SUSE-SU-2020:3717-1: important: Security update for the Linux Kernel

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Wed Dec 9 07:15:40 MST 2020


   SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3717-1
Rating:             important
References:         #1050549 #1067665 #1111666 #1112178 #1158775 
                    #1170139 #1170630 #1172542 #1172873 #1174726 
                    #1175306 #1175721 #1175916 #1176109 #1176855 
                    #1176983 #1177304 #1177397 #1177703 #1177805 
                    #1177808 #1177809 #1177819 #1177820 #1178123 
                    #1178182 #1178393 #1178589 #1178607 #1178635 
                    #1178669 #1178686 #1178765 #1178782 #1178838 
                    #1178853 #1178854 #1178878 #1178886 #1178897 
                    #1178940 #1178962 #1179107 #1179140 #1179141 
                    #1179211 #1179213 #1179259 #1179424 #1179426 
                    #1179427 #1179429 #927455 
Cross-References:   CVE-2020-15436 CVE-2020-15437 CVE-2020-25668
                    CVE-2020-25669 CVE-2020-25704 CVE-2020-25705
                    CVE-2020-27777 CVE-2020-28915 CVE-2020-28974
                    CVE-2020-29371
Affected Products:
                    SUSE Linux Enterprise Live Patching 12-SP5
______________________________________________________________________________

   An update that solves 10 vulnerabilities and has 43 fixes
   is now available.

Description:

   The SUSE Linux Enterprise 12 SP5 kernel was updated to receive various
   security and bugfixes.

   The following security bugs were fixed:

   - CVE-2020-15436: Fixed a use after free vulnerability in fs/block_dev.c
     which could have allowed local users to gain privileges or cause a
     denial of service (bsc#1179141).
   - CVE-2020-15437: Fixed a null pointer dereference which could have
     allowed local users to cause a denial of service(bsc#1179140).
   - CVE-2020-25668: Fixed a concurrency use-after-free in con_font_op
     (bsc#1178123).
   - CVE-2020-25669: Fixed a use-after-free read in sunkbd_reinit()
     (bsc#1178182).
   - CVE-2020-25704: Fixed a leak in perf_event_parse_addr_filter()
     (bsc#1178393).
   - CVE-2020-27777: Restrict RTAS requests from userspace  (bsc#1179107)
   - CVE-2020-28915: Fixed a buffer over-read in the fbcon code which could
     have been used by local attackers to read kernel memory (bsc#1178886).
   - CVE-2020-28974: Fixed a slab-out-of-bounds read in fbcon which could
     have been used by local attackers to read privileged information or
     potentially crash the kernel (bsc#1178589).
   - CVE-2020-29371: Fixed uninitialized memory leaks to userspace
     (bsc#1179429).
   - CVE-2020-25705: Fixed an issue which could have allowed to quickly scan
     open UDP ports. This flaw allowed an off-path remote user to effectively
     bypassing source port UDP randomization (bsc#1175721).

   The following non-security bugs were fixed:

   - 9P: Cast to loff_t before multiplying (git-fixes).
   - ACPI: GED: fix -Wformat (git-fixes).
   - ACPI: NFIT: Fix comparison to '-ENXIO' (git-fixes).
   - ALSA: ctl: fix error path at adding user-defined element set (git-fixes).
   - ALSA: firewire: Clean up a locking issue in copy_resp_to_buf()
     (git-fixes).
   - ALSA: hda - Fix the return value if cb func is already registered
     (git-fixes).
   - ALSA: hda: prevent undefined shift in snd_hdac_ext_bus_get_link()
     (git-fixes).
   - ALSA: mixart: Fix mutex deadlock (git-fixes).
   - arm64: KVM: Fix system register enumeration (bsc#1174726).
   - arm/arm64: KVM: Add PSCI version selection API (bsc#1174726).
   - ASoC: qcom: lpass-platform: Fix memory leak (git-fixes).
   - ath10k: Acquire tx_lock in tx error paths (git-fixes).
   - batman-adv: set .owner to THIS_MODULE (git-fixes).
   - Bluetooth: btusb: Fix and detect most of the Chinese Bluetooth
     controllers (git-fixes).
   - Bluetooth: hci_bcm: fix freeing not-requested IRQ (git-fixes).
   - bpf: Zero-fill re-used per-cpu map element (git-fixes).
   - btrfs: account ticket size at add/delete time (bsc#1178897).
   - btrfs: add helper to obtain number of devices with ongoing dev-replace
     (bsc#1178897).
   - btrfs: check rw_devices, not num_devices for balance (bsc#1178897).
   - btrfs: do not delete mismatched root refs (bsc#1178962).
   - btrfs: fix btrfs_calc_reclaim_metadata_size calculation (bsc#1178897).
   - btrfs: fix force usage in inc_block_group_ro (bsc#1178897).
   - btrfs: fix invalid removal of root ref (bsc#1178962).
   - btrfs: fix reclaim counter leak of space_info objects (bsc#1178897).
   - btrfs: fix reclaim_size counter leak after stealing from global reserve
     (bsc#1178897).
   - btrfs: kill min_allocable_bytes in inc_block_group_ro (bsc#1178897).
   - btrfs: rework arguments of btrfs_unlink_subvol (bsc#1178962).
   - btrfs: split dev-replace locking helpers for read and write
     (bsc#1178897).
   - can: af_can: prevent potential access of uninitialized member in
     canfd_rcv() (git-fixes).
   - can: af_can: prevent potential access of uninitialized member in
     can_rcv() (git-fixes).
   - can: can_create_echo_skb(): fix echo skb generation: always use
     skb_clone() (git-fixes).
   - can: dev: __can_get_echo_skb(): fix real payload length return value for
     RTR frames (git-fixes).
   - can: dev: can_get_echo_skb(): prevent call to kfree_skb() in hard IRQ
     context (git-fixes).
   - can: dev: can_restart(): post buffer from the right context (git-fixes).
   - can: gs_usb: fix endianess problem with candleLight firmware (git-fixes).
   - can: m_can: fix nominal bitiming tseg2 min for version >= 3.1
     (git-fixes).
   - can: m_can: m_can_handle_state_change(): fix state change (git-fixes).
   - can: m_can: m_can_stop(): set device to software init mode before
     closing (git-fixes).
   - can: mcba_usb: mcba_usb_start_xmit(): first fill skb, then pass to
     can_put_echo_skb() (git-fixes).
   - can: peak_canfd: pucan_handle_can_rx(): fix echo management when
     loopback is on (git-fixes).
   - can: peak_usb: add range checking in decode operations (git-fixes).
   - can: peak_usb: fix potential integer overflow on shift of a int
     (git-fixes).
   - can: peak_usb: peak_usb_get_ts_time(): fix timestamp wrapping
     (git-fixes).
   - can: rx-offload: do not call kfree_skb() from IRQ context (git-fixes).
   - ceph: add check_session_state() helper and make it global (bsc#1179259).
   - ceph: check session state after bumping session->s_seq (bsc#1179259).
   - ceph: fix race in concurrent __ceph_remove_cap invocations (bsc#1178635).
   - cifs: Fix incomplete memory allocation on setxattr path (bsc#1179211).
   - cifs: remove bogus debug code (bsc#1179427).
   - cifs: Return the error from crypt_message when enc/dec key not found
     (bsc#1179426).
   - Convert trailing spaces and periods in path components (bsc#1179424).
   - crypto: bcm - Verify GCM/CCM key length in setkey (git-fixes).
   - docs: ABI: stable: remove a duplicated documentation (git-fixes).
   - docs: ABI: sysfs-c2port: remove a duplicated entry (git-fixes).
   - drbd: code cleanup by using sendpage_ok() to check page for
     kernel_sendpage() (bsc#1172873).
   - Drivers: hv: vmbus: Remove the unused "tsc_page" from struct hv_context
     (git-fixes).
   - drm/i915: Break up error capture compression loops with cond_resched()
     (git-fixes).
   - drm/i915/gvt: Set ENHANCED_FRAME_CAP bit (git-fixes).
   - drm/imx: tve remove extraneous type qualifier (git-fixes).
   - drm/sun4i: dw-hdmi: fix error return code in sun8i_dw_hdmi_bind()
     (git-fixes).
   - drm/vc4: drv: Add error handding for bind (git-fixes).
   - Drop sysctl files for dropped archs, add ppc64le and arm64 (bsc#1178838).
   - efi: cper: Fix possible out-of-bounds access (git-fixes).
   - efi/efivars: Add missing kobject_put() in sysfs entry creation error
     path (git-fixes).
   - efi/esrt: Fix reference count leak in esre_create_sysfs_entry
     (git-fixes).
