Accepted linux-signed-amd64 4.19.282+1 (source) into oldstable
- To: debian-lts-changes@lists.debian.org, dispatch@tracker.debian.org
- Subject: Accepted linux-signed-amd64 4.19.282+1 (source) into oldstable
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Mon, 01 May 2023 06:50:20 +0000
- Debian: DAK
- Debian-architecture: source
- Debian-archive-action: accept
- Debian-changes: linux-signed-amd64_4.19.282+1_source.changes
- Debian-source: linux-signed-amd64
- Debian-suite: oldstable
- Debian-version: 4.19.282+1
- Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=ftp-master.debian.org; s=smtpauto.seger; h=Date:Message-Id: Content-Transfer-Encoding:Content-Type:Subject:MIME-Version:To:Reply-To:From: Cc:Content-ID:Content-Description:In-Reply-To:References; bh=i9Z61aYht9Wfff3ive1tPiCeQvla8yMUUKWIpliufNk=; b=PAfh53g2CseeCC+joKfxkfmZcz LKZjKpNbvoW5WI7dlotp92+D5TIFBdF+uJrCmNkDmDKl4OR96ibWIogbwDLOYkQD3TAFmlVr+U4px Fu1iSCKtn1+tDPFu6+V16R06naKJE6UxGmDPaliL1i8bTg8HE9ZHKPkMZhuwyBEk7vsA05D4RiGfa 6V6B2SApMX90EF3yAcG6PTXRG1EGRB+ukLsfRMQRWfA60OymWjMn6wYCEOfKltNwwcXQ5sMhLgk3+ 55CA3OibGkRqxtUnXX6lvYZlCkUodKr2eja7H8pwuq0k5qpDTc1YZY0BDWtv5TIfrmziiRLVYZ7MM V5Oa5aYw==;
- Mail-followup-to: debian-lts@lists.debian.org
- Message-id: <E1ptNMa-004ZMQ-SJ@seger.debian.org>
- Reply-to: debian-lts@lists.debian.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 29 Apr 2023 22:07:39 +0200
Source: linux-signed-amd64
Architecture: source
Version: 4.19.282+1
Distribution: buster-security
Urgency: high
Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org>
Changed-By: Ben Hutchings <benh@debian.org>
Changes:
linux-signed-amd64 (4.19.282+1) buster-security; urgency=high
.
* Sign kernel from linux 4.19.282-1
.
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.270
- mm/khugepaged: fix GUP-fast interaction by sending IPI
- mm/khugepaged: invoke MMU notifiers in shmem/file collapse paths
- block: unhash blkdev part inode when the part is deleted
- nfp: fix use-after-free in area_cache_get() (CVE-2022-3545)
- ASoC: ops: Check bounds for second channel in snd_soc_put_volsw_sx()
- can: sja1000: fix size of OCR_MODE_MASK define
- can: mcba_usb: Fix termination command argument
- ASoC: ops: Correct bounds check for second channel on SX controls
- udf: Discard preallocation before extending file with a hole
- udf: Fix preallocation discarding at indirect extent boundary
- udf: Do not bother looking for prealloc extents if i_lenExtents matches
i_size
- udf: Fix extending file within last block
- usb: gadget: uvc: Prevent buffer overflow in setup handler
- USB: serial: option: add Quectel EM05-G modem
- USB: serial: cp210x: add Kamstrup RF sniffer PIDs
- USB: serial: f81534: fix division by zero on line-speed change
- igb: Initialize mailbox message for VF reset
- Bluetooth: L2CAP: Fix u8 overflow (CVE-2022-45934)
- net: loopback: use NET_NAME_PREDICTABLE for name_assign_type
- [arm*] usb: musb: remove extra check in musb_gadget_vbus_draw
- [armhf] soc: ti: smartreflex: Fix PM disable depth imbalance in
omap_sr_probe
- [armhf] dts: dove: Fix assigned-addresses for every PCIe Root Port
- [armhf] dts: armada-370: Fix assigned-addresses for every PCIe Root Port
- [armhf] dts: armada-xp: Fix assigned-addresses for every PCIe Root Port
- [armhf] dts: armada-375: Fix assigned-addresses for every PCIe Root Port
- [armhf] dts: armada-38x: Fix assigned-addresses for every PCIe Root Port
- [armhf] dts: armada-39x: Fix assigned-addresses for every PCIe Root Port
- [armhf] dts: turris-omnia: Add ethernet aliases
- [armhf] dts: turris-omnia: Add switch port 6 node
- pstore/ram: Fix error return code in ramoops_probe()
- pstore: Avoid kcore oops by vmap()ing with VM_IOREMAP
- [x86] tpm/tpm_crb: Fix error message in __crb_relinquish_locality()
- [arm64] cpuidle: dt: Return the correct numbers of parsed idle states
- fs: don't audit the capability check in simple_xattr_list()
- selftests/ftrace: event_triggers: wait longer for test_event_enable
- perf: Fix possible memleak in pmu_dev_alloc()
- timerqueue: Use rb_entry_safe() in timerqueue_getnext()
- ocfs2: fix memory leak in ocfs2_stack_glue_init()
- PNP: fix name memory leak in pnp_alloc_dev()
- [x86] perf/x86/intel/uncore: Fix reference count leak in
hswep_has_limit_sbox() (regression in 4.19.189)
- [x86] cpufreq: amd_freq_sensitivity: Add missing pci_dev_put()
- lib/notifier-error-inject: fix error when writing -errno to debugfs file
- debugfs: fix error when writing negative value to atomic_t debugfs file
(regression in 4.19.160)
- ACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage()
- [x86] uprobes/x86: Allow to probe a NOP instruction with 0x66 prefix
- [x86] xen/events: only register debug interrupt for 2-level events
- [x86] xen: Fix memory leak in xen_smp_intr_init{_pv}()
- [x86] xen: Fix memory leak in xen_init_lock_cpu()
- xen/privcmd: Fix a possible warning in privcmd_ioctl_mmap_resource()
- PM: runtime: Improve path in rpm_idle() when no callback
- PM: runtime: Do not call __rpm_callback() from rpm_idle()
- [x86] platform/x86: mxm-wmi: fix memleak in mxm_wmi_call_mx[ds|mx]()
- fs: sysv: Fix sysv_nblocks() returns wrong value
- relay: fix type mismatch when allocating memory in relay_create_buf()
- hfs: Fix OOB Write in hfs_asc2mac
- wifi: ath9k: hif_usb: fix memory leak of urbs in
ath9k_hif_usb_dealloc_tx_urbs() (regression in 4.19.154)
- wifi: ath9k: hif_usb: Fix use-after-free in ath9k_hif_usb_reg_in_cb()
- wifi: rtl8xxxu: Fix reading the vendor of combo chips
- can: kvaser_usb: do not increase tx statistics when sending error message
frames
- can: kvaser_usb: kvaser_usb_leaf: Get capabilities from device
- can: kvaser_usb: kvaser_usb_leaf: Rename {leaf,usbcan}_cmd_error_event to
{leaf,usbcan}_cmd_can_error_event
- can: kvaser_usb: kvaser_usb_leaf: Handle CMD_ERROR_EVENT
- can: kvaser_usb_leaf: Set Warning state even without bus errors
- can: kvaser_usb_leaf: Fix improved state not being reported
- can: kvaser_usb_leaf: Fix wrong CAN state after stopping
