Changelog
linux (3.16.43-1) jessie; urgency=medium
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.40
- [x86] drm/i915/vlv: Make intel_crt_reset() per-encoder
- [x86] drm/i915/vlv: Reset the ADPA in vlv_display_power_well_init()
- fbdev/efifb: Fix 16 color palette entry calculation
- [s390*] zfcp: fix fc_host port_type with NPIV
- [s390*] zfcp: fix ELS/GS request&response length for hardware data router
- [s390*] zfcp: close window with unblocked rport during rport gone
- [s390*] zfcp: retain trace level for SCSI and HBA FSF response records
- [s390*] zfcp: restore: Dont use 0 to indicate invalid LUN in rec trace
- [s390*] zfcp: trace on request for open and close of WKA port
- [s390*] zfcp: restore tracing of handle for port and LUN with HBA records
- [s390*] zfcp: fix D_ID field with actual value on tracing SAN responses
- [s390*] zfcp: fix payload trace length for SAN request&response
- [s390*] zfcp: trace full payload of all SAN records (req,resp,iels)
- clk: divider: Fix clk_divider_round_rate() to use clk_readl()
- [x86] dumpstack: Fix x86_32 kernel_stack_pointer() previous stack access
- PCI: Mark Atheros AR9580 to avoid bus reset
- netfilter: restart search if moved to other chain
- uio: fix dmem_region_start computation
- platform: don't return 0 from platform_get_irq[_byname]() on error
- [arm64] debug: avoid resetting stepping state machine when TIF_SINGLESTEP
- ASoC: dapm: Fix value setting for _ENUM_DOUBLE MUX's second channel
- genirq/generic_chip: Add irq_unmap callback
- rtlwifi: Update regulatory database
- rtlwifi: Fix missing country code for Great Britain
- pwm: Unexport children before chip removal
- cx231xx: don't return error on success
- cx231xx: fix GPIOs for Pixelview SBTVD hybrid
- ext4: reinforce check of i_dtime when clearing high fields of uid and gid
- pstore/core: drop cmpxchg based updates
- pstore/ram: Use memcpy_toio instead of memcpy
- pstore/ram: Use memcpy_fromio() to save old buffer
- ipv4: accept u8 in IP_TOS ancillary data
- [armhf] phy: sun4i-usb: Use spinlock to guard phyctl register access
- dm: mark request_queue dead before destroying the DM device
- dm mpath: check if path's request_queue is dying in activate_path()
- ext4: bugfix for mmaped pages in mpage_release_unused_pages()
- [armhf] dts: exynos: Fix mismatched value for SD4 pull up/down
configuration on exynos4210
- reiserfs: Unlock superblock before calling reiserfs_quota_on_mount()
- sctp: do not return the transmit err back to sctp_sendmsg
- pkt_sched: fq: use proper locking in fq_dump_stats()
- [x86] iommu/amd: Free domain id when free a domain of struct
dma_ops_domain
- [powerpc*] nvram: Fix an incorrect partition merge
- ALSA: ali5451: Fix out-of-bound position reporting
- usb: misc: legousbtower: Fix NULL pointer deference
- net/mlx4_en: Fix wrong indentation
- net/mlx4_core: Fix deadlock when switching between polling and event fw
commands
- drm/radeon: narrow asic_init for virtualization
- [powerpc*] eeh: Null check uses of eeh_pe_bus_get
- ALSA: usb-audio: Extend DragonFly dB scale quirk to cover other variants
- netfilter: nft_exthdr: Add size check on u8 nft_exthdr attributes
- netfilter: nf_tables: validate maximum value of u32 netlink attributes
- svcrdma: Tail iovec leaves an orphaned DMA mapping
- blkcg: Annotate blkg_hint correctly
- ALSA: hda - Adding one more ALC255 pin definition for headset problem
- mmc: block: don't use CMD23 with very old MMC cards
- [powerpc*] KVM: Book3S: Treat VTB as a per-subcore register, not
per-thread
- [powerpc*] KVM: BookE: Fix a sanity check
- [powerpc*] KVM: Book3s PR: Allow access to unprivileged MMCR2 register
- NFSv4: Open state recovery must account for file permission changes
- Revert "usbtmc: convert to devm_kzalloc"
- drm/radeon/si/dpm: fix phase shedding setup
- [powerpc*/*64*] vdso64: Use double word compare on pointers
- ext4: release bh in make_indexed_dir
- [s390*] con3270: fix use of uninitialised data
- [s390*] con3270: fix insufficient space padding
- fuse: invalidate dir dentry after chmod
