Basic search

K
oraclelinuxOracleLinuxELSA-2019-3517
HistoryNov 14, 2019 - 12:00 a.m.

kernel security, bug fix, and enhancement update

2019-11-1400:00:00
linux.oracle.com
22

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

8.3 High

CVSS2

Access Vector

ADJACENT_NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:A/AC:L/Au:N/C:C/I:C/A:C

[4.18.0-147.OL8]

  • Oracle Linux certificates (Alexey Petrenko)
  • Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]
  • Update x509.genkey [Orabug: 24817676]
    [4.18.0-147]
  • [x86] perf/x86/intel: Fix spurious NMI on fixed counter (Michael Petlan) [1755110]
  • [x86] perf/x86/intel: Fix race in intel_pmu_disable_event() (Michael Petlan) [1755110]
  • [netdrv] drivers: tap.c: fix wrong backport causing WARN_ON_ONCE(1) in skb_flow_dissect() (Davide Caratti) [1750711]
  • [virt] KVM: coalesced_mmio: add bounds checking (Bandan Das) [1746804] {CVE-2019-14821}
    [4.18.0-146]
  • [fs] gfs2: clear buf_in_tr when ending a transaction in sweep_bh_for_rgrps (Robert S Peterson) [1750939]
  • [s390] kvm: s390: kvm_s390_vm_start_migration: check dirty_bitmap before using it as target for memset() (Thomas Huth) [1753260]
  • [fs] cifs: fix credits leak for SMB1 oplock breaks (Leif Sahlberg) [1752243]
    [4.18.0-145]
  • [iommu] iommu/amd: Add support for X2APIC IOMMU interrupts (Suravee Suthikulpanit) [1734842]
  • [vhost] vhost: make sure log_num < in_num (Eugenio Perez) [1750882] {CVE-2019-14835}
    [4.18.0-144]
  • [md] Revert ‘[md] dm: eliminate ‘split_discard_bios’ flag from DM target interface’ (Mike Snitzer) [1749929]
  • [md] Revert ‘[md] dm: make sure to obey max_io_len_target_boundary’ (Mike Snitzer) [1749929]
  • [pci] PCI: Restore Resizable BAR size bits correctly for 1MB BARs (Myron Stowe) [1717760]
  • [net] netfilter: nft_fib_netdev: Terminate rule eval if protocol=IPv6 and ipv6 module is disabled (Phil Sutter) [1743945]
  • [net] netfilter: bridge: Drops IPv6 packets if IPv6 module is not loaded (Phil Sutter) [1743945]
  • [drm] drm/qxl: get vga ioports (Gerd Hoffmann) [1728936]
  • [drm] drm/i915: Call dma_set_max_seg_size() in i915_driver_hw_probe() (Lyude Paul) [1724363]
    [4.18.0-143]
  • [net] netfilter: nft_set: fix allocation size overflow in privsize callback. (Florian Westphal) [1746338]
  • [net] net: route dump netlink NLM_F_MULTI flag missing (Stefano Brivio) [1745971]
  • [net] sched: pfifo_fast: fix wrong dereference in pfifo_fast_enqueue (Davide Caratti) [1745390]
  • [net] sched: pfifo_fast: fix wrong dereference when qdisc is reset (Davide Caratti) [1745387]
  • [scsi] scsi: vmw_pscsi: Fix use-after-free in pvscsi_queue_lck() (David Milburn) [1746597]
    [4.18.0-142]
  • [drm] drm/virtio: use virtio_max_dma_size (Gerd Hoffmann) [1739291]
  • [mm] hwpoison, memory_hotplug: allow hwpoisoned pages to be offlined (Rafael Aquini) [1706088]
  • [powerpc] kvm: ppc: book3s: Enable XIVE native capability only if OPAL has required functions [BZ1744884] (David Gibson) [1744884]
  • [scsi] scsi: lpfc: Fix oops when fewer hdwqs than cpus (Dick Kennedy) [1745731]
  • [scsi] scsi: lpfc: Limit xri count for kdump environment (Dick Kennedy) [1745731]
  • [scsi] scsi: lpfc: Mitigate high memory pre-allocation by SCSI-MQ (Dick Kennedy) [1745731]
  • [scsi] scsi: qla2xxx: Fix hardirq-unsafe locking (Himanshu Madhani) [1719941]
  • [x86] Revert ‘[x86] x86/kexec/64: Prevent kexec from 5-level paging to a 4-level only kernel’ (Baoquan He) [1669088]
  • [x86] Revert ‘[x86] x86/boot: Add xloadflags bits to check for 5-level paging support’ (Baoquan He) [1669088]
    [4.18.0-141]
  • [wireless] mwifiex: fix 802.11n/WPA detection (Jarod Wilson) [1714476] {CVE-2019-3846}
    [4.18.0-140]
  • [x86] x86/kdump: Reserve extra memory when SME or SEV is active (Kairui Song) [1728519]
  • [scsi] scsi: qla2xxx: Fix hardlockup in abort command during driver remove (Himanshu Madhani) [1690041]
  • [scsi] qla2xxx: Update driver version to 10.01.00.15.08.1-k1 (Himanshu Madhani) [1690041]
  • [scsi] scsi: qla2xxx: Fix panic from use after free in qla2x00_async_tm_cmd (Himanshu Madhani) [1690041]
  • [scsi] scsi: qla2xxx: cleanup trace buffer initialization (Himanshu Madhani) [1690041]
  • [scsi] scsi: qla2xxx: qla2x00_alloc_fw_dump: set ha->eft (Himanshu Madhani) [1690041]
  • [scsi] scsi: qla2xxx: Use mutex protection during qla2x00_sysfs_read_fw_dump() (Himanshu Madhani) [1690041]
  • [scsi] scsi: qla2xxx: move IO flush to the front of NVME rport unregistration (Himanshu Madhani) [1690041]
  • [scsi] scsi: qla2xxx: Fix NVME cmd and LS cmd timeout race condition (Himanshu Madhani) [1690041]
  • [scsi] scsi: qla2xxx: Complain loudly about reference count underflow (Himanshu Madhani) [1690041]
  • [scsi] scsi: qla2xxx: Fix race conditions in the code for aborting SCSI commands (Himanshu Madhani) [1690041]
