-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 25 Mar 2019 18:05:41 +0000
Binary: linux-doc-3.16 linux-manual-3.16 linux-source-3.16 linux-support-3.16.0-8
Source: linux
Architecture: all source
Version: 3.16.64-1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org>
Changed-By: Ben Hutchings <ben@decadent.org.uk>
Description:
linux-doc-3.16 - Linux kernel specific documentation for version 3.16
linux-manual-3.16 - Linux kernel API manual pages for version 3.16
linux-source-3.16 - Linux kernel source for version 3.16 with Debian patches
linux-support-3.16.0-8 - Support files for Linux 3.16
Changes:
linux (3.16.64-1) jessie-security; urgency=high
.
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.60
- [x86] drm/i915: Try EDID bitbanging on HDMI after failed read
- [x86] drm/i915: Log a message when rejecting LRM to OACONTROL
- [x86] drm/i915: Fix command parser to validate multiple register access
with the same command.
- [x86] drm/i915/cmdparser: Do not check past the cmd length.
- regmap: Correct offset handling in regmap_volatile_range
- regmap: Support bulk reads for devices without raw formatting
- regmap: Don't use format_val in regmap_bulk_read
- HID: i2c-hid: fix size check and type usage
- HID: i2c-hid: Fix "incomplete report" noise
- HID: core: Fix size as type u32
- jbd2: if the journal is aborted then don't allow update of the log tail
- ext4: don't update checksum of new initialized bitmaps
- media: cx25821: prevent out-of-bounds read on array card
- [armhf] serial: arc_uart: Fix out-of-bounds access through DT alias
- [armhf] serial: imx: Fix out-of-bounds access through serial port index
- rtl8187: Fix NULL pointer dereference in priv->conf_mutex
- IB/srp: Fix srp_abort()
- staging: rtl8192u: return -ENOMEM on failed allocation of priv->oldaddr
- [x86] crypto: cast5-avx - fix ECB encryption when long sg follows short
one
- [x86] Input: i8042 - add Lenovo ThinkPad L460 to i8042 reset list
- [x86] watchdog: f71808e_wdt: Fix WD_EN register read
- vt: change SGR 21 to follow the standards
- media: rc: oops in ir_timer_keyup after device unplug
- [armhf] usb: dwc3: pci: Properly cleanup resource
- ext4: protect i_disksize update by i_data_sem in direct write path
- USB:fix USB3 devices behind USB3 hubs not resuming at hibernate thaw
- [armhf] crypto - Fix random regeneration of S_shipped
- [x86] ACPI / hotplug / PCI: Check presence of slot itself in
get_slot_status()
- ALSA: pcm: Use ERESTARTSYS instead of EINTR in OSS emulation
- ALSA: pcm: Avoid potential races between OSS ioctls and read/write
- ALSA: pcm: Return -EBUSY for OSS ioctls changing busy streams
- pinctrl: pinctrl-single: Fix pcs_request_gpio() when bits_per_mux != 0
- Btrfs: fix unexpected cow in run_delalloc_nocow
- ALSA: pcm: Fix mutex unbalance in OSS emulation ioctls
- hwmon: (nct6775) Fix writing pwmX_mode
- ipc,shm: move BUG_ON check into shm_lock
- ipc: convert invalid scenarios to use WARN_ON
- ipc/shm: handle removed segments gracefully in shm_mmap()
- ipc/util: Helpers for making the sysvipc operations pid namespace aware
- ipc/shm: Fix shmctl(..., IPC_STAT, ...) between pid namespaces.
- ipc/shm: fix use-after-free of shm file via remap_file_pages()
- ipc/msg: Fix msgctl(..., IPC_STAT, ...) between pid namespaces
- ipc/sem: make semctl setting sempid consistent
- ipc/sem: Fix semctl(..., GETPID, ...) between pid namespaces
- [armhf] usb: musb: gadget: misplaced out of bounds check
- iio:buffer: make length types match kfifo types
- iio:kfifo_buf: check for uint overflow
- [x86] xen/acpi: off by one in read_acpi_id()
- crypto: ahash - Fix early termination in hash walk
- btrfs: Refactor transaction handling in received subvolume ioctl
- btrfs: Handle error from btrfs_uuid_tree_rem call in
_btrfs_ioctl_set_received_subvol
- ext4: add bounds checking to ext4_xattr_find_entry()
- Btrfs: fix copy_items() return value when logging an inode
- btrfs: tests/qgroup: Fix wrong tree backref level
- ext4: correctly detect when an xattr value has an invalid size
- ext4: add extra checks to ext4_xattr_block_get()
- sky2: Increase D3 delay to sky2 stops working after suspend
- cifs: fix memory leak in SMB2_open()
- ext4: force revalidation of directory pointer after seekdir(2)
- ALSA: pcm: Fix UAF at PCM release via PCM timer access
- [armhf] rtc: snvs: Fix usage of snvs_rtc_enable
- drm/radeon: Fix PCIe lane width calculation
- RDMA/ucma: Don't allow setting RDMA_OPTION_IB_PATH without an RDMA device
- ubifs: Check ubifs_wbuf_sync() return code
- ubi: Fix error for write access
- ubi: Reject MLC NAND
- [x86] Input: i8042 - enable MUX on Sony VAIO VGN-CS series to fix touchpad
- media: v4l2-compat-ioctl32: don't oops on overlay
- Btrfs: fix NULL pointer dereference in log_dir_items
- Btrfs: bail out on error during replay_dir_deletes
- btrfs: Fix possible softlock on single core machines
- ip_tunnel: better validate user provided tunnel names
- ipv6: sit: better validate user provided tunnel names
- ip6_gre: better validate user provided tunnel names
- ip6_tunnel: better validate user provided tunnel names
- vti6: better validate user provided tunnel names
- hugetlbfs: fix bug in pgoff overflow checking
- ocfs2/dlm: wait for dlm recovery done when migrating all lock resources
- block_invalidatepage(): only release page if the full page was invalidated
- ALSA: pcm: Fix endless loop for XRUN recovery in OSS emulation
- crypto: af_alg - fix possible uninit-value in alg_bind()
- netlink: fix uninit-value in netlink_sendmsg
- net: fix rtnh_ok()
- net: initialize skb->peeked when cloning
- net: fix uninit-value in __hw_addr_add_ex()
- soreuseport: initialise timewait reuseport field
- sctp: do not leak kernel memory to user space
- HID: hidraw: Fix crash on HIDIOCGFEATURE with a destroyed device
- fanotify: fix logic of events on child
- scsi: qla2xxx: Fix NULL pointer crash due to active timer for ABTS
- scsi: qla2xxx: Avoid double completion of abort command
- [x86] apic: Fix signedness bug in APIC ID validity checks
- tracing/uprobe_event: Fix strncpy corner case
- fs/proc/proc_sysctl.c: fix potential page fault while unregistering
sysctl table
- fs/reiserfs/journal.c: add missing resierfs_warning() arg
- [x86] drm/radeon: make MacBook Pro d3_delay quirk more generic
- [x86] drm/radeon: add PX quirk for Asus K73TK
- l2tp: fix races in tunnel creation
- l2tp: fix race in duplicate tunnel detection
- ALSA: line6: Use correct endpoint type for midi output
- tcp: md5: reject TCP_MD5SIG or TCP_MD5SIG_EXT on established sockets
- sctp: do not check port in sctp_inet6_cmp_addr
- net: fix deadlock while clearing neighbor proxy table
- l2tp: hold reference on tunnels in netlink dumps
- l2tp: hold reference on tunnels printed in pppol2tp proc file
- l2tp: hold reference on tunnels printed in l2tp/tunnels debugfs file
- resource: fix integer overflow at reallocation
- jffs2_kill_sb(): deal with failed allocations
- rpc_pipefs: fix double-dput()
- ceph: always update atime/mtime/ctime for new inode
- team: avoid adding twice the same option to the event list
- net: af_packet: fix race in PACKET_{R|T}X_RING
- netfilter: nf_tables: can't fail after linking rule into active rule list
- RDMA/ucma: ucma_context reference leak in error path
- [armhf] KVM: Close VMID generation race
- [x86] tsc: Prevent 32bit truncation in calc_hpet_ref()
- [x86] acpi: Prevent X2APIC id 0xffffffff from being accounted
- [x86] mm: Prevent kernel Oops in PTDUMP code with HIGHPTE=y
- vlan: Fix reading memory beyond skb->tail in skb_vlan_tagged_multi
- KEYS: DNS: limit the length of option strings
- ext4: set h_journal if there is a failure starting a reserved handle
- scsi: mptsas: Disable WRITE SAME
- scsi: sd: Defer spinning up drive while SANITIZE is in progress
- ALSA: rawmidi: Fix missing input substream checks in compat ioctls
- vfs: Don't leak MNT_INTERNAL away from internal mounts
- [x86] xhci: Fix USB ports for Dell Inspiron 5775
- cifs: do not allow creating sockets except with SMB1 posix exensions
- autofs: mount point create should honour passed in mode
- mm/filemap.c: fix NULL pointer in page_cache_tree_insert()
- USB: Increment wakeup count on remote wakeup.
