-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Tue, 09 Jun 2020 14:00:02 +0100 Binary: linux-doc-3.16 linux-manual-3.16 linux-source-3.16 linux-support-3.16.0-11 Source: linux Architecture: all source Version: 3.16.84-1 Distribution: jessie-security Urgency: high Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org> Changed-By: Ben Hutchings <benh@debian.org> Description: linux-doc-3.16 - Linux kernel specific documentation for version 3.16 linux-manual-3.16 - Linux kernel API manual pages for version 3.16 linux-source-3.16 - Linux kernel source for version 3.16 with Debian patches linux-support-3.16.0-11 - Support files for Linux 3.16 Changes: linux (3.16.84-1) jessie-security; urgency=high . * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.82 - ALSA: line6: Drop superfluous snd_device for PCM - ALSA: line6: Fix memory leak at line6_init_pcm() error path - pstore/ram: Write new dumps to start of recycled zones - [armhf] net: davinci_cpdma: use dma_addr_t for DMA address - [armhf] stmmac: fix oversized frame reception - [armhf] net: stmmac: use correct DMA buffer size in the RX descriptor - [armhf] net: stmmac: don't stop NAPI processing when dropping a packet - workqueue: Fix spurious sanity check failures in destroy_workqueue() - ath9k_hw: fix uninitialized variable data - ar5523: check NULL before memcpy() in ar5523_cmd() - [i386] drm/i810: Prevent underflow in ioctl - usbvision: remove power_on_at_open and timed power off - usbvision-video: two use after frees - usbvision: fix locking error - media: usbvision: Fix invalid accesses after device disconnect - media: usbvision: Fix races among open, close, and disconnect - sunrpc: fix crash when cache_head become valid before update - [x86] PCI: Fix Intel ACS quirk UPDCR register address - Bluetooth: hci_core: fix init for HCI_USER_CHANNEL - compat_ioctl: handle SIOCOUTQNSD - [x86] ioapic: Prevent inconsistent state when moving an interrupt - xfs: Sanity check flags of Q_XQUOTARM call - cpuidle: Do not unset the driver if it is there already - scsi: csiostor: Don't enable IRQs too early - scsi: esas2r: unlock on error in esas2r_nvram_read_direct() - [armhf] clk: samsung: exynos5420: Preserve CPU clocks configuration during suspend/resume - quota: fix livelock in dquot_writeback_dquots - quota: Check that quota is not dirty before release - scsi: core: scsi_trace: Use get_unaligned_be*() - blk-mq: fix deadlock when reading cpu_list - blk-mq: avoid sysfs buffer overflow with too many CPU cores - blk-mq: make sure that line break can be printed - [x86] staging: rtl8192e: fix potential use after free - jbd2: Fix possible overflow in jbd2_log_space_left() - bnx2x: Enable Multi-Cos feature. - PM / devfreq: Lock devfreq in trans_stat_show - scsi: tracing: Fix handling of TRANSFER LENGTH == 0 for READ(6) and WRITE(6) - [x86] usb: gadget: pch_udc: fix use after free - usb: Allow USB device to be warm reset in suspended state - appledisplay: fix error handling in the scheduled work - inetpeer: fix data-race in inet_putpeer / inet_putpeer - [x86] drm/i915/userptr: Try to acquire the page lock around set_page_dirty() - USB: serial: mos7720: fix remote wakeup - USB: serial: mos7840: fix remote wakeup - fuse: verify attributes - fuse: verify nlink - ASoC: Jack: Fix NULL pointer dereference in snd_soc_jack_report - scsi: lpfc: fix: Coverity: lpfc_cmpl_els_rsp(): Null pointer dereferences - [armhf] tty: serial: imx: use the sg count from dma_map_sg - RDMA/srpt: Report the SCSI residual to the initiator - futex: Prevent robust futex exit race - [x86] speculation: Fix incorrect MDS/TAA mitigation status - Btrfs: fix negative subv_writers counter and data space leak after buffered write - btrfs: check page->mapping when loading free space cache - Bluetooth: delete a stray unlock - ext4: work around deleting a file with i_nlink == 0 safely (CVE-2019-19447) - [x86] scsi: qla4xxx: fix double free bug - scsi: bnx2i: fix potential use after free - iwlwifi: check kasprintf() return value - serial: serial_core: Perform NULL checks for break_ctl ops - [x86] KVM: fix presentation of TSX feature in ARCH_CAPABILITIES - [x86] KVM: do not modify masked bits of shared MSRs - [x86] PCI: Avoid AMD FCH XHCI USB PME# from D0 defect - [i386] ALSA: cs4236: fix error return comparison of an unsigned integer - drm/radeon: fix bad DMA from INTERRUPT_CNTL2 - tty: vt: keyboard: reject invalid keycodes - CIFS: Respect O_SYNC and O_DIRECT flags during reconnect - CIFS: Fix SMB2 oplock break processing - [x86] platform: hp-wmi: Fix ACPI errors caused by too small buffer - [x86] platform: hp-wmi: Fix ACPI errors caused by passing 0 as input size - macvlan: schedule bc_work even if error - PCI/MSI: Fix incorrect MSI-X masking on resume - [x86] ACPI / osl: speedup grace period in acpi_os_map_cleanup - [x86] ACPI: OSL: only free map once in osl.c - [x86] ACPI: bus: Fix NULL pointer check in acpi_bus_get_private_data() - openvswitch: drop unneeded BUG_ON() in ovs_flow_cmd_build_info() - openvswitch: remove another BUG_ON() - cifs: Fix cifsInodeInfo lock_sem deadlock when reconnect occurs - CIFS: Fix NULL-pointer dereference in smb2_push_mandatory_locks - net: bridge: deny dev_set_mac_address() when unregistering - drm/radeon: fix r1xx/r2xx register checker for POT textures - xen/blkback: Avoid unmapping unmapped grant pages - hrtimer: Get rid of the resolution field in hrtimer_clock_base - ALSA: pcm: oss: Avoid potential buffer overflows - tcp: md5: fix potential overestimation of TCP option space - tcp: syncookies: extend validity range - tcp: fix rejected syncookies due to stale timestamps - tcp: Protect accesses to .ts_recent_stamp with {READ,WRITE}_ONCE() - inet: protect against too small mtu values. - deb-pkg: remove obsolete -isp option to dpkg-gencontrol https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.83 - libertas: don't exit from lbs_ibss_join_existing() with RCU read lock held - libertas: make lbs_ibss_join_existing() return error code on rates overflow - cfg80211/mac80211: make ieee80211_send_layer2_update a public function - mac80211: Do not send Layer 2 Update frame before authorization (CVE-2019-5108) - [x86] microcode/AMD: Add support for fam17h microcode loading - ext4: wait for existing dio workers in ext4_alloc_file_blocks() - ext4: only call ext4_truncate when size <= isize - ext4: update c/mtime on truncate up - quota: fix wrong condition in is_quota_modification() - ext4: fix races between page faults and hole punching (CVE-2015-8839) - ext4: move unlocked dio protection from ext4_alloc_file_blocks() (CVE-2015-8839) - ext4: fix races between buffered IO and collapse / insert range (CVE-2015-8839) - ext4: fix races of writeback with punch hole and zero range (CVE-2015-8839) - Btrfs: fix wrong max inline data size limit - btrfs: new define for the inline extent data start - btrfs: kill extent_buffer_page helper - btrfs: cleanup, rename a few variables in btrfs_read_sys_array - btrfs: add more checks to btrfs_read_sys_array - btrfs: cleanup, stop casting for extent_map->lookup everywhere - btrfs: handle invalid num_stripes in sys_array - btrfs: Enhance chunk validation check - Btrfs: add validadtion checks for chunk loading - Btrfs: check inconsistence between chunk and block group - Btrfs: fix em leak in find_first_block_group - Btrfs: detect corruption when non-root leaf has zero item - Btrfs: check btree node's nritems - Btrfs: fix BUG_ON in btrfs_mark_buffer_dirty - Btrfs: memset to avoid stale content in btree node block - Btrfs: improve check_node to avoid reading corrupted nodes - Btrfs: kill BUG_ON in run_delayed_tree_ref - Btrfs: memset to avoid stale content in btree leaf - Btrfs: fix emptiness check for dirtied extent buffers at check_leaf() - btrfs: struct-funcs, constify readers - btrfs: Refactor check_leaf function for later expansion - btrfs: Check if item pointer overlaps with the item itself - btrfs: Add sanity check for EXTENT_DATA when reading out leaf - btrfs: Add checker for EXTENT_CSUM - btrfs: Move leaf and node validation checker to tree-checker.c - btrfs: tree-checker: Enhance btrfs_check_node output - btrfs: tree-checker: Fix false panic for sanity test - btrfs: tree-checker: Add checker for dir item - btrfs: tree-checker: use %zu format string for size_t - btrfs: tree-check: reduce stack consumption in check_dir_item - btrfs: tree-checker: Verify block_group_item (CVE-2018-14613) - btrfs: tree-checker: Detect invalid and empty essential trees (CVE-2018-14612) - btrfs: validate type when reading a chunk (CVE-2018-14611) - btrfs: Check that each block group has corresponding chunk at mount time (CVE-2018-14610) - btrfs: Verify that every chunk has corresponding block group at mount time (CVE-2018-14612) - btrfs: tree-checker: Check level for leaves and nodes - btrfs: tree-checker: Fix misleading group system information - btrfs: ensure that a DUP or RAID1 block group has exactly two stripes - dm: do not override error code returned from dm_get_device() - dm flakey: return -EINVAL on interval bounds error in flakey_ctr() - dm flakey: fix reads to be issued if drop_writes configured - dm flakey: check for null arg_name in parse_features() - [amd64] pti/efi: broken conversion from efi to kernel page table (regression in 3.16.51-3+deb8u1) - batman-adv: Fix DAT candidate selection on little endian systems - netfilter: ctnetlink: netns exit must wait for callbacks - taskstats: fix data-race - dm btree: increase rebalance threshold in __rebalance2() - dm thin metadata: Add support for a pre-commit callback - [x86] pinctrl: baytrail: Relax GPIO request rules - [x86] pinctrl: baytrail: Clear interrupt triggering from pins that are in GPIO mode - [x86] pinctrl: baytrail: Rework interrupt handling - [x86] pinctrl: baytrail: Serialize all register access - [x86] pinctrl: baytrail: Really serialize all register accesses - netfilter: nf_tables: missing sanitization in data from userspace - netfilter: nf_tables: validate NFT_DATA_VALUE after nft_data_init() - netfilter: bridge: make sure to pull arp header in br_nf_forward_arp() - HID: uhid: Fix returning EPOLLOUT from uhid_char_poll - gpio: Fix error message on out-of-range GPIO in lookup table - neighbour: remove neigh_cleanup() method - bonding: fix bond_neigh_init() - af_packet: set defaule value for tmo - [x86] ACPI: PM: Avoid attaching ACPI PM domain to certain devices - scsi: iscsi: qla4xxx: fix double free in probe - staging: gigaset: fix general protection fault on probe - staging: gigaset: fix illegal free on probe errors - staging: gigaset: add endpoint-type sanity check - usb: core: urb: fix URB structure initialization function - usb: mon: Fix a deadlock in usbmon between mmap and read - USB: serial: io_edgeport: fix epic endpoint lookup - USB: idmouse: fix interface sanity checks - USB: adutux: fix interface sanity check - USB: atm: ueagle-atm: add missing endpoint check - staging: rtl8188eu: fix interface sanity check - staging: rtl8712: fix interface sanity check - gpiolib: fix up emulated open drain outputs - virtio-balloon: fix managed page counts when migrating pages between zones - HID: Fix slab-out-of-bounds read in hid_field_extract - xhci: handle some XHCI_TRUST_TX_LENGTH quirks cases as default behaviour. - xhci: make sure interrupts are restored to correct state - IB/mlx4: Avoid executing gid task when device is being removed - IB/mlx4: Follow mirror sequence of device add during device removal - HID: hid-input: clear unmapped usages - btrfs: do not call synchronize_srcu() in inode_tree_del - Btrfs: fix removal logic of the tree mod log that leads to use-after-free issues - btrfs: abort transaction after failed inode updates in create_subvol - btrfs: handle ENOENT in btrfs_uuid_tree_iterate - btrfs: skip log replay on orphaned roots - btrfs: do not leak reloc root if we fail to read the fs root - Btrfs: fix infinite loop during nocow writeback due to race - btrfs: Remove redundant btrfs_release_path from btrfs_unlink_subvol - btrfs: do not delete mismatched root refs - btrfs: check rw_devices, not num_devices for balance - ext4: check for directory entries too close to block end - 6pack,mkiss: fix possible deadlock - tcp: do not send empty skb from tcp_write_xmit() - ALSA: pcm: Avoid possible info leaks from PCM stream buffers - ALSA: hda/ca0132 - Avoid endless loop - tty: link tty and port before configuring it as console - USB: EHCI: Do not return -EPIPE when hub is disconnected - usbip: Fix error path of vhci_recv_ret_submit() - [x86] kvm: x86: Host feature SSBD doesn't imply guest feature SPEC_CTRL_SSBD - [armhf] net: stmmac: 16KB buffer must be 16 byte aligned - [armhf] net: stmmac: Enable 16KB buffer size - netfilter: ebtables: convert BUG_ONs to WARN_ONs - netfilter: ebtables: compat: reject all padding in matches/watchers - [x86] platform/x86: hp-wmi: Make buffer for HPWMI_FEATURE2_QUERY 128 bytes - mod_devicetable: fix PHY module format - [x86] efistub: Disable paging at mixed mode entry - ALSA: ice1724: Fix sleep-in-atomic in Infrasonic Quartet support code - locks: print unsigned ino in /proc/locks - netfilter: arp_tables: init netns pointer in xt_tgchk_param struct - tty: always relink the port - USB: core: fix check for duplicate endpoints - USB: core: add endpoint-blacklist quirk - USB: quirks: blacklist duplicate ep on Sound Devices USBPre2 - [armhf] usb: musb: dma: Correct parameter passed to IRQ handler - can: gs_usb: gs_usb_probe(): use descriptors of current altsetting - tcp: fix "old stuff" D-SACK causing SACK to be treated as D-SACK - vxlan: fix tos value before xmit - ftrace: Avoid potential division by zero in function profiler - staging: rtl8188eu: Add device code for TP-Link TL-WN727N v5.21 - kernel/trace: Fix do not unregister tracepoints when register sched_migrate_task fail - kobject: Export kobject_get_unless_zero() - chardev: Avoid potential use-after-free in 'chrdev_open()' - sctp: free cmd->obj.chunk for the unprocessed SCTP_CMD_REPLY - vlan: vlan_changelink() should propagate errors - pkt_sched: fq: avoid hang when quantum 0 - pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM - macvlan: do not assume mac_header is set in macvlan_broadcast() - netfilter: ipset: avoid null deref when IPSET_ATTR_LINENO is present - ixgbevf: Remove limit of 10 entries for unicast filter list - scsi: sd: Clear sdkp->protection_type if disk is reformatted without PI - scsi: enclosure: Fix stale device oops with hot replug - hidraw: Return EPOLLOUT from hidraw_poll - HID: hidraw: Fix returning EPOLLOUT from hidraw_poll - HID: hidraw, uhid: Always report EPOLLOUT - Input: aiptek - fix endpoint sanity check - Input: gtco - fix endpoint sanity check - Input: sur40 - fix interface sanity checks - [x86] platform/x86: asus-wmi: Fix keyboard brightness cannot be set to 0 - iio: buffer: align the size of scan bytes to size of the largest element - USB: serial: simple: Add Motorola Solutions TETRA MTP3xxx and MTP85xx - netfilter: fix a use-after-free in mtype_destroy() - netfilter: arp_tables: init netns pointer in xt_tgdtor_param struct - ALSA: usb-audio: add implicit fb quirk for Axe-Fx II - ALSA: usb-audio: simplify set_sync_ep_implicit_fb_quirk - ALSA: usb-audio: fix sync-ep altsetting sanity check - USB: serial: opticon: fix control-message timeouts - r8152: add missing endpoint sanity check - usb: core: hub: Improved device recognition on remote wakeup - ALSA: seq: Fix racy access for queue timer in proc read - scsi: fnic: fix invalid stack access - block: fix an