ELSA-2021-9453

ELSA-2021-9453 - Unbreakable Enterprise kernel-container security update

Type:	SECURITY
Severity:	IMPORTANT
Release Date:	2021-09-21

Description

[4.14.35-2047.507.7.4.el7]
- KVM: x86: Check kvm_rebooting in kvm_spurious_fault() (Sean Christopherson) [Orabug: 33362693]

[4.14.35-2047.507.7.3]
- arm64: Reserve elfcorehdr before scanning reserved memory from device tree (Dave Kleikamp) [Orabug: 33354710]

[4.14.35-2047.507.7.2]
- net: geneve: modify IP header check in geneve6_xmit_skb and geneve_xmit_skb (Phillip Potter) [Orabug: 33337449]
- ip: Manual backport of pskb_inet_may_pull() (Hakon Bugge) [Orabug: 33337449]
- Revert Revert net: geneve: check skb is large enough for IPv4/IPv6 header (Hakon Bugge) [Orabug: 33337449]

[4.14.35-2047.507.7.1]
- RDMA/cma: Revert INIT-INIT patch (Mike Marciniszyn) [Orabug: 33306519]
- Revert net: geneve: check skb is large enough for IPv4/IPv6 header (Somasundaram Krishnasamy) [Orabug: 33323390]

[4.14.35-2047.507.7]
- xen-acpi-processor: fix coordination type mismatch (Elena Ufimtseva) [Orabug: 33296813]
- Revert mm: memcontrol: eliminate raw access to stat and event counters (Ritika Srivastava) [Orabug: 33254727]
- Revert mm: memcontrol: implement lruvec stat functions on top of each other (Ritika Srivastava) [Orabug: 33254727]
- KVM: do not allow mapping valid but non-reference-counted pages (Nicholas Piggin) [Orabug: 33054089] {CVE-2021-22543} {CVE-2021-22543}
- ocfs2: issue zeroout to EOF blocks (Junxiao Bi) [Orabug: 32974988]
- ocfs2: fix zero out valid data (Junxiao Bi) [Orabug: 32974988]

[4.14.35-2047.507.6]
- xen-netback: do not kfree_skb() when irq is disabled (Dongli Zhang) [Orabug: 33277336]
- rds: ib: Set SEND_SIGNALED on the last WR posted (Hakon Bugge) [Orabug: 33253068]
- uek-rpm: update kABI lists for new symbols (Saeed Mirzamohammadi) [Orabug: 33246581]
- scsi: lpfc: Fix crash due to port reset racing vs adapter error handling (James Smart) [Orabug: 33213341]
- xfs: dont drain buffer lru on freeze and read-only remount (Brian Foster) [Orabug: 33141334]
- xfs: rename xfs_wait_buftarg() to xfs_buftarg_drain() (Brian Foster) [Orabug: 33141334]
- Input: joydev - prevent use of not validated data in JSIOCSBTNMAP ioctl (Alexander Larkin) [Orabug: 33114988] {CVE-2021-3612}
- rds: fix statistics counters and check for memory leak (Hans Westgaard Ry) [Orabug: 31372381]
- dsc-drivers: update for 1.15.9-C-32 (Shannon Nelson) [Orabug: 33281086]
- dts/pensando: creating reserved dma memory pool for mnet devices (Neel Patel) [Orabug: 33281086]
- pcie: rm pcie register access message (#256) (Brad Smith) [Orabug: 33281086]
- drivers: updates for 1.15.9-C-28 (Shannon Nelson) [Orabug: 33281086]

