SUSE-SU-2022:0763-1: important: Security update for the Linux Kernel

sle-security-updates at sle-security-updates at
Tue Mar 8 23:25:32 UTC 2022

   SUSE Security Update: Security update for the Linux Kernel

Announcement ID:    SUSE-SU-2022:0763-1
Rating:             important
References:         #1089644 #1154353 #1157038 #1157923 #1176447 
                    #1176940 #1178134 #1181147 #1181588 #1183872 
                    #1187716 #1188404 #1189126 #1190812 #1190972 
                    #1191580 #1191655 #1191741 #1192210 #1192483 
                    #1193096 #1193233 #1193243 #1193787 #1194163 
                    #1194967 #1195012 #1195081 #1195286 #1195352 
                    #1195378 #1195506 #1195668 #1195701 #1195798 
                    #1195799 #1195823 #1195928 #1195957 #1195995 
                    #1196195 #1196235 #1196339 #1196400 #1196516 
                    #1196584 SLE-20807 SLE-22135 SLE-22494 
Cross-References:   CVE-2022-0001 CVE-2022-0002 CVE-2022-25375
CVSS scores:
                    CVE-2022-0001 (SUSE): 5.6 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
                    CVE-2022-0002 (SUSE): 5.6 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
                    CVE-2022-25375 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
                    CVE-2022-25375 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Affected Products:
                    SUSE Linux Enterprise Micro 5.1
                    SUSE Linux Enterprise Module for Realtime 15-SP3
                    SUSE Linux Enterprise Real Time 15-SP3

   An update that solves three vulnerabilities, contains three
   features and has 43 fixes is now available.


   The SUSE Linux Enterprise 15 SP3 RT kernel was updated to receive various
   security and bugfixes.

   Transient execution side-channel attacks attacking the Branch History
   Buffer (BHB), named "Branch Target Injection" and "Intra-Mode Branch
   History Injection" are now mitigated.

   The following security bugs were fixed:

   - CVE-2022-0001: Fixed Branch History Injection vulnerability
   - CVE-2022-0002: Fixed Intra-Mode Branch Target Injection vulnerability
   - CVE-2022-25375: The RNDIS USB gadget lacks validation of the size of the
     RNDIS_MSG_SET command. Attackers can obtain sensitive information from
     kernel memory (bnc#1196235 ).

   The following non-security bugs were fixed:

   - ACPI/IORT: Check node revision for PMCG resources (git-fixes).
   - ALSA: hda/realtek: Add missing fixup-model entry for Gigabyte X570
     ALC1220 quirks (git-fixes).
   - ALSA: hda/realtek: Add quirk for ASUS GU603 (git-fixes).
   - ALSA: hda/realtek: Fix silent output on Gigabyte X570 Aorus Xtreme after
     reboot from Windows (git-fixes).
   - ALSA: hda/realtek: Fix silent output on Gigabyte X570S Aorus Master
     (newer chipset) (git-fixes).
   - ALSA: hda: Fix missing codec probe on Shenker Dock 15 (git-fixes).
   - ALSA: hda: Fix regression on forced probe mask option (git-fixes).
   - ASoC: Revert "ASoC: mediatek: Check for error clk pointer" (git-fixes).
   - ASoC: ops: Fix stereo change notifications in snd_soc_put_volsw()
   - ASoC: ops: Fix stereo change notifications in snd_soc_put_volsw_range()
   - ASoC: ops: Reject out of bounds values in snd_soc_put_volsw()
   - ASoC: ops: Reject out of bounds values in snd_soc_put_volsw_sx()
   - ASoC: ops: Reject out of bounds values in snd_soc_put_xr_sx()
   - Align s390 NVME target options with other architectures (bsc#1188404,
   - EDAC/xgene: Fix deferred probing (bsc#1178134).
   - HID:Add support for UGTABLET WP5540 (git-fixes).
   - IB/cma: Do not send IGMP leaves for sendonly Multicast groups
   - IB/hfi1: Fix AIP early init panic (jsc#SLE-13208).
   - KVM: remember position in kvm->vcpus array (bsc#1190972 LTC#194674).
   - NFSD: Fix the behavior of READ near OFFSET_MAX (bsc#1195957).
   - PM: hibernate: Remove register_nosave_region_late() (git-fixes).
   - PM: s2idle: ACPI: Fix wakeup interrupts handling (git-fixes).
   - RDMA/cma: Use correct address when leaving multicast group (bsc#1181147).
   - RDMA/ucma: Protect mc during concurrent multicast leaves (bsc#1181147).
   - USB: serial: ch341: add support for GW Instek USB2.0-Serial devices
   - USB: serial: cp210x: add CPI Bulk Coin Recycler id (git-fixes).
   - USB: serial: cp210x: add NCR Retail IO box id (git-fixes).
   - USB: serial: ftdi_sio: add support for Brainboxes US-159/235/320
   - USB: serial: mos7840: remove duplicated 0xac24 device ID (git-fixes).
   - USB: serial: option: add ZTE MF286D modem (git-fixes).
   - ata: libata-core: Disable TRIM on M88V29 (git-fixes).
   - ax25: improve the incomplete fix to avoid UAF and NPD bugs (git-fixes).
   - blk-mq: always allow reserved allocation in hctx_may_queue (bsc#1193787).
   - blk-mq: avoid to iterate over stale request (bsc#1193787).
   - blk-mq: clear stale request in tags->rq before freeing one request pool
   - blk-mq: clearing flush request reference in tags->rqs (bsc#1193787).
   - blk-mq: do not grab rq's refcount in blk_mq_check_expired() (bsc#1193787
   - blk-mq: fix is_flush_rq (bsc#1193787 git-fixes).
   - blk-mq: fix kernel panic during iterating over flush request
     (bsc#1193787 git-fixes).
   - blk-mq: grab rq->refcount before calling ->fn in blk_mq_tagset_busy_iter
   - blk-mq: mark flush request as IDLE in flush_end_io() (bsc#1193787).
   - blk-tag: Hide spin_lock (bsc#1193787).
   - block: avoid double io accounting for flush request (bsc#1193787).
   - block: do not send a rezise udev event for hidden block device
   - block: mark flush request as IDLE when it is really finished
   - bonding: pair enable_port with slave_arr_updates (git-fixes).
   - btrfs: check for missing device in btrfs_trim_fs (bsc#1195701).
   - btrfs: check worker before need_preemptive_reclaim (bsc#1196195).
   - btrfs: do not do preemptive flushing if the majority is global rsv
