SUSE-SU-2018:2150-1

The SUSE Linux Enterprise 12 SP3 RT kernel was updated to 4.4.139 to receive various security and bugfixes.

The following security bugs were fixed:

• CVE-2018-13053: The alarmtimernsleep function had an integer overflow via a large relative timeout because ktimeaddsafe was not used (bnc#1099924)
• CVE-2018-9385: Prevent overread of the 'driver_override' buffer (bsc#1100491)
• CVE-2018-13405: The inodeinitowner function allowed local users to create files with an unintended group ownership allowing attackers to escalate privileges by making a plain file executable and SGID (bnc#1100416)
• CVE-2018-13406: An integer overflow in the uvesafbsetcmap function could have result in local attackers being able to crash the kernel or potentially elevate privileges because kmallocarray is not used (bnc#1100418)
• CVE-2017-5753: Systems with microprocessors utilizing speculative execution and branch prediction may have allowed unauthorized disclosure of information to an attacker with local user access via a side-channel analysis (bsc#1068032)

The following non-security bugs were fixed:

• 1wire: family module autoload fails because of upper/lower case mismatch (bnc#1012382).
• ALSA: hda - Clean up ALC299 init code (bsc#1099810).
• ALSA: hda - Enable powersavenode for CX20722 (bsc#1099810).
• ALSA: hda - Fix a wrong FIXUP for alc289 on Dell machines (bsc#1099810).
• ALSA: hda - Fix incorrect usage of IS_REACHABLE() (bsc#1099810).
• ALSA: hda - Fix pincfg at resume on Lenovo T470 dock (bsc#1099810).
• ALSA: hda - Handle kzalloc() failure in sndhdaattachpcmstream() (bnc#1012382).
• ALSA: hda - Use acpidevpresent() (bsc#1099810).
• ALSA: hda - add a new condition to check if it is thinkpad (bsc#1099810).
• ALSA: hda - silence uninitialized variable warning in activateampin() (bsc#1099810).
• ALSA: hda/patch_sigmatel: Add AmigaOne X1000 pinconfigs (bsc#1099810).
• ALSA: hda/realtek - Add a quirk for FSC ESPRIMO U9210 (bsc#1099810).
• ALSA: hda/realtek - Add headset mode support for Dell laptop (bsc#1099810).
• ALSA: hda/realtek - Add support headset mode for DELL WYSE (bsc#1099810).
• ALSA: hda/realtek - Clevo P950ER ALC1220 Fixup (bsc#1099810).
• ALSA: hda/realtek - Enable Thinkpad Dock device for ALC298 platform (bsc#1099810).
• ALSA: hda/realtek - Enable mic-mute hotkey for several Lenovo AIOs (bsc#1099810).
• ALSA: hda/realtek - Fix Dell headset Mic can't record (bsc#1099810).
• ALSA: hda/realtek - Fix pop noise on Lenovo P50 and co (bsc#1099810).
• ALSA: hda/realtek - Fix the problem of two front mics on more machines (bsc#1099810).
• ALSA: hda/realtek - Fixup for HP x360 laptops with B and O speakers (bsc#1099810).
• ALSA: hda/realtek - Fixup mute led on HP Spectre x360 (bsc#1099810).
• ALSA: hda/realtek - Make dock sound work on ThinkPad L570 (bsc#1099810).
• ALSA: hda/realtek - Refactor alc269fixuphpmuteled_mic*() (bsc#1099810).
• ALSA: hda/realtek - Reorder ALC269 ASUS quirk entries (bsc#1099810).
• ALSA: hda/realtek - Support headset mode for ALC215/ALC285/ALC289 (bsc#1099810).
• ALSA: hda/realtek - Update ALC255 depop optimize (bsc#1099810).
• ALSA: hda/realtek - adjust the location of one mic (bsc#1099810).
• ALSA: hda/realtek - change the location for one of two front mics (bsc#1099810).
• ALSA: hda/realtek - set PINCFGHEADSETMIC to parse_flags (bsc#1099810).
• ALSA: hda/realtek - update ALC215 depop optimize (bsc#1099810).
• ALSA: hda/realtek - update ALC225 depop optimize (bsc#1099810).
• ALSA: hda/realtek: Fix mic and headset jack sense on Asus X705UD (bsc#1099810).
• ALSA: hda/realtek: Limit mic boost on T480 (bsc#1099810).
• ALSA: hda: Fix forget to free resource in error handling code path in hdacodecdriver_probe (bsc#1099810).