- fuse: fix killing s[ug]id in setattr
- fuse: listxattr: verify xattr list
- crypto: gcm - Fix IV buffer size in crypto_gcm_setkey
- staging: rtl8188eu: fix missing unlock on error in rtw_resume_process()
- staging: rtl8188eu: fix double unlock error in rtw_resume_process()
- UBI: fastmap: scrub PEB when bitflips are detected in a free PEB EC header
- ubi: Deal with interrupted erasures in WL
- ubi: Fix races around ubi_refill_pools()
- ubi: Fix Fastmap's update_vol()
- i40e: avoid NULL pointer dereference and recursive errors on early PCI
error
- [powerpc*] powernv: Use CPU-endian PEST in pnv_pci_dump_p7ioc_diag_data()
- mfd: rtsx_usb: Avoid setting ucr->current_sg.status
- async_pq_val: fix DMA memory leak
- mm: filemap: fix mapping->nrpages double accounting in fuse
- netlink: do not enter direct reclaim from netlink_dump()
- IB/srp: Fix infinite loop when FMR sg[0].offset != 0
- [x86] Input: elantech - add Fujitsu Lifebook E556 to force crc_enabled
- mm/hugetlb: fix memory offline with hugepage size > memory block size
- mm/hugetlb: check for reserved hugepages during memory offline
- vfs,mm: fix a dead loop in truncate_inode_pages_range()
- [powerpc*] pseries: Fix stack corruption in htpe code
- [powerpc*/*64*] Fix incorrect return value from __copy_tofrom_user
- [x86] panic: replace smp_send_stop() with kdump friendly version in panic
path
- [mips*] panic: replace smp_send_stop() with kdump friendly version in
panic path
- compiler: Allow 1- and 2-byte smp_load_acquire() and smp_store_release()
- ipc: remove use of seq_printf return value
- ipc/sem.c: fix complex_count vs. simple op race
- [mips*] ptrace: Fix regs_return_value for kernel context
- cifs: Display number of credits available
- cifs: Limit the overall credit acquired
- cifs: Set previous session id correctly on SMB3 reconnect
- cifs: SMB3: GUIDs should be constructed as random but valid uuids
- cifs: Clarify locking of cifs file and tcon structures and make more
granular
- cifs: Do not send SMB3 SET_INFO request if nothing is changing
- cifs: Cleanup missing frees on some ioctls
- fs/super.c: fix race between freeze_super() and thaw_super()
- scsi: Fix use-after-free
- mac80211: discard multicast and 4-addr A-MSDUs
- jbd2: fix incorrect unlock on j_list_lock
- drm/radeon: change vblank_time's calculation method to reduce
computational error.
- ipv6: correctly add local routes when lo goes up
- [s390*] scsi: zfcp: spin_lock_irqsave() is not nestable
- mmc: sdhci: cast unsigned int to unsigned long long to avoid unexpeted
error
- mmc: rtsx_usb_sdmmc: Avoid keeping the device runtime resumed when unused
- mmc: rtsx_usb_sdmmc: Handle runtime PM while changing the led
- memstick: rtsx_usb_ms: Runtime resume the device when polling for cards
- memstick: rtsx_usb_ms: Manage runtime PM when accessing the device
- [arm64] kernel: Init MDCR_EL2 even in the absence of a PMU
- netfilter: nf_tables: underflow in nft_parse_u32_check()
- ALSA: hda - allow 40 bit DMA mask for NVidia devices
- isofs: Do not return EACCES for unknown filesystems
- bridge: multicast: restore perm router ports on multicast enable
- hwrng: core - Don't use a stack buffer in add_early_randomness()
- [x86] Input: i8042 - add XMG C504 to keyboard reset table
- ubifs: Fix xattr_names length in exit paths
- ubifs: Abort readdir upon error
- target: Make EXTENDED_COPY 0xe4 failure return COPY TARGET DEVICE NOT
REACHABLE
- target: Don't override EXTENDED_COPY xcopy_pt_cmd SCSI status code
- [x86] xhci: add restart quirk for Intel Wildcatpoint PCH
- xhci: workaround for hosts missing CAS bit
- USB: serial: fix potential NULL-dereference at probe
- drm/radeon/si_dpm: Limit clocks on HD86xx part
- [arm64] KVM: Take S1 walks into account when determining S2 write faults
- [powerpc*] Convert cmp to cmpd in idle enter sequence
- ipv4: use the right lock for ping_group_range
- ACPI / APEI: Fix incorrect return value of ghes_proc()
- dm table: fix missing dm_put_target_type() in dm_table_add_target()
- [x86] mei: txe: don't clean an unprocessed interrupt cause.
