SUSE-SU-2022:0763-1

The SUSE Linux Enterprise 15 SP3 RT kernel was updated to receive various security and bugfixes.

Transient execution side-channel attacks attacking the Branch History Buffer (BHB), named 'Branch Target Injection' and 'Intra-Mode Branch History Injection' are now mitigated.

The following security bugs were fixed:

• CVE-2022-0001: Fixed Branch History Injection vulnerability (bsc#1191580).
• CVE-2022-0002: Fixed Intra-Mode Branch Target Injection vulnerability (bsc#1191580).
• CVE-2022-0847: Fixed a vulnerability were a local attackers could overwrite data in arbitrary (read-only) files (bsc#1196584).
• CVE-2022-25375: The RNDIS USB gadget lacks validation of the size of the RNDISMSGSET command. Attackers can obtain sensitive information from kernel memory (bnc#1196235 ).

The following non-security bugs were fixed:

• ACPI/IORT: Check node revision for PMCG resources (git-fixes).
• ALSA: hda/realtek: Add missing fixup-model entry for Gigabyte X570 ALC1220 quirks (git-fixes).
• ALSA: hda/realtek: Add quirk for ASUS GU603 (git-fixes).
• ALSA: hda/realtek: Fix silent output on Gigabyte X570 Aorus Xtreme after reboot from Windows (git-fixes).
• ALSA: hda/realtek: Fix silent output on Gigabyte X570S Aorus Master (newer chipset) (git-fixes).
• ALSA: hda: Fix missing codec probe on Shenker Dock 15 (git-fixes).
• ALSA: hda: Fix regression on forced probe mask option (git-fixes).
• ASoC: Revert 'ASoC: mediatek: Check for error clk pointer' (git-fixes).
• ASoC: ops: Fix stereo change notifications in sndsocput_volsw() (git-fixes).
• ASoC: ops: Fix stereo change notifications in sndsocputvolswrange() (git-fixes).
• ASoC: ops: Reject out of bounds values in sndsocput_volsw() (git-fixes).
• ASoC: ops: Reject out of bounds values in sndsocputvolswsx() (git-fixes).
• ASoC: ops: Reject out of bounds values in sndsocputxrsx() (git-fixes).
• Align s390 NVME target options with other architectures (bsc#1188404, jsc#SLE-22494). CONFIGNVMETARGET=m CONFIGNVMETARGETPASSTHRU=y CONFIGNVMETARGETLOOP=m CONFIGNVMETARGETRDMA=m CONFIGNVMETARGETFC=m CONFIGNVMETARGETFCLOOP=m CONFIGNVMETARGETTCP=m
• EDAC/xgene: Fix deferred probing (bsc#1178134).
• HID:Add support for UGTABLET WP5540 (git-fixes).
• IB/cma: Do not send IGMP leaves for sendonly Multicast groups (git-fixes).
• IB/hfi1: Fix AIP early init panic (jsc#SLE-13208).
• KVM: remember position in kvm->vcpus array (bsc#1190972 LTC#194674).
• NFSD: Fix the behavior of READ near OFFSET_MAX (bsc#1195957).
• PM: hibernate: Remove registernosaveregion_late() (git-fixes).
• PM: s2idle: ACPI: Fix wakeup interrupts handling (git-fixes).
• RDMA/cma: Use correct address when leaving multicast group (bsc#1181147).
• RDMA/ucma: Protect mc during concurrent multicast leaves (bsc#1181147).
• USB: serial: ch341: add support for GW Instek USB2.0-Serial devices (git-fixes).
• USB: serial: cp210x: add CPI Bulk Coin Recycler id (git-fixes).
• USB: serial: cp210x: add NCR Retail IO box id (git-fixes).
• USB: serial: ftdi_sio: add support for Brainboxes US-159/235/320 (git-fixes).
• USB: serial: mos7840: remove duplicated 0xac24 device ID (git-fixes).
• USB: serial: option: add ZTE MF286D modem (git-fixes).
• ata: libata-core: Disable TRIM on M88V29 (git-fixes).
• ax25: improve the incomplete fix to avoid UAF and NPD bugs (git-fixes).
• blk-mq: always allow reserved allocation in hctxmayqueue (bsc#1193787).
• blk-mq: avoid to iterate over stale request (bsc#1193787).
• blk-mq: clear stale request in tags->rq before freeing one request pool (bsc#1193787).
