Bug#977615: marked as done (arm64: memory corruption bug)



Your message dated Tue, 02 Feb 2021 06:47:08 +0000
with message-id <E1l6pSu-000Cfm-BM@fasolo.debian.org>
and subject line Bug#977615: fixed in linux 4.19.171-1
has caused the Debian Bug report #977615,
regarding arm64: memory corruption bug
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
977615: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977615
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: src:linux
Version: 4.19.160-2
Severity: important
Tags: upstream fixed-upstream
Control: fixed -1 5.9.15-1
Control: fixed -1 5.10~rc7-1~exp1
Control: found -1 5.9.11-1

Opening a bug for visibility.  Arguably this could be Severity: grave given
that memory corruption can lead to data loss.  It has been fixed upstream in
4.19.161, 5.9.12, and 5.10.  I'm not sure about the status for 4.9/stretch
LTS.

There is a memory corruption bug impacting arm64.  The upstream fix was made
in 5.10 with commit ff1712f953e2 ("arm64: pgtable: Ensure dirty bit is
preserved across pte_wrprotect()").  The upstream commit [1] describes the
issue as:

        With hardware dirty bit management, calling pte_wrprotect() on a
        writable, dirty PTE will lose the dirty state and return a
        read-only, clean entry.

Impact from the issue has been observed in the real world on systems running
redis, as described at https://github.com/redis/redis/issues/8124 (note in
particular comments [2] and [3], where the kernel connection is made).

1. https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ff1712f953e27f0b0718762ec17d0adb15c9fd0b
2. https://github.com/redis/redis/issues/8124#issuecomment-745791340
3. https://github.com/redis/redis/issues/8124#issuecomment-745838911

--- End Message ---
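
The dirty-bit loss quoted in the report above, shown as an added example that is not part of the original message or of the kernel source: a simplified user-space C model of an arm64 PTE under hardware dirty bit management, with the write-protect step as the commit text describes it next to a version that saves the dirty state first. Assumptions: the bit positions follow arm64 conventions, the helper names mirror the kernel's but are re-implemented here, and `hw_store()` and `dirty_survives()` are hypothetical names for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed bit layout, modelled on arm64 stage-1 page table entries. */
#define PTE_RDONLY (UINT64_C(1) << 7)   /* AP[2]: set means read-only        */
#define PTE_DBM    (UINT64_C(1) << 51)  /* hardware dirty bit management     */
#define PTE_WRITE  PTE_DBM              /* "writable" is kept in the DBM bit */
#define PTE_DIRTY  (UINT64_C(1) << 55)  /* software dirty bit                */

typedef uint64_t pte_t;

static int pte_write(pte_t pte)    { return (pte & PTE_WRITE) != 0; }
static int pte_sw_dirty(pte_t pte) { return (pte & PTE_DIRTY) != 0; }

/* With DBM, hardware records "dirty" by clearing PTE_RDONLY on a writable
 * entry; no separate dirty bit is set by the MMU. */
static int pte_hw_dirty(pte_t pte)
{
    return pte_write(pte) && !(pte & PTE_RDONLY);
}

static int pte_dirty(pte_t pte)
{
    return pte_sw_dirty(pte) || pte_hw_dirty(pte);
}

/* Hypothetical helper: what the MMU does on the first store to a
 * writable, clean page. */
static pte_t hw_store(pte_t pte)
{
    if (pte_write(pte))
        pte &= ~PTE_RDONLY;
    return pte;
}

/* "Before" behaviour as described in the report: the only record of the
 * dirty state (PTE_WRITE set, PTE_RDONLY clear) is overwritten, so the
 * result is a read-only, clean entry. */
static pte_t pte_wrprotect_before(pte_t pte)
{
    pte &= ~PTE_WRITE;
    pte |= PTE_RDONLY;
    return pte;
}

/* "After" behaviour: move a hardware-dirty state into the software dirty
 * bit before removing write permission. */
static pte_t pte_wrprotect_after(pte_t pte)
{
    if (pte_hw_dirty(pte))
        pte |= PTE_DIRTY;
    pte &= ~PTE_WRITE;
    pte |= PTE_RDONLY;
    return pte;
}

/* Hypothetical helper: returns 1 if a page that was written through a
 * writable mapping is still reported dirty, and is read-only, after the
 * given write-protect routine has run. */
static int dirty_survives(pte_t (*wrprotect)(pte_t))
{
    pte_t pte = PTE_WRITE | PTE_RDONLY;  /* writable, clean (constructed) */

    pte = hw_store(pte);                 /* page becomes hardware-dirty   */
    pte = wrprotect(pte);
    return pte_dirty(pte) && !pte_write(pte);
}

int main(void)
{
    printf("before fix: dirty survives = %d\n",
           dirty_survives(pte_wrprotect_before));
    printf("after fix:  dirty survives = %d\n",
           dirty_survives(pte_wrprotect_after));
    return 0;
}
```
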
--- Begin Message ---
Source: linux
Source-Version: 4.19.171-1
Done: Salvatore Bonaccorso <carnil@debian.org>

We believe that the bug you reported is fixed in the latest version of
linux, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 977615@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated linux package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 29 Jan 2021 23:03:16 +0100
Source: linux
Architecture: source
Version: 4.19.171-1
Distribution: buster-security
Urgency: high
Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 970736 972345 977048 977615
Changes:
 linux (4.19.171-1) buster-security; urgency=high
 .
   * New upstream stable update:
     https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.161
     - perf event: Check ref_reloc_sym before using it
     - netfilter: clear skb->next in NF_HOOK_LIST() (CVE-2021-20177)
     - btrfs: don't access possibly stale fs_info data for printing duplicate
       device
     - btrfs: fix lockdep splat when reading qgroup config on mount
     - wireless: Use linux/stddef.h instead of stddef.h
     - [arm64] KVM: vgic-v3: Drop the reporting of GICR_TYPER.Last for
       userspace
     - [x86] KVM: handle !lapic_in_kernel case in kvm_cpu_*_extint
     - [x86] KVM: Fix split-irqchip vs interrupt injection window request
     - [arm64] pgtable: Fix pte_accessible()
     - [arm64] pgtable: Ensure dirty bit is preserved across pte_wrprotect()
       (Closes: #977615)
     - drm/atomic_helper: Stop modesets on unregistered connectors harder
     - ALSA: hda/hdmi: fix incorrect locking in hdmi_pcm_close
     - HID: cypress: Support Varmilo Keyboards' media hotkeys
     - HID: add support for Sega Saturn
     - Input: i8042 - allow insmod to succeed on devices without an i8042
       controller
     - HID: hid-sensor-hub: Fix issue with devices with no report ID
     - HID: add HID_QUIRK_INCREMENT_USAGE_ON_DUPLICATE for Gamevice devices
     - [x86] xen: don't unbind uninitialized lock_kicker_irq
     - HID: Add Logitech Dinovo Edge battery quirk
     - proc: don't allow async path resolution of /proc/self components
     - nvme: free sq/cq dbbuf pointers when dbbuf set fails
     - [arm64,armhf] dmaengine: pl330: _prep_dma_memcpy: Fix wrong burst size
     - scsi: libiscsi: Fix NOP race condition
     - scsi: target: iscsi: Fix cmd abort fabric stop race
     - [x86] perf/x86: fix sysfs type mismatches
     - [arm64,armhf] phy: tegra: xusb: Fix dangling pointer on probe failure
     - scsi: ufs: Fix race between shutdown and runtime resume flow
     - bnxt_en: fix error return code in bnxt_init_one()
     - bnxt_en: fix error return code in bnxt_init_board()
     - [x86] video: hyperv_fb: Fix the cache type when mapping the VRAM
     - bnxt_en: Release PCI regions when DMA mask setup fails during probe.
     - cxgb4: fix the panic caused by non smac rewrite
     - [s390x] qeth: fix tear down of async TX buffers
     - IB/mthca: fix return value of error branch in mthca_init_cq()
     - net: ena: set initial DMA width to avoid intel iommu issue
     - [arm64] optee: add writeback to valid memory type
     - [arm64,armhf,x86] efivarfs: revert "fix memory leak in
       efivarfs_create()" (Closes: #977048)
     - can: gs_usb: fix endianess problem with candleLight firmware
     - [x86] platform/x86: thinkpad_acpi: Send tablet mode switch at wakeup
       time
     - [x86] platform/x86: toshiba_acpi: Fix the wrong variable assignment
     - USB: core: Change %pK for __user pointers to %px
     - usb: gadget: f_midi: Fix memleak in f_midi_alloc
     - USB: quirks: Add USB_QUIRK_DISCONNECT_SUSPEND quirk for Lenovo A630Z TIO
       built-in usb-audio card
     - usb: gadget: Fix memleak in gadgetfs_fill_super
     - [x86] speculation: Fix prctl() when spectre_v2_user={seccomp,prctl},ibpb
     - USB: core: Fix regression in Hercules audio card
     https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.162
     - ipv6: addrlabel: fix possible memory leak in ip6addrlbl_net_init
     - [s390x] net/af_iucv: set correct sk_protocol for child sockets
     - rose: Fix Null pointer dereference in rose_send_frame()
     - sock: set sk_err to ee_errno on dequeue from errq
     - tcp: Set INET_ECN_xmit configuration in tcp_reinit_congestion_control
     - tun: honor IOCB_NOWAIT flag
     - i40e: Fix removing driver while bare-metal VFs pass traffic
     - bonding: wait for sysfs kobject destruction before freeing struct slave
     - netfilter: bridge: reset skb->pkt_type after NF_INET_POST_ROUTING
       traversal
     - ipv4: Fix tos mask in inet_rtm_getroute()
     - geneve: pull IP header before ECN decapsulation
     - net: ip6_gre: set dev->hard_header_len when using header_ops
     - cxgb3: fix error return code in t3_sge_alloc_qset()
     - [arm64,armhf] net: mvpp2: Fix error return code in mvpp2_open()
     - net/mlx5: Fix wrong address reclaim when command interface is down
     - dt-bindings: net: correct interrupt flags in examples
     - ALSA: usb-audio: US16x08: fix value count for level meters
     - Input: xpad - support Ardwiino Controllers
     - Input: i8042 - add ByteSpeed touchpad to noloop table
     - tracing: Remove WARN_ON in start_thread()
     - RDMA/i40iw: Address an mmap handler exploit in i40iw
     https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.163
     - [x86] pinctrl: baytrail: Replace WARN with dev_info_once when setting
       direct-irq pin to output
     - [x86] pinctrl: baytrail: Fix pin being driven low for a while on
       gpiod_get(..., GPIOD_OUT_HIGH)
     - usb: gadget: f_fs: Use local copy of descriptors for userspace copy
     - USB: serial: kl5kusb105: fix memleak on open
     - USB: serial: ch341: add new Product ID for CH341A
     - USB: serial: ch341: sort device-id entries
     - USB: serial: option: add Fibocom NL668 variants
     - USB: serial: option: add support for Thales Cinterion EXS82
     - USB: serial: option: fix Quectel BG96 matching
     - tty: Fix ->pgrp locking in tiocspgrp() (CVE-2020-29661)
     - tty: Fix ->session locking (CVE-2020-29660)
     - ALSA: hda/realtek: Add mute LED quirk to yet another HP x360 model
     - ALSA: hda/realtek: Enable headset of ASUS UX482EG & B9400CEA with ALC294
     - ALSA: hda/realtek - Add new codec supported for ALC897
     - ALSA: hda/generic: Add option to enforce preferred_dacs pairs
     - ftrace: Fix updating FTRACE_FL_TRAMP
     - cifs: fix potential use-after-free in cifs_echo_request()
     - [armhf] i2c: imx: Don't generate STOP condition if arbitration has been
       lost
     - scsi: mpt3sas: Fix ioctl timeout
     - dm writecache: fix the maximum number of arguments
     - dm: remove invalid sparse __acquires and __releases annotations
     - mm: list_lru: set shrinker map bit when child nr_items is not zero
     - mm/swapfile: do not sleep with a spin lock held
     - [x86] uprobes: Do not use prefixes.nbytes when looping over
       prefixes.bytes
     - [armhf] i2c: imx: Fix reset of I2SR_IAL flag
     - [armhf] i2c: imx: Check for I2SR_IAL after every byte
     - speakup: Reject setting the speakup line discipline outside of speakup
       (CVE-2020-27830)
     - [amd64] iommu/amd: Set DTE[IntTabLen] to represent 512 IRTEs
     - spi: Introduce device-managed SPI controller allocation
     - [arm*] spi: bcm2835: Fix use-after-free on unbind
     - [arm*] spi: bcm2835: Release the DMA channel if probe fails after
       dma_init
     - tracing: Fix userstacktrace option for instances
     - gfs2: check for empty rgrp tree in gfs2_ri_update
     - [arm64] i2c: qup: Fix error return code in qup_i2c_bam_schedule_desc()
     - dm writecache: remove BUG() and fail gracefully instead
     - Input: i8042 - fix error return code in i8042_setup_aux()
     - netfilter: nf_tables: avoid false-postive lockdep splat
     - [x86] insn-eval: Use new for_each_insn_prefix() macro to loop over
       prefixes bytes
     - Revert "geneve: pull IP header before ECN decapsulation"
     https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.164
     - [x86] lib: Change .weak to SYM_FUNC_START_WEAK for
       arch/x86/lib/mem*_64.S
     - [arm*] spi: bcm2835aux: Fix use-after-free on unbind
     - [arm*] spi: bcm2835aux: Restore err assignment in bcm2835aux_spi_probe
     - iwlwifi: pcie: limit memory read spin time
     - iwlwifi: mvm: fix kernel panic in case of assert during CSA
     - scsi: ufs: Make sure clk scaling happens only when HBA is runtime ACTIVE
     - [arm64,armhf] irqchip/gic-v3-its: Unconditionally save/restore the ITS
       state on suspend
     - [x86] platform/x86: thinkpad_acpi: Do not report SW_TABLET_MODE on Yoga
       11e
     - [x86] platform/x86: thinkpad_acpi: Add BAT1 is primary battery quirk for
       Thinkpad Yoga 11e 4th gen
     - [x86] platform/x86: acer-wmi: add automatic keyboard background light
       toggle key as KEY_LIGHTS_TOGGLE
     - [x86] platform/x86: intel-vbtn: Support for tablet mode on HP Pavilion
       13 x360 PC
     - Input: cm109 - do not stomp on control URB
     - Input: i8042 - add Acer laptops to the i8042 reset list
     - pinctrl: amd: remove debounce filter setting in IRQ type setting
     - mmc: block: Fixup condition for CMD13 polling for RPMB requests
     - kbuild: avoid static_assert for genksyms
     - scsi: be2iscsi: Revert "Fix a theoretical leak in beiscsi_create_eqs()"
     - [x86] membarrier: Get rid of a dubious optimization
     - [x86] apic/vector: Fix ordering in vector assignment
     - [arm64] PCI: qcom: Add missing reset for ipq806x
     - mac80211: mesh: fix mesh_pathtbl_init() error path
     - [arm64,armhf] net: stmmac: free tx skb buffer in stmmac_resume()
     - tcp: select sane initial rcvq_space.space for big MSS
     - tcp: fix cwnd-limited bug for TSO deferral where we send nothing
     - net/mlx4_en: Avoid scheduling restart task if it is already running
     - lan743x: fix for potential NULL pointer dereference with bare card
     - net/mlx4_en: Handle TX error CQE
     - [arm64,armhf] net: stmmac: delete the eee_ctrl_timer after napi disabled
     - [arm64,armhf] net: stmmac: dwmac-meson8b: fix mask definition of the
       m250_sel mux
     - net: bridge: vlan: fix error return code in __vlan_add()
     - USB: add RESET_RESUME quirk for Snapscan 1212
     - ALSA: usb-audio: Fix potential out-of-bounds shift
     - ALSA: usb-audio: Fix control 'access overflow' errors from chmap
     - xhci: Give USB2 ports time to enter U3 in bus suspend
     - USB: UAS: introduce a quirk to set no_write_same
     - ALSA: pcm: oss: Fix potential out-of-bounds shift
     - [x86] drm/xen-front: Fix misused IS_ERR_OR_NULL checks
     - drm: fix drm_dp_mst_port refcount leaks in drm_dp_mst_allocate_vcpi
     - [x86] pinctrl: baytrail: Avoid clearing debounce value when turning it
       off
     - [arm*] gpio: mvebu: fix potential user-after-free on probe
     - scsi: bnx2i: Requires MMU
     - xsk: Fix xsk_poll()'s return type
     - can: softing: softing_netdev_open(): fix error handling
     - block: factor out requeue handling from dispatch code
     - netfilter: x_tables: Switch synchronization to RCU
     - RDMA/cm: Fix an attempt to use non-valid pointer when cleaning timewait
     - ixgbe: avoid premature Rx buffer reuse
     - [arm64,armhf] drm/tegra: replace idr_init() by idr_init_base()
     - kernel/cpu: add arch override for clear_tasks_mm_cpumask() mm handling
     - [arm64,armhf] drm/tegra: sor: Disable clocks on error in
       tegra_sor_init()
     - [arm64] syscall: exit userspace before unmasking exceptions
     - vxlan: Add needed_headroom for lower device
     - vxlan: Copy needed_tailroom from lowerdev
     - scsi: mpt3sas: Increase IOCInit request timeout to 30s
     - dm table: Remove BUG_ON(in_interrupt())
     - [arm64] soc/tegra: fuse: Fix index bug in get_process_id
     - USB: serial: option: add interface-number sanity check to flag handling
     - USB: gadget: f_acm: add support for SuperSpeed Plus
     - USB: gadget: f_midi: setup SuperSpeed Plus descriptors
     - usb: gadget: f_fs: Re-use SS descriptors for SuperSpeedPlus
     - USB: gadget: f_rndis: fix bitrate for SuperSpeed and above
     - [arm64,armhf] usb: chipidea: ci_hdrc_imx: Pass DISABLE_DEVICE_STREAMING
       flag to imx6ul
     - [armhf] dts: exynos: fix roles of USB 3.0 ports on Odroid XU
     - [armhf] dts: exynos: fix USB 3.0 pins supply being turned off on Odroid
       XU
     - scsi: megaraid_sas: Check user-provided offsets
     - HID: i2c-hid: add Vero K147 to descriptor override
     - serial_core: Check for port state when tty is in error state
     - Bluetooth: Fix slab-out-of-bounds read in hci_le_direct_adv_report_evt()
     - quota: Sanity-check quota file headers on load
     - media: msi2500: assign SPI bus number dynamically
     - crypto: af_alg - avoid undefined behavior accessing salg_name
     - md: fix a warning caused by a race between concurrent md_ioctl()s
     - perf cs-etm: Change tuple from traceID-CPU# to traceID-metadata
     - perf cs-etm: Move definition of 'traceid_list' global variable from
       header file
     - [x86] drm/gma500: fix double free of gma_connector
     - selinux: fix error initialization in inode_doinit_with_dentry()
     - RDMA/rxe: Compute PSN windows correctly
     - [x86] mm/ident_map: Check for errors from ident_pud_init()
     - [armel,armhf] p2v: fix handling of LPAE translation in BE mode
     - [x86] apic: Fix x2apic enablement without interrupt remapping
     - sched/deadline: Fix sched_dl_global_validate()
     - sched: Reenable interrupts in do_sched_yield()
     - [arm64] crypto: inside-secure - Fix sizeof() mismatch
     - [powerpc*] 64: Set up a kernel stack for secondaries before
       cpu_restore()
     - [arm64] drm/msm/dsi_pll_10nm: restore VCO rate during restore_state
     - ASoC: pcm: DRAIN support reactivation
     - selinux: fix inode_doinit_with_dentry() LABEL_INVALID error handling
     - Bluetooth: Fix null pointer dereference in hci_event_packet()
     - Bluetooth: hci_h5: fix memory leak in h5_close
     - [armhf] spi: spi-ti-qspi: fix reference leak in ti_qspi_setup
     - [arm64] spi: tegra20-slink: fix reference leak in slink ops of tegra20
     - [arm64,armhf] spi: tegra20-sflash: fix reference leak in
       tegra_sflash_resume
     - [arm64,armhf] spi: tegra114: fix reference leak in tegra spi ops
     - mwifiex: fix mwifiex_shutdown_sw() causing sw reset failure
     - RDMa/mthca: Work around -Wenum-conversion warning
     - [x86] crypto: qat - fix status check in qat_hal_put_rel_rd_xfer()
     - [x86] media: tm6000: Fix sizeof() mismatches
     - scsi: core: Fix VPD LUN ID designator priorities
     - media: solo6x10: fix missing snd_card_free in error handling case
     - [armhf] drm/omap: dmm_tiler: fix return error code in omap_dmm_probe()
     - Input: ads7846 - fix race that causes missing releases
     - Input: ads7846 - fix integer overflow on Rt calculation
     - Input: ads7846 - fix unaligned access on 7845
     - spi: fix resource leak for drivers without .remove callback
     - [armhf] Input: omap4-keypad - fix runtime PM error handling
     - RDMA/cxgb4: Validate the number of CQEs
     - memstick: fix a double-free bug in memstick_check
     - orinoco: Move context allocation after processing the skb
     - [arm64] dmaengine: mv_xor_v2: Fix error return code in mv_xor_v2_probe()
     - media: siano: fix memory leak of debugfs members in smsdvb_hotplug
     - [armhf] HSI: omap_ssi: Don't jump to free ID in ssi_add_controller()
     - [arm64] dts: rockchip: Set dr_mode to "host" for OTG on rk3328-roc-cc
     - [x86] power: supply: bq24190_charger: fix reference leak
     - genirq/irqdomain: Don't try to free an interrupt that has no mapping
     - PCI: Bounds-check command-line resource alignment requests
     - PCI: Fix overflow in command-line resource alignment requests
     - [arm64] dts: meson: fix spi-max-frequency on Khadas VIM2
     - [x86] platform/x86: dell-smbios-base: Fix error return code in
       dell_smbios_init
     - ath10k: Fix the parsing error in service available event
     - ath10k: Fix an error handling path
     - ath10k: Release some resources in an error handling path
     - NFSv4.2: condition READDIR's mask for security label based on LSM state
     - SUNRPC: xprt_load_transport() needs to support the netid "rdma6"
     - lockd: don't use interval-based rebinding over TCP
     - NFS: switch nfsiod to be an UNBOUND workqueue.
     - vfio-pci: Use io_remap_pfn_range() for PCI IO memory
     - media: saa7146: fix array overflow in vidioc_s_audio()
     - memstick: r592: Fix error return in r592_probe()
     - net/mlx5: Properly convey driver version to firmware
     - dm ioctl: fix error return code in target_message
     - [arm64,armhf] clocksource/drivers/arm_arch_timer: Correct fault
       programming of CNTKCTL_EL1.EVNTI
     - [armhf] cpufreq: highbank: Add missing MODULE_DEVICE_TABLE
     - scsi: qedi: Fix missing destroy_workqueue() on error in __qedi_probe
     - scsi: pm80xx: Fix error return in pm8001_pci_probe()
     - seq_buf: Avoid type mismatch for seq_buf_init
     - [x86] scsi: fnic: Fix error return code in fnic_probe()
     - [powerpc*] pseries/hibernation: drop pseries_suspend_begin() from
       suspend ops
     - [powerpc*] pseries/hibernation: remove redundant cacheinfo update
     - [armhf] usb: ehci-omap: Fix PM disable depth umbalance in
       ehci_hcd_omap_probe
     - speakup: fix uninitialized flush_lock
     - nfsd: Fix message level for normal termination
     - nfs_common: need lock during iterate through the list
     - [x86] kprobes: Restore BTF if the single-stepping is cancelled
     - [arm64,armhf] clk: tegra: Fix duplicated SE clock entry
     - mac80211: don't set set TDLS STA bandwidth wider than possible
     - watchdog: Fix potential dereferencing of null pointer
     - [armhf] net: allwinner: Fix some resources leak in the error handling
       path of the probe and in the remove function
     - [arm64,x86] libnvdimm/label: Return -ENXIO for no slot in
       __blk_label_update
     - [arm64] watchdog: qcom: Avoid context switch in restart handler
     - [armhf] clk: ti: Fix memleak in ti_fapll_synth_setup
     - qlcnic: Fix error code in probe
     - [armhf] clk: s2mps11: Fix a resource leak in error handling paths in the
       probe function
     - [arm64,armhf] clk: sunxi-ng: Make sure divider tables have sentinel
     - [armhf] sunxi: Add machine match for the Allwinner V3 SoC
     - cfg80211: initialize rekey_data
     - lwt: Disable BH too in run_lwt_bpf()
     - [arm64,armhf] Input: cros_ec_keyb - send 'scancodes' in addition to key
       events
     - Input: goodix - add upside-down quirk for Teclast X98 Pro tablet
     - media: gspca: Fix memory leak in probe
     - [armhf] media: sunxi-cir: ensure IR is handled when it is continuous
     - media: netup_unidvb: Don't leak SPI master in probe error path
     - [x86] Input: cyapa_gen6 - fix out-of-bounds stack access
     - ALSA: hda/ca0132 - Change Input Source enum strings.
     - PM: ACPI: PCI: Drop acpi_pm_set_bridge_wakeup()
     - Revert "ACPI / resources: Use AE_CTRL_TERMINATE to terminate resources
       walks"
     - ACPI: PNP: compare the string length in the matching_id()
     - ALSA: hda: Fix regressions on clear and reconfig sysfs
     - ALSA: hda/realtek - Enable headset mic of ASUS X430UN with ALC256
     - ALSA: hda/realtek - Enable headset mic of ASUS Q524UQK with ALC255
     - ALSA: pcm: oss: Fix a few more UBSAN fixes
     - ALSA: hda/realtek: Add quirk for MSI-GP73
     - ALSA: hda/realtek: Apply jack fixup for Quanta NL3
     - ALSA: usb-audio: Add VID to support native DSD reproduction on FiiO
       devices
     - ALSA: usb-audio: Disable sample read check if firmware doesn't give back
     - [s390x] smp: perform initial CPU reset also for SMT siblings
     - [s390x] dasd: fix hanging device offline processing
     - [s390x] dasd: prevent inconsistent LCU device data
     - [s390x] dasd: fix list corruption of pavgroup group list
     - [s390x] dasd: fix list corruption of lcu list
     - [x86] staging: comedi: mf6x4: Fix AI end-of-conversion detection
     - [powerpc*] perf: Exclude kernel samples while counting events in user
       space.
     - crypto: ecdh - avoid unaligned accesses in ecdh_set_secret()
     - [x86] EDAC/amd64: Fix PCI component registration
     - USB: serial: mos7720: fix parallel-port state restore
     - USB: serial: digi_acceleport: fix write-wakeup deadlocks
     - USB: serial: keyspan_pda: fix dropped unthrottle interrupts
     - USB: serial: keyspan_pda: fix write deadlock
     - USB: serial: keyspan_pda: fix stalled writes
     - USB: serial: keyspan_pda: fix write-wakeup use-after-free
     - USB: serial: keyspan_pda: fix tx-unthrottle use-after-free
     - USB: serial: keyspan_pda: fix write unthrottling
     - ext4: fix a memory leak of ext4_free_data
     - ext4: fix deadlock with fs freezing and EA inodes
     - [arm64] KVM: Introduce handling of AArch32 TTBCR2 traps
     - [armhf] dts: pandaboard: fix pinmux for gpio user button of Pandaboard
       ES
     - [powerpc*] Fix incorrect stw{, ux, u, x} instructions in __set_pte_at
     - [powerpc*] rtas: Fix typo of ibm,open-errinjct in RTAS filter
     - [powerpc*] xmon: Change printk() to pr_cont()
     - ceph: fix race in concurrent __ceph_remove_cap invocations
     - SMB3: avoid confusing warning message on mount to Azure
     - SMB3.1.1: do not log warning message if server doesn't populate salt
     - ubifs: wbuf: Don't leak kernel memory to flash
     - jffs2: Fix GC exit abnormally
     - jfs: Fix array index bounds check in dbAdjTree (CVE-2020-27815)
     - drm/dp_aux_dev: check aux_dev before use in
       drm_dp_aux_dev_get_by_minor()
     - [armel] mtd: parser: cmdline: Fix parsing of part-names with colons
     - scsi: lpfc: Fix invalid sleeping context in lpfc_sli4_nvmet_alloc()
     - scsi: lpfc: Re-fix use after free in lpfc_rq_buf_free()
     - iio: buffer: Fix demux update
     - [arm64,armhf] iio: adc: rockchip_saradc: fix missing
       clk_disable_unprepare() on error in rockchip_saradc_resume
     - md/cluster: block reshape with remote resync job
     - md/cluster: fix deadlock when node is doing resync job
     - [arm64,armhf] pinctrl: sunxi: Always call chained_irq_{enter, exit} in
       sunxi_pinctrl_irq_handler
     - [arm64] clk: mvebu: a3700: fix the XTAL MODE pin to MPP1_9
     - xen-blkback: set ring->xenblkd to NULL after kthread_stop()
       (CVE-2020-29569)
     - xen/xenbus: Allow watches discard events before queueing
       (CVE-2020-29568)
     - xen/xenbus: Add 'will_handle' callback support in xenbus_watch_path()
       (CVE-2020-29568)
     - xen/xenbus/xen_bus_type: Support will_handle watch callback
       (CVE-2020-29568)
     - xen/xenbus: Count pending messages for each watch (CVE-2020-29568)
     - xenbus/xenbus_backend: Disallow pending watch messages (CVE-2020-29568)
     - libnvdimm/namespace: Fix reaping of invalidated block-window-namespace
       labels
     - [x86] platform/x86: intel-vbtn: Allow switch events on Acer Switch Alpha
       12
     - PCI: Fix pci_slot_release() NULL pointer dereference
     https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.165
     - md/raid10: initialize r10_bio->read_slot before use.
     - fscrypt: add fscrypt_is_nokey_name()
     - ext4: prevent creating duplicate encrypted filenames
     - f2fs: prevent creating duplicate encrypted filenames
     - ubifs: prevent creating duplicate encrypted filenames
     - vfio/pci: Move dummy_resources_list init in vfio_pci_probe()
     - ext4: don't remount read-only with errors=continue on reboot
     - uapi: move constants from <linux/kernel.h> to <linux/const.h>
     - [x86] KVM: SVM: relax conditions for allowing MSR_IA32_SPEC_CTRL
       accesses
     - [x86] KVM: reinstate vendor-agnostic check on SPEC_CTRL cpuid bits
     - [powerpc*] bitops: Fix possible undefined behaviour with fls() and
       fls64()
     - xen/gntdev.c: Mark pages as dirty
     - null_blk: Fix zone size initialization
     - of: fix linker-section match-table corruption
     - Bluetooth: hci_h5: close serdev device and free hu in h5_close
     - reiserfs: add check for an invalid ih_entry_count
     - [x86] misc: vmw_vmci: fix kernel info-leak by initializing dbells in
       vmci_ctx_get_chkpt_doorbells()
     - media: gp8psk: initialize stats at power control logic
     - ALSA: seq: Use bool for snd_seq_queue internal flags
     - ALSA: rawmidi: Access runtime->avail always in spinlock
     - fcntl: Fix potential deadlock in send_sig{io, urg}()
     - [arm64,armhf] rtc: sun6i: Fix memleak in sun6i_rtc_clk_init
     - module: set MODULE_STATE_GOING state when a module fails to load
     - quota: Don't overflow quota file offsets
     - NFSv4: Fix a pNFS layout related use-after-free race when freeing the
       inode
     - module: delay kobject uevent until after module init call
     - ALSA: pcm: Clear the full allocated memory at hw_params
     - dm verity: skip verity work if I/O error when system is shutting down
     https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.166
     - kdev_t: always inline major/minor helper functions
     - mwifiex: Fix possible buffer overflows in
       mwifiex_cmd_802_11_ad_hoc_start (CVE-2020-36158)
     https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.167
     - workqueue: Kick a worker based on the actual activation of delayed works
     - scsi: ufs: Fix wrong print message in dev_err()
     - scsi: ufs-pci: Ensure UFS device is in PowerDown mode for
       suspend-to-disk ->poweroff()
     - scsi: scsi_transport_spi: Set RQF_PM for domain validation commands
     - lib/genalloc: fix the overflow when size is too big
     - proc: change ->nlink under proc_subdir_lock
     - proc: fix lookup in /proc/net subdirectories after setns(2)
     - i40e: Fix Error I40E_AQ_RC_EINVAL when removing VFs
     - [arm64,armhf] net: mvpp2: Add TCAM entry to drop flow control pause
       frames
     - [arm64,armhf] net: mvpp2: prs: fix PPPoE with ipv6 packet parse
     - atm: idt77252: call pci_disable_device() on error path
     - [arm64,armhf] net: mvpp2: Fix GoP port 3 Networking Complex Control
       configurations
     - qede: fix offload for IPIP tunnel packets
     - virtio_net: Fix recursive call to cpus_read_lock()
     - net-sysfs: take the rtnl lock when storing xps_cpus
     - net-sysfs: take the rtnl lock when accessing xps_cpus_map and num_tc
     - tun: fix return value when the number of iovs exceeds MAX_SKB_FRAGS
     - ipv4: Ignore ECN bits for fib lookups in fib_compute_spec_dst()
     - [arm64] net: hns: fix return value check in __lb_other_process()
     - erspan: fix version 1 check in gre_parse_header()
     - net: hdlc_ppp: Fix issues when mod_timer is called while timer is
       running
     - CDC-NCM: remove "connected" log message
     - net: usb: qmi_wwan: add Quectel EM160R-GL
     - r8169: work around power-saving bug on some chip versions
     - vhost_net: fix ubuf refcount incorrectly when sendmsg fails
     - net: sched: prevent invalid Scell_log shift count
     - net-sysfs: take the rtnl lock when storing xps_rxqs
     - net-sysfs: take the rtnl lock when accessing xps_rxqs_map and num_tc
     - Bluetooth: revert: hci_h5: close serdev device and free hu in h5_close
     - [x86] video: hyperv_fb: Fix the mmap() regression for v5.4.y and older
     - crypto: ecdh - avoid buffer overflow in ecdh_set_secret()
     - usb: gadget: enable super speed plus
     - USB: cdc-acm: blacklist another IR Droid device
     - USB: cdc-wdm: Fix use after free in service_outstanding_interrupt().
     - [arm64] usb: dwc3: ulpi: Use VStsDone to detect PHY regs access
       completion
     - [arm64,armhf] usb: chipidea: ci_hdrc_imx: add missing put_device() call
       in usbmisc_get_init_data()
     - USB: xhci: fix U1/U2 handling for hardware with XHCI_INTEL_HOST quirk
       set
     - usb: usbip: vhci_hcd: protect shift size
     - USB: serial: iuu_phoenix: fix DMA from stack
     - USB: serial: option: add LongSung M5710 module support
     - USB: serial: option: add Quectel EM160R-GL
     - USB: yurex: fix control-URB timeout handling
     - USB: usblp: fix DMA to stack
     - ALSA: usb-audio: Fix UBSAN warnings for MIDI jacks
     - usb: gadget: f_uac2: reset wMaxPacketSize
     - usb: gadget: function: printer: Fix a memory leak for interface
       descriptor
     - usb: gadget: u_ether: Fix MTU size mismatch with RX packet size
     - usb: gadget: Fix spinlock lockup on usb_function_deactivate
     - usb: gadget: configfs: Preserve function ordering after bind failure
     - usb: gadget: configfs: Fix use-after-free issue with udc_name
     - USB: serial: keyspan_pda: remove unused variable
     - [x86] mm: Fix leak of pmd ptlock
     - ALSA: hda/via: Fix runtime PM for Clevo W35xSS
     - ALSA: hda/conexant: add a new hda codec CX11970
     - ALSA: hda/realtek - Fix speaker volume control on Lenovo C940
     - btrfs: send: fix wrong file path when there is an inode with a pending
       rmdir
     - Revert "device property: Keep secondary firmware node secondary by type"
     - [x86] xen/pvh: correctly setup the PV EFI interface for dom0
     - netfilter: x_tables: Update remaining dereference to RCU
     - netfilter: ipset: fix shift-out-of-bounds in htable_bits()
     - netfilter: xt_RATEEST: reject non-null terminated string from userspace
     - [x86] mtrr: Correct the range check before performing MTRR type lookups
     - scsi: target: Fix XCOPY NAA identifier lookup (CVE-2020-28374)
     https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.168
     - net: cdc_ncm: correct overhead in delayed_ndp_size (Closes: #970736)
     - [arm64] net: hns3: fix the number of queues actually used by ARQ
     - [arm64,armhf] net: stmmac: dwmac-sun8i: Balance internal PHY resource
       references
     - [arm64,armhf] net: stmmac: dwmac-sun8i: Balance internal PHY power
     - net: vlan: avoid leaks on register_vlan_dev() failures
     - net: ip: always refragment ip defragmented packets
     - net: fix pmtu check in nopmtudisc mode
     - net: ipv6: fib: flush exceptions when purging route
     - vmlinux.lds.h: Add PGO and AutoFDO input sections
     - [x86] drm/i915: Fix mismatch between misplaced vma check and vma insert
     - [amd64] spi: pxa2xx: Fix use-after-free on unbind
     - HID: wacom: Fix memory leakage caused by kfifo_alloc
     - [armhf] OMAP2+: omap_device: fix idling of devices during probe
     - [x86] cpufreq: powernow-k8: pass policy rather than use
       cpufreq_cpu_get()
     - [amd64] iommu/intel: Fix memleak in intel_irq_remapping_alloc
     - net/mlx5e: Fix memleak in mlx5e_create_l2_table_groups
     - net/mlx5e: Fix two double free cases
     - regmap: debugfs: Fix a memory leak when calling regmap_attach_dev
     - [arm64] KVM: Don't access PMCR_EL0 when no PMU is available
     - block: fix use-after-free in disk_part_iter_next
     - net: drop bogus skb with CHECKSUM_PARTIAL and offset beyond end of
       trimmed packet
     - regmap: debugfs: Fix a reversed if statement in regmap_debugfs_init()
     https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.169
     - ASoC: dapm: remove widget from dirty list on free
     - [x86] hyperv: check cpu mask after interrupt has been disabled
     - [mips*] boot: Fix unaligned access with CONFIG_MIPS_RAW_APPENDED_DTB
     - ACPI: scan: Harden acpi_device_add() against device ID overflows
     - mm/hugetlb: fix potential missing huge page size info
     - dm snapshot: flush merged data before committing metadata
     - dm integrity: fix the maximum number of arguments
     - r8152: Add Lenovo Powered USB-C Travel Hub
     - ext4: fix bug for rename with RENAME_WHITEOUT
     - btrfs: fix transaction leak and crash after RO remount caused by qgroup
       rescan
     - bfq: Fix computation of shallow depth
     - [arm64] drm/msm: Call msm_init_vram before binding the gpu
     - dump_common_audit_data(): fix racy accesses to ->d_name
     - [x86] ASoC: Intel: fix error code cnl_set_dsp_D0()
     - NFS4: Fix use-after-free in trace_event_raw_event_nfs4_set_lock
     - pNFS: Mark layout for return if return-on-close was not sent
     - NFS/pNFS: Fix a leak of the layout 'plh_outstanding' counter
     - NFS: nfs_igrab_and_active must first reference the superblock
     - ext4: fix superblock checksum failure when setting password salt
     - [amd64] RDMA/usnic: Fix memleak in find_free_vf_and_create_qp_grp
     - RDMA/mlx5: Fix wrong free of blue flame register on error
     - mm, slub: consider rest of partial list if acquire_slab() fails
     - net: sunrpc: interpret the return value of kstrtou32 correctly
     - dm: eliminate potential source of excessive kernel log noise
     - ALSA: firewire-tascam: Fix integer overflow in midi_port_work()
     - ALSA: fireface: Fix integer overflow in transmit_midi_msg()
     - netfilter: conntrack: fix reading nf_conntrack_buckets
     - netfilter: nf_nat: Fix memleak in nf_nat_init
     https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.170
     - usb: ohci: Make distrust_firmware param default to false
     - dm integrity: fix flush with external metadata device
     - nfsd4: readdirplus shouldn't return parent of export (CVE-2021-3178)
     - udp: Prevent reuseport_select_sock from reading uninitialized socks
     - netxen_nic: fix MSI/MSI-x interrupts
     - [arm64,armhf] net: mvpp2: Remove Pause and Asym_Pause support
     - rndis_host: set proper input size for OID_GEN_PHYSICAL_MEDIUM request
     - esp: avoid unneeded kmap_atomic call
     - net: dcb: Validate netlink message in DCB handler
     - net: dcb: Accept RTM_GETDCB messages carrying set-like DCB commands
     - rxrpc: Call state should be read with READ_ONCE() under some
       circumstances
     - [arm64,armhf] net: stmmac: Fixed mtu channged by cache aligned
     - net: sit: unregister_netdevice on newlink's error path
     - net: avoid 32 x truesize under-estimation for tiny skbs
     - rxrpc: Fix handling of an unsupported token type in rxrpc_read()
     - tipc: fix NULL deref in tipc_link_xmit()
     - net: introduce skb_list_walk_safe for skb segment walking
     - net: skbuff: disambiguate argument and member for skb_list_walk_safe
       helper
     - net: ipv6: Validate GSO SKB before finish IPv6 processing
     https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.171
     - ALSA: hda/via: Add minimum mute flag
     - ACPI: scan: Make acpi_bus_get_device() clear return pointer on error
     - btrfs: fix lockdep splat in btrfs_recover_relocation
     - mmc: core: don't initialize block size from ext_csd if not present
     - [arm64] mmc: sdhci-xenon: fix 1.8v regulator stabilization
     - dm: avoid filesystem lookup in dm_get_dev_t()
     - dm integrity: fix a crash if "recalculate" used without "internal_hash"
     - drm/atomic: put state on error path
     - [x86] ASoC: Intel: haswell: Add missing pm_ops
     - scsi: ufs: Correct the LUN used in eh_device_reset_handler() callback
     - scsi: qedi: Correct max length of CHAP secret
     - HID: Ignore battery for Elan touchscreen on ASUS UX550
     - xen: Fix event channel callback via INTX/GSI
     - drm/nouveau/bios: fix issue shadowing expansion ROMs
     - drm/nouveau/privring: ack interrupts the same way as RM
     - drm/nouveau/i2c/gm200: increase width of aux semaphore owner fields
     - drm/nouveau/mmu: fix vram heap sizing
     - drm/nouveau/kms/nv50-: fix case where notifier buffer is at offset 0
     - scsi: megaraid_sas: Fix MEGASAS_IOC_FIRMWARE regression
     - i2c: octeon: check correct size of maximum RECV_LEN packet
     - [x86] platform/x86: intel-vbtn: Drop HP Stream x360 Convertible PC 11
       from allow-list
     - can: dev: can_restart: fix use after free bug
     - can: vxcan: vxcan_xmit: fix use after free bug
     - can: peak_usb: fix use after free bugs
     - [mips*] irqchip/mips-cpu: Set IPI domain parent chip
     - [x86] intel_th: pci: Add Alder Lake-P support
     - [arm64] serial: mvebu-uart: fix tx lost characters at power off
     - ehci: fix EHCI host controller initialization sequence
     - usb: udc: core: Use lock when write to soft_connect
     - xhci: make sure TRB is fully written before giving it to the controller
     - [arm64,armhf] xhci: tegra: Delay for disabling LFPS detector
     - driver core: Extend device_is_dependent()
     - netfilter: rpfilter: mask ecn bits before fib lookup
     - skbuff: back tiny skbs with kmalloc() in __netdev_alloc_skb() too
     - udp: mask TOS bits in udp_v4_early_demux()
     - ipv6: create multicast route with RTPROT_KERNEL
     - net_sched: avoid shift-out-of-bounds in tcindex_set_parms()
     - net_sched: reject silly cell_log in qdisc_get_rtab()
     - ipv6: set multicast flag on the multicast route
     - net: Disable NETIF_F_HW_TLS_RX when RXCSUM is disabled
     - [armhf] net: dsa: b53: fix an off by one in checking "vlan->vid"
 .
   [ Salvatore Bonaccorso ]
   * [rt] Update to 4.19.165-rt70
   * Bump ABI to 14
   * [rt] Refresh "net/core: protect users of napi_alloc_cache against
     reentrance"
   * futex: Move futex exit handling into futex code
   * futex: Replace PF_EXITPIDONE with a state
   * exit/exec: Seperate mm_release()
   * futex: Split futex_mm_release() for exit/exec
   * futex: Set task::futex_state to DEAD right after handling futex exit
   * futex: Mark the begin of futex exit explicitly
   * futex: Sanitize exit state handling
   * futex: Provide state handling for exec() as well
   * futex: Add mutex around futex exit
   * futex: Provide distinct return value when owner is exiting
   * futex: Prevent exit livelock
   * [rt] Refresh "softirq: Split softirq locks"
   * [arm*] gpio: mvebu: fix pwm .get_state period calculation
   * Revert "mm/slub: fix a memory leak in sysfs_slab_add()"
   * futex: Ensure the correct return value from futex_lock_pi()
   * futex: Replace pointless printk in fixup_owner()
   * futex: Provide and use pi_state_update_owner()
   * rtmutex: Remove unused argument from rt_mutex_proxy_unlock()
   * futex: Use pi_state_update_owner() in put_pi_state()
   * futex: Simplify fixup_pi_state_owner()
   * futex: Handle faults correctly for PI futexes
   * [rt] Refresh "rtmutex: Handle the various new futex race conditions"
   * [rt] Refresh "rtmutex: add sleeping lock implementation"
   * [rt] Refresh "Revert "rtmutex: Handle the various new futex race
     conditions""
   * [rt] Refresh "futex: Make the futex_hash_bucket lock raw"
   * [rt] Refresh "futex: Delay deallocation of pi_state"
   * [rt] Refresh "futex: Make the futex_hash_bucket spinlock_t again and bring
     back its old state"
   * HID: wacom: Correct NULL dereference on AES pen proximity
   * tracing: Fix race in trace_open and buffer resize call (CVE-2020-27825)
 .
   [ Uwe Kleine-König ]
   * [arm64] Enable support for NXP's PCF85063 RTC (Closes: #972345)
Checksums-Sha1:
 cec64089bf234ebd16918a122f7b86ec5ed5dee3 191615 linux_4.19.171-1.dsc
 37c3c0616d91bc7d3665ae98c201e772b6b6ab88 107575880 linux_4.19.171.orig.tar.xz
 006bf55ea1b29f3a4e582025189376f510f6b326 1479940 linux_4.19.171-1.debian.tar.xz
 096ef9560e2bef9324ca40332511d79304fe2fb6 6275 linux_4.19.171-1_source.buildinfo
Checksums-Sha256:
 1da387cd31a15b60acf2c6500bd44a7cf5458a945bad1b1dee77533d8b53d2cc 191615 linux_4.19.171-1.dsc
 a675203341bfc2876a6361874c40b40190017c95bd51917372e13ef82652bcb0 107575880 linux_4.19.171.orig.tar.xz
 c7e1c1474c99227245ac73ab68dfcd36778728edfb0dba04496b3625de5d84b3 1479940 linux_4.19.171-1.debian.tar.xz
 7293a0d04abd2ce8e8e3925e96f48859c107fa979388637b664e642d0890bc89 6275 linux_4.19.171-1_source.buildinfo
Files:
 86a9cb65e87d95c2a0f3da25a5ae0b4a 191615 kernel optional linux_4.19.171-1.dsc
 0db4d008c7ce5a97f13d28e72a209dd0 107575880 kernel optional linux_4.19.171.orig.tar.xz
 d804066531e03f77b2fea895b7fec3eb 1479940 kernel optional linux_4.19.171-1.debian.tar.xz
 4fd511ebfb9c283defa9dd72684b62ac 6275 kernel optional linux_4.19.171-1_source.buildinfo

--- End Message ---
