SUSE-SU-2015:1727-1
Oct 13, 2015 - 11:09 a.m.

Security update for kernel-source (important)

2015-10-13 11:09:43
lists.opensuse.org
EPSS: 0.002 (Low), percentile 61.7%

The SUSE Linux Enterprise 12 kernel was updated to 3.12.48-52.27 to
receive various security and bug fixes.

The following security bugs were fixed:

  • CVE-2015-7613: A flaw was found in the Linux kernel IPC code that could
    lead to arbitrary code execution. The ipc_addid() function initialized a
    shared object that has unset uid/gid values. Since the fields are not
    initialized, the check can falsely succeed. (bsc#948536)
  • CVE-2015-5156: When a guest's KVM network device is in a bridge
    configuration, the kernel can create a situation in which packets are
    fragmented in an unexpected fashion. The GRO functionality can create a
    situation in which multiple SKBs are chained together in a single
    packet's fraglist (by design). (bsc#940776)
  • CVE-2015-5157: arch/x86/entry/entry_64.S in the Linux kernel before
    4.1.6 on the x86_64 platform mishandles IRET faults in processing NMIs
    that occurred during userspace execution, which might allow local users
    to gain privileges by triggering an NMI (bsc#938706).
  • CVE-2015-6252: A flaw was found in the way the Linux kernel's vhost
    driver treated a userspace-provided log file descriptor when processing
    the VHOST_SET_LOG_FD ioctl command. The file descriptor was never
    released and continued to consume kernel memory. A privileged local user
    with access to the /dev/vhost-net files could use this flaw to create a
    denial-of-service attack (bsc#942367).
  • CVE-2015-5697: The get_bitmap_file function in drivers/md/md.c in the
    Linux kernel before 4.1.6 does not initialize a certain bitmap data
    structure, which allows local users to obtain sensitive information from
    kernel memory via a GET_BITMAP_FILE ioctl call. (bnc#939994)
  • CVE-2015-6937: A NULL pointer dereference flaw was found in the Reliable
    Datagram Sockets (RDS) implementation, allowing a local user to cause a
    system DoS. A check that the underlying transport exists was missing
    when a connection was created. (bsc#945825)
  • CVE-2015-5283: A NULL pointer dereference flaw was found in the SCTP
    implementation, allowing a local user to cause a system DoS. Creation of
    multiple sockets in parallel when the system does not have the SCTP
    module loaded can lead to a kernel panic. (bsc#947155)
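
A check for whether a host is already running a kernel at or above the fixed version 3.12.48-52.27 named in this advisory. This is an added example, not part of the SUSE announcement; it assumes `uname -r` has the form VERSION-RELEASE-FLAVOR (for example 3.12.48-52.27-default), and the result is only meaningful for SLE 12 kernels.

```shell
#!/bin/sh
# Added example, not part of the SUSE advisory.
FIXED="3.12.48-52.27"   # fixed kernel version stated in the advisory

# Drop a trailing flavor suffix such as "-default" or "-xen".
# Assumption: the release string is VERSION-RELEASE-FLAVOR.
strip_flavor() {
    printf '%s\n' "$1" | sed 's/-[A-Za-z][A-Za-z0-9_]*$//'
}

# Return 0 if version $1 >= version $2. Fields are split on "." and "-"
# and compared numerically, so 52.9 sorts below 52.27.
version_ge() {
    a=$(printf '%s' "$1" | sed 's/[.-]/ /g')
    b=$(printf '%s' "$2" | sed 's/[.-]/ /g')
    set -- $a
    for y in $b; do
        x=${1:-0}                      # missing field counts as 0
        [ $# -gt 0 ] && shift
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0                           # equal on every field of $2
}

# Check a release string (default: the running kernel).
# Returns 0 = fixed, 1 = older than the fixed version, 2 = not parseable.
check_kernel() {
    rel=$(strip_flavor "${1:-$(uname -r)}")
    case "$rel" in
        ''|*[!0-9.-]*)
            echo "UNKNOWN: cannot parse kernel release '$rel'"
            return 2 ;;
    esac
    if version_ge "$rel" "$FIXED"; then
        echo "OK: $rel is at or above $FIXED"
    else
        echo "VULNERABLE: $rel is older than $FIXED"
        return 1
    fi
}

# Usage on a host: check_kernel
# Usage on an inventory value: check_kernel "3.12.44-52.18-default"
```

The check reads the running kernel, so a host that has installed the update but not rebooted still reports the old version.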

The following non-security bugs were fixed:

  • ALSA: hda - Abort the probe without i915 binding for HSW/BDW
    (bsc#936556).
  • Btrfs: Backport subvolume mount option handling (bsc#934962)
  • Btrfs: Handle unaligned length in extent_same (bsc#937609).
  • Btrfs: advertise which crc32c implementation is being used on mount
    (bsc#946057).
  • Btrfs: allow mounting btrfs subvolumes with different ro/rw options.
  • Btrfs: check if previous transaction aborted to avoid fs corruption
    (bnc#942509).
  • Btrfs: clean up error handling in mount_subvol() (bsc#934962).
  • Btrfs: cleanup orphans while looking up default subvolume (bsc#914818).
  • Btrfs: do not update mtime/ctime on deduped inodes (bsc#937616).
  • Btrfs: fail on mismatched subvol and subvolid mount options (bsc#934962).
  • Btrfs: fix chunk allocation regression leading to transaction abort
    (bnc#938550).
  • Btrfs: fix clone / extent-same deadlocks (bsc#937612).
  • Btrfs: fix crash on close_ctree() if cleaner starts new transaction
    (bnc#938891).
  • Btrfs: fix deadlock with extent-same and readpage (bsc#937612).
  • Btrfs: fix file corruption after cloning inline extents (bnc#942512).
  • Btrfs: fix file read corruption after extent cloning and fsync
    (bnc#946902).
  • Btrfs: fix find_free_dev_extent() malfunction in case device tree has
    hole (bnc#938550).
  • Btrfs: fix hang when failing to submit bio of directIO (bnc#942685).
  • Btrfs: fix list transaction->pending_ordered corruption (bnc#938893).
  • Btrfs: fix memory corruption on failure to submit bio for direct IO
    (bnc#942685).
  • Btrfs: fix memory leak in the extent_same ioctl (bsc#937613).
  • Btrfs: fix put dio bio twice when we submit dio bio fail (bnc#942685).
  • Btrfs: fix race between balance and unused block group deletion
    (bnc#938892).
  • Btrfs: fix range cloning when same inode used as source and destination
    (bnc#942511).
  • Btrfs: fix read corruption of compressed and shared extents (bnc#946906).
  • Btrfs: fix uninit variable in clone ioctl (bnc#942511).
  • Btrfs: fix use-after-free in mount_subvol().
  • Btrfs: fix wrong check for btrfs_force_chunk_alloc() (bnc#938550).
  • Btrfs: lock superblock before remounting for rw subvol (bsc#934962).
  • Btrfs: pass unaligned length to btrfs_cmp_data() (bsc#937609).
  • Btrfs: remove all subvol options before mounting top-level (bsc#934962).
  • Btrfs: show subvol= and subvolid= in /proc/mounts (bsc#934962).
  • Btrfs: unify subvol= and subvolid= mounting (bsc#934962).
  • Btrfs: fill ->last_trans for delayed inode in btrfs_fill_inode
    (bnc#942925).
  • Btrfs: fix metadata inconsistencies after directory fsync (bnc#942925).
  • Btrfs: fix stale dir entries after removing a link and fsync
    (bnc#942925).
  • Btrfs: fix stale dir entries after unlink, inode eviction and fsync
    (bnc#942925).
  • Btrfs: fix stale directory entries after fsync log replay (bnc#942925).
  • Btrfs: make btrfs_search_forward return with nodes unlocked (bnc#942925).
  • Btrfs: support NFSv2 export (bnc#929871).
  • Btrfs: update fix for read corruption of compressed and shared extents
    (bsc#948256).
  • Drivers: hv: do not do hypercalls when hypercall_page is NULL.
  • Drivers: hv: vmbus: add special crash handler.
  • Drivers: hv: vmbus: add special kexec handler.
  • Drivers: hv: vmbus: remove hv_synic_free_cpu() call from
    hv_synic_cleanup().
  • Input: evdev - do not report errors form flush() (bsc#939834).
  • Input: synaptics - do not retrieve the board id on old firmwares
    (bsc#929092).
  • Input: synaptics - log queried and quirked dimension values (bsc#929092).
  • Input: synaptics - query min dimensions for fw v8.1.
  • Input: synaptics - remove X1 Carbon 3rd gen from the topbuttonpad list
    (bsc#929092).
  • Input: synaptics - remove X250 from the topbuttonpad list.
  • Input: synaptics - remove obsolete min/max quirk for X240 (bsc#929092).
  • Input: synaptics - skip quirks when post-2013 dimensions (bsc#929092).
  • Input: synaptics - split synaptics_resolution(), query first
    (bsc#929092).
  • Input: synaptics - support min/max board id in min_max_pnpid_table
    (bsc#929092).
  • NFS: Make sure XPRT_CONNECTING gets cleared when needed (bsc#946309).
  • NFSv4: do not set SETATTR for O_RDONLY|O_EXCL (bsc#939716).
  • PCI: Move MPS configuration check to pci_configure_device() (bsc#943313).
  • PCI: Set MPS to match upstream bridge (bsc#943313).
  • SCSI: fix regression in scsi_send_eh_cmnd() (bsc#930813).
  • SCSI: fix scsi_error_handler vs. scsi_host_dev_release race (bnc#942204).
  • SCSI: vmw_pvscsi: Fix pvscsi_abort() function (bnc#940398).
  • UAS: fixup for remaining use of dead_list (bnc#934942).
  • USB: storage: use %*ph specifier to dump small buffers (bnc#934942).
  • aio: fix reqs_available handling (bsc#943378).
  • audit: do not generate loginuid log when audit disabled (bsc#941098).
  • blk-merge: do not compute bi_phys_segments from bi_vcnt for cloned bio
    (bnc#934430).
  • blk-merge: fix blk_recount_segments (bnc#934430).
  • blk-merge: recaculate segment if it isn’t less than max segments
    (bnc#934430).
  • block: add queue flag for disabling SG merging (bnc#934430).
  • block: blk-merge: fix blk_recount_segments() (bnc#934430).
  • config: disable CONFIG_TCM_RBD on ppc64le and s390x
  • cpufreq: intel_pstate: Add CPU ID for Braswell processor.
  • dlm: fix missing endian conversion of rcom_status flags (bsc#940679).
  • dm cache mq: fix memory allocation failure for large cache devices
    (bsc#942707).
  • drm/i915: Avoid race of intel_crt_detect_hotplug() with HPD interrupt
    (bsc#942938).
  • drm/i915: Make hpd arrays big enough to avoid out of bounds access
    (bsc#942938).
  • drm/i915: Only print hotplug event message when hotplug bit is set
    (bsc#942938).
  • drm/i915: Queue reenable timer also when enable_hotplug_processing is
    false (bsc#942938).
  • drm/i915: Use an interrupt save spinlock in intel_hpd_irq_handler()
    (bsc#942938).
  • drm/radeon: fix hotplug race at startup (bsc#942307).
  • ethtool, net/mlx4_en: Add 100M, 20G, 56G speeds ethtool reporting
    support (bsc#945710).
  • hrtimer: prevent timer interrupt DoS (bnc#886785).
  • hv: fcopy: add memory barrier to propagate state (bnc#943529).
  • inotify: Fix nested sleeps in inotify_read() (bsc#940925).
  • intel_pstate: Add CPU IDs for Broadwell processors.
  • intel_pstate: Add CPUID for BDW-H CPU.
  • intel_pstate: Add support for SkyLake.
  • intel_pstate: Correct BYT VID values (bnc#907973).
  • intel_pstate: Remove periodic P state boost (bnc#907973).
  • intel_pstate: add sample time scaling (bnc#907973, bnc#924722,
    bnc#916543).
  • intel_pstate: don’t touch turbo bit if turbo disabled or unavailable
    (bnc#907973).
  • intel_pstate: remove setting P state to MAX on init (bnc#907973).
  • intel_pstate: remove unneeded sample buffers (bnc#907973).
  • intel_pstate: set BYT MSR with wrmsrl_on_cpu() (bnc#907973).
  • ipr: Fix incorrect trace indexing (bsc#940912).
  • ipr: Fix invalid array indexing for HRRQ (bsc#940912).
  • iwlwifi: dvm: drop non VO frames when flushing (bsc#940545).
  • kABI workaround for ieee80211_ops.flush argument change (bsc#940545).
  • kconfig: Do not print status messages in make -s mode (bnc#942160).
  • kernel/modsign_uefi.c: Check for EFI_RUNTIME_SERVICES in load_uefi_certs
    (bsc#856382).
  • kernel: do full redraw of the 3270 screen on reconnect (bnc#943476,
    LTC#129509).
  • kexec: define kexec_in_progress in !CONFIG_KEXEC case.
  • kvm: Use WARN_ON_ONCE for missing X86_FEATURE_NRIPS (bsc#947537).
  • lpfc: Fix scsi prep dma buf error (bsc#908950).
  • mac80211: add vif to flush call (bsc#940545).
  • md/bitmap: do not abuse i_writecount for bitmap files (bsc#943270).
  • md/bitmap: protect clearing of ->bitmap by mddev->lock
    (bnc#912183).
  • md/raid5: use ->lock to protect accessing raid5 sysfs attributes
    (bnc#912183).
  • md: fix problems with freeing private data after ->run failure
    (bnc#912183).
  • md: level_store: group all important changes into one place (bnc#912183).
  • md: move GET_BITMAP_FILE ioctl out from mddev_lock (bsc#943270).
  • md: protect ->pers changes with mddev->lock (bnc#912183).
  • md: remove mddev_lock from rdev_attr_show() (bnc#912183).
  • md: remove mddev_lock() from md_attr_show() (bnc#912183).
  • md: remove need for mddev_lock() in md_seq_show() (bnc#912183).
  • md: split detach operation out from ->stop (bnc#912183).
  • md: tidy up set_bitmap_file (bsc#943270).
  • megaraid_sas: Handle firmware initialization after fast boot
    (bsc#922071).
  • mfd: lpc_ich: Assign subdevice ids automatically (bnc#898159).
  • mm: filemap: Avoid unnecessary barriers and waitqueue lookups -fix
    (VM/FS Performance (bnc#941951)).
  • mm: make page pfmemalloc check more robust (bnc#920016).
  • mm: numa: disable change protection for vma(VM_HUGETLB) (bnc#943573).
  • netfilter: nf_conntrack_proto_sctp: minimal multihoming support
    (bsc#932350).
  • net/mlx4_core: Add ethernet backplane autoneg device capability
    (bsc#945710).
  • net/mlx4_core: Introduce ACCESS_REG CMD and eth_prot_ctrl dev cap
    (bsc#945710).
  • net/mlx4_en: Use PTYS register to query ethtool settings (bsc#945710).
  • net/mlx4_en: Use PTYS register to set ethtool settings (Speed)
    (bsc#945710).
  • rcu: Reject memory-order-induced stall-warning false positives
    (bnc#941908).
  • s390/dasd: fix kernel panic when alias is set offline (bnc#940965,
    LTC#128595).
  • sched: Fix KMALLOC_MAX_SIZE overflow during cpumask allocation
    (bnc#939266).
  • sched: Fix cpu_active_mask/cpu_online_mask race (bsc#936773).
  • sched, numa: do not hint for NUMA balancing on VM_MIXEDMAP mappings
    (bnc#943573).
  • uas: Add US_FL_MAX_SECTORS_240 flag (bnc#934942).
  • uas: Add response iu handling (bnc#934942).
  • uas: Add uas_get_tag() helper function (bnc#934942).
  • uas: Check against unexpected completions (bnc#934942).
  • uas: Cleanup uas_log_cmd_state usage (bnc#934942).
  • uas: Do not log urb status error on cancellation (bnc#934942).
  • uas: Do not use scsi_host_find_tag (bnc#934942).
  • uas: Drop COMMAND_COMPLETED flag (bnc#934942).
  • uas: Drop all references to a scsi_cmnd once it has been aborted
    (bnc#934942).
  • uas: Drop inflight list (bnc#934942).
  • uas: Fix memleak of non-submitted urbs (bnc#934942).
  • uas: Fix resetting flag handling (bnc#934942).
  • uas: Free data urbs on completion (bnc#934942).
  • uas: Log error codes when logging errors (bnc#934942).
  • uas: Reduce number of function arguments for uas_alloc_foo functions
    (bnc#934942).
  • uas: Remove cmnd reference from the cmd urb (bnc#934942).
  • uas: Remove support for old sense ui as used in pre-production hardware
    (bnc#934942).
  • uas: Remove task-management / abort error handling code (bnc#934942).
  • uas: Set max_sectors_240 quirk for ASM1053 devices (bnc#934942).
  • uas: Simplify reset / disconnect handling (bnc#934942).
  • uas: Simplify unlink of data urbs on error (bnc#934942).
  • uas: Use scsi_print_command (bnc#934942).
  • uas: pre_reset and suspend: Fix a few races (bnc#934942).
  • uas: zap_pending: data urbs should have completed at this time
    (bnc#934942).
  • x86/kernel: Do not reserve crashkernel high memory if crashkernel low
    memory reserving failed (bsc#939145).
  • x86/smpboot: Check for cpu_active on cpu initialization (bsc#932285).
  • x86/smpboot: Check for cpu_active on cpu initialization (bsc#936773).
  • xhci: Workaround for PME stuck issues in Intel xhci (bnc#944028).
  • xhci: rework cycle bit checking for new dequeue pointers (bnc#944028).
  • xfs: Fix file type directory corruption for btree directories
    (bsc#941305).
