SUSE-SU-2022:1676-1
May 16, 2022 - 12:00 a.m.

Security update for the Linux Kernel (important)

2022-05-16 00:00:00
lists.opensuse.org
CVSS3: 8.8 High

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • User Interaction: NONE
  • Scope: CHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVSS2: 7.2 High

  • Access Vector: LOCAL
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: COMPLETE
  • Integrity Impact: COMPLETE
  • Availability Impact: COMPLETE
  • Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

An update that solves 16 vulnerabilities, contains 6
features and has 25 fixes is now available.

Description:

The SUSE Linux Enterprise 15 SP3 kernel was updated to receive various
security and bugfixes.

The following security bugs were fixed:

  • CVE-2020-27835: Fixed a use after free vulnerability in the infiniband
    hfi1 driver, triggered when a user calls ioctl after opening the dev
    file and forking. A local user could use this flaw to crash the system
    (bnc#1179878).
  • CVE-2021-0707: Fixed a use after free vulnerability in dma_buf_release
    of dma-buf.c, which may lead to local escalation of privilege with no
    additional execution privileges needed (bnc#1198437).
  • CVE-2021-20292: Fixed object validation prior to performing operations
    on the object in nouveau_sgdma_create_ttm in Nouveau DRM subsystem
    (bnc#1183723).
  • CVE-2021-20321: Fixed a race condition when accessing a file object in
    the OverlayFS subsystem, triggered when users perform a rename in a
    specific way with OverlayFS. A local user could have used this flaw to
    crash the system (bnc#1191647).
  • CVE-2021-38208: Fixed a denial of service (NULL pointer dereference and
    BUG) by making a getsockname call after a certain type of failure of a
    bind call (bnc#1187055).
  • CVE-2021-4154: Fixed a use-after-free vulnerability in
    cgroup1_parse_param in kernel/cgroup/cgroup-v1.c, allowing a local
    privilege escalation by an attacker with user privileges by exploiting
    the fsconfig syscall parameter, leading to a container breakout and a
    denial of service on the system (bnc#1193842).
  • CVE-2022-0812: Fixed an information leak when a file is read from RDMA
    (bsc#1196639).
  • CVE-2022-1158: Fixed a vulnerability in the kvm module that may lead to
    a use-after-free write or denial of service (bsc#1197660).
  • CVE-2022-1280: Fixed a use-after-free vulnerability in drm_lease_held in
    drivers/gpu/drm/drm_lease.c (bnc#1197914).
  • CVE-2022-1353: Fixed access control to kernel memory in the
    pfkey_register function in net/key/af_key.c (bnc#1198516).
  • CVE-2022-1419: Fixed a concurrency use-after-free in
    vgem_gem_dumb_create (bsc#1198742).
  • CVE-2022-1516: Fixed null-ptr-deref caused by x25_disconnect
    (bsc#1199012).
  • CVE-2022-28356: Fixed a refcount leak bug in net/llc/af_llc.c
    (bnc#1197391).
  • CVE-2022-28748: Fixed memory leak over the network by ax88179_178a
    devices (bsc#1196018).
  • CVE-2022-28893: Fixed a use after free vulnerability in inet_put_port
    where some sockets are not closed before xs_xprt_free() (bsc#1198330).
  • CVE-2022-29156: Fixed a double free vulnerability related to
    rtrs_clt_dev_release (jsc#SLE-15176 bsc#1198515).