   - btrfs: do not include the global rsv size in the preemptive used amount
   - btrfs: handle preemptive delalloc flushing slightly differently
   - btrfs: make sure SB_I_VERSION does not get unset by remount
   - btrfs: only clamp the first time we have to start flushing (bsc#1196195).
   - btrfs: only ignore delalloc if delalloc is much smaller than ordered
   - btrfs: reduce the preemptive flushing threshold to 90% (bsc#1196195).
   - btrfs: take into account global rsv in need_preemptive_reclaim
   - btrfs: use the global rsv size in the preemptive thresh calculation
   - ceph: properly put ceph_string reference after async create attempt
   - ceph: set pool_ns in new inode layout for async creates (bsc#1195799).
   - drm/amdgpu: fix logic inversion in check (git-fixes).
   - drm/i915/gvt: Make DRM_I915_GVT depend on X86 (git-fixes).
   - drm/i915/gvt: clean up kernel-doc in gtt.c (git-fixes).
   - drm/i915/opregion: check port number bounds for SWSCI display power
     state (git-fixes).
   - drm/i915: Correctly populate use_sagv_wm for all pipes (git-fixes).
   - drm/i915: Fix bw atomic check when switching between SAGV vs. no SAGV
   - drm/panel: simple: Assign data from panel_dpi_probe() correctly
   - drm/radeon: Fix backlight control on iMac 12,1 (git-fixes).
   - drm/rockchip: dw_hdmi: Do not leave clock enabled in error case
   - drm/rockchip: vop: Correct RK3399 VOP register fields (git-fixes).
   - drm/vc4: hdmi: Allow DBLCLK modes even if horz timing is odd (git-fixes).
   - drm: panel-orientation-quirks: Add quirk for the 1Netbook OneXPlayer
   - ext4: check for inconsistent extents between index and leaf block
     (bsc#1194163 bsc#1196339).
   - ext4: check for out-of-order index extents in
     ext4_valid_extent_entries() (bsc#1194163 bsc#1196339).
   - ext4: prevent partial update of the extent blocks (bsc#1194163
   - gve: Add RX context (bsc#1191655).
   - gve: Add a jumbo-frame device option (bsc#1191655).
   - gve: Add consumed counts to ethtool stats (bsc#1191655).
   - gve: Add optional metadata descriptor type GVE_TXD_MTD (bsc#1191655).
   - gve: Correct order of processing device options (bsc#1191655).
   - gve: Fix GFP flags when allocing pages (git-fixes).
   - gve: Fix off by one in gve_tx_timeout() (bsc#1191655).
   - gve: Implement packet continuation for RX (bsc#1191655).
   - gve: Implement suspend/resume/shutdown (bsc#1191655).
   - gve: Move the irq db indexes out of the ntfy block struct (bsc#1191655).
   - gve: Recording rx queue before sending to napi (bsc#1191655).
   - gve: Recover from queue stall due to missed IRQ (bsc#1191655).
   - gve: Update gve_free_queue_page_list signature (bsc#1191655).
   - gve: Use kvcalloc() instead of kvzalloc() (bsc#1191655).
   - gve: fix for null pointer dereference (bsc#1191655).
   - gve: fix the wrong AdminQ buffer queue index check (bsc#1176940).
   - gve: fix unmatched u64_stats_update_end() (bsc#1191655).
   - gve: remove memory barrier around seqno (bsc#1191655).
   - i2c: brcmstb: fix support for DSL and CM variants (git-fixes).
   - i40e: Fix for failed to init adminq while VF reset (git-fixes).
   - i40e: Fix issue when maximum queues is exceeded (git-fixes).
   - i40e: Fix queues reservation for XDP (git-fixes).
   - i40e: Increase delay to 1 s after global EMP reset (git-fixes).
   - i40e: fix unsigned stat widths (git-fixes).
   - ibmvnic: Allow queueing resets during probe (bsc#1196516 ltc#196391).
