SUSE-SU-2021:3206-1

The SUSE Linux Enterprise 12 SP5 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

• CVE-2018-9517: Fixed possible memory corruption due to a use after free in pppol2tp_connect (bsc#1108488).
• CVE-2019-3874: Fixed possible denial of service attack via SCTP socket buffer used by a userspace applications (bnc#1129898).
• CVE-2019-3900: Fixed an infinite loop issue while handling incoming packets in handle_rx() (bnc#1133374).
• CVE-2021-3640: Fixed a Use-After-Free vulnerability in function scosocksendmsg() in the bluetooth stack (bsc#1188172).
• CVE-2021-3653: Missing validation of the int_ctl VMCB field and allows a malicious L1 guest to enable AVIC support for the L2 guest. (bsc#1189399).
• CVE-2021-3656: Missing validation of the the virt_ext VMCB field and allows a malicious L1 guest to disable both VMLOAD/VMSAVE intercepts and VLS for the L2 guest (bsc#1189400).
• CVE-2021-3679: A lack of CPU resource in tracing module functionality was found in the way user uses trace ring buffer in a specific way. Only privileged local users (with CAPSYSADMIN capability) could use this flaw to starve the resources causing denial of service (bnc#1189057).
• CVE-2021-3732: Mounting overlayfs inside an unprivileged user namespace can reveal files (bsc#1189706).
• CVE-2021-3753: Fixed race out-of-bounds in virtual terminal handling (bsc#1190025).
• CVE-2021-3759: Unaccounted ipc objects in Linux kernel could have lead to breaking memcg limits and DoS attacks (bsc#1190115).
• CVE-2021-38160: Data corruption or loss could be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size in drivers/char/virtio_console.c (bsc#1190117)
• CVE-2021-38198: arch/x86/kvm/mmu/paging_tmpl.h incorrectly computes the access permissions of a shadow page, leading to a missing guest protection page fault (bnc#1189262).
• CVE-2021-38204: drivers/usb/host/max3421-hcd.c allowed physically proximate attackers to cause a denial of service (use-after-free and panic) by removing a MAX-3421 USB device in certain situations (bnc#1189291).
• CVE-2021-34556: Fixed side-channel attack via a Speculative Store Bypass via unprivileged BPF program that could have obtain sensitive information from kernel memory (bsc#1188983).
• CVE-2021-35477: Fixed BPF stack frame pointer which could have been abused to disclose content of arbitrary kernel memory (bsc#1188985).
• CVE-2020-12770: Fixed sgremoverequest call in a certain failure cases (bsc#1171420).

The following non-security bugs were fixed:

• ACPI: NFIT: Fix support for virtual SPA ranges (git-fixes).
• ALSA: seq: Fix racy deletion of subscriber (git-fixes).
• ASoC: cs42l42: Do not allow SNDSOCDAIFMTLEFTJ (git-fixes).
• ASoC: cs42l42: Fix inversion of ADC Notch Switch control (git-fixes).
• ASoC: cs42l42: Remove duplicate control for WNF filter frequency (git-fixes).
• Bluetooth: Move shutdown callback before flushing tx and rx queue (git-fixes).
• Bluetooth: add timeout sanity check to hci_inquiry (git-fixes).
• Bluetooth: fix repeated calls to scosockkill (git-fixes).
• Bluetooth: increase BTNAMSIZ to 21 chars to fix potential buffer overflow (git-fixes).
• Bluetooth: sco: prevent information leak in scoconndefer_accept() (git-fixes).
• KVM: SVM: Call SEV Guest Decommission if ASID binding fails (12sp5).
• NFSv4/pNFS: Do not call nfs4pnfsv3ds_connect multiple times (git-fixes).
• NFSv4: Initialise connection to the server in nfs4allocclient() (bsc#1040364).
• PCI/MSI: Correct misleading comments (git-fixes).
• PCI/MSI: Do not set invalid bits in MSI mask (git-fixes).
• PCI/MSI: Enable and mask MSI-X early (git-fixes).
• PCI/MSI: Use msimaskirq() in pcimsishutdown() (git-fixes).
• PCI: Add Intel VMD devices to pci ids (bsc#1183983).
• PCI: PM: Enable PME if it can be signaled from D3cold (git-fixes).
• PCI: hv: Use expected affinity when unmasking IRQ (bsc#1185973).
• PCI: vmd: Add an additional VMD device id to driver device id table (bsc#1183983).