The following non-security bugs were fixed:

  • ACPI/APEI: Limit printable size of BERT table data (git-fixes).
  • ACPI: processor idle: Check for architectural support for LPI
    (git-fixes).
  • ACPICA: Avoid walking the ACPI Namespace if it is not there (git-fixes).
  • ALSA: cs4236: fix an incorrect NULL check on list iterator (git-fixes).
  • ALSA: hda/hdmi: fix warning about PCM count when used with SOF
    (git-fixes).
  • ALSA: hda/realtek: Add alc256-samsung-headphone fixup (git-fixes).
  • ALSA: hda/realtek: Add quirk for Clevo PD50PNT (git-fixes).
  • ALSA: hda/realtek: Fix audio regression on Mi Notebook Pro 2020
    (git-fixes).
  • ALSA: pcm: Test for “silence” field in struct “pcm_format_data”
    (git-fixes).
  • ALSA: usb-audio: Cap upper limits of buffer/period bytes for implicit fb
    (git-fixes).
  • ALSA: usb-audio: Increase max buffer size (git-fixes).
  • ALSA: usb-audio: Limit max buffer and period sizes per time (git-fixes).
  • ASoC: atmel: Remove system clock tree configuration for at91sam9g20ek
    (git-fixes).
  • ASoC: codecs: wcd934x: do not switch off SIDO Buck when codec is in use
    (git-fixes).
  • ASoC: mediatek: mt6358: add missing EXPORT_SYMBOLs (git-fixes).
  • ASoC: msm8916-wcd-digital: Check failure for
    devm_snd_soc_register_component (git-fixes).
  • ASoC: soc-compress: Change the check for codec_dai (git-fixes).
  • ASoC: soc-compress: prevent the potentially use of null pointer
    (git-fixes).
  • ASoC: soc-core: skip zero num_dai component in searching dai name
    (git-fixes).
  • ASoC: soc-dapm: fix two incorrect uses of list iterator (git-fixes).
  • Bluetooth: Fix use after free in hci_send_acl (git-fixes).
  • Bluetooth: btmtksdio: Fix kernel oops in btmtksdio_interrupt (git-fixes).
  • Bluetooth: hci_serdev: call init_rwsem() before p->open() (git-fixes).
  • Documentation: add link to stable release candidate tree (git-fixes).
  • HID: i2c-hid: fix GET/SET_REPORT for unnumbered reports (git-fixes).
  • IB/hfi1: Allow larger MTU without AIP (jsc#SLE-13208).
  • Input: omap4-keypad - fix pm_runtime_get_sync() error checking
    (git-fixes).
  • KEYS: fix length validation in keyctl_pkey_params_get_2() (git-fixes).
  • NFSv4: fix open failure with O_ACCMODE flag (git-fixes).
  • PCI: aardvark: Fix reading PCI_EXP_RTSTA_PME bit on emulated bridge
    (git-fixes).
  • PCI: aardvark: Fix support for MSI interrupts (git-fixes).
  • PCI: imx6: Allow to probe when dw_pcie_wait_for_link() fails (git-fixes).
  • PCI: pciehp: Add Qualcomm quirk for Command Completed erratum
    (git-fixes).
  • PCI: pciehp: Clear cmd_busy bit in polling mode (git-fixes).
  • PM: core: keep irq flags in device_pm_check_callbacks() (git-fixes).
  • RDMA/core: Set MR type in ib_reg_user_mr (jsc#SLE-8449).
  • RDMA/mlx5: Add a missing update of cache->last_add (jsc#SLE-15175).
  • RDMA/mlx5: Do not remove cache MRs when a delay is needed
    (jsc#SLE-15175).
  • RDMA/mlx5: Fix the flow of a miss in the allocation of a cache ODP MR
    (jsc#SLE-15175).
  • SUNRPC: Ensure we flush any closed sockets before xs_xprt_free()
    (git-fixes).
  • SUNRPC: Fix the svc_deferred_event trace class (git-fixes).
  • SUNRPC: Handle ENOMEM in call_transmit_status() (git-fixes).
