SUSE-SU-2022:1038-1

The SUSE Linux Enterprise 15 SP3 RT kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

• CVE-2022-25636: Fixed an issue which allowed a local users to gain privileges because of a heap out-of-bounds write in nfdupnetdev.c, related to nftablesoffload (bsc#1196299).
• CVE-2022-26490: Fixed a buffer overflow in the st21nfca driver. An attacker with adjacent NFC access could trigger crash the system or corrupt system memory (bsc#1196830).
• CVE-2022-0487: A use-after-free vulnerability was found in rtsxusbmsdrvremove() in drivers/memstick/host/rtsxusbms.c (bsc#1194516).
• CVE-2022-0492: Fixed a privilege escalation related to cgroups v1 release_agent feature, which allowed bypassing namespace isolation unexpectedly (bsc#1195543).
• CVE-2022-0516: Fixed missing check in ioctl related to KVM in s390 allows kernel memory read/write (bsc#1195516).
• CVE-2022-24448: Fixed an issue if an application sets the ODIRECTORY flag, and tries to open a regular file, nfsatomic_open() performs a regular lookup. If a regular file is found, ENOTDIR should have occured, but the server instead returned uninitialized data in the file descriptor (bsc#1195612).
• CVE-2022-0617: Fixed a null pointer dereference in UDF file system functionality. A local user could crash the system by triggering udffilewrite_iter() via a malicious UDF image. (bsc#1196079)
• CVE-2022-0644: Fixed a denial of service by a local user. A assertion failure could be triggered in kernelreadfilefromfd(). (bsc#1196155)
• CVE-2022-25258: The USB Gadget subsystem lacked certain validation of interface OS descriptor requests, which could have lead to memory corruption (bsc#1196096).
• CVE-2022-24958: drivers/usb/gadget/legacy/inode.c mishandled dev->buf release (bsc#1195905).
• CVE-2022-24959: Fixed a memory leak in yam_siocdevprivate() in drivers/net/hamradio/yam.c (bsc#1195897).
• CVE-2022-27223: In drivers/usb/gadget/udc/udc-xilinx.c the endpoint index was not validated and could have been manipulated by the host for out-of-array access (bsc#1197245).
• CVE-2021-44879: In gcdatasegment() in fs/f2fs/gc.c, special files were not considered, which lead to a movedatapage NULL pointer dereference (bsc#1195987).
• CVE-2021-0920: Fixed a local privilege escalation due to a use-after-free vulnerability in unixscmtoskb of afunix (bsc#1193731).
• CVE-2022-26966: Fixed an issue in drivers/net/usb/sr9700.c, which allowed attackers to obtain sensitive information from heap memory via crafted frame lengths from a device (bsc#1196836).
• CVE-2021-39698: Fixed a possible memory corruption due to a use after free in aiopollcomplete_work. This could lead to local escalation of privilege with no additional execution privileges needed. (bsc#1196956)
• CVE-2021-45402: The checkaluop function in kernel/bpf/verifier.c did not properly update bounds while handling the mov32 instruction, which allowed local users to obtain potentially sensitive address information (bsc#1196130).
• CVE-2022-23036,CVE-2022-23037,CVE-2022-23038,CVE-2022-23039,CVE-2022-23040,CVE-2022-23041,CVE-2022-23042: Fixed multiple issues which could have lead to read/write access to memory pages or denial of service. These issues are related to the Xen PV device frontend drivers. (bsc#1196488)

The following non-security bugs were fixed:

• ALSA: intel_hdmi: Fix reference to PCM buffer address (git-fixes).
• arm64: dts: rockchip: Switch RK3399-Gru DP to SPDIF output (git-fixes).
• ARM: 9182/1: mmu: fix returns from earlyparam() and _setup() functions (git-fixes).
• ARM: Fix kgdb breakpoint for Thumb2 (git-fixes).
• asix: fix uninit-value in asixmdioread() (git-fixes).
• ASoC: cs4265: Fix the duplicated control name (git-fixes).
• ASoC: ops: Shift tested values in sndsocput_volsw() by +min (git-fixes).
• ASoC: rt5682: do not block workqueue if card is unbound (git-fixes).
• ata: pata_hpt37x: disable primary channel on HPT371 (git-fixes).
• ax25: Fix NULL pointer dereference in ax25killby_device (git-fixes).
• batman-adv: Do not expect inter-netns unique iflink indices (git-fixes).
