[linux] 01/01: Merge tag 'debian/3.16.43-2+deb8u4' into jessie
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Mon Sep 18 23:34:20 UTC 2017
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch jessie
in repository linux.
commit 8e26117bf8a45409ded5bd95ac2284c93b3865bf
Merge: 8f2c169 c0c1aab
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Tue Sep 19 00:33:33 2017 +0100
Merge tag 'debian/3.16.43-2+deb8u4' into jessie
Release linux (3.16.43-2+deb8u4).
debian/changelog | 43 ++-
...roperly-check-l2cap-config-option-output-.patch | 353 +++++++++++++++++++++
...-the-required-netlink-attributes-presence.patch | 36 +++
.../sanitize-move_pages-permission-checks.patch | 73 +++++
...-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch | 55 ++++
...xxx-fix-an-integer-overflow-in-sysfs-code.patch | 58 ++++
...alize-rcv_mss-to-tcp_min_mss-instead-of-0.patch | 35 ++
...-aty-do-not-leak-uninitialized-padding-in.patch | 30 ++
.../bugfix/all/xen-fix-bio-vec-merging.patch | 61 ++++
...realtime_inode-should-be-false-if-no-rt-d.patch | 68 ++++
...don-t-allow-l2-to-access-the-hardware-cr8.patch | 35 ++
debian/patches/series | 10 +
12 files changed, 845 insertions(+), 12 deletions(-)
diff --cc debian/changelog
index ecd68f5,ea28b72..4e0ed73
--- a/debian/changelog
+++ b/debian/changelog
@@@ -1,437 -1,34 +1,456 @@@
+linux (3.16.47-1) UNRELEASED; urgency=medium
+
+ * New upstream stable update:
+ https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.44
+ - [x86] drm/i915: relax uncritical udelay_range()
+ - adm80211: return an error if adm8211_alloc_rings() fails
+ - iio: st_pressure: Fix data sign
+ - rtlwifi: Fix alignment issues
+ - [mips*] Clear ISA bit correctly in get_frame_info()
+ - [mips*] Prevent unaligned accesses during stack unwinding
+ - [mips*] Fix get_frame_info() handling of microMIPS function size
+ - [mips*] Fix is_jump_ins() handling of 16b microMIPS instructions
+ - [mips*] Calculate microMIPS ra properly when unwinding the stack
+ - [mips*] Handle microMIPS jumps in the same way as MIPS32/MIPS64 jumps
+ - [x86] scsi: storvsc: use tagged SRB requests if supported by the device
+ - [x86] scsi: storvsc: Fix a bug in the handling of SRB status flags
+ - [x86] scsi: storvsc: properly handle SRB_ERROR when sense message is
+ present
+ - [x86] scsi: storvsc: properly set residual data length on errors
+ - IB/mlx5: Fix retrieval of index to first hi class bfreg
+ - samples/seccomp: fix 64-bit comparison macros
+ - clk: wm831x: fix usleep_range with bad range
+ - [x86] hv: vmbus_post_msg: retry the hypercall on some transient errors
+ - [x86] hv_vmbus: Add gradually increased delay for retries in
+ vmbus_post_msg()
+ - [x86] Drivers: hv: vmbus: Reduce the delay between retries in
+ vmbus_post_msg()
+ - [x86] Drivers: hv: vmbus: Raise retry/wait limits in vmbus_post_msg()
+ - [x86] hv: allocate synic pages for all present CPUs
+ - [x86] hv: init percpu_list in hv_synic_alloc()
+ - perf evlist: Fix typo in perf_evlist__start_workload()
+ - ext4: avoid deadlock when expanding inode size
+ - ext4: fix deadlock between inline_data and ext4_expand_extra_isize_ea()
+ - tty: serial: msm: Fix module autoload
+ - ath5k: drop bogus warning on drv_set_key with unsupported cipher
+ - ASoC: rt5640: use msleep() for long delays
+ - RDMA/core: Fix incorrect structure packing for booleans
+ - IB/ipoib: Set device connection mode only when needed
+ - IB/ipoib: Fix deadlock over vlan_mutex
+ - IB/ipoib: Fix deadlock between rmmod and set_mode
+ - IB/ipoib: rtnl_unlock can not come after free_netdev
+ - IB/ipoib: Replace list_del of the neigh->list with list_del_init
+ - IB/ipoib: Change list_del to list_del_init in the tx object
+ - locking/ww_mutex: Fix compilation of __WW_MUTEX_INITIALIZER
+ - USB: serial: ch341: fix modem-status handling
+ - USB: serial: ark3116: fix register-accessor error handling
+ - USB: serial: ark3116: fix open error handling