• PCI: vmd: Add offset to bus numbers if necessary (bsc#1183983).
• PCI: vmd: Assign membar addresses from shadow registers (bsc#1183983).
• PCI: vmd: Filter resource type bits from shadow register (bsc#1183983).
• PCI: vmd: Fix config addressing when using bus offsets (bsc#1183983).
• PCI: vmd: Fix shadow offsets to reflect spec changes (bsc#1183983).
• SUNRPC: Fix the batch tasks count wraparound (git-fixes).
• SUNRPC: Should wake up the privileged task firstly (git-fixes).
• SUNRPC: improve error response to over-size gss credential (bsc#1190022).
• USB: serial: ch341: fix character loss at high transfer rates (git-fixes).
• USB: serial: ftdi_sio: add device ID for Auto-M3 OP-COM v2 (git-fixes).
• USB: serial: option: add Telit FD980 composition 0x1056 (git-fixes).
• USB: usbtmc: Fix RCU stall warning (git-fixes).
• USB:ehci:fix Kunpeng920 ehci hardware problem (git-fixes).
• arch/x86/lib/usercopy64.c: fix _copyuserflushcache() cache writeback (git-fixes).
• ath6kl: wmi: fix an error code in ath6klwmisync_point() (git-fixes).
• ax88179178a: Merge memcpy + le32tocpus to getunaligned_le32 (git-fixes).
• bcma: Fix memory leak for internally-handled cores (git-fixes).
• bdi: Do not use freezable workqueue (bsc#1189573).
• blk-mq-sched: Fix blkmqschedalloctags() error handling (bsc#1189506).
• block: fix trace completion for chained bio (bsc#1189505).
• can: usb: esdusb2: esdusb2rxevent(): fix the interchange of the CAN RX and TX error counters (git-fixes).
• cifs: Remove unused inline function issysvolor_netlogon() (bsc#1185902).
• cifs: avoid starvation when refreshing dfs cache (bsc#1185902).
• cifs: constify getnormalizedpath() properly (bsc#1185902).
• cifs: do not cargo-cult strndup() (bsc#1185902).
• cifs: do not send tree disconnect to ipc shares (bsc#1185902).
• cifs: do not share tcp servers with dfs mounts (bsc#1185902).
• cifs: do not share tcp sessions of dfs connections (bsc#1185902).
• cifs: fix check of dfs interlinks (bsc#1185902).
• cifs: fix path comparison and hash calc (bsc#1185902).
• cifs: get rid of @noreq param in _dfscache_find() (bsc#1185902).
• cifs: handle different charsets in dfs cache (bsc#1185902).
• cifs: keep referral server sessions alive (bsc#1185902).
• cifs: missing null pointer check in cifs_mount (bsc#1185902).
• cifs: prevent NULL deref in cifscomposemount_options() (bsc#1185902).
• cifs: set a minimum of 2 minutes for refreshing dfs cache (bsc#1185902).
• clk: stm32f4: fix post divisor setup for I2S/SAI PLLs (git-fixes).
• crypto: ccp - Annotate SEV Firmware file names (bsc#1189268).
• crypto: nx - Fix RCU warning in nx842OFupd_status (git-fixes).
• crypto: nx - Fix memcpy() over-reading in nonce (git-fixes).
• crypto: talitos - Do not modify req->cryptlen on decryption (git-fixes).
• crypto: talitos - fix ECB algs ivsize (git-fixes).
• crypto: ux500 - Fix error return code in hashhwfinal() (git-fixes).
• dm btree remove: assign new_root only when removal succeeds (git fixes).
• dm cache metadata: Avoid returning cmd->bm wild pointer on error (git fixes).
• dm era: Fix bitset memory leaks (git fixes).
• dm era: Recover committed writeset after crash (git fixes).
• dm era: Reinitialize bitset cache before digesting a new writeset (git fixes).
• dm era: Use correct value size in equality function of writeset tree (git fixes).
• dm era: Verify the data block size hasn't changed (git fixes).
• dm era: only resize metadata in preresume (git fixes).
• dm ioctl: fix error return code in target_message (git fixes).
• dm ioctl: fix out of bounds array access when no devices (git fixes).
• dm persistent data: packed struct should have an aligned() attribute too (git fixes).
• dm rq: fix double free of blkmqtag_set in dev remove after table load fails (git fixes).
