SUSE-SU-2017:2342-1

The SUSE Linux Enterprise 11 SP4 RT kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

• CVE-2014-9922: The eCryptfs subsystem in the Linux kernel allowed local users to gain privileges via a large filesystem stack that includes an overlayfs layer, related to fs/ecryptfs/main.c and fs/overlayfs/super.c (bsc#1032340).
• CVE-2015-3288: mm/memory.c in the Linux kernel mishandled anonymous pages, which allowed local users to gain privileges or cause a denial of service (page tainting) via a crafted application that triggers writing to page zero (bnc#979021).
• CVE-2015-8970: crypto/algifskcipher.c in the Linux kernel did not verify that a setkey operation has been performed on an AFALG socket before an accept system call is processed, which allowed local users to cause a denial of service (NULL pointer dereference and system crash) via a crafted application that did not supply a key, related to the lrw_crypt function in crypto/lrw.c (bnc#1008374 bsc#1008850).
• CVE-2016-10200: Race condition in the L2TPv3 IP Encapsulation feature in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) by making multiple bind system calls without properly ascertaining whether a socket has the SOCKZAPPED status, related to net/l2tp/l2tpip.c and net/l2tp/l2tp_ip6.c (bnc#1028415).
• CVE-2016-2188: The iowarrior_probe function in drivers/usb/misc/iowarrior.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#970956).
• CVE-2016-4997: The compat IPTSOSETREPLACE and IP6TSOSETREPLACE setsockopt implementations in the netfilter subsystem in the Linux kernel allow local users to gain privileges or cause a denial of service (memory corruption) by leveraging in-container root access to provide a crafted offset value that triggers an unintended decrement (bnc#986362).
• CVE-2016-4998: The IPTSOSET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from kernel heap memory by leveraging in-container root access to provide a crafted offset value that leads to crossing a ruleset blob boundary (bnc#986365).
• CVE-2016-5243: The tipcnlcompatlinkdump function in net/tipc/netlink_compat.c in the Linux kernel did not properly copy a certain string, which allowed local users to obtain sensitive information from kernel stack memory by reading a Netlink message (bnc#983212).
• CVE-2016-7117: Use-after-free vulnerability in the _sysrecvmmsg function in net/socket.c in the Linux kernel allowed remote attackers to execute arbitrary code via vectors involving a recvmmsg system call that is mishandled during error processing (bnc#1003077).
• CVE-2017-1000363: A buffer overflow in kernel commandline handling of the 'lp' parameter could be used to bypass certain secure boot settings. (bnc#1039456).
• CVE-2017-1000364: An issue was discovered in the size of the stack guard page on Linux, specifically a 4k stack guard page is not sufficiently large and can be 'jumped' over (the stack guard page is bypassed), this affects Linux Kernel versions 4.11.5 and earlier (the stackguard page was introduced in 2010) (bnc#1039348).
• CVE-2017-1000365: The Linux Kernel imposes a size restriction on the arguments and environmental strings passed through RLIMITSTACK/RLIMINFINITY (1/4 of the size), but did not take the argument and environment pointers into account, which allowed attackers to bypass this limitation (bnc#1039354).
• CVE-2017-1000380: sound/core/timer.c in the Linux kernel is vulnerable to a data race in the ALSA /dev/snd/timer driver resulting in local users being able to read information belonging to other users, i.e., uninitialized memory contents may be disclosed when a read and an ioctl happen at the same time (bnc#1044125).
• CVE-2017-11176: The mq_notify function in the Linux kernel did not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allowed attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact (bnc#1048275).
• CVE-2017-11473: Buffer overflow in the mpoverridelegacy_irq() function in arch/x86/kernel/acpi/boot.c in the Linux kernel allowed local users to gain privileges via a crafted ACPI table (bsc#1049603).
• CVE-2017-2636: Race condition in drivers/tty/n_hdlc.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (double free) by setting the HDLC line discipline (bnc#1027565 bsc#1028372).
• CVE-2017-2647: The KEYS subsystem in the Linux kernel allowed local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via vectors involving a NULL value for a certain match field, related to the keyringsearchiterator function in keyring.c (bnc#1030593).
• CVE-2017-2671: The pingunhash function in net/ipv4/ping.c in the Linux kernel is too late in obtaining a certain lock and consequently cannot ensure that disconnect function calls are safe, which allowed local users to cause a denial of service (panic) by leveraging access to the protocol value of IPPROTOICMP in a socket system call (bnc#1031003).
• CVE-2017-5669: The do_shmat function in ipc/shm.c in the Linux kernel did not restrict the address calculated by a certain rounding operation, which allowed local users to map page zero, and consequently bypass a protection mechanism that exists for the mmap system call, by making crafted shmget and shmat system calls in a privileged context (bnc#1026914).
• CVE-2017-5970: The ipv4pktinfoprepare function in net/ipv4/ip_sockglue.c in the Linux kernel allowed attackers to cause a denial of service (system crash) via (1) an application that made crafted system calls or possibly (2) IPv4 traffic with invalid IP options (bnc#1024938).
• CVE-2017-5986: Race condition in the sctpwaitfor_sndbuf function in net/sctp/socket.c in the Linux kernel allowed local users to cause a denial of service (assertion failure and panic) via a multithreaded application that peels off an association in a certain buffer-full state (bnc#1025235).