+ - USB: serial: ftdi_sio: fix modem-status error handling
+ - USB: serial: ftdi_sio: fix latency-timer error handling
+ - USB: serial: io_edgeport: fix epic-descriptor handling
+ - USB: serial: io_edgeport: fix descriptor error handling
+ - USB: serial: mct_u232: fix modem-status error handling
+ - USB: serial: quatech2: fix control-message error handling
+ - USB: serial: spcp8x5: fix modem-status handling
+ - USB: serial: ssu100: fix control-message error handling
+ - USB: serial: ti_usb_3410_5052: fix control-message error handling
+ - USB: serial: opticon: fix CTS retrieval at open
+ - staging: rtl: fix possible NULL pointer dereference
+ - mwifiex: debugfs: Fix (sometimes) off-by-1 SSID print
+ - blk-mq: Make bt_clear_tag() easier to read
+ - sbitmap: fix wakeup hang after sbq resize
+ - [armhf] usb: dwc3: gadget: skip Set/Clear Halt when invalid
+ - usb: gadget: define free_ep_req as universal function
+ - usb: gadget: f_hid: fix: Free out requests
+ - usb: gadget: f_hid: fix: Prevent accessing released memory
+ - usb: gadget: f_hid: Use spinlock instead of mutex
+ - W1: ds2490: Increase timeout when waiting for status
+ - w1: ds2490: USB transfer buffers need to be DMAable
+ - w1: don't leak refcount on slave attach failure in
+ w1_attach_slave_device()
+ - USB: serial: ftdi_sio: fix extreme low-latency setting
+ - iwlwifi: mvm: rs: Remove unused 'mcs' variable
+ - drm/ttm: Make sure BOs being swapped out are cacheable
+ - [armhf] clk: samsung: mark s3c...._clk_sleep_init() as __init
+ - drm/radeon: handle vfct with multiple vbios images
+ - ext4: trim allocation requests to group size
+ - ext4: use private version of page_zero_new_buffers() for data=journal mode
+ - ext4: fix data corruption in data=journal mode
+ - [arm*] KVM: Enforce unconditional flush to PoC when mapping to stage-2
+ - bcma: use (get|put)_device when probing/removing device driver
+ - staging: wlan-ng: add missing byte order conversion
+ - [x86] iommu/vt-d: Don't over-free page table directories
+ - uvcvideo: Fix a wrong macro
+ - USB: serial: digi_acceleport: fix OOB data sanity check
+ - USB: serial: digi_acceleport: fix incomplete rx sanity check
+ - USB: serial: keyspan_pda: fix receive sanity checks
+ - usb: misc: adutux: remove redundant error check on copy_to_user return
+ code
+ - [s390*] qdio: clear DSCI prior to scanning multiple input queues
+ - [x86] pci-calgary: Fix iommu_free() comparison of unsigned expression >= 0
+ - ext4: fix inline data error paths
+ - jbd2: don't leak modified metadata buffers on an aborted journal
+ - ext4: preserve the needs_recovery flag when the journal is aborted
+ - ext4: return EROFS if device is r/o and journal replay is needed
+ - [s390*] KVM: Disable dirty log retrieval for UCONTROL guests
+ - USB: serial: ftdi_sio: fix line-status over-reporting
+ - USB: serial: sierra: fix bogus alternate-setting assumption
+ - mwifiex: Avoid skipping WEP key deletion for AP
+ - ath9k: fix race condition in enabling/disabling IRQs
+ - NFSv4: Fix memory and state leak in _nfs4_open_and_get_state
+ - USB: serial: mos7840: fix another NULL-deref at open
+ - i2c: i2c-mux-gpio: rename i2c-gpio-mux to i2c-mux-gpio
+ - KEYS: Fix an error code in request_master_key()
+ - serial: exar: Fix initialization of EXAR registers for ports > 0
+ - [x86] drivers: hv: Turn off write permission on the hypercall page
+ - [armhf] mmc: host: omap_hsmmc: avoid possible overflow of timeout value
+ - md linear: fix a race between linear_add() and linear_congested()
+ - md: ensure md devices are freed before module is unloaded.
+ - nlm: Ensure callback code also checks that the files match
+ - IB/mlx5: Fix out-of-bound access
+ - IB/mlx5: Return error for unsupported signature type
+ - [powerpc*] xmon: Fix data-breakpoint
+ - ath9k: use correct OTP register offsets for the AR9340 and AR9550
+ - dm cache: fix corruption seen when using cache > 2TB
+ - [mips*] Fix special case in 64 bit IP checksumming.
