This bug was fixed in the package linux - 5.0.0-32.34

---------------
linux (5.0.0-32.34) disco; urgency=medium

  * disco/linux: 5.0.0-32.34 -proposed tracker (LP: #1846097)

  * CVE-2019-14814 // CVE-2019-14815 // CVE-2019-14816
    - mwifiex: Fix three heap overflow at parsing element in cfg80211_ap_settings

  * CVE-2019-15505
    - media: technisat-usb2: break out of loop at end of buffer

  * CVE-2019-2181
    - binder: check for overflow when alloc for security context

  * Support Hi1620 zip hw accelerator (LP: #1845355)
    - [Config] Enable HiSilicon QM/ZIP as modules
    - crypto: hisilicon - add queue management driver for HiSilicon QM module
    - crypto: hisilicon - add hardware SGL support
    - crypto: hisilicon - add HiSilicon ZIP accelerator support
    - crypto: hisilicon - add SRIOV support for ZIP
    - Documentation: Add debugfs doc for hisi_zip
    - crypto: hisilicon - add debugfs for ZIP and QM
    - MAINTAINERS: add maintainer for HiSilicon QM and ZIP controller driver
    - crypto: hisilicon - fix kbuild warnings
    - crypto: hisilicon - add dependency for CRYPTO_DEV_HISI_ZIP
    - crypto: hisilicon - init curr_sgl_dma to fix compile warning
    - crypto: hisilicon - add missing single_release
    - crypto: hisilicon - fix error handle in hisi_zip_create_req_q
    - crypto: hisilicon - Fix warning on printing %p with dma_addr_t
    - crypto: hisilicon - Fix return value check in hisi_zip_acompress()
    - crypto: hisilicon - avoid unused function warning

  * xfrm interface: several kernel panic (LP: #1836261)
    - xfrm interface: fix memory leak on creation
    - xfrm interface: avoid corruption on changelink
    - xfrm interface: ifname may be wrong in logs
    - xfrm interface: fix list corruption for x-netns
    - xfrm interface: fix management of phydev

  * shiftfs: drop entries from cache on unlink (LP: #1841977)
    - SAUCE: shiftfs: fix buggy unlink logic

  * shiftfs: mark kmem_cache as reclaimable (LP: #1842059)
    - SAUCE: shiftfs: mark slab objects SLAB_RECLAIM_ACCOUNT

  * Suspend to RAM(S3) does not wake up for latest megaraid and mpt3sas adapters(SAS3.5 onwards) (LP: #1838751)
    - PCI: Restore Resizable BAR size bits correctly for 1MB BARs

  * No sound inputs from the external microphone and headset on a Dell machine (LP: #1842265)
    - ALSA: hda - Expand pin_match function to match upcoming new tbls
    - ALSA: hda - Define a fallback_pin_fixup_tbl for alc269 family

  * Add -fcf-protection=none when using retpoline flags (LP: #1843291)
    - SAUCE: kbuild: add -fcf-protection=none when using retpoline flags