[4.14.35-2047.507.5]
- rds_rdma: add missing rds_ib_cm_handle_connect tracepoint (Alan Maguire) [Orabug: 33243560]
- KVM: SVM: use vmsave/vmload for saving/restoring additional host state (Michael Roth) [Orabug: 33225761]
- KVM: SVM: Use asm goto to handle unexpected #UD on SVM instructions (Sean Christopherson) [Orabug: 33225761]
- kvm: svm/avic: Do not send AVIC doorbell to self (Suthikulpanit, Suravee) [Orabug: 33225761]
- svm/avic: Fix invalidate logical APIC id entry (Suthikulpanit, Suravee) [Orabug: 33225761]
- svm: Fix improper check when deactivate AVIC (Suthikulpanit, Suravee) [Orabug: 33225761]
- svm: Fix AVIC DFR and LDR handling (Suthikulpanit, Suravee) [Orabug: 33225761]
- scsi: qla2xxx: Add heartbeat check (Quinn Tran) [Orabug: 33116624]
- scsi: qla2xxx: Use list_move_tail() instead of list_del()/list_add_tail() (Baokun Li) [Orabug: 33116624]
- scsi: qla2xxx: Remove duplicate declarations (Shaokun Zhang) [Orabug: 33116624]
- scsi: qla2xxx: Log PCI address in qla_nvme_unregister_remote_port() (Daniel Wagner) [Orabug: 33116624]
- scsi: qla2xxx: Remove redundant assignment to rval (Jiapeng Chong) [Orabug: 33116624]
- scsi: qla2xxx: Prevent PRLI in target mode (Anastasia Kovaleva) [Orabug: 33116624]
- scsi: qla2xxx: Add marginal path handling support (Bikash Hazarika) [Orabug: 33116624]
- scsi: qla2xxx: Reserve extra IRQ vectors (Roman Bolshakov) [Orabug: 33116624]
- scsi: qla2xxx: Reuse existing error handling path (Christophe JAILLET) [Orabug: 33116624]
- scsi: qla2xxx: Remove unneeded if-null-free check (Qiheng Lin) [Orabug: 33116624]
- scsi: qla2xxx: Update version to 10.02.00.106-k (Nilesh Javali) [Orabug: 33116624]
- scsi: qla2xxx: Update default AER debug mask (Quinn Tran) [Orabug: 33116624]
- scsi: qla2xxx: Fix mailbox recovery during PCIe error (Quinn Tran) [Orabug: 33116624]
- scsi: qla2xxx: Fix crash in PCIe error handling (Quinn Tran) [Orabug: 33116624]
- scsi: qla2xxx: Fix RISC RESET completion polling (Quinn Tran) [Orabug: 33116624]
- scsi: qla2xxx: Fix crash in qla2xxx_mqueuecommand() (Arun Easi) [Orabug: 33116624]
- scsi: qla2xxx: Consolidate zio threshold setting for both FCP & NVMe (Quinn Tran) [Orabug: 33116624]
- scsi: qla2xxx: Fix stuck session (Quinn Tran) [Orabug: 33116624]
- scsi: qla2xxx: Add H:C:T info in the log message for fc ports (Arun Easi) [Orabug: 33116624]
- scsi: qla2xxx: Fix IOPS drop seen in some adapters (Arun Easi) [Orabug: 33116624]
- scsi: qla2xxx: Check kzalloc() return value (Bart Van Assche) [Orabug: 33116624]
- scsi: qla2xxx: Simplify qla8044_minidump_process_control() (Bart Van Assche) [Orabug: 33116624]
- scsi: qla2xxx: Suppress Coverity complaints about dseg_r* (Bart Van Assche) [Orabug: 33116624]
- scsi: qla2xxx: Fix endianness annotations (Bart Van Assche) [Orabug: 33116624]
- scsi: qla2xxx: Constify struct qla_tgt_func_tmpl (Bart Van Assche) [Orabug: 33116624]
- scsi: qla2xxx: Use dma_pool_zalloc() (Wang Qing) [Orabug: 33116624]
- scsi: qla2xxx: Fix a couple of misdocumented functions (Lee Jones) [Orabug: 33116624]
- scsi: qla2xxx: Fix incorrectly named function qla8044_check_temp() (Lee Jones) [Orabug: 33116624]
- scsi: qla2xxx: Fix a couple of misnamed functions (Lee Jones) [Orabug: 33116624]
- scsi: qla2xxx: Fix some incorrect formatting/spelling issues (Lee Jones) [Orabug: 33116624]
- scsi: qla2xxx: Replace __qla2x00_marker()s missing underscores (Lee Jones) [Orabug: 33116624]
- scsi: qla2xxx: Simplify if statement (Jiapeng Chong) [Orabug: 33116624]