+ - [mips*] OCTEON: Fix copy_from_user fault handling for large buffers
+ - sfc: do not device_attach if a reset is pending
+ - PM / QoS: Fix memory leak on resume_latency.notifiers
+ - mlx4: reduce OOM risk on arches with large pages
+ - [x86] KVM: VMX: use correct vmcs_read/write for guest segment
+ selector/base
+ - nfsd: update mtime on truncate
+ - nfsd: minor nfsd_setattr cleanup
+ - nfsd: special case truncates some more
+ - batman-adv: Fix double free during fragment merge error
+ - batman-adv: Fix transmission of final, 16th fragment
+ - drm/ttm: fix use-after-free races in vm fault handling
+ - NFSv4: Fix the underestimation of delegation XDR space reservation
+ - fuse: add missing FR_FORCE
+ - rdma_cm: fail iwarp accepts w/o connection params
+ - l2tp: Avoid schedule while atomic in exit_net
+ - net/dccp: fix use after free in tw_timer_handler()
+ - tcp: account for ts offset only if tsecr not zero
+ - scsi: aacraid: Fix memory leak in fib init path
+ - scsi: aacraid: Reorder Adapter status check
+ - mm: fix <linux/pagemap.h> stray kernel-doc notation
+ - [s390*] chsc: Add exception handler for CHSC instruction
+ - net/mlx4: Spoofcheck and zero MAC can't coexist
+ - net/mlx4_core: Fix VF overwrite of module param which disables DMFS on
+ new probed PFs
+ - net/mlx4_en: Use __skb_fill_page_desc()
+ - f2fs: use for_each_set_bit to simplify the code
+ - f2fs: add ovp valid_blocks check for bg gc victim to fg_gc
+ - NFSv4: fix getacl head length estimation
+ - NFSv4: fix getacl ERANGE for some ACL buffer sizes
+ - vxlan: correctly validate VXLAN ID against VXLAN_N_VID
+ - mm/page_alloc: fix nodes for reclaim in fast path
+ - mm: vmpressure: fix sending wrong events on underflow
+ - mm: do not access page->mapping directly on page_endio
+ - ipv4: mask tos for input route
+ - net sched actions: decrement module reference count after table flush.
+ - mac80211: flush delayed work when entering suspend
+ - drm/ast: Fix AST2400 POST failure without BMC FW or VBIOS
+ - ALSA: timer: Reject user params with too small ticks
+ - ALSA: ctxfi: Fallback DMA mask to 32bit
+ - ALSA: seq: Fix link corruption by event error handling
+ - net/mlx4: && vs & typo
+ - net: net_enable_timestamp() can be called from irq contexts
+ - can: usb_8dev: Fix memory leak of priv->cmd_msg_buffer
+ - virtio-console: avoid DMA from stack
+ - net: ipv6: check route protocol when deleting routes
+ - [x86] platform: acer-wmi: setup accelerometer when machine has
+ appropriate notify event
+ https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.45
+ - Allow stack to grow up to address space limit
- - [x86] KVM: fix singlestepping over syscall (CVE-2017-7518)
+ https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.46
+ - xfrm: policy: init locks early
+ - xen: do not re-use pirq number cached in pci device msi msg data
+ - scsi: libiscsi: add lock around task lists to fix list corruption
+ regression
+ - [x86] kprobes: Fix kernel panic when certain exception-handling addresses
+ are probed
+ - [s390*] KVM: Fix guest migration for huge guests resulting in panic
+ - batman-adv: Keep fragments equally sized
+ - net: phy: Do not perform software reset for Generic PHY
+ - [armhf] usb: dwc3: gadget: make Set Endpoint Configuration macros safe
+ - usb: gadget: function: f_fs: pass companion descriptor along
+ - USB: serial: digi_acceleport: fix OOB-event processing
+ - scsi: aacraid: Fix typo in blink status
+ - libceph: don't set weight to IN when OSD is destroyed
+ - [powerpc*] boot: Fix zImage TOC alignment
+ - scsi: lpfc: Add shutdown method for kexec
+ - target/pscsi: Fix TYPE_TAPE + TYPE_MEDIMUM_CHANGER export
+ - target: Fix VERIFY_16 handling in sbc_parse_cdb
+ - [mips*] End spinlocks with .insn
+ - USB: serial: io_ti: fix NULL-deref in interrupt callback
+ - USB: serial: safe_serial: fix information leak in completion handler
+ - dvb-usb: don't use stack for firmware load
+ - dvb-usb-firmware: don't do DMA on stack
+ - USB: iowarrior: fix NULL-deref in write
+ - md/raid1/10: fix potential deadlock
+ - udp: avoid ufo handling on IP payload compression packets
+ - [x86] platform/intel-mid: Correct MSI IRQ line for watchdog device
+ - NFSv4: fix a reference leak caused WARNING messages
+ - ipv6: make ECMP route replacement less greedy
+ - isdn/gigaset: fix NULL-deref at probe
+ - net: wimax/i2400m: fix NULL-deref at probe
