Accepted linux 3.16.84-1 (all source) into oldoldstable, oldoldstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 09 Jun 2020 14:00:02 +0100
Binary: linux-doc-3.16 linux-manual-3.16 linux-source-3.16 linux-support-3.16.0-11
Source: linux
Architecture: all source
Version: 3.16.84-1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org>
Changed-By: Ben Hutchings <benh@debian.org>
Description:
linux-doc-3.16 - Linux kernel specific documentation for version 3.16
linux-manual-3.16 - Linux kernel API manual pages for version 3.16
linux-source-3.16 - Linux kernel source for version 3.16 with Debian patches
linux-support-3.16.0-11 - Support files for Linux 3.16
Changes:
linux (3.16.84-1) jessie-security; urgency=high
.
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.82
- ALSA: line6: Drop superfluous snd_device for PCM
- ALSA: line6: Fix memory leak at line6_init_pcm() error path
- pstore/ram: Write new dumps to start of recycled zones
- [armhf] net: davinci_cpdma: use dma_addr_t for DMA address
- [armhf] stmmac: fix oversized frame reception
- [armhf] net: stmmac: use correct DMA buffer size in the RX descriptor
- [armhf] net: stmmac: don't stop NAPI processing when dropping a packet
- workqueue: Fix spurious sanity check failures in destroy_workqueue()
- ath9k_hw: fix uninitialized variable data
- ar5523: check NULL before memcpy() in ar5523_cmd()
- [i386] drm/i810: Prevent underflow in ioctl
- usbvision: remove power_on_at_open and timed power off
- usbvision-video: two use after frees
- usbvision: fix locking error
- media: usbvision: Fix invalid accesses after device disconnect
- media: usbvision: Fix races among open, close, and disconnect
- sunrpc: fix crash when cache_head become valid before update
- [x86] PCI: Fix Intel ACS quirk UPDCR register address
- Bluetooth: hci_core: fix init for HCI_USER_CHANNEL
- compat_ioctl: handle SIOCOUTQNSD
- [x86] ioapic: Prevent inconsistent state when moving an interrupt
- xfs: Sanity check flags of Q_XQUOTARM call
- cpuidle: Do not unset the driver if it is there already
- scsi: csiostor: Don't enable IRQs too early
- scsi: esas2r: unlock on error in esas2r_nvram_read_direct()
- [armhf] clk: samsung: exynos5420: Preserve CPU clocks configuration
during suspend/resume
- quota: fix livelock in dquot_writeback_dquots
- quota: Check that quota is not dirty before release
- scsi: core: scsi_trace: Use get_unaligned_be*()
- blk-mq: fix deadlock when reading cpu_list
- blk-mq: avoid sysfs buffer overflow with too many CPU cores
- blk-mq: make sure that line break can be printed
- [x86] staging: rtl8192e: fix potential use after free
- jbd2: Fix possible overflow in jbd2_log_space_left()
- bnx2x: Enable Multi-Cos feature.