- scsi: megaraid_sas: Fix data integrity failure for JBOD (passthrough)
devices
- [x86] hv: do not lose pending heartbeat vmbus packets
- ALSA: hda - Fix surround output pins for ASRock B150M mobo
- drm/radeon: drop register readback in cayman_cp_int_cntl_setup
- drm/radeon/si_dpm: workaround for SI kickers
- scsi: scsi_debug: Fix memory leak if LBP enabled and module is unloaded
- scsi: arcmsr: Send SYNCHRONIZE_CACHE command to firmware
- tty: vt, fix bogus division in csi_J
- tty: limit terminal size to 4M chars
- vt: clear selection before resizing
- netfilter: nf_conntrack_sip: extend request line validation
- netfilter: nf_tables: fix type mismatch with error return from
nft_parse_u32_check
- btrfs: fix races on root_log_ctx lists
- lib/genalloc.c: start search from start of chunk
- [s390*] hypfs: Use get_free_page() instead of kmalloc to ensure page
alignment
- [x86] KVM: fix wbinvd_dirty_mask use-after-free
- GenWQE: Fix bad page access during abort of resource allocation
- ubifs: Fix regression in ubifs_readdir()
- md: be careful not lot leak internal curr_resync value into metadata.
- net/mlx5: Avoid passing dma address 0 to firmware
- packet: on direct_xmit, limit tso and csum to supported devices
- net/mlx4_core: Fix the resource-type enum in res tracker to conform to FW
spec
- net/mlx4_en: Resolve dividing by zero in 32-bit system
- net/mlx4_en: Process all completions in RX rings after port goes up
- net/mlx4_en: Fix potential deadlock in port statistics flow
- [x86] iommu/vt-d: Fix IOMMU lookup for SR-IOV Virtual Functions
- virtio: console: Unlock vqs while freeing buffers
- netfilter: nf_tables: destroy the set if fail to add transaction
- [x86] mei: bus: fix received data size check in NFC fixup
- ipv6: Don't use ufo handling on later transformed packets
- can: bcm: fix warning in bcm_connect/proc_register
- bgmac: stop clearing DMA receive control register right after it is set
- uwb: fix device reference leaks
- [armel,armhf] gpio/mvebu: Use irq_domain_add_linear
- PM / sleep: fix device reference leak in test_suspend
- ip6_tunnel: Clear IP6CB in ip6tunnel_xmit()
- firewire: net: fix fragmented datagram_size off-by-one
- ipv4: allow local fragmentation in ip_finish_output_gso()
- i2c: core: fix NULL pointer dereference under race condition
- iio: hid-sensors: Fix compilation warning
- iio: hid-sensors: Increase the precision of scale to fix wrong reading
interpretation.
- [armhf] net: ethernet: ti: cpsw: fix device and of_node leaks
- scsi: megaraid_sas: fix macro MEGASAS_IS_LOGICAL to avoid regression
- rtnl: reset calcit fptr in rtnl_unregister()
- USB: cdc-acm: fix TIOCMIWAIT
- PM / sleep: don't suspend parent when async child suspend_{noirq, late}
fails
- [x86] ALSA: hda - Fix mic regression by ASRock mobo fixup
- swapfile: fix memory corruption via malformed swapfile
- coredump: fix unfreezable coredumping task
- dib0700: fix nec repeat handling
- scsi: mpt3sas: Fix secure erase premature termination
- neigh: check error pointer instead of NULL for ipv4_neigh_lookup()
- ipv4: use new_gw for redirect neigh lookup
- fuse: fix fuse_write_end() if zero bytes were copied
- [armhf] usb: chipidea: move the lock initialization to core file
- rtnetlink: fix rtnl_vfinfo_size
- mfd: core: Fix device reference leak in mfd_clone_cell
- nvme/pci: Don't free queues on error
- IB/uverbs: Fix leak of XRC target QPs
- IB/cm: Mark stale CM id's whenever the mad agent was unregistered
- IB/core: Avoid unsigned int overflow in sg_alloc_table
- IB/mlx5: Use cache line size to select CQE stride
- IB/mlx5: Resolve soft lock on massive reg MRs
- IB/mlx5: Fix NULL pointer dereference on debug print
- IB/mlx4: Fix create CQ error flow
- mwifiex: printk() overflow with 32-byte SSIDs
- of_mdio: fix node leak in of_phy_register_fixed_link error path
- cfg80211: limit scan results cache size
- [armhf] net: ethernet: ti: cpsw: fix bad register access in probe error
path
- [armhf] net: ethernet: ti: cpsw: fix mdio device reference leak
- [armhf] net: ethernet: ti: cpsw: fix secondary-emac probe error path
- KVM: Disable irq while unregistering user notifier
- [x86] KVM: fix missed SRCU usage in kvm_lapic_set_vapic_addr
- ext4: sanity check the block and cluster size at mount time
- l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind()
(CVE-2016-10200)
- apparmor: fix change_hat not finding hat after policy replacement
- [x86] traps: Ignore high word of regs->cs in early_fixup_exception()
