Just released.
9.4.4-20180507
Updates in 2 source package(s), 4 binary package(s):
Source linux, binaries: linux-image-4.9.0-6-amd64:amd64 linux-image-4.9.0-6-arm64:arm64
linux (4.9.88-1) stretch-security; urgency=high
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.83
- ext4: fix a race in the ext4 shutdown path
- ext4: save error to disk in __ext4_grp_locked_error()
- console/dummy: leave .con_font_get set to NULL
- rtlwifi: rtl8821ae: Fix connection lost problem correctly
- target/iscsi: avoid NULL dereference in CHAP auth error path
- Btrfs: fix deadlock in run_delalloc_nocow
- Btrfs: fix crash due to not cleaning up tree log block's dirty bits
- Btrfs: fix extent state leak from tree log
- Btrfs: fix unexpected -EEXIST when creating new inode
- ALSA: seq: Fix racy pool initializations (CVE-2018-7566)
- ocfs2: try a blocking lock before return AOP_TRUNCATED_PAGE
- [s390] s390: fix handling of -1 in set{,fs}[gu]id16 syscalls
- [x86] x86/entry/64/compat: Clear registers for compat syscalls, to
reduce speculation attack surface (hardening for Spectre)
- [x86] x86/speculation: Update Speculation Control microcode blacklist
- [x86] x86/speculation: Correct Speculation Control microcode blacklist
again
- [x86] KVM/x86: Reduce retpoline performance impact in
slot_handle_level_range(), by always inlining iterator helper methods
- [x86] X86/nVMX: Properly set spec_ctrl and pred_cmd before merging MSRs
- vfs: don't do RCU lookup of empty pathnames
- media: r820t: fix r820t_write_reg for KASAN
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.84
- cfg80211: check dev_set_name() return value
- xfrm: skip policies marked as dead while rehashing
- mm,vmscan: Make unregister_shrinker() no-op if register_shrinker()
failed.
- xfrm: Fix stack-out-of-bounds read on socket policy lookup.
- xfrm: check id proto in validate_tmpl()
- sctp: set frag_point in sctp_setsockopt_maxseg correctly
- drm: Require __GFP_NOFAIL for the legacy drm_modeset_lock_all
- selinux: ensure the context is NUL terminated in
security_context_to_sid_core()
- [x86] KVM: x86: fix escape of guest dr6 to the host
- netfilter: x_tables: fix int overflow in xt_alloc_table_info()
- netfilter: x_tables: avoid out-of-bounds reads in
xt_request_find_{match|target}
- netfilter: ipt_CLUSTERIP: fix out-of-bounds accesses in
clusterip_tg_check()
- netfilter: on sockopt() acquire sock lock only in the required scope
- netfilter: xt_cgroup: initialize info->priv in cgroup_mt_check_v1()
- netfilter: xt_RATEEST: acquire xt_rateest_mutex for hash insert
- crypto: hash - prevent using keyed hashes without setting key
- [arm*] ARM: dts: Fix omap4 hang with GPS connected to USB by using
wakeupgen
- sctp: only update outstanding_bytes for transmitted queue when doing
prsctp_prune
- net_sched: red: Avoid devision by zero
- net_sched: red: Avoid illegal values
- btrfs: Fix possible off-by-one in btrfs_search_path_in_tree
- 509: fix printing uninitialized stack memory when OID is empty
- dmaengine: at_hdmac: fix potential NULL pointer dereference in
atc_prep_dma_interleaved
- clk: fix a panic error caused by accessing NULL pointer
- xfrm: Fix stack-out-of-bounds with misconfigured transport mode
policies.