• ALSA: hda: add dock and led support for HP EliteBook 830 G5 (bsc#1099810).
• ALSA: hda: add dock and led support for HP ProBook 640 G4 (bsc#1099810).
• ALSA: hda: fix some klockwork scan warnings (bsc#1099810).
• ARM: 8764/1: kgdb: fix NUMREGBYTES so that gdb_regs[] is the correct size (bnc#1012382).
• ASoC: cirrus: i2s: Fix LRCLK configuration (bnc#1012382).
• ASoC: cirrus: i2s: Fix {TX|RX}LinCtrlData setup (bnc#1012382).
• ASoC: dapm: delete dapmkcontroldata paths list before freeing it (bnc#1012382).
• Bluetooth: Fix connection if directed advertising and privacy is used (bnc#1012382).
• Bluetooth: hci_qca: Avoid missing rampatch failure with userspace fw loader (bnc#1012382).
• Btrfs: fix clone vs chattr NODATASUM race (bnc#1012382).
• Btrfs: fix unexpected cow in rundelallocnocow (bnc#1012382).
• Btrfs: make raid6 rebuild retry more (bnc#1012382).
• Btrfs: scrub: Do not use inode pages for device replace (bnc#1012382).
• Correct the arguments to verbose() (bsc#1098425)
• Hang/soft lockup in d_invalidate with simultaneous calls (bsc#1094248, bsc@1097140).
• IB/qib: Fix DMA api warning with debug kernel (bnc#1012382).
• Input: elan_i2c - add ELAN0618 (Lenovo v330 15IKB) ACPI ID (bnc#1012382).
• Input: elani2csmbus - fix more potential stack buffer overflows (bnc#1012382).
• Input: elantech - enable middle button of touchpads on ThinkPad P52 (bnc#1012382).
• Input: elantech - fix V4 report decoding for module with middle key (bnc#1012382).
• MIPS: BCM47XX: Enable 74K Core ExternalSync for PCIe erratum (bnc#1012382).
• MIPS: io: Add barrier after register read in inX() (bnc#1012382).
• NFSv4: Fix possible 1-byte stack overflow in nfsidmapreadandverify_message (bnc#1012382).
• PCI: pciehp: Clear Presence Detect and Data Link Layer Status Changed on resume (bnc#1012382).
• RDMA/mlx4: Discard unknown SQP work requests (bnc#1012382).
• Refresh with upstream commit:62290a5c194b since the typo fix has been merged in upstream. (bsc#1085185)
• Revert 'Btrfs: fix scrub to repair raid6 corruption' (bnc#1012382).
• Revert 'kvm: nVMX: Enforce cpl=0 for VMX instructions (bsc#1099183).' This turned out to be superfluous for 4.4.x kernels.
• Revert 'scsi: lpfc: Fix 16gb hbas failing cq create (bsc#1089525).' This reverts commit b054499f7615e2ffa7571ac0d05c7d5c9a8c0327.
• UBIFS: Fix potential integer overflow in allocation (bnc#1012382).
• Update patches.fixes/nvme-expand-nvmfcheckif_ready-checks.patch (bsc#1098527).
• atm: zatm: fix memcmp casting (bnc#1012382).
• backlight: as3711_bl: Fix Device Tree node lookup (bnc#1012382).
• backlight: max8925_bl: Fix Device Tree node lookup (bnc#1012382).
• backlight: tps65217_bl: Fix Device Tree node lookup (bnc#1012382).
• block: Fix transfer when chunk sectors exceeds max (bnc#1012382).
• bonding: re-evaluate force_primary when the primary slave name changes (bnc#1012382).
• bpf: properly enforce index mask to prevent out-of-bounds speculation (bsc#1098425).
• branch-check: fix long->int truncation when profiling branches (bnc#1012382).
• cdc_ncm: avoid padding beyond end of skb (bnc#1012382).
• ceph: fix dentry leak in splice_dentry() (bsc#1098236).
• ceph: fix use-after-free in ceph_statfs() (bsc#1098236).
• ceph: fix wrong check for the case of updating link count (bsc#1098236).
• ceph: prevent i_version from going back (bsc#1098236).
• ceph: support file lock on directory (bsc#1098236).
• cifs: Check for timeout on Negotiate stage (bsc#1091171).
• cpufreq: Fix new policy initialization during limits updates via sysfs (bnc#1012382).
• cpuidle: powernv: Fix promotion from snooze if next state disabled (bnc#1012382).