- usbip: vhci_hcd: check rhport before using in vhci_hub_control()
- usbip: vhci_hcd: Fix usb device and sockfd leaks
- usb: core: Add quirk for HP v222w 16GB Mini
- l2tp: fix {pppol2tp, l2tp_dfs}_seq_stop() in case of seq_file overflow
- llc: hold llc_sap before release_sock()
- llc: fix NULL pointer deref for SOCK_ZAPPED
- ALSA: core: Report audio_tstamp in snd_pcm_sync_ptr
- drivers: tty: Merge alloc_tty_struct and initialize_tty_struct
- drivers: tty: Fix use-after-free in pty_common_install
- tty: handle the case where we cannot restore a line discipline
- tty: Avoid possible error pointer dereference at tty_ldisc_restore().
- tty: Don't call panic() at tty_ldisc_init()
- hwmon: (nct6683) Enable EC access if disabled at boot
- tcp: don't read out-of-bounds opsize
- RDMA/ucma: Introduce safer rdma_addr_size() variants
- RDMA/ucma: Allow resolving address w/o specifying source address
- bonding: do not set slave_dev npinfo before slave_enable_netpoll in
bond_enslave
- ipv6: add RTA_TABLE and RTA_PREFSRC to rtm_ipv6_policy
- l2tp: check sockaddr length in pppol2tp_connect()
- pppoe: check sockaddr length in pppoe_connect()
- [x86] ALSA: usb-audio: Skip broken EU on Dell dock USB-audio
- team: fix netconsole setup over team
- mtd: cfi: cmdset_0001: Do not allow read/write to suspend erase block.
- mtd: cfi: cmdset_0001: Workaround Micron Erase suspend bug.
- mtd: cfi: cmdset_0002: Do not allow read/write to suspend erase block.
- packet: fix bitfield update race
- ALSA: seq: oss: Fix unbalanced use lock for synth MIDI device
- ALSA: seq: oss: Hardening for potential Spectre v1 (CVE-2017-5753)
- ALSA: control: Hardening for potential Spectre v1 (CVE-2017-5753)
- ALSA: hda: Hardening for potential Spectre v1 (CVE-2017-5753)
- ALSA: opl3: Hardening for potential Spectre v1 (CVE-2017-5753)
- ALSA: asihpi: used parts of message/response are zeroed before use
- ALSA: asihpi: Hardening for potential Spectre v1 (CVE-2017-5753)
- ALSA: hdspm: Hardening for potential Spectre v1 (CVE-2017-5753)
- ALSA: rme9652: Hardening for potential Spectre v1 (CVE-2017-5753)
- tty: Use __GFP_NOFAIL for tty_ldisc_get()
- virtio_console: don't tie bufs to a vq
- virtio: add ability to iterate over vqs
- virtio_console: free buffers after reset
- virtio_console: drop custom control queue cleanup
- virtio_console: move removal code
- virtio_console: reset on out of memory
- [x86] smpboot: Don't use mwait_play_dead() on AMD systems
- libceph: validate con->state at the top of try_write()
- tracing/uprobe: Drop isdigit() check in create_trace_uprobe
- uprobe: Find last occurrence of ':' when parsing uprobe PATH:OFFSET
- tracing: Deletion of an unnecessary check before iput()
- tracing: Fix bad use of igrab in trace_uprobe.c
- libata: Apply NOLPM quirk for SanDisk SD7UB3Q*G1001 SSDs
- RDMA/mlx5: Protect from shift operand overflow
- IB/mlx5: Use unlimited rate when static rate is not supported
- ALSA: seq: Fix races at MIDI encoding in snd_virmidi_output_trigger()
- sctp: handle two v4 addrs comparison in sctp_inet6_cmp_addr
- RDMA/cxgb4: release hw resources on device removal
- RDMA/iwpm: fix memory leak on map_info
- iw_cxgb4: Atomically flush per QP HW CQEs
- net: support compat 64-bit time in {s,g}etsockopt
- ALSA: aloop: Add missing cable lock to ctl API callbacks
- tracepoint: Do not warn on ENOMEM
- [armhf] usb: musb: host: fix potential NULL pointer dereference
- tcp: fix TCP_REPAIR_QUEUE bound checking
- ALSA: pcm: Check PCM state at xfern compat ioctl
- USB: serial: visor: handle potential invalid device configuration
- clocksource: Initialize cs->wd_list
- sctp: fix the issue that the cookie-ack with auth can't get processed
- [amd64] bpf: fix memleak when not converging after image
- net_sched: fq: take care of throttled flows before reuse
- ipv4: fix fnhe usage by non-cached routes
- qmi_wwan: do not steal interfaces from class drivers
- USB: Accept bulk endpoints with 1024-byte maxpacket
- dccp: fix tasklet usage
- bdi: Fix oops in wb_workfn()
- atm: zatm: Fix potential Spectre v1 (CVE-2017-5753)
- net: atm: Fix potential Spectre v1 (CVE-2017-5753)
- sched/core: Fix possible Spectre-v1 indexing for sched_prio_to_weight[]
- sched/autogroup: Fix 64-bit kernel nice level adjustment
- sched/autogroup: Fix possible Spectre-v1 indexing for
sched_prio_to_weight[] (CVE-2017-5753)
- [x86] perf: Fix possible Spectre-v1 indexing for x86_pmu::event_map()
(CVE-2017-5753)
- [x86] perf: Fix possible Spectre-v1 indexing for hw_perf_event cache_*
(CVE-2017-5753)
- llc: better deal with too small mtu
- can: kvaser_usb: Increase correct stats counter in
kvaser_usb_rx_can_msg()
- ipvs: fix stats update from local clients
- [x86] drm/i915: Fix drm:intel_enable_lvds ERROR message in kernel log
- libata: Blacklist some Sandisk SSDs for NCQ
- RDMA/mlx5: Don't assume that medium blueFlame register exists
- cifs: Allocate validate negotiation request through kmalloc
- batman-adv: Avoid race in TT TVLV allocator helper
- net/mlx4_en: Verify coalescing parameters are in range
- smb3: directory sync should not return an error
- tracing: Fix regex_match_front() to not over compare the test string
- ipv4: fix memory leaks in udp_sendmsg, ping_v4_sendmsg
- Btrfs: ensure tmpfile inode is always persisted with link count of 0
- Btrfs: use insert_inode_locked4 for inode creation
- Btrfs: don't leave dangling dentry if symlink creation failed
- f2fs: reposition unlock_new_inode to prevent accessing invalid inode
- f2fs: call f2fs_unlock_op after error was handled
- f2fs: go out for insert_inode_locked failure
- udf: avoid unneeded up_write when fail to add entry in ->symlink
- udf: merge the pieces inserting a new non-directory object into directory
- udf: fix the udf_iget() vs. udf_new_inode() races
- ufs: deal with nfsd/iget races
- ufs: Fix warning from unlock_new_inode()
- ufs: Fix possible deadlock when looking up directories
- vfs: do d_instantiate/unlock_new_inode combinations safely
- batman-adv: Fix TT sync flags for intermediate TT responses
- batman-adv: prevent TT request storms by not sending inconsistent TT
TLVLs
- ALSA: control: fix a redundant-copy issue
- [x86] kexec: Avoid double free_page() upon do_kexec_load() failure
- [x86] efi: Avoid potential crashes, fix the
'struct efi_pci_io_protocol_32' definition for mixed mode
- xfrm6: avoid potential infinite loop in _decode_session6()
- [x86] drm/i915/userptr: reject zero user_size
- Btrfs: send, fix invalid access to commit roots due to concurrent
snapshotting
- net/mlx4_core: Fix error handling in mlx4_init_port_info.