  • SUNRPC: Handle low memory situations in call_status() (git-fixes).
  • SUNRPC: change locking for xs_swap_enable/disable (bsc#1196367).
  • USB: serial: pl2303: add IBM device IDs (git-fixes).
  • USB: serial: simple: add Nokia phone driver (git-fixes).
  • USB: storage: ums-realtek: fix error code in rts51x_read_mem()
    (git-fixes).
  • USB: usb-storage: Fix use of bitfields for hardware data in ene_ub6250.c
    (git-fixes).
  • USB: dwc3: omap: fix “unbalanced disables for smps10_out1” on omap5evm
    (git-fixes).
  • USB: gadget: uvc: Fix crash when encoding data for usb request
    (git-fixes).
  • adm8211: fix error return code in adm8211_probe() (git-fixes).
  • arm64/sve: Use correct size when reinitialising SVE state (git-fixes)
  • arm64: clear_page() shouldn’t use DC ZVA when DCZID_EL0.DZP == 1
    (git-fixes)
  • arm64: dts: allwinner: h5: NanoPI Neo 2: Fix ethernet node (git-fixes)
  • arm64: dts: allwinner: orangepi-zero-plus: fix PHY mode (git-fixes)
  • arm64: dts: exynos: correct GIC CPU interfaces address range on
    (git-fixes)
  • arm64: dts: ls1028a: fix memory node (git-fixes)
  • arm64: dts: ls1028a: fix node name for the sysclk (git-fixes)
  • arm64: dts: lx2160a: fix scl-gpios property name (git-fixes)
  • arm64: dts: marvell: armada-37xx: Extend PCIe MEM space (git-fixes)
  • arm64: dts: marvell: armada-37xx: Fix reg for standard variant of
    (git-fixes)
  • arm64: dts: marvell: armada-37xx: Remap IO space to bus address 0x0
    (git-fixes)
  • arm64: dts: rockchip: Fix GPU register width for RK3328 (git-fixes)
  • arm64: dts: rockchip: remove mmc-hs400-enhanced-strobe from (git-fixes)
  • arm64: dts: zii-ultra: fix 12V_MAIN voltage (git-fixes)
  • arm64: head: avoid over-mapping in map_memory (git-fixes)
  • ata: libata-core: Disable READ LOG DMA EXT for Samsung 840 EVOs
    (git-fixes).
  • ata: sata_dwc_460ex: Fix crash due to OOB write (git-fixes).
  • ath10k: fix memory overwrite of the WoWLAN wakeup packet pattern
    (git-fixes).
  • ath5k: fix OOB in ath5k_eeprom_read_pcal_info_5111 (git-fixes).
  • ath5k: fix building with LEDS=m (git-fixes).
  • ath9k: Fix usage of driver-private space in tx_info (git-fixes).
  • ath9k: Properly clear TX status area before reporting to mac80211
    (git-fixes).
  • ath9k_htc: fix uninit value bugs (git-fixes).
  • bareudp: use ipv6_mod_enabled to check if IPv6 enabled (jsc#SLE-15172).
  • bfq: Avoid merging queues with different parents (bsc#1197926).
  • bfq: Drop pointless unlock-lock pair (bsc#1197926).
  • bfq: Get rid of __bio_blkcg() usage (bsc#1197926).
  • bfq: Make sure bfqg for which we are queueing requests is online
    (bsc#1197926).
  • bfq: Remove pointless bfq_init_rq() calls (bsc#1197926).
  • bfq: Split shared queues on move between cgroups (bsc#1197926).
  • bfq: Track whether bfq_group is still online (bsc#1197926).
  • bfq: Update cgroup information before merging bio (bsc#1197926).
  • block: Drop leftover references to RQF_SORTED (bsc#1182073).
  • bnx2x: fix napi API usage sequence (bsc#1198217).
  • bpf: Resolve to prog->aux->dst_prog->type only for BPF_PROG_TYPE_EXT
    (git-fixes bsc#1177028).
  • brcmfmac: firmware: Allocate space for default boardrev in nvram
    (git-fixes).
  • brcmfmac: pcie: Fix crashes due to early IRQs (git-fixes).
