SUSE-SU-2022:0363-1

The SUSE Linux Enterprise 15 SP3 Azure kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

• CVE-2022-0435: Fixed remote stack overflow in net/tipc module that validate domain record count on input (bsc#1195254).
• CVE-2022-0330: Fixed flush TLBs before releasing backing store (bsc#1194880).
• CVE-2022-0286: Fixed null pointer dereference in bondipsecadd_sa() that may have lead to local denial of service (bnc#1195371).
• CVE-2022-22942: Fixed stale file descriptors on failed usercopy (bsc#1195065).
• CVE-2021-45095: Fixed refcount leak in pepsockaccept in net/phonet/pep.c (bnc#1193867).
• CVE-2021-44733: Fixed a use-after-free exists in drivers/tee/teeshm.c in the TEE subsystem, that could have occured because of a race condition in teeshmgetfrom_id during an attempt to free a shared memory object (bnc#1193767).
• CVE-2021-39657: Fixed out of bounds read due to a missing bounds check in ufshcdehdeviceresethandler of ufshcd.c. This could lead to local information disclosure with System execution privileges needed (bnc#1193864).
• CVE-2021-39648: Fixed possible disclosure of kernel heap memory due to a race condition in gadgetdevdescUDCshow of configfs.c. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation (bnc#1193861).
• CVE-2021-22600: Fixed double free bug in packetsetring() in net/packet/af_packet.c that could have been exploited by a local user through crafted syscalls to escalate privileges or deny service (bnc#1195184).
• CVE-2020-28097: Fixed out-of-bounds read in vgacon subsystem that mishandled software scrollback (bnc#1187723).
• CVE-2021-4159: Fixed kernel ptr leak vulnerability via BPF in coerceregto_size (bsc#1194227).

The following security references were added to already fixed issues:

• CVE-2021-39685: Fixed USB gadget buffer overflow caused by too large endpoint 0 requests (bsc#1193802).

The following non-security bugs were fixed:

• ACPI: battery: Add the ThinkPad 'Not Charging' quirk (git-fixes).
• ACPICA: Executer: Fix the REFCLASSREFOF case in acpiexopcode1A0T1R() (git-fixes).
• ACPICA: Fix wrong interpretation of PCC address (git-fixes).
• ACPICA: Hardware: Do not flush CPU cache when entering S4 and S5 (git-fixes).
• ACPICA: Utilities: Avoid deleting the same object twice in a row (git-fixes).
• ACPICA: actypes.h: Expand the ACPIACCESS definitions (git-fixes).
• ALSA: seq: Set upper limit of processed events (git-fixes).
• ASoC: mediatek: mt8173: fix device_node leak (git-fixes).
• Bluetooth: Fix debugfs entry leak in hciregisterdev() (git-fixes).
• Documentation: fix firewire.rst ABI file path error (git-fixes).
• HID: apple: Do not reset quirks when the Fn key is not found (git-fixes).
• HID: quirks: Allow inverting the absolute X/Y values (git-fixes).
• HID: uhid: Fix worker destroying device without any protection (git-fixes).
• HID: wacom: Reset expected and received contact counts at the same time (git-fixes).
• PCI: Add function 1 DMA alias quirk for Marvell 88SE9125 SATA controller (git-fixes).
• RDMA/core: Clean up cq pool mechanism (jsc#SLE-15176).
• RDMA/rxe: Remove the unnecessary variable (jsc#SLE-15176).
• ar5523: Fix null-ptr-deref with unexpected WDCMSGTARGETSTART reply (git-fixes).
• arm64: Kconfig: add a choice for endianness (jsc#SLE-23432).
• asix: fix wrong return value in asixcheckhost_enable() (git-fixes).
• ata: pataplatform: Fix a NULL pointer dereference in _pataplatformprobe() (git-fixes).
• ath10k: Fix tx hanging (git-fixes).
• ath9k: Fix out-of-bound memcpy in ath9khifusbrxstream (git-fixes).
• batman-adv: allow netlink usage in unprivileged containers (git-fixes).
• btrfs: tree-checker: Add EXTENTITEM and METADATAITEM check (bsc#1195009).
• btrfs: tree-checker: annotate all error branches as unlikely (bsc#1195009).
• btrfs: tree-checker: check for BTRFSBLOCKFLAGFULLBACKREF being set improperly (bsc#1195009).
• cgroup/cpuset: Fix a partition bug with hotplug (bsc#1194291).
• clk: si5341: Fix clock HW provider cleanup (git-fixes).
• crypto: qat - fix undetected PFVF timeout in ACK loop (git-fixes).
• drm/amdgpu: fixup bad vram size on gmc v8 (git-fixes).
• drm/bridge: megachips: Ensure both bridges are probed before registration (git-fixes).
• drm/etnaviv: limit submit sizes (git-fixes).
• drm/etnaviv: relax submit size limits (git-fixes).
• drm/lima: fix warning when CONFIGDEBUGSG=y & CONFIGDMAAPI_DEBUG=y (git-fixes).
• drm/msm/dpu: invalid parameter check in dpusetupdspp_pcc (git-fixes).
• drm/msm/dsi: invalid parameter check in msmdsiphy_enable (git-fixes).
• drm/msm/hdmi: Fix missing putdevice() call in msmhdmigetphy (git-fixes).
• drm/msm: Fix wrong size calculation (git-fixes).
• drm/nouveau/kms/nv04: use vzalloc for nv04_display (git-fixes).
• drm/nouveau/pmu/gm200-: avoid touching PMU outside of DEVINIT/PREOS/ACR (git-fixes).
• drm/radeon: fix error handling in radeondriveropen_kms (git-fixes).
• drm: panel-orientation-quirks: Add quirk for the Lenovo Yoga Book X91F/L (git-fixes).
• ext4: set csum seed in tmp inode while migrating to extents (bsc#1195267).
• floppy: Add max size check for user space request (git-fixes).
• gpio: aspeed: Convert aspeedgpio.lock to rawspinlock (git-fixes).
• gpiolib: acpi: Do not set the IRQ type if the IRQ is already in use (git-fixes).
• hvnetvsc: Set neededheadroom according to VF (bsc#1193506).
• hwmom: (lm90) Fix citical alarm status for MAX6680/MAX6681 (git-fixes).
• hwmon: (lm90) Mark alert as broken for MAX6646/6647/6649 (git-fixes).
• hwmon: (lm90) Mark alert as broken for MAX6654 (git-fixes).
• hwmon: (lm90) Mark alert as broken for MAX6680 (git-fixes).
• hwmon: (lm90) Reduce maximum conversion rate for G781 (git-fixes).
• i2c: designware-pci: Fix to change data types of hcnt and lcnt parameters (git-fixes).
• i2c: i801: Do not silently correct invalid transfer size (git-fixes).
• i2c: mpc: Correct I2C reset procedure (git-fixes).
• ibmvnic: Allow extra failures before disabling (bsc#1195073 ltc#195713).
• ibmvnic: Update driver return codes (bsc#1195293 ltc#196198).
• ibmvnic: do not spin in tasklet (bsc#1195073 ltc#195713).
• ibmvnic: init ->runningcapcrqs early (bsc#1195073 ltc#195713).
• ibmvnic: remove unused ->wait_capability (bsc#1195073 ltc#195713).
• ibmvnic: remove unused defines (bsc#1195293 ltc#196198).
• igc: Fix TX timestamp support for non-MSI-X platforms (bsc#1160634).
• iwlwifi: fix leaks/bad data after failed firmware load (git-fixes).
• iwlwifi: mvm: Fix calculation of frame length (git-fixes).
• iwlwifi: mvm: Increase the scan timeout guard to 30 seconds (git-fixes).
• iwlwifi: mvm: synchronize with FW after multicast commands (git-fixes).
• iwlwifi: remove module loading failure message (git-fixes).
• lib82596: Fix IRQ check in sni82596probe (git-fixes).
• lightnvm: Remove lightnvm implemenation (bsc#1191881).