- can: kvaser_usb_leaf: Fix bogus restart events
- can: kvaser_usb: Add struct kvaser_usb_busparams
- can: kvaser_usb: Compare requested bittiming parameters with actual
parameters in do_set_{,data}_bittiming
- media: vivid: fix compose size exceed boundary
- mtd: Fix device name leak when register device failed in add_mtd_device()
- wifi: rsi: Fix handling of 802.3 EAPOL frames sent via control port
- drm/radeon: Add the missed acpi_put_table() to fix memory leak
- regulator: core: fix unbalanced of node refcount in
regulator_dev_lookup()
- wifi: ath10k: Fix return value in ath10k_pci_init()
- [arm64] Input: elants_i2c - properly handle the reset GPIO when power is
off
- media: solo6x10: fix possible memory leak in solo_sysfs_init()
- HID: hid-sensor-custom: set fixed size for custom attributes
- bonding: Export skip slave logic to function
- media: imon: fix a race condition in send_packet()
- pinctrl: pinconf-generic: add missing of_node_put()
- media: dvb-core: Fix ignored return value in dvb_register_frontend()
- media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()
(CVE-2023-28328)
- [arm*] drm/tegra: Add missing clk_disable_unprepare() in tegra_dc_probe()
- NFSv4.2: Fix a memory stomp in decode_attr_security_label
- NFSv4: Fix a deadlock between nfs4_open_recover_helper() and delegreturn
- [x86] ALSA: asihpi: fix missing pci_disable_device()
- drm/radeon: Fix PCI device refcount leak in radeon_atrm_get_bios()
- drm/amdgpu: Fix PCI device refcount leak in amdgpu_atrm_get_bios()
- wifi: cfg80211: Fix not unregister reg_pdev when
load_builtin_regdb_keys() fails
- regulator: core: fix module refcount leak in set_supply()
- media: saa7164: fix missing pci_disable_device()
- ALSA: mts64: fix possible null-ptr-defer in snd_mts64_interrupt
- SUNRPC: Fix missing release socket in rpc_sockname()
- NFSv4.x: Fail client initialisation if state manager thread can't run
- mmc: rtsx_usb_sdmmc: fix return value check of mmc_add_host()
- mmc: toshsd: fix return value check of mmc_add_host()
- mmc: vub300: fix return value check of mmc_add_host()
- [armhf] mmc: wmt-sdmmc: fix return value check of mmc_add_host()
- [arm64] mmc: meson-gx: fix return value check of mmc_add_host()
- mmc: via-sdmmc: fix return value check of mmc_add_host()
- [x86] mmc: wbsd: fix return value check of mmc_add_host()
- [arm*] mmc: mmci: fix return value check of mmc_add_host()
- [armhf] clk: samsung: Fix memory leak in _samsung_clk_register_pll()
- wifi: rtl8xxxu: Add __packed to struct rtl8723bu_c2h
- wifi: brcmfmac: Fix error return code in brcmf_sdio_download_firmware()
- blktrace: Fix output non-blktrace event when blk_classic option enabled
- [armhf] clk: socfpga: use clk_hw_register for a5/c5
- [x86] net: vmw_vsock: vmci: Check memcpy_from_msg()
- net: defxx: Fix missing err handling in dfx_init()
- drivers: net: qlcnic: Fix potential memory leak in qlcnic_sriov_init()
- ethernet: s2io: don't call dev_kfree_skb() under spin_lock_irqsave()
- [x86] net: farsync: Fix kmemleak when rmmods farsync
- net/tunnel: wait until all sk_user_data reader finish before releasing
the sock
- [i386] hamradio: don't call dev_kfree_skb() under spin_lock_irqsave()
- [i386] net: amd: lance: don't call dev_kfree_skb() under
spin_lock_irqsave()
- [amd64,arm64] net: amd-xgbe: Fix logic around active and passive cables
- [amd64,arm64] net: amd-xgbe: Check only the minimum speed for active/
passive cables
- Bluetooth: btusb: don't call kfree_skb() under spin_lock_irqsave()
- Bluetooth: hci_qca: don't call kfree_skb() under spin_lock_irqsave()
- Bluetooth: hci_h5: don't call kfree_skb() under spin_lock_irqsave()
- [x86] Bluetooth: hci_bcsp: don't call kfree_skb() under
spin_lock_irqsave()
- Bluetooth: hci_core: don't call kfree_skb() under spin_lock_irqsave()
- Bluetooth: RFCOMM: don't call kfree_skb() under spin_lock_irqsave()
(regression in 4.19.254)
- [arm*] stmmac: fix potential division by 0 (regression in 4.19.122)
- apparmor: fix a memleak in multi_transaction_new()
- apparmor: fix lockdep warning when removing a namespace
- apparmor: Fix abi check to include v8 abi
- f2fs: fix normal discard process
- RDMA/nldev: Return "-EAGAIN" if the cm_id isn't from expected port
- [x86] scsi: scsi_debug: Fix a warning in resp_write_scat()
- PCI: Check for alloc failure in pci_request_irq()
- [amd64] RDMA/hfi: Decrease PCI device reference count in error path
- RDMA/rxe: Fix NULL-ptr-deref in rxe_qp_do_cleanup() when socket create
failed
- scsi: hpsa: use local workqueues instead of system workqueues
- scsi: hpsa: Fix possible memory leak in hpsa_init_one()
- crypto: tcrypt - Fix multibuffer skcipher speed test mem leak
- scsi: hpsa: Fix error handling in hpsa_add_sas_host()
- scsi: hpsa: Fix possible memory leak in hpsa_add_sas_device()
- scsi: fcoe: Fix possible name leak when device_register() fails
- [x86] scsi: ipr: Fix WARNING in ipr_init()
- scsi: fcoe: Fix transport not deattached when fcoe_if_init() fails
- scsi: snic: Fix possible UAF in snic_tgt_create()
- [amd64] RDMA/hfi1: Fix error return code in parse_platform_config()
- orangefs: Fix sysfs not cleanup when dev init failed
- [x86] hwrng: amd - Fix PCI device refcount leak
- [i386] hwrng: geode - Fix PCI device refcount leak
- IB/IPoIB: Fix queue count inconsistency for PKEY child interfaces
- [arm*] serial: tegra: avoid reg access when clk disabled
- [arm*] serial: tegra: check for FIFO mode enabled status
- [arm*] serial: tegra: set maximum num of uart ports to 8
- [arm*] serial: tegra: add support to use 8 bytes trigger
- [arm*] serial: tegra: add support to adjust baud rate
- [arm*] serial: tegra: report clk rate errors
- [arm*] serial: tegra: Add PIO mode support
- [arm*] tty: serial: tegra: Activate RX DMA transfer by request
- [arm*] serial: tegra: Read DMA status before terminating
- [x86] usb: typec: Check for ops->exit instead of ops->enter in
altmode_exit
- [arm*] serial: amba-pl011: avoid SBSA UART accessing DMACR register
- [arm*] serial: pl011: Do not clear RX FIFO & RX interrupt in unthrottle.
