diff options
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-08 04:15:14 +0000 |
|---|---|---|
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-08 04:15:14 +0000 |
| commit | e549f10391e1fc78dab80e9b9ef524d214d4af40 (patch) | |
| tree | 5358015c2d151febc170684ed8ddf2011b3ac4af /debian/changelog | |
| parent | Merging upstream version 4.19.282. (diff) | |
| download | linux-e549f10391e1fc78dab80e9b9ef524d214d4af40.tar.xz linux-e549f10391e1fc78dab80e9b9ef524d214d4af40.zip | |
Adding debian version 4.19.282-1.debian/4.19.282-1
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/changelog')
| -rw-r--r-- | debian/changelog | 990 |
1 files changed, 990 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog index e93896c46..070b5a68d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,993 @@ +linux (4.19.282-1) buster-security; urgency=high + + * New upstream stable update: + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.270 + - mm/khugepaged: fix GUP-fast interaction by sending IPI + - mm/khugepaged: invoke MMU notifiers in shmem/file collapse paths + - block: unhash blkdev part inode when the part is deleted + - nfp: fix use-after-free in area_cache_get() (CVE-2022-3545) + - ASoC: ops: Check bounds for second channel in snd_soc_put_volsw_sx() + - can: sja1000: fix size of OCR_MODE_MASK define + - can: mcba_usb: Fix termination command argument + - ASoC: ops: Correct bounds check for second channel on SX controls + - udf: Discard preallocation before extending file with a hole + - udf: Fix preallocation discarding at indirect extent boundary + - udf: Do not bother looking for prealloc extents if i_lenExtents matches + i_size + - udf: Fix extending file within last block + - usb: gadget: uvc: Prevent buffer overflow in setup handler + - USB: serial: option: add Quectel EM05-G modem + - USB: serial: cp210x: add Kamstrup RF sniffer PIDs + - USB: serial: f81534: fix division by zero on line-speed change + - igb: Initialize mailbox message for VF reset + - Bluetooth: L2CAP: Fix u8 overflow (CVE-2022-45934) + - net: loopback: use NET_NAME_PREDICTABLE for name_assign_type + - [arm*] usb: musb: remove extra check in musb_gadget_vbus_draw + - [armhf] soc: ti: smartreflex: Fix PM disable depth imbalance in + omap_sr_probe + - [armhf] dts: dove: Fix assigned-addresses for every PCIe Root Port + - [armhf] dts: armada-370: Fix assigned-addresses for every PCIe Root Port + - [armhf] dts: armada-xp: Fix assigned-addresses for every PCIe Root Port + - [armhf] dts: armada-375: Fix assigned-addresses for every PCIe Root Port + - [armhf] dts: armada-38x: Fix assigned-addresses for every PCIe Root Port + - [armhf] dts: armada-39x: Fix assigned-addresses for every PCIe Root Port + - [armhf] dts: turris-omnia: Add ethernet aliases + - [armhf] dts: turris-omnia: Add switch port 6 node + - pstore/ram: Fix error return code in ramoops_probe() + - pstore: Avoid kcore oops by vmap()ing with VM_IOREMAP + - [x86] tpm/tpm_crb: Fix error message in __crb_relinquish_locality() + - [arm64] cpuidle: dt: Return the correct numbers of parsed idle states + - fs: don't audit the capability check in simple_xattr_list() + - selftests/ftrace: event_triggers: wait longer for test_event_enable + - perf: Fix possible memleak in pmu_dev_alloc() + - timerqueue: Use rb_entry_safe() in timerqueue_getnext() + - ocfs2: fix memory leak in ocfs2_stack_glue_init() + - PNP: fix name memory leak in pnp_alloc_dev() + - [x86] perf/x86/intel/uncore: Fix reference count leak in + hswep_has_limit_sbox() (regression in 4.19.189) + - [x86] cpufreq: amd_freq_sensitivity: Add missing pci_dev_put() + - lib/notifier-error-inject: fix error when writing -errno to debugfs file + - debugfs: fix error when writing negative value to atomic_t debugfs file + (regression in 4.19.160) + - ACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage() + - [x86] uprobes/x86: Allow to probe a NOP instruction with 0x66 prefix + - [x86] xen/events: only register debug interrupt for 2-level events + - [x86] xen: Fix memory leak in xen_smp_intr_init{_pv}() + - [x86] xen: Fix memory leak in xen_init_lock_cpu() + - xen/privcmd: Fix a possible warning in privcmd_ioctl_mmap_resource() + - PM: runtime: Improve path in rpm_idle() when no callback + - PM: runtime: Do not call __rpm_callback() from rpm_idle() + - [x86] platform/x86: mxm-wmi: fix memleak in mxm_wmi_call_mx[ds|mx]() + - fs: sysv: Fix sysv_nblocks() returns wrong value + - relay: fix type mismatch when allocating memory in relay_create_buf() + - hfs: Fix OOB Write in hfs_asc2mac + - wifi: ath9k: hif_usb: fix memory leak of urbs in + ath9k_hif_usb_dealloc_tx_urbs() (regression in 4.19.154) + - wifi: ath9k: hif_usb: Fix use-after-free in ath9k_hif_usb_reg_in_cb() + - wifi: rtl8xxxu: Fix reading the vendor of combo chips + - can: kvaser_usb: do not increase tx statistics when sending error message + frames + - can: kvaser_usb: kvaser_usb_leaf: Get capabilities from device + - can: kvaser_usb: kvaser_usb_leaf: Rename {leaf,usbcan}_cmd_error_event to + {leaf,usbcan}_cmd_can_error_event + - can: kvaser_usb: kvaser_usb_leaf: Handle CMD_ERROR_EVENT + - can: kvaser_usb_leaf: Set Warning state even without bus errors + - can: kvaser_usb_leaf: Fix improved state not being reported + - can: kvaser_usb_leaf: Fix wrong CAN state after stopping + - can: kvaser_usb_leaf: Fix bogus restart events + - can: kvaser_usb: Add struct kvaser_usb_busparams + - can: kvaser_usb: Compare requested bittiming parameters with actual + parameters in do_set_{,data}_bittiming + - media: vivid: fix compose size exceed boundary + - mtd: Fix device name leak when register device failed in add_mtd_device() + - wifi: rsi: Fix handling of 802.3 EAPOL frames sent via control port + - drm/radeon: Add the missed acpi_put_table() to fix memory leak + - regulator: core: fix unbalanced of node refcount in + regulator_dev_lookup() + - wifi: ath10k: Fix return value in ath10k_pci_init() + - [arm64] Input: elants_i2c - properly handle the reset GPIO when power is + off + - media: solo6x10: fix possible memory leak in solo_sysfs_init() + - HID: hid-sensor-custom: set fixed size for custom attributes + - bonding: Export skip slave logic to function + - media: imon: fix a race condition in send_packet() + - pinctrl: pinconf-generic: add missing of_node_put() + - media: dvb-core: Fix ignored return value in dvb_register_frontend() + - media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer() + (CVE-2023-28328) + - [arm*] drm/tegra: Add missing clk_disable_unprepare() in tegra_dc_probe() + - NFSv4.2: Fix a memory stomp in decode_attr_security_label + - NFSv4: Fix a deadlock between nfs4_open_recover_helper() and delegreturn + - [x86] ALSA: asihpi: fix missing pci_disable_device() + - drm/radeon: Fix PCI device refcount leak in radeon_atrm_get_bios() + - drm/amdgpu: Fix PCI device refcount leak in amdgpu_atrm_get_bios() + - wifi: cfg80211: Fix not unregister reg_pdev when + load_builtin_regdb_keys() fails + - regulator: core: fix module refcount leak in set_supply() + - media: saa7164: fix missing pci_disable_device() + - ALSA: mts64: fix possible null-ptr-defer in snd_mts64_interrupt + - SUNRPC: Fix missing release socket in rpc_sockname() + - NFSv4.x: Fail client initialisation if state manager thread can't run + - mmc: rtsx_usb_sdmmc: fix return value check of mmc_add_host() + - mmc: toshsd: fix return value check of mmc_add_host() + - mmc: vub300: fix return value check of mmc_add_host() + - [armhf] mmc: wmt-sdmmc: fix return value check of mmc_add_host() + - [arm64] mmc: meson-gx: fix return value check of mmc_add_host() + - mmc: via-sdmmc: fix return value check of mmc_add_host() + - [x86] mmc: wbsd: fix return value check of mmc_add_host() + - [arm*] mmc: mmci: fix return value check of mmc_add_host() + - [armhf] clk: samsung: Fix memory leak in _samsung_clk_register_pll() + - wifi: rtl8xxxu: Add __packed to struct rtl8723bu_c2h + - wifi: brcmfmac: Fix error return code in brcmf_sdio_download_firmware() + - blktrace: Fix output non-blktrace event when blk_classic option enabled + - [armhf] clk: socfpga: use clk_hw_register for a5/c5 + - [x86] net: vmw_vsock: vmci: Check memcpy_from_msg() + - net: defxx: Fix missing err handling in dfx_init() + - drivers: net: qlcnic: Fix potential memory leak in qlcnic_sriov_init() + - ethernet: s2io: don't call dev_kfree_skb() under spin_lock_irqsave() + - [x86] net: farsync: Fix kmemleak when rmmods farsync + - net/tunnel: wait until all sk_user_data reader finish before releasing + the sock + - [i386] hamradio: don't call dev_kfree_skb() under spin_lock_irqsave() + - [i386] net: amd: lance: don't call dev_kfree_skb() under + spin_lock_irqsave() + - [amd64,arm64] net: amd-xgbe: Fix logic around active and passive cables + - [amd64,arm64] net: amd-xgbe: Check only the minimum speed for active/ + passive cables + - Bluetooth: btusb: don't call kfree_skb() under spin_lock_irqsave() + - Bluetooth: hci_qca: don't call kfree_skb() under spin_lock_irqsave() + - Bluetooth: hci_h5: don't call kfree_skb() under spin_lock_irqsave() + - [x86] Bluetooth: hci_bcsp: don't call kfree_skb() under + spin_lock_irqsave() + - Bluetooth: hci_core: don't call kfree_skb() under spin_lock_irqsave() + - Bluetooth: RFCOMM: don't call kfree_skb() under spin_lock_irqsave() + (regression in 4.19.254) + - [arm*] stmmac: fix potential division by 0 (regression in 4.19.122) + - apparmor: fix a memleak in multi_transaction_new() + - apparmor: fix lockdep warning when removing a namespace + - apparmor: Fix abi check to include v8 abi + - f2fs: fix normal discard process + - RDMA/nldev: Return "-EAGAIN" if the cm_id isn't from expected port + - [x86] scsi: scsi_debug: Fix a warning in resp_write_scat() + - PCI: Check for alloc failure in pci_request_irq() + - [amd64] RDMA/hfi: Decrease PCI device reference count in error path + - RDMA/rxe: Fix NULL-ptr-deref in rxe_qp_do_cleanup() when socket create + failed + - scsi: hpsa: use local workqueues instead of system workqueues + - scsi: hpsa: Fix possible memory leak in hpsa_init_one() + - crypto: tcrypt - Fix multibuffer skcipher speed test mem leak + - scsi: hpsa: Fix error handling in hpsa_add_sas_host() + - scsi: hpsa: Fix possible memory leak in hpsa_add_sas_device() + - scsi: fcoe: Fix possible name leak when device_register() fails + - [x86] scsi: ipr: Fix WARNING in ipr_init() + - scsi: fcoe: Fix transport not deattached when fcoe_if_init() fails + - scsi: snic: Fix possible UAF in snic_tgt_create() + - [amd64] RDMA/hfi1: Fix error return code in parse_platform_config() + - orangefs: Fix sysfs not cleanup when dev init failed + - [x86] hwrng: amd - Fix PCI device refcount leak + - [i386] hwrng: geode - Fix PCI device refcount leak + - IB/IPoIB: Fix queue count inconsistency for PKEY child interfaces + - [arm*] serial: tegra: avoid reg access when clk disabled + - [arm*] serial: tegra: check for FIFO mode enabled status + - [arm*] serial: tegra: set maximum num of uart ports to 8 + - [arm*] serial: tegra: add support to use 8 bytes trigger + - [arm*] serial: tegra: add support to adjust baud rate + - [arm*] serial: tegra: report clk rate errors + - [arm*] serial: tegra: Add PIO mode support + - [arm*] tty: serial: tegra: Activate RX DMA transfer by request + - [arm*] serial: tegra: Read DMA status before terminating + - [x86] usb: typec: Check for ops->exit instead of ops->enter in + altmode_exit + - [arm*] serial: amba-pl011: avoid SBSA UART accessing DMACR register + - [arm*] serial: pl011: Do not clear RX FIFO & RX interrupt in unthrottle. + (regression in 4.19.253) + - [i386] serial: pch: Fix PCI device refcount leak in pch_request_dma() + - [x86] misc: sgi-gru: fix use-after-free error in gru_set_context_option, + gru_fault and gru_handle_user_call_os (CVE-2022-3424) + - misc: tifm: fix possible memory leak in tifm_7xx1_switch_media() + - usb: gadget: f_hid: optional SETUP/SET_REPORT mode + - usb: gadget: f_hid: fix f_hidg lifetime vs cdev + - usb: gadget: f_hid: fix refcount leak on error path + - chardev: fix error handling in cdev_device_add() + - [i386] i2c: pxa-pci: fix missing pci_disable_device() on error in + ce4100_i2c_probe + - [x86] staging: rtl8192u: Fix use after free in ieee80211_rx() + - [x86] staging: rtl8192e: Fix potential use-after-free in + rtllib_rx_Monitor() + - [x86] i2c: ismt: Fix an out-of-bounds bug in ismt_access() + (CVE-2022-2873) + - usb: storage: Add check for kcalloc + - tracing/hist: Fix issue of losting command info in error_log + - [x86] fbdev: pm2fb: fix missing pci_disable_device() + - [x86] fbdev: via: Fix error in via_core_init() + - [x86] fbdev: vermilion: decrease reference count in error path + - [x86] fbdev: uvesafb: Fixes an error handling path in uvesafb_probe() + - [armhf] HSI: omap_ssi_core: fix unbalanced pm_runtime_disable() + - [armhf] HSI: omap_ssi_core: fix possible memory leak in ssi_probe() + - power: supply: fix residue sysfs file in error handle route of + __power_supply_register() + - perf symbol: correction while adjusting symbol (regression in 4.19.255) + - [armhf] HSI: omap_ssi_core: Fix error handling in ssi_init() + - include/uapi/linux/swab: Fix potentially missing __always_inline + - [armhf] rtc: snvs: Allow a time difference on clock register read + - [amd64] iommu/amd: Fix pci device refcount leak in ppr_notifier() + - nfsd: under NFSv4.1, fix double svc_xprt_put on rpc_create failure + (regression in 4.19.130) + - [x86] mISDN: hfcsusb: don't call dev_kfree_skb/kfree_skb() under + spin_lock_irqsave() + - [x86] mISDN: hfcpci: don't call dev_kfree_skb/kfree_skb() under + spin_lock_irqsave() + - [x86] mISDN: hfcmulti: don't call dev_kfree_skb/kfree_skb() under + spin_lock_irqsave() + - nfc: pn533: Clear nfc_target before being used + - r6040: Fix kmemleak in probe and remove + - openvswitch: Fix flow lookup to use unmasked key + - skbuff: Account for tail adjustment during pull operations + - net_sched: reject TCF_EM_SIMPLE case for complex ematch module + - rxrpc: Fix missing unlock in rxrpc_do_sendmsg() + - myri10ge: Fix an error handling path in myri10ge_probe() + - net: stream: purge sk_error_queue in sk_stream_kill_queues() + (regression in 4.19.218) + - fs: jfs: fix