The SUSE Linux Enterprise 12 kernel was updated to 3.12.48-52.27 to
receive various security and bug fixes.
The following security bugs were fixed:
- CVE-2015-7613: A flaw was found in the Linux kernel IPC code that could
lead to arbitrary code execution. The ipc_addid() function initialized a
shared object that has unset uid/gid values. Since the fields are not
initialized, the check can falsely succeed. (bsc#948536)
- CVE-2015-5156: When a guest’s KVM network device is in a bridge
configuration, the kernel can create a situation in which packets are
fragmented in an unexpected fashion. The GRO functionality can create a
situation in which multiple SKBs are chained together in a single
packet’s fraglist (by design). (bsc#940776)
- CVE-2015-5157: arch/x86/entry/entry_64.S in the Linux kernel before
4.1.6 on the x86_64 platform mishandles IRET faults in processing NMIs
that occurred during userspace execution, which might allow local users
to gain privileges by triggering an NMI (bsc#938706).
- CVE-2015-6252: A flaw was found in the way the Linux kernel’s vhost
driver treated the userspace-provided log file descriptor when processing
the VHOST_SET_LOG_FD ioctl command. The file descriptor was never
released and continued to consume kernel memory. A privileged local user
with access to the /dev/vhost-net files could use this flaw to create a
denial-of-service attack (bsc#942367).
- CVE-2015-5697: The get_bitmap_file function in drivers/md/md.c in the
Linux kernel before 4.1.6 does not initialize a certain bitmap data
structure, which allows local users to obtain sensitive information from
kernel memory via a GET_BITMAP_FILE ioctl call. (bnc#939994)
- CVE-2015-6937: A NULL pointer dereference flaw was found in the Reliable
Datagram Sockets (RDS) implementation allowing a local user to cause
a system DoS. A check that the underlying transport exists was missing
when a connection was created. (bsc#945825)
- CVE-2015-5283: A NULL pointer dereference flaw was found in the SCTP
implementation allowing a local user to cause a system DoS. Creation of
multiple sockets in parallel when the system doesn’t have the SCTP module
loaded can lead to a kernel panic. (bsc#947155)
The following non-security bugs were fixed:
- ALSA: hda - Abort the probe without i915 binding for HSW/BDW
(bsc#936556).
- Btrfs: Backport subvolume mount option handling (bsc#934962)
- Btrfs: Handle unaligned length in extent_same (bsc#937609).
- Btrfs: advertise which crc32c implementation is being used on mount
(bsc#946057).
- Btrfs: allow mounting btrfs subvolumes with different ro/rw options.
- Btrfs: check if previous transaction aborted to avoid fs corruption
(bnc#942509).
- Btrfs: clean up error handling in mount_subvol() (bsc#934962).
- Btrfs: cleanup orphans while looking up default subvolume (bsc#914818).
- Btrfs: do not update mtime/ctime on deduped inodes (bsc#937616).
- Btrfs: fail on mismatched subvol and subvolid mount options (bsc#934962).
- Btrfs: fix chunk allocation regression leading to transaction abort
(bnc#938550).
- Btrfs: fix clone / extent-same deadlocks (bsc#937612).
- Btrfs: fix crash on close_ctree() if cleaner starts new transaction
(bnc#938891).
- Btrfs: fix deadlock with extent-same and readpage (bsc#937612).
- Btrfs: fix file corruption after cloning inline extents (bnc#942512).
- Btrfs: fix file read corruption after extent cloning and fsync
(bnc#946902).
- Btrfs: fix find_free_dev_extent() malfunction in case device tree has
hole (bnc#938550).
- Btrfs: fix hang when failing to submit bio of directIO (bnc#942685).
- Btrfs: fix list transaction->pending_ordered corruption (bnc#938893).
- Btrfs: fix memory corruption on failure to submit bio for direct IO
(bnc#942685).
- Btrfs: fix memory leak in the extent_same ioctl (bsc#937613).
- Btrfs: fix put dio bio twice when we submit dio bio fail (bnc#942685).
- Btrfs: fix race between balance and unused block group deletion
(bnc#938892).
- Btrfs: fix range cloning when same inode used as source and destination
(bnc#942511).
- Btrfs: fix read corruption of compressed and shared extents (bnc#946906).
- Btrfs: fix uninit variable in clone ioctl (bnc#942511).
- Btrfs: fix use-after-free in mount_subvol().
- Btrfs: fix wrong check for btrfs_force_chunk_alloc() (bnc#938550).
- Btrfs: lock superblock before remounting for rw subvol (bsc#934962).
- Btrfs: pass unaligned length to btrfs_cmp_data() (bsc#937609).
- Btrfs: remove all subvol options before mounting top-level (bsc#934962).
- Btrfs: show subvol= and subvolid= in /proc/mounts (bsc#934962).
- Btrfs: unify subvol= and subvolid= mounting (bsc#934962).
- Btrfs: fill ->last_trans for delayed inode in btrfs_fill_inode
(bnc#942925).
- Btrfs: fix metadata inconsistencies after directory fsync (bnc#942925).
- Btrfs: fix stale dir entries after removing a link and fsync
(bnc#942925).
- Btrfs: fix stale dir entries after unlink, inode eviction and fsync
(bnc#942925).
- Btrfs: fix stale directory entries after fsync log replay (bnc#942925).
- Btrfs: make btrfs_search_forward return with nodes unlocked (bnc#942925).
- Btrfs: support NFSv2 export (bnc#929871).
- Btrfs: update fix for read corruption of compressed and shared extents
(bsc#948256).
- Drivers: hv: do not do hypercalls when hypercall_page is NULL.
- Drivers: hv: vmbus: add special crash handler.
- Drivers: hv: vmbus: add special kexec handler.
- Drivers: hv: vmbus: remove hv_synic_free_cpu() call from
hv_synic_cleanup().
- Input: evdev - do not report errors from flush() (bsc#939834).
- Input: synaptics - do not retrieve the board id on old firmwares
(bsc#929092).
- Input: synaptics - log queried and quirked dimension values (bsc#929092).
- Input: synaptics - query min dimensions for fw v8.1.
- Input: synaptics - remove X1 Carbon 3rd gen from the topbuttonpad list
(bsc#929092).
- Input: synaptics - remove X250 from the topbuttonpad list.
- Input: synaptics - remove obsolete min/max quirk for X240 (bsc#929092).
- Input: synaptics - skip quirks when post-2013 dimensions (bsc#929092).
- Input: synaptics - split synaptics_resolution(), query first
(bsc#929092).
- Input: synaptics - support min/max board id in min_max_pnpid_table
(bsc#929092).
- NFS: Make sure XPRT_CONNECTING gets cleared when needed (bsc#946309).
- NFSv4: do not set SETATTR for O_RDONLY|O_EXCL (bsc#939716).
- PCI: Move MPS configuration check to pci_configure_device() (bsc#943313).
- PCI: Set MPS to match upstream bridge (bsc#943313).
- SCSI: fix regression in scsi_send_eh_cmnd() (bsc#930813).
- SCSI: fix scsi_error_handler vs. scsi_host_dev_release race (bnc#942204).
- SCSI: vmw_pvscsi: Fix pvscsi_abort() function (bnc#940398).
- UAS: fixup for remaining use of dead_list (bnc#934942).
- USB: storage: use %*ph specifier to dump small buffers (bnc#934942).
- aio: fix reqs_available handling (bsc#943378).
- audit: do not generate loginuid log when audit disabled (bsc#941098).
- blk-merge: do not compute bi_phys_segments from bi_vcnt for cloned bio
(bnc#934430).
- blk-merge: fix blk_recount_segments (bnc#934430).
- blk-merge: recalculate segment if it isn’t less than max segments
(bnc#934430).
- block: add queue flag for disabling SG merging (bnc#934430).
- block: blk-merge: fix blk_recount_segments() (bnc#934430).
- config: disable CONFIG_TCM_RBD on ppc64le and s390x
- cpufreq: intel_pstate: Add CPU ID for Braswell processor.
- dlm: fix missing endian conversion of rcom_status flags (bsc#940679).
- dm cache mq: fix memory allocation failure for large cache devices
(bsc#942707).
- drm/i915: Avoid race of intel_crt_detect_hotplug() with HPD interrupt
(bsc#942938).
- drm/i915: Make hpd arrays big enough to avoid out of bounds access
(bsc#942938).
- drm/i915: Only print hotplug event message when hotplug bit is set
(bsc#942938).
- drm/i915: Queue reenable timer also when enable_hotplug_processing is
false (bsc#942938).
- drm/i915: Use an interrupt save spinlock in intel_hpd_irq_handler()
(bsc#942938).
- drm/radeon: fix hotplug race at startup (bsc#942307).
- ethtool, net/mlx4_en: Add 100M, 20G, 56G speeds ethtool reporting
support (bsc#945710).
- hrtimer: prevent timer interrupt DoS (bnc#886785).
- hv: fcopy: add memory barrier to propagate state (bnc#943529).
- inotify: Fix nested sleeps in inotify_read() (bsc#940925).
- intel_pstate: Add CPU IDs for Broadwell processors.
- intel_pstate: Add CPUID for BDW-H CPU.
- intel_pstate: Add support for SkyLake.
- intel_pstate: Correct BYT VID values (bnc#907973).
- intel_pstate: Remove periodic P state boost (bnc#907973).
- intel_pstate: add sample time scaling (bnc#907973, bnc#924722,
bnc#916543).
- intel_pstate: don’t touch turbo bit if turbo disabled or unavailable
(bnc#907973).
- intel_pstate: remove setting P state to MAX on init (bnc#907973).
- intel_pstate: remove unneeded sample buffers (bnc#907973).
- intel_pstate: set BYT MSR with wrmsrl_on_cpu() (bnc#907973).
- ipr: Fix incorrect trace indexing (bsc#940912).
- ipr: Fix invalid array indexing for HRRQ (bsc#940912).
- iwlwifi: dvm: drop non VO frames when flushing (bsc#940545).
- kABI workaround for ieee80211_ops.flush argument change (bsc#940545).
- kconfig: Do not print status messages in make -s mode (bnc#942160).
- kernel/modsign_uefi.c: Check for EFI_RUNTIME_SERVICES in load_uefi_certs
(bsc#856382).
- kernel: do full redraw of the 3270 screen on reconnect (bnc#943476,
LTC#129509).
- kexec: define kexec_in_progress in !CONFIG_KEXEC case.
- kvm: Use WARN_ON_ONCE for missing X86_FEATURE_NRIPS (bsc#947537).
- lpfc: Fix scsi prep dma buf error (bsc#908950).
- mac80211: add vif to flush call (bsc#940545).
- md/bitmap: do not abuse i_writecount for bitmap files (bsc#943270).
- md/bitmap: protect clearing of ->bitmap by mddev->lock
(bnc#912183).
- md/raid5: use ->lock to protect accessing raid5 sysfs attributes
(bnc#912183).
- md: fix problems with freeing private data after ->run failure
(bnc#912183).
- md: level_store: group all important changes into one place (bnc#912183).
- md: move GET_BITMAP_FILE ioctl out from mddev_lock (bsc#943270).
- md: protect ->pers changes with mddev->lock (bnc#912183).
- md: remove mddev_lock from rdev_attr_show() (bnc#912183).
- md: remove mddev_lock() from md_attr_show() (bnc#912183).
- md: remove need for mddev_lock() in md_seq_show() (bnc#912183).
- md: split detach operation out from ->stop (bnc#912183).
- md: tidy up set_bitmap_file (bsc#943270).
- megaraid_sas: Handle firmware initialization after fast boot
(bsc#922071).
- mfd: lpc_ich: Assign subdevice ids automatically (bnc#898159).
- mm: filemap: Avoid unnecessary barriers and waitqueue lookups -fix
(VM/FS Performance (bnc#941951)).
- mm: make page pfmemalloc check more robust (bnc#920016).
- mm: numa: disable change protection for vma(VM_HUGETLB) (bnc#943573).
- netfilter: nf_conntrack_proto_sctp: minimal multihoming support
(bsc#932350).
- net/mlx4_core: Add ethernet backplane autoneg device capability
(bsc#945710).
- net/mlx4_core: Introduce ACCESS_REG CMD and eth_prot_ctrl dev cap
(bsc#945710).
- net/mlx4_en: Use PTYS register to query ethtool settings (bsc#945710).
- net/mlx4_en: Use PTYS register to set ethtool settings (Speed)
(bsc#945710).
- rcu: Reject memory-order-induced stall-warning false positives
(bnc#941908).
- s390/dasd: fix kernel panic when alias is set offline (bnc#940965,
LTC#128595).
- sched: Fix KMALLOC_MAX_SIZE overflow during cpumask allocation
(bnc#939266).
- sched: Fix cpu_active_mask/cpu_online_mask race (bsc#936773).
- sched, numa: do not hint for NUMA balancing on VM_MIXEDMAP mappings
(bnc#943573).
- uas: Add US_FL_MAX_SECTORS_240 flag (bnc#934942).
- uas: Add response iu handling (bnc#934942).
- uas: Add uas_get_tag() helper function (bnc#934942).
- uas: Check against unexpected completions (bnc#934942).
- uas: Cleanup uas_log_cmd_state usage (bnc#934942).
- uas: Do not log urb status error on cancellation (bnc#934942).
- uas: Do not use scsi_host_find_tag (bnc#934942).
- uas: Drop COMMAND_COMPLETED flag (bnc#934942).
- uas: Drop all references to a scsi_cmnd once it has been aborted
(bnc#934942).
- uas: Drop inflight list (bnc#934942).
- uas: Fix memleak of non-submitted urbs (bnc#934942).
- uas: Fix resetting flag handling (bnc#934942).
- uas: Free data urbs on completion (bnc#934942).
- uas: Log error codes when logging errors (bnc#934942).
- uas: Reduce number of function arguments for uas_alloc_foo functions
(bnc#934942).
- uas: Remove cmnd reference from the cmd urb (bnc#934942).
- uas: Remove support for old sense ui as used in pre-production hardware
(bnc#934942).
- uas: Remove task-management / abort error handling code (bnc#934942).
- uas: Set max_sectors_240 quirk for ASM1053 devices (bnc#934942).
- uas: Simplify reset / disconnect handling (bnc#934942).
- uas: Simplify unlink of data urbs on error (bnc#934942).
- uas: Use scsi_print_command (bnc#934942).
- uas: pre_reset and suspend: Fix a few races (bnc#934942).
- uas: zap_pending: data urbs should have completed at this time
(bnc#934942).
- x86/kernel: Do not reserve crashkernel high memory if crashkernel low
memory reserving failed (bsc#939145).
- x86/smpboot: Check for cpu_active on cpu initialization (bsc#932285).
- x86/smpboot: Check for cpu_active on cpu initialization (bsc#936773).
- xhci: Workaround for PME stuck issues in Intel xhci (bnc#944028).
- xhci: rework cycle bit checking for new dequeue pointers (bnc#944028).
- xfs: Fix file type directory corruption for btree directories
(bsc#941305).
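Added example (not part of the SUSE advisory): a POSIX shell check that compares a kernel release string, by default the output of uname -r, with the fixed version 3.12.48-52.27 named at the top of this advisory. The function names are assumptions made for illustration, and the result is only meaningful for SLE 12 kernel packages.

```shell
#!/bin/sh
# Added example, not SUSE's own tooling. FIXED is the version this advisory
# names; everything else (function names, messages) is illustrative.
FIXED="3.12.48-52.27"

# Print the numeric fields of a release such as "3.12.48-52.27-default",
# one per line. A trailing flavor ("-default", "-xen") is dropped first.
release_fields() {
    printf '%s\n' "$1" | sed 's/-[A-Za-z][A-Za-z0-9_]*$//' | tr '.-' '\n\n'
}

# Return 0 if the release is at or above FIXED, 1 if it is below,
# 2 if a compared field is not a number. Fields are compared numerically,
# left to right, so that 52.9 sorts below 52.27 (a string compare would not).
kernel_is_fixed() {
    have=$(release_fields "$1" | tr '\n' ' ')
    want=$(release_fields "$FIXED" | tr '\n' ' ')
    for w in $want; do
        h=${have%% *}            # next field of the release under test
        have=${have#* }
        [ -n "$h" ] || h=0       # a missing field counts as 0
        case $h in *[!0-9]*) return 2 ;; esac
        [ "$h" -gt "$w" ] && return 0
        [ "$h" -lt "$w" ] && return 1
    done
    return 0
}

# Stand-alone use: check the release given as $1, or the running kernel.
release=${1:-$(uname -r)}
if kernel_is_fixed "$release"; then
    echo "$release: at or above $FIXED"
else
    echo "$release: below $FIXED or not parsable, update needed"
fi
```

The check reports the running kernel, so a host that has the updated package installed but has not rebooted still shows the old release.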