- PM / devfreq: Lock devfreq in trans_stat_show
- scsi: tracing: Fix handling of TRANSFER LENGTH == 0 for READ(6) and
WRITE(6)
- [x86] usb: gadget: pch_udc: fix use after free
- usb: Allow USB device to be warm reset in suspended state
- appledisplay: fix error handling in the scheduled work
- inetpeer: fix data-race in inet_putpeer / inet_putpeer
- [x86] drm/i915/userptr: Try to acquire the page lock around
set_page_dirty()
- USB: serial: mos7720: fix remote wakeup
- USB: serial: mos7840: fix remote wakeup
- fuse: verify attributes
- fuse: verify nlink
- ASoC: Jack: Fix NULL pointer dereference in snd_soc_jack_report
- scsi: lpfc: fix: Coverity: lpfc_cmpl_els_rsp(): Null pointer dereferences
- [armhf] tty: serial: imx: use the sg count from dma_map_sg
- RDMA/srpt: Report the SCSI residual to the initiator
- futex: Prevent robust futex exit race
- [x86] speculation: Fix incorrect MDS/TAA mitigation status
- Btrfs: fix negative subv_writers counter and data space leak after
buffered write
- btrfs: check page->mapping when loading free space cache
- Bluetooth: delete a stray unlock
- ext4: work around deleting a file with i_nlink == 0 safely
(CVE-2019-19447)
- [x86] scsi: qla4xxx: fix double free bug
- scsi: bnx2i: fix potential use after free
- iwlwifi: check kasprintf() return value
- serial: serial_core: Perform NULL checks for break_ctl ops
- [x86] KVM: fix presentation of TSX feature in ARCH_CAPABILITIES
- [x86] KVM: do not modify masked bits of shared MSRs
- [x86] PCI: Avoid AMD FCH XHCI USB PME# from D0 defect
- [i386] ALSA: cs4236: fix error return comparison of an unsigned integer
- drm/radeon: fix bad DMA from INTERRUPT_CNTL2
- tty: vt: keyboard: reject invalid keycodes
- CIFS: Respect O_SYNC and O_DIRECT flags during reconnect
- CIFS: Fix SMB2 oplock break processing
- [x86] platform: hp-wmi: Fix ACPI errors caused by too small buffer
- [x86] platform: hp-wmi: Fix ACPI errors caused by passing 0 as input size
- macvlan: schedule bc_work even if error
- PCI/MSI: Fix incorrect MSI-X masking on resume
- [x86] ACPI / osl: speedup grace period in acpi_os_map_cleanup
- [x86] ACPI: OSL: only free map once in osl.c
- [x86] ACPI: bus: Fix NULL pointer check in acpi_bus_get_private_data()
- openvswitch: drop unneeded BUG_ON() in ovs_flow_cmd_build_info()
- openvswitch: remove another BUG_ON()
- cifs: Fix cifsInodeInfo lock_sem deadlock when reconnect occurs
- CIFS: Fix NULL-pointer dereference in smb2_push_mandatory_locks
- net: bridge: deny dev_set_mac_address() when unregistering
- drm/radeon: fix r1xx/r2xx register checker for POT textures
- xen/blkback: Avoid unmapping unmapped grant pages
- hrtimer: Get rid of the resolution field in hrtimer_clock_base
- ALSA: pcm: oss: Avoid potential buffer overflows
- tcp: md5: fix potential overestimation of TCP option space
- tcp: syncookies: extend validity range
- tcp: fix rejected syncookies due to stale timestamps
- tcp: Protect accesses to .ts_recent_stamp with {READ,WRITE}_ONCE()
- inet: protect against too small mtu values.
- deb-pkg: remove obsolete -isp option to dpkg-gencontrol
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.83
- libertas: don't exit from lbs_ibss_join_existing() with RCU read lock
held
- libertas: make lbs_ibss_join_existing() return error code on rates
overflow
- cfg80211/mac80211: make ieee80211_send_layer2_update a public function
- mac80211: Do not send Layer 2 Update frame before authorization
(CVE-2019-5108)
- [x86] microcode/AMD: Add support for fam17h microcode loading
- ext4: wait for existing dio workers in ext4_alloc_file_blocks()
- ext4: only call ext4_truncate when size <= isize
- ext4: update c/mtime on truncate up
- quota: fix wrong condition in is_quota_modification()
- ext4: fix races between page faults and hole punching (CVE-2015-8839)
- ext4: move unlocked dio protection from ext4_alloc_file_blocks()
(CVE-2015-8839)
- ext4: fix races between buffered IO and collapse / insert range
(CVE-2015-8839)
- ext4: fix races of writeback with punch hole and zero range
(CVE-2015-8839)
- Btrfs: fix wrong max inline data size limit
- btrfs: new define for the inline extent data start
- btrfs: kill extent_buffer_page helper
- btrfs: cleanup, rename a few variables in btrfs_read_sys_array
- btrfs: add more checks to btrfs_read_sys_array