- xc2028: Fix use-after-free bug properly
- [armhf] net: ethernet: mvneta: Remove IFF_UNICAST_FLT which is not
implemented
- net/mlx4: Fix uninitialized fields in rule when adding promiscuous mode
to device managed flow steering
- pwm: Fix device reference leak
- netfilter: arp_tables: fix invoking 32bit "iptable -P INPUT ACCEPT"
failed in 64bit kernel
- [powerpc*] eeh: Fix deadlock when PE frozen state can't be cleared
- batman-adv: Check for alloc errors when preparing TT local data
- locking/rtmutex: Prevent dequeue vs. unlock race
- ipv4: Set skb->protocol properly for local output
- ipv6: Set skb->protocol properly for local output
- tipc: check minimum bearer MTU
- [x86] perf: Fix full width counter, counter overflow
- fuse: fix clearing suid, sgid for chown()
- can: raw: raw_setsockopt: limit number of can_filter that can be set
- can: peak: fix bad memory access and free sequence
- ser_gigaset: return -ENOMEM on error instead of success
- vfs,mm: fix return value of read() at s_maxbytes
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.41
- mnt: Add a per mount namespace limit on the number of mounts
(CVE-2016-6213)
- ext4: validate s_first_meta_bg at mount time (CVE-2016-10208)
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.42
- net/sched: em_meta: Fix 'meta vlan' to correctly recognize zero VID frames
- ite-cir: initialize use_demodulator before using it
- usb: gadget: composite: correctly initialize ep->maxpacket
- usb: gadget: composite: always set ep->mult to a sensible value
- [armhf] usb: dwc3: gadget: set PCM1 field of isochronous-first TRBs
- [amd64] drm/gma500: Add compat ioctl
- enic: set skb->hash type properly
- xfs: fix up xfs_swap_extent_forks inline extent handling
- scsi: megaraid_sas: For SRIOV enabled firmware, ensure VF driver waits
for 30secs before reset
- PCI: Check for PME in targeted sleep state
- USB: UHCI: report non-PME wakeup signalling for Intel hardware
- [armhf] dts: imx6q-cm-fx6: fix fec pinctrl
- [powerpc] ibmebus: Fix device reference leaks in sysfs interface
- [powerpc] ibmebus: Fix further device reference leaks
- [powerpc*] pci/rpadlpar: Fix device reference leaks
- usb: xhci-mem: use passed in GFP flags instead of GFP_KERNEL
- dm rq: fix a race condition in rq_completed()
- ext4: fix mballoc breakage with 64k block size
- ext4: fix stack memory corruption with 64k block size
- IB/core: Save QP in ib_flow structure
- IB/mlx5: Put non zero value in max_ah
- IB/mlx5: Wait for all async command completions to complete
- IB/IPoIB: Remove can't use GFP_NOIO warning
- IB/mlx4: Set traffic class in AH
- IB/mlx4: Put non zero value in max_ah device attribute
- IB/mlx4: Fix port query for 56Gb Ethernet links
- scsi: mvsas: fix command_active typo
- ssb: Fix error routine when fallback SPROM fails
- usb: hub: Fix auto-remount of safely removed or ejected USB-3 devices
- [armhf] USB: phy: am335x-control: fix device and of_node leaks
- ext4: fix in-superblock mount options processing
- ext4: use more strict checks for inodes_per_block on mount
- ext4: add sanity checking to count_overhead()
- [powerpc*] KVM: Book3S HV: Save/restore XER in checkpointed register state
- dm crypt: mark key as invalid until properly loaded
- f2fs: set ->owner for debugfs status file's file_operations
- xen/gntdev: Use VM_MIXEDMAP instead of VM_IO to avoid NUMA balancing
- ALSA: usb-audio: Fix bogus error return in snd_usb_create_stream()
- md/raid5: limit request size according to implementation limits
- thermal: hwmon: Properly report critical temperature in sysfs
- USB: serial: kl5kusb105: fix open error path
- USB: serial: kl5kusb105: abort on open exception path
- [powerpc] ps3: Fix system hang with GCC 5 builds
- Btrfs: fix tree search logic when replaying directory entry deletes
- [armhf,arm64] bus: vexpress-config: fix device reference leak
- block: protect iterate_bdevs() against concurrent close
- NFS: Fix a performance regression in readdir
- xfs: set AGI buffer type in xlog_recover_clear_agi_bucket
- mmc: sdhci: Fix recovery from tuning timeout
- CIFS: Fix missing nls unload in smb2_reconnect()
- CIFS: Fix a possible memory corruption in push locks
- CIFS: Fix a possible memory corruption during reconnect
- [x86] ALSA: hda - Add inverted internal mic for Asus Aspire 4830T
- [x86] ALSA: hda - Add the top speaker pin config for HP Spectre x360
- [x86] ALSA: hda - Gate the mic jack on HP Z1 Gen3 AiO