- [x86] tracing/xen: Remove zero data size trace events
trace_xen_mmu_flush_tlb{_all}
- [x86] VMXNET3: Check for map error in vmxnet3_set_mc
- [x86] vmxnet3: fix checks for dma mapping errors
- [x86] vmxnet3: avoid assumption about invalid dma_pa in vmxnet3_set_mc()
- [x86] vmxnet3: set the DMA mask before the first DMA map operation
- mmap: introduce sane default mmap limits
- drm: set FMODE_UNSIGNED_OFFSET for drm files
- mmap: relax file size limit for regular files
- i2c: viperboard: return message count on master_xfer success
- tick/broadcast: Use for_each_cpu() specially on UP kernels
- tcp: purge write queue in tcp_connect_init()
- afs: Ignore AFS_ACE_READ and AFS_ACE_WRITE for directories
- afs: Fix directory permissions check
- string: provide strscpy()
- netfilter: ebtables: handle string from userspace with care
- net: test tailroom before appending to linear skb
- ALSA: timer: Call notifier in the same spinlock
- ALSA: timer: Fix pause event notification
- xen-swiotlb: fix the check condition for xen_swiotlb_free_coherent
- libata: blacklist Micron 500IT SSD with MU01 firmware
- affs_lookup(): close a race with affs_remove_link()
- ext2: fix a block leak
- aio: fix io_destroy(2) vs. lookup_ioctx() race
- ipvs: fix buffer overflow with sync daemon and service
- net/mlx4: Fix irq-unsafe spinlock usage
- vfs: fix io_destroy()/aio_complete() race
- [x86] KVM: Update cpuid properly when CR4.OSXAVE or CR4.PKE is changed
- ppp: fix device unregistration upon netns deletion
- ppp: fix lockdep splat in ppp_dev_uninit()
- ppp: fix race in ppp device destruction
- ppp: Fix null pointer dereference on registration failure
- ppp: unlock all_ppp_mutex before registering device
- ppp: remove the PPPIOCDETACH ioctl
- enic: set DMA mask to 47 bit
- Revert "ipc/shm: Fix shmat mmap nil-page protection"
- ipc/shm: fix shmat() nil address after round-down when remapping
- kernel/sys.c: fix potential Spectre v1 issue (CVE-2017-5753)
- tracing: Fix crash when freeing instances with event triggers
- [x86] drm/i915: Disable LVDS on Radiant P845
- selinux: KASAN: slab-out-of-bounds in xattr_getsecurity
- [armhf] net: ethernet: ti: cpdma: correct error handling for chan create
- [armhf] net: davinci_emac: Fix runtime pm calls for davinci_emac
- [armhf] net: ethernet: davinci_emac: fix error handling in probe()
- ip_tunnel: restore binding to ifaces with a large mtu
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.61
- [armhf] Revert "mtd: nand: omap2: Fix subpage write"
- fuse: atomic_o_trunc should truncate pagecache
- media: dvb_frontend: fix locking issues at dvb_frontend_get_event()
- media: v4l2-compat-ioctl32: prevent go past max size
- media: rc: mce_kbd decoder: fix stuck keys
- [i386] PCI: ibmphp: Fix use-before-set in get_max_bus_speed()
- mwifiex: pcie: tighten a check in mwifiex_pcie_process_event_ready()
- usb: do not reset if a low-speed or full-speed device timed out
- sctp: fix identification of new acks for SFR-CACC
- [x86] iommu/vt-d: Ratelimit each dmar fault printing
- nfsd: restrict rd_maxcount to svc_max_payload in nfsd_encode_readdir
- perf: fix invalid bit in diagnostic entry
- PM / wakeup: Only update last time for active wakeup sources
- ext4: update mtime in ext4_punch_hole even if no blocks are released
- ext4: factor out helper ext4_sample_last_mounted()
- vfs: add the sb_start_intwrite_trylock() helper
- ext4: do not update s_last_mounted of a frozen fs
- [arm*] tty: pl011: Avoid spuriously stuck-off interrupts
- w1: support auto-load of w1_bq27000 module.
- 1wire: family module autoload fails because of upper/lower case mismatch.
- driver core: Don't ignore class_dir_create_and_add() failure.
- sbitmap: fix race in wait batch accounting
- [armhf] net: ethernet: davinci_emac: Fix printing of base address
- RDMA/ipoib: Update paths on CLIENT_REREG/SM_CHANGE events
- ipmi:bt: Set the timeout before doing a capabilities check
- ext4: check if in-inode xattr is corrupted in
ext4_expand_extra_isize_ea()
- ext4: correct endianness conversion in __xattr_check_inode()
- ext4: don't read out of bounds when checking for in-inode xattrs
- ext4: bubble errors from ext4_find_inline_data_nolock() up to ext4_iget()
- PCI: pciehp: Clear Presence Detect and Data Link Layer Status Changed on
resume
- IB/isert: Fix for lib/dma_debug check_sync warning
- IB/qib: Fix DMA api warning with debug kernel
- perf/core: Fix group scheduling with mixed hw and sw events
- ext4: fix fencepost error in check for inode count overflow during resize
- Btrfs: don't BUG_ON() in btrfs_truncate_inode_items()
- Btrfs: don't return ino to ino cache if inode item removal fails
- Btrfs: reserve space for O_TMPFILE orphan item deletion
- libata: zpodd: make arrays cdb static, reduces object code size
- libata: zpodd: small read overflow in eject_tray()
- tpm: fix race condition in tpm_common_write()
- mtd: cfi_cmdset_0002: Change write buffer to check correct value
- mtd: cfi_cmdset_0002: Change definition naming to retry write operation
- mtd: cfi_cmdset_0002: Change erase functions to retry for error
- mtd: cfi_cmdset_0002: Change erase functions to check chip good only
- fuse: fix control dir setup and teardown
- fuse: don't keep dead fuse_conn at fuse_fill_super().
- libata: Drop SanDisk SD7UB3Q*G1001 NOLPM quirk
- NFSv4: Fix possible 1-byte stack overflow in
nfs_idmap_read_and_verify_message
- ALSA: hda - Handle kzalloc() failure in snd_hda_attach_pcm_stream()
- RDMA/mlx4: Discard unknown SQP work requests
- [x86] msr-index.h: Correct SNB_C1/C3_AUTO_UNDEMOTE defines
- ASoC: dapm: delete dapm_kcontrol_data paths list before freeing it
- IB/isert: fix T10-pi check mask setting
- net/packet: refine check for priv area size
- of: platform: stop accessing invalid dev in of_platform_device_destroy
- [x86] PCI: shpchp: Fix AMD POGO identification
- l2tp: fix refcount leakage on PPPoL2TP sockets
- ip6mr: only set ip6mr_table from setsockopt when ip6mr_new_table succeeds
- net: metrics: add proper netlink validation
- rtnetlink: validate attributes in do_setlink()
- scsi: qla2xxx: Fix setting lower transfer speed if GPSC fails
- bnx2x: use the right constant
- pagemap: hide physical addresses from non-privileged users
- mm: /proc/pid/pagemap: hide swap entries from unprivileged users
- mm, page_alloc: do not break __GFP_THISNODE by zonelist reset
- fs/binfmt_misc.c: do not allow offset overflow
- net/sched: act_simple: fix parsing of TCA_DEF_DATA
- ksm: add cond_resched() to the rmap_walks
- mm/ksm.c: ignore STABLE_FLAG of rmap_item->address in rmap_walk_ksm()
- l2tp: fix pseudo-wire type for sessions created by pppol2tp_connect()
- l2tp: only accept PPP sessions in pppol2tp_connect()
- l2tp: prevent pppol2tp_connect() from creating kernel sockets
- l2tp: clean up stale tunnel or session in pppol2tp_connect's error path
- cfg80211: initialize sinfo in cfg80211_get_station
- l2tp: reject creation of non-PPP sessions on L2TPv2 tunnels
- l2tp: filter out non-PPP sessions in pppol2tp_tunnel_ioctl()
- ext4: include the illegal physical block in the bad map ext4_error msg
- ext4: add more mount time checks of the superblock
- netfilter: nf_queue: augment nfqa_cfg_policy
- [armhf] mtd: rawnand: mxc: set spare area size register explicitly
- xfrm_user: prevent leaking 2 bytes of kernel memory
- scsi: target: Fix truncated PR-in ReadKeys response
- udf: Detect incorrect directory size
- [x86] Call fixup_exception() before notify_die() in math_error()
- [x86] speculation: Fix up array_index_nospec_mask() asm constraint
- [x86] spectre_v1: Disable compiler optimizations over
array_index_mask_nospec() (CVE-2017-5753)
- mtd: cfi_cmdset_0002: Use right chip in do_ppb_xxlock()
- mtd: cfi_cmdset_0002: fix SEGV unlocking multiple chips
- xen-netfront: fix locking in connect error path
- xen-netfront: use different locks for Rx and Tx stats
- xen-netfront: Use static attribute groups for sysfs entries
- xen-netfront: properly destroy queues when removing device
- xen-netfront: Remove the meaningless code
- net/xen-netfront: only clean up queues if present
- xen-netfront: Improve error handling during initialization
- xen-netfront: avoid crashing on resume after a failure in
talk_to_netback()
- xen-netfront: Fix race between device setup and open
- xen-netfront: Fix mismatched rtnl_unlock
- xen-netfront: Update features after registering netdev
- mtd: cfi_cmdset_0002: Fix unlocking requests crossing a chip boudary
- Input: elantech - report the middle button of the touchpad
- Input: elantech - enable middle button of touchpads on ThinkPad P52
- Input: elantech - fix V4 report decoding for module with middle key
- xen: Remove unnecessary BUG_ON from __unbind_from_irq()
- mtd: cfi_cmdset_0002: Avoid walking all chips when unlocking.
- [x86] mce: Do not overwrite MCi_STATUS in mce_no_way_out()
- time: Make sure jiffies_to_msecs() preserves non-zero time periods
- vhost_net: validate sock before trying to put its fd
- ipv6: mcast: fix unsolicited report interval after receiving querys
- batman-adv: Avoid storing non-TT-sync flags on singular entries too
- batman-adv: unify flags access style in tt global add
- batman-adv: Fix multicast TT issues with bogus ROAM flags
- xfrm: fix missing dst_release() after policy blocking lbcast and multicast
- xfrm: free skb if nlsk pointer is NULL
- RDMA/uverbs: Protect from attempts to create flows on unsupported QP
- RDMA/uverbs: Fix slab-out-of-bounds in ib_uverbs_ex_create_flow
- netfilter: nf_log: don't hold nf_log_mutex during user access
- nfsd: silence sparse warning about accessing credentials
- scsi: sg: mitigate read/write abuse
- block: Fix transfer when chunk sectors exceeds max
- net/mlx5: Fix incorrect raw command length parsing
- net/mlx5: Fix command interface race in polling mode
- dm thin: handle running out of data space vs concurrent discard
- n_tty: Fix stall at n_tty_receive_char_special().
- n_tty: Access echo_* variables carefully.