• CVE-2017-6074: The dccprcvstateprocess function in net/dccp/input.c in the Linux kernel mishandled DCCPPKTREQUEST packet data structures in the LISTEN state, which allowed local users to obtain root privileges or cause a denial of service (double free) via an application that made an IPV6RECVPKTINFO setsockopt system call (bnc#1026024 bsc#1033287).
• CVE-2017-6214: The tcpspliceread function in net/ipv4/tcp.c in the Linux kernel allowed remote attackers to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the URG flag (bnc#1026722).
• CVE-2017-6348: The hashbin_delete function in net/irda/irqueue.c in the Linux kernel improperly manages lock dropping, which allowed local users to cause a denial of service (deadlock) via crafted operations on IrDA devices (bnc#1027178).
• CVE-2017-6353: net/sctp/socket.c in the Linux kernel did not properly restrict association peel-off operations during certain wait states, which allowed local users to cause a denial of service (invalid unlock and double free) via a multithreaded application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-5986 (bnc#1027066).
• CVE-2017-6951: The keyringsearchaux function in security/keys/keyring.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and OOPS) via a request_key system call for the 'dead' type (bnc#1029850).
• CVE-2017-7184: The xfrmreplayverifylen function in net/xfrm/xfrmuser.c in the Linux kernel did not validate certain size data after an XFRMMSGNEWAE update, which allowed local users to obtain root privileges or cause a denial of service (heap-based out-of-bounds access) by leveraging the CAPNETADMIN capability, as demonstrated during a Pwn2Own competition at CanSecWest 2017 for the Ubuntu 16.10 linux-image-* package 4.8.0.41.52 (bnc#1030573).
• CVE-2017-7187: The sgioctl function in drivers/scsi/sg.c in the Linux kernel allowed local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a large command size in an SGNEXTCMDLEN ioctl call, leading to out-of-bounds write access in the sg_write function (bnc#1030213).
• CVE-2017-7261: The vmwsurfacedefineioctl function in drivers/gpu/drm/vmwgfx/vmwgfxsurface.c in the Linux kernel did not check for a zero value of certain levels data, which allowed local users to cause a denial of service (ZEROSIZEPTR dereference, and GPF and possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device (bnc#1031052).
• CVE-2017-7294: The vmwsurfacedefineioctl function in drivers/gpu/drm/vmwgfx/vmwgfxsurface.c in the Linux kernel did not validate addition of certain levels data, which allowed local users to trigger an integer overflow and out-of-bounds write, and cause a denial of service (system hang or crash) or possibly gain privileges, via a crafted ioctl call for a /dev/dri/renderD* device (bnc#1031440).
• CVE-2017-7308: The packetsetring function in net/packet/afpacket.c in the Linux kernel did not properly validate certain block-size data, which allowed local users to cause a denial of service (integer signedness error and out-of-bounds write), or gain privileges (if the CAPNET_RAW capability is held), via crafted system calls (bnc#1031579).
• CVE-2017-7482: Fixed a potential overflow in the net/rxprc where a padded len isn't checked in ticket decode (bsc#1046107).
• CVE-2017-7487: The ipxitfioctl function in net/ipx/afipx.c in the Linux kernel mishandled reference counts, which allowed local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a failed SIOCGIFADDR ioctl call for an IPX interface (bnc#1038879).
• CVE-2017-7533: Race condition in the fsnotify implementation in the Linux kernel allowed local users to gain privileges or cause a denial of service (memory corruption) via a crafted application that leverages simultaneous execution of the inotifyhandleevent and vfs_rename functions (bsc#1049483).
• CVE-2017-7542: The ip6find1stfragopt function in net/ipv6/output_core.c in the Linux kernel allowed local users to cause a denial of service (integer overflow and infinite loop) by leveraging the ability to open a raw socket (bsc#1049882).
• CVE-2017-7616: Incorrect error handling in the set_mempolicy and mbind compat syscalls in mm/mempolicy.c in the Linux kernel allowed local users to obtain sensitive information from uninitialized stack data by triggering failure of a certain bitmap operation (bnc#1033336).
• CVE-2017-8890: The inetcskclonelock function in net/ipv4/inetconnection_sock.c in the Linux kernel allowed attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call (bnc#1038544).
• CVE-2017-8924: The edgebulkincallback function in drivers/usb/serial/ioti.c in the Linux kernel allowed local users to obtain sensitive information (in the dmesg ringbuffer and syslog) from uninitialized kernel memory by using a crafted USB device (posing as an io_ti USB serial device) to trigger an integer underflow (bnc#1037182 bsc#1038982).
• CVE-2017-8925: The omninet_open function in drivers/usb/serial/omninet.c in the Linux kernel allowed local users to cause a denial of service (tty exhaustion) by leveraging reference count mishandling (bnc#1037183 bsc#1038981).
• CVE-2017-9074: The IPv6 fragmentation implementation in the Linux kernel did not consider that the nexthdr field may be associated with an invalid option, which allowed local users to cause a denial of service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send system calls (bnc#1039882).
• CVE-2017-9075: The sctpv6createacceptsk function in net/sctp/ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (bnc#1039883).
• CVE-2017-9076: The dccpv6requestrecvsock function in net/dccp/ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (bnc#1039885).
