-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Tue, 14 Feb 2023 23:38:19 +0100 Source: linux-5.10 Architecture: source Version: 5.10.162-1~deb10u1 Distribution: buster-security Urgency: high Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org> Changed-By: Ben Hutchings <benh@debian.org> Closes: 825141 1008501 1027430 1027483 Changes: linux-5.10 (5.10.162-1~deb10u1) buster-security; urgency=high . * Rebuild for buster: - Change ABI number to 0.deb10.21 . linux (5.10.162-1) bullseye-security; urgency=high . * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.159 - [armhf] dts: rockchip: fix node name for hym8563 rtc - [armhf] dts: rockchip: fix ir-receiver node names - [arm64] dts: rockchip: fix ir-receiver node names - [armel,armhf] 9266/1: mm: fix no-MMU ZERO_PAGE() implementation - 9p/fd: Use P9_HDRSZ for header size - ALSA: seq: Fix function prototype mismatch in snd_seq_expand_var_event - btrfs: send: avoid unaligned encoded writes when attempting to clone range - ASoC: soc-pcm: Add NULL check in BE reparenting - [armhf] regulator: twl6030: fix get status of twl6032 regulators - fbcon: Use kzalloc() in fbcon_prepare_logo() - [arm64,armhf] usb: dwc3: gadget: Disable GUSB2PHYCFG.SUSPHY for End Transfer - 9p/xen: check logical size for buffer size - net: usb: qmi_wwan: add u-blox 0x1342 composition - mm/khugepaged: take the right locks for page table retraction - mm/khugepaged: fix GUP-fast interaction by sending IPI - mm/khugepaged: invoke MMU notifiers in shmem/file collapse paths - rtc: mc146818: Prevent reading garbage - rtc: mc146818: Detect and handle broken RTCs - rtc: mc146818: Dont test for bit 0-5 in Register D - rtc: cmos: remove stale REVISIT comments - rtc: mc146818-lib: change return values of mc146818_get_time() - rtc: Check return value from mc146818_get_time() - rtc: mc146818-lib: fix RTC presence check - rtc: mc146818-lib: extract mc146818_avoid_UIP - rtc: cmos: avoid UIP when writing alarm time - rtc: cmos: avoid UIP when reading alarm time - rtc: cmos: Replace spin_lock_irqsave with spin_lock in hard IRQ - rtc: mc146818: Reduce spinlock section in mc146818_set_time() - media: videobuf2-core: take mmap_lock in vb2_get_unmapped_area() - media: v4l2-dv-timings.c: fix too strict blanking sanity checks - memcg: fix possible use-after-free in memcg_write_event_control() - mm/gup: fix gup_pud_range() for dax - Bluetooth: btusb: Add debug message for CSR controllers - Bluetooth: Fix crash when replugging CSR fake controllers - [s390x] KVM: s390: vsie: Fix the initialization of the epoch extension (epdx) field - [x86] drm/vmwgfx: Don't use screen objects when SEV is active - drm/shmem-helper: Remove errant put in error path - drm/shmem-helper: Avoid vm_open error paths - HID: usbhid: Add ALWAYS_POLL quirk for some mice - HID: hid-lg4ff: Add check for empty lbuf - HID: core: fix shift-out-of-bounds in hid_report_raw_event - can: af_can: fix NULL pointer dereference in can_rcv_filter - mm/hugetlb: fix races when looking up a CONT-PTE/PMD size hugetlb page (CVE-2022-3623) - rtc: cmos: Disable irq around direct invocation of cmos_interrupt() - rtc: mc146818-lib: fix locking in mc146818_set_time - rtc: mc146818-lib: fix signedness bug in mc146818_get_time() - netfilter: nft_set_pipapo: Actually validate intervals in fields after the first one - ieee802154: cc2520: Fix error return code in cc2520_hw_init() - netfilter: ctnetlink: fix compilation warning after data race fixes in ct mark - e1000e: Fix TX dispatch condition - igb: Allocate MSI-X vector when testing - [arm64,armhf] drm: bridge: dw_hdmi: fix preference of RGB modes over YUV420 - af_unix: Get user_ns from in_skb in unix_diag_get_exact(). - [x86] vmxnet3: correctly report encapsulated LRO packet - Bluetooth: 6LoWPAN: add missing hci_dev_put() in get_l2cap_conn() - Bluetooth: Fix not cleanup led when bt_init fails - mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add() - xen-netfront: Fix NULL sring after live migration - [arm64,armhf] net: mvneta: Prevent out of bounds read in mvneta_config_rss() - i40e: Fix not setting default xps_cpus after reset - i40e: Fix for VF MAC address 0 - i40e: Disallow ip4 and ip6 l4_4_bytes - nvme initialize core quirks before calling nvme_init_subsystem - net: stmmac: fix "snps,axi-config" node property parsing - ip_gre: do not report erspan version on GRE interface - [arm64] net: thunderx: Fix missing destroy_workqueue of nicvf_rx_mode_wq - [arm64] net: hisilicon: Fix potential use-after-free in hisi_femac_rx() - [arm64] net: hisilicon: Fix potential use-after-free in hix5hd2_rx() - tipc: Fix potential OOB in tipc_link_proto_rcv() - ipv4: Fix incorrect route flushing when source address is deleted - ipv4: Fix incorrect route flushing when table ID 0 is used - tipc: call tipc_lxc_xmit without holding node_read_lock - [x86] net: plip: don't call kfree_skb/dev_kfree_skb() under spin_lock_irq() - ipv6: avoid use-after-free in ip6_fragment() - [arm64,armhf] net: mvneta: Fix an out of bounds check - macsec: add missing attribute validation for offload - can: esd_usb: Allow REC and TEC to return to zero https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.160 - [x86] smpboot: Move rcu_cpu_starting() earlier - vfs: fix copy_file_range() regression in cross-fs copies - vfs: fix copy_file_range() averts filesystem freeze protection - nfp: fix use-after-free in area_cache_get() (CVE-2022-3545) - fuse: always revalidate if exclusive create - io_uring: add missing item types for splice request (CVE-2022-4696) - ASoC: ops: Check bounds for second channel in snd_soc_put_volsw_sx() - can: mcba_usb: Fix termination command argument - [armel,armhf] ASoC: cs42l51: Correct PGA Volume minimum value - nvme-pci: clear the prp2 field when not used - ASoC: ops: Correct bounds check for second channel on SX controls https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.161 - udf: Discard preallocation before extending file with a hole - udf: Fix preallocation discarding at indirect extent boundary - udf: Do not bother looking for prealloc extents if i_lenExtents matches i_size - udf: Fix extending file within last block - usb: gadget: uvc: Prevent buffer overflow in setup handler - USB: serial: option: add Quectel EM05-G modem - USB: serial: cp210x: add Kamstrup RF sniffer PIDs - USB: serial: f81232: fix division by zero on line-speed change - USB: serial: f81534: fix division by zero on line-speed change - xhci: Apply XHCI_RESET_TO_DEFAULT quirk to ADL-N - igb: Initialize mailbox message for VF reset - HID: ite: Add support for Acer S1002 keyboard-dock - HID: ite: Enable QUIRK_TOUCHPAD_ON_OFF_REPORT on Acer Aspire Switch 10E - HID: ite: Enable QUIRK_TOUCHPAD_ON_OFF_REPORT on Acer Aspire Switch V 10 - HID: uclogic: Add HID_QUIRK_HIDINPUT_FORCE quirk - Bluetooth: L2CAP: Fix u8 overflow (CVE-2022-45934) - net: loopback: use NET_NAME_PREDICTABLE for name_assign_type https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.162 - kernel: provide create_io_thread() helper - iov_iter: add helper to save iov_iter state - saner calling conventions for unlazy_child() - fs: add support for LOOKUP_CACHED - fix handling of nd->depth on LOOKUP_CACHED failures in try_to_unlazy* - Make sure nd->path.mnt and nd->path.dentry are always valid pointers - fs: expose LOOKUP_CACHED through openat2() RESOLVE_CACHED - tools headers UAPI: Sync openat2.h with the kernel sources - net: provide __sys_shutdown_sock() that takes a socket - net: add accept helper not installing fd - signal: Add task_sigpending() helper - fs: make do_renameat2() take struct filename - file: Rename __close_fd_get_file close_fd_get_file - fs: provide locked helper variant of close_fd_get_file() - entry: Add support for TIF_NOTIFY_SIGNAL - task_work: Use TIF_NOTIFY_SIGNAL if available - [x86] Wire up TIF_NOTIFY_SIGNAL - [arm64] add support for TIF_NOTIFY_SIGNAL - [powerpc*] add support for TIF_NOTIFY_SIGNAL - [mips*] add support for TIF_NOTIFY_SIGNAL - [s390x] add support for TIF_NOTIFY_SIGNAL - [armel,armhf] add support for TIF_NOTIFY_SIGNAL - task_work: remove legacy TWA_SIGNAL path - kernel: remove checking for TIF_NOTIFY_SIGNAL - coredump: Limit what can interrupt coredumps - kernel: allow fork with TIF_NOTIFY_SIGNAL pending - entry/kvm: Exit to user mode when TIF_NOTIFY_SIGNAL is set - arch: setup PF_IO_WORKER threads like PF_KTHREAD - arch: ensure parisc/powerpc handle PF_IO_WORKER in copy_thread() - [x86] process: setup io_threads more like normal user space threads - kernel: stop masking signals in create_io_thread() - kernel: don't call do_exit() for PF_IO_WORKER threads - task_work: add helper for more targeted task_work canceling - io_uring: import 5.15-stable io_uring - signal: kill JOBCTL_TASK_WORK - task_work: unconditionally run task_work from get_signal() - net: remove cmsg restriction from io_uring based send/recvmsg calls - Revert "proc: don't allow async path resolution of /proc/thread-self components" - Revert "proc: don't allow async path resolution of /proc/self components" - eventpoll: add EPOLL_URING_WAKE poll wakeup flag - eventfd: provide a eventfd_signal_mask() helper - io_uring: pass in EPOLL_URING_WAKE for eventfd signaling and wakeups . [ Salvatore Bonaccorso ] * linux-kbuild: Include scripts/pahole-flags.sh (Closes: #1008501) * Bump ABI to 21 * Refresh "Export symbols needed by Android drivers" * ASoC: Intel/SOF: use