- btrfs: cleanup, stop casting for extent_map->lookup everywhere
- btrfs: handle invalid num_stripes in sys_array
- btrfs: Enhance chunk validation check
- Btrfs: add validadtion checks for chunk loading
- Btrfs: check inconsistence between chunk and block group
- Btrfs: fix em leak in find_first_block_group
- Btrfs: detect corruption when non-root leaf has zero item
- Btrfs: check btree node's nritems
- Btrfs: fix BUG_ON in btrfs_mark_buffer_dirty
- Btrfs: memset to avoid stale content in btree node block
- Btrfs: improve check_node to avoid reading corrupted nodes
- Btrfs: kill BUG_ON in run_delayed_tree_ref
- Btrfs: memset to avoid stale content in btree leaf
- Btrfs: fix emptiness check for dirtied extent buffers at check_leaf()
- btrfs: struct-funcs, constify readers
- btrfs: Refactor check_leaf function for later expansion
- btrfs: Check if item pointer overlaps with the item itself
- btrfs: Add sanity check for EXTENT_DATA when reading out leaf
- btrfs: Add checker for EXTENT_CSUM
- btrfs: Move leaf and node validation checker to tree-checker.c
- btrfs: tree-checker: Enhance btrfs_check_node output
- btrfs: tree-checker: Fix false panic for sanity test
- btrfs: tree-checker: Add checker for dir item
- btrfs: tree-checker: use %zu format string for size_t
- btrfs: tree-check: reduce stack consumption in check_dir_item
- btrfs: tree-checker: Verify block_group_item (CVE-2018-14613)
- btrfs: tree-checker: Detect invalid and empty essential trees
(CVE-2018-14612)
- btrfs: validate type when reading a chunk (CVE-2018-14611)
- btrfs: Check that each block group has corresponding chunk at mount time
(CVE-2018-14610)
- btrfs: Verify that every chunk has corresponding block group at mount
time (CVE-2018-14612)
- btrfs: tree-checker: Check level for leaves and nodes
- btrfs: tree-checker: Fix misleading group system information
- btrfs: ensure that a DUP or RAID1 block group has exactly two stripes
- dm: do not override error code returned from dm_get_device()
- dm flakey: return -EINVAL on interval bounds error in flakey_ctr()
- dm flakey: fix reads to be issued if drop_writes configured
- dm flakey: check for null arg_name in parse_features()
- [amd64] pti/efi: broken conversion from efi to kernel page table
(regression in 3.16.51-3+deb8u1)
- batman-adv: Fix DAT candidate selection on little endian systems
- netfilter: ctnetlink: netns exit must wait for callbacks
- taskstats: fix data-race
- dm btree: increase rebalance threshold in __rebalance2()
- dm thin metadata: Add support for a pre-commit callback
- [x86] pinctrl: baytrail: Relax GPIO request rules
- [x86] pinctrl: baytrail: Clear interrupt triggering from pins that are in
GPIO mode
- [x86] pinctrl: baytrail: Rework interrupt handling
- [x86] pinctrl: baytrail: Serialize all register access
- [x86] pinctrl: baytrail: Really serialize all register accesses
- netfilter: nf_tables: missing sanitization in data from userspace
- netfilter: nf_tables: validate NFT_DATA_VALUE after nft_data_init()
- netfilter: bridge: make sure to pull arp header in br_nf_forward_arp()
- HID: uhid: Fix returning EPOLLOUT from uhid_char_poll
- gpio: Fix error message on out-of-range GPIO in lookup table
- neighbour: remove neigh_cleanup() method
- bonding: fix bond_neigh_init()
- af_packet: set defaule value for tmo
- [x86] ACPI: PM: Avoid attaching ACPI PM domain to certain devices
- scsi: iscsi: qla4xxx: fix double free in probe
- staging: gigaset: fix general protection fault on probe
- staging: gigaset: fix illegal free on probe errors
- staging: gigaset: add endpoint-type sanity check
- usb: core: urb: fix URB structure initialization function
- usb: mon: Fix a deadlock in usbmon between mmap and read
- USB: serial: io_edgeport: fix epic endpoint lookup
- USB: idmouse: fix interface sanity checks
- USB: adutux: fix interface sanity check
- USB: atm: ueagle-atm: add missing endpoint check
- staging: rtl8188eu: fix interface sanity check
- staging: rtl8712: fix interface sanity check
- gpiolib: fix up emulated open drain outputs
- virtio-balloon: fix managed page counts when migrating pages between
zones
- HID: Fix slab-out-of-bounds read in hid_field_extract
- xhci: handle some XHCI_TRUST_TX_LENGTH quirks cases as default behaviour.