(regression in 4.19.253)
- [i386] serial: pch: Fix PCI device refcount leak in pch_request_dma()
- [x86] misc: sgi-gru: fix use-after-free error in gru_set_context_option,
gru_fault and gru_handle_user_call_os (CVE-2022-3424)
- misc: tifm: fix possible memory leak in tifm_7xx1_switch_media()
- usb: gadget: f_hid: optional SETUP/SET_REPORT mode
- usb: gadget: f_hid: fix f_hidg lifetime vs cdev
- usb: gadget: f_hid: fix refcount leak on error path
- chardev: fix error handling in cdev_device_add()
- [i386] i2c: pxa-pci: fix missing pci_disable_device() on error in
ce4100_i2c_probe
- [x86] staging: rtl8192u: Fix use after free in ieee80211_rx()
- [x86] staging: rtl8192e: Fix potential use-after-free in
rtllib_rx_Monitor()
- [x86] i2c: ismt: Fix an out-of-bounds bug in ismt_access()
(CVE-2022-2873)
- usb: storage: Add check for kcalloc
- tracing/hist: Fix issue of losting command info in error_log
- [x86] fbdev: pm2fb: fix missing pci_disable_device()
- [x86] fbdev: via: Fix error in via_core_init()
- [x86] fbdev: vermilion: decrease reference count in error path
- [x86] fbdev: uvesafb: Fixes an error handling path in uvesafb_probe()
- [armhf] HSI: omap_ssi_core: fix unbalanced pm_runtime_disable()
- [armhf] HSI: omap_ssi_core: fix possible memory leak in ssi_probe()
- power: supply: fix residue sysfs file in error handle route of
__power_supply_register()
- perf symbol: correction while adjusting symbol (regression in 4.19.255)
- [armhf] HSI: omap_ssi_core: Fix error handling in ssi_init()
- include/uapi/linux/swab: Fix potentially missing __always_inline
- [armhf] rtc: snvs: Allow a time difference on clock register read
- [amd64] iommu/amd: Fix pci device refcount leak in ppr_notifier()
- nfsd: under NFSv4.1, fix double svc_xprt_put on rpc_create failure
(regression in 4.19.130)
- [x86] mISDN: hfcsusb: don't call dev_kfree_skb/kfree_skb() under
spin_lock_irqsave()
- [x86] mISDN: hfcpci: don't call dev_kfree_skb/kfree_skb() under
spin_lock_irqsave()
- [x86] mISDN: hfcmulti: don't call dev_kfree_skb/kfree_skb() under
spin_lock_irqsave()
- nfc: pn533: Clear nfc_target before being used
- r6040: Fix kmemleak in probe and remove
- openvswitch: Fix flow lookup to use unmasked key
- skbuff: Account for tail adjustment during pull operations
- net_sched: reject TCF_EM_SIMPLE case for complex ematch module
- rxrpc: Fix missing unlock in rxrpc_do_sendmsg()
- myri10ge: Fix an error handling path in myri10ge_probe()
- net: stream: purge sk_error_queue in sk_stream_kill_queues()
(regression in 4.19.218)
- fs: jfs: fix shift-out-of-bounds in dbAllocAG
- udf: Avoid double brelse() in udf_rename()
- fs: jfs: fix shift-out-of-bounds in dbDiscardAG
- ACPICA: Fix error code path in acpi_ds_call_control_method()
- nilfs2: fix shift-out-of-bounds/overflow in nilfs_sb2_bad_offset()
- acct: fix potential integer overflow in encode_comp_t()
- hfs: fix OOB Read in __hfs_brec_find
- wifi: ath9k: verify the expected usb_endpoints are present
- wifi: ar5523: Fix use-after-free on ar5523_cmd() timed out
- bpf: make sure skb->len != 0 when redirecting to a tunneling device
- [i386] hamradio: baycom_epp: Fix return type of baycom_send_packet()
- wifi: brcmfmac: Fix potential shift-out-of-bounds in
brcmf_fw_alloc_request()
- igb: Do not free q_vector unless new one was allocated
- drm/amdgpu: Fix type of second parameter in trans_msg() callback
- drivers/md/md-bitmap: check the return value of md_bitmap_get_counter()
- md/raid1: stop mdx_raid1 thread when raid1 array run failed
- mrp: introduce active flags to prevent UAF when applicant uninit
- ppp: associate skb with a device at tx
- media: dvb-frontends: fix leak of memory fw
- media: dvbdev: adopts refcnt to avoid UAF
- media: dvb-usb: fix memory leak in dvb_usb_adapter_init()
- blk-mq: fix possible memleak when register 'hctx' failed
- regulator: core: fix use_count leakage when handling boot-on
- [arm64] mmc: f-sdh30: Add quirks for broken timeout clock capability
- media: si470x: Fix use-after-free in si470x_int_in_callback()
- orangefs: Fix kmemleak in orangefs_prepare_debugfs_help_string()
- [arm*] ASoC: rockchip: spdif: Add missing clk_disable_unprepare() in
rk_spdif_runtime_resume()
- [x86] ASoC: rt5670: Remove unbalanced pm_runtime_put()
- [arm*] usb: dwc3: core: defer probe on ulpi_read_id timeout
- HID: wacom: Ensure bootloader PID is usable in hidraw mode
- reiserfs: Add missing calls to reiserfs_security_free()
- media: dvbdev: fix refcnt bug
- ata: ahci: Fix PCS quirk application for suspend (regression in 4.19.77)
- HID: plantronics: Additional PIDs for double volume key presses quirk
- hfsplus: fix bug causing custom uid and gid being unable to be assigned
with mount
- ovl: Use ovl mounter's fsuid and fsgid in ovl_link()
- ALSA: line6: correct midi status byte when receiving data from podxt
- ALSA: line6: fix stack overflow in line6_midi_transmit
- pnode: terminate at peers of source
- md: fix a crash in mempool_free
- mmc: vub300: fix warning - do not call blocking ops when !TASK_RUNNING
- SUNRPC: Don't leak netobj memory when gss_read_proxy_verf() fails
- media: stv0288: use explicitly signed char
- dm cache: Fix ABBA deadlock between shrink_slab and
dm_cache_metadata_abort
- dm thin: Use last transaction's pmd->root when commit failed
- dm thin: Fix UAF in run_timer_softirq()
- dm cache: Fix UAF in destroy()
- dm cache: set needs_check flag after aborting metadata
- [x86] microcode/intel: Do not retry microcode reloading on the APs
- tracing: Fix infinite loop in tracing_read_pipe on overflowed
print_trace_line
- media: dvb-core: Fix double free in dvb_register_device()
(regression in 4.19.77)
- media: dvb-core: Fix UAF due to refcount races at releasing
(CVE-2022-41218)
- md/bitmap: Fix bitmap chunk size overflow issues
- ipmi: fix long wait in unload when IPMI disconnect
- ipmi: fix use after free in _ipmi_destroy_user()
- PCI: Fix pci_device_is_present() for VFs by checking PF
- PCI/sysfs: Fix double free in error path
- [amd64] iommu/amd: Fix ivrs_acpihid cmdline parsing code
- device_cgroup: Roll back to original exceptions after copy failure
- drm/connector: send hotplug uevent on connector cleanup
- [x86] drm/vmwgfx: Validate the box size for the snooped cursor
(CVE-2022-36280)
- ext4: add inode table check in __ext4_get_inode_loc to aovid possible
infinite loop
- ext4: add helper to check quota inums
- ext4: fix bug_on in __es_tree_search caused by bad boot loader inode
- ext4: init quota for 'old.inode' in 'ext4_rename'
- ext4: fix corruption when online resizing a 1K bigalloc fs
- ext4: fix error code return to user-space in ext4_get_branch()
- ext4: avoid BUG_ON when creating xattrs
- ext4: fix inode leak in ext4_xattr_inode_create() on an error path
- ext4: initialize quota before expanding inode in setproject ioctl
- ext4: avoid unaccounted block allocation when expanding inode
- ext4: allocate extended attribute value in vmalloc area
- btrfs: send: avoid unnecessary backref lookups when finding clone source
- btrfs: replace strncpy() with strscpy()
- dm thin: resume even if in FAIL mode
- perf probe: Use dwarf_attr_integrate as generic DWARF attr accessor
- perf probe: Fix to get the DW_AT_decl_file and DW_AT_call_file as
unsinged data
- driver core: Set deferred_probe_timeout to a longer default if
CONFIG_MODULES is set
- ext4: goto right label 'failed_mount3a'
- ext4: correct inconsistent error msg in nojournal mode
- ext4: use kmemdup() to replace kmalloc + memcpy
- mbcache: don't reclaim used entries
- mbcache: add functions to delete entry if unused
- ext4: remove EA inode entry from mbcache on inode eviction
- ext4: unindent codeblock in ext4_xattr_block_set()
- ext4: fix race when reusing xattr blocks
- mbcache: automatically delete entries from cache on freeing
- ext4: fix deadlock due to mbcache entry corruption
- SUNRPC: ensure the matching upcall is in-flight upon downcall
- bpf: pull before calling skb_postpull_rcsum()
- qlcnic: prevent ->dcb use-after-free on qlcnic_dcb_enable() failure
- nfc: Fix potential resource leaks
- [amd64,arm64] net: amd-xgbe: add missed tasklet_kill
- RDMA/mlx5: Fix validation of max_rd_atomic caps for DC
- net: sched: atm: dont intepret cls results when asked to drop
(CVE-2023-23455)
- usb: rndis_host: Secure rndis_query check against int overflow
- udf: Fix extension of the last extent in the file
- [x86] ASoC: Intel: bytcr_rt5640: Add quirk for the Advantech MICA-071
tablet
- [x86] bugs: Flush IBP in ib_prctl_set() (CVE-2023-0045)
- nfsd: fix handling of readdir in v4root vs. mount upcall timeout
- ext4: don't allow journal inode to have encrypt flag
- hfs/hfsplus: use WARN_ON for sanity check
- hfs/hfsplus: avoid WARN_ON() for sanity check, use proper error handling
- mbcache: Avoid nesting of cache->c_list_lock under bit locks
- driver core: Fix bus_type.match() error handling in __driver_attach()
- net: sched: disallow noqueue for qdisc classes (CVE-2022-47929)
- perf auxtrace: Fix address filter duplicate symbol selection
- net/ulp: prevent ULP without clone op from entering the LISTEN status
(CVE-2023-0461)
- ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF
(CVE-2023-0266)
- cifs: Fix uninitialized memory read for smb311 posix symlink create
- [x86] platform/x86: sony-laptop: Don't turn off 0x153 keyboard backlight
during probe
- ipv6: raw: Deduct extension header length in rawv6_push_pending_frames
(CVE-2023-0394)
- [x86] ALSA: hda/hdmi: fix failures at PCM open on Intel ICL and later
- quota: Factor out setup of quota inode
- ext4: fix bug_on in __es_tree_search caused by bad quota inode
- ext4: lost matching-pair of trace in ext4_truncate
- ext4: fix use-after-free in ext4_orphan_cleanup
- ext4: fix uninititialized value in 'ext4_evict_inode'
- netfilter: ipset: Fix overflow before widen in the bitmap_ip_create()
function.
