SUSE-SU-2016:1707-1

The SUSE Linux Enterprise 11 SP4 Realtime kernel was updated to receive various security and bugfixes.

The following security bugs were fixed: - CVE-2015-1339: Memory leak in the cusechannelrelease function in fs/fuse/cuse.c in the Linux kernel allowed local users to cause a denial of service (memory consumption) or possibly have unspecified other impact by opening /dev/cuse many times (bnc#969356). - CVE-2015-7566: The clie5attach function in drivers/usb/serial/visor.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by inserting a USB device that lacks a bulk-out endpoint (bnc#961512). - CVE-2015-8551: The PCI backend driver in Xen, when running on an x86 system and using Linux 3.1.x through 4.3.x as the driver domain, allowed local guest administrators to hit BUG conditions and cause a denial of service (NULL pointer dereference and host OS crash) by leveraging a system with access to a passed-through MSI or MSI-X capable physical PCI device and a crafted sequence of XENPCIOP* operations, aka 'Linux pciback missing sanity checks (bnc#957990). - CVE-2015-8552: The PCI backend driver in Xen, when running on an x86 system and using Linux 3.1.x through 4.3.x as the driver domain, allowed local guest administrators to generate a continuous stream of WARN messages and cause a denial of service (disk consumption) by leveraging a system with access to a passed-through MSI or MSI-X capable physical PCI device and XENPCIOPenablemsi operations, aka 'Linux pciback missing sanity checks (bnc#957990). - CVE-2015-8816: The hubactivate function in drivers/usb/core/hub.c in the Linux kernel did not properly maintain a hub-interface data structure, which allowed physically proximate attackers to cause a denial of service (invalid memory access and system crash) or possibly have unspecified other impact by unplugging a USB hub device (bnc#968010). - CVE-2016-2143: The fork implementation in the Linux kernel on s390 platforms mishandles the case of four page-table levels, which allowed local users to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted application, related to arch/s390/include/asm/mmucontext.h and arch/s390/include/asm/pgalloc.h (bnc#970504). - CVE-2016-2184: The createfixedstreamquirk function in sound/usb/quirks.c in the snd-usb-audio driver in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference or double free, and system crash) via a crafted endpoints value in a USB device descriptor (bnc#971125). - CVE-2016-2185: The atiremote2probe function in drivers/input/misc/atiremote2.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#971124). - CVE-2016-2186: The powermateprobe function in drivers/input/misc/powermate.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#970958). - CVE-2016-2188: The iowarriorprobe function in drivers/usb/misc/iowarrior.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#970956). - CVE-2016-2782: The treoattach function in drivers/usb/serial/visor.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by inserting a USB device that lacks a (1) bulk-in or (2) interrupt-in endpoint (bnc#968670). - CVE-2016-2847: fs/pipe.c in the Linux kernel did not limit the amount of unread data in pipes, which allowed local users to cause a denial of service (memory consumption) by creating many pipes with non-default sizes (bnc#970948). - CVE-2016-3137: drivers/usb/serial/cypressm8.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both an interrupt-in and an interrupt-out endpoint descriptor, related to the cypressgenericportprobe and cypressopen functions (bnc#970970). - CVE-2016-3138: The acmprobe function in drivers/usb/class/cdc-acm.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both a control and a data endpoint descriptor (bnc#970911). - CVE-2016-3139: The wacomprobe function in drivers/input/tablet/wacomsys.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#970909). - CVE-2016-3140: The digiportinit function in drivers/usb/serial/digi_acceleport.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#970892). - CVE-2016-3156: The IPv4 implementation in the Linux kernel mishandles destruction of device objects, which allowed guest OS users to cause a denial of service (host OS networking outage) by arranging for a large number of IP addresses (bnc#971360).