   - ibmvnic: clear fop when retrying probe (bsc#1196516 ltc#196391).
   - ibmvnic: complete init_done on transport events (bsc#1196516 ltc#196391).
   - ibmvnic: define flush_reset_queue helper (bsc#1196516 ltc#196391).
   - ibmvnic: do not release napi in __ibmvnic_open() (bsc#1195668
   - ibmvnic: free reset-work-item when flushing (bsc#1196516 ltc#196391).
   - ibmvnic: init init_done_rc earlier (bsc#1196516 ltc#196391).
   - ibmvnic: initialize rc before completing wait (bsc#1196516 ltc#196391).
   - ibmvnic: register netdev after init of adapter (bsc#1196516 ltc#196391).
   - ibmvnic: schedule failover only if vioctl fails (bsc#1196400 ltc#195815).
   - ice: fix IPIP and SIT TSO offload (git-fixes).
   - ice: fix an error code in ice_cfg_phy_fec() (jsc#SLE-12878).
   - ima: Allow template selection with ima_template[_fmt]= after ima_hash=
   - ima: Do not print policy rule with inactive LSM labels (git-fixes).
   - ima: Remove ima_policy file before directory (git-fixes).
   - integrity: Make function integrity_add_key() static (git-fixes).
   - integrity: check the return value of audit_log_start() (git-fixes).
   - integrity: double check iint_cache was initialized (git-fixes).
   - iommu/amd: Fix loop timeout issue in iommu_ga_log_enable() (git-fixes).
   - iommu/amd: Remove useless irq affinity notifier (git-fixes).
   - iommu/amd: Restore GA log/tail pointer on host resume (git-fixes).
   - iommu/amd: X2apic mode: mask/unmask interrupts on suspend/resume
   - iommu/amd: X2apic mode: re-enable after resume (git-fixes).
   - iommu/amd: X2apic mode: setup the INTX registers on mask/unmask
   - iommu/io-pgtable-arm-v7s: Add error handle for page table allocation
     failure (git-fixes).
   - iommu/io-pgtable-arm: Fix table descriptor paddr formatting (git-fixes).
   - iommu/iova: Fix race between FQ timeout and teardown (git-fixes).
   - iommu/vt-d: Fix potential memory leak in intel_setup_irq_remapping()
   - iwlwifi: fix use-after-free (git-fixes).
   - iwlwifi: pcie: fix locking when "HW not ready" (git-fixes).
   - iwlwifi: pcie: gen2: fix locking when "HW not ready" (git-fixes).
   - ixgbevf: Require large buffers for build_skb on 82599VF (git-fixes).
   - kABI fixup after adding vcpu_idx to struct kvm_cpu (bsc#1190972
   - kABI: Fix kABI for AMD IOMMU driver (git-fixes).
   - kabi: Hide changes to s390/AP structures (jsc#SLE-20807).
   - lib/iov_iter: initialize "flags" in new pipe_buffer (bsc#1196584).
   - libsubcmd: Fix use-after-free for realloc(..., 0) (git-fixes).
   - md/raid5: fix oops during stripe resizing (bsc#1181588).
   - misc: fastrpc: avoid double fput() on failed usercopy (git-fixes).
   - mmc: sdhci-of-esdhc: Check for error num after setting mask (git-fixes).
   - mtd: rawnand: brcmnand: Fixed incorrect sub-page ECC status (git-fixes).
   - mtd: rawnand: gpmi: do not leak PM reference in error path (git-fixes).
   - mtd: rawnand: qcom: Fix clock sequencing in qcom_nandc_probe()
   - net/ibmvnic: Cleanup workaround doing an EOI after partition migration
     (bsc#1089644 ltc#166495 ltc#165544 git-fixes).
   - net/mlx5e: Fix handling of wrong devices during bond netevent
   - net: macb: Align the dma and coherent dma masks (git-fixes).
   - net: mdio: aspeed: Add missing MODULE_DEVICE_TABLE (bsc#1176447).
   - net: phy: marvell: Fix MDI-x polarity setting in 88e1118-compatible PHYs
   - net: phy: marvell: Fix RGMII Tx/Rx delays setting in 88e1121-compatible
     PHYs (git-fixes).