- scsi: qla2xxx: Simplify the calculation of variables (Jiapeng Zhong) [Orabug: 33116624]
- scsi: qla2xxx: Fix some memory corruption (Dan Carpenter) [Orabug: 33116624]
- scsi: qla2xxx: Remove redundant NULL check (Yang Li) [Orabug: 33116624]
- scsi: qla2xxx: Remove unnecessary NULL check (Dan Carpenter) [Orabug: 33116624]
- scsi: qla2xxx: Assign boolean values to a bool variable (Jiapeng Zhong) [Orabug: 33116624]
- scsi: qla2xxx: fc_remote_port_chkready() returns a SCSI result value (Hannes Reinecke) [Orabug: 33116624]
- scsi: qla2xxx: Fix description for parameter ql2xenforce_iocb_limit (Enzo Matsumiya) [Orabug: 33116624]
- scsi: qla2xxx: Update version to 10.02.00.105-k (Nilesh Javali) [Orabug: 33116624]
- scsi: qla2xxx: Enable NVMe CONF (BIT_7) when enabling SLER (Saurav Kashyap) [Orabug: 33116624]
- scsi: qla2xxx: Fix mailbox Ch erroneous error (Quinn Tran) [Orabug: 33116624]
- scsi: qla2xxx: Wait for ABTS response on I/O timeouts for NVMe (Bikash Hazarika) [Orabug: 33116624]
- scsi: qla2xxx: Move some messages from debug to normal log level (Saurav Kashyap) [Orabug: 33116624]
- scsi: qla2xxx: Add error counters to debugfs node (Saurav Kashyap) [Orabug: 33116624]
- scsi: qla2xxx: Implementation to get and manage host, target stats and initiator port (Saurav Kashyap) [Orabug: 33116624]
- scsi: qla2xxx: Update version to 10.02.00.104-k (Nilesh Javali) [Orabug: 33116624]
- scsi: qla2xxx: Fix device loss on 4G and older HBAs (Arun Easi) [Orabug: 33116624]
- scsi: qla2xxx: If fcport is undergoing deletion complete I/O with retry (Saurav Kashyap) [Orabug: 33116624]
- scsi: qla2xxx: Fix the call trace for flush workqueue (Saurav Kashyap) [Orabug: 33116624]
- scsi: qla2xxx: Fix flash update in 28XX adapters on big endian machines (Arun Easi) [Orabug: 33116624]
- scsi: qla2xxx: Handle aborts correctly for port undergoing deletion (Saurav Kashyap) [Orabug: 33116624]
- scsi: qla2xxx: Fix N2N and NVMe connect retry failure (Quinn Tran) [Orabug: 33116624]
- scsi: qla2xxx: Fix FW initialization error on big endian machines (Arun Easi) [Orabug: 33116624]
- scsi: qla2xxx: Fix compilation issue in PPC systems (Arun Easi) [Orabug: 33116624]
- scsi: qla2xxx: Dont check for fw_started while posting NVMe command (Saurav Kashyap) [Orabug: 33116624]
- scsi: qla2xxx: Tear down session if FW say it is down (Quinn Tran) [Orabug: 33116624]
- scsi: qla2xxx: Limit interrupt vectors to number of CPUs (Quinn Tran) [Orabug: 33116624]
- scsi: qla2xxx: Change post del message from debug level to log level (Saurav Kashyap) [Orabug: 33116624]
- scsi: qla2xxx: Remove trailing semicolon in macro definition (Tom Rix) [Orabug: 33116624]
- scsi: qla2xxx: Remove in_interrupt() from qla83xx-specific code (Ahmed S. Darwish) [Orabug: 33116624]
- scsi: target: tcm_qla2xxx: Remove BUG_ON(in_interrupt()) (Ahmed S. Darwish) [Orabug: 33116624]
- scsi: qla2xxx: Remove in_interrupt() from qla82xx-specific code (Ahmed S. Darwish) [Orabug: 33116624]
- scsi: Remove unneeded break statements (Tom Rix) [Orabug: 33116624]
- scsi: scsi_transport_fc: Add store capability to rport port_state in sysfs (Muneendra Kumar) [Orabug: 33116624]
- scsi: scsi_transport_fc: Add a new rport state FC_PORTSTATE_MARGINAL (Muneendra Kumar) [Orabug: 33116624]
- scsi: core: No retries on abort success (Muneendra Kumar) [Orabug: 33116624]
- scsi: core: Add a new error code DID_TRANSPORT_MARGINAL in scsi.h (Muneendra Kumar) [Orabug: 33116624]