• CVE-2017-9077: The tcpv6synrecvsock function in net/ipv6/tcp_ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (bnc#1040069).
• CVE-2017-9242: The _ip6appenddata function in net/ipv6/ip6output.c in the Linux kernel is too late in checking whether an overwrite of an skb data structure may occur, which allowed local users to cause a denial of service (system crash) via crafted system calls (bnc#1041431).

The following non-security bugs were fixed:

• 8250: use callbacks to access UARTDLL/UARTDLM.
• acpi: Disable APEI error injection if securelevel is set (bsc#972891, bsc#1023051).
• af_key: Add lock to key dump (bsc#1047653).
• afkey: Fix slab-out-of-bounds in pfkeycompile_policy (bsc#1047354).
• alsa: ctxfi: Fallback DMA mask to 32bit (bsc#1045538).
• alsa: hda - Fix regression of HD-audio controller fallback modes (bsc#1045538).
• alsa: hda/realtek - Correction of fixup codes for PB V7900 laptop (bsc#1045538).
• alsa: hda/realtek - Fix COEF widget NID for ALC260 replacer fixup (bsc#1045538).
• alsa: hda - using uninitialized data (bsc#1045538).
• alsa: off by one bug in sndriptidejoystick_probe() (bsc#1045538).
• alsa: seq: Fix sndseqcallportinfo_ioctl in compat mode (bsc#1045538).
• ath9k: fix buffer overrun for ar9287 (bsc#1045538).
• _bitmapparselist: fix bug in empty string handling (bnc#1042633).
• blacklist.conf: Add a few inapplicable items (bsc#1045538).
• blacklist.conf: blacklisted 1fe89e1b6d27 (bnc#1046122)
• block: do not allow updates through sysfs until registration completes (bsc#1047027).
• block: fix extdevlock lockdep report (bsc#1050154).
• btrfs: Don't clear SGID when inheriting ACLs (bsc#1030552).
• cifs: backport prepath matching fix (bsc#799133).
• cifs: don't compare uniqueids in cifsprimedcache unless server inode numbers are in use (bsc#1041975).
• cifs: small underflow in cnvrtDosUnixTm() (bsc#1043935).
• cifs: Timeout on SMBNegotiate request (bsc#1044913).
• clocksource: Remove 'weak' from clocksourcedefaultclock() declaration (bnc#1013018).
• cputime: Avoid multiplication overflow on utime scaling (bnc#938352).
• crypto: nx - off by one bug in nxofupdate_msc() (fate#314588,bnc#792863).
• decompressbunzip2: off by one in getnext_block() (git-fixes).
• devres: fix a for loop bounds check (git-fixes).
• dlm: backport 'fix lvb invalidation conditions' (bsc#1005651).
• dm: fix ioctl retry termination with signal (bsc#1050154).
• drm/mgag200: Add support for G200eH3 (bnc#1044216, fate#323551)
• drm/mgag200: Add support for G200e rev 4 (bnc#995542, comment #81)
• edac, amd64edac: Shift wrapping issue in f1xgetnormdct_addr() (fate#313937).
• enic: set skb->hash type properly (bsc#911105 FATE#317501).
• ext2: Don't clear SGID when inheriting ACLs (bsc#1030552).
• ext3: Don't clear SGID when inheriting ACLs (bsc#1030552).
• ext4: Don't clear SGID when inheriting ACLs (bsc#1030552).
• ext4: fix fdatasync(2) after extent manipulation operations (bsc#1013018).
• ext4: fix mballoc breakage with 64k block size (bsc#1013018).
• ext4: fix stack memory corruption with 64k block size (bsc#1013018).
• ext4: keep existing extra fields when inode expands (bsc#1013018).
• ext4: reject inodes with negative size (bsc#1013018).
• fbdev/efifb: Fix 16 color palette entry calculation (bsc#1041762).
• firmware: fix directory creation rule matching with make 3.80 (bsc#1012422).
• firmware: fix directory creation rule matching with make 3.82 (bsc#1012422).
• fixed invalid assignment of 64bit mask to host dma_boundary for scatter gather segment boundary limit (bsc#1042045).
• Fix soft lockup in svcrdmasend (bsc#1044854).
• fnic: Return 'DIDIMMRETRY' if rport is not ready (bsc#1035920).
• fnic: Using rport->dddata to check rport online instead of rportlookup (bsc#1035920).
• fs/blockdev: always invalidate cleancache in invalidatebdev() (git-fixes).
• fs: fix data invalidation in the cleancache during direct IO (git-fixes).
• fs/xattr.c: zero out memory copied to userspace in getxattr (bsc#1013018).
• fuse: add missing FR_FORCE (bsc#1013018).
• fuse: initialize fc->release before calling it (bsc#1013018).
• genirq: Prevent proc race against freeing of irq descriptors (bnc#1044230).
• hrtimer: Allow concurrent hrtimer_start() for self restarting timers (bnc#1013018).
• i40e: avoid null pointer dereference (bsc#909486 FATE#317393).
• i40e: Fix TSO with more than 8 frags per segment issue (bsc#985561).
• i40e/i40evf: Break up xmitdescriptorcount from maybestoptx (bsc#985561).
• i40e/i40evf: Fix mixed size frags and linearization (bsc#985561).