  • brcmfmac: pcie: Release firmwares in the brcmf_pcie_setup error path
    (git-fixes).
  • brcmfmac: pcie: Replace brcmf_pcie_copy_mem_todev with memcpy_toio
    (git-fixes).
  • carl9170: fix missing bit-wise or operator for tx_params (git-fixes).
  • cfg80211: hold bss_lock while updating nontrans_list (git-fixes).
  • cifs: fix bad fids sent over wire (bsc#1197157).
  • clk: Enforce that disjoints limits are invalid (git-fixes).
  • clk: si5341: fix reported clk_rate when output divider is 2 (git-fixes).
  • direct-io: clean up error paths of do_blockdev_direct_IO (bsc#1197656).
  • direct-io: defer alignment check until after the EOF check (bsc#1197656).
  • direct-io: do not force writeback for reads beyond EOF (bsc#1197656).
  • dma-debug: fix return value of __setup handlers (git-fixes).
  • dma: at_xdmac: fix a missing check on list iterator (git-fixes).
  • dmaengine: Revert “dmaengine: shdma: Fix runtime PM imbalance on error”
    (git-fixes).
  • dmaengine: idxd: add RO check for wq max_batch_size write (git-fixes).
  • dmaengine: idxd: add RO check for wq max_transfer_size write (git-fixes).
  • dmaengine: imx-sdma: Fix error checking in sdma_event_remap (git-fixes).
  • dmaengine: mediatek:Fix PM usage reference leak of
    mtk_uart_apdma_alloc_chan_resources (git-fixes).
  • drm/amd/amdgpu/amdgpu_cs: fix refcount leak of a dma_fence obj
    (git-fixes).
  • drm/amd/display: Fix a NULL pointer dereference in
    amdgpu_dm_connector_add_common_modes() (git-fixes).
  • drm/amd/display: Fix allocate_mst_payload assert on resume (git-fixes).
  • drm/amd/display: do not ignore alpha property on pre-multiplied mode
    (git-fixes).
  • drm/amd: Add USBC connector ID (git-fixes).
  • drm/amdgpu: Fix recursive locking warning (git-fixes).
  • drm/amdgpu: fix off by one in amdgpu_gfx_kiq_acquire() (git-fixes).
  • drm/amdkfd: Check for potential null return of kmalloc_array()
    (git-fixes).
  • drm/amdkfd: Fix Incorrect VMIDs passed to HWS (git-fixes).
  • drm/amdkfd: make CRAT table missing message informational only
    (git-fixes).
  • drm/bridge: Add missing pm_runtime_disable() in __dw_mipi_dsi_probe
    (git-fixes).
  • drm/bridge: Fix free wrong object in sii8620_init_rcp_input_dev
    (git-fixes).
  • drm/bridge: cdns-dsi: Make sure to to create proper aliases for dt
    (git-fixes).
  • drm/edid: Do not clear formats if using deep color (git-fixes).
  • drm/edid: check basic audio support on CEA extension block (git-fixes).
  • drm/i915/gem: Flush coherency domains on first set-domain-ioctl
    (git-fixes).
  • drm/i915: Call i915_globals_exit() if pci_register_device() fails
    (git-fixes).
  • drm/imx: Fix memory leak in imx_pd_connector_get_modes (git-fixes).
  • drm/mediatek: Add AAL output size configuration (git-fixes).
  • drm/mediatek: Fix aal size config (git-fixes).
  • drm/msm/dsi: Use connector directly in msm_dsi_manager_connector_init()
    (git-fixes).
  • drm/panel/raspberrypi-touchscreen: Avoid NULL deref if not initialised
    (git-fixes).
  • drm/panel/raspberrypi-touchscreen: Initialise the bridge in prepare
    (git-fixes).
  • drm/tegra: Fix reference leak in tegra_dsi_ganged_probe (git-fixes).
  • drm/vc4: Use pm_runtime_resume_and_get to fix pm_runtime_get_sync()