• dm snapshot: fix crash with transient storage and zero chunk size (git fixes).
• dm snapshot: flush merged data before committing metadata (git fixes).
• dm snapshot: properly fix a crash when an origin has no snapshots (git fixes).
• dm space map common: fix division bug in smllfindfreeblock() (git fixes).
• dm table: fix iterate_devices based device capability checks (git fixes).
• dm thin metadata: Avoid returning cmd->bm wild pointer on error (git fixes).
• dm verity: fix DMVERITYOPTS_MAX value (git-fixes).
• dm writecache: fix the maximum number of arguments (git-fixes).
• dm writecache: handle DAX to partitions on persistent memory correctly (git-fixes).
• dm writecache: remove BUG() and fail gracefully instead (git-fixes).
• dm zoned: select CONFIG_CRC32 (git-fixes).
• dm: eliminate potential source of excessive kernel log noise (git fixes).
• dm: remove invalid sparse _acquires and _releases annotations (git-fixes).
• ext4: cleanup in-core orphan list if ext4_truncate() failed to get a transaction handle (bsc#1189568).
• ext4: correct the cachenr in tracepoint ext4esshrinkexit (bsc#1189564).
• ext4: fix avefreec in findgrouporlov (bsc#1189566).
• ext4: fix kernel infoleak via ext4extentheader (bsc#1189562).
• ext4: remove check for zero nrtoscan in ext4esscan() (bsc#1189565).
• ext4: use ext4grplockederror in mbfind_extent (bsc#1189567).
• ftgmac100: Restart MAC HW once (git-fixes).
• i2c: dev: zero out array used for i2c reads from userspace (git-fixes).
• i2c: highlander: add IRQ check (git-fixes).
• i2c: iop3xx: fix deferred probing (git-fixes).
• i2c: mt65xx: fix IRQ check (git-fixes).
• i2c: s3c2410: fix IRQ check (git-fixes).
• i40e: Fix Error I40EAQRC_EINVAL when removing VFs (git-fixes).
• iio: adc: Fix incorrect exit of for-loop (git-fixes).
• iio: humidity: hdc100x: Add margin to the conversion time (git-fixes).
• iommu/amd: Fix extended features logging (bsc#1189269).
• iommu/arm-smmu-v3: add bit field SFM into GERRORERRMASK (bsc#1189270).
• iommu/vt-d: Define counter explicitly as unsigned int (bsc#1189271).
• iommu/vt-d: Fix sysfs leak in alloc_iommu() (bsc#1189272).
• kABI: Fix kABI after fixing vcpu-id indexed arrays (git-fixes).
• kABI: s390/ap: Fix hanging ioctl caused by wrong msg counter (bsc#1188982 LTC#193818).
• mac80211: Fix insufficient headroom issue for AMSDU (git-fixes).
• md/raid10: properly indicate failure when ending a failed write request (git-fixes).
• media: go7007: fix memory leak in go7007usbprobe (git-fixes).
• media: rtl28xxu: fix zero-length control request (git-fixes).
• memcg: enable accounting for file lock caches (bsc#1190115).
• mm, vmscan: guarantee dropslabnode() termination (VM Functionality, bsc#1189301).
• mm/memory-failure: unnecessary amount of unmapping (bsc#1189640).
• mm/memory.c: dofault: avoid usage of stale vmarea_struct (bsc#1136513).
• mm/rmap: fix potential pte_unmap on an not mapped pte (git-fixes).
• mm/thp: unmapmappingpage() to fix THP truncatecleanuppage() (bsc#1189569).
• mm/vmscan: fix infinite loop in dropslabnode (VM Performance, bsc#1189301).
• mm: vmscan: scan anonymous pages on file refaults (VM Performance, bsc#1183050).
• mmc: dwmmc: Fix issue with uninitialized dmaslave_config (git-fixes).
• mmc: moxart: Fix issue with uninitialized dmaslaveconfig (git-fixes).
• net: lapbether: Remove netifstartqueue / netifstopqueue (git-fixes).
• net: mvpp2: Add TCAM entry to drop flow control pause frames (git-fixes).
• net: mvpp2: prs: fix PPPoE with ipv6 packet parse (git-fixes).
• net: stmmac: use netiftxstart|stopallqueues() function (git-fixes).
• net: usb: Merge cputole32s + memcpy to putunalignedle32 (git-fixes).
• net: usb: ax88179_178a: remove redundant assignment to variable ret (git-fixes).
