SUSE-SU-2020:2121-1

The SUSE Linux Enterprise 12 SP4 LTSS kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

• CVE-2020-0305: In cdevget of chardev.c, there is a possible use-after-free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation (bnc#1174462).
• CVE-2019-20908: An issue was discovered in drivers/firmware/efi/efi.c where incorrect access permissions for the efivar_ssdt ACPI variable could be used by attackers to bypass lockdown or secure boot restrictions, aka CID-1957a85b0032 (bnc#1173567).
• CVE-2020-15780: An issue was discovered in drivers/acpi/acpi_configfs.c where injection of malicious ACPI tables via configfs could be used by attackers to bypass lockdown and secure boot restrictions, aka CID-75b0cea7bf30 (bnc#1173573).
• CVE-2020-15393: usbtest_disconnect in drivers/usb/misc/usbtest.c has a memory leak, aka CID-28ebeb8db770 (bnc#1173514).
• CVE-2020-12771: btreegccoalesce in drivers/md/bcache/btree.c had a deadlock if a coalescing operation fails (bnc#1171732).
• CVE-2019-16746: net/wireless/nl80211.c did not check the length of variable elements in a beacon head, leading to a buffer overflow (bnc#1152107).
• CVE-2020-12888: The VFIO PCI driver mishandled attempts to access disabled memory space (bnc#1171868).
• CVE-2020-10769: A buffer over-read flaw was found in cryptoauthencextractkeys in crypto/authenc.c in the IPsec Cryptographic algorithm's module, authenc. When a payload longer than 4 bytes, and is not following 4-byte alignment boundary guidelines, it causes a buffer over-read threat, leading to a system crash. This flaw allowed a local attacker with user privileges to cause a denial of service (bnc#1173265).
• CVE-2020-10773: A kernel stack information leak on s390/s390x was fixed (bnc#1172999).
• CVE-2020-14416: A race condition in tty->disc_data handling in the slip and slcan line discipline could lead to a use-after-free, aka CID-0ace17d56824. This affects drivers/net/slip/slip.c and drivers/net/can/slcan.c (bnc#1162002).
• CVE-2020-10768: Indirect branch speculation could have been enabled after it was force-disabled by the PRSPECFORCE_DISABLE prctl command. (bnc#1172783).
• CVE-2020-10766: Fixed Rogue cross-process SSBD shutdown, where a Linux scheduler logical bug allows an attacker to turn off the SSBD protection. (bnc#1172781).
• CVE-2020-10767: Indirect Branch Prediction Barrier was force-disabled when STIBP is unavailable or enhanced IBRS is available. (bnc#1172782).
• CVE-2020-13974: drivers/tty/vt/keyboard.c had an integer overflow if k_ascii is called several times in a row, aka CID-b86dab054059. (bnc#1172775).
• CVE-2019-20810: go7007sndinit in drivers/media/usb/go7007/snd-go7007.c in the Linux kernel did not call sndcardfree for a failure path, which causes a memory leak, aka CID-9453264ef586 (bnc#1172458).

The following non-security bugs were fixed:

• ACPI: PM: Avoid using power resources if there are none for D0 (bsc#1051510).
• ALSA: es1688: Add the missed sndcardfree() (bsc#1051510).
• bcache: Fix an error code in bchdumpread() (git fixes (block drivers)).
• block, bfq: add requeue-request hook (bsc#1104967 bsc#1171673).
• block, bfq: postpone rq preparation to insert or merge (bsc#1104967 bsc#1171673).
• block: remove QUEUEFLAGSTACKABLE (git fixes (block drivers)).
• block: sed-opal: fix sparse warning: convert __be64 data (git fixes (block drivers)).
• btrfs: always wait on ordered extents at fsync time (bsc#1171761).
• btrfs: clean up the left over logged_list usage (bsc#1171761).
• btrfs: do not zero f_bavail if we have available space (bsc#1168081).
• btrfs: fix list_add corruption and soft lockups in fsync (bsc#1171761).
• btrfs: fix missing data checksums after a ranged fsync (msync) (bsc#1171761).
• btrfs: fix missing file extent item for hole after ranged fsync (bsc#1171761).
• btrfs: fix missing hole after hole punching and fsync when using NO_HOLES (bsc#1171761).
• btrfs: fix missing semaphore unlock in btrfssyncfile (bsc#1171761).
