SUSE-SU-2023:4035-1

The SUSE Linux Enterprise 15 SP5 RT kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

• CVE-2023-39194: Fixed an out of bounds read in the XFRM subsystem (bsc#1215861).
• CVE-2023-39193: Fixed an out of bounds read in the xtables subsystem (bsc#1215860).
• CVE-2023-39192: Fixed an out of bounds read in the netfilter (bsc#1215858).
• CVE-2023-42754: Fixed a NULL pointer dereference in the IPv4 stack that could lead to denial of service (bsc#1215467).
• CVE-2023-4389: Fixed a reference counting issue in the Btrfs filesystem that could be exploited in order to leak internal kernel information or crash the system (bsc#1214351).
• CVE-2023-5345: fixed an use-after-free vulnerability in the fs/smb/client component which could be exploited to achieve local privilege escalation. (bsc#1215899)
• CVE-2023-42753: Fixed an array indexing vulnerability in the netfilter subsystem. This issue may have allowed a local user to crash the system or potentially escalate their privileges (bsc#1215150).
• CVE-2023-1206: Fixed a hash collision flaw in the IPv6 connection lookup table. A user located in the local network or with a high bandwidth connection can increase the CPU usage of the server that accepts IPV6 connections up to 95% (bsc#1212703).
• CVE-2023-4921: Fixed a use-after-free vulnerability in the QFQ network scheduler which could be exploited to achieve local privilege escalatio (bsc#1215275).
• CVE-2023-4622: Fixed a use-after-free vulnerability in the Unix domain sockets component which could be exploited to achieve local privilege escalation (bsc#1215117).
• CVE-2023-4623: Fixed a use-after-free issue in the HFSC network scheduler which could be exploited to achieve local privilege escalation (bsc#1215115).
• CVE-2023-4155: Fixed a flaw in KVM AMD Secure Encrypted Virtualization (SEV). An attacker can trigger a stack overflow and cause a denial of service or potentially guest-to-host escape in kernel configurations without stack guard pages. (bsc#1214022)

The following non-security bugs were fixed:

• ALSA: hda/realtek: Splitting the UX3402 into two separate models (git-fixes).
• arm64: module-plts: inline linux/moduleloader.h (git-fixes)
• arm64: module: Use moduleinitlayout_section() to spot init sections (git-fixes)
• arm64: sdei: abort running SDEI handlers during crash (git-fixes)
• arm64: tegra: Update AHUB clock parent and rate (git-fixes)
• arm64/fpsimd: Only provide the length to cpufeature for xCR registers (git-fixes)
• ASoC: amd: yc: Fix non-functional mic on Lenovo 82QF and 82UG (git-fixes).
• ASoC: hdaudio.c: Add missing check for devm_kstrdup (git-fixes).
• ASoC: imx-audmix: Fix return error with devmclkget() (git-fixes).
• ASoC: meson: spdifin: start hw on dai probe (git-fixes).
• ASoC: rt5640: Fix IRQ not being free-ed for HDA jack detect mode (git-fixes).
• ASoC: rt5640: Fix sleep in atomic context (git-fixes).
• ASoC: rt5640: Revert 'Fix sleep in atomic context' (git-fixes).
• ASoC: soc-utils: Export sndsocdaiisdummy() symbol (git-fixes).
• ASoC: SOF: core: Only call sofopsfree() on remove if the probe was successful (git-fixes).
• ASoC: tegra: Fix redundant PLLA and PLLA_OUT0 updates (git-fixes).
• blk-iocost: fix divide by 0 error in calc_lcoefs() (bsc#1214986).
• blk-iocost: use spinlockirqsave in adjustinuseandcalccost (bsc#1214992).
• block/mq-deadline: use correct way to throttling write requests (bsc#1214993).
• bnx2x: new flag for track HW resource allocation (bsc#1202845 bsc#1215322).
• clocksource: hyper-v: Mark hyperv tsc page unencrypted in sev-snp enlightened guest (bsc#1206453).
• drivers: hv: Mark percpu hvcall input arg page unencrypted in SEV-SNP enlightened guest (bsc#1206453).
• Drivers: hv: vmbus: Bring the postmsgpage back for TDX VMs with the paravisor (bsc#1206453).
• Drivers: hv: vmbus: Support >64 VPs for a fully enlightened TDX/SNP VM (bsc#1206453).
• Drivers: hv: vmbus: Support fully enlightened TDX guests (bsc#1206453).