+ - dccp/tcp: fix routing redirect race
+ - USB: idmouse: fix NULL-deref at probe
+ - USB: uss720: fix NULL-deref at probe
+ - USB: wusbcore: fix NULL-deref at probe
+ - uwb: hwa-rc: fix NULL-deref at probe
+ - uwb: i1480-dfu: fix NULL-deref at probe
+ - usb-core: Add LINEAR_FRAME_INTR_BINTERVAL USB quirk
+ - futex: Fix potential use-after-free in FUTEX_REQUEUE_PI
+ - futex: Add missing error handling to FUTEX_REQUEUE_PI
+ - ext4: mark inode dirty after converting inline directory
+ - [armhf] iio: adc: ti_am335x_adc: fix fifo overrun recovery
+ - net: properly release sk_frag.page
+ - sched/loadavg: Avoid loadavg spikes caused by delayed NO_HZ accounting
+ - nl80211: fix dumpit error path RTNL deadlocks
+ - perf/core: Fix event inheritance on fork()
+ - mmc: ushc: fix NULL-deref at probe
+ - Input: iforce - validate number of endpoints before using them
+ - Input: cm109 - validate number of endpoints before using them
+ - Input: ims-pcu - validate number of endpoints before using them
+ - Input: yealink - validate number of endpoints before using them
+ - Input: hanwang - validate number of endpoints before using them
+ - Input: kbtab - validate number of endpoints before using them
+ - Input: sur40 - validate number of endpoints before using them
+ - net: ipv6: set route type for anycast routes
+ - USB: usbtmc: add missing endpoint sanity check
+ - ACM gadget: fix endianness in notifications
+ - usb: hub: Fix crash after failure to read BOS descriptor
+ - perf symbols: Fix symbols__fixup_end heuristic for corner cases
+ - ALSA: ctxfi: Fix the incorrect check of dma_set_mask() call
+ - scsi: libsas: fix ata xfer length
+ - ALSA: seq: Fix racy cell insertions during snd_seq_pool_done()
+ - net: unix: properly re-increment inflight counter of GC discarded
+ candidates
+ - bpf: try harder on clones when writing into skb
+ - sch_dsmark: fix invalid skb_cow() usage
+ - bna: integer overflow bug in debugfs
+ - [s390*] decompressor: fix initrd corruption caused by bss clear
+ - usb: gadget: uvc: Fix endianness mismatches
+ - usb: gadget: f_uvc: Fix SuperSpeed companion descriptor's
+ wBytesPerInterval
+ - net/mlx5: Increase number of max QPs in default profile
+ - mmc: sdhci: Do not disable interrupts while waiting for clock
+ - libceph: force GFP_NOIO for socket allocations
+ - xen/acpi: upload PM state from init-domain to Xen
+ - [x86] KVM: clear bus pointer when destroyed
+ - KVM: kvm_io_bus_unregister_dev() should never fail
+ - hwmon: (asus_atk0110) fix uninitialized data access
+ - ALSA: seq: Fix race during FIFO resize
+ - net: phy: handle state correctly in phy_stop_machine
+ - IB/qib: fix false-postive maybe-uninitialized warning
+ - ext4: lock the xattr block before checksuming it
+ - USB: fix linked-list corruption in rh_call_control()
+ - netfilter: nf_nat_snmp: Fix panic when snmp_trap_helper fails to register
+ - [powerpc*] Disable HFSCR[TM] if TM is not supported
+ - virtio_balloon: init 1st buffer in stats vq
+ - virtio_balloon: prevent uninitialized variable use
+ - ACPI: Do not create a platform_device for IOAPIC/IOxAPIC
+ - ACPI / APEI: Add missing synchronize_rcu() on NOTIFY_SCI removal
+ - ACPI: Fix incompatibility with mcount-based function graph tracing
+ - xhci: Manually give back cancelled URB if we can't queue it for cancel
+ - l2tp: purge socket queues in the .destruct() callback
+ - [s390x] uaccess: get_user() should zero on failure (again)
+ - ubi/upd: Always flush after prepared for an update
+ - iscsi-target: Fix TMR reference leak during session shutdown
+ - [x86] drm/vmwgfx: Type-check lookups of fence objects
+ - [x86] drm/vmwgfx: avoid calling vzalloc with a 0 size in
+ vmw_get_cap_3d_ioctl()
+ - drm/ttm, drm/vmwgfx: Relax permission checking when opening surfaces
+ - [x86] drm/vmwgfx: Remove getparam error message
+ - mmc: sdhci: Disable runtime pm when the sdio_irq is enabled
+ - l2tp: fix race in l2tp_recv_common()
+ - l2tp: ensure session can't get removed during pppol2tp_session_ioctl()
+ - l2tp: fix duplicate session creation
+ - l2tp: take a reference on sessions used in genetlink handlers
+ - kernel.h: make abs() work with 64-bit types
+ - include/linux/kernel.h: change abs() macro so it uses consistent return
+ type
+ - iio: core: Fix IIO_VAL_FRACTIONAL_LOG2 for negative values
+ - iio: hid-sensor-attributes: Fix sensor property setting failure.