[4.14.35-2047.507.4]
- drivers: updated for 1.15.9.26 (Shannon Nelson) [Orabug: 33235357]
- XFS: code enhancement to help debug (Wengang Wang) [Orabug: 33186644]
- KVM: nSVM: always intercept VMLOAD/VMSAVE when nested (Maxim Levitsky) [Orabug: 33234941] {CVE-2021-3656} {CVE-2021-3656}
- KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl (Maxim Levitsky) [Orabug: 33234967] {CVE-2021-3653} {CVE-2021-3653}

[4.14.35-2047.507.3]
- drivers: updates for 1.15.9.21 (Shannon Nelson) [Orabug: 33220300]
- Revert rds/ib: reap tx completions during connection shutdown (Manjunath Patil) [Orabug: 33220435]
- Revert rds/ib: handle posted ACK during connection shutdown (Manjunath Patil) [Orabug: 33220435]
- Revert rds/ib: recover rds connection from interrupt loss scenario (Manjunath Patil) [Orabug: 33220435]
- Revert rds/ib: move rds_ib_clear_irq_miss() to .h file (Manjunath Patil) [Orabug: 33220435]
- NFS: Dont call generic_error_remove_page() while holding locks (Trond Myklebust) [Orabug: 33213898]
- ip6_gre: proper dev_{hold|put} in ndo_[un]init methods (aloktiw) [Orabug: 33179252]
- ifb: fix packets checksum (Jon Maxwell) [Orabug: 33145562]
- Linux 4.14.239 (Greg Kroah-Hartman)
- xen/events: reset active flag for lateeoi events later (Juergen Gross)
- kthread: prevent deadlock when kthread_mod_delayed_work() races with kthread_cancel_delayed_work_sync() (Petr Mladek)
- kthread_worker: split code for canceling the delayed work timer (Petr Mladek)
- kfifo: DECLARE_KIFO_PTR(fifo, u64) does not work on arm 32 bit (Sean Young)
- drm/nouveau: fix dma_address check for CPU/GPU sync (Christian Konig)
- scsi: sr: Return appropriate error code when disk is ejected (ManYi Li)
- mm/thp: another PVMW_SYNC fix in page_vma_mapped_walk() (Hugh Dickins)
- mm/thp: fix page_vma_mapped_walk() if THP mapped by ptes (Hugh Dickins)
- mm: page_vma_mapped_walk(): get vma_address_end() earlier (Hugh Dickins)
- mm: page_vma_mapped_walk(): use goto instead of while (1) (Hugh Dickins)
- mm: page_vma_mapped_walk(): add a level of indentation (Hugh Dickins)
- mm: page_vma_mapped_walk(): crossing page table boundary (Hugh Dickins)
- mm: page_vma_mapped_walk(): prettify PVMW_MIGRATION block (Hugh Dickins)
- mm: page_vma_mapped_walk(): use pmde for *pvmw->pmd (Hugh Dickins)
- mm: page_vma_mapped_walk(): settle PageHuge on entry (Hugh Dickins)
- mm: page_vma_mapped_walk(): use page for pvmw->page (Hugh Dickins)
- mm: thp: replace DEBUG_VM BUG with VM_WARN when unmap fails for split (Yang Shi)
- mm/thp: fix page_address_in_vma() on file THP tails (Jue Wang)
- mm/thp: fix vma_address() if virtual address below file offset (Hugh Dickins)
- mm/thp: try_to_unmap() use TTU_SYNC for safe splitting (Hugh Dickins)
- mm/rmap: use page_not_mapped in try_to_unmap() (Miaohe Lin)
- mm/rmap: remove unneeded semicolon in page_not_mapped() (Miaohe Lin)
- mm: add VM_WARN_ON_ONCE_PAGE() macro (Alex Shi)
- include/linux/mmdebug.h: make VM_WARN* non-rvals (Michal Hocko)

