--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: linux: u2fzero driver crashes when the device is quickly removed
- From: Andrej Shadura <andrewsh@debian.org>
- Date: Fri, 17 Sep 2021 12:27:53 +0100
- Message-id: <163187807337.33582.2675402266940169396.reportbug@nuevo>
Source: linux
Severity: minor
Tags: patch upstream
Control: forwarded -1 https://bugzilla.kernel.org/show_bug.cgi?id=214437
Hi,
I ran into this bug in the code I wrote myself some years ago.
Sometimes the driver crashes with a buffer overflow upon the device
insertion. After the crash, often neither U2F nor RNG functionality is
available.
I ran into this bug on Ubuntu, but the code basically hasn’t changed a
lot since the driver was merged.
usb 2-2: USB disconnect, device number 18
detected buffer overflow in memcpy
------------[ cut here ]------------
kernel BUG at lib/string.c:1149!
invalid opcode: 0000 [#1] SMP PTI
CPU: 1 PID: 61299 Comm: hwrng Tainted: G IOE 5.11.0-25-generic #27-Ubuntu
Hardware name: LENOVO 20CM001UUK/20CM001UUK, BIOS N10ET27W (1.04 ) 12/01/2014
RIP: 0010:fortify_panic+0x13/0x15
Code: 35 96 77 36 01 48 c7 c7 6b 01 81 8a e8 d3 c3 fe ff 41 5c 41 5d 5d c3 55 48 89 fe 48 c7 c7 b8 01 81 8a 48 89 e5 e8 ba c3 fe ff <0f> 0b 48 c7 c7 90 f7 48 8a e8 df ff ff ff 48 c7 c7 98 f7 48 8a e8
RSP: 0018:ffffb04803df3e28 EFLAGS: 00010246
RAX: 0000000000000022 RBX: 0000000000000040 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff8de3bdc58ac0 RDI: ffff8de3bdc58ac0
RBP: ffffb04803df3e28 R08: 0000000000000000 R09: ffffb04803df3c20
R10: ffffb04803df3c18 R11: ffffffff8af53588 R12: ffff8de089aa7440
R13: ffff8de2c3862598 R14: 0000000000000000 R15: ffffb0480366f428
FS: 0000000000000000(0000) GS:ffff8de3bdc40000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fa10098f000 CR3: 00000002bec10004 CR4: 00000000003706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
u2fzero_rng_read.cold+0xc/0xc [hid_u2fzero]
hwrng_fillfn+0xd8/0x180
kthread+0x12f/0x150
? enable_best_rng+0x70/0x70
? __kthread_bind_mask+0x70/0x70
ret_from_fork+0x22/0x30
Modules linked in: hid_u2fzero hid_generic usbhid hid usb_serial_simple usbserial ccm xt_nat veth nf_conntrack_netlink xfrm_user xfrm_algo xt_addrtype br_netfilter bridge stp llc vboxnetadp(OE) vboxnetflt(OE) vboxdrv(OE) bnep snd_seq_dummy snd_hrtimer ip6t_REJECT nf_reject_ipv6 ip6t_rpfilter xt_tcpudp ipt_REJECT nf_reject_ipv4 xt_conntrack nft_chain_nat xt_MASQUERADE nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nft_counter overlay ip6_tables nft_compat ip_set nf_tables nfnetlink nls_iso8859_1 binfmt_misc joydev intel_rapl_msr mei_hdcp snd_hda_codec_realtek snd_hda_codec_generic snd_hda_codec_hdmi uvcvideo snd_hda_intel btusb btrtl intel_rapl_common snd_intel_dspcfg soundwire_intel x86_pkg_temp_thermal soundwire_generic_allocation intel_powerclamp btbcm soundwire_cadence coretemp snd_hda_codec btintel snd_hda_core cdc_mbim kvm_intel cdc_wdm snd_hwdep bluetooth cdc_ncm cdc_ether snd_seq_midi ecdh_generic soundwire_bus snd_seq_midi_event cdc_acm ecc usbnet mii kvm