  • [scsi] scsi: qla2xxx: Use an on-stack completion in qla24xx_control_vp() (Himanshu Madhani) [1690041]
  • [scsi] scsi: qla2xxx: Change abort wait_loop from msleep to wait_event_timeout (Himanshu Madhani) [1690041]
  • [scsi] scsi: qla2xxx: Set the SCSI command result before calling the command done (Himanshu Madhani) [1690041]
  • [scsi] scsi: qla2xxx: on session delete, return nvme cmd (Himanshu Madhani) [1690041]
  • [scsi] scsi: qla2xxx: Fix kernel crash after disconnecting NVMe devices (Himanshu Madhani) [1690041]
  • [scsi] scsi: qla2xxx: Remove the fcport test from qla_nvme_abort_work() (Himanshu Madhani) [1690041]
  • [scsi] scsi: qla2xxx: Fix driver unload when FC-NVMe LUNs are connected (Himanshu Madhani) [1690041]
  • [scsi] scsi: qla2xxx: Set remote port devloss timeout to 0 (Himanshu Madhani) [1690041]
  • [scsi] scsi: qla2xxx: Fix panic in qla_dfs_tgt_counters_show (Himanshu Madhani) [1690041]
  • [scsi] scsi: qla2xxx: Fix fw dump corruption (Himanshu Madhani) [1690041]
  • [x86] kvm: disable nested virt on pre-haswell processors (Paolo Bonzini) [1739739]
  • [x86] kvm: taint kernel for tech-preview when using nested virtualization (Paolo Bonzini) [1739739]
  • [x86] kvm: x86: hyper-v: dont crash on KVM_GET_SUPPORTED_HV_CPUID when kvm_intel.nested is disabled (Vitaly Kuznetsov) [1746100]
    [4.18.0-139]
  • [char] ipmi: move message error checking to avoid deadlock (Tony Camuso) [1731388 1718699]
  • [crypto] crypto: testmgr - mark crc32 checksum as FIPS allowed (Neil Horman) [1738887]
  • [include] dma-mapping: use dma_get_mask in dma_addressing_limited (Don Dutile) [1738631]
  • [kernel] dma-direct: correct the physical addr in dma_direct_sync_sg_for_cpu/device (Don Dutile) [1738631]
  • [kernel] dma-direct: only limit the mapping size if swiotlb could be used (Don Dutile) [1738631]
  • [include] dma-mapping: add a dma_addressing_limited helper (Don Dutile) [1738631]
  • [kernel] dma-direct: Force unencrypted DMA under SME for certain DMA masks (Don Dutile) [1738631]
  • [lib] lib/genalloc: introduce chunk owners (Don Dutile) [1738631]
  • [lib] lib/genalloc: add gen_pool_dma_zalloc() for zeroed DMA allocations (Don Dutile) [1738631]
  • [lib] lib/genalloc.c: fix allocation of aligned buffer from non-aligned chunk (Don Dutile) [1738631]
  • [include] dma-mapping: remove dma_max_pfn (Don Dutile) [1738631]
  • [mmc] mmc: core: let the dma map ops handle bouncing (Don Dutile) [1738631]
  • [mmc] mmc: core: align max segment size with logical block size (Don Dutile) [1738631]
  • [kernel] swiotlb: no need to check return value of debugfs_create functions (Don Dutile) [1738631]
  • [xen] swiotlb: fix phys_addr_t overflow warning (Don Dutile) [1738631]
  • [kernel] swiotlb: Return consistent SWIOTLB segments/nr_tbl (Don Dutile) [1738631]
  • [kernel] swiotlb: Group identical cleanup in swiotlb_cleanup() (Don Dutile) [1738631]
  • [kernel] swiotlb: save io_tlb_used to local variable before leaving critical section (Don Dutile) [1738631]
  • [kernel] swiotlb: dump used and total slots when swiotlb buffer is full (Don Dutile) [1738631]
  • [kernel] swiotlb: add checks for the return value of memblock_alloc*() (Don Dutile) [1738631]
  • [kernel] swiotlb: add debugfs to track swiotlb buffer usage (Don Dutile) [1738631]
  • [kernel] dma-direct: fix DMA_ATTR_NO_KERNEL_MAPPING (Don Dutile) [1738631]
  • [kernel] dma-direct: handle DMA_ATTR_NO_KERNEL_MAPPING in common code (Don Dutile) [1738631]
  • [kernel] dma-direct: fix DMA_ATTR_NO_KERNEL_MAPPING for remapped allocations (Don Dutile) [1738631]
  • [kernel] dma-mapping: remove a pointless memset in dma_atomic_pool_init (Don Dutile) [1738631]
  • [kernel] dma-mapping: fix lack of DMA address assignment in generic remap allocator (Don Dutile) [1738631]
  • [kernel] dma-remap: support DMA_ATTR_NO_KERNEL_MAPPING (Don Dutile) [1738631]
  • [kernel] dma-mapping: support highmem in the generic remap allocator (Don Dutile) [1738631]
  • [kernel] dma-direct: handle DMA_ATTR_NON_CONSISTENT in common code (Don Dutile) [1738631]
  • [kernel] dma-mapping: add a dma_alloc_need_uncached helper (Don Dutile) [1738631]
  • [kernel] dma-mapping: truncate dma masks to what dma_addr_t can hold (Don Dutile) [1738631]
  • [kernel] dma-remap: Avoid de-referencing NULL atomic_pool (Don Dutile) [1738631]
  • [include] dma-buf: add DMA_BUF_SET_NAME ioctls (Don Dutile) [1738631]
  • [include] dma-buf: give each buffer a full-fledged inode (Don Dutile) [1738631]
  • [fs] new wrapper: alloc_file_pseudo() (Don Dutile) [1738631]
  • [kernel] dma-direct: provide generic support for uncached kernel segments (Don Dutile) [1738631]
  • [include] dma-contiguous: fix !CONFIG_DMA_CMA version of dma_{alloc, free}_contiguous() (Don Dutile) [1738631]
  • [kernel] dma-contiguous: use fallback alloc_pages for single pages (Don Dutile) [1738631]
  • [kernel] dma-contiguous: add dma_{alloc,free}_contiguous() helpers (Don Dutile) [1738631]