[4.14.35-2047.507.2]
- uek-rpm: mark /etc/ld.so.conf.d/ files as %config (Stephen Brennan) [Orabug: 33186981]
- rds: Congestion tracepoints should be enabled by default (Greg Jumper) [Orabug: 33145670]
- Linux 4.14.238 (Sasha Levin)
- i2c: robotfuzz-osif: fix control-request directions (Johan Hovold)
- nilfs2: fix memory leak in nilfs_sysfs_delete_device_group (Pavel Skripkin)
- pinctrl: stm32: fix the reported number of GPIO lines per bank (Fabien Dessenne)
- net: ll_temac: Avoid ndo_start_xmit returning NETDEV_TX_BUSY (Esben Haabendal)
- net: qed: Fix memcpy() overflow of qed_dcbx_params() (Kees Cook)
- r8169: Avoid memcpy() over-reading of ETH_SS_STATS (Kees Cook)
- sh_eth: Avoid memcpy() over-reading of ETH_SS_STATS (Kees Cook)
- r8152: Avoid memcpy() over-reading of ETH_SS_STATS (Kees Cook)
- net/packet: annotate accesses to po->ifindex (Eric Dumazet)
- net/packet: annotate accesses to po->bind (Eric Dumazet)
- net: caif: fix memory leak in ldisc_open (Pavel Skripkin)
- inet: annotate date races around sk->sk_txhash (Eric Dumazet)
- ping: Check return value of function ping_queue_rcv_skb (Zheng Yongjun)
- mac80211: drop multicast fragments (Johannes Berg)
- cfg80211: call cfg80211_leave_ocb when switching away from OCB (Du Cheng)
- mac80211: remove warning in ieee80211_get_sband() (Johannes Berg)
- Revert PCI: PM: Do not read power state in pci_enable_device_flags() (Rafael J. Wysocki)
- arm64: perf: Disable PMU while processing counter overflows (Suzuki K Poulose)
- MIPS: generic: Update node names to avoid unit addresses (Nathan Chancellor)
- Makefile: Move -Wno-unused-but-set-variable out of GCC only block (Nathan Chancellor)
- ARM: 9081/1: fix gcc-10 thumb2-kernel regression (Arnd Bergmann)
- drm/radeon: wait for moving fence after pinning (Christian Konig)
- drm/nouveau: wait for moving fence after pinning v2 (Christian Konig)
- x86/fpu: Reset state for all signal restore failures (Thomas Gleixner)
- unfuck sysfs_mount() (Al Viro)
- kernfs: deal with kernfs_fill_super() failures (Al Viro)
- usb: dwc3: core: fix kernel panic when do reboot (Peter Chen)
- inet: use bigger hash table for IP ID generation (Eric Dumazet)
- can: bcm/raw/isotp: use per module netdevice notifier (Tetsuo Handa)
- net: fec_ptp: add clock rate zero check (Fugang Duan)
- mm/slub.c: include swab.h (Andrew Morton)
- net: bridge: fix vlan tunnel dst refcnt when egressing (Nikolay Aleksandrov)
- net: bridge: fix vlan tunnel dst null pointer dereference (Nikolay Aleksandrov)
- dmaengine: pl330: fix wrong usage of spinlock flags in dma_cyclc (Bumyong Lee)
- ARCv2: save ABI registers across signal handling (Vineet Gupta)
- PCI: Work around Huawei Intelligent NIC VF FLR erratum (Chiqijun)
- PCI: Add ACS quirk for Broadcom BCM57414 NIC (Sriharsha Basavapatna)
- PCI: Mark some NVIDIA GPUs to avoid bus reset (Shanker Donthineni)
- PCI: Mark TI C667X to avoid bus reset (Antti Jarvinen)
- tracing: Do no increment trace_clock_global() by one (Steven Rostedt (VMware))
- tracing: Do not stop recording comms if the trace file is being read (Steven Rostedt (VMware))
- tracing: Do not stop recording cmdlines when tracing is off (Steven Rostedt (VMware))
- usb: core: hub: Disable autosuspend for Cypress CY7C65632 (Andrew Lunn)
- can: mcba_usb: fix memory leak in mcba_usb (Pavel Skripkin)
- hwmon: (scpi-hwmon) shows the negative temperature properly (Riwen Lu)
- radeon: use memcpy_to/fromio for UVD fw upload (Chen Li)
- net: ethernet: fix potential use-after-free in ec_bhf_remove (Pavel Skripkin)
- icmp: dont send out ICMP messages with a source address of 0.0.0.0 (Toke Hoiland-Jorgensen)
- net: cdc_eem: fix tx fixup skb leak (Linyu Yuan)
- net: hamradio: fix memory leak in mkiss_close (Pavel Skripkin)
- be2net: Fix an error handling path in be_probe() (Christophe JAILLET)
- net/af_unix: fix a data-race in unix_dgram_sendmsg / unix_release_sock (Eric Dumazet)
- net: ipv4: fix memory leak in ip_mc_add1_src (Chengyang Fan)
- net: usb: fix possible use-after-free in smsc75xx_bind (Dongliang Mu)
- net: cdc_ncm: switch to eth%d interface naming (Maciej zenczykowski)
- netxen_nic: Fix an error handling path in netxen_nic_probe() (Christophe JAILLET)
- qlcnic: Fix an error handling path in qlcnic_probe() (Christophe JAILLET)
- net: stmmac: dwmac1000: Fix extended MAC address registers definition (Jisheng Zhang)
- alx: Fix an error handling path in alx_probe() (Christophe JAILLET)
- netfilter: synproxy: Fix out of bounds when parsing TCP options (Maxim Mikityanskiy)
- rtnetlink: Fix regression in bridge VLAN configuration (Ido Schimmel)
- udp: fix race between close() and udp_abort() (Paolo Abeni)
- net: rds: fix memory leak in rds_recvmsg (Pavel Skripkin)
- net: ipv4: fix memory leak in netlbl_cipsov4_add_std (Nanyong Sun)
- batman-adv: Avoid WARN_ON timing related checks (Sven Eckelmann)
- mm/memory-failure: make sure wait for page writeback in memory_failure (yangerkun)
- dmaengine: stedma40: add missing iounmap() on error in d40_probe() (Yang Yingliang)
- dmaengine: QCOM_HIDMA_MGMT depends on HAS_IOMEM (Randy Dunlap)
- dmaengine: ALTERA_MSGDMA depends on HAS_IOMEM (Randy Dunlap)
- fib: Return the correct errno code (Zheng Yongjun)
