SUSE-SU-2023:0779-1

The SUSE Linux Enterprise 15 SP3 RT kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

• CVE-2022-3606: Fixed a null pointer dereference inside the function findprogbysecinsn of the file tools/lib/bpf/libbpf.c of the component BPF (bsc#1204502).
• CVE-2022-36280: Fixed out-of-bounds memory access vulnerability found in vmwgfx driver (bsc#1203332).
• CVE-2022-38096: Fixed NULL-ptr deref in vmwcmddxdefinequery() (bsc#1203331).
• CVE-2022-47929: Fixed a NULL pointer dereference bug in the traffic control subsystem (bsc#1207237).
• CVE-2023-0045: Fixed missing Flush IBP in ibprctlset (bsc#1207773).
• CVE-2023-0179: Fixed incorrect arithmetics when fetching VLAN header bits (bsc#1207034).
• CVE-2023-0266: Fixed a use-after-free vulnerability inside the ALSA PCM package. SNDRVCTLIOCTLELEM{READ|WRITE}32 was missing locks that could have been used in a use-after-free that could have resulted in a priviledge escalation to gain ring0 access from the system user (bsc#1207134).
• CVE-2023-0590: Fixed race condition in qdisc_graft() (bsc#1207795).
• CVE-2023-0597: Fixed lack of randomization of per-cpu entry area in x86/mm (bsc#1207845).
• CVE-2023-1076: Fixed incorrect initialization of socket ui in tap_open() (bsc#1208599).
• CVE-2023-1095: Fixed fix null deref due to zeroed list head in nf_tables (bsc#1208777).
• CVE-2023-1118: Fixed a use-after-free bugs caused by enetxirqsim() in media/rc (bsc#1208837).
• CVE-2023-1195: Fixed a use-after-free caused by invalid pointer hostname in cifs (bsc#1208971).
• CVE-2023-22995: Fixed lacks of certain platformdeviceput and kfree in drivers/usb/dwc3/dwc3-qcom.c (bsc#1208741).
• CVE-2023-22998: Fixed NULL vs ISERR checking in virtiogpuobjectshmem_init (bsc#1208776).
• CVE-2023-23000: Fixed return value of tegraxusbfindportnode function phy/tegra (bsc#1208816).
• CVE-2023-23004: Fixed NULL vs IS_ERR() checking in malidp (bsc#1208843).
• CVE-2023-23006: Fixed NULL vs ISERR checking in drdomaininitresources (bsc#1208845).
• CVE-2023-23559: Fixed integer overflow in rndis_wlan that leads to a buffer overflow (bsc#1207051).
• CVE-2023-25012: Fixed a use-after-eree in bigbensetled() in hid (bsc#1207560).
• CVE-2023-26545: Fixed double free in net/mpls/af_mpls.c upon an allocation failure (bsc#1208700).

The following non-security bugs were fixed:

• add support for enabling livepatching related packages on -RT (jsc#PED-1706)
• add suse-kernel-rpm-scriptlets to kmp buildreqs (boo#1205149)
• bcache: fix setatmaxwritebackrate() for multiple attached devices (git-fixes).
• blktrace: Fix output non-blktrace event when blk_classic option enabled (git-fixes).
• blktrace: ensure our debugfs dir exists (git-fixes).
• ceph: avoid putting the realm twice when decoding snaps fails (bsc#1207198).
• ceph: do not update snapshot context when there is no new snapshot (bsc#1207218).
• config.conf: Drop armv7l, Leap 15.3 is EOL.
• constraints: increase disk space for all architectures References: bsc#1203693 aarch64 is already suffering. SLE15-SP5 x86_64 stats show that it is very close to the limit.
• delete config/armv7hl/default.
• delete config/armv7hl/lpae.
• dm btree: add a defensive bounds check to insert_at() (git-fixes).
• dm cache: Fix ABBA deadlock between shrinkslab and dmcachemetadataabort (git-fixes).
• dm cache: Fix UAF in destroy() (git-fixes).
• dm cache: set needs_check flag after aborting metadata (git-fixes).
• dm clone: Fix UAF in clone_dtr() (git-fixes).
• dm integrity: Fix UAF in dmintegritydtr() (git-fixes).
• dm integrity: fix flush with external metadata device (git-fixes).
• dm integrity: flush the journal on suspend (git-fixes).
• dm integrity: select CRYPTO_SKCIPHER (git-fixes).
• dm ioctl: fix misbehavior if list_versions races with module loading (git-fixes).
• dm ioctl: prevent potential spectre v1 gadget (git-fixes).
• dm space map common: add bounds check to smlllookup_bitmap() (git-fixes).