- tty: vt, remove reduntant check
- tty: vt, get rid of weird source code flow
- vt: prevent leaking uninitialized data to userspace via /dev/vcs*
- ahci: Disable LPM on Lenovo 50 series laptops with a too old BIOS
- ext4: Fix WARN_ON_ONCE in ext4_commit_super()
- ext4: check superblock mapped prior to committing
- sched/fair: Fix bandwidth timer clock drift condition
- [x86] cpufeatures: Hide AMD-specific speculation flags
- [x86] bugs: Add AMD's variant of SSB_NO (CVE-2018-3639)
- [x86] bugs: Add AMD's SPEC_CTRL MSR usage
- [x86] bugs: Switch the selection of mitigation from CPU vendor to CPU
features
- [x86] bugs: Fix the AMD SSBD usage of the SPEC_CTRL MSR
- RDMA/uverbs: Don't fail in creation of multiple flows
- tracing: Fix missing return symbol in function_graph output
- mm: hugetlb: yield when prepping struct pages
- smsc75xx: Add workaround for gigabit link up hardware errata.
- USB: serial: ch341: fix type promotion bug in ch341_control_in()
- drm/udl: fix display corruption of the last line
- cifs: Fix use after free of a mid_q_entry
- cifs: Fix infinite loop when using hard mount option
- cifs: store the leaseKey in the fid on SMB2_open
- cifs: Fix stack out-of-bounds in smb{2,3}_create_lease_buf()
- USB: serial: keyspan_pda: fix modem-status error handling
- USB: serial: mos7840: fix status-register error handling
- xhci: xhci-mem: off by one in xhci_stream_id_to_ring()
- usb: quirks: add delay quirks for Corsair Strafe
- [x86] ibmasm: don't write out of bounds in read handler
- [armhf] mmc: sdhci-esdhc-imx: allow 1.8V modes without 100/200MHz pinctrl
states
- HID: hiddev: fix potential Spectre v1 (CVE-2017-5753)
- ext4: fix inline data updates with checksums enabled
- RDMA/mlx5: Fix memory leak in mlx5_ib_create_srq() error path
- ext4: check for allocation block validity with block group locked
- skbuff: Unconditionally copy pfmemalloc in __skb_clone()
- qlogic: check kstrtoul() for errors
- mm, elf: handle vm_brk error
- binfmt_elf: fix calculations for bss padding
- mm: refuse wrapped vm_brk requests
- fs, elf: make sure to page align bss in load_elf_library
- mm: do not bug_on on incorrect length in __mm_populate()
- string: drop __must_check from strscpy()
- reiserfs: fix buffer overflow with long warning messages
- drm/nouveau/gem: off by one bugs in nouveau_gem_pushbuf_reloc_apply()
- drm/nouveau: Remove bogus crtc check in pmops_runtime_idle
- drm: re-enable error handling
- [i386] apm: Don't access __preempt_count with zeroed fs
- KEYS: DNS: fix parsing multiple options
- [x86] MCE: Remove min interval polling limitation
- random: mix rdrand with entropy sent in from userspace
- net: cxgb3_main: fix potential Spectre v1 (CVE-2017-5753)
- scsi: qla2xxx: Fix ISP recovery on unload
- scsi: qla2xxx: Return error when TMF returns
- [x86] crypto: padlock-aes - Fix Nano workaround data corruption
- usb: core: handle hub C_PORT_OVER_CURRENT condition
- fat: fix memory allocation failure handling of match_strdup()
- net: caif: Add a missing rcu_read_unlock() in caif_flow_cb
- multicast: do not restore deleted record source filter mode to new one
- atl1c: reserve min skb headroom
- can: constify of_device_id array
- can: dev: Consolidate and unify state change handling
- net/mlx4_core: Save the qpn from the input modifier in RST2INIT wrapper
- fscache: Allow cancelled operations to be enqueued
- cachefiles: Fix refcounting bug in backing-file read monitoring
- fscache: Fix reference overput in fscache_attach_object() error handling
- cachefiles: Fix missing clear of the CACHEFILES_OBJECT_ACTIVE flag
- cachefiles: Wait rather than BUG'ing on "Unexpected object collision"
- tracing: Fix double free of event_trigger_data
- ring_buffer: tracing: Inherit the tracing setting to next ring buffer
- tracing/kprobes: Fix trace_probe flags on enable_trace_kprobe() failure
- tracing: Fix possible double free in event_enable_trigger_func()
- tracing: Quiet gcc warning about maybe unused link variable
- kthread, tracing: Don't expose half-written comm when creating kthreads
- ipv4: remove BUG_ON() from fib_compute_spec_dst
- net: socket: fix potential spectre v1 gadget in socketcall
- squashfs: be more careful about metadata corruption
- can: ems_usb: Fix memory leak on ems_usb_disconnect()
- virtio_balloon: fix another race between migration and ballooning
- netlink: Do not subscribe to non-existent groups
- netlink: Don't shift with UB on nlk->ngroups
- squashfs: more metadata hardening
- nohz: Fix local_timer_softirq_pending()
- scsi: sr: Avoid that opening a CD-ROM hangs with runtime power management
enabled
- l2tp: fix missing refcount drop in pppol2tp_tunnel_ioctl()
- netlink: Don't shift on 64 for ngroups
- vfs: root dentries need RCU-delayed freeing
- packet: refine ring v3 block size test to hold one frame
- [x86] vsock: split dwork to avoid reinitializations
- dccp: fix undefined behavior with 'cwnd' shift in ccid2_cwnd_restart()
- vfs: fix mntput/mntput race
- vfs: fix __legitimize_mnt()/mntput() race
- VFS: Impose ordering on accesses of d_inode and d_flags
- vfs: use ->d_seq to get coherency between ->d_inode and ->d_flags
- vfs: unify dentry_iput() and dentry_unlink_inode()
- vfs: make sure that __dentry_kill() always invalidates d_seq, unhashed or
not
- xen/netfront: don't cache skb_shinfo()
- [i386] ALSA: msnd: add some missing curly braces
- media: v4l: event: Prevent freeing event subscriptions while accessed
- ceph: fix llistxattr on symlink
- ceph: use lookup request to revalidate dentry
- ceph: don't set req->r_locked_dir in ceph_d_revalidate
- ceph: fix endianness of getattr mask in ceph_d_revalidate
- dm bufio: avoid sleeping while holding the dm_bufio lock
- dm bufio: drop the lock when doing GFP_NOIO allocation
- fs/proc: Stop trying to report thread stacks
- leds: do not overflow sysfs buffer in led_trigger_show
- HID: reject input outside logical range only if null state is set
- HID: clamp input to logical range if no null state
- usbip: stub_rx: fix static checker warning on unnecessary checks
- [x86] KVM: fix escape of guest dr6 to the host
- iio: iio-trig-periodic-rtc: Free trigger resource correctly
- p54: memset(0) whole array
- usb: misc: usb3503: Update error code in print message
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.62
- [x86] EDAC: i7core: Return proper error codes for kzalloc() errors
- [x86] EDAC, i7core: Fix memleaks and use-after-free on probe and remove
- audit: Fix extended comparison of GID/EGID
- kprobes: Make list and blacklist root user read only
- USB: serial: sierra: fix potential deadlock at close
- [x86] platform: ideapad-laptop: Add Y520-15IKBN to no_hw_rfkill
- [x86] platform: ideapad-laptop: Apply no_hw_rfkill to Y20-15IKBM, too
- rndis_wlan: potential buffer overflow in rndis_wlan_auth_indication()
- IB/srpt: Support HCAs with more than two ports
- crypto: vmac - require a block cipher with 128-bit block size
- crypto: memzero_explicit - make sure to clear out sensitive data
- crypto: vmac - separate tfm and request context
- alarmtimer: Prevent overflow for relative nanosleep (CVE-2018-13053)
- scsi: target/iscsi: Make iscsit_ta_authentication() respect the output
buffer size
- libertas: fix suspend and resume for SDIO connected cards
- USB: serial: kobil_sct: fix modem-status error handling
- [x86] staging: rts5208: fix missing error check on call to
rtsx_write_register
- vxlan: fix a potential issue when create a new vxlan fdb entry.