  • [iommu] iommu/dma: Fix condition check in iommu_dma_unmap_sg (Don Dutile) [1738631]
  • [iommu] iommu/dma: move the arm64 wrappers to common code (Don Dutile) [1738631]
  • [iommu] iommu/dma-iommu.c: convert to use vm_map_pages() (Don Dutile) [1738631]
  • [mm] mm: introduce new vm_map_pages() and vm_map_pages_zero() API (Don Dutile) [1738631]
  • [mm] arm64/iommu: handle non-remapped addresses in ->mmap and ->get_sgtable (Don Dutile) [1738631]
  • [arm64] arm64/mm: wire up CONFIG_ARCH_HAS_SET_DIRECT_MAP (Don Dutile) [1738631]
  • [kernel] mm/hibernation: Make hibernation handle unmapped pages (Don Dutile) [1738631]
  • [mm] page_poison: play nicely with KASAN (Don Dutile) [1738631]
  • [mm] mm/vmalloc: Avoid rare case of flushing TLB with weird arguments (Don Dutile) [1738631]
  • [mm] mm/vmalloc: Fix calculation of direct map addr range (Don Dutile) [1738631]
  • [mm] mm/vmalloc: Add flag for freeing of special permsissions (Don Dutile) [1738631]
  • [x86] x86/mm/cpa: Add set_direct_map_*() functions (Don Dutile) [1738631]
  • [arm64] dma-mapping: add a kconfig symbol for arch_setup_dma_ops availability (Don Dutile) [1738631]
  • [iommu] iommu/dma: Remove the flush_page callback (Don Dutile) [1738631]
  • [include] iommu/dma: Cleanup dma-iommu.h (Don Dutile) [1738631]
  • [dma] dmaengine: Add matching device node validation in __dma_request_channel() (Don Dutile) [1738631]
  • [dma] dmaengine: dma_request_chan_by_mask() to handle deferred probing (Don Dutile) [1738631]
  • [include] dma-buf: start caching of sg_table objects v2 (Don Dutile) [1738631]
  • [kernel] dma-mapping: add a Kconfig symbol to indicate arch_dma_prep_coherent presence (Don Dutile) [1738631]
  • [iommu] iommu/dma-iommu: Remove iommu_dma_map_msi_msg() (Don Dutile) [1738631]
  • [irqchip] irqchip/ls-scfg-msi: Dont map the MSI page in ls_scfg_msi_compose_msg() (Don Dutile) [1738631]
  • [irqchip] irqchip/gic-v3-mbi: Dont map the MSI page in mbi_compose_m{b, s}i_msg() (Don Dutile) [1738631]
  • [irqchip] irqchip/gicv2m: Dont map the MSI page in gicv2m_compose_msi_msg() (Don Dutile) [1738631]
  • [irqchip] irqchip/gic-v3-its: Dont map the MSI page in its_irq_compose_msi_msg() (Don Dutile) [1738631]
  • [irqchip] irqchip/gic-v3-its: Align PCI Multi-MSI allocation on their size (Don Dutile) [1738631]
  • [iommu] iommu/dma-iommu: Split iommu_dma_map_msi_msg() in two parts (Don Dutile) [1738631]
  • [iommu] iommu/dma: Remove unused variable (Don Dutile) [1738631]
  • [iommu] iommu/dma: Use NUMA aware memory allocations in __iommu_dma_alloc_pages() (Don Dutile) [1738631]
  • [kernel] genirq/msi: Add a new field in msi_desc to store an IOMMU cookie (Don Dutile) [1738631]
  • [pci] PCI/MSI: Remove unused mask_msi_irq() and unmask_msi_irq() (Don Dutile) [1738631]
  • [include] PCI/MSI: Remove unused __write_msi_msg() and write_msi_msg() (Don Dutile) [1738631]
  • [include] genirq/msi: Clean up usage of __u8/__u16 types (Don Dutile) [1738631]
  • [base] platform-msi: Free descriptors in platform_msi_domain_free() (Don Dutile) [1738631]
  • [base] genirq/msi: Allow creation of a tree-based irqdomain for platform-msi (Don Dutile) [1738631]
  • [kernel] dma-debug: only skip one stackframe entry (Don Dutile) [1738631]
  • [dma] dmaengine: idma64: Move driver name to the header (Don Dutile) [1738631]
  • [kernel] dma-mapping: remove an unnecessary NULL check (Don Dutile) [1738631]
  • [include] dma-buf: Update [un]map documentation to match the other functions (Don Dutile) [1738631]
  • [include] dma-buf: Remove leftover [un]map_atomic comments (Don Dutile) [1738631]
  • [x86] x86/dma: Remove the x86_dma_fallback_dev hack (Don Dutile) [1738631]
  • [kernel] dma-mapping: remove leftover NULL device support (Don Dutile) [1738631]
  • [kernel] dma: select GENERIC_ALLOCATOR for DMA_REMAP (Don Dutile) [1738631]
  • [crypto] crypto: ccp - Ignore unconfigured CCP device on suspend/resume (Gary Hook) [1743999]
  • [md] dm snapshot: fix oversights in optional discard support (Mike Snitzer) [1744291]
  • [md] dm snapshot: add optional discard support features (Mike Snitzer) [1744291]
  • [md] dm snapshot: Use fine-grained locking scheme (Mike Snitzer) [1744291]
  • [md] dm snapshot: Make exception tables scalable (Mike Snitzer) [1744291]
  • [md] dm snapshot: Replace mutex with rw semaphore (Mike Snitzer) [1744291]
  • [md] dm snapshot: Dont sleep holding the snapshot lock (Mike Snitzer) [1744291]
  • [include] list_bl: Add hlist_bl_add_before/behind helpers (Mike Snitzer) [1744291]
  • [powerpc] powerpc/rtas: use device model APIs and serialization during LPM (Steve Best) [1741643]
  • [firmware] firmware/efi: Add NULL pointer checks in efivars API functions (Jarod Wilson) [1741949]
  • [fs] ovl: fix wrong flags check in FS_IOC_FS[SG]ETXATTR ioctls (Miklos Szeredi) [1724518]