- xhci: make sure interrupts are restored to correct state
- IB/mlx4: Avoid executing gid task when device is being removed
- IB/mlx4: Follow mirror sequence of device add during device removal
- HID: hid-input: clear unmapped usages
- btrfs: do not call synchronize_srcu() in inode_tree_del
- Btrfs: fix removal logic of the tree mod log that leads to use-after-free
issues
- btrfs: abort transaction after failed inode updates in create_subvol
- btrfs: handle ENOENT in btrfs_uuid_tree_iterate
- btrfs: skip log replay on orphaned roots
- btrfs: do not leak reloc root if we fail to read the fs root
- Btrfs: fix infinite loop during nocow writeback due to race
- btrfs: Remove redundant btrfs_release_path from btrfs_unlink_subvol
- btrfs: do not delete mismatched root refs
- btrfs: check rw_devices, not num_devices for balance
- ext4: check for directory entries too close to block end
- 6pack,mkiss: fix possible deadlock
- tcp: do not send empty skb from tcp_write_xmit()
- ALSA: pcm: Avoid possible info leaks from PCM stream buffers
- ALSA: hda/ca0132 - Avoid endless loop
- tty: link tty and port before configuring it as console
- USB: EHCI: Do not return -EPIPE when hub is disconnected
- usbip: Fix error path of vhci_recv_ret_submit()
- [x86] kvm: x86: Host feature SSBD doesn't imply guest feature
SPEC_CTRL_SSBD
- [armhf] net: stmmac: 16KB buffer must be 16 byte aligned
- [armhf] net: stmmac: Enable 16KB buffer size
- netfilter: ebtables: convert BUG_ONs to WARN_ONs
- netfilter: ebtables: compat: reject all padding in matches/watchers
- [x86] platform/x86: hp-wmi: Make buffer for HPWMI_FEATURE2_QUERY 128
bytes
- mod_devicetable: fix PHY module format
- [x86] efistub: Disable paging at mixed mode entry
- ALSA: ice1724: Fix sleep-in-atomic in Infrasonic Quartet support code
- locks: print unsigned ino in /proc/locks
- netfilter: arp_tables: init netns pointer in xt_tgchk_param struct
- tty: always relink the port
- USB: core: fix check for duplicate endpoints
- USB: core: add endpoint-blacklist quirk
- USB: quirks: blacklist duplicate ep on Sound Devices USBPre2
- [armhf] usb: musb: dma: Correct parameter passed to IRQ handler
- can: gs_usb: gs_usb_probe(): use descriptors of current altsetting
- tcp: fix "old stuff" D-SACK causing SACK to be treated as D-SACK
- vxlan: fix tos value before xmit
- ftrace: Avoid potential division by zero in function profiler
- staging: rtl8188eu: Add device code for TP-Link TL-WN727N v5.21
- kernel/trace: Fix do not unregister tracepoints when register
sched_migrate_task fail
- kobject: Export kobject_get_unless_zero()
- chardev: Avoid potential use-after-free in 'chrdev_open()'
- sctp: free cmd->obj.chunk for the unprocessed SCTP_CMD_REPLY
- vlan: vlan_changelink() should propagate errors
- pkt_sched: fq: avoid hang when quantum 0
- pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM
- macvlan: do not assume mac_header is set in macvlan_broadcast()
- netfilter: ipset: avoid null deref when IPSET_ATTR_LINENO is present
- ixgbevf: Remove limit of 10 entries for unicast filter list
- scsi: sd: Clear sdkp->protection_type if disk is reformatted without PI
- scsi: enclosure: Fix stale device oops with hot replug
- hidraw: Return EPOLLOUT from hidraw_poll
- HID: hidraw: Fix returning EPOLLOUT from hidraw_poll
- HID: hidraw, uhid: Always report EPOLLOUT
- Input: aiptek - fix endpoint sanity check