- [x86] boot: Avoid using Intel mnemonics in AT&T syntax asm
- EDAC/device: Fix period calculation in edac_device_reset_delay_period()
- hvc/xen: lock console list traversal
- nfc: pn533: Wait for out_urb's completion in pn533_usb_send_frame()
- net/mlx5: Rename ptp clock info
- net/mlx5: Fix ptp max frequency adjustment range
- drm/virtio: Fix GEM handle creation UAF
- [arm64] cmpxchg_double*: hazard against entire exchange variable
- efi: fix NULL-deref in init error path (regression in 4.19.142)
- [arm*] tty: serial: tegra: Handle RX transfer in PIO mode if DMA wasn't
started
- [arm*] serial: tegra: Only print FIFO error message when an error occurs
- [arm*] serial: tegra: Change lower tolerance baud rate limit for tegra20
and tegra30
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.271
- pNFS/filelayout: Fix coalescing test for single DS
- net/ethtool/ioctl: return -EOPNOTSUPP if we have no phy stats
- RDMA/srp: Move large values to a new enum for gcc13
- f2fs: let's avoid panic if extent_tree is not created
- nilfs2: fix general protection fault in nilfs_btree_insert()
- xhci-pci: set the dma max_seg_size
- usb: xhci: Check endpoint is valid before dereferencing it
- xhci: Fix null pointer dereference when host dies
- xhci: Add a flag to disable USB3 lpm on a xhci root port level.
- prlimit: do_prlimit needs to have a speculation check (CVE-2023-0458)
- USB: serial: option: add Quectel EM05-G (GR) modem
- USB: serial: option: add Quectel EM05-G (CS) modem
- USB: serial: option: add Quectel EM05-G (RS) modem
- USB: serial: option: add Quectel EC200U modem
- USB: serial: option: add Quectel EM05CN (SG) modem
- USB: serial: option: add Quectel EM05CN modem
- USB: misc: iowarrior: fix up header size for
USB_DEVICE_ID_CODEMERCS_IOW100
- usb: core: hub: disable autosuspend for TI TUSB8041
- [x86] comedi: adv_pci1760: Fix PWM instruction handling
- [arm*] mmc: sunxi-mmc: Fix clock refcount imbalance during unbind
- cifs: do not include page data when checking signature
- USB: serial: cp210x: add SCALANCE LPE-9000 device id
- usb: gadget: f_ncm: fix potential NULL ptr deref in ncm_bitrate()
- usb-storage: apply IGNORE_UAS only for HIKSEMI MD202 on RTL9210
- [i386] serial: pch_uart: Pass correct sg to dma_unmap_sg()
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.272
- [armhf] dts: imx6qdl-gw560x: Remove incorrect 'uart-has-rtscts'
- [amd64] intel_ish-hid: Add check for ishtp_dma_tx_map
- [amd64] IB/hfi1: Reject a zero-length user expected buffer
- [amd64] IB/hfi1: Reserve user expected TIDs
- [amd64] IB/hfi1: Fix expected receive setup error exit issues
- affs: initialize fsdata in affs_truncate()
- amd-xgbe: TX Flow Ctrl Registers are h/w ver dependent
- amd-xgbe: Delay AN timeout during KR training
- bpf: Fix pointer-leak due to insufficient speculative store bypass
mitigation
- [arm64] phy: rockchip-inno-usb2: Fix missing clk_disable_unprepare() in
rockchip_usb2phy_power_on()
- net: nfc: Fix use-after-free in local_cleanup()
- wifi: rndis_wlan: Prevent buffer overflow in rndis_query_oid
(CVE-2023-23559)
- net: usb: sr9700: Handle negative len
- net: mdio: validate parameter addr in mdiobus_get_phy()
- HID: check empty report_list in hid_validate_values() (CVE-2023-1073)
- usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait
- usb: gadget: f_fs: Ensure ep0req is dequeued before free_request
- net: mlx5: eliminate anonymous module_init & module_exit
- dmaengine: Fix double increment of client_count in dma_chan_get()
- [arm64] net: macb: fix PTP TX timestamp failure due to packet padding
- HID: betop: check shape of output reports
- tcp: avoid the lookup process failing to get sk in ehash table
- w1: fix deadloop in __w1_remove_master_device()
- w1: fix WARNING after calling w1_process()
- netfilter: conntrack: do not renew entry stuck in tcp SYN_SENT state
- block: fix and cleanup bio_check_ro
- perf env: Do not return pointers to local variables
- fs: reiserfs: remove useless new_opts in reiserfs_remount
- Bluetooth: hci_sync: cancel cmd_timer if hci_open failed
- scsi: hpsa: Fix allocation size for scsi_host_alloc()
- module: Don't wait for GOING modules
- tracing: Make sure trace_printk() can output as soon as it can be used
- trace_events_hist: add check for return value of 'create_hist_field'
- smbd: Make upper layer decide when to destroy the transport
- cifs: Fix oops due to uncleared server->smbd_conn in reconnect
- EDAC/device: Respect any driver-supplied workqueue polling value
- net: fix UaF in netns ops registration error path (regression in
4.19.264)
- netfilter: nft_set_rbtree: skip elements in transaction from garbage
collection
- netlink: remove hash::nelems check in netlink_insert
- netlink: annotate data races around nlk->portid
- netlink: annotate data races around dst_portid and dst_group
- netlink: annotate data races around sk_state
- ipv4: prevent potential spectre v1 gadget in ip_metrics_convert()
- netfilter: conntrack: fix vtag checks for ABORT/SHUTDOWN_COMPLETE
- [x86] netrom: Fix use-after-free of a listening socket. (regression in
4.19.199)
- sctp: fail if no bound addresses can be used for a given scope
(CVE-2023-1074)
- net/tg3: resolve deadlock in tg3_reset_task() during EEH
- [x86] Revert "Input: synaptics - switch touchpad on HP Laptop 15-da3001TU
to RMI mode" (regression in 4.19.268)
- [x86] i8259: Mark legacy PIC interrupts with IRQ_LEVEL
- [x86] drm/i915/display: fix compiler warning about array overrun
- [armhf] dts: imx: Fix pca9547 i2c-mux node name
- [armhf] dmaengine: imx-sdma: Fix a possible memory leak in
sdma_transfer_init
- panic: unset panic_on_warn inside panic()
- exit: Add and use make_task_dead.