• drm/ast: Add BMC virtual connector (bsc#1152472) Backporting changes: * rename astdevice to astprivate
• drm/ast: report connection status on Display Port. (bsc#1152472) Backporting changes: * rename astdevice to astprivate * context changes
• drm/display: Do not assume dual mode adaptors support i2c sub-addressing (bsc#1213808).
• drm/meson: fix memory leak on ->hpd_notify callback (git-fixes).
• drm/virtio: Correct drmgemshmemgetsg_table() error handling (git-fixes).
• drm/virtio: Use appropriate atomic state in virtiogpuplanecleanupfb() (git-fixes).
• ext4: avoid potential data overflow in nextlineargroup (bsc#1214951).
• ext4: correct inline offset when handling xattrs in inode body (bsc#1214950).
• ext4: fix memory leaks in ext4fname{setupfilename,preparelookup} (bsc#1214954).
• ext4: fix wrong unit use in ext4mbclear_bb (bsc#1214943).
• ext4: fix wrong unit use in ext4mbnew_blocks (bsc#1214944).
• ext4: get block from bh in ext4freeblocks for fast commit replay (bsc#1214942).
• ext4: reflect error codes from ext4multimount_protect() to its callers (bsc#1214941).
• ext4: Remove ext4 locking of moved directory (bsc#1214957).
• ext4: set goal start correctly in ext4mbnormalize_request (bsc#1214940).
• fs: Establish locking order for unrelated directories (bsc#1214958).
• fs: Lock moved directories (bsc#1214959).
• fs: lockd: avoid possible wrong NULL parameter (git-fixes).
• fs: no need to check source (bsc#1215752).
• fuse: nlookup missing decrement in fusedirentpluslink (bsc#1215581).
• gve: Add AF_XDP zero-copy support for GQI-QPL format (bsc#1214479).
• gve: Add XDP DROP and TX support for GQI-QPL format (bsc#1214479).
• gve: Add XDP REDIRECT support for GQI-QPL format (bsc#1214479).
• gve: Changes to add new TX queues (bsc#1214479).
• gve: Control path for DQO-QPL (bsc#1214479).
• gve: fix frag_list chaining (bsc#1214479).
• gve: Fix gve interrupt names (bsc#1214479).
• gve: RX path for DQO-QPL (bsc#1214479).
• gve: trivial spell fix Recive to Receive (bsc#1214479).
• gve: Tx path for DQO-QPL (bsc#1214479).
• gve: Unify duplicate GQ min pkt desc size constants (bsc#1214479).
• gve: use vmalloc_array and vcalloc (bsc#1214479).
• gve: XDP support GQI-QPL: helper function changes (bsc#1214479).
• hwrng: virtio - add an internal buffer (git-fixes).
• hwrng: virtio - always add a pending request (git-fixes).
• hwrng: virtio - do not wait on cleanup (git-fixes).
• hwrng: virtio - do not waste entropy (git-fixes).
• hwrng: virtio - Fix race on data_avail and actual data (git-fixes).
• i915/pmu: Move execlist stats initialization to execlist specific setup (git-fixes).
• iommu/virtio: Detach domain on endpoint release (git-fixes).
• iommu/virtio: Return size mapped for a detached domain (git-fixes).
• jbd2: check 'jh->b_transaction' before removing it from checkpoint (bsc#1214953).
• jbd2: correct the end of the journal recovery scan range (bsc#1214955).
• jbd2: fix a race when checking checkpoint buffer busy (bsc#1214949).
• jbd2: fix checkpoint cleanup performance regression (bsc#1214952).
• jbd2: Fix wrongly judgement for buffer head removing while doing checkpoint (bsc#1214948).
• jbd2: recheck chechpointing non-dirty buffer (bsc#1214945).
• jbd2: remove journalcleanonecplist() (bsc#1214947).
• jbd2: remove tcheckpointio_list (bsc#1214946).
• jbd2: restore tcheckpointio_list to maintain kABI (bsc#1214946).
• kernel-binary: Move build-time definitions together Move source list and build architecture to buildrequires to aid in future reorganization of the spec template.
• kernel-binary: python3 is needed for build At least scripts/bpfhelpersdoc.py requires python3 since Linux 4.18 Other simimlar scripts may exist.
• KVM: s390: fix KVMS390GETCMMABITS for GFNs in memslot holes (git-fixes bsc#1215915).
• KVM: s390: interrupt: use READ_ONCE() before cmpxchg() (git-fixes bsc#1215896).
• KVM: s390: pv: fix external interruption loop not always detected (git-fixes bsc#1215916).
• KVM: s390: vsie: Fix the initialization of the epoch extension (epdx) field (git-fixes bsc#1215894).
