Unbreakable Enterprise kernel security update

[4.14.35-2047.529.3]

• uek-rpm: Update kernel linux-firmware dependency to 20230516-999.26.git6c9e0ed5. (Somasundaram Krishnasamy) [Orabug: 35724203]
• LTS version: v4.14.322 (Saeed Mirzamohammadi)
• drm/edid: fix objtool warning in drm_cvt_modes() (Linus Torvalds)
• mtd: rawnand: omap_elm: Fix incorrect type in assignment (Roger Quadros)
• test_firmware: fix a memory leak with reqs buffer (Mirsad Goran Todorovac)
• ext2: Drop fragment support (Jan Kara)
• net: usbnet: Fix WARNING in usbnet_start_xmit/usb_submit_urb (Alan Stern)
• Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_ready_cb (Sungwoo Kim)
• fs/sysv: Null check to prevent null-ptr-deref bug (Prince Kumar Maurya)
• USB: zaurus: Add ID for A-300/B-500/C-700 (Ross Maynard)
• libceph: fix potential hang in ceph_osdc_notify() (Ilya Dryomov)
• loop: Select I/O scheduler ‘none’ from inside add_disk() (Bart Van Assche)
• tcp_metrics: fix data-race in tcpm_suck_dst() vs fastopen (Eric Dumazet)
• tcp_metrics: annotate data-races around tm->tcpm_net (Eric Dumazet)
• tcp_metrics: annotate data-races around tm->tcpm_vals[] (Eric Dumazet)
• tcp_metrics: annotate data-races around tm->tcpm_lock (Eric Dumazet)
• tcp_metrics: annotate data-races around tm->tcpm_stamp (Eric Dumazet)
• tcp_metrics: fix addr_same() helper (Eric Dumazet)
• ip6mr: Fix skb_under_panic in ip6mr_cache_report() (Yue Haibing)
• net/sched: cls_route: No longer copy tcf_result on update to avoid use-after-free (valis)
• net/sched: cls_u32: No longer copy tcf_result on update to avoid use-after-free (valis)
• net: add missing data-race annotation for sk_ll_usec (Eric Dumazet)
• net: add missing data-race annotations around sk->sk_peek_off (Eric Dumazet)
• perf test uprobe_from_different_cu: Skip if there is no gcc (Georg Muller)
• net/mlx5e: fix return value check in mlx5e_ipsec_remove_trailer() (Yuanjun Gong)
• word-at-a-time: use the same return type for has_zero regardless of endianness ([email protected])
• perf: Fix function pointer case (Peter Zijlstra)
• net/sched: cls_u32: Fix reference counter leak leading to overflow (Lee Jones)
• net/sched: sch_qfq: account for stab overhead in qfq_enqueue (Pedro Tammela)
• net/sched: cls_fw: Fix improper refcount update leads to use-after-free (M A Ramdhan)
• drm/client: Fix memory leak in drm_client_target_cloned (Jocelyn Falempe)
• dm cache policy smq: ensure IO doesn’t prevent cleaner policy progress (Joe Thornber)
• ASoC: wm8904: Fill the cache for WM8904_ADC_TEST_0 register (Mark Brown)
• s390/dasd: fix hanging device after quiesce/resume (Stefan Haberland)
• irq-bcm6345-l1: Do not assume a fixed block to cpu mapping (Jonas Gorski)
• tpm_tis: Explicitly check for error code (Alexander Steffen)
• hwmon: (nct7802) Fix for temp6 (PECI1) processed even if PECI1 disabled (Gilles Buloz)
• staging: ks7010: potential buffer overflow in ks_wlan_set_encode_ext() (Zhang Shurong)
• Documentation: security-bugs.rst: update preferences when dealing with the linux-distros group (Greg Kroah-Hartman)
• usb: xhci-mtk: set the dma max_seg_size (Ricardo Ribalda)
• usb: ohci-at91: Fix the unhandle interrupt when resume (Guiting Shen)
• can: gs_usb: gs_can_close(): add missing set of CAN state to CAN_STATE_STOPPED (Marc Kleine-Budde)
• USB: serial: simple: sort driver entries (Johan Hovold)