• batman-adv: Request iflink once in batadvgetreal_netdevice (git-fixes).
• batman-adv: Request iflink once in batadv-on-batadv check (git-fixes).
• blk-mq: do not free tags if the tag_set is used by other device in queue initialztion (bsc#1193787).
• Bluetooth: btusb: Add missing Chicony device for Realtek RTL8723BE (bsc#1196779).
• bnxt_en: Fix active FEC reporting to ethtool (jsc#SLE-16649).
• bnxt_en: Fix incorrect multicast rx mask setting when not requested (git-fixes).
• bnxt_en: Fix occasional ethtool -t loopback test failures (git-fixes).
• bnxt_en: Fix offline ethtool selftest with RDMA enabled (git-fixes).
• bonding: force carrier update when releasing slave (git-fixes).
• can: gsusb: change activechannels's type from atomic_t to u8 (git-fixes).
• cgroup/cpuset: Fix 'suspicious RCU usage' lockdep warning (bsc#1196868).
• cgroup-v1: Correct privileges check in release_agent writes (bsc#1196723).
• clk: jz4725b: fix mmc0 clock gating (git-fixes).
• constraints: Also adjust disk requirement for x86 and s390.
• constraints: Increase disk space for aarch64
• cpufreq: schedutil: Use kobject release() method to free (git-fixes)
• cpuset: Fix the bug that subpartcpus updated wrongly in updatecpumask() (bsc#1196866).
• cputime, cpuacct: Include guest time in user time in (git-fixes)
• dma-direct: Fix potential NULL pointer dereference (bsc#1196472 ltc#192278).
• dmaengine: shdma: Fix runtime PM imbalance on error (git-fixes).
• dma-mapping: Allow mixing bypass and mapped DMA operation (bsc#1196472 ltc#192278).
• drm/amdgpu: disable MMHUB PG for Picasso (git-fixes).
• drm/edid: Always set RGB444 (git-fixes).
• drm/i915/dg1: Wait for pcode/uncore handshake at startup (bsc#1195211).
• drm/i915/gen11+: Only load DRAM information from pcode (bsc#1195211).
• drm/i915: Nuke not needed members of dram_info (bsc#1195211).
• drm/i915: Remove memory frequency calculation (bsc#1195211).
• drm/i915: Rename is16gbdimm to wmlv0adjustneeded (bsc#1195211).
• drm/sun4i: mixer: Fix P010 and P210 format numbers (git-fixes).
• EDAC/altera: Fix deferred probing (bsc#1178134).
• EDAC: Fix calculation of returned address and next offset in edacalignptr() (bsc#1178134).
• efivars: Respect 'block' flag in efivarentryset_safe() (git-fixes).
• exfat: fix i_blocks for files truncated over 4 GiB (git-fixes).
• exfat: fix incorrect loading of i_blocks for large files (git-fixes).
• firmware: armscmi: Remove space in MODULEALIAS name (git-fixes).
• gianfar: ethtool: Fix refcount leak in gfargetts_info (git-fixes).
• gpiolib: acpi: Convert ACPI value of debounce to microseconds (git-fixes).
• gpio: rockchip: Reset int_bothedge when changing trigger (git-fixes).
• gpio: tegra186: Fix chip_data type confusion (git-fixes).
• gpio: ts4900: Do not set DAT and OE together (git-fixes).
• gtp: remove useless rcureadlock() (git-fixes).
• hamradio: fix macro redefine warning (git-fixes).
• Hand over the maintainership to SLE15-SP3 maintainers
• HID: add mapping for KEYALLAPPLICATIONS (git-fixes).
• HID: add mapping for KEY_DICTATE (git-fixes).
• i2c: bcm2835: Avoid clock stretching timeouts (git-fixes).
• iavf: Fix missing check for running netdev (git-fixes).
• IB/hfi1: Correct guard on eager buffer deallocation (git-fixes).
• IB/hfi1: Fix early init panic (git-fixes).
• IB/hfi1: Fix leak of rcvhdrtaildummykvaddr (git-fixes).
• IB/hfi1: Insure use of smpprocessorid() is preempt disabled (git-fixes).
• IB/rdmavt: Validate remote_addr during loopback atomic tests (git-fixes).
• ice: initialize local variable 'tlv' (jsc#SLE-12878).
• igc: igcreadphyreggpy: drop premature return (git-fixes).
• igc: igcwritephyreggpy: drop premature return (git-fixes).
