Changelog
linux (3.16.39-1) jessie; urgency=medium
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.37
- [x86] iommu/vt-d: Ratelimit fault handler
- xfs: disallow rw remount on fs with unknown ro-compat features
- Bluetooth: vhci: fix open_timeout vs. hdev race
- [x86] drm/i915: Prevent machine death on Ivybridge context switching
- scsi: Add intermediate STARGET_REMOVE state to scsi_target_state
(Closes: #834513)
- Revert "scsi: fix soft lockup in scsi_remove_target() on module removal"
- Bluetooth: vhci: Fix race at creating hci device
- EDAC: Increment correct counter in edac_inc_ue_error()
- ext4: fix data exposure after a crash
- [armhf] crypto: s5p-sss - Fix missed interrupts when working with
8 kB blocks
- [armhf] crypto: s5p-sss - fix incorrect usage of scatterlists api
- btrfs: bugfix: handle FS_IOC32_{GETFLAGS,SETFLAGS,GETVERSION} in
btrfs_ioctl
- [arm*] KVM: Enforce Break-Before-Make on Stage-2 page tables
- aacraid: Relinquish CPU during timeout wait
- aacraid: Fix for aac_command_thread hang
- ext4: fix hang when processing corrupted orphaned inode list
- ext4: clean up error handling when orphan list is corrupted
- Revert "tty: Fix pty master poll() after slave closes v2"
- Fix OpenSSH pty regression on close
- cpufreq: Fix GOV_LIMITS handling for the userspace governor
- ACPI / sysfs: fix error code in get_status()
- ext4: fix oops on corrupted filesystem
- [arm64] Ensure pmd_present() returns false after pmd_mknotpresent()
- [armhf] dts: exynos: Add interrupt line to MAX8997 PMIC on
exynos4210-trats
- [mips*] Fix siginfo.h to use strict posix types
- USB: serial: keyspan,muxport,quatech2: fix use-after-free in probe
error path
- irqchip/gic: Ensure ordering between read of INTACK and shared data
- [powerpc*] mm/hash64: Fix subpage protection with 4K HPTE config
- rtlwifi: Fix logic error in enter/exit power-save mode
- sched/loadavg: Fix loadavg artifacts on fully idle and on fully loaded
systems
- [mips*] Fix race condition in lazy cache flushing.
- ring-buffer: Use long for nr_pages to avoid overflow failures
- ring-buffer: Prevent overflow of size in ring_buffer_resize()
- RDMA/iw_cxgb4: Always wake up waiter in c4iw_peer_abort_intr()
- IB/core: Fix a potential array overrun in CMA and SA agent
- i40e: fix an uninitialized variable bug
- mmc: mmc: Fix partition switch timeout for some eMMCs
- net/mlx4_core: Fix access to uninitialized index
- [x86] PCI: Mark Broadwell-EP Home Agent 1 as having non-compliant BARs
- PCI: Disable all BAR sizing for devices with non-compliant BARs
- netlink: Fix dump skb leak/double free (CVE-2016-9806)
- sched/preempt: Fix preempt_count manipulations
- fs/cifs: correctly do anonymous authentication
- fs/cifs: remove directory incorrectly tries to set delete on close on
non-empty directories
- sunrpc: Update RPCBIND_MAXNETIDLEN
- cpuidle: Fix cpuidle_state_is_coupled() argument in cpuidle_enter()
- batman-adv: fix skb deref after free
- batman-adv: Fix unexpected free of bcast_own on add_if error
- batman-adv: Fix integer overflow in batadv_iv_ogm_calc_tq
- xfs: xfs_iflush_cluster fails to abort on error