• i40e/i40evf: Limit TSO to 7 descriptors for payload instead of 8 per packet (bsc#985561).
• i40e/i40evf: Rewrite logic for 8 descriptor per packet check (bsc#985561).
• i40e: Impose a lower limit on gso size (bsc#985561).
• i40e: Limit TX descriptor count in cases where frag size is greater than 16K (bsc#985561).
• ib/mlx4: Demote mcg message from warning to debug (bsc#919382).
• ib/mlx4: Fix ib device initialization error flow (bsc#919382).
• ib/mlx4: Fix port query for 56Gb Ethernet links (bsc#919382).
• ib/mlx4: Handle well-known-gid in mad_demux processing (bsc#919382).
• ib/mlx4: Reduce SRIOV multicast cleanup warning message to debug level (bsc#919382).
• ib/mlx4: Set traffic class in AH (bsc#919382).
• Implement an ioctl to support the USMTMC-USB488 READSTATUSBYTE operation (bsc#1036288).
• initial cr0 bits (bnc#1036056, LTC#153612).
• input: cm109 - validate number of endpoints before using them (bsc#1037193).
• input: hanwang - validate number of endpoints before using them (bsc#1037232).
• input: yealink - validate number of endpoints before using them (bsc#1037227).
• ipmr, ip6mr: fix scheduling while atomic and a deadlock with ipmrgetroute (git-fixes).
• irq: Fix race condition (bsc#1042615).
• isdn/gigaset: fix NULL-deref at probe (bsc#1037356).
• isofs: Do not return EACCES for unknown filesystems (bsc#1013018).
• jbd: do not wait (forever) for stale tid caused by wraparound (bsc#1020229).
• jbd: Fix oops in journalremovejournal_head() (bsc#1017143).
• jsm: add support for additional Neo cards (bsc#1045615).
• kabi fix (bsc#1008893).
• kABI: mask struct xfs_icdinode change (bsc#1024788).
• kabi: Protect xfsmount and xfsbuftarg (bsc#1024508).
• kabi:severeties: Add splicewriteto_file PASS This function is part of an xfs-specific fix which never went upstream and is not expected to have 3rdparty users other than xfs itself.
• kernel-binary.spec: Propagate MAKE_ARGS to %build (bsc#1012422)
• keys: Disallow keyrings beginning with '.' to be joined as session keyrings (bnc#1035576).
• kvm: kvmiobusunregisterdev() should never fail.
• libata: fix sff host state machine locking while polling (bsc#1045525).
• libceph: NULL deref on crush_decode() error path (bsc#1044015).
• libceph: potential NULL dereference in cephmsgdata_create() (bsc#1051515).
• libfc: fixup locking in fcdiscstop() (bsc#1029140).
• libfc: move 'pending' and 'requested' setting (bsc#1029140).
• libfc: only restart discovery after timeout if not already running (bsc#1029140).
• lockd: use init_utsname for id encoding (bsc#1033804).
• lockd: use rpc client's cl_nodename for id encoding (bsc#1033804).
• locking/rtmutex: Prevent dequeue vs. unlock race (bnc#1013018).
• math64: New div64u64rem helper (bnc#938352).
• md: ensure md devices are freed before module is unloaded (git-fixes).
• md: fix a null dereference (bsc#1040351).
• md: flush ->event_work before stopping array (git-fixes).
• md linear: fix a race between linearadd() and linearcongested() (bsc#1018446).
• md/linear: shutup lockdep warnning (bsc#1018446).
• md: make sure GETARRAYINFO ioctl reports correct 'clean' status (git-fixes).
• md/raid0: apply base queue limits before diskstacklimits (git-fixes).
• md/raid1: extend spinlock to protect raid1endread_request against inconsistencies (git-fixes).
• md/raid1: fix test for 'was read error from last working device' (git-fixes).
• md/raid5: do not record new size if resize_stripes fails (git-fixes).
• md/raid5: Fix CPU hotplug callback registration (git-fixes).
• md: use separate bio_pool for metadata writes (bsc#1040351).
• megaraid_sas: add missing curly braces in ioctl handler (bsc#1050154).
• mlx4: reduce OOM risk on arches with large pages (bsc#919382).
• mmc: core: add missing pm event in mmcpmnotify to fix hib restore (bsc#1045547).
• mmc: ushc: fix NULL-deref at probe (bsc#1037191).
• mm: do not collapse stack gap into THP (bnc#1039348)
• mm: enlarge stack guard gap (bnc#1039348).
• mm/hugememory: replace VMNOTHP VMBUG_ON with actual VMA check (VM Functionality, bsc#1042832).
• mm: hugetlb: call hugeptealloc() only if ptep is null (VM Functionality, bsc#1042832).
• mm/memory-failure.c: use compound_head() flags for huge pages (bnc#971975 VM -- git fixes).
• mm/mempolicy.c: do not put mempolicy before using its nodemask (References: VM Performance, bnc#931620).
• mm, mmap: do not blow on PROTNONE MAPFIXED holes in the stack (bnc#1039348, bnc#1045340, bnc#1045406).
• module: fix memory leak on early load_module() failures (bsc#1043014).