  * Disco update: upstream stable patchset 2019-09-25 (LP: #1845390)
    - bridge/mdb: remove wrong use of NLM_F_MULTI
    - cdc_ether: fix rndis support for Mediatek based smartphones
    - ipv6: Fix the link time qualifier of 'ping_v6_proc_exit_net()'
    - isdn/capi: check message length in capi_write()
    - ixgbe: Fix secpath usage for IPsec TX offload.
    - net: Fix null de-reference of device refcount
    - net: gso: Fix skb_segment splat when splitting gso_size mangled skb having linear-headed frag_list
    - net: phylink: Fix flow control resolution
    - net: sched: fix reordering issues
    - sch_hhf: ensure quantum and hhf_non_hh_weight are non-zero
    - sctp: Fix the link time qualifier of 'sctp_ctrlsock_exit()'
    - sctp: use transport pf_retrans in sctp_do_8_2_transport_strike
    - tcp: fix tcp_ecn_withdraw_cwr() to clear TCP_ECN_QUEUE_CWR
    - tipc: add NULL pointer check before calling kfree_rcu
    - tun: fix use-after-free when register netdev failed
    - gpiolib: acpi: Add gpiolib_acpi_run_edge_events_on_boot option and blacklist
    - gpio: fix line flag validation in linehandle_create
    - Btrfs: fix assertion failure during fsync and use of stale transaction
    - ixgbe: Prevent u8 wrapping of ITR value to something less than 10us
    - genirq: Prevent NULL pointer dereference in resend_irqs()
    - KVM: s390: kvm_s390_vm_start_migration: check dirty_bitmap before using it as target for memset()
    - KVM: s390: Do not leak kernel stack data in the KVM_S390_INTERRUPT ioctl
    - KVM: x86: work around leak of uninitialized stack contents
    - KVM: nVMX: handle page fault in vmread
    - x86/purgatory: Change compiler flags from -mcmodel=kernel to -mcmodel=large to fix kexec relocation errors
    - powerpc: Add barrier_nospec to raw_copy_in_user()
    - drm/meson: Add support for XBGR8888 & ABGR8888 formats
    - clk: rockchip: Don't yell about bad mmc phases when getting
    - mtd: rawnand: mtk: Fix wrongly assigned OOB buffer pointer issue
    - PCI: Always allow probing with driver_override
    - gpio: fix line flag validation in lineevent_create
    - ubifs: Correctly use tnc_next() in search_dh_cookie()
    - driver core: Fix use-after-free and double free on glue directory
    - crypto: talitos - check AES key size
    - crypto: talitos - fix CTR alg blocksize
    - crypto: talitos - check data blocksize in ablkcipher.
    - crypto: talitos - fix ECB algs ivsize
    - crypto: talitos - Do not modify req->cryptlen on decryption.
    - crypto: talitos - HMAC SNOOP NO AFEU mode requires SW icv checking.
    - firmware: ti_sci: Always request response from firmware
    - drm: panel-orientation-quirks: Add extra quirk table entry for GPD MicroPC
    - drm/mediatek: mtk_drm_drv.c: Add of_node_put() before goto
    - Revert "Bluetooth: btusb: driver to enable the usb-wakeup feature"
    - iio: adc: stm32-dfsdm: fix data type
    - modules: fix BUG when load module with rodata=n
    - modules: fix compile error if don't have strict module rwx
    - platform/x86: pmc_atom: Add CB4063 Beckhoff Automation board to critclk_systems DMI table
    - rsi: fix a double free bug in rsi_91x_deinit()
    - x86/build: Add -Wnoaddress-of-packed-member to REALMODE_CFLAGS, to silence GCC9 build warning
    - ixgbevf: Fix secpath usage for IPsec Tx offload
    - net: fixed_phy: Add forward declaration for struct gpio_desc;
    - net: sock_map, fix missing ulp check in sock hash case
    - Revert "mmc: bcm2835: Terminate timeout work synchronously"
    - mmc: tmio: Fixup runtime PM management during probe
    - mmc: tmio: Fixup runtime PM management during remove
    - drm/i915: Restore relaxed padding (OCL_OOB_SUPPRES_ENABLE) for skl+
    - ixgbe: fix double clean of Tx descriptors with xdp
    - mt76: mt76x0e: disable 5GHz band for MT7630E
    - x86/ima: check EFI SetupMode too
    - kvm: nVMX: Remove unnecessary sync_roots from handle_invept
    - KVM: SVM: Fix detection of AMD Errata 1096