• iio: adc: ad7124: fix mask used for setting AINBUFP & AINBUFM bits (git-fixes).
• iio: adc: menz188adc: Fix a resource leak in an error handling path (git-fixes).
• iio: Fix error handling for PM (git-fixes).
• Input: clear BTN_RIGHT/MIDDLE on buttonpads (git-fixes).
• Input: elan_i2c - fix regulator enable count imbalance after suspend/resume (git-fixes).
• Input: elani2c - move regulator[en|dis]able() out of elan[en|dis]ablepower() (git-fixes).
• ixgbe: xsk: change !netifcarrierok() handling in ixgbexmitzc() (git-fixes).
• mac80211: fix forwarded mesh frames AC & queue selection (git-fixes).
• mac80211hwsim: initialize ieee80211txinfo at hwscan_work (git-fixes).
• mac80211hwsim: report NOACK frames in txstatus (git-fixes).
• mask out added spinlock in rndis_params (git-fixes).
• mmc: meson: Fix usage of mesonmmcpost_req() (git-fixes).
• net: dsa: mv88e6xxx: MV88E6097 does not support jumbo configuration (git-fixes).
• net: ethernet: ti: cpsw: disable PTPv1 hw timestamping advertisement (git-fixes).
• netfilter: nf_tables: fix memory leak during stateful obj update (bsc#1176447).
• net: fix up skbs deltatruesize in UDP GRO fraglist (bsc#1176447).
• net: hns3: Clear the CMDQ registers before unmapping BAR region (git-fixes).
• net/mlx5e: Fix modify header actions memory leak (git-fixes).
• net/mlx5e: Fix page DMA map/unmap attributes (bsc#1196468).
• net/mlx5e: Fix wrong return value on ioctl EEPROM query failure (git-fixes).
• net/mlx5e: kTLS, Use CHECKSUM_UNNECESSARY for device-offloaded packets (jsc#SLE-15172).
• net/mlx5e: TC, Reject rules with drop and modify hdr action (git-fixes).
• net/mlx5e: TC, Reject rules with forward and drop actions (git-fixes).
• net/mlx5: Fix possible deadlock on rule deletion (git-fixes).
• net/mlx5: Fix wrong limitation of metadata match on ecpf (git-fixes).
• net/mlx5: Update the list of the PCI supported devices (git-fixes).
• net: phy: DP83822: clear MISR2 register to disable interrupts (git-fixes).
• net/sched: act_ct: Fix flow table lookup after ct clear or switching zones (jsc#SLE-15172).
• netsec: ignore 'phy-mode' device property on ACPI systems (git-fixes).
• net: sfc: Replace in_interrupt() usage (git-fixes).
• net: tipc: validate domain record count on input (bsc#1195254).
• net: usb: cdc_mbim: avoid altsetting toggling for Telit FN990 (git-fixes).
• NFC: port100: fix use-after-free in port100sendcomplete (git-fixes).
• nfp: flower: Fix a potential leak in nfptunneladdsharedmac() (git-fixes).
• nl80211: Handle nlamemdup failures in handlenan_filter (git-fixes).
• ntb: intel: fix port config status offset for SPR (git-fixes).
• nvme: fix a possible use-after-free in controller reset during load (git-fixes).
• nvme-multipath: use vmalloc for ANA log buffer (bsc#1193787).
• nvme-rdma: fix possible use-after-free in transport error_recovery work (git-fixes).
• nvme-tcp: fix possible use-after-free in transport error_recovery work (git-fixes).
• powerpc/dma: Fallback to dma_ops when persistent memory present (bsc#1196472 ltc#192278).
• powerpc/fadump: register for fadump as early as possible (bsc#1179439 ltc#190038).
• powerpc/mm: Remove dcache flush from memory remove (bsc#1196433 ltc#196449).
• powerpc/powernv/memtrace: Fix dcache flushing (bsc#1196433 ltc#196449).
• powerpc/pseries/iommu: Fix window size for direct mapping with pmem (bsc#1196472 ltc#192278).
• RDMA/bnxt_re: Scan the whole bitmap when checking if 'disabling RCFW with pending cmd-bit' (git-fixes).
• RDMA/cma: Do not change route.addr.src_addr outside state checks (bsc#1181147).
• RDMA/cma: Let cmaresolveib_dev() continue search even after empty entry (git-fixes).
• RDMA/cma: Remove open coding of overflow checking for privatedatalen (git-fixes).
• RDMA/core: Do not infoleak GRH fields (git-fixes).
