Security update for the SUSE Linux Enterprise 12 kernel (important)

ID SUSE-SU-2015:1324-1
Type suse
Reporter Suse
Modified 2015-07-31T10:08:48


The SUSE Linux Enterprise 12 kernel was updated to 3.12.44 to receive various security and bugfixes.

These features were added: - mpt2sas: Added Reply Descriptor Post Queue (RDPQ) Array support (bsc#854824). - mpt3sas: Bump mpt3sas driver version to (bsc#854817).

Following security bugs were fixed: - CVE-2015-1805: iov overrun for failed atomic copy could have lead to DoS or privilege escalation (bsc#933429). - CVE-2015-3212: A race condition in the way the Linux kernel handled lists of associations in SCTP sockets could have lead to list corruption and kernel panics (bsc#936502). - CVE-2015-4036: DoS via memory corruption in vhost/scsi driver (bsc#931988). - CVE-2015-4167: Linux kernel built with the UDF file system(CONFIG_UDF_FS) support was vulnerable to a crash. It occurred while fetching inode information from a corrupted/malicious udf file system image (bsc#933907). - CVE-2015-4692: DoS via NULL pointer dereference in kvm_apic_has_events function (bsc#935542). - CVE-2015-5364: Remote DoS via flood of UDP packets with invalid checksums (bsc#936831). - CVE-2015-5366: Remote DoS of EPOLLET epoll applications via flood of UDP packets with invalid checksums (bsc#936831).

Security issues already fixed in the previous update but not referenced by CVE: - CVE-2014-9728: Kernel built with the UDF file system(CONFIG_UDF_FS) support were vulnerable to a crash (bsc#933904). - CVE-2014-9729: Kernel built with the UDF file system(CONFIG_UDF_FS) support were vulnerable to a crash (bsc#933904). - CVE-2014-9730: Kernel built with the UDF file system(CONFIG_UDF_FS) support were vulnerable to a crash (bsc#933904). - CVE-2014-9731: Kernel built with the UDF file system(CONFIG_UDF_FS) support were vulnerable to information leakage (bsc#933896).

The following non-security bugs were fixed: - ALSA: hda - add codec ID for Skylake display audio codec (bsc#936556). - ALSA: hda/hdmi - apply Haswell fix-ups to Skylake display codec (bsc#936556). - ALSA: hda_controller: Separate stream_tag for input and output streams (bsc#936556). - ALSA: hda_intel: add AZX_DCAPS_I915_POWERWELL for SKL and BSW (bsc#936556). - ALSA: hda_intel: apply the Seperate stream_tag for Skylake (bsc#936556). - ALSA: hda_intel: apply the Seperate stream_tag for Sunrise Point (bsc#936556). - Btrfs: Handle unaligned length in extent_same (bsc#937609). - Btrfs: add missing inode item update in fallocate() (bsc#938023). - Btrfs: check pending chunks when shrinking fs to avoid corruption (bsc#936445). - Btrfs: do not update mtime/ctime on deduped inodes (bsc#937616). - Btrfs: fix block group ->space_info null pointer dereference (bsc#935088). - Btrfs: fix clone / extent-same deadlocks (bsc#937612). - Btrfs: fix deadlock with extent-same and readpage (bsc#937612). - Btrfs: fix fsync data loss after append write (bsc#936446). - Btrfs: fix hang during inode eviction due to concurrent readahead (bsc#935085). - Btrfs: fix memory leak in the extent_same ioctl (bsc#937613). - Btrfs: fix race when reusing stale extent buffers that leads to BUG_ON (bsc#926369). - Btrfs: fix use after free when close_ctree frees the orphan_rsv (bsc#938022). - Btrfs: pass unaligned length to btrfs_cmp_data() (bsc#937609). - Btrfs: provide super_operations->inode_get_dev (bsc#927455). - Drivers: hv: balloon: check if ha_region_mutex was acquired in MEM_CANCEL_ONLINE case. - Drivers: hv: fcopy: process deferred messages when we complete the transaction. - Drivers: hv: fcopy: rename fcopy_work -> fcopy_timeout_work. - Drivers: hv: fcopy: set .owner reference for file operations. - Drivers: hv: fcopy: switch to using the hvutil_device_state state machine. - Drivers: hv: hv_balloon: correctly handle num_pages>INT_MAX