  * Disco update: upstream stable patchset 2019-09-19 (LP: #1844722)
    - ALSA: hda - Fix potential endless loop at applying quirks
    - ALSA: hda/realtek - Fix overridden device-specific initialization
    - ALSA: hda/realtek - Add quirk for HP Pavilion 15
    - ALSA: hda/realtek - Enable internal speaker & headset mic of ASUS UX431FL
    - ALSA: hda/realtek - Fix the problem of two front mics on a ThinkCentre
    - sched/fair: Don't assign runtime for throttled cfs_rq
    - drm/vmwgfx: Fix double free in vmw_recv_msg()
    - vhost/test: fix build for vhost test
    - vhost/test: fix build for vhost test - again
    - batman-adv: fix uninit-value in batadv_netlink_get_ifindex()
    - batman-adv: Only read OGM tvlv_len after buffer len check
    - timekeeping: Use proper ktime_add when adding nsecs in coarse offset
    - selftests: fib_rule_tests: use pre-defined DEV_ADDR
    - powerpc/64: mark start_here_multiplatform as __ref
    - media: stm32-dcmi: fix irq = 0 case
    - scripts/decode_stacktrace: match basepath using shell prefix operator, not regex
    - nvme-fc: use separate work queue to avoid warning
    - modules: always page-align module section allocations
    - kernel/module: Fix mem leak in module_add_modinfo_attrs
    - drm/vblank: Allow dynamic per-crtc max_vblank_count
    - mfd: Kconfig: Fix I2C_DESIGNWARE_PLATFORM dependencies
    - tpm: Fix some name collisions with drivers/char/tpm.h
    - drm/nouveau: Don't WARN_ON VCPI allocation failures
    - drm: add __user attribute to ptr_to_compat()
    - drm/i915: Handle vm_mmap error during I915_GEM_MMAP ioctl with WC set
    - drm/i915: Sanity check mmap length against object size
    - arm64: dts: stratix10: add the sysmgr-syscon property from the gmac's
    - kvm: mmu: Fix overflow on kvm mmu page limit calculation
    - KVM: x86: Always use 32-bit SMRAM save state for 32-bit kernels
    - media: i2c: tda1997x: select V4L2_FWNODE
    - ext4: protect journal inode's blocks using block_validity
    - ARM: dts: qcom: ipq4019: Fix MSI IRQ type
    - dt-bindings: mmc: Add supports-cqe property
    - dt-bindings: mmc: Add disable-cqe-dcmd property.
    - dm mpath: fix missing call of path selector type->end_io
    - mmc: sdhci-pci: Add support for Intel CML
    - PCI: dwc: Use devm_pci_alloc_host_bridge() to simplify code
    - cifs: smbd: take an array of reqeusts when sending upper layer data
    - drm/amdkfd: Add missing Polaris10 ID
    - kvm: Check irqchip mode before assign irqfd
    - Btrfs: fix race between block group removal and block group allocation
    - cifs: add spinlock for the openFileList to cifsInodeInfo
    - ceph: use ceph_evict_inode to cleanup inode's resource
    - KVM: x86: optimize check for valid PAT value
    - KVM: VMX: Always signal #GP on WRMSR to MSR_IA32_CR_PAT with bad value
    - btrfs: correctly validate compression type
    - dm thin metadata: check if in fail_io mode when setting needs_check
    - bcache: only clear BTREE_NODE_dirty bit when it is set
    - bcache: add comments for mutex_lock(&b->write_lock)
    - bcache: fix race in btree_flush_write()
    - drm/i915: Make sure cdclk is high enough for DP audio on VLV/CHV
    - virtio/s390: fix race on airq_areas[]
    - ext4: don't perform block validity checks on the journal inode
    - ext4: fix block validity checks for journal inodes using indirect blocks
    - ext4: unsigned int compared against zero
    - PCI: Reset both NVIDIA GPU and HDA in ThinkPad P50 workaround
    - gpio: pca953x: correct type of reg_direction
    - gpio: pca953x: use pca953x_read_regs instead of regmap_bulk_read
    - drm/nouveau/sec2/gp102: add missing MODULE_FIRMWAREs
    - powerpc/64e: Drop stale call to smp_processor_id() which hangs SMP startup
    - drm/i915: Disable SAMPLER_STATE prefetching on all Gen11 steppings.
    - mmc: sdhci-sprd: Fix the incorrect soft reset operation when runtime resuming
    - usb: chipidea: imx: add imx7ulp support
    - usb: chipidea: imx: fix EPROBE_DEFER support during driver probe

