Changelog
linux (3.16.7-ckt9-1) unstable; urgency=medium
* New upstream stable update:
http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt8
- usb: core: buffer: smallest buffer should start at ARCH_DMA_MINALIGN
- btrfs: fix leak of path in btrfs_find_item
- tpm_tis: verify interrupt during init
- xfs: ensure buffer types are set correctly
- xfs: inode unlink does not set AGI buffer type
- xfs: set buf types when converting extent formats
- xfs: set superblock buffer type correctly
- [s390*] KVM: avoid memory leaks if __inject_vm() fails
- samsung-laptop: Add use_native_backlight quirk, and enable it on some
models (regression in 3.14)
- staging: comedi: comedi_compat32.c: fix COMEDI_CMD copy back
- nfs: don't call blocking operations while !TASK_RUNNING
- cdc-acm: add sanity checks
- USB: fix use-after-free bug in usb_hcd_unlink_urb()
- iwlwifi: mvm: fix failure path when power_update fails in add_interface
- tty: Prevent untrappable signals from malicious program
- cpufreq: Set cpufreq_cpu_data to NULL before putting kobject
- nfs41: .init_read and .init_write can be called with valid pg_lseg
(regression in 3.15)
- mei: mask interrupt set bit on clean reset bit (regression in
3.16.7-ckt5)
- [s390*] KVM: floating irqs: fix user triggerable endless loop
- cfq-iosched: handle failure of cfq group allocation
- tracing: Fix unmapping loop in tracing_mark_write
- fsnotify: fix handling of renames in audit
- blk-mq: fix double-free in error path
- NFSv4.1: Fix a kfree() of uninitialised pointers in
decode_cb_sequence_args
- mm/hugetlb: pmd_huge() returns true for non-present hugepage
- mm/hugetlb: take page table lock in follow_huge_pmd()
- mm/hugetlb: fix getting refcount 0 page in hugetlb_fault()
- mm/hugetlb: add migration/hwpoisoned entry check in
hugetlb_change_protection
- mm/hugetlb: add migration entry check in __unmap_hugepage_range
- iscsi-target: Drop problematic active_ts_list usage
- mm/memory.c: actually remap enough memory
- mm: hwpoison: drop lru_add_drain_all() in __soft_offline_page()
(regression in 3.11)
- jffs2: fix handling of corrupted summary length
- dm mirror: do not degrade the mirror on discard error
- dm io: reject unsupported DISCARD requests with EOPNOTSUPP
- NFS: struct nfs_commit_info.lock must always point to inode->i_lock
(regression in 3.16.4)
- target: Add missing WRITE_SAME end-of-device sanity check
- target: Check for LBA + sectors wrap-around in sbc_parse_cdb
- Btrfs: fix fsync data loss after adding hard link to inode
- sg: fix read() error reporting
- IB/qib: Do not write EEPROM
- [amd64] EDAC, amd64_edac: Prevent OOPS with >16 memory controllers
(regression in 3.11)
- md/raid5: Fix livelock when array is both resyncing and degraded.