rmi_smbus snd_soc_core snd_compress rapl rmi_core intel_cstate ac97_bus snd_rawmidi snd_pcm_dmaengine videobuf2_vmalloc snd_pcm input_leds iwlmvm videobuf2_memops mac80211 serio_raw wmi_bmof efi_pstore videobuf2_v4l2 libarc4 videobuf2_common snd_seq iwlwifi snd_seq_device snd_timer videodev at24 intel_pch_thermal mc cfg80211 thinkpad_acpi nvram ledtrig_audio mei_me mei snd soundcore mac_hid sch_fq_codel pkcs8_key_parser msr parport_pc ppdev lp parport ip_tables x_tables autofs4 btrfs blake2b_generic xor raid6_pq libcrc32c dm_crypt crct10dif_pclmul i915 rtsx_pci_sdmmc crc32_pclmul i2c_algo_bit ghash_clmulni_intel aesni_intel crypto_simd cryptd glue_helper lpc_ich drm_kms_helper syscopyarea sysfillrect psmouse sysimgblt fb_sys_fops cec ahci i2c_i801 libahci rc_core i2c_smbus e1000e rtsx_pci drm xhci_pci xhci_pci_renesas wmi video
---[ end trace e7936f97d201c167 ]---
RIP: 0010:fortify_panic+0x13/0x15
Code: 35 96 77 36 01 48 c7 c7 6b 01 81 8a e8 d3 c3 fe ff 41 5c 41 5d 5d c3 55 48 89 fe 48 c7 c7 b8 01 81 8a 48 89 e5 e8 ba c3 fe ff <0f> 0b 48 c7 c7 90 f7 48 8a e8 df ff ff ff 48 c7 c7 98 f7 48 8a e8
RSP: 0018:ffffb04803df3e28 EFLAGS: 00010246
RAX: 0000000000000022 RBX: 0000000000000040 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff8de3bdc58ac0 RDI: ffff8de3bdc58ac0
RBP: ffffb04803df3e28 R08: 0000000000000000 R09: ffffb04803df3c20
R10: ffffb04803df3c18 R11: ffffffff8af53588 R12: ffff8de089aa7440
R13: ffff8de2c3862598 R14: 0000000000000000 R15: ffffb0480366f428
FS: 0000000000000000(0000) GS:ffff8de3bdc40000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fa10098f000 CR3: 0000000194fa6005 CR4: 00000000003706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Please see the patch attached.
--
Cheers,
Andrej
>From 561ecacf79120c88158fb511ff406745cc7e2871 Mon Sep 17 00:00:00 2001
From: Andrej Shadura <andrew.shadura@collabora.co.uk>
Date: Thu, 16 Sep 2021 17:19:14 +0100
Subject: [PATCH] HID: u2fzero: ignore incomplete packets without data
Since the actual_length calculation is performed unsigned, packets
shorter than 7 bytes (e.g. packets without data or otherwise truncated)
or non-received packets ("zero" bytes) can cause buffer overflow.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=214437
Fixes: 42337b9d4d958("HID: add driver for U2F Zero built-in LED and RNG")
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
---
drivers/hid/hid-u2fzero.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/hid/hid-u2fzero.c b/drivers/hid/hid-u2fzero.c
index 95e0807878c7..d70cd3d7f583 100644
--- a/drivers/hid/hid-u2fzero.c
+++ b/drivers/hid/hid-u2fzero.c
@@ -198,7 +198,9 @@ static int u2fzero_rng_read(struct hwrng *rng, void *data,
}
ret = u2fzero_recv(dev, &req, &resp);
- if (ret < 0)
+
+ /* ignore errors or packets without data */
+ if (ret < offsetof(struct u2f_hid_msg, init.data))
return 0;
/* only take the minimum amount of data it is safe to take */
--
2.31.1
--- End Message ---
--- Begin Message ---
Source: linux
Source-Version: 5.14.12-1
Done: Salvatore Bonaccorso <carnil@debian.org>
We believe that the bug you reported is fixed in the latest version of
linux, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 994535@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated linux package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 14 Oct 2021 08:39:01 +0200
Source: linux
Architecture: source
Version: 5.14.12-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 994535 996175
Changes:
linux (5.14.12-1) unstable; urgency=medium
.