- Input: gtco - fix endpoint sanity check
- Input: sur40 - fix interface sanity checks
- [x86] platform/x86: asus-wmi: Fix keyboard brightness cannot be set to 0
- iio: buffer: align the size of scan bytes to size of the largest element
- USB: serial: simple: Add Motorola Solutions TETRA MTP3xxx and MTP85xx
- netfilter: fix a use-after-free in mtype_destroy()
- netfilter: arp_tables: init netns pointer in xt_tgdtor_param struct
- ALSA: usb-audio: add implicit fb quirk for Axe-Fx II
- ALSA: usb-audio: simplify set_sync_ep_implicit_fb_quirk
- ALSA: usb-audio: fix sync-ep altsetting sanity check
- USB: serial: opticon: fix control-message timeouts
- r8152: add missing endpoint sanity check
- usb: core: hub: Improved device recognition on remote wakeup
- ALSA: seq: Fix racy access for queue timer in proc read
- scsi: fnic: fix invalid stack access
- block: fix an integer overflow in logical block size
- macvlan: use skb_reset_mac_header() in macvlan_queue_xmit()
- Input: keyspan-remote - fix control-message timeouts
- USB: serial: suppress driver bind attributes
- USB: serial: ch341: handle unbound port at reset_resume
- USB: serial: io_edgeport: handle unbound ports on URB completion
- USB: serial: io_edgeport: add missing active-port sanity check
- USB: serial: keyspan: handle unbound ports
- USB: serial: quatech2: handle unbound ports
- hwmon: (adt7475) Make volt2reg return same reg as reg2volt input
- [armel,armhf] 8950/1: ftrace/recordmcount: filter relocation types
- mmc: sdhci: fix minimum clock rate for v3 controller
- can, slip: Protect tty->disc_data in write_wakeup and close with RCU
- net: sonic: return NETDEV_TX_OK if failed to map buffer
- net/sonic: Add mutual exclusion for accessing shared state
- net/sonic: Use MMIO accessors
- net/sonic: Fix receive buffer handling
- net/sonic: Quiesce SONIC before re-initializing descriptor memory
- net_sched: fix datalen for ematch
- namei: allow restricted O_CREAT of FIFOs and regular files
- do_last(): fetch directory ->i_mode and ->i_uid before it's too late
- vfs: fix do_last() regression
- blktrace: re-write setting q->blk_trace
- blktrace: Protect q->blk_trace with RCU (CVE-2019-19768)
- blktrace: fix dereference after null check
- Input: add safety guards to input_set_keycode() (CVE-2019-20636)
- staging: android: ashmem: Disallow ashmem memory from being remapped
(CVE-2020-0009)
- net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup
(CVE-2020-1749)
- [x86] KVM: nVMX: Don't emulate instructions in guest mode (CVE-2020-2732)
- vgacon: Fix a UAF in vgacon_invert_region (CVE-2020-8647, CVE-2020-8649)
- tty: vt: Fix !TASK_RUNNING diagnostic warning from paste_selection()
- vt: selection, handle pending signals in paste_selection
- vt: selection, close sel_buffer race (CVE-2020-8648)
- vt: selection, push console lock down
- vt: selection, push sel_lock up
- floppy: check FDC index for errors before assigning it (CVE-2020-9383)
- vhost: Check docket sk_family instead of call getname (CVE-2020-10942)
- mm: mempolicy: require at least one nodeid for MPOL_PREFERRED
(CVE-2020-11565)
- media: ov519: add missing endpoint sanity checks (CVE-2020-11608)
- media: stv06xx: add missing descriptor sanity checks (CVE-2020-11609)
- media: xirlink_cit: add missing descriptor sanity checks (CVE-2020-11668)
- ptp: do not explicitly set drvdata in ptp_clock_register()
- ptp: use is_visible method to hide unused attributes