- drm/armada: fix leak of crtc structure
- [x86] mm/early_ioremap: Fix boot hang with earlyprintk=efi,keep
- [x86] x86/mm/kmmio: Fix mmiotrace for page unaligned addresses
- hippi: Fix a Fix a possible sleep-in-atomic bug in rr_close
- [powerpc*] powerpc/64s: Fix conversion of slb_miss_common to use
RFI_TO_USER/KERNEL
- [powerpc*] powerpc/64s: Simple RFI macro conversions
- [powerpc*] powerpc/64s: Improve RFI L1-D cache flush fallback
- crypto: talitos - fix Kernel Oops on hashing an empty file
- ALSA: hda/ca0132 - fix possible NULL pointer use
- [x86] KVM: async_pf: Fix #DF due to inject "Page not Present" and "Page
Ready" exceptions simultaneously
- crypto: s5p-sss - Fix kernel Oops in AES-ECB mode
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.85
- netfilter: drop outermost socket lock in getsockopt()
- X.509: fix BUG_ON() when hash algorithm is unsupported
- PKCS#7: fix certificate chain verification
- RDMA/uverbs: Protect from command mask overflow
- iio: buffer: check if a buffer has been set up when poll is called
- iio: adis_lib: Initialize trigger before requesting interrupt
- irqchip/gic-v3: Use wmb() instead of smb_wmb() in gic_raise_softirq()
- ohci-hcd: Fix race condition caused by ohci_urb_enqueue() and
io_watchdog_func()
- usb: ohci: Proper handling of ed_rm_list to handle race condition
between usb_kill_urb() and finish_unlinks()
- [arm64] arm64: Disable unhandled signal log messages by default
- Revert "usb: musb: host: don't start next rx urb if current one failed"
- X.509: fix NULL dereference when restricting key with unsupported_sig
- mm: avoid spurious 'bad pmd' warning messages
- [x86] x86/entry/64: Clear extra registers beyond syscall arguments, to
reduce speculation attack surface
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.86
- i2c: designware: must wait for enable
- f2fs: fix a bug caused by NULL extent tree (CVE-2017-18193)
- mtd: nand: gpmi: Fix failure when a erased page has a bitflip at BBM
- mtd: nand: brcmnand: Zero bitflip is not an error
- [arm*] ARM: 8731/1: Fix csum_partial_copy_from_user() stack mismatch
- sget(): handle failures of register_shrinker()
- drm/nouveau/pci: do a msi rearm on init
- mac80211_hwsim: Fix a possible sleep-in-atomic bug in hwsim_get_radio_nl
- tipc: error path leak fixes in tipc_enable_bearer()
- tipc: fix tipc_mon_delete() oops in tipc_enable_bearer() error path
- tg3: Add workaround to restrict 5762 MRRS to 2048
- tg3: Enable PHY reset in MTU change path for 5720
- bnx2x: Improve reliability in case of nested PCI errors
- IB/mlx5: Fix mlx5_ib_alloc_mr error flow
- genirq: Guard handle_bad_irq log messages
- IB/mlx4: Fix mlx4_ib_alloc_mr error flow
- IB/ipoib: Fix race condition in neigh creation
- xfs: quota: fix missed destroy of qi_tree_lock
- xfs: quota: check result of register_shrinker()
- macvlan: Fix one possible double free
- e1000: fix disabling already-disabled warning
- drm/ttm: check the return value of kzalloc
- nl80211: Check for the required netlink attribute presence
- bnxt_en: Fix the 'Invalid VF' id check in bnxt_vf_ndo_prep routine.