shift-out-of-bounds in dbAllocAG + - udf: Avoid double brelse() in udf_rename() + - fs: jfs: fix shift-out-of-bounds in dbDiscardAG + - ACPICA: Fix error code path in acpi_ds_call_control_method() + - nilfs2: fix shift-out-of-bounds/overflow in nilfs_sb2_bad_offset() + - acct: fix potential integer overflow in encode_comp_t() + - hfs: fix OOB Read in __hfs_brec_find + - wifi: ath9k: verify the expected usb_endpoints are present + - wifi: ar5523: Fix use-after-free on ar5523_cmd() timed out + - bpf: make sure skb->len != 0 when redirecting to a tunneling device + - [i386] hamradio: baycom_epp: Fix return type of baycom_send_packet() + - wifi: brcmfmac: Fix potential shift-out-of-bounds in + brcmf_fw_alloc_request() + - igb: Do not free q_vector unless new one was allocated + - drm/amdgpu: Fix type of second parameter in trans_msg() callback + - drivers/md/md-bitmap: check the return value of md_bitmap_get_counter() + - md/raid1: stop mdx_raid1 thread when raid1 array run failed + - mrp: introduce active flags to prevent UAF when applicant uninit + - ppp: associate skb with a device at tx + - media: dvb-frontends: fix leak of memory fw + - media: dvbdev: adopts refcnt to avoid UAF + - media: dvb-usb: fix memory leak in dvb_usb_adapter_init() + - blk-mq: fix possible memleak when register 'hctx' failed + - regulator: core: fix use_count leakage when handling boot-on + - [arm64] mmc: f-sdh30: Add quirks for broken timeout clock capability + - media: si470x: Fix use-after-free in si470x_int_in_callback() + - orangefs: Fix kmemleak in orangefs_prepare_debugfs_help_string() + - [arm*] ASoC: rockchip: spdif: Add missing clk_disable_unprepare() in + rk_spdif_runtime_resume() + - [x86] ASoC: rt5670: Remove unbalanced pm_runtime_put() + - [arm*] usb: dwc3: core: defer probe on ulpi_read_id timeout + - HID: wacom: Ensure bootloader PID is usable in hidraw mode + - reiserfs: Add missing calls to reiserfs_security_free() + - media: dvbdev: fix refcnt bug + - ata: ahci: Fix PCS quirk application for suspend (regression in 4.19.77) + - HID: plantronics: Additional PIDs for double volume key presses quirk + - hfsplus: fix bug causing custom uid and gid being unable to be assigned + with mount + - ovl: Use ovl mounter's fsuid and fsgid in ovl_link() + - ALSA: line6: correct midi status byte when receiving data from podxt + - ALSA: line6: fix stack overflow in line6_midi_transmit + - pnode: terminate at peers of source + - md: fix a crash in mempool_free + - mmc: vub300: fix warning - do not call blocking ops when !TASK_RUNNING + - SUNRPC: Don't leak netobj memory when gss_read_proxy_verf() fails + - media: stv0288: use explicitly signed char + - dm cache: Fix ABBA deadlock between shrink_slab and + dm_cache_metadata_abort + - dm thin: Use last transaction's pmd->root when commit failed + - dm thin: Fix UAF in run_timer_softirq() + - dm cache: Fix UAF in destroy() + - dm cache: set needs_check flag after aborting metadata + - [x86] microcode/intel: Do not retry microcode reloading on the APs + - tracing: Fix infinite loop in tracing_read_pipe on overflowed + print_trace_line + - media: dvb-core: Fix double free in dvb_register_device() + (regression in 4.19.77) + - media: dvb-core: Fix UAF due to refcount races at releasing + (CVE-2022-41218) + - md/bitmap: Fix bitmap chunk size overflow issues + - ipmi: fix long wait in unload when IPMI disconnect + - ipmi: fix use after free in _ipmi_destroy_user() + - PCI: Fix pci_device_is_present() for VFs by checking PF + - PCI/sysfs: Fix double free in error path + - [amd64] iommu/amd: Fix ivrs_acpihid cmdline parsing code + - device_cgroup: Roll back to original exceptions after copy failure + - drm/connector: send hotplug uevent on connector cleanup + - [x86] drm/vmwgfx: Validate the box size for the snooped cursor + (CVE-2022-36280) + - ext4: add inode table check in __ext4_get_inode_loc to aovid possible + infinite loop + - ext4: add helper to check quota inums + - ext4: fix bug_on in __es_tree_search caused by bad boot loader inode + - ext4: init quota for 'old.inode' in 'ext4_rename' + - ext4: fix corruption when online resizing a 1K bigalloc fs + - ext4: fix error code return to user-space in ext4_get_branch() + - ext4: avoid BUG_ON when creating xattrs + - ext4: fix inode leak in ext4_xattr_inode_create() on an error path + - ext4: initialize quota before expanding inode in setproject ioctl + - ext4: avoid unaccounted block allocation when expanding inode + - ext4: allocate extended attribute value in vmalloc area + - btrfs: send: avoid unnecessary backref lookups when finding clone source + - btrfs: replace strncpy() with strscpy() + - dm thin: resume even if in FAIL mode + - perf probe: Use dwarf_attr_integrate as generic DWARF attr accessor + - perf probe: Fix to get the DW_AT_decl_file and DW_AT_call_file as + unsinged data + - driver core: Set deferred_probe_timeout to a longer default if + CONFIG_MODULES is set + - ext4: goto right label 'failed_mount3a' + - ext4: correct inconsistent error msg in nojournal mode + - ext4: use kmemdup() to replace kmalloc + memcpy + - mbcache: don't reclaim used entries + - mbcache: add functions to delete entry if unused + - ext4: remove EA inode entry from mbcache on inode eviction + - ext4: unindent codeblock in ext4_xattr_block_set() + - ext4: fix race when reusing xattr blocks + - mbcache: automatically delete entries from cache on freeing + - ext4: fix deadlock due to mbcache entry corruption + - SUNRPC: ensure the matching upcall is in-flight upon downcall + - bpf: pull before calling skb_postpull_rcsum() + - qlcnic: prevent ->dcb use-after-free on qlcnic_dcb_enable() failure + - nfc: Fix potential resource leaks + - [amd64,arm64] net: amd-xgbe: add missed tasklet_kill + - RDMA/mlx5: Fix validation of max_rd_atomic caps for DC + - net: sched: atm: dont intepret cls results when asked to drop + (CVE-2023-23455) + - usb: rndis_host: Secure rndis_query check against int overflow + - udf: Fix extension of the last extent in the file + - [x86] ASoC: Intel: bytcr_rt5640: Add quirk for the Advantech MICA-071 + tablet + - [x86] bugs: Flush IBP in ib_prctl_set() (CVE-2023-0045) + - nfsd: fix handling of readdir in v4root vs. mount upcall timeout + - ext4: don't allow journal inode to have encrypt flag + - hfs/hfsplus: use WARN_ON for sanity check + - hfs/hfsplus: avoid WARN_ON() for sanity check, use proper error handling + - mbcache: Avoid nesting of cache->c_list_lock under bit locks + - driver core: Fix bus_type.match() error handling in __driver_attach() + - net: sched: disallow noqueue for qdisc classes (CVE-2022-47929) + - perf auxtrace: Fix address filter duplicate symbol selection + - net/ulp: prevent ULP without clone op from entering the LISTEN status + (CVE-2023-0461) + - ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF + (CVE-2023-0266) + - cifs: Fix uninitialized memory read for smb311 posix symlink create + - [x86] platform/x86: sony-laptop: Don't turn off 0x153 keyboard backlight + during probe + - ipv6: raw: Deduct extension header length in rawv6_push_pending_frames + (CVE-2023-0394) + - [x86] ALSA: hda/hdmi: fix failures at PCM open on Intel ICL and later + - quota: Factor out setup of quota inode + - ext4: fix bug_on in __es_tree_search caused by bad quota inode + - ext4: lost matching-pair of trace in ext4_truncate + - ext4: fix use-after-free in ext4_orphan_cleanup + - ext4: fix uninititialized value in 'ext4_evict_inode' + - netfilter: ipset: Fix overflow before widen in the bitmap_ip_create() + function. + - [x86] boot: Avoid using Intel mnemonics in AT&T syntax asm + - EDAC/device: Fix period calculation in edac_device_reset_delay_period() + - hvc/xen: lock console list traversal + - nfc: pn533: Wait for out_urb's completion in pn533_usb_send_frame() + - net/mlx5: Rename ptp clock info + - net/mlx5: Fix ptp max frequency adjustment range + - drm/virtio: Fix GEM handle creation UAF + - [arm64] cmpxchg_double*: hazard against entire exchange variable + - efi: fix NULL-deref in init error path (regression in 4.19.142) + - [arm*] tty: serial: tegra: Handle RX transfer in PIO mode if DMA wasn't + started + - [arm*] serial: tegra: Only print FIFO error message when an error occurs + - [arm*] serial: tegra: Change lower tolerance baud rate limit for tegra20 + and tegra30 + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.271 + - pNFS/filelayout: Fix coalescing test for single DS + - net/ethtool/ioctl: return -EOPNOTSUPP if we have no phy stats + - RDMA/srp: Move large values to a new enum for gcc13 + - f2fs: let's avoid panic if extent_tree is not created + - nilfs2: fix general protection fault in nilfs_btree_insert() + - xhci-pci: set the dma max_seg_size + - usb: xhci: Check endpoint is valid before dereferencing it + - xhci: Fix null pointer dereference when host dies + - xhci: Add a flag to disable USB3 lpm on a xhci root port level. + - prlimit: do_prlimit needs to have a speculation check (CVE-2023-0458) + - USB: serial: option: add Quectel EM05-G (GR) modem + - USB: serial: option: add Quectel EM05-G (CS) modem + - USB: serial: option: add Quectel EM05-G (RS) modem + - USB: serial: option: add Quectel EC200U modem + - USB: serial: option: add Quectel EM05CN (SG) modem + - USB: serial: option: add Quectel EM05CN modem + - USB: misc: iowarrior: fix up header size for + USB_DEVICE_ID_CODEMERCS_IOW100 + - usb: core: hub: disable autosuspend for TI TUSB8041 + - [x86] comedi: adv_pci1760: Fix PWM instruction handling + - [arm*] mmc: sunxi-mmc: Fix clock refcount imbalance during unbind + - cifs: do not include page data when checking signature + - USB: serial: cp210x: add SCALANCE LPE-9000 device id + - usb: gadget: f_ncm: fix potential NULL ptr deref in ncm_bitrate() + - usb-storage: apply IGNORE_UAS only for HIKSEMI MD202 on RTL9210 + - [i386] serial: pch_uart: Pass correct sg to dma_unmap_sg() + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.272 + - [armhf] dts: imx6qdl-gw560x: Remove incorrect 'uart-has-rtscts' + - [amd64] intel_ish-hid: Add check for ishtp_dma_tx_map + - [amd64] IB/hfi1: Reject a zero-length user expected buffer + - [amd64] IB/hfi1: Reserve user expected TIDs + - [amd64] IB/hfi1: Fix expected receive setup error exit issues + - affs: initialize fsdata in affs_truncate() + - amd-xgbe: TX Flow Ctrl Registers are h/w ver dependent + - amd-xgbe: Delay AN timeout during KR training + - bpf: Fix pointer-leak due to insufficient speculative store bypass + mitigation + - [arm64] phy: rockchip-inno-usb2: Fix missing clk_disable_unprepare() in + rockchip_usb2phy_power_on() + - net: nfc: Fix use-after-free in local_cleanup() + - wifi: rndis_wlan: Prevent buffer overflow in rndis_query_oid + (CVE-2023-23559) + - net: usb: sr9700: Handle negative len + - net: mdio: validate parameter addr in mdiobus_get_phy() + - HID: check empty report_list in hid_validate_values() (CVE-2023-1073) + - usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait + - usb: gadget: f_fs: Ensure ep0req is dequeued before free_request + - net: mlx5: eliminate anonymous module_init & module_exit + - dmaengine: Fix double increment of client_count in dma_chan_get() + - [arm64] net: macb: fix PTP TX timestamp failure due to packet padding + - HID: betop: check shape of output reports + - tcp: avoid the lookup process failing to get sk in ehash table + - w1: fix deadloop in __w1_remove_master_device() + - w1: fix WARNING after calling w1_process() + - netfilter: conntrack: do not renew entry stuck in tcp SYN_SENT state + - block: fix and cleanup bio_check_ro + - perf env: Do not return pointers to local variables + - fs: reiserfs: remove useless new_opts in reiserfs_remount + - Bluetooth: hci_sync: cancel cmd_timer if hci_open failed + - scsi: hpsa: Fix allocation size for scsi_host_alloc() + - module: Don't wait for GOING modules + - tracing: Make sure trace_printk() can output as soon as it can be used + - trace_events_hist: add check for return value of 'create_hist_field' + - smbd: Make upper layer decide when to destroy the transport + - cifs: Fix oops due to uncleared server->smbd_conn in reconnect + - EDAC/device: Respect any driver-supplied workqueue polling value + - net: fix UaF in netns ops registration error path (regression in + 4.19.264) + - netfilter: nft_set_rbtree: skip elements in transaction from garbage + collection + - netlink: remove hash::nelems check in netlink_insert + - netlink: annotate data races around nlk->portid + - netlink: annotate data races around dst_portid and dst_group + - netlink: annotate data races around sk_state + - ipv4: prevent potential spectre v1 gadget in ip_metrics_convert() + - netfilter: conntrack: fix vtag checks for ABORT/SHUTDOWN_COMPLETE + - [x86] netrom: Fix use-after-free of a listening socket. (regression in + 4.19.199) + - sctp: fail if no bound addresses can be used for a given scope + (CVE-2023-1074) + - net/tg3: resolve deadlock in tg3_reset_task() during EEH + - [x86] Revert "Input: synaptics - switch touchpad on HP Laptop 15-da3001TU + to RMI mode" (regression in 4.19.268) + - [x86] i8259: Mark legacy PIC interrupts with IRQ_LEVEL + - [x86] drm/i915/display: fix compiler warning about array overrun + - [armhf] dts: imx: Fix pca9547 i2c-mux node name + - [armhf] dmaengine: imx-sdma: Fix a possible memory leak in + sdma_transfer_init + - panic: unset panic_on_warn inside panic() + - exit: Add and use make_task_dead. + - exit: Put an upper limit on how often we can oops + - exit: Expose "oops_count" to sysfs + - exit: Allow oops_limit to be disabled + - panic: Consolidate open-coded panic_on_warn checks + - panic: Introduce warn_limit + - panic: Expose "warn_count" to sysfs + - docs: Fix path paste-o for /sys/kernel/warn_count + - exit: Use READ_ONCE() for all oops/warn limit reads + - ipv6: ensure sane device mtu in tunnels + - [arm*] usb: host: xhci-plat: add wakeup entry at sysfs + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.273 + - firewire: fix memory leak for payload of request subaction to IEC 61883-1 + FCP region + - [arm*] bus: sunxi-rsb: Fix error handling in sunxi_rsb_init() + - ALSA: hda/via: Avoid potential array out-of-bound in add_secret_dac_path() + - [x86] netrom: Fix use-after-free