• dm space maps: do not reset space map allocation cursor when committing (git-fixes).
• dm table: Remove BUGON(ininterrupt()) (git-fixes).
• dm thin: Fix ABBA deadlock between shrinkslab and dmpoolabortmetadata (git-fixes).
• dm thin: Fix UAF in runtimersoftirq() (git-fixes).
• dm thin: Use last transaction's pmd->root when commit failed (git-fixes).
• dm thin: resume even if in FAIL mode (git-fixes).
• dm verity: fix requiresignatures moduleparam permissions (git-fixes).
• dm verity: skip verity work if I/O error when system is shutting down (git-fixes).
• do not sign the vanilla kernel (bsc#1209008).
• drivers:md:fix a potential use-after-free bug (git-fixes).
• ext4: Fixup pages without buffers (bsc#1205495).
• genirq: Provide new interfaces for affinity hints (bsc#1208153).
• hid: betop: check shape of output reports (git-fixes, bsc#1207186).
• hid: check empty reportlist in bigbenprobe() (git-fixes, bsc#1206784).
• hid: check empty reportlist in hidvalidate_values() (git-fixes, bsc#1206784).
• kabi/severities: add mlx5 internal symbols
• kernel-module-subpackage: Fix expansion with -b parameter (bsc#1208179). When -b is specified the script is prefixed with KMPNEEDSMKINITRD=1 which sets the variable for a simple command. However, the script is no longer a simple command. Export the variable instead.
• kvm: vmx: fix crash cleanup when KVM wasn't used (bsc#1207508).
• loop: unset GENHDFLNOPARTSCAN on LOOP_CONFIGURE (git-fixes).
• loop: use sysfs_emit() in the sysfs xxx show() (git-fixes).
• md/raid5: Wait for MDSBCHANGE_PENDING in raid5d (git-fixes).
• md: Flush workqueue mdrdevmiscwq in mdalloc() (git-fixes).
• md: Notify sysfs synccompleted in mdreapsyncthread() (git-fixes).
• md: protect mdunregisterthread from reentrancy (git-fixes).
• mm/memcg: optimize memory.numa_stat like memory.stat (bsc#1206663).
• mm/slub: fix panic in slaballocnode() (bsc#1208023).
• mm: /proc/pid/smaps_rollup: fix no vma's null-deref (bsc#1207769).
• module: Do not wait for GOING modules (bsc#1196058, bsc#1186449, bsc#1204356, bsc#1204662).
• nbd: Fix hung on disconnect request if socket is closed before (git-fixes).
• nbd: Fix hung when signal interrupts nbdstartdevice_ioctl() (git-fixes).
• nbd: Fix incorrect error handle when firstminor is illegal in nbddev_add (git-fixes).
• nbd: call genlunregisterfamily() first in nbd_cleanup() (git-fixes).
• nbd: fix io hung while disconnecting device (git-fixes).
• nbd: fix max value for 'first_minor' (git-fixes).
• nbd: fix race between nbdallocconfig() and module removal (git-fixes).
• nbd: make the config put is called before the notifying the waiter (git-fixes).
• nbd: restore default timeout when setting it to zero (git-fixes).
• net/mlx5: Allocate individual capability (bsc#119175).
• net/mlx5: Dynamically resize flow counters query buffer (bsc#119175).
• net/mlx5: Fix flow counters SF bulk query len (bsc#119175).
• net/mlx5: Reduce flow counters bulk query buffer size for SFs (bsc#119175).
• net/mlx5: Reorganize current and maximal capabilities to be per-type (bsc#119175).
• net/mlx5: Use order-0 allocations for EQs (bsc#119175).
• net: mana: Assign interrupts to CPUs based on NUMA nodes (bsc#1208153).
• net: mana: Fix IRQ name - add PCI and queue number (bsc#1207875).
• net: mana: Fix accessing freed irq affinity_hint (bsc#1208153).
• nullblk: fix ida error handling in nulladd_dev() (git-fixes).
• rbd: work around -Wuninitialized warning (git-fixes).
• rdma/core: Fix ib block iterator counter overflow (bsc#1207878).
• refresh patches.kabi/scsi-kABI-fix-for-ehshouldretry_cmd (bsc#1206351).
• revert 'constraints: increase disk space for all architectures' (bsc#1203693).
• rpm/check-for-config-changes: add OBJTOOL and FTRACEMCOUNTUSE* Dummy gcc pretends to support -mrecord-mcount option but actual gcc on ppc64le does not. Therefore ppc64le builds of 6.2-rc1 and later in OBS enable FTRACEMCOUNTUSEOBJTOOL and OBJTOOL config options, resulting in check failure. As we already have FTRACEMCOUNTUSECC and FTRACEMCOUNTUSERECORDMCOUNT in the exception list, replace them with a general pattern. And add OBJTOOL as well.