• USB: serial: simple: add Kaufmann RKS+CAN VCP (Oliver Neukum)
• USB: serial: option: add Quectel EC200A module support (Mohsen Tahmasebi)
• USB: serial: option: support Quectel EM060K_128 (Jerry Meng)
• tracing: Fix warning in trace_buffered_event_disable() (Zheng Yejian)
• ring-buffer: Fix wrong stat of cpu_buffer->read (Zheng Yejian)
• ata: pata_ns87415: mark ns87560_tf_read static (Arnd Bergmann)
• dm raid: fix missing reconfig_mutex unlock in raid_ctr() error paths (Yu Kuai)
• block: Fix a source code comment in include/uapi/linux/blkzoned.h (Bart Van Assche)
• ASoC: fsl_spdif: Silence output on stop (Matus Gajdos)
• benet: fix return value check in be_lancer_xmit_workarounds() (Yuanjun Gong)
• platform/x86: msi-laptop: Fix rfkill out-of-sync on MSI Wind U100 (Maxim Mikityanskiy)
• team: reset team’s flags when down link is P2P device (Hangbin Liu)
• bonding: reset bond’s flags when down link is P2P device (Hangbin Liu)
• tcp: Reduce chance of collisions in inet6_hashfn(). (Stewart Smith)
• ipv6 addrconf: fix bug where deleting a mngtmpaddr can create a new temporary address (Maciej Zenczykowski)
• ethernet: atheros: fix return value check in atl1e_tso_csum() (Yuanjun Gong)
• i40e: Fix an NULL vs IS_ERR() bug for debugfs_create_dir() (Wang Ming)
• gpio: tps68470: Make tps68470_gpio_output() always set the initial value (Hans de Goede)
• tcp: annotate data-races around fastopenq.max_qlen (Eric Dumazet)
• tcp: annotate data-races around tp->notsent_lowat (Eric Dumazet)
• tcp: annotate data-races around rskq_defer_accept (Eric Dumazet)
• netfilter: nf_tables: fix spurious set element insertion failure (Florian Westphal)
• llc: Don’t drop packet from non-root netns. (Kuniyuki Iwashima)
• fbdev: au1200fb: Fix missing IRQ check in au1200fb_drv_probe (Zhang Shurong)
• net: ethernet: ti: cpsw_ale: Fix cpsw_ale_get_field()/cpsw_ale_set_field() (Tanmay Patil)
• pinctrl: amd: Use amd_pinconf_set() for all config options (Mario Limonciello)
• fbdev: imxfb: warn about invalid left/right margin (Martin Kaiser)
• spi: bcm63xx: fix max prepend length (Jonas Gorski)
• igb: Fix igb_down hung on surprise removal (Ying Hsu)
• wifi: wext-core: Fix -Wstringop-overflow warning in ioctl_standard_iw_point() (Gustavo A. R. Silva)
• bpf: Address KCSAN report on bpf_lru_list (Martin KaFai Lau)
• sched/fair: Don’t balance task to its current running CPU (Yicong Yang)
• posix-timers: Ensure timer ID search-loop limit is valid (Saeed Mirzamohammadi)
• md/raid10: prevent soft lockup while flush writes (Yu Kuai)
• md: fix data corruption for raid456 when reshape restart while grow up (Yu Kuai)
• nbd: Add the maximum limit of allocated index in nbd_dev_add (Zhong Jinghua)
• debugobjects: Recheck debug_objects_enabled before reporting (Tetsuo Handa)
• ext4: correct inline offset when handling xattrs in inode body (Eric Whitney)
• can: bcm: Fix UAF in bcm_proc_show() (YueHaibing)
• fuse: revalidate: don’t invalidate if interrupted (Miklos Szeredi)
• perf probe: Add test for regression introduced by switch to die_get_decl_file() (Georg Muller)
• serial: atmel: don’t enable IRQs prematurely (Dan Carpenter)
• scsi: qla2xxx: Pointer may be dereferenced (Shreyas Deodhar)
• scsi: qla2xxx: Check valid rport returned by fc_bsg_to_rport() (Nilesh Javali)
• scsi: qla2xxx: Fix potential NULL pointer dereference (Bikash Hazarika)