- drm/radeon: Hide the HW cursor while it's out of bounds
- drm/radeon: Use mode h/vdisplay fields to hide out of bounds HW cursor
- drm/radeon: add additional pci revision to dpm workaround
- [armhf] xen: Use alloc_percpu rather than __alloc_percpu
- clk: clk-wm831x: fix a logic error
- hotplug: Make register and unregister notifier API symmetric
- iw_cxgb4: Fix error return code in c4iw_rdev_open()
- dm space map metadata: fix 'struct sm_metadata' leak on failed create
- md: MD_RECOVERY_NEEDED is set for mddev->recovery
- cfg80211/mac80211: fix BSS leaks when abandoning assoc attempts
- hwmon: (ds620) Fix overflows seen when writing temperature limits
- [i386] ftrace: Set ftrace_stub to weak to prevent gcc from using short
jumps to it
- fgraph: Handle a case where a tracer ignores set_graph_notrace
- nfs_write_end(): fix handling of short copies
- ext4: reject inodes with negative size
- ext4: return -ENOMEM instead of success
- [s390*] vmlogrdr: fix IUCV buffer allocation
- [armhf] hwmon: (g762) Fix overflows and crash seen when writing limit
attributes
- ALSA: hiface: Fix M2Tech hiFace driver sampling rate change
- libceph: verify authorize reply on connect
- fs/notify/inode_mark.c: use list_next_entry in fsnotify_unmount_inodes
- fsnotify: Fix possible use-after-free in inode iteration on umount
- IB/mlx4: When no DMFS for IPoIB, don't allow NET_IF QPs
- IB/mlx4: Fix out-of-range array index in destroy qp flow
- Btrfs: delayed-inode: replace root args iff only fs_info used
- btrfs: limit async_work allocation and worker func duration
- block_dev: don't test bdev->bd_contains when it is not stable
- IB/mad: Fix an array index check
- IPoIB: Avoid reading an uninitialized member variable
- IB/multicast: Check ib_find_pkey() return value
- [s390x] scsi: zfcp: fix use-after-"free" in FC ingress path after TMF
- [s390x] scsi: zfcp: do not trace pure benign residual HBA responses at
default level
- [s390x] scsi: zfcp: fix rport unblock race with LUN recovery
- scsi: avoid a permanent stop of the scsi device's request queue
- target/iscsi: Fix double free in lio_target_tiqn_addtpg()
- [x86] drivers/gpu/drm/ast: Fix infinite loop if read fails
- NFSv4.1: nfs4_fl_prepare_ds must be careful about reporting success.
- [x86] drm/i915/dsi: Do not clear DPOUNIT_CLOCK_GATE_DISABLE from
vlv_init_display_clock_gating
- fs: exec: apply CLOEXEC before changing dumpable task flags
- [x86] Input: i8042 - add Pegatron touchpad to noloop table
- net, sched: fix soft lockup in tc_classify
- [armhf] net: stmmac: Fix race between stmmac_drv_probe and stmmac_open
- [armhf] net: stmmac: Fix error path after register_netdev move
- net/mlx4_core: Use-after-free causes a resource leak in flow-steering
detach
- net/mlx4_en: Fix bad WQE issue
- net/mlx4: Remove BUG_ON from ICM allocation routine
- [armhf] usb: dwc3: ep0: add dwc3_ep0_prepare_one_trb()
- [armhf] usb: dwc3: ep0: explicitly call dwc3_ep0_prepare_one_trb()
- [armhf] usb: dwc3: gadget: always unmap EP0 requests
- [armhf] usb: gadget: composite: Test get_alt() presence instead of
set_alt()
- [armhf] usb: gadgetfs: restrict upper bound on device configuration size
- [armhf] USB: gadgetfs: fix unbounded memory allocation bug
- [armhf] USB: gadgetfs: fix use-after-free bug
- [armhf] USB: gadgetfs: fix checks of wTotalLength in config descriptors
- btrfs: fix error handling when run_delayed_extent_op fails
- btrfs: fix locking when we put back a delayed ref that's too new
- xhci: free xhci virtual devices with leaf nodes first
- usb: xhci: fix possible wild pointer
- usb: host: xhci: Fix possible wild pointer when handling abort command
- xhci: Handle command completion and timeout race
- usb: xhci: hold lock over xhci_abort_cmd_ring()
- USB: serial: cyberjack: fix NULL-deref at open
- USB: serial: garmin_gps: fix memory leak on failed URB submit
- USB: serial: io_edgeport: fix NULL-deref at open
- USB: serial: io_ti: fix NULL-deref at open
- USB: serial: io_ti: fix another NULL-deref at open
- USB: serial: iuu_phoenix: fix NULL-deref at open
- USB: serial: keyspan_pda: verify endpoints at probe
- USB: serial: kobil_sct: fix NULL-deref in write
- USB: serial: mos7720: fix NULL-deref at open
- USB: serial: mos7720: fix use-after-free on probe errors
- USB: serial: mos7720: fix parport use-after-free on probe errors
- USB: serial: mos7720: fix parallel probe
- USB: serial: mos7840: fix NULL-deref at open
- USB: serial: mos7840: fix misleading interrupt-URB comment
