The SUSE Linux Enterprise 15 SP1 Azure kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
CVE-2020-1749: Use ip6dstlookupflow instead of ip6dst_lookup (bsc#1165629).
CVE-2020-14314: Fixed a potential negative array index in do_split() (bsc#1173798).
CVE-2020-14356: Fixed a null pointer dereference in cgroupv2 subsystem which could have led to privilege escalation (bsc#1175213).
CVE-2020-14331: Fixed a missing check in vgacon scrollback handling (bsc#1174205).
CVE-2020-16166: Fixed a potential issue which could have allowed remote attackers to make observations that help to obtain sensitive information about the internal state of the network RNG (bsc#1174757).
CVE-2020-24394: Fixed an issue which could set incorrect permissions on new filesystem objects when the filesystem lacks ACL support (bsc#1175518).
CVE-2020-10135: Legacy pairing and secure-connections pairing authentication Bluetooth might have allowed an unauthenticated user to complete authentication without pairing credentials via adjacent access (bsc#1171988).
The following non-security bugs were fixed:
ACPI: kABI fixes for subsys exports (bsc#1174968).
ACPI / LPSS: Resume BYT/CHT I2C controllers from resume_noirq (bsc#1174968).
ACPI / LPSS: Use acpilpss* instead of acpisubsys* functions for hibernate (bsc#1174968).
ACPI: PM: Introduce 'poweroff' callbacks for ACPI PM domain and LPSS (bsc#1174968).
ACPI: PM: Simplify and fix PM domain hibernation callbacks (bsc#1174968).
console: newport_con: fix an issue about leak related system resources (git-fixes).
constrants: fix malformed XML Closing tag of an element is '</foo>', not '<foo/>'. Fixes: 8b37de2eb835 ('rpm/constraints.in: Increase memory for kernel-docs')
Created new preempt kernel flavor (jsc#SLE-11309) Configs are cloned from the respective $arch/default configs. All changed configs appart from CONFIGPREEMPT->y are a result of dependencies, namely many lock/unlock primitives are no longer inlined in the preempt kernel. TREERCU has been also changed to PREEMPT_RCU which is the default implementation for PREEMPT kernel.
crypto: ccp - Fix use of merged scatterlists (git-fixes).
crypto: cpt - do not sleep of CRYPTOTFMREQMAYSLEEP was not specified (git-fixes).
crypto: qat - fix double free in qatuclocreatebatchinit_list (git-fixes).
iwlegacy: Check the return value of pciecapabilityread_*() (bsc#1111666).
jbd2: add the missing unlockbuffer() in the error path of jbd2write_superblock() (bsc#1175772).
kabi: genetlink: remove genl_bind (kabi).
kabi: hide new parameter of ip6dstlookup_flow() (bsc#1165629).
kabi: mask changes to struct ipv6_stub (bsc#1165629).
kernel/cpupm: Fix uninitted local in cpupm (git fixes (kernel/pm)).
kernel-docs: Change Requires on python-Sphinx to earlier than version 3 References: bsc#1166965 From 3 on the internal API that the build system uses was rewritten in an incompatible way. See https://github.com/sphinx-doc/sphinx/issues/7421 and https://bugzilla.suse.com/show_bug.cgi?id=1166965#c16 for some details.
kernel/relay.c: fix memleak on destroy relay channel (git-fixes).
kernfs: do not call fsnotify() with name without a parent (bsc#1175770).
KVM: arm64: Ensure 'params' is initialised when looking up sys register (bsc#1133021).
KVM: arm64: Stop clobbering x0 for HVCSOFTRESTART (bsc#1133021).
KVM: arm/arm64: Fix young bit from mmu notifier (bsc#1133021).
KVM: arm/arm64: vgic: Do not rely on the wrong pending table (bsc#1133021).
KVM: arm/arm64: vgic-its: Fix restoration of unmapped collections (bsc#1133021).
KVM: arm: Fix DFSR setting for non-LPAE aarch32 guests (bsc#1133021).
KVM: arm: Make inject_abt32() inject an external abort instead (bsc#1133021).
kvm: Change offset in kvmwriteguestoffsetcached to unsigned (bsc#1133021).
KVM: Check for a bad hva before dropping into the ghc slow path (bsc#1133021).
rpm/constraints.in: Increase memory for kernel-docs References: https://build.opensuse.org/request/show/792664
rpm: drop execute permissions on source files Sometimes a source file with execute permission appears in upstream repository and makes it into our kernel-source packages. This is caught by OBS build checks and may even result in build failures. Sanitize the source tree by removing execute permissions from all C source and header files.
rpm/kabi.pl: account for namespace field being moved last Upstream is moving the namespace field in Module.symvers last in order to preserve backwards compatibility with kmod tools (depmod, etc). Fix the kabi.pl script to expect the namespace field last. Since split() ignores trailing empty fields and delimeters, switch to using tr to count how many fields/tabs are in a line. Also, in load_symvers(), pass LIMIT of -1 to split() so it does not strip trailing empty fields, as namespace is an optional field.
rpm/kernel-binary.spec.in: do not run klp-symbols for configs with no modules Starting with 5.8-rc1, s390x/zfcpdump builds fail because rpm/klp-symbols script does not find .tmpversions directory. This is missing because s390x/zfcpdump is built without modules (CONFIGMODULES disabled). As livepatching cannot work without modules, the cleanest solution is setting %klpsymbols to 0 if CONFIGMODULES is disabled. (We cannot simply add another condition to the place where %klp_symbols is set as it can be already set to 1 from prjconf.)
rpm/kernel-binary.spec.in: restrict livepatch metapackage to default flavor It has been reported that the kernel--livepatch metapackage got erroneously enabled for SLE15-SP3's new -preempt flavor, leading to a unresolvable dependency to a non-existing kernel-livepatch-x.y.z-preempt package. As SLE12 and SLE12-SP1 have run out of livepatching support, the need to build said metapackage for the -xen flavor is gone and the only remaining flavor for which they're still wanted is -default. Restrict the build of the kernel--livepatch metapackage to the -default flavor.
rpm/kernel-obs-build.spec.in: add dm-crypt for building with cryptsetup Co-Authored-By: Adam Spiers aspiers@suse.com
rpm/kernel-obs-build.spec.in: Enable overlayfs Overlayfs is needed for podman or docker builds when no more specific driver can be used (like lvm or btrfs). As the default build fs is ext4 currently, we need overlayfs kernel modules to be available.