wait for GOING modules + - tracing: Make sure trace_printk() can output as soon as it can be used + - trace_events_hist: add check for return value of 'create_hist_field' + - smbd: Make upper layer decide when to destroy the transport + - cifs: Fix oops due to uncleared server->smbd_conn in reconnect + - EDAC/device: Respect any driver-supplied workqueue polling value + - net: fix UaF in netns ops registration error path (regression in + 4.19.264) + - netfilter: nft_set_rbtree: skip elements in transaction from garbage + collection + - netlink: remove hash::nelems check in netlink_insert + - netlink: annotate data races around nlk->portid + - netlink: annotate data races around dst_portid and dst_group + - netlink: annotate data races around sk_state + - ipv4: prevent potential spectre v1 gadget in ip_metrics_convert() + - netfilter: conntrack: fix vtag checks for ABORT/SHUTDOWN_COMPLETE + - [x86] netrom: Fix use-after-free of a listening socket. (regression in + 4.19.199) + - sctp: fail if no bound addresses can be used for a given scope + (CVE-2023-1074) + - net/tg3: resolve deadlock in tg3_reset_task() during EEH + - [x86] Revert "Input: synaptics - switch touchpad on HP Laptop 15-da3001TU + to RMI mode" (regression in 4.19.268) + - [x86] i8259: Mark legacy PIC interrupts with IRQ_LEVEL + - [x86] drm/i915/display: fix compiler warning about array overrun + - [armhf] dts: imx: Fix pca9547 i2c-mux node name + - [armhf] dmaengine: imx-sdma: Fix a possible memory leak in + sdma_transfer_init + - panic: unset panic_on_warn inside panic() + - exit: Add and use make_task_dead. + - exit: Put an upper limit on how often we can oops + - exit: Expose "oops_count" to sysfs + - exit: Allow oops_limit to be disabled + - panic: Consolidate open-coded panic_on_warn checks + - panic: Introduce warn_limit + - panic: Expose "warn_count" to sysfs + - docs: Fix path paste-o for /sys/kernel/warn_count + - exit: Use READ_ONCE() for all oops/warn limit reads + - ipv6: ensure sane device mtu in tunnels + - [arm*] usb: host: xhci-plat: add wakeup entry at sysfs + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.273 + - firewire: fix memory leak for payload of request subaction to IEC 61883-1 + FCP region + - [arm*] bus: sunxi-rsb: Fix error handling in sunxi_rsb_init() + - ALSA: hda/via: Avoid potential array out-of-bound in add_secret_dac_path() + - [x86] netrom: Fix use-after-free caused by accept on already connected + socket + - ata: libata: Fix sata_down_spd_limit() when no link speed is reported + - net: openvswitch: fix flow memory leak in ovs_flow_cmd_new + - scsi: target: core: Fix warning on RT kernels + - scsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress + (CVE-2023-2162) + - [arm*] i2c: rk3x: fix a bunch of kernel-doc warnings + - [arm64] usb: dwc3: dwc3-qcom: Fix typo in the dwc3 vbus override API + - [arm64] usb: dwc3: qcom: enable vbus override when in OTG dr-mode + - usb: gadget: f_fs: Fix unbalanced spinlock in __ffs_ep0_queue_wait + - vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF + - [x86] Input: i8042 - merge quirk tables + - [x86] Input: i8042 - add TUXEDO devices to i8042 quirk tables + - [x86] Input: i8042 - add Clevo PCX0DX to i8042 quirk table + - [x86] nVMX x86: Check VMX-preemption timer controls on vmentry of L2 + guests + - [x86] KVM: VMX: Move caching of MSR_IA32_XSS to hardware_setup() + - [x86] KVM: x86/vmx: Do not skip segment attributes if unusable bit is set + - [x86] thermal: intel: int340x: Protect trip temperature from concurrent + updates + - fbcon: Check font dimension limits + - efi: Accept version 2 of memory attributes table + - iio: hid: fix the retval in accel_3d_capture_sample + - mm: hugetlb: proc: check for hugetlb shared PMD in /proc/PID/smaps + - mm/swapfile: add cond_resched() in get_swap_pages() + - Squashfs: fix handling and sanity checking of xattr_ids count + - serial: 8250_dma: Fix DMA Rx completion race + - serial: 8250_dma: Fix DMA Rx rearm race + - [x86] thermal: intel: int340x: Add locking to + int340x_thermal_get_trip_type() + - btrfs: limit device extents to the device size + - [x86] ALSA: emux: Avoid potential array out-of-bound in + snd_emux_xg_control() + - [amd64] IB/hfi1: Restore allocated resources on failed copyout + - [arm64] net: phy: meson-gxl: add g12a support + - [arm64] net: phy: meson-gxl: use MMD access dummy stubs for GXL, internal + PHY + - rds: rds_rm_zerocopy_callback() use list_first_entry() (CVE-2023-1078) + - ALSA: pci: lx6464es: fix a debug loop + - [arm*] pinctrl: single: fix potential NULL dereference + - [x86] pinctrl: intel: Convert unsigned to unsigned int + - [x86] pinctrl: intel: Restore the pins that used to be in Direct IRQ mode + - net: USB: Fix wrong-direction WARNING in plusb.c + - usb: core: add quirk for Alcor Link AK9563 smartcard reader + - [arm64] dts: meson-gx: Make mmc host controller interrupts level- + sensitive + - [arm64] dts: meson-axg: Make mmc host controller interrupts level- + sensitive + - bpf: Always return target ifindex in bpf_fib_lookup + - migrate: hugetlb: check for hugetlb shared PMD in node migration + - [x86] net/rose: Fix to not accept on connected socket + - nvme-fc: fix a missing queue put in nvmet_fc_ls_create_association + - aio: fix mremap after fork null-deref + - netfilter: nft_tproxy: restrict to prerouting hook + - mmc: sdio: fix possible resource leaks in some error paths + - ALSA: hda/conexant: add a new hda codec SN6180 + - ALSA: hda/realtek - fixed wrong gpio assigned + - [armhf,i386] hugetlb: check for undefined shift on 32 bit architectures + - i40e: add double of VLAN header when computing the max MTU + - dccp/tcp: Avoid negative sk_forward_alloc by ipv6_pinfo.pktoptions. + - net/usb: kalmia: Don't pass act_len in usb_bulk_msg error path + - [arm*] net: stmmac: fix order of dwmac5 FlexPPS parametrization sequence + - bnxt_en: Fix mqprio and XDP ring checking logic + - [arm*] net: stmmac: Restrict warning on disabling DMA store and fwd mode + - net: mpls: fix stale pointer if allocation fails during device rename + (CVE-2023-26545) + - ipv6: Fix datagram socket connection with DSCP. + - ipv6: Fix tcp socket connection with DSCP. + - i40e: Add checking for null for nlmsg_find_attr() + - [x86] kvm: initialize all of the kvm_debugregs structure before sending + it to userspace (CVE-2023-1513) + - nilfs2: fix underflow in second superblock position calculations + - [arm64] net: phy: meson-gxl: Add generic dummy stubs for MMD register + access + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.274 + - wifi: rtl8xxxu: gen2: Turn on the rate control + - random: always mix cycle counter in add_latent_entropy() + - can: kvaser_usb: hydra: help gcc-13 to figure out cmd_len + - alarmtimer: Prevent starvation by small intervals and SIG_IGN + - [x86] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry + (CVE-2022-3707) + - mac80211: mesh: embedd mesh_paths and mpp_paths into ieee80211_if_mesh + - uaccess: Add speculation barrier to copy_from_user() (CVE-2023-0459) + - bpf: add missing header file include + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.275 + - [armhf] dts: rockchip: add power-domains property to dp node on rk3288 + - [amd64,arm64] ACPI: NFIT: fix a potential deadlock during NFIT teardown + - btrfs: send: limit number of clones and allocated memory size + - [amd64] IB/hfi1: Assign npages earlier + - net: Remove WARN_ON_ONCE(sk->sk_forward_alloc) from sk_stream_kill_queues(). + - vc_screen: don't clobber return value in vcs_read + - USB: serial: option: add support for VW/Skoda "Carstick LTE" + - USB: core: Don't hold device lock while reading the "descriptors" sysfs + file + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.276 + - HID: asus: Remove check for same LED brightness on set + - HID: asus: use spinlock to protect concurrent accesses + - HID: asus: use spinlock to safely schedule workers (CVE-2023-1079) + - [armhf] OMAP2+: Fix memory leak