SUSE-SU-2021:2644-1

The SUSE Linux Enterprise 12 SP5 Azure kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

• CVE-2021-3659: Fixed a NULL pointer dereference in llseckeyalloc() in net/mac802154/llsec.c (bsc#1188876).
• CVE-2021-22543: Fixed improper handling of VMIO|VMPFNMAP vmas in KVM, which could bypass RO checks and can lead to pages being freed while still accessible by the VMM and guest. This allowed users with the ability to start and control a VM to read/write random pages of memory and can result in local privilege escalation (bsc#1186482).
• CVE-2021-37576: Fixed an issue on the powerpc platform, where a KVM guest OS user could cause host OS memory corruption via rtas_args.nargs (bsc#1188838).
• CVE-2020-0429: In l2tpsessiondelete and related functions of l2tp_core.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. (bsc#1176724).
• CVE-2020-36386: Fixed a slab out-of-bounds read in hciextendedinquiryresultevt (bsc#1187038).

The following non-security bugs were fixed:

• ACPI: AMBA: Fix resource name in /proc/iomem (git-fixes).
• ACPI: bus: Call kobjectput() in acpiinit() error path (git-fixes).
• ACPI: processor idle: Fix up C-state latency if not ordered (git-fixes).
• ALSA: bebob: add support for ToneWeal FW66 (git-fixes).
• ALSA: hda: Add IRQ check for platformgetirq() (git-fixes).
• ALSA: ppc: fix error return code in sndpmacprobe() (git-fixes).
• ALSA: sb: Fix potential ABBA deadlock in CSP driver (git-fixes).
• ALSA: sb: Fix potential double-free of CSP mixer elements (git-fixes).
• ALSA: usb-audio: fix rate on Ozone Z90 USB headset (git-fixes).
• ASoC: soc-core: Fix the error return code in sndsocofparseaudio_routing() (git-fixes).
• ASoC: tegra: Set driver_name=tegra for all machine drivers (git-fixes).
• Bluetooth: Fix the HCI to MGMT status conversion table (git-fixes).
• Bluetooth: Shutdown controller after workqueues are flushed or cancelled (git-fixes).
• Bluetooth: btusb: fix bt fiwmare downloading failure issue for qca btsoc (git-fixes).
• HID: wacom: Correct base usage for capacitive ExpressKey status bits (git-fixes).
• PCI/sysfs: Fix dsmlabelutf16stoutf8s() buffer overrun (git-fixes).
• PCI/sysfs: Fix dsmlabelutf16stoutf8s() buffer overrun (git-fixes).
• PCI: Add ACS quirk for Broadcom BCM57414 NIC (git-fixes).
• PCI: Leave Apple Thunderbolt controllers on for s2idle or standby (git-fixes).
• PCI: quirks: fix false kABI positive (git-fixes).
• Revert 'USB: quirks: ignore remote wake-up on Fibocom L850-GL LTE modem' (git-fixes).
• USB: cdc-acm: blacklist Heimann USB Appset device (git-fixes).
• USB: move many drivers to use DEVICEATTRWO (git-fixes).
• USB: serial: cp210x: add ID for CEL EM3588 USB ZigBee stick (git-fixes).
• USB: serial: cp210x: fix comments for GE CS1000 (git-fixes).
• USB: serial: cp210x: fix comments for GE CS1000 (git-fixes).
• USB: serial: option: add support for u-blox LARA-R6 family (git-fixes).
• USB: usb-storage: Add LaCie Rugged USB3-FW to IGNORE_UAS (git-fixes).
• ath9k: Fix kernel NULL pointer dereference during athresetinternal() (git-fixes).
• can: ems_usb: fix memory leak (git-fixes).
• can: esd_usb2: fix memory leak (git-fixes).
• can: hi311x: fix a signedness bug in hi3110_cmd() (git-fixes).
• can: mcbausbstart(): add missing urb->transfer_dma initialization (git-fixes).
• can: raw: rawsetsockopt(): fix rawrcv panic for sock UAF (git-fixes).
• can: sja1000: sja1000_err(): do not count arbitration lose as an error (git-fixes).
• can: sun4ican: sun4ican_err(): do not count arbitration lose as an error (git-fixes).
• can: tihecc: Fix memleak in tihecc_probe (git-fixes).
• can: usb_8dev: fix memory leak (git-fixes).
• ceph: do not WARN if we're still opening a session to an MDS (bsc#1188750).
• cifs: Fix preauth hash corruption (git-fixes).
• cifs: Return correct error code from smb2getenc_key (git-fixes).
• cifs: Set CIFSMOUNTUSEPREFIXPATH flag on setting cifs_sb->prepath (git-fixes).
• cifs: fix interrupted close commands (git-fixes).