• blk-mq: clearing flush request reference in tags->rqs (bsc#1193787).
• blk-mq: do not grab rq's refcount in blkmqcheck_expired() (bsc#1193787 git-fixes).
• blk-mq: fix isflushrq (bsc#1193787 git-fixes).
• blk-mq: fix kernel panic during iterating over flush request (bsc#1193787 git-fixes).
• blk-mq: grab rq->refcount before calling ->fn in blkmqtagsetbusyiter (bsc#1193787).
• blk-mq: mark flush request as IDLE in flushendio() (bsc#1193787).
• blk-tag: Hide spin_lock (bsc#1193787).
• block: avoid double io accounting for flush request (bsc#1193787).
• block: do not send a rezise udev event for hidden block device (bsc#1193096).
• block: mark flush request as IDLE when it is really finished (bsc#1193787).
• bonding: pair enableport with slavearr_updates (git-fixes).
• btrfs: check for missing device in btrfstrimfs (bsc#1195701).
• btrfs: check worker before needpreemptivereclaim (bsc#1196195).
• btrfs: do not do preemptive flushing if the majority is global rsv (bsc#1196195).
• btrfs: do not include the global rsv size in the preemptive used amount (bsc#1196195).
• btrfs: handle preemptive delalloc flushing slightly differently (bsc#1196195).
• btrfs: make sure SBIVERSION does not get unset by remount (bsc#1192210).
• btrfs: only clamp the first time we have to start flushing (bsc#1196195).
• btrfs: only ignore delalloc if delalloc is much smaller than ordered (bsc#1196195).
• btrfs: reduce the preemptive flushing threshold to 90% (bsc#1196195).
• btrfs: take into account global rsv in needpreemptivereclaim (bsc#1196195).
• btrfs: use the global rsv size in the preemptive thresh calculation (bsc#1196195).
• ceph: properly put ceph_string reference after async create attempt (bsc#1195798).
• ceph: set pool_ns in new inode layout for async creates (bsc#1195799).
• drm/amdgpu: fix logic inversion in check (git-fixes).
• drm/i915/gvt: Make DRMI915GVT depend on X86 (git-fixes).
• drm/i915/gvt: clean up kernel-doc in gtt.c (git-fixes).
• drm/i915/opregion: check port number bounds for SWSCI display power state (git-fixes).
• drm/i915: Correctly populate usesagvwm for all pipes (git-fixes).
• drm/i915: Fix bw atomic check when switching between SAGV vs. no SAGV (git-fixes).
• drm/panel: simple: Assign data from paneldpiprobe() correctly (git-fixes).
• drm/radeon: Fix backlight control on iMac 12,1 (git-fixes).
• drm/rockchip: dw_hdmi: Do not leave clock enabled in error case (git-fixes).
• drm/rockchip: vop: Correct RK3399 VOP register fields (git-fixes).
• drm/vc4: hdmi: Allow DBLCLK modes even if horz timing is odd (git-fixes).
• drm: panel-orientation-quirks: Add quirk for the 1Netbook OneXPlayer (git-fixes).
• ext4: check for inconsistent extents between index and leaf block (bsc#1194163 bsc#1196339).
• ext4: check for out-of-order index extents in ext4validextent_entries() (bsc#1194163 bsc#1196339).
• ext4: prevent partial update of the extent blocks (bsc#1194163 bsc#1196339).
• gve: Add RX context (bsc#1191655).
• gve: Add a jumbo-frame device option (bsc#1191655).
• gve: Add consumed counts to ethtool stats (bsc#1191655).
• gve: Add optional metadata descriptor type GVETXDMTD (bsc#1191655).
• gve: Correct order of processing device options (bsc#1191655).
• gve: Fix GFP flags when allocing pages (git-fixes).
• gve: Fix off by one in gvetxtimeout() (bsc#1191655).
• gve: Implement packet continuation for RX (bsc#1191655).
• gve: Implement suspend/resume/shutdown (bsc#1191655).
• gve: Move the irq db indexes out of the ntfy block struct (bsc#1191655).
• gve: Recording rx queue before sending to napi (bsc#1191655).
• gve: Recover from queue stall due to missed IRQ (bsc#1191655).
• gve: Update gvefreequeuepagelist signature (bsc#1191655).
• gve: Use kvcalloc() instead of kvzalloc() (bsc#1191655).