- net: Return the correct errno code (Zheng Yongjun)
- net/x25: Return the correct errno code (Zheng Yongjun)
- rtnetlink: Fix missing error code in rtnl_bridge_notify() (Jiapeng Chong)
- net: ipconfig: Dont override command-line hostnames or domains (Josh Triplett)
- nvme-loop: check for NVME_LOOP_Q_LIVE in nvme_loop_destroy_admin_queue() (Hannes Reinecke)
- nvme-loop: clear NVME_LOOP_Q_LIVE when nvme_loop_configure_admin_queue() fails (Hannes Reinecke)
- nvme-loop: reset queue count to 1 in nvme_loop_destroy_io_queues() (Hannes Reinecke)
- ethernet: myri10ge: Fix missing error code in myri10ge_probe() (Jiapeng Chong)
- scsi: target: core: Fix warning on realtime kernels (Maurizio Lombardi)
- gfs2: Fix use-after-free in gfs2_glock_shrink_scan (Hillf Danton)
- HID: gt683r: add missing MODULE_DEVICE_TABLE (Bixuan Cui)
- ARM: OMAP2+: Fix build warning when mmc_omap is not built (Yongqiang Liu)
- HID: usbhid: fix info leak in hid_submit_ctrl (Anirudh Rayabharam)
- HID: Add BUS_VIRTUAL to hid_connect logging (Mark Bolhuis)
- HID: hid-sensor-hub: Return error for hid_set_field() failure (Srinivas Pandruvada)
- net: ieee802154: fix null deref in parse dev addr (Dan Robertson)
- Linux 4.14.237 (Greg Kroah-Hartman)
- proc: only require mm_struct for writing (Linus Torvalds)
- tracing: Correct the length check which causes memory corruption (Liangyan)
- ftrace: Do not blindly read the ip address in ftrace_bug() (Steven Rostedt (VMware))
- scsi: core: Only put parent device if host state differs from SHOST_CREATED (Ming Lei)
- scsi: core: Put .shost_dev in failure path if host state changes to RUNNING (Ming Lei)
- scsi: core: Fix error handling of scsi_host_alloc() (Ming Lei)
- NFS: Fix use-after-free in nfs4_init_client() (Anna Schumaker)
- kvm: fix previous commit for 32-bit builds (Paolo Bonzini)
- perf session: Correct buffer copying when peeking events (Leo Yan)
- NFS: Fix a potential NULL dereference in nfs_get_client() (Dan Carpenter)
- perf: Fix data race between pin_count increment/decrement (Marco Elver)
- regulator: max77620: Use device_set_of_node_from_dev() (Dmitry Osipenko)
- regulator: core: resolve supply for boot-on/always-on regulators (Dmitry Baryshkov)
- usb: fix various gadget panics on 10gbps cabling (Maciej zenczykowski)
- usb: fix various gadgets null ptr deref on 10gbps cabling. (Maciej zenczykowski)
- usb: gadget: eem: fix wrong eem header operation (Linyu Yuan)
- USB: serial: quatech2: fix control-request directions (Johan Hovold)
- USB: serial: omninet: add device id for Zyxel Omni 56K Plus (Alexandre GRIVEAUX)
- USB: serial: ftdi_sio: add NovaTech OrionMX product ID (George McCollister)
- usb: gadget: f_fs: Ensure io_completion_wq is idle during unbind (Wesley Cheng)
- usb: typec: ucsi: Clear PPM capability data in ucsi_init() error path (Mayank Rana)
- usb: dwc3: ep0: fix NULL pointer exception (Marian-Cristian Rotariu)
- USB: f_ncm: ncm_bitrate (speed) is unsigned (Maciej zenczykowski)
- cgroup1: dont allow
in renaming (Alexander Kuznetsov)
- btrfs: return value from btrfs_mark_extent_written() in case of error (Ritesh Harjani)
- staging: rtl8723bs: Fix uninitialized variables (Wenli Looi)
- kvm: avoid speculation-based attacks from out-of-range memslot accesses (Paolo Bonzini)
- drm: Lock pointer access in drm_master_release() (Desmond Cheong Zhi Xi)
- drm: Fix use-after-free read in drm_getunique() (Desmond Cheong Zhi Xi)
- i2c: mpc: implement erratum A-004447 workaround (Chris Packham)
- i2c: mpc: Make use of i2c_recover_bus() (Chris Packham)
- powerpc/fsl: set fsl,i2c-erratum-a004447 flag for P1010 i2c controllers (Chris Packham)
- powerpc/fsl: set fsl,i2c-erratum-a004447 flag for P2041 i2c controllers (Chris Packham)
- bnx2x: Fix missing error code in bnx2x_iov_init_one() (Jiapeng Chong)
- MIPS: Fix kernel hang under FUNCTION_GRAPH_TRACER and PREEMPT_TRACER (Tiezhu Yang)
- net: appletalk: cops: Fix data race in cops_probe1 (Saubhik Mukherjee)
- net: macb: ensure the device is available before accessing GEMGXL control registers (Zong Li)
- scsi: target: qla2xxx: Wait for stop_phase1 at WWN removal (Dmitry Bogdanov)
- scsi: vmw_pvscsi: Set correct residual data length (Matt Wang)
- net/qla3xxx: fix schedule while atomic in ql_sem_spinlock (Zheyu Ma)
- wq: handle VM suspension in stall detection (Sergey Senozhatsky)
- cgroup: disable controllers at parse time (Shakeel Butt)
- net: mdiobus: get rid of a BUG_ON() (Dan Carpenter)
- netlink: disable IRQs for netlink_lock_table() (Johannes Berg)
- bonding: init notify_work earlier to avoid uninitialized use (Johannes Berg)
- isdn: mISDN: netjet: Fix crash in nj_probe: (Zheyu Ma)
- ASoC: sti-sas: add missing MODULE_DEVICE_TABLE (Zou Wei)
- net/nfc/rawsock.c: fix a permission check bug (Jeimon)
- proc: Track /proc//attr/ opener mm_struct (Kees Cook)
- rds/ib: quarantine STALE mr before dereg (Manjunath Patil) [Orabug: 33150437]
- rds/ib: avoid dereg of mr in frwr_clean (Manjunath Patil) [Orabug: 33150414]
- rds/ib: update mr incarnation after forming inv wr (Manjunath Patil) [Orabug: 33177350]
- can: bcm: delay release of struct bcm_op after synchronize_rcu() (Thadeu Lima de Souza Cascardo) [Orabug: 33114648] {CVE-2021-3609}