- xen-netfront: enable device after manual module load
- mdio-sun4i: Fix a memory leak
- xen/gntdev: Fix off-by-one error when unmapping with holes
- xen/gntdev: Fix partial gntdev_mmap() cleanup
- sctp: make use of pre-calculated len
- net: gianfar_ptp: move set_fipers() to spinlock protecting area
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.87
- [x86] tpm: st33zp24: fix potential buffer overruns caused by bit
glitches on the bus
- [x86] tpm_i2c_infineon: fix potential buffer overruns caused by bit
glitches on the bus
- [x86] tpm_i2c_nuvoton: fix potential buffer overruns caused by bit
glitches on the bus
- [x86] tpm_tis: fix potential buffer overruns caused by bit glitches on
the bus
- [x86] tpm: constify transmit data pointers
- [x86] tpm-dev-common: Reject too short writes
- ALSA: usb-audio: Add a quirck for B&W PX headphones
- ALSA: hda: Add a power_save blacklist
- ALSA: hda - Fix pincfg at resume on Lenovo T470 dock
- timers: Forward timer base before migrating timers
- [hppa] parisc: Fix ordering of cache and TLB flushes
- dax: fix vma_is_fsdax() helper
- [x86] xen: Zero MSR_IA32_SPEC_CTRL before suspend
- [x86] platform/intel-mid: Handle Intel Edison reboot correctly
- media: m88ds3103: don't call a non-initalized function
- nospec: Allow index argument to have const-qualified type
- [armel,armhf] mvebu: Fix broken PL310_ERRATA_753970 selects
- KVM: mmu: Fix overlap between public and private memslots
- [x86] KVM: Remove indirect MSR op calls from SPEC_CTRL
- [x86] KVM/VMX: Optimize vmx_vcpu_run() and svm_vcpu_run() by marking the
RDMSR path as unlikely()
- PCI/ASPM: Deal with missing root ports in link state handling
- dm io: fix duplicate bio completion due to missing ref count
- [armhf] dts: LogicPD SOM-LV: Fix I2C1 pinmux
- [armhf] dts: LogicPD Torpedo: Fix I2C1 pinmux
- [x86] mm: Give each mm TLB flush generation a unique ID
- [x86] speculation: Use Indirect Branch Prediction Barrier in context
switch
- md: only allow remove_and_add_spares when no sync_thread running.
- netlink: put module reference if dump start fails
- [x86] apic/vector: Handle legacy irq data correctly
- bridge: check brport attr show in brport_show
- fib_semantics: Don't match route with mismatching tclassid
- hdlc_ppp: carrier detect ok, don't turn off negotiation
- ipv6 sit: work around bogus gcc-8 -Wrestrict warning
- net: fix race on decreasing number of TX queues
- net: ipv4: don't allow setting net.ipv4.route.min_pmtu below 68
- netlink: ensure to loop over all netns in genlmsg_multicast_allns()
- ppp: prevent unregistered channels from connecting to PPP units
- udplite: fix partial checksum initialization
- sctp: fix dst refcnt leak in sctp_v4_get_dst
- net: phy: fix phy_start to consider PHY_IGNORE_INTERRUPT
- tcp: Honor the eor bit in tcp_mtu_probe
- rxrpc: Fix send in rxrpc_send_data_packet()
- tcp_bbr: better deal with suboptimal GSO
- sctp: fix dst refcnt leak in sctp_v6_get_dst()
- [s390x] qeth: fix underestimated count of buffer elements
- [s390x] qeth: fix SETIP command handling
- [s390x] qeth: fix overestimated count of buffer elements
- [s390x] qeth: fix IP removal on offline cards
- [s390x] qeth: fix double-free on IP add/remove race
- [s390x] qeth: fix IP address lookup for L3 devices
- [s390x] qeth: fix IPA command submission race
- sctp: verify size of a new chunk in _sctp_make_chunk() (CVE-2018-5803)
- net: mpls: Pull common label check into helper
- mpls, nospec: Sanitize array index in mpls_label_ok()
- bpf: fix wrong exposure of map_flags into fdinfo for lpm
- bpf: fix mlock precharge on arraymaps
- bpf, x64: implement retpoline for tail call
- bpf, arm64: fix out of bounds access in tail call
- btrfs: preserve i_mode if __btrfs_set_acl() fails
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.88
- RDMA/ucma: Limit possible option size
- RDMA/ucma: Check that user doesn't overflow QP state
- RDMA/mlx5: Fix integer overflow while resizing CQ
- [x86] drm/i915: Try EDID bitbanging on HDMI after failed read
- scsi: qla2xxx: Fix NULL pointer crash due to active timer for ABTS
- [x86] drm/i915: Always call to intel_display_set_init_power() in
resume_early.