- locking/rtmutex: Avoid a NULL pointer dereference on deadlock
(regression in 3.16)
- time: adjtimex: Validate the ADJ_FREQUENCY values
- ntp: Fixup adjtimex freq validation on 32-bit systems
- dm: fix a race condition in dm_get_md
- dm snapshot: fix a possible invalid memory access on unload
- libceph: fix double __remove_osd() problem
- blk-throttle: check stats_cpu before reading it from sysfs
- debugfs: leave freeing a symlink body until inode eviction
- procfs: fix race between symlink removals and traversals
- autofs4 copy_dev_ioctl(): keep the value of ->size we'd used for
allocation
- clk-gate: fix bit # check in clk_register_gate() (regression in 3.11)
- [powerpc*] kernel: Avoid memory corruption at early stage
(regression in 3.14)
- GFS2: Fix crash during ACL deletion in acl max entry check in
gfs2_set_acl() (regression in 3.14)
- net: llc: use correct size for sysctl timeout entries (CVE-2015-2041)
- net: rds: use correct size for max unacked packets and bytes
(CVE-2015-2042)
- HID: i2c-hid: Limit reads to wMaxInputLength bytes for input events
(regression in 3.16.7-ckt4)
- net: sctp: fix race for one-to-many sockets in sendmsg's auto associate
- ipv6: mld: fix add_grhead skb_over_panic for devs with large MTUs
- IB/core: When marshaling ucma path from user-space, clear unused fields
(regression in 3.14)
- IB/core: Fix deadlock on uverbs modify_qp error flow (regression in 3.14)
- IB/mlx4: Fix wrong usage of IPv4 protocol for multicast attach/detach
(regression in 3.14)
- IB/iser: Use correct dma direction when unmapping SGs
(regression in 3.15)
- staging: comedi: cb_pcidas64: fix incorrect AI range code handling
- target: Fix R_HOLDER bit usage for AllRegistrants
- target: Avoid dropping AllRegistrants reservation during unregister
- target: Allow AllRegistrants to re-RESERVE existing reservation
- target: Allow Write Exclusive non-reservation holders to READ
- vhost/scsi: potential memory corruption
- mm: softdirty: unmapped addresses between VMAs are clean
- proc/pagemap: walk page tables under pte lock
http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt9
- netfilter: nft_compat: fix module refcount underflow
- netfilter: xt_socket: fix a stack corruption bug
- ipvs: add missing ip_vs_pe_put in sync code
- flowcache: Fix kernel panic in flow_cache_flush_task (regression in 3.15)
- tcp: make sure skb is not shared before using skb_get()
(regression in 3.16)
- gen_stats.c: Duplicate xstats buffer for later use
- ematch: Fix auto-loading of ematch modules.
- openvswitch: Fix net exit.
- net: reject creation of netdev names with colons
- macvtap: make sure neighbour code can push ethernet header
- udp: only allow UFO for packets from SOCK_DGRAM sockets
- gpiolib: of: allow of_gpiochip_find_and_xlate to find more than one chip
per node (regression in 3.16.7-ckt6)
- [x86] drm/i915: Check obj->vma_list under the struct_mutex
(regression in 3.15)
- ALSA: hda - Disable runtime PM for Panther Point again
(regression in 3.14)
- nilfs2: fix potential memory overrun on inode
- [armhf] usb: dwc3: dwc3-omap: Fix disable IRQ
- [i386] KVM: emulate: fix CMPXCHG8B on 32-bit hosts
- xhci: Allocate correct amount of scratchpad buffers
- USB: usbfs: don't leak kernel data in siginfo
- efi/libstub: Fix boundary checking in efi_high_alloc()
- USB: serial: fix potential use-after-free after failed probe
- USB: serial: fix tty-device error handling at probe
- staging: comedi: adv_pci1710: fix AI INSN_READ for non-zero channel
- mei: make device disabled on stop unconditionally
- NFSv4: Don't call put_rpccred() under the rcu_read_lock()
- btrfs: fix lost return value due to variable shadowing
- eCryptfs: don't pass fs-specific ioctl commands through
- drm/radeon: fix DRM_IOCTL_RADEON_CS oops
- [armhf] ASoC: omap-pcm: Correct dma mask
- [amd64] x86/asm/entry/64: Remove a bogus 'ret_from_fork' optimization
(CVE-2015-2830)
- Btrfs: fix data loss in the fast fsync path
- Btrfs:__add_inode_ref: out of bounds memory read when looking for
extended ref.