+ - iscsi-target: Drop work-around for legacy GlobalSAN initiator
+ - af_key: Add lock to key dump
+ - [armhf,arm64] kvm: Fix locking for kvm_free_stage2_pgd
+ - [powerpc*] Don't try to fix up misaligned load-with-reservation
+ instructions
+ - l2tp: take reference on sessions being dumped
+ - [powerpc*] kernel: Use kprobe blacklist for asm functions
+ - [powerpc*/*64*] Fix flush_(d|i)cache_range() called from modules
+ - crypto: caam - fix RNG deinstantiation error checking
+ - ring-buffer: Fix return value check in test_ringbuffer()
+ - CIFS: Handle mismatched open calls
+ - CIFS: Reset TreeId to zero on SMB2 TREE_CONNECT
+ - virtio_console: fix uninitialized variable use
+ - xen, fbfront: fix connecting to backend
+ - scsi: sr: Sanity check returned mode data
+ - ptrace: fix PTRACE_LISTEN race corrupting task->state
+ - l2tp: don't mask errors in pppol2tp_setsockopt()
+ - l2tp: don't mask errors in pppol2tp_getsockopt()
+ - [x86] vdso: Ensure vdso32_enabled gets set to valid values only
+ - [x86] vdso: Plug race between mapping and ELF header setup
+ - CIFS: remove bad_network_name flag
+ - [s390x] mm: fix CMMA vs KSM vs others
+ - [mips*] KGDB: Use kernel context for sleeping threads
+ - ALSA: seq: Don't break snd_use_lock_sync() loop by timeout
+ - zram: do not use copy_page with non-page aligned address
+ - [x86] perf: Avoid exposing wrong/stale data in intel_pmu_lbr_read_32()
+ - [x86] ftrace: Fix triple fault with graph tracing and suspend-to-ram
+ - p9_client_readdir() fix
+ - cifs: Do not send echoes before Negotiate is complete
+ - KEYS: Change the name of the dead type to ".dead" to prevent user access
+ - [x86] Input: elantech - add Fujitsu Lifebook E547 to force crc_enabled
+ - tracing: Allocate the snapshot buffer before enabling probe
+ - ACPI / power: Avoid maybe-uninitialized warning
+ - ring-buffer: Have ring_buffer_iter_empty() return true when empty
+ - mac80211: reject ToDS broadcast data frames
+ - smsc75xx: use skb_cow_head() to deal with cloned skbs
+ - cx82310_eth: use skb_cow_head() to deal with cloned skbs
+ - sr9700: use skb_cow_head() to deal with cloned skbs
+ - net: ipv6: send unsolicited NA if enabled for all interfaces
+ - [x86] Input: i8042 - add Clevo P650RS to the i8042 reset list
+ - macvlan: Fix device ref leak when purging bc_queue
+ - team: fix memory leaks
+ - ipv6: move stub initialization after ipv6 setup completion
+ - ceph: fix recursion between ceph_set_acl() and __ceph_setattr()
- - ALSA: timer: Fix race between read and ioctl (CVE-2017-1000380)
- - ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT
- (CVE-2017-1000380)
+ https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.47
+ - pvrusb2: reduce stack usage pvr2_eeprom_analyze()
+ - [x86] staging: comedi: jr3_pci: fix possible null pointer dereference
+ - [x86] staging: comedi: jr3_pci: cope with jiffies wraparound
+ - zd1211rw: fix NULL-deref at probe
+ - usb: hub: Fix error loop seen after hub communication errors
+ - usb: hub: Do not attempt to autosuspend disconnected devices
+ - serial_ir: iommap is a memory address, not bool
+ - mceusb: fix NULL-deref at probe
+ - USB: Proper handling of Race Condition when two USB class drivers try to
+ call init_usb_class simultaneously
+ - cdc-acm: fix possible invalid access when processing notification