• Move nrcpusallowed into a hole in structschedentity instead of the one below taskstruct.policy. RT fills the hole 29baa7478ba4 used, which will screw up kABI for RT instead of curing the space needed problem in schedrtentity caused by adding ff77e4685359. This leaves nrcpusalowed in an odd spot, but safely allows the RT entity specific data added by ff77e4685359 to reside where it belongs.. nrcpus_allowed just moves from one odd spot to another.
• mwifiex: printk() overflow with 32-byte SSIDs (bsc#1048185).
• net: avoid reference counter overflows on fib_rules in multicast forwarding (git-fixes).
• net: ip6mr: fix static mfc/dev leaks on table destruction (git-fixes).
• net: ipmr: fix static mfc/dev leaks on table destruction (git-fixes).
• net/mlx4core: Eliminate warning messages for SRQLIMIT under SRIOV (bsc#919382).
• net/mlx4core: Enhance the MADIFC wrapper to convert VF port to physical (bsc#919382).
• net/mlx4_core: Fix VF overwrite of module param which disables DMFS on new probed PFs (bsc#919382).
• net/mlx4_core: Fix when to save some qp context flags for dynamic VST to VGT transitions (bsc#919382).
• net/mlx4core: Get numtc using netdevgetnum_tc (bsc#919382).
• net/mlx4_core: Prevent VF from changing port configuration (bsc#919382).
• net/mlx4_core: Use-after-free causes a resource leak in flow-steering detach (bsc#919382).
• net/mlx4_core: Use cq quota in SRIOV when creating completion EQs (bsc#919382).
• net/mlx4_en: Avoid adding steering rules with invalid ring (bsc#919382).
• net/mlx4_en: Change the error print to debug print (bsc#919382).
• net/mlx4en: fix overflow in mlx4eninittimestamp() (bsc#919382).
• net/mlx4_en: Fix type mismatch for 32-bit systems (bsc#919382).
• net/mlx4_en: Resolve dividing by zero in 32-bit system (bsc#919382).
• net/mlx4_en: Wake TX queues only when there's enough room (bsc#1039258).
• net/mlx4: Fix the check in attaching steering rules (bsc#919382).
• net/mlx4: Fix uninitialized fields in rule when adding promiscuous mode to device managed flow steering (bsc#919382).
• net: wimax/i2400m: fix NULL-deref at probe (bsc#1037358).
• netxennic: set rcode to the return status from the call to netxenissue_cmd (bnc#784815 FATE#313898).
• nfs: Avoid getting confused by confused server (bsc#1045416).
• nfsd4: minor NFSv2/v3 write decoding cleanup (bsc#1034670).
• nfsd: check for oversized NFSv2/v3 arguments (bsc#1034670).
• nfsd: do not risk using duplicate owner/file/delegation ids (bsc#1029212).
• nfsd: Don't use state id of 0 - it is reserved (bsc#1049688 bsc#1051770).
• nfsd: stricter decoding of write-like NFSv2/v3 ops (bsc#1034670).
• nfs: Fix another OPEN_DOWNGRADE bug (git-next).
• nfs: fix nfssizetolofft (git-fixes).
• nfs: Fix size of NFSACL SETACL operations (git-fixes).
• nfs: Make nfs_readdir revalidate less often (bsc#1048232).
• nfs: tidy up nfsshowmountd_netid (git-fixes).
• nfsv4: Do not call putrpccred() under the rcuread_lock() (git-fixes).
• nfsv4: Fix another bug in the close/open_downgrade code (git-fixes).
• nfsv4: fix getacl head length estimation (git-fixes).
• nfsv4: Fix problems with close in the presence of a delegation (git-fixes).
• nfsv4: Fix the underestimation of delegation XDR space reservation (git-fixes).
• ocfs2: do not write error flag to user structure we cannot copy from/to (bsc#1013018).
• ocfs2: Don't clear SGID when inheriting ACLs (bsc#1030552).
• ocfs2: fix crash caused by stale lvb with fsdlm plugin (bsc#1013800).
• ocfs2: fix error return code in ocfs2infohandle_freefrag() (bsc#1013018).
• ocfs2: NFS hangs in _ocfs2clusterlock due to race with ocfs2unblock_lock (bsc#962257).
• ocfs2: null deref on allocation error (bsc#1013018).
• pci: Allow access to VPD attributes with size 0 (bsc#1018074).
• pciback: only check PF if actually dealing with a VF (bsc#999245).
• pciback: use pci_physfn() (bsc#999245).
• pci: Fix devfn for VPD access through function 0 (bnc#943786 git-fixes).
• perf/core: Correct event creation with PERFFORMATGROUP (bnc#1013018).
• perf/core: Fix event inheritance on fork() (bnc#1013018).
• posix-timers: Fix stack info leak in timer_create() (bnc#1013018).
• powerpc,cpuidle: Dont toggle CPUIDLEFLAGIGNORE while setting smtsnoozedelay (bsc#1023163).
• powerpc: Drop support for pre-POWER4 cpus (fate#322495, bsc#1032471).
• powerpc/fadump: Fix the race in crash_fadump() (bsc#1022971).
• powerpc/fadump: Reserve memory at an offset closer to bottom of RAM (bsc#1032141).
• powerpc/fadump: Update fadump documentation (bsc#1032141).
• powerpc/mm: Do not alias user region to other regions below PAGE_OFFSET (bsc#928138,fate#319026).