- xfs: fix inode validity check in xfs_iflush_cluster
- xfs: skip stale inodes in xfs_iflush_cluster
- crypto: public_key: select CRYPTO_AKCIPHER
- net: ehea: avoid null pointer dereference
- cifs: Create dedicated keyring for spnego operations
- Input: uinput - handle compat ioctl for UI_SET_PHYS
- PM / sleep: Handle failures in device_suspend_late() consistently
- tuntap: correctly wake up process during uninit
- scsi_lib: correctly retry failed zero length REQ_TYPE_FS commands
- [x86] drm/i915: Don't leave old junk in ilk active watermarks on readout
- mmc: longer timeout for long read time quirk
- sunrpc: fix stripping of padded MIC tokens
- wait/ptrace: assume __WALL if the child is traced
- xen/events: Don't move disabled irqs
- UBI: do propagate positive error codes up
- UBI: fix missing brace control flow
- UBI: Fix static volume checks when Fastmap is used
- RDMA/cxgb3: device driver frees DMA memory with different size
- [x86] ALSA: hda - Fix headset mic detection problem for one Dell machine
- [x86] crypto: ccp - Fix AES XTS error for request sizes above 4096
- sfc: on MC reset, clear PIO buffer linkage in TXQs
- Input: xpad - prevent spurious input from wired Xbox 360 controllers
- Input: pwm-beeper - remove useless call to pwm_config()
- Input: pwm-beeper - fix - scheduling while atomic
- [mips*] fix read_msa_* & write_msa_* functions on non-MSA toolchains
- hpfs: fix remount failure when there are no options changed
- hpfs: implement the show_options method
- [powerpc*] pseries/eeh: Handle RTAS delay requests in configure_bridge
- [powerpc*] Fix definition of SIAR and SDAR registers
- [powerpc*] Use privileged SPR number for MMCR2
- mac80211_hwsim: Add missing check for HWSIM_ATTR_SIGNAL
- mac80211: mesh: flush mesh paths unconditionally
- [arm64] Provide "model name" in /proc/cpuinfo for PER_LINUX32 tasks
- scsi: Add QEMU CD-ROM to VPD Inquiry Blacklist
- ACPI / processor: Avoid reserving IO regions too early
- drm/nouveau/fbcon: fix out-of-bounds memory accesses
- [armel,armhf] fix PTRACE_SETVFPREGS on SMP systems
- KVM: irqfd: fix NULL pointer dereference in kvm_irq_map_gsi
- [x86] KVM: fix OOPS after invalid KVM_SET_DEBUGREGS
- ALSA: hda - Fix headset mic detection problem for Dell machine
- [powerpc*] pseries: Fix PCI config address for DDW
- mnt: fs_fully_visible test the proper mount for MNT_LOCKED
- IB/IPoIB: Fix race between ipoib_remove_one to sysfs functions
- IB/mlx5: Return PORT_ERR in Active to Initializing tranisition
- IB/mlx5: Fix returned values of query QP
- IB/IPoIB: Don't update neigh validity for unresolved entries
- tcp: record TLP and ER timer stats in v6 stats
- of: fix autoloading due to broken modalias with no 'compatible'
- [x86] cpufreq: intel_pstate: Fix ->set_policy() interface for no_turbo
- fs: fix d_walk()/non-delayed __d_free() race
- net/mlx5: Fix the size of modify QP mailbox
- net/mlx5: Fix masking of reserved bits in XRCD number
- uvc: Forward compat ioctls to their handlers directly
- [armhf] mfd: omap-usb-tll: Fix scheduling while atomic BUG
- [armhf] usb: dwc3: exynos: Fix deferred probing storm.