case. - Drivers: hv: hv_balloon: correctly handle val.freeram lower than num_pages case. - Drivers: hv: hv_balloon: do not lose memory when onlining order is not natural. - Drivers: hv: hv_balloon: do not online pages in offline blocks. - Drivers: hv: hv_balloon: eliminate jumps in piecewiese linear floor function. - Drivers: hv: hv_balloon: eliminate the trylock path in acquire/release_region_mutex. - Drivers: hv: hv_balloon: keep locks balanced on add_memory() failure. - Drivers: hv: hv_balloon: refuse to balloon below the floor. - Drivers: hv: hv_balloon: report offline pages as being used. - Drivers: hv: hv_balloon: survive ballooning request with num_pages=0. - Drivers: hv: kvp: move poll_channel() to hyperv_vmbus.h. - Drivers: hv: kvp: rename kvp_work -> kvp_timeout_work. - Drivers: hv: kvp: reset kvp_context. - Drivers: hv: kvp: switch to using the hvutil_device_state state machine. - Drivers: hv: util: Fix a bug in the KVP code. reapply upstream change ontop of v3.12-stable change - Drivers: hv: util: On device remove, close the channel after de-initializing the service. - Drivers: hv: util: introduce hv_utils_transport abstraction. - Drivers: hv: util: introduce state machine for util drivers. - Drivers: hv: util: move kvp/vss function declarations to hyperv_vmbus.h. - Drivers: hv: vmbus: Add device and vendor ID to vmbus devices. - Drivers: hv: vmbus: Add support for VMBus panic notifier handler (bsc#934160). - Drivers: hv: vmbus: Add support for the NetworkDirect GUID. - Drivers: hv: vmbus: Correcting truncation error for constant HV_CRASH_CTL_CRASH_NOTIFY (bsc#934160). - Drivers: hv: vmbus: Export the vmbus_sendpacket_pagebuffer_ctl(). - Drivers: hv: vmbus: Fix a bug in rescind processing in vmbus_close_internal(). - Drivers: hv: vmbus: Fix a siganlling host signalling issue. - Drivers: hv: vmbus: Get rid of some unnecessary messages. - Drivers: hv: vmbus: Get rid of some unused definitions. - Drivers: hv: vmbus: Handle both rescind and offer messages in the same context. - Drivers: hv: vmbus: Implement the protocol for tearing down vmbus state. - Drivers: hv: vmbus: Introduce a function to remove a rescinded offer. - Drivers: hv: vmbus: Perform device register in the per-channel work element. - Drivers: hv: vmbus: Permit sending of packets without payload. - Drivers: hv: vmbus: Properly handle child device remove. - Drivers: hv: vmbus: Remove the channel from the channel list(s) on failure. - Drivers: hv: vmbus: Suport an API to send packet with additional control. - Drivers: hv: vmbus: Suport an API to send pagebuffers with additional control. - Drivers: hv: vmbus: Teardown clockevent devices on module unload. - Drivers: hv: vmbus: Teardown synthetic interrupt controllers on module unload. - Drivers: hv: vmbus: Use a round-robin algorithm for picking the outgoing channel. - Drivers: hv: vmbus: Use the vp_index map even for channels bound to CPU 0. - Drivers: hv: vmbus: avoid double kfree for device_obj. - Drivers: hv: vmbus: briefly comment num_sc and next_oc. - Drivers: hv: vmbus: decrease num_sc on subchannel removal. - Drivers: hv: vmbus: distribute subchannels among all vcpus. - Drivers: hv: vmbus: do cleanup on all vmbus_open() failure paths. - Drivers: hv: vmbus: introduce vmbus_acpi_remove. - Drivers: hv: vmbus: kill tasklets on module unload. - Drivers: hv: vmbus: move init_vp_index() call to vmbus_process_offer(). - Drivers: hv: vmbus: prevent cpu offlining on newer hypervisors. - Drivers: hv: vmbus: rename channel work queues. - Drivers: hv: vmbus: teardown hv_vmbus_con workqueue and vmbus_connection pages on shutdown. - Drivers: hv: vmbus: unify calls to percpu_channel_enq(). - Drivers: hv: vmbus: unregister panic notifier on module unload. - Drivers: hv: vmbus:Update preferred vmbus protocol version to windows 10. - Drivers: hv: vss: process