• nfs: fix acl memory leak of posixaclcreate() (git-fixes).
• nvme-fc: avoid calling nvmefcabortoutstanding_ios from interrupt context (bsc#1187076).
• nvme-fc: convert assoc_active flag to bit op (bsc#1187076).
• nvme-fc: eliminate terminateio use by nvmefcerrorrecovery (bsc#1187076).
• nvme-fc: fix double-free scenarios on hw queues (bsc#1187076).
• nvme-fc: fix io timeout to abort I/O (bsc#1187076).
• nvme-fc: fix racing controller reset and create association (bsc#1187076).
• nvme-fc: remove err_work work item (bsc#1187076).
• nvme-fc: remove nvmefcterminate_io() (bsc#1187076).
• nvme-fc: track error_recovery while connecting (bsc#1187076).
• ocfs2: fix snprintf() checking (bsc#1189581).
• ocfs2: fix zero out valid data (bsc#1189579).
• ocfs2: issue zeroout to EOF blocks (bsc#1189582).
• ocfs2: ocfs2downconvertlock failure results in deadlock (bsc#1188439).
• overflow: Correct checkshloverflow() comment (git-fixes).
• overflow: Include header file with SIZE_MAX declaration (git-fixes).
• ovl: check whiteout in ovlcreateover_whiteout() (bsc#1189846).
• ovl: filter of trusted xattr results in audit (bsc#1189846).
• ovl: fix dentry leak in ovlgetredirect (bsc#1189846).
• ovl: initialize error in ovlcopyxattr (bsc#1189846).
• ovl: relax WARN_ON() on rename to self (bsc#1189846).
• pcmcia: i82092: fix a null pointer dereference bug (git-fixes).
• power: supply: max17042: handle fails of reading status register (git-fixes).
• powerpc/pseries: Fix update of LPAR security flavor after LPM (bsc#1188885 ltc#193722 git-fixes).
• qlcnic: Fix error code in probe (git-fixes).
• r8152: Fix potential PM refcount imbalance (git-fixes).
• readdir: make sure to verify directory entry for legacy interfaces too (bsc#1189639).
• regulator: rt5033: Fix n_voltages settings for BUCK and LDO (git-fixes).
• s390/ap: Fix hanging ioctl caused by wrong msg counter (bsc#1188982 LTC#193818).
• scsi: core: Add scsiprotref_tag() helper (bsc#1189392).
• scsi: ibmvfc: Do not wait for initial device scan (bsc#1127650).
• scsi: libfc: Fix array index out of bound exception (bsc#1188616).
• scsi: lpfc: Add 256 Gb link speed support (bsc#1189385).
• scsi: lpfc: Add PCI ID support for LPe37000/LPe38000 series adapters (bsc#1189385).
• scsi: lpfc: Call discovery state machine when handling PLOGI/ADISC completions (bsc#1189385).
• scsi: lpfc: Clear outstanding active mailbox during PCI function reset (bsc#1189385).
• scsi: lpfc: Copyright updates for 12.8.0.11 patches (bsc#1189385).
• scsi: lpfc: Copyright updates for 14.0.0.0 patches (bsc#1189385).
• scsi: lpfc: Delay unregistering from transport until GIDFT or ADISC completes (bsc#1189385).
• scsi: lpfc: Discovery state machine fixes for LOGO handling (bsc#1189385).
• scsi: lpfc: Enable adisc discovery after RSCN by default (bsc#1189385).
• scsi: lpfc: Fix KASAN slab-out-of-bounds in lpfcunregrpi() routine (bsc#1189385).
• scsi: lpfc: Fix NULL ptr dereference with NPIV ports for RDF handling (bsc#1189385).
• scsi: lpfc: Fix NVMe support reporting in log message (bsc#1189385).
• scsi: lpfc: Fix cq_id truncation in rq create (bsc#1189385).
• scsi: lpfc: Fix memory leaks in error paths while issuing ELS RDF/SCR request (bsc#1189385).
• scsi: lpfc: Fix possible ABBA deadlock in nvmetxriaborted() (bsc#1189385).
• scsi: lpfc: Fix target reset handler from falsely returning FAILURE (bsc#1189385).
• scsi: lpfc: Improve firmware download logging (bsc#1189385).
• scsi: lpfc: Keep NDLP reference until after freeing the IOCB after ELS handling (bsc#1189385).
