SUSE-SU-2017:3265-1
Dec 11, 2017 - 9:09 p.m.

Security update for the Linux Kernel (important)

2017-12-11 21:09:33
lists.opensuse.org
EPSS: 0.009 (Low), percentile 81.3%

The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various
security fixes and bug fixes.

The following security bugs were fixed:

  • CVE-2017-16649: The usbnet_generic_cdc_bind function in
    drivers/net/usb/cdc_ether.c in the Linux kernel allowed local users to
    cause a denial of service (divide-by-zero error and system crash) or
    possibly have unspecified other impact via a crafted USB device
    (bnc#1067085).
  • CVE-2017-16535: The usb_get_bos_descriptor function in
    drivers/usb/core/config.c in the Linux kernel allowed local users to
    cause a denial of service (out-of-bounds read and system crash) or
    possibly have unspecified other impact via a crafted USB device
    (bnc#1066700).
  • CVE-2017-15102: The tower_probe function in
    drivers/usb/misc/legousbtower.c in the Linux kernel allowed local users
    (who are physically proximate for inserting a crafted USB device) to
    gain privileges by leveraging a write-what-where condition that occurs
    after a race condition and a NULL pointer dereference (bnc#1066705).
  • CVE-2017-16531: drivers/usb/core/config.c in the Linux kernel allowed
    local users to cause a denial of service (out-of-bounds read and system
    crash) or possibly have unspecified other impact via a crafted USB
    device, related to the USB_DT_INTERFACE_ASSOCIATION descriptor
    (bnc#1066671).
  • CVE-2017-16529: The snd_usb_create_streams function in sound/usb/card.c
    in the Linux kernel allowed local users to cause a denial of service
    (out-of-bounds read and system crash) or possibly have unspecified other
    impact via a crafted USB device (bnc#1066650).
  • CVE-2017-16525: The usb_serial_console_disconnect function in
    drivers/usb/serial/console.c in the Linux kernel allowed local users to
    cause a denial of service (use-after-free and system crash) or possibly
    have unspecified other impact via a crafted USB device, related to
    disconnection and failed setup (bnc#1066618).
  • CVE-2017-16537: The imon_probe function in drivers/media/rc/imon.c in
    the Linux kernel allowed local users to cause a denial of service (NULL
    pointer dereference and system crash) or possibly have unspecified other
    impact via a crafted USB device (bnc#1066573).
  • CVE-2017-16536: The cx231xx_usb_probe function in
    drivers/media/usb/cx231xx/cx231xx-cards.c in the Linux kernel allowed
    local users to cause a denial of service (NULL pointer dereference and
    system crash) or possibly have unspecified other impact via a crafted
    USB device (bnc#1066606).
  • CVE-2017-16527: sound/usb/mixer.c in the Linux kernel allowed local
    users to cause a denial of service (snd_usb_mixer_interrupt
    use-after-free and system crash) or possibly have unspecified other
    impact via a crafted USB device (bnc#1066625).
  • CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed
    reinstallation of the Group Temporal Key (GTK) during the group key
    handshake, allowing an attacker within radio range to replay frames from
    access points to clients (bnc#1063667).
  • CVE-2017-15274: security/keys/keyctl.c in the Linux kernel did not
    consider the case of a NULL payload in conjunction with a nonzero length
    value, which allowed local users to cause a denial of service (NULL
    pointer dereference and OOPS) via a crafted add_key or keyctl system
    call, a different vulnerability than CVE-2017-12192 (bnc#1045327).
  • CVE-2017-15265: Race condition in the ALSA subsystem in the Linux kernel
    allowed local users to cause a denial of service (use-after-free) or
    possibly have unspecified other impact via crafted /dev/snd/seq ioctl
    calls, related to sound/core/seq/seq_clientmgr.c and
    sound/core/seq/seq_ports.c (bnc#1062520).
  • CVE-2017-14489: The iscsi_if_rx function in
    drivers/scsi/scsi_transport_iscsi.c in the Linux kernel allowed local
    users to cause a denial of service (panic) by leveraging incorrect
    length validation (bnc#1059051).
  • CVE-2017-14340: The XFS_IS_REALTIME_INODE macro in fs/xfs/xfs_linux.h in
    the Linux kernel did not verify that a filesystem has a realtime device,
    which allowed local users to cause a denial of service (NULL pointer
    dereference and OOPS) via vectors related to setting an RHINHERIT flag
    on a directory (bnc#1058524).
  • CVE-2017-14140: The move_pages system call in mm/migrate.c in the Linux
    kernel doesn’t check the effective uid of the target process, enabling a
    local attacker to learn the memory layout of a setuid executable despite
    ASLR (bnc#1057179).
  • CVE-2017-14051: An integer overflow in the
    qla2x00_sysfs_write_optrom_ctl function in
    drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel allowed local users
    to cause a denial of service (memory corruption and system crash) by
    leveraging root access (bnc#1056588).
  • CVE-2017-10661: Race condition in fs/timerfd.c in the Linux kernel
    allowed local users to gain privileges or cause a denial of service
    (list corruption or use-after-free) via simultaneous file-descriptor
    operations that leverage improper might_cancel queueing (bnc#1053152).
  • CVE-2017-12762: In /drivers/isdn/i4l/isdn_net.c, a user-controlled
    buffer was copied into a local buffer of constant size using strcpy
    without a length check, which can cause a buffer overflow (bnc#1053148).
  • CVE-2017-8831: The saa7164_bus_get function in
    drivers/media/pci/saa7164/saa7164-bus.c in the Linux kernel allowed
    local users to cause a denial of service (out-of-bounds array access) or
    possibly have unspecified other impact by changing a certain
    sequence-number value, aka a "double fetch" vulnerability (bnc#1037994).
  • CVE-2017-1000112: An exploitable memory corruption due to UFO to non-UFO
    path switch was fixed (bnc#1052311 bnc#1052365).