- vxlan: add new fdb alloc and create helpers
- vxlan: fix default fdb entry netlink notify ordering during netdev create
- [x86] vmci: type promotion bug in qp_host_get_user_memory()
- [armhf] pwm: tiehrpwm: Don't use emulation mode bits to control PWM
output
- [armhf] pwm: tiehrpwm: Fix disabling of output of PWMs
- [x86] mei: bus: type promotion bug in mei_nfc_if_version()
- uart: fix race between uart_put_char() and uart_shutdown()
- tty: fix termios input-speed encoding
- tty: fix termios input-speed encoding when using BOTHER
- [armhf] mtd: rawnand: mxc: remove __init qualifier from mxcnd_probe_dt
- mtdchar: fix overflows in adjustment of `count`
- binfmt_elf: Respect error return from `regset->active'
- xen-netfront: fix queue name setting
- ALSA: memalloc: Don't exceed over the requested size
- PCI: hotplug: Don't leak pci_slot on registration failure
- PCI: pciehp: Fix use-after-free on unplug
- PCI: pciehp: Fix unprotected list iteration in IRQ handler
- [armhf] fbdev: omapfb: off by one in omapfb_register_client()
- fb: fix lost console when the user unplugs a USB adapter
- video: udlfb: Remove noisy warnings
- video: udlfb: Fix unaligned access
- udlfb: fix semaphore value leak
- udlfb: fix display corruption of the last line
- udlfb: don't switch if we are switching to the same videomode
- udlfb: make a local copy of fb_ops
- udlfb: set optimal write delay
- udlfb: handle allocation failure
- udlfb: set line_length in dlfb_ops_set_par
- xfrm: fix 'passing zero to ERR_PTR()' warning
- ALSA: seq: Fix poll() error return
- ALSA: vx: Fix possible transfer overflow
- ALSA: vx222: Fix invalid endian conversions
- ALSA: vxpocket: Fix invalid endian conversions
- [x86] ALSA: cs5535audio: Fix invalid endian conversion
- fuse: don't wake up reserved req in fuse_conn_kill()
- fuse: flush requests on umount
- fuse: Fix oops at process_init_reply()
- fuse: Don't access pipe->buffers without pipe_lock()
- fuse: Add missed unlock_page() to fuse_readpages_fill()
- scsi: virtio_scsi: fix pi_bytes{out,in} on 4 KiB block size devices
- ALSA: virmidi: Fix too long output trigger loop
- media: dvb-usb-v2/gl861: ensure USB message buffers DMA'able
- media: gl861: fix probe of dvb_usb_gl861
- [armhf] net: mvneta: fix mtu change on port without link
- [armhf] pinctrl: imx: off by one in imx_pinconf_group_dbg_show()
- udl-kms: change down_interruptible to down
- udl-kms: handle allocation failure
- udl-kms: fix crash due to uninitialized memory
- ath10k: prevent active scans on potential unusable channels
- ext4: check for NUL characters in extended attribute's name
- tracing: Do not call start/stop() functions when tracing_on does not
change
- ext4: fix spectre gadget in ext4_mb_regular_allocator() (CVE-2017-5753)
- IB/IPoIB: Set ah valid flag in multicast send flow
- uio: potential double frees if __uio_register_device() fails
- scsi: core: Avoid that SCSI device removal through sysfs triggers a
deadlock
- xfrm: Validate address prefix lengths in the xfrm selector.
- crypto: blkcipher - fix crash flushing dcache in error path
- crypto: ablkcipher - fix crash flushing dcache in error path
- ieee802154: 6lowpan: ensure header compression does not corrupt ipv6
header
- net: 6lowpan: fix reserved space for single frames
- mac802154: common tx error path
- mac802154: tx: cleanup crc calculation
- mac802154: tx: use put_unaligned_le16 for copy crc
- net: mac802154: tx: expand tailroom if necessary
- percpu_counter: batch size aware __percpu_counter_compare()
- btrfs: use correct compare function of dirty_metadata_bytes
- Btrfs: fix btrfs_write_inode vs delayed iput deadlock
- btrfs: rename total_bytes to avoid confusion
- dm cache metadata: save in-core policy_hint_size to on-disk superblock
- smb3: fill in statfs fsid and correct namelen
- cifs: add missing debug entries for kconfig options
- [armel/kirkwood,armhf] PCI: mvebu: Fix I/O space end address calculation
- media: rtl28xxu: be sure that it won't go past the array size
- scsi: aic94xx: fix an error code in aic94xx_init()
- b43/leds: Ensure NUL-termination of LED name string
- b43legacy/leds: Ensure NUL-termination of LED name string
- uprobes: Use synchronize_rcu() not synchronize_sched()
- net/9p/client.c: version pointer uninitialized
- 9p/net: Fix zero-copy path in the 9p virtio transport
- net/9p/trans_fd.c: fix race-condition by flushing workqueue before the
kfree()
- fs/9p/xattr.c: catch the error of p9_client_clunk when setting xattr
failed
- 9p: fix multiple NULL-pointer-dereferences
- 9p/virtio: fix off-by-one error in sg list bounds check
- [armhf] KVM: Skip updating PMD entry if no change
- [armhf] KVM: Skip updating PTE entry if no change
- l2tp: use sk_dst_check() to avoid race on sk->sk_dst_cache
- ubifs: Fix synced_i_size calculation for xattr inodes
- ubifs: Fix memory leak in lprobs self-check
- ubifs: Check data node size before truncate
- [x86] drm/i915: set DP Main Stream Attribute for color range on DDI
platforms
- netfilter: nft_set: fix allocation size overflow in privsize callback.
- netfilter: nf_tables: fix register ordering
- tracing/blktrace: Fix to allow setting same value
- [x86] process: Re-export start_thread()
- iscsi-target: nullify session in failed login sequence
- ISCSI: fix minor memory leak
- iscsi target: fix session creation failure handling
- fs/quota: Fix spectre gadget in do_quotactl (CVE-2017-5753)
- reiserfs: fix broken xattr handling (heap corruption, bad retval)
- apparmor: remove no-op permission check in policy_unpack
- getxattr: use correct xattr length
- mm: move tlb_table_flush to tlb_flush_mmu_free
- mm/tlb: Remove tlb_remove_table() non-concurrent condition
- cifs: check kmalloc before use
- hwmon: (nct6775) Fix potential Spectre v1 (CVE-2017-5753)
- ext4: check to make sure the rename(2)'s destination is not freed
- [x86] spectre: Add missing family 6 check to microcode check
- [x86] speculation/l1tf: Increase l1tf memory limit for Nehalem+
- USB: serial: io_ti: fix array underflow in completion handler
- USB: serial: ti_usb_3410_5052: fix array underflow in completion handler
- ext4: avoid divide by zero fault when deleting corrupted inline
directories
- usb: gadget: udc: net2280: do not rely on 'driver' argument
- usb: gadget: net2280: fix pullup handling
- USB: net2280: Fix erroneous synchronization change
- ipv6: fix cleanup ordering for pingv6 registration
- cfg80211: nl80211_update_ft_ies() to validate NL80211_ATTR_IE
- ipmi: Move BT capabilities detection to the detect call
- [x86] microcode/intel: Check microcode revision before updating sibling
threads
- [x86] microcode: Make sure boot_cpu_data.microcode is up-to-date
- [x86] microcode: Update the new microcode revision unconditionally
- igmp: fix incorrect unsolicit report count when join group
- igmp: fix incorrect unsolicit report count after link down and up
- SMB3: Backup intent flag missing for directory opens with backupuid
mounts
- smb3: check for and properly advertise directory lease support
- cifs: connect to servername instead of IP for IPC$ share
- xfrm6: call kfree_skb when skb is toobig
- ext4: fix online resize's handling of a too-small final block group
- ext4: prevent online resize with backup superblock
- ext4: fix online resizing for bigalloc file systems with a 1k block size
- nbd: don't allow invalid blocksize settings
- RDMA/ucma: check fd type in ucma_migrate_id()
- RDMA/cxgb4: Only call CQ completion handler if it is armed
- iw_cxgb4: atomically flush the qp
- iw_cxgb4: only allow 1 flush on user qps
- cfg80211: reg: Init wiphy_idx in regulatory_hint_core()
- USB: add quirk for WORLDE Controller KS49 or Prodipe MIDI 49C USB
controller
- USB: yurex: Fix buffer over-read in yurex_write()
- USB: Add quirk to support DJI CineSSD
- usb: uas: add support for more quirk flags
- usb: Don't die twice if PCI xhci host is not responding in resume
- usb: Avoid use-after-free by flushing endpoints early in
usb_set_interface()
- usb: host: u132-hcd: Fix a sleep-in-atomic-context bug in
u132_get_frame()
- usb: misc: uss720: Fix two sleep-in-atomic-context bugs
- IB/ipoib: Avoid a race condition between start_xmit and cm_rep_handler
- hwmon: (nct6775) Set weight source to zero correctly
- batman-adv: Prevent duplicated gateway_node entry
- batman-adv: Use kref_get for batadv_nc_get_nc_node
- batman-adv: Prevent duplicated nc_node entry
- [x86] process: Don't mix user/kernel regs in 64bit __show_regs()
- batman-adv: Place kref_get for softif_vlan near use
- batman-adv: Prevent duplicated softif_vlan entry
- batman-adv: Prevent duplicated global TT entry
- batman-adv: Prevent duplicated tvlv handler
- dm: disable CRYPTO_TFM_REQ_MAY_SLEEP to fix a GFP_KERNEL recursion
deadlock
- RDMA/cma: Protect cma dev list with lock
- drm/nouveau/drm/nouveau: Use pm_runtime_get_noresume() in
connector_detect()
- hwmon: (nct6775) Fix access to fan pulse registers
