Security update for the Linux Kernel (important)

The SUSE Linux Enterprise 12 kernel was updated to receive various
security and bugfixes.

Following security bugs were fixed:

• CVE-2015-7550: A local user could have triggered a race between read and
  revoke in keyctl (bnc#958951).
• CVE-2015-8539: A negatively instantiated user key could have been used
  by a local user to leverage privileges (bnc#958463).
• CVE-2015-8543: The networking implementation in the Linux kernel did not
  validate protocol identifiers for certain protocol families, which
  allowed local users to cause a denial of service (NULL function pointer
  dereference and system crash) or possibly gain privileges by leveraging
  CLONE_NEWUSER support to execute a crafted SOCK_RAW application
  (bnc#958886).
• CVE-2015-8550: Compiler optimizations in the XEN PV backend drivers
  could have lead to double fetch vulnerabilities, causing denial of
  service or arbitrary code execution (depending on the configuration)
  (bsc#957988).
• CVE-2015-8551, CVE-2015-8552: xen/pciback: For
  XEN_PCI_OP_disable_msi[|x] only disable if device has MSI(X) enabled
  (bsc#957990).
• CVE-2015-8569: The (1) pptp_bind and (2) pptp_connect functions in
  drivers/net/ppp/pptp.c in the Linux kernel did not verify an address
  length, which allowed local users to obtain sensitive information from
  kernel memory and bypass the KASLR protection mechanism via a crafted
  application (bnc#959190).
• CVE-2015-8575: Validate socket address length in sco_sock_bind() to
  prevent information leak (bsc#959399).

The following non-security bugs were fixed:

• ACPICA: Correctly cleanup after a ACPI table load failure (bnc#937261).
• ALSA: hda - Fix noise problems on Thinkpad T440s (boo#958504).
• Input: aiptek - fix crash on detecting device without endpoints
  (bnc#956708).
• Re-add copy_page_vector_to_user()
• Refresh patches.xen/xen3-patch-3.12.46-47 (bsc#959705).
• Refresh patches.xen/xen3-patch-3.9 (bsc#951155).
• Update
  patches.suse/btrfs-8361-Btrfs-keep-dropped-roots-in-cache-until-transaction
  -.patch (bnc#935087, bnc#945649, bnc#951615).
• bcache: Add btree_insert_node() (bnc#951638).
• bcache: Add explicit keylist arg to btree_insert() (bnc#951638).
• bcache: Clean up keylist code (bnc#951638).
• bcache: Convert btree_insert_check_key() to btree_insert_node()
  (bnc#951638).
• bcache: Convert bucket_wait to wait_queue_head_t (bnc#951638).
• bcache: Convert try_wait to wait_queue_head_t (bnc#951638).
• bcache: Explicitly track btree node’s parent (bnc#951638).
• bcache: Fix a bug when detaching (bsc#951638).
• bcache: Fix a lockdep splat in an error path (bnc#951638).
• bcache: Fix a shutdown bug (bsc#951638).
• bcache: Fix more early shutdown bugs (bsc#951638).
• bcache: Fix sysfs splat on shutdown with flash only devs (bsc#951638).
• bcache: Insert multiple keys at a time (bnc#951638).
• bcache: Refactor journalling flow control (bnc#951638).
• bcache: Refactor request_write() (bnc#951638).
• bcache: Use blkdev_issue_discard() (bnc#951638).
• bcache: backing device set to clean after finishing detach (bsc#951638).
• bcache: kill closure locking usage (bnc#951638).
• blktap: also call blkif_disconnect() when frontend switched to closed
  (bsc#952976).
• blktap: refine mm tracking (bsc#952976).
• block: Always check queue limits for cloned requests (bsc#902606).
• btrfs: Add qgroup tracing (bnc#935087, bnc#945649).
• btrfs: Adjust commit-transaction condition to avoid NO_SPACE more
  (bsc#958647).
• btrfs: Fix out-of-space bug (bsc#958647).
• btrfs: Fix tail space processing in find_free_dev_extent() (bsc#958647).
• btrfs: Set relative data on clear btrfs_block_group_cache->pinned
  (bsc#958647).
• btrfs: Update btrfs qgroup status item when rescan is done (bnc#960300).
• btrfs: backref: Add special time_seq == (u64)-1 case for
  btrfs_find_all_roots() (bnc#935087, bnc#945649).
• btrfs: backref: Do not merge refs which are not for same block
  (bnc#935087, bnc#945649).
• btrfs: cleanup: remove no-used alloc_chunk in
  btrfs_check_data_free_space() (bsc#958647).
• btrfs: delayed-ref: Cleanup the unneeded functions (bnc#935087,
  bnc#945649).
• btrfs: delayed-ref: Use list to replace the ref_root in ref_head
  (bnc#935087, bnc#945649).
• btrfs: extent-tree: Use ref_node to replace unneeded parameters in
  __inc_extent_ref() and __free_extent() (bnc#935087, bnc#945649).
• btrfs: fix comp_oper to get right order (bnc#935087, bnc#945649).
• btrfs: fix condition of commit transaction (bsc#958647).
• btrfs: fix leak in qgroup_subtree_accounting() error path (bnc#935087,
  bnc#945649).
• btrfs: fix order by which delayed references are run (bnc#949440).
• btrfs: fix qgroup sanity tests (bnc#951615).
• btrfs: fix race waiting for qgroup rescan worker (bnc#960300).
• btrfs: fix regression running delayed references when using qgroups
  (bnc#951615).
• btrfs: fix regression when running delayed references (bnc#951615).
• btrfs: fix sleeping inside atomic context in qgroup rescan worker
  (bnc#960300).
• btrfs: fix the number of transaction units needed to remove a block
  group (bsc#958647).
• btrfs: keep dropped roots in cache until transaction commit (bnc#935087,
  bnc#945649).
• btrfs: qgroup: Add function qgroup_update_counters() (bnc#935087,
  bnc#945649).
• btrfs: qgroup: Add function qgroup_update_refcnt() (bnc#935087,
  bnc#945649).
• btrfs: qgroup: Add new function to record old_roots (bnc#935087,
  bnc#945649).
• btrfs: qgroup: Add new qgroup calculation function
  btrfs_qgroup_account_extents() (bnc#935087, bnc#945649).
• btrfs: qgroup: Add the ability to skip given qgroup for old/new_roots
  (bnc#935087, bnc#945649).
• btrfs: qgroup: Cleanup open-coded old/new_refcnt update and read
  (bnc#935087, bnc#945649).
• btrfs: qgroup: Cleanup the old ref_node-oriented mechanism (bnc#935087,
  bnc#945649).
• btrfs: qgroup: Do not copy extent buffer to do qgroup rescan
  (bnc#960300).
• btrfs: qgroup: Fix a regression in qgroup reserved space (bnc#935087,
  bnc#945649).
• btrfs: qgroup: Make snapshot accounting work with new extent-oriented
  qgroup (bnc#935087, bnc#945649).
• btrfs: qgroup: Record possible quota-related extent for qgroup
  (bnc#935087, bnc#945649).
• btrfs: qgroup: Switch rescan to new mechanism (bnc#935087, bnc#945649).
• btrfs: qgroup: Switch self test to extent-oriented qgroup mechanism
  (bnc#935087, bnc#945649).
• btrfs: qgroup: Switch to new extent-oriented qgroup mechanism
  (bnc#935087, bnc#945649).
• btrfs: qgroup: account shared subtree during snapshot delete
  (bnc#935087, bnc#945649).
• btrfs: qgroup: clear STATUS_FLAG_ON in disabling quota (bnc#960300).
• btrfs: qgroup: exit the rescan worker during umount (bnc#960300).
• btrfs: qgroup: fix quota disable during rescan (bnc#960300).
• btrfs: qgroup: move WARN_ON() to the correct location (bnc#935087,
  bnc#945649).
• btrfs: remove transaction from send (bnc#935087, bnc#945649).
• btrfs: ulist: Add ulist_del() function (bnc#935087, bnc#945649).
• btrfs: use btrfs_get_fs_root in resolve_indirect_ref (bnc#935087,
  bnc#945649).
• btrfs: use global reserve when deleting unused block group after ENOSPC
  (bsc#958647).
• cache: Fix sysfs splat on shutdown with flash only devs (bsc#951638).
• cpusets, isolcpus: exclude isolcpus from load balancing in cpusets
  (bsc#957395).
• drm/i915: Fix SRC_COPY width on 830/845g (bsc#758040).
• drm: Allocate new master object when client becomes master (bsc#956876,
  bsc#956801).
• drm: Fix KABI of "struct drm_file" (bsc#956876, bsc#956801).
• e1000e: Do not read ICR in Other interrupt (bsc#924919).
• e1000e: Do not write lsc to ics in msi-x mode (bsc#924919).
• e1000e: Fix msi-x interrupt automask (bsc#924919).
• e1000e: Remove unreachable code (bsc#924919).
• genksyms: Handle string literals with spaces in reference files
  (bsc#958510).
• ipv6: fix tunnel error handling (bsc#952579).
• lpfc: Fix null ndlp dereference in target_reset_handler (bsc#951392).
• mm/mempolicy.c: convert the shared_policy lock to a rwlock (bnc#959436).
• mm: remove PG_waiters from PAGE_FLAGS_CHECK_AT_FREE (bnc#943959).
• pm, hinernate: use put_page in release_swap_writer (bnc#943959).
• sched, isolcpu: make cpu_isolated_map visible outside scheduler
  (bsc#957395).
• udp: properly support MSG_PEEK with truncated buffers (bsc#951199
  bsc#959364).
• xhci: Workaround to get Intel xHCI reset working more reliably
  (bnc#957546).