SUSE-SU-2023:2538-1

The SUSE Linux Enterprise 12 SP5 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

• CVE-2023-2269: Fixed a denial-of-service problem due to a possible recursive locking scenario, resulting in a deadlock in table_clear in drivers/md/dm-ioctl.c (bsc#1210806).
• CVE-2022-3566: Fixed race condition in the TCP Handler (bsc#1204405).
• CVE-2022-45886: Fixed a .disconnect versus dvbdeviceopen race condition in dvb_net.c that lead to a use-after-free (bsc#1205760).
• CVE-2022-45885: Fixed a race condition in dvb_frontend.c that could cause a use-after-free when a device is disconnected (bsc#1205758).
• CVE-2022-45887: Fixed a memory leak in ttusbdec.c caused by the lack of a dvbfrontend_detach call (bsc#1205762).
• CVE-2022-45919: Fixed a use-after-free in dvbcaen50221.c that could occur if there is a disconnect after an open, because of the lack of a wait_event (bsc#1205803).
• CVE-2022-45884: Fixed a use-after-free in dvbdev.c, related to dvbregisterdevice dynamically allocating fops (bsc#1205756).
• CVE-2023-31084: Fixed a blocking issue in drivers/media/dvb-core/dvb_frontend.c (bsc#1210783).
• CVE-2023-31436: Fixed an out-of-bounds write in qfqchangeclass() because lmax can exceed QFQMINLMAX (bsc#1210940).
• CVE-2023-2194: Fixed an out-of-bounds write vulnerability in the SLIMpro I2C device driver (bsc#1210715).
• CVE-2023-32269: Fixed a use-after-free in afnetrom.c, related to the fact that accept() was also allowed for a successfully connected AFNETROM socket (bsc#1211186).
• CVE-2023-28466: Fixed race condition that could lead to use-after-free or NULL pointer dereference in dotlsgetsockopt in net/tls/tls_main.c (bsc#1209366).
• CVE-2023-1380: Fixed a slab-out-of-bound read problem in brcmfgetassoc_ies() (bsc#1209287).
• CVE-2023-2513: Fixed a use-after-free vulnerability in the ext4 filesystem (bsc#1211105).
• CVE-2023-2176: Fixed an out-of-boundary read in comparenetdevand_ip in drivers/infiniband/core/cma.c in RDMA (bsc#1210629).

The following non-security bugs were fixed:

• ACPI: processor: Fix evaluating _PDC method when running as Xen dom0 (git-fixes).
• Documentation: Document sysfs interfaces purr, spurr, idlepurr, idlespurr (PED-3947 bsc#1210544 ltc#202303).
• Drivers: hv: vmbus: Optimize vmbusonevent (bsc#1211622).
• IB/hfi1: Assign npages earlier (git-fixes)
• IB/iser: bound protectionsg size by datasg size (git-fixes)
• IB/mlx4: Fix memory leaks (git-fixes)
• IB/mlx4: Increase the timeout for CM cache (git-fixes)
• IB/mlx5: Fix initializing CQ fragments buffer (git-fixes)
• IB/rdmavt: Add init/exit annotations to module init/exit funcs (git-fixes)
• IB/usnic: Fix potential deadlock (git-fixes)
• KVM: nSVM: clear events pending from svmcompleteinterrupts() when exiting to L1 (git-fixes).
• KVM: x86: Update the exit_qualification access bits while walking an address (git-fixes).
• KVM: x86: avoid misreporting level-triggered irqs as edge-triggered in tracing (git-fixes).
• KVM: x86: emulator: em_sysexit should update ctxt->mode (git-fixes).
• KVM: x86: emulator: introduce emulatorrecalcandsetmode (git-fixes).
• KVM: x86: emulator: update the emulation mode after CR0 write (git-fixes).
• KVM: x86: fix empty-body warnings (git-fixes).
• KVM: x86: fix incorrect comparison in trace event (git-fixes).
• KVM: x86: svm: report MSRIA32MCGEXTCTL as unsupported (git-fixes).
• Move upstreamed media fixes into sorted section
• PCI: Add ACS quirks for Cavium multi-function devices (git-fixes).
• PCI: Call Max Payload Size-related fixup quirks early (git-fixes).