• cifs: fix memory leak in smb2copychunkrange (git-fixes).
• cosa: Add missing kfree in error path of cosa_write (git-fixes).
• crypto: do not free algorithm before using (git-fixes).
• cw1200: add missing MODULEDEVICETABLE (git-fixes).
• dma-buf/sync_file: Do not leak fences on merge failure (git-fixes).
• drm/amd/amdgpu/sriov disable all ip hw status by default (git-fixes).
• drm/panel: raspberrypi-touchscreen: Prevent double-free (git-fixes).
• drm/radeon: Add the missed drmgemobjectput() in radeonuserframebuffercreate() (git-fixes).
• drm/virtio: Fix double free on probe failure (git-fixes).
• drm: Return -ENOTTY for non-drm ioctls (git-fixes).
• e100: handle eeprom as little endian (git-fixes).
• gpio: zynq: Check return value of pmruntimeget_sync (git-fixes).
• gve: Add DQO fields for core data structures (bsc#1176940).
• gve: Add Gvnic stats AQ command and ethtool show/set-priv-flags (bsc#1176940).
• gve: Add NULL pointer checks when freeing irqs (bsc#1176940).
• gve: Add basic driver framework for Compute Engine Virtual NIC (jsc#SLE-10538).
• gve: Add dqo descriptors (bsc#1176940).
• gve: Add ethtool support (jsc#SLE-10538).
• gve: Add stats for gve (bsc#1176940).
• gve: Add support for DQO RX PTYPE map (bsc#1176940).
• gve: Add support for raw addressing device option (bsc#1176940).
• gve: Add support for raw addressing in the tx path (bsc#1176940).
• gve: Add support for raw addressing to the rx path (bsc#1176940).
• gve: Add workqueue and reset support (jsc#SLE-10538).
• gve: Batch AQ commands for creating and destroying queues (bsc#1176940).
• gve: Check TX QPL was actually assigned (bsc#1176940).
• gve: Copy and paste bug in gvegetstats() (jsc#SLE-10538).
• gve: Correct SKB queue index validation (bsc#1176940).
• gve: DQO: Add RX path (bsc#1176940).
• gve: DQO: Add TX path (bsc#1176940).
• gve: DQO: Add core netdev features (bsc#1176940).
• gve: DQO: Add ring allocation and initialization (bsc#1176940).
• gve: DQO: Configure interrupts on device up (bsc#1176940).
• gve: DQO: Fix off by one in gverxdqo() (bsc#1176940).
• gve: DQO: Remove incorrect prefetch (bsc#1176940).
• gve: Enable Link Speed Reporting in the driver (bsc#1176940).
• gve: Fix an error handling path in 'gve_probe()' (bsc#1176940).
• gve: Fix case where desccnt and datacnt can get out of sync (jsc#SLE-10538).
• gve: Fix error return code in gveallocqpls() (jsc#SLE-10538).
• gve: Fix the queue page list allocated pages count (bsc#1176940).
• gve: Fix u64statssync to initialize start (jsc#SLE-10538).
• gve: Fix warnings reported for DQO patchset (bsc#1176940).
• gve: Fixes DMA synchronization (jsc#SLE-10538).
• gve: Get and set Rx copybreak via ethtool (bsc#1176940).
• gve: Introduce a new model for device options (bsc#1176940).
• gve: Introduce per netdev enum gve_queue_format (bsc#1176940).
• gve: Make gverxslotpageinfo.page_offset an absolute offset (bsc#1176940).
• gve: Move some static functions to a common file (bsc#1176940).
• gve: NIC stats for report-stats and for ethtool (bsc#1176940).
• gve: Propagate error codes to caller (bsc#1176940).
• gve: Remove the exporting of gve_probe (jsc#SLE-10538).
• gve: Replace zero-length array with flexible-array member (bsc#1176940).
• gve: Rx Buffer Recycling (bsc#1176940).
• gve: Simplify code and axe the use of a deprecated API (bsc#1176940).
• gve: Update adminq commands to support DQO queues (bsc#1176940).
• gve: Update mgmtmsixidx if num_ntfy changes (bsc#1176940).
• gve: Upgrade memory barrier in poll routine (bsc#1176940).
• gve: Use devinfo/err instead of netifinfo/err (bsc#1176940).
• gve: Use link status register to report link status (bsc#1176940).
• gve: adminq: DQO specific device descriptor logic (bsc#1176940).
• gve: fix -ENOMEM null check on a page allocation (jsc#SLE-10538).
• gve: fix dma sync bug where not all pages synced (bsc#1176940).
• gve: fix unused variable/label warnings (jsc#SLE-10538).
• gve: gverxcopy: Move padding to an argument (bsc#1176940).
• gve: replace kfree with kvfree (jsc#SLE-10538).