- ptp: create "pins" together with the rest of attributes
- chardev: add helper function to register char devs with a struct device
- ptp: Fix pass zero to ERR_PTR() in ptp_clock_register
- ptp: fix the race between the release of ptp_clock and cdev
(CVE-2020-10690)
- ptp: free ptp device pin descriptors properly
- media-devnode: just return 0 instead of using a var
- media: Fix media_open() to clear filp->private_data in error leg
- drivers/media/media-devnode: clear private_data before put_device()
- media-devnode: add missing mutex lock in error handler
- media-devnode: fix namespace mess
- media-device: dynamically allocate struct media_devnode
- media: fix use-after-free in cdev_put() when app exits after driver
unbind
- media: fix media devnode ioctl/syscall and unregister race
- slcan: Don't transmit uninitialized stack data in padding
(CVE-2020-11494)
- futex: Fix inode life-time issue
- futex: Unbreak futex hashing
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.84
- fs/namespace.c: fix mountpoint reference counter race (CVE-2020-12114)
- propagate_one(): mnt_set_mountpoint() needs mount_lock
- spi: spi-dw: Add lock protect dw_spi rx/tx to prevent concurrent calls
(CVE-2020-12769)
- padata: avoid race in reordering
- padata: get_next is never NULL
- padata: set cpu_index of unused CPUs to -1
- padata: ensure the reorder timer callback runs on the correct CPU
- padata: ensure padata_do_serial() runs on the correct CPU
- padata: Replace delayed timer with immediate workqueue in padata_reorder
- padata: initialize pd->cpu with effective cpumask
- padata: Remove broken queue flushing
- padata: purge get_cpu and reorder_via_wq from padata_do_serial
- crypto: pcrypt - Fix user-after-free on module unload
- crypto: pcrypt - Do not clear MAY_SLEEP flag in original request
- padata: always acquire cpu_hotplug_lock before pinst->lock
- crypto: af_alg - Use bh_lock_sock in sk_destruct
- crypto: api - Check spawn->alg under lock in crypto_drop_spawn
- crypto: api - Fix race condition in crypto_spawn_alg
- [armhf] mmc: spi: Toggle SPI polarity, do not hardcode it
- reiserfs: Fix memory leak of journal device string
- reiserfs: Fix spurious unlock in reiserfs_fill_super() error handling
- ath9k: fix storage endpoint lookup
- rsi: fix use-after-free on failed probe and unbind
- brcmfmac: Fix use after free in brcmf_sdio_readframes()
- brcmfmac: abort and release host after error
- brcmfmac: fix interface sanity check
- orinoco_usb: fix interface sanity check
- rsi_91x_usb: fix interface sanity check
- zd1211rw: fix storage endpoint lookup
- brcmfmac: Fix memory leak in brcmf_usbdev_qinit
- scsi: qla2xxx: Fix mtcp dump collection failure
- media: iguanair: add sanity checks
- media: iguanair: fix endpoint sanity check
- efi: Use early_mem*() instead of early_io*()
- [x86] efi/x86: Map the entire EFI vendor string before copying it
- PCI: Don't disable bridge BARs when assigning bus resources
- power: supply: sbs-battery: Fix a signedness bug in
sbs_get_battery_capacity()
- dm space map common: fix to ensure new block isn't already in use
- [armhf] usb: dwc3: turn off VBUS when leaving host mode
- usb: gadget: f_ncm: Use atomic_t to track in-flight request
- usb: gadget: f_ecm: Use atomic_t to track in-flight request
- staging: wlan-ng: ensure error return is actually returned
- ubifs: Fix deadlock in concurrent bulk-read and writepage
