Security update for kernel-source (important)

ID SUSE-SU-2015:1727-1
Type suse
Reporter Suse
Modified 2015-10-13T11:09:43


The SUSE Linux Enterprise 12 kernel was updated to 3.12.48-52.27 to receive various security and bugfixes.

The following security bugs were fixed:

* CVE-2015-7613: A flaw was found in the Linux kernel IPC code that could lead to arbitrary code execution. The ipc_addid() function initialized a shared object that has unset uid/gid values. Since the fields are not initialized, the check can falsely succeed. (bsc#948536)
* CVE-2015-5156: When a guest's KVM network device is in a bridge configuration, the kernel can create a situation in which packets are fragmented in an unexpected fashion. The GRO functionality can create a situation in which multiple SKBs are chained together in a single packet's fraglist (by design). (bsc#940776)
* CVE-2015-5157: arch/x86/entry/entry_64.S in the Linux kernel before 4.1.6 on the x86_64 platform mishandles IRET faults in processing NMIs that occurred during userspace execution, which might allow local users to gain privileges by triggering an NMI. (bsc#938706)
* CVE-2015-6252: A flaw was found in the way the Linux kernel's vhost driver treated a userspace-provided log file descriptor when processing the VHOST_SET_LOG_FD ioctl command. The file descriptor was never released and continued to consume kernel memory. A privileged local user with access to the /dev/vhost-net files could use this flaw to create a denial-of-service attack. (bsc#942367)
* CVE-2015-5697: The get_bitmap_file function in drivers/md/md.c in the Linux kernel before 4.1.6 does not initialize a certain bitmap data structure, which allows local users to obtain sensitive information from kernel memory via a GET_BITMAP_FILE ioctl call. (bnc#939994)
* CVE-2015-6937: A NULL pointer dereference flaw was found in the Reliable Datagram Sockets (RDS) implementation, allowing a local user to cause a system DoS. A check that the underlying transport exists was missing when a connection was created. (bsc#945825)
* CVE-2015-5283: A NULL pointer dereference flaw was found in the SCTP implementation, allowing a local user to cause a system DoS. Creating multiple sockets in parallel when the system does not have the SCTP module loaded can lead to a kernel panic. (bsc#947155)

The following non-security bugs were fixed:

- ALSA: hda - Abort the probe without i915 binding for HSW/BDW (bsc#936556).
- Btrfs: Backport subvolume mount option handling (bsc#934962)
- Btrfs: Handle unaligned length in extent_same (bsc#937609).
- Btrfs: advertise which crc32c implementation is being used on mount (bsc#946057).
- Btrfs: allow mounting btrfs subvolumes with different ro/rw options.
- Btrfs: check if previous transaction aborted to avoid fs corruption (bnc#942509).
- Btrfs: clean up error handling in mount_subvol() (bsc#934962).
- Btrfs: cleanup orphans while looking up default subvolume (bsc#914818).
- Btrfs: do not update mtime/ctime on deduped inodes (bsc#937616).
- Btrfs: fail on mismatched subvol and subvolid mount options (bsc#934962).
- Btrfs: fix chunk allocation regression leading to transaction abort (bnc#938550).
- Btrfs: fix clone / extent-same deadlocks (bsc#937612).
- Btrfs: fix crash on close_ctree() if cleaner starts new transaction (bnc#938891).
- Btrfs: fix deadlock with extent-same and readpage (bsc#937612).
- Btrfs: fix file corruption after cloning inline extents (bnc#942512).
- Btrfs: fix file read corruption after extent cloning and fsync (bnc#946902).
- Btrfs: fix find_free_dev_extent() malfunction in case device tree has hole (bnc#938550).
- Btrfs: fix hang when failing to submit bio of directIO (bnc#942685).
- Btrfs: fix list transaction->pending_ordered corruption (bnc#938893).
- Btrfs: fix memory corruption on failure to submit bio for direct IO (bnc#942685).
- Btrfs: fix memory leak in the extent_same ioctl (bsc#937613).
- Btrfs: fix put dio bio twice when we submit dio bio fail (bnc#942685).
- Btrfs: fix race between balance and unused block group deletion (bnc#938892).
- Btrfs: fix range cloning when same inode used as source and destination (bnc#942511).
- Btrfs: fix read corruption of compressed and shared extents (bnc#946906).
- Btrfs: fix uninit variable in clone ioctl (bnc#942511).
- Btrfs: fix use-after-free in mount_subvol().
- Btrfs: fix wrong check for btrfs_force_chunk_alloc() (bnc#938550).
- Btrfs: lock superblock before remounting for rw subvol (bsc#934962).
- Btrfs: pass unaligned length to btrfs_cmp_data() (bsc#937609).
- Btrfs: remove all subvol options before mounting top-level (bsc#934962).
- Btrfs: show subvol= and subvolid= in /proc/mounts (bsc#934962).
- Btrfs: unify subvol= and subvolid= mounting (bsc#934962).
- Btrfs: fill ->last_trans for delayed inode in btrfs_fill_inode (bnc#942925).
- Btrfs: fix metadata inconsistencies after directory fsync (bnc#942925).
- Btrfs: fix stale dir entries after removing a link and fsync (bnc#942925).
- Btrfs: fix stale dir entries after unlink, inode eviction and fsync (bnc#942925).
- Btrfs: fix stale directory entries after fsync log replay (bnc#942925).
- Btrfs: make btrfs_search_forward return with nodes unlocked (bnc#942925).
- Btrfs: support NFSv2 export (bnc#929871).
- Btrfs: update fix for read corruption of compressed and shared extents (bsc#948256).
- Drivers: hv: do not do hypercalls when hypercall_page is NULL.
- Drivers: hv: vmbus: add special crash handler.
- Drivers: hv: vmbus: add special kexec handler.
- Drivers: hv: vmbus: remove hv_synic_free_cpu() call from hv_synic_cleanup().
- Input: evdev - do not report errors form flush() (bsc#939834).
- Input: synaptics - do not retrieve the board id on old firmwares (bsc#929092).
- Input: synaptics - log queried and quirked dimension values (bsc#929092).
- Input: synaptics - query min dimensions for fw v8.1.
- Input: synaptics - remove X1 Carbon 3rd gen from the topbuttonpad list (bsc#929092).
- Input: synaptics - remove X250 from the topbuttonpad list.
- Input: synaptics - remove obsolete min/max quirk for X240 (bsc#929092).
- Input: synaptics - skip quirks when post-2013 dimensions (bsc#929092).
- Input: synaptics - split synaptics_resolution(), query first (bsc#929092).
- Input: synaptics - support min/max board id in min_max_pnpid_table (bsc#929092).
- NFS: Make sure XPRT_CONNECTING gets cleared when needed (bsc#946309).
- NFSv4: do not set SETATTR for O_RDONLY|O_EXCL (bsc#939716).
- PCI: Move MPS configuration check to pci_configure_device() (bsc#943313).
- PCI: Set MPS to match upstream bridge (bsc#943313).
- SCSI: fix regression in scsi_send_eh_cmnd() (bsc#930813).
- SCSI: fix scsi_error_handler vs. scsi_host_dev_release race (bnc#942204).
- SCSI: vmw_pvscsi: Fix pvscsi_abort() function (bnc#940398).
- UAS: fixup for remaining use of dead_list (bnc#934942).
- USB: storage: use %*ph specifier to dump small buffers (bnc#934942).
- aio: fix reqs_available handling (bsc#943378).
- audit: do not generate loginuid log when audit disabled (bsc#941098).
- blk-merge: do not compute bi_phys_segments from bi_vcnt for cloned bio (bnc#934430).
- blk-merge: fix blk_recount_segments (bnc#934430).
- blk-merge: recaculate segment if it isn't less than max segments (bnc#934430).
- block: add queue flag for disabling SG merging (bnc#934430).
- block: blk-merge: fix blk_recount_segments() (bnc#934430).
- config: disable CONFIG_TCM_RBD on ppc64le and s390x
- cpufreq: intel_pstate: Add CPU ID for Braswell processor.
- dlm: fix missing endian conversion of rcom_status flags (bsc#940679).
- dm cache mq: fix memory allocation failure for large cache devices (bsc#942707).
- drm/i915: Avoid race of intel_crt_detect_hotplug() with HPD interrupt (bsc#942938).
- drm/i915: Make hpd arrays big enough to avoid out of bounds access (bsc#942938).
- drm/i915: Only print hotplug event message when hotplug bit is set (bsc#942938).
- drm/i915: Queue reenable timer also when enable_hotplug_processing is false (bsc#942938).
- drm/i915: Use an interrupt save spinlock in intel_hpd_irq_handler() (bsc#942938).
- drm/radeon: fix hotplug race at startup (bsc#942307).
- ethtool, net/mlx4_en: Add 100M, 20G, 56G speeds ethtool reporting support (bsc#945710).
- hrtimer: prevent timer interrupt DoS (bnc#886785).
- hv: fcopy: add memory barrier to propagate state (bnc#943529).
- inotify: Fix nested sleeps in inotify_read() (bsc#940925).
- intel_pstate: Add CPU IDs for Broadwell processors.
- intel_pstate: Add CPUID for BDW-H CPU.
- intel_pstate: Add support for SkyLake.
- intel_pstate: Correct BYT VID values (bnc#907973).
- intel_pstate: Remove periodic P state boost (bnc#907973).
- intel_pstate: add sample time scaling (bnc#907973, bnc#924722, bnc#916543).
- intel_pstate: don't touch turbo bit if turbo disabled or unavailable (bnc#907973).
- intel_pstate: remove setting P state to MAX on init (bnc#907973).
- intel_pstate: remove unneeded sample buffers (bnc#907973).
- intel_pstate: set BYT MSR with wrmsrl_on_cpu() (bnc#907973).
- ipr: Fix incorrect trace indexing (bsc#940912).
- ipr: Fix invalid array indexing for HRRQ (bsc#940912).
- iwlwifi: dvm: drop non VO frames when flushing (bsc#940545).
- kABI workaround for ieee80211_ops.flush argument change (bsc#940545).
- kconfig: Do not print status messages in make -s mode (bnc#942160).
- kernel/modsign_uefi.c: Check for EFI_RUNTIME_SERVICES in load_uefi_certs (bsc#856382).
- kernel: do full redraw of the 3270 screen on reconnect (bnc#943476, LTC#129509).
- kexec: define kexec_in_progress in !CONFIG_KEXEC case.
- kvm: Use WARN_ON_ONCE for missing X86_FEATURE_NRIPS (bsc#947537).
- lpfc: Fix scsi prep dma buf error (bsc#908950).
- mac80211: add vif to flush call (bsc#940545).
- md/bitmap: do not abuse i_writecount for bitmap files (bsc#943270).
- md/bitmap: protect clearing of ->bitmap by mddev->lock (bnc#912183).
- md/raid5: use ->lock to protect accessing raid5 sysfs attributes (bnc#912183).
- md: fix problems with freeing private data after ->run failure (bnc#912183).
- md: level_store: group all important changes into one place (bnc#912183).
- md: move GET_BITMAP_FILE ioctl out from mddev_lock (bsc#943270).
- md: protect ->pers changes with mddev->lock (bnc#912183).
- md: remove mddev_lock from rdev_attr_show() (bnc#912183).
- md: remove mddev_lock() from md_attr_show() (bnc#912183).
- md: remove need for mddev_lock() in md_seq_show() (bnc#912183).
- md: split detach operation out from ->stop (bnc#912183).
- md: tidy up set_bitmap_file (bsc#943270).
- megaraid_sas: Handle firmware initialization after fast boot (bsc#922071).
- mfd: lpc_ich: Assign subdevice ids automatically (bnc#898159).
- mm: filemap: Avoid unnecessary barriers and waitqueue lookups -fix (VM/FS Performance (bnc#941951)).
- mm: make page pfmemalloc check more robust (bnc#920016).
- mm: numa: disable change protection for vma(VM_HUGETLB) (bnc#943573).
- netfilter: nf_conntrack_proto_sctp: minimal multihoming support (bsc#932350).
- net/mlx4_core: Add ethernet backplane autoneg device capability (bsc#945710).
- net/mlx4_core: Introduce ACCESS_REG CMD and eth_prot_ctrl dev cap (bsc#945710).
- net/mlx4_en: Use PTYS register to query ethtool settings (bsc#945710).
- net/mlx4_en: Use PTYS register to set ethtool settings (Speed) (bsc#945710).
- rcu: Reject memory-order-induced stall-warning false positives (bnc#941908).
- s390/dasd: fix kernel panic when alias is set offline (bnc#940965, LTC#128595).
- sched: Fix KMALLOC_MAX_SIZE overflow during cpumask allocation (bnc#939266).
- sched: Fix cpu_active_mask/cpu_online_mask race (bsc#936773).
- sched, numa: do not hint for NUMA balancing on VM_MIXEDMAP mappings (bnc#943573).
- uas: Add US_FL_MAX_SECTORS_240 flag (bnc#934942).
- uas: Add response iu handling (bnc#934942).
- uas: Add uas_get_tag() helper function (bnc#934942).
- uas: Check against unexpected completions (bnc#934942).
- uas: Cleanup uas_log_cmd_state usage (bnc#934942).
- uas: Do not log urb status error on cancellation (bnc#934942).
- uas: Do not use scsi_host_find_tag (bnc#934942).
- uas: Drop COMMAND_COMPLETED flag (bnc#934942).
- uas: Drop all references to a scsi_cmnd once it has been aborted (bnc#934942).
- uas: Drop inflight list (bnc#934942).
- uas: Fix memleak of non-submitted urbs (bnc#934942).
- uas: Fix resetting flag handling (bnc#934942).
- uas: Free data urbs on completion (bnc#934942).
- uas: Log error codes when logging errors (bnc#934942).
- uas: Reduce number of function arguments for uas_alloc_foo functions (bnc#934942).
- uas: Remove cmnd reference from the cmd urb (bnc#934942).
- uas: Remove support for old sense ui as used in pre-production hardware (bnc#934942).
- uas: Remove task-management / abort error handling code (bnc#934942).
- uas: Set max_sectors_240 quirk for ASM1053 devices (bnc#934942).
- uas: Simplify reset / disconnect handling (bnc#934942).
- uas: Simplify unlink of data urbs on error (bnc#934942).
- uas: Use scsi_print_command (bnc#934942).
- uas: pre_reset and suspend: Fix a few races (bnc#934942).
- uas: zap_pending: data urbs should have completed at this time (bnc#934942).
- x86/kernel: Do not reserve crashkernel high memory if crashkernel low memory reserving failed (bsc#939145).
- x86/smpboot: Check for cpu_active on cpu initialization (bsc#932285).
- x86/smpboot: Check for cpu_active on cpu initialization (bsc#936773).
- xhci: Workaround for PME stuck issues in Intel xhci (bnc#944028).
- xhci: rework cycle bit checking for new dequeue pointers (bnc#944028).
- xfs: Fix file type directory corruption for btree directories (bsc#941305).
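
To confirm that a host is running a kernel at or above the fixed version 3.12.48-52.27 named in this advisory, the following check can be used. It is an added example, not part of the SUSE advisory; the function names are hypothetical, and it assumes `uname -r` reports `<version>-<release>-<flavor>` (for instance a `-default` suffix).

```shell
#!/bin/sh
# Fixed kernel version stated in this advisory (SUSE-SU-2015:1727-1).
FIXED_VERSION="3.12.48-52.27"

# version_ge A B: return 0 if A >= B, comparing the dot/dash separated
# numeric fields left to right; a missing field in A counts as 0.
version_ge() {
    vg_a=$(printf '%s\n' "$1" | sed 's/[.-]/ /g')
    vg_b=$(printf '%s\n' "$2" | sed 's/[.-]/ /g')
    set -- $vg_a
    for vg_y in $vg_b; do
        vg_x=${1:-0}
        [ $# -gt 0 ] && shift
        [ "$vg_x" -gt "$vg_y" ] && return 0
        [ "$vg_x" -lt "$vg_y" ] && return 1
    done
    return 0
}

# kernel_is_patched RELEASE: 0 = at or above the fixed version,
# 1 = older, 2 = release string not in the assumed layout.
kernel_is_patched() {
    # Drop a trailing flavor such as "-default" or "-xen" (assumed layout).
    kip_rel=$(printf '%s\n' "$1" | sed -E 's/-[A-Za-z][A-Za-z0-9_]*$//')
    # Accept only numeric <version>-<release>; anything else is unknown.
    printf '%s\n' "$kip_rel" |
        grep -Eq '^[0-9]+(\.[0-9]+)*-[0-9]+(\.[0-9]+)*$' || return 2
    version_ge "$kip_rel" "$FIXED_VERSION"
}

# Stand-alone use: pass the release to test, e.g. "$(uname -r)".
if [ $# -gt 0 ]; then
    kernel_is_patched "$1" && rc=0 || rc=$?
    case $rc in
        0) echo "$1: at or above $FIXED_VERSION" ;;
        1) echo "$1: older than $FIXED_VERSION, update and reboot" ;;
        *) echo "$1: unrecognized release string" ;;
    esac
fi
```

`uname -r` reflects the running kernel, so a host with the update installed but not yet rebooted still reports the older release.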