in realtime_counter_init() + - [armhf] imx: Call ida_simple_remove() for ida_simple_get + - [arm64] dts: meson-axg: enable SCPI + - blk-mq: remove stale comment for blk_mq_sched_mark_restart_hctx + - block: bio-integrity: Copy flags when bio_integrity_payload is cloned + - wifi: rsi: Fix memory leak in rsi_coex_attach() + - wifi: libertas: fix memory leak in lbs_init_adapter() + - wifi: rtl8xxxu: don't call dev_kfree_skb() under spin_lock_irqsave() + - rtlwifi: fix -Wpointer-sign warning + - wifi: rtlwifi: Fix global-out-of-bounds bug in + _rtl8812ae_phy_set_txpower_limit() + - ipw2x00: switch from 'pci_' to 'dma_' API + - wifi: ipw2x00: don't call dev_kfree_skb() under spin_lock_irqsave() + - wifi: ipw2200: fix memory leak in ipw_wdev_init() + - wifi: brcmfmac: fix potential memory leak in brcmf_netdev_start_xmit() + - wifi: brcmfmac: unmap dma buffer in brcmf_msgbuf_alloc_pktid() + - wifi: libertas_tf: don't call kfree_skb() under spin_lock_irqsave() + - wifi: libertas: if_usb: don't call kfree_skb() under spin_lock_irqsave() + - wifi: libertas: main: don't call kfree_skb() under spin_lock_irqsave() + - wifi: libertas: cmdresp: don't call kfree_skb() under spin_lock_irqsave() + - [x86] wifi: wl3501_cs: don't call kfree_skb() under spin_lock_irqsave() + - [x86] ACPICA: Drop port I/O validation for some regions + - genirq: Fix the return type of kstat_cpu_irqs_sum() + - lib/mpi: Fix buffer overrun when SG is too long + - ACPICA: nsrepair: handle cases without a return value correctly + - [x86] wifi: orinoco: check return value of hermes_write_wordrec() + - wifi: ath9k: htc_hst: free skb in ath9k_htc_rx_msg() if there is no + callback function + - wifi: ath9k: hif_usb: clean up skbs if ath9k_hif_usb_rx_stream() fails + - wifi: ath9k: Fix potential stack-out-of-bounds write in + ath9k_wmi_rsp_callback() + - [x86] ACPI: battery: Fix missing NUL-termination with large strings + - crypto: seqiv - Handle EBUSY correctly + - Bluetooth: L2CAP: Fix potential user-after-free + - libbpf: Fix alen calculation in libbpf_nla_dump_errormsg() + - rds: rds_rm_zerocopy_callback() correct order for list_add_tail() + - crypto: rsa-pkcs1pad - Use akcipher_request_complete + - wifi: iwl3945: Add missing check for create_singlethread_workqueue + - wifi: iwl4965: Add missing check for create_singlethread_workqueue() + - wifi: mwifiex: fix loop iterator in mwifiex_update_ampdu_txwinsize() + - wifi: mac80211: make rate u32 in sta_set_rate_info_rx() + - can: esd_usb: Move mislocated storage of SJA1000_ECC_SEG bits in case of + a bus error + - [arm*] drm/vc4: dpi: Add option for inverting pixel clock and output + enable + - [arm*] drm/vc4: dpi: Fix format mapping for RGB565 + - [arm64] drm/msm/hdmi: Add missing check for alloc_ordered_workqueue + - ALSA: hda/ca0132: minor fix for allocation size + - drm/mipi-dsi: Fix byte order of 16-bit DCS set/get brightness + - [arm64] drm/msm: use strscpy instead of strncpy + - [arm64] drm/msm/dpu: Add check for pstates + - [arm*] gpu: host1x: Don't skip assigning syncpoints to channels + - [x86] ASoC: soc-compress.c: fixup private_data on snd_soc_new_compress() + - scsi: aic94xx: Add missing check for dma_map_single() + - nfsd: fix race to check ls_layouts + - gfs2: jdata writepage fix + - perf llvm: Fix inadvertent file creation + - [arm64] perf tools: Fix auto-complete on aarch64 + - [armhf] mtd: rawnand: sunxi: Fix the size of the last OOB region + - Input: ads7846 - don't report pressure for ads7845 + - Input: ads7846 - don't check penirq immediately for 7845 + - clk: Honor CLK_OPS_PARENT_ENABLE in clk_core_is_enabled() + - [armhf] media: platform: ti: Add missing check for devm_regulator_get + - media: rc: Fix use-after-free bugs caused by ene_tx_irqsim() + (CVE-2023-1118) + - media: i2c: ov7670: 0 instead of -EINVAL was returned + - media: usb: siano: Fix use after free bugs caused by do_submit_urb + - [arm64] rpmsg: glink: Avoid infinite loop on intent for missing channel + - [armhf] dts: exynos: Use Exynos5420 compatible for the MIPI video phy + - wifi: brcmfmac: Fix potential stack-out-of-bounds in + brcmf_c_preinit_dcmds() + - rcu: Suppress smp_processor_id() complaint in + synchronize_rcu_expedited_wait() + - [x86] thermal: intel: Fix unsigned comparison with less than zero + - timers: Prevent union confusion from unexpected restart_syscall() + - [x86] bugs: Reset speculation control settings on init + - wifi: brcmfmac: ensure CLM version is null-terminated to prevent stack- + out-of-bounds + - inet: fix fast path in __inet_hash_connect() + - ACPI: Don't build ACPICA with '-Os' + - [x86] ACPI: video: Fix Lenovo Ideapad Z570 DMI match + - drm/amd/display: Fix potential null-deref in dm_resume + - [arm64] drm/msm/dsi: Add missing check for alloc_ordered_workqueue + - dm thin: add cond_resched() to various workqueue loops + - dm cache: add cond_resched() to various workqueue loops + - wifi: rtl8xxxu: fixing transmisison failure for rtl8192eu + - [arm64] rtc: pm8xxx: fix set-alarm race + - hfs: fix missing hfs_bnode_get() in __hfs_bnode_create + - fs: hfsplus: fix UAF issue in hfsplus_put_super + - f2fs: fix information leak in f2fs_move_inline_dirents() + - ocfs2: fix defrag path triggering jbd2 ASSERT + - ocfs2: fix non-auto defrag path not working issue + - udf: Truncate added extents on failed expansion + - udf: Do not bother merging very long extents + - udf: Do not update file length for failed writes to inline files + - udf: Fix file corruption when appending just after end of preallocated + extent + - [x86] virt: Force GIF=1 prior to disabling SVM (for reboot flows) + - [x86] crash: Disable virt in core NMI crash handler to avoid double + shootdown + - [x86] reboot: Disable virtualization in an emergency if SVM is supported + - [x86] reboot: Disable SVM, not just VMX, when stopping CPUs + - [x86] kprobes: Fix __recover_optprobed_insn check optimizing logic + - [x86] kprobes: Fix arch_check_optimized_kprobe check within + optimized_kprobe range + - [x86] microcode/amd: Remove load_microcode_amd()'s bsp parameter + - [x86] microcode/AMD: Add a @cpu parameter to the reloading functions + - [x86] microcode/AMD: Fix mixed steppings support + - [x86] speculation: Allow enabling STIBP with legacy IBRS (CVE-2023-1998) + - irqdomain: Fix association race + - irqdomain: Fix disassociation race + - irqdomain: Drop bogus fwspec-mapping error handling + - [x86] ALSA: ice1712: Do not left ice->gpio_mutex locked in + aureon_add_controls() + - ext4: optimize ea_inode block expansion + - ext4: refuse to create ea block when umounted + - wifi: rtl8xxxu: Use a longer retry limit of 48 + - wifi: cfg80211: Fix use after free for wext + - dm flakey: fix logic when corrupting a bio + - dm flakey: don't corrupt the zero page + - [armhf] dts: exynos: correct TMU phandle in Exynos4 + - [armhf] dts: exynos: correct TMU phandle in Odroid XU + - rbd: avoid use-after-free in do_rbd_add() when rbd_dev_create() fails + - scsi: qla2xxx: Fix link failure in NPIV environment + - scsi: qla2xxx: Fix erroneous link down + - scsi: ses: Don't attach if enclosure has no components + - scsi: ses: Fix slab-out-of-bounds in ses_enclosure_data_process() + - scsi: ses: Fix possible addl_desc_ptr out-of-bounds accesses + - scsi: ses: Fix possible desc_ptr out-of-bounds accesses + - scsi: ses: Fix slab-out-of-bounds in ses_intf_remove() + - [x86] PCI: Avoid FLR for AMD FCH AHCI adapters + - [x86] drm/radeon: Fix eDP for single-display iMac11,2 + - wifi: ath9k: use proper statements in conditionals + - net/sched: Retire tcindex classifier (CVE-2023-1281, CVE-2023-1829) + - fs/jfs: fix shift exponent db_agl2size negative + - ubi: ensure that VID header offset + VID header size <= alloc, size + - ubifs: Rectify space budget for ubifs_symlink() if symlink is encrypted + - ubifs: Rectify space budget for ubifs_xrename() + - ubifs: Fix wrong dirty space budget for dirty inode + - ubifs: do_rename: Fix wrong space budget when target