The following non-security bugs were fixed:

  • alsa: core: Fix unexpected error at replacing user TLV (bsc#1045538).
  • alsa: hda - fix Lewisburg audio issue (fate#319286).
  • alsa: hda/ca0132 - Fix memory leak at error path (bsc#1045538).
  • alsa: timer: Add missing mutex lock for compat ioctls (bsc#1045538).
  • audit: Fix use after free in audit_remove_watch_rule() (bsc#1045205).
  • hid: usbhid: Add HID_QUIRK_NOGET for Aten CS-1758 KVM switch
    (bnc#1022967).
  • kvm: SVM: Add a missing ‘break’ statement (bsc#1061017).
  • kvm: async_pf: Fix #DF due to inject "Page not Present" and "Page Ready"
    exceptions simultaneously (bsc#1061017).
  • nfs: Cache aggressively when file is open for writing (bsc#1053933).
  • nfs: Do drop directory dentry when error clearly requires it
    (bsc#1051932).
  • nfs: Do not flush caches for a getattr that races with writeback
    (bsc#1053933).
  • nfs: Optimize fallocate by refreshing mapping when needed (bsc#1053933).
  • nfs: Remove asserts from the NFS XDR code (bsc#1063544).
  • nfs: invalidate file size when taking a lock (bsc#1053933).
  • pci: fix hotplug related issues (bnc#1054247, LTC#157731).
  • Update config files (bsc#1057796): CONFIG_MODULE_SIG_UEFI should be
    enabled on the x86_64/xen architecture because xen can work with shim on
    x86_64. This enables the following kernel config options to load
    certificates from db/mok: CONFIG_MODULE_SIG_BLACKLIST=y,
    CONFIG_MODULE_SIG_UEFI=y.
  • af_key: do not use GFP_KERNEL in atomic contexts (bsc#1054093).
  • autofs: do not fail mount for transient error (bsc#1065180).
  • xen: avoid deadlock in xenbus (bnc#1047523).
  • blacklist.conf: Add PCI ASPM fix to blacklist (bsc#1045538).
  • blkback/blktap: do not leak stack data via response ring (bsc#1042863
    XSA-216).
  • bnx2x: prevent crash when accessing PTP with interface down
    (bsc#1060665).
  • cx231xx-audio: fix NULL-deref at probe (bsc#1050431).
  • cx82310_eth: use skb_cow_head() to deal with cloned skbs (bsc#1045154).
  • dm bufio: fix integer overflow when limiting maximum cache size
    (git-fixes).
  • drm/mgag200: Fixes for G200eH3 (bnc#1062842).
  • fnic: Use the local variable instead of I/O flag to acquire io_req_lock
    in fnic_queuecommand() to avoid deadlock (bsc#1067816).
  • fuse: do not use iocb after it may have been freed (bsc#1054706).
  • fuse: fix fuse_write_end() if zero bytes were copied (bsc#1054706).
  • fuse: fsync() did not return IO errors (bsc#1054076).
  • fuse: fuse_flush must check mapping->flags for errors (bsc#1054706).
  • getcwd: Close race with d_move called by lustre (bsc#1052593).
  • gspca: konica: add missing endpoint sanity check (bsc#1050431).
  • i40e: Initialize 64-bit statistics TX ring seqcount (bsc#909484).
  • kabi fix for new hash_cred function (bsc#1012917).
  • kabi/severities: Ignore zpci symbol changes (bsc#1054247).
  • lib/mpi: mpi_read_raw_data(): fix nbits calculation (fate#314508).
  • lpfc: check for valid scsi cmnd in lpfc_scsi_cmd_iocb_cmpl()
    (bsc#1051133).
  • mac80211: do not compare TKIP TX MIC key in reinstall prevention
    (bsc#1066472).
  • md/bitmap: disable bitmap_resize for file-backed bitmaps (bsc#1061180).
  • media: platform: davinci: return -EINVAL for VPFE_CMD_S_CCDC_RAW_PARAMS
    ioctl (bsc#1050431).
  • net: Fix RCU splat in af_key (bsc#1054093).
  • netback: coalesce (guest) RX SKBs as needed (bsc#1056504).
  • nfs: Fix ugly referral attributes (git-fixes).
  • nfs: improve shrinking of access cache (bsc#1012917).
  • powerpc/fadump: add reschedule point while releasing memory (bsc#1040609
    bsc#1024450).
  • powerpc/fadump: avoid duplicates in crash memory ranges (bsc#1037669
    bsc#1037667).
  • powerpc/fadump: provide a helpful error message (bsc#1037669