• PCI: Mark Atheros QCA6174 to avoid bus reset (git-fixes).
• PCI: Restrict ASMedia ASM1062 SATA Max Payload Size Supported (git-fixes).
• PCI: Return ~0 data on pciconfigread() CAPSYS_ADMIN failure (git-fixes).
• PCI: aardvark: Configure PCIe resources from 'ranges' DT property (git-fixes).
• PCI: aardvark: Fix PCIe Max Payload Size setting (git-fixes).
• PCI: aardvark: Fix checking for PIO status (git-fixes).
• PCI: aardvark: Fix masking and unmasking legacy INTx interrupts (git-fixes).
• PCI: aardvark: Increase polling delay to 1.5s while waiting for PIO response (git-fixes).
• PCI: xilinx-nwl: Enable the clock through CCF (git-fixes).
• RDMA/bnxtre: Restrict the maxgids to 256 (git-fixes)
• RDMA/cma: Do not change route.addr.srcaddr.ssfamily (git-fixes)
• RDMA/cma: Fix rdmaresolveroute() memory leak (git-fixes)
• RDMA/core: Do not access cm_id after its destruction (git-fixes)
• RDMA/cxgb4: Fix missing error code in create_qp() (git-fixes)
• RDMA/hfi1: Prevent panic when SDMA is disabled (git-fixes)
• RDMA/hns: Bugfix for querying qkey (git-fixes)
• RDMA/i40iw: Fix potential use after free (git-fixes)
• RDMA/iwcgxb4: Fix an error handling path in 'c4iwconnect()' (git-fixes)
• RDMA/mlx4: Prevent shift wrapping in setusersq_size() (git-fixes)
• RDMA/mlx5: Block delay drop to unprivileged users (git-fixes)
• RDMA/rxe: Fix error type of mmap_offset (git-fixes)
• RDMA/srp: Move large values to a new enum for gcc13 (git-fixes)
• RDMA/srp: Propagate ibpostsend() failures to the SCSI mid-layer (git-fixes)
• RDMA/usnic: fix set-but-not-unused variable 'flags' warning (git-fixes)
• RDMa/mthca: Work around -Wenum-conversion warning (git-fixes)
• RDS: IB: Fix null pointer issue (git-fixes).
• USB: core: Add routines for endpoint checks in old drivers (git-fixes).
• USB: sisusbvga: Add endpoint checks (git-fixes).
• Update patch reference for libata fix (bsc#1118212).
• adm8211: fix error return code in adm8211_probe() (git-fixes).
• backlight: lm3630a: Fix return code of .update_status() callback (bsc#1129770)
• blacklist.conf: workqueue: Cosmetic change. Not worth backporting (bsc#1211275)
• bonding: show full hw address in sysfs for slave entries (git-fixes).
• ceph: force updating the msg pointer in non-split case (bsc#1211801).
• cpuidle/powernv: avoid double irq enable coming out of idle (PED-3947 bsc#1210544 ltc#202303).
• cpuidle: powerpc: cpuidle set polling before enabling irqs (PED-3947 bsc#1210544 ltc#202303).
• cpuidle: powerpc: no memory barrier after break from idle (PED-3947 bsc#1210544 ltc#202303).
• cpuidle: powerpc: read mostly for common globals (PED-3947 bsc#1210544 ltc#202303).
• ext4: add EXT4INODEHASXATTRSPACE macro in xattr.h (bsc#1206878).
• f2fs: Fix f2fstruncatepartial_nodes ftrace event (git-fixes).
• fbcon: Check font dimension limits (bsc#1154048)
• fbdev: uvesafb: Fixes an error handling path in uvesafb_probe() (bsc#1154048)
• fix kcm_clone() (git-fixes).
• fotg210-udc: Add missing completion handler (git-fixes).
• ip6_tunnel: allow ip6gre dev mtu to be set below 1280 (git-fixes).
• ip6tunnel: fix IFLAMTU ignored on NEWLINK (git-fixes).
• ipoib: correcly show a VF hardware address (git-fixes)
• ipv4: ipv4defaultadvmss() should use route mtu (git-fixes).
• ipv6: Reinject IPv6 packets if IPsec policy matches after SNAT (git-fixes).