integer overflow in logical block size - macvlan: use skb_reset_mac_header() in macvlan_queue_xmit() - Input: keyspan-remote - fix control-message timeouts - USB: serial: suppress driver bind attributes - USB: serial: ch341: handle unbound port at reset_resume - USB: serial: io_edgeport: handle unbound ports on URB completion - USB: serial: io_edgeport: add missing active-port sanity check - USB: serial: keyspan: handle unbound ports - USB: serial: quatech2: handle unbound ports - hwmon: (adt7475) Make volt2reg return same reg as reg2volt input - [armel,armhf] 8950/1: ftrace/recordmcount: filter relocation types - mmc: sdhci: fix minimum clock rate for v3 controller - can, slip: Protect tty->disc_data in write_wakeup and close with RCU - net: sonic: return NETDEV_TX_OK if failed to map buffer - net/sonic: Add mutual exclusion for accessing shared state - net/sonic: Use MMIO accessors - net/sonic: Fix receive buffer handling - net/sonic: Quiesce SONIC before re-initializing descriptor memory - net_sched: fix datalen for ematch - namei: allow restricted O_CREAT of FIFOs and regular files - do_last(): fetch directory ->i_mode and ->i_uid before it's too late - vfs: fix do_last() regression - blktrace: re-write setting q->blk_trace - blktrace: Protect q->blk_trace with RCU (CVE-2019-19768) - blktrace: fix dereference after null check - Input: add safety guards to input_set_keycode() (CVE-2019-20636) - staging: android: ashmem: Disallow ashmem memory from being remapped (CVE-2020-0009) - net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup (CVE-2020-1749) - [x86] KVM: nVMX: Don't emulate instructions in guest mode (CVE-2020-2732) - vgacon: Fix a UAF in vgacon_invert_region (CVE-2020-8647, CVE-2020-8649) - tty: vt: Fix !TASK_RUNNING diagnostic warning from paste_selection() - vt: selection, handle pending signals in paste_selection - vt: selection, close sel_buffer race (CVE-2020-8648) - vt: selection, push console lock down - vt: selection, push sel_lock up - floppy: check FDC index for errors before assigning it (CVE-2020-9383) - vhost: Check docket sk_family instead of call getname (CVE-2020-10942) - mm: mempolicy: require at least one nodeid for MPOL_PREFERRED (CVE-2020-11565) - media: ov519: add missing endpoint sanity checks (CVE-2020-11608) - media: stv06xx: add missing descriptor sanity checks (CVE-2020-11609) - media: xirlink_cit: add missing descriptor sanity checks (CVE-2020-11668) - ptp: do not explicitly set drvdata in ptp_clock_register() - ptp: use is_visible method to hide unused attributes - ptp: create "pins" together with the rest of attributes - chardev: add helper function to register char devs with a struct device - ptp: Fix pass zero to ERR_PTR() in ptp_clock_register - ptp: fix the race between the release of ptp_clock and cdev (CVE-2020-10690) - ptp: free ptp device pin descriptors properly - media-devnode: just return 0 instead of using a var - media: Fix media_open() to clear filp->private_data in error leg - drivers/media/media-devnode: clear private_data before put_device() - media-devnode: add missing mutex lock in error handler - media-devnode: fix namespace mess - media-device: dynamically allocate struct media_devnode - media: fix use-after-free in cdev_put() when app exits after driver unbind - media: fix media devnode ioctl/syscall and unregister race - slcan: Don't transmit uninitialized stack data in padding (CVE-2020-11494) - futex: Fix inode life-time issue - futex: Unbreak futex hashing https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.84 - fs/namespace.c: fix mountpoint reference counter race (CVE-2020-12114) - propagate_one(): mnt_set_mountpoint() needs mount_lock - spi: spi-dw: Add lock protect dw_spi rx/tx to prevent concurrent calls (CVE-2020-12769) - padata: avoid race in reordering - padata: get_next is never NULL - padata: set cpu_index of unused CPUs