Security update for the Linux Kernel (important)

The SUSE Linux Enterprise 12 SP1 kernel was updated to receive various
security and bugfixes.

The following security bugs were fixed:

• CVE-2017-16939: The XFRM dump policy implementation in
  net/xfrm/xfrm_user.c in the Linux kernel allowed local users to gain
  privileges or cause a denial of service (use-after-free) via a crafted
  SO_RCVBUF setsockopt system call in conjunction with XFRM_MSG_GETPOLICY
  Netlink messages. (bnc#1069702)
• CVE-2017-1000405: mm, thp: do not dirty huge pages on read fault
  (bnc#1069496).
• CVE-2017-16649: The usbnet_generic_cdc_bind function in
  drivers/net/usb/cdc_ether.c in the Linux kernel allowed local users to
  cause a denial of service (divide-by-zero error and system crash) or
  possibly have unspecified other impact via a crafted USB device.
  (bnc#1067085)
• CVE-2014-0038: The compat_sys_recvmmsg function in net/compat.c, when
  CONFIG_X86_X32 is enabled, allowed local users to gain privileges via a
  recvmmsg system call with a crafted timeout pointer parameter
  (bnc#860993).
• CVE-2017-16650: The qmi_wwan_bind function in drivers/net/usb/qmi_wwan.c
  in the Linux kernel allowed local users to cause a denial of service
  (divide-by-zero error and system crash) or possibly have unspecified
  other impact via a crafted USB device. (bnc#1067086)
• CVE-2017-16535: The usb_get_bos_descriptor function in
  drivers/usb/core/config.c in the Linux kernel allowed local users to
  cause a denial of service (out-of-bounds read and system crash) or
  possibly have unspecified other impact via a crafted USB device.
  (bnc#1066700)
• CVE-2017-15102: The tower_probe function in
  drivers/usb/misc/legousbtower.c in the Linux kernel allowed local users
  (who are physically proximate for inserting a crafted USB device) to
  gain privileges by leveraging a write-what-where condition that occurs
  after a race condition and a NULL pointer dereference. (bnc#1066705)
• CVE-2017-16531: drivers/usb/core/config.c in the Linux kernel allowed
  local users to cause a denial of service (out-of-bounds read and system
  crash) or possibly have unspecified other impact via a crafted USB
  device, related to the USB_DT_INTERFACE_ASSOCIATION descriptor.
  (bnc#1066671)
• CVE-2017-12193: The assoc_array_insert_into_terminal_node function in
  lib/assoc_array.c in the Linux kernel mishandled node splitting, which
  allowed local users to cause a denial of service (NULL pointer
  dereference and panic) via a crafted application, as demonstrated by the
  keyring key type, and key addition and link creation operations.
  (bnc#1066192)
• CVE-2017-16529: The snd_usb_create_streams function in sound/usb/card.c
  in the Linux kernel allowed local users to cause a denial of service
  (out-of-bounds read and system crash) or possibly have unspecified other
  impact via a crafted USB device. (bnc#1066650)
• CVE-2017-16525: The usb_serial_console_disconnect function in
  drivers/usb/serial/console.c in the Linux kernel allowed local users to
  cause a denial of service (use-after-free and system crash) or possibly
  have unspecified other impact via a crafted USB device, related to
  disconnection and failed setup. (bnc#1066618)
• CVE-2017-16537: The imon_probe function in drivers/media/rc/imon.c in
  the Linux kernel allowed local users to cause a denial of service (NULL
  pointer dereference and system crash) or possibly have unspecified other
  impact via a crafted USB device. (bnc#1066573)
• CVE-2017-16536: The cx231xx_usb_probe function in
  drivers/media/usb/cx231xx/cx231xx-cards.c in the Linux kernel allowed
  local users to cause a denial of service (NULL pointer dereference and
  system crash) or possibly have unspecified other impact via a crafted
  USB device. (bnc#1066606)
• CVE-2017-16527: sound/usb/mixer.c in the Linux kernel allowed local
  users to cause a denial of service (snd_usb_mixer_interrupt
  use-after-free and system crash) or possibly have unspecified other
  impact via a crafted USB device. (bnc#1066625)