• gve: fix for null pointer dereference (bsc#1191655).
• gve: fix the wrong AdminQ buffer queue index check (bsc#1176940).
• gve: fix unmatched u64statsupdate_end() (bsc#1191655).
• gve: remove memory barrier around seqno (bsc#1191655).
• i2c: brcmstb: fix support for DSL and CM variants (git-fixes).
• i40e: Fix for failed to init adminq while VF reset (git-fixes).
• i40e: Fix issue when maximum queues is exceeded (git-fixes).
• i40e: Fix queues reservation for XDP (git-fixes).
• i40e: Increase delay to 1 s after global EMP reset (git-fixes).
• i40e: fix unsigned stat widths (git-fixes).
• ibmvnic: Allow queueing resets during probe (bsc#1196516 ltc#196391).
• ibmvnic: clear fop when retrying probe (bsc#1196516 ltc#196391).
• ibmvnic: complete init_done on transport events (bsc#1196516 ltc#196391).
• ibmvnic: define flushresetqueue helper (bsc#1196516 ltc#196391).
• ibmvnic: do not release napi in _ibmvnicopen() (bsc#1195668 ltc#195811).
• ibmvnic: free reset-work-item when flushing (bsc#1196516 ltc#196391).
• ibmvnic: init initdonerc earlier (bsc#1196516 ltc#196391).
• ibmvnic: initialize rc before completing wait (bsc#1196516 ltc#196391).
• ibmvnic: register netdev after init of adapter (bsc#1196516 ltc#196391).
• ibmvnic: schedule failover only if vioctl fails (bsc#1196400 ltc#195815).
• ice: fix IPIP and SIT TSO offload (git-fixes).
• ice: fix an error code in icecfgphy_fec() (jsc#SLE-12878).
• ima: Allow template selection with imatemplate[fmt]= after ima_hash= (git-fixes).
• ima: Do not print policy rule with inactive LSM labels (git-fixes).
• ima: Remove ima_policy file before directory (git-fixes).
• integrity: Make function integrityaddkey() static (git-fixes).
• integrity: check the return value of auditlogstart() (git-fixes).
• integrity: double check iint_cache was initialized (git-fixes).
• iommu/amd: Fix loop timeout issue in iommugalog_enable() (git-fixes).
• iommu/amd: Remove useless irq affinity notifier (git-fixes).
• iommu/amd: Restore GA log/tail pointer on host resume (git-fixes).
• iommu/amd: X2apic mode: mask/unmask interrupts on suspend/resume (git-fixes).
• iommu/amd: X2apic mode: re-enable after resume (git-fixes).
• iommu/amd: X2apic mode: setup the INTX registers on mask/unmask (git-fixes).
• iommu/io-pgtable-arm-v7s: Add error handle for page table allocation failure (git-fixes).
• iommu/io-pgtable-arm: Fix table descriptor paddr formatting (git-fixes).
• iommu/iova: Fix race between FQ timeout and teardown (git-fixes).
• iommu/vt-d: Fix potential memory leak in intelsetupirq_remapping() (git-fixes).
• iwlwifi: fix use-after-free (git-fixes).
• iwlwifi: pcie: fix locking when 'HW not ready' (git-fixes).
• iwlwifi: pcie: gen2: fix locking when 'HW not ready' (git-fixes).
• ixgbevf: Require large buffers for build_skb on 82599VF (git-fixes).
• kABI fixup after adding vcpuidx to struct kvmcpu (bsc#1190972 LTC#194674).
• kABI: Fix kABI for AMD IOMMU driver (git-fixes).
• kabi: Hide changes to s390/AP structures (jsc#SLE-20807).
• lib/ioviter: initialize 'flags' in new pipebuffer (bsc#1196584).
• libsubcmd: Fix use-after-free for realloc(..., 0) (git-fixes).
• md/raid5: fix oops during stripe resizing (bsc#1181588).
• misc: fastrpc: avoid double fput() on failed usercopy (git-fixes).
• mmc: sdhci-of-esdhc: Check for error num after setting mask (git-fixes).
• mtd: rawnand: brcmnand: Fixed incorrect sub-page ECC status (git-fixes).
• mtd: rawnand: gpmi: do not leak PM reference in error path (git-fixes).
• mtd: rawnand: qcom: Fix clock sequencing in qcomnandcprobe() (git-fixes).