- usb: f_fs: off by one bug in _ffs_func_bind()
- usb: gadget: fix spinlock dead lock in gadgetfs
- usb: gadget: avoid exposing kernel stack
- HID: elo: kill not flush the work
- usb: xhci-plat: properly handle probe deferral for devm_clk_get()
- USB: quirks: Fix entries on wrong list in 3.16.y
- [armhf] usb: musb: Ensure rx reinit occurs for shared_fifo endpoints
- [armhf] usb: musb: Stop bulk endpoint while queue is rotated
- iio: Fix error handling in iio_trigger_attach_poll_func
- scsi: fix race between simultaneous decrements of ->host_failed
- [armel,armhf] 8578/1: mm: ensure pmd_present only checks the valid bit
- [armel,armhf] 8579/1: mm: Fix definition of pmd_mknotpresent
- drm/radeon: fix asic initialization for virtualized environments
- [armhf] spi: sun4i: fix FIFO limit
- [armhf] spi: sunxi: fix transfer timeout
- [x86] kprobes: Clear TF bit in fault on single-stepping
- kernel/sysrq, watchdog, sched/core: Reset watchdog on all CPUs while
processing sysrq-w
- ipv6: fix endianness error in icmpv6_err
- net_sched: introduce qdisc_replace() helper
- net_sched: update hierarchical backlog too
- netem: fix a use after free
- net_sched: fix pfifo_head_drop behavior vs backlog
- [x86] drm/i915/ilk: Don't disable SSC source if it's in use
- base: make module_create_drivers_dir race-free
- kvm: Fix irq route entries exceeding KVM_MAX_IRQ_ROUTES
- [armhf] memory: omap-gpmc: Fix omap gpmc EXTRADELAY timing
- IB/mlx4: Properly initialize GRH TClass and FlowLabel in AHs
- isa: Call isa_bus_init before dependent ISA bus drivers register
- [x86] hwmon: (dell-smm) Restrict fan control and serial number to
CAP_SYS_ADMIN by default
- tracing: Handle NULL formats in hold_module_trace_bprintk_format()
- [arm64] mm: remove page_mapping check in __sync_icache_dcache
- pinctrl: single: Fix missing flush of posted write for a wakeirq
- net/mlx4_en: Fix the return value of a failure in VLAN VID add/kill
- ubi: Make recover_peb power cut aware
- mm: Export migrate_page_move_mapping and migrate_page_copy
- UBIFS: Implement ->migratepage()
- [ppc64el] bpf/jit: Disable classic BPF JIT on ppc64le
- can: fix oops caused by wrong rtnl dellink usage
- xen/pciback: Fix conf_space read/write overlap check.
- IB/mlx5: Fix post send fence logic
- IB/mlx4: Fix the SQ size of an RC QP
- IB/mlx4: Fix error flow when sending mads under SRIOV
- IB/mlx4: Verify port number in flow steering create flow
- IB/mlx4: Fix memory leak if QP creation failed
- Input: wacom_w8001 - w8001_MAX_LENGTH should be 13
- cifs: use CIFS_MAX_DOMAINNAME_LEN when converting the domain name
- cifs: dynamic allocation of ntlmssp blob
- ALSA: dummy: Fix a use-after-free at closing
- cifs: Fix reconnect to not defer smb3 session reconnect long after socket
reconnect
- tmpfs: don't undo fallocate past its last page
- fs/nilfs2: fix potential underflow in call to crc32_le
- staging: iio: accel: fix error check
- [armhf,arm64] KVM: Stop leaking vcpu pid references
- make nfs_atomic_open() call d_drop() on all ->open_context() errors.
- USB: don't free bandwidth_mutex too early
- ALSA: echoaudio: Fix memory allocation
- [s390x] fix test_fp_ctl inline assembly contraints
- net: bgmac: Start transmit queue in bgmac_open
- net: bgmac: Remove superflous netif_carrier_on()
- mac80211: Fix mesh estab_plinks counting in STA removal case
- Bridge: Fix ipv6 mc snooping if bridge has no ipv6 address
- NFS: Fix another OPEN_DOWNGRADE bug
- ipr: Clear interrupt on croc/crocodile when running with LSI
- [powerpc*] tm: Avoid SLB faults in treclaim/trecheckpoint when RI=0