[4.14.35-2047.507.1]
- can: bcm: fix infoleak in struct bcm_msg_head (Norbert Slusarek) [Orabug: 33030700] {CVE-2021-34693}
- Linux 4.14.236 (Greg Kroah-Hartman)
- xen-pciback: redo VF placement in the virtual topology (Jan Beulich)
- sched/fair: Optimize select_idle_cpu (Cheng Jian)
- KVM: SVM: Truncate GPR value for DR and CR accesses in !64-bit mode (Sean Christopherson)
- bnxt_en: Remove the setting of dev_port. (Michael Chan)
- bpf: No need to simulate speculative domain for immediates (Daniel Borkmann)
- bpf: Fix mask direction swap upon off reg sign change (Daniel Borkmann)
- bpf: Wrap aux data inside bpf_sanitize_info container (Daniel Borkmann)
- bpf: Fix leakage of uninitialized bpf stack under speculation (Daniel Borkmann)
- selftests/bpf: make dubious pointer arithmetic test useful (Alexei Starovoitov)
- selftests/bpf: fix test_align (Alexei Starovoitov)
- bpf/verifier: disallow pointer subtraction (Alexei Starovoitov)
- bpf: Update selftests to reflect new error states (Daniel Borkmann)
- bpf: Tighten speculative pointer arithmetic mask (Daniel Borkmann)
- bpf: Move sanitize_val_alu out of op switch (Daniel Borkmann)
- bpf: Refactor and streamline bounds check into helper (Daniel Borkmann)
- bpf: Improve verifier error messages for users (Daniel Borkmann)
- bpf: Rework ptr_limit into alu_limit and add common error path (Daniel Borkmann)
- bpf: Ensure off_reg has no mixed signed bounds for all types (Daniel Borkmann)
- bpf: Move off_reg into sanitize_ptr_alu (Daniel Borkmann)
- bpf, selftests: Fix up some test_verifier cases for unprivileged (Piotr Krysiuk)
- mm, hugetlb: fix simple resv_huge_pages underflow on UFFDIO_COPY (Mina Almasry)
- btrfs: fixup error handling in fixup_inode_link_counts (Josef Bacik)
- btrfs: fix error handling in btrfs_del_csums (Josef Bacik)
- nfc: fix NULL ptr dereference in llcp_sock_getname() after failed connect (Krzysztof Kozlowski)
- ocfs2: fix data corruption by fallocate (Junxiao Bi)
- pid: take a reference when initializing (Mark Rutland)
- ext4: fix bug on in ext4_es_cache_extent as ext4_split_extent_at failed (Ye Bin)
- ALSA: timer: Fix master timer notification (Takashi Iwai)
- net: caif: fix memory leak in cfusbl_device_notify (Pavel Skripkin)
- net: caif: fix memory leak in caif_device_notify (Pavel Skripkin)
- net: caif: add proper error handling (Pavel Skripkin)
- net: caif: added cfserl_release function (Pavel Skripkin)
- ieee802154: fix error return code in ieee802154_llsec_getparams() (Wei Yongjun)
- ieee802154: fix error return code in ieee802154_add_iface() (Zhen Lei)
- netfilter: nfnetlink_cthelper: hit EBUSY on updates if size mismatches (Pablo Neira Ayuso)
- HID: i2c-hid: fix format string mismatch (Arnd Bergmann)
- HID: pidff: fix error return code in hid_pidff_init() (Zhen Lei)
- ipvs: ignore IP_VS_SVC_F_HASHED flag when adding service (Julian Anastasov)
- vfio/platform: fix module_put call in error flow (Max Gurtovoy)
- vfio/pci: zap_vma_ptes() needs MMU (Randy Dunlap)
- vfio/pci: Fix error return code in vfio_ecap_init() (Zhen Lei)
- efi: cper: fix snprintf() use in cper_dimm_err_location() (Rasmus Villemoes)
- efi: Allow EFI_MEMORY_XP and EFI_MEMORY_RO both to be cleared (Heiner Kallweit)
- net: usb: cdc_ncm: dont spew notifications (Grant Grundler)
- Linux 4.14.235 (Greg Kroah-Hartman)
- usb: core: reduce power-on-good delay time of root hub (Chunfeng Yun)
- drivers/net/ethernet: clean up unused assignments (Jesse Brandeburg)
- hugetlbfs: hugetlb_fault_mutex_hash() cleanup (Mike Kravetz)
- MIPS: ralink: export rt_sysc_membase for rt2880_wdt.c (Randy Dunlap)
- MIPS: alchemy: xxs1500: add gpio-au1000.h header file (Randy Dunlap)
- sch_dsmark: fix a NULL deref in qdisc_reset() (Taehee Yoo)
- ipv6: record frag_max_size in atomic fragments in input path (Francesco Ruggeri)
- scsi: libsas: Use _safe() loop in sas_resume_port() (Dan Carpenter)
- ixgbe: fix large MTU request from VF (Jesse Brandeburg)
- bpf: Set mac_len in bpf_skb_change_head (Jussi Maki)
- ASoC: cs35l33: fix an error code in probe() (Dan Carpenter)
- staging: emxx_udc: fix loop in _nbu2ss_nuke() (Dan Carpenter)
- mld: fix panic in mld_newpack() (Taehee Yoo)
- net: bnx2: Fix error return code in bnx2_init_board() (Zhen Lei)
- net: mdio: octeon: Fix some double free issues (Christophe JAILLET)
- net: mdio: thunder: Fix a double free issue in the .remove function (Christophe JAILLET)
- net: netcp: Fix an error message (Christophe JAILLET)
- drm/amdgpu: Fix a use-after-free (xinhui pan)
- SMB3: incorrect file id in requests compounded with open (Steve French)
- platform/x86: intel_punit_ipc: Append MODULE_DEVICE_TABLE for ACPI (Andy Shevchenko)
- platform/x86: hp-wireless: add AMDs hardware id to the supported list (Shyam Sundar S K)
- btrfs: do not BUG_ON in link_to_fixup_dir (Josef Bacik)
- openrisc: Define memory barrier mb (Peter Zijlstra)
- scsi: BusLogic: Fix 64-bit system enumeration error for Buslogic (Matt Wang)
- media: gspca: properly check for errors in po1030_probe() (Greg Kroah-Hartman)
- media: dvb: Add check on sp8870_readreg return (Alaa Emad)
- libertas: register sysfs groups properly (Greg Kroah-Hartman)
- dmaengine: qcom_hidma: comment platform_driver_register call (Phillip Potter)