- workqueue: Allow retrieval of current task's work struct
- drm: Allow determining if current task is output poll worker
- drm/nouveau: Fix deadlock on runtime suspend
- drm/radeon: Fix deadlock on runtime suspend
- drm/amdgpu: Fix deadlock on runtime suspend
- drm/amdgpu: Notify sbios device ready before send request
- drm/radeon: fix KV harvesting
- drm/amdgpu: fix KV harvesting
- drm/amdgpu:Correct max uvd handles
- drm/amdgpu:Always save uvd vcpu_bo in VM Mode
- [mips*/octeon] irq: Check for null return on kzalloc allocation
- loop: Fix lost writes caused by missing flag
- virtio_ring: fix num_free handling in error case
- [s390x] KVM: fix memory overwrites when not using SCA entries
- kbuild: Handle builtin dtb file names containing hyphens
- IB/mlx5: Fix incorrect size of klms in the memory region
- bcache: fix crashes in duplicate cache device register
- bcache: don't attach backing with duplicate UUID
- [x86] MCE: Serialize sysfs changes (CVE-2018-7995)
- perf tools: Fix trigger class trigger_on()
- [x86] spectre_v2: Don't check microcode versions when running under
hypervisors
- ALSA: hda/realtek: Limit mic boost on T480
- ALSA: hda/realtek - Fix dock line-out volume on Dell Precision 7520
- ALSA: hda/realtek - Make dock sound work on ThinkPad L570
- ALSA: seq: Don't allow resizing pool in use
- ALSA: seq: More protection for concurrent write and ioctl races
- ALSA: hda: add dock and led support for HP EliteBook 820 G3
- ALSA: hda: add dock and led support for HP ProBook 640 G2
- nospec: Kill array_index_nospec_mask_check()
- nospec: Include <asm/barrier.h> dependency
- Revert "x86/retpoline: Simplify vmexit_fill_RSB()"
- [x86] speculation: Use IBRS if available before calling into firmware
- [x86] retpoline: Support retpoline builds with Clang
- [x86] speculation, objtool: Annotate indirect calls/jumps for objtool
- [x86] boot, objtool: Annotate indirect jump in secondary_startup_64()
- [x86] speculation: Move firmware_restrict_branch_speculation_*() from C
to CPP
- [x86] paravirt, objtool: Annotate indirect calls
- watchdog: hpwdt: SMBIOS check
- watchdog: hpwdt: Check source of NMI
- watchdog: hpwdt: fix unused variable warning
- watchdog: hpwdt: Remove legacy NMI sourcing.
- [armhf] omap2: hide omap3_save_secure_ram on non-OMAP3 builds
- Input: tca8418_keypad - remove double read of key event register
- tc358743: fix register i2c_rd/wr function fix
- netfilter: add back stackpointer size checks (CVE-2018-1065)
- netfilter: x_tables: fix missing timer initialization in xt_LED
- netfilter: nat: cope with negative port range
- netfilter: IDLETIMER: be syzkaller friendly
- netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets
(CVE-2018-1068)
- netfilter: bridge: ebt_among: add missing match size checks
- netfilter: ipv6: fix use-after-free Write in nf_nat_ipv6_manip_pkt
- netfilter: x_tables: pass xt_counters struct instead of packet counter
- netfilter: x_tables: pass xt_counters struct to counter allocator
- netfilter: x_tables: pack percpu counter allocations
- ext4: inplace xattr block update fails to deduplicate blocks
- ubi: Fix race condition between ubi volume creation and udev
- scsi: qla2xxx: Replace fcport alloc with qla2x00_alloc_fcport
- NFS: Fix an incorrect type in struct nfs_direct_req
- NFS: Fix unstable write completion
- [x86] module: Detect and skip invalid relocations
- [x86] Treat R_X86_64_PLT32 as R_X86_64_PC32
- serial: sh-sci: prevent lockup on full TTY buffers
- tty/serial: atmel: add new version check for usart
- uas: fix comparison for error code
- [x86] staging: comedi: fix comedi_nsamples_left.