• btrfs: fix rare chances for data loss when doing a fast fsync (bsc#1171761).
• btrfs: Remove extra parentheses from condition in copy_items() (bsc#1171761).
• btrfs: remove no longer used ioerr from btrfslog_ctx (bsc#1171761).
• btrfs: remove no longer used logged range variables when logging extents (bsc#1171761).
• btrfs: remove no longer used 'sync' member from transaction handle (bsc#1171761).
• btrfs: remove remaing fullsync logic from btrfssync_file (bsc#1171761).
• btrfs: remove the logged extents infrastructure (bsc#1171761).
• btrfs: remove the wait ordered logic in the logoneextent path (bsc#1171761).
• btrfs: volumes: Remove ENOSPC-prone btrfscanrelocate() (bsc#1171124).
• CDC-ACM: heed quirk also in error handling (git-fixes).
• cifs: get rid of unused parameter in reconnsetupdfs_targets() (bsc#1144333).
• cifs: handle hostnames that resolve to same ip in failover (bsc#1144333 bsc#1161016).
• cifs: set up next DFS target before genericipconnect() (bsc#1144333 bsc#1161016).
• clk: bcm2835: Fix return type of bcm2835registergate (bsc#1051510).
• clk: clk-flexgen: fix clock-critical handling (bsc#1051510).
• clk: sunxi: Fix incorrect usage of round_down() (bsc#1051510).
• compat_ioctl: block: handle BLKREPORTZONE/BLKRESETZONE (git fixes (block drivers)).
• compat_ioctl: block: handle Persistent Reservations (git fixes (block drivers)).
• copy{to,from}user(): consolidate object size checks (git fixes).
• crypto: cavium/nitrox - Fix 'nitroxgetfirst_device()' when ndevlist is fully iterated (git-fixes).
• dm btree: increase rebalance threshold in __rebalance2() (git fixes (block drivers)).
• dm cache: fix a crash due to incorrect work item cancelling (git fixes (block drivers)).
• dm crypt: fix benbi IV constructor crash if used in authenticated mode (git fixes (block drivers)).
• dm: fix potential for q->makerequestfn NULL pointer (git fixes (block drivers)).
• dm space map common: fix to ensure new block isn't already in use (git fixes (block drivers)).
• dm: various cleanups to md->queue initialization code (git fixes).
• dm verity fec: fix hash block number in verityfecdecode (git fixes (block drivers)).
• dm verity fec: fix memory leak in verityfecdtr (git fixes (block drivers)).
• Drivers: hv: Change flag to write log level in panic msg to false (bsc#1170618).
• drivers: soc: ti: knavqmssqueue: Make knavgprange_ops static (bsc#1051510).
• drm/dp_mst: Increase ACT retry timeout to 3s (bsc#1152472) * context changes
• drm: encoder_slave: fix refcouting error for modules (bsc#1114279)
• drm/mediatek: Check plane visibility in atomic_update (bsc#1152472) * context changes
• drm/qxl: Use correct notify port address when creating cursor ring (bsc#1152472)
• drm/radeon: fix double free (bsc#1152472)
• drm/radeon: fix fbdiv check in niinitsmcspll_table() (bsc#1152472)
• e1000e: Disable TSO for buffer overrun workaround (bsc#1051510).
• e1000e: Do not wake up the system via WOL if device wakeup is disabled (bsc#1051510).
• EDAC/amd64: Read back the scrub rate PCI register on F15h (bsc#1114279).
• evm: Check also if *tfm is an error pointer in init_desc() (bsc#1051510).
• evm: Fix a small race in init_desc() (bsc#1051510).
• extcon: adc-jack: Fix an error handling path in 'adcjackprobe()' (bsc#1051510).
• gpiolib: Document that GPIO line names are not globally unique (bsc#1051510).
• HID: sony: Fix for broken buttons on DS3 USB dongles (bsc#1051510).
• ibmveth: Fix max MTU limit (bsc#1173428 ltc#186397).
• ibmvnic: continue to init in CRQ reset returns H_CLOSED (bsc#1173280 ltc#185369).
• ibmvnic: Flush existing work items before device removal (bsc#1065729).
• ibmvnic: Harden device login requests (bsc#1170011 ltc#183538).
• iio: buffer: Do not allow buffers without any channels enabled to be activated (bsc#1051510).