The following non-security bugs were fixed: - acpi / pci: Account for ARI in PRT lookups (bsc#968566). - afunix: Guard against other == sk in unixdgramsendmsg (bsc#973570). - alsa: pcm: Fix potential deadlock in OSS emulation (bsc#968018). - alsa: rawmidi: Fix race at copying & updating the position (bsc#968018). - alsa: rawmidi: Make sndrawmiditransmit() race-free (bsc#968018). - alsa: seq: Fix double port list deletion (bsc#968018). - alsa: seq: Fix incorrect sanity check at sndseqosssynthcleanup() (bsc#968018). - alsa: seq: Fix leak of pool buffer at concurrent writes (bsc#968018). - alsa: seq: Fix lockdep warnings due to double mutex locks (bsc#968018). - alsa: seq: Fix race at closing in virmidi driver (bsc#968018). - alsa: seq: Fix yet another races among ALSA timer accesses (bsc#968018). - alsa: timer: Call notifier in the same spinlock (bsc#973378). - alsa: timer: Code cleanup (bsc#968018). - alsa: timer: Fix leftover link at closing (bsc#968018). - alsa: timer: Fix link corruption due to double start or stop (bsc#968018). - alsa: timer: Fix race between stop and interrupt (bsc#968018). - alsa: timer: Fix wrong instance passed to slave callbacks (bsc#968018). - alsa: timer: Protect the whole sndtimerclose() with open race (bsc#973378). - alsa: timer: Sync timer deletion at closing the system timer (bsc#973378). - alsa: timer: Use modtimer() for rearming the system timer (bsc#973378). - dcache: use ISROOT to decide where dentry is hashed (bsc#949752). - fs, seqfile: always allow oom killer (bnc#968687). - fs/seqfile: fallback to vmalloc allocation (bnc#968687). - fs, seqfile: fallback to vmalloc instead of oom kill processes (bnc#968687). - hpsa: fix issues with multilun devices (bsc#959381). - ibmvscsi: Remove unsupported host config MAD (bsc#973556). - iommu/vt-d: Improve fault handler error messages (bsc#975772). - iommu/vt-d: Ratelimit fault handler (bsc#975772). - ipv6: make fib6 serial number per namespace (bsc#965319). - ipv6: mld: fix addgrhead skboverpanic for devs with large MTUs (bsc#956852). - ipv6: per netns fib6 walkers (bsc#965319). - ipv6: per netns FIB garbage collection (bsc#965319). - ipv6: replace global gcargs with local variable (bsc#965319). - kabi, fs/seqfile: fallback to vmalloc allocation (bnc#968687). - kabi: Import kabi files from kernel 3.0.101-71 - kabi: protect struct netnsipv6 after FIB6 GC series (bsc#965319). - kabi: Restore kabi after lock-owner change (bnc#968141). - llist: Add llistnext() (fate#316876). - make vfree() safe to call from interrupt contexts (fate#316876). - mld, igmp: Fix reserved tailroom calculation (bsc#956852). - net/core: devmcsyncmultiple calls wrong helper (bsc#971433). - net/core: _hwaddrcreateex does not initialize synccnt (bsc#971433). - net/core: _hwaddrsyncone / _multiple broken (bsc#971433). - net/core: _hwaddrunsyncone 'from' address not marked synced (bsc#971433). - nfs4: treat lock owners as opaque values (bnc#968141). - nfsd4: return nfserrsymlink on v4 OPEN of non-regular file (bsc#973237). - nfsd: do not fail unchecked creates of non-special files (bsc#973237). - nfs: use smaller allocations for 'struct idmap' (bsc#965923). - pciback: check PF instead of VF for PCICOMMANDMEMORY (bsc#957990). - pciback: Save the number of MSI-X entries to be copied later (bsc#957988). - pci: Move pciarienabled() to global header (bsc#968566). - pci: Update PCI VPD size patch to upstream: - PCI: Determine actual VPD size on first access (bsc#971729). - PCI: Update VPD definitions (bsc#971729). - rdma/ucma: Fix AB-BA deadlock (bsc#963998). - s390/pageattr: Do a single TLB flush for changepageattr (bsc#940413). - scsidhalua: Do not block request queue if workqueue is active (bsc#960458). - scsi: mpt2sas: Rearrange the the code so that the completion queues are initialized prior to sending the request to controller firmware (bsc#967863). - skb: Add inline helper for getting the skb end offset from head (bsc#956852). - tcp: avoid order-1 allocations on wifi and tx path (bsc#956852). - tcp: fix skbavailroom() (bsc#956852). - usb: usbip: fix potential out-of-bounds write (bnc#975945). - vmxnet3: set carrier state properly on probe (bsc#972363). - vmxnet3: set netdev parant device before calling netdevinfo (bsc#972363). - xfrm: do not segment UFO packets (bsc#946122). - xfs: fix sgid inheritance for subdirectories inheriting default acls [V3] (bsc#965860). - xhci: Workaround to get Intel xHCI reset working more reliably (bnc#898592).