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.14.10
- [arm64,armhf] media: cedrus: Fix SUNXI tile size calculation
- [arm64] ASoC: fsl_sai: register platform component before registering cpu
dai
- [armhf] ASoC: fsl_spdif: register platform component before registering
cpu dai
- [x86] ASoC: SOF: Fix DSP oops stack dump output contents
- [arm64] pinctrl: qcom: spmi-gpio: correct parent irqspec translation
- net/mlx4_en: Resolve bad operstate value
- [s390x] qeth: Fix deadlock in remove_discipline
- [s390x] qeth: fix deadlock during failing recovery
- [x86] crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd()
(CVE-2021-3744, CVE-2021-3764)
- [m68k] Update ->thread.esp0 before calling syscall_trace() in
ret_from_signal
- [amd64] HID: amd_sfh: Fix potential NULL pointer dereference
- tty: Fix out-of-bound vmalloc access in imageblit
- cpufreq: schedutil: Use kobject release() method to free sugov_tunables
- scsi: qla2xxx: Changes to support kdump kernel for NVMe BFS
- drm/amdgpu: adjust fence driver enable sequence
- drm/amdgpu: avoid over-handle of fence driver fini in s3 test (v2)
- drm/amdgpu: stop scheduler when calling hw_fini (v2)
- cpufreq: schedutil: Destroy mutex before kobject_put() frees the memory
- scsi: ufs: ufs-pci: Fix Intel LKF link stability
- ALSA: rawmidi: introduce SNDRV_RAWMIDI_IOCTL_USER_PVERSION
- ALSA: firewire-motu: fix truncated bytes in message tracepoints
- ALSA: hda/realtek: Quirks to enable speaker output for Lenovo Legion 7i
15IMHG05, Yoga 7i 14ITL5/15ITL5, and 13s Gen2 laptops.
- [amd64,arm64] ACPI: NFIT: Use fallback node id when numa info in NFIT
table is incorrect
- fs-verity: fix signed integer overflow with i_size near S64_MAX
- hwmon: (tmp421) handle I2C errors
- hwmon: (w83793) Fix NULL pointer dereference by removing unnecessary
structure field
- hwmon: (w83792d) Fix NULL pointer dereference by removing unnecessary
structure field
- hwmon: (w83791d) Fix NULL pointer dereference by removing unnecessary
structure field
- [arm64,armhf] gpio: pca953x: do not ignore i2c errors
- scsi: ufs: Fix illegal offset in UPIU event trace
- mac80211: fix use-after-free in CCMP/GCMP RX
- [x86] platform/x86/intel: hid: Add DMI switches allow list
- [x86] kvmclock: Move this_cpu_pvti into kvmclock.h
- [x86] ptp: Fix ptp_kvm_getcrosststamp issue for x86 ptp_kvm
- [x86] KVM: x86: Fix stack-out-of-bounds memory access from
ioapic_write_indirect()
- [x86] KVM: x86: nSVM: don't copy virt_ext from vmcb12
- [x86] KVM: x86: Clear KVM's cached guest CR3 at RESET/INIT
- [x86] KVM: x86: Swap order of CPUID entry "index" vs. "significant flag"
checks
- [x86] KVM: nVMX: Filter out all unsupported controls when eVMCS was
activated
- [x86] KVM: SEV: Update svm_vm_copy_asid_from for SEV-ES
- [x86] KVM: SEV: Pin guest memory for write for RECEIVE_UPDATE_DATA
- [x86] KVM: SEV: Acquire vcpu mutex when updating VMSA
- [x86] KVM: SEV: Allow some commands for mirror VM
- [x86] KVM: SVM: fix missing sev_decommission in sev_receive_start
- [x86] KVM: nVMX: Fix nested bus lock VM exit
- [x86] KVM: VMX: Fix a TSX_CTRL_CPUID_CLEAR field mask issue
- RDMA/cma: Do not change route.addr.src_addr.ss_family
- RDMA/cma: Ensure rdma_addr_cancel() happens before issuing more requests
- nbd: use shifts rather than multiplies
- drm/amd/display: initialize backlight_ramping_override to false
- drm/amd/display: Pass PCI deviceid into DC
- drm/amd/display: Fix Display Flicker on embedded panels
- drm/amdgpu: force exit gfxoff on sdma resume for rmb s0ix
- drm/amdgpu: check tiling flags when creating FB on GFX8-
- drm/amdgpu: correct initial cp_hqd_quantum for gfx9
- [amd64] drm/i915/gvt: fix the usage of ww lock in gvt scheduler.