- USB: serial: omninet: fix NULL-derefs at open and disconnect
- USB: serial: oti6858: fix NULL-deref at open
- USB: serial: pl2303: fix NULL-deref at open
- USB: serial: quatech2: fix sleep-while-atomic in close
- USB: serial: spcp8x5: fix NULL-deref at open
- USB: serial: ti_usb_3410_5052: fix NULL-deref at open
- [x86] iommu/amd: Fix the left value check of cmd buffer
- [x86] mei: move write cb to completion on credentials failures
- ALSA: hda - Apply asus-mode8 fixup to ASUS X71SL
- [x86] cpu: Fix bootup crashes by sanitizing the argument of the
'clearcpuid=' command-line option
- [armhf] usb: musb: Fix trying to free already-free IRQ 4
- usb: hub: Move hub_port_disable() to fix warning if PM is disabled
- USB: fix problems with duplicate endpoint addresses
- selftests: do not require bash to run netsocktests testcase
- HID: hid-cypress: validate length of report (CVE-2017-7273)
- ata: sata_mv:- Handle return value of devm_ioremap.
- drm/radeon: drop verde dpm quirks
- [x86] boot: Add missing declaration of string functions
- USB: ch341: remove redundant close from open error path
- USB: ch341: set tty baud speed according to tty struct
- USB: serial: ch341: add register and USB request definitions
- USB: serial: ch341: reinitialize chip on reconfiguration
- USB: serial: ch341: fix initial modem-control state
- USB: serial: ch341: fix open and resume after B0
- USB: serial: ch341: fix modem-control and B0 handling
- USB: serial: ch341: fix open error handling
- USB: serial: ch341: fix resume after reset
- USB: serial: ch341: fix baud rate and line-control handling
- gro: Enter slow-path if there is no tailroom
- gro: Disable frag0 optimization on IPv6 ext headers
- ocfs2: fix crash caused by stale lvb with fsdlm plugin
- mm/hugetlb.c: fix reservation race when freeing surplus pages
- sysrq: attach sysrq handler correctly for 32-bit kernel
- USB: serial: ch341: fix control-message error handling
- gro: use min_t() in skb_gro_reset_offset()
- [x86] PCI: Ignore _CRS on Supermicro X8DTH-i/6/iF/6F
- xhci: fix deadlock at host remove by running watchdog correctly
- [x86] KVM: flush pending lapic jump label updates on module unload
- i2c: fix kernel memory disclosure in dev interface
- svcrpc: don't leak contexts on PROC_DESTROY
- netfilter: rpfilter: fix incorrect loopback packet judgment
- be2net: fix status check in be_cmd_pmac_add()
- net/mlx4_core: Fix racy CQ (Completion Queue) free
- net/mlx4_core: Fix when to save some qp context flags for dynamic VST to
VGT transitions
- net/mlx4_core: Eliminate warning messages for SRQ_LIMIT under SRIOV
- clocksource/exynos_mct: Clear interrupt when cpu is shut down
- ubifs: Fix journal replay wrt. xattr nodes
- qla2xxx: Fix crash due to null pointer access
- can: c_can_pci: fix null-pointer-deref in c_can_start() - set device
pointer
- ceph: fix bad endianness handling in parse_reply_info_extra
- [arm64] ptrace: Preserve previous registers for short regset write
- [arm64] ptrace: Avoid uninitialised struct padding in fpr_set()
- [arm64] ptrace: Reject attempts to set incomplete hardware breakpoint
fields
- net: fix harmonize_features() vs NETIF_F_HIGHDMA
- [arm64] avoid returning from bad_mode
- tcp: initialize max window for a new fastopen socket
- nbd: fix use-after-free of rq/bio in the xmit path
- nbd: only set MSG_MORE when we have more to send
- [powerpc*] ptrace: Preserve previous fprs/vsrs on short regset write
- [powerpc*] Ignore reserved field in DCSR and PVR reads and writes
- [x86] platform: intel_mid_powerbtn: Set IRQ_ONESHOT
- crypto: api - Clear CRYPTO_ALG_DEAD bit before registering an alg
- [arm64] crypto: aes-blk - honour iv_out requirement in CBC and CTR modes
- [powerpc*] Add missing error check to prom_find_boot_cpu()
- nfs: Don't increment lock sequence ID after NFS4ERR_MOVED
- ip6_tunnel: must reload ipv6h in ip6ip6_tnl_xmit()
- SUNRPC: cleanup ida information when removing sunrpc module
- netfilter: nft_log: restrict the log prefix length to 127
- mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp
- [x86] drm/i915: Don't leak edid in intel_crt_detect_ddc()
- sysctl: fix proc_doulongvec_ms_jiffies_minmax()
- nfs: Fix "Don't increment lock sequence ID after NFS4ERR_MOVED"
- can: bcm: fix hrtimer/tasklet termination in bcm op removal
- perf/core: Fix PERF_RECORD_MMAP2 prot/flags for anonymous memory
- [armel,armhf] 8643/3: ptrace: Preserve previous registers for short