inode's nlink > 1 + - ubifs: Reserve one leb for each journal head while doing budget + - ubi: Fix use-after-free when volume resizing failed + - ubi: Fix unreferenced object reported by kmemleak in ubi_resize_volume() + - ubi: Fix possible null-ptr-deref in ubi_free_volume() + - ubifs: Re-statistic cleaned znode count if commit failed + - ubifs: dirty_cow_znode: Fix memleak in error handling path + - ubifs: ubifs_writepage: Mark page dirty after writing inode failed + - ubi: Fix UAF wear-leveling entry in eraseblk_count_seq_show() + - ubi: ubi_wl_put_peb: Fix infinite loop when wear-leveling work failed + - [x86] watchdog: pcwd_usb: Fix attempting to access uninitialized memory + - netfilter: ctnetlink: fix possible refcount leak in + ctnetlink_create_conntrack() + - net: fix __dev_kfree_skb_any() vs drop monitor + - 9p/xen: fix version parsing + - 9p/xen: fix connection sequence + - 9p/rdma: unmap receive dma buffer in rdma_request()/post_recv() + - nfc: fix memory leak of se_io context in nfc_genl_se_io + - tcp: tcp_check_req() can be called from process context + - vc_screen: modify vcs_size() handling in vcs_read() + - [x86] scsi: ipr: Work around fortify-string warning + - tracing: Add NULL checks for buffer in ring_buffer_free_read_page() + - [x86] firmware/efi sysfb_efi: Add quirk for Lenovo IdeaPad Duet 3 + - media: uvcvideo: Handle cameras with invalid descriptors + - media: uvcvideo: Handle errors from calls to usb_string + - media: uvcvideo: Silence memcpy() run-time false positive warnings + - tty: fix out-of-bounds access in tty_driver_lookup_tty() + - [x86] mei: bus-fixup:upon error print return values of send and receive + - USB: ene_usb6250: Allocate enough memory for full object + - [arm64] phy: rockchip-typec: Fix unsigned comparison with less than zero + - Bluetooth: hci_sock: purge socket queues in the destruct() callback + - tcp: Fix listen() regression in 4.19.270 + - media: uvcvideo: Provide sync and async uvc_ctrl_status_event + - media: uvcvideo: Fix race condition with usb_kill_urb + - f2fs: fix cgroup writeback accounting with fs-layer encryption + - [x86] thermal: intel: powerclamp: Fix cur_state for multi package system + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.277 + - wifi: cfg80211: Partial revert "wifi: cfg80211: Fix use after free for + wext" + - [x86] staging: rtl8192e: Remove function ..dm_check_ac_dc_power calling + a script + - [x86] staging: rtl8192e: Remove call_usermodehelper starting + RadioPower.sh + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.278 + - fs: prevent out-of-bounds array speculation when closing a file + descriptor + - [x86] CPU/AMD: Disable XSAVES on AMD family 0x17 + - ext4: fix RENAME_WHITEOUT handling for inline directories (regression in + 4.19.183) + - ext4: fix another off-by-one fsmap error on 1k block filesystems + - ext4: move where set the MAY_INLINE_DATA flag is set + - ext4: fix WARNING in ext4_update_inline_data + - ext4: zero i_disksize when initializing the bootloader inode + - nfc: change order inside nfc_se_io error path + - udf: reduce leakage of blocks related to named streams + - udf: Remove pointless union in udf_inode_info + - udf: Preserve link count of system files + - udf: Detect system inodes linked into directory hierarchy + - kbuild: fix false-positive need-builtin calculation + - kbuild: generate modules.order only in directories visited by obj-y/m + - scsi: core: Remove the /proc/scsi/${proc_name} directory earlier + - tipc: improve function tipc_wait_for_cond() + - [x86] drm/i915: Don't use BAR mappings for ring buffers with LLC + - ila: do not generate empty messages in ila_xlat_nl_cmd_get_mapping() + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.279 + - ext4: fix cgroup writeback accounting with fs-layer encryption + - fs: sysfs_emit_at: Remove PAGE_SIZE alignment check (regression in + 4.19.179) + - tcp: tcp_make_synack() can be called from process context + - nfc: pn533: initialize