- exit: Put an upper limit on how often we can oops
- exit: Expose "oops_count" to sysfs
- exit: Allow oops_limit to be disabled
- panic: Consolidate open-coded panic_on_warn checks
- panic: Introduce warn_limit
- panic: Expose "warn_count" to sysfs
- docs: Fix path paste-o for /sys/kernel/warn_count
- exit: Use READ_ONCE() for all oops/warn limit reads
- ipv6: ensure sane device mtu in tunnels
- [arm*] usb: host: xhci-plat: add wakeup entry at sysfs
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.273
- firewire: fix memory leak for payload of request subaction to IEC 61883-1
FCP region
- [arm*] bus: sunxi-rsb: Fix error handling in sunxi_rsb_init()
- ALSA: hda/via: Avoid potential array out-of-bound in add_secret_dac_path()
- [x86] netrom: Fix use-after-free caused by accept on already connected
socket
- ata: libata: Fix sata_down_spd_limit() when no link speed is reported
- net: openvswitch: fix flow memory leak in ovs_flow_cmd_new
- scsi: target: core: Fix warning on RT kernels
- scsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress
(CVE-2023-2162)
- [arm*] i2c: rk3x: fix a bunch of kernel-doc warnings
- [arm64] usb: dwc3: dwc3-qcom: Fix typo in the dwc3 vbus override API
- [arm64] usb: dwc3: qcom: enable vbus override when in OTG dr-mode
- usb: gadget: f_fs: Fix unbalanced spinlock in __ffs_ep0_queue_wait
- vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF
- [x86] Input: i8042 - merge quirk tables
- [x86] Input: i8042 - add TUXEDO devices to i8042 quirk tables
- [x86] Input: i8042 - add Clevo PCX0DX to i8042 quirk table
- [x86] nVMX x86: Check VMX-preemption timer controls on vmentry of L2
guests
- [x86] KVM: VMX: Move caching of MSR_IA32_XSS to hardware_setup()
- [x86] KVM: x86/vmx: Do not skip segment attributes if unusable bit is set
- [x86] thermal: intel: int340x: Protect trip temperature from concurrent
updates
- fbcon: Check font dimension limits
- efi: Accept version 2 of memory attributes table
- iio: hid: fix the retval in accel_3d_capture_sample
- mm: hugetlb: proc: check for hugetlb shared PMD in /proc/PID/smaps
- mm/swapfile: add cond_resched() in get_swap_pages()
- Squashfs: fix handling and sanity checking of xattr_ids count
- serial: 8250_dma: Fix DMA Rx completion race
- serial: 8250_dma: Fix DMA Rx rearm race
- [x86] thermal: intel: int340x: Add locking to
int340x_thermal_get_trip_type()
- btrfs: limit device extents to the device size
- [x86] ALSA: emux: Avoid potential array out-of-bound in
snd_emux_xg_control()
- [amd64] IB/hfi1: Restore allocated resources on failed copyout
- [arm64] net: phy: meson-gxl: add g12a support
- [arm64] net: phy: meson-gxl: use MMD access dummy stubs for GXL, internal
PHY
- rds: rds_rm_zerocopy_callback() use list_first_entry() (CVE-2023-1078)
- ALSA: pci: lx6464es: fix a debug loop
- [arm*] pinctrl: single: fix potential NULL dereference
- [x86] pinctrl: intel: Convert unsigned to unsigned int
- [x86] pinctrl: intel: Restore the pins that used to be in Direct IRQ mode
- net: USB: Fix wrong-direction WARNING in plusb.c
- usb: core: add quirk for Alcor Link AK9563 smartcard reader
- [arm64] dts: meson-gx: Make mmc host controller interrupts level-
sensitive
- [arm64] dts: meson-axg: Make mmc host controller interrupts level-
sensitive
- bpf: Always return target ifindex in bpf_fib_lookup
- migrate: hugetlb: check for hugetlb shared PMD in node migration
- [x86] net/rose: Fix to not accept on connected socket
- nvme-fc: fix a missing queue put in nvmet_fc_ls_create_association
- aio: fix mremap after fork null-deref
- netfilter: nft_tproxy: restrict to prerouting hook
- mmc: sdio: fix possible resource leaks in some error paths
- ALSA: hda/conexant: add a new hda codec SN6180
- ALSA: hda/realtek - fixed wrong gpio assigned
- [armhf,i386] hugetlb: check for undefined shift on 32 bit architectures
- i40e: add double of VLAN header when computing the max MTU
- dccp/tcp: Avoid negative sk_forward_alloc by ipv6_pinfo.pktoptions.
- net/usb: kalmia: Don't pass act_len in usb_bulk_msg error path
- [arm*] net: stmmac: fix order of dwmac5 FlexPPS parametrization sequence
- bnxt_en: Fix mqprio and XDP ring checking logic
- [arm*] net: stmmac: Restrict warning on disabling DMA store and fwd mode
- net: mpls: fix stale pointer if allocation fails during device rename
(CVE-2023-26545)
- ipv6: Fix datagram socket connection with DSCP.
- ipv6: Fix tcp socket connection with DSCP.
- i40e: Add checking for null for nlmsg_find_attr()
- [x86] kvm: initialize all of the kvm_debugregs structure before sending
it to userspace (CVE-2023-1513)
- nilfs2: fix underflow in second superblock position calculations
- [arm64] net: phy: meson-gxl: Add generic dummy stubs for MMD register
access
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.274
- wifi: rtl8xxxu: gen2: Turn on the rate control
- random: always mix cycle counter in add_latent_entropy()
- can: kvaser_usb: hydra: help gcc-13 to figure out cmd_len
- alarmtimer: Prevent starvation by small intervals and SIG_IGN
- [x86] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
(CVE-2022-3707)
- mac80211: mesh: embedd mesh_paths and mpp_paths into ieee80211_if_mesh
- uaccess: Add speculation barrier to copy_from_user() (CVE-2023-0459)
- bpf: add missing header file include
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.275
- [armhf] dts: rockchip: add power-domains property to dp node on rk3288
- [amd64,arm64] ACPI: NFIT: fix a potential deadlock during NFIT teardown
- btrfs: send: limit number of clones and allocated memory size
- [amd64] IB/hfi1: Assign npages earlier
- net: Remove WARN_ON_ONCE(sk->sk_forward_alloc) from sk_stream_kill_queues().
- vc_screen: don't clobber return value in vcs_read
- USB: serial: option: add support for VW/Skoda "Carstick LTE"
- USB: core: Don't hold device lock while reading the "descriptors" sysfs
file
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.276
- HID: asus: Remove check for same LED brightness on set
- HID: asus: use spinlock to protect concurrent accesses
- HID: asus: use spinlock to safely schedule workers (CVE-2023-1079)
- [armhf] OMAP2+: Fix memory leak in realtime_counter_init()
- [armhf] imx: Call ida_simple_remove() for ida_simple_get
- [arm64] dts: meson-axg: enable SCPI
- blk-mq: remove stale comment for blk_mq_sched_mark_restart_hctx
- block: bio-integrity: Copy flags when bio_integrity_payload is cloned
- wifi: rsi: Fix memory leak in rsi_coex_attach()
- wifi: libertas: fix memory leak in lbs_init_adapter()
- wifi: rtl8xxxu: don't call dev_kfree_skb() under spin_lock_irqsave()
- rtlwifi: fix -Wpointer-sign warning
- wifi: rtlwifi: Fix global-out-of-bounds bug in
_rtl8812ae_phy_set_txpower_limit()
- ipw2x00: switch from 'pci_' to 'dma_' API
- wifi: ipw2x00: don't call dev_kfree_skb() under spin_lock_irqsave()
- wifi: ipw2200: fix memory leak in ipw_wdev_init()
- wifi: brcmfmac: fix potential memory leak in brcmf_netdev_start_xmit()
- wifi: brcmfmac: unmap dma buffer in brcmf_msgbuf_alloc_pktid()
- wifi: libertas_tf: don't call kfree_skb() under spin_lock_irqsave()
- wifi: libertas: if_usb: don't call kfree_skb() under spin_lock_irqsave()
- wifi: libertas: main: don't call kfree_skb() under spin_lock_irqsave()
- wifi: libertas: cmdresp: don't call kfree_skb() under spin_lock_irqsave()
- [x86] wifi: wl3501_cs: don't call kfree_skb() under spin_lock_irqsave()