• powerpc/mm/hash: Check for non-kernel address in getkernelvsid() (fate#322495, bsc#1032471).
• powerpc/mm/hash: Convert mask to unsigned long (fate#322495, bsc#1032471).
• powerpc/mm/hash: Increase VA range to 128TB (fate#322495, bsc#1032471).
• powerpc/mm/hash: Properly mask the ESID bits when building proto VSID (fate#322495, bsc#1032471).
• powerpc/mm/hash: Support 68 bit VA (fate#322495, bsc#1032471).
• powerpc/mm/hash: Use context ids 1-4 for the kernel (fate#322495, bsc#1032471).
• powerpc/mm: Remove checks that TASKSIZEUSER64 is too small (fate#322495, bsc#1032471).
• powerpc/mm/slice: Convert slice_mask high slice to a bitmap (fate#322495, bsc#1032471).
• powerpc/mm/slice: Fix off-by-1 error when computing slice mask (fate#322495, bsc#1032471).
• powerpc/mm/slice: Move slice_mask struct definition to slice.c (fate#322495, bsc#1032471).
• powerpc/mm/slice: Update slice mask printing to use bitmap printing (fate#322495, bsc#1032471).
• powerpc/mm/slice: Update the function prototype (fate#322495, bsc#1032471).
• powerpc/mm: use macro PGTABLEEADDRSIZE instead of digital (fate#322495, bsc#1032471).
• powerpc/nvram: Fix an incorrect partition merge (bsc#1016489).
• powerpc/pseries: Release DRC when configure_connector fails (bsc#1035777, Pending Base Kernel Fixes).
• powerpc: Remove STAB code (fate#322495, bsc#1032471).
• powerpc/vdso64: Use double word compare on pointers (bsc#1016489).
• raid1: avoid unnecessary spin locks in I/O barrier code (bsc#982783,bsc#1026260).
• random32: fix off-by-one in seeding requirement (git-fixes).
• rcu: Call out dangers of expedited RCU primitives (bsc#1008893).
• rcu: Direct algorithmic SRCU implementation (bsc#1008893).
• rcu: Flip ->completed only once per SRCU grace period (bsc#1008893).
• rcu: Implement a variant of Peter's SRCU algorithm (bsc#1008893).
• rcu: Increment upper bit only for srcureadlock() (bsc#1008893).
• rcu: Remove fast check path from _synchronizesrcu() (bsc#1008893).
• reiserfs: Don't clear SGID when inheriting ACLs (bsc#1030552).
• reiserfs: don't preallocate blocks for extended attributes (bsc#990682).
• Remove patches causing regression (bsc#1043234)
• Remove superfluous make flags (bsc#1012422)
• Return short read or 0 at end of a raw device, not EIO (bsc#1039594).
• Revert 'kabi:severeties: Add splicewriteto_file PASS' This reverts commit 05ecf7ab16b2ea555fadd1ce17d8177394de88f2.
• Revert 'math64: New div64u64rem helper' (bnc#938352).
• Revert 'xfs: fix up xfsswapextent_forks inline extent handling (bsc#1023888).' I was baing my assumption of SLE11-SP4 needing this patch on an old kernel build (3.0.101-63). Re-testing with the latest one 3.0.101-94 shows that the issue is not present. Furthermore this one was causing some crashes. This reverts commit 16ceeac70f7286b6232861c3170ed32e39dcc68c.
• rfkill: fix rfkillfopread wait_event usage (bsc#1046192).
• s390/kmsg: add missing kmsg descriptions (bnc#1025702, LTC#151573).
• s390/qdio: clear DSCI prior to scanning multiple input queues (bnc#1046715, LTC#156234).
• s390/qeth: no ETH header for outbound AF_IUCV (bnc#1046715, LTC#156276).
• s390/qeth: size calculation outbound buffers (bnc#1046715, LTC#156276).
• s390/vmlogrdr: fix IUCV buffer allocation (bnc#1025702, LTC#152144).
• s390/zcrypt: Introduce CEX6 toleration (FATE#321782, LTC#147505).
• sched: Always initialize cpu-power (bnc#1013018).
• sched: Avoid cputime scaling overflow (bnc#938352).
• sched: Avoid prev->stime underflow (bnc#938352).
• sched/core: Fix TASKDEAD race in finishtask_switch() (bnc#1013018).
• sched/core: Remove false-positive warning from wakeupprocess() (bnc#1044882).
• sched/cputime: Do not scale when utime == 0 (bnc#938352).
• sched/debug: Print the scheduler topology group mask (bnc#1013018).
• sched: Do not account bogus utime (bnc#938352).
• sched/fair, cpumask: Export foreachcpu_wrap() (bnc#1013018).
• sched/fair: Fix min_vruntime tracking (bnc#1013018).
• sched: Fix domain iteration (bnc#1013018).
• sched: Fix SD_OVERLAP (bnc#1013018).
• sched/loadavg: Fix loadavg artifacts on fully idle and on fully loaded systems (bnc#1013018).
• sched: Lower chances of cputime scaling overflow (bnc#938352).
• sched: Move nrcpusallowed out of 'struct schedrtentity' (bnc#1013018). Prep for b60205c7c558 sched/fair: Fix min_vruntime tracking
• sched: Rename a misleading variable in buildoverlapsched_groups() (bnc#1013018).