set_stream() instead of set_tdm_slots() for HDAudio (Closes: #1027430, #1027483) * ASoC/SoundWire: dai: expand 'stream' concept beyond SoundWire (Closes: #1027430, #1027483) * [rt] Update to 5.10.162-rt78 * i2c: ismt: Fix an out-of-bounds bug in ismt_access() (CVE-2022-2873) * [x86] drm/vmwgfx: Validate the box size for the snooped cursor (CVE-2022-36280) * media: dvb-core: Fix UAF due to refcount races at releasing (CVE-2022-41218) * net: sched: disallow noqueue for qdisc classes (CVE-2022-47929) * ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF (CVE-2023-0266) * net: sched: cbq: dont intepret cls results when asked to drop (CVE-2023-23454) * net: sched: atm: dont intepret cls results when asked to drop (CVE-2023-23455) * netfilter: nft_payload: incorrect arithmetics when fetching VLAN header bits (CVE-2023-0179) * ipv6: raw: Deduct extension header length in rawv6_push_pending_frames (CVE-2023-0394) * [rt] arm64: make _TIF_WORK_MASK bits contiguous . [ Ben Hutchings ] * Disable SECURITY_LOCKDOWN_LSM and MODULE_SIG where we don't sign code (Closes: #825141) Checksums-Sha1: de7da0668d2d95a803faa431c95bddd8296fe5e4 42421 linux-5.10_5.10.162-1~deb10u1.dsc a7bd87581cd0dcb6bf25a7b49987280fe65669b5 121805464 linux-5.10_5.10.162.orig.tar.xz a6ca55cc4d62deba56c6103b5c4e48f16624a102 1551640 linux-5.10_5.10.162-1~deb10u1.debian.tar.xz 53f85eb2dd5b24cb746f8077ff822fda1621670d 13716 linux-5.10_5.10.162-1~deb10u1_source.buildinfo Checksums-Sha256: 5c78aee5e69b45a8b4c14f18e1ca40952867b909ca01a52fdf04d41bad7d2b19 42421 linux-5.10_5.10.162-1~deb10u1.dsc 264a5de5a4bff3cdd6bdc36b29b18d4419b910f0c24bf9f1f14ba3840064d75c 121805464 linux-5.10_5.10.162.orig.tar.xz f8615ba6fe202dd044ad71843dc64c21f607e187c8ca2f4b962bb987b61c8a4b 1551640 linux-5.10_5.10.162-1~deb10u1.debian.tar.xz 9fceff5cea21ec693895ebe4382b4c0fc6d4609adb277b917f4781bbe34743a3 13716 linux-5.10_5.10.162-1~deb10u1_source.buildinfo Files: 45b9e2e2c24f7012132007510868cb6e 42421 kernel optional linux-5.10_5.10.162-1~deb10u1.dsc ff00d381fed0c3688568277641ed59e2 121805464 kernel optional linux-5.10_5.10.162.orig.tar.xz b9d8296147bb166e5f424be0f8c1ea60 1551640 kernel optional linux-5.10_5.10.162-1~deb10u1.debian.tar.xz f18cba6e3ca7787ea199ee9ddb9f1cf1 13716 kernel optional linux-5.10_5.10.162-1~deb10u1_source.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEErCspvTSmr92z9o8157/I7JWGEQkFAmPz+4QACgkQ57/I7JWG EQl33w//egK2JTSnfjwadm9+zMlT20DLcprwOEEc/XyBBRucsQT3VpZIdgIfNjUZ FiqaiOICW3h8DE/xvAPjwCrOmZ+5Lmmw2PKNCPNY9YXjv1ioADemCQycnz5OQnjS 2Ja7Bg+fL5XVDJEKqA1DAHy476/o/PNw4KDvn6OHeXuT3LZaXzueptyDMDW/t+7x mear9Bgwzb5dlavUZDm+t/r5AhoVedBG1cLO/p4nmY46JdzDh9goOHyVJCiZTlIS wLPvnGWjqb3UX78jPLv3xpORgFpE8H0ubjpCnyK+32I60uQpolM7ZwwFJ0PShhyj zjax6aDo6hX3DZ8kGxJASBOUHHv8aIhrQpYxS0vqxXyPdhnD/Tbs2t/sT7HMvDzJ bTJkJRFAr5LPowluWUu48K+2Kly8H/++UKWKRULsndyR8hUN3AL3gZVbd4NaeHfZ RObClDqRzBGvitHJbk2DsZF011B0D6fR1f9tMow+c6o2qOW2Hw2p0GZL40S8n60J e3pysejdTOHqhFtgBrk8vTOfZSVN7BmJTL4ymctViJzzzPpRYAIhwyZZy/qkFazR amz+0QS9+tlcpovjpWrAzEvxvEYjjZh4l03GxTJkPPvVYmKdgAb/eiXfSHi9+nFw HanCkgONxOaaCYhn2enpNIwlDHxTXIdaiTJt/jX69iTsQdeIutQ= =uH79 -----END PGP SIGNATURE-----