   - efi: provide empty efi_enter_virtual_mode implementation (git-fixes).
   - efivarfs: fix memory leak in efivarfs_create() (git-fixes).
   - efivarfs: revert "fix memory leak in efivarfs_create()" (git-fixes).
   - efi/x86: Do not panic or BUG() on non-critical error conditions
     (git-fixes).
   - efi/x86: Free efi_pgd with free_pages() (bsc#1112178).
   - efi/x86: Ignore the memory attributes table on i386 (git-fixes).
   - efi/x86: Map the entire EFI vendor string before copying it (git-fixes).
   - fs/proc/array.c: allow reporting eip/esp for all coredumping threads
     (bsc#1050549).
   - ftrace: Fix recursion check for NMI test (git-fixes).
   - ftrace: Handle tracing when switching between context (git-fixes).
   - fuse: fix page dereference after free (bsc#1179213).
   - futex: Do not enable IRQs unconditionally in put_pi_state()
     (bsc#1067665).
   - futex: Handle transient "ownerless" rtmutex state correctly
     (bsc#1067665).
   - hv_balloon: disable warning when floor reached (git-fixes).
   - hv_netvsc: Add XDP support (bsc#1177819, bsc#1177820).
   - hv_netvsc: deal with bpf API differences in 4.12 (bsc#1177819,
     bsc#1177820).
   - hv_netvsc: Fix XDP refcnt for synthetic and VF NICs (bsc#1177819,
     bsc#1177820).
   - hv_netvsc: make recording RSS hash depend on feature flag (bsc#1178853,
     bsc#1178854).
   - hv_netvsc: record hardware hash in skb (bsc#1178853, bsc#1178854).
   - hyperv_fb: Update screen_info after removing old framebuffer
     (bsc#1175306).
   - i40iw: Fix error handling in i40iw_manage_arp_cache() (bsc#1111666)
   - i40iw: fix null pointer dereference on a null wqe pointer (bsc#1111666)
   - i40iw: Report correct firmware version (bsc#1111666)
   - IB/cma: Fix ports memory leak in cma_configfs (bsc#1111666)
   - IB/core: Set qp->real_qp before it may be accessed (bsc#1111666)
   - IB/hfi1: Add missing INVALIDATE opcodes for trace (bsc#1111666)
   - IB/hfi1: Add RcvShortLengthErrCnt to hfi1stats (bsc#1111666)
   - IB/hfi1: Add software counter for ctxt0 seq drop (bsc#1111666)
   - IB/hfi1: Avoid hardlockup with flushlist_lock (bsc#1111666)
   - IB/hfi1: Call kobject_put() when kobject_init_and_add() fails
     (bsc#1111666)
   - IB/hfi1: Check for error on call to alloc_rsm_map_table (bsc#1111666)
   - IB/hfi1: Close PSM sdma_progress sleep window (bsc#1111666)
   - IB/hfi1: Define variables as unsigned long to fix KASAN warning
     (bsc#1111666)
   - IB/hfi1: Ensure full Gen3 speed in a Gen4 system (bsc#1111666)
   - IB/hfi1: Fix memory leaks in sysfs registration and unregistration
     (bsc#1111666)
   - IB/hfi1: Fix Spectre v1 vulnerability (bsc#1111666)
   - IB/hfi1: Handle port down properly in pio (bsc#1111666)
   - IB/hfi1: Handle wakeup of orphaned QPs for pio (bsc#1111666)
   - IB/hfi1: Insure freeze_work work_struct is canceled on shutdown
     (bsc#1111666)
   - IB/hfi1, qib: Ensure RCU is locked when accessing list (bsc#1111666)
   - IB/{hfi1, qib}: Fix WC.byte_len calculation for UD_SEND_WITH_IMM
     (bsc#1111666)
   - IB/hfi1: Remove unused define (bsc#1111666)
   - IB/hfi1: Silence txreq allocation warnings (bsc#1111666)
   - IB/hfi1: Validate page aligned for a given virtual address (bsc#1111666)
   - IB/hfi1: Wakeup QPs orphaned on wait list after flush (bsc#1111666)
   - IB/ipoib: drop useless LIST_HEAD (bsc#1111666)
   - IB/ipoib: Fix double free of skb in case of multicast traffic in CM mode
     (bsc#1111666)
   - IB/ipoib: Fix for use-after-free in ipoib_cm_tx_start (bsc#1111666)
   - IB/iser: Fix dma_nents type definition (bsc#1111666)
   - IB/iser: Pass the correct number of entries for dma mapped SGL
     (bsc#1111666)
   - IB/mad: Fix use-after-free in ib mad completion handling (bsc#1111666)
   - IB/mlx4: Add and improve logging (bsc#1111666)
   - IB/mlx4: Add support for MRA (bsc#1111666)
   - IB/mlx4: Adjust delayed work when a dup is observed (bsc#1111666)
   - IB/mlx4: Fix leak in id_map_find_del (bsc#1111666)
   - IB/mlx4: Fix memory leak in add_gid error flow (bsc#1111666)
   - IB/mlx4: Fix race condition between catas error reset and aliasguid
     flows (bsc#1111666)
   - IB/mlx4: Fix starvation in paravirt mux/demux (bsc#1111666)
   - IB/mlx4: Follow mirror sequence of device add during device removal
     (bsc#1111666)
   - IB/mlx4: Remove unneeded NULL check (bsc#1111666)
   - IB/mlx4: Test return value of calls to ib_get_cached_pkey (bsc#1111666)
   - IB/mlx5: Add missing XRC options to QP optional params mask (bsc#1111666)
   - IB/mlx5: Compare only index part of a memory window rkey (bsc#1111666)
   - IB/mlx5: Do not override existing ip_protocol (bsc#1111666)
   - IB/mlx5: Fix clean_mr() to work in the expected order (bsc#1111666)
   - IB/mlx5: Fix implicit MR release flow (bsc#1111666)
   - IB/mlx5: Fix outstanding_pi index for GSI qps (bsc#1111666)
   - IB/mlx5: Fix RSS Toeplitz setup to be aligned with the HW specification
     (bsc#1111666)
   - IB/mlx5: Fix unreg_umr to ignore the mkey state (bsc#1111666)
   - IB/mlx5: Improve ODP debugging messages (bsc#1111666)