• ibmvnic: retry reset if there are no other resets (bsc#1184350 ltc#191533).
• iio: accel: bma180: Use explicit member assignment (git-fixes).
• iwlwifi: mvm: do not change band on bound PHY contexts (git-fixes).
• kabi: fix nvmewaitfreeze_timeout() return type (bsc#1181161).
• kernel-binary.spec.in: Regenerate makefile when not using mkmakefile.
• kernel-binary.spec.in: build-id check requires elfutils.
• kernel-binary.spec: Exctract s390 decompression code (jsc#SLE-17042).
• kernel-binary.spec: Fix up usrmerge for non-modular kernels.
• kernel-binary.spec: Only use mkmakefile when it exists Linux 5.13 no longer had a mkmakefile script
• kernel-binary.spec: Remove obsolete and wrong comment mkmakefile is repleced by echo on newer kernel
• kernel-docs.spec.in: Build using an utf-8 locale. Sphinx cannot handle UTF-8 input in non-UTF-8 locale.
• kfifo: DECLAREKIFOPTR(fifo, u64) does not work on arm 32 bit (git-fixes).
• lib/decompress_unlz4.c: correctly handle zero-padding around initrds (git-fixes).
• mISDN: fix possible use-after-free in HFC_cleanup() (git-fixes).
• media: bt8xx: Fix a missing check bug in bt878_probe (git-fixes).
• media: cobalt: fix race condition in setting HPD (git-fixes).
• media: cpia2: fix memory leak in cpia2usbprobe (git-fixes).
• media: dvb_net: avoid speculation from net slot (git-fixes).
• media: dvdusb: memory leak in cinergyt2fe_attach (git-fixes).
• media: em28xx: Fix possible memory leak of em28xx struct (git-fixes).
• media: ngene: Fix out-of-bounds bug in ngenecommandconfigfreebuf() (git-fixes).
• media: pvrusb2: fix warning in pvr2i2ccore_done (git-fixes).
• media: siano: fix device register error path (git-fixes).
• media: st-hva: Fix potential NULL pointer dereferences (git-fixes).
• media: uvcvideo: Fix pixel format change for Elgato Cam Link 4K (git-fixes).
• media: v4l2-core: Avoid the dangling pointer in v4l2fhrelease (git-fixes).
• mfd: da9052/stmpe: Add and modify MODULEDEVICETABLE (git-fixes).
• mlxsw: core: Use variable timeout for EMAD retries (git-fixes).
• mmc: core: Allow UHS-I voltage switch for SDSC cards if supported (git-fixes).
• mmc: via-sdmmc: add a check against NULL pointer dereference (git-fixes).
• net/mlx5: Disable QoS when min_rates on all VFs are zero (git-fixes).
• net/mlx5: Query PPS pin operational status before registering it (git-fixes).
• net/mlx5: Verify Hardware supports requested ptp function on a given pin (git-fixes).
• net: Google gve: Remove dma_wmb() before ringing doorbell (bsc#1176940).
• net: b44: fix error return code in b44initone() (git-fixes).
• net: broadcom CNIC: requires MMU (git-fixes).
• net: dsa: mv88e6xxx: Avoid VTU corruption on 6097 (git-fixes).
• net: gve: convert strlcpy to strscpy (bsc#1176940).
• net: gve: remove duplicated allowed (bsc#1176940).
• nfc: nfcsim: fix use after free during module unload (git-fixes).
• nvme-core: add cancel tagset helpers (bsc#1181161).
• nvme-multipath: fix double initialization of ANA state (bsc#1181161).
• nvme-rdma: add clean action for failed reconnection (bsc#1181161).
• nvme-rdma: fix reset hang if controller died in the middle of a reset (bsc#1181161).
• nvme-rdma: use cancel tagset helper for tear down (bsc#1181161).
• nvme: have nvmewaitfreeze_timeout return if it timed out (bsc#1181161).
• nvmet: use new analogsize instead the old one (bsc#1181161).
• platform/x86: toshibaacpi: Fix missing error code in toshibaacpisetupkeyboard() (git-fixes).
• power: reset: gpio-poweroff: add missing MODULEDEVICETABLE (git-fixes).
• power: supply: ab8500: Avoid NULL pointers (git-fixes).
• power: supply: ab8500: add missing MODULEDEVICETABLE (git-fixes).
• power: supply: charger-manager: add missing MODULEDEVICETABLE (git-fixes).
• powerpc/64s: Move branch cache flushing bcctr variant to ppc-ops.h (bsc#1188885 ltc#193722).
• powerpc/64s: rename pnv|pseriessetuprfiflush to _setupsecurity_mitigations (bsc#1188885 ltc#193722).