• rpm/check-for-config-changes: add TOOLCHAINHAS* to IGNOREDCONFIGSRE This new form was added in commit b8c86872d1dc (riscv: fix detection of toolchain Zicbom support).
• rpm/check-for-config-changes: loosen pattern for ASHAS* This is needed to handle CONFIGASHASNONCONST_LEB128.
• rpm/group-source-files.pl: Deal with {pre,post}fixed / in location When the source file location provided with -L is either prefixed or postfixed with forward slash, the script get stuck in a infinite loop inside calc_dirs() where $path is an empty string. user@localhost:/tmp> perl '$HOME/group-source-files.pl' -D devel.files -N nondevel.files -L /usr/src/linux-5.14.21-150500.41/ ... path = /usr/src/linux-5.14.21-150500.41/Documentation/Kconfig path = /usr/src/linux-5.14.21-150500.41/Documentation path = /usr/src/linux-5.14.21-150500.41 path = /usr/src path = /usr path = path = path = ... # Stuck in an infinite loop This workarounds the issue by breaking out the loop once path is an empty string. For a proper fix we'd want something that filesystem-aware, but this workaround should be enough for the rare occation that this script is ran manually. Link: http://mailman.suse.de/mlarch/SuSE/kernel/2023/kernel.2023.03/msg00024.html
• rpm/kernel-binary.spec.in: Add Enhances and Supplements tags to in-tree KMPs This makes in-tree KMPs more consistent with externally built KMPs and silences several rpmlint warnings.
• rpm/mkspec-dtb: add riscv64 dtb-renesas subpackage
• s390/kexec: fix ipl report address for kdump (bsc#1207575).
• scsi: 3w-9xxx: Avoid disabling device if failing to enable it (git-fixes).
• scsi: BusLogic: Fix 64-bit system enumeration error for Buslogic (git-fixes).
• scsi: NCR5380: Add disconnect_mask module parameter (git-fixes).
• scsi: Revert 'scsi: qla2xxx: Fix disk failure to rediscover' (git-fixes).
• scsi: advansys: Fix kernel pointer leak (git-fixes).
• scsi: aha152x: Fix aha152xsetup() _setup handler return value (git-fixes).
• scsi: aic7xxx: Adjust indentation in ahcfindsyncrate (git-fixes).
• scsi: aic7xxx: Fix unintentional sign extension issue on left shift of u8 (git-fixes).
• scsi: atariscsi: sun3scsi: Set sgtablesize to 1 instead of SGNONE (git-fixes).
• scsi: bfa: Replace snprintf() with sysfs_emit() (git-fixes).
• scsi: bnx2fc: Return failure if io_req is already in ABTS processing (git-fixes).
• scsi: core: Avoid printing an error if target_alloc() returns -ENXIO (git-fixes).
• scsi: core: Cap scsihost cmdperlun at canqueue (git-fixes).
• scsi: core: Do not start concurrent async scan on same host (git-fixes).
• scsi: core: Fix a race between scsidone() and scsitimeout() (git-fixes).
• scsi: core: Fix capacity set to zero after offlinining device (git-fixes).
• scsi: core: Fix hang of freezing queue between blocking and running device (git-fixes).
• scsi: core: Fix shost->cmdperlun calculation in scsiaddhostwithdma() (git-fixes).
• scsi: core: Restrict legal sdev_state transitions via sysfs (git-fixes).
• scsi: core: free sgtables in case command setup fails (git-fixes).
• scsi: core: sysfs: Fix hang when device state is set via sysfs (git-fixes).
• scsi: core: sysfs: Fix setting device state to SDEV_RUNNING (git-fixes).
• scsi: cxlflash: Fix error return code in cxlflash_probe() (git-fixes).
• scsi: fcoe: Fix possible name leak when device_register() fails (git-fixes).
• scsi: fcoe: Fix transport not deattached when fcoeifinit() fails (git-fixes).
• scsi: fnic: Fix memleak in vnicdevinit_devcmd2 (git-fixes).
• scsi: fnic: fix use after free (git-fixes).
• scsi: hisisas: Check sasport before using it (git-fixes).
• scsi: hisisas: Delete the debugfs folder of hisisas when the probe fails (git-fixes).
• scsi: hisi_sas: Do not reset phy timer to wait for stray phy up (git-fixes).
• scsi: hisisas: Drop freeirq() of devmrequestirq() allocated irq (git-fixes).