- [x86] mm: Use WRITE_ONCE() when setting PTEs
- ALSA: bebob: use address returned by kmalloc() instead of kernel stack
for streaming DMA mapping
- ALSA: emu10k1: fix possible info leak to userspace on
SNDRV_EMU10K1_IOCTL_INFO
- [x86] drm/i915/bdw: Increase IPS disable timeout to 100ms
- drm: udl: Destroy framebuffer only if it was initialized
- [x86] platform: alienware-wmi: Correct a memory leak
- [x86] boot: Move EISA setup to a separate file
- [x86] EISA: Don't probe EISA bus for Xen PV guests
- misc: hmc6352: fix potential Spectre v1 (CVE-2017-5753)
- cifs: prevent integer overflow in nxt_dir_entry()
- CIFS: fix wrapping bugs in num_entries()
- cifs: integer overflow in in SMB2_ioctl()
- pstore: Fix incorrect persistent ram buffer mapping
- ext4: don't mark mmp buffer head dirty
- pppoe: fix reception of frames with no mac header
- ipv6: fix possible use-after-free in ip6_xmit()
- ring-buffer: Allow for rescheduling when removing pages
- tty: vt_ioctl: fix potential Spectre v1 (CVE-2017-5753)
- [x86] Input: elantech - enable middle button of touchpad on ThinkPad P72
- [armel,armhf] 8799/1: mm: fix pci_ioremap_io() offset check
- [x86] paravirt: Fix some warning messages
- ip6_tunnel: be careful when accessing the inner header
- USB: usbdevfs: sanitize flags more
- USB: usbdevfs: restore warning for nonsensical flags
- USB: leave LPM alone if possible when binding/unbinding interface drivers
- USB: remove LPM management from usb_driver_claim_interface()
- USB: fix error handling in usb_driver_claim_interface()
- USB: handle NULL config in usb_find_alt_setting()
- regulator: fix crash caused by null driver data
- ubifs: Check for name being NULL while mounting
- mm: shmem.c: Correctly annotate new inodes for lockdep
- ocfs2: fix ocfs2 read block panic
- ip_tunnel: be careful when accessing the inner header
- [armhf] fbdev/omapfb: fix omapfb_memory_read infoleak
- bcache: don't embed 'return' statements in closure macros
- bcache: Remove deprecated create_workqueue
- bcache: explicitly destroy mutex while exiting
- bcache: do not assign in if condition in bcache_init()
- bcache: add separate workqueue for journal_write to avoid deadlock
- PCI: Reprogram bridge prefetch registers on resume
- asix: Check for supported Wake-on-LAN modes
- ax88179_178a: Check for supported Wake-on-LAN modes
- sr9800: Check for supported Wake-on-LAN modes
- r8152: Check for supported Wake-on-LAN Modes
- smsc75xx: Check for Wake-on-LAN modes
- smsc95xx: Check for Wake-on-LAN modes
- qlcnic: fix Tx descriptor corruption on 82xx devices
- pstore/ram: Fix failure-path memory leak in ramoops_init
- mac80211: fix setting IEEE80211_KEY_FLAG_RX_MGMT for AP mode keys
- xhci: Add missing CAS workaround for Intel Sunrise Point xHCI
- net: sched: act_ipt: check for underflow in __tcf_ipt_init()
- [x86] vdso: Fix asm constraints on vDSO syscall fallbacks
- perf/core: Protect PMU device removal with a 'pmu_bus_running' check, to
fix CONFIG_DEBUG_TEST_DRIVER_REMOVE=y kernel panic
- perf/core: Fix perf_pmu_unregister() locking
- perf/ring_buffer: Prevent concurent ring buffer access
- rtnl: limit IFLA_NUM_TX_QUEUES and IFLA_NUM_RX_QUEUES to 4096
- smb2: fix missing files in root share directory listing
- drm: fb-helper: Reject all pixel format changing requests
- PM / core: Clear the direct_complete flag on errors
- team: Forbid enslaving team device to itself
- ipv6: Compute net once in raw6_send_hdrinc
- ipv6: take rcu lock in rawv6_send_hdrinc()
- proc: restrict kernel stack dumps to root (CVE-2018-17972)
- mm/vmstat.c: skip NR_TLB_REMOTE_FLUSH* properly
- ocfs2: fix locking for res->tracking and dlm->tracking_list
- mm: madvise(MADV_DODUMP): allow hugetlbfs pages
- usb: usbip: Fix BUG: KASAN: slab-out-of-bounds in vhci_hub_control()
- dm cache: destroy migration_cache if cache target registration failed
- libertas: call into generic suspend code before turning off power
- net: make skb_partial_csum_set() more robust against overflows
- net: ipv4: update fnhe_pmtu when first hop's MTU changes
- [x86] percpu: Fix this_cpu_read()
- USB: fix the usbfs flag sanitization for control transfers
- IB/ucm: Fix Spectre v1 vulnerability (CVE-2017-5753)
- RDMA/ucma: Fix Spectre v1 vulnerability (CVE-2017-5753)
- usb: gadget: storage: Fix Spectre v1 vulnerability (CVE-2017-5753)
- ptp: fix Spectre v1 vulnerability (CVE-2017-5753)
- cachefiles: fix the race between cachefiles_bury_object() and rmdir(2)
- r8169: fix NAPI handling under high load
- net/ipv6: Fix index counter for unicast addresses in in6_dump_addrs
- cpuidle: Do not access cpuidle_devices when !CONFIG_CPU_IDLE
- KEYS: encrypted: fix buffer overread in valid_master_desc()
(CVE-2017-13305)
- wil6210: missing length check in wmi_set_ie (CVE-2018-5848)
- posix-timers: Sanitize overrun handling (CVE-2018-12896)
- mm: cleancache: fix corruption on missed inode invalidation
(CVE-2018-16862)
- mremap: properly flush TLB before releasing the page (CVE-2018-18281)
- xfs: don't fail when converting shortform attr to long form during
ATTR_REPLACE (CVE-2018-18690)
- cdrom: fix improper type cast, which can leat to information leak.
(CVE-2018-18710)
- xen-netfront: fix warn message as irq device name has '/'
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.63
- [x86] asm: Add pud/pmd mask interfaces to handle large PAT bit
- [x86] asm: Move PUD_PAGE macros to page_types.h
- [x86] asm: Fix pud/pmd interfaces to handle large PAT bit
- [x86] mm: Simplify p[g4um]d_page() macros
- [x86] mm: Fix regression with huge pages on PAE
- ipv6: Fix another sparse warning on rt6i_node
- timer/debug: Change /proc/timer_list from 0444 to 0400 (CVE-2017-5967)
- [i386/686-pae] use 64 bit atomic xchg function in
native_ptep_get_and_clear
- [x86] staging: comedi: quatech_daqp_cs: fix bug in daqp_ao_insn_write()
- [x86] staging: comedi: quatech_daqp_cs: use comedi_timeout() in ao
(*insn_write)
- [x86] staging: comedi: quatech_daqp_cs: fix no-op loop
daqp_ao_insn_write()
- media: v4l: event: Add subscription to list before calling "add"
operation
- libertas_tf: prevent underflow in process_cmdrequest()
- [armhf] dts: exynos: Disable pull control for MAX8997 interrupts on Origen
- [x86] corruption-check: Fix panic in memory_corruption_check() when boot
option without value is provided
- media: uvcvideo: Fix uvc_alloc_entity() allocation alignment
- signal: Always deliver the kernel's SIGKILL and SIGSTOP to a pid
namespace init
- scsi: qla2xxx: Fix incorrect port speed being set for FC adapters
- scsi: qla2xxx: shutdown chip if reset fail
- media: em28xx: use a default format if TRY_FMT fails
- media: em28xx: fix input name for Terratec AV 350
- media: em28xx: make v4l2-compliance happier by starting sequence on zero
- media: tvp5150: fix width alignment during set_selection()
- PCI/ASPM: Fix link_state teardown on device removal
- [armhf] usb: chipidea: Prevent unbalanced IRQ disable
- crypto: lrw - Fix out-of bounds access on counter overflow
- media: pci: cx23885: handle adding to list failure
- net: phy: Stop with excessive soft reset
- fuse: fix blocked_waitq wakeup
- [x86] EDAC, {i7core,sb,skx}_edac: Fix uncorrected error counting
- [x86] pcmcia: Implement CLKRUN protocol disabling for Ricoh bridges
- ext4: fix EXT4_IOC_SWAP_BOOT
- [x86] VMCI: Resource wildcard match fixed
- ext4: initialize retries variable in ext4_da_write_inline_data_begin()
- [x86] hibernate: Fix nosave_regions setup for hibernation
- IB/mthca: Fix error return code in __mthca_init_one()
- ALSA: usb-audio: update quirk for B&W PX to remove microphone
- USB: serial: cypress_m8: fix interrupt-out transfer length
- printk: Fix panic caused by passing log_buf_len to command line
- [x86] mach64: fix image corruption due to reading accelerator registers
- bcache: fix wrong cache_misses statistics
- bcache: fix miss key refill->end in writeback
- media: cx231xx: fix potential sign-extension overflow on large shift
- [x86] staging: comedi: ni_mio_common: protect register write overflow
- [x86] PCI: Add Device IDs for Intel GPU "spurious interrupt" quirk
- [x86] ALSA: hda - Add mic quirk for the Lenovo G50-30 (17aa:3905)
- ext4: fix use-after-free race in ext4_remount()'s error path
- gfs2_meta: ->mount() can get NULL dev_name
- iwlwifi: mvm: check return value of rs_rate_from_ucode_rate()
- libertas: don't set URB_ZERO_PACKET on IN USB transfer
- btrfs: fix error handling in btrfs_dev_replace_start
- btrfs: wait on caching when putting the bg cache
- Btrfs: don't clean dirty pages during buffered writes
- tun: Consistently configure generic netdev params via rtnetlink
- jffs2: free jffs2_sb_info through jffs2_kill_sb()
- IB/{cm, umad}: Handle av init error
- IB/cm: Fix sleeping while spin lock is held
- IB/cm: Avoid AV ah_attr overwriting during LAP message handling
- RDMA/cm: Respect returned status of cm_init_av_by_path
- [armhf] clk: s2mps11: Fix matching when built as module and DT node
