SUSE-SU-2013:1473-1
Sep 21, 2013 - 12:04 a.m.

Security update for Linux kernel (important)

2013-09-21 00:04:17
lists.opensuse.org

EPSS: 0.04 (percentile 92.3%)

The SUSE Linux Enterprise 11 Service Pack 3 kernel has been
updated to version 3.0.93 to fix various bugs and
security issues.

The following features have been added:

  • NFS: Now supports a "nosharetransport" option
    (bnc#807502, bnc#828192, FATE#315593).
  • ALSA: virtuoso: Xonar DSX support was added
    (FATE#316016).

The following security issues have been fixed:

CVE-2013-2148: The fill_event_metadata function in
fs/notify/fanotify/fanotify_user.c in the Linux kernel did
not initialize a certain structure member, which allowed
local users to obtain sensitive information from kernel
memory via a read operation on the fanotify descriptor.

CVE-2013-2237: The key_notify_policy_flush function
in net/key/af_key.c in the Linux kernel did not initialize
a certain structure member, which allowed local users to
obtain sensitive information from kernel heap memory by
reading a broadcast message from the notify_policy
interface of an IPSec key_socket.

CVE-2013-2232: The ip6_sk_dst_check function in
net/ipv6/ip6_output.c in the Linux kernel allowed local
users to cause a denial of service (system crash) by using
an AF_INET6 socket for a connection to an IPv4 interface.

CVE-2013-2234: The (1) key_notify_sa_flush and (2)
key_notify_policy_flush functions in net/key/af_key.c in
the Linux kernel did not initialize certain structure
members, which allowed local users to obtain sensitive
information from kernel heap memory by reading a broadcast
message from the notify interface of an IPSec key_socket.

CVE-2013-4162: The udp_v6_push_pending_frames function in
net/ipv6/udp.c in the IPv6 implementation in the Linux
kernel made an incorrect function call for pending data,
which allowed local users to cause a denial of service (BUG
and system crash) via a crafted application that uses the
UDP_CORK option in a setsockopt system call.

CVE-2013-1059: net/ceph/auth_none.c in the Linux
kernel allowed remote attackers to cause a denial of
service (NULL pointer dereference and system crash) or
possibly have unspecified other impact via an auth_reply
message that triggers an attempted build_request operation.

CVE-2013-2164: The mmc_ioctl_cdrom_read_data function
in drivers/cdrom/cdrom.c in the Linux kernel allowed local
users to obtain sensitive information from kernel memory
via a read operation on a malfunctioning CD-ROM drive.

CVE-2013-2851: Format string vulnerability in the
register_disk function in block/genhd.c in the Linux kernel
allowed local users to gain privileges by leveraging root
access and writing format string specifiers to
/sys/module/md_mod/parameters/new_array in order to create
a crafted /dev/md device name.

CVE-2013-4163: The ip6_append_data_mtu function in
net/ipv6/ip6_output.c in the IPv6 implementation in the
Linux kernel did not properly maintain information about
whether the IPV6_MTU setsockopt option had been specified,
which allowed local users to cause a denial of service (BUG
and system crash) via a crafted application that uses the
UDP_CORK option in a setsockopt system call.

CVE-2013-1929: Heap-based buffer overflow in the
tg3_read_vpd function in
drivers/net/ethernet/broadcom/tg3.c in the Linux kernel
allowed physically proximate attackers to cause a denial of
service (system crash) or possibly execute arbitrary code
via crafted firmware that specifies a long string in the
Vital Product Data (VPD) data structure.

CVE-2013-1819: The _xfs_buf_find function in
fs/xfs/xfs_buf.c in the Linux kernel did not validate block
numbers, which allowed local users to cause a denial of
service (NULL pointer dereference and system crash) or
possibly have unspecified other impact by leveraging the
ability to mount an XFS filesystem containing a metadata
inode with an invalid extent map.
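
The uninitialized-member information leaks listed above (CVE-2013-2148, CVE-2013-2234, CVE-2013-2237) share one pattern, modelled here in user space beside the clear-before-fill fix. This is an added example, not code from the kernel or from this update; the struct, its field names, the assigned values and the 0xA5 stale-memory marker are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STALE 0xA5 /* constructed marker standing in for old heap contents */

/* Hypothetical fixed-layout notification header (not the kernel's struct). */
struct notify_hdr {
    uint8_t  version;
    uint8_t  type;
    uint8_t  err;
    uint8_t  satype;   /* never assigned by the builder below */
    uint16_t len;
    uint16_t reserved; /* never assigned by the builder below */
    uint32_t seq;
    uint32_t pid;
};

/* Field-by-field assignment that silently skips two members. */
static void fill_fields(struct notify_hdr *h, uint32_t seq, uint32_t pid)
{
    h->version = 2;
    h->type = 9;
    h->err = 0;
    h->len = (uint16_t)(sizeof(*h) / 8);
    h->seq = seq;
    h->pid = pid;
}

/* Returns how many stale bytes a reader of the message would receive.
 * hardened == 0: object lives in uncleared memory (kmalloc-like).
 * hardened != 0: object is zeroed before use (kzalloc-like). */
static size_t leaked_bytes(int hardened)
{
    struct notify_hdr h;
    const unsigned char *p = (const unsigned char *)&h;
    size_t i, n = 0;

    memset(&h, STALE, sizeof(h)); /* simulate reused, uncleared memory */
    if (hardened)
        memset(&h, 0, sizeof(h)); /* the fix: clear the whole object first */
    fill_fields(&h, 1, 1234);
    for (i = 0; i < sizeof(h); i++)
        n += (p[i] == STALE);
    return n;
}

int main(void)
{
    printf("vulnerable: %zu stale bytes, hardened: %zu\n",
           leaked_bytes(0), leaked_bytes(1));
    return 0;
}
```

Zeroing the whole object also covers compiler-inserted padding, which setting each member individually does not.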

Also the following non-security bugs have been fixed:

  • ACPI / APEI: Force fatal AER severity when component
    has been reset (bnc#828886 bnc#824568).
  • PCI/AER: Move AER severity defines to aer.h
    (bnc#828886 bnc#824568).
  • PCI/AER: Set dev->__aer_firmware_first only for
    matching devices (bnc#828886 bnc#824568).
  • PCI/AER: Factor out HEST device type matching
    (bnc#828886 bnc#824568).
  • PCI/AER: Do not parse HEST table for non-PCIe devices
    (bnc#828886 bnc#824568).

PCI/AER: Reset link for devices below Root Port or
Downstream Port (bnc#828886 bnc#824568).

zfcp: fix lock imbalance by reworking request queue
locking (bnc#835175, LTC#96825).

qeth: Fix crash on initial MTU size change
(bnc#835175, LTC#96809).

qeth: change default standard blkt settings for OSA
Express (bnc#835175, LTC#96808).

x86: Add workaround to NMI iret woes (bnc#831949).

x86: Do not schedule while still in NMI context
(bnc#831949).

drm/i915: no longer call drm_helper_resume_force_mode
(bnc#831424,bnc#800875).

bnx2x: protect different statistics flows
(bnc#814336).

  • bnx2x: Avoid sending multiple statistics queries
    (bnc#814336).

ALSA: hda - Fix unbalanced runtime pm refcount
(bnc#834742).

xhci: directly calling _PS3 on suspend (bnc#833148).

futex: Take hugepages into account when generating
futex_key.

e1000e: workaround DMA unit hang on I218 (bnc#834647).

  • e1000e: unexpected "Reset adapter" message when cable
    pulled (bnc#834647).
  • e1000e: 82577: workaround for link drop issue
    (bnc#834647).
  • e1000e: helper functions for accessing EMI registers
    (bnc#834647).

Drivers: hv: util: Fix a bug in version negotiation
code for util services (bnc#828714).

printk: Add NMI ringbuffer (bnc#831949).

  • printk: extract ringbuffer handling from vprintk
    (bnc#831949).
  • printk: NMI safe printk (bnc#831949).
  • printk: Make NMI ringbuffer size independent on
    log_buf_len (bnc#831949).
  • printk: Do not call console_unlock from nmi context
    (bnc#831949).

printk: Do not use printk_cpu from finish_printk
(bnc#831949).

zfcp: fix schedule-inside-lock in scsi_device list
loops (bnc#833073, LTC#94937).

uvc: increase number of buffers (bnc#822164,
bnc#805804).

drm/i915: Adding more reserved PCI IDs for Haswell
(bnc#834116).

Refresh patches.xen/xen-netback-generalize
(bnc#827378).

Update Xen patches to 3.0.87.

mlx4_en: Adding 40gb speed report for ethtool
(bnc#831410).

drm/i915: Retry DP aux_ch communications with a
different clock after failure (bnc#831422).

  • drm/i915: split aux_clock_divider logic in a
    separated function for reuse (bnc#831422).
  • drm/i915: dp: increase probe retries (bnc#831422).
  • drm/i915: Only clear write-domains after a successful
    wait-seqno (bnc#831422).
  • drm/i915: Fix write-read race with multiple rings
    (bnc#831422).

xhci: Add xhci_disable_ports boot option (bnc#822164).

xhci: set device to D3Cold on shutdown (bnc#833097).

reiserfs: Fixed double unlock in reiserfs_setattr
failure path.

  • reiserfs: locking, release lock around quota
    operations (bnc#815320).
  • reiserfs: locking, push write lock out of xattr code
    (bnc#815320).
  • reiserfs: locking, handle nested locks properly
    (bnc#815320).
  • reiserfs: do not lock journal_init() (bnc#815320).

reiserfs: delay reiserfs lock until journal
initialization (bnc#815320).

NFS: support "nosharetransport" option (bnc#807502,
bnc#828192, FATE#315593).

HID: hyperv: convert alloc+memcpy to memdup.

  • Drivers: hv: vmbus: Implement multi-channel support
    (fate#316098).
  • Drivers: hv: Add the GUID for synthetic fibre channel
    device (fate#316098).
  • tools: hv: Check return value of setsockopt call.
  • tools: hv: Check return value of poll call.
  • tools: hv: Check return value of strchr call.
  • tools: hv: Fix file descriptor leaks.
  • tools: hv: Improve error logging in KVP daemon.
  • drivers: hv: switch to use mb() instead of smp_mb().
  • drivers: hv: check interrupt mask before read_index.
  • drivers: hv: allocate synic structures before
    hv_synic_init().
  • storvsc: Increase the value of scsi timeout for
    storvsc devices (fate#316098).
  • storvsc: Update the storage protocol to win8 level
    (fate#316098).
  • storvsc: Implement multi-channel support
    (fate#316098).
  • storvsc: Support FC devices (fate#316098).
  • storvsc: Increase the value of
    STORVSC_MAX_IO_REQUESTS (fate#316098).
  • hyperv: Fix the NETIF_F_SG flag setting in netvsc.
  • Drivers: hv: vmbus: incorrect device name is printed
    when child device is unregistered.

Tools: hv: KVP: Fix a bug in IPV6 subnet enumeration
(bnc#828714).

ipv6: ip6_append_data_mtu did not care about pmtudisc
and frag_size (bnc#831055, CVE-2013-4163).

dm mpath: add retain_attached_hw_handler feature
(bnc#760407).

scsi_dh: add scsi_dh_attached_handler_name
(bnc#760407).

af_key: fix info leaks in notify messages (bnc#827749
CVE-2013-2234).

af_key: initialize satype in
key_notify_policy_flush() (bnc#828119 CVE-2013-2237).

ipv6: call udp_push_pending_frames when uncorking a
socket with (bnc#831058, CVE-2013-4162).

tg3: fix length overflow in VPD firmware parsing
(bnc#813733 CVE-2013-1929).

xfs: fix _xfs_buf_find oops on blocks beyond the
filesystem end (CVE-2013-1819 bnc#807471).

ipv6: ip6_sk_dst_check() must not assume ipv6 dst
(bnc#827750, CVE-2013-2232).

dasd: fix hanging devices after path events
(bnc#831623, LTC#96336).

kernel: z90crypt module load crash (bnc#831623,
LTC#96214).

ata: Fix DVD not detected at some platform with
Wellsburg PCH (bnc#822225).

drm/i915: edp: add standard modes (bnc#832318).

Do not switch camera on yet more HP machines
(bnc#822164).

Do not switch camera on HP EB 820 G1 (bnc#822164).

xhci: Avoid NULL pointer deref when host dies
(bnc#827271).

bonding: disallow change of MAC if fail_over_mac
enabled (bnc#827376).

  • bonding: propagate unicast lists down to slaves
    (bnc#773255 bnc#827372).
  • net/bonding: emit address change event also in
    bond_release (bnc#773255 bnc#827372).

bonding: emit event when bonding changes MAC
(bnc#773255 bnc#827372).

usb: host: xhci: Enable XHCI_SPURIOUS_SUCCESS for all
controllers with xhci 1.0 (bnc#797909).

xhci: fix null pointer dereference on
ring_doorbell_for_active_rings (bnc#827271).

updated reference for security issue fixed inside
(CVE-2013-3301 bnc#815256)

qla2xxx: Clear the MBX_INTR_WAIT flag when the
mailbox time-out happens (bnc#830478).

drm/i915: initialize gt_lock early with other spin
locks (bnc#801341).

  • drm/i915: fix up gt init sequence fallout
    (bnc#801341).

timer_list: Correct the iterator for timer_list
(bnc#818047).

firmware: do not spew errors in normal boot
(bnc#831438, fate#314574).

ALSA: virtuoso: Xonar DSX support (FATE#316016).

SUNRPC: Ensure we release the socket write lock if
the rpc_task exits early (bnc#830901).

ext4: Re-add config option. Building ext4 as the
ext4-writeable KMP uses CONFIG_EXT4_FS_RW=y to denote that
read-write module should be enabled. This update just
defaults allow_rw to true if it is set.

e1000: fix vlan processing regression (bnc#830766).

ext4: force read-only unless rw=1 module option is
used (fate#314864).

dm mpath: fix ioctl deadlock when no paths
(bnc#808940).

HID: fix unused rsize usage (bnc#783475).

add reference for b43 format string flaw (bnc#822579
CVE-2013-2852)

HID: fix data access in implement() (bnc#783475).

xfs: fix deadlock in xfs_rtfree_extent with kernel
v3.x (bnc#829622).

kernel: sclp console hangs (bnc#830346, LTC#95711).

Refresh
patches.fixes/rtc-add-an-alarm-disable-quirk.patch.

Delete
patches.drm/1209-nvc0-fb-shut-up-pmfb-interrupt-after-the-first-occurrence.
It was removed from series.conf in
063ed686e5a3cda01a7ddbc49db1499da917fef5 but the file was
not deleted.

Drivers: hv: balloon: Do not post pressure status if
interrupted (bnc#829539).

Drivers: hv: balloon: Fix a bug in the hot-add code
(bnc#829539).

drm/i915: Fix incoherence with fence updates on
Sandybridge+ (bnc#809463).

  • drm/i915: merge {i965, sandybridge}_write_fence_reg()
    (bnc#809463).

r8169: allow multicast packets on sub-8168f chipset
(bnc#805371).

  • r8169: support new chips of RTL8111F (bnc#805371).
  • r8169: define the early size for 8111evl (bnc#805371).
  • r8169: fix the reset setting for 8111evl (bnc#805371).
  • r8169: add MODULE_FIRMWARE for the firmware of
    8111evl (bnc#805371).
  • r8169: fix sticky accepts packet bits in RxConfig
    (bnc#805371).
  • r8169: adjust the RxConfig settings (bnc#805371).
  • r8169: support RTL8111E-VL (bnc#805371).
  • r8169: add ERI functions (bnc#805371).
  • r8169: modify the flow of the hw reset (bnc#805371).
  • r8169: adjust some registers (bnc#805371).
  • r8169: check firmware content sooner (bnc#805371).
  • r8169: support new firmware format (bnc#805371).
  • r8169: explicit firmware format check (bnc#805371).
  • r8169: move the firmware down into the device private
    data (bnc#805371).

patches.fixes/mm-link_mem_sections-touch-nmi-watchdog.patch:
mm: link_mem_sections make sure nmi watchdog does not
trigger while linking memory sections (bnc#820434).

drm/i915: fix long-standing SNB regression in power
consumption after resume v2 (bnc#801341).

RTC: Add an alarm disable quirk (bnc#805740).

drm/i915: Fix bogus hotplug warnings at resume
(bnc#828087).

  • drm/i915: Serialize all register access
    (bnc#809463,bnc#812274,bnc#822878,bnc#828914).
  • drm/i915: Resurrect ring kicking for semaphores,
    selectively (bnc#828087).

drm/i915: use lower aux clock divider on non-ULT HSW
(bnc#800875).

  • drm/i915: preserve the PBC bits of TRANS_CHICKEN2
    (bnc#828087).
  • drm/i915: set CPT FDI RX polarity bits based on VBT
    (bnc#828087).
  • drm/i915: hsw: fix link training for eDP on port-A
    (bnc#800875).

patches.arch/s390-66-02-smp-ipi.patch: kernel: lost
IPIs on CPU hotplug (bnc#825048, LTC#94784).

patches.fixes/iwlwifi-use-correct-supported-firmware-for-6035-and-.patch:
iwlwifi: use correct supported firmware for
6035 and 6000g2 (bnc#825887).

patches.fixes/watchdog-update-watchdog_thresh-atomically.patch:
watchdog: Update watchdog_thresh atomically
(bnc#829357).

patches.fixes/watchdog-update-watchdog_tresh-properly.patch:
watchdog: update watchdog_tresh properly (bnc#829357).

patches.fixes/watchdog-make-disable-enable-hotplug-and-preempt-save.patch:
watchdog-make-disable-enable-hotplug-and-preempt-save.patch
(bnc#829357).

kabi/severities: Ignore changes in drivers/hv

patches.drivers/lpfc-return-correct-error-code-on-bsg_timeout.patch:
lpfc: Return correct error code on bsg_timeout
(bnc#816043).

patches.fixes/dm-drop-table-reference-on-ioctl-retry.patch:
dm-multipath: Drop table when retrying ioctl (bnc#808940).

scsi: Do not retry invalid function error
(bnc#809122).

patches.suse/scsi-do-not-retry-invalid-function-error.patch:
scsi: Do not retry invalid function error (bnc#809122).

scsi: Always retry internal target error (bnc#745640,
bnc#825227).

patches.suse/scsi-always-retry-internal-target-error.patch:
scsi: Always retry internal target error (bnc#745640,
bnc#825227).

patches.drivers/drm-edid-Don-t-print-messages-regarding-stereo-or-csync-by-default.patch:
Refresh: add upstream commit ID.

patches.suse/acpiphp-match-to-Bochs-dmi-data.patch:
Refresh. (bnc#824915).

Refresh
patches.suse/acpiphp-match-to-Bochs-dmi-data.patch
(bnc#824915).

Update kabi files.

ACPI:remove panic in case hardware has changed after
S4 (bnc#829001).

ibmvfc: Driver version 1.0.1 (bnc#825142).

  • ibmvfc: Fix for offlining devices during error
    recovery (bnc#825142).
  • ibmvfc: Properly set cancel flags when cancelling
    abort (bnc#825142).
  • ibmvfc: Send cancel when link is down (bnc#825142).
  • ibmvfc: Support FAST_IO_FAIL in EH handlers
    (bnc#825142).

ibmvfc: Suppress ABTS if target gone (bnc#825142).

fs/dcache.c: add cond_resched() to
shrink_dcache_parent() (bnc#829082).

drivers/cdrom/cdrom.c: use kzalloc() for failing
hardware (bnc#824295, CVE-2013-2164).

kmsg_dump: do not run on non-error paths by default
(bnc#820172).

supported.conf: mark tcm_qla2xxx as supported

mm: honor min_free_kbytes set by user (bnc#826960).

hyperv: Fix a kernel warning from
netvsc_linkstatus_callback() (bnc#828574).

RT: Fix up hardening patch to not gripe when avg >
available, which lockless access makes possible and happens
in -rt kernels running a cpubound ltp realtime testcase.
Just keep the output sane in that case.

kabi/severities: Add exception for
aer_recover_queue(). There should not be any user besides
ghes.ko.

Fix rpm changelog

PCI / PM: restore the original behavior of
pci_set_power_state() (bnc#827930).

fanotify: info leak in copy_event_to_user()
(CVE-2013-2148 bnc#823517).

usb: xhci: check usb2 port capabilities before adding
hw link PM support (bnc#828265).

aerdrv: Move cper_print_aer() call out of interrupt
context (bnc#822052, bnc#824568).

PCI/AER: pci_get_domain_bus_and_slot() call missing
required pci_dev_put() (bnc#822052, bnc#824568).

patches.fixes/block-do-not-pass-disk-names-as-format-strings.patch:
block: do not pass disk names as format strings
(bnc#822575 CVE-2013-2851).

powerpc: POWER8 cputable entries (bnc#824256).

libceph: Fix NULL pointer dereference in auth client
code. (CVE-2013-1059, bnc#826350)

md/raid10: Fix two bugs affecting RAID10 reshape.

Allow NFSv4 to run execute-only files (bnc#765523).

fs/ocfs2/namei.c: remove unnecessary ERROR when
removing non-empty directory (bnc#819363).

block: Reserve only one queue tag for sync IO if only
3 tags are available (bnc#806396).

btrfs: merge contiguous regions when loading free
space cache

btrfs: fix how we deal with the orphan block rsv.

  • btrfs: fix wrong check during log recovery.
  • btrfs: change how we indicate we are adding csums.