- [x86] ACPICA: Drop port I/O validation for some regions
- genirq: Fix the return type of kstat_cpu_irqs_sum()
- lib/mpi: Fix buffer overrun when SG is too long
- ACPICA: nsrepair: handle cases without a return value correctly
- [x86] wifi: orinoco: check return value of hermes_write_wordrec()
- wifi: ath9k: htc_hst: free skb in ath9k_htc_rx_msg() if there is no
callback function
- wifi: ath9k: hif_usb: clean up skbs if ath9k_hif_usb_rx_stream() fails
- wifi: ath9k: Fix potential stack-out-of-bounds write in
ath9k_wmi_rsp_callback()
- [x86] ACPI: battery: Fix missing NUL-termination with large strings
- crypto: seqiv - Handle EBUSY correctly
- Bluetooth: L2CAP: Fix potential user-after-free
- libbpf: Fix alen calculation in libbpf_nla_dump_errormsg()
- rds: rds_rm_zerocopy_callback() correct order for list_add_tail()
- crypto: rsa-pkcs1pad - Use akcipher_request_complete
- wifi: iwl3945: Add missing check for create_singlethread_workqueue
- wifi: iwl4965: Add missing check for create_singlethread_workqueue()
- wifi: mwifiex: fix loop iterator in mwifiex_update_ampdu_txwinsize()
- wifi: mac80211: make rate u32 in sta_set_rate_info_rx()
- can: esd_usb: Move mislocated storage of SJA1000_ECC_SEG bits in case of
a bus error
- [arm*] drm/vc4: dpi: Add option for inverting pixel clock and output
enable
- [arm*] drm/vc4: dpi: Fix format mapping for RGB565
- [arm64] drm/msm/hdmi: Add missing check for alloc_ordered_workqueue
- ALSA: hda/ca0132: minor fix for allocation size
- drm/mipi-dsi: Fix byte order of 16-bit DCS set/get brightness
- [arm64] drm/msm: use strscpy instead of strncpy
- [arm64] drm/msm/dpu: Add check for pstates
- [arm*] gpu: host1x: Don't skip assigning syncpoints to channels
- [x86] ASoC: soc-compress.c: fixup private_data on snd_soc_new_compress()
- scsi: aic94xx: Add missing check for dma_map_single()
- nfsd: fix race to check ls_layouts
- gfs2: jdata writepage fix
- perf llvm: Fix inadvertent file creation
- [arm64] perf tools: Fix auto-complete on aarch64
- [armhf] mtd: rawnand: sunxi: Fix the size of the last OOB region
- Input: ads7846 - don't report pressure for ads7845
- Input: ads7846 - don't check penirq immediately for 7845
- clk: Honor CLK_OPS_PARENT_ENABLE in clk_core_is_enabled()
- [armhf] media: platform: ti: Add missing check for devm_regulator_get
- media: rc: Fix use-after-free bugs caused by ene_tx_irqsim()
(CVE-2023-1118)
- media: i2c: ov7670: 0 instead of -EINVAL was returned
- media: usb: siano: Fix use after free bugs caused by do_submit_urb
- [arm64] rpmsg: glink: Avoid infinite loop on intent for missing channel
- [armhf] dts: exynos: Use Exynos5420 compatible for the MIPI video phy
- wifi: brcmfmac: Fix potential stack-out-of-bounds in
brcmf_c_preinit_dcmds()
- rcu: Suppress smp_processor_id() complaint in
synchronize_rcu_expedited_wait()
- [x86] thermal: intel: Fix unsigned comparison with less than zero
- timers: Prevent union confusion from unexpected restart_syscall()
- [x86] bugs: Reset speculation control settings on init
- wifi: brcmfmac: ensure CLM version is null-terminated to prevent stack-
out-of-bounds
- inet: fix fast path in __inet_hash_connect()
- ACPI: Don't build ACPICA with '-Os'
- [x86] ACPI: video: Fix Lenovo Ideapad Z570 DMI match
- drm/amd/display: Fix potential null-deref in dm_resume
- [arm64] drm/msm/dsi: Add missing check for alloc_ordered_workqueue
- dm thin: add cond_resched() to various workqueue loops
- dm cache: add cond_resched() to various workqueue loops
- wifi: rtl8xxxu: fixing transmisison failure for rtl8192eu
- [arm64] rtc: pm8xxx: fix set-alarm race
- hfs: fix missing hfs_bnode_get() in __hfs_bnode_create
- fs: hfsplus: fix UAF issue in hfsplus_put_super
- f2fs: fix information leak in f2fs_move_inline_dirents()
- ocfs2: fix defrag path triggering jbd2 ASSERT
- ocfs2: fix non-auto defrag path not working issue
- udf: Truncate added extents on failed expansion
- udf: Do not bother merging very long extents
- udf: Do not update file length for failed writes to inline files
- udf: Fix file corruption when appending just after end of preallocated
extent
- [x86] virt: Force GIF=1 prior to disabling SVM (for reboot flows)
- [x86] crash: Disable virt in core NMI crash handler to avoid double
shootdown
- [x86] reboot: Disable virtualization in an emergency if SVM is supported
- [x86] reboot: Disable SVM, not just VMX, when stopping CPUs
- [x86] kprobes: Fix __recover_optprobed_insn check optimizing logic
- [x86] kprobes: Fix arch_check_optimized_kprobe check within
optimized_kprobe range
- [x86] microcode/amd: Remove load_microcode_amd()'s bsp parameter
- [x86] microcode/AMD: Add a @cpu parameter to the reloading functions
- [x86] microcode/AMD: Fix mixed steppings support
- [x86] speculation: Allow enabling STIBP with legacy IBRS (CVE-2023-1998)
- irqdomain: Fix association race
- irqdomain: Fix disassociation race
- irqdomain: Drop bogus fwspec-mapping error handling
- [x86] ALSA: ice1712: Do not left ice->gpio_mutex locked in
aureon_add_controls()
- ext4: optimize ea_inode block expansion
- ext4: refuse to create ea block when umounted
- wifi: rtl8xxxu: Use a longer retry limit of 48
- wifi: cfg80211: Fix use after free for wext
- dm flakey: fix logic when corrupting a bio
- dm flakey: don't corrupt the zero page
- [armhf] dts: exynos: correct TMU phandle in Exynos4
- [armhf] dts: exynos: correct TMU phandle in Odroid XU
- rbd: avoid use-after-free in do_rbd_add() when rbd_dev_create() fails
- scsi: qla2xxx: Fix link failure in NPIV environment
- scsi: qla2xxx: Fix erroneous link down
- scsi: ses: Don't attach if enclosure has no components
- scsi: ses: Fix slab-out-of-bounds in ses_enclosure_data_process()
- scsi: ses: Fix possible addl_desc_ptr out-of-bounds accesses
- scsi: ses: Fix possible desc_ptr out-of-bounds accesses
- scsi: ses: Fix slab-out-of-bounds in ses_intf_remove()
- [x86] PCI: Avoid FLR for AMD FCH AHCI adapters
- [x86] drm/radeon: Fix eDP for single-display iMac11,2
- wifi: ath9k: use proper statements in conditionals
- net/sched: Retire tcindex classifier (CVE-2023-1281, CVE-2023-1829)
- fs/jfs: fix shift exponent db_agl2size negative
- ubi: ensure that VID header offset + VID header size <= alloc, size
- ubifs: Rectify space budget for ubifs_symlink() if symlink is encrypted
- ubifs: Rectify space budget for ubifs_xrename()
- ubifs: Fix wrong dirty space budget for dirty inode
- ubifs: do_rename: Fix wrong space budget when target inode's nlink > 1
- ubifs: Reserve one leb for each journal head while doing budget
- ubi: Fix use-after-free when volume resizing failed
- ubi: Fix unreferenced object reported by kmemleak in ubi_resize_volume()
- ubi: Fix possible null-ptr-deref in ubi_free_volume()
- ubifs: Re-statistic cleaned znode count if commit failed
- ubifs: dirty_cow_znode: Fix memleak in error handling path
- ubifs: ubifs_writepage: Mark page dirty after writing inode failed
- ubi: Fix UAF wear-leveling entry in eraseblk_count_seq_show()
- ubi: ubi_wl_put_peb: Fix infinite loop when wear-leveling work failed
- [x86] watchdog: pcwd_usb: Fix attempting to access uninitialized memory
- netfilter: ctnetlink: fix possible refcount leak in
ctnetlink_create_conntrack()
- net: fix __dev_kfree_skb_any() vs drop monitor
- 9p/xen: fix version parsing
- 9p/xen: fix connection sequence
- 9p/rdma: unmap receive dma buffer in rdma_request()/post_recv()