   - IB/mlx5: Move MRs to a kernel PD when freeing them to the MR cache
     (bsc#1111666)
   - IB/mlx5: Prevent concurrent MR updates during invalidation (bsc#1111666)
   - IB/mlx5: Reset access mask when looping inside page fault handler
     (bsc#1111666)
   - IB/mlx5: Set correct write permissions for implicit ODP MR (bsc#1111666)
   - IB/mlx5: Use direct mkey destroy command upon UMR unreg failure
     (bsc#1111666)
   - IB/mlx5: Use fragmented QP's buffer for in-kernel users (bsc#1111666)
   - IB/mlx5: WQE dump jumps over first 16 bytes (bsc#1111666)
   - IB/mthca: fix return value of error branch in mthca_init_cq()
     (bsc#1111666)
   - IB/qib: Call kobject_put() when kobject_init_and_add() fails
     (bsc#1111666)
   - IB/qib: Fix an error code in qib_sdma_verbs_send() (bsc#1111666)
   - IB/{qib, hfi1, rdmavt}: Correct ibv_devinfo max_mr value (bsc#1111666)
   - IB/qib: Remove a set-but-not-used variable (bsc#1111666)
   - IB/rdmavt: Convert timers to use timer_setup() (bsc#1111666)
   - IB/rdmavt: Fix alloc_qpn() WARN_ON() (bsc#1111666)
   - IB/rdmavt: Fix sizeof mismatch (bsc#1111666)
   - IB/rdmavt: Reset all QPs when the device is shut down (bsc#1111666)
   - IB/rxe: Fix incorrect cache cleanup in error flow (bsc#1111666)
   - IB/rxe: Make counters thread safe (bsc#1111666)
   - IB/srpt: Fix memory leak in srpt_add_one (bsc#1111666)
   - IB/umad: Avoid additional device reference during open()/close()
     (bsc#1111666)
   - IB/umad: Avoid destroying device while it is accessed (bsc#1111666)
   - IB/umad: Do not check status of nonseekable_open() (bsc#1111666)
   - IB/umad: Fix kernel crash while unloading ib_umad (bsc#1111666)
   - IB/umad: Refactor code to use cdev_device_add() (bsc#1111666)
   - IB/umad: Simplify and avoid dynamic allocation of class (bsc#1111666)
   - IB/usnic: Fix out of bounds index check in query pkey (bsc#1111666)
   - IB/uverbs: Fix OOPs upon device disassociation (bsc#1111666)
   - iio: accel: kxcjk1013: Add support for KIOX010A ACPI DSM for setting
     tablet-mode (git-fixes).
   - iio: accel: kxcjk1013: Replace is_smo8500_device with an acpi_type enum
     (git-fixes).
   - inet_diag: Fix error path to cancel the meseage in inet_req_diag_fill()
     (git-fixes).
   - Input: adxl34x - clean up a data type in adxl34x_probe() (git-fixes).
   - ipmi: use vzalloc instead of kmalloc for user creation (bsc#1178607).
   - iw_cxgb4: fix ECN check on the passive accept (bsc#1111666)
   - iw_cxgb4: only reconnect with MPAv1 if the peer aborts (bsc#1111666)
   - kABI: add back flush_dcache_range (jsc#SLE-16402 jsc#SLE-16497
     bsc#1176109 ltc#187964).
   - kthread_worker: prevent queuing delayed work from timer_fn when it is
     being canceled (git-fixes).
   - KVM: arm64: Add missing #include of -<linux/string.h> in guest.c
     (bsc#1174726).
   - KVM: arm64: Factor out core register ID enumeration (bsc#1174726).
   - KVM: arm64: Filter out invalid core register IDs in KVM_GET_REG_LIST
     (bsc#1174726).
   - KVM: arm64: Refactor kvm_arm_num_regs() for easier maintenance
     (bsc#1174726).
   - KVM: arm64: Reject ioctl access to FPSIMD V-regs on SVE vcpus
     (bsc#1174726).
   - KVM host: kabi fixes for psci_version (bsc#1174726).
   - libceph: use sendpage_ok() in ceph_tcp_sendpage() (bsc#1172873).
   - libnvdimm/nvdimm/flush: Allow architecture to override the flush barrier
     (jsc#SLE-16402 jsc#SLE-16497 bsc#1176109 ltc#187964).
   - locking/lockdep: Add debug_locks check in __lock_downgrade()
     (bsc#1050549).
   - locking/percpu-rwsem: Use this_cpu_{inc,dec}() for read_count
     (bsc#1050549).
   - locktorture: Print ratio of acquisitions, not failures (bsc#1050549).
   - mac80211: always wind down STA state (git-fixes).
   - mac80211: free sta in sta_info_insert_finish() on errors (git-fixes).
   - mac80211: minstrel: fix tx status processing corner case (git-fixes).
   - mac80211: minstrel: remove deferred sampling code (git-fixes).
   - memcg: fix NULL pointer dereference in
     __mem_cgroup_usage_unregister_event (bsc#1177703).
   - mm: always have io_remap_pfn_range() set pgprot_decrypted()
     (bsc#1112178).
   - mmc: sdhci-of-esdhc: Handle pulse width detection erratum for more SoCs
     (git-fixes).
   - mm/memcg: fix refcount error while moving and swapping (bsc#1178686).
   - net: add WARN_ONCE in kernel_sendpage() for improper zero-copy send
     (bsc#1172873).
   - net: ena: Capitalize all log strings and improve code readability
     (bsc#1177397).
   - net: ena: Change license into format to SPDX in all files (bsc#1177397).
   - net: ena: Change log message to netif/dev function (bsc#1177397).
   - net: ena: Change RSS related macros and variables names (bsc#1177397).
   - net: ena: ethtool: Add new device statistics (bsc#1177397).
   - net: ena: ethtool: add stats printing to XDP queues (bsc#1177397).
   - net: ena: ethtool: convert stat_offset to 64 bit resolution
     (bsc#1177397).
   - net: ena: Fix all static chekers' warnings (bsc#1177397).
   - net: ena: Remove redundant print of placement policy (bsc#1177397).