• ipv6: icmp6: Allow icmp messages to be looped back (git-fixes).
• ipv6: sr: fix out-of-bounds read when setting HMAC data (bsc#1211592).
• kcm: Check if skuserdata already set in kcm_attach (git-fixes).
• kvm: mmu: Do not read PDPTEs when paging is not enabled (git-fixes).
• l2tp: remove configurable payload offset (git-fixes).
• l2tp: remove l2specificlen dependency in l2tpcore (git-fixes).
• libata: add horkage for ASMedia 1092 (git-fixes).
• mac80211: choose first enabled channel for monitor (git-fixes).
• mac80211: drop multicast fragments (git-fixes).
• mac80211: fix fast-rx encryption check (git-fixes).
• mac80211: pause TX while changing interface type (git-fixes).
• media: radio-shark: Add endpoint checks (git-fixes).
• mlx4: Use snprintf instead of complicated strcpy (git-fixes)
• mwl8k: Fix a double Free in mwl8kprobehw (git-fixes).
• net/iucv: Fix size of interrupt data (bsc#1211466).
• net/mlx4_core: Fix return codes of unsupported operations (git-fixes).
• net/tcp/illinois: replace broken algorithm reference link (git-fixes).
• net: Extra 'get' in declaration of archgetplatformmac_address (git-fixes).
• net: alteratse: fix connectlocal_phy error path (git-fixes).
• net: alteratse: fix msgdmatxcompletion on non-zero filllevel case (git-fixes).
• net: amd: add missing ofnodeput() (git-fixes).
• net: arcemac: fix arcemac_rx() error paths (git-fixes).
• net: broadcom: fix return type of ndostartxmit function (git-fixes).
• net: davinci_emac: match the mdio device against its compatible if possible (git-fixes).
• net: dsa: b53: Add BCM5389 support (git-fixes).
• net: dsa: bcm_sf2: Turn on PHY to allow successful registration (git-fixes).
• net: dsa: mt7530: fix module autoloading for OF platform drivers (git-fixes).
• net: dsa: qca8k: Add support for QCA8334 switch (git-fixes).
• net: emac: fix fixed-link setup for the RTL8363SB switch (git-fixes).
• net: ethernet: ti: cpsw-phy-sel: check busfinddevice() ret value (git-fixes).
• net: faraday: fix return type of ndostartxmit function (git-fixes).
• net: hisilicon: remove unexpected free_netdev (git-fixes).
• net: hns3: fix return type of ndostartxmit function (git-fixes).
• net: hns: Fix wrong read accesses via Clause 45 MDIO protocol (git-fixes).
• net: ibm: fix possible object reference leak (git-fixes).
• net: ipv6: send NS for DAD when link operationally up (git-fixes).
• net: mediatek: setup proper state for disabled GMAC on the default (git-fixes).
• net: micrel: fix return type of ndostartxmit function (git-fixes).
• net: mvneta: fix enable of all initialized RXQs (git-fixes).
• net: netxen: fix a missing check and an uninitialized use (git-fixes).
• net: propagate devgetvalid_name return code (git-fixes).
• net: qca_spi: Fix log level if probe fails (git-fixes).
• net: qcom/emac: Use proper free methods during TX (git-fixes).
• net: qla3xxx: Remove overflowing shift statement (git-fixes).
• net: smsc: fix return type of ndostartxmit function (git-fixes).
• net: stmmac: do not log oversized frames (git-fixes).
• net: stmmac: fix dropping of multi-descriptor RX frames (git-fixes).
• net: sun: fix return type of ndostartxmit function (git-fixes).
• net: toshiba: fix return type of ndostartxmit function (git-fixes).
• net: xfrm: allow clearing socket xfrm policies (git-fixes).
• net: xilinx: fix return type of ndostartxmit function (git-fixes).
• netfilter: ebtables: convert BUGONs to WARNONs (git-fixes).
• netfilter: ipt_CLUSTERIP: put config instead of freeing it (git-fixes).
• netfilter: ipt_CLUSTERIP: put config struct if we can't increment ct refcount (git-fixes).
• nvme-pci: avoid the deepest sleep state on Kingston A2000 SSDs (git-fixes).