- nfc: fix memory leak of se_io context in nfc_genl_se_io
- tcp: tcp_check_req() can be called from process context
- vc_screen: modify vcs_size() handling in vcs_read()
- [x86] scsi: ipr: Work around fortify-string warning
- tracing: Add NULL checks for buffer in ring_buffer_free_read_page()
- [x86] firmware/efi sysfb_efi: Add quirk for Lenovo IdeaPad Duet 3
- media: uvcvideo: Handle cameras with invalid descriptors
- media: uvcvideo: Handle errors from calls to usb_string
- media: uvcvideo: Silence memcpy() run-time false positive warnings
- tty: fix out-of-bounds access in tty_driver_lookup_tty()
- [x86] mei: bus-fixup:upon error print return values of send and receive
- USB: ene_usb6250: Allocate enough memory for full object
- [arm64] phy: rockchip-typec: Fix unsigned comparison with less than zero
- Bluetooth: hci_sock: purge socket queues in the destruct() callback
- tcp: Fix listen() regression in 4.19.270
- media: uvcvideo: Provide sync and async uvc_ctrl_status_event
- media: uvcvideo: Fix race condition with usb_kill_urb
- f2fs: fix cgroup writeback accounting with fs-layer encryption
- [x86] thermal: intel: powerclamp: Fix cur_state for multi package system
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.277
- wifi: cfg80211: Partial revert "wifi: cfg80211: Fix use after free for
wext"
- [x86] staging: rtl8192e: Remove function ..dm_check_ac_dc_power calling
a script
- [x86] staging: rtl8192e: Remove call_usermodehelper starting
RadioPower.sh
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.278
- fs: prevent out-of-bounds array speculation when closing a file
descriptor
- [x86] CPU/AMD: Disable XSAVES on AMD family 0x17
- ext4: fix RENAME_WHITEOUT handling for inline directories (regression in
4.19.183)
- ext4: fix another off-by-one fsmap error on 1k block filesystems
- ext4: move where set the MAY_INLINE_DATA flag is set
- ext4: fix WARNING in ext4_update_inline_data
- ext4: zero i_disksize when initializing the bootloader inode
- nfc: change order inside nfc_se_io error path
- udf: reduce leakage of blocks related to named streams
- udf: Remove pointless union in udf_inode_info
- udf: Preserve link count of system files
- udf: Detect system inodes linked into directory hierarchy
- kbuild: fix false-positive need-builtin calculation
- kbuild: generate modules.order only in directories visited by obj-y/m
- scsi: core: Remove the /proc/scsi/${proc_name} directory earlier
- tipc: improve function tipc_wait_for_cond()
- [x86] drm/i915: Don't use BAR mappings for ring buffers with LLC
- ila: do not generate empty messages in ila_xlat_nl_cmd_get_mapping()
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.279
- ext4: fix cgroup writeback accounting with fs-layer encryption
- fs: sysfs_emit_at: Remove PAGE_SIZE alignment check (regression in
4.19.179)
- tcp: tcp_make_synack() can be called from process context
- nfc: pn533: initialize struct pn533_out_arg properly
- qed/qed_dev: guard against a possible division by zero
- net: tunnels: annotate lockless accesses to dev->needed_headroom
- net: phy: smsc: bail out in lan87xx_read_status if genphy_read_status
fails
- nfc: st-nci: Fix use after free bug in ndlc_remove due to race condition
(CVE-2023-1990)
- net: usb: smsc75xx: Limit packet length to skb->len
- nvmet: avoid potential UAF in nvmet_req_complete()
- ipv4: Fix incorrect table ID in IOCTL path
- net: usb: smsc75xx: Move packet length check to prevent kernel panic in
skb_pull
- hwmon: (adt7475) Display smoothing attributes in correct order
- hwmon: (adt7475) Fix masking of hysteresis registers
- [arm64] hwmon: (xgene) Fix use after free bug in xgene_hwmon_remove due
to race condition (CVE-2023-1855)
- jffs2: correct logic when creating a hole in jffs2_write_begin
- ext4: fail ext4_iget if special inode unallocated
- ext4: fix task hung in ext4_xattr_delete_inode
- [amd64] drm/amdkfd: Fix an illegal memory access
- tracing: Check field value in hist_field_name()
- ftrace: Fix invalid address access in lookup_rec() when index is 0
- [x86] mm: Fix use of uninitialized buffer in sme_enable()
- [x86] drm/i915: Don't use stolen memory for ring buffers with LLC
- HID: core: Provide new max_buffer_size attribute to over-ride the default
- HID: uhid: Over-ride the default maximum data buffer value with our own
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.280
- power: supply: da9150: Fix use after free bug in da9150_charger_remove
due to race condition (CVE-2023-30772)
- i40evf: Change a VF mac without reloading the VF driver
- intel-ethernet: rename i40evf to iavf
- iavf: diet and reformat
- iavf: fix inverted Rx hash condition leading to disabled hash
- intel/igbvf: free irq on the error path in igbvf_request_msix()
- igbvf: Regard vf reset nack as success
- scsi: scsi_dh_alua: Fix memleak for 'qdata' in alua_activate()
- net: usb: smsc95xx: Limit packet length to skb->len
- qed/qed_sriov: guard against NULL derefs from qed_iov_get_vf_info
- [x86] xirc2ps_cs: Fix use after free bug in xirc2ps_detach
(CVE-2023-1670)
- [arm64] net: qcom/emac: Fix use after free bug in emac_remove due to race
condition
- bpf: Adjust insufficient default bpf_jit_limit
- net/mlx5: Read the TC mapping of all priorities on ETS query
- erspan: do not use skb_mac_header() in ndo_start_xmit()
- hvc/xen: prevent concurrent accesses to the shared ring
- [arm64] net: mdio: thunder: Add missing fwnode_handle_put()
- [arm64 ]Bluetooth: btqcomsmd: Fix command timeout after setting BD
address
- Bluetooth: btsdio: fix use after free bug in btsdio_remove due to
unfinished work (CVE-2023-1989)
- [x86] hwmon (it87): Fix voltage scaling for chips with 10.9mV ADCs
- uas: Add US_FL_NO_REPORT_OPCODES for JMicron JMS583Gen 2
- [x86] thunderbolt: Use const qualifier for `ring_interrupt_index`
- scsi: target: iscsi: Fix an error message in iscsi_check_key()
- scsi: ufs: core: Add soft dependency on governor_simpleondemand
- net: usb: cdc_mbim: avoid altsetting toggling for Telit FE990
- net: usb: qmi_wwan: add Telit 0x1080 composition
- cifs: empty interface list when server doesn't support query interfaces
- scsi: core: Add BLIST_SKIP_VPD_PAGES for SKhynix H28U74301AMR
- usb: gadget: u_audio: don't let userspace block driver unbind
- igb: revert rtnl_lock() that causes deadlock (regression in 4.19.256)
- dm thin: fix deadlock when swapping to thin device
- [arm*] usb: chipdea: core: fix return -EINVAL if request role is the same
with current role
- [arm*] usb: chipidea: core: fix possible concurrent when switch role
- nilfs2: fix kernel-infoleak in nilfs_ioctl_wrap_copy()
- [arm64] i2c: xgene-slimpro: Fix out-of-bounds bug in
xgene_slimpro_i2c_xfer() (CVE-2023-2194)
- dm stats: check for and propagate alloc_percpu failure
- dm crypt: add cond_resched() to dmcrypt_write()
- sched/fair: sanitize vruntime of entity being placed
- sched/fair: Sanitize vruntime of entity being migrated
- tun: avoid double free in tun_free_netdev (CVE-2022-4744)
- ocfs2: fix data corruption after failed write (regression in 4.19.155)
- md: avoid signed overflow in slot_store()
- [x86] ALSA: asihpi: check pao in control_message()
- ALSA: hda/ca0132: fixup buffer overrun at tuning_ctl_set()
- sched_getaffinity: don't assume 'cpumask_size()' is fully initialized
- [i386] fbdev: lxfb: Fix potential divide by zero
- scsi: megaraid_sas: Fix crash after a double completion