  • [include] mm: page_cache_add_speculative(): refactor out some code duplication (Michael Petlan) [1738331]
  • [netdrv] ibmvnic: Unmap DMA address of TX descriptor buffers after use (Steve Best) [1743155]
  • [fs] NFSv4.1 dont free interrupted slot on open (Steve Dickson) [1708345]
  • [fs] NFSv4.1: Avoid false retries when RPC calls are interrupted (Steve Dickson) [1708345]
  • [net] ipv6: Fix return value of ipv6_mc_may_pull() for malformed packets (Stefano Brivio) [1743203]
  • [net] inet: frags: re-introduce skb coalescing for local delivery (Guillaume Nault) [1719418]
    [4.18.0-138]
  • [net] xfrm: fix sa selector validation (Sabrina Dubroca) [1738871]
  • [net] xfrm: Fix xfrm sel prefix length validation (Sabrina Dubroca) [1738871]
  • [kernel] locking/rwsem: Prevent decrement of reader count before increment (Waiman Long) [1740338]
  • [include] include/list: Backport list_cut_before() (Waiman Long) [1740338]
  • [vhost] vhost: vsock: add weight support (Jason Wang) [1738494]
  • [vhost] vhost_net: fix possible infinite loop (Jason Wang) [1738494]
  • [vhost] vhost: introduce vhost_exceeds_weight() (Jason Wang) [1738494]
  • [vhost] vhost: reject zero size iova range (Jason Wang) [1738494]
  • [vhost] vhost: silence an unused-variable warning (Jason Wang) [1738494]
  • [vhost] vhost: correctly check the return value of translate_desc() in log_used() (Jason Wang) [1738494]
  • [vhost] vhost: return EINVAL if iovecs size does not match the message size (Jason Wang) [1738494]
  • [vhost] Revert ‘net: vhost: lock the vqs one by one’ (Jason Wang) [1738494]
  • [vhost] vhost_net: switch to use mutex_trylock() in vhost_net_busy_poll() (Jason Wang) [1738494]
  • [vhost] vhost: make sure used idx is seen before log in vhost_add_used_n() (Jason Wang) [1738494]
  • [vhost] vhost: fix IOTLB locking (Jason Wang) [1738494]
  • [netdrv] tun: wake up waitqueues after IFF_UP is set (Jason Wang) [1738494]
  • [netdrv] tuntap: synchronize through tfiles array instead of tun->numqueues (Jason Wang) [1738494]
  • [netdrv] tuntap: fix dividing by zero in ebpf queue selection (Jason Wang) [1738494]
  • [netdrv] tun: Remove unused first parameter of tun_get_iff() (Jason Wang) [1738494]
  • [netdrv] tun: Add ioctl() TUNGETDEVNETNS cmd to allow obtaining real net ns of tun device (Jason Wang) [1738494]
  • [netdrv] tun: add a missing rcu_read_unlock() in error path (Jason Wang) [1738494]
  • [netdrv] tun: properly test for IFF_UP (Jason Wang) [1738494]
  • [netdrv] tun: remove unnecessary memory barrier (Jason Wang) [1738494]
  • [netdrv] tun: fix blocking read (Jason Wang) [1738494]
  • [netdrv] tun: move the call to tun_set_real_num_queues (Jason Wang) [1738494]
  • [netdrv] tun: publish tfile after its fully initialized (Jason Wang) [1738494]
  • [netdrv] tun: replace get_cpu_ptr with this_cpu_ptr when bh disabled (Jason Wang) [1738494]
  • [netdrv] tun: remove skb access after netif_receive_skb (Jason Wang) [1738494]
  • [netdrv] tun: remove unnecessary check in tun_flow_update (Jason Wang) [1738494]
  • [netdrv] tuntap: fix multiqueue rx (Jason Wang) [1738494]
  • [netdrv] tun: Adjust on-stack tun_page initialization. (Jason Wang) [1738494]
  • [netdrv] tuntap: free XDP dropped packets in a batch (Jason Wang) [1738494]
  • [vhost] vhost_net: mitigate page reference counting during page frag refill (Jason Wang) [1738494]
  • [vhost] net: vhost: remove bad code line (Jason Wang) [1738494]
  • [vhost] net: vhost: add rx busy polling in tx path (Jason Wang) [1738494]
  • [vhost] net: vhost: factor out busy polling logic to vhost_net_busy_poll() (Jason Wang) [1738494]
  • [vhost] net: vhost: replace magic number of lock annotation (Jason Wang) [1738494]
  • [vhost] net: vhost: lock the vqs one by one (Jason Wang) [1738494]
  • [vhost] vhost_net: add a missing error return (Jason Wang) [1738494]
  • [netdrv] net: tun: remove useless codes of tun_automq_select_queue (Jason Wang) [1738494]
  • [vhost] vhost_net: batch submitting XDP buffers to underlayer sockets (Jason Wang) [1738494]
  • [netdrv] tap: accept an array of XDP buffs through sendmsg() (Jason Wang) [1738494]
  • [netdrv] tuntap: accept an array of XDP buffs through sendmsg() (Jason Wang) [1738494]
  • [netdrv] tun: switch to new type of msg_control (Jason Wang) [1738494]
  • [netdrv] tuntap: move XDP flushing out of tun_do_xdp() (Jason Wang) [1738494]
  • [netdrv] tuntap: split out XDP logic (Jason Wang) [1738494]
  • [netdrv] tuntap: tweak on the path of skb XDP case in tun_build_skb() (Jason Wang) [1738494]
  • [netdrv] tuntap: simplify error handling in tun_build_skb() (Jason Wang) [1738494]
  • [netdrv] tuntap: enable bh early during processing XDP (Jason Wang) [1738494]
  • [netdrv] tuntap: switch to use XDP_PACKET_HEADROOM (Jason Wang) [1738494]
  • [netdrv] net: sock: introduce SOCK_XDP (Jason Wang) [1738494]