caused by accept on already connected + socket + - ata: libata: Fix sata_down_spd_limit() when no link speed is reported + - net: openvswitch: fix flow memory leak in ovs_flow_cmd_new + - scsi: target: core: Fix warning on RT kernels + - scsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress + (CVE-2023-2162) + - [arm*] i2c: rk3x: fix a bunch of kernel-doc warnings + - [arm64] usb: dwc3: dwc3-qcom: Fix typo in the dwc3 vbus override API + - [arm64] usb: dwc3: qcom: enable vbus override when in OTG dr-mode + - usb: gadget: f_fs: Fix unbalanced spinlock in __ffs_ep0_queue_wait + - vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF + - [x86] Input: i8042 - merge quirk tables + - [x86] Input: i8042 - add TUXEDO devices to i8042 quirk tables + - [x86] Input: i8042 - add Clevo PCX0DX to i8042 quirk table + - [x86] nVMX x86: Check VMX-preemption timer controls on vmentry of L2 + guests + - [x86] KVM: VMX: Move caching of MSR_IA32_XSS to hardware_setup() + - [x86] KVM: x86/vmx: Do not skip segment attributes if unusable bit is set + - [x86] thermal: intel: int340x: Protect trip temperature from concurrent + updates + - fbcon: Check font dimension limits + - efi: Accept version 2 of memory attributes table + - iio: hid: fix the retval in accel_3d_capture_sample + - mm: hugetlb: proc: check for hugetlb shared PMD in /proc/PID/smaps + - mm/swapfile: add cond_resched() in get_swap_pages() + - Squashfs: fix handling and sanity checking of xattr_ids count + - serial: 8250_dma: Fix DMA Rx completion race + - serial: 8250_dma: Fix DMA Rx rearm race + - [x86] thermal: intel: int340x: Add locking to + int340x_thermal_get_trip_type() + - btrfs: limit device extents to the device size + - [x86] ALSA: emux: Avoid potential array out-of-bound in + snd_emux_xg_control() + - [amd64] IB/hfi1: Restore allocated resources on failed copyout + - [arm64] net: phy: meson-gxl: add g12a support + - [arm64] net: phy: meson-gxl: use MMD access dummy stubs for GXL, internal + PHY + - rds: rds_rm_zerocopy_callback() use list_first_entry() (CVE-2023-1078) + - ALSA: pci: lx6464es: fix a debug loop + - [arm*] pinctrl: single: fix potential NULL dereference + - [x86] pinctrl: intel: Convert unsigned to unsigned int + - [x86] pinctrl: intel: Restore the pins that used to be in Direct IRQ mode + - net: USB: Fix wrong-direction WARNING in plusb.c + - usb: core: add quirk for Alcor Link AK9563 smartcard reader + - [arm64] dts: meson-gx: Make mmc host controller interrupts level- + sensitive + - [arm64] dts: meson-axg: Make mmc host controller interrupts level- + sensitive + - bpf: Always return target ifindex in bpf_fib_lookup + - migrate: hugetlb: check for hugetlb shared PMD in node migration + - [x86] net/rose: Fix to not accept on connected socket + - nvme-fc: fix a missing queue put in nvmet_fc_ls_create_association + - aio: fix mremap after fork null-deref + - netfilter: nft_tproxy: restrict to prerouting hook + - mmc: sdio: fix possible resource leaks in some error paths + - ALSA: hda/conexant: add a new hda codec SN6180 + - ALSA: hda/realtek - fixed wrong gpio assigned + - [armhf,i386] hugetlb: check for undefined shift on 32 bit architectures + - i40e: add double of VLAN header when computing the max MTU + - dccp/tcp: Avoid negative sk_forward_alloc by ipv6_pinfo.pktoptions. + - net/usb: kalmia: Don't pass act_len in usb_bulk_msg error path + - [arm*] net: stmmac: fix order of dwmac5 FlexPPS parametrization sequence + - bnxt_en: Fix mqprio and XDP ring checking logic + - [arm*] net: stmmac: Restrict warning on disabling DMA store and fwd mode + - net: mpls: fix stale pointer if allocation fails during device rename + (CVE-2023-26545) + - ipv6: Fix datagram socket connection with DSCP. + - ipv6: Fix tcp socket connection with DSCP. + - i40e: Add checking for null for nlmsg_find_attr() + - [x86] kvm: initialize all of the kvm_debugregs structure before sending + it to userspace (CVE-2023-1513) + - nilfs2: fix underflow in second superblock position calculations + - [arm64] net: phy: meson-gxl: Add generic dummy stubs for MMD register + access + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.274 + - wifi: rtl8xxxu: gen2: Turn on the rate control + - random: always mix cycle counter in add_latent_entropy() + - can: kvaser_usb: hydra: help gcc-13 to figure out cmd_len + - alarmtimer: Prevent starvation by small intervals and SIG_IGN + - [x86] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry + (CVE-2022-3707) + - mac80211: mesh: embedd mesh_paths and mpp_paths into ieee80211_if_mesh + - uaccess: Add speculation barrier to copy_from_user() (CVE-2023-0459) + - bpf: add missing header file include + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.275 + - [armhf] dts: rockchip: add power-domains property to dp node on rk3288 + - [amd64,arm64] ACPI: NFIT: fix a potential deadlock during NFIT teardown + - btrfs: send: limit number of clones and allocated memory size + - [amd64] IB/hfi1: Assign npages earlier + - net: Remove WARN_ON_ONCE(sk->sk_forward_alloc) from sk_stream_kill_queues(). + - vc_screen: don't clobber return value in vcs_read + - USB: serial: option: add support for VW/Skoda "Carstick LTE" + - USB: core: Don't hold device lock while reading the "descriptors" sysfs + file + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.276 + - HID: asus: Remove check for same LED brightness on set + - HID: asus: use spinlock to protect concurrent accesses + - HID: asus: use spinlock to safely schedule workers (CVE-2023-1079) + - [armhf] OMAP2+: Fix memory leak in realtime_counter_init() + - [armhf] imx: Call ida_simple_remove() for ida_simple_get + - [arm64] dts: meson-axg: enable SCPI + - blk-mq: remove stale comment for blk_mq_sched_mark_restart_hctx + - block: bio-integrity: Copy flags when bio_integrity_payload is cloned + - wifi: rsi: Fix memory leak in rsi_coex_attach() + - wifi: libertas: fix memory leak in lbs_init_adapter() + - wifi: rtl8xxxu: don't call dev_kfree_skb() under spin_lock_irqsave() + - rtlwifi: fix -Wpointer-sign warning + - wifi: rtlwifi: Fix global-out-of-bounds bug in + _rtl8812ae_phy_set_txpower_limit() + - ipw2x00: switch from 'pci_' to 'dma_' API + - wifi: ipw2x00: don't call dev_kfree_skb() under spin_lock_irqsave() + - wifi: ipw2200: fix memory leak in ipw_wdev_init() + - wifi: brcmfmac: fix potential memory leak in brcmf_netdev_start_xmit() + - wifi: brcmfmac: unmap dma buffer in brcmf_msgbuf_alloc_pktid() + - wifi: libertas_tf: don't call kfree_skb() under spin_lock_irqsave() + - wifi: libertas: if_usb: don't call kfree_skb() under spin_lock_irqsave() + - wifi: libertas: main: don't call kfree_skb() under spin_lock_irqsave() + - wifi: libertas: cmdresp: don't call kfree_skb() under spin_lock_irqsave() + - [x86] wifi: wl3501_cs: don't call kfree_skb() under spin_lock_irqsave() + - [x86] ACPICA: Drop port I/O validation for some regions + - genirq: Fix the return type of kstat_cpu_irqs_sum() + - lib/mpi: Fix buffer overrun when SG is too long + - ACPICA: nsrepair: handle cases without a return value correctly + - [x86] wifi: orinoco: check return value of