- [x86] cpu: Update cached HLE state on write to TSX_CTRL_CPUID_CLEAR
- jbd2: clear JBD2_ABORT flag before journal_reset to update log tail info
when load journal
- [x86] KVM: x86: Don't let userspace set host-reserved cr4 bits
- [x86] KVM: nVMX: vmread should not set rflags to specify success in case
of #PF
- [x86] kvm: avoid unused variable warning
- [x86] KVM: x86/mmu: Apply max PA check for MMIO sptes to 32-bit KVM
- USB: serial: ir-usb: add missing endpoint sanity check
- USB: serial: ir-usb: fix link-speed handling
- USB: serial: ir-usb: fix IrLAP framing
- media: uvcvideo: Avoid cyclic entity chains due to malformed USB
descriptors
- [x86] KVM: x86: Free wbinvd_dirty_mask if vCPU creation fails
- tracing: Fix very unlikely race of registering two stat tracers
- tracing: Fix tracing_stat return values in error handling paths
- jbd2: switch to use jbd2_journal_abort() when failed to submit the commit
record
- ext4, jbd2: ensure panic when aborting with zero errno
- iwlegacy: ensure loop counter addr does not wrap and cause an infinite
loop
- CIFS: Fix task struct use-after-free on reconnect
- net_sched: ematch: reject invalid TCF_EM_SIMPLE
- [x86] KVM: x86: Protect x86_decode_insn from Spectre-v1/L1TF attacks
- [x86] KVM: x86: Refactor picdev_write() to prevent Spectre-v1/L1TF
attacks
- [x86] KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF
attacks
- [x86] KVM: x86: Protect ioapic_write_indirect() from Spectre-v1/L1TF
attacks
- [x86] KVM: x86: Protect kvm_lapic_reg_write() from Spectre-v1/L1TF
attacks
- [x86] kvm: x86: use macros to compute bank MSRs
- [x86] KVM: x86: Protect MSR-based index computations from Spectre-v1/L1TF
attacks in x86.c
- [x86] KVM: x86: Protect DR-based index computations from Spectre-v1/L1TF
attacks
- KVM: Check for a bad hva before dropping into the ghc slow path
- Btrfs: fix race between adding and putting tree mod seq elements and
nodes
- mm/mempolicy.c: fix out of bounds write in mpol_parse_str()
- media/v4l2-core: set pages dirty upon releasing DMA buffers
- tcp: clear tp->total_retrans in tcp_disconnect()
- ALSA: dummy: Fix PCM format loop in proc output
- clocksource: Prevent double add_timer_on() for watchdog_timer
- cls_rsvp: fix rsvp_policy
- nfs: use kmap/kunmap directly
- NFS: Fix memory leaks and corruption in readdir
- NFS: Directory page cache pages need to be locked when read
- cifs: fail i/o on soft mounts if sessionsetup errors out
- bonding/alb: properly access headers in bond_alb_xmit()
- sunrpc: expiry_time should be seconds not timeval
.
[ Ben Hutchings ]
* debian/README.source: Refer to upload checklist in kernel-team.git
* chaoskey: Apply bug fixes from upstream:
- USB: chaoskey: fix Alea quirk on big-endian hosts
- USB: chaoskey: fix use-after-free on release
- USB: chaoskey: fix error case of a timeout
* Bump ABI to 11
* selinux: Fix netlink message permission checks:
- selinux: cleanup error reporting in selinux_nlmsg_perm()
- selinux: convert WARN_ONCE() to printk() in selinux_nlmsg_perm()
- selinux: Print 'sclass' as string when unrecognized netlink message
occurs
- selinux: rate-limit netlink message warnings in selinux_nlmsg_perm()
- selinux: properly handle multiple messages in selinux_netlink_send()
(CVE-2020-10751)
* USB: core: Fix serialisation of SG URB operations:
- drivers: usb: core: Don't disable irqs in usb_sg_wait() during URB
submit.