+ - ath9k_htc: fix NULL-deref at probe
+ - IPoIB: Remove unnecessary test for NULL before debugfs_remove()
+ - IB/IPoIB: ibX: failed to create mcg debug file
+ - gspca: konica: add missing endpoint sanity check
+ - dib0700: fix NULL-deref at probe
+ - usbvision: fix NULL-deref at probe
+ - cx231xx-cards: fix NULL-deref at probe
+ - cx231xx-audio: fix init error path
+ - cx231xx-audio: fix NULL-deref at probe
+ - uvcvideo: Fix empty packet statistic
+ - padata: free correct variable
+ - [armhf] serial: omap: fix runtime-pm handling on unbind
+ - [armhf] serial: omap: suspend device on probe errors
+ - PCI: Fix pci_mmap_fits() for HAVE_PCI_RESOURCE_TO_USER platforms
+ - vfio/type1: Remove locked page accounting workqueue
+ - [x86] perf/pebs: Fix handling of PEBS buffer overflows
+ - [x86] perf: Fix spurious NMI with PEBS Load Latency event
+ - ftrace: Fix removing of second function probe
+ - net: ipv6: send unsolicited NA on admin up
+ - digitv: limit messages to buffer size
+ - zr364xx: enforce minimum size when reading header
+ - PCI: Ignore write combining when mapping I/O port space
+ - PCI: Fix another sanity check bug in /proc/pci mmap
+ - PCI: Only allow WC mmap on prefetchable resources
+ - PCI: Freeze PME scan before suspending devices
+ - ttusb2: limit messages to buffer size
+ - dw2102: limit messages to buffer size
+ - ov2640: fix vflip control
+ - ath9k: off by one in ath9k_hw_nvram_read_array()
+ - [armhf,arm64] KVM: fix races in kvm_psci_vcpu_on
+ - usb: host: xhci: print correct command ring address
+ - mwifiex: pcie: fix cmd_buf use-after-free in remove/reset
+ - [x86] boot: Fix BSS corruption/overwrite bug in early x86 kernel startup
+ - NFS: Use GFP_NOIO for two allocations in writeback
+ - IB/ipoib: Update broadcast object if PKey value was changed in index 0
+ - HSI: ssi_protocol: double free in ssip_pn_xmit()
+ - IB/mlx4: Fix ib device initialization error flow
+ - [powerpc*] pseries: Fix of_node_put() underflow during DLPAR remove
+ - [powerpc*] sysfs: Fix reference leak of cpu device_nodes present at boot
+ - netfilter: ctnetlink: fix deadlock due to acquire _expect_lock twice
+ - netfilter: ctnetlink: make it safer when updating ct->status
+ - dm btree: fix for dm_btree_find_lowest_key()
+ - dm era: save spacemap metadata root after the pre-commit
+ - PCI: Disable boot interrupt quirk for ASUS M2N-LR
+ - fanotify: don't expose EOPENSTALE to userspace
+ - usb: Make sure usb/phy/of gets built-in
+ - [x86] mm: Fix flush_tlb_page() on Xen
+ - usb: misc: legousbtower: Fix buffers on stack
+ - mfd: omap-usb-tll: Fix inverted bit use for USB TLL mode
+ - dm ioctl: prevent stack leak in dm ioctl call
+ - staging: rtl8188eu: prevent an underflow in rtw_check_beacon_data()
+ - IB/core: If the MGID/MLID pair is not on the list return an error
+ - IB/core: For multicast functions, verify that LIDs are multicast LIDs
+ - libata: reject passthrough WRITE SAME requests
+ - ext4: evict inline data when writing to memory map
+ - Bluetooth: Fix user channel for 32bit userspace on 64bit kernel
+ - [armhf] Input: twl4030-pwrbutton - use correct device for irq request
+ - ip6_tunnel: Fix missing tunnel encapsulation limit option
+ - ipv6: Need to export ipv6_push_frag_opts for tunneling now.