- USB: storage: Add JMicron bridge 152d:2567 to unusual_devs.h
- usbip: vudc: fix null pointer dereference on udc->lock
- usb: quirks: add control message delay for 1b1c:1b20
- usb: usbmon: Read text within supplied buffer size
- usb: gadget: f_fs: Fix use-after-free in ffs_fs_kill_sb()
- serial: 8250_pci: Add Brainboxes UC-260 4 port serial device
- serial: core: mark port as initialized in autoconfig
- earlycon: add reg-offset to physical address before mapping
- PCI: dwc: Fix enumeration end when reaching root subordinate
[Yves-Alexis Perez]
* [powerpc*] drop RFI patches, now included upstream
[ Salvatore Bonaccorso ]
* [rt] Refresh 0001-timer-make-the-base-lock-raw.patch context
* [rt] Update to 4.9.84-rt62
* blkcg: fix double free of new_blkg in blkcg_init_queue (CVE-2018-7480)
* CIFS: Enable encryption during session setup phase (CVE-2018-1066)
* staging: ncpfs: memory corruption in ncp_read_kernel() (CVE-2018-8822)
* [arm64] net: hns: Fix a skb used after free bug (CVE-2017-18218)
* media: usbtv: prevent double free in error case (CVE-2017-17975)
* [arm64] net: hns: fix ethtool_get_strings overflow in hns driver
* [arm64] net: hns: Fix ethtool private flags (CVE-2017-18222)
* scsi: libsas: fix memory leak in sas_smp_get_phy_events() (CVE-2018-7757)
* ext4: add validity checks for bitmap block numbers (CVE-2018-1093)
* ext4: fix bitmap position validation
* ext4: fail ext4_iget for root directory if unallocated (CVE-2018-1092)
* random: fix crng_ready() test (CVE-2018-1108)
* random: set up the NUMA crng instances after the CRNG is fully initialized
* random: crng_reseed() should lock the crng instance that it is modifying
* random: fix possible sleeping allocation from irq context
* perf/hwbp: Simplify the perf-hwbp code, fix documentation
(CVE-2018-1000199)
[ Ben Hutchings ]
* [x86] Revert "x86/cpu: Rename cpu_data.x86_mask to cpu_data.x86_stepping"
to avoid an ABI change
* [x86] mm: Avoid ABI change for addition of ctx_id
* [x86] cpu: Avoid ABI change in 4.9.83
* crypto: hash: Avoid ABI change in 4.9.84
* fs: Avoid ABI change in 4.9.85
* [x86] nospec: Ignore ABI change for removal of __clear_rsb and __fill_rsb,
previously exported for use by KVM
* [x86] Ignore ABI change for cpu_tlbstate, apparently not used externally
* jbd2: Ignore ABI changes
* tpm_tis: Ignore ABI changes
* ocfs2: subsystem.su_mutex is required while accessing the item->ci_parent
(CVE-2017-18216)
* ocfs2: ip_alloc_sem should be taken in ocfs2_get_block() (CVE-2017-18224)
* f2fs: fix a panic caused by NULL flush_cmd_control (CVE-2017-18241)
* f2fs: fix a dead loop in f2fs_fiemap() (CVE-2017-18257)
* mm/hugetlb.c: don't call region_abort if region_chg fails
* hugetlbfs: fix offset overflow in hugetlbfs mmap
* hugetlbfs: check for pgoff value overflow (CVE-2018-7740)
* mac80211_hwsim: fix possible memory leak in hwsim_new_radio_nl()
(CVE-2018-8087)
* drm: udl: Properly check framebuffer mmap offsets (CVE-2018-8781)
* xfs: set format back to extents if xfs_bmap_extents_to_btree
(CVE-2018-10323)
* debian/lib/python/debian_linux/gencontrol.py: Allow uploads to *-security
with a simple revision
Source tzdata, binaries: tzdata:amd64 tzdata:arm64
tzdata (2018e-0+deb9u1) stretch; urgency=medium
[ Aurelien Jarno ]
* New upstream version, affecting the following future timestamp:
- North Korea switches back to +09 on 2018-05-05.
https://cloud.debian.org/images/openstack/current-9/
--
Steve McIntyre, Cambridge, UK. steve@einval.com
"I've only once written 'SQL is my bitch' in a comment. But that code
is in use on a military site..." -- Simon Booth