    usage (git-fixes).
  • drm: Add orientation quirk for GPD Win Max (git-fixes).
  • drm: add a locked version of drm_is_current_master (bsc#1197914).
  • drm: drm_file struct kABI compatibility workaround (bsc#1197914).
  • drm: protect drm_master pointers in drm_lease.c (bsc#1197914).
  • drm: serialize drm_file.master with a new spinlock (bsc#1197914).
  • drm: use the lookup lock in drm_is_current_master (bsc#1197914).
  • e1000e: Fix possible overflow in LTR decoding (git-fixes).
  • fibmap: Reject negative block numbers (bsc#1198448).
  • fibmap: Use bmap instead of ->bmap method in ioctl_fibmap (bsc#1198448).
  • firmware: arm_scmi: Fix sorting of retrieved clock rates (git-fixes).
  • gpiolib: acpi: use correct format characters (git-fixes).
  • gpu: ipu-v3: Fix dev_dbg frequency output (git-fixes).
  • hwrng: cavium - HW_RANDOM_CAVIUM should depend on ARCH_THUNDER
    (git-fixes).
  • i2c: dev: Force case user pointers in compat_i2cdev_ioctl() (git-fixes).
  • ipmi: Fix UAF when uninstall ipmi_si and ipmi_msghandler module
    (git-fixes).
  • ipmi: Move remove_work to dedicated workqueue (git-fixes).
  • ipmi: bail out if init_srcu_struct fails (git-fixes).
  • iwlwifi: Fix -EIO error code that is never returned (git-fixes).
  • iwlwifi: mvm: Fix an error code in iwl_mvm_up() (git-fixes).
  • livepatch: Do not block removal of patches that are safe to unload
    (bsc#1071995).
  • lz4: fix LZ4_decompress_safe_partial read out of bound (git-fixes).
  • media: cx88-mpeg: clear interrupt status register before streaming video
    (git-fixes).
  • media: hdpvr: initialize dev->worker at hdpvr_register_videodev
    (git-fixes).
  • memory: atmel-ebi: Fix missing of_node_put in atmel_ebi_probe
    (git-fixes).
  • mfd: asic3: Add missing iounmap() on error asic3_mfd_probe (git-fixes).
  • mfd: mc13xxx: Add check for mc13xxx_irq_request (git-fixes).
  • mmc: host: Return an error when ->enable_sdio_irq() ops is missing
    (git-fixes).
  • mmc: mmci: stm32: correctly check all elements of sg list (git-fixes).
  • mmc: mmci_sdmmc: Replace sg_dma_xxx macros (git-fixes).
  • mmc: renesas_sdhi: do not overwrite TAP settings when HS400 tuning is
    complete (git-fixes).
  • mtd: onenand: Check for error irq (git-fixes).
  • mtd: rawnand: atmel: fix refcount issue in atmel_nand_controller_init
    (git-fixes).
  • mtd: rawnand: gpmi: fix controller timings setting (git-fixes).
  • mwl8k: Fix a double Free in mwl8k_probe_hw (git-fixes).
  • net: asix: add proper error handling of usb read errors (git-fixes).
  • net: mcs7830: handle usb read errors properly (git-fixes).
  • net: usb: aqc111: Fix out-of-bounds accesses in RX fixup (git-fixes).
  • nfc: nci: add flush_workqueue to prevent uaf (git-fixes).
  • power: reset: gemini-poweroff: Fix IRQ check in gemini_poweroff_probe
    (git-fixes).
  • power: supply: ab8500: Fix memory leak in ab8500_fg_sysfs_init
    (git-fixes).
  • power: supply: axp20x_battery: properly report current when discharging
    (git-fixes).
  • power: supply: axp288-charger: Set Vhold to 4.4V (git-fixes).
  • power: supply: bq24190_charger: Fix bq24190_vbus_is_enabled() wrong
    false return (git-fixes).
  • power: supply: wm8350-power: Add missing free in free_charger_irq