• scsi: hisisas: Propagate errors in interruptinitv1hw() (git-fixes).
• scsi: hisisas: Replace insoftirq() check in hisisastask_exec() (git-fixes).
• scsi: hpsa: Fix error handling in hpsaaddsas_host() (git-fixes).
• scsi: hpsa: Fix memory leak in hpsainitone() (git-fixes).
• scsi: hpsa: Fix possible memory leak in hpsaaddsas_device() (git-fixes).
• scsi: hpsa: Fix possible memory leak in hpsainitone() (git-fixes).
• scsi: ipr: Fix WARNING in ipr_init() (git-fixes).
• scsi: ipr: Fix missing/incorrect resource cleanup in error case (git-fixes).
• scsi: iscsi: Add iscsiclsconn refcount helpers (git-fixes).
• scsi: iscsi: Avoid potential deadlock in iscsiifrx func (git-fixes).
• scsi: iscsi: Do not destroy session if there are outstanding connections (git-fixes).
• scsi: iscsi: Do not put host in iscsisetflashnode_param() (git-fixes).
• scsi: iscsi: Do not send data to unbound connection (git-fixes).
• scsi: iscsi: Fix reference count leak in iscsibootcreate_kobj (git-fixes).
• scsi: iscsi: Fix shost->max_id use (git-fixes).
• scsi: iscsi: Report unbind session event when the target has been removed (git-fixes).
• scsi: iscsi: Unblock session then wake up error handler (git-fixes).
• scsi: libfc: Fix a format specifier (git-fixes).
• scsi: libfc: Fix use after free in fcexchabts_resp() (git-fixes).
• scsi: libiscsi: Fix UAF in iscsiconngetparam()/iscsiconn_teardown() (git-fixes).
• scsi: libiscsi: Fix iscsiprepscsicmdpdu() error handling (git-fixes).
• scsi: libsas: Add LUN number check in .slave_alloc callback (git-fixes).
• scsi: megaraid: Fix error check return value of register_chrdev() (git-fixes).
• scsi: megaraidmm: Fix end of loop tests for listforeachentry() (git-fixes).
• scsi: megaraid_sas: Early detection of VD deletion through RaidMap update (git-fixes).
• scsi: megaraid_sas: Fix double kfree() (git-fixes).
• scsi: megaraid_sas: Fix resource leak in case of probe failure (git-fixes).
• scsi: megaraid_sas: Handle missing interrupts while re-enabling IRQs (git-fixes).
• scsi: megaraid_sas: Target with invalid LUN ID is deleted during scan (git-fixes).
• scsi: mpi3mr: Refer CONFIGSCSIMPI3MR in Makefile (git-fixes).
• scsi: mpt3sas: Block PCI config access from userspace during reset (git-fixes).
• scsi: mpt3sas: Fix possible resource leaks in mpt3sastransportport_add() (git-fixes).
• scsi: mpt3sas: Fix timeouts observed while reenabling IRQ (git-fixes).
• scsi: mpt3sas: Increase IOCInit request timeout to 30s (git-fixes).
• scsi: mvsas: Add PCI ID of RocketRaid 2640 (git-fixes).
• scsi: mvsas: Replace snprintf() with sysfs_emit() (git-fixes).
• scsi: mvumi: Fix error return in mvumiioattach() (git-fixes).
• scsi: myrb: Fix up null pointer access on myrb_cleanup() (git-fixes).
• scsi: myrs: Fix crash in error case (git-fixes).
• scsi: pm8001: Fix pm8001mpitaskabortresp() (git-fixes).
• scsi: pm: Balance pm_only counter of request queue during system resume (git-fixes).
• scsi: pmcraid: Fix missing resource cleanup in error case (git-fixes).
• scsi: qedf: Add check to synchronize abort and flush (git-fixes).
• scsi: qedf: Fix a UAF bug in _qedfprobe() (git-fixes).
• scsi: qedf: Fix refcount issue when LOGO is received during TMF (git-fixes).
• scsi: qedf: Return SUCCESS if stale rport is encountered (git-fixes).
• scsi: qedi: Fix failed disconnect handling (git-fixes).
• scsi: qedi: Fix list_del corruption while removing active I/O (git-fixes).
• scsi: qedi: Fix null ref during abort handling (git-fixes).
• scsi: qedi: Protect active command list to avoid list corruption (git-fixes).
• scsi: qla2xxx: Add option to disable FC2 Target support (bsc#1198438 bsc#1206103).
• scsi: scsidebug: Fix a warning in respwrite_scat() (git-fixes).
• scsi: scsidebug: Fix possible UAF in sdebugaddhosthelper() (git-fixes).