• KVM: s390: vsie: fix the length of APCB bitmap (git-fixes bsc#1215895).
• KVM: s390/diag: fix racy access of physical cpu number in diag 9c handler (git-fixes bsc#1215911).
• KVM: x86: Fix KVMCAPSYNCREGS's syncregs() TOCTOU issues (git-fixes).
• KVM: x86/mmu: Include mmu.h in spte.h (git-fixes).
• loop: Fix use-after-free issues (bsc#1214991).
• loop: loopsetstatusfrominfo() check before assignment (bsc#1214990).
• module: Expose moduleinitlayout_section() (git-fixes)
• net: do not allow gsosize to be set to GSOBY_FRAGS (git-fixes).
• net: mana: Add page pool for RX buffers (bsc#1214040).
• net: mana: Configure hwc timeout from hardware (bsc#1214037).
• net: usb: qmi_wwan: add Quectel EM05GV2 (git-fixes).
• NFS: Guard against READDIR loop when entry names exceed MAXNAMELEN (git-fixes).
• nfs/blocklayout: Use the passed in gfp flags (git-fixes).
• NFS/pNFS: Report EINVAL errors from connect() to the server (git-fixes).
• NFSD: daaddrbody field missing in some GETDEVICEINFO replies (git-fixes).
• nfsd: fix change_info in NFSv4 RENAME replies (git-fixes).
• nfsd: Fix race to FREESTATEID and clrevoked (git-fixes).
• NFSv4: Fix dropped lock for racing OPEN and delegation return (git-fixes).
• NFSv4: fix out path in _nfs4getacluncached (git-fixes).
• NFSv4.2: fix error handling in nfs42procgetxattr (git-fixes).
• NFSv4.2: fix handling of COPY ERROFFLOADNO_REQ (git-fixes).
• NFSv4/pnfs: minor fix for cleanup path in nfs4getdevice_info (git-fixes).
• nvme-auth: use chap->s2 to indicate bidirectional authentication (bsc#1214543).
• nvme-tcp: add recovery_delay to sysfs (bsc#1201284).
• nvme-tcp: delay error recovery until the next KATO interval (bsc#1201284).
• nvme-tcp: Do not terminate commands when in RESETTING (bsc#1201284).
• nvme-tcp: make 'err_work' a delayed work (bsc#1201284).
• platform/x86: intelscuipc: Check status after timeout in busy_loop() (git-fixes).
• platform/x86: intelscuipc: Check status upon timeout in ipcwaitfor_interrupt() (git-fixes).
• platform/x86: intelscuipc: Do not override scu in intelscuipcdevsimple_command() (git-fixes).
• platform/x86: intelscuipc: Fail IPC send if still busy (git-fixes).
• pNFS: Fix assignment of xprtdata.cred (git-fixes).
• powerpc/fadump: make iskdumpkernel() return false when fadump is active (bsc#1212639 ltc#202582).
• printk: ringbuffer: Fix truncating buffer size min_t cast (bsc#1215875).
• quota: add new helper dquot_active() (bsc#1214998).
• quota: factor out dquotwritedquot() (bsc#1214995).
• quota: fix dqput() to follow the guarantees dquot_srcu should provide (bsc#1214963).
• quota: fix warning in dqgrab() (bsc#1214962).
• quota: Properly disable quotas when adddquotref() fails (bsc#1214961).
• quota: rename dquotactive() to inodequota_active() (bsc#1214997).
• RDMA/siw: Fabricate a GID on tun and loopback devices (git-fixes)
• scsi: lpfc: Early return after marking final NLPDROPPED flag in devloss_tmo (git-fixes).
• scsi: lpfc: Fix the NULL vs ISERR() bug for debugfscreate_file() (git-fixes).
• scsi: lpfc: Prevent use-after-free during rmmod with mapped NVMe rports (git-fixes).
• scsi: qedf: Add synchronization between I/O completions and abort (bsc#1210658).
• scsi: qla2xxx: Fix NULL vs ISERR() bug for debugfscreate_dir() (git-fixes).
• scsi: qla2xxx: Use rawsmpprocessorid() instead of smpprocessor_id() (git-fixes).
• scsi: storvsc: Handle additional SRB status values (git-fixes).
• scsi: zfcp: Fix a double put in zfcpportenqueue() (git-fixes bsc#1215941).
• selftests: mlxsw: Fix test failure on Spectrum-4 (jsc#PED-1549).
• spi: Add TPM HW flow flag (bsc#1213534)
• spi: tegra210-quad: Enable TPM wait polling (bsc#1213534)
• spi: tegra210-quad: set half duplex flag (bsc#1213534)
• SUNRPC: Mark the cred for revalidation if the server rejects it (git-fixes).
