SUSE-SU-2015:2350-1

The SUSE Linux Enterprise 11 SP4 Realtime kernel was updated to receive various security and bugfixes.

Following security bugs were fixed: - CVE-2015-7509: Mounting a prepared ext2 filesystem as ext4 could lead to a local denial of service (crash) (bsc#956709). - CVE-2015-7799: The slhcinit function in drivers/net/slip/slhc.c in the Linux kernel did not ensure that certain slot numbers are valid, which allowed local users to cause a denial of service (NULL pointer dereference and system crash) via a crafted PPPIOCSMAXCID ioctl call (bnc#949936). - CVE-2015-8104: The KVM subsystem in the Linux kernel allowed guest OS users to cause a denial of service (host OS panic or hang) by triggering many #DB (aka Debug) exceptions, related to svm.c (bnc#954404). - CVE-2015-5307: The KVM subsystem in the Linux kernel allowed guest OS users to cause a denial of service (host OS panic or hang) by triggering many #AC (aka Alignment Check) exceptions, related to svm.c and vmx.c (bnc#953527). - CVE-2015-7990: RDS: Verify the underlying transport exists before creating a connection, preventing possible DoS (bsc#952384). - CVE-2015-5157: arch/x86/entry/entry64.S in the Linux kernel on the x8664 platform mishandled IRET faults in processing NMIs that occurred during userspace execution, which might allow local users to gain privileges by triggering an NMI (bnc#937969 937970 938706 939207). - CVE-2015-7872: The keygcunusedkeys function in security/keys/gc.c in the Linux kernel allowed local users to cause a denial of service (OOPS) via crafted keyctl commands (bnc#951440). - CVE-2015-8215: net/ipv6/addrconf.c in the IPv6 stack in the Linux kernel did not validate attempted changes to the MTU value, which allowed context-dependent attackers to cause a denial of service (packet loss) via a value that is (1) smaller than the minimum compliant value or (2) larger than the MTU of an interface, as demonstrated by a Router Advertisement (RA) message that is not validated by a daemon, a different vulnerability than CVE-2015-0272. NOTE: the scope of CVE-2015-0272 is limited to the NetworkManager product. (bnc#955354). - CVE-2015-6937: The _rdsconn_create function in net/rds/connection.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by using a socket that was not properly bound (bnc#945825).

The following non-security bugs were fixed: - afxhci: avoid path quiesce of severed path in shutdown() (bnc#946214, LTC#131684). - ahci: Add Device ID for Intel Sunrise Point PCH (bsc#953799). - alsa: hda - Disable 64bit address for Creative HDA controllers (bnc#814440). - blktap: also call blkifdisconnect() when frontend switched to closed (bsc#952976). - blktap: refine mm tracking (bsc#952976). - cachefiles: Avoid deadlocks with fs freezing (bsc#935123). - dm: do not start current request if it would've merged with the previous (bsc#904348). - dm: impose configurable deadline for dmrequestfn's merge heuristic (bsc#904348). - dm-snap: avoid deadock on s->lock when a read is split (bsc#939826). - dm sysfs: introduce ability to add writable attributes (bsc#904348). - drivers: hv: do not do hypercalls when hypercallpage is NULL. - drivers: hv: kvp: move pollchannel() to hypervvmbus.h. - drivers: hv: util: move kvp/vss function declarations to hypervvmbus.h. - drivers: hv: vmbus: add special crash handler (bnc#930770). - drivers: hv: vmbus: add special kexec handler. - drivers: hv: vmbus: Get rid of some unused definitions. - drivers: hv: vmbus: Implement the protocol for tearing down vmbus state. - drivers: hv: vmbus: kill tasklets on module unload. - drivers: hv: vmbus: prefer 'die' notification chain to 'panic'. - drivers: hv: vmbus: remove hvsynicfreecpu() call from hvsyniccleanup(). - drivers: hv: vmbus: unregister panic notifier on module unload. - driver: Vmxnet3: Fix ethtool -S to return correct rx queue stats (bsc#950750). - drm/i915: add hotplug activation period to hotplug update mask (bsc#953980). - drm/i915: Avoid race of intelcrtdetecthotplug() with HPD interrupt, v2 (bsc#942938). - drm/i915: Fix DDC probe for passive adapters (bsc#900610, fdo#85924). - fix lpfcsendrscnevent allocation size claims bnc#935757 - fs: Avoid deadlocks of fsyncbdev() and fs freezing (bsc#935123). - fs: Fix deadlocks between sync and fs freezing (bsc#935123). - hugetlb: simplify migratehugepage() (bnc#947957, VM Functionality). - hwpoison, hugetlb: lockpage/unlockpage does not match for handling a free hugepage (bnc#947957, VM Functionality). - IB/srp: Avoid skipping srpresethost() after a transport error (bsc#904965). - IB/srp: Fix a sporadic crash triggered by cable pulling (bsc#904965). - Import SP4-RT GA kabi files - ipr: Fix incorrect trace indexing (bsc#940913). - ipr: Fix invalid array indexing for HRRQ (bsc#940913). - ipv6: fix tunnel error handling (bsc#952579). - ipvs: drop first packet to dead server (bsc#946078). - ipvs: Fix reuse connection if real server is dead (bnc#945827). - kernel: correct ucsigmask of the compat signal frame (bnc#946214, LTC#130124). - kernel: fix incorrect use of DIAG44 in continuetrylockrelax() (bnc#946214, LTC#132100). - kexec: Fix race between panic() and crashkexec() called directly (bnc#937444). - keys: Fix race between key destruction and finding a keyring by name (bsc#951440). - ktime: add ktimeafter and ktimebefore helpe (bsc#904348). - lib/string.c: introduce memchrinv() (bnc#930788). - lpfc: Fix cqid masking problem (bsc#944677). - macvlan: Support bonding events bsc#948521 - Make sure XPRTCONNECTING gets cleared when needed (bsc#946309). - memory-failure: do code refactor of softofflinepage() (bnc#947957, VM Functionality). - memory-failure: fix an error of mcebadpages statistics (bnc#947957, VM Functionality). - memory-failure: use numpoisonedpages instead of mcebadpages (bnc#947957, VM Functionality). - memory-hotplug: update mcebadpages when removing the memory (bnc#947957, VM Functionality). - mm: exclude reserved pages from dirtyable memory 32b fix (bnc#940017, bnc#949298). - mm: fix GFPTHISNODE callers and clarify (bsc#954950, VM Functionality). - mm/memory-failure.c: fix wrong numpoisonedpages in handling memory error on thp (bnc#947957, VM Functionality). - mm/memory-failure.c: recheck PageHuge() after hugetlb page migrate successfully (bnc#947957, VM Functionality). - mm/migrate.c: pair unlockpage() and lockpage() when migrating huge pages (bnc#947957, VM Functionality). - mm: remove GFPTHISNODE (bsc#954950, VM Functionality). - mm: sl[au]b: add knowledge of PFMEMALLOC reserve pages (Swap over NFS (fate#304949)). - Modified -rt patches: 343 of 434, noise elided. - net/core: Add VF link state control policy (bsc#950298). - netfilter: xtrecent: fix namespace destroy path (bsc#879378). - NFSv4: Fix two infinite loops in the mount code (bsc#954628). - panic/x86: Allow cpus to save registers even if they (bnc#940946). - panic/x86: Fix re-entrance problem due to panic on (bnc#937444). - pci: Add devflags bit to access VPD through function 0 (bnc#943786). - pci: Add VPD function 0 quirk for Intel Ethernet devices (bnc#943786). - pci: Clear NumVFs when disabling SR-IOV in sriovinit() (bnc#952084). - pci: delay configuration of SRIOV capability (bnc#952084). - pci: Refresh First VF Offset and VF Stride when updating NumVFs (bnc#952084). - pci: set pci sriov page size before reading SRIOV BAR (bnc#952084). - pci: Update NumVFs register when disabling SR-IOV (bnc#952084). - pktgen: clean up ktimet helpers (bsc#904348). - qla2xxx: do not clear slot in outstanding cmd array (bsc#944993). - qla2xxx: Do not reset adapter if SRB handle is in range (bsc#944993). - qla2xxx: Remove decrement of sp reference count in abort handler (bsc#944993). - qla2xxx: Remove unavailable firmware files (bsc#921081). - qlge: Fix qlgeupdatehwvlanfeatures to handle if interface is down (bsc#930835). - quota: Fix deadlock with suspend and quotas (bsc#935123). - rcu: Eliminate deadlock between CPU hotplug and expedited grace periods (bsc#949706). - Refresh patches.xen/1282-usbback-limit-copying.patch (bsc#941202). - rtc: cmos: Cancel alarm timer if alarm time is equal to now+1 seconds (bsc#930145). - rtnetlink: Fix VF IFLA policy (bsc#950298). - rtnetlink: fix VF info size (bsc#950298). - s390/dasd: fix disconnected device with valid path mask (bnc#946214, LTC#132707). - s390/dasd: fix invalid PAV assignment after suspend/resume (bnc#946214, LTC#132706). - s390/dasd: fix listdel corruption after lcu changes (bnc#954984, LTC#133077). - s390/pci: handle events for unused functions (bnc#946214, LTC#130628). - s390/pci: improve handling of hotplug event 0x301 (bnc#946214, LTC#130628). - s390/pci: improve state check when processing hotplug events (bnc#946214, LTC#130628). - sched/core: Fix task and run queue schedinfo::rundelay inconsistencies (bnc#949100). - scsi: hosts: update to use idasimple for hostno (bsc#939926) - sg: fix read() error reporting (bsc#926774). - sunrpc: refactor rpcauthcheckverf error returns (bsc#955673). - Update patches.fixes/fanotify-fix-deadlock-during-thread-exit.patch (bsc#935053, bsc#926709). Add bug reference. - usbback: correct copy length for partial transfers (bsc#941202). - usbvision fix overflow of interfaces array (bnc#950998). - usb: xhci: apply XHCIAVOIDBEI quirk to all Intel xHCI controllers (bnc#944989). - veth: extend device features (bsc#879381). - vfs: Provide function to get superblock and wait for it to thaw (bsc#935123). - vmxnet3: adjust ring sizes when interface is down (bsc#950750). - vmxnet3: fix ethtool ring buffer size setting (bsc#950750). - writeback: Skip writeback for frozen filesystem (bsc#935123). - x86/evtchn: make use of PHYSDEVOPmappirq. - x86: mm: drop TLB flush from ptepsetaccessflags (bsc#948330). - x86: mm: only do a local tlb flush in ptepsetaccessflags() (bsc#948330). - x86, pageattr: Prevent overflow in slowvirttophys() for X86PAE (fate#317533, bnc#937256). - xen: x86, pageattr: Prevent overflow in slowvirttophys() for X86PAE (fate#317533, bnc#937256). - xfs: add background scanning to clear eofblocks inodes (bnc#930788). - xfs: add EOFBLOCKS inode tagging/untagging (bnc#930788). - xfs: add inode id filtering to eofblocks scan (bnc#930788). - xfs: add minimum file size filtering to eofblocks scan (bnc#930788). - xfs: add XFSIOCFREEEOFBLOCKS ioctl (bnc#930788). - xfs: create function to scan and clear EOFBLOCKS inodes (bnc#930788). - xfs: create helper to check whether to free eofblocks on inode (bnc#930788). - xfs: Fix lost direct IO write in the last block (bsc#949744). - xfs: Fix softlockup in xfsinodeagwalk() (bsc#948347). - xfs: introduce a common helper xfsiclustersizefsb (bsc#932805). - xfs: make xfsfreeeofblocks() non-static, return EAGAIN on trylock failure (bnc#930788). - xfs: support a tag-based inodeagiterator (bnc#930788). - xfs: support multiple inode id filtering in eofblocks scan (bnc#930788). - xfs: use xfsiclustersizefsb in xfsbulkstat (bsc#932805). - xfs: use xfsiclustersizefsb in xfsiallocinodeinit (bsc#932805). - xfs: use xfsiclustersizefsb in xfsifreecluster (bsc#932805). - xfs: use xfsiclustersizefsb in xfs_imap (bsc#932805). - xhci: Add spurious wakeup quirk for LynxPoint-LP controllers (bnc#949981). - xhci: Calculate old endpoints correctly on device reset (bnc#944831). - xhci: change xhci 1.0 only restrictions to support xhci 1.1 (bnc#949502). - xhci: fix isoc endpoint dequeue from advancing too far on transaction error (bnc#944837). - xhci: For streams the css flag most be read from the stream-ctx on ep stop (bnc#945691). - xhci: silence TD warning (bnc#939955). - xhci: use uninterruptible sleep for waiting for internal operations (bnc#939955).