• dm thin: handle running out of data space vs concurrent discard (bnc#1012382).
• dm: convert DM printk macros to pr_level macros (bsc#1099918).
• dm: fix printk() rate limiting code (bsc#1099918).
• driver core: Do not ignore classdircreateandadd() failure (bnc#1012382).
• e1000e: Ignore TSYNCRXCTL when getting I219 clock attributes (bsc#1075876).
• ext4: fix fencepost error in check for inode count overflow during resize (bnc#1012382).
• ext4: fix unsupported feature message formatting (bsc#1098435).
• ext4: update mtime in ext4punchhole even if no blocks are released (bnc#1012382).
• fs/binfmt_misc.c: do not allow offset overflow (bsc#1099279).
• fuse: atomicotrunc should truncate pagecache (bnc#1012382).
• fuse: do not keep dead fuseconn at fusefill_super() (bnc#1012382).
• fuse: fix control dir setup and teardown (bnc#1012382).
• hv_netvsc: avoid repeated updates of packet filter (bsc#1097492).
• hv_netvsc: defer queue selection to VF (bsc#1097492).
• hv_netvsc: enable multicast if necessary (bsc#1097492).
• hv_netvsc: filter multicast/broadcast (bsc#1097492).
• hv_netvsc: fix filter flags (bsc#1097492).
• hv_netvsc: fix locking during VF setup (bsc#1097492).
• hvnetvsc: fix locking for rxmode (bsc#1097492).
• hv_netvsc: propagate rx filters to VF (bsc#1097492).
• iio:buffer: make length types match kfifo types (bnc#1012382).
• iommu/vt-d: Fix race condition in add_unmap() (bsc#1096790, bsc#1097034).
• ipmi:bt: Set the timeout before doing a capabilities check (bnc#1012382).
• ipvs: fix buffer overflow with sync daemon and service (bnc#1012382).
• iwlmvm: tdls: Check TDLS channel switch support (bsc#1099810).
• iwlwifi: fix nonsharedant for 9000 devices (bsc#1099810).
• kvm: nVMX: Enforce cpl=0 for VMX instructions (bsc#1099183).
• lib/vsprintf: Remove atomic-unsafe support for %pCr (bnc#1012382).
• libata: Drop SanDisk SD7UB3Q*G1001 NOLPM quirk (bnc#1012382).
• libata: zpodd: make arrays cdb static, reduces object code size (bnc#1012382).
• libata: zpodd: small read overflow in eject_tray() (bnc#1012382).
• linvdimm, pmem: Preserve read-only setting for pmem devices (bnc#1012382).
• m68k/mm: Adjust VM area to be unmapped by gap size for __iounmap() (bnc#1012382).
• mac80211: Fix condition validating WMM IE (bsc#1099810,bsc#1099732).
• media: cx231xx: Add support for AverMedia DVD EZMaker 7 (bnc#1012382).
• media: dvbfrontend: fix locking issues at dvbfrontendgetevent() (bnc#1012382).
• media: smiapp: fix timeout checking in smiappreadnvm (bsc#1099918).
• media: v4l2-compat-ioctl32: prevent go past max size (bnc#1012382).
• mfd: intel-lpss: Program REMAP register in PIO mode (bnc#1012382).
• mips: ftrace: fix static function graph tracing (bnc#1012382).
• mtd: cficmdset0002: Avoid walking all chips when unlocking (bnc#1012382).
• mtd: cficmdset0002: Change write buffer to check correct value (bnc#1012382).
• mtd: cficmdset0002: Fix unlocking requests crossing a chip boudary (bnc#1012382).
• mtd: cficmdset0002: Use right chip in doppbxxlock() (bnc#1012382).
• mtd: cficmdset0002: fix SEGV unlocking multiple chips (bnc#1012382).
• mtd: cmdlinepart: Update comment for introduction of OFFSET_CONTINUOUS (bsc#1099918).
• mtd: partitions: add helper for deleting partition (bsc#1099918).
• mtd: partitions: remove sysfs files when deleting all master's partitions (bsc#1099918).
• net/sonic: Use dmamappingerror() (bnc#1012382).
• net: qmi_wwan: Add Netgear Aircard 779S (bnc#1012382).
• netfilter: ebtables: handle string from userspace with care (bnc#1012382).
• nfsd: restrict rdmaxcount to svcmaxpayload in nfsdencode_readdir (bnc#1012382).
• nvme-fabrics: allow duplicate connections to the discovery controller (bsc#1098527).