  • [vhost] vhost: correctly check the iova range when waking virtqueue (Jason Wang) [1738494]
  • [vhost] vhost: switch to use new message format (Jason Wang) [1738494]
  • [vhost] vhost_net: batch update used ring for datacopy TX (Jason Wang) [1738494]
  • [vhost] vhost_net: rename VHOST_RX_BATCH to VHOST_NET_BATCH (Jason Wang) [1738494]
  • [vhost] vhost_net: rename vhost_rx_signal_used() to vhost_net_signal_used() (Jason Wang) [1738494]
  • [vhost] vhost_net: split out datacopy logic (Jason Wang) [1738494]
  • [vhost] vhost_net: introduce tx_can_batch() (Jason Wang) [1738494]
  • [vhost] vhost_net: introduce get_tx_bufs() (Jason Wang) [1738494]
  • [vhost] vhost_net: introduce vhost_exceeds_weight() (Jason Wang) [1738494]
  • [vhost] vhost_net: introduce helper to initialize tx iov iter (Jason Wang) [1738494]
  • [vhost] vhost_net: drop unnecessary parameter (Jason Wang) [1738494]
  • [vhost] vhost_net: Avoid rx vring kicks during busyloop (Jason Wang) [1738494]
  • [vhost] vhost_net: Avoid rx queue wake-ups during busypoll (Jason Wang) [1738494]
  • [vhost] vhost_net: Avoid tx vring kicks during busyloop (Jason Wang) [1738494]
  • [vhost] vhost_net: Rename local variables in vhost_net_rx_peek_head_len (Jason Wang) [1738494]
  • [mm] x86/mm/fault: Allow stack access below rsp (Waiman Long) [1739341]
  • [mm] x86/mm: Clarify hardware vs. software ‘error_code’ (Waiman Long) [1739341]
  • [net] libceph: handle an empty authorize reply (Ilya Dryomov) [1720582]
    [4.18.0-137]
  • [drm] drm: Dont retry infinitely when receiving no data on i2c over AUX (Lyude Paul) [1672361]
  • [scsi] scsi: hpsa: update revision to RH3 (Joseph Szczypek) [1739615]
  • [scsi] scsi: hpsa: remove printing internal cdb on tag collision (Joseph Szczypek) [1739615]
  • [scsi] scsi: hpsa: correct scsi command status issue after reset (Joseph Szczypek) [1739615]
  • [scsi] hpsa: docs: fix broken doc references due to renames (Joseph Szczypek) [1739615]
  • [scsi] hpsa: docs: pci: fix broken links due to conversion from pci.txt to pci.rst (Joseph Szczypek) [1739615]
    [4.18.0-136]
  • [drm] drm/nouveau: Only recalculate PBN/VCPI on mode/connector changes (Lyude Paul) [1734452 1734444]
  • [drm] drm/nouveau: Only release VCPI slots on mode changes (Lyude Paul) [1734452 1734444]
  • [infiniband] RDMA/srp: turn off ‘use_imm_data’ by default (Honggang Li) [1725158]
  • [gpu] vga_switcheroo: Fix missing gpu_bound call at audio client registration (Lyude Paul) [1739727]
  • [net] Bluetooth: Fix faulty expression for minimum encryption key size check (Gopal Tiwari) [1743076] {CVE-2019-9506}
  • [net] Bluetooth: Fix regression with minimum encryption key size alignment (Gopal Tiwari) [1743076] {CVE-2019-9506}
  • [net] Bluetooth: Align minimum encryption key size for LE and BR/EDR connections (Gopal Tiwari) [1743076] {CVE-2019-9506}
    [4.18.0-135]
  • [rpmspec] perf: package tips.txt (Michael Petlan) [1663816]
  • [mm] mm/memblock.c: skip kmemleak for kasan_init() (Mark Langsdorf) [1722741]
  • [kernel] mm/resource: Return real error codes from walk failures (Kairui Song) [1740443]
  • [tools] perf tests: Fix record+probe_libc_inet_pton.sh for powerpc64 (Michael Petlan) [1733231]
  • [tools] selftests/powerpc: Fix Makefiles for headers_install change (Steve Best) [1740127]
  • [tools] selftests/powerpc: Add more version checks to alignment_handler test (Steve Best) [1740127]
  • [tools] selftests/powerpc: Skip earlier in alignment_handler test (Steve Best) [1740127]
  • [tools] selftests/powerpc: Consolidate copy/paste test logic (Steve Best) [1740127]
  • [s390] s390/bpf: use 32-bit index for tail calls (Yauheni Kaliuta) [1719377]
  • [s390] s390/bpf: fix lcgr instruction encoding (Yauheni Kaliuta) [1719377]
  • [tools] selftests/bpf: fix ‘alu with different scalars 1’ on s390 (Yauheni Kaliuta) [1719377]
  • [net] bpf: fix use after free in bpf_evict_inode (Yauheni Kaliuta) [1719377]
  • [arm64] bpf, arm64: remove prefetch insn in xadd mapping (Yauheni Kaliuta) [1719377]
  • [scsi] scsi: lpfc: Fix crash when cpu count is 1 and null irq affinity mask (Dick Kennedy) [1720905]
  • [md] md: add bitmap_abort label in md_run (Nigel Croxon) [1721944]
  • [md] md-bitmap: create and destroy wb_info_pool with the change of bitmap (Nigel Croxon) [1721944]
  • [md] md-bitmap: create and destroy wb_info_pool with the change of backlog (Nigel Croxon) [1721944]
  • [md] md: introduce mddev_create/destroy_wb_pool for the change of member device (Nigel Croxon) [1721944]
  • [md] md/raid1: fix potential data inconsistency issue with write behind device (Nigel Croxon) [1721944]
  • [md] md: fix for divide error in status_resync (Nigel Croxon) [1721944]
  • [md] md/raid10: read balance chooses idlest disk for SSD (Nigel Croxon) [1721944]
  • [md] md: raid1-10: Unify r{1,10}bio_pool_free (Nigel Croxon) [1721944]
  • [md] md: raid10: Use struct_size() in kmalloc() (Nigel Croxon) [1721944]