- ipvs: check that ip_vs_conn_tab_bits is between 8 and 20
- bpf: Handle return value of BPF_PROG_TYPE_STRUCT_OPS prog
- IB/cma: Do not send IGMP leaves for sendonly Multicast groups
- RDMA/cma: Fix listener leak in rdma_cma_listen_on_all() failure
- netfilter: nf_tables: unlink table before deleting it
- netfilter: log: work around missing softdep backend module
- Revert "mac80211: do not use low data rates for data frames with no ack
flag"
- mac80211: Fix ieee80211_amsdu_aggregate frag_tail bug
- mac80211: limit injected vht mcs/nss in ieee80211_parse_tx_radiotap
- mac80211: mesh: fix potentially unaligned access
- mac80211-hwsim: fix late beacon hrtimer handling
- driver core: fw_devlink: Add support for
FWNODE_FLAG_NEEDS_CHILD_BOUND_ON_ADD
- net: mdiobus: Set FWNODE_FLAG_NEEDS_CHILD_BOUND_ON_ADD for mdiobus parents
- sctp: break out if skb_header_pointer returns NULL in sctp_rcv_ootb
- mptcp: don't return sockets in foreign netns
- mptcp: allow changing the 'backup' bit when no sockets are open
- [arm64] RDMA/hns: Work around broken constant propagation in gcc 8
- hwmon: (tmp421) report /PVLD condition as fault
- hwmon: (tmp421) fix rounding for negative values
- [arm64] net: enetc: fix the incorrect clearing of IF_MODE bits
- net: ipv4: Fix rtnexthop len when RTA_FLOW is present
- smsc95xx: fix stalled rx after link change
- [x86] drm/i915/request: fix early tracepoints
- [x86] drm/i915: Remove warning from the rps worker
- [arm64,armhf] dsa: mv88e6xxx: 6161: Use chip wide MAX MTU
- [arm64,armhf] dsa: mv88e6xxx: Fix MTU definition
- [arm64,armhf] dsa: mv88e6xxx: Include tagger overhead when setting MTU for
DSA and CPU ports
- e100: fix length calculation in e100_get_regs_len
- e100: fix buffer overrun in e100_get_regs
- [amd64] RDMA/hfi1: Fix kernel pointer leak
- [arm64] RDMA/hns: Fix the size setting error when copying CQE in
clean_cq()
- [arm64] RDMA/hns: Add the check of the CQE size of the user space
- bpf: Exempt CAP_BPF from checks against bpf_jit_limit
- [amd64] bpf, x86: Fix bpf mapping of atomic fetch implementation
- Revert "block, bfq: honor already-setup queue merges"
- scsi: csiostor: Add module softdep on cxgb4
- ixgbe: Fix NULL pointer dereference in ixgbe_xdp_setup
- [arm64] net: hns3: do not allow call hns3_nic_net_open repeatedly
- [arm64] net: hns3: remove tc enable checking
- [arm64] net: hns3: don't rollback when destroy mqprio fail
- [arm64] net: hns3: fix mixed flag HCLGE_FLAG_MQPRIO_ENABLE and
HCLGE_FLAG_DCB_ENABLE
- [arm64] net: hns3: fix show wrong state when add existing uc mac address
- [arm64] net: hns3: reconstruct function hns3_self_test
- [arm64] net: hns3: fix always enable rx vlan filter problem after selftest
- [arm64] net: hns3: disable firmware compatible features when uninstall PF
- [arm64,armhf] net: phy: bcm7xxx: Fixed indirect MMD operations
- net: sched: flower: protect fl_walk() with rcu
- net: stmmac: fix EEE init issue when paired with EEE capable PHYs
- af_unix: fix races in sk_peer_pid and sk_peer_cred accesses
- [x86] perf/x86/intel: Update event constraints for ICX
- sched/fair: Add ancestors of unthrottled undecayed cfs_rq