+ - dm bufio: avoid a possible ABBA deadlock
+ - [arm64] KVM: Fix decoding of Rt/Rt2 when trapping AArch32 CP accesses
+ - [x86] drm/edid: Add 10 bpc quirk for LGD 764 panel in HP zBook 17 G2
+ - [powerpc*] eeh: Avoid use after free in eeh_handle_special_event()
+ - tcp: fix wraparound issue in tcp_lp
+ - cifs: small underflow in cnvrtDosUnixTm()
+ - CIFS: Set unicode flag on cifs echo request to avoid Mac error
+ - tg3: don't clear stats while tg3_close
+ - CIFS: fix oplock break deadlocks
+ - CIFS: SMB3: Work around mount failure when using SMB3 dialect to Macs
+ - ceph: fix memory leak in __ceph_setxattr()
+ - of: fix sparse warning in of_pci_range_parser_one
+ - target/fileio: Fix zero-length READ and WRITE handling
+ - fs/xattr.c: zero out memory copied to userspace in getxattr
+ - [i386] mm: Set the '__vmalloc_start_set' flag in initmem_init()
+ - virtio_net: fix support for small rings
+ - net/mlx4_en: Change the error print to debug print
+ - net/mlx4_en: Avoid adding steering rules with invalid ring
+ - [arm64] ensure extension of smp_store_release value
+ - [arm64] uaccess: ensure extension of access_ok() addr
- - timerfd: Protect the might cancel mechanism proper (CVE-2017-10661)
- - packet: fix tp_reserve race in packet_set_ring (CVE-2017-1000111)
- - ipv6: Should use consistent conditional judgement for ip6 fragment
- between __ip6_append_data and ip6_finish_output
- - udp: consistently apply ufo or fragmentation (CVE-2017-1000112)
+ - usb: misc: legousbtower: Fix memory leak
+ - net/mlx4: Fix the check in attaching steering rules
+
+ [ Ben Hutchings ]
- * binfmt_elf: use ELF_ET_DYN_BASE only for PIE (CVE-2017-1000370,
- CVE-2017-1000371)
- * xfrm: policy: check policy direction value (CVE-2017-11600)
+ * SCSI: Revert "scsi: scsi_error: count medium access timeout only once per
+ EH run" to avoid ABI change
+ * ttm: Avoid ABI change for ttm_ref_object_add() require_existing param
+ * cxgbi, IB, libiscsi, l2tp, rds: Ignore ABI changes
+
+ -- Ben Hutchings <ben at decadent.org.uk> Sun, 06 Aug 2017 22:03:56 +0100
+
+ linux (3.16.43-2+deb8u4) jessie-security; urgency=high
+
+ * [x86] KVM: fix singlestepping over syscall (CVE-2017-7518)
+ * binfmt_elf: use ELF_ET_DYN_BASE only for PIE (CVE-2017-1000370,
+ CVE-2017-1000371)
+ * ALSA: timer: Fix race between read and ioctl (CVE-2017-1000380)
+ * ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT
+ (CVE-2017-1000380)
+ * timerfd: Protect the might cancel mechanism proper (CVE-2017-10661)
+ * xfrm: policy: check policy direction value (CVE-2017-11600)
+ * packet: fix tp_reserve race in packet_set_ring (CVE-2017-1000111)
+ * ipv6: Should use consistent conditional judgement for ip6 fragment
+ between __ip6_append_data and ip6_finish_output
+ * udp: consistently apply ufo or fragmentation (CVE-2017-1000112)
+ * xen: fix bio vec merging (CVE-2017-12134) (Closes: #866511)
+ * nl80211: check for the required netlink attributes presence (CVE-2017-12153)
+ * [x86] kvm: nVMX: Don't allow L2 to access the hardware CR8 (CVE-2017-12154)
+ * scsi: qla2xxx: Fix an integer overflow in sysfs code (CVE-2017-14051)
+ * tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0 (CVE-2017-14106)
+ * Sanitize 'move_pages()' permission checks (CVE-2017-14140)
+ * video: fbdev: aty: do not leak uninitialized padding in clk to userspace
+ (CVE-2017-14156)
+ * xfs: XFS_IS_REALTIME_INODE() should be false if no rt device present
+ (CVE-2017-14340)
+ * scsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly
+ (CVE-2017-14489)
+ * Bluetooth: Properly check L2CAP config option output buffer length
+ (CVE-2017-1000251) (Closes: #875881)
+
+ -- Ben Hutchings <ben at decadent.org.uk> Mon, 18 Sep 2017 04:35:20 +0100
+
linux (3.16.43-2+deb8u3) jessie-security; urgency=high
* regulator: core: Fix regualtor_ena_gpio_free not to access pin after
diff --cc debian/patches/series
index cc75fca,6545a4e..6d55bc9
--- a/debian/patches/series
+++ b/debian/patches/series
@@@ -678,10 -679,70 +678,20 @@@ bugfix/all/pie-aslr/binfmt_elf-use-elf_
# Security fixes
bugfix/all/timer-restrict-timer_stats-to-initial-pid-namespace.patch
bugfix/all/mbcache-reschedule-before-restarting-iteration-in-mb_cache_entry_alloc.patch