  • [md] md/raid1: get rid of extra blank line and space (Nigel Croxon) [1721944]
  • [md] md: fix spelling typo and add necessary space (Nigel Croxon) [1721944]
  • [md] md: md.c: Return -ENODEV when mddev is NULL in rdev_attr_show (Nigel Croxon) [1721944]
  • [md] raid5-cache: Need to do start() part job after adding journal device (Nigel Croxon) [1721944]
  • [md] drivers: md: Unify common definitions of raid1 and raid10 (Nigel Croxon) [1721944]
  • [kernel] userfaultfd: use RCU to free the task struct when fork fails (Andrea Arcangeli) [1718498]
    [4.18.0-134]
  • [efi] efi/arm: Revert ‘Defer persistent reservations until after paging_init()’ (Mark Salter) [1699961]
  • [s390] s390/ipl: Fix detection of has_secure attribute (Philipp Rudo) [1740653]
  • [fs] xfs: dont crash on null attr fork xfs_bmapi_read (Bill ODonnell) [1719094]
  • [powerpc] powerpc/mm: Dont report PUDs as memory leaks when using kmemleak (Desnes Augusto Nunes do Rosario) [1716952]
  • [x86] kvm: x86: introduce is_pae_paging (Vitaly Kuznetsov) [1720556]
  • [s390] s390/kasan: Fix recursion loop when triggering kdump (Philipp Rudo) [1740249]
  • [s390] s390/dasd: fix endless loop after read unit address configuration (Philipp Rudo) [1740251]
  • [tools] selftests/powerpc: Give some tests longer to run (Steve Best) [1740420]
  • [nvme] nvme-rdma: use dynamic dma mapping per command (David Milburn) [1738252]
  • [nvme] nvme-rdma: remove redundant reference between ib_device and tagset (David Milburn) [1738252]
  • [x86] kvm: svm/avic: Do not send AVIC doorbell to self (Janakarajan Natarajan) [1720981]
  • [net] tipc: initialise addr_trial_end when setting node addresses (Jon Maloy) [1740317]
  • [net] tipc: ensure head->lock is initialised (Jon Maloy) [1740317]
  • [net] netfilter: nf_tables: fix oops during rule dump (Stefano Brivio) [1739734]
  • [include] netfilter: nf_tables: correct NFT_LOGLEVEL_MAX value (Stefano Brivio) [1739734]
  • [net] netfilter: nft_compat: do not dump private area (Stefano Brivio) [1739734]
  • [net] netfilter: nf_tables: fix register ordering (Stefano Brivio) [1739734]
  • [net] ipvs: defer hook registration to avoid leaks (Stefano Brivio) [1739734]
  • [net] ipvs: Fix use-after-free in ip_vs_in (Stefano Brivio) [1739734]
  • [net] netfilter: nf_conntrack_h323: restore boundary check correctness (Stefano Brivio) [1739734]
  • [net] netfilter: fix nf_l4proto_log_invalid to log invalid packets (Stefano Brivio) [1739734]
  • [net] netfilter: nf_tables: prevent shift wrap in nft_chain_parse_hook() (Stefano Brivio) [1739734]
  • [net] netfilter: nft_set_rbtree: check for inactive element after flag mismatch (Stefano Brivio) [1739734]
  • [net] netfilter: nft_compat: use-after-free when deleting targets (Stefano Brivio) [1739734]
  • [net] netfilter: nf_tables: fix leaking object reference count (Stefano Brivio) [1739734]
  • [net] ip6_gre: reload ipv6h in prepare_ip6gre_xmit_ipv6 (Stefano Brivio) [1739640]
  • [net] ipv6: Unlink sibling route in case of failure (Stefano Brivio) [1739640]
  • [net] ipv6: Default fib6_type to RTN_UNICAST when not set (Stefano Brivio) [1739640]
  • [net] inet: frags: call inet_frags_fini() after unregister_pernet_subsys() (Stefano Brivio) [1739640]
  • [net] ipv6: flowlabel: fl6_sock_lookup() must use atomic_inc_not_zero (Stefano Brivio) [1739640]
  • [net] netfilter: ipset: Fix rename concurrency with listing (Stefano Brivio) [1739578]
  • [net] netfilter: ipset: Fix error path in set_target_v3_checkentry() (Stefano Brivio) [1739578]
  • [net] netfilter: ipset: Fix the last missing check of nla_parse_deprecated() (Stefano Brivio) [1739578]
  • [net] netfilter: ipset: fix a missing check of nla_parse (Stefano Brivio) [1739578]
  • [netdrv] ipvlan, l3mdev: fix broken l3s mode wrt local routes (Guillaume Nault) [1738329]
  • [net] sched: use temporary variable for actions indexes (Marcelo Leitner) [1739244 1729822 1729818 1729398]
  • [net] sched: cbs: Fix error path of cbs_module_init (Marcelo Leitner) [1739244 1729822 1729818 1729398]
  • [net] netem: fix use after free and double free with packet corruption (Marcelo Leitner) [1739244 1729822 1729818 1729398]
  • [net] netem: fix backlog accounting for corrupted GSO frames (Marcelo Leitner) [1739244 1729822 1729818 1729398]
  • [netdrv] macsec: fix checksumming after decryption (Sabrina Dubroca) [1738237]
  • [netdrv] macsec: fix use-after-free of skb during RX (Sabrina Dubroca) [1738237]
  • [net] xfrm interface: fix memory leak on creation (Sabrina Dubroca) [1738267]
  • [net] tls: fix socket wmem accounting on fallback with netem (Sabrina Dubroca) [1739260]
  • [net] tls: fix poll ignoring partially copied records (Sabrina Dubroca) [1739260]
  • [net] tls: make sure offload also gets the keys wiped (Sabrina Dubroca) [1739260]
  • [net] tls: reject offload of TLS 1.3 (Sabrina Dubroca) [1739260]