• sched/rt: Fix PI handling vs. schedsetscheduler() (bnc#1013018). Prep for b60205c7c558 sched/fair: Fix minvruntime tracking
• sched/topology: Fix building of overlapping sched-groups (bnc#1013018).
• sched/topology: Fix overlapping schedgroupcapacity (bnc#1013018).
• sched/topology: Fix overlapping schedgroupmask (bnc#1013018).
• sched/topology: Move comment about asymmetric node setups (bnc#1013018).
• sched/topology: Optimize buildgroupmask() (bnc#1013018).
• sched/topology: Refactor function buildoverlapsched_groups() (bnc#1013018).
• sched/topology: Remove FORCESDOVERLAP (bnc#1013018).
• sched/topology: Simplify buildoverlapsched_groups() (bnc#1013018).
• sched/topology: Verify the first group matches the child domain (bnc#1013018).
• sched: Use swap() macro in scale_stime() (bnc#938352).
• scsi: bnx2i: missing error code in bnx2iepconnect() (bsc#1048221).
• scsi: fix race between simultaneous decrements of ->host_failed (bsc#1050154).
• scsi: fnic: Correcting rport check location in fnicqueuecommandlck (bsc#1035920).
• scsi: mvsas: fix command_active typo (bsc#1050154).
• scsi: qla2xxx: Fix scsi scan hang triggered if adapter fails during init (bsc#1050154).
• scsi: virtio_scsi: fix memory leak on full queue condition (bsc#1028880).
• scsi: zfcp: do not trace pure benign residual HBA responses at default level (bnc#1025702, LTC#151317).
• scsi: zfcp: fix rport unblock race with LUN recovery (bnc#1025702, LTC#151319).
• scsi: zfcp: fix use-after-free by not tracing WKA port open/close on failed send (bnc#1025702, LTC#151365).
• scsi: zfcp: fix use-after-'free' in FC ingress path after TMF (bnc#1025702, LTC#151312).
• sfc: do not device_attach if a reset is pending (bsc#909618 FATE#317521).
• sfc: reduce severity of PIO buffer alloc failures (bsc#1019168).
• smsc75xx: use skbcowhead() to deal with cloned skbs (bsc#1045154).
• splice: Stub splicewriteto_file (bsc#1043234).
• sunrpc: Clean up the slot table allocation (bsc#1013862).
• sunrpc: Fix a memory leak in the backchannel code (git-fixes).
• sunrpc: Initalise the struct xprt upon allocation (bsc#1013862).
• svcrdma: Fix send_reply() scatter/gather set-up (git-fixes).
• target/iscsi: Fix double free in liotargettiqn_addtpg() (bsc#1050154).
• tcp: abort orphan sockets stalling on zero window probes (bsc#1021913).
• tracing: Fix syscall*regfunc() vs copyprocess() race (bnc#1042687).
• tracing/kprobes: Enforce kprobes teardown after testing (bnc#1013018).
• udf: Fix deadlock between writeback and udf_setsize() (bsc#1013018).
• udf: Fix races with i_size changes during readpage (bsc#1013018).
• Update metadata for serial fixes (bsc#1013070)
• Update patches.fixes/nfs-svc-rdma.fix (bsc#1044854).
• usb: cdc-acm: fix broken runtime suspend (bsc#1033771).
• usb: cdc-acm: fix open and suspend race (bsc#1033771).
• usb: cdc-acm: fix potential urb leak and PM imbalance in write (bsc#1033771).
• usb: cdc-acm: fix runtime PM for control messages (bsc#1033771).
• usb: cdc-acm: fix runtime PM imbalance at shutdown (bsc#1033771).
• usb: cdc-acm: fix shutdown and suspend race (bsc#1033771).
• usb: cdc-acm: fix write and resume race (bsc#1033771).
• usb: cdc-acm: fix write and suspend race (bsc#1033771).
• usb: class: usbtmc.c: Cleaning up uninitialized variables (bsc#1036288).
• usb: class: usbtmc: do not print error when allocating urb fails (bsc#1036288).
• usb: class: usbtmc: do not print on ENOMEM (bsc#1036288).
• usb: hub: Fix crash after failure to read BOS descriptor (FATE#317453).
• usb: iowarrior: fix info ioctl on big-endian hosts (bsc#1037441).
• usb: iowarrior: fix NULL-deref in write (bsc#1037359).
• usb: r8a66597-hcd: select a different endpoint on timeout (bsc#1047053).
• usb: serial: ark3116: fix register-accessor error handling (git-fixes).
• usb: serial: ch341: fix open error handling (bsc#1037441).
• usb: serial: cp210x: fix tiocmget error handling (bsc#1037441).
• usb: serial: ftdi_sio: fix line-status over-reporting (bsc#1037441).
• usb: serial: io_edgeport: fix epic-descriptor handling (bsc#1037441).
• usb: serial: io_ti: fix information leak in completion handler (git-fixes).
• usb: serial: iuu_phoenix: fix NULL-deref at open (bsc#1033794).
• usb: serial: kl5kusb105: fix line-state error handling (bsc#1021256).
• usb: serial: mos7720: fix NULL-deref at open (bsc#1033816).