• RDMA/core: Let ibfindgid() continue search even after empty entry (git-fixes).
• RDMA/cxgb4: Set queue pair state when being queried (git-fixes).
• RDMA/hns: Validate the pkey index (git-fixes).
• RDMA/ib_srp: Fix a deadlock (git-fixes).
• RDMA/mlx4: Do not continue event handler after memory allocation failure (git-fixes).
• RDMA/rtrs-clt: Fix possible double free in error case (jsc#SLE-15176).
• RDMA/rxe: Fix a typo in opcode name (git-fixes).
• RDMA/siw: Fix broken RDMA Read Fence/Resume logic (git-fixes).
• RDMA/uverbs: Check for null return of kmalloc_array (git-fixes).
• RDMA/uverbs: Remove the unnecessary assignment (git-fixes).
• README.BRANCH: Add Frederic Weisbecker as branch maintainer
• README.BRANCH: Remove Davidlohr Bueso as a branch maintainer
• rpm/arch-symbols,guards,*driver: Replace Novell with SUSE.
• rpm: SC2006: Use $(...) notation instead of legacy backticked ....
• sched/core: Mitigate race (git-fixes)
• scsi: bnx2fc: Flush destroywork queue before calling bnx2fcinterface_put() (git-fixes).
• scsi: bnx2fc: Make bnx2fcrecvframe() mp safe (git-fixes).
• scsi: lpfc: Terminate string in lpfcdebugfsnvmeiotrcwrite() (git-fixes).
• scsi: nsp_cs: Check of ioremap return value (git-fixes).
• scsi: qedf: Fix potential dereference of NULL pointer (git-fixes).
• scsi: smartpqi: Add PCI IDs (bsc#1196627).
• scsi: ufs: Fix race conditions related to driver data (git-fixes).
• selftests: mlxsw: tcpolicescale: Make test more robust (bsc#1176774).
• soc: fsl: Correct MAINTAINERS database (QUICC ENGINE LIBRARY) (git-fixes).
• soc: fsl: Correct MAINTAINERS database (SOC) (git-fixes).
• soc: fsl: qe: Check of ioremap return value (git-fixes).
• spi: spi-zynq-qspi: Fix a NULL pointer dereference in zynqqspiexecmemop() (git-fixes).
• sr9700: sanity check for packet length (bsc#1196836).
• staging: gdm724x: fix use after free in gdmlterx() (git-fixes).
• SUNRPC: avoid race between modtimer() and deltimer_sync() (bnc#1195403).
• tracing: Fix return value of __setup handlers (git-fixes).
• tty: n_gsm: fix encoding of control signal octet bit DV (git-fixes).
• tty: n_gsm: fix proper link termination after failed open (git-fixes).
• usb: dwc2: Fix Stalling a Non-Isochronous OUT EP (git-fixes).
• usb: dwc2: gadget: Fix GOUTNAK flow for Slave mode (git-fixes).
• usb: dwc2: gadget: Fix killallrequests race (git-fixes).
• usb: dwc2: use well defined macros for power_down (git-fixes).
• usb: dwc3: gadget: Let the interrupt handler disable bottom halves (git-fixes).
• usb: dwc3: meson-g12a: Disable the regulator in the error handling path of the probe (git-fixes).
• usb: dwc3: pci: Fix Bay Trail phy GPIO mappings (git-fixes).
• usb: gadget: rndis: add spinlock for rndis response list (git-fixes).
• USB: gadget: validate endpoint index for xilinx udc (git-fixes).
• USB: gadget: validate interface OS descriptor requests (git-fixes).
• usb: host: xen-hcd: add missing unlock in error path (git-fixes).
• USB: hub: Clean up use of port initialization schemes and retries (git-fixes).
• usb: hub: Fix locking issues with address0_mutex (git-fixes).
• usb: hub: Fix usb enumeration issue due to address0 race (git-fixes).
• USB: serial: option: add support for DW5829e (git-fixes).
• USB: serial: option: add Telit LE910R1 compositions (git-fixes).
• USB: zaurus: support another broken Zaurus (git-fixes).
• vrf: Fix fast path output packet handling with async Netfilter rules (git-fixes).
• xen/usb: do not use gnttabendforeignaccess() in xenhcdgnttab_done() (bsc#1196488, XSA-396).
• xhci: Prevent futile URB re-submissions due to incorrect return value (git-fixes).
• xhci: re-initialize the HC during resume if HCE was set (git-fixes).