  * Disco update: upstream stable patchset 2019-09-11 (LP: #1843622)
    - dmaengine: ste_dma40: fix unneeded variable warning
    - nvme-multipath: revalidate nvme_ns_head gendisk in nvme_validate_ns
    - afs: Fix the CB.ProbeUuid service handler to reply correctly
    - afs: Fix loop index mixup in afs_deliver_vl_get_entry_by_name_u()
    - fs: afs: Fix a possible null-pointer dereference in afs_put_read()
    - afs: Only update d_fsdata if different in afs_d_revalidate()
    - nvmet-loop: Flush nvme_delete_wq when removing the port
    - nvme: fix a possible deadlock when passthru commands sent to a multipath device
    - nvme-pci: Fix async probe remove race
    - soundwire: cadence_master: fix register definition for SLAVE_STATE
    - soundwire: cadence_master: fix definitions for INTSTAT0/1
    - auxdisplay: panel: need to delete scan_timer when misc_register fails in panel_attach
    - dmaengine: stm32-mdma: Fix a possible null-pointer dereference in stm32_mdma_irq_handler()
    - omap-dma/omap_vout_vrfb: fix off-by-one fi value
    - iommu/dma: Handle SG length overflow better
    - usb: gadget: composite: Clear "suspended" on reset/disconnect
    - usb: gadget: mass_storage: Fix races between fsg_disable and fsg_set_alt
    - xen/blkback: fix memory leaks
    - arm64: cpufeature: Don't treat granule sizes as strict
    - i2c: rcar: avoid race when unregistering slave client
    - i2c: emev2: avoid race when unregistering slave client
    - drm/ast: Fixed reboot test may cause system hanged
    - usb: host: fotg2: restart hcd after port reset
    - tools: hv: fixed Python pep8/flake8 warnings for lsvmbus
    - tools: hv: fix KVP and VSS daemons exit code
    - watchdog: bcm2835_wdt: Fix module autoload
    - drm/bridge: tfp410: fix memleak in get_modes()
    - scsi: ufs: Fix RX_TERMINATION_FORCE_ENABLE define value
    - drm/tilcdc: Register cpufreq notifier after we have initialized crtc
    - net/tls: swap sk_write_space on close
    - net: tls, fix sk_write_space NULL write when tx disabled
    - ipv6/addrconf: allow adding multicast addr if IFA_F_MCAUTOJOIN is set
    - ipv6: Default fib6_type to RTN_UNICAST when not set
    - net/smc: make sure EPOLLOUT is raised
    - tcp: make sure EPOLLOUT wont be missed
    - ipv4/icmp: fix rt dst dev null pointer dereference
    - mm/zsmalloc.c: fix build when CONFIG_COMPACTION=n
    - ALSA: usb-audio: Check mixer unit bitmap yet more strictly
    - ALSA: line6: Fix memory leak at line6_init_pcm() error path
    - ALSA: hda - Fixes inverted Conexant GPIO mic mute led
    - ALSA: seq: Fix potential concurrent access to the deleted pool
    - ALSA: usb-audio: Fix invalid NULL check in snd_emuusb_set_samplerate()
    - ALSA: usb-audio: Add implicit fb quirk for Behringer UFX1604
    - kvm: x86: skip populating logical dest map if apic is not sw enabled
    - KVM: x86: Don't update RIP or do single-step on faulting emulation
    - uprobes/x86: Fix detection of 32-bit user mode
    - x86/apic: Do not initialize LDR and DFR for bigsmp
    - ftrace: Fix NULL pointer dereference in t_probe_next()
    - ftrace: Check for successful allocation of hash
    - ftrace: Check for empty hash and comment the race with registering probes
    - usb-storage: Add new JMS567 revision to unusual_devs
    - USB: cdc-wdm: fix race between write and disconnect due to flag abuse
    - usb: hcd: use managed device resources
    - usb: chipidea: udc: don't do hardware access if gadget has stopped
    - usb: host: ohci: fix a race condition between shutdown and irq
    - usb: host: xhci: rcar: Fix typo in compatible string matching
    - USB: storage: ums-realtek: Update module parameter description for auto_delink_en
    - mei: me: add Tiger Lake point LP device ID
    - mmc: sdhci-of-at91: add quirk for broken HS200
    - mmc: core: Fix init of SD cards reporting an invalid VDD range
    - stm class: Fix a double free of stm_source_device
    - intel_th: pci: Add support for another Lewisburg PCH
    - intel_th: pci: Add Tiger Lake support
    - typec: tcpm: fix a typo in the comparison of pdo_max_voltage