deferred messages when we complete the transaction. - Drivers: hv: vss: switch to using the hvutil_device_state state machine. - Enable CONFIG_BRIDGE_NF_EBTABLES on s390x (bsc#936012) - Fix connection reuse when sk_error_report is used (bsc#930972). - GHES: Carve out error queueing in a separate function (bsc#917630). - GHES: Carve out the panic functionality (bsc#917630). - GHES: Elliminate double-loop in the NMI handler (bsc#917630). - GHES: Make NMI handler have a single reader (bsc#917630). - GHES: Panic right after detection (bsc#917630). - IB/mlx4: Fix wrong usage of IPv4 protocol for multicast attach/detach (bsc#918618). - Initialize hv_netvsc_packet->xmit_more to avoid transfer stalls - KVM: PPC: BOOK3S: HV: CMA: Reserve cma region only in hypervisor mode (bsc#908491). - KVM: s390: virtio-ccw: Handle command rejects (bsc#931860). - MODSIGN: loading keys from db when SecureBoot disabled (bsc#929696). - MODSIGN: loading keys from db when SecureBoot disabled (bsc#929696). - PCI: pciehp: Add hotplug_lock to serialize hotplug events (bsc#866911). - Revert "MODSIGN: loading keys from db when SecureBoot disabled". This reverts commit b45412d4, because it breaks legacy boot. - SUNRPC: Report connection error values to rpc_tasks on the pending queue (bsc#930972). - Update s390x kabi files with netfilter change (bsc#936012) - client MUST ignore EncryptionKeyLength if CAP_EXTENDED_SECURITY is set (bsc#932348). - cpufreq: pcc: Enable autoload of pcc-cpufreq for ACPI processors (bsc#933117). - dmapi: fix value from newer Linux strnlen_user() (bsc#932897). - drm/i915/hsw: Fix workaround for server AUX channel clock divisor (bsc#935918). - drm/i915: Evict CS TLBs between batches (bsc#935918). - drm/i915: Fix DDC probe for passive adapters (bsc#935918). - drm/i915: Handle failure to kick out a conflicting fb driver (bsc#935918). - drm/i915: drop WaSetupGtModeTdRowDispatch:snb (bsc#935918). - drm/i915: save/restore GMBUS freq across suspend/resume on gen4 (bsc#935918). - edd: support original Phoenix EDD 3.0 information (bsc#929974). - ext4: fix over-defensive complaint after journal abort (bsc#935174). - fs/cifs: Fix corrupt SMB2 ioctl requests (bsc#931124). - ftrace: add oco handling patch (bsc#924526). - ftrace: allow architectures to specify ftrace compile options (bsc#924526). - ftrace: let notrace function attribute disable hotpatching if necessary (bsc#924526). - hugetlb, kabi: do not account hugetlb pages as NR_FILE_PAGES (bsc#930092). - hugetlb: do not account hugetlb pages as NR_FILE_PAGES (bsc#930092). - hv: channel: match var type to return type of wait_for_completion. - hv: do not schedule new works in vmbus_onoffer()/vmbus_onoffer_rescind(). - hv: hv_balloon: match var type to return type of wait_for_completion. - hv: hv_util: move vmbus_open() to a later place. - hv: hypervvssd: call endmntent before call setmntent again. - hv: no rmmod for hv_vmbus and hv_utils. - hv: remove the per-channel workqueue. - hv: run non-blocking message handlers in the dispatch tasklet. - hv: vmbus: missing curly braces in vmbus_process_offer(). - hv: vmbus_free_channels(): remove the redundant free_channel(). - hv: vmbus_open(): reset the channel state on ENOMEM. - hv: vmbus_post_msg: retry the hypercall on some transient errors. - hv_netvsc: Allocate the receive buffer from the correct NUMA node. - hv_netvsc: Allocate the sendbuf in a NUMA aware way. - hv_netvsc: Clean up two unused variables. - hv_netvsc: Cleanup the test for freeing skb when we use sendbuf mechanism. - hv_netvsc: Define a macro RNDIS_AND_PPI_SIZE. - hv_netvsc: Eliminate memory allocation in the packet send path. - hv_netvsc: Fix a bug in netvsc_start_xmit(). - hv_netvsc: Fix the packet free when it is in skb headroom. - hv_netvsc: Implement batching in send buffer. - hv_netvsc: Implement partial copy into send buffer. - hv_netvsc: Use the xmit_more skb flag to optimize signaling the host. - hv_netvsc: change member name of struct netvsc_stats. - hv_netvsc: introduce netif-msg into netvsc module. - hv_netvsc: remove unused variable in netvsc_send(). - hv_netvsc: remove vmbus_are_subchannels_present() in rndis_filter_device_add(). - hv_netvsc: try linearizing big SKBs before dropping them. - hv_netvsc: use per_cpu stats to calculate TX/RX data. - hv_netvsc: use single existing drop path in netvsc_start_xmit. - hv_vmbus: Add gradually increased delay for retries in vmbus_post_msg(). - hyperv: Implement netvsc_get_channels() ethool op. - hyperv: hyperv_fb: match wait_for_completion_timeout return type. - iommu/amd: Handle integer overflow in dma_ops_area_alloc (bsc#931538). - iommu/amd: Handle large pages correctly in free_pagetable (bsc#935881). - ipr: Increase default adapter init stage change timeout (bsc#930579). - ipv6: do not delete previously existing ECMP routes if add fails (bsc#930399). - ipv6: fix ECMP route replacement (bsc#930399). - jbd2: improve error messages for inconsistent journal heads (bsc#935174). - jbd2: revise KERN_EMERG error messages (bsc#935174). - kabi/severities: Add s390 symbols allowed to change in bsc#931860 - kabi: only use sops->get_inode_dev with proper fsflag. - kernel: add panic_on_warn. - kexec: allocate the kexec control page with KEXEC_CONTROL_MEMORY_GFP (bsc#928131). - kgr: fix redirection on s390x arch (bsc#903279). - kgr: move kgr_task_in_progress() to sched.h. - kgr: send a fake signal to all blocking tasks. - kvm: irqchip: Break up high order allocations of kvm_irq_routing_table (bsc#926953). - libata: Blacklist queued TRIM on all Samsung 800-series (bsc#930599). - mei: bus: () can be static. - mm, thp: really limit transparent hugepage allocation to local node (VM Performance, bsc#931620). - mm, thp: respect MPOL_PREFERRED policy with non-local node (VM Performance, bsc#931620). - mm/mempolicy.c: merge alloc_hugepage_vma to alloc_pages_vma (VM Performance, bsc#931620). - mm/thp: allocate transparent hugepages on local node (VM Performance, bsc#931620). - net/mlx4_en: Call register_netdevice in the proper location (bsc#858727). - net/mlx4_en: Do not attempt to TX offload the outer UDP checksum for VXLAN (bsc#858727). - net: fib6: fib6_commit_metrics: fix potential NULL pointer dereference (bsc#867362). - net: introduce netdev_alloc_pcpu_stats() for drivers. - net: ipv6: fib: do not sleep inside atomic lock (bsc#867362). - netdev: set __percpu attribute on netdev_alloc_pcpu_stats. - netdev_alloc_pcpu_stats: use less common iterator variable. - netfilter: xt_NFQUEUE: fix --queue-bypass regression (bsc#935083) - ovl: default permissions (bsc#924071). - ovl: move s_stack_depth . - powerpc/perf/hv-24x7: use kmem_cache instead of aligned stack allocations (bsc#931403). - powerpc/pseries: Correct cpu affinity for dlpar added cpus (bsc#932967). - powerpc: Add VM_FAULT_HWPOISON handling to powerpc page fault handler (bsc#929475). - powerpc: Fill in si_addr_lsb siginfo field (bsc#929475). - powerpc: Simplify do_sigbus (bsc#929475). - reiserfs: Fix use after free in journal teardown (bsc#927697). - rtlwifi: rtl8192cu: Fix kernel deadlock (bsc#927786). - s390/airq: add support for irq ranges (bsc#931860). - s390/airq: silence lockdep warning (bsc#931860). - s390/compat,signal: change return values to -EFAULT (bsc#929879). - s390/ftrace: hotpatch support for function tracing (bsc#924526). - s390/irq: improve displayed interrupt order in /proc/interrupts (bsc#931860). - s390/kernel: use stnsm 255 instead of stosm 0 (bsc#929879). - s390/kgr: reorganize kgr infrastructure in entry64.S. - s390/mm: align 64-bit PIE binaries to 4GB (bsc#929879). - s390/mm: limit STACK_RND_MASK for compat tasks (bsc#929879). - s390/rwlock: add missing local_irq_restore calls (bsc#929879). - s390/sclp_vt220: Fix kernel panic due to early terminal input (bsc#931860). - s390/smp: only send external call ipi if needed (bsc#929879). - s390/spinlock,rwlock: always to a load-and-test first (bsc#929879). - s390/spinlock: cleanup spinlock code (bsc#929879). - s390/spinlock: optimize spin_unlock code (bsc#929879). - s390/spinlock: optimize spinlock code sequence (bsc#929879). - s390/spinlock: refactor arch_spin_lock_wait[flags] (bsc#929879). - s390/time: use stck clock fast for do_account_vtime (bsc#929879). - s390: Remove zfcpdump NR_CPUS dependency (bsc#929879). - s390: add z13 code generation support (bsc#929879). - s390: avoid z13 cache aliasing (bsc#929879). - s390: fix control register update (bsc#929879). - s390: optimize control register update (bsc#929879). - s390: z13 base performance (bsc#929879). - sched: fix __sched_setscheduler() vs load balancing race (bsc#921430) - scsi: retry MODE SENSE on unit attention (bsc#895814). - scsi_dh_alua: Recheck state on unit attention (bsc#895814). - scsi_dh_alua: fixup crash in alua_rtpg_work() (bsc#895814). - scsi_dh_alua: parse device id instead of target id (bsc#895814). - scsi_dh_alua: recheck RTPG in regular intervals (bsc#895814). - scsi_dh_alua: update all port states (bsc#895814). - sd: always retry READ CAPACITY for ALUA state transition (bsc#895814). - st: null pointer dereference panic caused by use after kref_put by st_open (bsc#936875). - supported.conf: add btrfs to kernel-$flavor-base (bsc#933637) - udf: Remove repeated loads blocksize (bsc#933907). - usb: core: Fix USB 3.0 devices lost in NOTATTACHED state after a hub port reset (bsc#938024). - vTPM: set virtual device before passing to ibmvtpm_reset_crq (bsc#937087). - vfs: add super_operations->get_inode_dev (bsc#927455). - virtio-ccw: virtio-ccw adapter interrupt support (bsc#931860). - virtio-rng: do not crash if virtqueue is broken (bsc#931860). - virtio: fail adding buffer on broken queues (bsc#931860). - virtio: virtio_break_device() to mark all virtqueues broken (bsc#931860). - virtio_blk: verify if queue is broken after virtqueue_get_buf() (bsc#931860). - virtio_ccw: fix hang in set offline processing (bsc#931860). - virtio_ccw: fix vcdev pointer handling issues (bsc#931860). - virtio_ccw: introduce device_lost in virtio_ccw_device (bsc#931860). - virtio_net: do not crash if virtqueue is broken (bsc#931860). - virtio_net: verify if queue is broken after virtqueue_get_buf() (bsc#931860). - virtio_ring: adapt to notify() returning bool (bsc#931860). - virtio_ring: add new function virtqueue_is_broken() (bsc#931860). - virtio_ring: change host notification API (bsc#931860). - virtio_ring: let virtqueue{kick()/notify()} return a bool (bsc#931860). - virtio_ring: plug kmemleak false positive (bsc#931860). - virtio_scsi: do not call virtqueue_add_sgs(... GFP_NOIO) holding spinlock (bsc#931860). - virtio_scsi: verify if queue is broken after virtqueue_get_buf() (bsc#931860). - vmxnet3: Bump up driver version number (bsc#936423). - vmxnet3: Changes for vmxnet3 adapter version 2 (fwd) (bug#936423). - vmxnet3: Fix memory leaks in rx path (fwd) (bug#936423). - vmxnet3: Register shutdown handler for device (fwd) (bug#936423). - x86/PCI: Use host bridge _CRS info on Foxconn K8M890-8237A (bsc#907092). - x86/PCI: Use host bridge _CRS info on systems with >32 bit addressing (bsc#907092). - x86/kgr: move kgr infrastructure from asm to C. - x86/mm: Improve AMD Bulldozer ASLR workaround (bsc#937032). - xfrm: release dst_orig in case of error in xfrm_lookup() (bsc#932793). - xfs: Skip dirty pages in ->releasepage (bsc#915183). - xfs: fix xfs_setattr for DMAPI (bsc#932900). - xfs_dmapi: fix transaction ilocks (bsc#932899). - xfs_dmapi: fix value from newer Linux strnlen_user() (bsc#932897). - xfs_dmapi: xfs_dm_rdwr() uses dir file ops not file's ops (bsc#932898).