   - net: ena: xdp: add queue counters for xdp actions (bsc#1177397).
   - netfilter: nat: can't use dst_hold on noref dst (bsc#1178878).
   - net: introduce helper sendpage_ok() in include/linux/net.h
     (bsc#1172873). kABI workaround for including mm.h in include/linux/net.h
     (bsc#1172873).
   - net/mlx4_core: Fix init_hca fields offset (git-fixes).
   - net: usb: qmi_wwan: add Telit LE910Cx 0x1230 composition (git-fixes).
   - nfc: s3fwrn5: use signed integer for parsing GPIO numbers (git-fixes).
   - NFS: mark nfsiod as CPU_INTENSIVE (bsc#1177304).
   - NFS: only invalidate dentrys that are clearly invalid (bsc#1178669
     bsc#1170139).
   - NFSv4.1: fix handling of backchannel binding in BIND_CONN_TO_SESSION
     (bsc#1170630).
   - nvme-tcp: check page by sendpage_ok() before calling kernel_sendpage()
     (bsc#1172873).
   - PCI: pci-hyperv: Fix build errors on non-SYSFS config (git-fixes).
   - pinctrl: amd: fix incorrect way to disable debounce filter (git-fixes).
   - pinctrl: amd: use higher precision for 512 RtcClk (git-fixes).
   - pinctrl: aspeed: Fix GPI only function problem (git-fixes).
   - pinctrl: intel: Set default bias in case no particular value given
     (git-fixes).
   - platform/x86: toshiba_acpi: Fix the wrong variable assignment
     (git-fixes).
   - powerpc/32: define helpers to get L1 cache sizes (jsc#SLE-16402
     jsc#SLE-16497 bsc#1176109 ltc#187964).
   - powerpc/64: flush_inval_dcache_range() becomes flush_dcache_range()
     (jsc#SLE-16402 jsc#SLE-16497 bsc#1176109 ltc#187964).
   - powerpc/64: reuse PPC32 static inline flush_dcache_range()
     (jsc#SLE-16402 jsc#SLE-16497 bsc#1176109 ltc#187964).
   - powerpc: Chunk calls to flush_dcache_range in arch_*_memory
     (jsc#SLE-16402 jsc#SLE-16497 bsc#1176109 ltc#187964 git-fixes).
   - powerpc: define helpers to get L1 icache sizes (jsc#SLE-16402
     jsc#SLE-16497 bsc#1176109 ltc#187964).
   - powerpc/mm: Flush cache on memory hot(un)plug (jsc#SLE-16402
     jsc#SLE-16497 bsc#1176109 ltc#187964).
   - powerpc/pmem: Add flush routines using new pmem store and sync
     instruction (jsc#SLE-16402 jsc#SLE-16497 bsc#1176109 ltc#187964).
   - powerpc/pmem: Add new instructions for persistent storage and sync
     (jsc#SLE-16402 jsc#SLE-16497 bsc#1176109 ltc#187964).
   - powerpc/pmem: Avoid the barrier in flush routines (jsc#SLE-16402
     jsc#SLE-16497 bsc#1176109 ltc#187964).
   - powerpc/pmem: Fix kernel crash due to wrong range value usage in
     flush_dcache_range (jsc#SLE-16497 bsc#1176109 ltc#187964).
   - powerpc/pmem: Initialize pmem device on newer hardware (jsc#SLE-16402
     jsc#SLE-16497 bsc#1176109 ltc#187964).
   - powerpc/pmem: Restrict papr_scm to P8 and above (jsc#SLE-16402
     jsc#SLE-16497 bsc#1176109 ltc#187964).
   - powerpc/pmem: Update ppc64 to use the new barrier instruction
     (jsc#SLE-16402 jsc#SLE-16497 bsc#1176109 ltc#187964).
   - powerpc/pseries/cpuidle: add polling idle for shared processor guests
     (bsc#1178765 ltc#188968).
   - powerpc/vnic: Extend "failover pending" window (bsc#1176855 ltc#187293).
   - powerpc/vnic: Extend "failover pending" window (bsc#1176855 ltc#187293).
   - RDMA/bnxt_re: Fix lifetimes in bnxt_re_task (bsc#1111666)
   - RDMA/bnxt_re: Fix Send Work Entry state check while polling completions
     (bsc#1111666)
   - RDMA/bnxt_re: Fix sizeof mismatch for allocation of pbl_tbl.
     (bsc#1111666)
   - RDMA/bnxt_re: Fix stack-out-of-bounds in bnxt_qplib_rcfw_send_message
     (bsc#1111666)
   - RDMA/cma: add missed unregister_pernet_subsys in init failure
     (bsc#1111666)
   - RDMA/cm: Add missing locking around id.state in cm_dup_req_handler
     (bsc#1111666)
   - RDMA/cma: Fix false error message (bsc#1111666)
   - RDMA/cma: fix null-ptr-deref Read in cma_cleanup (bsc#1111666)
   - RDMA/cma: Protect bind_list and listen_list while finding matching cm id
     (bsc#1111666)
   - RDMA/cm: Fix checking for allowed duplicate listens (bsc#1111666)
   - RDMA/cm: Remove a race freeing timewait_info (bsc#1111666)
   - RDMA/cm: Update num_paths in cma_resolve_iboe_route error flow
     (bsc#1111666)
   - RDMA/core: Do not depend device ODP capabilities on kconfig option
     (bsc#1111666)
   - RDMA/core: Fix invalid memory access in spec_filter_size (bsc#1111666)
   - RDMA/core: Fix locking in ib_uverbs_event_read (bsc#1111666)
   - RDMA/core: Fix protection fault in ib_mr_pool_destroy (bsc#1111666)
   - RDMA/core: Fix race between destroy and release FD object (bsc#1111666)
   - RDMA/core: Fix race when resolving IP address (bsc#1111666)
   - RDMA/core: Prevent mixed use of FDs between shared ufiles (bsc#1111666)
   - RDMA/cxgb3: Delete and properly mark unimplemented resize CQ function
     (bsc#1111666)
   - RDMA: Directly cast the sockaddr union to sockaddr (bsc#1111666)
   - RDMA/hns: Correct the value of HNS_ROCE_HEM_CHUNK_LEN (bsc#1111666)
   - RDMA/hns: Correct typo of hns_roce_create_cq() (bsc#1111666)
   - RDMA/hns: Remove unsupported modify_port callback (bsc#1111666)
   - RDMA/hns: Set the unsupported wr opcode (bsc#1111666)