hermes_write_wordrec() + - wifi: ath9k: htc_hst: free skb in ath9k_htc_rx_msg() if there is no + callback function + - wifi: ath9k: hif_usb: clean up skbs if ath9k_hif_usb_rx_stream() fails + - wifi: ath9k: Fix potential stack-out-of-bounds write in + ath9k_wmi_rsp_callback() + - [x86] ACPI: battery: Fix missing NUL-termination with large strings + - crypto: seqiv - Handle EBUSY correctly + - Bluetooth: L2CAP: Fix potential user-after-free + - libbpf: Fix alen calculation in libbpf_nla_dump_errormsg() + - rds: rds_rm_zerocopy_callback() correct order for list_add_tail() + - crypto: rsa-pkcs1pad - Use akcipher_request_complete + - wifi: iwl3945: Add missing check for create_singlethread_workqueue + - wifi: iwl4965: Add missing check for create_singlethread_workqueue() + - wifi: mwifiex: fix loop iterator in mwifiex_update_ampdu_txwinsize() + - wifi: mac80211: make rate u32 in sta_set_rate_info_rx() + - can: esd_usb: Move mislocated storage of SJA1000_ECC_SEG bits in case of + a bus error + - [arm*] drm/vc4: dpi: Add option for inverting pixel clock and output + enable + - [arm*] drm/vc4: dpi: Fix format mapping for RGB565 + - [arm64] drm/msm/hdmi: Add missing check for alloc_ordered_workqueue + - ALSA: hda/ca0132: minor fix for allocation size + - drm/mipi-dsi: Fix byte order of 16-bit DCS set/get brightness + - [arm64] drm/msm: use strscpy instead of strncpy + - [arm64] drm/msm/dpu: Add check for pstates + - [arm*] gpu: host1x: Don't skip assigning syncpoints to channels + - [x86] ASoC: soc-compress.c: fixup private_data on snd_soc_new_compress() + - scsi: aic94xx: Add missing check for dma_map_single() + - nfsd: fix race to check ls_layouts + - gfs2: jdata writepage fix + - perf llvm: Fix inadvertent file creation + - [arm64] perf tools: Fix auto-complete on aarch64 + - [armhf] mtd: rawnand: sunxi: Fix the size of the last OOB region + - Input: ads7846 - don't report pressure for ads7845 + - Input: ads7846 - don't check penirq immediately for 7845 + - clk: Honor CLK_OPS_PARENT_ENABLE in clk_core_is_enabled() + - [armhf] media: platform: ti: Add missing check for devm_regulator_get + - media: rc: Fix use-after-free bugs caused by ene_tx_irqsim() + (CVE-2023-1118) + - media: i2c: ov7670: 0 instead of -EINVAL was returned + - media: usb: siano: Fix use after free bugs caused by do_submit_urb + - [arm64] rpmsg: glink: Avoid infinite loop on intent for missing channel + - [armhf] dts: exynos: Use Exynos5420 compatible for the MIPI video phy + - wifi: brcmfmac: Fix potential stack-out-of-bounds in + brcmf_c_preinit_dcmds() + - rcu: Suppress smp_processor_id() complaint in + synchronize_rcu_expedited_wait() + - [x86] thermal: intel: Fix unsigned comparison with less than zero + - timers: Prevent union confusion from unexpected restart_syscall() + - [x86] bugs: Reset speculation control settings on init + - wifi: brcmfmac: ensure CLM version is null-terminated to prevent stack- + out-of-bounds + - inet: fix fast path in __inet_hash_connect() + - ACPI: Don't build ACPICA with '-Os' + - [x86] ACPI: video: Fix Lenovo Ideapad Z570 DMI match + - drm/amd/display: Fix potential null-deref in dm_resume + - [arm64] drm/msm/dsi: Add missing check for alloc_ordered_workqueue + - dm thin: add cond_resched() to various workqueue loops + - dm cache: add cond_resched() to various workqueue loops + - wifi: rtl8xxxu: fixing transmisison failure for rtl8192eu + - [arm64] rtc: pm8xxx: fix set-alarm race + - hfs: fix missing hfs_bnode_get() in __hfs_bnode_create + - fs: hfsplus: fix UAF issue in hfsplus_put_super + - f2fs: fix information leak in f2fs_move_inline_dirents() + - ocfs2: fix defrag path triggering jbd2 ASSERT + - ocfs2: fix non-auto defrag path not working issue + - udf: Truncate added extents on failed expansion + - udf: Do not bother merging very long extents + - udf: Do not update file length for failed writes to inline files + - udf: Fix file corruption when appending just after end of preallocated + extent + - [x86] virt: Force GIF=1 prior to disabling SVM (for reboot flows) + - [x86] crash: Disable virt in core NMI crash handler to avoid double + shootdown + - [x86] reboot: Disable virtualization in an emergency if SVM is supported + - [x86] reboot: Disable SVM, not just VMX, when stopping CPUs + - [x86] kprobes: Fix __recover_optprobed_insn check optimizing logic + - [x86] kprobes: Fix arch_check_optimized_kprobe check within + optimized_kprobe range + - [x86] microcode/amd: Remove load_microcode_amd()'s bsp parameter + - [x86] microcode/AMD: Add a @cpu parameter to the reloading functions + - [x86] microcode/AMD: Fix mixed steppings support + - [x86] speculation: Allow enabling STIBP with legacy IBRS (CVE-2023-1998) + - irqdomain: Fix association race + - irqdomain: Fix disassociation race + - irqdomain: Drop bogus fwspec-mapping error handling + - [x86] ALSA: ice1712: Do not left ice->gpio_mutex locked in + aureon_add_controls() + - ext4: optimize ea_inode block expansion + - ext4: refuse to create ea block when umounted + - wifi: rtl8xxxu: Use a longer retry limit of 48 + - wifi: cfg80211: Fix use after free for wext + - dm flakey: fix logic when corrupting a bio + - dm flakey: don't corrupt the zero page + - [armhf] dts: exynos: correct TMU phandle in Exynos4 + - [armhf] dts: exynos: correct TMU phandle in Odroid XU + - rbd: avoid use-after-free in do_rbd_add() when rbd_dev_create() fails + - scsi: qla2xxx: Fix link failure in NPIV environment + - scsi: qla2xxx: Fix erroneous link down + - scsi: ses: Don't attach if enclosure has no components + - scsi: ses: Fix slab-out-of-bounds in ses_enclosure_data_process() + - scsi: ses: Fix possible addl_desc_ptr out-of-bounds accesses + - scsi: ses: Fix possible desc_ptr out-of-bounds accesses + - scsi: ses: Fix slab-out-of-bounds in ses_intf_remove() + - [x86] PCI: Avoid FLR for AMD FCH AHCI adapters + - [x86] drm/radeon: Fix eDP for single-display iMac11,2 + - wifi: ath9k: use proper statements in conditionals + - net/sched: Retire tcindex classifier (CVE-2023-1281, CVE-2023-1829) + - fs/jfs: fix shift exponent db_agl2size negative + - ubi: ensure that VID header offset + VID header size <= alloc, size + - ubifs: Rectify space budget for ubifs_symlink() if symlink is encrypted + - ubifs: Rectify space budget for ubifs_xrename() + - ubifs: Fix wrong dirty space budget for dirty inode + - ubifs: do_rename: Fix wrong space budget when target inode's nlink > 1 + - ubifs: Reserve one leb for each journal head while doing budget + - ubi: Fix use-after-free when volume resizing failed + - ubi: Fix unreferenced object reported by kmemleak in ubi_resize_volume() + - ubi: Fix possible null-ptr-deref in ubi_free_volume() + - ubifs: Re-statistic cleaned znode count if commit failed + - ubifs: dirty_cow_znode: Fix memleak in error handling path + - ubifs: ubifs_writepage: Mark page dirty after writing inode failed + - ubi: Fix UAF wear-leveling entry in eraseblk_count_seq_show() + - ubi: ubi_wl_put_peb: Fix infinite loop when wear-leveling work failed + - [x86] watchdog: pcwd_usb: Fix attempting to access uninitialized memory + - netfilter: ctnetlink: fix possible refcount leak in + ctnetlink_create_conntrack() + - net: fix __dev_kfree_skb_any() vs drop monitor + - 9p/xen: fix version parsing + - 9p/xen: fix connection sequence + - 9p/rdma: unmap receive dma buffer in rdma_request()/post_recv() + - nfc: fix memory leak of se_io context in nfc_genl_se_io + - tcp: tcp_check_req() can be called from process context + - vc_screen: modify vcs_size() handling in vcs_read() + - [x86] scsi: ipr: Work around fortify-string warning + - tracing: Add NULL checks for buffer in ring_buffer_free_read_page() + - [x86] firmware/efi sysfb_efi: Add quirk for Lenovo IdeaPad Duet 3 + - media: uvcvideo: Handle cameras with invalid descriptors + - media: uvcvideo: Handle errors from calls to usb_string + - media: uvcvideo: Silence memcpy() run-time false positive warnings + - tty: fix out-of-bounds access in tty_driver_lookup_tty() + - [x86] mei: bus-fixup:upon error print return values of send and receive + - USB: ene_usb6250: Allocate enough memory for full object + - [arm64] phy: rockchip-typec: Fix unsigned comparison with less than zero + - Bluetooth: hci_sock: purge socket queues in the destruct() callback + - tcp: Fix listen() regression in 4.19.270 + - media: uvcvideo: Provide sync and async uvc_ctrl_status_event + - media: uvcvideo: Fix race condition with usb_kill_urb + - f2fs: fix cgroup writeback accounting with fs-layer encryption + - [x86] thermal: intel: powerclamp: Fix cur_state for multi package system + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.277 + - wifi: cfg80211: Partial revert "wifi: cfg80211: Fix use after free for + wext" + - [x86] staging: rtl8192e: Remove function ..dm_check_ac_dc_power calling + a script + - [x86] staging: rtl8192e: Remove call_usermodehelper starting + RadioPower.sh + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.278 + - fs: prevent out-of-bounds array speculation when closing a file + descriptor + - [x86] CPU/AMD: Disable XSAVES on AMD family 0x17 + - ext4: fix RENAME_WHITEOUT handling for inline directories (regression in + 4.19.183) + - ext4: fix another off-by-one fsmap error on 1k block filesystems + - ext4: move where set the MAY_INLINE_DATA flag is set + - ext4: fix WARNING in ext4_update_inline_data + - ext4: zero i_disksize when initializing the bootloader inode + - nfc: change order inside nfc_se_io error path + - udf: reduce leakage of blocks related to named streams + - udf: Remove pointless union in udf_inode_info + - udf: Preserve link count of system files + - udf: Detect system inodes linked into directory hierarchy + - kbuild: fix false-positive need-builtin calculation + - kbuild: generate modules.order only in directories visited by obj-y/m + - scsi: core: Remove the /proc/scsi/${proc_name} directory earlier + - tipc: improve function tipc_wait_for_cond() + - [x86] drm/i915: Don't use BAR mappings for ring buffers with LLC + - ila: do not generate empty messages in ila_xlat_nl_cmd_get_mapping() + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.279 + - ext4: fix cgroup writeback accounting with fs-layer encryption + - fs: sysfs_emit_at: Remove PAGE_SIZE alignment check (regression in + 4.19.179) + - tcp: tcp_make_synack() can be called from process context + - nfc: pn533: initialize struct pn533_out_arg properly + - qed/qed_dev: guard against a possible division by zero + - net: tunnels: annotate lockless accesses to dev->needed_headroom + - net: phy: smsc: bail out in lan87xx_read_status if genphy_read_status + fails + - nfc: st-nci: Fix use after free bug in ndlc_remove due to race condition + (CVE-2023-1990) + - net: usb: smsc75xx: Limit packet length to skb->len + - nvmet: avoid potential UAF in nvmet_req_complete() + - ipv4: Fix incorrect table ID in IOCTL path + - net: usb: smsc75xx: Move packet length check to prevent kernel panic in + skb_pull + - hwmon: (adt7475) Display smoothing attributes in correct order + - hwmon: (adt7475) Fix masking of hysteresis registers + - [arm64] hwmon: (xgene) Fix use after free bug in xgene_hwmon_remove due + to race condition (CVE-2023-1855) + - jffs2: correct logic when creating a hole in jffs2_write_begin + - ext4: fail ext4_iget if special inode unallocated + - ext4: fix task hung in ext4_xattr_delete_inode + - [amd64] drm/amdkfd: Fix an illegal memory access + - tracing: Check field value in hist_field_name() + - ftrace: Fix invalid address access in lookup_rec() when index is 0 + - [x86] mm: Fix use of uninitialized buffer in sme_enable() + - [x86] drm/i915: Don't use stolen memory for ring buffers with LLC + - HID: core: Provide new max_buffer_size attribute to over-ride the default + - HID: uhid: Over-ride the default maximum data buffer value with our own + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.280 + - power: supply: da9150: Fix use after free bug in da9150_charger_remove + due to race condition (CVE-2023-30772) + - i40evf: Change a VF mac without reloading the VF driver + - intel-ethernet: rename i40evf to iavf + - iavf: diet and reformat + - iavf: fix inverted Rx hash condition leading to disabled hash + - intel/igbvf: free irq on the error path in igbvf_request_msix() + - igbvf: Regard vf reset nack as success + - scsi: scsi_dh_alua: Fix memleak for 'qdata' in alua_activate() + - net: usb: smsc95xx: Limit packet length to skb->len + - qed/qed_sriov: guard against NULL derefs from qed_iov_get_vf_info + - [x86] xirc2ps_cs: Fix use after free bug in xirc2ps_detach + (CVE-2023-1670) + - [arm64] net: qcom/emac: Fix use after free bug in emac_remove due to race + condition + - bpf: Adjust insufficient default bpf_jit_limit + - net/mlx5: Read the TC mapping of all priorities on ETS query + - erspan: do not use skb_mac_header() in ndo_start_xmit() + - hvc/xen: prevent concurrent accesses to the shared ring + - [arm64] net: mdio: thunder: Add missing fwnode_handle_put() + - [arm64 ]Bluetooth: btqcomsmd: Fix command timeout after setting BD + address + - Bluetooth: btsdio: fix use after free bug in btsdio_remove due to + unfinished work (CVE-2023-1989) + - [x86] hwmon (it87): Fix voltage scaling for chips with 10.9mV ADCs + - uas: Add US_FL_NO_REPORT_OPCODES for JMicron JMS583Gen 2 + - [x86] thunderbolt: Use const qualifier for `ring_interrupt_index` + - scsi: target: iscsi: Fix an error message in iscsi_check_key() + - scsi: ufs: core: Add soft dependency on governor_simpleondemand + - net: usb: cdc_mbim: avoid altsetting toggling for Telit FE990 + - net: usb: qmi_wwan: add Telit 0x1080 composition + - cifs: empty interface list when server doesn't support query interfaces + - scsi: core: Add BLIST_SKIP_VPD_PAGES for SKhynix H28U74301AMR + - usb: gadget: u_audio: don't let userspace block driver unbind + - igb: revert rtnl_lock() that causes deadlock (regression in 4.19.256) + - dm thin: fix deadlock when swapping to thin device + - [arm*] usb: chipdea: core: fix return -EINVAL if request role is the same + with current role + - [arm*] usb: chipidea: core: fix possible concurrent when switch role + - nilfs2: fix kernel-infoleak in nilfs_ioctl_wrap_copy() + - [arm64] i2c: xgene-slimpro: Fix out-of-bounds