    - fsi: scom: Don't abort operations for minor errors
    - lib: logic_pio: Fix RCU usage
    - lib: logic_pio: Avoid possible overlap for unregistering regions
    - lib: logic_pio: Add logic_pio_unregister_range()
    - drm/amdgpu: Add APTX quirk for Dell Latitude 5495
    - drm/i915: Don't deballoon unused ggtt drm_mm_node in linux guest
    - drm/i915: Call dma_set_max_seg_size() in i915_driver_hw_probe()
    - bus: hisi_lpc: Unregister logical PIO range to avoid potential use-after-free
    - bus: hisi_lpc: Add .remove method to avoid driver unbind crash
    - VMCI: Release resource if the work is already queued
    - crypto: ccp - Ignore unconfigured CCP device on suspend/resume
    - Revert "cfg80211: fix processing world regdomain when non modular"
    - mac80211: fix possible sta leak
    - mac80211: Don't memset RXCB prior to PAE intercept
    - mac80211: Correctly set noencrypt for PAE frames
    - KVM: PPC: Book3S HV: Avoid lockdep debugging in TCE realmode handlers
    - KVM: PPC: Book3S: Fix incorrect guest-to-user-translation error handling
    - KVM: arm/arm64: vgic: Fix potential deadlock when ap_list is long
    - KVM: arm/arm64: vgic-v2: Handle SGI bits in GICD_I{S,C}PENDR0 as WI
    - NFS: Clean up list moves of struct nfs_page
    - NFSv4/pnfs: Fix a page lock leak in nfs_pageio_resend()
    - NFS: Pass error information to the pgio error cleanup routine
    - NFS: Ensure O_DIRECT reports an error if the bytes read/written is 0
    - i2c: piix4: Fix port selection for AMD Family 16h Model 30h
    - x86/ptrace: fix up botched merge of spectrev1 fix
    - mt76: mt76x0u: do not reset radio on resume
    - Revert "ASoC: Fail card instantiation if DAI format setup fails"
    - nvmet: Fix use-after-free bug when a port is removed
    - nvmet-file: fix nvmet_file_flush() always returning an error
    - nvme-rdma: fix possible use-after-free in connect error flow
    - nvme: fix controller removal race with scan work
    - IB/mlx5: Fix implicit MR release flow
    - dma-direct: don't truncate dma_required_mask to bus addressing capabilities
    - riscv: fix flush_tlb_range() end address for flush_tlb_page()
    - drm/scheduler: use job count instead of peek
    - locking/rwsem: Add missing ACQUIRE to read_slowpath exit when queue is empty
    - lcoking/rwsem: Add missing ACQUIRE to read_slowpath sleep loop
    - selftests/bpf: install files test_xdp_vlan.sh
    - ALSA: hda/ca0132 - Add new SBZ quirk
    - KVM: x86: hyper-v: don't crash on KVM_GET_SUPPORTED_HV_CPUID when kvm_intel.nested is disabled
    - x86/mm/cpa: Prevent large page split when ftrace flips RW on kernel text
    - usbtmc: more sanity checking for packet size
    - mmc: sdhci-cadence: enable v4_mode to fix ADMA 64-bit addressing
    - mmc: sdhci-sprd: fixed incorrect clock divider
    - mmc: sdhci-sprd: add SDHCI_QUIRK2_PRESET_VALUE_BROKEN
    - mms: sdhci-sprd: add SDHCI_QUIRK_BROKEN_CARD_DETECTION
    - mmc: sdhci-sprd: clear the UHS-I modes read from registers
    - mmc: sdhci-sprd: Implement the get_max_timeout_count() interface
    - mmc: sdhci-sprd: add get_ro hook function
    - drm/i915/dp: Fix DSC enable code to use cpu_transcoder instead of encoder->type
    - hsr: implement dellink to clean up resources
    - hsr: fix a NULL pointer deref in hsr_dev_xmit()
    - hsr: switch ->dellink() to ->ndo_uninit()
    - Revert "Input: elantech - enable SMBus on new (2018+) systems"
    - mld: fix memory leak in mld_del_delrec()
    - net: fix skb use after free in netpoll
    - net: sched: act_sample: fix psample group handling on overwrite
    - net_sched: fix a NULL pointer deref in ipt action
    - net: stmmac: dwmac-rk: Don't fail if phy regulator is absent
    - tcp: inherit timestamp on mtu probe
    - tcp: remove empty skb from write queue in error cases
    - x86/boot: Preserve boot_params.secure_boot from sanitizing
    - spi: bcm2835aux: unifying code between polling and interrupt driven code
    - spi: bcm2835aux: remove dangerous uncontrolled read of fifo
    - spi: bcm2835aux: fix corruptions for longer spi transfers