to -1 - padata: ensure the reorder timer callback runs on the correct CPU - padata: ensure padata_do_serial() runs on the correct CPU - padata: Replace delayed timer with immediate workqueue in padata_reorder - padata: initialize pd->cpu with effective cpumask - padata: Remove broken queue flushing - padata: purge get_cpu and reorder_via_wq from padata_do_serial - crypto: pcrypt - Fix user-after-free on module unload - crypto: pcrypt - Do not clear MAY_SLEEP flag in original request - padata: always acquire cpu_hotplug_lock before pinst->lock - crypto: af_alg - Use bh_lock_sock in sk_destruct - crypto: api - Check spawn->alg under lock in crypto_drop_spawn - crypto: api - Fix race condition in crypto_spawn_alg - [armhf] mmc: spi: Toggle SPI polarity, do not hardcode it - reiserfs: Fix memory leak of journal device string - reiserfs: Fix spurious unlock in reiserfs_fill_super() error handling - ath9k: fix storage endpoint lookup - rsi: fix use-after-free on failed probe and unbind - brcmfmac: Fix use after free in brcmf_sdio_readframes() - brcmfmac: abort and release host after error - brcmfmac: fix interface sanity check - orinoco_usb: fix interface sanity check - rsi_91x_usb: fix interface sanity check - zd1211rw: fix storage endpoint lookup - brcmfmac: Fix memory leak in brcmf_usbdev_qinit - scsi: qla2xxx: Fix mtcp dump collection failure - media: iguanair: add sanity checks - media: iguanair: fix endpoint sanity check - efi: Use early_mem*() instead of early_io*() - [x86] efi/x86: Map the entire EFI vendor string before copying it - PCI: Don't disable bridge BARs when assigning bus resources - power: supply: sbs-battery: Fix a signedness bug in sbs_get_battery_capacity() - dm space map common: fix to ensure new block isn't already in use - [armhf] usb: dwc3: turn off VBUS when leaving host mode - usb: gadget: f_ncm: Use atomic_t to track in-flight request - usb: gadget: f_ecm: Use atomic_t to track in-flight request - staging: wlan-ng: ensure error return is actually returned - ubifs: Fix deadlock in concurrent bulk-read and writepage - [x86] cpu: Update cached HLE state on write to TSX_CTRL_CPUID_CLEAR - jbd2: clear JBD2_ABORT flag before journal_reset to update log tail info when load journal - [x86] KVM: x86: Don't let userspace set host-reserved cr4 bits - [x86] KVM: nVMX: vmread should not set rflags to specify success in case of #PF - [x86] kvm: avoid unused variable warning - [x86] KVM: x86/mmu: Apply max PA check for MMIO sptes to 32-bit KVM - USB: serial: ir-usb: add missing endpoint sanity check - USB: serial: ir-usb: fix link-speed handling - USB: serial: ir-usb: fix IrLAP framing - media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors - [x86] KVM: x86: Free wbinvd_dirty_mask if vCPU creation fails - tracing: Fix very unlikely race of registering two stat tracers - tracing: Fix tracing_stat return values in error handling paths - jbd2: switch to use jbd2_journal_abort() when failed to submit the commit record - ext4, jbd2: ensure panic when aborting with zero errno - iwlegacy: ensure loop counter addr does not wrap and cause an infinite loop - CIFS: Fix task struct use-after-free on reconnect - net_sched: ematch: reject invalid TCF_EM_SIMPLE - [x86] KVM: x86: Protect x86_decode_insn from Spectre-v1/L1TF attacks - [x86] KVM: x86: Refactor picdev_write() to prevent Spectre-v1/L1TF attacks - [x86] KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF attacks - [x86] KVM: x86: Protect ioapic_write_indirect() from Spectre-v1/L1TF attacks - [x86] KVM: x86: Protect kvm_lapic_reg_write() from Spectre-v1/L1TF attacks - [x86] kvm: x86: use macros to compute bank MSRs - [x86] KVM: x86: Protect MSR-based index computations from Spectre-v1/L1TF attacks in x86.c - [x86] KVM: x86: Protect DR-based index computations from Spectre-v1/L1TF attacks - KVM: Check for a bad hva before dropping into the