• scsi: scsidebug: Fix possible name leak in sdebugaddhosthelper() (git-fixes).
• scsi: scsidebug: numtgts must be >= 0 (git-fixes).
• scsi: scsidhalua: Check for negative result value (git-fixes).
• scsi: scsidhalua: Fix signedness bug in alua_rtpg() (git-fixes).
• scsi: scsidhalua: Remove check for ASC 24h in alua_rtpg() (git-fixes).
• scsi: scsidhrdac: Avoid crash during rdacbusattach() (git-fixes).
• scsi: scsitransportspi: Fix function pointer check (git-fixes).
• scsi: scsitransportspi: Set RQF_PM for domain validation commands (git-fixes).
• scsi: sd: Free scsidisk device via putdevice() (git-fixes).
• scsi: sd: Suppress spurious errors when WRITE SAME is being disabled (git-fixes).
• scsi: ses: Fix unsigned comparison with less than zero (git-fixes).
• scsi: ses: Retry failed Send/Receive Diagnostic commands (git-fixes).
• scsi: snic: Fix possible UAF in snictgtcreate() (git-fixes).
• scsi: sr: Do not use GFP_DMA (git-fixes).
• scsi: sr: Fix sr_probe() missing deallocate of device minor (git-fixes).
• scsi: sr: Return appropriate error code when disk is ejected (git-fixes).
• scsi: sr: Return correct event when media event code is 3 (git-fixes).
• scsi: st: Fix a use after free in st_open() (git-fixes).
• scsi: ufs-pci: Ensure UFS device is in PowerDown mode for suspend-to-disk ->poweroff() (git-fixes).
• scsi: ufs: Add DELAYBEFORELPM quirk for Micron devices (git-fixes).
• scsi: ufs: Clean up completed request without interrupt notification (git-fixes).
• scsi: ufs: Fix a race condition in the tracing code (git-fixes).
• scsi: ufs: Fix error handing during hibern8 enter (git-fixes).
• scsi: ufs: Fix illegal offset in UPIU event trace (git-fixes).
• scsi: ufs: Fix interrupt error message for shared interrupts (git-fixes).
• scsi: ufs: Fix irq return code (git-fixes).
• scsi: ufs: Fix possible infinite loop in ufshcd_hold (git-fixes).
• scsi: ufs: Fix tm request when non-fatal error happens (git-fixes).
• scsi: ufs: Fix unbalanced scsiblockreqscnt caused by ufshcdhold() (git-fixes).
• scsi: ufs: Fix up auto hibern8 enablement (git-fixes).
• scsi: ufs: Fix wrong print message in dev_err() (git-fixes).
• scsi: ufs: Improve interrupt handling for shared interrupts (git-fixes).
• scsi: ufs: Make sure clk scaling happens only when HBA is runtime ACTIVE (git-fixes).
• scsi: ufs: Make ufshcdaddcommand_trace() easier to read (git-fixes).
• scsi: ufs: delete redundant function ufshcddefdesc_sizes() (git-fixes).
• scsi: ufs: fix potential bug which ends in system hang (git-fixes).
• scsi: ufs: ufs-qcom: Fix race conditions caused by ufsqcomtestbus_config() (git-fixes).
• scsi: virtio_scsi: Fix spelling mistake 'Unsupport' -> 'Unsupported' (git-fixes).
• scsi: vmw_pvscsi: Expand vcpuHint to 16 bits (git-fixes).
• scsi: vmw_pvscsi: Set correct residual data length (git-fixes).
• scsi: vmw_pvscsi: Set residual data length conditionally (git-fixes).
• sctp: fail if no bound addresses can be used for a given scope (bsc#1206677).
• sctp: sysctl: make extra pointers netns aware (bsc#1204760).
• update patches.suse/net-mlx5-Allocate-individual-capability (bsc#1195175).
• update patches.suse/net-mlx5-Dynamically-resize-flow-counters-query-buff (bsc#1195175).
• update patches.suse/net-mlx5-Fix-flow-counters-SF-bulk-query-len (bsc#1195175).
• update patches.suse/net-mlx5-Reduce-flow-counters-bulk-query-buffer-size (bsc#1195175).
• update patches.suse/net-mlx5-Reorganize-current-and-maximal-capabilities (bsc#1195175).
• update patches.suse/net-mlx5-Use-order-0-allocations-for-EQs (bsc#1195175). Fixed bugzilla reference.
• vmxnet3: move rss code block under eop descriptor (bsc#1208212).
• watchdog: diag288_wdt: do not use stack buffers for hardware data (bsc#1207497).
• watchdog: diag288wdt: fix _diag288() inline assembly (bsc#1207497).