bug in + xgene_slimpro_i2c_xfer() (CVE-2023-2194) + - dm stats: check for and propagate alloc_percpu failure + - dm crypt: add cond_resched() to dmcrypt_write() + - sched/fair: sanitize vruntime of entity being placed + - sched/fair: Sanitize vruntime of entity being migrated + - tun: avoid double free in tun_free_netdev (CVE-2022-4744) + - ocfs2: fix data corruption after failed write (regression in 4.19.155) + - md: avoid signed overflow in slot_store() + - [x86] ALSA: asihpi: check pao in control_message() + - ALSA: hda/ca0132: fixup buffer overrun at tuning_ctl_set() + - sched_getaffinity: don't assume 'cpumask_size()' is fully initialized + - [i386] fbdev: lxfb: Fix potential divide by zero + - scsi: megaraid_sas: Fix crash after a double completion + - can: bcm: bcm_tx_setup(): fix KMSAN uninit-value in vfs_write + - i40e: fix registers dump after run ethtool adapter self test + - [arm*] net: dsa: mv88e6xxx: Enable IGMP snooping on user ports only + - [arm*] net: mvneta: make tx buffer array agnostic + - [arm*] Input: alps - fix compatibility with -funsigned-char + - [arm*] Input: focaltech - use explicitly signed char type + - cifs: prevent infinite recursion in CIFSGetDFSRefer() + - cifs: fix DFS traversal oops without CONFIG_CIFS_DFS_UPCALL + - xen/netback: don't do grant copy across page boundary (regression in + 4.19.269) + - [x86] ALSA: hda/conexant: Partial revert of a quirk for Lenovo + (regression in 4.19.256) + - ALSA: usb-audio: Fix regression on detection of Roland VS-100 + (regression in 4.19.164) + - [armhf] drm/etnaviv: fix reference leak when mmaping imported buffer + - ext4: fix kernel BUG in 'ext4_write_inline_data_end()' + - gfs2: Always check inode size of inline inodes + - net: sched: cbq: dont intepret cls results when asked to drop + (CVE-2023-23454) + - cgroup/cpuset: Change cpuset_rwsem and hotplug lock order + - cgroup: Fix threadgroup_rwsem <-> cpus_read_lock() deadlock (regression + in 4.19.232) + - cgroup: Add missing cpus_read_lock() to cgroup_attach_task_all() + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.281 + - pinctrl: Added IRQF_SHARED flag for amd-pinctrl driver + - pinctrl: amd: Use irqchip template + - pinctrl: amd: disable and mask interrupts on probe + - NFSv4: Convert struct nfs4_state to use refcount_t + - NFSv4: Check the return value of update_open_stateid() + - NFSv4: Fix hangs when recovering open state after a server reboot + - [arm64] pwm: cros-ec: Explicitly set .polarity in .get_state() + - wifi: mac80211: fix invalid drv_sta_pre_rcu_remove calls for non-uploaded + sta + - icmp: guard against too small mtu + - net: don't let netpoll invoke NAPI if in xmit context + - sctp: check send stream number after wait_for_sndbuf + - ipv6: Fix an uninit variable access bug in __ip6_make_skb() + - USB: serial: cp210x: add Silicon Labs IFS-USB-DATACABLE IDs + - USB: serial: option: add Telit FE990 compositions + - USB: serial: option: add Quectel RM500U-CN modem + - nilfs2: fix potential UAF of struct nilfs_sc_info in + nilfs_segctor_thread() + - nilfs2: fix sysfs interface lifetime + - [x86] ALSA: hda/realtek: Add quirk for Clevo X370SNW + - perf/core: Fix the same task check in perf_event_set_output + - ftrace: Mark get_lock_parent_ip() __always_inline + - ring-buffer: Fix race while reader and writer are on the same page + - mm/swap: fix swap_info_struct race between swapoff and get_swap_pages() + - [x86] ALSA: emu10k1: fix capture interrupt handler unlinking + - [x86] ALSA: hda/sigmatel: add pin overrides for Intel DP45SG motherboard + - [x86] ALSA: i2c/cs8427: fix iec958 mixer control deactivation + - [x86] ALSA: hda/sigmatel: fix S/PDIF out on Intel D*45* motherboards + - Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp} + - Bluetooth: Fix race condition in hidp_session_thread + - mtdblock: tolerate corrected bit-flips + - 9p/xen : Fix use after free bug in xen_9pfs_front_remove due to race + condition (CVE-2023-1859) + - niu: Fix missing unwind goto in niu_alloc_channels() + - qlcnic: check pci_reset_function result + - sctp: fix a potential overflow in sctp_ifwdtsn_skip + - [arm64] net: macb: fix a memory corruption in extended buffer descriptor + mode + - udp6: fix potential access to stale information + - [arm64] power: supply: cros_usbpd: reclassify "default case!" as debug + - [x86] efi: sysfb_efi: Add quirk for Lenovo Yoga Book X91F/L + - [amd64] verify_pefile: relax wrapper length check + - scsi: ses: Handle enclosure with just a primary component gracefully + - [x86] PCI: Add quirk for AMD XHCI controller that loses MSI-X state in + D3hot + - ubi: Fix failure attaching when vid_hdr offset equals to (sub)page size + - ubi: Fix deadlock caused by recursively holding work_sem + - cgroup/cpuset: Wake up cpuset_attach_wq tasks in cpuset_cancel_attach() + - [arm64] watchdog: sbsa_wdog: Make sure the timeout programming is within + the limits + - [x86] KVM: nVMX: add missing consistency checks for CR0 and CR4 + (CVE-2023-30456) + - [arm64] KVM: arm64: Factor out core register ID enumeration + - [arm64] KVM: arm64: Filter out invalid core register IDs in + KVM_GET_REG_LIST (regression in 4.19) + - [arm64] KVM: Fix system register enumeration + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.282 + - net: sched: sch_qfq: prevent slab-out-of-bounds in qfq_activate_agg + - virtio_net: bugfix overflow inside xdp_linearize_page() + - i40e: fix accessing vsi->active_filters without holding lock + - i40e: fix i40e_setup_misc_vector() error handling + - mlxfw: fix null-ptr-deref in mlxfw_mfa2_tlv_next() + - e1000e: Disable TSO on i219-LM card to increase speed + - f2fs: Fix f2fs_truncate_partial_nodes ftrace event + - [x86] Input: i8042 - add quirk for Fujitsu Lifebook A574/H + - scsi: megaraid_sas: Fix fw_crash_buffer_show() + - scsi: core: Improve scsi_vpd_inquiry() checks + - xen/netback: use same error messages for same errors + - nilfs2: initialize unused bytes in segment summary blocks + - memstick: fix memory leak if card device is never registered + - [x86] purgatory: Don't generate debug info for purgatory.ro + - Revert "ext4: fix use-after-free in ext4_xattr_set_entry" (regression in + 4.19.256) + - ext4: remove duplicate definition of ext4_xattr_ibody_inline_set() + - ext4: fix use-after-free in ext4_xattr_set_entry + - udp: Call inet6_destroy_sock() in setsockopt(IPV6_ADDRFORM). + - tcp/udp: Call inet6_destroy_sock() in IPv6 sk->sk_destruct(). + - inet6: Remove inet6_destroy_sock() in sk->sk_prot->destroy(). + - dccp: Call inet6_destroy_sock() via sk->sk_destruct(). + - sctp: Call inet6_destroy_sock() via sk->sk_destruct(). + + [ Ben Hutchings ] + * Bump ABI to 24 + * [armhf] Disable LOCK_DOWN_KERNEL, LOCK_DOWN_IN_EFI_SECURE_BOOT, and + MODULE_SIG where we don't sign code (Closes: #825141) + * [rt] Update to 4.19.280-rt123: + - workqueue: Fix deadlock due to recursive locking of pool->lock + * [rt] netpoll: Fix netif_local_xmit_active() for 4.19-rt + + -- Ben Hutchings <benh@debian.org> Sat, 29 Apr 2023 22:07:39 +0200 + linux (4.19.269-1) buster-security; urgency=high * New upstream stable update: |