   - net: phy: marvell: configure RGMII delays for 88E1118 (git-fixes).
   - net: usb: qmi_wwan: Add support for Dell DW5829e (git-fixes).
   - nfp: flower: fix ida_idx not being released (bsc#1154353).
   - nfsd: allow delegation state ids to be revoked and then freed
   - nfsd: allow lock state ids to be revoked and then freed (bsc#1192483).
   - nfsd: allow open state ids to be revoked and then freed (bsc#1192483).
   - nfsd: do not admin-revoke NSv4.0 state ids (bsc#1192483).
   - nfsd: prepare for supporting admin-revocation of state (bsc#1192483).
   - nvme-fabrics: fix state check in nvmf_ctlr_matches_baseopts()
   - nvme: also mark passthrough-only namespaces ready in nvme_update_ns_info
   - nvme: do not return an error from nvme_configure_metadata (git-fixes).
   - nvme: let namespace probing continue for unsupported features
   - powerpc/64: Move paca allocation later in boot (bsc#1190812).
   - powerpc/64s: Fix debugfs_simple_attr.cocci warnings (bsc#1157038
     bsc#1157923 ltc#182612 git-fixes).
   - powerpc/pseries/ddw: Revert "Extend upper limit for huge DMA window for
     persistent memory" (bsc#1195995 ltc#196394).
   - powerpc/pseries: read the lpar name from the firmware (bsc#1187716
   - powerpc: Set crashkernel offset to mid of RMA region (bsc#1190812).
   - powerpc: add link stack flush mitigation status in debugfs (bsc#1157038
     bsc#1157923 ltc#182612 git-fixes).
   - s390/AP: support new dynamic AP bus size limit (jsc#SLE-20807).
   - s390/bpf: Fix 64-bit subtraction of the -0x80000000 constant (git-fixes).
   - s390/bpf: Fix optimizing out zero-extensions (git-fixes).
   - s390/cio: make ccw_device_dma_* more robust (bsc#1193243 LTC#195549).
   - s390/cio: verify the driver availability for path_event call
     (bsc#1195928 LTC#196418).
   - s390/cpumf: Support for CPU Measurement Facility CSVN 7 (bsc#1195081
   - s390/cpumf: Support for CPU Measurement Sampling Facility LS bit
     (bsc#1195081 LTC#196088).
   - s390/pci: add s390_iommu_aperture kernel parameter (bsc#1193233
   - s390/pci: move pseudo-MMIO to prevent MIO overlap (bsc#1194967
   - s390/protvirt: fix error return code in uv_info_init() (jsc#SLE-22135).
   - s390/sclp: fix Secure-IPL facility detection (bsc#1191741 LTC#194816).
   - s390/uv: add prot virt guest/host indication files (jsc#SLE-22135).
   - s390/uv: fix prot virt host indication compilation (jsc#SLE-22135).
   - scsi: core: Add a new error code DID_TRANSPORT_MARGINAL in scsi.h
   - scsi: core: Add limitless cmd retry support (bsc#1195506).
   - scsi: core: No retries on abort success (bsc#1195506).
   - scsi: kABI fix for 'eh_should_retry_cmd' (bsc#1195506).
   - scsi: lpfc: Add support for eh_should_retry_cmd() (bsc#1195506).
   - scsi: lpfc: Fix pt2pt NVMe PRLI reject LOGO loop (bsc#1189126).
   - scsi: qla2xxx: Add devids and conditionals for 28xx (bsc#1195823).
   - scsi: qla2xxx: Add marginal path handling support (bsc#1195506).
   - scsi: qla2xxx: Add ql2xnvme_queues module param to configure number of
     NVMe queues (bsc#1195823).
   - scsi: qla2xxx: Add qla2x00_async_done() for async routines (bsc#1195823).
   - scsi: qla2xxx: Add retry for exec firmware (bsc#1195823).
   - scsi: qla2xxx: Check for firmware dump already collected (bsc#1195823).
   - scsi: qla2xxx: Fix T10 PI tag escape and IP guard options for 28XX
     adapters (bsc#1195823).
   - scsi: qla2xxx: Fix device reconnect in loop topology (bsc#1195823).
   - scsi: qla2xxx: Fix premature hw access after PCI error (bsc#1195823).