• powerpc/papr_scm: Properly handle UUID types and API (bsc#1113295, git-fixes).
• powerpc/pesries: Get STF barrier requirement from HGETCPU_CHARACTERISTICS (bsc#1188885 ltc#193722).
• powerpc/pseries/scm: Use a specific endian format for storing uuid from the device tree (bsc#1113295, git-fixes).
• powerpc/pseries: Get entry and uaccess flush required bits from HGETCPU_CHARACTERISTICS (bsc#1188885 ltc#193722).
• powerpc/pseries: add new branch prediction security bits for link stack (bsc#1188885 ltc#193722).
• powerpc/pseries: export LPAR security flavor in lparcfg (bsc#1188885 ltc#193722).
• powerpc/security: Add a security feature for STF barrier (bsc#1188885 ltc#193722).
• powerpc/security: Allow for processors that flush the link stack using the special bcctr (bsc#1188885 ltc#193722).
• powerpc/security: Fix link stack flush instruction (bsc#1188885 ltc#193722).
• powerpc/security: change link stack flush state to the flush type enum (bsc#1188885 ltc#193722).
• powerpc/security: make display of branch cache flush more consistent (bsc#1188885 ltc#193722).
• powerpc/security: re-name count cache flush to branch cache flush (bsc#1188885 ltc#193722).
• powerpc/security: split branch cache flush toggle from code patching (bsc#1188885 ltc#193722).
• pwm: spear: Do not modify HW state in .remove callback (git-fixes).
• qlcnic: fix error return code in qlcnic83xxrestart_hw() (git-fixes).
• regulator: da9052: Ensure enough delay time for .setvoltagetime_sel (git-fixes).
• replaced with above upstream fix.
• replaced with upstream security mitigation cleanup
• rtc: max77686: Do not enforce (incorrect) interrupt trigger type (git-fixes).
• scripts/gitsort/gitsort.py: add bpf git repo
• scsi: fc: Add 256GBit speed setting to SCSI FC transport (bsc#1188101).
• scsi: smartpqi: create module parameters for LUN reset (bsc#1179195).
• smb3: Fix out-of-bounds bug in SMB2_negotiate() (git-fixes).
• spi: Make ofregisterspi_device also set the fwnode (git-fixes).
• spi: mediatek: fix fifo rx mode (git-fixes).
• spi: omap-100k: Fix the length judgment problem (git-fixes).
• spi: spi-loopback-test: Fix 'txbuf' might be 'rxbuf' (git-fixes).
• spi: spi-topcliff-pch: Fix potential double free in pchspiprocess_messages() (git-fixes).
• ssb: sdio: Do not overwrite const buffer if block_write fails (git-fixes).
• tracing: Do not reference char * as a string in histograms (git-fixes).
• tty: serial: 8250: serial_cs: Fix a memory leak in error handling path (git-fixes).
• tty: serial: fsl_lpuart: fix the potential risk of division or modulo by zero (git-fixes).
• usb: dwc2: gadget: Fix sending zero length packet in DDMA mode (git-fixes).
• usb: hub: Disable USB 3 device initiated lpm if exit latency is too high (git-fixes).
• usb: max-3421: Prevent corruption of freed memory (git-fixes).
• usb: max-3421: Prevent corruption of freed memory (git-fixes).
• usbip: Fix incorrect double assignment to udc->ud.tcp_rx (git-fixes).
• usbip: fix vudc usbipsockfdstore races leading to gpf (git-fixes).
• usbip: vudc synchronize sysfs code paths (git-fixes).
• usbip: vudc: fix missing unlock on error in usbipsockfdstore() (git-fixes).
• uuid: Add inline helpers to import / export UUIDs (bsc#1113295, git-fixes).
• virtio_console: Assure used length from device is limited (git-fixes).
• w1: ds2438: fixing bug that would always get page0 (git-fixes).
• watchdog: Fix possible use-after-free by calling deltimersync() (git-fixes).
• watchdog: Fix possible use-after-free in wdt_startup() (git-fixes).
• watchdog: iTCO_wdt: Account for rebooting on second timeout (git-fixes).
• watchdog: sc520wdt: Fix possible use-after-free in wdtturnoff() (git-fixes).
• wireless: wext-spy: Fix out-of-bounds warning (git-fixes).
• wl1251: Fix possible buffer overflow in wl1251cmdscan (git-fixes).
• wlcore/wl12xx: Fix wl12xx get_mac error if device is in ELP (git-fixes).
• workqueue: fix UAF in pwqunboundrelease_workfn() (bsc#1188973).
• xen-pciback: reconfigure also from backend watch handler (git-fixes).
• xfrm: xfrmstatemtu should return at least 1280 for ipv6 (bsc#1185377).
• xhci: Fix lost USB 2 remote wake (git-fixes).