regset write
- drm/nouveau/nv1a,nv1f/disp: fix memory clock rate retrieval
- mmc: sdhci: Ignore unexpected CARD_INT interrupts
- svcrpc: fix oops in absence of krb5 module
- net: use a work queue to defer net_disable_timestamp() work
- mm, fs: check for fatal signals in do_generic_file_read()
- netlabel: out of bound access in cipso_v4_validate()
- mac80211: Fix adding of mesh vendor IEs
- ALSA: seq: Don't handle loop timeout at snd_seq_pool_done()
- [x86] drm/i915: fix use-after-free in page_flip_completed()
- ALSA: seq: Fix race at creating a queue
- target: Use correct SCSI status during EXTENDED_COPY exception
- target: Fix early transport_generic_handle_tmr abort scenario
- target: Fix COMPARE_AND_WRITE ref leak for non GOOD status
- btrfs: fix btrfs_compat_ioctl failures on non-compat ioctls
- ping: fix a null pointer dereference
- [s390x] scsi: zfcp: fix use-after-free by not tracing WKA port open/close
on failed send
- xen-netfront: Delete rx_refill_timer in xennet_disconnect_backend()
- l2tp: do not use udp_ioctl()
- futex: Move futex_init() to core_initcall
- mmc: core: fix multi-bit bus width without high-speed mode
- vfs: fix uninitialized flags in splice_to_pipe()
- packet: call fanout_release, while UNREGISTERING a netdev
- packet: Do not call fanout_release from atomic contexts
- printk: use rcuidle console tracepoint
- sg: Fix missing sanity check in /dev/sg
- sched/cputime: Fix invalid gtime in proc
- decnet: Do not build routes to devices without decnet private data.
- route: do not cache fib route info on local routes with oif
- sch_htb: update backlog as well
- sch_dsmark: update backlog as well
- netem: Segment GSO packets on enqueue
- [x86] VSOCK: do not disconnect socket when peer has shutdown SEND only
- net: bridge: fix old ioctl unlocked net device walk
- udp: prevent skbs lingering in tunnel socket queues
- ipv6: Skip XFRM lookup if dst_entry in socket cache is valid
- sit: correct IP protocol used in ipip6_err
- ipmr/ip6mr: Initialize the last assert time of mfc entries.
- net: alx: Work around the DMA RX overflow issue
- cdc_ncm: workaround for EM7455 "silent" data interface
- bonding: set carrier off for devices created through netlink
- net: fix sk_mem_reclaim_partial()
- tcp: fix overflow in __tcp_retransmit_skb()
- net: avoid sk_forward_alloc overflows
- tcp: fix wrong checksum calculation on MTU probing
- net: Add netdev all_adj_list refcnt propagation to fix panic
- net: sctp, forbid negative length
- net: clear sk_err_soft in sk_clone_lock()
- net: mangle zero checksum in skb_checksum_help()
- dccp: do not send reset to already closed sockets
- dccp: fix out of bound access in dccp_v4_err()
- ipv6: dccp: fix out of bound access in dccp_v6_err()
- ipv6: dccp: add missing bind_conflict to dccp_ipv6_mapped
- sctp: assign assoc_id earlier in __sctp_connect
- sock: fix sendmmsg for partial sendmsg
- ip6_tunnel: disable caching when the traffic class is inherited
- net: sky2: Fix shutdown crash
- net/sched: pedit: make sure that offset is valid
- net/dccp: fix use-after-free in dccp_invalid_packet
- [x86] netvsc: reduce maximum GSO size
- ipv6: handle -EFAULT from skb_copy_bits
- drop_monitor: add missing call to genlmsg_end
- drop_monitor: consider inserted data in genlmsg_end
- igmp: Make igmp group member RFC 3376 compliant
- r8152: fix the sw rx checksum is unavailable
- tcp: fix tcp_fastopen unaligned access complaints on sparc
- ipv6: addrconf: Avoid addrconf_disable_change() using RCU read-side lock
- net: socket: fix recvmmsg not returning error from sock_error
- can: Fix kernel panic at security_sock_rcv_skb
- ipv6: fix ip6_tnl_parse_tlv_enc_lim()
- ipv6: pointer math error in ip6_tnl_parse_tlv_enc_lim()
- tcp: fix 0 divide in __tcp_select_window()
- tun: Fix TUN_PKT_STRIP setting
- tun: read vnet_hdr_sz once
- macvtap: read vnet_hdr_size once
- mlx4: Invoke softirqs after napi_reschedule
- sit: fix a double free on error path
- igmp: do not remove igmp souce list info when set link down
- mld: do not remove mld souce list info when set link down
- igmp, mld: Fix memory leak in igmpv3/mld_del_delrec()
- [x86] Revert "KVM: x86: expose MSR_TSC_AUX to userspace"
(regression in 3.16.7-ckt24)
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.43
- crypto: improve gcc optimization flags for serpent and wp512
- mmc: sunxi: avoid invalid pointer calculation
- [mips*] Zero variable read by get_user / __get_user in case of an error.