• iio: pressure: bmp280: Tolerate IRQ before registering (bsc#1051510).
• ima: Directly assign the imadefaultpolicy pointer to ima_rules (bsc#1051510).
• ima: Fix ima digest hash table key calculation (bsc#1051510).
• include/asm-generic/topology.h: guard cpumaskofnode() macro argument (bsc#1148868).
• intel_idle: Graceful probe failure when MWAIT is disabled (bsc#1174115).
• KVM: nVMX: Do not reread VMCS-agnostic state when switching VMCS (bsc#1114279).
• KVM: nVMX: Skip IBPB when switching between vmcs01 and vmcs02 (bsc#1114279).
• kvm: x86: Fix L1TF mitigation for shadow MMU (bsc#1171904).
• KVM: x86/mmu: Set mmio_value to '0' if reserved #PF can't be generated (bsc#1171904).
• KVM: x86: only do L1TF workaround on affected processors (bsc#1171904).
• libceph: do not omit recoverydeletes in targetcopy() (bsc#1173462).
• livepatch: Apply vmlinux-specific KLP relocations early (bsc#1071995).
• livepatch: Disallow vmlinux.ko (bsc#1071995).
• livepatch: Make klpapplyobject_relocs static (bsc#1071995).
• livepatch: Prevent module-specific KLP rela sections from referencing vmlinux symbols (bsc#1071995).
• livepatch: Remove .klp.arch (bsc#1071995).
• md: Avoid namespace collision with bitmap API (git fixes (block drivers)).
• md: use memalloc scope APIs in mddevsuspend()/mddevresume() (git fixes (block drivers)).
• mmc: fix compilation of user API (bsc#1051510).
• netfilter: connlabels: prefer static lock initialiser (git-fixes).
• netfilter: ctnetlink: netns exit must wait for callbacks (bsc#1169795).
• netfilter: not mark a spinlock as _readmostly (git-fixes).
• net: vmxnet3: fix possible buffer overflow caused by bad DMA value in vmxnet3getrss() (bsc#1172484).
• NFS: Fix an RCU lock leak in nfs4refreshdelegation_stateid() (bsc#1170592).
• NFSv4: Retry CLOSE and DELEGRETURN on NFS4ERROLDSTATEID (bsc#1170592).
• nvme: check for NVMECTRLLIVE in nvmereportns_ids() (bcs#1171558 bsc#1159058).
• nvme: do not update multipath disk information if the controller is down (bcs#1171558 bsc#1159058).
• objtool: Clean instruction state before each function validation (bsc#1169514).
• objtool: Ignore empty alternatives (bsc#1169514).
• overflow: Fix -Wtype-limits compilation warnings (git fixes).
• overflow.h: Add arithmetic shift helper (git fixes).
• p54usb: add AirVasT USB stick device-id (bsc#1051510).
• PCI: Allow pciresizeresource() for devices on root bus (bsc#1051510).
• PCI: Fix pciregisterhostbridge() deviceregister() error handling (bsc#1051510).
• PCI: Program MPS for RCiEP devices (bsc#1051510).
• PCI/PTM: Inherit Switch Downstream Port PTM settings from Upstream Port (bsc#1051510).
• perf: Allocate context taskctxdata for child event (git-fixes).
• perf/cgroup: Fix perf cgroup hierarchy support (git-fixes).
• perf: Copy parent's address filter offsets on clone (git-fixes).
• perf/core: Add sanity check to deal with pinned event failure (git-fixes).
• perf/core: Avoid freeing static PMU contexts when PMU is unregistered (git-fixes).
• perf/core: Correct event creation with PERFFORMATGROUP (git-fixes).
• perf/core: Do not WARN() for impossible ring-buffer sizes (git-fixes).
• perf/core: Fix bad use of igrab() (git fixes (dependent patch)).
• perf/core: Fix crash when using HW tracing kernel filters (git-fixes).
• perf/core: Fix ctxeventtype in ctx_resched() (git-fixes).
• perf/core: Fix error handling in perfeventalloc() (git-fixes).
• perf/core: Fix exclusive events' grouping (git-fixes).
• perf/core: Fix group scheduling with mixed hw and sw events (git-fixes).
• perf/core: Fix impossible ring-buffer sizes warning (git-fixes).
• perf/core: Fix locking for children siblings group read (git-fixes).