• scsi: qla2xxx: Wait for io return on terminate rport (Quinn Tran)
• xtensa: ISS: fix call to split_if_spec (Max Filippov)
• ring-buffer: Fix deadloop issue on reading trace_pipe (Zheng Yejian)
• tty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() when iterating clk (Christophe JAILLET)
• tty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() in case of error (Christophe JAILLET)
• Revert ‘8250: add support for ASIX devices with a FIFO bug’ (Jiaqing Zhao)
• meson saradc: fix clock divider mask length (George Stark)
• hwrng: imx-rngc - fix the timeout for init and self check (Martin Kaiser)
• fs: dlm: return positive pid value for F_GETLK (Alexander Aring)
• md/raid0: add discard support for the ‘original’ layout (Jason Baron)
• misc: pci_endpoint_test: Re-init completion for every test (Damien Le Moal)
• PCI: Add function 1 DMA alias quirk for Marvell 88SE9235 (Robin Murphy)
• jfs: jfs_dmap: Validate db_l2nbperpage while mounting (Siddh Raman Pant)
• ext4: only update i_reserved_data_blocks on successful block allocation (Baokun Li)
• ext4: fix wrong unit use in ext4_mb_clear_bb (Kemeng Shi)
• perf intel-pt: Fix CYC timestamps after standalone CBR (Adrian Hunter)
• SUNRPC: Fix UAF in svc_tcp_listen_data_ready() (Ding Hui)
• tpm: tpm_vtpm_proxy: fix a race condition in /dev/vtpmx creation (Jarkko Sakkinen)
• net/sched: make psched_mtu() RTNL-less safe (Pedro Tammela)
• wifi: airo: avoid uninitialized warning in airo_get_rate() (Randy Dunlap)
• ipv6/addrconf: fix a potential refcount underflow for idev (Ziyang Xuan)
• NTB: ntb_transport: fix possible memory leak while device_register() fails (Yang Yingliang)
• ntb: intel: Fix error handling in intel_ntb_pci_driver_init() (Yuan Can)
• NTB: amd: Fix error handling in amd_ntb_pci_driver_init() (Yuan Can)
• ntb: idt: Fix error handling in idt_pci_driver_init() (Yuan Can)
• udp6: fix udp6_ehashfn() typo (Eric Dumazet)
• net: mvneta: fix txq_map in case of txq_number==1 (Klaus Kudielka)
• workqueue: clean up WORK_* constant types, clarify masking (Linus Torvalds)
• netfilter: nf_tables: prevent OOB access in nft_byteorder_eval (Thadeu Lima de Souza Cascardo)
• netfilter: conntrack: Avoid nf_ct_helper_hash uses after free (Florent Revest)
• netfilter: nf_tables: unbind non-anonymous set if rule construction fails (Pablo Neira Ayuso)
• netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with bound set/chain (Pablo Neira Ayuso)
• netfilter: nf_tables: incorrect error path handling with NFT_MSG_NEWRULE (Pablo Neira Ayuso)
• spi: spi-fsl-spi: allow changing bits_per_word while CS is still active (Rasmus Villemoes)
• spi: spi-fsl-spi: relax message sanity checking a little (Rasmus Villemoes)
• spi: spi-fsl-spi: remove always-true conditional in fsl_spi_do_one_msg (Rasmus Villemoes)
• ARM: orion5x: fix d2net gpio initialization (Arnd Bergmann)
• btrfs: fix race when deleting quota root from the dirty cow roots list (Filipe Manana)
• jffs2: reduce stack usage in jffs2_build_xattr_subsystem() (Fabian Frederick)
• integrity: Fix possible multiple allocation in integrity_inode_get() (Tianjia Zhang)
• mmc: core: disable TRIM on Micron MTFC4GACAJCN-1M (Robert Marko)
• mmc: core: disable TRIM on Kingston EMMC04G-M627 (Robert Marko)
• NFSD: add encoding of op_recall flag for write delegation (Dai Ngo)