   - scsi: qla2xxx: Fix scheduling while atomic (bsc#1195823).
   - scsi: qla2xxx: Fix stuck session in gpdb (bsc#1195823).
   - scsi: qla2xxx: Fix unmap of already freed sgl (bsc#1195823).
   - scsi: qla2xxx: Fix warning for missing error code (bsc#1195823).
   - scsi: qla2xxx: Fix warning message due to adisc being flushed
   - scsi: qla2xxx: Fix wrong FDMI data for 64G adapter (bsc#1195823).
   - scsi: qla2xxx: Implement ref count for SRB (bsc#1195823).
   - scsi: qla2xxx: Refactor asynchronous command initialization
   - scsi: qla2xxx: Remove a declaration (bsc#1195823).
   - scsi: qla2xxx: Remove unused qla_sess_op_cmd_list from scsi_qla_host_t
   - scsi: qla2xxx: Return -ENOMEM if kzalloc() fails (bsc#1195823).
   - scsi: qla2xxx: Suppress a kernel complaint in qla_create_qpair()
   - scsi: qla2xxx: Update version to (bsc#1195823).
   - scsi: qla2xxx: Update version to (bsc#1195823).
   - scsi: qla2xxx: edif: Fix clang warning (bsc#1195823).
   - scsi: qla2xxx: edif: Fix inconsistent check of db_flags (bsc#1195823).
   - scsi: qla2xxx: edif: Reduce connection thrash (bsc#1195823).
   - scsi: qla2xxx: edif: Replace list_for_each_safe with
     list_for_each_entry_safe (bsc#1195823).
   - scsi: qla2xxx: edif: Tweak trace message (bsc#1195823).
   - scsi: scsi_transport_fc: Add a new rport state FC_PORTSTATE_MARGINAL
   - scsi: scsi_transport_fc: Add store capability to rport port_state in
     sysfs (bsc#1195506).
   - scsi: target: iscsi: Fix cmd abort fabric stop race (bsc#1195286).
   - scsi: zfcp: Fix failed recovery on gone remote port with non-NPIV FCP
     devices (bsc#1195378 LTC#196244).
   - scsi_transport_fc: kabi fix blank out FC_PORTSTATE_MARGINAL
   - staging/fbtft: Fix backlight (git-fixes).
   - staging: fbtft: Fix error path in fbtft_driver_module_init() (git-fixes).
   - tracing: Do not inc err_log entry count if entry allocation fails
   - tracing: Dump stacktrace trigger to the corresponding instance
   - tracing: Fix smatch warning for null glob in event_hist_trigger_parse()
   - tracing: Have traceon and traceoff trigger honor the instance
   - tracing: Propagate is_signed to expression (git-fixes).
   - usb: dwc2: Fix NULL qh in dwc2_queue_transaction (git-fixes).
   - usb: dwc2: gadget: do not try to disable ep0 in dwc2_hsotg_suspend
   - usb: dwc3: do not set gadget->is_otg flag (git-fixes).
   - usb: dwc3: gadget: Prevent core from processing stale TRBs (git-fixes).
   - usb: f_fs: Fix use-after-free for epfile (git-fixes).
   - usb: gadget: f_uac2: Define specific wTerminalType (git-fixes).
   - usb: gadget: rndis: check size of RNDIS_MSG_SET command (git-fixes).
   - usb: gadget: s3c: remove unused 'udc' variable (git-fixes).
   - usb: gadget: udc: renesas_usb3: Fix host to USB_ROLE_NONE transition
   - usb: host: ehci-tegra: Fix error handling in tegra_ehci_probe()
   - usb: ulpi: Call of_node_put correctly (git-fixes).
   - usb: ulpi: Move of_node_put to ulpi_dev_release (git-fixes).

Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Realtime 15-SP3:

      zypper in -t patch SUSE-SLE-Module-RT-15-SP3-2022-763=1

   - SUSE Linux Enterprise Micro 5.1:

      zypper in -t patch SUSE-SUSE-MicroOS-5.1-2022-763=1

Package List:

   - SUSE Linux Enterprise Module for Realtime 15-SP3 (noarch):


   - SUSE Linux Enterprise Module for Realtime 15-SP3 (x86_64):


   - SUSE Linux Enterprise Micro 5.1 (x86_64):



More information about the sle-security-updates mailing list