    - net: tundra: tsi108: use spin_lock_irqsave instead of spin_lock_irq in IRQ context
    - netfilter: nf_tables: use-after-free in failing rule with bound set
    - tools: bpftool: fix error message (prog -> object)
    - hv_netvsc: Fix a warning of suspicious RCU usage
    - net: tc35815: Explicitly check NET_IP_ALIGN is not zero in tc35815_rx
    - Bluetooth: btqca: Add a short delay before downloading the NVM
    - ibmveth: Convert multicast list size for little-endian system
    - gpio: Fix build error of function redefinition
    - netfilter: nft_flow_offload: skip tcp rst and fin packets
    - drm/mediatek: use correct device to import PRIME buffers
    - drm/mediatek: set DMA max segment size
    - scsi: qla2xxx: Fix gnl.l memory leak on adapter init failure
    - scsi: target: tcmu: avoid use-after-free after command timeout
    - cxgb4: fix a memory leak bug
    - liquidio: add cleanup in octeon_setup_iq()
    - net: myri10ge: fix memory leaks
    - lan78xx: Fix memory leaks
    - vfs: fix page locking deadlocks when deduping files
    - cx82310_eth: fix a memory leak bug
    - net: kalmia: fix memory leaks
    - ibmvnic: Unmap DMA address of TX descriptor buffers after use
    - net: cavium: fix driver name
    - wimax/i2400m: fix a memory leak bug
    - ravb: Fix use-after-free ravb_tstamp_skb
    - kprobes: Fix potential deadlock in kprobe_optimizer()
    - HID: cp2112: prevent sleeping function called from invalid context
    - x86/boot/compressed/64: Fix boot on machines with broken E820 table
    - Input: hyperv-keyboard: Use in-place iterator API in the channel callback
    - Tools: hv: kvp: eliminate 'may be used uninitialized' warning
    - nvme-multipath: fix possible I/O hang when paths are updated
    - IB/mlx4: Fix memory leaks
    - infiniband: hfi1: fix a memory leak bug
    - infiniband: hfi1: fix memory leaks
    - selftests: kvm: fix state save/load on processors without XSAVE
    - selftests/kvm: make platform_info_test pass on AMD
    - ceph: fix buffer free while holding i_ceph_lock in __ceph_setxattr()
    - ceph: fix buffer free while holding i_ceph_lock in __ceph_build_xattrs_blob()
    - ceph: fix buffer free while holding i_ceph_lock in fill_inode()
    - KVM: arm/arm64: Only skip MMIO insn once
    - afs: Fix leak in afs_lookup_cell_rcu()
    - KVM: arm/arm64: VGIC: Properly initialise private IRQ affinity
    - x86/boot/compressed/64: Fix missing initialization in find_trampoline_placement()
    - libceph: allow ceph_buffer_put() to receive a NULL ceph_buffer
    - Revert "r8152: napi hangup fix after disconnect"
    - r8152: remove calling netif_napi_del
    - batman-adv: Fix netlink dumping of all mcast_flags buckets
    - libbpf: fix erroneous multi-closing of BTF FD
    - libbpf: set BTF FD for prog only when there is supported .BTF.ext data
    - netfilter: nf_flow_table: fix offload for flows that are subject to xfrm
    - clk: samsung: Change signature of exynos5_subcmus_init() function
    - clk: samsung: exynos5800: Move MAU subsystem clocks to MAU sub-CMU
    - clk: samsung: exynos542x: Move MSCL subsystem clocks to its sub-CMU
    - netfilter: nf_flow_table: conntrack picks up expired flows
    - netfilter: nf_flow_table: teardown flow timeout race
    - ixgbe: fix possible deadlock in ixgbe_service_task()
    - nvme: Fix cntlid validation when not using NVMEoF
    - RDMA/cma: fix null-ptr-deref Read in cma_cleanup
    - RDMA/bnxt_re: Fix stack-out-of-bounds in bnxt_qplib_rcfw_send_message
    - gpio: Fix irqchip initialization order

  * New ID in ums-realtek module breaks cardreader (LP: #1838886) // Disco update: upstream stable patchset 2019-09-11 (LP: #1843622)
    - USB: storage: ums-realtek: Whitelist auto-delink support

  * ipv4: enable route flushing in network namespaces (LP: #1836912)
    - ipv4: enable route flushing in network namespaces

  * Enhanced Hardware Support - Finalize Naming (LP: #1842774)
    - s390: add support for IBM z15 machines

  * CVE-2019-16714
    - net/rds: Fix info leak in rds6_inc_info_copy()

  * CVE-2019-14821
    - KVM: coalesced_mmio: add bounds checking

 -- Khalid Elmously