   - RDMA/i40iw: fix a potential NULL pointer dereference (bsc#1111666)
   - RDMA/i40iw: Set queue pair state when being queried (bsc#1111666)
   - RDMA/ipoib: Fix ABBA deadlock with ipoib_reap_ah() (bsc#1111666)
   - RDMA/ipoib: Remove check for ETH_SS_TEST (bsc#1111666)
   - RDMA/ipoib: Return void from ipoib_ib_dev_stop() (bsc#1111666)
   - RDMA/ipoib: Set rtnl_link_ops for ipoib interfaces (bsc#1111666)
   - RDMA/iwcm: Fix a lock inversion issue (bsc#1111666)
   - RDMA/iwcm: Fix iwcm work deallocation (bsc#1111666)
   - RDMA/iwcm: move iw_rem_ref() calls out of spinlock (bsc#1111666)
   - RDMA/iw_cxgb4: Avoid freeing skb twice in arp failure case (bsc#1111666)
   - RDMA/iw_cxgb4: Fix the unchecked ep dereference (bsc#1111666)
   - RDMA/mad: Fix possible memory leak in ib_mad_post_receive_mads()
     (bsc#1111666)
   - RDMA/mlx4: Initialize ib_spec on the stack (bsc#1111666)
   - RDMA/mlx4: Read pkey table length instead of hardcoded value
     (bsc#1111666)
   - RDMA/mlx5: Clear old rate limit when closing QP (bsc#1111666)
   - RDMA/mlx5: Delete unreachable handle_atomic code by simplifying SW
     completion (bsc#1111666)
   - RDMA/mlx5: Fix access to wrong pointer while performing flush due to
     error (bsc#1111666)
   - RDMA/mlx5: Fix a race with mlx5_ib_update_xlt on an implicit MR
     (bsc#1111666)
   - RDMA/mlx5: Fix function name typo 'fileds' -> 'fields' (bsc#1111666)
   - RDMA/mlx5: Return proper error value (bsc#1111666)
   - RDMA/mlx5: Set GRH fields in query QP on RoCE (bsc#1111666)
   - RDMA/mlx5: Verify that QP is created with RQ or SQ (bsc#1111666)
   - RDMA/nes: Remove second wait queue initialization call (bsc#1111666)
   - RDMA/netlink: Do not always generate an ACK for some netlink operations
     (bsc#1111666)
   - RDMA/ocrdma: Fix out of bounds index check in query pkey (bsc#1111666)
   - RDMA/ocrdma: Remove unsupported modify_port callback (bsc#1111666)
   - RDMA/pvrdma: Fix missing pci disable in pvrdma_pci_probe() (bsc#1111666)
   - RDMA/qedr: Endianness warnings cleanup (bsc#1111666)
   - RDMA/qedr: Fix doorbell setting (bsc#1111666)
   - RDMA/qedr: Fix memory leak in user qp and mr (bsc#1111666)
   - RDMA/qedr: Fix reported firmware version (bsc#1111666)
   - RDMA/qedr: Fix use of uninitialized field (bsc#1111666)
   - RDMA/qedr: Remove unsupported modify_port callback (bsc#1111666)
   - RDMA/qedr: SRQ's bug fixes (bsc#1111666)
   - RDMA/qib: Delete extra line (bsc#1111666)
   - RDMA/qib: Remove all occurrences of BUG_ON() (bsc#1111666)
   - RDMA/qib: Validate ->show()/store() callbacks before calling them
     (bsc#1111666)
   - RDMA/rxe: Drop pointless checks in rxe_init_ports (bsc#1111666)
   - RDMA/rxe: Fill in wc byte_len with IB_WC_RECV_RDMA_WITH_IMM (bsc#1111666)
   - RDMA/rxe: Fix configuration of atomic queue pair attributes (bsc#1111666)
   - RDMA/rxe: Fix memleak in rxe_mem_init_user (bsc#1111666)
   - RDMA/rxe: Fix slab-out-bounds access which lead to kernel crash later
     (bsc#1111666)
   - RDMA/rxe: Fix soft lockup problem due to using tasklets in softirq
     (bsc#1111666)
   - RDMA/rxe: Fix the parent sysfs read when the interface has 15 chars
     (bsc#1111666)
   - RDMA/rxe: Prevent access to wr->next ptr afrer wr is posted to send
     queue (bsc#1111666)
   - RDMA/rxe: Remove unused rxe_mem_map_pages (bsc#1111666)
   - RDMA/rxe: Remove useless rxe_init_device_param assignments (bsc#1111666)
   - RDMA/rxe: Return void from rxe_init_port_param() (bsc#1111666)
   - RDMA/rxe: Return void from rxe_mem_init_dma() (bsc#1111666)
   - RDMA/rxe: Set default vendor ID (bsc#1111666)
   - RDMA/rxe: Set sys_image_guid to be aligned with HW IB devices
     (bsc#1111666)
   - RDMA/rxe: Skip dgid check in loopback mode (bsc#1111666)
   - RDMA/rxe: Use for_each_sg_page iterator on umem SGL (bsc#1111666)
   - RDMA/srp: Rework SCSI device reset handling (bsc#1111666)
   - RDMA/srpt: Fix typo in srpt_unregister_mad_agent docstring (bsc#1111666)
   - RDMA/srpt: Report the SCSI residual to the initiator (bsc#1111666)
   - RDMA/ucma: Add missing locking around rdma_leave_multicast()
     (bsc#1111666)
   - RDMA/ucma: Put a lock around every call to the rdma_cm layer
     (bsc#1111666)
   - RDMA/uverbs: Make the event_queue fds return POLLERR when disassociated
     (bsc#1111666)
   - RDMA/vmw_pvrdma: Fix memory leak on pvrdma_pci_remove (bsc#1111666)
   - RDMA/vmw_pvrdma: Use atomic memory allocation in create AH (bsc#1111666)
   - regulator: avoid resolve_supply() infinite recursion (git-fixes).
   - regulator: defer probe when trying to get voltage from unresolved supply
     (git-fixes).
   - regulator: fix memory leak with repeated set_machine_constraints()
     (git-fixes).
   - regulator: resolve supply after creating regulator (git-fixes).
   - regulator: ti-abb: Fix array out of bound read access on the first
     transition (git-fixes).
   - regulator: workaround self-referent regulators (git-fixes).
   - Revert "cdc-acm: hardening against malicious devices" (git-fixes).
   - ring-buffer: Fix recursion protection transitions between interrupt