ghc slow path - Btrfs: fix race between adding and putting tree mod seq elements and nodes - mm/mempolicy.c: fix out of bounds write in mpol_parse_str() - media/v4l2-core: set pages dirty upon releasing DMA buffers - tcp: clear tp->total_retrans in tcp_disconnect() - ALSA: dummy: Fix PCM format loop in proc output - clocksource: Prevent double add_timer_on() for watchdog_timer - cls_rsvp: fix rsvp_policy - nfs: use kmap/kunmap directly - NFS: Fix memory leaks and corruption in readdir - NFS: Directory page cache pages need to be locked when read - cifs: fail i/o on soft mounts if sessionsetup errors out - bonding/alb: properly access headers in bond_alb_xmit() - sunrpc: expiry_time should be seconds not timeval . [ Ben Hutchings ] * debian/README.source: Refer to upload checklist in kernel-team.git * chaoskey: Apply bug fixes from upstream: - USB: chaoskey: fix Alea quirk on big-endian hosts - USB: chaoskey: fix use-after-free on release - USB: chaoskey: fix error case of a timeout * Bump ABI to 11 * selinux: Fix netlink message permission checks: - selinux: cleanup error reporting in selinux_nlmsg_perm() - selinux: convert WARN_ONCE() to printk() in selinux_nlmsg_perm() - selinux: Print 'sclass' as string when unrecognized netlink message occurs - selinux: rate-limit netlink message warnings in selinux_nlmsg_perm() - selinux: properly handle multiple messages in selinux_netlink_send() (CVE-2020-10751) * USB: core: Fix serialisation of SG URB operations: - drivers: usb: core: Don't disable irqs in usb_sg_wait() during URB submit. - drivers: usb: core: Minimize irq disabling in usb_sg_cancel() - USB: core: Fix free-while-in-use bug in the USB S-Glibrary (CVE-2020-12464) * scsi: mptfusion: Add bounds check in mptctl_hp_targetinfo() * scsi: mptfusion: Fix double fetch bug in ioctl (CVE-2020-12652) * mwifiex: Fix possible buffer overflows in mwifiex_cmd_append_vsie_tlv() (CVE-2020-12653) * mwifiex: Fix possible buffer overflows in mwifiex_ret_wmm_get_status() (CVE-2020-12654) * scsi: sg: Fix various bugs: - sg: O_EXCL and other lock handling - sg: prevent integer overflow when converting from sectors to bytes - scsi: sg: Change next_cmd_len handling to mirror upstream - scsi: sg: protect accesses to 'reserved' page array - scsi: sg: reset 'res_in_use' after unlinking reserved array - scsi: sg: protect against races between mmap() and SG_SET_RESERVED_SIZE - scsi: sg: recheck MMAP_IO request length with lock held - scsi: sg: remove 'save_scat_len' - scsi: sg: use standard lists for sg_requests - scsi: sg: off by one in sg_ioctl() - scsi: sg: factor out sg_fill_request_table() - scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE - scsi: sg: Re-fix off by one in sg_fill_request_table() - scsi: sg: disable SET_FORCE_LOW_DMA - scsi: sg: check for valid direction before starting the request - scsi: sg: close race condition in sg_remove_sfp_usercontext() - scsi: sg: fix SG_DXFER_FROM_DEV transfers - scsi: sg: fix static checker warning in sg_is_valid_dxfer - scsi: sg: only check for dxfer_len greater than 256M - scsi: sg: don't return bogus Sg_requests - scsi: sg: fix minor memory leak in error path - scsi: sg: add sg_remove_request in sg_common_write - scsi: sg: add sg_remove_request in sg_write (CVE-2020-12770) * signal: Extend exec_id to 64bits (CVE-2020-12826) * USB: gadget: fix illegal array access in binding with UDC (CVE-2020-13143) * ext4: Fix various bugs: - ext4: Make checks for metadata_csum feature safer - ext4: protect journal inode's blocks using block_validity (CVE-2019-19319) - ext4: unsigned int compared against zero - ext4: fix block validity checks for journal inodes using indirect blocks - ext4: don't perform block validity checks on the journal inode - ext4: add cond_resched() to ext4_protect_reserved_inode (CVE-2020-8992) * [x86] Add support for mitigation of Special Register Buffer Data