• mac80211: allow non-standard VHT MCS-10/11 (git-fixes).
• media: b2c2: Add missing check in flexcoppciisr: (git-fixes).
• media: coda/imx-vdoa: Handle dmasetcoherent_mask error codes (git-fixes).
• media: igorplugusb: receiver overflow should be reported (git-fixes).
• media: m920x: do not use stack on USB reads (git-fixes).
• media: saa7146: hexiumgemini: Fix a NULL pointer dereference in hexiumattach() (git-fixes).
• media: saa7146: hexiumorion: Fix a NULL pointer dereference in hexiumattach() (git-fixes).
• media: uvcvideo: Increase UVCCTRLCONTROL_TIMEOUT to 5 seconds (git-fixes).
• mlxsw: Only advertise link modes supported by both driver and device (bsc#1154488).
• mmc: core: Fixup storing of OCR for MMCQUIRKNONSTD_SDIO (git-fixes).
• mtd: nand: bbt: Fix corner case in bad block table handling (git-fixes).
• mtd: rawnand: gpmi: Add ERR007117 protection for nfcapplytimings (git-fixes).
• mtd: rawnand: gpmi: Remove explicit default gpmi clock setting for i.MX6 (git-fixes).
• net, xdp: Introduce xdpinitbuff utility routine (bsc#1193506).
• net, xdp: Introduce xdppreparebuff utility routine (bsc#1193506).
• net/mlx5: DR, Proper handling of unsupported Connect-X6DX SW steering (jsc#SLE-8464).
• net/mlx5: E-Switch, fix changing vf VLANID (jsc#SLE-15172).
• net/mlx5e: Protect encap route dev from concurrent release (jsc#SLE-8464).
• net: allow retransmitting a TCP packet if original is still in queue (bsc#1188605 bsc#1187428).
• net: bonding: fix bondxmitbroadcast return value error bug (bsc#1176447).
• net: bridge: vlan: fix memory leak in _allowedingress (bsc#1176447).
• net: bridge: vlan: fix single net device option dumping (bsc#1176447).
• net: mana: Add RX fencing (bsc#1193506).
• net: mana: Add XDP support (bsc#1193506).
• net: sch_generic: aviod concurrent reset and enqueue op for lockless qdisc (bsc#1183405).
• net: sched: add barrier to ensure correct ordering for lockless qdisc (bsc#1183405).
• net: sched: avoid unnecessary seqcount operation for lockless qdisc (bsc#1183405).
• net: sched: fix packet stuck problem for lockless qdisc (bsc#1183405).
• net: sched: fix tx action reschedule issue with stopped queue (bsc#1183405).
• net: sched: fix tx action rescheduling issue during deactivation (bsc#1183405).
• net: sched: replaced invalid qdisc tree flush helper in qdisc_replace (bsc#1183405).
• net: sfp: fix high power modules without diagnostic monitoring (bsc#1154353).
• netdevsim: set .owner to THIS_MODULE (bsc#1154353).
• nfc: llcp: fix NULL error pointer dereference on sendmsg() after failed bind() (git-fixes).
• nvme: add 'iopolicy' module parameter (bsc#1177599 bsc#1193096).
• phy: uniphier-usb3ss: fix unintended writing zeros to PHY register (git-fixes).
• phylib: fix potential use-after-free (git-fixes).
• pinctrl: bcm2835: Add support for wake-up interrupts (git-fixes).
• pinctrl: bcm2835: Match BCM7211 compatible string (git-fixes).
• powerpc/book3s64/radix: make tlbsinglepageflushceiling a debugfs entry (bsc#1195183 ltc#193865).
• regulator: qcom_smd: Align probe function with rpmh-regulator (git-fixes).
• rsi: Fix use-after-free in rsirxdone_handler() (git-fixes).
• sched/fair: Fix detection of per-CPU kthreads waking a task (git fixes (sched/fair)).
• sched/numa: Fix iscoreidle() (git fixes (sched/numa)).
• scripts/dtc: dtx_diff: remove broken example from help text (git-fixes).
• serial: 8250: of: Fix mapped region size when using reg-offset property (git-fixes).
• serial: Fix incorrect rs485 polarity on uart open (git-fixes).
• serial: amba-pl011: do not request memory region twice (git-fixes).
• serial: core: Keep mctrl register state and cached copy in sync (git-fixes).
• serial: pl010: Drop CR register reset on set_termios (git-fixes).
• serial: stm32: fix software flow control transfer (git-fixes).
• supported.conf: mark rtw88 modules as supported (jsc#SLE-22690)
• tty: n_gsm: fix SW flow control encoding/handling (git-fixes).
• ucsiccg: Check DEVINT bit only when starting CCG4 (git-fixes).
• usb: common: ulpi: Fix crash in ulpi_match() (git-fixes).
• usb: gadget: ffs: Use streamopen() for endpoint files (git-fixes).
• usb: gadget: fsourcesink: Fix isoc transfer for USBSPEEDSUPERPLUS (git-fixes).
• usb: hub: Add delay for SuperSpeed hub resume to let links transit to U0 (git-fixes).
• usb: roles: fix include/linux/usb/role.h compile issue (git-fixes).
• usb: typec: tcpm: Do not disconnect while receiving VBUS off (git-fixes).
• usb: uhci: add aspeed ast2600 uhci support (git-fixes).
• vfio/iommu_type1: replace kfree with kvfree (git-fixes).
• video: hyperv_fb: Fix validation of screen resolution (git-fixes).
• vxlan: fix error return code in _vxlandev_create() (bsc#1154353).
• workqueue: Fix unbindworkers() VS wqworker_running() race (bsc#1195062).
• x86/gpu: Reserve stolen memory for first integrated Intel GPU (git-fixes).
• xfrm: fix MTU regression (bsc#1185377, bsc#1194048).