• usb: serial: mos7720: fix parallel probe (bsc#1033816).
• usb: serial: mos7720: fix parport use-after-free on probe errors (bsc#1033816).
• usb: serial: mos7720: fix use-after-free on probe errors (bsc#1033816).
• usb: serial: mos7840: fix another NULL-deref at open (bsc#1034026).
• usb: serial: mos7840: fix NULL-deref at open (bsc#1034026).
• usb: serial: oti6858: fix NULL-deref at open (bsc#1037441).
• usb: serial: sierra: fix bogus alternate-setting assumption (bsc#1037441).
• usb: serial: spcp8x5: fix NULL-deref at open (bsc#1037441).
• usbtmc: remove redundant braces (bsc#1036288).
• usbtmc: remove trailing spaces (bsc#1036288).
• usb: usbip: fix nonconforming hub descriptor (bsc#1047487).
• usb: usbtmc: add device quirk for Rigol DS6104 (bsc#1036288).
• usb: usbtmc: Add flag rigolquirk to usbtmcdevice_data (bsc#1036288).
• usb: usbtmc: add missing endpoint sanity check (bsc#1036288).
• usb: usbtmc: Change magic number to constant (bsc#1036288).
• usb: usbtmc: fix big-endian probe of Rigol devices (bsc#1036288).
• usb: usbtmc: fix DMA on stack (bsc#1036288).
• usb: usbtmc: fix probe error path (bsc#1036288).
• usb: usbtmc: Set rigol_quirk if device is listed (bsc#1036288).
• usb: usbtmc: TMC request code segregated from usbtmc_read (bsc#1036288).
• usb: usbtmc: usbtmcread sends multiple TMC header based on rigolquirk (bsc#1036288).
• usbvision: fix NULL-deref at probe (bsc#1050431).
• usb: xhci-mem: use passed in GFP flags instead of GFP_KERNEL (bsc#1023014).
• Use make --output-sync feature when available (bsc#1012422). The mesages in make output can interleave making it impossible to extract warnings reliably. Since version 4 GNU Make supports --output-sync flag that prints output of each sub-command atomically preventing this issue. Detect the flag and use it if available. SLE11 has make 3.81 so it is required to include make 4 in the kernel OBS projects to take advantege of this.
• Use PFLESSTHROTTLE in loop device thread (bsc#1027101).
• uwb: hwa-rc: fix NULL-deref at probe (bsc#1037233).
• uwb: i1480-dfu: fix NULL-deref at probe (bsc#1036629).
• vb2: Fix an off by one error in 'vb2planevaddr' (bsc#1050431).
• vfs: split generic splice code from i_mutex locking (bsc#1024788).
• vmxnet3: avoid calling pskbmaypull with interrupts disabled (bsc#1045356).
• vmxnet3: fix checks for dma mapping errors (bsc#1045356).
• vmxnet3: fix lock imbalance in vmxnet3tqxmit() (bsc#1045356).
• vmxnet3: segCnt can be 1 for LRO packets (bsc#988065, bsc#1029770).
• x86, mm, paravirt: Fix vmalloc_fault oops during lazy MMU updates (bsc#948562).
• x86/pci-calgary: Fix iommu_free() comparison of unsigned expression >= 0 (bsc#1051478).
• xen: avoid deadlock in xenbus (bnc#1047523).
• xen-blkfront: correct maximum segment accounting (bsc#1018263).
• xen-blkfront: do not call talktoblkback when already connected to blkback.
• xen-blkfront: free resources if xlvbdallocgendisk fails.
• xen/PCI-MSI: fix sysfs teardown in DomU (bsc#986924).
• xfrm: dstentriesinit() per-net dst_ops (bsc#1030814).
• xfrm: NULL dereference on allocation failure (bsc#1047343).
• xfrm: Oops on error in pfkeymsg2xfrmstate() (bsc#1047653).
• xfsdmapi: fix the debug compilation of xfsdmapi (bsc#989056).
• xfs: do not assert fail on non-async buffers on ioacct decrement (bsc#1024508).
• xfs: exclude never-released buffers from buftarg I/O accounting (bsc#1024508).
• xfs: fix buffer overflow dmgetdirattrs/dmgetdirattrs2 (bsc#989056).
• xfs: Fix lock ordering in splice write (bsc#1024788).
• xfs: fix up xfsswapextent_forks inline extent handling (bsc#1023888).
• xfs: kill xfsitruncatestart (bsc#1024788).
• xfs: Make xfsicdinode->didmstate atomic_t (bsc#1024788).
• xfs: remove the inewsize field in struct xfs_inode (bsc#1024788).
• xfs: remove the isize field in struct xfsinode (bsc#1024788).
• xfs: remove xfsitruncatedata (bsc#1024788).
• xfs: replace global xfslogd wq with per-mount wq (bsc#1024508).
• xfs: split xfsitruncatefinish (bsc#1024788).
• xfs: split xfs_setattr (bsc#1024788).
• xfs: Synchronize xfs_buf disposal routines (bsc#1041160).
• xfs: track and serialize in-flight async buffers against unmount (bsc#1024508).
• xfs: use ->b_state to fix buffer I/O accounting release race (bsc#1041160).
• xprtrdma: Free the pd if ibqueryqp() fails (git-fixes).