- net: phy: Manage fixed PHY address space using IDA
- batman-adv: Fix memory leak on tt add with invalid vlan
- batman-adv: replace WARN with rate limited output on non-existing VLAN
- batman-adv: Fix use-after-free/double-free of tt_req_node
- batman-adv: Fix ICMP RR ethernet access after skb_linearize
- batman-adv: Clean up untagged vlan when destroying via rtnl-link
- qlcnic: use the correct ring in qlcnic_83xx_process_rcv_ring_diag()
- ALSA: au88x0: Fix calculation in vortex_wtdma_bufshift()
- [amd64] power: Fix kernel text mapping corruption during image
restoration
- [x86] amd_nb: Fix boot crash on non-AMD systems
- bonding: prevent out of bound accesses
- net/mlx5: Fix potential deadlock in command mode change
- net/mlx5: Add timeout handle to commands with callback
- block: fix use-after-free in sys_ioprio_get() (CVE-2016-7911)
- ALSA: timer: Fix negative queue usage by racy accesses
- qeth: delete napi struct when removing a qeth device
- xenbus: don't bail early from xenbus_dev_request_and_reply()
- ecryptfs: don't allow mmap when the lower fs doesn't support it
- tmpfs: fix regression hang in fallocate undo
- fs: limit filesystem stacking depth
- proc: prevent stacking filesystems on top
- [powerpc*] KVM: Book3S HV: Pull out TM state save/restore into separate
procedures
- [powerpc*] KVM: Book3S HV: Save/restore TM state in H_CEDE (CVE-2016-5412)
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.38
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.39
- HID: uhid: fix timeout when probe races with IO
- macvlan: Fix potential use-after free for broadcasts
- netlabel: add address family checks to netlbl_{sock,req}_delattr()
- em28xx-i2c: rt_mutex_trylock() returns zero on failure
- PCI: Mark Atheros AR9485 and QCA9882 to avoid bus reset
- [armhf] gpio: pca953x: Fix NBANK calculation for PCA9536
- random: print a warning for the first ten uninitialized random users
- [x86] random: add interrupt callback to VMBus IRQ handler
- sched/cputime: Fix prev steal time accouting during CPU hotplug
- [armel/kirkwood,armhf] mvebu: fix HW I/O coherency related deadlocks
- [armhf] usb: dwc3: fix for the isoc transfer EP_BUSY flag
- crypto: gcm - Filter out async ghash if necessary
- IB/mlx5: Fix MODIFY_QP command input structure
- drm/nouveau: Don't leak runtime pm ref on driver unload
- drm/radeon: Don't leak runtime pm ref on driver unload
- drm/radeon: Don't leak runtime pm ref on driver load
- tty/serial: atmel: fix RS485 half duplex with DMA
- [armhf] serial: samsung: Fix ERR pointer dereference on deferred probe
- [armhf] hwrng: omap - Fix assumption that runtime_get_sync will always
succeed
- hp-wmi: Fix wifi cannot be hard-unblocked
- Input: xpad - validate USB endpoint count during probe
- ath9k: Fix programming of minCCA power threshold
- ext4: check for extents that wrap around
- ext4: fix deadlock during page writeback
- ext4: don't call ext4_should_journal_data() on the journal inode
- batman-adv: Avoid nullptr dereference in bla after vlan_insert_tag
- batman-adv: Avoid nullptr dereference in dat after vlan_insert_tag
- batman-adv: Fix orig_node_vlan leak on orig_node_release
- batman-adv: lock crc access in bridge loop avoidance
- batman-adv: Fix non-atomic bla_claim::backbone_gw access
- batman-adv: Fix reference leak in batadv_find_router
- batman-adv: Free last_bonding_candidate on release of orig_node
- ext4: validate s_reserved_gdt_blocks on mount
- iwlwifi: pcie: fix access to scratch buffer
- [mips*] Fix page table corruption on THP permission changes.