- sched/fair: Null terminate buffer when updating tunable_scaling
- [armhf] hwmon: (occ) Fix P10 VRM temp sensors
- [x86] kvm: fix objtool relocation warning
- nvme: add command id quirk for apple controllers
- elf: don't use MAP_FIXED_NOREPLACE for elf interpreter mappings
- driver core: fw_devlink: Improve handling of cyclic dependencies
- debugfs: debugfs_create_file_size(): use IS_ERR to check for error
- ext4: fix loff_t overflow in ext4_max_bitmap_size()
- ext4: fix reserved space counter leakage
- ext4: add error checking to ext4_ext_replay_set_iblocks()
- ext4: fix potential infinite loop in ext4_dx_readdir()
- ext4: flush s_error_work before journal destroy in ext4_fill_super
- HID: u2fzero: ignore incomplete packets without data (Closes: #994535)
- net: udp: annotate data race around udp_sk(sk)->corkflag
- usb: hso: remove the bailout parameter
- HID: betop: fix slab-out-of-bounds Write in betop_probe
- netfilter: ipset: Fix oversized kvmalloc() calls
- mm: don't allow oversized kvmalloc() calls
- HID: usbhid: free raw_report buffers in usbhid_stop
- [x86] crypto: aesni - xts_crypt() return if walk.nbytes is 0
- [x86] KVM: x86: Handle SRCU initialization failure during page track init
- netfilter: conntrack: serialize hash resizes and cleanups
- netfilter: nf_tables: Fix oversized kvmalloc() calls
- [amd64] HID: amd_sfh: Fix potential NULL pointer dereference - take 2
https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.14.11
- [arm64,armhf] spi: rockchip: handle zero length transfers without timing
out
- afs: Add missing vnode validation checks
- nfsd: back channel stuck in SEQ4_STATUS_CB_PATH_DOWN
- btrfs: replace BUG_ON() in btrfs_csum_one_bio() with proper error handling
- btrfs: fix mount failure due to past and transient device flush error
- net: mdio: introduce a shutdown method to mdio device drivers
- xen-netback: correct success/error reporting for the SKB-with-fraglist
case
- [sparc64] fix pci_iounmap() when CONFIG_PCI is not set
- scsi: sd: Free scsi_disk device via put_device()
- [arm*] usb: dwc2: check return value after calling platform_get_resource()
- Xen/gntdev: don't ignore kernel unmapping error
- swiotlb-xen: ensure to issue well-formed XENMEM_exchange requests
- nvme-fc: update hardware queues before using them
- nvme-fc: avoid race between time out and tear down
- [arm64] thermal/drivers/tsens: Fix wrong check for tzd in irq handlers
- scsi: ses: Retry failed Send/Receive Diagnostic commands
- [arm64,armhf] irqchip/gic: Work around broken Renesas integration
- smb3: correct smb3 ACL security descriptor
- [x86] insn, tools/x86: Fix undefined behavior due to potential unaligned
accesses
- io_uring: allow conditional reschedule for intensive iterators
- block: don't call rq_qos_ops->done_bio if the bio isn't tracked
- KVM: do not shrink halt_poll_ns below grow_start
- [x86] KVM: x86: reset pdptrs_from_userspace when exiting smm
- [x86] kvm: x86: Add AMD PMU MSRs to msrs_to_save_all[]
- [x86] KVM: x86: nSVM: restore int_vector in svm_clear_vintr
- [x86] perf/x86: Reset destroy callback on event init failure
- libata: Add ATA_HORKAGE_NO_NCQ_ON_ATI for Samsung 860 and 870 SSD.