  • [net] tls: fix page double free on TX cleanup (Sabrina Dubroca) [1739260]
  • [net] tls, correctly account for copied bytes with multiple sk_msgs (Sabrina Dubroca) [1739260]
  • [net] tcp: fix tcp_set_congestion_control() use from bpf hook (Guillaume Nault) [1738272]
  • [net] tcp: Reset bytes_acked and bytes_received when disconnecting (Guillaume Nault) [1738272]
  • [net] tcp: Ensure DCTCP reacts to losses (Guillaume Nault) [1738272]
  • [net] tcp: tcp_v4_err() should be more careful (Guillaume Nault) [1738272]
  • [net] tcp: avoid resetting ACK timer upon receiving packet with ECN CWR flag (Guillaume Nault) [1738272]
  • [net] tcp: always ACK immediately on hole repairs (Guillaume Nault) [1738272]
  • [net] tcp: avoid resetting ACK timer in DCTCP (Guillaume Nault) [1738272]
  • [net] tcp: mandate a one-time immediate ACK (Guillaume Nault) [1738272]
  • [net] tipc: fix unitilized skb list crash (Xin Long) [1734298]
  • [net] tipc: compat: allow tipc commands without arguments (Xin Long) [1738397]
  • [net] sctp: factor out sctp_connect_add_peer (Xin Long) [1738393]
  • [net] sctp: factor out sctp_connect_new_asoc (Xin Long) [1738393]
  • [net] sctp: clean up __sctp_connect (Xin Long) [1738393]
  • [net] sctp: check addr_size with sa_family_t size in __sctp_setsockopt_connectx (Xin Long) [1738393]
  • [net] sctp: only copy the available addr data in sctp_transport_init (Xin Long) [1738393]
  • [net] sctp: drop unneeded likely() call around IS_ERR() (Xin Long) [1738393]
  • [net] sctp: fix warning ‘NULL check before some freeing functions is not needed’ (Xin Long) [1738393]
  • [net] sctp: remove rcu_read_lock from sctp_bind_addr_state (Xin Long) [1738393]
  • [net] sctp: rename sp strm_interleave to ep intl_enable (Xin Long) [1738393]
  • [net] sctp: rename asoc intl_enable to asoc peer.intl_capable (Xin Long) [1738393]
  • [net] sctp: remove prsctp_enable from asoc (Xin Long) [1738393]
  • [net] sctp: remove reconf_enable from asoc (Xin Long) [1738393]
  • [net] sctp: count data bundling sack chunk for outctrlchunks (Xin Long) [1738393]
  • [net] sctp: fix error handling on stream scheduler initialization (Xin Long) [1738393]
  • [net] sctp: not bind the socket in sctp_connect (Xin Long) [1738393]
  • [net] sctp: change to hold sk after auth shkey is created successfully (Xin Long) [1738393]
  • [net] sctp: Free cookie before we memdup a new one (Xin Long) [1738393]
  • [net] Fix memory leak in sctp_process_init (Xin Long) [1738393]
  • [net] sctp: deduplicate identical skb_checksum_ops (Xin Long) [1738393]
  • [net] sctp: Check address length before reading address family (Xin Long) [1738393]
  • [net] sctp: Pass sk_buff_head explicitly to sctp_ulpq_tail_event(). (Xin Long) [1738393]
  • [net] sctp: Make sctp_enqueue_event tak an skb list. (Xin Long) [1738393]
  • [net] sctp: Use helper for sctp_ulpq_tail_event() when hooked up to ->enqueue_event (Xin Long) [1738393]
  • [net] sctp: Always pass skbs on a list to sctp_ulpq_tail_event(). (Xin Long) [1738393]
  • [net] sctp: Remove superfluous test in sctp_ulpq_reasm_drain(). (Xin Long) [1738393]
  • [netdrv] ppp: Remove direct skb_queue_head list pointer access. (Xin Long) [1738393]
  • [net] ipv6: fix neighbour resolution with raw socket (Stefano Brivio) [1728320]
  • [net] ipv6: constify rt6_nexthop() (Stefano Brivio) [1728320]
  • [net] openvswitch: fix csum updates for MPLS actions (Marcelo Leitner) [1738654]
  • [net] udp_gso: Allow TX timestamp with UDP GSO (Paolo Abeni) [1738585]
  • [net] bpf: udp: ipv6: Avoid running reuseports bpf_prog from __udp6_lib_err (Paolo Abeni) [1738585]
  • [net] fix ifindex collision during namespace removal (Paolo Abeni) [1738492]
  • [net] rtnl: return early from rtnl_unregister_all when protocol isnt registered (Paolo Abeni) [1738492]
  • [net] neigh: fix use-after-free read in pneigh_get_next (Paolo Abeni) [1738492]
  • [net] socket: set sock->sk to NULL after calling proto_ops::release() (Paolo Abeni) [1738492]
  • [net] socket: make bond ioctls go through compat_ifreq_ioctl() (Paolo Abeni) [1738492]
  • [net] socket: fix SIOCGIFNAME in compat (Paolo Abeni) [1738492]
  • [net] Revert ‘kill dev_ifsioc()’ (Paolo Abeni) [1738492]
  • [net] revert ‘socket: fix struct ifreq size in compat ioctl’ (Paolo Abeni) [1738492]
  • [net] ip6_tunnel: fix possible use-after-free on xmit (Guillaume Nault) [1737105]
  • [net] genetlink: Fix a memory leak on error path (Guillaume Nault) [1737821]
  • [net] netfilter: ipset: Copy the right MAC address in bitmap:ip, mac and hash:ip, mac sets (Stefano Brivio) [1723605]
  • [net] netfilter: ipset: Actually allow destination MAC address for hash:ip, mac sets too (Stefano Brivio) [1723605]
  • [net] igmp: fix memory leak in igmpv3_del_delrec() (Hangbin Liu) [1736816]
  • [net] dont clear sock->sk early to avoid trouble in strparser (Hangbin Liu) [1736816]