- drivers: usb: core: Minimize irq disabling in usb_sg_cancel()
- USB: core: Fix free-while-in-use bug in the USB S-Glibrary
(CVE-2020-12464)
* scsi: mptfusion: Add bounds check in mptctl_hp_targetinfo()
* scsi: mptfusion: Fix double fetch bug in ioctl (CVE-2020-12652)
* mwifiex: Fix possible buffer overflows in mwifiex_cmd_append_vsie_tlv()
(CVE-2020-12653)
* mwifiex: Fix possible buffer overflows in mwifiex_ret_wmm_get_status()
(CVE-2020-12654)
* scsi: sg: Fix various bugs:
- sg: O_EXCL and other lock handling
- sg: prevent integer overflow when converting from sectors to bytes
- scsi: sg: Change next_cmd_len handling to mirror upstream
- scsi: sg: protect accesses to 'reserved' page array
- scsi: sg: reset 'res_in_use' after unlinking reserved array
- scsi: sg: protect against races between mmap() and SG_SET_RESERVED_SIZE
- scsi: sg: recheck MMAP_IO request length with lock held
- scsi: sg: remove 'save_scat_len'
- scsi: sg: use standard lists for sg_requests
- scsi: sg: off by one in sg_ioctl()
- scsi: sg: factor out sg_fill_request_table()
- scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE
- scsi: sg: Re-fix off by one in sg_fill_request_table()
- scsi: sg: disable SET_FORCE_LOW_DMA
- scsi: sg: check for valid direction before starting the request
- scsi: sg: close race condition in sg_remove_sfp_usercontext()
- scsi: sg: fix SG_DXFER_FROM_DEV transfers
- scsi: sg: fix static checker warning in sg_is_valid_dxfer
- scsi: sg: only check for dxfer_len greater than 256M
- scsi: sg: don't return bogus Sg_requests
- scsi: sg: fix minor memory leak in error path
- scsi: sg: add sg_remove_request in sg_common_write
- scsi: sg: add sg_remove_request in sg_write (CVE-2020-12770)
* signal: Extend exec_id to 64bits (CVE-2020-12826)
* USB: gadget: fix illegal array access in binding with UDC (CVE-2020-13143)
* ext4: Fix various bugs:
- ext4: Make checks for metadata_csum feature safer
- ext4: protect journal inode's blocks using block_validity (CVE-2019-19319)
- ext4: unsigned int compared against zero
- ext4: fix block validity checks for journal inodes using indirect blocks
- ext4: don't perform block validity checks on the journal inode
- ext4: add cond_resched() to ext4_protect_reserved_inode (CVE-2020-8992)
* [x86] Add support for mitigation of Special Register Buffer Data Sampling
(SRBDS) (CVE-2020-0543):
- x86/cpu: Rename cpu_data.x86_mask to cpu_data.x86_stepping
- x86/cpu: Add a steppings field to struct x86_cpu_id
- x86/cpu: Add 'table' argument to cpu_matches()
- x86/speculation: Add Special Register Buffer Data Sampling (SRBDS)
mitigation
- x86/speculation: Add SRBDS vulnerability and mitigation documentation
- x86/speculation: Add Ivy Bridge to affected list
* random: always use batched entropy for get_random_u{32,64}
* slip, slcan: Fix various bugs:
- slcan: Fix memory leak in error path
- can: slcan: Fix use-after-free Read in slcan_open
- slcan: not call free_netdev before rtnl_unlock in slcan_open
- slip: Fix memory leak in slip_open error path
- slip: Fix use-after-free Read in slip_open
- slip: not call free_netdev before rtnl_unlock in slip_open
* net-sysfs: Fix reference counting bugs:
- net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject
- net-sysfs: fix netdev_queue_add_kobject() breakage
- net-sysfs: Call dev_hold always in netdev_queue_add_kobject
- net-sysfs: Call dev_hold always in rx_queue_add_kobject
Files:
69294d0b6aa127040a41221a8a2b3b60 143027 kernel optional linux_3.16.84-1.dsc
3adda6bff68237af6aa9b1b9422d183f 82095884 kernel optional linux_3.16.84.orig.tar.xz
a5dc589c8ff3d380b2667fb9fe17082e 1231412 kernel optional linux_3.16.84-1.debian.tar.xz
d56874fbb06f8a6824b7f1a094dbf292 482206 devel optional linux-support-3.16.0-11_3.16.84-1_all.deb
f881ed4a866bd50c3457ede9edd2e240 8438628 doc optional linux-doc-3.16_3.16.84-1_all.deb
40eb0bdc12edcda3759e031dd9bd5e99 3841170 doc optional linux-manual-3.16_3.16.84-1_all.deb
ac026e35f595b2e27207a1b74f4a40a8 83968596 kernel optional linux-source-3.16_3.16.84-1_all.deb
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----