• sh: dma: Fix DMA channel offset calculation (Artur Rojek)
• net/sched: act_pedit: Add size check for TCA_PEDIT_PARMS_EX (Lin Ma)
• tcp: annotate data races in __tcp_oow_rate_limited() (Eric Dumazet)
• net: bridge: keep ports without IFF_UNICAST_FLT in BR_PROMISC mode (Vladimir Oltean)
• powerpc: allow PPC_EARLY_DEBUG_CPM only when SERIAL_CPM=y (Randy Dunlap)
• mailbox: ti-msgmgr: Fill non-message tx data fields with 0x0 (Nishanth Menon)
• spi: bcm-qspi: return error if neither hif_mspi nor mspi is available (Jonas Gorski)
• Add MODULE_FIRMWARE() for FIRMWARE_TG357766. (Tobias Heider)
• sctp: fix potential deadlock on &net->sctp.addr_wq_lock (Chengfeng Ye)
• rtc: st-lpc: Release some resources in st_rtc_probe() in case of error (Christophe JAILLET)
• mfd: stmpe: Only disable the regulators if they are enabled (Christophe JAILLET)
• mfd: intel-lpss: Add missing check for platform_get_resource (Jiasheng Jiang)
• mfd: rt5033: Drop rt5033-battery sub-device (Stephan Gerhold)
• usb: phy: phy-tahvo: fix memory leak in tahvo_usb_probe() (Li Yang)
• extcon: Fix kernel doc of property capability fields to avoid warnings (Andy Shevchenko)
• extcon: Fix kernel doc of property fields to avoid warnings (Andy Shevchenko)
• media: usb: siano: Fix warning due to null work_func_t function pointer (Duoming Zhou)
• media: videodev2.h: Fix struct v4l2_input tuner index comment (Marek Vasut)
• media: usb: Check az6007_read() return value (Daniil Dulov)
• sh: j2: Use ioremap() to translate device tree address into kernel memory (John Paul Adrian Glaubitz)
• w1: fix loop in w1_fini() (Dan Carpenter)
• block: change all __u32 annotations to __be32 in affs_hardblocks.h (Michael Schmitz)
• USB: serial: option: add LARA-R6 01B PIDs (Davide Tronchin)
• modpost: fix off by one in is_executable_section() (Dan Carpenter)
• modpost: fix section mismatch message for R_ARM_{PC24,CALL,JUMP24} (Masahiro Yamada)
• modpost: fix section mismatch message for R_ARM_ABS32 (Masahiro Yamada)
• crypto: nx - fix build warnings when DEBUG_FS is not enabled (Randy Dunlap)
• pinctrl: at91-pio4: check return value of devm_kasprintf() (Claudiu Beznea)
• perf dwarf-aux: Fix off-by-one in die_get_varname() (Namhyung Kim)
• pinctrl: cherryview: Return correct value if pin in push-pull mode (Andy Shevchenko)
• PCI: Add pci_clear_master() stub for non-CONFIG_PCI (Sui Jingfeng)
• scsi: 3w-xxxx: Add error handling for initialization failure in tw_probe() (Yuchen Yang)
• ALSA: ac97: Fix possible NULL dereference in snd_ac97_mixer (Su Hui)
• drm/radeon: fix possible division-by-zero errors (Nikita Zhandarovich)
• fbdev: omapfb: lcd_mipid: Fix an error handling path in mipid_spi_probe() (Christophe JAILLET)
• soc/fsl/qe: fix usb.c build errors (Randy Dunlap)
• ASoC: es8316: Increment max value for ALC Capture Target Volume control (Cristian Ciocaltea)
• ARM: ep93xx: fix missing-prototype warnings (Arnd Bergmann)
• drm/panel: simple: fix active size for Ampire AM-480272H3TMQW-T01H (Dario Binacchi)
• Input: adxl34x - do not hardcode interrupt trigger type (Marek Vasut)
• ARM: dts: BCM5301X: Drop ‘clock-names’ from the SPI node (Rafal Milecki)
• Input: drv260x - sleep between polling GO bit (Luca Weiss)
• radeon: avoid double free in ci_dpm_init() (Nikita Zhandarovich)
• netlink: Add __sock_i_ino() for __netlink_diag_dump(). (Kuniyuki Iwashima)