- batman-adv: Fix speedy join in gateway client mode
- drm/radeon: add a delay after ATPX dGPU power off
- drm/radeon: Poll for both connect/disconnect on analog connectors
- ALSA: ctl: Stop notification after disconnection
- ALSA: pcm: Free chmap at PCM free callback, too
- [armhf] net: mvneta: set real interrupt per packet for tx_done
- ppp: defer netns reference release for ppp channel
- rtc: ds1307: Fix relying on reset value for weekday
- ngene: properly handle __user ptr
- media: dvb_ringbuffer: Add memory barriers
- [x86] quirks: Apply nvidia_bugs quirk only on root bus
- [x86] quirks: Reintroduce scanning of secondary buses
- [x86] quirks: Add early quirk to reset Apple AirPort card
- posix_cpu_timer: Exit early when process has been reaped
- ALSA: hda - fix use-after-free after module unload
- svc: Avoid garbage replies when pc_func() returns rpc_drop_reply
- NFS: Don't drop CB requests with invalid principals
- qxl: check for kmap failures
- cifs: Check for existing directory when opening file with O_CREAT
- net: ethoc: Fix early error paths
- [s390x] mm: fix gmap tlb flush issues
- [armel,armhf] 8561/3: dma-mapping: Don't use outer_flush_range when the
L2C is coherent
- [x86] KVM: nVMX: fix lifetime issues for vmcs02
- [x86] KVM: nVMX: Fix memory corruption when using VMCS shadowing
- ext4: fix reference counting bug on block allocation error
- ext4: short-cut orphan cleanup on error
- [powerpc*] tm: Fix stack pointer corruption in __tm_recheckpoint()
- Bluetooth: Fix l2cap_sock_setsockopt() with optname BT_RCVMTU
- xfrm: fix crash in XFRM_MSG_GETSA netlink handler
- crypto: scatterwalk - Fix test in scatterwalk_done
- mmc: block: fix packed command header endianness
- crypto: nx - off by one bug in nx_of_update_msc()
- tpm: read burstcount from TPM_STS in one 32-bit transaction
- [arm64] debug: unmask PSTATE.D earlier
- brcmfmac: Fix glob_skb leak in brcmf_sdiod_recv_chain
- brcmsmac: Free packet if dma_mapping_error() fails in dma_rxfill
- brcmsmac: Initialize power in brcms_c_stf_ss_algo_channel_get()
- mtd: nand: fix bug writing 1 byte less than page size
- target: Fix missing complete during ABORT_TASK + CMD_T_FABRIC_STOP
- target: Fix race between iscsi-target connection shutdown + ABORT_TASK
- target: Fix max_unmap_lba_count calc overflow
- cifs: fix crash due to race in hmac(md5) handling
- hwmon: (adt7411) set bit 3 in CFG1 register
- iscsi-target: Fix panic when adding second TCP connection to iSCSI session
- tty/vt/keyboard: fix OOB access in do_compute_shiftstate()
- [mips*] bpf: fix off-by-one in ctx offset allocation
- libceph: set 'exists' flag for newly up osd
- libceph: apply new_state before new_up_client on incrementals
- [x86] gpio: intel-mid: Remove potentially harmful code
- nfs: don't create zero-length requests
- radix-tree: fix radix_tree_iter_retry() for tagged iterators.
- pps: do not crash when failed to register
- [armhf] OMAP3: hwmod data: Add sysc information for DSI
- net/irda: fix NULL pointer dereference on memory allocation failure
- l2tp: Correctly return -EBADF from pppol2tp_getname.
- ceph: Correctly return NXIO errors from ceph_llseek
- CIFS: Fix a possible invalid memory access in smb2_query_symlink()
- [mips*] KEYS: 64-bit MIPS needs to use compat_sys_keyctl for 32-bit
userspace
- drm/radeon: fix firmware info version checks
- fuse: fsync() did not return IO errors
- fuse: fuse_flush must check mapping->flags for errors
- fuse: fix wrong assignment of ->flags in fuse_send_init()
- ubi: Fix race condition between ubi device creation and udev
- ubi: Make volume resize power cut aware
- ubi: Be more paranoid while seaching for the most recent Fastmap
- drm/nouveau/fbcon: fix font width not divisible by 8
- drm/nouveau/acpi: ensure matching ACPI handle and supported functions
- drm/nouveau/acpi: check for function 0x1B before using it
- tcp: consider recv buf for the initial window scale
- ext4: validate that metadata blocks do not overlap superblock
- ALSA: hda - On-board speaker fixup on ACER Veriton
- [amd64] syscalls: Add compat_sys_keyctl for 32-bit userspace
- balloon: check the number of available pages in leak balloon
- dm flakey: error READ bios during the down_interval
- mm/hugetlb: avoid soft lockup in set_max_huge_pages()
- sysv, ipc: fix security-layer leaking
- ALSA: hda: Fix krealloc() with __GFP_ZERO usage
- block: fix use-after-free in seq file (CVE-2016-7910)
- mac80211: fix purging multicast PS buffer queue
- SUNRPC: allow for upcalls for same uid but different gss service
- USB: serial: fix memleak in driver-registration error path
- vfio/pci: Fix NULL pointer oops in error interrupt setup handling
- [x86] drm/edid: Add 6 bpc quirk for display AEO model 0.
