Security update for the Linux Kernel (important)

ID SUSE-SU-2015:0178-1
Type suse
Reporter Suse
Modified 2015-01-30T11:04:56


The SUSE Linux Enterprise 12 kernel was updated to 3.12.36 to receive various security fixes and bug fixes.

The following security bugs were fixed:

- CVE-2014-8559: The d_walk function in fs/dcache.c in the Linux kernel through 3.17.2 did not properly maintain the semantics of rename_lock, which allowed local users to cause a denial of service (deadlock and system hang) via a crafted application (bnc#903640).
- CVE-2014-9420: The rock_continue function in fs/isofs/rock.c in the Linux kernel through 3.18.1 did not restrict the number of Rock Ridge continuation entries, which allowed local users to cause a denial of service (infinite loop, and system crash or hang) via a crafted iso9660 image (bnc#906545 911325).
- CVE-2014-3690: arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel before 3.17.2 on Intel processors did not ensure that the value in the CR4 control register remained the same after a VM entry, which allowed host OS users to kill arbitrary processes or cause a denial of service (system disruption) by leveraging /dev/kvm access, as demonstrated by PR_SET_TSC prctl calls within a modified copy of QEMU (bnc#902232).
- CVE-2014-3687: The sctp_assoc_lookup_asconf_ack function in net/sctp/associola.c in the SCTP implementation in the Linux kernel through 3.17.2 allowed remote attackers to cause a denial of service (panic) via duplicate ASCONF chunks that triggered an incorrect uncork within the side-effect interpreter (bnc#902349).
- CVE-2014-9585: The vdso_addr function in arch/x86/vdso/vma.c in the Linux kernel through 3.18.2 did not properly choose memory locations for the vDSO area, which made it easier for local users to bypass the ASLR protection mechanism by guessing a location at the end of a PMD (bnc#912705).
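An illustration of the bug class behind CVE-2014-9420, added here and not taken from the kernel source or from the SUSE patch: a chain walker that caps how many continuation entries it follows, so a chain that points back at itself ends with an error instead of looping forever. `struct ce_area`, `walk_continuations`, the return codes and the cap of 32 are assumptions of this example, and the structure is a simplified stand-in for the on-disk format.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-in for a continuation area (assumption, not the
 * on-disk Rock Ridge layout): each area may point at one more area. */
struct ce_area {
    int next;                 /* index of the next area, -1 = end of chain */
};

#define MAX_CE_ENTRIES 32     /* assumed cap chosen for this example */

/* Follow the continuation chain that starts at `start`.
 * Returns the number of areas visited,
 *   -1 if the chain is longer than MAX_CE_ENTRIES (treat image as corrupt),
 *   -2 if a pointer refers to an area outside the image. */
int walk_continuations(const struct ce_area *img, size_t n_areas, int start)
{
    int visited = 0;
    int cur = start;

    while (cur != -1) {
        if (cur < 0 || (size_t)cur >= n_areas)
            return -2;        /* pointer leaves the image */
        if (++visited > MAX_CE_ENTRIES)
            return -1;        /* without this check a cycle never ends */
        cur = img[cur].next;
    }
    return visited;
}

/* Constructed sample: a well-formed chain of three areas. */
int check_benign(void)
{
    struct ce_area img[3] = { {1}, {2}, {-1} };
    return walk_continuations(img, 3, 0);
}

/* Constructed sample: two areas that point at each other. */
int check_cyclic(void)
{
    struct ce_area img[2] = { {1}, {0} };
    return walk_continuations(img, 2, 0);
}

/* Constructed sample: a pointer past the end of the image. */
int check_out_of_range(void)
{
    struct ce_area img[1] = { {7} };
    return walk_continuations(img, 1, 0);
}

int main(void)
{
    printf("benign=%d cyclic=%d out_of_range=%d\n",
           check_benign(), check_cyclic(), check_out_of_range());
    return 0;
}
```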

The following non-security bugs were fixed:

- ACPI idle: permit sparse C-state sub-state numbers (bnc#907969).
- ALSA: hda - verify pin:converter connection on unsol event for HSW and VLV.
- ALSA: hda - verify pin:cvt connection on preparing a stream for Intel HDMI codec.
- ALSA: hda/hdmi - apply Valleyview fix-ups to Cherryview display codec.
- ALSA: hda_intel: Add Device IDs for Intel Sunrise Point PCH.
- ALSA: hda_intel: Add DeviceIDs for Sunrise Point-LP.
- Btrfs: Disable patches.suse/Btrfs-fix-abnormal-long-waiting-in-fsync.patch (bnc#910697) because it needs to be revisited due to partial msync behavior.
- Btrfs: Fix misuse of chunk mutex (bnc#912514).
- Btrfs: always clear a block group node when removing it from the tree (bnc#912514).
- Btrfs: collect only the necessary ordered extents on ranged fsync (bnc#912946).
- Btrfs: do not access non-existent key when csum tree is empty.
- Btrfs: do not delay inode ref updates during log replay.
- Btrfs: do not ignore log btree writeback errors (bnc#912946).
- Btrfs: ensure btrfs_prev_leaf does not miss 1 item.
- Btrfs: ensure deletion from pinned_chunks list is protected (bnc#908198).
- Btrfs: ensure ordered extent errors are not missed on fsync (bnc#912946).
- Btrfs: fix abnormal long waiting in fsync (VM/FS Micro-optimisations).
- Btrfs: fix abnormal long waiting in fsync (bnc#912946).
- Btrfs: fix crash caused by block group removal (bnc#912514).
- Btrfs: fix freeing used extent after removing empty block group (bnc#912514).
- Btrfs: fix freeing used extents after removing empty block group (bnc#912514).
- Btrfs: fix fs corruption on transaction abort if device supports discard (bnc#908198).
- Btrfs: fix fs mapping extent map leak (bnc#908198).
- Btrfs: fix invalid block group rbtree access after bg is removed (bnc#912514).
- Btrfs: fix memory leak after block remove + trimming (bnc#908198).
- Btrfs: fix race between fs trimming and block group remove/allocation (bnc#908198).
- Btrfs: fix race between writing free space cache and trimming (bnc#908198).
- Btrfs: fix transaction leak during fsync call.
- Btrfs: fix unprotected deletion from pending_chunks list (bnc#908198).
- Btrfs: fix unprotected system chunk array insertion (bnc#912514).
- Btrfs: free ulist in qgroup_shared_accounting() error path.
- Btrfs: ioctl, do not re-lock extent range when not necessary.
- Btrfs: make btrfs_abort_transaction consider existence of new block groups (bnc#908198).
- Btrfs: make sure logged extents complete in the current transaction V3 (bnc#912946).
- Btrfs: make sure we wait on logged extents when fsycning two subvols (bnc#912946).
- Btrfs: make xattr replace operations atomic (bnc#913466).
- Btrfs: remove empty block groups automatically (bnc#912514).
- Btrfs: remove unused wait queue in struct extent_buffer.
- Btrfs: replace EINVAL with ERANGE for resize when ULLONG_MAX.
- Btrfs: use helpers for last_trans_log_full_commit instead of opencode (bnc#912946).
- Drivers: hv: kvp,vss: Fast propagation of userspace communication failure.
- Drivers: hv: util: Properly pack the data for file copy functionality.
- Drivers: hv: util: make struct hv_do_fcopy match Hyper-V host messages.
- Drivers: hv: vmbus: Fix a race condition when unregistering a device.
- Drivers: hv: vss: Introduce timeout for communication with userspace.
- Fixed warning on DP unplugging driver in intel_dp.c (bnc#907536).
- Fixed warning on suspend in intel_display.c (bnc#907593).
- KEYS: Fix stale key registration at error path (bnc#908163).
- PCI/MSI: Add pci_enable_msi_range() and pci_enable_msix_range() (bug#912281).
- PCI/MSI: Add pci_enable_msi_range() and pci_enable_msix_range() (bug#912281).
- Refresh patches.xen/xen3-patch-3.9 (bsc#909829).
- Remove filesize checks for sync I/O journal commit (bnc#800255).
- SELinux: fix selinuxfs policy file on big endian systems (bsc#913233).
- Tools: hv: vssdaemon: ignore the EBUSY on multiple freezing the same partition.
- Tools: hv: vssdaemon: report freeze errors.
- Tools: hv: vssdaemon: skip all filesystems mounted readonly.
- Update Xen patches to 3.12.35.
- Update s390x kabi files again (bnc#903279, LTC#118177)
- benet: Use pci_enable_msix_range() instead of pci_enable_msix() (bug#912281).
- bfa: check for terminated commands (bnc#906027).
- cpuidle / menu: Return (-1) if there are no suitable states (cpuidle performance).
- cpuidle / menu: move repeated correction factor check to init (cpuidle performance).
- cpuidle: Do not substract exit latency from assumed sleep length (cpuidle performance).
- cpuidle: Ensure menu coefficients stay within domain (cpuidle performance).
- cpuidle: Move perf multiplier calculation out of the selection loop (cpuidle performance).
- cpuidle: Use actual state latency in menu governor (cpuidle performance).
- cpuidle: menu governor - remove unused macro STDDEV_THRESH (cpuidle performance).
- cpuidle: menu: Call nr_iowait_cpu less times (cpuidle performance).
- cpuidle: menu: Lookup CPU runqueues less (cpuidle performance).
- cpuidle: menu: Use ktime_to_us instead of reinventing the wheel (cpuidle performance).
- cpuidle: menu: Use shifts when calculating averages where possible (cpuidle performance).
- cpuidle: rename expected_us to next_timer_us in menu governor (cpuidle performance).
- crypto: aesni - Add support for 192 & 256 bit keys to AESNI RFC4106 (bsc#913387).
- crypto: kernel oops at insmod of the z90crypt device driver (bnc#908057, LTC#119591).
- cxgb4: Add the MC1 registers to read in the interrupt handler (bsc#912290).
- cxgb4: Allow T4/T5 firmware sizes up to 1MB (bsc#912290).
- cxgb4: Fix FW flash logic using ethtool (bsc#912290).
- cxgb4: Fix T5 adapter accessing T4 adapter registers (bsc#912290).
- cxgb4: Fix for handling 1Gb/s SFP+ Transceiver Modules (bsc#912290).
- cxgb4: Fix race condition in cleanup (bsc#912290).
- cxgb4: Free completed tx skbs promptly (bsc#912290).
- cxgb4: Not need to hold the adap_rcu_lock lock when read adap_rcu_list (bsc#912290).
- cxgb4: Use FW interface to get BAR0 value (bsc#912290).
- drm/i915: Do a dummy DPCD read before the actual read (bnc#907714).
- drm: add MIPI DSI encoder and connector types (bnc#907971).
- ext4: cache extent hole in extent status tree for ext4_da_map_blocks() (bnc#893428).
- ext4: change LRU to round-robin in extent status tree shrinker (bnc#893428).
- ext4: cleanup flag definitions for extent status tree (bnc#893428).
- ext4: fix block reservation for bigalloc filesystems (bnc#893428).
- ext4: improve extents status tree trace point (bnc#893428).
- ext4: introduce aging to extent status tree (bnc#893428).
- ext4: limit number of scanned extents in status tree shrinker (bnc#893428).
- ext4: move handling of list of shrinkable inodes into extent status code (bnc#893428).
- ext4: track extent status tree shrinker delay statictics (bnc#893428).
- fix kABI after "x86: use custom dma_get_required_mask()".
- fsnotify: next_i is freed during fsnotify_unmount_inodes (bnc#908904).
- hv: hv_balloon: avoid memory leak on alloc_error of 2MB memory block.
- hyperv: Add processing of MTU reduced by the host.
- hyperv: Fix some variable name typos in send-buffer init/revoke.
- hyperv: Fix the total_data_buflen in send path.
- intel_idle: Add CPU model 54 (Atom N2000 series) (bnc#907969).
- intel_idle: allow sparse sub-state numbering, for Bay Trail (bnc#907969).
- intel_idle: support Bay Trail (bnc#907969).
- intel_pstate: Add setting voltage value for baytrail P states (bnc#907973).
- intel_pstate: Add support for Baytrail turbo P states (bnc#907973).
- intel_pstate: Fix BYT frequency reporting (bnc#907973).
- intel_pstate: Fix setting VID (bnc#907973).
- intel_pstate: Set turbo VID for BayTrail (bnc#907973).
- intel_pstate: Use LFM bus ratio as min ratio/P state (bnc#907973).
- iommu/vt-d: Fix an off-by-one bug in __domain_mapping() (bsc#908825).
- ipc/sem.c: change memory barrier in sem_lock() to smp_rmb() (IPC scalability).
- isofs: Fix unchecked printing of ER records.
- kABI: fix for move of d_rcu (bnc#903640 CVE-2014-8559).
- kABI: protect ipv6.h include in drivers/net.
- kABI: protect rmap include in mm/truncate.c.
- kABI: protect struct iwl_trans.
- kABI: protect struct pci_dev.
- kABI: protect struct user_namespace.
- kABI: protect user_namespace.h include in kernel/groups.c.
- kABI: reintroduce generic_write_sync.
- kABI: uninline of_property_count_string functions. Omitted ppc64le kabi fix for 3.12.33.
- kernel: kprobes instruction corruption (bnc#908057, LTC#119330).
- kernel: reduce function tracer overhead (bnc#903279, LTC#118177).
- kgr: allow to search various types of struct kgr_patch_fun.
- kgr: be consistent when applying patches on loaded modules.
- kgr: fix replace_all.
- kgr: fix typo in error message.
- kgr: fix unwinder and user addresses (bnc#908803).
- kgr: handle IRQ context using global variable.
- kgr: mark even more kthreads (bnc#905087 bnc#906140).
- kgr: prevent recursive loops of stubs in ftrace.
- kgr: set revert slow state for all reverted symbols when loading patched module.
- kgr: unregister only the used ftrace ops when removing a patched module.
- kprobes: introduce weak arch_check_ftrace_location() helper function (bnc#903279, LTC#118177).
- kvm: Do not expose MONITOR cpuid as available (bnc#887597)
- lpfc: Fix race on command completion (bnc#906027).
- macvlan: allow setting LRO independently of lower device (bnc#829110 bnc#891277 bnc#904053).
- mm, cma: drain single zone pcplists (VM Performance, bnc#904177).
- mm, compaction: always update cached scanner positions (VM Performance, bnc#904177).
- mm, compaction: defer each zone individually instead of preferred zone (VM Performance, bnc#904177).
- mm, compaction: defer only on COMPACT_COMPLETE (VM Performance, bnc#904177).
- mm, compaction: do not count compact_stall if all zones skipped compaction (VM Performance, bnc#904177).
- mm, compaction: do not recheck suitable_migration_target under lock (VM Performance, bnc#904177).
- mm, compaction: khugepaged should not give up due to need_resched() (VM Performance, bnc#904177).
- mm, compaction: more focused lru and pcplists draining (VM Performance, bnc#904177).
- mm, compaction: move pageblock checks up from isolate_migratepages_range() (VM Performance, bnc#904177).
- mm, compaction: pass classzone_idx and alloc_flags to watermark checking (VM Performance, bnc#904177).
- mm, compaction: pass gfp mask to compact_control (VM Cleanup, bnc#904177).
- mm, compaction: periodically drop lock and restore IRQs in scanners (VM Performance, bnc#904177).
- mm, compaction: prevent infinite loop in compact_zone (VM Functionality, bnc#904177).
- mm, compaction: reduce zone checking frequency in the migration scanner (VM Performance, bnc#904177).
- mm, compaction: remember position within pageblock in free pages scanner (VM Performance, bnc#904177).
- mm, compaction: simplify deferred compaction (VM Performance, bnc#904177).
- mm, compaction: skip buddy pages by their order in the migrate scanner (VM Performance, bnc#904177).
- mm, compaction: skip rechecks when lock was already held (VM Performance, bnc#904177).
- mm, memory_hotplug/failure: drain single zone pcplists (VM Performance, bnc#904177).
- mm, page_isolation: drain single zone pcplists (VM Performance, bnc#904177).
- mm, thp: avoid excessive compaction latency during fault (VM Performance, bnc#904177).
- mm, thp: restructure thp avoidance of light synchronous migration (VM Performance, bnc#904177).
- mm/compaction.c: avoid premature range skip in isolate_migratepages_range (VM Functionality, bnc#904177).
- mm/compaction: skip the range until proper target pageblock is met (VM Performance, bnc#904177).
- mm/vmscan.c: use DIV_ROUND_UP for calculation of zones balance_gap and correct comments (VM Cleanup, bnc#904177).
- mm/vmscan: do not check compaction_ready on promoted zones (VM Cleanup, bnc#904177).
- mm/vmscan: restore sc->gfp_mask after promoting it to __GFP_HIGHMEM (VM Cleanup, bnc#904177).
- mm: Disable patches.suse/msync-fix-incorrect-fstart-calculation.patch (bnc#910697) because it needs to be revisited due to partial msync behavior.
- mm: Disabled patches.suse/mm-msync.c-sync-only-the-requested-range-in-msync.patch (bnc#910697) because it needs to be revisited due to partial msync behavior.
- mm: improve documentation of page_order (VM Cleanup, bnc#904177).
- mm: introduce single zone pcplists drain (VM Performance, bnc#904177).
- mm: memcontrol: remove hierarchy restrictions for swappiness and oom_control (VM Cleanup, bnc#904177).
- mm: page_alloc: determine migratetype only once (VM Performance, bnc#904177).
- mm: rename allocflags_to_migratetype for clarity (VM Cleanup, bnc#904177).
- mm: unmapped page migration avoid unmap+remap overhead (MM performance).
- mm: vmscan: clean up struct scan_control (VM Cleanup, bnc#904177).
- mm: vmscan: move call to shrink_slab() to shrink_zones() (VM Cleanup, bnc#904177).
- mm: vmscan: move swappiness out of scan_control (VM Cleanup, bnc#904177).
- mm: vmscan: remove all_unreclaimable() (VM Cleanup, bnc#904177).
- mm: vmscan: remove remains of kswapd-managed zone->all_unreclaimable (VM Cleanup, bnc#904177).
- mm: vmscan: remove shrink_control arg from do_try_to_free_pages() (VM Cleanup, bnc#904177).
- mm: vmscan: rework compaction-ready signaling in direct reclaim (VM Cleanup, bnc#904177).
- msync: fix incorrect fstart calculation (VM/FS Micro-optimisations).
- net, sunrpc: suppress allocation warning in rpc_malloc() (bnc#904659).
- net: Find the nesting level of a given device by type (bnc#829110 bnc#891277 bnc#904053).
- net: Hyper-V: Deletion of an unnecessary check before the function call "vfree".
- net: generic dev_disable_lro() stacked device handling (bnc#829110 bnc#891277 bnc#904053).
- nvme: Add missing hunk from backport (bnc#873252).
- parport: parport_pc, do not remove parent devices early (bnc#856659).
- patches.suse/supported-flag: fix mis-reported supported status (bnc#809493).
- patches.xen/xen-privcmd-hcall-preemption: Fix EFLAGS.IF check.
- powerpc/fadump: Fix endianess issues in firmware assisted dump handling (bsc#889192).
- powerpc/pseries/hvcserver: Fix endian issue in hvcs_get_partner_info (bsc#912129).
- powerpc/pseries: Make CPU hotplug path endian safe (bsc#907069).
- powerpc: fix dlpar memory
- pseries: Fix endian issues in cpu hot-removal (bsc#907069).
- pseries: Fix endian issues in onlining cpu threads (bsc#907069).
- rpm/ Require 10GB disk space on POWER. A debuginfo build currently requires about 8.5 GB on POWER. Also, require at least 8 CPUs, so that builds do not get accidentally scheduled on slow machines.
- rpm/gitlog-fixups: Fix invalid address in two commits
- s390/ftrace,kprobes: allow to patch first instruction (bnc#903279, LTC#118177).
- s390/ftrace: add HAVE_DYNAMIC_FTRACE_WITH_REGS support (bnc#903279, LTC#118177).
- s390/ftrace: add code replacement sanity checks (bnc#903279, LTC#118177).
- s390/ftrace: enforce DYNAMIC_FTRACE if FUNCTION_TRACER is selected (bnc#903279, LTC#118177).
- s390/ftrace: optimize function graph caller code (bnc#903279, LTC#118177).
- s390/ftrace: optimize mcount code (bnc#903279, LTC#118177).
- s390/ftrace: remove 31 bit ftrace support (bnc#903279, LTC#118177).
- s390/ftrace: remove check of obsolete variable function_trace_stop (bnc#903279, LTC#118177).
- s390/ftrace: revert mcount_adjust change (bnc#903279, LTC#118177).
- s390/ftrace: simplify enabling/disabling of ftrace_graph_caller (bnc#903279, LTC#118177).
- s390: pass march flag to assembly files as well (bnc#903279, LTC#118177).
- sched/fair: cleanup: Remove useless assignment in select_task_rq_fair() (cpuidle performance).
- scripts/ Do not specify kind-spec for emacs ctags/etags.
- scripts/ fix DEFINE_HASHTABLE in emacs case.
- scripts/ include compat_sys_ symbols in the generated tags.
- scsi: call device handler for failed TUR command (bnc#895814).
- series.conf: remove orphan bnc comments
- storvsc: ring buffer failures may result in I/O freeze.
- supported.conf: mark tcm_qla2xxx as supported. Has not been ported from SLES11 SP3 automatically.
- Fixup regex definition for etags.
- tcm_loop: Wrong I_T nexus association (bnc#907325).
- tools: hv: ignore ENOBUFS and ENOMEM in the KVP daemon.
- tools: hv: introduce -n/--no-daemon option.
- udf: Check component length before reading it.
- udf: Check path length when reading symlink.
- udf: Verify i_size when loading inode.
- udf: Verify symlink size before loading it.
- vmscan: memcg: always use swappiness of the reclaimed memcg (VM Cleanup, bnc#904177).
- x86, cpu: Detect more TLB configuration (TLB Performance).
- x86-64/MCE: flip CPU and bank numbers in log message.
- x86/UV: Fix conditional in gru_exit() (bsc#909095).
- x86/early quirk: use gen6 stolen detection for VLV (bnc#907970).
- x86/efi: Do not export efi runtime map in case old map (bsc#904969).
- x86/mm: Add tracepoints for TLB flushes (TLB Performance).
- x86/mm: Rip out complicated, out-of-date, buggy TLB flushing (TLB Performance).
- x86/uv: Update the UV3 TLB shootdown logic (bsc#909092).
- x86: UV BAU: Avoid NULL pointer reference in ptc_seq_show (bsc#911181).
- x86: UV BAU: Increase maximum CPUs per socket/hub (bsc#911181).
- x86: fix step size adjustment during initial memory mapping (bsc#910249).
- x86: use custom dma_get_required_mask().
- x86: use optimized ioresource lookup in ioremap function (Boot time optimisations (bnc#895387)).