Bug 47490 - linux: Multiple issues (4.3)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 4.3
Hardware: All Linux
Importance: P5 normal
Target Milestone: UCS 4.3-1-errata
Assigned To: Quality Assurance
QA Contact: Philipp Hahn
Reported: 2018-08-08 07:41 CEST by Quality Assurance
Modified: 2018-08-22 14:26 CEST
What kind of report is it?: Security Issue
Max CVSS v3 score: 8.0 (CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


Description Quality Assurance univentionstaff 2018-08-08 07:41:52 CEST
New Debian linux-latest 80+deb9u5 fixes:
This update addresses the following issue(s):
* 

Debian update 80+deb9u5

80+deb9u5 (Thu, 14 Jun 2018 15:07:03 +0100) * Update to 4.9.0-7
Comment 1 Quality Assurance univentionstaff 2018-08-08 19:07:11 CEST
--- mirror/ftp/4.3/unmaintained/4.3-0/source/linux-latest_80+deb9u4.dsc
+++ apt/ucs_4.3-0-errata4.3-1/source/linux-latest_80+deb9u5.dsc
@@ -1,3 +1,7 @@
+80+deb9u5 [Thu, 14 Jun 2018 15:07:03 +0100] Ben Hutchings <ben@decadent.org.uk>:
+
+  * Update to 4.9.0-7
+
 80+deb9u4 [Thu, 22 Feb 2018 08:32:44 +0100] Yves-Alexis Perez <corsac@debian.org>:
 
   * Update to 4.9.0-6
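
Review bot: the added 80+deb9u5 entry consists only of "* Update to 4.9.0-7" and names no CVE, so this changelog cannot fill the empty issue list in the bug description. Take the CVE ids for the erratum text from the linux source package changelog instead, and state there that the kernel ABI name moves from 4.9.0-6 to 4.9.0-7, so the matching 4.9.0-7 packages must ship in the same erratum and hosts need a reboot into the new kernel.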

<http://10.200.17.11/4.3-1/#8358591334098079801>
Comment 2 Quality Assurance univentionstaff 2018-08-08 19:07:14 CEST
--- mirror/ftp/4.3/unmaintained/4.3-1/source/linux_4.9.88-1+deb9u1.dsc
+++ apt/ucs_4.3-0-errata4.3-1/source/linux_4.9.110-3+deb9u1.dsc
@@ -1,3 +1,1025 @@
+4.9.110-3+deb9u1 [Fri, 03 Aug 2018 20:30:23 +0200] Salvatore Bonaccorso <carnil@debian.org>:
+
+  [ Romain Perier ]
+  * fs: Fix up non-directory creation in SGID directories (CVE-2018-13405)
+
+  [ Salvatore Bonaccorso ]
+  * tcp: free batches of packets in tcp_prune_ofo_queue()
+  * tcp: avoid collapses in tcp_prune_queue() if possible
+  * tcp: detect malicious patterns in tcp_collapse_ofo_queue()
+  * tcp: call tcp_drop() from tcp_data_queue_ofo()
+
+4.9.110-3 [Mon, 23 Jul 2018 17:47:13 +0100] Ben Hutchings <ben@decadent.org.uk>:
+
+  [ Salvatore Bonaccorso ]
+  * cdc_ncm: avoid padding beyond end of skb (Closes: #893393)
+  * Revert "sit: reload iphdr in ipip6_rcv" (Closes: #903776)
+
+4.9.110-2 [Wed, 18 Jul 2018 18:57:56 +0100] Ben Hutchings <ben@decadent.org.uk>:
+
+  [ Cyril Brulebois ]
+  * udeb: Add virtio_console to virtio-modules (Closes: #903122).
+
+  [ Ben Hutchings ]
+  * [x86] xen: Fix boot regression in PV domains (Closes: #903767):
+    - x86/xen: Add call of speculative_store_bypass_ht_init() to PV paths
+    - x86/cpu: Re-apply forced caps every time CPU caps are re-read
+  * ext4: fix false negatives *and* false positives in ext4_check_descriptors()
+    (Closes: #903838)
+  * xen-netfront: Fix regressions in 4.9.104 (Closes: #903914):
+    - Fix mismatched rtnl_unlock
+    - Update features after registering netdev
+
+4.9.110-1 [Thu, 05 Jul 2018 02:29:30 +0100] Ben Hutchings <ben@decadent.org.uk>:
+
+  * New upstream stable update:
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.108
+    - tpm: do not suspend/resume if power stays on
+    - tpm: self test failure should not cause suspend to fail
+    - mmap: introduce sane default mmap limits
+    - mmap: relax file size limit for regular files
+    - btrfs: define SUPER_FLAG_METADUMP_V2
+    - drm: set FMODE_UNSIGNED_OFFSET for drm files
+    - bnx2x: use the right constant
+    - dccp: don't free ccid2_hc_tx_sock struct in dccp_disconnect()
+    - enic: set DMA mask to 47 bit
+    - ip6mr: only set ip6mr_table from setsockopt when ip6mr_new_table succeeds
+    - ipv4: remove warning in ip_recv_error
+    - isdn: eicon: fix a missing-check bug
+    - net/packet: refine check for priv area size
+    - net: usb: cdc_mbim: add flag FLAG_SEND_ZLP
+    - packet: fix reserve calculation
+    - qed: Fix mask for physical address in ILT entry
+    - sctp: not allow transport timeout value less than HZ/5 for hb_timer
+    - team: use netdev_features_t instead of u32
+    - vhost: synchronize IOTLB message with dev cleanup
+    - vrf: check the original netdevice for generating redirect
+    - net/mlx4: Fix irq-unsafe spinlock usage
+    - rtnetlink: validate attributes in do_setlink()
+    - net: phy: broadcom: Fix bcm_write_exp()
+    - net: metrics: add proper netlink validation
+    - dm bufio: avoid false-positive Wmaybe-uninitialized warning
+    - objtool: complete e390f9a port for v4.9.106
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.109
+    - [x86] fpu: Hard-disable lazy FPU mode
+    - bonding: correctly update link status during mii-commit phase
+    - bonding: fix active-backup transition
+    - bonding: require speed/duplex only for 802.3ad, alb and tlb
+    - nvme-pci: initialize queue memory before interrupts
+    - af_key: Always verify length of provided sadb_key
+    - [x86] crypto, x86/fpu: Remove X86_FEATURE_EAGER_FPU #ifdef from the
+      crc32c code
+    - nvmet: Move serial number from controller to subsystem
+    - nvmet: don't report 0-bytes in serial number
+    - nvmet: don't overwrite identify sn/fr with 0-bytes
+    - gpio: No NULL owner
+    - [x86] KVM: introduce linear_{read,write}_system
+    - [x86] KVM: pass kvm_vcpu to kvm_read_guest_virt and
+      kvm_write_guest_virt_system
+    - usbip: vhci_sysfs: fix potential Spectre v1 (CVE-2017-5753)
+    - [armhf] serial: samsung: fix maxburst parameter for DMA transactions
+    - [armhf] serial: 8250: omap: Fix idling of clocks for unused uarts
+    - [x86] vmw_balloon: fixing double free when batching mode is off
+    - [armhf,arm64] tty: pl011: Avoid spuriously stuck-off interrupts
+    - [x86] kvm: use correct privilege level for sgdt/sidt/fxsave/fxrstor
+      access (CVE-2018-10853)
+    - [powerpc*] crypto: vmx - Remove overly verbose printk from AES init
+      routines
+    - [armhf] crypto: omap-sham - fix memleak
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.110
+    - xfrm6: avoid potential infinite loop in _decode_session6()
+    - netfilter: ebtables: handle string from userspace with care
+    - ipvs: fix buffer overflow with sync daemon and service
+    - iwlwifi: pcie: compare with number of IRQs requested for, not number of
+      CPUs
+    - atm: zatm: fix memcmp casting
+    - [x86] platform: asus-wmi: Fix NULL pointer dereference
+    - Revert "Btrfs: fix scrub to repair raid6 corruption"
+    - tcp: do not overshoot window_clamp in tcp_rcv_space_adjust()
+    - Btrfs: make raid6 rebuild retry more
+    - [armhf] usb: musb: fix remote wakeup racing with suspend
+    - bonding: re-evaluate force_primary when the primary slave name changes
+    - ipv6: allow PMTU exceptions to local routes
+    - net/sched: act_simple: fix parsing of TCA_DEF_DATA
+    - tcp: verify the checksum of the first data segment in a new connection
+    - ext4: fix hole length detection in ext4_ind_map_blocks()
+    - ext4: update mtime in ext4_punch_hole even if no blocks are released
+    - ext4: fix fencepost error in check for inode count overflow during resize
+    - driver core: Don't ignore class_dir_create_and_add() failure.
+    - Btrfs: fix clone vs chattr NODATASUM race
+    - Btrfs: fix memory and mount leak in btrfs_ioctl_rm_dev_v2()
+    - btrfs: scrub: Don't use inode pages for device replace
+    - ALSA: hda - Handle kzalloc() failure in snd_hda_attach_pcm_stream()
+    - smb3: on reconnect set PreviousSessionId field
+    - cpufreq: Fix new policy initialization during limits updates via sysfs
+    - libata: zpodd: make arrays cdb static, reduces object code size
+    - libata: zpodd: small read overflow in eject_tray()
+    - libata: Drop SanDisk SD7UB3Q*G1001 NOLPM quirk
+    - [x86] HID: intel_ish-hid: ipc: register more pm callbacks to support
+      hibernation
+    - vhost: fix info leak due to uninitialized memory (CVE-2018-1118)
+    - fs/binfmt_misc.c: do not allow offset overflow
+
+  [ Ben Hutchings ]
+  * netfilter: xt_hashlimit: Fix integer divide round to zero.
+    (Closes: #872907)
+  * [arm64,powerpc*,x86] drm/ast: Add support for new chips and boards
+    (Closes: #860900):
+    - drm/ast: const'ify mode setting tables
+    - drm/ast: Remove spurrious include
+    - drm/ast: Fix calculation of MCLK
+    - drm/ast: Base support for AST2500
+    - drm/ast: Fixed vram size incorrect issue on POWER
+    - drm/ast: Factor mmc_test code in POST code
+    - drm/ast: Rename ast_init_dram_2300 to ast_post_chip_2300
+    - drm/ast: POST code for the new AST2500
+  * ext4: add corruption check in ext4_xattr_set_entry() (CVE-2018-10879)
+  * ext4: always verify the magic number in xattr blocks (CVE-2018-10879)
+  * ext4: always check block group bounds in ext4_init_block_bitmap()
+    (CVE-2018-10878)
+  * ext4: make sure bitmaps and the inode table don't overlap with bg
+    descriptors (CVE-2018-10878)
+  * ext4: only look at the bg_flags field if it is valid (CVE-2018-10876)
+  * ext4: verify the depth of extent tree in ext4_find_extent()
+    (CVE-2018-10877)
+  * ext4: clear i_data in ext4_inode_info when removing inline data
+    (CVE-2018-10881)
+  * ext4: never move the system.data xattr out of the inode body
+    (CVE-2018-10880)
+  * jbd2: don't mark block as modified if the handle is out of credits
+    (CVE-2018-10883)
+  * ext4: avoid running out of journal credits when appending to an inline file
+    (CVE-2018-10883)
+  * ext4: add more inode number paranoia checks (CVE-2018-10882)
+  * sr: pass down correctly sized SCSI sense buffer (CVE-2018-11506)
+  * nvme: Ignore ABI changes
+  * tpm: Ignore ABI changes
+
+  [ Romain Perier ]
+  * jfs: Fix inconsistency between memory allocation and ea_buf->max_size
+    (CVE-2018-12233)
+
+4.9.107-1 [Wed, 13 Jun 2018 04:48:46 +0100] Ben Hutchings <ben@decadent.org.uk>:
+
+  * New upstream stable update:
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.89
+    - drm: qxl: Don't alloc fbdev if emulation is not supported
+    - selinux: check for address length in selinux_socket_bind()
+    - [x86] x86/mm: Make mmap(MAP_32BIT) work correctly
+    - perf sort: Fix segfault with basic block 'cycles' sort dimension
+    - [x86] x86/mce: Handle broadcasted MCE gracefully with kexec
+    - ath10k: fix fetching channel during potential radar detection
+    - usb: misc: lvs: fix race condition in disconnect handling
+    - zd1211rw: fix NULL-deref at probe
+    - batman-adv: handle race condition for claims between gateways
+    - [x86] x86/boot/32: Defer resyncing initial_page_table until per-cpu is
+      set up
+    - media: i2c/soc_camera: fix ov6650 sensor getting wrong clock
+    - timers, sched_clock: Update timeout for clock wrap
+    - sched: act_csum: don't mangle TCP and UDP GSO packets
+    - PCI: hv: Properly handle PCI bus remove
+    - PCI: hv: Lock PCI bus on device eject
+    - i40e/i40evf: Fix use after free in Rx cleanup path
+    - scsi: be2iscsi: Check tag in beiscsi_mccq_compl_wait
+    - mm: Fix false-positive VM_BUG_ON() in page_cache_{get,add}_speculative()
+    - f2fs: relax node version check for victim data in gc
+    - drm/ttm: never add BO that failed to validate to the LRU list
+    - powerpc/mm/hugetlb: Filter out hugepage size not supported by page table
+      layout
+    - NFC: nfcmrvl: double free on error path
+    - [powerpc*] powerpc: Avoid taking a data miss on every userspace
+      instruction miss
+    - printk: Correctly handle preemption in console_unlock()
+    - drm: rcar-du: Handle event when disabling CRTCs
+    - apparmor: Make path_max parameter readonly
+    - iommu/iova: Fix underflow bug in __alloc_and_insert_iova_range
+    - kvm: nVMX: Disallow userspace-injected exceptions in guest mode
+    - [mips*] MIPS: BPF: Quit clobbering callee saved registers in JIT code.
+    - [mips*] MIPS: BPF: Fix multiple problems in JIT skb access helpers.
+    - [mips*] MIPS: r2-on-r6-emu: Fix BLEZL and BGTZL identification
+    - [mips*] MIPS: r2-on-r6-emu: Clear BLTZALL and BGEZALL debugfs counters
+    - v4l: vsp1: Prevent multiple streamon race commencing pipeline early
+    - regulator: isl9305: fix array size
+    - md/raid6: Fix anomily when recovering a single device in RAID6.
+    - [powerpc*] powerpc/nohash: Fix use of mmu_has_feature() in
+      setup_initial_memory_limit()
+    - usb: dwc2: Make sure we disconnect the gadget state
+    - [arm*] drivers/perf: arm_pmu: handle no platform_device
+    - [x86] kprobes/x86: Set kprobes pages read-only
+    - Bluetooth: Avoid bt_accept_unlink() double unlinking
+    - Bluetooth: 6lowpan: fix delay work init in add_peer_chan()
+    - wil6210: fix memory access violation in wil_memcpy_from/toio_32
+    - sched: Stop switched_to_rt() from sending IPIs to offline CPUs
+    - sched: Stop resched_cpu() from sending IPIs to offline CPUs
+    - mwifiex: cfg80211: do not change virtual interface during scan
+      processing
+    - media: cpia2: Fix a couple off by one bugs
+    - drm/amdkfd: Fix memory leaks in kfd topology
+    - [i386] x86/boot/32: Fix UP boot on Quark and possibly other platforms
+    - [i386] x86/vm86/32: Fix POPF emulation
+    - [i386] x86/speculation, objtool: Annotate indirect calls/jumps for
+      objtool on 32-bit kernels
+    - [x86] x86/speculation: Remove Skylake C2 from Speculation Control
+      microcode blacklist
+    - [x86] x86/mm: Fix vmalloc_fault to use pXd_large
+    - ALSA: pcm: Fix UAF in snd_pcm_oss_get_formats()
+    - ALSA: seq: Fix possible UAF in snd_seq_check_queue()
+    - fs: Teach path_connected to handle nfs filesystems with multiple roots.
+    - lock_parent() needs to recheck if dentry got __dentry_kill'ed under it
+    - btrfs: alloc_chunk: fix DUP stripe size handling
+    - btrfs: Fix use-after-free when cleaning up fs_devs with a single stale
+      device
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.90
+    - tpm: fix potential buffer overruns caused by bit glitches on the bus
+    - SMB3: Validate negotiate request must always be signed
+    - CIFS: Enable encryption during session setup phase (CVE-2018-1066)
+    - ath: Fix updating radar flags for coutry code India
+    - mwifiex: don't leak 'chan_stats' on reset
+    - [x86] x86/reboot: Turn off KVM when halting a CPU
+    - IB/ipoib: Fix deadlock between ipoib_stop and mcast join flow
+    - HSI: ssi_protocol: double free in ssip_pn_xmit()
+    - IB/mlx4: Take write semaphore when changing the vma struct
+    - IB/mlx4: Change vma from shared to private
+    - IB/mlx5: Take write semaphore when changing the vma struct
+    - IB/mlx5: Change vma from shared to private
+    - ibmvnic: Disable irq prior to close
+    - netfilter: xt_CT: fix refcnt leak on error path
+    - tipc: check return value of nlmsg_new
+    - wan: pc300too: abort path on failure
+    - qlcnic: fix unchecked return value
+    - infiniband/uverbs: Fix integer overflows
+    - pNFS: Fix use after free issues in pnfs_do_read()
+    - xprtrdma: Cancel refresh worker during buffer shutdown
+    - NFS: don't try to cross a mountpount when there isn't one there.
+    - mt7601u: check return value of alloc_skb
+    - libertas: check return value of alloc_workqueue
+    - rndis_wlan: add return value validation
+    - Btrfs: fix incorrect space accounting after failure to insert inline
+      extent
+    - Btrfs: send, fix file hole not being preserved due to inline extent
+    - Btrfs: fix extent map leak during fallocate error path
+    - mac80211: don't parse encrypted management frames in
+      ieee80211_frame_acked
+    - mtip32xx: use runtime tag to initialize command header
+    - [x86] x86/KASLR: Fix kexec kernel boot crash when KASLR randomization
+      fails
+    - mac80211: Fix possible sband related NULL pointer de-reference
+    - netfilter: x_tables: unlock on error in xt_find_table_lock()
+    - IB/hfi1: Fix softlockup issue
+    - ipmi/watchdog: fix wdog hang on panic waiting for ipmi response
+    - drm/amdgpu: fix gpu reset crash
+    - qed: Unlock on error in qed_vf_pf_acquire()
+    - bnx2x: Align RX buffers
+    - [ppc*] power: supply: isp1704: Fix unchecked return value of
+      devm_kzalloc
+    - [ppc*] power: supply: pda_power: move from timer to delayed_work
+    - md/raid10: skip spare disk as 'first' disk
+    - ACPI / power: Delay turning off unused power resources after suspend
+    - tcm_fileio: Prevent information leak for short reads
+    - video: fbdev: udlfb: Fix buffer on stack
+    - sm501fb: don't return zero on failure path in sm501fb_start()
+    - pNFS: Fix a deadlock when coalescing writes and returning the layout
+    - net: hns: fix ethtool_get_strings overflow in hns driver
+    - cifs: small underflow in cnvrtDosUnixTm()
+    - ath10k: fix out of bounds access to local buffer
+    - block/mq: Cure cpu hotplug lock inversion
+    - Bluetooth: btqcomsmd: Fix skb double free corruption
+    - media: c8sectpfe: fix potential NULL pointer dereference in
+      c8sectpfe_timer_interrupt
+    - drm/msm: fix leak in failed get_pages
+    - RDMA/iwpm: Fix uninitialized error code in iwpm_send_mapinfo()
+    - rtlwifi: rtl_pci: Fix the bug when inactiveps is enabled.
+    - media: bt8xx: Fix err 'bt878_probe()'
+    - dmaengine: zynqmp_dma: Fix race condition in the probe
+    - drm/tilcdc: ensure nonatomic iowrite64 is not used
+    - mmc: avoid removing non-removable hosts during suspend
+    - IB/ipoib: Avoid memory leak if the SA returns a different DGID
+    - RDMA/cma: Use correct size when writing netlink stats
+    - iommu/vt-d: clean up pr_irq if request_threaded_irq fails
+    - RDMA/ocrdma: Fix permissions for OCRDMA_RESET_STATS
+    - IB/mlx5: Fix out-of-bounds read in create_raw_packet_qp_rq
+    - RDMA/ucma: Fix access to non-initialized CM_ID object
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.91
+    - libata: fix length validation of ATAPI-relayed SCSI commands
+    - libata: Apply NOLPM quirk to Crucial MX100 512GB SSDs
+    - libata: disable LPM for Crucial BX100 SSD 500GB drive
+    - libata: Enable queued TRIM for Samsung SSD 860
+    - libata: Apply NOLPM quirk to Crucial M500 480 and 960GB SSDs
+    - libata: Make Crucial BX100 500GB LPM quirk apply to all firmware
+      versions
+    - libata: Modify quirks for MX100 to limit NCQ_TRIM quirk to MU01 version
+    - nfsd: remove blocked locks on client teardown
+    - mm/vmalloc: add interfaces to free unmapped page table
+    - drm: udl: Properly check framebuffer mmap offsets (CVE-2018-8781)
+    - mtd: nand: fsl_ifc: Fix eccstat array overflow for IFC ver >= 2.0.0
+    - staging: ncpfs: memory corruption in ncp_read_kernel() (CVE-2018-8822)
+    - can: cc770: Fix use after free in cc770_tx_interrupt()
+    - kvm/x86: fix icebp instruction handling (CVE-2018-1087)
+    - [x86] x86/entry/64: Don't use IST entry for #BP stack (CVE-2018-8897)
+    - bpf: skip unnecessary capability check
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.92
+    - scsi: sg: don't return bogus Sg_requests
+    - net sched actions: return explicit error when tunnel_key mode is not
+      specified
+    - ppp: avoid loop in xmit recursion detection code
+    - sch_netem: fix skb leak in netem_enqueue()
+    - ieee802154: 6lowpan: fix possible NULL deref in lowpan_device_event()
+    - net: Fix hlist corruptions in inet_evict_bucket()
+    - dccp: check sk for closed state in dccp_sendmsg() (CVE-2018-1130)
+    - ipv6: fix access to non-linear packet in
+      ndisc_fill_redirect_hdr_option()
+    - l2tp: do not accept arbitrary sockets
+    - net: ethernet: arc: Fix a potential memory leak if an optional regulator
+      is deferred
+    - netlink: avoid a double skb free in genlmsg_mcast()
+    - team: Fix double free in error path
+    - soc/fsl/qbman: fix issue in qman_delete_cgr_safe()
+    - net: hns: Fix a skb used after free bug
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.93
+    - mtd: jedec_probe: Fix crash in jedec_read_mfr()
+    - ALSA: pcm: potential uninitialized return values
+    - perf/hwbp: Simplify the perf-hwbp code, fix documentation
+    (CVE-2018-1000199)
+    - kprobes/x86: Fix to set RWX bits correctly before releasing trampoline
+    - arm64: avoid overflow in VA_START and PAGE_OFFSET
+    - xfrm_user: uncoditionally validate esn replay attribute struct
+    - RDMA/ucma: Check AF family prior resolving address
+    - RDMA/ucma: Fix use-after-free access in ucma_close
+    - RDMA/ucma: Ensure that CM_ID exists prior to access it
+    - RDMA/ucma: Check that device is connected prior to access it
+    - RDMA/ucma: Check that device exists prior to accessing it
+    - RDMA/ucma: Introduce safer rdma_addr_size() variants
+    - net: xfrm: use preempt-safe this_cpu_read() in ipcomp_alloc_tfms()
+    - xfrm: Refuse to insert 32 bit userspace socket policies on 64 bit
+      systems
+    - netfilter: bridge: ebt_among: add more missing match size checks
+    - Bluetooth: Fix missing encryption refresh on Security Request
+    - scsi: virtio_scsi: always read VPD pages for multiqueue too
+    - usb: dwc2: Improve gadget state disconnection handling
+    - [arm64] arm64: mm: Use non-global mappings for kernel space
+    - [arm64] arm64: mm: Move ASID from TTBR0 to TTBR1
+    - [arm64] arm64: mm: Allocate ASIDs in pairs
+    - [arm64] arm64: mm: Add arm64_kernel_unmapped_at_el0 helper
+    - [arm64] arm64: mm: Invalidate both kernel and user ASIDs when performing
+      TLBI
+    - [arm64] arm64: factor out entry stack manipulation
+    - module: extend 'rodata=off' boot cmdline parameter to module mappings
+    - [arm64] entry: Add exception trampoline page for exceptions from EL0
+    - [arm64] mm: Map entry trampoline into trampoline and kernel page tables
+    - [arm64] entry: Explicitly pass exception level to kernel_ventry macro
+    - [arm64] entry: Hook up entry trampoline to exception vectors
+    - [arm64] tls: Avoid unconditional zeroing of tpidrro_el0 for native tasks
+    - [arm64] entry: Add fake CPU feature for unmapping the kernel at EL0
+    - [arm64] kaslr: Put kernel vectors address in separate data page
+    - [arm64] use RET instruction for exiting the trampoline
+    - [arm64] Kconfig: Add CONFIG_UNMAP_KERNEL_AT_EL0
+    - [arm64] Kconfig: Reword UNMAP_KERNEL_AT_EL0 kconfig entry
+    - [arm64] Take into account ID_AA64PFR0_EL1.CSV3
+    - [arm64] Allow checking of a CPU-local erratum
+    - [arm64] capabilities: Handle duplicate entries for a capability
+    - [arm64] cputype: Add MIDR values for Cavium ThunderX2 CPUs
+    - [arm64] Turn on KPTI only on CPUs that need it
+    - [arm64] kpti: Make use of nG dependent on arm64_kernel_unmapped_at_el0()
+    - [arm64] kpti: Add ->enable callback to remap swapper using nG mappings
+    - [arm64] Force KPTI to be disabled on Cavium ThunderX
+    - [arm64] entry: Reword comment about post_ttbr_update_workaround
+    - [arm64] idmap: Use "awx" flags for .idmap.text .pushsection directives
+    - media: usbtv: prevent double free in error case (CVE-2017-17975)
+    - crypto: ahash - Fix early termination in hash walk
+    - crypto: x86/cast5-avx - fix ECB encryption when long sg follows short
+      one
+    - net: hns: Fix ethtool private flags (CVE-2017-18222)
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.94
+    - [x86] x86/asm: Don't use RBP as a temporary register in
+      csum_partial_copy_generic()
+    - IB/srpt: Avoid that aborting a command triggers a kernel warning
+    - af_key: Fix slab-out-of-bounds in pfkey_compile_policy.
+    - bna: Avoid reading past end of buffer
+    - qlge: Avoid reading past end of buffer
+    - ubi: fastmap: Fix slab corruption
+    - drivers/misc/vmw_vmci/vmci_queue_pair.c: fix a couple integer overflow
+      tests
+    - perf/callchain: Force USER_DS when invoking perf_callchain_user()
+    - Input: elan_i2c - check if device is there before really probing
+    - KVM: PPC: Book3S PR: Check copy_to/from_user return values
+    - [arm64] arm64: perf: Ignore exclude_hv when kernel is running in HYP
+    - [arm] KVM: arm: Restore banked registers and physical timer access on
+      hyp_panic()
+    - [arm64] KVM: arm64: Restore host physical timer access on hyp_panic()
+    - usb: dwc3: keystone: check return value
+    - ata: libahci: properly propagate return value of platform_get_irq()
+    - ipmr: vrf: Find VIFs using the actual device
+    - uio: fix incorrect memory leak cleanup
+    - net: x25: fix one potential use-after-free issue
+    - USB: ene_usb6250: fix SCSI residue overwriting
+    - net/wan/fsl_ucc_hdlc: fix unitialized variable warnings
+    - net/wan/fsl_ucc_hdlc: fix incorrect memory allocation
+    - mlxsw: spectrum: Avoid possible NULL pointer dereference
+    - scsi: csiostor: fix use after free in csio_hw_use_fwconfig()
+    - [powerpc*] powerpc/mm: Fix virt_addr_valid() etc. on 64-bit hash
+    - ath5k: fix memory leak on buf on failed eeprom read
+    - ext4: handle the rest of ext4_mb_load_buddy() ENOMEM errors
+    - md-cluster: fix potential lock issue in add_new_disk
+    - ray_cs: Avoid reading past end of buffer
+    - net/wan/fsl_ucc_hdlc: fix muram allocation error
+    - perf/core: Fix error handling in perf_event_alloc()
+    - selinux: do not check open permission on sockets
+    - block: fix an error code in add_partition()
+    - libceph: NULL deref on crush_decode() error path
+    - perf report: Fix off-by-one for non-activation frames
+    - netfilter: ctnetlink: fix incorrect nf_ct_put during hash resize
+    - scsi: bnx2fc: fix race condition in bnx2fc_get_host_stats()
+    - fix race in drivers/char/random.c:get_reg()
+    - ext4: fix off-by-one on max nr_pages in ext4_find_unwritten_pgoff()
+    - tcp: better validation of received ack sequences
+    - net: llc: add lock_sock in llc_ui_bind to avoid a race condition
+    - drm/msm: Take the mutex before calling msm_gem_new_impl
+    - thermal: power_allocator: fix one race condition issue for
+      thermal_instances list
+    - VFS: close race between getcwd() and d_move()
+    - PM / devfreq: Fix potential NULL pointer dereference in governor_store
+    - media: videobuf2-core: don't go out of the buffer range
+    - blk-mq: fix race between updating nr_hw_queues and switching io sched
+    - wl1251: check return from call to wl1251_acx_arp_ip_filter
+    - hdlcdrv: Fix divide by zero in hdlcdrv_ioctl
+    - [x86] x86/efi: Disable runtime services on kexec kernel if booted with
+      efi=old_map
+    - ovl: filter trusted xattr for non-admin
+    - dmaengine: imx-sdma: Handle return value of clk_prepare_enable
+    - backlight: Report error on failure
+    - [arm64] arm64: futex: Fix undefined behaviour with FUTEX_OP_OPARG_SHIFT
+      usage
+    - net: freescale: fix potential null pointer dereference
+    - KVM: SVM: do not zero out segment attributes if segment is unusable or
+      not present
+    - clk: scpi: fix return type of __scpi_dvfs_round_rate
+    - drm/amdkfd: NULL dereference involving create_process()
+    - qlcnic: Fix a sleep-in-atomic bug in qlcnic_82xx_hw_write_wx_2M and
+      qlcnic_82xx_hw_read_wx_2M
+    - [arm64] arm64: kernel: restrict /dev/mem read() calls to linear region
+    - mISDN: Fix a sleep-in-atomic bug
+    - RDMA/iw_cxgb4: Avoid touch after free error in ARP failure handlers
+    - RDMA/hfi1: fix array termination by appending NULL to attr array
+    - bio-integrity: Do not allocate integrity context for bio w/o data
+    - skbuff: return -EMSGSIZE in skb_to_sgvec to prevent overflow
+    - macsec: check return value of skb_to_sgvec always
+    - e1000e: fix race condition around skb_tstamp_tx()
+    - igb: fix race condition with PTP_TX_IN_PROGRESS bits
+    - cx25840: fix unchecked return values
+    - mceusb: sporadic RX truncation corruption fix
+    - nvme: fix hang in remove path
+    - KVM: nVMX: Update vmcs12->guest_linear_address on nested VM-exit
+    - crypto: omap-sham - buffer handling fixes for hashing later
+    - crypto: omap-sham - fix closing of hash with separate finalize call
+    - net: ena: fix race condition between submit and completion admin command
+    - [s390x] s390/dasd: fix hanging safe offline
+    - drm/vc4: Fix resource leak in 'vc4_get_hang_state_ioctl()' in error
+      handling path
+    - scsi: libsas: fix memory leak in sas_smp_get_phy_events()
+      (CVE-2018-7757)
+    - blk-mq: fix kernel oops in blk_mq_tag_idle()
+    - ipv6: the entire IPv6 header chain must fit the first fragment
+    - net: fix possible out-of-bound read in skb_network_protocol()
+    - net/ipv6: Fix route leaking between VRFs
+    - net/ipv6: Increment OUTxxx counters after netfilter hook
+    - netlink: make sure nladdr has correct size in netlink_connect()
+    - net/sched: fix NULL dereference in the error path of tcf_bpf_init()
+    - pptp: remove a buggy dst release in pptp_connect()
+    - r8169: fix setting driver_data after register_netdev
+    - sctp: do not leak kernel memory to user space
+    - sctp: sctp_sockaddr_af must check minimal addr length for AF_INET6
+    - net: fool proof dev_valid_name()
+    - ip_tunnel: better validate user provided tunnel names
+    - ipv6: sit: better validate user provided tunnel names
+    - ip6_gre: better validate user provided tunnel names
+    - ip6_tunnel: better validate user provided tunnel names
+    - vti6: better validate user provided tunnel names
+    - net/sched: fix NULL dereference in the error path of tunnel_key_init()
+    - net/sched: fix NULL dereference on the error path of tcf_skbmod_init()
+    - vhost: validate log when IOTLB is enabled
+    - vhost_net: add missing lock nesting notation
+    - net/mlx4_core: Fix memory leak while delete slave's resources
+    - vrf: Fix use after free and double free in vrf_finish_output
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.95
+    - media: v4l2-compat-ioctl32: don't oops on overlay
+    - parisc: Fix out of array access in match_pci_device()
+    - perf intel-pt: Fix overlap detection to identify consecutive buffers
+      correctly
+    - perf intel-pt: Fix timestamp following overflow
+    - perf/core: Fix use-after-free in uprobe_perf_close()
+    - [arm64] arm64: barrier: Add CSDB macros to control data-value prediction
+    - [arm64] arm64: Implement array_index_mask_nospec()
+    - [arm64] arm64: move TASK_* definitions to <asm/processor.h>
+    - [arm64] arm64: Make USER_DS an inclusive limit
+    - [arm64] arm64: Use pointer masking to limit uaccess speculation
+    - [arm64] arm64: entry: Ensure branch through syscall table is bounded
+      under speculation
+    - [arm64] arm64: uaccess: Prevent speculative use of the current
+      addr_limit
+    - [arm64] arm64: uaccess: Don't bother eliding access_ok checks in __{get,
+      put}_user
+    - [arm64] arm64: uaccess: Mask __user pointers for __arch_{clear,
+      copy_*}_user
+    - [arm64] arm64: cpufeature: __this_cpu_has_cap() shouldn't stop early
+    - [arm64] arm64: Run enable method for errata work arounds on late CPUs
+    - [arm64] arm64: cpufeature: Pass capability structure to ->enable
+      callback
+    - [arm64] arm64: Factor out TTBR0_EL1 post-update workaround into a
+      specific asm macro
+    - [arm64] arm64: Move post_ttbr_update_workaround to C code
+    - [arm64] arm64: Add skeleton to harden the branch predictor against
+      aliasing attacks
+    - [arm64] arm64: Move BP hardening to check_and_switch_context
+    - [arm64] arm64: KVM: Use per-CPU vector when BP hardening is enabled
+    - [arm64] arm64: entry: Apply BP hardening for high-priority synchronous
+      exceptions
+    - [arm64] arm64: entry: Apply BP hardening for suspicious interrupts from
+      EL0
+    - [arm64] arm64: cputype: Add missing MIDR values for Cortex-A72 and
+      Cortex-A75
+    - [arm64] arm64: cpu_errata: Allow an erratum to be match for all
+      revisions of a core
+    - [arm64] arm64: Implement branch predictor hardening for affected
+      Cortex-A CPUs
+    - [arm64] arm64: Branch predictor hardening for Cavium ThunderX2
+    - [arm64] arm64: KVM: Increment PC after handling an SMC trap
+    - [arm64] arm/arm64: KVM: Consolidate the PSCI include files
+    - [arm64] arm/arm64: KVM: Add PSCI_VERSION helper
+    - [arm64] arm/arm64: KVM: Add smccc accessors to PSCI code
+    - [arm64] arm/arm64: KVM: Implement PSCI 1.0 support
+    - [arm64] arm/arm64: KVM: Advertise SMCCC v1.1
+    - [arm64] arm64: KVM: Make PSCI_VERSION a fast path
+    - [arm64] arm/arm64: KVM: Turn kvm_psci_version into a static inline
+    - [arm64] arm64: KVM: Report SMCCC_ARCH_WORKAROUND_1 BP hardening support
+    - [arm64] arm64: KVM: Add SMCCC_ARCH_WORKAROUND_1 fast handling
+    - [arm64] firmware/psci: Expose PSCI conduit
+    - [arm64] firmware/psci: Expose SMCCC version through psci_ops
+    - [arm64] arm/arm64: smccc: Make function identifiers an unsigned quantity
+    - [arm64] arm/arm64: smccc: Implement SMCCC v1.1 inline primitive
+    - [arm64] arm64: Add ARM_SMCCC_ARCH_WORKAROUND_1 BP hardening support
+    - [arm64] arm64: Kill PSCI_GET_VERSION as a variant-2 workaround
+    - block/loop: fix deadlock after loop_set_status
+    - rtl8187: Fix NULL pointer dereference in priv->conf_mutex
+    - hwmon: (ina2xx) Fix access to uninitialized mutex
+    - slip: Check if rstate is initialized before uncompressing
+    - [arm64] arm64: futex: Mask __user pointers prior to dereference
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.96
+    - tty: make n_tty_read() always abort if hangup is in progress
+    - ubifs: Check ubifs_wbuf_sync() return code
+    - ubi: Fix error for write access
+    - resource: fix integer overflow at reallocation
+    - ipc/shm: fix use-after-free of shm file via remap_file_pages()
+    - usb: musb: gadget: misplaced out of bounds check
+    - xen-netfront: Fix hang on device removal
+    - regmap: Fix reversed bounds check in regmap_raw_write()
+    - USB: gadget: f_midi: fixing a possible double-free in f_midi
+    - USB:fix USB3 devices behind USB3 hubs not resuming at hibernate thaw
+    - smb3: Fix root directory when server returns inode number of zero
+    - HID: i2c-hid: fix size check and type usage
+    - random: use a tighter cap in credit_entropy_bits_safe()
+    - ext4: fail ext4_iget for root directory if unallocated (CVE-2018-1092)
+    - RDMA/rxe: Fix an out-of-bounds read
+    - ALSA: pcm: Fix UAF at PCM release via PCM timer access
+    - dmaengine: at_xdmac: fix rare residue corruption
+    - libnvdimm, namespace: use a safe lookup for dimm device name
+    - iommu/vt-d: Fix a potential memory leak
+    - mmc: jz4740: Fix race condition in IRQ mask update
+    - pwm: rcar: Fix a condition to prevent mismatch value setting to duty
+    - thermal: imx: Fix race condition in imx_thermal_probe()
+    - ext4: don't allow r/w mounts if metadata blocks overlap the superblock
+    - drm/amdgpu: Fix always_valid bos multiple LRU insertions.
+    - drm/amdgpu: Fix PCIe lane width calculation
+    - drm/rockchip: Clear all interrupts before requesting the IRQ
+    - drm/radeon: Fix PCIe lane width calculation
+    - ALSA: line6: Use correct endpoint type for midi output
+    - ALSA: rawmidi: Fix missing input substream checks in compat ioctls
+    - ALSA: hda - New VIA controller suppor no-snoop path
+    - random: fix crng_ready() test (CVE-2018-1108)
+    - random: crng_reseed() should lock the crng instance that it is modifying
+    - random: add new ioctl RNDRESEEDCRNG
+    - HID: hidraw: Fix crash on HIDIOCGFEATURE with a destroyed device
+    - MIPS: uaccess: Add micromips clobbers to bzero invocation
+    - MIPS: memset.S: EVA & fault support for small_memset
+    - MIPS: memset.S: Fix return of __clear_user from Lpartial_fixup
+    - MIPS: memset.S: Fix clobber of v1 in last_fixup
+    - [powerpc*] powerpc/eeh: Fix enabling bridge MMIO windows
+    - [powerpc*] powerpc/lib: Fix off-by-one in alternate feature patching
+    - udf: Fix leak of UTF-16 surrogates into encoded strings
+    - jffs2_kill_sb(): deal with failed allocations
+    - hypfs_kill_super(): deal with failed allocations
+    - orangefs_kill_sb(): deal with allocation failures
+    - rpc_pipefs: fix double-dput()
+    - Don't leak MNT_INTERNAL away from internal mounts
+    - autofs: mount point create should honour passed in mode
+    - mm/filemap.c: fix NULL pointer in page_cache_tree_insert()
+    - fanotify: fix logic of events on child
+    - writeback: safer lock nesting
+    - block/mq: fix potential deadlock during cpu hotplug
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.97
+    - cifs: do not allow creating sockets except with SMB1 posix exensions
+    - [x86] x86/tsc: Prevent 32bit truncation in calc_hpet_ref()
+    - drm/vc4: Fix memory leak during BO teardown
+    - drm/i915: Fix LSPCON TMDS output buffer enabling from low-power state
+    - power: supply: bq2415x: check for NULL acpi_id to avoid null pointer
+      dereference
+    - OF: Prevent unaligned access in of_alias_scan()
+    - jbd2: fix use after free in kjournald2()
+    - perf: Return proper values for user stack errors
+    - RDMA/mlx5: Fix NULL dereference while accessing XRC_TGT QPs
+    - mac80211_hwsim: fix use-after-free bug in hwsim_exit_net
+    - [s390] s390: introduce CPU alternatives
+    - [s390] s390: enable CPU alternatives unconditionally
+    - [s390] KVM: s390: wire up bpb feature
+    - [s390] s390: scrub registers on kernel entry and KVM exit
+    - [s390] s390: add optimized array_index_mask_nospec
+    - [s390] s390/alternative: use a copy of the facility bit mask
+    - [s390] s390: add options to change branch prediction behaviour for the
+      kernel
+    - [s390] s390: run user space and KVM guests with modified branch
+      prediction
+    - [s390] s390: introduce execute-trampolines for branches
+    - [s390] KVM: s390: force bp isolation for VSIE
+    - [s390] s390: Replace IS_ENABLED(EXPOLINE_*) with
+      IS_ENABLED(CONFIG_EXPOLINE_*)
+    - [s390] s390: do not bypass BPENTER for interrupt system calls
+    - [s390] s390/entry.S: fix spurious zeroing of r0
+    - [s390] s390: move nobp parameter functions to nospec-branch.c
+    - [s390] s390: add automatic detection of the spectre defense
+    - [s390] s390: report spectre mitigation via syslog
+    - [s390] s390: add sysfs attributes for spectre
+    - [s390] s390: correct nospec auto detection init order
+    - [s390] s390: correct module section names for expoline code revert
+    - KEYS: DNS: limit the length of option strings
+    - l2tp: check sockaddr length in pppol2tp_connect()
+    - net: validate attribute sizes in neigh_dump_table()
+    - llc: delete timers synchronously in llc_sk_free()
+    - tcp: don't read out-of-bounds opsize
+    - packet: fix bitfield update race
+    - pppoe: check sockaddr length in pppoe_connect()
+    - vlan: Fix reading memory beyond skb->tail in skb_vlan_tagged_multi
+    - sctp: do not check port in sctp_inet6_cmp_addr
+    - llc: hold llc_sap before release_sock()
+    - llc: fix NULL pointer deref for SOCK_ZAPPED
+    - net: fix deadlock while clearing neighbor proxy table
+    - net: af_packet: fix race in PACKET_{R|T}X_RING
+    - cdrom: information leak in cdrom_ioctl_media_changed() (CVE-2018-10940)
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.98
+    - ext4: prevent right-shifting extents beyond EXT_MAX_BLOCKS
+    - ext4: set h_journal if there is a failure starting a reserved handle
+    - ext4: add validity checks for bitmap block numbers (CVE-2018-1093)
+    - ext4: fix bitmap position validation
+    - random: set up the NUMA crng instances after the CRNG is fully
+      initialized
+    - random: fix possible sleeping allocation from irq context
+    - random: rate limit unseeded randomness warnings
+    - usbip: usbip_event: fix to not print kernel pointer address
+    - usbip: usbip_host: fix to hold parent lock for device_attach() calls
+    - usbip: vhci_hcd: Fix usb device and sockfd leaks
+    - virtio_console: free buffers after reset
+    - drm/virtio: fix vq wait_event condition
+    - tty: Don't call panic() at tty_ldisc_init()
+    - tty: Use __GFP_NOFAIL for tty_ldisc_get()
+    - ALSA: dice: fix error path to destroy initialized stream data
+    - ALSA: opl3: Hardening for potential Spectre v1
+    - ALSA: asihpi: Hardening for potential Spectre v1
+    - ALSA: hdspm: Hardening for potential Spectre v1
+    - ALSA: rme9652: Hardening for potential Spectre v1
+    - ALSA: control: Hardening for potential Spectre v1
+    - ALSA: seq: oss: Fix unbalanced use lock for synth MIDI device
+    - ALSA: seq: oss: Hardening for potential Spectre v1
+    - ALSA: hda: Hardening for potential Spectre v1
+    - ALSA: hda/realtek - Add some fixes for ALC233
+    - mtd: cfi: cmdset_0001: Do not allow read/write to suspend erase block.
+    - mtd: cfi: cmdset_0001: Workaround Micron Erase suspend bug.
+    - mtd: cfi: cmdset_0002: Do not allow read/write to suspend erase block.
+    - kobject: don't use WARN for registration failures
+    - PCI: aardvark: Fix PCIe Max Read Request Size setting
+    - ARM: amba: Fix race condition with driver_override
+    - ARM: amba: Don't read past the end of sysfs "driver_override" buffer
+    - crypto: drbg - set freed buffers to NULL
+    - libceph: un-backoff on tick when we have a authenticated session
+    - libceph: reschedule a tick in finish_hunting()
+    - libceph: validate con->state at the top of try_write()
+    - [powerpc*] cpufreq: powernv: Fix hardlockup due to synchronous smp_call
+      in timer interrupt
+    - [powerpc*] powerpc/eeh: Fix race with driver un/bind
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.99
+    - perf/core: Fix the perf_cpu_time_max_percent check (CVE-2018-18255)
+    - ALSA: seq: Fix races at MIDI encoding in snd_virmidi_output_trigger()
+    - Input: leds - fix out of bound access
+    - xfs: prevent creating negative-sized file via INSERT_RANGE
+    - RDMA/cxgb4: release hw resources on device removal
+    - RDMA/mlx5: Protect from shift operand overflow
+    - IB/mlx5: Use unlimited rate when static rate is not supported
+    - IB/hfi1: Fix NULL pointer dereference when invalid num_vls is used
+    - drm/vmwgfx: Fix a buffer object leak
+    - drm/bridge: vga-dac: Fix edid memory leak
+    - usb: musb: host: fix potential NULL pointer dereference
+    - usb: musb: trace: fix NULL pointer dereference in musb_g_tx()
+    - platform/x86: asus-wireless: Fix NULL pointer dereference
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.100
+    - ipvs: fix rtnl_lock lockups caused by start_sync_thread
+    - crypto: af_alg - fix possible uninit-value in alg_bind()
+    - netlink: fix uninit-value in netlink_sendmsg
+    - net: fix rtnh_ok()
+    - net: initialize skb->peeked when cloning
+    - net: fix uninit-value in __hw_addr_add_ex()
+    - dccp: initialize ireq->ir_mark
+    - soreuseport: initialise timewait reuseport field
+    - tcp: fix TCP_REPAIR_QUEUE bound checking
+    - bdi: Fix oops in wb_workfn()
+    - [powerpc*] KVM: PPC: Book3S HV: Fix trap number return from
+      __kvmppc_vcore_entry
+    - f2fs: fix a dead loop in f2fs_fiemap() (CVE-2018-18257)
+    - arm64: Add work around for Arm Cortex-A55 Erratum 1024718
+    - gpioib: do not free unrequested descriptors
+    - rfkill: gpio: fix memory leak in probe error path
+    - net: atm: Fix potential Spectre v1
+    - atm: zatm: Fix potential Spectre v1
+    - tracing/uprobe_event: Fix strncpy corner case
+    - [x86] perf/x86: Fix possible Spectre-v1 indexing for hw_perf_event
+      cache_*
+    - [x86] perf/x86/cstate: Fix possible Spectre-v1 indexing for pkg_msr
+    - [x86] perf/x86/msr: Fix possible Spectre-v1 indexing in the MSR driver
+    - perf/core: Fix possible Spectre-v1 indexing for ->aux_pages[]
+    - [x86] perf/x86: Fix possible Spectre-v1 indexing for
+      x86_pmu::event_map()
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.101
+    - ipv4: fix memory leaks in udp_sendmsg, ping_v4_sendmsg
+    - llc: better deal with too small mtu
+    - net: ethernet: sun: niu set correct packet size in skb
+    - net: ethernet: ti: cpsw: fix packet leaking in dual_mac mode
+    - net/mlx4_en: Verify coalescing parameters are in range
+    - net_sched: fq: take care of throttled flows before reuse
+    - tg3: Fix vunmap() BUG_ON() triggered from tg3_free_consistent().
+    - futex: Remove duplicated code and fix undefined behaviour
+    - proc: do not access cmdline nor environ from file-backed areas
+      (CVE-2018-1120)
+    - kernel/exit.c: avoid undefined behaviour when calling wait4()
+      (CVE-2018-10087)
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.102
+    - usbip: usbip_host: fix NULL-ptr deref and use-after-free errors
+      (CVE-2018-5814)
+    - [arm*] KVM: arm/arm64: VGIC/ITS: protect kvm_read_guest() calls with
+      SRCU lock
+    - [powerpc*] powerpc/powernv: Fix NVRAM sleep in invalid context when
+      crashing
+    - s390: remove indirect branch from do_softirq_own_stack
+    - efi: Avoid potential crashes, fix the 'struct efi_pci_io_protocol_32'
+      definition for mixed mode
+    - Btrfs: fix xattr loss after power failure
+    - btrfs: fix crash when trying to resume balance without the resume flag
+    - [x86] x86/amd: don't set X86_BUG_SYSRET_SS_ATTRS when running under Xen
+    - btrfs: fix reading stale metadata blocks after degraded raid1 mounts
+    - [x86] x86/nospec: Simplify alternative_msr_write()
+    - [x86] x86/bugs: Concentrate bug detection into a separate function
+    - [x86] x86/bugs: Concentrate bug reporting into a separate function
+    - [x86] x86/bugs: Read SPEC_CTRL MSR during boot and re-use reserved bits
+    - [x86] x86/bugs, KVM: Support the combination of guest and host IBRS
+    - [x86] x86/bugs: Expose /sys/../spec_store_bypass
+    - [x86] x86/cpufeatures: Add X86_FEATURE_RDS
+    - [x86] x86/bugs: Provide boot parameters for the
+      spec_store_bypass_disable mitigation
+    - [x86] x86/bugs/intel: Set proper CPU features and setup RDS
+    - [x86] x86/bugs: Whitelist allowed SPEC_CTRL MSR values
+    - [x86] x86/bugs/AMD: Add support to disable RDS on Fam[15,16,17]h if
+      requested
+    - [x86] x86/KVM/VMX: Expose SPEC_CTRL Bit(2) to the guest
+    - prctl: Add speculation control prctls
+    - [x86] process: Optimize TIF checks in __switch_to_xtra()
+    - [x86] process: Correct and optimize TIF_BLOCKSTEP switch
+    - [x86] process: Optimize TIF_NOTSC switch
+    - [x86] x86/process: Allow runtime control of Speculative Store Bypass
+      (CVE-2018-3639)
+    - [x86] x86/speculation: Add prctl for Speculative Store Bypass mitigation
+    - nospec: Allow getting/setting on non-current task
+    - proc: Provide details on speculation flaw mitigations
+    - seccomp: Enable speculation flaw mitigations
+    - [x86] x86/bugs: Make boot modes __ro_after_init
+    - prctl: Add force disable speculation
+    - seccomp: Use PR_SPEC_FORCE_DISABLE
+    - seccomp: Add filter flag to opt-out of SSB mitigation
+    - seccomp: Move speculation migitation control to arch code
+    - [x86] x86/speculation: Make "seccomp" the default mode for Speculative
+      Store Bypass
+    - KVM: SVM: Move spec control call after restore of GS
+    - [x86] x86/speculation: Use synthetic bits for IBRS/IBPB/STIBP
+    - [x86] x86/cpu/AMD: Fix erratum 1076 (CPB bit)
+    - [x86] x86/speculation: Add virtualized speculative store bypass disable
+      support
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.103
+    - net: test tailroom before appending to linear skb
+    - packet: in packet_snd start writing at link layer allocation
+    - sock_diag: fix use-after-free read in __sk_free
+    - ext2: fix a block leak
+    - [s390x] s390/crc32-vx: use expoline for indirect branches
+    - [s390x] s390/lib: use expoline for indirect branches
+    - [s390x] s390/ftrace: use expoline for indirect branches
+    - [s390x] s390/kernel: use expoline for indirect branches
+    - [s390x] s390: extend expoline to BC instructions
+    - [s390x] s390: use expoline thunks in the BPF JIT
+    - scsi: libsas: defer ata device eh commands to libata (CVE-2018-10021)
+    - scsi: sg: allocate with __GFP_ZERO in sg_build_indirect()
+      (CVE-2018-1000204)
+    - scsi: zfcp: fix infinite iteration on ERP ready list
+    - cfg80211: limit wiphy names to 128 bytes
+    - [x86] x86/kexec: Avoid double free_page() upon do_kexec_load() failure
+    - usb: gadget: core: Fix use-after-free of usb_request
+    - usb: cdc_acm: prevent race at write to acm while system resumes
+    - USB: OHCI: Fix NULL dereference in HCDs using HCD_LOCAL_MEM
+    - usb: gadget: ffs: Execute copy_to_user() with USER_DS set
+    - usb: gadget: udc: change comparison to bitshift when dealing with a mask
+    - media: em28xx: USB bulk packet size fix
+    - scsi: fas216: fix sense buffer initialization
+    - scsi: sym53c8xx_2: iterator underflow in sym_getsync()
+    - scsi: mptfusion: Add bounds check in mptctl_hp_targetinfo()
+    - scsi: qla2xxx: Avoid triggering undefined behavior in
+      qla2x00_mbx_completion()
+    - scsi: aacraid: fix shutdown crash when init fails
+    - scsi: aacraid: Insure command thread is not recursively stopped
+    - scsi: lpfc: Fix soft lockup in lpfc worker thread during LIP testing
+    - media: dmxdev: fix error code for invalid ioctls
+    - media: s3c-camif: fix out-of-bounds array access
+    - media: cx25821: prevent out-of-bounds read on array card
+    - serial: xuartps: Fix out-of-bounds access through DT alias
+    - serial: samsung: Fix out-of-bounds access through serial port index
+    - serial: mxs-auart: Fix out-of-bounds access through serial port index
+    - serial: imx: Fix out-of-bounds access through serial port index
+    - serial: fsl_lpuart: Fix out-of-bounds access through DT alias
+    - serial: arc_uart: Fix out-of-bounds access through DT alias
+    - rtc: hctosys: Ensure system time doesn't overflow time_t
+    - rtc: tx4939: avoid unintended sign extension on a 24 bit shift
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.104
+    - [mips] MIPS: c-r4k: Fix data corruption related to cache coherence
+    - affs_lookup(): close a race with affs_remove_link()
+    - aio: fix io_destroy(2) vs. lookup_ioctx() race
+    - do d_instantiate/unlock_new_inode combinations safely
+    - libata: Blacklist some Sandisk SSDs for NCQ
+    - libata: blacklist Micron 500IT SSD with MU01 firmware
+    - IB/hfi1: Use after free race condition in send context error path
+    - Revert "ipc/shm: Fix shmat mmap nil-page protection"
+    - ipc/shm: fix shmat() nil address after round-down when remapping
+    - kernel/sys.c: fix potential Spectre v1 issue
+    - kernel/signal.c: avoid undefined behaviour in kill_something_info
+      (CVE-2018-10124)
+    - KVM/VMX: Expose SSBD properly to guests
+    - firewire-ohci: work around oversized DMA reads on JMicron controllers
+    - i40iw: Zero-out consumer key on allocate stag for FMR
+    - iommu/vt-d: Use domain instead of cache fetching
+    - mac80211_hwsim: fix possible memory leak in hwsim_new_radio_nl()
+      (CVE-2018-8087)
+    - btrfs: Fix out of bounds access in btrfs_search_slot
+    - Btrfs: fix scrub to repair raid6 corruption
+    - HID: roccat: prevent an out of bounds read in
+      kovaplus_profile_activated()
+    - jffs2: Fix use-after-free bug in jffs2_iget()'s error handling path
+    - RDMA/mlx5: Avoid memory leak in case of XRCD dealloc failure
+    - gianfar: prevent integer wrapping in the rx handler
+    - tcp_nv: fix potential integer overflow in tcpnv_acked
+    - kvm: Map PFN-type memory regions as writable (if possible)
+    - mm/mempolicy: fix the check of nodemask from user
+    - mm/mempolicy: add nodes_empty check in SYSC_migrate_pages
+    - mm: pin address_space before dereferencing it while isolating an LRU
+      page
+    - mm/fadvise: discard partial page if endbyte is also EOF
+    - drm/nouveau/pmu/fuc: don't use movw directly anymore
+    - netfilter: ipv6: nf_defrag: Kill frag queue on RFC2460 failure
+    - [x86] x86/power: Fix swsusp_arch_resume prototype
+    - firmware: dmi_scan: Fix handling of empty DMI strings
+    - xen-netfront: Fix race between device setup and open
+    - xen/grant-table: Use put_page instead of free_page
+    - RDS: IB: Fix null pointer issue
+    - [arm64] arm64: spinlock: Fix theoretical trylock() A-B-A with LSE
+      atomics
+    - bcache: fix for allocator and register thread race
+    - bcache: fix for data collapse after re-attaching an attached device
+    - bcache: return attach error when no cache set exist
+    - [x86] vfs/proc/kcore, x86/mm/kcore: Fix SMAP fault when dumping vsyscall
+      user page
+    - ptr_ring: prevent integer overflow when calculating size
+    - [arm] ARM: OMAP2+: timer: fix a kmemleak caused in omap_get_timer_dt
+    - iwlwifi: mvm: fix security bug in PN checking
+    - rxrpc: Work around usercopy check
+    - mac80211: fix a possible leak of station stats
+    - mac80211: fix calling sleeping function in atomic context
+    - md raid10: fix NULL deference in handle_write_completed()
+    - locking/xchg/alpha: Add unconditional memory barrier to cmpxchg()
+    - md: raid5: avoid string overflow warning
+    - kernel/relay.c: limit kmalloc size to KMALLOC_MAX_SIZE
+    - PKCS#7: fix direct verification of SignerInfo signature
+    - locking/xchg/alpha: Fix xchg() and cmpxchg() memory ordering bugs
+    - macvlan: fix use-after-free in macvlan_common_newlink()
+    - md: fix a potential deadlock of raid5/raid10 reshape
+    - md/raid1: fix NULL pointer dereference
+    - ceph: fix dentry leak when failing to init debugfs
+    - [arm] ARM: orion5x: Revert commit 4904dbda41c8. closes: #892057
+    - dmaengine: rcar-dmac: fix max_chunk_size for R-Car Gen3
+    - bcache: fix kcrashes with fio in RAID5 backend dev
+    - RDMA/qedr: Fix kernel panic when running fio over NFSoRDMA
+    - RDMA/qedr: Fix iWARP write and send with immediate
+    - IB/mlx4: Fix corruption of RoCEv2 IPv4 GIDs
+    - fbdev: Fixing arbitrary kernel leak in case FBIOGETCMAP_SPARC in
+      sbusfb_ioctl_helper(). (CVE-2018-6412)
+    - fsl/fman: avoid sleeping in atomic context while adding an address
+    - net: qcom/emac: Use proper free methods during TX
+    - net: smsc911x: Fix unload crash when link is up
+    - IB/core: Fix possible crash to access NULL netdev
+    - batman-adv: fix header size check in batadv_dbg_arp()
+    - batman-adv: Fix skbuff rcsum on packet reroute
+    - vti4: Don't count header length twice on tunnel setup
+    - vti4: Don't override MTU passed on link creation via IFLA_MTU
+    - brcmfmac: Fix check for ISO3166 code
+    - mm/mempolicy.c: avoid use uninitialized preferred_node
+    - mm, thp: do not cause memcg oom for thp
+    - [x86] x86/mm: Do not forbid _PAGE_RW before init for __ro_after_init
+    - fs/proc/proc_sysctl.c: fix potential page fault while unregistering
+      sysctl table
+    - swap: divide-by-zero when zero length swap file on ssd
+    - mm: fix races between address_space dereference and free in
+      page_evicatable
+    - Btrfs: fix NULL pointer dereference in log_dir_items
+    - btrfs: Fix possible softlock on single core machines
+    - xen/acpi: off by one in read_acpi_id()
+    - ACPI: acpi_pad: Fix memory leak in power saving threads
+    - [powerpc*] powerpc/perf: Prevent kernel address leak to userspace via
+      BHRB buffer
+    - [powerpc*] powerpc/perf: Fix kernel address leak via sampling registers
+    - net/mlx5: Protect from command bit overflow
+    - ath10k: Fix kernel panic while using worker (ath10k_sta_rc_update_wk)
+    - ipmi_ssif: Fix kernel panic at msg_done_handler
+    - [powerpc*] powerpc: Add missing prototype for arch_irq_work_raise()
+    - f2fs: fix to check extent cache in f2fs_drop_extent_tree
+    - dmaengine: pl330: fix a race condition in case of threaded irqs
+    - audit: return on memory error to avoid null pointer dereference
+    - netlabel: If PF_INET6, check sk_buff ip header version
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.105
+    - Revert "vti4: Don't override MTU passed on link creation via IFLA_MTU"
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.106
+    - x86/xen: Add unwind hint annotations to xen_setup_gdt
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.107
+    - [arm64] arm64: lse: Add early clobbers to some input/output asm operands
+    - [powerpc*] powerpc/64s: Clear PCR on boot
+    - xfs: detect agfl count corruption and reset agfl
+    - tracing: Fix crash when freeing instances with event triggers
+    - selinux: KASAN: slab-out-of-bounds in xattr_getsecurity
+    - tcp: avoid integer overflows in tcp_rcv_space_adjust()
+    - [arm64] arm64: Add hypervisor safe helper for checking constant
+      capabilities
+    - [powerpc*] powerpc/rfi-flush: Move out of HARDLOCKUP_DETECTOR #ifdef
+    - [powerpc*] powerpc/pseries: Support firmware disable of RFI flush
+    - [powerpc*] powerpc/powernv: Support firmware disable of RFI flush
+    - [powerpc*] powerpc/rfi-flush: Always enable fallback flush on pseries
+    - [powerpc*] powerpc/rfi-flush: Differentiate enabled and patched flush
+      types
+    - [powerpc*] powerpc/rfi-flush: Call setup_rfi_flush() after LPM migration
+    - [powerpc*] powerpc: Add security feature flags for Spectre/Meltdown
+    - [powerpc*] powerpc/pseries: Set or clear security feature flags
+    - [powerpc*] powerpc/powernv: Set or clear security feature flags
+    - [powerpc*] powerpc/powernv: Use the security flags in
+      pnv_setup_rfi_flush()
+    - [powerpc*] powerpc/pseries: Use the security flags in
+      pseries_setup_rfi_flush()
+    - [powerpc*] powerpc/64s: Wire up cpu_show_spectre_v1()
+    - [powerpc*] powerpc/64s: Wire up cpu_show_spectre_v2()
+    - [powerpc*] powerpc/pseries: Fix clearing of security feature flags
+    - [powerpc*] powerpc: Move default security feature flags
+    - [powerpc*] powerpc/pseries: Restore default security feature flags on
+      setup
+    - [powerpc*] powerpc/64s: Fix section mismatch warnings from
+      setup_rfi_flush()
+    - [powerpc*] powerpc/64s: Add support for a store forwarding barrier at
+      kernel entry/exit
+    - net/mlx4_en: fix potential use-after-free with dma_unmap_page
+    - iio:kfifo_buf: check for uint overflow
+    - mm: fix the NULL mapping case in __isolate_lru_page()
+    - serial: pl011: add console matching function
+
+  [ Steve McIntyre ]
+  * Backports for Qualcomm Centriq machines. Closes: #896775
+    - [arm64] Backport support for Qualcomm Centriq onboard emac NIC
+    - [arm64] Backport workaround for erratum E1041
+
+  [ Romain Perier ]
+  * [armhf] MFD: Enable MFD_TPS65217 (Closes: #897590)
+
+  [ Salvatore Bonaccorso ]
+  * nfsd: increase DRC cache limit (Closes: #898137)
+
+  [ Yves-Alexis Perez ]
+  * [rt] Update patchset to 4.9.98-rt76
+    - don't apply "drivers/net: Use disable_irq_nosync() in 8139too" since
+      it's already included upstream
+    - removed "rtmutex: Fix PI chain order integrity"
+    - fs/aio: simple simple work
+  * Bump ABI to 7
+    - remove all ignored ABI changes since ABI 6
+    - remove all patches reverting ABI changes since ABI 6
+  * [rt] "fs/dcache: disable preemption on i_dir_seq's write side" edited for
+    fuzz after 4.9.106.
+
+  [ Ben Hutchings ]
+  * random: Make getranndom() ready earlier (see #897599)
+
 4.9.88-1+deb9u1 [Mon, 07 May 2018 23:38:25 +0100] Ben Hutchings <ben@decadent.org.uk>:
 
   [ Salvatore Bonaccorso ]
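
Review bot: two CVE ids in this hunk disagree with the CVE list recorded on this bug and should be verified before they are carried into the errata YAML. Under ChangeLog-4.9.99, "perf/core: Fix the perf_cpu_time_max_percent check" is tagged CVE-2018-18255, while the list on this bug gives CVE-2017-18255 for the integer overflow in perf_cpu_time_max_percent_handler(). Under ChangeLog-4.9.100, "f2fs: fix a dead loop in f2fs_fiemap()" is tagged CVE-2018-18257, an id with no entry in that list at all. Suggest confirming the year prefix of both ids against the upstream tracker and making sure the f2fs fix is either listed in linux.yaml under the confirmed id or deliberately left out.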

<http://10.200.17.11/4.3-1/#8358591334098079801>
Comment 3 Philipp Hahn univentionstaff 2018-08-09 09:44:02 CEST
OK: patches
~OK: piuparts (linux-support-4.9.0-7 can be ignored)
OK: yaml
OK: errata-announce -V --only linux.yaml
OK: errata-announce -V --only linux-latest.yaml
OK: errata-announce -V --only univention-kernel-image.yaml
OK: errata-announce -V --only univention-kernel-image-signed.yaml

[4.3-1] ebba97bf4a Bug #47490: Update to 4.9.110-7 from Debian
 kernel/univention-kernel-image/debian/changelog | 6 ++++++
 kernel/univention-kernel-image/debian/rules     | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

Package: univention-kernel-image
Version: 11.0.1-8A~4.3.0.201808090822
Branch: ucs_4.3-0
Scope: errata4.3-1

[4.3-1] 17a9394b45 Bug #47490: Update to linux-4.9.110-7
 .../univention-kernel-image-signed/debian/changelog   |   6 ++++++
 kernel/univention-kernel-image-signed/debian/control  |  10 +++++-----
 .../vmlinuz-4.9.0-6-amd64.efi.signed                  | Bin 4228720 -> 0 bytes
 .../vmlinuz-4.9.0-7-amd64.efi.signed                  | Bin 0 -> 4232816 bytes
 4 files changed, 11 insertions(+), 5 deletions(-)

Package: univention-kernel-image-signed
Version: 4.0.0-4A~4.3.0.201808090827
Branch: ucs_4.3-0
Scope: errata4.3-1

[4.3-1] 443ba49b5e Bug #47490: univention-kernel-image 11.0.1-8A~4.3.0.201808090822
 doc/errata/staging/linux.yaml                          |  1 +
 doc/errata/staging/univention-kernel-image-signed.yaml | 11 +++++++++++
 doc/errata/staging/univention-kernel-image.yaml        | 11 +++++++++++
 3 files changed, 23 insertions(+)

[4.3-1] b2c1af4200 Bug #47490: linux 4.9.110-3+deb9u1
 doc/errata/staging/linux.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

[4.3-1] 9f82f42125 Bug #47490: linux 4.9.110-3+deb9u1
 doc/errata/staging/linux.yaml | 116 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 116 insertions(+)

[4.3-1] dbc764df55 Bug #47490: linux-latest 80+deb9u5
 doc/errata/staging/linux-latest.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)

CVE-2017-5753 hw: cpu: speculative execution bounds-check bypass
CVE-2017-17975 kernel: use-after-free in the usbtv_probe function in drivers/media/usb/usbtv/usbtv-core.c
CVE-2017-18222 kernel: Memory corruption in ethtool_get_strings function in hns driver
CVE-2017-18255 kernel: Integer overflow in events/core.c:perf_cpu_time_max_percent_handler() can allow for denial of service
CVE-2018-1066 kernel: Null pointer dereference in fs/cifs/cifsencrypt.c:setup_ntlmv2_rsp() when empty TargetInfo is returned in NTLMSSP setup negotiation response allowing to crash client's kernel
CVE-2018-1087 Kernel: KVM: error in exception handling leads to wrong debug stack value
CVE-2018-1092 kernel: NULL pointer dereference in ext4/mballoc.c:ext4_process_freed_data() when mounting crafted ext4 image
CVE-2018-1093 kernel: Out of bounds read in ext4/balloc.c:ext4_valid_block_bitmap() causes crash with crafted ext4 image
CVE-2018-1108 kernel: drivers: getrandom(2) unblocks too early after system boot
CVE-2018-1118 kernel: vhost: Information disclosure in vhost/vhost.c:vhost_new_msg()
CVE-2018-1120 kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service
CVE-2018-1130 kernel: a null pointer dereference in net/dccp/output.c:dccp_write_xmit() leads to a system crash
CVE-2018-3639 hw: cpu: speculative store bypass
CVE-2018-5814 kernel: Race condition errors in USB over IP functionality can cause denial of service
CVE-2018-6412 kernel: Incorrect integer signedness in sbuslibc:sbusfb_ioctl_helper() allows for information leakage
CVE-2018-7757 kernel: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c
CVE-2018-8087 kernel: Memory leak in drivers/net/wireless/mac80211_hwsim.c:hwsim_new_radio_nl() can lead to potential denial of service
CVE-2018-8781 kernel: Integer overflow in drivers/gpu/drm/udl/udl_fb.c:udl_fb_mmap() can allow attackers to execute code in kernel space
CVE-2018-8822 kernel: Memory corruption in ncp_read_kernel function in fs/ncpfs/ncplib_kernel.c
CVE-2018-8897 Kernel: error in exception handling leads to DoS
CVE-2018-10021 kernel: ata qc leak in drivers/scsi/libsas/sas_scsi_host.c allows local users to cause denial-of-service
CVE-2018-10087 kernel: Undefined behavior in kernel/exit.c:kernel_wait4() function allows local denial of service
CVE-2018-10124 kernel: Undefined behaviour with INT_MIN argument in kernel/signal.c:kill_something_info() allows for denial of service
CVE-2018-10853 kernel: kvm: guest userspace to guest kernel write
CVE-2018-10876 kernel: use-after-free in jbd2_journal_commit_transaction function
CVE-2018-10877 kernel: out-of-bound access in ext4_ext_drop_refs function with a crafted ext4 image
CVE-2018-10878 kernel: out-of-bound write in ext4_init_block_bitmap function with a crafted ext4 image
CVE-2018-10879 kernel: use-after-free detected in ext4_xattr_set_entry with a crafted file
CVE-2018-10880 kernel: stack-out-of-bounds write in ext4_update_inline_data function
CVE-2018-10881 kernel: out-of-bound access in ext4_get_group_info() when mounting and operating a crafted ext4 image
CVE-2018-10882 kernel: stack-out-of-bounds write in fs/jbd2/transaction.c
CVE-2018-10883 kernel: stack-out-of-bounds write in jbd2_journal_dirty_metadata function
CVE-2018-10940 kernel: incorrect memory bounds check in drivers/cdrom/cdrom.c
CVE-2018-11506 kernel: Stack-based buffer overflow in drivers/scsi/sr_ioctl.c allows denial of service or other unspecified impact
CVE-2018-12233 kernel: Memory corruption in JFS setattr
CVE-2018-13405 kernel: Missing check in fs/inode.c:inode_init_owner() does not clear SGID bit on non-directories for non-members
CVE-2018-1000199 kernel: ptrace() incorrect error handling leads to corruption and DoS
CVE-2018-1000204 kernel: Infoleak caused by incorrect handling of the SG_IO ioctl

OK: univention-install univention-kernel-image
OK: uname -r # 4.9.0-7-amd64
OK: vimdiff <(./linux-dmesg-norm 4.9.0-6-amd64) <(./linux-dmesg-norm 4.9.0-7-amd64)
  Speculative Store Bypass: Vulnerable
OK: kvm amd64 SeaBIOS
OK: kvm amd64 OVMF+SB
OK: xen1 amd64 kexec
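
The QA steps above compare dmesg output between kernel builds and record `Speculative Store Bypass: Vulnerable`. The following is an added example, not part of the original comment or of the UCS tooling: it reads the same status from the kernel's sysfs directory `/sys/devices/system/cpu/vulnerabilities` and treats a missing entry (for example `l1tf` on a kernel without the sysfs reporting patch listed in the 4.9.110-3+deb9u3 changelog) as a finding rather than as "not affected". The function names are hypothetical.

```shell
#!/bin/sh
# Added example: summarise the CPU vulnerability status the running kernel
# reports, and flag issues the kernel does not report on at all.
# Function names are hypothetical; the sysfs directory is the kernel's own.

# classify_status TEXT -> OK | MITIGATED | PARTIAL | VULNERABLE | UNKNOWN
classify_status() {
    case "$1" in
        "Not affected"*) echo OK ;;
        "Mitigation:"*)
            # A mitigation line may still name a residual exposure,
            # e.g. "..., SMT vulnerable" in the l1tf entry.
            case "$1" in
                *[Vv]ulnerable*) echo PARTIAL ;;
                *) echo MITIGATED ;;
            esac ;;
        "Vulnerable"*) echo VULNERABLE ;;
        *) echo UNKNOWN ;;
    esac
}

# vuln_report [DIR]
# Prints "<state> <entry>: <kernel text>" per entry.
# Returns 0 if every entry is OK or MITIGATED, 1 otherwise, 2 if DIR is absent.
vuln_report() {
    vr_dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    [ -d "$vr_dir" ] || { echo "MISSING    $vr_dir"; return 2; }
    vr_rc=0
    for vr_file in "$vr_dir"/*; do
        [ -f "$vr_file" ] || continue
        vr_text=$(cat "$vr_file")
        vr_state=$(classify_status "$vr_text")
        printf '%-10s %s: %s\n' "$vr_state" "$(basename "$vr_file")" "$vr_text"
        case "$vr_state" in
            VULNERABLE|PARTIAL|UNKNOWN) vr_rc=1 ;;
        esac
    done
    return $vr_rc
}

# missing_entries DIR NAME...
# A kernel that predates the reporting patch for an issue has no file for it.
# That absence says nothing about whether the CPU is affected, so report it.
missing_entries() {
    me_dir=$1; shift
    me_rc=0
    for me_name in "$@"; do
        if [ ! -f "$me_dir/$me_name" ]; then
            echo "MISSING    $me_name: kernel does not report on this issue"
            me_rc=1
        fi
    done
    return $me_rc
}

# Command-line use:
#   sh cpu-vulns.sh /sys/devices/system/cpu/vulnerabilities l1tf spec_store_bypass
if [ "$#" -ge 1 ]; then
    cli_dir=$1; shift
    vuln_report "$cli_dir"; cli_r1=$?
    missing_entries "$cli_dir" "$@"; cli_r2=$?
    [ "$cli_r1" -eq 0 ] && [ "$cli_r2" -eq 0 ]
    exit $?
fi
```

Run it once per kernel build under test; a non-zero exit means at least one entry is vulnerable, only partly mitigated, unparseable, or missing.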
Comment 4 Philipp Hahn univentionstaff 2018-08-15 10:23:36 CEST
Debian already has linux-4.9.110-3+deb9u2 with the following single change:

>$ dchdiff -l3 /mnt/build-storage/upstream/debian-security/pool/updates/main/l/linux/linux_4.9.110-3+deb9u2.debian.tar.xz 
>4.9.110-3+deb9u2 [Mon, 13 Aug 2018 21:31:37 +0200] Salvatore Bonaccorso <carnil@debian.org>:
>  * Revert "net: increase fragment memory usage limits"

This is CVE-2018-5391:
>7.5     CVE-2018-5391 IP fragments with random offsets allow a remote denial of service (FragmentSmack)

L1TF (CVE-2018-3646, CVSSv3:5.8) is not yet fixed; I expect the next Debian Linux kernel update shortly.

( ) Shall we release 4.9.110-3+deb9u1 today anyway? 
(x) Shall we import 4.9.110-3+deb9u2 now and release that one today/next week? (Requires signing)
( ) Shall we wait for the next round fixing L1TF?

IMHO deb9u2 now and whatever is current next week as deb9u1 already fixes several other vulnerabilities even more severe than L1TF, but introduces a new vulnerability.

>0.0	CVE-2018-10087	Undefined behavior in kernel/exit.c:kernel_wait4() function allows local denial of service
>0.0	CVE-2018-10124	Undefined behaviour with INT_MIN argument in kernel/signal.c:kill_something_info() allows for denial of service
>2.0	CVE-2018-10021	ata qc leak in drivers/scsi/libsas/sas_scsi_host.c allows local users to cause denial-of-service
>2.3	CVE-2018-1118	vhost: Information disclosure in vhost/vhost.c:vhost_new_msg()
>2.8	CVE-2018-1120	fuse-backed file mmap-ed onto process cmdline arguments causes denial of service
>3.3	CVE-2018-6412	Incorrect integer signedness in sbuslibc:sbusfb_ioctl_helper() allows for information leakage
>3.3	CVE-2018-8087	Memory leak in drivers/net/wireless/mac80211_hwsim.c:hwsim_new_radio_nl() can lead to potential denial of service
>3.4	CVE-2017-18255	Integer overflow in events/core.c:perf_cpu_time_max_percent_handler() can allow for denial of service
>3.5	CVE-2017-17975	use-after-free in the usbtv_probe function in drivers/media/usb/usbtv/usbtv-core.c
>4.1	CVE-2018-1000204	Infoleak caused by incorrect handling of the SG_IO ioctl
>4.2	CVE-2018-10879	use-after-free detected in ext4_xattr_set_entry with a crafted file
>4.2	CVE-2018-10881	out-of-bound access in ext4_get_group_info() when mounting and operating a crafted ext4 image
>4.4	CVE-2018-10940	incorrect memory bounds check in drivers/cdrom/cdrom.c
>4.4	CVE-2018-12233	Memory corruption in JFS setattr
>4.4	CVE-2018-13405	Missing check in fs/inode.c:inode_init_owner() does not clear SGID bit on non-directories for non-members
>4.6	CVE-2018-1092	NULL pointer dereference in ext4/mballoc.c:ext4_process_freed_data() when mounting crafted ext4 image
>4.6	CVE-2018-1093	Out of bounds read in ext4/balloc.c:ext4_valid_block_bitmap() causes crash with crafted ext4 image
>4.8	CVE-2018-10878	out-of-bound write in ext4_init_block_bitmap function with a crafted ext4 image
>4.8	CVE-2018-10882	stack-out-of-bounds write infs/jbd2/transaction.c
>4.8	CVE-2018-10883	stack-out-of-bounds write in jbd2_journal_dirty_metadata function
>5.0	CVE-2018-10876	use-after-free in jbd2_journal_commit_transaction funtion
>5.1	CVE-2017-18222	Memory corruption in ethtool_get_strings function in hns driver
>5.2	CVE-2018-10877	out-of-bound access in ext4_ext_drop_refs function with a crafted ext4 image
>5.3	CVE-2018-11506	Stack-based buffer overflow in drivers/scsi/sr_ioctl.c allows denial of service or other unspecified impact
>5.3	CVE-2018-5814	Race condition errors in USB over IP functionality can cause denial of service
>5.5	CVE-2017-5753	cpu: speculative execution bounds-check bypass
>5.5	CVE-2018-10880	stack-out-of-bounds write in ext4_update_inline_data function
>5.5	CVE-2018-1130	a null pointer dereference in net/dccp/output.c:dccp_write_xmit() leads to a system crash
>5.5	CVE-2018-7757	Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c
>5.6	CVE-2018-3639	cpu: speculative store bypass
---
>5.8	CVE-2018-3646	hw: cpu: L1 terminal fault (L1TF)
---
>5.9	CVE-2018-1108	drivers: getrandom(2) unblocks too early after system boot
>6.4	CVE-2018-8822	Memory corruption in ncp_read_kernel function in fs/ncpfs/ncplib_kernel.c
>6.5	CVE-2018-1066	Null pointer dereference in fs/cifs/cifsencrypt.c:setup_ntlmv2_rsp() when empty TargetInfo is returned in NTLMSSP setup negotiation response allowing to crash client's kernel
>6.5	CVE-2018-8897	error in exception handling leads to DoS
>7.0	CVE-2018-8781	Integer overflow in drivers/gpu/drm/udl/udl_fb.c:udl_fb_mmap() can allow attackers to execute code in kernel space
---
>7.5	CVE-2018-5391	IP fragments with random offsets allow a remote denial of service (FragmentSmack)
---
>7.8	CVE-2018-1000199	ptrace() incorrect error handling leads to corruption and DoS
>7.8	CVE-2018-10853	kvm: guest userspace to guest kernel write
>8.0	CVE-2018-1087	KVM: error in exception handling leads to wrong debug stack value
Comment 5 Arvid Requate univentionstaff 2018-08-15 12:11:22 CEST
As discussed, I'm reluctant to ship this today as it would confuse customers as to what we are trying to deliver. So my vote is to release something better next week.


( ) Shall we import 4.9.110-3+deb9u2 now and release that one today/next week? (Requires signing)
(x) Shall we wait for the next round fixing L1TF?
Comment 6 Philipp Hahn univentionstaff 2018-08-21 14:09:27 CEST
4.9-0-8 imported from Debian:
* Add L1 Terminal Fault fixes (CVE-2018-3620, CVE-2018-3646)
Comment 7 Philipp Hahn univentionstaff 2018-08-21 14:30:00 CEST
[4.3-1] cacdb26223 Bug #47490: Update to linux-4.9.110 2
 .../univention-kernel-image-signed/debian/changelog   |   6 ++++++
 .../vmlinuz-4.9.0-7-amd64.efi.signed                  | Bin 4232816 -> 0 bytes
 2 files changed, 6 insertions(+)

[4.3-1] 73211afecc Bug #47490: Update to linux-4.9.110
 kernel/univention-kernel-image-signed/debian/control  |  10 +++++-----
 .../vmlinuz-4.9.0-8-amd64.efi.signed                  | Bin 0 -> 4241008 bytes
 2 files changed, 5 insertions(+), 5 deletions(-)

Package: univention-kernel-image-signed
Version: 4.0.0-5A~4.3.0.201808211420
Branch: ucs_4.3-0
Scope: errata4.3-1

[4.3-1] 302cbf8710 Bug #47490: Update to 4.9.110-8 from Debian
 kernel/univention-kernel-image/debian/changelog | 6 ++++++
 kernel/univention-kernel-image/debian/rules     | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

Package: univention-kernel-image
Version: 11.0.1-9A~4.3.0.201808211424
Branch: ucs_4.3-0
Scope: errata4.3-1

[4.3-1] 4690009d52 Bug #47490: linux-4.9.0-8
 doc/errata/staging/univention-kernel-image-signed.yaml | 4 ++--
 doc/errata/staging/univention-kernel-image.yaml        | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
Comment 8 Quality Assurance univentionstaff 2018-08-21 17:27:08 CEST
--- mirror/ftp/4.3/unmaintained/4.3-0/source/univention-kernel-image_11.0.1-7A~4.3.0.201803021350.dsc
+++ apt/ucs_4.3-0-errata4.3-1/source/univention-kernel-image_11.0.1-9A~4.3.0.201808211424.dsc
@@ -1,6 +1,14 @@
-11.0.1-7A~4.3.0.201803021350 [Fri, 02 Mar 2018 13:50:57 +0100] Univention builddaemon <buildd@univention.de>:
+11.0.1-9A~4.3.0.201808211424 [Tue, 21 Aug 2018 14:24:39 +0200] Univention builddaemon <buildd@univention.de>:
 
   * UCS auto build. No patches were applied to the original source package
+
+11.0.1-9 [Tue, 21 Aug 2018 14:23:52 +0200] Philipp Hahn <hahn@univention.de>:
+
+  * Bug #47490: Update to 4.9.110-8 from Debian
+
+11.0.1-8 [Thu, 09 Aug 2018 08:21:38 +0200] Philipp Hahn <hahn@univention.de>:
+
+  * Bug #47490: Update to 4.9.110-7 from Debian
 
 11.0.1-7 [Fri, 02 Mar 2018 13:09:24 +0100] Philipp Hahn <hahn@univention.de>:
 
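Review bot: The added 11.0.1-9 and 11.0.1-8 entries name their target as "4.9.110-8" and "4.9.110-7", which joins the upstream version 4.9.110 to the ABI suffix of 4.9.0-8 and 4.9.0-7. That string matches neither the Debian source version shown elsewhere in this bug (4.9.110-3+deb9u3) nor the `uname -r` output (4.9.0-8-amd64). Suggest writing the ABI name together with the source version, for example "Update to linux 4.9.0-8 (4.9.110-3+deb9u3)", so the entry can be matched against the errata YAML and the installed kernel.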

<http://10.200.17.11/4.3-1/#7727563526163334676>
Comment 9 Quality Assurance univentionstaff 2018-08-21 17:27:11 CEST
--- mirror/ftp/4.3/unmaintained/4.3-0/source/linux-latest_80+deb9u4.dsc
+++ apt/ucs_4.3-0-errata4.3-1/source/linux-latest_80+deb9u6.dsc
@@ -1,3 +1,11 @@
+80+deb9u6 [Sun, 19 Aug 2018 20:28:09 +0200] Salvatore Bonaccorso <carnil@debian.org>:
+
+  * Update to 4.9.0-8
+
+80+deb9u5 [Thu, 14 Jun 2018 15:07:03 +0100] Ben Hutchings <ben@decadent.org.uk>:
+
+  * Update to 4.9.0-7
+
 80+deb9u4 [Thu, 22 Feb 2018 08:32:44 +0100] Yves-Alexis Perez <corsac@debian.org>:
 
   * Update to 4.9.0-6

<http://10.200.17.11/4.3-1/#7727563526163334676>
Comment 10 Quality Assurance univentionstaff 2018-08-21 17:27:12 CEST
--- mirror/ftp/4.3/unmaintained/4.3-1/source/univention-kernel-image-signed_4.0.0-3A~4.3.0.201805091310.dsc
+++ apt/ucs_4.3-0-errata4.3-1/source/univention-kernel-image-signed_4.0.0-5A~4.3.0.201808211420.dsc
@@ -1,6 +1,14 @@
-4.0.0-3A~4.3.0.201805091310 [Wed, 09 May 2018 13:10:08 +0200] Univention builddaemon <buildd@univention.de>:
+4.0.0-5A~4.3.0.201808211420 [Tue, 21 Aug 2018 14:20:20 +0200] Univention builddaemon <buildd@univention.de>:
 
   * UCS auto build. No patches were applied to the original source package
+
+4.0.0-5 [Tue, 21 Aug 2018 14:18:45 +0200] Philipp Hahn <hahn@univention.de>:
+
+  * Bug #47490: Update to linux-4.9.110-8
+
+4.0.0-4 [Thu, 09 Aug 2018 08:26:56 +0200] Philipp Hahn <hahn@univention.de>:
+
+  * Bug #47490: Update to linux-4.9.110-7
 
 4.0.0-3 [Wed, 09 May 2018 13:05:07 +0200] Philipp Hahn <hahn@univention.de>:
 
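Review bot: Neither new entry (4.0.0-5, 4.0.0-4) says which signed binary the package now carries. For a package whose payload is an EFI-signed image, the changelog should name the file (vmlinuz-4.9.0-8-amd64.efi.signed, per the commit listed in comment 7) and the Debian source version it was built from, instead of the shorthand "linux-4.9.110-8", so the signed artifact stays traceable to a specific kernel build.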

<http://10.200.17.11/4.3-1/#7727563526163334676>
Comment 11 Quality Assurance univentionstaff 2018-08-21 17:27:15 CEST
--- mirror/ftp/4.3/unmaintained/4.3-1/source/linux_4.9.88-1+deb9u1.dsc
+++ apt/ucs_4.3-0-errata4.3-1/source/linux_4.9.110-3+deb9u3.dsc
@@ -1,3 +1,1148 @@
+4.9.110-3+deb9u3 [Sun, 19 Aug 2018 15:36:38 +0200] Salvatore Bonaccorso <carnil@debian.org>:
+
+  [ Salvatore Bonaccorso ]
+  * Add L1 Terminal Fault fixes (CVE-2018-3620, CVE-2018-3646)
+    - [x86] speculation/l1tf: Increase 32bit PAE __PHYSICAL_PAGE_SHIFT
+    - [x86] mm: move _PAGE_SWP_SOFT_DIRTY from bit 7 to bit 1
+    - [x86] speculation/l1tf: Change order of offset/type in swap entry
+    - [x86] speculation/l1tf: Protect swap entries against L1TF
+    - [x86] speculation/l1tf: Protect PROT_NONE PTEs against speculation
+    - [x86] speculation/l1tf: Make sure the first page is always reserved
+    - [x86] speculation/l1tf: Add sysfs reporting for l1tf
+    - [x86] speculation/l1tf: Disallow non privileged high MMIO PROT_NONE
+      mappings
+    - [x86] speculation/l1tf: Limit swap file size to MAX_PA/2
+    - [x86] bugs: Move the l1tf function and define pr_fmt properly
+    - [x86] smp: Provide topology_is_primary_thread()
+    - [x86] topology: Provide topology_smt_supported()
+    - cpu/hotplug: Make bringup/teardown of smp threads symmetric
+    - cpu/hotplug: Split do_cpu_down()
+    - cpu/hotplug: Provide knobs to control SMT
+    - [x86] cpu: Remove the pointless CPU printout
+    - [x86] cpu/AMD: Remove the pointless detect_ht() call
+    - [x86] cpu/common: Provide detect_ht_early()
+    - [x86] cpu/topology: Provide detect_extended_topology_early()
+    - [x86] cpu/intel: Evaluate smp_num_siblings early
+    - [x86] CPU/AMD: Do not check CPUID max ext level before parsing SMP
+      info
+    - [x86] cpu/AMD: Evaluate smp_num_siblings early
+    - [x86] apic: Ignore secondary threads if nosmt=force
+    - [x86] speculation/l1tf: Extend 64bit swap file size limit
+    - [x86] cpufeatures: Add detection of L1D cache flush support.
+    - [x86] CPU/AMD: Move TOPOEXT reenablement before reading
+      smp_num_siblings
+    - [x86] speculation/l1tf: Protect PAE swap entries against L1TF
+    - [x86] speculation/l1tf: Fix up pte->pfn conversion for PAE
+    - Revert "[x86] apic: Ignore secondary threads if nosmt=force"
+    - cpu/hotplug: Boot HT siblings at least once
+    - [x86] KVM: Warn user if KVM is loaded SMT and L1TF CPU bug being
+      present
+    - [x86] KVM/VMX: Add module argument for L1TF mitigation
+    - [x86] KVM/VMX: Add L1D flush algorithm
+    - [x86] KVM/VMX: Add L1D MSR based flush
+    - [x86] KVM/VMX: Add L1D flush logic
+    - kvm: nVMX: Update MSR load counts on a VMCS switch
+    - [x86] KVM/VMX: Split the VMX MSR LOAD structures to have an
+      host/guest numbers
+    - [x86] KVM/VMX: Add find_msr() helper function
+    - [x86] KVM/VMX: Separate the VMX AUTOLOAD guest/host number
+      accounting
+    - [x86] KVM/VMX: Extend add_atomic_switch_msr() to allow VMENTER only
+      MSRs
+    - [x86] KVM/VMX: Use MSR save list for IA32_FLUSH_CMD if required
+    - cpu/hotplug: Online siblings when SMT control is turned on
+    - [x86] litf: Introduce vmx status variable
+    - [x86] kvm: Drop L1TF MSR list approach
+    - [x86] l1tf: Handle EPT disabled state proper
+    - [x86] kvm: Move l1tf setup function
+    - [x86] kvm: Add static key for flush always
+    - [x86] kvm: Serialize L1D flush parameter setter
+    - [x86] kvm: Allow runtime control of L1D flush
+    - cpu/hotplug: Expose SMT control init function
+    - cpu/hotplug: Set CPU_SMT_NOT_SUPPORTED early
+    - [x86] bugs, kvm: Introduce boot-time control of L1TF mitigations
+    - Documentation: Add section about CPU vulnerabilities
+    - [x86] KVM/VMX: Initialize the vmx_l1d_flush_pages' content
+    - Documentation/l1tf: Fix typos
+    - cpu/hotplug: detect SMT disabled by BIOS
+    - [x86] KVM/VMX: Don't set l1tf_flush_l1d to true from vmx_l1d_flush()
+    - [x86] KVM/VMX: Replace 'vmx_l1d_flush_always' with
+      'vmx_l1d_flush_cond'
+    - [x86] KVM/VMX: Move the l1tf_flush_l1d test to vmx_l1d_flush()
+    - [x86] irq: Demote irq_cpustat_t::__softirq_pending to u16
+    - [x86] KVM/VMX: Introduce per-host-cpu analogue of l1tf_flush_l1d
+    - [x86] Don't include linux/irq.h from asm/hardirq.h
+    - [x86] irq: Let interrupt handlers set kvm_cpu_l1tf_flush_l1d
+    - [x86] KVM/VMX: Don't set l1tf_flush_l1d from
+      vmx_handle_external_intr()
+    - Documentation/l1tf: Remove Yonah processors from not vulnerable
+      list
+    - [x86] KVM: x86: Add a framework for supporting MSR-based features
+    - KVM: SVM: Add MSR-based feature support for serializing LFENCE
+    - [x86] KVM: X86: Introduce kvm_get_msr_feature()
+    - [x86] KVM: X86: Allow userspace to define the microcode version
+    - KVM: VMX: support MSR_IA32_ARCH_CAPABILITIES as a feature MSR
+    - [x86] speculation: Simplify sysfs report of VMX L1TF vulnerability
+    - [x86] speculation: Use ARCH_CAPABILITIES to skip L1D flush on
+      vmentry
+    - KVM: VMX: Tell the nested hypervisor to skip L1D flush on vmentry
+    - cpu/hotplug: Fix SMT supported evaluation
+    - [x86] speculation/l1tf: Invert all not present mappings
+    - [x86] speculation/l1tf: Make pmd/pud_mknotpresent() invert
+    - [x86] mm/pat: Make set_memory_np() L1TF safe
+    - [x86] mm/kmmio: Make the tracer robust against L1TF
+    - tools headers: Synchronise x86 cpufeatures.h for L1TF additions
+    - [x86] microcode: Do not upload microcode if CPUs are offline
+    - [x86] microcode: Allow late microcode loading with SMT disabled
+    - [x86] smp: fix non-SMP broken build due to redefinition of
+      apic_id_is_primary_thread
+    - cpu/hotplug: Non-SMP machines do not make use of booted_once
+    - [x86] init: fix build with CONFIG_SWAP=n
+    - [x86] speculation/l1tf: Unbreak !__HAVE_ARCH_PFN_MODIFY_ALLOWED
+      architectures
+    - [x86] cpu/amd: Limit cpu_core_id fixup to families older than F17h
+    - [x86] CPU/AMD: Have smp_num_siblings and cpu_llc_id always be
+      present
+    - [x86] l1tf: Fix build error seen if CONFIG_KVM_INTEL is disabled
+    - [x86] i8259: Add missing include file
+    - [x86] speculation/l1tf: Exempt zeroed PTEs from inversion
+
+  [ Yves-Alexis Perez ]
+  * [rt] refresh 0284-cpu-rt-Rework-cpu-down-for-PREEMPT_RT and
+    0286-kernel-cpu-fix-cpu-down-problem-if-kthread-s-cpu-is- context after
+    applying L1TF fixes.
+  * [rt] update 0281-random-Make-it-work-on-rt to fix builds with recent
+    compilers.
+
+  [ Ben Hutchings ]
+  * Bump ABI to 8
+
+4.9.110-3+deb9u2 [Mon, 13 Aug 2018 21:31:37 +0200] Salvatore Bonaccorso <carnil@debian.org>:
+
+  * Revert "net: increase fragment memory usage limits"
+
+4.9.110-3+deb9u1 [Fri, 03 Aug 2018 20:30:23 +0200] Salvatore Bonaccorso <carnil@debian.org>:
+
+  [ Romain Perier ]
+  * fs: Fix up non-directory creation in SGID directories (CVE-2018-13405)
+
+  [ Salvatore Bonaccorso ]
+  * tcp: free batches of packets in tcp_prune_ofo_queue()
+  * tcp: avoid collapses in tcp_prune_queue() if possible
+  * tcp: detect malicious patterns in tcp_collapse_ofo_queue()
+  * tcp: call tcp_drop() from tcp_data_queue_ofo()
+
+4.9.110-3 [Mon, 23 Jul 2018 17:47:13 +0100] Ben Hutchings <ben@decadent.org.uk>:
+
+  [ Salvatore Bonaccorso ]
+  * cdc_ncm: avoid padding beyond end of skb (Closes: #893393)
+  * Revert "sit: reload iphdr in ipip6_rcv" (Closes: #903776)
+
+4.9.110-2 [Wed, 18 Jul 2018 18:57:56 +0100] Ben Hutchings <ben@decadent.org.uk>:
+
+  [ Cyril Brulebois ]
+  * udeb: Add virtio_console to virtio-modules (Closes: #903122).
+
+  [ Ben Hutchings ]
+  * [x86] xen: Fix boot regression in PV domains (Closes: #903767):
+    - x86/xen: Add call of speculative_store_bypass_ht_init() to PV paths
+    - x86/cpu: Re-apply forced caps every time CPU caps are re-read
+  * ext4: fix false negatives *and* false positives in ext4_check_descriptors()
+    (Closes: #903838)
+  * xen-netfront: Fix regressions in 4.9.104 (Closes: #903914):
+    - Fix mismatched rtnl_unlock
+    - Update features after registering netdev
+
+4.9.110-1 [Thu, 05 Jul 2018 02:29:30 +0100] Ben Hutchings <ben@decadent.org.uk>:
+
+  * New upstream stable update:
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.108
+    - tpm: do not suspend/resume if power stays on
+    - tpm: self test failure should not cause suspend to fail
+    - mmap: introduce sane default mmap limits
+    - mmap: relax file size limit for regular files
+    - btrfs: define SUPER_FLAG_METADUMP_V2
+    - drm: set FMODE_UNSIGNED_OFFSET for drm files
+    - bnx2x: use the right constant
+    - dccp: don't free ccid2_hc_tx_sock struct in dccp_disconnect()
+    - enic: set DMA mask to 47 bit
+    - ip6mr: only set ip6mr_table from setsockopt when ip6mr_new_table succeeds
+    - ipv4: remove warning in ip_recv_error
+    - isdn: eicon: fix a missing-check bug
+    - net/packet: refine check for priv area size
+    - net: usb: cdc_mbim: add flag FLAG_SEND_ZLP
+    - packet: fix reserve calculation
+    - qed: Fix mask for physical address in ILT entry
+    - sctp: not allow transport timeout value less than HZ/5 for hb_timer
+    - team: use netdev_features_t instead of u32
+    - vhost: synchronize IOTLB message with dev cleanup
+    - vrf: check the original netdevice for generating redirect
+    - net/mlx4: Fix irq-unsafe spinlock usage
+    - rtnetlink: validate attributes in do_setlink()
+    - net: phy: broadcom: Fix bcm_write_exp()
+    - net: metrics: add proper netlink validation
+    - dm bufio: avoid false-positive Wmaybe-uninitialized warning
+    - objtool: complete e390f9a port for v4.9.106
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.109
+    - [x86] fpu: Hard-disable lazy FPU mode
+    - bonding: correctly update link status during mii-commit phase
+    - bonding: fix active-backup transition
+    - bonding: require speed/duplex only for 802.3ad, alb and tlb
+    - nvme-pci: initialize queue memory before interrupts
+    - af_key: Always verify length of provided sadb_key
+    - [x86] crypto, x86/fpu: Remove X86_FEATURE_EAGER_FPU #ifdef from the
+      crc32c code
+    - nvmet: Move serial number from controller to subsystem
+    - nvmet: don't report 0-bytes in serial number
+    - nvmet: don't overwrite identify sn/fr with 0-bytes
+    - gpio: No NULL owner
+    - [x86] KVM: introduce linear_{read,write}_system
+    - [x86] KVM: pass kvm_vcpu to kvm_read_guest_virt and
+      kvm_write_guest_virt_system
+    - usbip: vhci_sysfs: fix potential Spectre v1 (CVE-2017-5753)
+    - [armhf] serial: samsung: fix maxburst parameter for DMA transactions
+    - [armhf] serial: 8250: omap: Fix idling of clocks for unused uarts
+    - [x86] vmw_balloon: fixing double free when batching mode is off
+    - [armhf,arm64] tty: pl011: Avoid spuriously stuck-off interrupts
+    - [x86] kvm: use correct privilege level for sgdt/sidt/fxsave/fxrstor
+      access (CVE-2018-10853)
+    - [powerpc*] crypto: vmx - Remove overly verbose printk from AES init
+      routines
+    - [armhf] crypto: omap-sham - fix memleak
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.110
+    - xfrm6: avoid potential infinite loop in _decode_session6()
+    - netfilter: ebtables: handle string from userspace with care
+    - ipvs: fix buffer overflow with sync daemon and service
+    - iwlwifi: pcie: compare with number of IRQs requested for, not number of
+      CPUs
+    - atm: zatm: fix memcmp casting
+    - [x86] platform: asus-wmi: Fix NULL pointer dereference
+    - Revert "Btrfs: fix scrub to repair raid6 corruption"
+    - tcp: do not overshoot window_clamp in tcp_rcv_space_adjust()
+    - Btrfs: make raid6 rebuild retry more
+    - [armhf] usb: musb: fix remote wakeup racing with suspend
+    - bonding: re-evaluate force_primary when the primary slave name changes
+    - ipv6: allow PMTU exceptions to local routes
+    - net/sched: act_simple: fix parsing of TCA_DEF_DATA
+    - tcp: verify the checksum of the first data segment in a new connection
+    - ext4: fix hole length detection in ext4_ind_map_blocks()
+    - ext4: update mtime in ext4_punch_hole even if no blocks are released
+    - ext4: fix fencepost error in check for inode count overflow during resize
+    - driver core: Don't ignore class_dir_create_and_add() failure.
+    - Btrfs: fix clone vs chattr NODATASUM race
+    - Btrfs: fix memory and mount leak in btrfs_ioctl_rm_dev_v2()
+    - btrfs: scrub: Don't use inode pages for device replace
+    - ALSA: hda - Handle kzalloc() failure in snd_hda_attach_pcm_stream()
+    - smb3: on reconnect set PreviousSessionId field
+    - cpufreq: Fix new policy initialization during limits updates via sysfs
+    - libata: zpodd: make arrays cdb static, reduces object code size
+    - libata: zpodd: small read overflow in eject_tray()
+    - libata: Drop SanDisk SD7UB3Q*G1001 NOLPM quirk
+    - [x86] HID: intel_ish-hid: ipc: register more pm callbacks to support
+      hibernation
+    - vhost: fix info leak due to uninitialized memory (CVE-2018-1118)
+    - fs/binfmt_misc.c: do not allow offset overflow
+
+  [ Ben Hutchings ]
+  * netfilter: xt_hashlimit: Fix integer divide round to zero.
+    (Closes: #872907)
+  * [arm64,powerpc*,x86] drm/ast: Add support for new chips and boards
+    (Closes: #860900):
+    - drm/ast: const'ify mode setting tables
+    - drm/ast: Remove spurrious include
+    - drm/ast: Fix calculation of MCLK
+    - drm/ast: Base support for AST2500
+    - drm/ast: Fixed vram size incorrect issue on POWER
+    - drm/ast: Factor mmc_test code in POST code
+    - drm/ast: Rename ast_init_dram_2300 to ast_post_chip_2300
+    - drm/ast: POST code for the new AST2500
+  * ext4: add corruption check in ext4_xattr_set_entry() (CVE-2018-10879)
+  * ext4: always verify the magic number in xattr blocks (CVE-2018-10879)
+  * ext4: always check block group bounds in ext4_init_block_bitmap()
+    (CVE-2018-10878)
+  * ext4: make sure bitmaps and the inode table don't overlap with bg
+    descriptors (CVE-2018-10878)
+  * ext4: only look at the bg_flags field if it is valid (CVE-2018-10876)
+  * ext4: verify the depth of extent tree in ext4_find_extent()
+    (CVE-2018-10877)
+  * ext4: clear i_data in ext4_inode_info when removing inline data
+    (CVE-2018-10881)
+  * ext4: never move the system.data xattr out of the inode body
+    (CVE-2018-10880)
+  * jbd2: don't mark block as modified if the handle is out of credits
+    (CVE-2018-10883)
+  * ext4: avoid running out of journal credits when appending to an inline file
+    (CVE-2018-10883)
+  * ext4: add more inode number paranoia checks (CVE-2018-10882)
+  * sr: pass down correctly sized SCSI sense buffer (CVE-2018-11506)
+  * nvme: Ignore ABI changes
+  * tpm: Ignore ABI changes
+
+  [ Romain Perier ]
+  * jfs: Fix inconsistency between memory allocation and ea_buf->max_size
+    (CVE-2018-12233)
+
+4.9.107-1 [Wed, 13 Jun 2018 04:48:46 +0100] Ben Hutchings <ben@decadent.org.uk>:
+
+  * New upstream stable update:
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.89
+    - drm: qxl: Don't alloc fbdev if emulation is not supported
+    - selinux: check for address length in selinux_socket_bind()
+    - [x86] x86/mm: Make mmap(MAP_32BIT) work correctly
+    - perf sort: Fix segfault with basic block 'cycles' sort dimension
+    - [x86] x86/mce: Handle broadcasted MCE gracefully with kexec
+    - ath10k: fix fetching channel during potential radar detection
+    - usb: misc: lvs: fix race condition in disconnect handling
+    - zd1211rw: fix NULL-deref at probe
+    - batman-adv: handle race condition for claims between gateways
+    - [x86] x86/boot/32: Defer resyncing initial_page_table until per-cpu is
+      set up
+    - media: i2c/soc_camera: fix ov6650 sensor getting wrong clock
+    - timers, sched_clock: Update timeout for clock wrap
+    - sched: act_csum: don't mangle TCP and UDP GSO packets
+    - PCI: hv: Properly handle PCI bus remove
+    - PCI: hv: Lock PCI bus on device eject
+    - i40e/i40evf: Fix use after free in Rx cleanup path
+    - scsi: be2iscsi: Check tag in beiscsi_mccq_compl_wait
+    - mm: Fix false-positive VM_BUG_ON() in page_cache_{get,add}_speculative()
+    - f2fs: relax node version check for victim data in gc
+    - drm/ttm: never add BO that failed to validate to the LRU list
+    - powerpc/mm/hugetlb: Filter out hugepage size not supported by page table
+      layout
+    - NFC: nfcmrvl: double free on error path
+    - [powerpc*] powerpc: Avoid taking a data miss on every userspace
+      instruction miss
+    - printk: Correctly handle preemption in console_unlock()
+    - drm: rcar-du: Handle event when disabling CRTCs
+    - apparmor: Make path_max parameter readonly
+    - iommu/iova: Fix underflow bug in __alloc_and_insert_iova_range
+    - kvm: nVMX: Disallow userspace-injected exceptions in guest mode
+    - [mips*] MIPS: BPF: Quit clobbering callee saved registers in JIT code.
+    - [mips*] MIPS: BPF: Fix multiple problems in JIT skb access helpers.
+    - [mips*] MIPS: r2-on-r6-emu: Fix BLEZL and BGTZL identification
+    - [mips*] MIPS: r2-on-r6-emu: Clear BLTZALL and BGEZALL debugfs counters
+    - v4l: vsp1: Prevent multiple streamon race commencing pipeline early
+    - regulator: isl9305: fix array size
+    - md/raid6: Fix anomily when recovering a single device in RAID6.
+    - [powerpc*] powerpc/nohash: Fix use of mmu_has_feature() in
+      setup_initial_memory_limit()
+    - usb: dwc2: Make sure we disconnect the gadget state
+    - [arm*] drivers/perf: arm_pmu: handle no platform_device
+    - [x86] kprobes/x86: Set kprobes pages read-only
+    - Bluetooth: Avoid bt_accept_unlink() double unlinking
+    - Bluetooth: 6lowpan: fix delay work init in add_peer_chan()
+    - wil6210: fix memory access violation in wil_memcpy_from/toio_32
+    - sched: Stop switched_to_rt() from sending IPIs to offline CPUs
+    - sched: Stop resched_cpu() from sending IPIs to offline CPUs
+    - mwifiex: cfg80211: do not change virtual interface during scan
+      processing
+    - media: cpia2: Fix a couple off by one bugs
+    - drm/amdkfd: Fix memory leaks in kfd topology
+    - [i386] x86/boot/32: Fix UP boot on Quark and possibly other platforms
+    - [i386] x86/vm86/32: Fix POPF emulation
+    - [i386] x86/speculation, objtool: Annotate indirect calls/jumps for
+      objtool on 32-bit kernels
+    - [x86] x86/speculation: Remove Skylake C2 from Speculation Control
+      microcode blacklist
+    - [x86] x86/mm: Fix vmalloc_fault to use pXd_large
+    - ALSA: pcm: Fix UAF in snd_pcm_oss_get_formats()
+    - ALSA: seq: Fix possible UAF in snd_seq_check_queue()
+    - fs: Teach path_connected to handle nfs filesystems with multiple roots.
+    - lock_parent() needs to recheck if dentry got __dentry_kill'ed under it
+    - btrfs: alloc_chunk: fix DUP stripe size handling
+    - btrfs: Fix use-after-free when cleaning up fs_devs with a single stale
+      device
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.90
+    - tpm: fix potential buffer overruns caused by bit glitches on the bus
+    - SMB3: Validate negotiate request must always be signed
+    - CIFS: Enable encryption during session setup phase (CVE-2018-1066)
+    - ath: Fix updating radar flags for coutry code India
+    - mwifiex: don't leak 'chan_stats' on reset
+    - [x86] x86/reboot: Turn off KVM when halting a CPU
+    - IB/ipoib: Fix deadlock between ipoib_stop and mcast join flow
+    - HSI: ssi_protocol: double free in ssip_pn_xmit()
+    - IB/mlx4: Take write semaphore when changing the vma struct
+    - IB/mlx4: Change vma from shared to private
+    - IB/mlx5: Take write semaphore when changing the vma struct
+    - IB/mlx5: Change vma from shared to private
+    - ibmvnic: Disable irq prior to close
+    - netfilter: xt_CT: fix refcnt leak on error path
+    - tipc: check return value of nlmsg_new
+    - wan: pc300too: abort path on failure
+    - qlcnic: fix unchecked return value
+    - infiniband/uverbs: Fix integer overflows
+    - pNFS: Fix use after free issues in pnfs_do_read()
+    - xprtrdma: Cancel refresh worker during buffer shutdown
+    - NFS: don't try to cross a mountpount when there isn't one there.
+    - mt7601u: check return value of alloc_skb
+    - libertas: check return value of alloc_workqueue
+    - rndis_wlan: add return value validation
+    - Btrfs: fix incorrect space accounting after failure to insert inline
+      extent
+    - Btrfs: send, fix file hole not being preserved due to inline extent
+    - Btrfs: fix extent map leak during fallocate error path
+    - mac80211: don't parse encrypted management frames in
+      ieee80211_frame_acked
+    - mtip32xx: use runtime tag to initialize command header
+    - [x86] x86/KASLR: Fix kexec kernel boot crash when KASLR randomization
+      fails
+    - mac80211: Fix possible sband related NULL pointer de-reference
+    - netfilter: x_tables: unlock on error in xt_find_table_lock()
+    - IB/hfi1: Fix softlockup issue
+    - ipmi/watchdog: fix wdog hang on panic waiting for ipmi response
+    - drm/amdgpu: fix gpu reset crash
+    - qed: Unlock on error in qed_vf_pf_acquire()
+    - bnx2x: Align RX buffers
+    - [ppc*] power: supply: isp1704: Fix unchecked return value of
+      devm_kzalloc
+    - [ppc*] power: supply: pda_power: move from timer to delayed_work
+    - md/raid10: skip spare disk as 'first' disk
+    - ACPI / power: Delay turning off unused power resources after suspend
+    - tcm_fileio: Prevent information leak for short reads
+    - video: fbdev: udlfb: Fix buffer on stack
+    - sm501fb: don't return zero on failure path in sm501fb_start()
+    - pNFS: Fix a deadlock when coalescing writes and returning the layout
+    - net: hns: fix ethtool_get_strings overflow in hns driver
+    - cifs: small underflow in cnvrtDosUnixTm()
+    - ath10k: fix out of bounds access to local buffer
+    - block/mq: Cure cpu hotplug lock inversion
+    - Bluetooth: btqcomsmd: Fix skb double free corruption
+    - media: c8sectpfe: fix potential NULL pointer dereference in
+      c8sectpfe_timer_interrupt
+    - drm/msm: fix leak in failed get_pages
+    - RDMA/iwpm: Fix uninitialized error code in iwpm_send_mapinfo()
+    - rtlwifi: rtl_pci: Fix the bug when inactiveps is enabled.
+    - media: bt8xx: Fix err 'bt878_probe()'
+    - dmaengine: zynqmp_dma: Fix race condition in the probe
+    - drm/tilcdc: ensure nonatomic iowrite64 is not used
+    - mmc: avoid removing non-removable hosts during suspend
+    - IB/ipoib: Avoid memory leak if the SA returns a different DGID
+    - RDMA/cma: Use correct size when writing netlink stats
+    - iommu/vt-d: clean up pr_irq if request_threaded_irq fails
+    - RDMA/ocrdma: Fix permissions for OCRDMA_RESET_STATS
+    - IB/mlx5: Fix out-of-bounds read in create_raw_packet_qp_rq
+    - RDMA/ucma: Fix access to non-initialized CM_ID object
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.91
+    - libata: fix length validation of ATAPI-relayed SCSI commands
+    - libata: Apply NOLPM quirk to Crucial MX100 512GB SSDs
+    - libata: disable LPM for Crucial BX100 SSD 500GB drive
+    - libata: Enable queued TRIM for Samsung SSD 860
+    - libata: Apply NOLPM quirk to Crucial M500 480 and 960GB SSDs
+    - libata: Make Crucial BX100 500GB LPM quirk apply to all firmware
+      versions
+    - libata: Modify quirks for MX100 to limit NCQ_TRIM quirk to MU01 version
+    - nfsd: remove blocked locks on client teardown
+    - mm/vmalloc: add interfaces to free unmapped page table
+    - drm: udl: Properly check framebuffer mmap offsets (CVE-2018-8781)
+    - mtd: nand: fsl_ifc: Fix eccstat array overflow for IFC ver >= 2.0.0
+    - staging: ncpfs: memory corruption in ncp_read_kernel() (CVE-2018-8822)
+    - can: cc770: Fix use after free in cc770_tx_interrupt()
+    - kvm/x86: fix icebp instruction handling (CVE-2018-1087)
+    - [x86] x86/entry/64: Don't use IST entry for #BP stack (CVE-2018-8897)
+    - bpf: skip unnecessary capability check
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.92
+    - scsi: sg: don't return bogus Sg_requests
+    - net sched actions: return explicit error when tunnel_key mode is not
+      specified
+    - ppp: avoid loop in xmit recursion detection code
+    - sch_netem: fix skb leak in netem_enqueue()
+    - ieee802154: 6lowpan: fix possible NULL deref in lowpan_device_event()
+    - net: Fix hlist corruptions in inet_evict_bucket()
+    - dccp: check sk for closed state in dccp_sendmsg() (CVE-2018-1130)
+    - ipv6: fix access to non-linear packet in
+      ndisc_fill_redirect_hdr_option()
+    - l2tp: do not accept arbitrary sockets
+    - net: ethernet: arc: Fix a potential memory leak if an optional regulator
+      is deferred
+    - netlink: avoid a double skb free in genlmsg_mcast()
+    - team: Fix double free in error path
+    - soc/fsl/qbman: fix issue in qman_delete_cgr_safe()
+    - net: hns: Fix a skb used after free bug
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.93
+    - mtd: jedec_probe: Fix crash in jedec_read_mfr()
+    - ALSA: pcm: potential uninitialized return values
+    - perf/hwbp: Simplify the perf-hwbp code, fix documentation
+    (CVE-2018-1000199)
+    - kprobes/x86: Fix to set RWX bits correctly before releasing trampoline
+    - arm64: avoid overflow in VA_START and PAGE_OFFSET
+    - xfrm_user: uncoditionally validate esn replay attribute struct
+    - RDMA/ucma: Check AF family prior resolving address
+    - RDMA/ucma: Fix use-after-free access in ucma_close
+    - RDMA/ucma: Ensure that CM_ID exists prior to access it
+    - RDMA/ucma: Check that device is connected prior to access it
+    - RDMA/ucma: Check that device exists prior to accessing it
+    - RDMA/ucma: Introduce safer rdma_addr_size() variants
+    - net: xfrm: use preempt-safe this_cpu_read() in ipcomp_alloc_tfms()
+    - xfrm: Refuse to insert 32 bit userspace socket policies on 64 bit
+      systems
+    - netfilter: bridge: ebt_among: add more missing match size checks
+    - Bluetooth: Fix missing encryption refresh on Security Request
+    - scsi: virtio_scsi: always read VPD pages for multiqueue too
+    - usb: dwc2: Improve gadget state disconnection handling
+    - [arm64] arm64: mm: Use non-global mappings for kernel space
+    - [arm64] arm64: mm: Move ASID from TTBR0 to TTBR1
+    - [arm64] arm64: mm: Allocate ASIDs in pairs
+    - [arm64] arm64: mm: Add arm64_kernel_unmapped_at_el0 helper
+    - [arm64] arm64: mm: Invalidate both kernel and user ASIDs when performing
+      TLBI
+    - [arm64] arm64: factor out entry stack manipulation
+    - module: extend 'rodata=off' boot cmdline parameter to module mappings
+    - [arm64] entry: Add exception trampoline page for exceptions from EL0
+    - [arm64] mm: Map entry trampoline into trampoline and kernel page tables
+    - [arm64] entry: Explicitly pass exception level to kernel_ventry macro
+    - [arm64] entry: Hook up entry trampoline to exception vectors
+    - [arm64] tls: Avoid unconditional zeroing of tpidrro_el0 for native tasks
+    - [arm64] entry: Add fake CPU feature for unmapping the kernel at EL0
+    - [arm64] kaslr: Put kernel vectors address in separate data page
+    - [arm64] use RET instruction for exiting the trampoline
+    - [arm64] Kconfig: Add CONFIG_UNMAP_KERNEL_AT_EL0
+    - [arm64] Kconfig: Reword UNMAP_KERNEL_AT_EL0 kconfig entry
+    - [arm64] Take into account ID_AA64PFR0_EL1.CSV3
+    - [arm64] Allow checking of a CPU-local erratum
+    - [arm64] capabilities: Handle duplicate entries for a capability
+    - [arm64] cputype: Add MIDR values for Cavium ThunderX2 CPUs
+    - [arm64] Turn on KPTI only on CPUs that need it
+    - [arm64] kpti: Make use of nG dependent on arm64_kernel_unmapped_at_el0()
+    - [arm64] kpti: Add ->enable callback to remap swapper using nG mappings
+    - [arm64] Force KPTI to be disabled on Cavium ThunderX
+    - [arm64] entry: Reword comment about post_ttbr_update_workaround
+    - [arm64] idmap: Use "awx" flags for .idmap.text .pushsection directives
+    - media: usbtv: prevent double free in error case (CVE-2017-17975)
+    - crypto: ahash - Fix early termination in hash walk
+    - crypto: x86/cast5-avx - fix ECB encryption when long sg follows short
+      one
+    - net: hns: Fix ethtool private flags (CVE-2017-18222)
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.94
+    - [x86] x86/asm: Don't use RBP as a temporary register in
+      csum_partial_copy_generic()
+    - IB/srpt: Avoid that aborting a command triggers a kernel warning
+    - af_key: Fix slab-out-of-bounds in pfkey_compile_policy.
+    - bna: Avoid reading past end of buffer
+    - qlge: Avoid reading past end of buffer
+    - ubi: fastmap: Fix slab corruption
+    - drivers/misc/vmw_vmci/vmci_queue_pair.c: fix a couple integer overflow
+      tests
+    - perf/callchain: Force USER_DS when invoking perf_callchain_user()
+    - Input: elan_i2c - check if device is there before really probing
+    - KVM: PPC: Book3S PR: Check copy_to/from_user return values
+    - [arm64] arm64: perf: Ignore exclude_hv when kernel is running in HYP
+    - [arm] KVM: arm: Restore banked registers and physical timer access on
+      hyp_panic()
+    - [arm64] KVM: arm64: Restore host physical timer access on hyp_panic()
+    - usb: dwc3: keystone: check return value
+    - ata: libahci: properly propagate return value of platform_get_irq()
+    - ipmr: vrf: Find VIFs using the actual device
+    - uio: fix incorrect memory leak cleanup
+    - net: x25: fix one potential use-after-free issue
+    - USB: ene_usb6250: fix SCSI residue overwriting
+    - net/wan/fsl_ucc_hdlc: fix unitialized variable warnings
+    - net/wan/fsl_ucc_hdlc: fix incorrect memory allocation
+    - mlxsw: spectrum: Avoid possible NULL pointer dereference
+    - scsi: csiostor: fix use after free in csio_hw_use_fwconfig()
+    - [powerpc*] powerpc/mm: Fix virt_addr_valid() etc. on 64-bit hash
+    - ath5k: fix memory leak on buf on failed eeprom read
+    - ext4: handle the rest of ext4_mb_load_buddy() ENOMEM errors
+    - md-cluster: fix potential lock issue in add_new_disk
+    - ray_cs: Avoid reading past end of buffer
+    - net/wan/fsl_ucc_hdlc: fix muram allocation error
+    - perf/core: Fix error handling in perf_event_alloc()
+    - selinux: do not check open permission on sockets
+    - block: fix an error code in add_partition()
+    - libceph: NULL deref on crush_decode() error path
+    - perf report: Fix off-by-one for non-activation frames
+    - netfilter: ctnetlink: fix incorrect nf_ct_put during hash resize
+    - scsi: bnx2fc: fix race condition in bnx2fc_get_host_stats()
+    - fix race in drivers/char/random.c:get_reg()
+    - ext4: fix off-by-one on max nr_pages in ext4_find_unwritten_pgoff()
+    - tcp: better validation of received ack sequences
+    - net: llc: add lock_sock in llc_ui_bind to avoid a race condition
+    - drm/msm: Take the mutex before calling msm_gem_new_impl
+    - thermal: power_allocator: fix one race condition issue for
+      thermal_instances list
+    - VFS: close race between getcwd() and d_move()
+    - PM / devfreq: Fix potential NULL pointer dereference in governor_store
+    - media: videobuf2-core: don't go out of the buffer range
+    - blk-mq: fix race between updating nr_hw_queues and switching io sched
+    - wl1251: check return from call to wl1251_acx_arp_ip_filter
+    - hdlcdrv: Fix divide by zero in hdlcdrv_ioctl
+    - [x86] x86/efi: Disable runtime services on kexec kernel if booted with
+      efi=old_map
+    - ovl: filter trusted xattr for non-admin
+    - dmaengine: imx-sdma: Handle return value of clk_prepare_enable
+    - backlight: Report error on failure
+    - [arm64] arm64: futex: Fix undefined behaviour with FUTEX_OP_OPARG_SHIFT
+      usage
+    - net: freescale: fix potential null pointer dereference
+    - KVM: SVM: do not zero out segment attributes if segment is unusable or
+      not present
+    - clk: scpi: fix return type of __scpi_dvfs_round_rate
+    - drm/amdkfd: NULL dereference involving create_process()
+    - qlcnic: Fix a sleep-in-atomic bug in qlcnic_82xx_hw_write_wx_2M and
+      qlcnic_82xx_hw_read_wx_2M
+    - [arm64] arm64: kernel: restrict /dev/mem read() calls to linear region
+    - mISDN: Fix a sleep-in-atomic bug
+    - RDMA/iw_cxgb4: Avoid touch after free error in ARP failure handlers
+    - RDMA/hfi1: fix array termination by appending NULL to attr array
+    - bio-integrity: Do not allocate integrity context for bio w/o data
+    - skbuff: return -EMSGSIZE in skb_to_sgvec to prevent overflow
+    - macsec: check return value of skb_to_sgvec always
+    - e1000e: fix race condition around skb_tstamp_tx()
+    - igb: fix race condition with PTP_TX_IN_PROGRESS bits
+    - cx25840: fix unchecked return values
+    - mceusb: sporadic RX truncation corruption fix
+    - nvme: fix hang in remove path
+    - KVM: nVMX: Update vmcs12->guest_linear_address on nested VM-exit
+    - crypto: omap-sham - buffer handling fixes for hashing later
+    - crypto: omap-sham - fix closing of hash with separate finalize call
+    - net: ena: fix race condition between submit and completion admin command
+    - [s390x] s390/dasd: fix hanging safe offline
+    - drm/vc4: Fix resource leak in 'vc4_get_hang_state_ioctl()' in error
+      handling path
+    - scsi: libsas: fix memory leak in sas_smp_get_phy_events()
+      (CVE-2018-7757)
+    - blk-mq: fix kernel oops in blk_mq_tag_idle()
+    - ipv6: the entire IPv6 header chain must fit the first fragment
+    - net: fix possible out-of-bound read in skb_network_protocol()
+    - net/ipv6: Fix route leaking between VRFs
+    - net/ipv6: Increment OUTxxx counters after netfilter hook
+    - netlink: make sure nladdr has correct size in netlink_connect()
+    - net/sched: fix NULL dereference in the error path of tcf_bpf_init()
+    - pptp: remove a buggy dst release in pptp_connect()
+    - r8169: fix setting driver_data after register_netdev
+    - sctp: do not leak kernel memory to user space
+    - sctp: sctp_sockaddr_af must check minimal addr length for AF_INET6
+    - net: fool proof dev_valid_name()
+    - ip_tunnel: better validate user provided tunnel names
+    - ipv6: sit: better validate user provided tunnel names
+    - ip6_gre: better validate user provided tunnel names
+    - ip6_tunnel: better validate user provided tunnel names
+    - vti6: better validate user provided tunnel names
+    - net/sched: fix NULL dereference in the error path of tunnel_key_init()
+    - net/sched: fix NULL dereference on the error path of tcf_skbmod_init()
+    - vhost: validate log when IOTLB is enabled
+    - vhost_net: add missing lock nesting notation
+    - net/mlx4_core: Fix memory leak while delete slave's resources
+    - vrf: Fix use after free and double free in vrf_finish_output
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.95
+    - media: v4l2-compat-ioctl32: don't oops on overlay
+    - parisc: Fix out of array access in match_pci_device()
+    - perf intel-pt: Fix overlap detection to identify consecutive buffers
+      correctly
+    - perf intel-pt: Fix timestamp following overflow
+    - perf/core: Fix use-after-free in uprobe_perf_close()
+    - [arm64] arm64: barrier: Add CSDB macros to control data-value prediction
+    - [arm64] arm64: Implement array_index_mask_nospec()
+    - [arm64] arm64: move TASK_* definitions to <asm/processor.h>
+    - [arm64] arm64: Make USER_DS an inclusive limit
+    - [arm64] arm64: Use pointer masking to limit uaccess speculation
+    - [arm64] arm64: entry: Ensure branch through syscall table is bounded
+      under speculation
+    - [arm64] arm64: uaccess: Prevent speculative use of the current
+      addr_limit
+    - [arm64] arm64: uaccess: Don't bother eliding access_ok checks in __{get,
+      put}_user
+    - [arm64] arm64: uaccess: Mask __user pointers for __arch_{clear,
+      copy_*}_user
+    - [arm64] arm64: cpufeature: __this_cpu_has_cap() shouldn't stop early
+    - [arm64] arm64: Run enable method for errata work arounds on late CPUs
+    - [arm64] arm64: cpufeature: Pass capability structure to ->enable
+      callback
+    - [arm64] arm64: Factor out TTBR0_EL1 post-update workaround into a
+      specific asm macro
+    - [arm64] arm64: Move post_ttbr_update_workaround to C code
+    - [arm64] arm64: Add skeleton to harden the branch predictor against
+      aliasing attacks
+    - [arm64] arm64: Move BP hardening to check_and_switch_context
+    - [arm64] arm64: KVM: Use per-CPU vector when BP hardening is enabled
+    - [arm64] arm64: entry: Apply BP hardening for high-priority synchronous
+      exceptions
+    - [arm64] arm64: entry: Apply BP hardening for suspicious interrupts from
+      EL0
+    - [arm64] arm64: cputype: Add missing MIDR values for Cortex-A72 and
+      Cortex-A75
+    - [arm64] arm64: cpu_errata: Allow an erratum to be match for all
+      revisions of a core
+    - [arm64] arm64: Implement branch predictor hardening for affected
+      Cortex-A CPUs
+    - [arm64] arm64: Branch predictor hardening for Cavium ThunderX2
+    - [arm64] arm64: KVM: Increment PC after handling an SMC trap
+    - [arm64] arm/arm64: KVM: Consolidate the PSCI include files
+    - [arm64] arm/arm64: KVM: Add PSCI_VERSION helper
+    - [arm64] arm/arm64: KVM: Add smccc accessors to PSCI code
+    - [arm64] arm/arm64: KVM: Implement PSCI 1.0 support
+    - [arm64] arm/arm64: KVM: Advertise SMCCC v1.1
+    - [arm64] arm64: KVM: Make PSCI_VERSION a fast path
+    - [arm64] arm/arm64: KVM: Turn kvm_psci_version into a static inline
+    - [arm64] arm64: KVM: Report SMCCC_ARCH_WORKAROUND_1 BP hardening support
+    - [arm64] arm64: KVM: Add SMCCC_ARCH_WORKAROUND_1 fast handling
+    - [arm64] firmware/psci: Expose PSCI conduit
+    - [arm64] firmware/psci: Expose SMCCC version through psci_ops
+    - [arm64] arm/arm64: smccc: Make function identifiers an unsigned quantity
+    - [arm64] arm/arm64: smccc: Implement SMCCC v1.1 inline primitive
+    - [arm64] arm64: Add ARM_SMCCC_ARCH_WORKAROUND_1 BP hardening support
+    - [arm64] arm64: Kill PSCI_GET_VERSION as a variant-2 workaround
+    - block/loop: fix deadlock after loop_set_status
+    - rtl8187: Fix NULL pointer dereference in priv->conf_mutex
+    - hwmon: (ina2xx) Fix access to uninitialized mutex
+    - slip: Check if rstate is initialized before uncompressing
+    - [arm64] arm64: futex: Mask __user pointers prior to dereference
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.96
+    - tty: make n_tty_read() always abort if hangup is in progress
+    - ubifs: Check ubifs_wbuf_sync() return code
+    - ubi: Fix error for write access
+    - resource: fix integer overflow at reallocation
+    - ipc/shm: fix use-after-free of shm file via remap_file_pages()
+    - usb: musb: gadget: misplaced out of bounds check
+    - xen-netfront: Fix hang on device removal
+    - regmap: Fix reversed bounds check in regmap_raw_write()
+    - USB: gadget: f_midi: fixing a possible double-free in f_midi
+    - USB:fix USB3 devices behind USB3 hubs not resuming at hibernate thaw
+    - smb3: Fix root directory when server returns inode number of zero
+    - HID: i2c-hid: fix size check and type usage
+    - random: use a tighter cap in credit_entropy_bits_safe()
+    - ext4: fail ext4_iget for root directory if unallocated (CVE-2018-1092)
+    - RDMA/rxe: Fix an out-of-bounds read
+    - ALSA: pcm: Fix UAF at PCM release via PCM timer access
+    - dmaengine: at_xdmac: fix rare residue corruption
+    - libnvdimm, namespace: use a safe lookup for dimm device name
+    - iommu/vt-d: Fix a potential memory leak
+    - mmc: jz4740: Fix race condition in IRQ mask update
+    - pwm: rcar: Fix a condition to prevent mismatch value setting to duty
+    - thermal: imx: Fix race condition in imx_thermal_probe()
+    - ext4: don't allow r/w mounts if metadata blocks overlap the superblock
+    - drm/amdgpu: Fix always_valid bos multiple LRU insertions.
+    - drm/amdgpu: Fix PCIe lane width calculation
+    - drm/rockchip: Clear all interrupts before requesting the IRQ
+    - drm/radeon: Fix PCIe lane width calculation
+    - ALSA: line6: Use correct endpoint type for midi output
+    - ALSA: rawmidi: Fix missing input substream checks in compat ioctls
+    - ALSA: hda - New VIA controller suppor no-snoop path
+    - random: fix crng_ready() test (CVE-2018-1108)
+    - random: crng_reseed() should lock the crng instance that it is modifying
+    - random: add new ioctl RNDRESEEDCRNG
+    - HID: hidraw: Fix crash on HIDIOCGFEATURE with a destroyed device
+    - MIPS: uaccess: Add micromips clobbers to bzero invocation
+    - MIPS: memset.S: EVA & fault support for small_memset
+    - MIPS: memset.S: Fix return of __clear_user from Lpartial_fixup
+    - MIPS: memset.S: Fix clobber of v1 in last_fixup
+    - [powerpc*] powerpc/eeh: Fix enabling bridge MMIO windows
+    - [powerpc*] powerpc/lib: Fix off-by-one in alternate feature patching
+    - udf: Fix leak of UTF-16 surrogates into encoded strings
+    - jffs2_kill_sb(): deal with failed allocations
+    - hypfs_kill_super(): deal with failed allocations
+    - orangefs_kill_sb(): deal with allocation failures
+    - rpc_pipefs: fix double-dput()
+    - Don't leak MNT_INTERNAL away from internal mounts
+    - autofs: mount point create should honour passed in mode
+    - mm/filemap.c: fix NULL pointer in page_cache_tree_insert()
+    - fanotify: fix logic of events on child
+    - writeback: safer lock nesting
+    - block/mq: fix potential deadlock during cpu hotplug
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.97
+    - cifs: do not allow creating sockets except with SMB1 posix exensions
+    - [x86] x86/tsc: Prevent 32bit truncation in calc_hpet_ref()
+    - drm/vc4: Fix memory leak during BO teardown
+    - drm/i915: Fix LSPCON TMDS output buffer enabling from low-power state
+    - power: supply: bq2415x: check for NULL acpi_id to avoid null pointer
+      dereference
+    - OF: Prevent unaligned access in of_alias_scan()
+    - jbd2: fix use after free in kjournald2()
+    - perf: Return proper values for user stack errors
+    - RDMA/mlx5: Fix NULL dereference while accessing XRC_TGT QPs
+    - mac80211_hwsim: fix use-after-free bug in hwsim_exit_net
+    - [s390] s390: introduce CPU alternatives
+    - [s390] s390: enable CPU alternatives unconditionally
+    - [s390] KVM: s390: wire up bpb feature
+    - [s390] s390: scrub registers on kernel entry and KVM exit
+    - [s390] s390: add optimized array_index_mask_nospec
+    - [s390] s390/alternative: use a copy of the facility bit mask
+    - [s390] s390: add options to change branch prediction behaviour for the
+      kernel
+    - [s390] s390: run user space and KVM guests with modified branch
+      prediction
+    - [s390] s390: introduce execute-trampolines for branches
+    - [s390] KVM: s390: force bp isolation for VSIE
+    - [s390] s390: Replace IS_ENABLED(EXPOLINE_*) with
+      IS_ENABLED(CONFIG_EXPOLINE_*)
+    - [s390] s390: do not bypass BPENTER for interrupt system calls
+    - [s390] s390/entry.S: fix spurious zeroing of r0
+    - [s390] s390: move nobp parameter functions to nospec-branch.c
+    - [s390] s390: add automatic detection of the spectre defense
+    - [s390] s390: report spectre mitigation via syslog
+    - [s390] s390: add sysfs attributes for spectre
+    - [s390] s390: correct nospec auto detection init order
+    - [s390] s390: correct module section names for expoline code revert
+    - KEYS: DNS: limit the length of option strings
+    - l2tp: check sockaddr length in pppol2tp_connect()
+    - net: validate attribute sizes in neigh_dump_table()
+    - llc: delete timers synchronously in llc_sk_free()
+    - tcp: don't read out-of-bounds opsize
+    - packet: fix bitfield update race
+    - pppoe: check sockaddr length in pppoe_connect()
+    - vlan: Fix reading memory beyond skb->tail in skb_vlan_tagged_multi
+    - sctp: do not check port in sctp_inet6_cmp_addr
+    - llc: hold llc_sap before release_sock()
+    - llc: fix NULL pointer deref for SOCK_ZAPPED
+    - net: fix deadlock while clearing neighbor proxy table
+    - net: af_packet: fix race in PACKET_{R|T}X_RING
+    - cdrom: information leak in cdrom_ioctl_media_changed() (CVE-2018-10940)
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.98
+    - ext4: prevent right-shifting extents beyond EXT_MAX_BLOCKS
+    - ext4: set h_journal if there is a failure starting a reserved handle
+    - ext4: add validity checks for bitmap block numbers (CVE-2018-1093)
+    - ext4: fix bitmap position validation
+    - random: set up the NUMA crng instances after the CRNG is fully
+      initialized
+    - random: fix possible sleeping allocation from irq context
+    - random: rate limit unseeded randomness warnings
+    - usbip: usbip_event: fix to not print kernel pointer address
+    - usbip: usbip_host: fix to hold parent lock for device_attach() calls
+    - usbip: vhci_hcd: Fix usb device and sockfd leaks
+    - virtio_console: free buffers after reset
+    - drm/virtio: fix vq wait_event condition
+    - tty: Don't call panic() at tty_ldisc_init()
+    - tty: Use __GFP_NOFAIL for tty_ldisc_get()
+    - ALSA: dice: fix error path to destroy initialized stream data
+    - ALSA: opl3: Hardening for potential Spectre v1
+    - ALSA: asihpi: Hardening for potential Spectre v1
+    - ALSA: hdspm: Hardening for potential Spectre v1
+    - ALSA: rme9652: Hardening for potential Spectre v1
+    - ALSA: control: Hardening for potential Spectre v1
+    - ALSA: seq: oss: Fix unbalanced use lock for synth MIDI device
+    - ALSA: seq: oss: Hardening for potential Spectre v1
+    - ALSA: hda: Hardening for potential Spectre v1
+    - ALSA: hda/realtek - Add some fixes for ALC233
+    - mtd: cfi: cmdset_0001: Do not allow read/write to suspend erase block.
+    - mtd: cfi: cmdset_0001: Workaround Micron Erase suspend bug.
+    - mtd: cfi: cmdset_0002: Do not allow read/write to suspend erase block.
+    - kobject: don't use WARN for registration failures
+    - PCI: aardvark: Fix PCIe Max Read Request Size setting
+    - ARM: amba: Fix race condition with driver_override
+    - ARM: amba: Don't read past the end of sysfs "driver_override" buffer
+    - crypto: drbg - set freed buffers to NULL
+    - libceph: un-backoff on tick when we have a authenticated session
+    - libceph: reschedule a tick in finish_hunting()
+    - libceph: validate con->state at the top of try_write()
+    - [powerpc*] cpufreq: powernv: Fix hardlockup due to synchronous smp_call
+      in timer interrupt
+    - [powerpc*] powerpc/eeh: Fix race with driver un/bind
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.99
+    - perf/core: Fix the perf_cpu_time_max_percent check (CVE-2018-18255)
+    - ALSA: seq: Fix races at MIDI encoding in snd_virmidi_output_trigger()
+    - Input: leds - fix out of bound access
+    - xfs: prevent creating negative-sized file via INSERT_RANGE
+    - RDMA/cxgb4: release hw resources on device removal
+    - RDMA/mlx5: Protect from shift operand overflow
+    - IB/mlx5: Use unlimited rate when static rate is not supported
+    - IB/hfi1: Fix NULL pointer dereference when invalid num_vls is used
+    - drm/vmwgfx: Fix a buffer object leak
+    - drm/bridge: vga-dac: Fix edid memory leak
+    - usb: musb: host: fix potential NULL pointer dereference
+    - usb: musb: trace: fix NULL pointer dereference in musb_g_tx()
+    - platform/x86: asus-wireless: Fix NULL pointer dereference
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.100
+    - ipvs: fix rtnl_lock lockups caused by start_sync_thread
+    - crypto: af_alg - fix possible uninit-value in alg_bind()
+    - netlink: fix uninit-value in netlink_sendmsg
+    - net: fix rtnh_ok()
+    - net: initialize skb->peeked when cloning
+    - net: fix uninit-value in __hw_addr_add_ex()
+    - dccp: initialize ireq->ir_mark
+    - soreuseport: initialise timewait reuseport field
+    - tcp: fix TCP_REPAIR_QUEUE bound checking
+    - bdi: Fix oops in wb_workfn()
+    - [powerpc*] KVM: PPC: Book3S HV: Fix trap number return from
+      __kvmppc_vcore_entry
+    - f2fs: fix a dead loop in f2fs_fiemap() (CVE-2018-18257)
+    - arm64: Add work around for Arm Cortex-A55 Erratum 1024718
+    - gpioib: do not free unrequested descriptors
+    - rfkill: gpio: fix memory leak in probe error path
+    - net: atm: Fix potential Spectre v1
+    - atm: zatm: Fix potential Spectre v1
+    - tracing/uprobe_event: Fix strncpy corner case
+    - [x86] perf/x86: Fix possible Spectre-v1 indexing for hw_perf_event
+      cache_*
+    - [x86] perf/x86/cstate: Fix possible Spectre-v1 indexing for pkg_msr
+    - [x86] perf/x86/msr: Fix possible Spectre-v1 indexing in the MSR driver
+    - perf/core: Fix possible Spectre-v1 indexing for ->aux_pages[]
+    - [x86] perf/x86: Fix possible Spectre-v1 indexing for
+      x86_pmu::event_map()
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.101
+    - ipv4: fix memory leaks in udp_sendmsg, ping_v4_sendmsg
+    - llc: better deal with too small mtu
+    - net: ethernet: sun: niu set correct packet size in skb
+    - net: ethernet: ti: cpsw: fix packet leaking in dual_mac mode
+    - net/mlx4_en: Verify coalescing parameters are in range
+    - net_sched: fq: take care of throttled flows before reuse
+    - tg3: Fix vunmap() BUG_ON() triggered from tg3_free_consistent().
+    - futex: Remove duplicated code and fix undefined behaviour
+    - proc: do not access cmdline nor environ from file-backed areas
+      (CVE-2018-1120)
+    - kernel/exit.c: avoid undefined behaviour when calling wait4()
+      (CVE-2018-10087)
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.102
+    - usbip: usbip_host: fix NULL-ptr deref and use-after-free errors
+      (CVE-2018-5814)
+    - [arm*] KVM: arm/arm64: VGIC/ITS: protect kvm_read_guest() calls with
+      SRCU lock
+    - [powerpc*] powerpc/powernv: Fix NVRAM sleep in invalid context when
+      crashing
+    - s390: remove indirect branch from do_softirq_own_stack
+    - efi: Avoid potential crashes, fix the 'struct efi_pci_io_protocol_32'
+      definition for mixed mode
+    - Btrfs: fix xattr loss after power failure
+    - btrfs: fix crash when trying to resume balance without the resume flag
+    - [x86] x86/amd: don't set X86_BUG_SYSRET_SS_ATTRS when running under Xen
+    - btrfs: fix reading stale metadata blocks after degraded raid1 mounts
+    - [x86] x86/nospec: Simplify alternative_msr_write()
+    - [x86] x86/bugs: Concentrate bug detection into a separate function
+    - [x86] x86/bugs: Concentrate bug reporting into a separate function
+    - [x86] x86/bugs: Read SPEC_CTRL MSR during boot and re-use reserved bits
+    - [x86] x86/bugs, KVM: Support the combination of guest and host IBRS
+    - [x86] x86/bugs: Expose /sys/../spec_store_bypass
+    - [x86] x86/cpufeatures: Add X86_FEATURE_RDS
+    - [x86] x86/bugs: Provide boot parameters for the
+      spec_store_bypass_disable mitigation
+    - [x86] x86/bugs/intel: Set proper CPU features and setup RDS
+    - [x86] x86/bugs: Whitelist allowed SPEC_CTRL MSR values
+    - [x86] x86/bugs/AMD: Add support to disable RDS on Fam[15,16,17]h if
+      requested
+    - [x86] x86/KVM/VMX: Expose SPEC_CTRL Bit(2) to the guest
+    - prctl: Add speculation control prctls
+    - [x86] process: Optimize TIF checks in __switch_to_xtra()
+    - [x86] process: Correct and optimize TIF_BLOCKSTEP switch
+    - [x86] process: Optimize TIF_NOTSC switch
+    - [x86] x86/process: Allow runtime control of Speculative Store Bypass
+      (CVE-2018-3639)
+    - [x86] x86/speculation: Add prctl for Speculative Store Bypass mitigation
+    - nospec: Allow getting/setting on non-current task
+    - proc: Provide details on speculation flaw mitigations
+    - seccomp: Enable speculation flaw mitigations
+    - [x86] x86/bugs: Make boot modes __ro_after_init
+    - prctl: Add force disable speculation
+    - seccomp: Use PR_SPEC_FORCE_DISABLE
+    - seccomp: Add filter flag to opt-out of SSB mitigation
+    - seccomp: Move speculation migitation control to arch code
+    - [x86] x86/speculation: Make "seccomp" the default mode for Speculative
+      Store Bypass
+    - KVM: SVM: Move spec control call after restore of GS
+    - [x86] x86/speculation: Use synthetic bits for IBRS/IBPB/STIBP
+    - [x86] x86/cpu/AMD: Fix erratum 1076 (CPB bit)
+    - [x86] x86/speculation: Add virtualized speculative store bypass disable
+      support
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.103
+    - net: test tailroom before appending to linear skb
+    - packet: in packet_snd start writing at link layer allocation
+    - sock_diag: fix use-after-free read in __sk_free
+    - ext2: fix a block leak
+    - [s390x] s390/crc32-vx: use expoline for indirect branches
+    - [s390x] s390/lib: use expoline for indirect branches
+    - [s390x] s390/ftrace: use expoline for indirect branches
+    - [s390x] s390/kernel: use expoline for indirect branches
+    - [s390x] s390: extend expoline to BC instructions
+    - [s390x] s390: use expoline thunks in the BPF JIT
+    - scsi: libsas: defer ata device eh commands to libata (CVE-2018-10021)
+    - scsi: sg: allocate with __GFP_ZERO in sg_build_indirect()
+      (CVE-2018-1000204)
+    - scsi: zfcp: fix infinite iteration on ERP ready list
+    - cfg80211: limit wiphy names to 128 bytes
+    - [x86] x86/kexec: Avoid double free_page() upon do_kexec_load() failure
+    - usb: gadget: core: Fix use-after-free of usb_request
+    - usb: cdc_acm: prevent race at write to acm while system resumes
+    - USB: OHCI: Fix NULL dereference in HCDs using HCD_LOCAL_MEM
+    - usb: gadget: ffs: Execute copy_to_user() with USER_DS set
+    - usb: gadget: udc: change comparison to bitshift when dealing with a mask
+    - media: em28xx: USB bulk packet size fix
+    - scsi: fas216: fix sense buffer initialization
+    - scsi: sym53c8xx_2: iterator underflow in sym_getsync()
+    - scsi: mptfusion: Add bounds check in mptctl_hp_targetinfo()
+    - scsi: qla2xxx: Avoid triggering undefined behavior in
+      qla2x00_mbx_completion()
+    - scsi: aacraid: fix shutdown crash when init fails
+    - scsi: aacraid: Insure command thread is not recursively stopped
+    - scsi: lpfc: Fix soft lockup in lpfc worker thread during LIP testing
+    - media: dmxdev: fix error code for invalid ioctls
+    - media: s3c-camif: fix out-of-bounds array access
+    - media: cx25821: prevent out-of-bounds read on array card
+    - serial: xuartps: Fix out-of-bounds access through DT alias
+    - serial: samsung: Fix out-of-bounds access through serial port index
+    - serial: mxs-auart: Fix out-of-bounds access through serial port index
+    - serial: imx: Fix out-of-bounds access through serial port index
+    - serial: fsl_lpuart: Fix out-of-bounds access through DT alias
+    - serial: arc_uart: Fix out-of-bounds access through DT alias
+    - rtc: hctosys: Ensure system time doesn't overflow time_t
+    - rtc: tx4939: avoid unintended sign extension on a 24 bit shift
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.104
+    - [mips] MIPS: c-r4k: Fix data corruption related to cache coherence
+    - affs_lookup(): close a race with affs_remove_link()
+    - aio: fix io_destroy(2) vs. lookup_ioctx() race
+    - do d_instantiate/unlock_new_inode combinations safely
+    - libata: Blacklist some Sandisk SSDs for NCQ
+    - libata: blacklist Micron 500IT SSD with MU01 firmware
+    - IB/hfi1: Use after free race condition in send context error path
+    - Revert "ipc/shm: Fix shmat mmap nil-page protection"
+    - ipc/shm: fix shmat() nil address after round-down when remapping
+    - kernel/sys.c: fix potential Spectre v1 issue
+    - kernel/signal.c: avoid undefined behaviour in kill_something_info
+      (CVE-2018-10124)
+    - KVM/VMX: Expose SSBD properly to guests
+    - firewire-ohci: work around oversized DMA reads on JMicron controllers
+    - i40iw: Zero-out consumer key on allocate stag for FMR
+    - iommu/vt-d: Use domain instead of cache fetching
+    - mac80211_hwsim: fix possible memory leak in hwsim_new_radio_nl()
+      (CVE-2018-8087)
+    - btrfs: Fix out of bounds access in btrfs_search_slot
+    - Btrfs: fix scrub to repair raid6 corruption
+    - HID: roccat: prevent an out of bounds read in
+      kovaplus_profile_activated()
+    - jffs2: Fix use-after-free bug in jffs2_iget()'s error handling path
+    - RDMA/mlx5: Avoid memory leak in case of XRCD dealloc failure
+    - gianfar: prevent integer wrapping in the rx handler
+    - tcp_nv: fix potential integer overflow in tcpnv_acked
+    - kvm: Map PFN-type memory regions as writable (if possible)
+    - mm/mempolicy: fix the check of nodemask from user
+    - mm/mempolicy: add nodes_empty check in SYSC_migrate_pages
+    - mm: pin address_space before dereferencing it while isolating an LRU
+      page
+    - mm/fadvise: discard partial page if endbyte is also EOF
+    - drm/nouveau/pmu/fuc: don't use movw directly anymore
+    - netfilter: ipv6: nf_defrag: Kill frag queue on RFC2460 failure
+    - [x86] x86/power: Fix swsusp_arch_resume prototype
+    - firmware: dmi_scan: Fix handling of empty DMI strings
+    - xen-netfront: Fix race between device setup and open
+    - xen/grant-table: Use put_page instead of free_page
+    - RDS: IB: Fix null pointer issue
+    - [arm64] arm64: spinlock: Fix theoretical trylock() A-B-A with LSE
+      atomics
+    - bcache: fix for allocator and register thread race
+    - bcache: fix for data collapse after re-attaching an attached device
+    - bcache: return attach error when no cache set exist
+    - [x86] vfs/proc/kcore, x86/mm/kcore: Fix SMAP fault when dumping vsyscall
+      user page
+    - ptr_ring: prevent integer overflow when calculating size
+    - [arm] ARM: OMAP2+: timer: fix a kmemleak caused in omap_get_timer_dt
+    - iwlwifi: mvm: fix security bug in PN checking
+    - rxrpc: Work around usercopy check
+    - mac80211: fix a possible leak of station stats
+    - mac80211: fix calling sleeping function in atomic context
+    - md raid10: fix NULL deference in handle_write_completed()
+    - locking/xchg/alpha: Add unconditional memory barrier to cmpxchg()
+    - md: raid5: avoid string overflow warning
+    - kernel/relay.c: limit kmalloc size to KMALLOC_MAX_SIZE
+    - PKCS#7: fix direct verification of SignerInfo signature
+    - locking/xchg/alpha: Fix xchg() and cmpxchg() memory ordering bugs
+    - macvlan: fix use-after-free in macvlan_common_newlink()
+    - md: fix a potential deadlock of raid5/raid10 reshape
+    - md/raid1: fix NULL pointer dereference
+    - ceph: fix dentry leak when failing to init debugfs
+    - [arm] ARM: orion5x: Revert commit 4904dbda41c8. closes: #892057
+    - dmaengine: rcar-dmac: fix max_chunk_size for R-Car Gen3
+    - bcache: fix kcrashes with fio in RAID5 backend dev
+    - RDMA/qedr: Fix kernel panic when running fio over NFSoRDMA
+    - RDMA/qedr: Fix iWARP write and send with immediate
+    - IB/mlx4: Fix corruption of RoCEv2 IPv4 GIDs
+    - fbdev: Fixing arbitrary kernel leak in case FBIOGETCMAP_SPARC in
+      sbusfb_ioctl_helper(). (CVE-2018-6412)
+    - fsl/fman: avoid sleeping in atomic context while adding an address
+    - net: qcom/emac: Use proper free methods during TX
+    - net: smsc911x: Fix unload crash when link is up
+    - IB/core: Fix possible crash to access NULL netdev
+    - batman-adv: fix header size check in batadv_dbg_arp()
+    - batman-adv: Fix skbuff rcsum on packet reroute
+    - vti4: Don't count header length twice on tunnel setup
+    - vti4: Don't override MTU passed on link creation via IFLA_MTU
+    - brcmfmac: Fix check for ISO3166 code
+    - mm/mempolicy.c: avoid use uninitialized preferred_node
+    - mm, thp: do not cause memcg oom for thp
+    - [x86] x86/mm: Do not forbid _PAGE_RW before init for __ro_after_init
+    - fs/proc/proc_sysctl.c: fix potential page fault while unregistering
+      sysctl table
+    - swap: divide-by-zero when zero length swap file on ssd
+    - mm: fix races between address_space dereference and free in
+      page_evicatable
+    - Btrfs: fix NULL pointer dereference in log_dir_items
+    - btrfs: Fix possible softlock on single core machines
+    - xen/acpi: off by one in read_acpi_id()
+    - ACPI: acpi_pad: Fix memory leak in power saving threads
+    - [powerpc*] powerpc/perf: Prevent kernel address leak to userspace via
+      BHRB buffer
+    - [powerpc*] powerpc/perf: Fix kernel address leak via sampling registers
+    - net/mlx5: Protect from command bit overflow
+    - ath10k: Fix kernel panic while using worker (ath10k_sta_rc_update_wk)
+    - ipmi_ssif: Fix kernel panic at msg_done_handler
+    - [powerpc*] powerpc: Add missing prototype for arch_irq_work_raise()
+    - f2fs: fix to check extent cache in f2fs_drop_extent_tree
+    - dmaengine: pl330: fix a race condition in case of threaded irqs
+    - audit: return on memory error to avoid null pointer dereference
+    - netlabel: If PF_INET6, check sk_buff ip header version
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.105
+    - Revert "vti4: Don't override MTU passed on link creation via IFLA_MTU"
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.106
+    - x86/xen: Add unwind hint annotations to xen_setup_gdt
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.107
+    - [arm64] arm64: lse: Add early clobbers to some input/output asm operands
+    - [powerpc*] powerpc/64s: Clear PCR on boot
+    - xfs: detect agfl count corruption and reset agfl
+    - tracing: Fix crash when freeing instances with event triggers
+    - selinux: KASAN: slab-out-of-bounds in xattr_getsecurity
+    - tcp: avoid integer overflows in tcp_rcv_space_adjust()
+    - [arm64] arm64: Add hypervisor safe helper for checking constant
+      capabilities
+    - [powerpc*] powerpc/rfi-flush: Move out of HARDLOCKUP_DETECTOR #ifdef
+    - [powerpc*] powerpc/pseries: Support firmware disable of RFI flush
+    - [powerpc*] powerpc/powernv: Support firmware disable of RFI flush
+    - [powerpc*] powerpc/rfi-flush: Always enable fallback flush on pseries
+    - [powerpc*] powerpc/rfi-flush: Differentiate enabled and patched flush
+      types
+    - [powerpc*] powerpc/rfi-flush: Call setup_rfi_flush() after LPM migration
+    - [powerpc*] powerpc: Add security feature flags for Spectre/Meltdown
+    - [powerpc*] powerpc/pseries: Set or clear security feature flags
+    - [powerpc*] powerpc/powernv: Set or clear security feature flags
+    - [powerpc*] powerpc/powernv: Use the security flags in
+      pnv_setup_rfi_flush()
+    - [powerpc*] powerpc/pseries: Use the security flags in
+      pseries_setup_rfi_flush()
+    - [powerpc*] powerpc/64s: Wire up cpu_show_spectre_v1()
+    - [powerpc*] powerpc/64s: Wire up cpu_show_spectre_v2()
+    - [powerpc*] powerpc/pseries: Fix clearing of security feature flags
+    - [powerpc*] powerpc: Move default security feature flags
+    - [powerpc*] powerpc/pseries: Restore default security feature flags on
+      setup
+    - [powerpc*] powerpc/64s: Fix section mismatch warnings from
+      setup_rfi_flush()
+    - [powerpc*] powerpc/64s: Add support for a store forwarding barrier at
+      kernel entry/exit
+    - net/mlx4_en: fix potential use-after-free with dma_unmap_page
+    - iio:kfifo_buf: check for uint overflow
+    - mm: fix the NULL mapping case in __isolate_lru_page()
+    - serial: pl011: add console matching function
+
+  [ Steve McIntyre ]
+  * Backports for Qualcomm Centriq machines. Closes: #896775
+    - [arm64] Backport support for Qualcomm Centriq onboard emac NIC
+    - [arm64] Backport workaround for erratum E1041
+
+  [ Romain Perier ]
+  * [armhf] MFD: Enable MFD_TPS65217 (Closes: #897590)
+
+  [ Salvatore Bonaccorso ]
+  * nfsd: increase DRC cache limit (Closes: #898137)
+
+  [ Yves-Alexis Perez ]
+  * [rt] Update patchset to 4.9.98-rt76
+    - don't apply "drivers/net: Use disable_irq_nosync() in 8139too" since
+      it's already included upstream
+    - removed "rtmutex: Fix PI chain order integrity"
+    - fs/aio: simple simple work
+  * Bump ABI to 7
+    - remove all ignored ABI changes since ABI 6
+    - remove all patches reverting ABI changes since ABI 6
+  * [rt] "fs/dcache: disable preemption on i_dir_seq's write side" edited for
+    fuzz after 4.9.106.
+
+  [ Ben Hutchings ]
+  * random: Make getranndom() ready earlier (see #897599)
+
 4.9.88-1+deb9u1 [Mon, 07 May 2018 23:38:25 +0100] Ben Hutchings <ben@decadent.org.uk>:
 
   [ Salvatore Bonaccorso ]
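Review bot: The errata announcement should list the CVE ids that this changelog tail names, since they are spread across several hundred one-line entries and easy to miss: CVE-2018-3639 on the "x86/process: Allow runtime control of Speculative Store Bypass" entry, CVE-2018-10021 and CVE-2018-1000204 on the two scsi entries under the ChangeLog-4.9.103 link, and CVE-2018-10124, CVE-2018-8087 and CVE-2018-6412 under the ChangeLog-4.9.104 link. Two entries also change behaviour administrators need to know about and deserve a sentence each in the advisory text. "x86/speculation: Make "seccomp" the default mode for Speculative Store Bypass" means that by default only seccomp-confined tasks (unless they use the new opt-out filter flag) and tasks that request it through the speculation control prctls get the mitigation, with the spec_store_bypass_disable boot parameter as the system-wide switch. "Bump ABI to 7" means the fixes take effect only after rebooting into the new ABI 7 kernel image.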

<http://10.200.17.11/4.3-1/#7727563526163334676>
Comment 12 Philipp Hahn univentionstaff 2018-08-21 17:29:17 CEST
OK: yaml
OK: errata-announce
OK: patch

[4.3-1] 1c2df942b1 Bug #47490: linux-latest 80+deb9u6
 doc/errata/staging/linux-latest.yaml | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

[4.3-1] 37f7f0fd27 Bug #47490: linux-latest 80+deb9u6
 doc/errata/staging/linux-latest.yaml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

[4.3-1] dbc764df55 Bug #47490: linux-latest 80+deb9u5
 doc/errata/staging/{shared-mime-info.yaml => linux-latest.yaml} | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

[4.3-1] 9a89b356b8 Bug #47483: shared-mime-info 1.8-1+deb9u1
 .../staging/{univention-kvm-virtio.yaml => shared-mime-info.yaml} | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

[4.3-1] daf89693e5 Bug #47321: Yaml
 doc/errata/staging/univention-kvm-virtio.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)