• net/ibmvnic: Cleanup workaround doing an EOI after partition migration (bsc#1089644 ltc#166495 ltc#165544 git-fixes).
• net/mlx5e: Fix handling of wrong devices during bond netevent (jsc#SLE-15172).
• net: macb: Align the dma and coherent dma masks (git-fixes).
• net: mdio: aspeed: Add missing MODULEDEVICETABLE (bsc#1176447).
• net: phy: marvell: Fix MDI-x polarity setting in 88e1118-compatible PHYs (git-fixes).
• net: phy: marvell: Fix RGMII Tx/Rx delays setting in 88e1121-compatible PHYs (git-fixes).
• net: phy: marvell: configure RGMII delays for 88E1118 (git-fixes).
• net: usb: qmi_wwan: Add support for Dell DW5829e (git-fixes).
• nfp: flower: fix ida_idx not being released (bsc#1154353).
• nfsd: allow delegation state ids to be revoked and then freed (bsc#1192483).
• nfsd: allow lock state ids to be revoked and then freed (bsc#1192483).
• nfsd: allow open state ids to be revoked and then freed (bsc#1192483).
• nfsd: do not admin-revoke NSv4.0 state ids (bsc#1192483).
• nfsd: prepare for supporting admin-revocation of state (bsc#1192483).
• nvme-fabrics: fix state check in nvmfctlrmatches_baseopts() (bsc#1195012).
• nvme: also mark passthrough-only namespaces ready in nvmeupdatens_info (git-fixes).
• nvme: do not return an error from nvmeconfiguremetadata (git-fixes).
• nvme: let namespace probing continue for unsupported features (git-fixes).
• powerpc/64: Move paca allocation later in boot (bsc#1190812).
• powerpc/64s: Fix debugfssimpleattr.cocci warnings (bsc#1157038 bsc#1157923 ltc#182612 git-fixes).
• powerpc/pseries/ddw: Revert 'Extend upper limit for huge DMA window for persistent memory' (bsc#1195995 ltc#196394).
• powerpc/pseries: read the lpar name from the firmware (bsc#1187716 ltc#193451).
• powerpc: Set crashkernel offset to mid of RMA region (bsc#1190812).
• powerpc: add link stack flush mitigation status in debugfs (bsc#1157038 bsc#1157923 ltc#182612 git-fixes).
• s390/AP: support new dynamic AP bus size limit (jsc#SLE-20807).
• s390/bpf: Fix 64-bit subtraction of the -0x80000000 constant (git-fixes).
• s390/bpf: Fix optimizing out zero-extensions (git-fixes).
• s390/cio: make ccwdevicedma_* more robust (bsc#1193243 LTC#195549).
• s390/cio: verify the driver availability for path_event call (bsc#1195928 LTC#196418).
• s390/cpumf: Support for CPU Measurement Facility CSVN 7 (bsc#1195081 LTC#196088).
• s390/cpumf: Support for CPU Measurement Sampling Facility LS bit (bsc#1195081 LTC#196088).
• s390/pci: add s390iommuaperture kernel parameter (bsc#1193233 LTC#195540).
• s390/pci: move pseudo-MMIO to prevent MIO overlap (bsc#1194967 LTC#196028).
• s390/protvirt: fix error return code in uvinfoinit() (jsc#SLE-22135).
• s390/sclp: fix Secure-IPL facility detection (bsc#1191741 LTC#194816).
• s390/uv: add prot virt guest/host indication files (jsc#SLE-22135).
• s390/uv: fix prot virt host indication compilation (jsc#SLE-22135).
• scsi: core: Add a new error code DIDTRANSPORTMARGINAL in scsi.h (bsc#1195506).
• scsi: core: Add limitless cmd retry support (bsc#1195506).
• scsi: core: No retries on abort success (bsc#1195506).
• scsi: kABI fix for 'ehshouldretry_cmd' (bsc#1195506).
• scsi: lpfc: Add support for ehshouldretry_cmd() (bsc#1195506).
• scsi: lpfc: Fix pt2pt NVMe PRLI reject LOGO loop (bsc#1189126).
• scsi: qla2xxx: Add devids and conditionals for 28xx (bsc#1195823).
• scsi: qla2xxx: Add marginal path handling support (bsc#1195506).
• scsi: qla2xxx: Add ql2xnvme_queues module param to configure number of NVMe queues (bsc#1195823).