• nvme-pci: fix a NULL pointer dereference in nvmeallocadmin_tags (git-fixes).
• nvme-pci: unquiesce admin queue on shutdown (git-fixes).
• nvme-pci: use the same attributes when freeing hostmemdesc_bufs (git-fixes).
• nvme: Fix u32 overflow in the number of namespace list calculation (git-fixes).
• nvme: free sq/cq dbbuf pointers when dbbuf set fails (git-fixes).
• nvme: refine the Qemu Identify CNS quirk (git-fixes).
• nvme: remove the ifdef around nvmenvmioctl (git-fixes).
• platform/x86: alienware-wmi: Adjust instance of wmievaluatemethod calls to 0 (git-fixes).
• platform/x86: alienware-wmi: constify attribute_group structures (git-fixes).
• platform/x86: alienware-wmi: fix format string overflow warning (git-fixes).
• platform/x86: alienware-wmi: fix kfree on potentially uninitialized pointer (git-fixes).
• platform/x86: dell-laptop: fix rfkill functionality.
• platform/x86: dell-smbios-wmi: Add missing kfree in error-exit from runsmbioscall (git-fixes).
• platform/x86: dell-smbios-wmi: Fix oops on rmmod dell_smbios (git-fixes).
• powerpc/idle: Store PURR snapshot in a per-cpu global variable (PED-3947 bsc#1210544 ltc#202303).
• powerpc/pseries: Account for SPURR ticks on idle CPUs (PED-3947 bsc#1210544 ltc#202303).
• powerpc/rtas: use memmove for potentially overlapping buffer copy (bsc#1065729).
• powerpc/sysfs: Show idlepurr and idlespurr for every CPU (PED-3947 bsc#1210544 ltc#202303).
• powerpc: Do not try to copy PPR for task with NULL pt_regs (bsc#1065729).
• powerpc: Move idleloopprolog()/epilog() functions to header file (PED-3947 bsc#1210544 ltc#202303).
• powerpc: Squash lines for simple wrapper functions (bsc#1065729).
• rds; Reset rs->rsboundaddr in rdsaddbound() failure path (git-fixes).
• ring-buffer: Ensure proper resetting of atomic variables in ringbufferresetonlinecpus (git-fixes).
• ring-buffer: Sync IRQ works before buffer destruction (git-fixes).
• rxe: IBWRREG_MR does not capture MR's iova field (git-fixes)
• s390/dasd: correct numanode in dasdalloc_queue (git-fixes bsc#1211362).
• s390/extmem: fix gcc 8 stringop-overflow warning (git-fixes bsc#1211363).
• s390/kasan: fix early pgm check handler execution (git-fixes bsc#1211360).
• s390/pci: fix sleeping in atomic during hotplug (git-fixes bsc#1211364).
• s390/scmblk: correct numanode in scmblkdev_setup (git-fixes bsc#1211365).
• s390/sysinfo: add missing #ifdef CONFIGPROCFS (git-fixes bsc#1211366).
• s390/uaccess: add missing earlyclobber annotations to _clearuser() (LTC#202116 bsc#1209857 git-fixes).
• s390: ctcm: fix ctcmnewdevice error return code (git-fixes bsc#1211361).
• scsi: qla2xxx: Declare SCSI host template const (bsc#1211960).
• scsi: qla2xxx: Drop redundant pcienablepcieerrorreporting() (bsc#1211960).
• scsi: qla2xxx: Fix hang in task management (bsc#1211960).
• scsi: qla2xxx: Fix hang in task management (bsc#1211960).
• scsi: qla2xxx: Fix mem access after free (bsc#1211960).
• scsi: qla2xxx: Fix mem access after free (bsc#1211960).
• scsi: qla2xxx: Fix task management cmd fail due to unavailable resource (bsc#1211960).
• scsi: qla2xxx: Fix task management cmd fail due to unavailable resource (bsc#1211960).
• scsi: qla2xxx: Fix task management cmd failure (bsc#1211960).
• scsi: qla2xxx: Fix task management cmd failure (bsc#1211960).
• scsi: qla2xxx: Multi-que support for TMF (bsc#1211960).
• scsi: qla2xxx: Multi-que support for TMF (bsc#1211960).
