SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2015:2350-1
Rating: important
References: #814440 #879378 #879381 #900610 #904348 #904965
#921081 #926709 #926774 #930145 #930770 #930788
#930835 #932805 #935053 #935123 #935757 #937256
#937444 #937969 #937970 #938706 #939207 #939826
#939926 #939955 #940017 #940913 #940946 #941202
#942938 #943786 #944677 #944831 #944837 #944989
#944993 #945691 #945825 #945827 #946078 #946214
#946309 #947957 #948330 #948347 #948521 #949100
#949298 #949502 #949706 #949744 #949936 #949981
#950298 #950750 #950998 #951440 #952084 #952384
#952579 #952976 #953527 #953799 #953980 #954404
#954628 #954950 #954984 #955354 #955673 #956709

Cross-References: CVE-2015-0272 CVE-2015-5157 CVE-2015-5307
CVE-2015-6937 CVE-2015-7509 CVE-2015-7799
CVE-2015-7872 CVE-2015-7990 CVE-2015-8104
CVE-2015-8215
Affected Products:
SUSE Linux Enterprise Real Time Extension 11-SP4
SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

An update that solves 10 vulnerabilities and has 62 fixes
is now available.

Description:

The SUSE Linux Enterprise 11 SP4 Realtime kernel was updated to receive
various security and bugfixes.

Following security bugs were fixed:
– CVE-2015-7509: Mounting a prepared ext2 filesystem as ext4 could lead to
a local denial of service (crash) (bsc#956709).
– CVE-2015-7799: The slhc_init function in drivers/net/slip/slhc.c in the
Linux kernel did not ensure that certain slot numbers are valid, which
allowed local users to cause a denial of service (NULL pointer
dereference and system crash) via a crafted PPPIOCSMAXCID ioctl call
(bnc#949936).
– CVE-2015-8104: The KVM subsystem in the Linux kernel allowed guest OS
users to cause a denial of service (host OS panic or hang) by triggering
many #DB (aka Debug) exceptions, related to svm.c (bnc#954404).
– CVE-2015-5307: The KVM subsystem in the Linux kernel allowed guest OS
users to cause a denial of service (host OS panic or hang) by triggering
many #AC (aka Alignment Check) exceptions, related to svm.c and vmx.c
(bnc#953527).
– CVE-2015-7990: RDS: Verify the underlying transport exists before
creating a connection, preventing possible DoS (bsc#952384).
– CVE-2015-5157: arch/x86/entry/entry_64.S in the Linux kernel on the
x86_64 platform mishandled IRET faults in processing NMIs that
occurred during userspace execution, which might allow local users to
gain privileges by triggering an NMI (bnc#937969 937970 938706 939207).
– CVE-2015-7872: The key_gc_unused_keys function in security/keys/gc.c in
the Linux kernel allowed local users to cause a denial of service (OOPS)
via crafted keyctl commands (bnc#951440).
– CVE-2015-8215: net/ipv6/addrconf.c in the IPv6 stack in the Linux kernel
did not validate attempted changes to the MTU value, which allowed
context-dependent attackers to cause a denial of service (packet loss)
via a value that is (1) smaller than the minimum compliant value or (2)
larger than the MTU of an interface, as demonstrated by a Router
Advertisement (RA) message that is not validated by a daemon, a
different vulnerability than CVE-2015-0272. NOTE: the scope of
CVE-2015-0272 is limited to the NetworkManager product. (bnc#955354).
– CVE-2015-6937: The __rds_conn_create function in net/rds/connection.c in
the Linux kernel allowed local users to cause a denial of service (NULL
pointer dereference and system crash) or possibly have unspecified
other impact by using a socket that was not properly bound (bnc#945825).