    (git-fixes).
  • power: supply: wm8350-power: Handle error for wm8350_register_irq
    (git-fixes).
  • powerpc/perf: Fix power10 event alternatives (jsc#SLE-13513 git-fixes).
  • powerpc/perf: Fix power9 event alternatives (bsc#1137728, LTC#178106,
    git-fixes).
  • ptrace: Check PTRACE_O_SUSPEND_SECCOMP permission on PTRACE_SEIZE
    (bsc#1198413).
  • random: check for signal_pending() outside of need_resched() check
    (git-fixes).
  • ray_cs: Check ioremap return value (git-fixes).
  • regulator: wm8994: Add an off-on delay for WM8994 variant (git-fixes).
  • rtc: check if __rtc_read_time was successful (git-fixes).
  • rtc: wm8350: Handle error for wm8350_register_irq (git-fixes).
  • scsi: libsas: Fix sas_ata_qc_issue() handling of NCQ NON DATA commands
    (git-fixes).
  • scsi: mpt3sas: Fix use after free in _scsih_expander_node_remove()
    (git-fixes).
  • scsi: mpt3sas: Page fault in reply q processing (git-fixes).
  • scsi: scsi_dh_alua: Avoid crash during alua_bus_detach() (bsc#1028340
    bsc#1198825).
  • spi: Fix erroneous sgs value with min_t() (git-fixes).
  • spi: Fix invalid sgs value (git-fixes).
  • spi: atmel-quadspi: Fix the buswidth adjustment between spi-mem and
    controller (git-fixes).
  • spi: bcm-qspi: fix MSPI only access with bcm_qspi_exec_mem_op()
    (git-fixes).
  • spi: mxic: Fix the transmit path (git-fixes).
  • spi: tegra20: Use of_device_get_match_data() (git-fixes).
  • staging: mt7621-dts: fix LEDs and pinctrl on GB-PC1 devicetree
    (git-fixes).
  • vgacon: Propagate console boot parameters before calling `vc_resize’
    (bsc#1152489)
  • video: fbdev: atari: Atari 2 bpp (STe) palette bugfix (git-fixes).
  • video: fbdev: cirrusfb: check pixclock to avoid divide by zero
    (git-fixes).
  • video: fbdev: nvidiafb: Use strscpy() to prevent buffer overflow
    (git-fixes).
  • video: fbdev: sm712fb: Fix crash in smtcfb_read() (git-fixes).
  • video: fbdev: sm712fb: Fix crash in smtcfb_write() (git-fixes).
  • video: fbdev: udlfb: properly check endpoint type (bsc#1152489)
  • video: fbdev: w100fb: Reset global state (git-fixes).
  • virtio_console: break out of buf poll on remove (git-fixes).
  • virtio_console: eliminate anonymous module_init & module_exit
    (git-fixes).
  • w1: w1_therm: fixes w1_seq for ds28ea00 sensors (git-fixes).
  • x86/pm: Save the MSR validity status at context setup (bsc#1198400).
  • x86/sev: Unroll string mmio with CC_ATTR_GUEST_UNROLL_STRING_IO
    (git-fixes).
  • x86/speculation: Restore speculation related MSRs during S3 resume
    (bsc#1198400).
  • xen/blkfront: fix comment for need_copy (git-fixes).
  • xen/x86: obtain full video frame buffer address for Dom0 also under EFI
    (bsc#1193556).
  • xen/x86: obtain upper 32 bits of video frame buffer address for Dom0
    (bsc#1193556).
  • xen: fix is_xen_pmu() (git-fixes).
  • xhci: fix runtime PM imbalance in USB2 resume (git-fixes).
  • xhci: fix uninitialized string returned by xhci_decode_ctrl_ctx()
    (git-fixes).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

  • openSUSE Leap 15.3:

    zypper in -t patch openSUSE-SLE-15.3-2022-1676=1

  • SUSE Linux Enterprise Module for Public Cloud 15-SP3:

    zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP3-2022-1676=1