- can: bcm: bcm_tx_setup(): fix KMSAN uninit-value in vfs_write
- i40e: fix registers dump after run ethtool adapter self test
- [arm*] net: dsa: mv88e6xxx: Enable IGMP snooping on user ports only
- [arm*] net: mvneta: make tx buffer array agnostic
- [arm*] Input: alps - fix compatibility with -funsigned-char
- [arm*] Input: focaltech - use explicitly signed char type
- cifs: prevent infinite recursion in CIFSGetDFSRefer()
- cifs: fix DFS traversal oops without CONFIG_CIFS_DFS_UPCALL
- xen/netback: don't do grant copy across page boundary (regression in
4.19.269)
- [x86] ALSA: hda/conexant: Partial revert of a quirk for Lenovo
(regression in 4.19.256)
- ALSA: usb-audio: Fix regression on detection of Roland VS-100
(regression in 4.19.164)
- [armhf] drm/etnaviv: fix reference leak when mmaping imported buffer
- ext4: fix kernel BUG in 'ext4_write_inline_data_end()'
- gfs2: Always check inode size of inline inodes
- net: sched: cbq: dont intepret cls results when asked to drop
(CVE-2023-23454)
- cgroup/cpuset: Change cpuset_rwsem and hotplug lock order
- cgroup: Fix threadgroup_rwsem <-> cpus_read_lock() deadlock (regression
in 4.19.232)
- cgroup: Add missing cpus_read_lock() to cgroup_attach_task_all()
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.281
- pinctrl: Added IRQF_SHARED flag for amd-pinctrl driver
- pinctrl: amd: Use irqchip template
- pinctrl: amd: disable and mask interrupts on probe
- NFSv4: Convert struct nfs4_state to use refcount_t
- NFSv4: Check the return value of update_open_stateid()
- NFSv4: Fix hangs when recovering open state after a server reboot
- [arm64] pwm: cros-ec: Explicitly set .polarity in .get_state()
- wifi: mac80211: fix invalid drv_sta_pre_rcu_remove calls for non-uploaded
sta
- icmp: guard against too small mtu
- net: don't let netpoll invoke NAPI if in xmit context
- sctp: check send stream number after wait_for_sndbuf
- ipv6: Fix an uninit variable access bug in __ip6_make_skb()
- USB: serial: cp210x: add Silicon Labs IFS-USB-DATACABLE IDs
- USB: serial: option: add Telit FE990 compositions
- USB: serial: option: add Quectel RM500U-CN modem
- nilfs2: fix potential UAF of struct nilfs_sc_info in
nilfs_segctor_thread()
- nilfs2: fix sysfs interface lifetime
- [x86] ALSA: hda/realtek: Add quirk for Clevo X370SNW
- perf/core: Fix the same task check in perf_event_set_output
- ftrace: Mark get_lock_parent_ip() __always_inline
- ring-buffer: Fix race while reader and writer are on the same page
- mm/swap: fix swap_info_struct race between swapoff and get_swap_pages()
- [x86] ALSA: emu10k1: fix capture interrupt handler unlinking
- [x86] ALSA: hda/sigmatel: add pin overrides for Intel DP45SG motherboard
- [x86] ALSA: i2c/cs8427: fix iec958 mixer control deactivation
- [x86] ALSA: hda/sigmatel: fix S/PDIF out on Intel D*45* motherboards
- Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp}
- Bluetooth: Fix race condition in hidp_session_thread
- mtdblock: tolerate corrected bit-flips
- 9p/xen : Fix use after free bug in xen_9pfs_front_remove due to race
condition (CVE-2023-1859)
- niu: Fix missing unwind goto in niu_alloc_channels()
- qlcnic: check pci_reset_function result
- sctp: fix a potential overflow in sctp_ifwdtsn_skip
- [arm64] net: macb: fix a memory corruption in extended buffer descriptor
mode
- udp6: fix potential access to stale information
- [arm64] power: supply: cros_usbpd: reclassify "default case!" as debug
- [x86] efi: sysfb_efi: Add quirk for Lenovo Yoga Book X91F/L
- [amd64] verify_pefile: relax wrapper length check
- scsi: ses: Handle enclosure with just a primary component gracefully
- [x86] PCI: Add quirk for AMD XHCI controller that loses MSI-X state in
D3hot
- ubi: Fix failure attaching when vid_hdr offset equals to (sub)page size
- ubi: Fix deadlock caused by recursively holding work_sem
- cgroup/cpuset: Wake up cpuset_attach_wq tasks in cpuset_cancel_attach()
- [arm64] watchdog: sbsa_wdog: Make sure the timeout programming is within
the limits
- [x86] KVM: nVMX: add missing consistency checks for CR0 and CR4
(CVE-2023-30456)
- [arm64] KVM: arm64: Factor out core register ID enumeration
- [arm64] KVM: arm64: Filter out invalid core register IDs in
KVM_GET_REG_LIST (regression in 4.19)
- [arm64] KVM: Fix system register enumeration
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.282
- net: sched: sch_qfq: prevent slab-out-of-bounds in qfq_activate_agg
- virtio_net: bugfix overflow inside xdp_linearize_page()
- i40e: fix accessing vsi->active_filters without holding lock
- i40e: fix i40e_setup_misc_vector() error handling
- mlxfw: fix null-ptr-deref in mlxfw_mfa2_tlv_next()
- e1000e: Disable TSO on i219-LM card to increase speed
- f2fs: Fix f2fs_truncate_partial_nodes ftrace event
- [x86] Input: i8042 - add quirk for Fujitsu Lifebook A574/H
- scsi: megaraid_sas: Fix fw_crash_buffer_show()
- scsi: core: Improve scsi_vpd_inquiry() checks
- xen/netback: use same error messages for same errors
- nilfs2: initialize unused bytes in segment summary blocks
- memstick: fix memory leak if card device is never registered
- [x86] purgatory: Don't generate debug info for purgatory.ro
- Revert "ext4: fix use-after-free in ext4_xattr_set_entry" (regression in
4.19.256)
- ext4: remove duplicate definition of ext4_xattr_ibody_inline_set()
- ext4: fix use-after-free in ext4_xattr_set_entry
- udp: Call inet6_destroy_sock() in setsockopt(IPV6_ADDRFORM).
- tcp/udp: Call inet6_destroy_sock() in IPv6 sk->sk_destruct().
- inet6: Remove inet6_destroy_sock() in sk->sk_prot->destroy().
- dccp: Call inet6_destroy_sock() via sk->sk_destruct().
- sctp: Call inet6_destroy_sock() via sk->sk_destruct().
.
[ Ben Hutchings ]
* Bump ABI to 24
* [armhf] Disable LOCK_DOWN_KERNEL, LOCK_DOWN_IN_EFI_SECURE_BOOT, and
MODULE_SIG where we don't sign code (Closes: #825141)
* [rt] Update to 4.19.280-rt123:
- workqueue: Fix deadlock due to recursive locking of pool->lock
* [rt] netpoll: Fix netif_local_xmit_active() for 4.19-rt
Checksums-Sha1:
bfad0e545d0ea1d8ddba4ecdd3d1b41b00075438 7929 linux-signed-amd64_4.19.282+1.dsc
05e2c4412f3ef3bffaca892946ac4dec48d14274 2701128 linux-signed-amd64_4.19.282+1.tar.xz
Checksums-Sha256:
25c05cd5a6948c84efec01aff7e5cc7cd59a8e4e9d412a750754fd653086c1b9 7929 linux-signed-amd64_4.19.282+1.dsc
2dd4d7c17dfbf1de8e187d59fa344f1af23135f4da0794367f8349cb90b97bd9 2701128 linux-signed-amd64_4.19.282+1.tar.xz
Files:
361f86926f9b8f4be03917c73b25d900 7929 kernel optional linux-signed-amd64_4.19.282+1.dsc
b1567673bd6fa3e2cfa2ef20bf07e403 2701128 kernel optional linux-signed-amd64_4.19.282+1.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEfKFfvHEI+gkU+E+di0FRiLdONzYFAmRPQGMACgkQi0FRiLdO
NzZMzA/9HwRnXDFuqpfr+mIO3YM1yogxcGkmfZ5twh6MU7A8A4Gm4aSjn2VKw0es
PehkWg2P7oftPLi+mEiqX2iz5UwR3SbinoK0hdu7fYf4KQCoUUQxrDlyMXiRNEoF
f1EcdjJISeloagmTdBhnvPf2xudj7LqNNyjgH0nFkgb4ZoZQp5mqLUONHlhaPTUg
zKe9G/rnUeCf68XRgwYtGMQbIj0U6ur62xBkmidD3DXE3VJZu/VUS6+LeGaymky7
+HzEYCxZNe1kIkJFjlPo6j7FagYjH6w30aO5PaWNadSheGfCKK2FegAl34HX3m31
qMrQWZ6PoKpHh3iydf7W7Q7sdFfiI8C3AKDutJfPMOdU9nvLfvhmpVxxqRK+0Svi
EzhJRlWRwnwxo7wWBFoRsklbGf7SGm04GusTYtzptTGYmUXqbx/GNdF89d6UqjjT
p7PdM3w6y46Zc2ZEnWJ4S0RO1HUGHpcCepZuYC14yxmv+7lgsR0g1hJuVpzr9o5s
OZ5vDjPeR3GCM8Q/20WDazvV/bYtEtz6pcV5VZOr2wxBZreMPtfdYAAvrs7rdInI
JTzLOB7fUikxmb5KFfAQWDbCZnA1/dzUtBRRarkXJuUTGAYN05A1xHeByY/aEaPR
nSqQXw9Y8sbWNd/CRHGOE3NbUOXwgt7ou508/GYknvK7wxMio5w=
=J1kB
-----END PGP SIGNATURE-----