- [x86] drm/i915/dp: Revert "drm/i915/dp: fall back to 18 bpp when sink
capability is unknown"
- [powerpc*] powernv: Fix MCE handler to avoid trashing CR0/CR1 registers.
- netfilter: nf_ct_expect: remove the redundant slash when policy name is
empty
- netfilter: nfnetlink_queue: reject verdict request from different portid
- [powerpc*] book3s: Fix MCE console messages for unrecoverable MCE.
- USB: validate wMaxPacketValue entries in endpoint descriptors
- cpuset: make sure new tasks conform to the current config of the cpuset
- [s390x] dasd: fix hanging device after clear subchannel
- [armhf] usb: dwc3: gadget: increment request->actual once
- [x86] mm: Disable preemption during CR3 read+write
- megaraid_sas: Fix probing cards without io port
- PM / hibernate: Restore processor state before using per-CPU variables
- ipv6: suppress sparse warnings in IP6_ECN_set_ce()
- USB: serial: mos7720: fix non-atomic allocation in write path
- USB: serial: mos7840: fix non-atomic allocation in write path
- cdc-acm: fix wrong pipe type on rx interrupt xfers
- scsi: fix upper bounds check of sense key in scsi_sense_key_string()
- xhci: always handle "Command Ring Stopped" events
- usb: xhci: Fix panic if disconnect
- xhci: don't dereference a xhci member after removing xhci
- [x86] KVM: nVMX: postpone VMCS changes on MSR_IA32_APICBASE write
- bcache: register_bcache(): call blkdev_put() when cache_alloc() fails
- bcache: RESERVE_PRIO is too small by one when prio_buckets() is a power
of two.
- drm/radeon: fix radeon_move_blit on 32bit systems
- net/mlx5: Added missing check of msg length in verifying its signature
- [x86] staging: comedi: daqboard2000: bug fix board type matching code
- [x86] staging: comedi: ni_mio_common: fix AO inttrig backwards
compatibility
- [armhf] iio: adc: ti_am335x_adc: Protect FIFO1 from concurrent access
- [powerpc*] pseries: use pci_host_bridge.release_fn() to kfree(phb)
- [powerpc*] prom: Fix sub-processor option passed to ibm,
client-architecture-support
- drm: Reject page_flip for !DRIVER_MODESET
- USB: fix typo in wMaxPacketSize validation
- USB: avoid left shift by -1
- ubifs: Fix assertion in layout_in_gaps()
- tun: fix transmit timestamp support
- timekeeping: Cap array access in timekeeping_debug
- [x86] apic: Do not init irq remapping if ioapic is disabled
- usb: gadget: udc: core: don't starve DMA resources
- qdisc: fix a module refcount leak in qdisc_create_dflt()
- [armel/kirkwood] ib62x0: fix size of u-boot environment partition
- batman-adv: Add missing refcnt for last_candidate
- [armhf] clocksource/drivers/sun4i: Clear interrupts after stopping timer
in probe function
- printk: fix parsing of "brl=" option
- fs/seq_file: fix out-of-bounds read
- [powerpc*] powernv : Drop reference added by kset_find_obj()
- ALSA: timer: fix division by zero after SNDRV_TIMER_IOCTL_CONTINUE
- ALSA: timer: fix NULL pointer dereference on memory allocation failure
- NFSv4.x: Fix a refcount leak in nfs_callback_up_net
- dm crypt: fix free of bad values after tfm allocation failure
- kernfs: don't depend on d_find_any_alias() when generating notifications
- ALSA: fireworks: accessing to user space outside spinlock
- ipv6: add missing netconf notif when 'all' is updated
- tcp: fastopen: fix rcv_wup initialization for TFO server on SYN/data
- kernel/fork: fix CLONE_CHILD_CLEARTID regression in nscd
- ALSA: timer: fix NULL pointer dereference in read()/ioctl() race
- [x86] paravirt: Do not trace _paravirt_ident_*() functions
- IB/core: Fix use after free in send_leave function
- IB/ipoib: Fix memory corruption in ipoib cm mode connect flow
- [x86] AMD: Apply erratum 665 on machines without a BIOS fix