• scsi: qla2xxx: Add qla2x00asyncdone() for async routines (bsc#1195823).
• scsi: qla2xxx: Add retry for exec firmware (bsc#1195823).
• scsi: qla2xxx: Check for firmware dump already collected (bsc#1195823).
• scsi: qla2xxx: Fix T10 PI tag escape and IP guard options for 28XX adapters (bsc#1195823).
• scsi: qla2xxx: Fix device reconnect in loop topology (bsc#1195823).
• scsi: qla2xxx: Fix premature hw access after PCI error (bsc#1195823).
• scsi: qla2xxx: Fix scheduling while atomic (bsc#1195823).
• scsi: qla2xxx: Fix stuck session in gpdb (bsc#1195823).
• scsi: qla2xxx: Fix unmap of already freed sgl (bsc#1195823).
• scsi: qla2xxx: Fix warning for missing error code (bsc#1195823).
• scsi: qla2xxx: Fix warning message due to adisc being flushed (bsc#1195823).
• scsi: qla2xxx: Fix wrong FDMI data for 64G adapter (bsc#1195823).
• scsi: qla2xxx: Implement ref count for SRB (bsc#1195823).
• scsi: qla2xxx: Refactor asynchronous command initialization (bsc#1195823).
• scsi: qla2xxx: Remove a declaration (bsc#1195823).
• scsi: qla2xxx: Remove unused qlasessopcmdlist from scsiqlahost_t (bsc#1195823).
• scsi: qla2xxx: Return -ENOMEM if kzalloc() fails (bsc#1195823).
• scsi: qla2xxx: Suppress a kernel complaint in qlacreateqpair() (bsc#1195823).
• scsi: qla2xxx: Update version to 10.02.07.200-k (bsc#1195823).
• scsi: qla2xxx: Update version to 10.02.07.300-k (bsc#1195823).
• scsi: qla2xxx: edif: Fix clang warning (bsc#1195823).
• scsi: qla2xxx: edif: Fix inconsistent check of db_flags (bsc#1195823).
• scsi: qla2xxx: edif: Reduce connection thrash (bsc#1195823).
• scsi: qla2xxx: edif: Replace listforeachsafe with listforeachentry_safe (bsc#1195823).
• scsi: qla2xxx: edif: Tweak trace message (bsc#1195823).
• scsi: scsitransportfc: Add a new rport state FCPORTSTATEMARGINAL (bsc#1195506).
• scsi: scsitransportfc: Add store capability to rport port_state in sysfs (bsc#1195506).
• scsi: target: iscsi: Fix cmd abort fabric stop race (bsc#1195286).
• scsi: zfcp: Fix failed recovery on gone remote port with non-NPIV FCP devices (bsc#1195378 LTC#196244).
• scsitransportfc: kabi fix blank out FCPORTSTATEMARGINAL (bsc#1195506).
• staging/fbtft: Fix backlight (git-fixes).
• staging: fbtft: Fix error path in fbtftdrivermodule_init() (git-fixes).
• tracing: Do not inc err_log entry count if entry allocation fails (git-fixes).
• tracing: Dump stacktrace trigger to the corresponding instance (git-fixes).
• tracing: Fix smatch warning for null glob in eventhisttrigger_parse() (git-fixes).
• tracing: Have traceon and traceoff trigger honor the instance (git-fixes).
• tracing: Propagate is_signed to expression (git-fixes).
• usb: dwc2: Fix NULL qh in dwc2queuetransaction (git-fixes).
• usb: dwc2: gadget: do not try to disable ep0 in dwc2hsotgsuspend (git-fixes).
• usb: dwc3: do not set gadget->is_otg flag (git-fixes).
• usb: dwc3: gadget: Prevent core from processing stale TRBs (git-fixes).
• usb: f_fs: Fix use-after-free for epfile (git-fixes).
• usb: gadget: f_uac2: Define specific wTerminalType (git-fixes).
• usb: gadget: rndis: check size of RNDISMSGSET command (git-fixes).
• usb: gadget: s3c: remove unused 'udc' variable (git-fixes).
• usb: gadget: udc: renesasusb3: Fix host to USBROLE_NONE transition (git-fixes).
• usb: host: ehci-tegra: Fix error handling in tegraehciprobe() (git-fixes).
• usb: ulpi: Call ofnodeput correctly (git-fixes).
• usb: ulpi: Move ofnodeput to ulpidevrelease (git-fixes).