- Revert "brcmfmac: use ISO3166 country code and 0 rev as fallback"
- [armhf] Revert "ARM: imx6q: drop of_platform_default_populate() from
init_machine"
https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.14.12
- usb: cdc-wdm: Fix check for WWAN
- [arm64,armhf] usb: chipidea: ci_hdrc_imx: Also search for 'phys' phandle
- usb: gadget: f_uac2: fixed EP-IN wMaxPacketSize
- USB: cdc-acm: fix racy tty buffer accesses
- USB: cdc-acm: fix break reporting
- usb: typec: tcpm: handle SRC_STARTUP state if cc changes
- [x86] usb: typec: tipd: Remove dependency on "connector" child fwnode
- drm/amdgpu: During s0ix don't wait to signal GFXOFF
- drm/nouveau/kms/tu102-: delay enabling cursor until after assign_windows
- drm/nouveau/ga102-: support ttm buffer moves via copy engine
- [x86] drm/i915: Fix runtime pm handling in i915_gem_shrink
- [x86] drm/i915: Extend the async flip VT-d w/a to skl/bxt
- xen/privcmd: fix error handling in mmap-resource processing
- [arm64] mmc: meson-gx: do not use memcpy_to/fromio for dram-access-quirk
- ovl: fix missing negative dentry check in ovl_rename()
- ovl: fix IOCB_DIRECT if underlying fs doesn't support direct IO
- nfsd: fix error handling of register_pernet_subsys() in init_nfsd()
- nfsd4: Handle the NFSv4 READDIR 'dircount' hint being zero
- SUNRPC: fix sign error causing rpcsec_gss drops
- xen/balloon: fix cancelled balloon action
- [armhf] dts: omap3430-sdp: Fix NAND device node
- scsi: ufs: core: Fix task management completion
- [riscv64] Flush current cpu icache before other cpus
- [armhf] bus: ti-sysc: Add break in switch statement in sysc_init_soc()
- iwlwifi: mvm: Fix possible NULL dereference
- [arm64] soc: qcom: mdt_loader: Drop PT_LOAD check on hash segment
- [armhf] dts: imx: Add missing pinctrl-names for panel on M53Menlo
- [armhf] dts: imx: Fix USB host power regulator polarity on M53Menlo
- [amd64] PCI: hv: Fix sleep while in non-sleep context when removing child
devices from the bus
- iwlwifi: pcie: add configuration of a Wi-Fi adapter on Dell XPS 15
- netfilter: conntrack: fix boot failure with nf_conntrack.enable_hooks=1
- netfilter: nf_tables: add position handle in event notification
- netfilter: nf_tables: reverse order in rule replacement expansion
- [armel,armhf] bpf, arm: Fix register clobbering in div/mod implementation
- [armhf] soc: ti: omap-prm: Fix external abort for am335x pruss
- bpf: Fix integer overflow in prealloc_elems_and_freelist()
(CVE-2021-41864)
- net/mlx5e: IPSEC RX, enable checksum complete
- net/mlx5e: Keep the value for maximum number of channels in-sync
- net/mlx5: E-Switch, Fix double allocation of acl flow counter
- net/mlx5: Force round second at 1PPS out start time
- net/mlx5: Avoid generating event after PPS out in Real time mode
- net/mlx5: Fix length of irq_index in chars
- net/mlx5: Fix setting number of EQs of SFs
- net/mlx5e: Fix the presented RQ index in PTP stats
- phy: mdio: fix memory leak
- net_sched: fix NULL deref in fifo_set_limit()
- [arm64] net: mscc: ocelot: fix VCAP filters remaining active after being
deleted
- [arm64,armhf] net: stmmac: dwmac-rk: Fix ethernet on rk3399 based devices
- [mips*] Revert "add support for buggy MT7621S core detection"
- netfilter: nf_tables: honor NLM_F_CREATE and NLM_F_EXCL in event
notification
- [i386] ptp_pch: Load module automatically if ID matches
- [armhf] dts: imx: change the spi-nor tx