- l2tp: fix use-after-free during module unload
- iio: fix pressure data output unit in hid-sensor-attributes
- sched/core: Fix a race between try_to_wake_up() and a woken up task
- [x86] efi/libstub: Allocate headspace in efi_get_memory_map()
- iio:core: fix IIO_VAL_FRACTIONAL sign handling
- Btrfs: add missing blk_finish_plug in btrfs_sync_log()
- Btrfs: remove root_log_ctx from ctx list before btrfs_sync_log returns
- ipv6: addrconf: fix dev refcont leak when DAD failed
- crypto: cryptd - initialize child shash_desc on import
- ALSA: timer: Fix zero-division by continue of uninitialized instance
- ALSA: rawmidi: Fix possible deadlock with virmidi registration
- xfrm_user: propagate sec ctx allocation errors
- [armhf,arm64] kvm-arm: Unmap shadow pagetables properly
- [arm64] spinlocks: implement smp_mb__before_spinlock() as smp_mb()
- asm-generic: make copy_from_user() zero the destination properly
- NFSv4.1: Fix the CREATE_SESSION slot number accounting
- crypto: skcipher - Fix blkcipher walk OOM crash
- [arm64] crypto: aes-ctr - fix NULL dereference in tail processing
- nl80211: validate number of probe response CSA counters
- asm-generic: make get_user() clear the destination on errors
- [mips*] copy_from_user() must zero the destination on access_ok() failure
- [powerpc] ppc32: fix copy_from_user()
- [s390x] get_user() should zero on failure
- [x86] perf/amd: Make HW_CACHE_REFERENCES and HW_CACHE_MISSES measure L2
- USB: change bInterval default to 10 ms
- IB/ipoib: Don't allow MC joins during light MC flush
- IB/mlx4: Fix incorrect MC join state bit-masking on SR-IOV
- IB/mlx4: Fix code indentation in QP1 MAD flow
- IB/mlx4: Use correct subnet-prefix in QP1 mads under SR-IOV
- irda: Free skb on irda_accept error path.
- xfrm: Fix memory leak of aead algorithm name
- ocfs2/dlm: fix race between convert and migration
- fsnotify: add a way to stop queueing events on group shutdown
- ocfs2: fix start offset to ocfs2_zero_range_for_truncate()
- fix fault_in_multipages_...() on architectures with no-op access_ok()
- [x86] i2c-eg20t: fix race between i2c init and interrupt enable
- btrfs: ensure that file descriptor used with subvol ioctls is a dir
- can: dev: fix deadlock reported after bus-off
- ip6_gre: Set flowi6_proto as IPPROTO_GRE in xmit path.
- ip6_gre: fix flowi6_proto value in ip6gre_xmit_other()
- tracing: Move mutex to protect against resetting of seq data
- ipmr, ip6mr: fix scheduling while atomic and a deadlock with
ipmr_get_route
- drm/radeon/si/dpm: add workaround for for Jet parts
- mm,ksm: fix endless looping in allocating memory when ksm enable
- [armel,armhf] 8617/1: dma: fix dma_max_pfn()
- [mips*/5kc-malta] Fix IOCU disable switch read for MIPS64
- mm: workingset: fix crash in shadow node shrinker caused by
replace_page_cache_page()
- [armhf] 8618/1: decompressor: reset ttbcr fields to use TTBR0 on ARMv7
- [arm64] perf: reject groups spanning multiple HW PMUs (CVE-2015-8955)
- firewire: net: guard against rx buffer overflows (CVE-2016-8633)
- brcmfmac: avoid potential stack overflow in brcmf_cfg80211_start_ap()
(CVE-2016-8658)
- vfio/pci: Fix integer overflows, bitmask check (CVE-2016-9083,
CVE-2016-9084)
- fs: Give dentry to inode_change_ok() instead of inode
- fs: Avoid premature clearing of capabilities (CVE-2015-1350)
(Closes: #770492)
- posix_acl: Clear SGID bit when setting file permissions (CVE-2016-7097)
- staging: comedi: ni_mio_common: fix wrong insn_write handler
- xenbus: don't BUG() on user mode induced condition
- xenbus: don't look up transaction IDs for ordinary writes
- compiler-gcc: disable -ftracer for __noclone functions
- PM / devfreq: Fix incorrect type issue.