• scsi: lpfc: Move initialization of phba->poll_list earlier to avoid crash (git-fixes).
• scsi: lpfc: Remove REG_LOGIN check requirement to issue an ELS RDF (bsc#1189385).
• scsi: lpfc: Remove redundant assignment to pointer pcmd (bsc#1189385).
• scsi: lpfc: Remove use of kmalloc() in trace event logging (bsc#1189385).
• scsi: lpfc: Revise Topology and RAS support checks for new adapters (bsc#1189385).
• scsi: lpfc: Skip issuing ADISC when node is in NPR state (bsc#1189385).
• scsi: lpfc: Skip reg_vpi when link is down for SLI3 in ADISC cmpl path (bsc#1189385).
• scsi: lpfc: Update lpfc version to 12.8.0.11 (bsc#1189385).
• scsi: lpfc: Update lpfc version to 14.0.0.0 (bsc#1189385).
• scsi: lpfc: Use PBDE feature enabled bit to determine PBDE support (bsc#1189385).
• scsi: lpfc: Use listmovetail() instead of listdel()/listadd_tail() (bsc#1189385).
• scsi: qla2xxx: Add heartbeat check (bsc#1189392).
• scsi: qla2xxx: Fix error return code in qla82xxwriteflash_dword() (bsc#1189392).
• scsi: qla2xxx: Fix spelling mistakes 'allloc' -> 'alloc' (bsc#1189384).
• scsi: qla2xxx: Fix use after free in debug code (bsc#1189384).
• scsi: qla2xxx: Log PCI address in qlanvmeunregisterremoteport() (bsc#1189392).
• scsi: qla2xxx: Remove duplicate declarations (bsc#1189392).
• scsi: qla2xxx: Remove redundant assignment to rval (bsc#1189392).
• scsi: qla2xxx: Remove redundant continue statement in a for-loop (bsc#1189392).
• scsi: qla2xxx: Remove redundant initialization of variable num_cnt (bsc#1189384).
• scsi: qla2xxx: Remove unused variable 'status' (bsc#1189392).
• scsi: qla2xxx: Update version to 10.02.00.107-k (bsc#1189384).
• scsi: qla2xxx: Use listmovetail() instead of listdel()/listadd_tail() (bsc#1189392).
• scsi: qla2xxx: Use the proper SCSI midlayer interfaces for PI (bsc#1189392).
• scsi: qla2xxx: edif: Add authentication pass + fail bsgs (bsc#1189384).
• scsi: qla2xxx: edif: Add detection of secure device (bsc#1189384).
• scsi: qla2xxx: edif: Add doorbell notification for app (bsc#1189384).
• scsi: qla2xxx: edif: Add encryption to I/O path (bsc#1189384).
• scsi: qla2xxx: edif: Add extraction of auth_els from the wire (bsc#1189384).
• scsi: qla2xxx: edif: Add getfcinfo and statistic bsgs (bsc#1189384).
• scsi: qla2xxx: edif: Add key update (bsc#1189384).
• scsi: qla2xxx: edif: Add send, receive, and accept for auth_els (bsc#1189384).
• scsi: qla2xxx: edif: Add start + stop bsgs (bsc#1189392).
• scsi: qla2xxx: edif: Increment command and completion counts (bsc#1189384).
• scsi: target: qla2xxx: Wait for stop_phase1 at WWN removal (bsc#1189392).
• serial: 8250: Mask out floating 16/32-bit bus bits (git-fixes).
• spi: mediatek: Fix fifo transfer (git-fixes).
• spi: spi-fsl-dspi: Fix issue with uninitialized dmaslaveconfig (git-fixes).
• spi: spi-pic32: Fix issue with uninitialized dmaslaveconfig (git-fixes).
• staging: rtl8723bs: Fix a resource leak in sdintdpc (git-fixes).
• virtio_net: Fix error code in probe() (git-fixes).
• writeback: fix obtain a reference to a freeing memcg css (bsc#1189577).
• x86/fpu: Limit xstate copy size in xstateregs_set() (bsc#1114648).
• x86/fpu: Make init_fpstate correct with optimized XSAVE (bsc#1114648).
• x86/fpu: Reset state for all signal restore failures (bsc#1114648).
• x86/kvm: fix vcpu-id indexed array sizes (git-fixes).
• x86/signal: Detect and prevent an alternate signal stack overflow (bsc#1114648).
• xen/events: Fix race in setevtchnto_irq (git-fixes).