- [arm64] dts: imx8: change the spi-nor tx
- [armhf] imx6: disable the GIC CPU interface before calling stby-poweroff
sequence
- [x86] drm/i915/audio: Use BIOS provided value for RKL HDA link
- [x86] drm/i915/jsl: Add W/A 1409054076 for JSL
- [x86] drm/i915/tc: Fix TypeC port init/resume time sanitization
- [x86] drm/i915/bdb: Fix version check
- netfs: Fix READ/WRITE confusion when calling iov_iter_xarray()
- afs: Fix afs_launder_page() to set correct start file position
- net: bridge: use nla_total_size_64bit() in br_get_linkxstats_size()
- net: bridge: fix under estimation in br_get_linkxstats_size()
- net/sched: sch_taprio: properly cancel timer from taprio_destroy()
- net: sfp: Fix typo in state machine debug string
- net: pcs: xpcs: fix incorrect CL37 AN sequence
- netlink: annotate data races around nlk->bound
- drm/amdgpu: handle the case of pci_channel_io_frozen only in
amdgpu_pci_resume
- [armhf] bus: ti-sysc: Use CLKDM_NOAUTO for dra7 dcan1 for errata i893
- [arm64,armhf] drm/sun4i: dw-hdmi: Fix HDMI PHY clock setup
- drm/nouveau: avoid a use-after-free when BO init fails
- drm/nouveau/kms/nv50-: fix file release memory leak
- drm/nouveau/debugfs: fix file release memory leak
- net: pcs: xpcs: fix incorrect steps on disable EEE
- net: stmmac: trigger PCS EEE to turn off on link down
- [amd64,arm64] gve: Correct available tx qpl check
- [amd64,arm64] gve: Avoid freeing NULL pointer
- [amd64,arm64] gve: Properly handle errors in gve_assign_qpl
- rtnetlink: fix if_nlmsg_stats_size() under estimation
- [amd64,arm64] gve: fix gve_get_stats()
- [amd64,arm64] gve: report 64bit tx_bytes counter from
gve_handle_report_stats()
- i40e: fix endless loop under rtnl
- i40e: Fix freeing of uninitialized misc IRQ vector
- iavf: fix double unlock of crit_lock
- net: prefer socket bound to interface when not in VRF
- [powerpc*] iommu: Report the correct most efficient DMA mask for PCI
devices
- i2c: acpi: fix resource leak in reconfiguration device addition
- [riscv64] explicitly use symbol offsets for VDSO
- [riscv64] vdso: Refactor asm/vdso.h
- [riscv64] vdso: Move vdso data page up front
- [riscv64] vdso: make arch_setup_additional_pages wait for mmap_sem for
write killable
- [s390x] bpf, s390: Fix potential memory leak about jit_data
- [riscv64] Include clone3() on rv32
- scsi: iscsi: Fix iscsi_task use after free
- [powerpc*] bpf: Fix BPF_MOD when imm == 1
- [powerpc*] bpf: Fix BPF_SUB when imm == 0x80000000
- [powerpc*] 64s: fix program check interrupt emergency stack path
- [powerpc*] traps: do not enable irqs in _exception
- [powerpc*] 64s: Fix unrecoverable MCE calling async handler from NMI
- [powerpc*] pseries/eeh: Fix the kdump kernel crash during eeh_pseries_init
- [i386] x86/platform/olpc: Correct ifdef symbol to intended
CONFIG_OLPC_XO15_SCI
- [x86] fpu: Restore the masking out of reserved MXCSR bits
- [x86] entry: Correct reference to intended CONFIG_64_BIT
- [x86] hpet: Use another crystalball to evaluate HPET usability
- [arm64,armhf] dsa: tag_dsa: Fix mask for trunked packets
.
[ Ben Hutchings ]
* debian/.gitignore: Ignore debian/tests/control again
* integrity: Drop "MODSIGN: load blacklist from MOKx" as redundant after 5.13
* tools/perf: Fix warning introduced by "tools/perf: pmu-events: Fix
reproducibility"
* debian/rules.real: Stop invoking obsolete headers_check target
* libcpupower: Update symbols file for changes in 5.13.9-1~exp1
.