- mm: filemap: don't plant shadow entries without radix tree node
[ Aurelien Jarno ]
* [mips*] Fix ptrace handling of any syscalls returning ENOSYS.
[ Salvatore Bonaccorso ]
* [x86] KVM: pass host_initiated to functions that read MSRs
* [x86] KVM: VMX: Fix host initiated access to guest MSR_TSC_AUX
(Closes: #838660)
[ Ben Hutchings ]
* [x86] video: Disable X86_SYSFB, FB_SIMPLE (Closes: #822575)
* Revert "ecryptfs: forbid opening files without mmap handler", redundant
with upstream fixes
* fs: Move procfs/ecryptfs stacking check into ecryptfs, to avoid ABI change
* [mips*] Fix ABI change in 3.16.37
* net/sched: Fix ABI change in 3.16.37
* SCSI: Fix ABI change in 3.16.37
* ubi: Avoid ABI change in 3.16.37
* i8042: Revert ABI break in 3.16.39
* fs: Fix ABI change in 3.16.39
* can: Ignore ABI change in 3.16.39
* [mips*] uaccess: Avoid ABI change in 3.16.39
* [arm64] Revert "arm64: Define AT_VECTOR_SIZE_ARCH for ARCH_DLINFO" to
avoid ABI change
* [s390x] Revert "s390: Define AT_VECTOR_SIZE_ARCH for ARCH_DLINFO" to
avoid ABI change
* Revert "block: fix bdi vs gendisk lifetime mismatch" to avoid ABI change
* fsnotify: Ignore ABI change in 3.16.39
* Fix backport of "fs: Give dentry to inode_change_ok() instead of inode"
in fuse, xfs
* sg: Fix double-free when drives detach during SG_IO (CVE-2015-8962)
* perf: Fix race in swevent hash (CVE-2015-8963)
* tty: Prevent ldisc drivers from re-using stale tty fields (CVE-2015-8964)
* usb: gadget: f_fs: Fix use-after-free (CVE-2016-7912)
* HID: core: prevent out-of-bound readings (CVE-2016-7915)
* netfilter: nfnetlink: correctly validate length of batch messages
(CVE-2016-7917)
* net: ping: check minimum size on ICMP header length (CVE-2016-8399)
* net: Add __sock_queue_rcv_skb()
* rose,dccp: limit sk_filter trim to payload
* tcp: take care of truncations done by sk_filter() (CVE-2016-8645)
* mpi: Fix NULL ptr dereference in mpi_powm() [ver #3] (CVE-2016-8650)
* packet: fix race condition in packet_set_ring (CVE-2016-8655)
* [x86] Fix potential infoleak in older kernels (CVE-2016-9178)
* sctp: validate chunk len before actually using it (CVE-2016-9555)
* sg_write()/bsg_write() is not fit to be called under KERNEL_DS
(CVE-2016-9576, CVE-2016-10088)
* [x86] KVM: drop error recovery in em_jmp_far and em_ret_far (CVE-2016-9756)
* net: avoid signed overflows for SO_{SND|RCV}BUFFORCE (CVE-2016-9793)
* ALSA: pcm : Call kill_fasync() in stream lock (CVE-2016-9794)
* security,perf: Allow unprivileged use of perf_event_open to be disabled
(sysctl: kernel.perf_event_paranoid=3)
* spi-nor: Add support for n25q256a11 SPI flash device (Closes: #843650)
(thanks to Matt Sickler)
* xen-blkfront: fix accounting of reqs when migrating (Closes: #843715)
[ Julien Cristau ]
* hwrng: Add chaoskey driver, backported from 4.8 (Closes: #839616)
-- Ben Hutchings <email address hidden> Fri, 30 Dec 2016 19:42:20 +0000