Diffstat (limited to 'debian/changelog')
-rw-r--r-- debian/changelog 990
1 files changed, 990 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index e93896c46..070b5a68d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,993 @@
+linux (4.19.282-1) buster-security; urgency=high
+
+ * New upstream stable update:
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.270
+ - mm/khugepaged: fix GUP-fast interaction by sending IPI
+ - mm/khugepaged: invoke MMU notifiers in shmem/file collapse paths
+ - block: unhash blkdev part inode when the part is deleted
+ - nfp: fix use-after-free in area_cache_get() (CVE-2022-3545)
+ - ASoC: ops: Check bounds for second channel in snd_soc_put_volsw_sx()
+ - can: sja1000: fix size of OCR_MODE_MASK define
+ - can: mcba_usb: Fix termination command argument
+ - ASoC: ops: Correct bounds check for second channel on SX controls
+ - udf: Discard preallocation before extending file with a hole
+ - udf: Fix preallocation discarding at indirect extent boundary
+ - udf: Do not bother looking for prealloc extents if i_lenExtents matches
+ i_size
+ - udf: Fix extending file within last block
+ - usb: gadget: uvc: Prevent buffer overflow in setup handler
+ - USB: serial: option: add Quectel EM05-G modem
+ - USB: serial: cp210x: add Kamstrup RF sniffer PIDs
+ - USB: serial: f81534: fix division by zero on line-speed change
+ - igb: Initialize mailbox message for VF reset
+ - Bluetooth: L2CAP: Fix u8 overflow (CVE-2022-45934)
+ - net: loopback: use NET_NAME_PREDICTABLE for name_assign_type
+ - [arm*] usb: musb: remove extra check in musb_gadget_vbus_draw
+ - [armhf] soc: ti: smartreflex: Fix PM disable depth imbalance in
+ omap_sr_probe
+ - [armhf] dts: dove: Fix assigned-addresses for every PCIe Root Port
+ - [armhf] dts: armada-370: Fix assigned-addresses for every PCIe Root Port
+ - [armhf] dts: armada-xp: Fix assigned-addresses for every PCIe Root Port
+ - [armhf] dts: armada-375: Fix assigned-addresses for every PCIe Root Port
+ - [armhf] dts: armada-38x: Fix assigned-addresses for every PCIe Root Port
+ - [armhf] dts: armada-39x: Fix assigned-addresses for every PCIe Root Port
+ - [armhf] dts: turris-omnia: Add ethernet aliases
+ - [armhf] dts: turris-omnia: Add switch port 6 node
+ - pstore/ram: Fix error return code in ramoops_probe()
+ - pstore: Avoid kcore oops by vmap()ing with VM_IOREMAP
+ - [x86] tpm/tpm_crb: Fix error message in __crb_relinquish_locality()
+ - [arm64] cpuidle: dt: Return the correct numbers of parsed idle states
+ - fs: don't audit the capability check in simple_xattr_list()
+ - selftests/ftrace: event_triggers: wait longer for test_event_enable
+ - perf: Fix possible memleak in pmu_dev_alloc()
+ - timerqueue: Use rb_entry_safe() in timerqueue_getnext()
+ - ocfs2: fix memory leak in ocfs2_stack_glue_init()
+ - PNP: fix name memory leak in pnp_alloc_dev()
+ - [x86] perf/x86/intel/uncore: Fix reference count leak in
+ hswep_has_limit_sbox() (regression in 4.19.189)
+ - [x86] cpufreq: amd_freq_sensitivity: Add missing pci_dev_put()
+ - lib/notifier-error-inject: fix error when writing -errno to debugfs file
+ - debugfs: fix error when writing negative value to atomic_t debugfs file
+ (regression in 4.19.160)
+ - ACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage()
+ - [x86] uprobes/x86: Allow to probe a NOP instruction with 0x66 prefix
+ - [x86] xen/events: only register debug interrupt for 2-level events
+ - [x86] xen: Fix memory leak in xen_smp_intr_init{_pv}()
+ - [x86] xen: Fix memory leak in xen_init_lock_cpu()
+ - xen/privcmd: Fix a possible warning in privcmd_ioctl_mmap_resource()
+ - PM: runtime: Improve path in rpm_idle() when no callback
+ - PM: runtime: Do not call __rpm_callback() from rpm_idle()
+ - [x86] platform/x86: mxm-wmi: fix memleak in mxm_wmi_call_mx[ds|mx]()
+ - fs: sysv: Fix sysv_nblocks() returns wrong value
+ - relay: fix type mismatch when allocating memory in relay_create_buf()
+ - hfs: Fix OOB Write in hfs_asc2mac
+ - wifi: ath9k: hif_usb: fix memory leak of urbs in
+ ath9k_hif_usb_dealloc_tx_urbs() (regression in 4.19.154)
+ - wifi: ath9k: hif_usb: Fix use-after-free in ath9k_hif_usb_reg_in_cb()
+ - wifi: rtl8xxxu: Fix reading the vendor of combo chips
+ - can: kvaser_usb: do not increase tx statistics when sending error message
+ frames
+ - can: kvaser_usb: kvaser_usb_leaf: Get capabilities from device
+ - can: kvaser_usb: kvaser_usb_leaf: Rename {leaf,usbcan}_cmd_error_event to
+ {leaf,usbcan}_cmd_can_error_event
+ - can: kvaser_usb: kvaser_usb_leaf: Handle CMD_ERROR_EVENT
+ - can: kvaser_usb_leaf: Set Warning state even without bus errors
+ - can: kvaser_usb_leaf: Fix improved state not being reported
+ - can: kvaser_usb_leaf: Fix wrong CAN state after stopping
+ - can: kvaser_usb_leaf: Fix bogus restart events
+ - can: kvaser_usb: Add struct kvaser_usb_busparams
+ - can: kvaser_usb: Compare requested bittiming parameters with actual
+ parameters in do_set_{,data}_bittiming
+ - media: vivid: fix compose size exceed boundary
+ - mtd: Fix device name leak when register device failed in add_mtd_device()
+ - wifi: rsi: Fix handling of 802.3 EAPOL frames sent via control port
+ - drm/radeon: Add the missed acpi_put_table() to fix memory leak
+ - regulator: core: fix unbalanced of node refcount in
+ regulator_dev_lookup()
+ - wifi: ath10k: Fix return value in ath10k_pci_init()
+ - [arm64] Input: elants_i2c - properly handle the reset GPIO when power is
+ off
+ - media: solo6x10: fix possible memory leak in solo_sysfs_init()
+ - HID: hid-sensor-custom: set fixed size for custom attributes
+ - bonding: Export skip slave logic to function
+ - media: imon: fix a race condition in send_packet()
+ - pinctrl: pinconf-generic: add missing of_node_put()
+ - media: dvb-core: Fix ignored return value in dvb_register_frontend()
+ - media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()
+ (CVE-2023-28328)
+ - [arm*] drm/tegra: Add missing clk_disable_unprepare() in tegra_dc_probe()
+ - NFSv4.2: Fix a memory stomp in decode_attr_security_label
+ - NFSv4: Fix a deadlock between nfs4_open_recover_helper() and delegreturn
+ - [x86] ALSA: asihpi: fix missing pci_disable_device()
+ - drm/radeon: Fix PCI device refcount leak in radeon_atrm_get_bios()
+ - drm/amdgpu: Fix PCI device refcount leak in amdgpu_atrm_get_bios()
+ - wifi: cfg80211: Fix not unregister reg_pdev when
+ load_builtin_regdb_keys() fails
+ - regulator: core: fix module refcount leak in set_supply()
+ - media: saa7164: fix missing pci_disable_device()
+ - ALSA: mts64: fix possible null-ptr-defer in snd_mts64_interrupt
+ - SUNRPC: Fix missing release socket in rpc_sockname()
+ - NFSv4.x: Fail client initialisation if state manager thread can't run
+ - mmc: rtsx_usb_sdmmc: fix return value check of mmc_add_host()
+ - mmc: toshsd: fix return value check of mmc_add_host()
+ - mmc: vub300: fix return value check of mmc_add_host()
+ - [armhf] mmc: wmt-sdmmc: fix return value check of mmc_add_host()
+ - [arm64] mmc: meson-gx: fix return value check of mmc_add_host()
+ - mmc: via-sdmmc: fix return value check of mmc_add_host()
+ - [x86] mmc: wbsd: fix return value check of mmc_add_host()
+ - [arm*] mmc: mmci: fix return value check of mmc_add_host()
+ - [armhf] clk: samsung: Fix memory leak in _samsung_clk_register_pll()
+ - wifi: rtl8xxxu: Add __packed to struct rtl8723bu_c2h
+ - wifi: brcmfmac: Fix error return code in brcmf_sdio_download_firmware()
+ - blktrace: Fix output non-blktrace event when blk_classic option enabled
+ - [armhf] clk: socfpga: use clk_hw_register for a5/c5
+ - [x86] net: vmw_vsock: vmci: Check memcpy_from_msg()
+ - net: defxx: Fix missing err handling in dfx_init()
+ - drivers: net: qlcnic: Fix potential memory leak in qlcnic_sriov_init()
+ - ethernet: s2io: don't call dev_kfree_skb() under spin_lock_irqsave()
+ - [x86] net: farsync: Fix kmemleak when rmmods farsync
+ - net/tunnel: wait until all sk_user_data reader finish before releasing
+ the sock
+ - [i386] hamradio: don't call dev_kfree_skb() under spin_lock_irqsave()
+ - [i386] net: amd: lance: don't call dev_kfree_skb() under
+ spin_lock_irqsave()
+ - [amd64,arm64] net: amd-xgbe: Fix logic around active and passive cables
+ - [amd64,arm64] net: amd-xgbe: Check only the minimum speed for active/
+ passive cables
+ - Bluetooth: btusb: don't call kfree_skb() under spin_lock_irqsave()
+ - Bluetooth: hci_qca: don't call kfree_skb() under spin_lock_irqsave()
+ - Bluetooth: hci_h5: don't call kfree_skb() under spin_lock_irqsave()
+ - [x86] Bluetooth: hci_bcsp: don't call kfree_skb() under
+ spin_lock_irqsave()
+ - Bluetooth: hci_core: don't call kfree_skb() under spin_lock_irqsave()
+ - Bluetooth: RFCOMM: don't call kfree_skb() under spin_lock_irqsave()
+ (regression in 4.19.254)
+ - [arm*] stmmac: fix potential division by 0 (regression in 4.19.122)
+ - apparmor: fix a memleak in multi_transaction_new()
+ - apparmor: fix lockdep warning when removing a namespace
+ - apparmor: Fix abi check to include v8 abi
+ - f2fs: fix normal discard process
+ - RDMA/nldev: Return "-EAGAIN" if the cm_id isn't from expected port
+ - [x86] scsi: scsi_debug: Fix a warning in resp_write_scat()
+ - PCI: Check for alloc failure in pci_request_irq()
+ - [amd64] RDMA/hfi: Decrease PCI device reference count in error path
+ - RDMA/rxe: Fix NULL-ptr-deref in rxe_qp_do_cleanup() when socket create
+ failed
+ - scsi: hpsa: use local workqueues instead of system workqueues
+ - scsi: hpsa: Fix possible memory leak in hpsa_init_one()
+ - crypto: tcrypt - Fix multibuffer skcipher speed test mem leak
+ - scsi: hpsa: Fix error handling in hpsa_add_sas_host()
+ - scsi: hpsa: Fix possible memory leak in hpsa_add_sas_device()
+ - scsi: fcoe: Fix possible name leak when device_register() fails
+ - [x86] scsi: ipr: Fix WARNING in ipr_init()
+ - scsi: fcoe: Fix transport not deattached when fcoe_if_init() fails
+ - scsi: snic: Fix possible UAF in snic_tgt_create()
+ - [amd64] RDMA/hfi1: Fix error return code in parse_platform_config()
+ - orangefs: Fix sysfs not cleanup when dev init failed
+ - [x86] hwrng: amd - Fix PCI device refcount leak
+ - [i386] hwrng: geode - Fix PCI device refcount leak
+ - IB/IPoIB: Fix queue count inconsistency for PKEY child interfaces
+ - [arm*] serial: tegra: avoid reg access when clk disabled
+ - [arm*] serial: tegra: check for FIFO mode enabled status
+ - [arm*] serial: tegra: set maximum num of uart ports to 8
+ - [arm*] serial: tegra: add support to use 8 bytes trigger
+ - [arm*] serial: tegra: add support to adjust baud rate
+ - [arm*] serial: tegra: report clk rate errors
+ - [arm*] serial: tegra: Add PIO mode support
+ - [arm*] tty: serial: tegra: Activate RX DMA transfer by request
+ - [arm*] serial: tegra: Read DMA status before terminating
+ - [x86] usb: typec: Check for ops->exit instead of ops->enter in
+ altmode_exit
+ - [arm*] serial: amba-pl011: avoid SBSA UART accessing DMACR register
+ - [arm*] serial: pl011: Do not clear RX FIFO & RX interrupt in unthrottle.
+ (regression in 4.19.253)
+ - [i386] serial: pch: Fix PCI device refcount leak in pch_request_dma()
+ - [x86] misc: sgi-gru: fix use-after-free error in gru_set_context_option,
+ gru_fault and gru_handle_user_call_os (CVE-2022-3424)
+ - misc: tifm: fix possible memory leak in tifm_7xx1_switch_media()
+ - usb: gadget: f_hid: optional SETUP/SET_REPORT mode
+ - usb: gadget: f_hid: fix f_hidg lifetime vs cdev
+ - usb: gadget: f_hid: fix refcount leak on error path
+ - chardev: fix error handling in cdev_device_add()
+ - [i386] i2c: pxa-pci: fix missing pci_disable_device() on error in
+ ce4100_i2c_probe
+ - [x86] staging: rtl8192u: Fix use after free in ieee80211_rx()
+ - [x86] staging: rtl8192e: Fix potential use-after-free in
+ rtllib_rx_Monitor()
+ - [x86] i2c: ismt: Fix an out-of-bounds bug in ismt_access()
+ (CVE-2022-2873)
+ - usb: storage: Add check for kcalloc
+ - tracing/hist: Fix issue of losting command info in error_log
+ - [x86] fbdev: pm2fb: fix missing pci_disable_device()
+ - [x86] fbdev: via: Fix error in via_core_init()
+ - [x86] fbdev: vermilion: decrease reference count in error path
+ - [x86] fbdev: uvesafb: Fixes an error handling path in uvesafb_probe()
+ - [armhf] HSI: omap_ssi_core: fix unbalanced pm_runtime_disable()
+ - [armhf] HSI: omap_ssi_core: fix possible memory leak in ssi_probe()
+ - power: supply: fix residue sysfs file in error handle route of
+ __power_supply_register()
+ - perf symbol: correction while adjusting symbol (regression in 4.19.255)
+ - [armhf] HSI: omap_ssi_core: Fix error handling in ssi_init()
+ - include/uapi/linux/swab: Fix potentially missing __always_inline
+ - [armhf] rtc: snvs: Allow a time difference on clock register read
+ - [amd64] iommu/amd: Fix pci device refcount leak in ppr_notifier()
+ - nfsd: under NFSv4.1, fix double svc_xprt_put on rpc_create failure
+ (regression in 4.19.130)
+ - [x86] mISDN: hfcsusb: don't call dev_kfree_skb/kfree_skb() under
+ spin_lock_irqsave()
+ - [x86] mISDN: hfcpci: don't call dev_kfree_skb/kfree_skb() under
+ spin_lock_irqsave()
+ - [x86] mISDN: hfcmulti: don't call dev_kfree_skb/kfree_skb() under
+ spin_lock_irqsave()
+ - nfc: pn533: Clear nfc_target before being used
+ - r6040: Fix kmemleak in probe and remove
+ - openvswitch: Fix flow lookup to use unmasked key
+ - skbuff: Account for tail adjustment during pull operations
+ - net_sched: reject TCF_EM_SIMPLE case for complex ematch module
+ - rxrpc: Fix missing unlock in rxrpc_do_sendmsg()
+ - myri10ge: Fix an error handling path in myri10ge_probe()
+ - net: stream: purge sk_error_queue in sk_stream_kill_queues()
+ (regression in 4.19.218)
+ - fs: jfs: fix shift-out-of-bounds in dbAllocAG
+ - udf: Avoid double brelse() in udf_rename()
+ - fs: jfs: fix shift-out-of-bounds in dbDiscardAG
+ - ACPICA: Fix error code path in acpi_ds_call_control_method()
+ - nilfs2: fix shift-out-of-bounds/overflow in nilfs_sb2_bad_offset()
+ - acct: fix potential integer overflow in encode_comp_t()
+ - hfs: fix OOB Read in __hfs_brec_find
+ - wifi: ath9k: verify the expected usb_endpoints are present
+ - wifi: ar5523: Fix use-after-free on ar5523_cmd() timed out
+ - bpf: make sure skb->len != 0 when redirecting to a tunneling device
+ - [i386] hamradio: baycom_epp: Fix return type of baycom_send_packet()
+ - wifi: brcmfmac: Fix potential shift-out-of-bounds in
+ brcmf_fw_alloc_request()
+ - igb: Do not free q_vector unless new one was allocated
+ - drm/amdgpu: Fix type of second parameter in trans_msg() callback
+ - drivers/md/md-bitmap: check the return value of md_bitmap_get_counter()
+ - md/raid1: stop mdx_raid1 thread when raid1 array run failed
+ - mrp: introduce active flags to prevent UAF when applicant uninit
+ - ppp: associate skb with a device at tx
+ - media: dvb-frontends: fix leak of memory fw
+ - media: dvbdev: adopts refcnt to avoid UAF
+ - media: dvb-usb: fix memory leak in dvb_usb_adapter_init()
+ - blk-mq: fix possible memleak when register 'hctx' failed
+ - regulator: core: fix use_count leakage when handling boot-on
+ - [arm64] mmc: f-sdh30: Add quirks for broken timeout clock capability
+ - media: si470x: Fix use-after-free in si470x_int_in_callback()
+ - orangefs: Fix kmemleak in orangefs_prepare_debugfs_help_string()
+ - [arm*] ASoC: rockchip: spdif: Add missing clk_disable_unprepare() in
+ rk_spdif_runtime_resume()
+ - [x86] ASoC: rt5670: Remove unbalanced pm_runtime_put()
+ - [arm*] usb: dwc3: core: defer probe on ulpi_read_id timeout
+ - HID: wacom: Ensure bootloader PID is usable in hidraw mode
+ - reiserfs: Add missing calls to reiserfs_security_free()
+ - media: dvbdev: fix refcnt bug
+ - ata: ahci: Fix PCS quirk application for suspend (regression in 4.19.77)
+ - HID: plantronics: Additional PIDs for double volume key presses quirk
+ - hfsplus: fix bug causing custom uid and gid being unable to be assigned
+ with mount
+ - ovl: Use ovl mounter's fsuid and fsgid in ovl_link()
+ - ALSA: line6: correct midi status byte when receiving data from podxt
+ - ALSA: line6: fix stack overflow in line6_midi_transmit
+ - pnode: terminate at peers of source
+ - md: fix a crash in mempool_free
+ - mmc: vub300: fix warning - do not call blocking ops when !TASK_RUNNING
+ - SUNRPC: Don't leak netobj memory when gss_read_proxy_verf() fails
+ - media: stv0288: use explicitly signed char
+ - dm cache: Fix ABBA deadlock between shrink_slab and
+ dm_cache_metadata_abort
+ - dm thin: Use last transaction's pmd->root when commit failed
+ - dm thin: Fix UAF in run_timer_softirq()
+ - dm cache: Fix UAF in destroy()
+ - dm cache: set needs_check flag after aborting metadata
+ - [x86] microcode/intel: Do not retry microcode reloading on the APs
+ - tracing: Fix infinite loop in tracing_read_pipe on overflowed
+ print_trace_line
+ - media: dvb-core: Fix double free in dvb_register_device()
+ (regression in 4.19.77)
+ - media: dvb-core: Fix UAF due to refcount races at releasing
+ (CVE-2022-41218)
+ - md/bitmap: Fix bitmap chunk size overflow issues
+ - ipmi: fix long wait in unload when IPMI disconnect
+ - ipmi: fix use after free in _ipmi_destroy_user()
+ - PCI: Fix pci_device_is_present() for VFs by checking PF
+ - PCI/sysfs: Fix double free in error path
+ - [amd64] iommu/amd: Fix ivrs_acpihid cmdline parsing code
+ - device_cgroup: Roll back to original exceptions after copy failure
+ - drm/connector: send hotplug uevent on connector cleanup
+ - [x86] drm/vmwgfx: Validate the box size for the snooped cursor
+ (CVE-2022-36280)
+ - ext4: add inode table check in __ext4_get_inode_loc to aovid possible
+ infinite loop
+ - ext4: add helper to check quota inums
+ - ext4: fix bug_on in __es_tree_search caused by bad boot loader inode
+ - ext4: init quota for 'old.inode' in 'ext4_rename'
+ - ext4: fix corruption when online resizing a 1K bigalloc fs
+ - ext4: fix error code return to user-space in ext4_get_branch()
+ - ext4: avoid BUG_ON when creating xattrs
+ - ext4: fix inode leak in ext4_xattr_inode_create() on an error path
+ - ext4: initialize quota before expanding inode in setproject ioctl
+ - ext4: avoid unaccounted block allocation when expanding inode
+ - ext4: allocate extended attribute value in vmalloc area
+ - btrfs: send: avoid unnecessary backref lookups when finding clone source
+ - btrfs: replace strncpy() with strscpy()
+ - dm thin: resume even if in FAIL mode
+ - perf probe: Use dwarf_attr_integrate as generic DWARF attr accessor
+ - perf probe: Fix to get the DW_AT_decl_file and DW_AT_call_file as
+ unsinged data
+ - driver core: Set deferred_probe_timeout to a longer default if
+ CONFIG_MODULES is set
+ - ext4: goto right label 'failed_mount3a'
+ - ext4: correct inconsistent error msg in nojournal mode
+ - ext4: use kmemdup() to replace kmalloc + memcpy
+ - mbcache: don't reclaim used entries
+ - mbcache: add functions to delete entry if unused
+ - ext4: remove EA inode entry from mbcache on inode eviction
+ - ext4: unindent codeblock in ext4_xattr_block_set()
+ - ext4: fix race when reusing xattr blocks
+ - mbcache: automatically delete entries from cache on freeing
+ - ext4: fix deadlock due to mbcache entry corruption
+ - SUNRPC: ensure the matching upcall is in-flight upon downcall
+ - bpf: pull before calling skb_postpull_rcsum()
+ - qlcnic: prevent ->dcb use-after-free on qlcnic_dcb_enable() failure
+ - nfc: Fix potential resource leaks
+ - [amd64,arm64] net: amd-xgbe: add missed tasklet_kill
+ - RDMA/mlx5: Fix validation of max_rd_atomic caps for DC
+ - net: sched: atm: dont intepret cls results when asked to drop
+ (CVE-2023-23455)
+ - usb: rndis_host: Secure rndis_query check against int overflow
+ - udf: Fix extension of the last extent in the file
+ - [x86] ASoC: Intel: bytcr_rt5640: Add quirk for the Advantech MICA-071
+ tablet
+ - [x86] bugs: Flush IBP in ib_prctl_set() (CVE-2023-0045)
+ - nfsd: fix handling of readdir in v4root vs. mount upcall timeout
+ - ext4: don't allow journal inode to have encrypt flag
+ - hfs/hfsplus: use WARN_ON for sanity check
+ - hfs/hfsplus: avoid WARN_ON() for sanity check, use proper error handling
+ - mbcache: Avoid nesting of cache->c_list_lock under bit locks
+ - driver core: Fix bus_type.match() error handling in __driver_attach()
+ - net: sched: disallow noqueue for qdisc classes (CVE-2022-47929)
+ - perf auxtrace: Fix address filter duplicate symbol selection
+ - net/ulp: prevent ULP without clone op from entering the LISTEN status
+ (CVE-2023-0461)
+ - ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF
+ (CVE-2023-0266)
+ - cifs: Fix uninitialized memory read for smb311 posix symlink create
+ - [x86] platform/x86: sony-laptop: Don't turn off 0x153 keyboard backlight
+ during probe
+ - ipv6: raw: Deduct extension header length in rawv6_push_pending_frames
+ (CVE-2023-0394)
+ - [x86] ALSA: hda/hdmi: fix failures at PCM open on Intel ICL and later
+ - quota: Factor out setup of quota inode
+ - ext4: fix bug_on in __es_tree_search caused by bad quota inode
+ - ext4: lost matching-pair of trace in ext4_truncate
+ - ext4: fix use-after-free in ext4_orphan_cleanup
+ - ext4: fix uninititialized value in 'ext4_evict_inode'
+ - netfilter: ipset: Fix overflow before widen in the bitmap_ip_create()
+ function.
+ - [x86] boot: Avoid using Intel mnemonics in AT&T syntax asm
+ - EDAC/device: Fix period calculation in edac_device_reset_delay_period()
+ - hvc/xen: lock console list traversal
+ - nfc: pn533: Wait for out_urb's completion in pn533_usb_send_frame()
+ - net/mlx5: Rename ptp clock info
+ - net/mlx5: Fix ptp max frequency adjustment range
+ - drm/virtio: Fix GEM handle creation UAF
+ - [arm64] cmpxchg_double*: hazard against entire exchange variable
+ - efi: fix NULL-deref in init error path (regression in 4.19.142)
+ - [arm*] tty: serial: tegra: Handle RX transfer in PIO mode if DMA wasn't
+ started
+ - [arm*] serial: tegra: Only print FIFO error message when an error occurs
+ - [arm*] serial: tegra: Change lower tolerance baud rate limit for tegra20
+ and tegra30
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.271
+ - pNFS/filelayout: Fix coalescing test for single DS
+ - net/ethtool/ioctl: return -EOPNOTSUPP if we have no phy stats
+ - RDMA/srp: Move large values to a new enum for gcc13
+ - f2fs: let's avoid panic if extent_tree is not created
+ - nilfs2: fix general protection fault in nilfs_btree_insert()
+ - xhci-pci: set the dma max_seg_size
+ - usb: xhci: Check endpoint is valid before dereferencing it
+ - xhci: Fix null pointer dereference when host dies
+ - xhci: Add a flag to disable USB3 lpm on a xhci root port level.
+ - prlimit: do_prlimit needs to have a speculation check (CVE-2023-0458)
+ - USB: serial: option: add Quectel EM05-G (GR) modem
+ - USB: serial: option: add Quectel EM05-G (CS) modem
+ - USB: serial: option: add Quectel EM05-G (RS) modem
+ - USB: serial: option: add Quectel EC200U modem
+ - USB: serial: option: add Quectel EM05CN (SG) modem
+ - USB: serial: option: add Quectel EM05CN modem
+ - USB: misc: iowarrior: fix up header size for
+ USB_DEVICE_ID_CODEMERCS_IOW100
+ - usb: core: hub: disable autosuspend for TI TUSB8041
+ - [x86] comedi: adv_pci1760: Fix PWM instruction handling
+ - [arm*] mmc: sunxi-mmc: Fix clock refcount imbalance during unbind
+ - cifs: do not include page data when checking signature
+ - USB: serial: cp210x: add SCALANCE LPE-9000 device id
+ - usb: gadget: f_ncm: fix potential NULL ptr deref in ncm_bitrate()
+ - usb-storage: apply IGNORE_UAS only for HIKSEMI MD202 on RTL9210
+ - [i386] serial: pch_uart: Pass correct sg to dma_unmap_sg()
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.272
+ - [armhf] dts: imx6qdl-gw560x: Remove incorrect 'uart-has-rtscts'
+ - [amd64] intel_ish-hid: Add check for ishtp_dma_tx_map
+ - [amd64] IB/hfi1: Reject a zero-length user expected buffer
+ - [amd64] IB/hfi1: Reserve user expected TIDs
+ - [amd64] IB/hfi1: Fix expected receive setup error exit issues
+ - affs: initialize fsdata in affs_truncate()
+ - amd-xgbe: TX Flow Ctrl Registers are h/w ver dependent
+ - amd-xgbe: Delay AN timeout during KR training
+ - bpf: Fix pointer-leak due to insufficient speculative store bypass
+ mitigation
+ - [arm64] phy: rockchip-inno-usb2: Fix missing clk_disable_unprepare() in
+ rockchip_usb2phy_power_on()
+ - net: nfc: Fix use-after-free in local_cleanup()
+ - wifi: rndis_wlan: Prevent buffer overflow in rndis_query_oid
+ (CVE-2023-23559)
+ - net: usb: sr9700: Handle negative len
+ - net: mdio: validate parameter addr in mdiobus_get_phy()
+ - HID: check empty report_list in hid_validate_values() (CVE-2023-1073)
+ - usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait
+ - usb: gadget: f_fs: Ensure ep0req is dequeued before free_request
+ - net: mlx5: eliminate anonymous module_init & module_exit
+ - dmaengine: Fix double increment of client_count in dma_chan_get()
+ - [arm64] net: macb: fix PTP TX timestamp failure due to packet padding
+ - HID: betop: check shape of output reports
+ - tcp: avoid the lookup process failing to get sk in ehash table
+ - w1: fix deadloop in __w1_remove_master_device()
+ - w1: fix WARNING after calling w1_process()
+ - netfilter: conntrack: do not renew entry stuck in tcp SYN_SENT state
+ - block: fix and cleanup bio_check_ro
+ - perf env: Do not return pointers to local variables
+ - fs: reiserfs: remove useless new_opts in reiserfs_remount
+ - Bluetooth: hci_sync: cancel cmd_timer if hci_open failed
+ - scsi: hpsa: Fix allocation size for scsi_host_alloc()
+ - module: Don't wait for GOING modules
+ - tracing: Make sure trace_printk() can output as soon as it can be used
+ - trace_events_hist: add check for return value of 'create_hist_field'
+ - smbd: Make upper layer decide when to destroy the transport
+ - cifs: Fix oops due to uncleared server->smbd_conn in reconnect
+ - EDAC/device: Respect any driver-supplied workqueue polling value
+ - net: fix UaF in netns ops registration error path (regression in
+ 4.19.264)
+ - netfilter: nft_set_rbtree: skip elements in transaction from garbage
+ collection
+ - netlink: remove hash::nelems check in netlink_insert
+ - netlink: annotate data races around nlk->portid
+ - netlink: annotate data races around dst_portid and dst_group
+ - netlink: annotate data races around sk_state
+ - ipv4: prevent potential spectre v1 gadget in ip_metrics_convert()
+ - netfilter: conntrack: fix vtag checks for ABORT/SHUTDOWN_COMPLETE
+ - [x86] netrom: Fix use-after-free of a listening socket. (regression in
+ 4.19.199)
+ - sctp: fail if no bound addresses can be used for a given scope
+ (CVE-2023-1074)
+ - net/tg3: resolve deadlock in tg3_reset_task() during EEH
+ - [x86] Revert "Input: synaptics - switch touchpad on HP Laptop 15-da3001TU
+ to RMI mode" (regression in 4.19.268)
+ - [x86] i8259: Mark legacy PIC interrupts with IRQ_LEVEL
+ - [x86] drm/i915/display: fix compiler warning about array overrun
+ - [armhf] dts: imx: Fix pca9547 i2c-mux node name
+ - [armhf] dmaengine: imx-sdma: Fix a possible memory leak in
+ sdma_transfer_init
+ - panic: unset panic_on_warn inside panic()
+ - exit: Add and use make_task_dead.
+ - exit: Put an upper limit on how often we can oops
+ - exit: Expose "oops_count" to sysfs
+ - exit: Allow oops_limit to be disabled
+ - panic: Consolidate open-coded panic_on_warn checks
+ - panic: Introduce warn_limit
+ - panic: Expose "warn_count" to sysfs
+ - docs: Fix path paste-o for /sys/kernel/warn_count
+ - exit: Use READ_ONCE() for all oops/warn limit reads
+ - ipv6: ensure sane device mtu in tunnels
+ - [arm*] usb: host: xhci-plat: add wakeup entry at sysfs
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.273
+ - firewire: fix memory leak for payload of request subaction to IEC 61883-1
+ FCP region
+ - [arm*] bus: sunxi-rsb: Fix error handling in sunxi_rsb_init()
+ - ALSA: hda/via: Avoid potential array out-of-bound in add_secret_dac_path()
+ - [x86] netrom: Fix use-after-free caused by accept on already connected
+ socket
+ - ata: libata: Fix sata_down_spd_limit() when no link speed is reported
+ - net: openvswitch: fix flow memory leak in ovs_flow_cmd_new
+ - scsi: target: core: Fix warning on RT kernels
+ - scsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress
+ (CVE-2023-2162)
+ - [arm*] i2c: rk3x: fix a bunch of kernel-doc warnings
+ - [arm64] usb: dwc3: dwc3-qcom: Fix typo in the dwc3 vbus override API
+ - [arm64] usb: dwc3: qcom: enable vbus override when in OTG dr-mode
+ - usb: gadget: f_fs: Fix unbalanced spinlock in __ffs_ep0_queue_wait
+ - vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF
+ - [x86] Input: i8042 - merge quirk tables
+ - [x86] Input: i8042 - add TUXEDO devices to i8042 quirk tables
+ - [x86] Input: i8042 - add Clevo PCX0DX to i8042 quirk table
+ - [x86] nVMX x86: Check VMX-preemption timer controls on vmentry of L2
+ guests
+ - [x86] KVM: VMX: Move caching of MSR_IA32_XSS to hardware_setup()
+ - [x86] KVM: x86/vmx: Do not skip segment attributes if unusable bit is set
+ - [x86] thermal: intel: int340x: Protect trip temperature from concurrent
+ updates
+ - fbcon: Check font dimension limits
+ - efi: Accept version 2 of memory attributes table
+ - iio: hid: fix the retval in accel_3d_capture_sample
+ - mm: hugetlb: proc: check for hugetlb shared PMD in /proc/PID/smaps
+ - mm/swapfile: add cond_resched() in get_swap_pages()
+ - Squashfs: fix handling and sanity checking of xattr_ids count
+ - serial: 8250_dma: Fix DMA Rx completion race
+ - serial: 8250_dma: Fix DMA Rx rearm race
+ - [x86] thermal: intel: int340x: Add locking to
+ int340x_thermal_get_trip_type()
+ - btrfs: limit device extents to the device size
+ - [x86] ALSA: emux: Avoid potential array out-of-bound in
+ snd_emux_xg_control()
+ - [amd64] IB/hfi1: Restore allocated resources on failed copyout
+ - [arm64] net: phy: meson-gxl: add g12a support
+ - [arm64] net: phy: meson-gxl: use MMD access dummy stubs for GXL, internal
+ PHY
+ - rds: rds_rm_zerocopy_callback() use list_first_entry() (CVE-2023-1078)
+ - ALSA: pci: lx6464es: fix a debug loop
+ - [arm*] pinctrl: single: fix potential NULL dereference
+ - [x86] pinctrl: intel: Convert unsigned to unsigned int
+ - [x86] pinctrl: intel: Restore the pins that used to be in Direct IRQ mode
+ - net: USB: Fix wrong-direction WARNING in plusb.c
+ - usb: core: add quirk for Alcor Link AK9563 smartcard reader
+ - [arm64] dts: meson-gx: Make mmc host controller interrupts level-
+ sensitive
+ - [arm64] dts: meson-axg: Make mmc host controller interrupts level-
+ sensitive
+ - bpf: Always return target ifindex in bpf_fib_lookup
+ - migrate: hugetlb: check for hugetlb shared PMD in node migration
+ - [x86] net/rose: Fix to not accept on connected socket
+ - nvme-fc: fix a missing queue put in nvmet_fc_ls_create_association
+ - aio: fix mremap after fork null-deref
+ - netfilter: nft_tproxy: restrict to prerouting hook
+ - mmc: sdio: fix possible resource leaks in some error paths
+ - ALSA: hda/conexant: add a new hda codec SN6180
+ - ALSA: hda/realtek - fixed wrong gpio assigned
+ - [armhf,i386] hugetlb: check for undefined shift on 32 bit architectures
+ - i40e: add double of VLAN header when computing the max MTU
+ - dccp/tcp: Avoid negative sk_forward_alloc by ipv6_pinfo.pktoptions.
+ - net/usb: kalmia: Don't pass act_len in usb_bulk_msg error path
+ - [arm*] net: stmmac: fix order of dwmac5 FlexPPS parametrization sequence
+ - bnxt_en: Fix mqprio and XDP ring checking logic
+ - [arm*] net: stmmac: Restrict warning on disabling DMA store and fwd mode
+ - net: mpls: fix stale pointer if allocation fails during device rename
+ (CVE-2023-26545)
+ - ipv6: Fix datagram socket connection with DSCP.
+ - ipv6: Fix tcp socket connection with DSCP.
+ - i40e: Add checking for null for nlmsg_find_attr()
+ - [x86] kvm: initialize all of the kvm_debugregs structure before sending
+ it to userspace (CVE-2023-1513)
+ - nilfs2: fix underflow in second superblock position calculations
+ - [arm64] net: phy: meson-gxl: Add generic dummy stubs for MMD register
+ access
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.274
+ - wifi: rtl8xxxu: gen2: Turn on the rate control
+ - random: always mix cycle counter in add_latent_entropy()
+ - can: kvaser_usb: hydra: help gcc-13 to figure out cmd_len
+ - alarmtimer: Prevent starvation by small intervals and SIG_IGN
+ - [x86] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
+ (CVE-2022-3707)
+ - mac80211: mesh: embedd mesh_paths and mpp_paths into ieee80211_if_mesh
+ - uaccess: Add speculation barrier to copy_from_user() (CVE-2023-0459)
+ - bpf: add missing header file include
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.275
+ - [armhf] dts: rockchip: add power-domains property to dp node on rk3288
+ - [amd64,arm64] ACPI: NFIT: fix a potential deadlock during NFIT teardown
+ - btrfs: send: limit number of clones and allocated memory size
+ - [amd64] IB/hfi1: Assign npages earlier
+ - net: Remove WARN_ON_ONCE(sk->sk_forward_alloc) from sk_stream_kill_queues().
+ - vc_screen: don't clobber return value in vcs_read
+ - USB: serial: option: add support for VW/Skoda "Carstick LTE"
+ - USB: core: Don't hold device lock while reading the "descriptors" sysfs
+ file
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.276
+ - HID: asus: Remove check for same LED brightness on set
+ - HID: asus: use spinlock to protect concurrent accesses
+ - HID: asus: use spinlock to safely schedule workers (CVE-2023-1079)
+ - [armhf] OMAP2+: Fix memory leak in realtime_counter_init()
+ - [armhf] imx: Call ida_simple_remove() for ida_simple_get
+ - [arm64] dts: meson-axg: enable SCPI
+ - blk-mq: remove stale comment for blk_mq_sched_mark_restart_hctx
+ - block: bio-integrity: Copy flags when bio_integrity_payload is cloned
+ - wifi: rsi: Fix memory leak in rsi_coex_attach()
+ - wifi: libertas: fix memory leak in lbs_init_adapter()
+ - wifi: rtl8xxxu: don't call dev_kfree_skb() under spin_lock_irqsave()
+ - rtlwifi: fix -Wpointer-sign warning
+ - wifi: rtlwifi: Fix global-out-of-bounds bug in
+ _rtl8812ae_phy_set_txpower_limit()
+ - ipw2x00: switch from 'pci_' to 'dma_' API
+ - wifi: ipw2x00: don't call dev_kfree_skb() under spin_lock_irqsave()
+ - wifi: ipw2200: fix memory leak in ipw_wdev_init()
+ - wifi: brcmfmac: fix potential memory leak in brcmf_netdev_start_xmit()
+ - wifi: brcmfmac: unmap dma buffer in brcmf_msgbuf_alloc_pktid()
+ - wifi: libertas_tf: don't call kfree_skb() under spin_lock_irqsave()
+ - wifi: libertas: if_usb: don't call kfree_skb() under spin_lock_irqsave()
+ - wifi: libertas: main: don't call kfree_skb() under spin_lock_irqsave()
+ - wifi: libertas: cmdresp: don't call kfree_skb() under spin_lock_irqsave()
+ - [x86] wifi: wl3501_cs: don't call kfree_skb() under spin_lock_irqsave()
+ - [x86] ACPICA: Drop port I/O validation for some regions
+ - genirq: Fix the return type of kstat_cpu_irqs_sum()
+ - lib/mpi: Fix buffer overrun when SG is too long
+ - ACPICA: nsrepair: handle cases without a return value correctly
+ - [x86] wifi: orinoco: check return value of hermes_write_wordrec()
+ - wifi: ath9k: htc_hst: free skb in ath9k_htc_rx_msg() if there is no
+ callback function
+ - wifi: ath9k: hif_usb: clean up skbs if ath9k_hif_usb_rx_stream() fails
+ - wifi: ath9k: Fix potential stack-out-of-bounds write in
+ ath9k_wmi_rsp_callback()
+ - [x86] ACPI: battery: Fix missing NUL-termination with large strings
+ - crypto: seqiv - Handle EBUSY correctly
+ - Bluetooth: L2CAP: Fix potential user-after-free
+ - libbpf: Fix alen calculation in libbpf_nla_dump_errormsg()
+ - rds: rds_rm_zerocopy_callback() correct order for list_add_tail()
+ - crypto: rsa-pkcs1pad - Use akcipher_request_complete
+ - wifi: iwl3945: Add missing check for create_singlethread_workqueue
+ - wifi: iwl4965: Add missing check for create_singlethread_workqueue()
+ - wifi: mwifiex: fix loop iterator in mwifiex_update_ampdu_txwinsize()
+ - wifi: mac80211: make rate u32 in sta_set_rate_info_rx()
+ - can: esd_usb: Move mislocated storage of SJA1000_ECC_SEG bits in case of
+ a bus error
+ - [arm*] drm/vc4: dpi: Add option for inverting pixel clock and output
+ enable
+ - [arm*] drm/vc4: dpi: Fix format mapping for RGB565
+ - [arm64] drm/msm/hdmi: Add missing check for alloc_ordered_workqueue
+ - ALSA: hda/ca0132: minor fix for allocation size
+ - drm/mipi-dsi: Fix byte order of 16-bit DCS set/get brightness
+ - [arm64] drm/msm: use strscpy instead of strncpy
+ - [arm64] drm/msm/dpu: Add check for pstates
+ - [arm*] gpu: host1x: Don't skip assigning syncpoints to channels
+ - [x86] ASoC: soc-compress.c: fixup private_data on snd_soc_new_compress()
+ - scsi: aic94xx: Add missing check for dma_map_single()
+ - nfsd: fix race to check ls_layouts
+ - gfs2: jdata writepage fix
+ - perf llvm: Fix inadvertent file creation
+ - [arm64] perf tools: Fix auto-complete on aarch64
+ - [armhf] mtd: rawnand: sunxi: Fix the size of the last OOB region
+ - Input: ads7846 - don't report pressure for ads7845
+ - Input: ads7846 - don't check penirq immediately for 7845
+ - clk: Honor CLK_OPS_PARENT_ENABLE in clk_core_is_enabled()
+ - [armhf] media: platform: ti: Add missing check for devm_regulator_get
+ - media: rc: Fix use-after-free bugs caused by ene_tx_irqsim()
+ (CVE-2023-1118)
+ - media: i2c: ov7670: 0 instead of -EINVAL was returned
+ - media: usb: siano: Fix use after free bugs caused by do_submit_urb
+ - [arm64] rpmsg: glink: Avoid infinite loop on intent for missing channel
+ - [armhf] dts: exynos: Use Exynos5420 compatible for the MIPI video phy
+ - wifi: brcmfmac: Fix potential stack-out-of-bounds in
+ brcmf_c_preinit_dcmds()
+ - rcu: Suppress smp_processor_id() complaint in
+ synchronize_rcu_expedited_wait()
+ - [x86] thermal: intel: Fix unsigned comparison with less than zero
+ - timers: Prevent union confusion from unexpected restart_syscall()
+ - [x86] bugs: Reset speculation control settings on init
+ - wifi: brcmfmac: ensure CLM version is null-terminated to prevent stack-
+ out-of-bounds
+ - inet: fix fast path in __inet_hash_connect()
+ - ACPI: Don't build ACPICA with '-Os'
+ - [x86] ACPI: video: Fix Lenovo Ideapad Z570 DMI match
+ - drm/amd/display: Fix potential null-deref in dm_resume
+ - [arm64] drm/msm/dsi: Add missing check for alloc_ordered_workqueue
+ - dm thin: add cond_resched() to various workqueue loops
+ - dm cache: add cond_resched() to various workqueue loops
+ - wifi: rtl8xxxu: fixing transmisison failure for rtl8192eu
+ - [arm64] rtc: pm8xxx: fix set-alarm race
+ - hfs: fix missing hfs_bnode_get() in __hfs_bnode_create
+ - fs: hfsplus: fix UAF issue in hfsplus_put_super
+ - f2fs: fix information leak in f2fs_move_inline_dirents()
+ - ocfs2: fix defrag path triggering jbd2 ASSERT
+ - ocfs2: fix non-auto defrag path not working issue
+ - udf: Truncate added extents on failed expansion
+ - udf: Do not bother merging very long extents
+ - udf: Do not update file length for failed writes to inline files
+ - udf: Fix file corruption when appending just after end of preallocated
+ extent
+ - [x86] virt: Force GIF=1 prior to disabling SVM (for reboot flows)
+ - [x86] crash: Disable virt in core NMI crash handler to avoid double
+ shootdown
+ - [x86] reboot: Disable virtualization in an emergency if SVM is supported
+ - [x86] reboot: Disable SVM, not just VMX, when stopping CPUs
+ - [x86] kprobes: Fix __recover_optprobed_insn check optimizing logic
+ - [x86] kprobes: Fix arch_check_optimized_kprobe check within
+ optimized_kprobe range
+ - [x86] microcode/amd: Remove load_microcode_amd()'s bsp parameter
+ - [x86] microcode/AMD: Add a @cpu parameter to the reloading functions
+ - [x86] microcode/AMD: Fix mixed steppings support
+ - [x86] speculation: Allow enabling STIBP with legacy IBRS (CVE-2023-1998)
+ - irqdomain: Fix association race
+ - irqdomain: Fix disassociation race
+ - irqdomain: Drop bogus fwspec-mapping error handling
+ - [x86] ALSA: ice1712: Do not left ice->gpio_mutex locked in
+ aureon_add_controls()
+ - ext4: optimize ea_inode block expansion
+ - ext4: refuse to create ea block when umounted
+ - wifi: rtl8xxxu: Use a longer retry limit of 48
+ - wifi: cfg80211: Fix use after free for wext
+ - dm flakey: fix logic when corrupting a bio
+ - dm flakey: don't corrupt the zero page
+ - [armhf] dts: exynos: correct TMU phandle in Exynos4
+ - [armhf] dts: exynos: correct TMU phandle in Odroid XU
+ - rbd: avoid use-after-free in do_rbd_add() when rbd_dev_create() fails
+ - scsi: qla2xxx: Fix link failure in NPIV environment
+ - scsi: qla2xxx: Fix erroneous link down
+ - scsi: ses: Don't attach if enclosure has no components
+ - scsi: ses: Fix slab-out-of-bounds in ses_enclosure_data_process()
+ - scsi: ses: Fix possible addl_desc_ptr out-of-bounds accesses
+ - scsi: ses: Fix possible desc_ptr out-of-bounds accesses
+ - scsi: ses: Fix slab-out-of-bounds in ses_intf_remove()
+ - [x86] PCI: Avoid FLR for AMD FCH AHCI adapters
+ - [x86] drm/radeon: Fix eDP for single-display iMac11,2
+ - wifi: ath9k: use proper statements in conditionals
+ - net/sched: Retire tcindex classifier (CVE-2023-1281, CVE-2023-1829)
+ - fs/jfs: fix shift exponent db_agl2size negative
+ - ubi: ensure that VID header offset + VID header size <= alloc, size
+ - ubifs: Rectify space budget for ubifs_symlink() if symlink is encrypted
+ - ubifs: Rectify space budget for ubifs_xrename()
+ - ubifs: Fix wrong dirty space budget for dirty inode
+ - ubifs: do_rename: Fix wrong space budget when target inode's nlink > 1
+ - ubifs: Reserve one leb for each journal head while doing budget
+ - ubi: Fix use-after-free when volume resizing failed
+ - ubi: Fix unreferenced object reported by kmemleak in ubi_resize_volume()
+ - ubi: Fix possible null-ptr-deref in ubi_free_volume()
+ - ubifs: Re-statistic cleaned znode count if commit failed
+ - ubifs: dirty_cow_znode: Fix memleak in error handling path
+ - ubifs: ubifs_writepage: Mark page dirty after writing inode failed
+ - ubi: Fix UAF wear-leveling entry in eraseblk_count_seq_show()
+ - ubi: ubi_wl_put_peb: Fix infinite loop when wear-leveling work failed
+ - [x86] watchdog: pcwd_usb: Fix attempting to access uninitialized memory
+ - netfilter: ctnetlink: fix possible refcount leak in
+ ctnetlink_create_conntrack()
+ - net: fix __dev_kfree_skb_any() vs drop monitor
+ - 9p/xen: fix version parsing
+ - 9p/xen: fix connection sequence
+ - 9p/rdma: unmap receive dma buffer in rdma_request()/post_recv()
+ - nfc: fix memory leak of se_io context in nfc_genl_se_io
+ - tcp: tcp_check_req() can be called from process context
+ - vc_screen: modify vcs_size() handling in vcs_read()
+ - [x86] scsi: ipr: Work around fortify-string warning
+ - tracing: Add NULL checks for buffer in ring_buffer_free_read_page()
+ - [x86] firmware/efi sysfb_efi: Add quirk for Lenovo IdeaPad Duet 3
+ - media: uvcvideo: Handle cameras with invalid descriptors
+ - media: uvcvideo: Handle errors from calls to usb_string
+ - media: uvcvideo: Silence memcpy() run-time false positive warnings
+ - tty: fix out-of-bounds access in tty_driver_lookup_tty()
+ - [x86] mei: bus-fixup:upon error print return values of send and receive
+ - USB: ene_usb6250: Allocate enough memory for full object
+ - [arm64] phy: rockchip-typec: Fix unsigned comparison with less than zero
+ - Bluetooth: hci_sock: purge socket queues in the destruct() callback
+ - tcp: Fix listen() regression in 4.19.270
+ - media: uvcvideo: Provide sync and async uvc_ctrl_status_event
+ - media: uvcvideo: Fix race condition with usb_kill_urb
+ - f2fs: fix cgroup writeback accounting with fs-layer encryption
+ - [x86] thermal: intel: powerclamp: Fix cur_state for multi package system
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.277
+ - wifi: cfg80211: Partial revert "wifi: cfg80211: Fix use after free for
+ wext"
+ - [x86] staging: rtl8192e: Remove function ..dm_check_ac_dc_power calling
+ a script
+ - [x86] staging: rtl8192e: Remove call_usermodehelper starting
+ RadioPower.sh
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.278
+ - fs: prevent out-of-bounds array speculation when closing a file
+ descriptor
+ - [x86] CPU/AMD: Disable XSAVES on AMD family 0x17
+ - ext4: fix RENAME_WHITEOUT handling for inline directories (regression in
+ 4.19.183)
+ - ext4: fix another off-by-one fsmap error on 1k block filesystems
+ - ext4: move where set the MAY_INLINE_DATA flag is set
+ - ext4: fix WARNING in ext4_update_inline_data
+ - ext4: zero i_disksize when initializing the bootloader inode
+ - nfc: change order inside nfc_se_io error path
+ - udf: reduce leakage of blocks related to named streams
+ - udf: Remove pointless union in udf_inode_info
+ - udf: Preserve link count of system files
+ - udf: Detect system inodes linked into directory hierarchy
+ - kbuild: fix false-positive need-builtin calculation
+ - kbuild: generate modules.order only in directories visited by obj-y/m
+ - scsi: core: Remove the /proc/scsi/${proc_name} directory earlier
+ - tipc: improve function tipc_wait_for_cond()
+ - [x86] drm/i915: Don't use BAR mappings for ring buffers with LLC
+ - ila: do not generate empty messages in ila_xlat_nl_cmd_get_mapping()
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.279
+ - ext4: fix cgroup writeback accounting with fs-layer encryption
+ - fs: sysfs_emit_at: Remove PAGE_SIZE alignment check (regression in
+ 4.19.179)
+ - tcp: tcp_make_synack() can be called from process context
+ - nfc: pn533: initialize struct pn533_out_arg properly
+ - qed/qed_dev: guard against a possible division by zero
+ - net: tunnels: annotate lockless accesses to dev->needed_headroom
+ - net: phy: smsc: bail out in lan87xx_read_status if genphy_read_status
+ fails
+ - nfc: st-nci: Fix use after free bug in ndlc_remove due to race condition
+ (CVE-2023-1990)
+ - net: usb: smsc75xx: Limit packet length to skb->len
+ - nvmet: avoid potential UAF in nvmet_req_complete()
+ - ipv4: Fix incorrect table ID in IOCTL path
+ - net: usb: smsc75xx: Move packet length check to prevent kernel panic in
+ skb_pull
+ - hwmon: (adt7475) Display smoothing attributes in correct order
+ - hwmon: (adt7475) Fix masking of hysteresis registers
+ - [arm64] hwmon: (xgene) Fix use after free bug in xgene_hwmon_remove due
+ to race condition (CVE-2023-1855)
+ - jffs2: correct logic when creating a hole in jffs2_write_begin
+ - ext4: fail ext4_iget if special inode unallocated
+ - ext4: fix task hung in ext4_xattr_delete_inode
+ - [amd64] drm/amdkfd: Fix an illegal memory access
+ - tracing: Check field value in hist_field_name()
+ - ftrace: Fix invalid address access in lookup_rec() when index is 0
+ - [x86] mm: Fix use of uninitialized buffer in sme_enable()
+ - [x86] drm/i915: Don't use stolen memory for ring buffers with LLC
+ - HID: core: Provide new max_buffer_size attribute to over-ride the default
+ - HID: uhid: Over-ride the default maximum data buffer value with our own
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.280
+ - power: supply: da9150: Fix use after free bug in da9150_charger_remove
+ due to race condition (CVE-2023-30772)
+ - i40evf: Change a VF mac without reloading the VF driver
+ - intel-ethernet: rename i40evf to iavf
+ - iavf: diet and reformat
+ - iavf: fix inverted Rx hash condition leading to disabled hash
+ - intel/igbvf: free irq on the error path in igbvf_request_msix()
+ - igbvf: Regard vf reset nack as success
+ - scsi: scsi_dh_alua: Fix memleak for 'qdata' in alua_activate()
+ - net: usb: smsc95xx: Limit packet length to skb->len
+ - qed/qed_sriov: guard against NULL derefs from qed_iov_get_vf_info
+ - [x86] xirc2ps_cs: Fix use after free bug in xirc2ps_detach
+ (CVE-2023-1670)
+ - [arm64] net: qcom/emac: Fix use after free bug in emac_remove due to race
+ condition
+ - bpf: Adjust insufficient default bpf_jit_limit
+ - net/mlx5: Read the TC mapping of all priorities on ETS query
+ - erspan: do not use skb_mac_header() in ndo_start_xmit()
+ - hvc/xen: prevent concurrent accesses to the shared ring
+ - [arm64] net: mdio: thunder: Add missing fwnode_handle_put()
+ - [arm64 ]Bluetooth: btqcomsmd: Fix command timeout after setting BD
+ address
+ - Bluetooth: btsdio: fix use after free bug in btsdio_remove due to
+ unfinished work (CVE-2023-1989)
+ - [x86] hwmon (it87): Fix voltage scaling for chips with 10.9mV ADCs
+ - uas: Add US_FL_NO_REPORT_OPCODES for JMicron JMS583Gen 2
+ - [x86] thunderbolt: Use const qualifier for `ring_interrupt_index`
+ - scsi: target: iscsi: Fix an error message in iscsi_check_key()
+ - scsi: ufs: core: Add soft dependency on governor_simpleondemand
+ - net: usb: cdc_mbim: avoid altsetting toggling for Telit FE990
+ - net: usb: qmi_wwan: add Telit 0x1080 composition
+ - cifs: empty interface list when server doesn't support query interfaces
+ - scsi: core: Add BLIST_SKIP_VPD_PAGES for SKhynix H28U74301AMR
+ - usb: gadget: u_audio: don't let userspace block driver unbind
+ - igb: revert rtnl_lock() that causes deadlock (regression in 4.19.256)
+ - dm thin: fix deadlock when swapping to thin device
+ - [arm*] usb: chipdea: core: fix return -EINVAL if request role is the same
+ with current role
+ - [arm*] usb: chipidea: core: fix possible concurrent when switch role
+ - nilfs2: fix kernel-infoleak in nilfs_ioctl_wrap_copy()
+ - [arm64] i2c: xgene-slimpro: Fix out-of-bounds bug in
+ xgene_slimpro_i2c_xfer() (CVE-2023-2194)
+ - dm stats: check for and propagate alloc_percpu failure
+ - dm crypt: add cond_resched() to dmcrypt_write()
+ - sched/fair: sanitize vruntime of entity being placed
+ - sched/fair: Sanitize vruntime of entity being migrated
+ - tun: avoid double free in tun_free_netdev (CVE-2022-4744)
+ - ocfs2: fix data corruption after failed write (regression in 4.19.155)
+ - md: avoid signed overflow in slot_store()
+ - [x86] ALSA: asihpi: check pao in control_message()
+ - ALSA: hda/ca0132: fixup buffer overrun at tuning_ctl_set()
+ - sched_getaffinity: don't assume 'cpumask_size()' is fully initialized
+ - [i386] fbdev: lxfb: Fix potential divide by zero
+ - scsi: megaraid_sas: Fix crash after a double completion
+ - can: bcm: bcm_tx_setup(): fix KMSAN uninit-value in vfs_write
+ - i40e: fix registers dump after run ethtool adapter self test
+ - [arm*] net: dsa: mv88e6xxx: Enable IGMP snooping on user ports only
+ - [arm*] net: mvneta: make tx buffer array agnostic
+ - [arm*] Input: alps - fix compatibility with -funsigned-char
+ - [arm*] Input: focaltech - use explicitly signed char type
+ - cifs: prevent infinite recursion in CIFSGetDFSRefer()
+ - cifs: fix DFS traversal oops without CONFIG_CIFS_DFS_UPCALL
+ - xen/netback: don't do grant copy across page boundary (regression in
+ 4.19.269)
+ - [x86] ALSA: hda/conexant: Partial revert of a quirk for Lenovo
+ (regression in 4.19.256)
+ - ALSA: usb-audio: Fix regression on detection of Roland VS-100
+ (regression in 4.19.164)
+ - [armhf] drm/etnaviv: fix reference leak when mmaping imported buffer
+ - ext4: fix kernel BUG in 'ext4_write_inline_data_end()'
+ - gfs2: Always check inode size of inline inodes
+ - net: sched: cbq: dont intepret cls results when asked to drop
+ (CVE-2023-23454)
+ - cgroup/cpuset: Change cpuset_rwsem and hotplug lock order
+ - cgroup: Fix threadgroup_rwsem <-> cpus_read_lock() deadlock (regression
+ in 4.19.232)
+ - cgroup: Add missing cpus_read_lock() to cgroup_attach_task_all()
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.281
+ - pinctrl: Added IRQF_SHARED flag for amd-pinctrl driver
+ - pinctrl: amd: Use irqchip template
+ - pinctrl: amd: disable and mask interrupts on probe
+ - NFSv4: Convert struct nfs4_state to use refcount_t
+ - NFSv4: Check the return value of update_open_stateid()
+ - NFSv4: Fix hangs when recovering open state after a server reboot
+ - [arm64] pwm: cros-ec: Explicitly set .polarity in .get_state()
+ - wifi: mac80211: fix invalid drv_sta_pre_rcu_remove calls for non-uploaded
+ sta
+ - icmp: guard against too small mtu
+ - net: don't let netpoll invoke NAPI if in xmit context
+ - sctp: check send stream number after wait_for_sndbuf
+ - ipv6: Fix an uninit variable access bug in __ip6_make_skb()
+ - USB: serial: cp210x: add Silicon Labs IFS-USB-DATACABLE IDs
+ - USB: serial: option: add Telit FE990 compositions
+ - USB: serial: option: add Quectel RM500U-CN modem
+ - nilfs2: fix potential UAF of struct nilfs_sc_info in
+ nilfs_segctor_thread()
+ - nilfs2: fix sysfs interface lifetime
+ - [x86] ALSA: hda/realtek: Add quirk for Clevo X370SNW
+ - perf/core: Fix the same task check in perf_event_set_output
+ - ftrace: Mark get_lock_parent_ip() __always_inline
+ - ring-buffer: Fix race while reader and writer are on the same page
+ - mm/swap: fix swap_info_struct race between swapoff and get_swap_pages()
+ - [x86] ALSA: emu10k1: fix capture interrupt handler unlinking
+ - [x86] ALSA: hda/sigmatel: add pin overrides for Intel DP45SG motherboard
+ - [x86] ALSA: i2c/cs8427: fix iec958 mixer control deactivation
+ - [x86] ALSA: hda/sigmatel: fix S/PDIF out on Intel D*45* motherboards
+ - Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp}
+ - Bluetooth: Fix race condition in hidp_session_thread
+ - mtdblock: tolerate corrected bit-flips
+ - 9p/xen : Fix use after free bug in xen_9pfs_front_remove due to race
+ condition (CVE-2023-1859)
+ - niu: Fix missing unwind goto in niu_alloc_channels()
+ - qlcnic: check pci_reset_function result
+ - sctp: fix a potential overflow in sctp_ifwdtsn_skip
+ - [arm64] net: macb: fix a memory corruption in extended buffer descriptor
+ mode
+ - udp6: fix potential access to stale information
+ - [arm64] power: supply: cros_usbpd: reclassify "default case!" as debug
+ - [x86] efi: sysfb_efi: Add quirk for Lenovo Yoga Book X91F/L
+ - [amd64] verify_pefile: relax wrapper length check
+ - scsi: ses: Handle enclosure with just a primary component gracefully
+ - [x86] PCI: Add quirk for AMD XHCI controller that loses MSI-X state in
+ D3hot
+ - ubi: Fix failure attaching when vid_hdr offset equals to (sub)page size
+ - ubi: Fix deadlock caused by recursively holding work_sem
+ - cgroup/cpuset: Wake up cpuset_attach_wq tasks in cpuset_cancel_attach()
+ - [arm64] watchdog: sbsa_wdog: Make sure the timeout programming is within
+ the limits
+ - [x86] KVM: nVMX: add missing consistency checks for CR0 and CR4
+ (CVE-2023-30456)
+ - [arm64] KVM: arm64: Factor out core register ID enumeration
+ - [arm64] KVM: arm64: Filter out invalid core register IDs in
+ KVM_GET_REG_LIST (regression in 4.19)
+ - [arm64] KVM: Fix system register enumeration
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.282
+ - net: sched: sch_qfq: prevent slab-out-of-bounds in qfq_activate_agg
+ - virtio_net: bugfix overflow inside xdp_linearize_page()
+ - i40e: fix accessing vsi->active_filters without holding lock
+ - i40e: fix i40e_setup_misc_vector() error handling
+ - mlxfw: fix null-ptr-deref in mlxfw_mfa2_tlv_next()
+ - e1000e: Disable TSO on i219-LM card to increase speed
+ - f2fs: Fix f2fs_truncate_partial_nodes ftrace event
+ - [x86] Input: i8042 - add quirk for Fujitsu Lifebook A574/H
+ - scsi: megaraid_sas: Fix fw_crash_buffer_show()
+ - scsi: core: Improve scsi_vpd_inquiry() checks
+ - xen/netback: use same error messages for same errors
+ - nilfs2: initialize unused bytes in segment summary blocks
+ - memstick: fix memory leak if card device is never registered
+ - [x86] purgatory: Don't generate debug info for purgatory.ro
+ - Revert "ext4: fix use-after-free in ext4_xattr_set_entry" (regression in
+ 4.19.256)
+ - ext4: remove duplicate definition of ext4_xattr_ibody_inline_set()
+ - ext4: fix use-after-free in ext4_xattr_set_entry
+ - udp: Call inet6_destroy_sock() in setsockopt(IPV6_ADDRFORM).
+ - tcp/udp: Call inet6_destroy_sock() in IPv6 sk->sk_destruct().
+ - inet6: Remove inet6_destroy_sock() in sk->sk_prot->destroy().
+ - dccp: Call inet6_destroy_sock() via sk->sk_destruct().
+ - sctp: Call inet6_destroy_sock() via sk->sk_destruct().
+
+ [ Ben Hutchings ]
+ * Bump ABI to 24
+ * [armhf] Disable LOCK_DOWN_KERNEL, LOCK_DOWN_IN_EFI_SECURE_BOOT, and
+ MODULE_SIG where we don't sign code (Closes: #825141)
+ * [rt] Update to 4.19.280-rt123:
+ - workqueue: Fix deadlock due to recursive locking of pool->lock
+ * [rt] netpoll: Fix netif_local_xmit_active() for 4.19-rt
+
+ -- Ben Hutchings <benh@debian.org> Sat, 29 Apr 2023 22:07:39 +0200
+
linux (4.19.269-1) buster-security; urgency=high
* New upstream stable update:
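Review bot: the architecture tag on the btqcomsmd entry under ChangeLog-4.19.280 is malformed. `[arm64 ]Bluetooth: btqcomsmd: Fix command timeout after setting BD address` has the space inside the bracket and none before the subject; it should start `[arm64] Bluetooth:` like every other tagged entry, so that searching the changelog by `[arm64] ` still finds it. Separately, "net/sched: Retire tcindex classifier (CVE-2023-1281, CVE-2023-1829)" retires a classifier rather than fixing it in place, and it is listed as one line among hundreds. Since this is an urgency=high security upload that also bumps the ABI to 24, consider calling that entry out more visibly for anyone who still has tcindex filters configured.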