  • [net] ipv4/igmp: fix build error if !CONFIG_IP_MULTICAST (Hangbin Liu) [1736816]
  • [net] ipv4/igmp: fix another memory leak in igmpv3_del_delrec() (Hangbin Liu) [1736816]
  • [net] route: set the deleted fnhe fnhe_daddr to 0 in ip_del_fnhe to fix a race (Hangbin Liu) [1736816]
  • [net] netlabel: fix out-of-bounds memory accesses (Hangbin Liu) [1736816]
  • [net] ipv4: Fix memory leak in network namespace dismantle (Hangbin Liu) [1736816]
  • [net] bridge: delete local fdb on device init failure (Hangbin Liu) [1736824]
  • [net] bridge: stp: dont cache eth dest pointer before skb pull (Hangbin Liu) [1736824]
  • [net] bridge: dont cache ether dest pointer on input (Hangbin Liu) [1736824]
  • [net] bridge: mcast: fix stale ipv6 hdr pointer when handling v6 query (Hangbin Liu) [1736824]
  • [net] bridge: mcast: fix stale nsrcs pointer in igmp3/mld2 report handling (Hangbin Liu) [1736824]
  • [net] bridge: fix per-port af_packet sockets (Hangbin Liu) [1736824]
  • [include] ip: fix ip_mc_may_pull() return value (Hangbin Liu) [1736824]
  • [net] bridge: use struct_size() helper (Hangbin Liu) [1736824]
  • [net] bridge: simplify ip_mc_check_igmp() and ipv6_mc_check_mld() calls (Hangbin Liu) [1736824]
  • [net] net/bridge/br_multicast: remove redundant variable ‘err’ (Hangbin Liu) [1736824]
  • [x86] x86/kdump/64: Restrict kdump kernel reservation to <64TB (Baoquan He) [1669090]
  • [x86] x86/kexec/64: Prevent kexec from 5-level paging to a 4-level only kernel (Baoquan He) [1669088]
  • [x86] x86/boot: Add xloadflags bits to check for 5-level paging support (Baoquan He) [1669088]
  • [tools] perf header: Fix wrong node write in NUMA_TOPOLOGY feature (Michael Petlan) [1722044]
  • [tools] perf c2c: Fix c2c report for empty numa node (Michael Petlan) [1722044]
  • [x86] kvm: svm/avic: fix off-by-one in checking host APIC ID (Janakarajan Natarajan) [1720983]
    [4.18.0-133]
  • [fs] gfs2: gfs2_walk_metadata fix (Andreas Grunbacher) [1724361]
  • [netdrv] mlx4/en_netdev: allow offloading VXLAN over VLAN (Paolo Abeni) [1733532]
  • [fs] xfs: always rejoin held resources during defer roll (Bill ODonnell) [1706588]
  • [bluetooth] Bluetooth: hci_uart: check for missing tty operations (Gopal Tiwari) [1734239] {CVE-2019-10207}
    [4.18.0-132]
  • [documentation] Documentation: Add swapgs description to the Spectre v1 documentation (Josh Poimboeuf) [1724501] {CVE-2019-1125}
  • [documentation] Documentation: Add section about CPU vulnerabilities for Spectre (Josh Poimboeuf) [1724501] {CVE-2019-1125}
  • [x86] x86/speculation/swapgs: Exclude ATOMs from speculation through SWAPGS (Josh Poimboeuf) [1724501] {CVE-2019-1125}
  • [x86] x86/entry/64: Use JMP instead of JMPQ (Josh Poimboeuf) [1724501] {CVE-2019-1125}
  • [x86] x86/speculation: Enable Spectre v1 swapgs mitigations (Josh Poimboeuf) [1724501] {CVE-2019-1125}
  • [x86] x86/speculation: Prepare entry code for Spectre v1 swapgs mitigations (Josh Poimboeuf) [1724501] {CVE-2019-1125}
  • [x86] x86/cpufeatures: Combine word 11 and 12 into a new scattered features word (Josh Poimboeuf) [1724501] {CVE-2019-1125}
  • [x86] x86/cpufeatures: Carve out CQM features retrieval (Josh Poimboeuf) [1724501] {CVE-2019-1125}
  • [netdrv] ibmveth: fix DMA unmap error in ibmveth_xmit_start error path (Steve Best) [1739431]
  • [rpmspec] rpmspec: use make macro to do headers_install with rpm CFLAGS/LDFLAGS (‘Herton R. Krzesinski’) [1738659]
  • [rpmspec] rpmspec: use tools_make for building tools (‘Herton R. Krzesinski’) [1738659]
  • [tools] tools gpio: Allow overriding CFLAGS (‘Herton R. Krzesinski’) [1738659]
  • [tools] tools thermal tmon: Allow overriding CFLAGS assignments (‘Herton R. Krzesinski’) [1738659]
  • [tools] tools iio: Override CFLAGS assignments (‘Herton R. Krzesinski’) [1738659]
  • [fs] NFS: Fix dentry revalidation on NFSv4 lookup (Steve Dickson) [1667774]
  • [fs] pNFS: Avoid read/modify/write when it is not necessary (Benjamin Coddington) [1680649]
  • [fs] pNFS: Fix potential corruption of page being written (Benjamin Coddington) [1680649]
  • [fs] gfs2: Inode dirtying fix (Andreas Grunbacher) [1724361]
  • [net] sunrpc: make visible processing error in bc_svc_process() (‘J. Bruce Fields’) [1660823] {CVE-2018-16884}
  • [net] sunrpc: remove unused xpo_prep_reply_hdr callback (‘J. Bruce Fields’) [1660823] {CVE-2018-16884}
  • [net] sunrpc: remove svc_tcp_bc_class (‘J. Bruce Fields’) [1660823] {CVE-2018-16884}
  • [net] sunrpc: replace svc_serv->sv_bc_xprt by boolean flag (‘J. Bruce Fields’) [1660823] {CVE-2018-16884}
  • [net] sunrpc: use-after-free in svc_process_common() (‘J. Bruce Fields’) [1660823] {CVE-2018-16884}

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

8.3 High

CVSS2

Access Vector

ADJACENT_NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:A/AC:L/Au:N/C:C/I:C/A:C

Related for ELSA-2019-3517