[linux] 04/04: Merge branch 'jessie-security' into jessie
debian-kernel at lists.debian.org
Sun Apr 2 01:34:15 UTC 2017
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch jessie
in repository linux.
commit e03156af9cd55f8f1493bab0a57c10717c74f1d8
Merge: 770f0e4 54fe5e5
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Sun Apr 2 02:33:31 2017 +0100
Merge branch 'jessie-security' into jessie
Drop the redundant patches.
debian/changelog | 5 +
.../bugfix/all/aio-mark-aio-pseudo-fs-noexec.patch | 58 +++++++
...tarting-iteration-in-mb_cache_entry_alloc.patch | 22 +++
...rict-timer_stats-to-initial-pid-namespace.patch | 37 +++++
...to-never-having-exectuables-on-proc-and-s.patch | 183 +++++++++++++++++++++
debian/patches/series | 4 +
6 files changed, 309 insertions(+)
diff --cc debian/changelog
index 2a58490,16d6533..eb3553c
--- a/debian/changelog
+++ b/debian/changelog
@@@ -1,578 -1,15 +1,583 @@@
-linux (3.16.39-1+deb8u3) UNRELEASED; urgency=medium
+linux (3.16.42-1) UNRELEASED; urgency=medium
+ * New upstream stable update:
+ https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.40
+ - [x86] drm/i915/vlv: Make intel_crt_reset() per-encoder
+ - [x86] drm/i915/vlv: Reset the ADPA in vlv_display_power_well_init()
+ - fbdev/efifb: Fix 16 color palette entry calculation
+ - [s390*] zfcp: fix fc_host port_type with NPIV
+ - [s390*] zfcp: fix ELS/GS request&response length for hardware data router
+ - [s390*] zfcp: close window with unblocked rport during rport gone
+ - [s390*] zfcp: retain trace level for SCSI and HBA FSF response records
+ - [s390*] zfcp: restore: Dont use 0 to indicate invalid LUN in rec trace
+ - [s390*] zfcp: trace on request for open and close of WKA port
+ - [s390*] zfcp: restore tracing of handle for port and LUN with HBA records
+ - [s390*] zfcp: fix D_ID field with actual value on tracing SAN responses
+ - [s390*] zfcp: fix payload trace length for SAN request&response
+ - [s390*] zfcp: trace full payload of all SAN records (req,resp,iels)
+ - clk: divider: Fix clk_divider_round_rate() to use clk_readl()
+ - [x86] dumpstack: Fix x86_32 kernel_stack_pointer() previous stack access
+ - PCI: Mark Atheros AR9580 to avoid bus reset
+ - netfilter: restart search if moved to other chain
+ - uio: fix dmem_region_start computation
+ - platform: don't return 0 from platform_get_irq[_byname]() on error
+ - [arm64] debug: avoid resetting stepping state machine when TIF_SINGLESTEP
+ - ASoC: dapm: Fix value setting for _ENUM_DOUBLE MUX's second channel
+ - genirq/generic_chip: Add irq_unmap callback
+ - rtlwifi: Update regulatory database
+ - rtlwifi: Fix missing country code for Great Britain
+ - pwm: Unexport children before chip removal
+ - cx231xx: don't return error on success
+ - cx231xx: fix GPIOs for Pixelview SBTVD hybrid
+ - ext4: reinforce check of i_dtime when clearing high fields of uid and gid
+ - pstore/core: drop cmpxchg based updates
+ - pstore/ram: Use memcpy_toio instead of memcpy
+ - pstore/ram: Use memcpy_fromio() to save old buffer
+ - ipv4: accept u8 in IP_TOS ancillary data
+ - [armhf] phy: sun4i-usb: Use spinlock to guard phyctl register access
+ - dm: mark request_queue dead before destroying the DM device
+ - dm mpath: check if path's request_queue is dying in activate_path()
+ - ext4: bugfix for mmaped pages in mpage_release_unused_pages()
+ - [armhf] dts: exynos: Fix mismatched value for SD4 pull up/down
+ configuration on exynos4210
+ - reiserfs: Unlock superblock before calling reiserfs_quota_on_mount()
+ - sctp: do not return the transmit err back to sctp_sendmsg
+ - pkt_sched: fq: use proper locking in fq_dump_stats()
+ - [x86] iommu/amd: Free domain id when free a domain of struct
+ dma_ops_domain
+ - [powerpc*] nvram: Fix an incorrect partition merge
+ - ALSA: ali5451: Fix out-of-bound position reporting
+ - usb: misc: legousbtower: Fix NULL pointer deference
+ - net/mlx4_en: Fix wrong indentation
+ - net/mlx4_core: Fix deadlock when switching between polling and event fw
+ commands
+ - drm/radeon: narrow asic_init for virtualization
+ - [powerpc*] eeh: Null check uses of eeh_pe_bus_get
+ - ALSA: usb-audio: Extend DragonFly dB scale quirk to cover other variants
+ - netfilter: nft_exthdr: Add size check on u8 nft_exthdr attributes
+ - netfilter: nf_tables: validate maximum value of u32 netlink attributes
+ - svcrdma: Tail iovec leaves an orphaned DMA mapping
+ - blkcg: Annotate blkg_hint correctly
+ - ALSA: hda - Adding one more ALC255 pin definition for headset problem
+ - mmc: block: don't use CMD23 with very old MMC cards
+ - [powerpc*] KVM: Book3S: Treat VTB as a per-subcore register, not
+ per-thread
+ - [powerpc*] KVM: BookE: Fix a sanity check
+ - [powerpc*] KVM: Book3s PR: Allow access to unprivileged MMCR2 register
+ - NFSv4: Open state recovery must account for file permission changes
+ - Revert "usbtmc: convert to devm_kzalloc"
+ - drm/radeon/si/dpm: fix phase shedding setup
+ - [powerpc*/*64*] vdso64: Use double word compare on pointers
+ - ext4: release bh in make_indexed_dir
+ - [s390*] con3270: fix use of uninitialised data
+ - [s390*] con3270: fix insufficient space padding
+ - fuse: invalidate dir dentry after chmod
+ - fuse: fix killing s[ug]id in setattr
+ - fuse: listxattr: verify xattr list
+ - crypto: gcm - Fix IV buffer size in crypto_gcm_setkey
+ - staging: rtl8188eu: fix missing unlock on error in rtw_resume_process()
+ - staging: rtl8188eu: fix double unlock error in rtw_resume_process()
+ - UBI: fastmap: scrub PEB when bitflips are detected in a free PEB EC header
+ - ubi: Deal with interrupted erasures in WL
+ - ubi: Fix races around ubi_refill_pools()
+ - ubi: Fix Fastmap's update_vol()
+ - i40e: avoid NULL pointer dereference and recursive errors on early PCI
+ error
+ - [powerpc*] powernv: Use CPU-endian PEST in pnv_pci_dump_p7ioc_diag_data()
+ - mfd: rtsx_usb: Avoid setting ucr->current_sg.status
+ - async_pq_val: fix DMA memory leak
+ - mm: filemap: fix mapping->nrpages double accounting in fuse
+ - netlink: do not enter direct reclaim from netlink_dump()
+ - IB/srp: Fix infinite loop when FMR sg[0].offset != 0
+ - [x86] Input: elantech - add Fujitsu Lifebook E556 to force crc_enabled
+ - mm/hugetlb: fix memory offline with hugepage size > memory block size
+ - mm/hugetlb: check for reserved hugepages during memory offline
+ - vfs,mm: fix a dead loop in truncate_inode_pages_range()
+ - [powerpc*] pseries: Fix stack corruption in htpe code
+ - [powerpc*/*64*] Fix incorrect return value from __copy_tofrom_user
+ - [x86] panic: replace smp_send_stop() with kdump friendly version in panic
+ path
+ - [mips*] panic: replace smp_send_stop() with kdump friendly version in
+ panic path
+ - compiler: Allow 1- and 2-byte smp_load_acquire() and smp_store_release()
+ - ipc: remove use of seq_printf return value
+ - ipc/sem.c: fix complex_count vs. simple op race
+ - [mips*] ptrace: Fix regs_return_value for kernel context
+ - cifs: Display number of credits available
+ - cifs: Limit the overall credit acquired
+ - cifs: Set previous session id correctly on SMB3 reconnect
+ - cifs: SMB3: GUIDs should be constructed as random but valid uuids
+ - cifs: Clarify locking of cifs file and tcon structures and make more
+ granular
+ - cifs: Do not send SMB3 SET_INFO request if nothing is changing
+ - cifs: Cleanup missing frees on some ioctls
+ - fs/super.c: fix race between freeze_super() and thaw_super()
+ - scsi: Fix use-after-free
+ - mac80211: discard multicast and 4-addr A-MSDUs
+ - jbd2: fix incorrect unlock on j_list_lock
+ - drm/radeon: change vblank_time's calculation method to reduce
+ computational error.
+ - ipv6: correctly add local routes when lo goes up
+ - [s390*] scsi: zfcp: spin_lock_irqsave() is not nestable
+ - mmc: sdhci: cast unsigned int to unsigned long long to avoid unexpeted
+ error
+ - mmc: rtsx_usb_sdmmc: Avoid keeping the device runtime resumed when unused
+ - mmc: rtsx_usb_sdmmc: Handle runtime PM while changing the led
+ - memstick: rtsx_usb_ms: Runtime resume the device when polling for cards
+ - memstick: rtsx_usb_ms: Manage runtime PM when accessing the device
+ - [arm64] kernel: Init MDCR_EL2 even in the absence of a PMU
+ - netfilter: nf_tables: underflow in nft_parse_u32_check()
+ - ALSA: hda - allow 40 bit DMA mask for NVidia devices
+ - isofs: Do not return EACCES for unknown filesystems
+ - bridge: multicast: restore perm router ports on multicast enable
+ - hwrng: core - Don't use a stack buffer in add_early_randomness()
+ - [x86] Input: i8042 - add XMG C504 to keyboard reset table
+ - ubifs: Fix xattr_names length in exit paths
+ - ubifs: Abort readdir upon error
+ - target: Make EXTENDED_COPY 0xe4 failure return COPY TARGET DEVICE NOT
+ REACHABLE
+ - target: Don't override EXTENDED_COPY xcopy_pt_cmd SCSI status code
+ - [x86] xhci: add restart quirk for Intel Wildcatpoint PCH
+ - xhci: workaround for hosts missing CAS bit
+ - USB: serial: fix potential NULL-dereference at probe
+ - drm/radeon/si_dpm: Limit clocks on HD86xx part
+ - [arm64] KVM: Take S1 walks into account when determining S2 write faults
+ - [powerpc*] Convert cmp to cmpd in idle enter sequence
+ - ipv4: use the right lock for ping_group_range
+ - ACPI / APEI: Fix incorrect return value of ghes_proc()
+ - dm table: fix missing dm_put_target_type() in dm_table_add_target()
+ - [x86] mei: txe: don't clean an unprocessed interrupt cause.
+ - scsi: megaraid_sas: Fix data integrity failure for JBOD (passthrough)
+ devices
+ - [x86] hv: do not lose pending heartbeat vmbus packets
+ - ALSA: hda - Fix surround output pins for ASRock B150M mobo
+ - drm/radeon: drop register readback in cayman_cp_int_cntl_setup
+ - drm/radeon/si_dpm: workaround for SI kickers
+ - scsi: scsi_debug: Fix memory leak if LBP enabled and module is unloaded
+ - scsi: arcmsr: Send SYNCHRONIZE_CACHE command to firmware
+ - tty: vt, fix bogus division in csi_J
+ - tty: limit terminal size to 4M chars
+ - vt: clear selection before resizing
+ - netfilter: nf_conntrack_sip: extend request line validation
+ - netfilter: nf_tables: fix type mismatch with error return from
+ nft_parse_u32_check
+ - btrfs: fix races on root_log_ctx lists
+ - lib/genalloc.c: start search from start of chunk
+ - [s390*] hypfs: Use get_free_page() instead of kmalloc to ensure page
+ alignment
+ - [x86] KVM: fix wbinvd_dirty_mask use-after-free
+ - GenWQE: Fix bad page access during abort of resource allocation
+ - ubifs: Fix regression in ubifs_readdir()
+ - md: be careful not lot leak internal curr_resync value into metadata.
+ - net/mlx5: Avoid passing dma address 0 to firmware
+ - packet: on direct_xmit, limit tso and csum to supported devices
+ - net/mlx4_core: Fix the resource-type enum in res tracker to conform to FW
+ spec
+ - net/mlx4_en: Resolve dividing by zero in 32-bit system
+ - net/mlx4_en: Process all completions in RX rings after port goes up
+ - net/mlx4_en: Fix potential deadlock in port statistics flow
+ - [x86] iommu/vt-d: Fix IOMMU lookup for SR-IOV Virtual Functions
+ - virtio: console: Unlock vqs while freeing buffers
+ - netfilter: nf_tables: destroy the set if fail to add transaction
+ - [x86] mei: bus: fix received data size check in NFC fixup
+ - ipv6: Don't use ufo handling on later transformed packets
+ - can: bcm: fix warning in bcm_connect/proc_register
+ - bgmac: stop clearing DMA receive control register right after it is set
+ - uwb: fix device reference leaks
+ - [armel,armhf] gpio/mvebu: Use irq_domain_add_linear
+ - PM / sleep: fix device reference leak in test_suspend
+ - ip6_tunnel: Clear IP6CB in ip6tunnel_xmit()
+ - firewire: net: fix fragmented datagram_size off-by-one
+ - ipv4: allow local fragmentation in ip_finish_output_gso()
+ - i2c: core: fix NULL pointer dereference under race condition
+ - iio: hid-sensors: Fix compilation warning
+ - iio: hid-sensors: Increase the precision of scale to fix wrong reading
+ interpretation.
+ - [armhf] net: ethernet: ti: cpsw: fix device and of_node leaks
+ - scsi: megaraid_sas: fix macro MEGASAS_IS_LOGICAL to avoid regression
+ - rtnl: reset calcit fptr in rtnl_unregister()
+ - USB: cdc-acm: fix TIOCMIWAIT
+ - PM / sleep: don't suspend parent when async child suspend_{noirq, late}
+ fails
+ - [x86] ALSA: hda - Fix mic regression by ASRock mobo fixup
+ - swapfile: fix memory corruption via malformed swapfile
+ - coredump: fix unfreezable coredumping task
+ - dib0700: fix nec repeat handling
+ - scsi: mpt3sas: Fix secure erase premature termination
+ - neigh: check error pointer instead of NULL for ipv4_neigh_lookup()
+ - ipv4: use new_gw for redirect neigh lookup
+ - fuse: fix fuse_write_end() if zero bytes were copied
+ - [armhf] usb: chipidea: move the lock initialization to core file
+ - rtnetlink: fix rtnl_vfinfo_size
+ - mfd: core: Fix device reference leak in mfd_clone_cell
+ - nvme/pci: Don't free queues on error
+ - IB/uverbs: Fix leak of XRC target QPs
+ - IB/cm: Mark stale CM id's whenever the mad agent was unregistered
+ - IB/core: Avoid unsigned int overflow in sg_alloc_table
+ - IB/mlx5: Use cache line size to select CQE stride
+ - IB/mlx5: Resolve soft lock on massive reg MRs
+ - IB/mlx5: Fix NULL pointer dereference on debug print
+ - IB/mlx4: Fix create CQ error flow
+ - mwifiex: printk() overflow with 32-byte SSIDs
+ - of_mdio: fix node leak in of_phy_register_fixed_link error path
+ - cfg80211: limit scan results cache size
+ - [armhf] net: ethernet: ti: cpsw: fix bad register access in probe error
+ path
+ - [armhf] net: ethernet: ti: cpsw: fix mdio device reference leak
+ - [armhf] net: ethernet: ti: cpsw: fix secondary-emac probe error path
+ - KVM: Disable irq while unregistering user notifier
+ - [x86] KVM: fix missed SRCU usage in kvm_lapic_set_vapic_addr
+ - ext4: sanity check the block and cluster size at mount time
+ - l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind()
+ (CVE-2016-10200)
+ - apparmor: fix change_hat not finding hat after policy replacement
+ - [x86] traps: Ignore high word of regs->cs in early_fixup_exception()
+ - xc2028: Fix use-after-free bug properly
+ - [armhf] net: ethernet: mvneta: Remove IFF_UNICAST_FLT which is not
+ implemented
+ - net/mlx4: Fix uninitialized fields in rule when adding promiscuous mode
+ to device managed flow steering
+ - pwm: Fix device reference leak
+ - netfilter: arp_tables: fix invoking 32bit "iptable -P INPUT ACCEPT"
+ failed in 64bit kernel
+ - [powerpc*] eeh: Fix deadlock when PE frozen state can't be cleared
+ - batman-adv: Check for alloc errors when preparing TT local data
+ - locking/rtmutex: Prevent dequeue vs. unlock race
+ - ipv4: Set skb->protocol properly for local output
+ - ipv6: Set skb->protocol properly for local output
+ - tipc: check minimum bearer MTU
+ - [x86] perf: Fix full width counter, counter overflow
+ - fuse: fix clearing suid, sgid for chown()
+ - can: raw: raw_setsockopt: limit number of can_filter that can be set
+ - can: peak: fix bad memory access and free sequence
+ - ser_gigaset: return -ENOMEM on error instead of success
+ - vfs,mm: fix return value of read() at s_maxbytes
+ https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.41
+ - mnt: Add a per mount namespace limit on the number of mounts
+ (CVE-2016-6213)
+ - ext4: validate s_first_meta_bg at mount time (CVE-2016-10208)
+ https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.42
+ - net/sched: em_meta: Fix 'meta vlan' to correctly recognize zero VID frames
+ - ite-cir: initialize use_demodulator before using it
+ - usb: gadget: composite: correctly initialize ep->maxpacket
+ - usb: gadget: composite: always set ep->mult to a sensible value
+ - [armhf] usb: dwc3: gadget: set PCM1 field of isochronous-first TRBs
+ - [amd64] drm/gma500: Add compat ioctl
+ - enic: set skb->hash type properly
+ - xfs: fix up xfs_swap_extent_forks inline extent handling
+ - scsi: megaraid_sas: For SRIOV enabled firmware, ensure VF driver waits
+ for 30secs before reset
+ - PCI: Check for PME in targeted sleep state
+ - USB: UHCI: report non-PME wakeup signalling for Intel hardware
+ - [armhf] dts: imx6q-cm-fx6: fix fec pinctrl
+ - [powerpc] ibmebus: Fix device reference leaks in sysfs interface
+ - [powerpc] ibmebus: Fix further device reference leaks
+ - [powerpc*] pci/rpadlpar: Fix device reference leaks
+ - usb: xhci-mem: use passed in GFP flags instead of GFP_KERNEL
+ - dm rq: fix a race condition in rq_completed()
+ - ext4: fix mballoc breakage with 64k block size
+ - ext4: fix stack memory corruption with 64k block size
+ - IB/core: Save QP in ib_flow structure
+ - IB/mlx5: Put non zero value in max_ah
+ - IB/mlx5: Wait for all async command completions to complete
+ - IB/IPoIB: Remove can't use GFP_NOIO warning
+ - IB/mlx4: Set traffic class in AH
+ - IB/mlx4: Put non zero value in max_ah device attribute
+ - IB/mlx4: Fix port query for 56Gb Ethernet links
+ - scsi: mvsas: fix command_active typo
+ - ssb: Fix error routine when fallback SPROM fails
+ - usb: hub: Fix auto-remount of safely removed or ejected USB-3 devices
+ - [armhf] USB: phy: am335x-control: fix device and of_node leaks
+ - ext4: fix in-superblock mount options processing
+ - ext4: use more strict checks for inodes_per_block on mount
+ - ext4: add sanity checking to count_overhead()
+ - [powerpc*] KVM: Book3S HV: Save/restore XER in checkpointed register state
+ - dm crypt: mark key as invalid until properly loaded
+ - f2fs: set ->owner for debugfs status file's file_operations
+ - xen/gntdev: Use VM_MIXEDMAP instead of VM_IO to avoid NUMA balancing
+ - ALSA: usb-audio: Fix bogus error return in snd_usb_create_stream()
+ - md/raid5: limit request size according to implementation limits
+ - thermal: hwmon: Properly report critical temperature in sysfs
+ - USB: serial: kl5kusb105: fix open error path
+ - USB: serial: kl5kusb105: abort on open exception path
+ - [powerpc] ps3: Fix system hang with GCC 5 builds
+ - Btrfs: fix tree search logic when replaying directory entry deletes
+ - [armhf,arm64] bus: vexpress-config: fix device reference leak
+ - block: protect iterate_bdevs() against concurrent close
+ - NFS: Fix a performance regression in readdir
+ - xfs: set AGI buffer type in xlog_recover_clear_agi_bucket
+ - mmc: sdhci: Fix recovery from tuning timeout
+ - CIFS: Fix missing nls unload in smb2_reconnect()
+ - CIFS: Fix a possible memory corruption in push locks
+ - CIFS: Fix a possible memory corruption during reconnect
+ - [x86] ALSA: hda - Add inverted internal mic for Asus Aspire 4830T
+ - [x86] ALSA: hda - Add the top speaker pin config for HP Spectre x360
+ - [x86] ALSA: hda - Gate the mic jack on HP Z1 Gen3 AiO
+ - drm/radeon: Hide the HW cursor while it's out of bounds
+ - drm/radeon: Use mode h/vdisplay fields to hide out of bounds HW cursor
+ - drm/radeon: add additional pci revision to dpm workaround
+ - [armhf] xen: Use alloc_percpu rather than __alloc_percpu
+ - clk: clk-wm831x: fix a logic error
+ - hotplug: Make register and unregister notifier API symmetric
+ - iw_cxgb4: Fix error return code in c4iw_rdev_open()
+ - dm space map metadata: fix 'struct sm_metadata' leak on failed create
+ - md: MD_RECOVERY_NEEDED is set for mddev->recovery
+ - cfg80211/mac80211: fix BSS leaks when abandoning assoc attempts
+ - hwmon: (ds620) Fix overflows seen when writing temperature limits
+ - [i386] ftrace: Set ftrace_stub to weak to prevent gcc from using short
+ jumps to it
+ - fgraph: Handle a case where a tracer ignores set_graph_notrace
+ - nfs_write_end(): fix handling of short copies
+ - ext4: reject inodes with negative size
+ - ext4: return -ENOMEM instead of success
+ - [s390*] vmlogrdr: fix IUCV buffer allocation
+ - [armhf] hwmon: (g762) Fix overflows and crash seen when writing limit
+ attributes
+ - ALSA: hiface: Fix M2Tech hiFace driver sampling rate change
+ - libceph: verify authorize reply on connect
+ - fs/notify/inode_mark.c: use list_next_entry in fsnotify_unmount_inodes
+ - fsnotify: Fix possible use-after-free in inode iteration on umount
+ - IB/mlx4: When no DMFS for IPoIB, don't allow NET_IF QPs
+ - IB/mlx4: Fix out-of-range array index in destroy qp flow
+ - Btrfs: delayed-inode: replace root args iff only fs_info used
+ - btrfs: limit async_work allocation and worker func duration
+ - block_dev: don't test bdev->bd_contains when it is not stable
+ - IB/mad: Fix an array index check
+ - IPoIB: Avoid reading an uninitialized member variable
+ - IB/multicast: Check ib_find_pkey() return value
+ - [s390x] scsi: zfcp: fix use-after-"free" in FC ingress path after TMF
+ - [s390x] scsi: zfcp: do not trace pure benign residual HBA responses at
+ default level
+ - [s390x] scsi: zfcp: fix rport unblock race with LUN recovery
+ - scsi: avoid a permanent stop of the scsi device's request queue
+ - target/iscsi: Fix double free in lio_target_tiqn_addtpg()
+ - [x86] drivers/gpu/drm/ast: Fix infinite loop if read fails
+ - NFSv4.1: nfs4_fl_prepare_ds must be careful about reporting success.
+ - [x86] drm/i915/dsi: Do not clear DPOUNIT_CLOCK_GATE_DISABLE from
+ vlv_init_display_clock_gating
+ - fs: exec: apply CLOEXEC before changing dumpable task flags
+ - [x86] Input: i8042 - add Pegatron touchpad to noloop table
+ - net, sched: fix soft lockup in tc_classify
+ - [armhf] net: stmmac: Fix race between stmmac_drv_probe and stmmac_open
+ - [armhf net: stmmac: Fix error path after register_netdev move
+ - net/mlx4_core: Use-after-free causes a resource leak in flow-steering
+ detach
+ - net/mlx4_en: Fix bad WQE issue
+ - net/mlx4: Remove BUG_ON from ICM allocation routine
+ - [armhf] usb: dwc3: ep0: add dwc3_ep0_prepare_one_trb()
+ - [armhf] usb: dwc3: ep0: explicitly call dwc3_ep0_prepare_one_trb()
+ - [armhf] usb: dwc3: gadget: always unmap EP0 requests
+ - [armhf] usb: gadget: composite: Test get_alt() presence instead of
+ set_alt()
+ - [armhf] usb: gadgetfs: restrict upper bound on device configuration size
+ - [armhf] USB: gadgetfs: fix unbounded memory allocation bug
+ - [armhf] USB: gadgetfs: fix use-after-free bug
+ - [armhf] USB: gadgetfs: fix checks of wTotalLength in config descriptors
+ - btrfs: fix error handling when run_delayed_extent_op fails
+ - btrfs: fix locking when we put back a delayed ref that's too new
+ - xhci: free xhci virtual devices with leaf nodes first
+ - usb: xhci: fix possible wild pointer
+ - usb: host: xhci: Fix possible wild pointer when handling abort command
+ - xhci: Handle command completion and timeout race
+ - usb: xhci: hold lock over xhci_abort_cmd_ring()
+ - USB: serial: cyberjack: fix NULL-deref at open
+ - USB: serial: garmin_gps: fix memory leak on failed URB submit
+ - USB: serial: io_edgeport: fix NULL-deref at open
+ - USB: serial: io_ti: fix NULL-deref at open
+ - USB: serial: io_ti: fix another NULL-deref at open
+ - USB: serial: iuu_phoenix: fix NULL-deref at open
+ - USB: serial: keyspan_pda: verify endpoints at probe
+ - USB: serial: kobil_sct: fix NULL-deref in write
+ - USB: serial: mos7720: fix NULL-deref at open
+ - USB: serial: mos7720: fix use-after-free on probe errors
+ - USB: serial: mos7720: fix parport use-after-free on probe errors
+ - USB: serial: mos7720: fix parallel probe
+ - USB: serial: mos7840: fix NULL-deref at open
+ - USB: serial: mos7840: fix misleading interrupt-URB comment
+ - USB: serial: omninet: fix NULL-derefs at open and disconnect
+ - USB: serial: oti6858: fix NULL-deref at open
+ - USB: serial: pl2303: fix NULL-deref at open
+ - USB: serial: quatech2: fix sleep-while-atomic in close
+ - USB: serial: spcp8x5: fix NULL-deref at open
+ - USB: serial: ti_usb_3410_5052: fix NULL-deref at open
+ - [x86] iommu/amd: Fix the left value check of cmd buffer
+ - [x86] mei: move write cb to completion on credentials failures
+ - ALSA: hda - Apply asus-mode8 fixup to ASUS X71SL
+ - [x86] cpu: Fix bootup crashes by sanitizing the argument of the
+ 'clearcpuid=' command-line option
+ - [armhf] usb: musb: Fix trying to free already-free IRQ 4
+ - usb: hub: Move hub_port_disable() to fix warning if PM is disabled
+ - USB: fix problems with duplicate endpoint addresses
+ - selftests: do not require bash to run netsocktests testcase
+ - HID: hid-cypress: validate length of report (CVE-2017-7273)
+ - ata: sata_mv:- Handle return value of devm_ioremap.
+ - drm/radeon: drop verde dpm quirks
+ - [x86] boot: Add missing declaration of string functions
+ - USB: ch341: remove redundant close from open error path
+ - USB: ch341: set tty baud speed according to tty struct
+ - USB: serial: ch341: add register and USB request definitions
+ - USB: serial: ch341: reinitialize chip on reconfiguration
+ - USB: serial: ch341: fix initial modem-control state
+ - USB: serial: ch341: fix open and resume after B0
+ - USB: serial: ch341: fix modem-control and B0 handling
+ - USB: serial: ch341: fix open error handling
+ - USB: serial: ch341: fix resume after reset
+ - USB: serial: ch341: fix baud rate and line-control handling
+ - gro: Enter slow-path if there is no tailroom
+ - gro: Disable frag0 optimization on IPv6 ext headers
+ - ocfs2: fix crash caused by stale lvb with fsdlm plugin
+ - mm/hugetlb.c: fix reservation race when freeing surplus pages
+ - sysrq: attach sysrq handler correctly for 32-bit kernel
+ - USB: serial: ch341: fix control-message error handling
+ - gro: use min_t() in skb_gro_reset_offset()
+ - [x86] PCI: Ignore _CRS on Supermicro X8DTH-i/6/iF/6F
+ - xhci: fix deadlock at host remove by running watchdog correctly
+ - [x86] KVM: flush pending lapic jump label updates on module unload
+ - i2c: fix kernel memory disclosure in dev interface
+ - svcrpc: don't leak contexts on PROC_DESTROY
+ - netfilter: rpfilter: fix incorrect loopback packet judgment
+ - be2net: fix status check in be_cmd_pmac_add()
+ - net/mlx4_core: Fix racy CQ (Completion Queue) free
+ - net/mlx4_core: Fix when to save some qp context flags for dynamic VST to
+ VGT transitions
+ - net/mlx4_core: Eliminate warning messages for SRQ_LIMIT under SRIOV
+ - clocksource/exynos_mct: Clear interrupt when cpu is shut down
+ - ubifs: Fix journal replay wrt. xattr nodes
+ - qla2xxx: Fix crash due to null pointer access
+ - can: c_can_pci: fix null-pointer-deref in c_can_start() - set device
+ pointer
+ - ceph: fix bad endianness handling in parse_reply_info_extra
+ - [arm64] ptrace: Preserve previous registers for short regset write
+ - [arm64] ptrace: Avoid uninitialised struct padding in fpr_set()
+ - [arm64] ptrace: Reject attempts to set incomplete hardware breakpoint
+ fields
+ - net: fix harmonize_features() vs NETIF_F_HIGHDMA
+ - [arm64] avoid returning from bad_mode
+ - tcp: initialize max window for a new fastopen socket
+ - nbd: fix use-after-free of rq/bio in the xmit path
+ - nbd: only set MSG_MORE when we have more to send
+ - [powerpc*] ptrace: Preserve previous fprs/vsrs on short regset write
+ - [powerpc*] Ignore reserved field in DCSR and PVR reads and writes
+ - [x86] platform: intel_mid_powerbtn: Set IRQ_ONESHOT
+ - crypto: api - Clear CRYPTO_ALG_DEAD bit before registering an alg
+ - [arm64] crypto: aes-blk - honour iv_out requirement in CBC and CTR modes
+ - [powerpc*] Add missing error check to prom_find_boot_cpu()
+ - nfs: Don't increment lock sequence ID after NFS4ERR_MOVED
+ - ip6_tunnel: must reload ipv6h in ip6ip6_tnl_xmit()
+ - SUNRPC: cleanup ida information when removing sunrpc module
+ - netfilter: nft_log: restrict the log prefix length to 127
+ - mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp
+ - [x86] drm/i915: Don't leak edid in intel_crt_detect_ddc()
+ - sysctl: fix proc_doulongvec_ms_jiffies_minmax()
+ - nfs: Fix "Don't increment lock sequence ID after NFS4ERR_MOVED"
+ - can: bcm: fix hrtimer/tasklet termination in bcm op removal
+ - perf/core: Fix PERF_RECORD_MMAP2 prot/flags for anonymous memory
+ - [armel,armhf] 8643/3: ptrace: Preserve previous registers for short
+ regset write
+ - drm/nouveau/nv1a,nv1f/disp: fix memory clock rate retrieval
+ - mmc: sdhci: Ignore unexpected CARD_INT interrupts
+ - svcrpc: fix oops in absence of krb5 module
+ - net: use a work queue to defer net_disable_timestamp() work
+ - mm, fs: check for fatal signals in do_generic_file_read()
+ - netlabel: out of bound access in cipso_v4_validate()
+ - mac80211: Fix adding of mesh vendor IEs
+ - ALSA: seq: Don't handle loop timeout at snd_seq_pool_done()
+ - [x86] drm/i915: fix use-after-free in page_flip_completed()
+ - ALSA: seq: Fix race at creating a queue
+ - target: Use correct SCSI status during EXTENDED_COPY exception
+ - target: Fix early transport_generic_handle_tmr abort scenario
+ - target: Fix COMPARE_AND_WRITE ref leak for non GOOD status
+ - btrfs: fix btrfs_compat_ioctl failures on non-compat ioctls
+ - ping: fix a null pointer dereference
+ - [s390x] scsi: zfcp: fix use-after-free by not tracing WKA port open/close
+ on failed send
+ - xen-netfront: Delete rx_refill_timer in xennet_disconnect_backend()
+ - l2tp: do not use udp_ioctl()
+ - futex: Move futex_init() to core_initcall
+ - mmc: core: fix multi-bit bus width without high-speed mode
+ - vfs: fix uninitialized flags in splice_to_pipe()
+ - packet: call fanout_release, while UNREGISTERING a netdev
+ - packet: Do not call fanout_release from atomic contexts
+ - printk: use rcuidle console tracepoint
+ - sg: Fix missing sanity check in /dev/sg
+ - sched/cputime: Fix invalid gtime in proc
+ - decnet: Do not build routes to devices without decnet private data.
+ - route: do not cache fib route info on local routes with oif
+ - sch_htb: update backlog as well
+ - sch_dsmark: update backlog as well
+ - netem: Segment GSO packets on enqueue
+ - [x86] VSOCK: do not disconnect socket when peer has shutdown SEND only
+ - net: bridge: fix old ioctl unlocked net device walk
+ - udp: prevent skbs lingering in tunnel socket queues
+ - ipv6: Skip XFRM lookup if dst_entry in socket cache is valid
+ - sit: correct IP protocol used in ipip6_err
+ - ipmr/ip6mr: Initialize the last assert time of mfc entries.
+ - net: alx: Work around the DMA RX overflow issue
+ - cdc_ncm: workaround for EM7455 "silent" data interface
+ - bonding: set carrier off for devices created through netlink
+ - net: fix sk_mem_reclaim_partial()
+ - tcp: fix overflow in __tcp_retransmit_skb()
+ - net: avoid sk_forward_alloc overflows
+ - tcp: fix wrong checksum calculation on MTU probing
+ - net: Add netdev all_adj_list refcnt propagation to fix panic
+ - net: sctp, forbid negative length
+ - net: clear sk_err_soft in sk_clone_lock()
+ - net: mangle zero checksum in skb_checksum_help()
+ - dccp: do not send reset to already closed sockets
+ - dccp: fix out of bound access in dccp_v4_err()
+ - ipv6: dccp: fix out of bound access in dccp_v6_err()
+ - ipv6: dccp: add missing bind_conflict to dccp_ipv6_mapped
+ - sctp: assign assoc_id earlier in __sctp_connect
+ - sock: fix sendmmsg for partial sendmsg
+ - ip6_tunnel: disable caching when the traffic class is inherited
+ - net: sky2: Fix shutdown crash
+ - net/sched: pedit: make sure that offset is valid
+ - net/dccp: fix use-after-free in dccp_invalid_packet
+ - [x86] netvsc: reduce maximum GSO size
+ - ipv6: handle -EFAULT from skb_copy_bits
+ - drop_monitor: add missing call to genlmsg_end
+ - drop_monitor: consider inserted data in genlmsg_end
+ - igmp: Make igmp group member RFC 3376 compliant
+ - r8152: fix the sw rx checksum is unavailable
+ - tcp: fix tcp_fastopen unaligned access complaints on sparc
+ - ipv6: addrconf: Avoid addrconf_disable_change() using RCU read-side lock
+ - net: socket: fix recvmmsg not returning error from sock_error
+ - can: Fix kernel panic at security_sock_rcv_skb
+ - ipv6: fix ip6_tnl_parse_tlv_enc_lim()
+ - ipv6: pointer math error in ip6_tnl_parse_tlv_enc_lim()
+ - tcp: fix 0 divide in __tcp_select_window()
+ - tun: Fix TUN_PKT_STRIP setting
+ - tun: read vnet_hdr_sz once
+ - macvtap: read vnet_hdr_size once
+ - mlx4: Invoke softirqs after napi_reschedule
+ - sit: fix a double free on error path
+ - igmp: do not remove igmp souce list info when set link down
+ - mld: do not remove mld souce list info when set link down
+ - igmp, mld: Fix memory leak in igmpv3/mld_del_delrec()
+ - [x86] Revert "KVM: x86: expose MSR_TSC_AUX to userspace"
+ (regression in 3.16.7-ckt24)
+
+ [ Ben Hutchings ]
+ * locking/mutex: Don't assume TASK_RUNNING (Closes: #841171)
+ * can, tcp: Ignore ABI changes
+ * [arm64] ptrace: Avoid ABI change in 3.16.42
+ * [x86] Revert "x86/panic: replace smp_send_stop() with kdump friendly
+ version in panic path" to avoid ABI change
+ * net: Avoid ABI change for "net: fix sk_mem_reclaim_partial()"
+ * vfs: Avoid ABI change for "mnt: Add a per mount namespace limit ..."
+ * mmc: Avoid ABI change for "mmc: core: Annotate cmd_hdr as __le32"
+ * ext4: fix fencepost in s_first_meta_bg validation (regression in 3.16.41)
+ * timer: Restrict timer_stats to initial PID namespace (CVE-2017-5967)
+ * mbcache: Reschedule before restarting iteration in mb_cache_entry_alloc()
+ (mitigates CVE-2015-8952)
- * mnt: Add a per mount namespace limit on the number of mounts (CVE-2016-6213)
+ * vfs: Commit to never having executables on proc and sysfs
+ * aio: mark AIO pseudo-fs noexec (CVE-2016-10044)
- * l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind() (CVE-2016-10200)
- * ext4: validate s_first_meta_bg at mount time (CVE-2016-10208)
- -- Ben Hutchings <ben at decadent.org.uk> Mon, 13 Mar 2017 23:29:39 +0000
+ [ Salvatore Bonaccorso ]
+ * sunrpc: fix refcounting problems with auth_gss messages.
+ Thanks to Raphael Geissert <geissert at debian.org> (Closes: #852708)
+
+ -- Ben Hutchings <ben at decadent.org.uk> Sun, 01 Jan 2017 22:44:31 +0000
linux (3.16.39-1+deb8u2) jessie-security; urgency=high
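Review bot: The three entries removed near the end of this hunk (the mnt per-mount-namespace limit, the l2tp SOCK_ZAPPED race and the ext4 s_first_meta_bg validation) take CVE-2016-6213, CVE-2016-10200 and CVE-2016-10208 out of the Ben Hutchings section, so check that each id is still attached to the matching bullet in the upstream stable update list of the merged 3.16.42-1 entry. If any is missing there, add it to that bullet. Otherwise anyone matching CVE ids against the changelog will read the merged entry as not fixing those issues. The surviving "vfs: Commit to never having executables on proc and sysfs" entry has no CVE or bug reference. If it is kept as a prerequisite for the "aio: mark AIO pseudo-fs noexec (CVE-2016-10044)" entry that follows it, say so in the entry. The retained trailer is dated Sun, 01 Jan 2017, earlier than the removed Mon, 13 Mar 2017 trailer, and needs refreshing when the entry is finalised.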
diff --cc debian/patches/series
index b6ae870,2364ac8..5799f95
--- a/debian/patches/series
+++ b/debian/patches/series
@@@ -659,6 -660,57 +659,10 @@@ features/all/chaoskey/hwrng-chaoskey-Fi
features/all/chaoskey/chaoskey-3.16-no-hwrng-quality.patch
# Security fixes
-bugfix/all/sg-fix-double-free-when-drives-detach-during-sg_io.patch
-bugfix/all/perf-fix-race-in-swevent-hash.patch
-bugfix/all/tty-prevent-ldisc-drivers-from-re-using-stale-tty-fi.patch
-bugfix/all/usb-gadget-f_fs-fix-use-after-free.patch
-bugfix/all/hid-core-prevent-out-of-bound-readings.patch
-bugfix/all/netfilter-nfnetlink-correctly-validate-length-of-bat.patch
-bugfix/all/net-ping-check-minimum-size-on-icmp-header-length.patch
-features/all/net-add-__sock_queue_rcv_skb.patch
-bugfix/all/rose-limit-sk_filter-trim-to-payload.patch
-bugfix/all/dccp-limit-sk_filter-trim-to-payload.patch
-bugfix/all/tcp-take-care-of-truncations-done-by-sk_filter.patch
-bugfix/all/mpi-fix-null-ptr-dereference-in-mpi_powm-ver-3.patch
-bugfix/all/packet-fix-race-condition-in-packet_set_ring.patch
-bugfix/x86/fix-potential-infoleak-in-older-kernels.patch
-bugfix/all/sctp-validate-chunk-len-before-actually-using-it.patch
-bugfix/all/sg_write-bsg_write-is-not-fit-to-be-called-under-ker.patch
-bugfix/x86/kvm-x86-drop-error-recovery-in-em_jmp_far-and-em_ret.patch
-bugfix/all/net-avoid-signed-overflows-for-so_-snd-rcv-bufforce.patch
-bugfix/all/alsa-pcm-call-kill_fasync-in-stream-lock.patch
-bugfix/all/perf-Fix-event-ctx-locking.patch
-bugfix/all/perf-do-not-double-free.patch
-bugfix/all/perf-core-Fix-concurrent-sys_perf_event_open-vs.-mov.patch
-bugfix/all/dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch
-bugfix/all/fbdev-color-map-copying-bounds-checking.patch
-bugfix/all/sysctl-drop-reference-added-by-grab_header-in-proc_sys_readdir.patch
-bugfix/x86/kvm-x86-fix-emulation-of-mov-ss-null-selector.patch
-bugfix/x86/kvm-x86-introduce-segmented_write_std.patch
-bugfix/all/selinux-fix-off-by-one-in-setprocattr.patch
-bugfix/all/usb-serial-kl5kusb105-fix-line-state-error-handling.patch
-bugfix/all/tmpfs-clear-s_isgid-when-setting-posix-acls.patch
-bugfix/all/ip6_gre-fix-ip6gre_err-invalid-reads.patch
-bugfix/x86/kvm-fix-page-struct-leak-in-handle_vmon.patch
-bugfix/all/ipv4-keep-skb-dst-around-in-presence-of-ip-options.patch
-bugfix/all/ipc-shm-Fix-shmat-mmap-nil-page-protection.patch
-bugfix/all/sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch
-bugfix/all/sctp-deny-peeloff-operation-on-asocs-with-threads-sl.patch
-bugfix/all/tcp-avoid-infinite-loop-in-tcp_splice_read.patch
-bugfix/all/net-sock-add-sock_efree.patch
-bugfix/all/net-llc-avoid-BUG_ON-in-skb_orphan.patch
-bugfix/all/packet-fix-races-in-fanout_add.patch
-bugfix/all/TTY-n_hdlc-fix-lockdep-false-positive.patch
-bugfix/all/tty-n_hdlc-get-rid-of-racy-n_hdlc.tbuf.patch
-bugfix/x86/kvm-nvmx-allow-l1-to-intercept-software-exceptions-bp-and-of.patch
-bugfix/all/irda-fix-lockdep-annotations-in-hashbin_delete.patch
+ bugfix/all/timer-restrict-timer_stats-to-initial-pid-namespace.patch
+ bugfix/all/mbcache-reschedule-before-restarting-iteration-in-mb_cache_entry_alloc.patch
-bugfix/all/mnt-add-a-per-mount-namespace-limit-on-the-number-of.patch
+ bugfix/all/vfs-commit-to-never-having-exectuables-on-proc-and-s.patch
+ bugfix/all/aio-mark-aio-pseudo-fs-noexec.patch
-bugfix/all/l2tp-fix-racy-sock_zapped-flag-check-in-l2tp_ip-6-_b.patch
-bugfix/all/ext4-validate-s_first_meta_bg-at-mount-time.patch
# Fix ABI changes
debian/of-fix-abi-changes.patch
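Review bot: Nothing in this hunk or in the commit message ("Drop the redundant patches.") records which upstream stable release made each of the 47 removed entries under "# Security fixes" redundant. The hunk header shows the section going from 57 lines on the security branch to 10 in the result, with only the timer, mbcache, vfs and aio patches kept. Before release, confirm each dropped patch against the 3.16.40 to 3.16.42 upstream ChangeLogs. Check first the three whose changelog entries carried CVE ids (mnt-add-a-per-mount-namespace-limit-on-the-number-of.patch, l2tp-fix-racy-sock_zapped-flag-check-in-l2tp_ip-6-_b.patch, ext4-validate-s_first_meta_bg-at-mount-time.patch), because a fix dropped here without an upstream equivalent would be silently lost from the jessie branch. A minor style point on the added vfs line: the filename spells "exectuables", matching the diffstat, so the series entry resolves. But a search for the changelog's spelling "executables" will not find the patch, so consider renaming the file and the series entry together.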
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git