The following non-security bugs were fixed:

• NVMe: No lock while DMA mapping data (bsc#975788).
• bcache: Add bch_keylist_init_single() (bsc#1047626).
• bcache: Add btree_map() functions (bsc#1047626).
• bcache: Add on error panic/unregister setting (bsc#1047626).
• bcache: Convert gc to a kthread (bsc#1047626).
• bcache: Delete some slower inline asm (bsc#1047626).
• bcache: Drop unneeded blk_sync_queue() calls (bsc#1047626).
• bcache: Fix a bug recovering from unclean shutdown (bsc#1047626).
• bcache: Fix a journalling reclaim after recovery bug (bsc#1047626).
• bcache: Fix a null ptr deref in journal replay (bsc#1047626).
• bcache: Fix an infinite loop in journal replay (bsc#1047626).
• bcache: Fix bch_ptr_bad() (bsc#1047626).
• bcache: Fix discard granularity (bsc#1047626).
• bcache: Fix for can_attach_cache() (bsc#1047626).
• bcache: Fix heap_peek() macro (bsc#1047626).
• bcache: Fix moving_pred() (bsc#1047626).
• bcache: Fix to remove the rcu_sched stalls (bsc#1047626).
• bcache: Improve bucket_prio() calculation (bsc#1047626).
• bcache: Improve priority_stats (bsc#1047626).
• bcache: Minor btree cache fix (bsc#1047626).
• bcache: Move keylist out of btree_op (bsc#1047626).
• bcache: New writeback PD controller (bsc#1047626).
• bcache: PRECEDING_KEY() (bsc#1047626).
• bcache: Performance fix for when journal entry is full (bsc#1047626).
• bcache: Remove redundant block_size assignment (bsc#1047626).
• bcache: Remove redundant parameter for cache_alloc() (bsc#1047626).
• bcache: Remove/fix some header dependencies (bsc#1047626).
• bcache: Trivial error handling fix (bsc#1047626).
• bcache: Use ida for bcache block dev minor (bsc#1047626).
• bcache: allows use of register in udev to avoid "device_busy" error
  (bsc#1047626).
• bcache: bch_allocator_thread() is not freezable (bsc#1047626).
• bcache: bch_gc_thread() is not freezable (bsc#1047626).
• bcache: bugfix - gc thread now gets woken when cache is full
  (bsc#1047626).
• bcache: bugfix - moving_gc now moves only correct buckets (bsc#1047626).
• bcache: cleaned up error handling around register_cache() (bsc#1047626).
• bcache: clear BCACHE_DEV_UNLINK_DONE flag when attaching a backing
  device (bsc#1047626).
• bcache: defensively handle format strings (bsc#1047626).
• bcache: fix BUG_ON due to integer overflow with GC_SECTORS_USED
  (bsc#1047626).
• bcache: fix a livelock when we cause a huge number of cache misses
  (bsc#1047626).
• bcache: fix crash in bcache_btree_node_alloc_fail tracepoint
  (bsc#1047626).
• bcache: fix for gc and writeback race (bsc#1047626).
• bcache: fix for gc crashing when no sectors are used (bsc#1047626).
• bcache: kill index() (bsc#1047626).
• bcache: register_bcache(): call blkdev_put() when cache_alloc() fails
  (bsc#1047626).
• bcache: stop moving_gc marking buckets that can’t be moved (bsc#1047626).
• mac80211: do not compare TKIP TX MIC key in reinstall prevention
  (bsc#1066472).
• mac80211: use constant time comparison with keys (bsc#1066471).
• packet: fix use-after-free in fanout_add()
• scsi: ILLEGAL REQUEST + ASC==27 produces target failure (bsc#1059465).