contains compatible
- [x86] KVM: remove code for lazy FPU handling
- [x86] KVM: nVMX: Always reflect #NM VM-exits to L1
- Btrfs: fix null pointer dereference on compressed write path error
- [x86] drm/i915: Large page offsets for pread/pwrite
- xfs: Fix xqmstats offsets in /proc/fs/xfs/xqmstat
- [x86] ACPICA: AML interpreter: add region addresses in global list during
initialization
- dm ioctl: harden copy_params()'s copy_from_user() from malicious users
- xen-swiotlb: use actually allocated size on check physical continuous
- genirq: Fix race on spurious interrupt detection
- libceph: bump CEPH_MSG_MAX_DATA_LEN
- Btrfs: fix use-after-free when dumping free space
- qlcnic: fix a return in qlcnic_dcb_get_capability()
- llc: do not use sk_eat_skb()
- of: add helper to lookup compatible child node
- smb3: allow stats which track session and share reconnects to be reset
- smb3: do not attempt cifs operation in smb3 query info error path
- HID: hiddev: fix potential Spectre v1 (CVE-2017-5753)
- ipv6/ndisc: Preserve IPv6 control buffer if protocol error handlers are
called
- hugetlbfs: dirty pages as they are added to pagecache
- net: sched: gred: pass the right attribute to gred_change_table_def()
- ALSA: ca0106: Disable IZD on SB0570 DAC to fix audio pops
- nfsd: Fix an Oops in free_session()
- lockd: fix access beyond unterminated strings in prints
- rtnetlink: Disallow FDB configuration for non-Ethernet device
- Cramfs: fix abad comparison when wrap-arounds occur
- smb3: on kerberos mount if server doesn't specify auth type use krb5
- netfilter: x_tables: add and use xt_check_proc_name
- netfilter: xt_IDLETIMER: add sysfs filename checking routine
- ocfs2: fix a misuse a of brelse after failing ocfs2_check_dir_entry
- memory_hotplug: cond_resched in __remove_pages
- ext4: avoid potential extra brelse in setup_new_flex_group_blocks()
- ext4: add missing brelse() in set_flexbg_block_bitmap()'s error path
- ext4: add missing brelse() add_new_gdb_meta_bg()'s error path
- ext4: add missing brelse() update_backups()'s error path
- [x86] clockevents/drivers/i8253: Add support for PIT shutdown quirk
- [x86] hyper-v: Enable PIT shutdown quirk
- sunrpc: correct the computation for page_ptr when truncating
- xfrm: Fix bucket count reported to userspace
- Btrfs: fix cur_offset in the error case for nocow
- Btrfs: fix data corruption due to cloning of eof block
- ext4: fix missing cleanup if ext4_alloc_flex_bg_array() fails while
resizing
- ext4: fix possible inode leak in the retry loop of ext4_resize_fs()
- ext4: avoid buffer leak in ext4_orphan_add() after prior errors
- ext4: avoid possible double brelse() in add_new_gdb() on error path
- USB: Wait for extra delay time after USB_PORT_FEAT_RESET for quirky hub
- usb: quirks: Add delay-init quirk for Corsair K70 LUX RGB
- USB: quirks: Add no-lpm quirk for Raydium touchscreens
- USB: misc: appledisplay: add 20" Apple Cinema Display
- ext4: fix possible leak of sbi->s_group_desc_leak in error path
- ext4: release bs.bh before re-using in ext4_xattr_block_find()
- ext4: fix buffer leak in ext4_xattr_move_to_block() on error path
- ext4: fix buffer leak in __ext4_read_dirblock() on error path
- mount: Retest MNT_LOCKED in do_umount
- mount: Don't allow copying MNT_UNBINDABLE|MNT_LOCKED mounts
- mount: Prevent MNT_DETACH from disconnecting locked mounts
- HID: Add quirk for Microsoft PIXART OEM mouse
- termios, tty/tty_baudrate.c: fix buffer overrun
- SUNRPC: drop pointless static qualifier in xdr_get_next_encode_buffer()
- [armhf] net: stmmac: Fix RX packet size > 8191
- mac80211_hwsim: Replace bogus hrtimer clockid
- mac80211_hwsim: Timer should be initialized before device registered
- mac80211: Clear beacon_int in ieee80211_do_stop
- ALSA: oss: Use kvzalloc() for local buffer allocations
- fuse: fix leaked notify reply
- can: raw: check for CAN FD capable netdev in raw_sendmsg()
- can: dev: can_get_echo_skb(): factor out non sending code to
__can_get_echo_skb()
- can: dev: __can_get_echo_skb(): replace struct can_frame by canfd_frame
to access frame length
- can: dev: __can_get_echo_skb(): Don't crash the kernel if
can_priv::echo_skb is accessed out of bounds
- can: dev: __can_get_echo_skb(): print error message, if trying to echo
non existing skb
- usb: xhci: fix uninitialized completion when USB3 port got wrong status
- usb: xhci: fix timeout for transition from RExit to U0
- sysv: return 'err' instead of 0 in __sysv_write_inode
- floppy: fix race condition in __floppy_read_block_0()
- [x86] Drivers: hv: kvp: Fix the recent regression caused by incorrect
clean-up
- uio: Fix an Oops on load
- batman-adv: Check total_size when queueing fragments
- batman-adv: Use only queued fragments when merging
- batman-adv: Expand merged fragment buffer for full packet
- netfilter: nf_tables: don't use position attribute on rule replacement
- libata: Apply NOLPM quirk for SAMSUNG MZMPC128HBFU-000MV SSD
- libata: Apply NOLPM quirk for SAMSUNG PM830 CXM13D1Q.
- libata: Apply NOLPM quirk for SAMSUNG MZ7TD256HAFV-000L9
- libata: blacklist SAMSUNG MZ7TD256HAFV-000L9 SSD
- NFSv4: Don't exit the state manager without clearing
NFS4CLNT_MANAGER_RUNNING
- btrfs: Always try all copies when reading extent buffers
- netfilter: nf_tables: fix oob access
- netfilter: nf_tables: fix use-after-free when deleting compat expressions
- Btrfs: ensure path name is null terminated at btrfs_control_ioctl
- usb: core: Fix hub port connection events lost
- l2tp: fix a sock refcnt leak in l2tp_tunnel_register
- usb: xhci: Prevent bus suspend if a port connect change or polling state
is detected
- net/mlx4: Fix UBSAN warning of signed integer overflow
- iio/hid-sensors: Fix IIO_CHAN_INFO_RAW returning wrong values for signed
numbers
- net-gro: reset skb->pkt_type in napi_reuse_skb()
- hugetlbfs: fix kernel BUG at fs/hugetlbfs/inode.c:444!
- hwmon: (w83795) temp4_type has writable permission
- [x86] drm/ast: Remove existing framebuffers before loading driver
- exportfs: fix 'passing zero to ERR_PTR()' warning
- [x86] drm/i915: Disable LP3 watermarks on all SNB machines
- HID: uhid: forbid UHID_CREATE under KERNEL_DS or elevated privileges
- usb: cdc-acm: add entry for Hiro (Conexant) modem
- HID: Add quirk for Primax PIXART OEM mice
- [x86] ACPI / platform: Add SMB0001 HID to forbidden_id_list
- iser: set sector for ambiguous mr status errors
- [x86] drm/ast: change resolution may cause screen blurred
- [x86] drm/ast: fixed cursor may disappear sometimes
- Btrfs: fix race between enabling quotas and subvolume creation
- uprobes: Fix handle_swbp() vs. unregister() + register() race once more
- btrfs: relocation: set trans to be NULL after ending transaction
- exportfs: do not read dentry after free
- ALSA: ac97: Fix incorrect bit shift at AC97-SPSA control write
- team: no need to do team_notify_peers or team_mcast_rejoin when disabling
port
- [i386] ALSA: wss: Fix invalid snd_free_pages() at error path
- ALSA: control: fix failure to return numerical ID in 'add' event
- ALSA: control: Fix race between adding and removing a user element
- [armhf] Revert "usb: dwc3: gadget: skip Set/Clear Halt when invalid"
- USB: usb-storage: Add new IDs to ums-realtek
- usb: core: quirks: add RESET_RESUME quirk for Cherry G230 Stream series
- [x86] Drivers: hv: vmbus: check the creation_status in
vmbus_establish_gpadl()
- kvm: mmu: Fix race in emulated page table writes
- [x86] kvm: svm: Ensure an IBPB on all affected CPUs when freeing a vmcb
- ALSA: pcm: Call snd_pcm_unlink() conditionally at closing
- [x86] ALSA: hda: Add support for AMD Stoney Ridge
- hfs: do not free node before using
- tun: forbid iface creation with rtnl ops
- SUNRPC: Fix leak of krb5p encode pages
- SUNRPC: Fix a potential race in xprt_connect()
- ALSA: usb-audio: Avoid nested autoresume calls
- ALSA: usb-audio: Replace probing flag with active refcount
- ALSA: usb-audio: Fix UAF decrement if card has no live interfaces in
card.c (CVE-2018-19824)
- media: vb2: don't call __vb2_queue_cancel if vb2_start_streaming failed
- mmc: core: use mrq->sbc when sending CMD23 for RPMB
- [armhf] MMC: OMAP: fix broken MMC on OMAP15XX/OMAP5910/OMAP310
- rtnetlink: ndo_dflt_fdb_dump() only work for ARPHRD_ETHER devices
- staging: rtl8712: Fix possible buffer overrun
- usb: appledisplay: Add 27" Apple Cinema Display
- usb: quirk: add no-LPM quirk on SanDisk Ultra Flair device
- mac80211: fix reordering of buffered broadcast packets
- mac80211: ignore NullFunc frames in the duplicate detection
- USB: check usb_get_extra_descriptor for proper size (CVE-2018-20169)
- cifs: Fix separator when building path from dentry
- [x86] xhci: workaround CSS timeout on AMD SNPS 3.0 xHC
- xhci: Prevent U1/U2 link pm states if exit latency is too long
- bnx2fc: fix an error code in _bnx2fc_create()
- scsi: bnx2fc: Fix NULL dereference in error handling
- net/mlx4_core: Correctly set PFC param if global pause is turned off.