• nvme-fabrics: allow internal passthrough command on deleting controllers (bsc#1098527).
• nvme-fabrics: centralize discovery controller defaults (bsc#1098527).
• nvme-fabrics: fix and refine state checks in _nvmfcheck_ready (bsc#1098527).
• nvme-fabrics: refactor queue ready check (bsc#1098527).
• nvme-fc: change controllers first connect to use reconnect path (bsc#1098527).
• nvme-fc: fix nulling of queue data on reconnect (bsc#1098527).
• nvme-fc: remove reinit_request routine (bsc#1098527).
• nvme-fc: remove setting DNR on exception conditions (bsc#1098527).
• nvme: allow duplicate controller if prior controller being deleted (bsc#1098527).
• nvme: move init of keep_alive work item to controller initialization (bsc#1098527).
• nvme: reimplement nvmfcheckif_ready() to avoid kabi breakage (bsc#1098527).
• nvmet-fc: increase LS buffer count per fc port (bsc#1098527).
• nvmet: switch loopback target state to connecting when resetting (bsc#1098527).
• of: unittest: for strings, account for trailing \0 in property length field (bnc#1012382).
• ovl: fix random return value on mount (bsc#1099993).
• ovl: fix uid/gid when creating over whiteout (bsc#1099993).
• ovl: override creds with the ones from the superblock mounter (bsc#1099993).
• perf intel-pt: Fix 'Unexpected indirect branch' error (bnc#1012382).
• perf intel-pt: Fix MTC timing after overflow (bnc#1012382).
• perf intel-pt: Fix decoding to accept CBR between FUP and corresponding TIP (bnc#1012382).
• perf intel-pt: Fix packet decoding of CYC packets (bnc#1012382).
• perf intel-pt: Fix syncswitch INTELPTSSNOT_TRACING (bnc#1012382).
• perf tools: Fix symbol and object code resolution for vdso32 and vdsox32 (bnc#1012382).
• platform/x86: thinkpad_acpi: Adding new hotkey ID for Lenovo thinkpad (bsc#1099810).
• powerpc/64s: Exception macro for stack frame and initial register save (bsc#1094244).
• powerpc/64s: Fix mce accounting for powernv (bsc#1094244).
• powerpc/fadump: Unregister fadump on kexec down path (bnc#1012382).
• powerpc/mm/hash: Add missing isync prior to kernel stack SLB switch (bnc#1012382).
• powerpc/ptrace: Fix enforcement of DAWR constraints (bnc#1012382).
• powerpc/ptrace: Fix setting 512B aligned breakpoints with PTRACESETDEBUGREG (bnc#1012382).
• powerpc: Machine check interrupt is a non-maskable interrupt (bsc#1094244).
• procfs: add tunable for fd/fdinfo dentry retention (bsc#10866542).
• qla2xxx: Fix NULL pointer derefrence for fcport search (bsc#1085657).
• qla2xxx: Fix inconsistent DMA mem alloc/free (bsc#1085657).
• qla2xxx: Fix kernel crash due to late workqueue allocation (bsc#1085657).
• regulator: Do not return or expect -errno from ofmapmode() (bsc#1099042).
• rmdir(),rename(): do shrinkdcacheparent() only on success (bsc#1100340).
• s390/dasd: configurable IFCC handling (bsc#1097808).
• sbitmap: check for valid bitmap in sbitmapforeach (bsc#1090435).
• sched/sysctl: Check user input value of sysctlschedtime_avg (bsc#1100089).
• scsi: ipr: Format HCAM overlay ID 0x41 (bsc#1097961).
• scsi: ipr: new IOASC update (bsc#1097961).
• scsi: lpfc: Change IO submit return to EBUSY if remote port is recovering (bsc#1092207).
• scsi: lpfc: Driver NVME load fails when CPU cnt > WQ resource cnt (bsc#1092207).
• scsi: lpfc: Fix 16gb hbas failing cq create (bsc#1089525).
• scsi: lpfc: Fix 16gb hbas failing cq create (bsc#1095453).
• scsi: lpfc: Fix MDS diagnostics failure (Rx lower than Tx) (bsc#1095453).
• scsi: lpfc: Fix crash in blk_mq layer when executing modprobe -r lpfc (bsc#1095453).
• scsi: lpfc: Fix port initialization failure (bsc#1095453).
• scsi: lpfc: Fix up log messages and stats counters in IO submit code path (bsc#1092207).