• tpmtisspi: Add hardware wait polling (bsc#1213534)
• uapi: stddef.h: Fix _DECLAREFLEX_ARRAY for C++ (git-fixes).
• udf: Fix extension of the last extent in the file (bsc#1214964).
• udf: Fix file corruption when appending just after end of preallocated extent (bsc#1214965).
• udf: Fix off-by-one error when discarding preallocation (bsc#1214966).
• udf: Fix uninitialized array access for some pathnames (bsc#1214967).
• Update metadata
• usb: ehci: add workaround for chipidea PORTSC.PEC bug (git-fixes).
• usb: ehci: move new member hascipec_bug into hole (git-fixes).
• vhost_vdpa: fix the crash in unmap a large memory (git-fixes).
• vhost-scsi: unbreak any layout for response (git-fixes).
• vhost: allow batching hint without size (git-fixes).
• vhost: allow batching hint without size (git-fixes).
• vhost: fix hung thread due to erroneous iotlb entries (git-fixes).
• vhost: handle error while adding split ranges to iotlb (git-fixes).
• virtio_net: add checking sq is full inside xdp xmit (git-fixes).
• virtionet: Fix probe failed when modprobe virtionet (git-fixes).
• virtio_net: reorder some funcs (git-fixes).
• virtio_net: separate the logic of checking whether sq is full (git-fixes).
• virtioring: fix availwrapcounter in virtqueueadd_packed (git-fixes).
• virtio-blk: set req->state to MQRQCOMPLETE after polling I/O is finished (git-fixes).
• virtio-mmio: do not break lifecycle of vm_dev (git-fixes).
• virtio-net: fix race between set queues and probe (git-fixes).
• virtio-net: set queues after driver_ok (git-fixes).
• virtio-rng: make device ready before making request (git-fixes).
• virtio: acknowledge all features before access (git-fixes).
• vmcore: remove dependency with iskdumpkernel() for exporting vmcore (bsc#1212639 ltc#202582).
• x86/coco: Allow CPU online/offline for a TDX VM with the paravisor on Hyper-V (bsc#1206453).
• x86/coco: Export cc_vendor (bsc#1206453).
• x86/hyperv: Add hvwriteefer() for a TDX VM with the paravisor (bsc#1206453).
• x86/hyperv: Add hyperv-specific handling for VMMCALL under SEV-ES (bsc#1206453).
• x86/hyperv: Add missing 'inline' to hvsnpboot_ap() stub (bsc#1206453).
• x86/hyperv: Add sev-snp enlightened guest static key (bsc#1206453)
• x86/hyperv: Add smp support for SEV-SNP guest (bsc#1206453).
• x86/hyperv: Add VTL specific structs and hypercalls (bsc#1206453).
• x86/hyperv: Fix serial console interrupts for fully enlightened TDX guests (bsc#1206453).
• x86/hyperv: Fix undefined reference to isolationtypeensnp without CONFIGHYPERV (bsc#1206453).
• x86/hyperv: Introduce a global variable hypervparavisorpresent (bsc#1206453).
• x86/hyperv: Mark hvghcbterminate() as noreturn (bsc#1206453).
• x86/hyperv: Mark Hyper-V vp assist page unencrypted in SEV-SNP enlightened guest (bsc#1206453).
• x86/hyperv: Move the code in ivm.c around to avoid unnecessary ifdef's (bsc#1206453).
• x86/hyperv: Remove hvisolationtypeensnp (bsc#1206453).
• x86/hyperv: Set Virtual Trust Level in VMBus init message (bsc#1206453).
• x86/hyperv: Support hypercalls for fully enlightened TDX guests (bsc#1206453).
• x86/hyperv: Use TDX GHCI to access some MSRs in a TDX VM with the paravisor (bsc#1206453).
• x86/hyperv: Use vmmcall to implement Hyper-V hypercall in sev-snp enlightened guest (bsc#1206453).
• x86/PVH: avoid 32-bit build warning when obtaining VGA console info (git-fixes).
• x86/srso: Do not probe microcode in a guest (git-fixes).
• x86/srso: Fix SBPB enablement for specrstackoverflow=off (git-fixes).
• x86/srso: Fix srsoshowstate() side effect (git-fixes).
• x86/srso: Set CPUID feature bits independently of bug or mitigation status (git-fixes).
• xen: remove a confusing comment on auto-translated guest I/O (git-fixes).
• xprtrdma: Remap Receive buffers after a reconnect (git-fixes).