[ John Paul Adrian Glaubitz ]
* [alpha] Re-enable CONFIG_EISA which was disabled upstream by accident
.
[ Salvatore Bonaccorso ]
* Bump ABI to 3
* mm/secretmem: Fix NULL page->mapping dereference in page_is_secretmem()
(Closes: #996175)
.
[ Aurelien Jarno ]
* [riscv64] Improve HiFive Unmatched support: enable SENSORS_LM90.
Checksums-Sha1:
75dbe53dcc9a5e53c3486d440ba68d95cc6d3a92 191803 linux_5.14.12-1.dsc
070d5daf592d6901c6debe0d07e17ef4e39c0874 126473020 linux_5.14.12.orig.tar.xz
d56172ad0b1f2bb5c2436e5757742abe94fb0038 1411484 linux_5.14.12-1.debian.tar.xz
9dad5d371d92fdfbaaaca46918af3bf3a30372ac 6297 linux_5.14.12-1_source.buildinfo
Checksums-Sha256:
69e1e21776be2987eb7c2a19946662e60d6a87980ba0eecff33a4b49d95c81b1 191803 linux_5.14.12-1.dsc
373ff99e8294da91fec041d27f34942ae39ecdd5a28bde893653d4f18c1b788c 126473020 linux_5.14.12.orig.tar.xz
b7adc4cb8c5eca7ebc70b3752b8b7825da01fc0d2264e2673725550196fa4d2b 1411484 linux_5.14.12-1.debian.tar.xz
7a2bd64cccdeec3a93744fe99134d1cf6d8312707c3b50c66eacb5482b98e4d4 6297 linux_5.14.12-1_source.buildinfo
Files:
19c9f19a695a6eb5dcdd847d04deb4d1 191803 kernel optional linux_5.14.12-1.dsc
183e065b81037c58ad27a5d3a31abcae 126473020 kernel optional linux_5.14.12.orig.tar.xz
0464edc5eaac09a9c95416cde8bd47f4 1411484 kernel optional linux_5.14.12-1.debian.tar.xz
ab376c38c1cdb3e3f57ee7c0caac2f20 6297 kernel optional linux_5.14.12-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmFn0UxfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89ESywP/jWlHvBsWBLloC8hVI/qkD69iRrirI/x
yC7NRoIhfoZBJBLqEFHexNppiizG1pTHXW7oS3RuUMy96wiTUsCGF39N7ZxRRZBy
E1KC2UBMfXVA21aCsKhiswrEZmIC7pyXLcQhhlIkY2ddIAiTlD5P0ceiRd7PGBFF
6IGZUNv7XoKPO346AYH0aXOjUe5d2QxUaVtZCYmEw4BZDrImJ51DJ+V04KXKrbt1
sCVj0Tx5/8tznI4LVN5o6Jd0QUaTkxj3RfKhHvmEntcJvsPI1MsS/A8ffF0vorxK
YTYnlWB531wgtOTaigM6+zJYbCttcNMsZs+ilhJxQLz3uy+TMu5sMY5WDSrf7Fu3
vH0vxlGSl7DHHcN+sHLqH4gp2XLpBnrafnqCbod9yodmXpxNLtgkH7QAY7s4wPmj
/eM04r13BZmjPIdKpgbXy9yJEk6e1UcuMFdNRmGH3GJubhdZHqVk5ommt/Zsh+G2
vcmC9rx2OYd+LDbawAKChoWJj5rMJzHny+DlIe7ZbwItKs0ikoEiwx9trVsGkGzb
v8tDXilLDnfCu0vhv7/boRvYnF9KKVtsKipSoi4JAwBKnH/v48k9GTKV4no1zc5p
ZlpaI6j9hNbIIcXbnt+MagAZ+Qsb0FlE4XmyIVcBK2swSqVAFbObN/mj/w2JIgmB
lNCiJTqysAPs
=3EP/
-----END PGP SIGNATURE-----
--- End Message ---