- svcrpc: fix memory leak in gssp_accept_sec_context_upcall
(regression in 3.12)
- SUNRPC: Always manipulate rpc_rqst::rq_bc_pa_list under xprt->bc_pa_lock
(regression in 3.15)
- net: cls_bpf: fix size mismatch on filter preparation
- net: cls_bpf: fix auto generation of per list handles
- qlge: Fix qlge_update_hw_vlan_features to handle if interface is down
(regression in 3.13)
- libsas: Fix Kernel Crash in smp_execute_task
- ALSA: hda - Fix regression of HD-audio controller fallback modes
(regression in 3.11)
- can: add missing initialisations in CAN related skbuffs
- ftrace: Fix en(dis)able graph caller when en(dis)abling record via sysctl
- ftrace: Fix ftrace enable ordering of sysctl ftrace_enabled
- [armhf] imx6qdl-sabresd: set swbst_reg as vbus's parent reg
- [armhf] imx6sl-evk: set swbst_reg as vbus's parent reg
- xen-pciback: limit guest control of command register (CVE-2015-2150)
- drm/vmwgfx: Reorder device takedown somewhat
- ALSA: control: Add sanity checks for user ctl id name string
- Revert "i2c: core: Dispose OF IRQ mapping at client removal time"
(regression in 3.16.7-ckt2)
- nilfs2: fix deadlock of segment constructor during recovery
(regression in 3.16.7-ckt7)
- clk: divider: fix calculation of maximal parent rate for a given divider
(regression in 3.15)
- [sparc*] Fix several bugs in memmove().
- net: sysctl_net_core: check SNDBUF and RCVBUF for min length
- inet_diag: fix possible overflow in inet_diag_dump_one_icsk()
- caif: fix MSG_OOB test in caif_seqpkt_recvmsg()
- rxrpc: bogus MSG_PEEK test in rxrpc_recvmsg()
- tcp: fix tcp fin memory accounting
- net: compat: Update get_compat_msghdr() to match copy_msghdr_from_user()
behaviour (regression in 3.13)
- tcp: make connect() mem charging friendly
[ Ian Campbell ]
* Initialise framebuffer console earlier. (Closes: #779935)
* [xen] Enable Xen MCE log support. (Closes: #779698)
* [armhf] mvebu: do not register custom DMA operations when coherency is
disabled (Closes: #780858)
* [armhf] Enable power control on various sunxi platforms, enable MFD_AXP20X
and REGULATOR_AXP20X and adding the necessary DTB nodes. (Closes: #781576)
[ Ben Hutchings ]
* [armel/kirkwood] linux-image: Add versioned Breaks against flash-kernel,
to ensure that an FDT is appended to the image if needed (Closes: #781193)
* Revert "quota: Store maximum space limit in bytes" to avoid ABI change
* IB/core: Prevent integer overflow in ib_umem_get address arithmetic
(CVE-2014-8159)
* Btrfs: make xattr replace operations atomic (CVE-2014-9710)
* ext4: fix ZERO_RANGE bug hidden by flag aliasing
* ext4: fix accidental flag aliasing in ext4_map_blocks flags
* ext4: allocate entire range in zero range (CVE-2015-0275)
* [x86] microcode/intel: Guard against stack overflow in the loader
(CVE-2015-2666)
* ipv6: Don't reduce hop limit for an interface (CVE-2015-2922)
* [powerpc/powerpc64,ppc64] Disable THERM_PM72 and enable its replacements
WINDFARM_PM72 and WINDFARM_RM31 as modules. Update the udeb config
accordingly. Thanks to Milan Kupcevic. (Closes: #781934)
* psmouse: Add support for FocalTech touchpads, thanks to Rafal Ramocki
(Closes: #780971)
* [x86] drm/i915: Add limited color range readout for HDMI/DP ports on
g4x/vlv/chv (Closes: #775217)
* HID: thingm: fix workqueue race on remove (Closes: #780055)
* [x86] Disable X86_VERBOSE_BOOTUP (Closes: #781953)
* eMMC: Don't initialize partitions on RPMB flagged areas (Closes: #782038)
* [x86] powercap / RAPL: change domain detection message (Closes: #781418)
* procfs: Avoid ABI change in 3.16.7-ckt8
* [powerpc/powerpc] udeb: Add fb-modules package containing radeonfb driver
(Closes: #782058)
-- Ben Hutchings <email address hidden> Wed, 08 Apr 2015 01:03:08 +0100