• scsi: qla2xxx: Refer directly to the qla2xxxdrivertemplate (bsc#1211960).
• scsi: qla2xxx: Remove default fabric ops callouts (bsc#1211960).
• scsi: qla2xxx: Replace all non-returning strlcpy() with strscpy() (bsc#1211960).
• scsi: qla2xxx: Replace all non-returning strlcpy() with strscpy() (bsc#1211960).
• scsi: qla2xxx: Update version to 10.02.08.300-k (bsc#1211960).
• scsi: qla2xxx: Update version to 10.02.08.300-k (bsc#1211960).
• scsi: qla2xxx: Wait for io return on terminate rport (bsc#1211960).
• scsi: qla2xxx: Wait for io return on terminate rport (bsc#1211960).
• scsi: storvsc: Parameterize number hardware queues (bsc#1211622).
• sctp: avoid flushing unsent queue when doing asoc reset (git-fixes).
• sctp: fix erroneous inc of snmp SctpFragUsrMsgs (git-fixes).
• sctp: fix the issue that a _u16 variable may overflow in sctpulpq_renege (git-fixes).
• sctp: make use of pre-calculated len (git-fixes).
• seccomp: Set PF_SUPERPRIV when checking capability (git-fixes bsc#1211816).
• sfc: suppress duplicate nvmem partition types in efxef10mtd_probe (git-fixes).
• sit: fix IFLA_MTU ignored on NEWLINK (git-fixes).
• stmmac: fix valid numbers of unicast filter entries (git-fixes).
• sunvnet: does not support GSO for sctp (git-fixes).
• usb: dwc3: Fix race between dwc3setmode and _dwc3set_mode (git-fixes).
• usb: early: xhci-dbc: Fix a potential out-of-bound memory access (git-fixes).
• vrf: mark skb for multicast or link-local as enslaved to VRF (git-fixes).
• wcn36xx: Add ability for wcn36xxsmddumpcmdreq to pass two's complement (git-fixes).
• wcn36xx: Add ieee80211 rx status rate information (git-fixes).
• wcn36xx: Channel list update before hardware scan (git-fixes).
• wcn36xx: Disable bmps when encryption is disabled (git-fixes).
• wcn36xx: Ensure finish scan is not requested before start scan (git-fixes).
• wcn36xx: Fix TX data path (git-fixes).
• wcn36xx: Fix multiple AMPDU sessions support (git-fixes).
• wcn36xx: Fix software-driven scan (git-fix).
• wcn36xx: Fix warning due to bad rate_idx (git-fixes).
• wcn36xx: Increase number of TX retries (git-fixes).
• wcn36xx: Specify ieee80211rxstatus.nss (git-fixes).
• wcn36xx: Use kmemdup instead of duplicating it in wcn36xxsmdprocesspttmsg_rsp (git-fixes).
• wcn36xx: Use sequence number allocated by mac80211 (git-fixes).
• wcn36xx: disable HWCONNECTIONMONITOR (git-fixes).
• wcn36xx: ensure pairing of initscan/finishscan and startscan/endscan (git-fixes).
• wcn36xx: fix spelling mistake 'to' -> 'too' (git-fixes).
• wcn36xx: fix typo (git-fixes).
• wcn36xx: remove unecessary return (git-fixes).
• wcn36xx: use dmazalloccoherent instead of allocator/memset (git-fixes).
• workqueue: Fix hung time report of worker pools (bsc#1211044).
• workqueue: Interrupted create_worker() is not a repeated event (bsc#1211044).
• workqueue: Print backtraces from CPUs with hung CPU bound workqueues (bsc#1211044).
• workqueue: Warn when a new worker could not be created (bsc#1211044).
• workqueue: Warn when a rescuer could not be created (bsc#1211044).
• x86/kvm/vmx: fix old-style function declaration (git-fixes).
• x86/kvm: Do not call kvmspuriousfault() from .fixup (git-fixes).
• x86: kvm: avoid constant-conversion warning (git-fixes).
• xen/netback: do not do grant copy across page boundary (git-fixes).
• xen/netback: use same error messages for same errors (git-fixes).
• xfrm: Fix stack-out-of-bounds with misconfigured transport mode policies (git-fixes).