• netfilter: nf_conntrack_sip: fix the ct_sip_parse_numerical_param() return value. (Ilia.Gavrilov)
• lib/ts_bm: reset initial match offset for every block of text (Jeremy Sowden)
• gtp: Fix use-after-free in __gtp_encap_destroy(). (Kuniyuki Iwashima)
• netlink: do not hard code device address lenth in fdb dumps (Eric Dumazet)
• netlink: fix potential deadlock in netlink_set_err() (Eric Dumazet)
• wifi: ath9k: convert msecs to jiffies where needed (Dmitry Antipov)
• wifi: ath9k: Fix possible stall on ath9k_txq_list_has_key() (Remi Pommarel)
• memstick r592: make memstick_debug_get_tpc_name() static (Arnd Bergmann)
• kexec: fix a memory leak in crash_shrink_memory() (Zhen Lei)
• watchdog/perf: more properly prevent false positives with turbo modes (Douglas Anderson)
• watchdog/perf: define dummy watchdog_update_hrtimer_threshold() on correct config (Douglas Anderson)
• wifi: ath9k: don’t allow to overwrite ENDPOINT0 attributes (Fedor Pchelkin)
• wifi: ray_cs: Fix an error handling path in ray_probe() (Christophe JAILLET)
• wifi: wl3501_cs: Fix an error handling path in wl3501_probe() (Christophe JAILLET)
• wifi: atmel: Fix an error handling path in atmel_probe() (Christophe JAILLET)
• wifi: orinoco: Fix an error handling path in orinoco_cs_probe() (Christophe JAILLET)
• wifi: orinoco: Fix an error handling path in spectrum_cs_probe() (Christophe JAILLET)
• wifi: ath9k: avoid referencing uninit memory in ath9k_wmi_ctrl_rx (Fedor Pchelkin)
• wifi: ath9k: fix AR9003 mac hardware hang check register offset calculation (Peter Seiderer)
• evm: Complete description of evm_inode_setattr() (Roberto Sassu)
• PM: domains: fix integer overflow issues in genpd_parse_state() (Nikita Zhandarovich)
• md/raid10: fix io loss while replacement replace rdev (Li Nan)
• md/raid10: fix wrong setting of max_corr_read_errors (Li Nan)
• md/raid10: fix overflow of md/safe_mode_delay (Li Nan)
• treewide: Remove uninitialized_var() usage (Kees Cook)
• drm/amdgpu: Validate VM ioctl flags. (Bas Nieuwenhuizen)
• scripts/tags.sh: Resolve gtags empty index generation (Ahmed S. Darwish)
• drm/edid: Fix uninitialized variable in drm_cvt_modes() (Lyude Paul)
• fbdev: imsttfb: Fix use after free bug in imsttfb_probe (Zheng Wang)
• x86/smp: Use dedicated cache-line for mwait_play_dead() (Thomas Gleixner)
• x86/microcode/AMD: Load late on both threads too (Borislav Petkov (AMD))
• gfs2: Don’t deref jdesc in evict (Bob Peterson)
• LTS version: v4.14.321 (Saeed Mirzamohammadi)
  [4.14.35-2047.529.2]
• x86/cpu: persist X86_FEATURE_NT_GOOD for late reload (Ankur Arora) [Orabug: 35693947]
• uek-rpm: Disable cls_tcindex in file tcindex-disable.conf (Sherry Yang) [Orabug: 35678739]
• uek-rpm: Update kernel’s linux-firmware dependency. (Somasundaram Krishnasamy) [Orabug: 35678693]
• Revert ‘sched/fair: sanitize vruntime of entity being placed’ (Saeed Mirzamohammadi) [Orabug: 35651310]
• Revert ‘sched/fair: Sanitize vruntime of entity being migrated’ (Saeed Mirzamohammadi) [Orabug: 35651310]
• x86/microcode/AMD: Clean up per-family patch size checks (Borislav Petkov) [Orabug: 35643967]
  [4.14.35-2047.529.1]
• vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF (George Kennedy) [Orabug: 35649492] {CVE-2023-3567}
• ocfs2: always read both high and low parts of dinode link count (Alexey Asemov) [Orabug: 35643004]