• perf/core: Fix lock inversion between perf,trace,cpuhp (git-fixes (dependent patch for 18736eef1213)).
• perf/core: Fix perfeventread_value() locking (git-fixes).
• perf/core: Fix perfpmuunregister() locking (git-fixes).
• perf/core: Fix _perfreadgroupadd() locking (git-fixes (dependent patch)).
• perf/core: Fix perfsampleregs_user() mm check (git-fixes).
• perf/core: Fix possible Spectre-v1 indexing for ->aux_pages (git-fixes).
• perf/core: Fix race between close() and fork() (git-fixes).
• perf/core: Fix the address filtering fix (git-fixes).
• perf/core: Fix use-after-free in uprobeperfclose() (git-fixes).
• perf/core: Force USER_DS when recording user stack data (git-fixes).
• perf/core: Restore mmap record type correctly (git-fixes).
• perf: Fix header.size for namespace events (git-fixes).
• perf/ioctl: Add check for the sample_period value (git-fixes).
• perf, pt, coresight: Fix address filters for vmas with non-zero offset (git-fixes).
• perf: Return proper values for user stack errors (git-fixes).
• perf/x86/amd: Constrain Large Increment per Cycle events (git-fixes).
• perf/x86/amd/ibs: Fix reading of the IBS OpData register and thus precise RIP validity (git-fixes).
• perf/x86/amd/ibs: Fix sample bias for dispatched micro-ops (git-fixes).
• perf/x86/amd/ibs: Handle erratum #420 only on the affected CPU family (10h) (git-fixes).
• perf/x86/amd/iommu: Make the 'amdiommuattr_groups' symbol static (git-fixes).
• perf/x86/amd/uncore: Do not set 'ThreadMask' and 'SliceMask' for non-L3 PMCs (git-fixes stable).
• perf/x86/amd/uncore: Set the thread mask for F17h L3 PMCs (git-fixes).
• perf/x86/amd/uncore: Set ThreadMask and SliceMask for L3 Cache perf events (git-fixes stable).
• perf/x86: Enable free running PEBS for REGS_USER/INTR (git-fixes).
• perf/x86: Fix incorrect PEBS_REGS (git-fixes).
• perf/x86/intel: Add generic branch tracing check to intelpmuhas_bts() (git-fixes).
• perf/x86/intel: Add proper condition to run sched_task callbacks (git-fixes).
• perf/x86/intel/bts: Fix the use of page_private() (git-fixes).
• perf/x86/intel: Fix PT PMI handling (git-fixes).
• perf/x86/intel: Move branch tracing setup to the Intel-specific source file (git-fixes).
• perf/x86/intel/uncore: Add Node ID mask (git-fixes).
• perf/x86/intel/uncore: Fix PCI BDF address of M3UPI on SKX (git-fixes).
• perf/x86/pt, coresight: Clean up address filter structure (git fixes (dependent patch)).
• perf/x86/uncore: Fix event group support (git-fixes).
• pid: Improve the comment about waiting in zappidns_processes (git fixes)).
• pinctrl: freescale: imx: Fix an error handling path in 'imxpinctrlprobe()' (bsc#1051510).
• pinctrl: imxl: Fix an error handling path in 'imx1pinctrlcore_probe()' (bsc#1051510).
• pinctrl: samsung: Save/restore eintmask over suspend for EINTTYPE GPIOs (bsc#1051510).
• pnp: Use listforeach_entry() instead of open coding (git fixes).
• powerpc/64s: Do not let DT CPU features set FSCR_DSCR (bsc#1065729).
• powerpc/64s: Save FSCR to init_task.thread.fscr after feature init (bsc#1065729).
• powerpc/xive: Clear the page tables for the ESB IO mapping (bsc#1085030).
• power: supply: bq24257charger: Replace depends on REGMAPI2C with select (bsc#1051510).
• power: supply: lp8788: Fix an error handling path in 'lp8788chargerprobe()' (bsc#1051510).
• power: supply: smb347-charger: IRQSTAT_D is volatile (bsc#1051510).
• raid5: remove gfp flags from scribble_alloc() (git fixes (block drivers)).
• resolve KABI warning for perf-pt-coresight (git-fixes).
• Revert 'bcache: ignore pending signals when creating gc and allocator thread' (git fixes (block drivers)).
• Revert 'dm crypt: use WQ_HIGHPRI for the IO and crypt workqueues' (git fixes (block drivers)).