     context (git-fixes).
   - RMDA/cm: Fix missing ib_cm_destroy_id() in ib_cm_insert_listen()
     (bsc#1111666)
   - rxe: correctly calculate iCRC for unaligned payloads (bsc#1111666)
   - rxe: fix error completion wr_id and qp_num (bsc#1111666)
   - s390/cio: add cond_resched() in the slow_eval_known_fn() loop
     (bsc#1177805 LTC#188737).
   - s390/cpum_cf,perf: change DFLT_CCERROR counter name (bsc#1175916
     LTC#187937).
   - s390/dasd: fix inability to use DASD with DIAG driver (bsc#1177809
     LTC#188738).
   - s390/dasd: Fix zero write for FBA devices (bsc#1177808 LTC#188739).
   - s390: kernel/uv: handle length extension properly (bsc#1178940
     LTC#189323).
   - sched/core: Fix PI boosting between RT and DEADLINE tasks (bsc#1112178).
   - sched/x86: SaveFLAGS on context switch (bsc#1112178).
   - scripts/git_sort/git_sort.py: add ceph maintainers git tree
   - scsi: libiscsi: use sendpage_ok() in iscsi_tcp_segment_map()
     (bsc#1172873).
   - scsi: lpfc: Fix initial FLOGI failure due to BBSCN not supported
     (git-fixes).
   - scsi: RDMA/srpt: Fix a credit leak for aborted commands (bsc#1111666)
   - Staging: rtl8188eu: rtw_mlme: Fix uninitialized variable authmode
     (git-fixes).
   - staging: rtl8723bs: Add 024c:0627 to the list of SDIO device-ids
     (git-fixes).
   - thunderbolt: Add the missed ida_simple_remove() in ring_request_msix()
     (git-fixes).
   - time: Prevent undefined behaviour in timespec64_to_ns() (git-fixes).
   - tty: serial: imx: keep console clocks always on (git-fixes).
   - Update patches.suse/vfs-add-super_operations-get_inode_dev (bsc#927455
     bsc#1176983).
   - Update references in patches.suse/net-smc-tolerate-future-smcd-versions
     (bsc#1172542 LTC#186070 git-fixes).
   - USB: Add NO_LPM quirk for Kingston flash drive (git-fixes).
   - USB: cdc-acm: Add DISABLE_ECHO for Renesas USB Download mode (git-fixes).
   - USB: cdc-acm: fix cooldown mechanism (git-fixes).
   - USB: core: driver: fix stray tabs in error messages (git-fixes).
   - USB: core: Fix regression in Hercules audio card (git-fixes).
   - USB: gadget: Fix memleak in gadgetfs_fill_super (git-fixes).
   - USB: gadget: f_midi: Fix memleak in f_midi_alloc (git-fixes).
   - USB: host: ehci-tegra: Fix error handling in tegra_ehci_probe()
     (git-fixes).
   - USB: host: xhci: fix ep context print mismatch in debugfs (git-fixes).
   - USB: host: xhci-mtk: avoid runtime suspend when removing hcd (git-fixes).
   - USB: mtu3: fix panic in mtu3_gadget_stop() (git-fixes).
   - USB: serial: cyberjack: fix write-URB completion race (git-fixes).
   - USB: serial: ftdi_sio: add support for FreeCalypso JTAG+UART adapters
     (git-fixes).
   - USB: serial: option: add Cellient MPL200 card (git-fixes).
   - USB: serial: option: add LE910Cx compositions 0x1203, 0x1230, 0x1231
     (git-fixes).
   - USB: serial: option: add Quectel EC200T module support (git-fixes).
   - USB: serial: option: add Telit FN980 composition 0x1055 (git-fixes).
   - USB: serial: option: Add Telit FT980-KS composition (git-fixes).
   - USB: serial: pl2303: add device-id for HP GC device (git-fixes).
   - USB: typec: tcpm: reset hard_reset_count for any disconnect (git-fixes).
   - USB: xhci: force all memory allocations to node (git-fixes).
   - video: hyperv_fb: Fix the cache type when mapping the VRAM (git-fixes).
   - video: hyperv: hyperv_fb: Obtain screen resolution from Hyper-V host
     (bsc#1175306).
   - video: hyperv: hyperv_fb: Support deferred IO for Hyper-V frame buffer
     driver (bsc#1175306).
   - video: hyperv: hyperv_fb: Use physical memory for fb on HyperV Gen 1 VMs
     (bsc#1175306).
   - vt: Disable KD_FONT_OP_COPY (bsc#1178589).
   - x86/hyperv: Clarify comment on x2apic mode (git-fixes).
   - x86/hyperv: Make vapic support x2apic mode (git-fixes).
   - x86/kexec: Use up-to-dated screen_info copy to fill boot params
     (bsc#1175306).
   - x86/microcode/intel: Check patch signature before saving microcode for
     early loading (bsc#1112178).
   - x86/PCI: Avoid AMD FCH XHCI USB PME# from D0 defect (git-fixes).
   - x86/PCI: Fix intel_mid_pci.c build error when ACPI is not enabled
     (git-fixes).
   - x86/PCI: Mark Intel C620 MROMs as having non-compliant BARs (git-fixes).
   - x86/speculation: Allow IBPB to be conditionally enabled on CPUs with
     always-on STIBP (bsc#1112178).
   - x86/sysfb_efi: Add quirks for some devices with swapped width and height
     (git-fixes).
   - xfrm: Fix memleak on xfrm state destroy (bsc#1158775).
   - xfs: fix a missing unlock on error in xfs_fs_map_blocks (git-fixes).
   - xfs: fix flags argument to rmap lookup when converting shared file rmaps
     (git-fixes).
   - xfs: fix rmap key and record comparison functions (git-fixes).
   - xfs: flush new eof page on truncate to avoid post-eof corruption
     (git-fixes).
   - xfs: revert "xfs: fix rmap key and record comparison functions"
     (git-fixes).
   - xhci: do not create endpoint debugfs entry before ring buffer is set
     (git-fixes).
   - xhci: Fix sizeof() mismatch (git-fixes).


Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Live Patching 12-SP5:

      zypper in -t patch SUSE-SLE-Live-Patching-12-SP5-2020-3717=1



Package List:

   - SUSE Linux Enterprise Live Patching 12-SP5 (ppc64le s390x x86_64):

      kernel-default-debuginfo-4.12.14-122.54.1
      kernel-default-debugsource-4.12.14-122.54.1
      kernel-default-kgraft-4.12.14-122.54.1
      kernel-default-kgraft-devel-4.12.14-122.54.1
      kgraft-patch-4_12_14-122_54-default-1-8.3.1


References:

   https://www.suse.com/security/cve/CVE-2020-15436.html
   https://www.suse.com/security/cve/CVE-2020-15437.html
   https://www.suse.com/security/cve/CVE-2020-25668.html
   https://www.suse.com/security/cve/CVE-2020-25669.html
   https://www.suse.com/security/cve/CVE-2020-25704.html
   https://www.suse.com/security/cve/CVE-2020-25705.html
   https://www.suse.com/security/cve/CVE-2020-27777.html
   https://www.suse.com/security/cve/CVE-2020-28915.html
   https://www.suse.com/security/cve/CVE-2020-28974.html
   https://www.suse.com/security/cve/CVE-2020-29371.html
   https://bugzilla.suse.com/1050549
   https://bugzilla.suse.com/1067665
   https://bugzilla.suse.com/1111666
   https://bugzilla.suse.com/1112178
   https://bugzilla.suse.com/1158775
   https://bugzilla.suse.com/1170139
   https://bugzilla.suse.com/1170630
   https://bugzilla.suse.com/1172542
   https://bugzilla.suse.com/1172873
   https://bugzilla.suse.com/1174726
   https://bugzilla.suse.com/1175306
   https://bugzilla.suse.com/1175721
   https://bugzilla.suse.com/1175916
   https://bugzilla.suse.com/1176109
   https://bugzilla.suse.com/1176855
   https://bugzilla.suse.com/1176983
   https://bugzilla.suse.com/1177304
   https://bugzilla.suse.com/1177397
   https://bugzilla.suse.com/1177703
   https://bugzilla.suse.com/1177805
   https://bugzilla.suse.com/1177808
   https://bugzilla.suse.com/1177809
   https://bugzilla.suse.com/1177819
   https://bugzilla.suse.com/1177820
   https://bugzilla.suse.com/1178123
   https://bugzilla.suse.com/1178182
   https://bugzilla.suse.com/1178393
   https://bugzilla.suse.com/1178589
   https://bugzilla.suse.com/1178607
   https://bugzilla.suse.com/1178635
   https://bugzilla.suse.com/1178669
   https://bugzilla.suse.com/1178686
   https://bugzilla.suse.com/1178765
   https://bugzilla.suse.com/1178782
   https://bugzilla.suse.com/1178838
   https://bugzilla.suse.com/1178853
   https://bugzilla.suse.com/1178854
   https://bugzilla.suse.com/1178878
   https://bugzilla.suse.com/1178886
   https://bugzilla.suse.com/1178897
   https://bugzilla.suse.com/1178940
   https://bugzilla.suse.com/1178962
   https://bugzilla.suse.com/1179107
   https://bugzilla.suse.com/1179140
   https://bugzilla.suse.com/1179141
   https://bugzilla.suse.com/1179211
   https://bugzilla.suse.com/1179213
   https://bugzilla.suse.com/1179259
   https://bugzilla.suse.com/1179424
   https://bugzilla.suse.com/1179426
   https://bugzilla.suse.com/1179427
   https://bugzilla.suse.com/1179429
   https://bugzilla.suse.com/927455



More information about the sle-security-updates mailing list