- USB: serial: option: add HP lt4132
- aio: fix spectre gadget in lookup_ioctx (CVE-2017-5753)
- tracing: Fix memory leak in set_trigger_filter()
- tracing: Fix memory leak of instance function hash filters
- fuse: cleanup fuse_file refcounting
- fuse: continue to send FUSE_RELEASEDIR when FUSE_OPEN returns ENOSYS
- USB: serial: option: add Simcom SIM7500/SIM7600 (MBIM mode)
- scsi: sd: use mempool for discard special page
- [x86] vhost: make sure used idx is seen before log in vhost_add_used_n()
- [x86] Drivers: hv: vmbus: Return -EINVAL for the sys files for unopened
channels
- xhci: Don't prevent USB2 bus suspend in state check intended for USB3 only
- [armhf] mmc: omap_hsmmc: fix DMA API warning
- mmc: core: Reset HPI enabled state during re-init and in case of errors
- mmc: core: Use a minimum 1600ms timeout when enabling CACHE ctrl
- [x86] VSOCK: Send reset control packet when socket is partially bound
- [x86] KVM: Fix NULL deref in vcpu_scan_ioapic
- [x86] KVM: Handle MSR_IA32_PERF_CTL
- [x86] KVM: Add MSR_AMD64_DC_CFG to the list of ignored MSRs
- [x86] kvm: Add AMD's EX_CFG to the list of ignored MSRs
- [x86] mtrr: Don't copy uninitialized gentry fields back to userspace
- vxlan: Fix error path in __vxlan_dev_create()
- vxge: ensure data0 is initialized in when fetching firmware version
information
- drm: Rewrite drm_ioctl_flags() to resemble the new drm_ioctl() code
- drm/ioctl: Fix Spectre v1 vulnerabilities (CVE-2017-5753)
- ipv6: tunnels: fix two use-after-free
- [x86] vdso: Fix vDSO syscall fallback asm constraint regression
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.64
- xfs: don't BUG() on mixed direct and mapped I/O (CVE-2016-10741)
- mm: cma: fix incorrect type conversion for size during dma allocation
- swiotlb: clean up reporting (CVE-2018-5953)
- sunrpc: use-after-free in svc_process_common() (CVE-2018-16884)
- USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data
(CVE-2018-19985)
- net/appletalk: fix minor pointer leak to userspace in SIOCFINDIPDDPRT
(CVE-2018-20511)
- can: gw: ensure DLC boundaries after CAN frame modification
(CVE-2019-3701)
- HID: debug: fix error handling in hid_debug_events_read()
- HID: debug: improve hid_debug_event()
- HID: debug: fix the ring buffer implementation (CVE-2019-3819)
- KVM: Protect device ops->create and list_add with kvm->lock
- KVM: use after free in kvm_ioctl_create_device() (CVE-2016-10150)
- kvm: fix kvm_ioctl_create_device() reference counting (CVE-2019-6974)
- [x86] KVM: nVMX: unconditionally cancel preemption timer in free_nested
(CVE-2019-7221)
- [x86] KVM: work around leak of uninitialized stack contents
(CVE-2019-7222)
.
[ Ben Hutchings ]
* [x86] mm: Really use WRITE_ONCE() when setting PTEs
* timer/debug: Change /proc/timer_stats from 0644 to 0600 (CVE-2017-5967)
* Revert "timer: Restrict timer_stats to initial PID namespace"
* Bump ABI to 8
* mm: enforce min addr even if capable() in expand_downwards()
(CVE-2019-9213)
Checksums-Sha1:
6f14cd980d79127f49e6e49b63b8a85c439a2cc7 140642 linux_3.16.64-1.dsc
ea818df5d53b69a1b5723ef710f4791a2424e3f8 82030984 linux_3.16.64.orig.tar.xz
37157025217981cc2ccf5fbc8f7813f3166b3c13 1158404 linux_3.16.64-1.debian.tar.xz
b897cd2cfd160ae2ef4f4ec31b4cde5f48dbc359 447532 linux-support-3.16.0-8_3.16.64-1_all.deb
d37711696e1b9a48bf4d643828028d1b358d3766 8396934 linux-doc-3.16_3.16.64-1_all.deb
fc2e5f8c0365c40ee850e595a6e5188366df8fb4 3783728 linux-manual-3.16_3.16.64-1_all.deb
ebb78f343e6bb05074a84a8d877160237236f63c 83944036 linux-source-3.16_3.16.64-1_all.deb
Checksums-Sha256:
db821d3dcc07e21f53150c589c95ef4b5910b48ce5d3aa3725a26376addde9ed 140642 linux_3.16.64-1.dsc
9b790f2a34a33be968c76dfb1c71c4a5dbede590b5d5e8b18d2a2a8c1b95a036 82030984 linux_3.16.64.orig.tar.xz
7c6c0276d7b35a3dbe51c5102682cbb1c842c65e7cdee929c5635438c95a3294 1158404 linux_3.16.64-1.debian.tar.xz
000015a912e17a79fa341a993f43b3c069e94050c18b108daef60baa9aa8076c 447532 linux-support-3.16.0-8_3.16.64-1_all.deb
ba834600decc15aef03c956b368e939002232ad31ef2a8621ab9f5f36ca62702 8396934 linux-doc-3.16_3.16.64-1_all.deb
e0d85ab48a7b7815f51220c43ef17a78ce517c0ccc8cce7ed6e85d9f24632f2c 3783728 linux-manual-3.16_3.16.64-1_all.deb
ba35215f33db45e1dacb23db9ad68c84d539f3b83a57e8b80d067a69a8989837 83944036 linux-source-3.16_3.16.64-1_all.deb
Files:
74bfaefa91cdafc71b781ea3e2966969 140642 kernel optional linux_3.16.64-1.dsc
827d49dff5c82ba249e75b5b825af406 82030984 kernel optional linux_3.16.64.orig.tar.xz
5adb3d4096f520938321c258f1adb6dd 1158404 kernel optional linux_3.16.64-1.debian.tar.xz
bc3bfc1f1b3ed5b64a9193f9d22d048e 447532 devel optional linux-support-3.16.0-8_3.16.64-1_all.deb
7c5be0a6203af85feedd68c397f52caf 8396934 doc optional linux-doc-3.16_3.16.64-1_all.deb
2c55fe90a75d22c60b1691d47d27db83 3783728 doc optional linux-manual-3.16_3.16.64-1_all.deb
4249a92d689fbd44a7dd97ecd4899b33 83944036 kernel optional linux-source-3.16_3.16.64-1_all.deb
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEErCspvTSmr92z9o8157/I7JWGEQkFAlyaTucACgkQ57/I7JWG
EQkJwQ//TZ+UWO8VkyAcuX4dbBHxDyM36WpHrDy51dyj1i5aA6d5WHef8DuD74Tm
eJT55pLaS0GBTERmUXX7JFc88yzHvL1mi5BQ1Hh4RnicfQCmQ54ePVXmyQnhlI9S
jEDImk6A447yVmJDijX12jtog+V13x3237bu/a51+D1GkFlRdH7d5spjW7947raZ
zx7l/EYK0+ErUFKswlkpZOSMOBtC1vw7L1AlxJ8RuKcCPvzpwnHesFW6zNKpR7wK
abIIxa+1Yh2WkQauSQ78E7l5R47tuijJF4J3glIw1l8B4hJt8IwnJPmtjLfs07+9
Y+Lnhf//UW9QclceyBQP8pDYNqELLmIXv3EHlKGMVa1THziaG+DXpV3CEeNTFdJH
LzBVeI1fOT90SpY9tlCkA1wMsXmpI96CQFIzqqa1filIQtpyhlNclrVWyu9QXzdV
ZicsoB9qn9NnFnWUV1VzH5dVnbQ/NmrL66OOgs/fXBMZRkCaFL2u53qvT+B6k2L5
gDHpOGFjSKRrVwtzi+DpLQm69ticQk2bwKNhJHxuw4G2XrUQKeNbqv8SbDfuU6TC
e2aMKE5dsVMczjIPBiaW6G6RE76t79Lsf9WYrFIX89b+ObPsOhXzMOhN/8liWynG
67Xq8U6ImfD5hJh7KJzPbdqZg8snd2Y1c0FZfksg56WY5++0OF4=
=OBIO
-----END PGP SIGNATURE-----