struct pn533_out_arg properly + - qed/qed_dev: guard against a possible division by zero + - net: tunnels: annotate lockless accesses to dev->needed_headroom + - net: phy: smsc: bail out in lan87xx_read_status if genphy_read_status + fails + - nfc: st-nci: Fix use after free bug in ndlc_remove due to race condition + (CVE-2023-1990) + - net: usb: smsc75xx: Limit packet length to skb->len + - nvmet: avoid potential UAF in nvmet_req_complete() + - ipv4: Fix incorrect table ID in IOCTL path + - net: usb: smsc75xx: Move packet length check to prevent kernel panic in + skb_pull + - hwmon: (adt7475) Display smoothing attributes in correct order + - hwmon: (adt7475) Fix masking of hysteresis registers + - [arm64] hwmon: (xgene) Fix use after free bug in xgene_hwmon_remove due + to race condition (CVE-2023-1855) + - jffs2: correct logic when creating a hole in jffs2_write_begin + - ext4: fail ext4_iget if special inode unallocated + - ext4: fix task hung in ext4_xattr_delete_inode + - [amd64] drm/amdkfd: Fix an illegal memory access + - tracing: Check field value in hist_field_name() + - ftrace: Fix invalid address access in lookup_rec() when index is 0 + - [x86] mm: Fix use of uninitialized buffer in sme_enable() + - [x86] drm/i915: Don't use stolen memory for ring buffers with LLC + - HID: core: Provide new max_buffer_size attribute to over-ride the default + - HID: uhid: Over-ride the default maximum data buffer value with our own + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.280 + - power: supply: da9150: Fix use after free bug in da9150_charger_remove + due to race condition (CVE-2023-30772) + - i40evf: Change a VF mac without reloading the VF driver + - intel-ethernet: rename i40evf to iavf + - iavf: diet and reformat + - iavf: fix inverted Rx hash condition leading to disabled hash + - intel/igbvf: free irq on the error path in igbvf_request_msix() + - igbvf: Regard vf reset nack as success + - scsi: scsi_dh_alua: Fix memleak for 'qdata' in alua_activate() + - net: usb: smsc95xx: Limit packet length to skb->len + - qed/qed_sriov: guard against NULL derefs from qed_iov_get_vf_info + - [x86] xirc2ps_cs: Fix use after free bug in xirc2ps_detach + (CVE-2023-1670) + - [arm64] net: qcom/emac: Fix use after free bug in emac_remove due to race + condition + - bpf: Adjust insufficient default bpf_jit_limit + - net/mlx5: Read the TC mapping of all priorities on ETS query + - erspan: do not use skb_mac_header() in ndo_start_xmit() + - hvc/xen: prevent concurrent accesses to the shared ring + - [arm64] net: mdio: thunder: Add missing fwnode_handle_put() + - [arm64 ]Bluetooth: btqcomsmd: Fix command timeout after setting BD + address + - Bluetooth: btsdio: fix use after free bug in btsdio_remove due to + unfinished work (CVE-2023-1989) + - [x86] hwmon (it87): Fix voltage scaling for chips with 10.9mV ADCs + - uas: Add US_FL_NO_REPORT_OPCODES for JMicron JMS583Gen 2 + - [x86] thunderbolt: Use const qualifier for `ring_interrupt_index` + - scsi: target: iscsi: Fix an error message in iscsi_check_key() + - scsi: ufs: core: Add soft dependency on governor_simpleondemand + - net: usb: cdc_mbim: avoid altsetting toggling for Telit FE990 + - net: usb: qmi_wwan: add Telit 0x1080 composition + - cifs: empty interface list when server doesn't support query interfaces + - scsi: core: Add BLIST_SKIP_VPD_PAGES for SKhynix H28U74301AMR + - usb: gadget: u_audio: don't let userspace block driver unbind + - igb: revert rtnl_lock() that causes deadlock (regression in 4.19.256) + - dm thin: fix deadlock when swapping to thin device + - [arm*] usb: chipdea: core: fix return -EINVAL if request role is the same + with current role + - [arm*] usb: chipidea: core: fix possible concurrent when switch role + - nilfs2: fix kernel-infoleak in nilfs_ioctl_wrap_copy() + - [arm64] i2c: xgene-slimpro: Fix out-of-bounds bug in + xgene_slimpro_i2c_xfer() (CVE-2023-2194) + - dm stats: check for and propagate alloc_percpu failure + - dm crypt: add cond_resched() to dmcrypt_write() + - sched/fair: sanitize vruntime of entity being placed + - sched/fair: Sanitize vruntime of entity being migrated + - tun: avoid double free in tun_free_netdev (CVE-2022-4744) + - ocfs2: fix data corruption after failed write (regression in 4.19.155) + - md: avoid signed overflow in slot_store() + - [x86] ALSA: asihpi: check pao in control_message() + - ALSA: hda/ca0132: fixup buffer overrun at tuning_ctl_set() + - sched_getaffinity: don't assume 'cpumask_size()' is fully initialized + - [i386] fbdev: lxfb: Fix potential divide by zero + - scsi: megaraid_sas: Fix crash after a double completion + - can: bcm: bcm_tx_setup(): fix KMSAN uninit-value in vfs_write + - i40e: fix registers dump after run ethtool adapter self test + - [arm*] net: dsa: mv88e6xxx: Enable IGMP snooping on user ports only + - [arm*] net: mvneta: make tx buffer array agnostic + - [arm*] Input: alps - fix compatibility with -funsigned-char + - [arm*] Input: focaltech - use explicitly signed char type + - cifs: prevent infinite recursion in CIFSGetDFSRefer() + - cifs: fix DFS traversal oops without CONFIG_CIFS_DFS_UPCALL + - xen/netback: don't do grant copy across page boundary (regression in + 4.19.269) + - [x86] ALSA: hda/conexant: Partial revert of a quirk for Lenovo + (regression in 4.19.256) + - ALSA: usb-audio: Fix regression on detection of Roland VS-100 + (regression in 4.19.164) + - [armhf] drm/etnaviv: fix reference leak when mmaping imported buffer + - ext4: fix kernel BUG in 'ext4_write_inline_data_end()' + - gfs2: Always check inode size of inline inodes + - net: sched: cbq: dont intepret cls results when asked to drop + (CVE-2023-23454) + - cgroup/cpuset: Change cpuset_rwsem and hotplug lock order + - cgroup: Fix threadgroup_rwsem <-> cpus_read_lock() deadlock (regression + in 4.19.232) + - cgroup: Add missing cpus_read_lock() to cgroup_attach_task_all() + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.281 + - pinctrl: Added IRQF_SHARED flag for amd-pinctrl driver + - pinctrl: amd: Use irqchip template + - pinctrl: amd: disable and mask interrupts on probe + - NFSv4: Convert struct nfs4_state to use refcount_t + - NFSv4: Check the return value of update_open_stateid() + - NFSv4: Fix hangs when recovering open state after a server reboot + - [arm64] pwm: cros-ec: Explicitly set .polarity in .get_state() + - wifi: mac80211: fix invalid drv_sta_pre_rcu_remove calls for non-uploaded + sta + - icmp: guard against too small mtu + - net: don't let netpoll invoke NAPI if in xmit context + - sctp: check send stream number after wait_for_sndbuf + - ipv6: Fix an uninit variable access bug in __ip6_make_skb() + - USB: serial: cp210x: add Silicon Labs IFS-USB-DATACABLE IDs + - USB: serial: option: add Telit FE990 compositions + - USB: serial: option: add Quectel RM500U-CN modem + - nilfs2: fix potential UAF of struct nilfs_sc_info in + nilfs_segctor_thread() + - nilfs2: fix sysfs interface lifetime + - [x86] ALSA: hda/realtek: Add quirk for Clevo X370SNW + - perf/core: Fix the same task check in perf_event_set_output + - ftrace: Mark get_lock_parent_ip() __always_inline + - ring-buffer: Fix race while reader and writer are on the same page + - mm/swap: fix swap_info_struct race between swapoff and get_swap_pages() + - [x86] ALSA: emu10k1: fix capture interrupt handler unlinking + - [x86] ALSA: hda/sigmatel: add pin overrides for Intel DP45SG motherboard + - [x86] ALSA: i2c/cs8427: fix iec958 mixer control deactivation + - [x86] ALSA: hda/sigmatel: fix S/PDIF out on Intel D*45* motherboards + - Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp} + - Bluetooth: Fix race condition in hidp_session_thread + - mtdblock: tolerate corrected bit-flips + - 9p/xen : Fix use after free bug in xen_9pfs_front_remove due to race + condition (CVE-2023-1859) + - niu: Fix missing unwind goto in niu_alloc_channels() + - qlcnic: check pci_reset_function result + - sctp: fix a potential overflow in sctp_ifwdtsn_skip + - [arm64] net: macb: fix a memory corruption in extended buffer descriptor + mode + - udp6: fix potential access to stale information + - [arm64] power: supply: cros_usbpd: reclassify "default case!" as debug + - [x86] efi: sysfb_efi: Add quirk for Lenovo Yoga Book X91F/L + - [amd64] verify_pefile: relax wrapper length check + - scsi: ses: Handle enclosure with just a primary component gracefully + - [x86] PCI: Add quirk for AMD XHCI controller that loses MSI-X state in + D3hot + - ubi: Fix failure attaching when vid_hdr offset equals to (sub)page size + - ubi: Fix deadlock caused by recursively holding work_sem + - cgroup/cpuset: Wake up cpuset_attach_wq tasks in cpuset_cancel_attach() + - [arm64] watchdog: sbsa_wdog: Make sure the timeout programming is within + the limits + - [x86] KVM: nVMX: add missing consistency checks for CR0 and CR4 + (CVE-2023-30456) + - [arm64] KVM: arm64: Factor out core register ID enumeration + - [arm64] KVM: arm64: Filter out invalid core register IDs in + KVM_GET_REG_LIST (regression in 4.19) + - [arm64] KVM: Fix system register enumeration + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.282 + - net: sched: sch_qfq: prevent slab-out-of-bounds in qfq_activate_agg + - virtio_net: bugfix overflow inside xdp_linearize_page() + - i40e: fix accessing vsi->active_filters without holding lock + - i40e: fix i40e_setup_misc_vector() error handling + - mlxfw: fix null-ptr-deref in mlxfw_mfa2_tlv_next() + - e1000e: Disable TSO on i219-LM card to increase speed + - f2fs: Fix f2fs_truncate_partial_nodes ftrace event + - [x86] Input: i8042 - add quirk for Fujitsu Lifebook A574/H + - scsi: megaraid_sas: Fix fw_crash_buffer_show() + - scsi: core: Improve scsi_vpd_inquiry() checks + - xen/netback: use same error messages for same errors + - nilfs2: initialize unused bytes in segment summary blocks + - memstick: fix memory leak if card device is never registered + - [x86] purgatory: Don't generate debug info for purgatory.ro + - Revert "ext4: fix use-after-free in ext4_xattr_set_entry" (regression in + 4.19.256) + - ext4: remove duplicate definition of ext4_xattr_ibody_inline_set() + - ext4: fix use-after-free in ext4_xattr_set_entry + - udp: Call inet6_destroy_sock() in setsockopt(IPV6_ADDRFORM). + - tcp/udp: Call inet6_destroy_sock() in IPv6 sk->sk_destruct(). + - inet6: Remove inet6_destroy_sock() in sk->sk_prot->destroy(). + - dccp: Call inet6_destroy_sock() via sk->sk_destruct(). + - sctp: Call inet6_destroy_sock() via sk->sk_destruct(). + + [ Ben Hutchings ] + * Bump ABI to 24 + * [armhf] Disable LOCK_DOWN_KERNEL, LOCK_DOWN_IN_EFI_SECURE_BOOT, and + MODULE_SIG where we don't sign code (Closes: #825141) + * [rt] Update to 4.19.280-rt123: + - workqueue: Fix deadlock due to recursive locking of pool->lock + * [rt] netpoll: Fix netif_local_xmit_active() for 4.19-rt + 4.19.269-1 [Tue, 20 Dec 2022 23:56:34 +0100] Ben Hutchings <benh@debian.org>: * New upstream stable update: <http://piuparts.knut.univention.de/5.0-3/#2945757476258133704>
OK: bug OK: yaml OK: announce_errata OK: patch ~OK: piuparts OK apt-get install -t apt linux-latest-amd64 OK amd64 @ kvm + SeaBIOS OK amd64 @ kvm + OVMF + SB FAIL: mokutil --sb-state There seems to be an incompatible change with the 4M version and EFI variables no longer work. OK dmesg -H | grep -i secure IGN amd64 @ xenX OK uname -a OK dmesg -H OK ./linux-dmesg-norm -a OK Rebuild latest ISO with new D-I: isotests/ucs_5.0-2-latest-amd64.iso [5.0-3] fff5b52285 Bug #56032: linux 4.19.282-1 doc/errata/staging/linux.yaml | 83 +++++++++++++++++++++---------------------- 1 file changed, 41 insertions(+), 42 deletions(-) [5.0-3] 7ef559e2d0 Bug #56032: linux 4.19.282-1 doc/errata/staging/linux.yaml | 113 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 113 insertions(+)
<https://errata.software-univention.de/#/?erratum=5.0x658> <https://errata.software-univention.de/#/?erratum=5.0x659> <https://errata.software-univention.de/#/?erratum=5.0x660>