- netlink: remove mmapped netlink support
- vfs: Commit to never having exectuables on proc and sysfs.
- aio: mark AIO pseudo-fs noexec (CVE-2016-10044)
- keys: Guard against null match function in keyring_search_aux()
(CVE-2017-2647 / CVE-2017-6951)
[ Ben Hutchings ]
* locking/mutex: Don't assume TASK_RUNNING (Closes: #841171)
* can, tcp: Ignore ABI changes
* [arm64] ptrace: Avoid ABI change in 3.16.42
* [x86] Revert "x86/panic: replace smp_send_stop() with kdump friendly
version in panic path" to avoid ABI change
* net: Avoid ABI change for "net: fix sk_mem_reclaim_partial()"
* vfs: Avoid ABI change for "mnt: Add a per mount namespace limit ..."
* mmc: Avoid ABI change for "mmc: core: Annotate cmd_hdr as __le32"
* ext4: fix fencepost in s_first_meta_bg validation (regression in 3.16.41)
* timer: Restrict timer_stats to initial PID namespace (CVE-2017-5967)
* mbcache: Reschedule before restarting iteration in mb_cache_entry_alloc()
(mitigates CVE-2015-8952)
* [powerpc/powerpc64,ppc64*] Enable SCSI_IBMVFC as module (Closes: #859523)
- udeb: Add ibmvfc to scsi-modules
* mm: Make PIE address randomisation independent of mmap (Closes: #797530)
- [armel,armhf] factor out mmap ASLR into mmap_rnd
- [arm64] ASLR: Don't randomise text when randomise_va_space == 0
- [arm64] standardize mmap_rnd() usage
- [mips*] extract logic for mmap_rnd()
- [powerpc*] Use generic PIE randomization
- [powerpc*] standardize mmap_rnd() usage
- [s390*] Change randomize_et_dyn() to take void and use mmap_rnd()
- [s390*] standardize mmap_rnd() usage
- mm: expose arch_mmap_rnd when available
- [s390*] redefine randomize_et_dyn for ELF_ET_DYN_BASE
- mm: split ET_DYN ASLR from mmap ASLR
- mm: fold arch_randomize_brk into ARCH_HAS_ELF_RANDOMIZE
* ping: implement proper locking (CVE-2017-2671)
* xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window
(CVE-2017-7184)
* xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder (CVE-2017-7184)
* [x86] drm/vmwgfx: NULL pointer dereference in vmw_surface_define_ioctl()
(CVE-2017-7261)
* [x86] drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl()
(CVE-2017-7294)
* net/packet: Fix integer overflow in various range checks (CVE-2017-7308)
* mm/mempolicy.c: fix error handling in set_mempolicy and mbind
(CVE-2017-7616)
* crypto: ahash - Fix EINPROGRESS notification callback (CVE-2017-7618)
* USB: iowarrior: fix NULL-deref at probe (CVE-2016-2188)
* ixgbe: do not call check_link for ethtool in ixgbe_get_settings()
(Closes: #851952)
* Fix bugs in ipv6 peer address cleanup (Closes: #854348):
- ipv6: fix a refcnt leak with peer addr
- ipv6: use addrconf_get_prefix_route() to remove peer addr
* KEYS: special dot prefixed keyring name bug fix
* KEYS: Reinstate EPERM for a key type name beginning with a '.'
* KEYS: Disallow keyrings beginning with '.' to be joined as session keyrings
(CVE-2016-9604)
* KEYS: fix keyctl_set_reqkey_keyring() to not leak thread keyrings
(CVE-2017-7472)
[ Salvatore Bonaccorso ]
* sunrpc: fix refcounting problems with auth_gss messages.
Thanks to Raphael Geissert <email address hidden> (Closes: #852708)
-- Ben Hutchings <email address hidden> Sat, 22 Apr 2017 03:50:23 +0100