Sampling (SRBDS) (CVE-2020-0543): - x86/cpu: Rename cpu_data.x86_mask to cpu_data.x86_stepping - x86/cpu: Add a steppings field to struct x86_cpu_id - x86/cpu: Add 'table' argument to cpu_matches() - x86/speculation: Add Special Register Buffer Data Sampling (SRBDS) mitigation - x86/speculation: Add SRBDS vulnerability and mitigation documentation - x86/speculation: Add Ivy Bridge to affected list * random: always use batched entropy for get_random_u{32,64} * slip, slcan: Fix various bugs: - slcan: Fix memory leak in error path - can: slcan: Fix use-after-free Read in slcan_open - slcan: not call free_netdev before rtnl_unlock in slcan_open - slip: Fix memory leak in slip_open error path - slip: Fix use-after-free Read in slip_open - slip: not call free_netdev before rtnl_unlock in slip_open * net-sysfs: Fix reference counting bugs: - net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject - net-sysfs: fix netdev_queue_add_kobject() breakage - net-sysfs: Call dev_hold always in netdev_queue_add_kobject - net-sysfs: Call dev_hold always in rx_queue_add_kobject Checksums-Sha1: 030962a231240fbe327c19a2ef415146a2e6230d 143027 linux_3.16.84-1.dsc a924a5dc556df6322f0b3d76422cd8429058762a 82095884 linux_3.16.84.orig.tar.xz b14c07487576434f5d95643bdb7277878b6dbc94 1231412 linux_3.16.84-1.debian.tar.xz 584cbeb80a25ba97b45c390c6fde3a5f30205c80 482206 linux-support-3.16.0-11_3.16.84-1_all.deb d6b21dd1ab0827f0f35e2ef8e09cbda89eba7bc4 8438628 linux-doc-3.16_3.16.84-1_all.deb 10479c9dd6f35f3754399529d8fac0c7b9548e25 3841170 linux-manual-3.16_3.16.84-1_all.deb 49f8c6431ed140c43ed2004fcddbfe5b460805d3 83968596 linux-source-3.16_3.16.84-1_all.deb Checksums-Sha256: 1181b4ab818eaca2a8d7de7d1a3b751077dc1389fcb1d8111924d5df36c7d720 143027 linux_3.16.84-1.dsc 17f0a7a1c8279c971509801eef4f60af49f85fec41649cbec77bc95a5db887f9 82095884 linux_3.16.84.orig.tar.xz f8c5f05043084d4b1e6468fddaf471d61935a38f5f81357bd2b271481a567947 1231412 linux_3.16.84-1.debian.tar.xz c489a3e88907fc945226fef1f0a32c220147170384e17cb13f1a2448f59f9c49 482206 linux-support-3.16.0-11_3.16.84-1_all.deb 48a228d246b5ac62346ec248b7a70fb35f02379bca5896f191ada0a0c481ea90 8438628 linux-doc-3.16_3.16.84-1_all.deb 9f5fe16a6ea52f70a073dae78288e8c2f713e05d0e919aa777a66da6211219b5 3841170 linux-manual-3.16_3.16.84-1_all.deb 7c0bd34cef156f4c4cf43e7097bcb268450c7663ee4a1eb65617dedb73200b0c 83968596 linux-source-3.16_3.16.84-1_all.deb Files: 69294d0b6aa127040a41221a8a2b3b60 143027 kernel optional linux_3.16.84-1.dsc 3adda6bff68237af6aa9b1b9422d183f 82095884 kernel optional linux_3.16.84.orig.tar.xz a5dc589c8ff3d380b2667fb9fe17082e 1231412 kernel optional linux_3.16.84-1.debian.tar.xz d56874fbb06f8a6824b7f1a094dbf292 482206 devel optional linux-support-3.16.0-11_3.16.84-1_all.deb f881ed4a866bd50c3457ede9edd2e240 8438628 doc optional linux-doc-3.16_3.16.84-1_all.deb 40eb0bdc12edcda3759e031dd9bd5e99 3841170 doc optional linux-manual-3.16_3.16.84-1_all.deb ac026e35f595b2e27207a1b74f4a40a8 83968596 kernel optional linux-source-3.16_3.16.84-1_all.deb -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEErCspvTSmr92z9o8157/I7JWGEQkFAl7fmtEACgkQ57/I7JWG EQkWphAAsUmfTdCMz/N22V/ZWFGRAviAT/xp5Erf8s7myWOyNowpX8tOHOG2BwJX pJZD+LndTZ8SNOG9unUC7bwoQxTOTO+KeZlOM8reyjzzNskc8ZaByLOpMWwgOb3m Oh98IPzJyFzOtIZdpw7I90DcOtIFKGkrxKCtHJPdcRcgKLTiGGLINc80LFVUPWRi /g1Lswhf4KVUTYPkZ+J6xqso6BCB7FcE0PP2VSuxfqcFTtOaYCHWFifAX0qs4W6t GRHdiwH0kZJX8XPl0CXnu0ylfBUuhA/2DeWl4B1YnDfLL6dAHVDXEIYs14XoCzBi 6QV34yre32ZdxnOW/xsHcYewS0PsbFE/S1oLVmb+Aus8iNJMORaZfuyWRESiKWPs lLAfu2Ebyl1RgDzjdmgfApr8/Co3sb8cng3ZtWkEnl/7dLzaQdyMbj2gwr8MHWbx O8O/hCwC6iklOMs/Mufgoz1LkbduRaDJBH7GqduQekqQ+N6AGVYWfJd+J8VXHddq /oUDbAcTprSTjsDqT2+A0fJVtFzs0Zf68GpdXLmRCMEFrUzskaeFhW6YTYhDR7mY PynPYv5Popyv0c0x9Cbtjf59V/VDwlB95qa7gbVC51so+m2NMfRsjqVShpcrLPmX aLEHd5bmRFzfHc5uEulnyUxlOa6OJLf1LKX6hd6SzW5whUFXvxo= =s7ar -----END PGP SIGNATURE-----