• Revert 'tools lib traceevent: Remove unneeded qsort and uses memmove'
• rpm/kernel-docs.spec.in: Require python-packaging for build.
• s390/bpf: Maintain 8-byte stack alignment (bsc#1169194).
• s390: fix syscallgeterror for compat processes (git-fixes).
• s390/qdio: consistently restore the IRQ handler (git-fixes).
• s390/qdio: lock device while installing IRQ handler (git-fixes).
• s390/qdio: put thinint indicator after early error (git-fixes).
• s390/qdio: tear down thinint indicator after early error (git-fixes).
• s390/qeth: fix error handling for isolation mode cmds (git-fixes).
• scsi: ibmvscsi: Do not send host info in adapter info MAD after LPM (bsc#1172759 ltc#184814).
• scsi: qedf: Add port_id getter (bsc#1150660).
• scsi: qla2xxx: Set NVMe status code for failed NVMe FCP request (bsc#1158983).
• spi: dw: use 'smp_mb()' to avoid sending spi data error (bsc#1051510).
• staging: rtl8712: Fix IEEE80211ADDBAPARAMBUFSIZE_MASK (bsc#1051510).
• staging: sm750fb: add missing case while setting FB_VISUAL (bsc#1051510).
• SUNRPC: The TCP back channel mustn't disappear while requests are outstanding (bsc#1152624).
• tracing: Fix event trigger to accept redundant spaces (git-fixes).
• tty: ngsm: Fix bogus i++ in gsmdata_kick (bsc#1051510).
• tty: n_gsm: Fix SOF skipping (bsc#1051510).
• tty: n_gsm: Fix waking up upper tty layer when room available (bsc#1051510).
• usb: dwc2: gadget: move gadget resume after the core is in L0 state (bsc#1051510).
• usb: gadget: lpc32xx_udc: do not dereference ep pointer before null check (bsc#1051510).
• usb: gadget: udc: s3c2410udc: Remove pointless NULL check in s3c2410udc_nuke (bsc#1051510).
• usb: host: ehci-mxc: Add error handling in ehcimxcdrv_probe() (bsc#1051510).
• usb: musb: Fix runtime PM imbalance on error (bsc#1051510).
• usb: musb: start session in resume for host port (bsc#1051510).
• usb: serial: option: add Telit LE910C1-EUX compositions (bsc#1051510).
• usb: serial: qcserial: add DW5816e QDL support (bsc#1051510).
• usb: serial: usb_wwan: do not resubmit rx urb on fatal errors (bsc#1051510).
• usb: serial: usb_wwan: do not resubmit rx urb on fatal errors (git-fixes).
• virtio-blk: handle blockdeviceoperations callbacks after hot unplug (git fixes (block drivers)).
• vmxnet3: add geneve and vxlan tunnel offload support (bsc#1172484).
• vmxnet3: add support to get/set rx flow hash (bsc#1172484).
• vmxnet3: allow rx flow hash ops only when rss is enabled (bsc#1172484).
• vmxnet3: avoid format strint overflow warning (bsc#1172484).
• vmxnet3: prepare for version 4 changes (bsc#1172484).
• vmxnet3: Remove always false conditional statement (bsc#1172484).
• vmxnet3: remove redundant initialization of pointer 'rq' (bsc#1172484).
• vmxnet3: remove unused flag 'rxcsum' from struct vmxnet3_adapter (bsc#1172484).
• vmxnet3: Replace msleep(1) with usleep_range() (bsc#1172484).
• vmxnet3: update to version 4 (bsc#1172484).
• vmxnet3: use correct hdr reference when packet is encapsulated (bsc#1172484).
• w1: omap-hdq: cleanup to add missing newline for some dev_dbg (bsc#1051510).
• work around mvfs bug (bsc#1162063).
• x86/cpu/amd: Make erratum #1054 a legacy erratum (bsc#1114279).
• x86/events/intel/ds: Add PERFSAMPLEPERIOD into PEBSFREERUNNINGFLAGS (git-fixes).
• x86: Fix early boot crash on gcc-10, third try (bsc#1114279).
• x86/{mce,mm}: Unmap the entire page if the whole page is affected and poisoned (bsc#1172257).
• x86/reboot/quirks: Add MacBook6,1 reboot quirk (bsc#1114279).
• xfrm: fix error in comment (git fixes).