• scsi: lpfc: Handle new link fault code returned by adapter firmware (bsc#1092207).
• scsi: lpfc: correct oversubscription of nvme io requests for an adapter (bsc#1095453).
• scsi: lpfc: update driver version to 11.4.0.7-3 (bsc#1092207).
• scsi: lpfc: update driver version to 11.4.0.7-4 (bsc#1095453).
• scsi: qedi: Fix truncation of CHAP name and secret (bsc#1097931)
• scsi: qla2xxx: Fix setting lower transfer speed if GPSC fails (bnc#1012382).
• scsi: qla2xxx: Spinlock recursion in qla_target (bsc#1097501)
• scsi: zfcp: fix misleading REC trigger trace where erp_action setup failed (LTC#168765 bnc#1012382 bnc#1099713).
• scsi: zfcp: fix misleading REC trigger trace where erp_action setup failed (bnc#1099713, LTC#168765).
• scsi: zfcp: fix missing REC trigger trace for all objects in ERP_FAILED (LTC#168765 bnc#1012382 bnc#1099713).
• scsi: zfcp: fix missing REC trigger trace for all objects in ERP_FAILED (bnc#1099713, LTC#168765).
• scsi: zfcp: fix missing REC trigger trace on enqueue without ERP thread (LTC#168765 bnc#1012382 bnc#1099713).
• scsi: zfcp: fix missing REC trigger trace on enqueue without ERP thread (bnc#1099713, LTC#168765).
• scsi: zfcp: fix missing REC trigger trace on terminaterportio early return (LTC#168765 bnc#1012382 bnc#1099713).
• scsi: zfcp: fix missing REC trigger trace on terminaterportio early return (bnc#1099713, LTC#168765).
• scsi: zfcp: fix missing REC trigger trace on terminaterportio for ERP_FAILED (LTC#168765 bnc#1012382 bnc#1099713).
• scsi: zfcp: fix missing REC trigger trace on terminaterportio for ERP_FAILED (bnc#1099713, LTC#168765).
• scsi: zfcp: fix missing SCSI trace for result of ehhostreset_handler (LTC#168765 bnc#1012382 bnc#1099713).
• scsi: zfcp: fix missing SCSI trace for result of ehhostreset_handler (bnc#1099713, LTC#168765).
• scsi: zfcp: fix missing SCSI trace for retry of abort / scsi_eh TMF (LTC#168765 bnc#1012382 bnc#1099713).
• scsi: zfcp: fix missing SCSI trace for retry of abort / scsi_eh TMF (bnc#1099713, LTC#168765).
• serial: sh-sci: Use spin{try}lockirqsave instead of open coding version (bnc#1012382).
• signal/xtensa: Consistenly use SIGBUS in dounaligneduser (bnc#1012382).
• sort and rename various hyperv patches
• spi: Fix scatterlist elements size in spimapbuf (bnc#1012382).
• tcp: do not overshoot windowclamp in tcprcvspaceadjust() (bnc#1012382).
• tcp: verify the checksum of the first data segment in a new connection (bnc#1012382).
• thinkpad_acpi: Add support for HKEY version 0x200 (bsc#1099810).
• time: Make sure jiffiestomsecs() preserves non-zero time periods (bnc#1012382).
• ubi: fastmap: Cancel work upon detach (bnc#1012382).
• udf: Detect incorrect directory size (bnc#1012382).
• usb: do not reset if a low-speed or full-speed device timed out (bnc#1012382).
• usb: musb: fix remote wakeup racing with suspend (bnc#1012382).
• video/fbdev/stifb: Return -ENOMEM after a failed kzalloc() in stifbinitfb() (bsc#1090888 bsc#1099966).
• video: uvesafb: Fix integer overflow in allocation (bnc#1012382).
• w1: mxcw1: Enable clock before calling clkget_rate() on it (bnc#1012382).
• x86/cpu/amd: Derive L3 sharedcpumap from cpullcshared_mask (bsc#1094643).
• x86/mce: Improve error message when kernel cannot recover (git-fixes b2f9d678e28c).
• x86/pti: do not report XenPV as vulnerable (bsc#1097551).
• xen: Remove unnecessary BUGON from _unbindfromirq() (bnc#1012382).
• xfrm6: avoid potential infinite loop in decodesession6() (bnc#1012382).
• xfrm: Ignore socket policies when rebuilding hash tables (bnc#1012382).
• xfrm: skip policies marked as dead while rehashing (bnc#1012382).