    bsc#1037667).
  • powerpc/mm: Fix check of multiple 16G pages from device tree
    (bsc#1064861, git-fixes).
  • powerpc/prom: Increase minimum RMA size to 512MB (bsc#984530,
    bsc#1052370).
  • powerpc/pseries/vio: Dispose of virq mapping on vdevice unregister
    (bsc#1067888, git-fixes f2ab6219969f).
  • powerpc/slb: Force a full SLB flush when we insert for a bad EA
    (bsc#1054070).
  • powerpc/xics: Harden xics hypervisor backend (bnc#1056230).
  • powerpc: Correct instruction code for xxlor instruction (bsc#1064861,
    git-fixes).
  • powerpc: Fix emulation of mfocrf in emulate_step() (bsc#1064861,
    git-fixes).
  • powerpc: Fix the corrupt r3 error during MCE handling (bnc#1056230).
  • powerpc: Make sure IPI handlers see data written by IPI senders
    (bnc#1056230).
  • reiserfs: fix race in readdir (bsc#1039803).
  • s390/cpcmd,vmcp: avoid GFP_DMA allocations (bnc#1060245, LTC#159112).
  • s390/pci: do not cleanup in arch_setup_msi_irqs (bnc#1054247,
    LTC#157731).
  • s390/pci: fix handling of PEC 306 (bnc#1054247, LTC#157731).
  • s390/pci: improve error handling during fmb (de)registration
    (bnc#1054247, LTC#157731).
  • s390/pci: improve error handling during interrupt deregistration
    (bnc#1054247, LTC#157731).
  • s390/pci: improve pci hotplug (bnc#1054247, LTC#157731).
  • s390/pci: improve unreg_ioat error handling (bnc#1054247, LTC#157731).
  • s390/pci: introduce clp_get_state (bnc#1054247, LTC#157731).
  • s390/pci: provide more debug information (bnc#1054247, LTC#157731).
  • s390/qdio: avoid reschedule of outbound tasklet once killed
    (bnc#1063301, LTC#159885).
  • s390/topology: alternative topology for topology-less machines
    (bnc#1060245, LTC#159177).
  • s390/topology: enable / disable topology dynamically (bnc#1060245,
    LTC#159177).
  • scsi: avoid system stall due to host_busy race (bsc#1031358).
  • scsi: close race when updating blocked counters (bsc#1031358).
  • scsi: qla2xxx: Get mutex lock before checking optrom_state (bsc#1053317).
  • scsi: reset wait for IO completion (bsc#996376).
  • scsi: zfcp: fix capping of unsuccessful GPN_FT SAN response trace
    records (bnc#1060245, LTC#158494).
  • scsi: zfcp: fix missing trace records for early returns in TMF eh
    handlers (bnc#1060245, LTC#158494).
  • scsi: zfcp: fix passing fsf_req to SCSI trace on TMF to correlate with
    HBA (bnc#1060245, LTC#158494).
  • scsi: zfcp: fix payload with full FCP_RSP IU in SCSI trace records
    (bnc#1060245, LTC#158494).
  • scsi: zfcp: fix queuecommand for scsi_eh commands when DIX enabled
    (bnc#1060245, LTC#158493).
  • scsi: zfcp: trace HBA FSF response by default on dismiss or timedout
    late response (bnc#1060245, LTC#158494).
  • ser_gigaset: return -ENOMEM on error instead of success (bsc#1037441).
  • sunrpc: add RPCSEC_GSS hash_cred() function (bsc#1012917).
  • sunrpc: add auth_unix hash_cred() function (bsc#1012917).
  • sunrpc: add generic_auth hash_cred() function (bsc#1012917).
  • sunrpc: add hash_cred() function to rpc_authops struct (bsc#1012917).
  • sunrpc: replace generic auth_cred hash with auth-specific function
    (bsc#1012917).
  • sunrpc: use supplemental groups in auth hash (bsc#1012917).
  • supported.conf: clear mistaken external support flag for cifs.ko
    (bsc#1053802).
  • tpm: fix a kernel memory leak in tpm-sysfs.c (bsc#1050381).
  • usb-serial: check for NULL private data in pl2303_suse_disconnect
    (bsc#1064803).
  • uwb: fix device quirk on big-endian hosts (bsc#1036629).
  • virtio_scsi: do not call virtqueue_add_sgs(… GFP_NOIO) holding
    spinlock (bsc#1036286).
  • x86/microcode/intel: Disable late loading on model 79 (bsc#1054305).
  • xfs: fix inobt inode allocation search optimization (bsc#1013018).