-bugfix/all/ping-implement-proper-locking.patch
-bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch
-bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch
-bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch
-bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch
-bugfix/all/net-packet-fix-overflow-in-check-for-priv-area-size.patch
-bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch
-bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch
-bugfix/all/mm-mempolicy.c-fix-error-handling-in-set_mempolicy-a.patch
-bugfix/all/crypto-ahash-fix-einprogress-notification-callback.patch
-bugfix/all/usb-iowarrior-fix-null-deref-at-probe.patch
-bugfix/all/keys-special-dot-prefixed-keyring-name-bug-fix.patch
-bugfix/all/keys-reinstate-eperm-for-a-key-type-name-beginning-w.patch
-bugfix/all/keys-disallow-keyrings-beginning-with-.-to-be-joined.patch
-bugfix/all/keys-fix-keyctl_set_reqkey_keyring-to-not-leak-threa.patch
-bugfix/all/mm-huge_memory.c-fix-up-mm-huge_memory.c-respect-fol.patch
-bugfix/all/tracing-use-strlcpy-instead-of-strcpy-in-__trace_fin.patch
-bugfix/all/ipx-call-ipxitf_put-in-ioctl-error-path.patch
-bugfix/all/nfsd-check-for-oversized-nfsv2-v3-arguments.patch
-bugfix/all/nfsd4-minor-nfsv2-v3-write-decoding-cleanup.patch
-bugfix/all/nfsd-stricter-decoding-of-write-like-nfsv2-v3-ops.patch
-bugfix/all/media-dvb-usb-v2-avoid-use-after-free.patch
-bugfix/all/dccp-tcp-do-not-inherit-mc_list-from-parent.patch
-bugfix/all/usb-serial-io_ti-fix-information-leak-in-completion-.patch
-bugfix/all/usb-serial-omninet-fix-reference-leaks-at-open.patch
-bugfix/all/ipv6-prevent-overrun-when-parsing-v6-header-options.patch
-bugfix/all/ipv6-check-ip6_find_1stfragopt-return-value-properly.patch
bugfix/all/ipv6-xfrm-handle-errors-reported-by-xfrm6_find_1stfr.patch
bugfix/all/ipv6-fix-leak-in-ipv6_gso_segment.patch
-bugfix/all/sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch
-bugfix/all/ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch
-bugfix/all/ipv6-fix-out-of-bound-writes-in-__ip6_append_data.patch
-bugfix/all/mm-larger-stack-guard-gap-between-vmas.patch
-bugfix/all/mm-fix-new-crash-in-unmapped_area_topdown.patch
-bugfix/all/regulator-core-Fix-regualtor_ena_gpio_free-not-to-ac.patch
-bugfix/x86/drm-vmwgfx-limit-the-number-of-mip-levels-in-vmw_gb_.patch
-bugfix/all/rxrpc-Fix-several-cases-where-a-padded-len-isn-t-che.patch
bugfix/all/brcmfmac-fix-possible-buffer-overflow-in-brcmf_cfg80.patch
-bugfix/all/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
-bugfix/x86/mm-Tighten-x86-dev-mem-with-zeroing-reads.patch
-bugfix/x86/drm-vmwgfx-Make-sure-backup_handle-is-always-valid.patch
-bugfix/all/xen-blkback-don-t-leak-stack-data-via-response-ring.patch
-bugfix/all/mqueue-fix-a-use-after-free-in-sys_mq_notify.patch
-bugfix/all/char-lp-fix-possible-integer-overflow-in-lp_setup.patch
-bugfix/all/fs-exec.c-account-for-argv-envp-pointers.patch
-bugfix/all/dentry-name-snapshots.patch
-bugfix/x86/kvm-x86-fix-singlestepping-over-syscall.patch
-bugfix/all/alsa-timer-fix-race-between-read-and-ioctl.patch
-bugfix/all/alsa-timer-fix-missing-queue-indices-reset-at.patch
-bugfix/all/timerfd-protect-the-might-cancel-mechanism-proper.patch
bugfix/all/xfrm-policy-check-policy-direction-value.patch
-bugfix/all/packet-fix-tp_reserve-race-in-packet_set_ring.patch
-bugfix/all/ipv6-should-use-consistent-conditional-judgement-for.patch
-bugfix/all/udp-consistently-apply-ufo-or-fragmentation.patch
+ bugfix/all/xen-fix-bio-vec-merging.patch
+ bugfix/all/nl80211-check-for-the-required-netlink-attributes-presence.patch
+ bugfix/x86/kvm-nvmx-don-t-allow-l2-to-access-the-hardware-cr8.patch
+ bugfix/all/scsi-qla2xxx-fix-an-integer-overflow-in-sysfs-code.patch
+ bugfix/all/tcp-initialize-rcv_mss-to-tcp_min_mss-instead-of-0.patch
+ bugfix/all/sanitize-move_pages-permission-checks.patch
+ bugfix/all/video-fbdev-aty-do-not-leak-uninitialized-padding-in.patch
+ bugfix/all/xfs-xfs_is_realtime_inode-should-be-false-if-no-rt-d.patch
+ bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch
+ bugfix/all/bluetooth-properly-check-l2cap-config-option-output-.patch
# Fix ABI changes
debian/of-fix-abi-changes.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list