- isdn: mISDNinfineon: check/cleanup ioremap failure correctly in setup_io (Phillip Potter)
- char: hpet: add checks after calling ioremap (Tom Seewald)
- net: caif: remove BUG_ON(dev == NULL) in caif_xmit (Du Cheng)
- net: fujitsu: fix potential null-ptr-deref (Anirudh Rayabharam)
- serial: max310x: unregister uart driver in case of failure and abort (Atul Gopinathan)
- platform/x86: hp_accel: Avoid invoking _INI to speed up resume (Kai-Heng Feng)
- perf jevents: Fix getting maximum number of fds (Felix Fietkau)
- i2c: i801: Dont generate an interrupt on bus reset (Jean Delvare)
- i2c: s3c2410: fix possible NULL pointer deref on read message after write (Krzysztof Kozlowski)
- tipc: skb_linearize the head skb when reassembling msgs (Xin Long)
- Revert net:tipc: Fix a double free in tipc_sk_mcast_rcv (Hoang Le)
- drm/meson: fix shutdown crash when component not probed (Neil Armstrong)
- NFSv4: Fix v4.0/v4.1 SEEK_DATA return -ENOTSUPP when set NFS_V4_2 config (Zhang Xiaoxu)
- NFS: Dont corrupt the value of pg_bytes_written in nfs_do_recoalesce() (Trond Myklebust)
- NFS: fix an incorrect limit in filelayout_decode_layout() (Dan Carpenter)
- Bluetooth: cmtp: fix file refcount when cmtp_attach_device fails (Thadeu Lima de Souza Cascardo)
- net: usb: fix memory leak in smsc75xx_bind (Pavel Skripkin)
- usb: gadget: udc: renesas_usb3: Fix a race in usb3_start_pipen() (Yoshihiro Shimoda)
- USB: serial: pl2303: add device id for ADLINK ND-6530 GC (Zolton Jheng)
- USB: serial: ftdi_sio: add IDs for IDS GmbH Products (Dominik Andreas Schorpp)
- USB: serial: option: add Telit LE910-S1 compositions 0x7010, 0x7011 (Daniele Palmas)
- USB: serial: ti_usb_3410_5052: add startech.com device id (Sean MacLennan)
- serial: rp2: use request_firmware instead of request_firmware_nowait (Zheyu Ma)
- serial: sh-sci: Fix off-by-one error in FIFO threshold register setting (Geert Uytterhoeven)
- USB: trancevibrator: fix control-request direction (Johan Hovold)
- iio: adc: ad7793: Add missing error code in ad7793_setup() (YueHaibing)
- staging: iio: cdc: ad7746: avoid overwrite of num_channels (Lucas Stankus)
- mei: request autosuspend after sending rx flow control (Alexander Usyskin)
- thunderbolt: dma_port: Fix NVM read buffer bounds and offset issue (Mathias Nyman)
- misc/uss720: fix memory leak in uss720_probe (Dongliang Mu)
- kgdb: fix gcc-11 warnings harder (Greg Kroah-Hartman)
- dm snapshot: properly fix a crash when an origin has no snapshots (Mikulas Patocka)
- ath10k: Validate first subframe of A-MSDU before processing the list (Sriram R)
- mac80211: extend protection against mixed key and fragment cache attacks (Wen Gong) {CVE-2020-24586} {CVE-2020-24587}
- mac80211: do not accept/forward invalid EAPOL frames (Johannes Berg)
- mac80211: prevent attacks on TKIP/WEP as well (Johannes Berg)
- mac80211: check defrag PN against current frame (Johannes Berg)
- mac80211: add fragment cache to sta_info (Johannes Berg)
- mac80211: drop A-MSDUs on old ciphers (Johannes Berg) {CVE-2020-24588}
- cfg80211: mitigate A-MSDU aggregation attacks (Mathy Vanhoef) {CVE-2020-24588}
- mac80211: properly handle A-MSDUs that start with an RFC 1042 header (Mathy Vanhoef)
- mac80211: prevent mixed key and fragment cache attacks (Mathy Vanhoef) {CVE-2020-24587} {CVE-2020-24586}
- mac80211: assure all fragments are encrypted (Mathy Vanhoef) {CVE-2020-26147}
- net: hso: fix control-request directions (Johan Hovold)
- proc: Check /proc//attr/ writes against file opener (Kees Cook)
- perf intel-pt: Fix transaction abort handling (Adrian Hunter)
- perf intel-pt: Fix sample instruction bytes (Adrian Hunter)
- iommu/vt-d: Fix sysfs leak in alloc_iommu() (Rolf Eike Beer)
- NFSv4: Fix a NULL pointer dereference in pnfs_mark_matching_lsegs_return() (Anna Schumaker)
- NFC: nci: fix memory leak in nci_allocate_device (Dongliang Mu)
- usb: dwc3: gadget: Enable suspend events (Jack Pham)
- scripts: switch explicitly to Python 3 (Andy Shevchenko)
- tweewide: Fix most Shebang lines (Finn Behrens)
- A/A Bonding: dev_hold/put() the delayed GARP work handlers netdev in rdmaip (Sharath Srinivasan) [Orabug: 33161269]
- capmem: Mark the pages as non-readonly+dirty. (David Clear) [Orabug: 33155665]
- Revert capmem: Mark the pages as non-readonly+dirty. (Dave Kleikamp) [Orabug: 33155665]
- ionic: clean interrupt before enabling queue to avoid credit race (Shannon Nelson) [Orabug: 33155665]
- scsi: core: Retry I/O for Notify (Enable Spinup) Required error (Quat Le) [Orabug: 33165871]
- Revert x86/reboot: Force all cpus to exit VMX root if VMX is supported (Somasundaram Krishnasamy) [Orabug: 33156450]

Related CVEs

CVE-2021-3653

CVE-2021-34693

CVE-2021-3612

CVE-2020-24586

CVE-2021-23134

CVE-2020-24587

CVE-2020-24588

CVE-2020-26147

CVE-2021-3609

CVE-2021-22543

CVE-2021-3656

Updated Packages

Release/Architecture	Filename	MD5sum	Superseded By Advisory
Oracle Linux 7 (x86_64)	kernel-uek-container-4.14.35-2047.507.7.4.el7.src.rpm	584b313556d544ec18253464c91f7a0f	-
	kernel-uek-container-4.14.35-2047.507.7.4.el7.x86_64.rpm	1c379fc3865730a86da52b224312c7a7	-

This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team