openSUSE-SU-2016:1641-1
Jun 21, 2016 - 2:08 p.m.

Security update for the Linux Kernel (important)

lists.opensuse.org

EPSS: 0.03 (Low), percentile 89.8%

The openSUSE Leap 42.1 kernel was updated to 4.1.26 to receive various
security and bugfixes.

The following security bugs were fixed:

  • CVE-2016-1583: Prevent the usage of mmap when the lower file system does
    not allow it. This could have led to local privilege escalation when
    ecryptfs-utils was installed and /sbin/mount.ecryptfs_private was setuid
    (bsc#983143).
  • CVE-2016-4565: The InfiniBand (aka IB) stack in the Linux kernel
    incorrectly relies on the write system call, which allows local users to
    cause a denial of service (kernel memory write operation) or possibly
    have unspecified other impact via a uAPI interface. (bsc#979548)
  • CVE-2016-4805: Use-after-free vulnerability in
    drivers/net/ppp/ppp_generic.c in the Linux kernel allowed local users to
    cause a denial of service (memory corruption and system crash,
    or spinlock) or possibly have unspecified other impact by removing a
    network namespace, related to the ppp_register_net_channel and
    ppp_unregister_channel functions. (bsc#980371).
  • CVE-2016-4951: The tipc_nl_publ_dump function in net/tipc/socket.c in
    the Linux kernel did not verify socket existence, which allowed local
    users to cause a denial of service (NULL pointer dereference and system
    crash) or possibly have unspecified other impact via a dumpit
    operation. (bsc#981058).
  • CVE-2016-5244: An information leak vulnerability in function
    rds_inc_info_copy of file net/rds/recv.c was fixed that might have
    leaked kernel stack data. (bsc#983213).
  • CVE-2016-4580: The x25_negotiate_facilities function in
    net/x25/x25_facilities.c in the Linux kernel did not properly initialize
    a certain data structure, which allowed attackers to
    obtain sensitive information from kernel stack memory via an X.25 Call
    Request. (bsc#981267).
  • CVE-2016-0758: Tags with indefinite length could have corrupted pointers
    in asn1_find_indefinite_length (bsc#979867).
  • CVE-2016-2053: The asn1_ber_decoder function in lib/asn1_decoder.c in
    the Linux kernel allowed attackers to cause a denial of service (panic)
    via an ASN.1 BER file that lacks a public key, leading to mishandling by
    the public_key_verify_signature function in
    crypto/asymmetric_keys/public_key.c (bnc#963762).
  • CVE-2013-7446: Use-after-free vulnerability in net/unix/af_unix.c in the
    Linux kernel allowed local users to bypass intended AF_UNIX socket
    permissions or cause a denial of service (panic) via crafted epoll_ctl
    calls (bnc#955654).
  • CVE-2016-3134: The netfilter subsystem in the Linux kernel did not
    validate certain offset fields, which allowed local users to gain
    privileges or cause a denial of service (heap memory corruption) via an
    IPT_SO_SET_REPLACE setsockopt call (bnc#971126).
  • CVE-2016-3672: The arch_pick_mmap_layout function in arch/x86/mm/mmap.c
    in the Linux kernel did not properly randomize the legacy base address,
    which made it easier for local users to defeat the intended restrictions
    on the ADDR_NO_RANDOMIZE flag, and bypass the ASLR protection mechanism
    for a setuid or setgid program, by disabling stack-consumption resource
    limits (bnc#974308).
  • CVE-2016-4482: A kernel information leak in the usbfs devio connectinfo
    was fixed, which could expose kernel stack memory to userspace.
    (bnc#978401).
  • CVE-2016-4485: A kernel information leak in llc was fixed (bsc#978821).
  • CVE-2016-4486: A kernel information leak in rtnetlink was fixed, where 4
    uninitialized bytes could leak to userspace (bsc#978822).
  • CVE-2016-4557: A use-after-free via double-fdput in
    replace_map_fd_with_map_ptr() was fixed, which could allow privilege
    escalation (bsc#979018).
  • CVE-2016-4565: When the "rdma_ucm" infiniband module is loaded, local
    attackers could escalate their privileges (bsc#979548).
  • CVE-2016-4569: A kernel information leak in the ALSA timer via events
    via snd_timer_user_tinterrupt that could leak information to userspace
    was fixed (bsc#979213).
  • CVE-2016-4578: A kernel information leak in the ALSA timer via events
    that could leak information to userspace was fixed (bsc#979879).
  • CVE-2016-4581: If the first propagated mount copy was a slave it could
    oops the kernel (bsc#979913).
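An exposure check a defender might run against this advisory (added example, not part of the advisory): it compares the running kernel against the fixed version 4.1.26 stated above and reports whether the setuid helper that CVE-2016-1583 depends on is present. It assumes openSUSE Leap 42.1 reports the kernel as "<version>-<release>-<flavor>" (e.g. 4.1.26-21-default) from `uname -r`.

```shell
#!/bin/sh
# Exposure check for openSUSE-SU-2016:1641-1 (added example, not the advisory's own code).
# Assumes `uname -r` yields "<version>-<release>-<flavor>", e.g. 4.1.26-21-default;
# 4.1.26 is the fixed kernel version named in the advisory.
FIXED_KERNEL="4.1.26"
ECRYPTFS_HELPER="/sbin/mount.ecryptfs_private"   # setuid precondition of CVE-2016-1583

# ver_lt A B: succeed when dotted version A is strictly older than B.
# Compares numerically component by component; a missing component counts as 0.
ver_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 1
}

# kernel_base: strip the "-<release>-<flavor>" suffix from a uname -r string.
kernel_base() { printf '%s\n' "${1%%-*}"; }

# kernel_patched: succeed when the given uname -r string is at or above FIXED_KERNEL.
kernel_patched() { ! ver_lt "$(kernel_base "$1")" "$FIXED_KERNEL"; }

main() {
    running="$(uname -r)"
    if kernel_patched "$running"; then
        echo "kernel $running: at or above $FIXED_KERNEL, advisory applied"
    else
        echo "kernel $running: older than $FIXED_KERNEL, update needed"
    fi
    # Local privilege escalation via CVE-2016-1583 also needs the setuid helper.
    if [ -u "$ECRYPTFS_HELPER" ]; then
        echo "$ECRYPTFS_HELPER is setuid: CVE-2016-1583 precondition present"
    else
        echo "$ECRYPTFS_HELPER absent or not setuid"
    fi
}

main
```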

The following non-security bugs were fixed:

  • ALSA: hda - Add dock support for ThinkPad X260 (boo#979278).
  • ALSA: hda - Apply fix for white noise on Asus N550JV, too (boo#979278).
  • ALSA: hda - Asus N750JV external subwoofer fixup (boo#979278).
  • ALSA: hda - Fix broken reconfig (boo#979278).
  • ALSA: hda - Fix headphone mic input on a few Dell ALC293 machines
    (boo#979278).
  • ALSA: hda - Fix subwoofer pin on ASUS N751 and N551 (boo#979278).
  • ALSA: hda - Fix white noise on Asus N750JV headphone (boo#979278).
  • ALSA: hda - Fix white noise on Asus UX501VW headset (boo#979278).
  • ALSA: hda/realtek - Add ALC3234 headset mode for Optiplex 9020m
    (boo#979278).
  • ALSA: hda/realtek - New codecs support for ALC234/ALC274/ALC294
    (boo#979278).
  • ALSA: hda/realtek - New codec support of ALC225 (boo#979278).
  • ALSA: hda/realtek - Support headset mode for ALC225 (boo#979278).
  • ALSA: pcxhr: Fix missing mutex unlock (boo#979278).
  • ALSA: usb-audio: Quirk for yet another Phoenix Audio devices (v2)
    (boo#979278).
  • bluetooth: fix power_on vs close race (bsc#966849).
  • bluetooth: vhci: fix open_timeout vs. hdev race (bsc#971799,bsc#966849).
  • bluetooth: vhci: Fix race at creating hci device (bsc#971799,bsc#966849).
  • bluetooth: vhci: purge unhandled skbs (bsc#971799,bsc#966849).
  • btrfs: do not use src fd for printk (bsc#980348).
  • btrfs: fix crash/invalid memory access on fsync when using overlayfs
    (bsc#977198)
  • drm: qxl: Workaround for buggy user-space (bsc#981344).
  • enic: set netdev->vlan_features (bsc#966245).
  • fs: add file_dentry() (bsc#977198).
  • IB/IPoIB: Do not set skb truesize since using one linearskb (bsc#980657).
  • input: i8042 - lower log level for "no controller" message (bsc#945345).
  • kabi: Add kabi/severities entries to ignore sound/hda/, x509_,
    efivar_validate, file_open_root and dax_fault
  • kabi: Add some fixups (module, pci_dev, drm, fuse and thermal)
  • kabi: file_dentry changes (bsc#977198).
  • kABI fixes for 4.1.22
  • mm/page_alloc.c: calculate ‘available’ memory in a separate function
    (bsc#982239).
  • net: disable fragment reassembly if high_thresh is zero (bsc#970506).
  • of: iommu: Silence misleading warning.
  • pstore_register() error handling was wrong: it tried to release the lock
    before it was acquired, causing a spinlock / preemption imbalance.
  • usb: quirk to stop runtime PM for Intel 7260 (bnc#984460).
  • Revert "usb: hub: do not clear BOS field during reset device"
    (boo#979728).
  • usb: core: hub: hub_port_init lock controller instead of bus
    (bnc#978073).
  • usb: preserve kABI in address0 locking (bnc#978073).
  • usb: usbip: fix potential out-of-bounds write (bnc#975945).
  • USB: xhci: Add broken streams quirk for Frescologic device id 1009
    (bnc#982712).
  • virtio_balloon: do not change memory amount visible via /proc/meminfo
    (bsc#982238).
  • virtio_balloon: export ‘available’ memory to balloon statistics
    (bsc#982239).