The following non-security bugs were fixed:
– af_xhci: avoid path quiesce of severed path in shutdown() (bnc#946214,
LTC#131684).
– ahci: Add Device ID for Intel Sunrise Point PCH (bsc#953799).
– alsa: hda – Disable 64bit address for Creative HDA controllers
(bnc#814440).
– blktap: also call blkif_disconnect() when frontend switched to closed
(bsc#952976).
– blktap: refine mm tracking (bsc#952976).
– cachefiles: Avoid deadlocks with fs freezing (bsc#935123).
– dm: do not start current request if it would’ve merged with the previous
(bsc#904348).
– dm: impose configurable deadline for dm_request_fn’s merge heuristic
(bsc#904348).
– dm-snap: avoid deadock on s->lock when a read is split (bsc#939826).
– dm sysfs: introduce ability to add writable attributes (bsc#904348).
– drivers: hv: do not do hypercalls when hypercall_page is NULL.
– drivers: hv: kvp: move poll_channel() to hyperv_vmbus.h.
– drivers: hv: util: move kvp/vss function declarations to hyperv_vmbus.h.
– drivers: hv: vmbus: add special crash handler (bnc#930770).
– drivers: hv: vmbus: add special kexec handler.
– drivers: hv: vmbus: Get rid of some unused definitions.
– drivers: hv: vmbus: Implement the protocol for tearing down vmbus state.
– drivers: hv: vmbus: kill tasklets on module unload.
– drivers: hv: vmbus: prefer “die” notification chain to ‘panic’.
– drivers: hv: vmbus: remove hv_synic_free_cpu() call from
hv_synic_cleanup().
– drivers: hv: vmbus: unregister panic notifier on module unload.
– driver: Vmxnet3: Fix ethtool -S to return correct rx queue stats
(bsc#950750).
– drm/i915: add hotplug activation period to hotplug update mask
(bsc#953980).
– drm/i915: Avoid race of intel_crt_detect_hotplug() with HPD interrupt,
v2 (bsc#942938).
– drm/i915: Fix DDC probe for passive adapters (bsc#900610, fdo#85924).
– fix lpfc_send_rscn_event allocation size claims bnc#935757
– fs: Avoid deadlocks of fsync_bdev() and fs freezing (bsc#935123).
– fs: Fix deadlocks between sync and fs freezing (bsc#935123).
– hugetlb: simplify migrate_huge_page() (bnc#947957, VM Functionality).
– hwpoison, hugetlb: lock_page/unlock_page does not match for handling a
free hugepage (bnc#947957, VM Functionality).
– IB/srp: Avoid skipping srp_reset_host() after a transport error
(bsc#904965).
– IB/srp: Fix a sporadic crash triggered by cable pulling (bsc#904965).
– Import SP4-RT GA kabi files
– ipr: Fix incorrect trace indexing (bsc#940913).
– ipr: Fix invalid array indexing for HRRQ (bsc#940913).
– ipv6: fix tunnel error handling (bsc#952579).
– ipvs: drop first packet to dead server (bsc#946078).
– ipvs: Fix reuse connection if real server is dead (bnc#945827).
– kernel: correct uc_sigmask of the compat signal frame (bnc#946214,
LTC#130124).
– kernel: fix incorrect use of DIAG44 in continue_trylock_relax()
(bnc#946214, LTC#132100).
– kexec: Fix race between panic() and crash_kexec() called directly
(bnc#937444).
– keys: Fix race between key destruction and finding a keyring by name
(bsc#951440).
– ktime: add ktime_after and ktime_before helpe (bsc#904348).
– lib/string.c: introduce memchr_inv() (bnc#930788).
– lpfc: Fix cq_id masking problem (bsc#944677).
– macvlan: Support bonding events bsc#948521
– Make sure XPRT_CONNECTING gets cleared when needed (bsc#946309).
– memory-failure: do code refactor of soft_offline_page() (bnc#947957, VM
Functionality).
– memory-failure: fix an error of mce_bad_pages statistics (bnc#947957, VM
Functionality).
– memory-failure: use num_poisoned_pages instead of mce_bad_pages
(bnc#947957, VM Functionality).
– memory-hotplug: update mce_bad_pages when removing the memory
(bnc#947957, VM Functionality).
– mm: exclude reserved pages from dirtyable memory 32b fix (bnc#940017,
bnc#949298).
– mm: fix GFP_THISNODE callers and clarify (bsc#954950, VM Functionality).
– mm/memory-failure.c: fix wrong num_poisoned_pages in handling memory
error on thp (bnc#947957, VM Functionality).
– mm/memory-failure.c: recheck PageHuge() after hugetlb page migrate
successfully (bnc#947957, VM Functionality).
– mm/migrate.c: pair unlock_page() and lock_page() when migrating huge
pages (bnc#947957, VM Functionality).
– mm: remove GFP_THISNODE (bsc#954950, VM Functionality).
– mm: sl[au]b: add knowledge of PFMEMALLOC reserve pages (Swap over NFS
(fate#304949)).
– Modified -rt patches: 343 of 434, noise elided.
– net/core: Add VF link state control policy (bsc#950298).
– netfilter: xt_recent: fix namespace destroy path (bsc#879378).
– NFSv4: Fix two infinite loops in the mount code (bsc#954628).
– panic/x86: Allow cpus to save registers even if they (bnc#940946).
– panic/x86: Fix re-entrance problem due to panic on (bnc#937444).
– pci: Add dev_flags bit to access VPD through function 0 (bnc#943786).
– pci: Add VPD function 0 quirk for Intel Ethernet devices (bnc#943786).
– pci: Clear NumVFs when disabling SR-IOV in sriov_init() (bnc#952084).
– pci: delay configuration of SRIOV capability (bnc#952084).
– pci: Refresh First VF Offset and VF Stride when updating NumVFs
(bnc#952084).
– pci: set pci sriov page size before reading SRIOV BAR (bnc#952084).
– pci: Update NumVFs register when disabling SR-IOV (bnc#952084).
– pktgen: clean up ktime_t helpers (bsc#904348).
– qla2xxx: do not clear slot in outstanding cmd array (bsc#944993).
– qla2xxx: Do not reset adapter if SRB handle is in range (bsc#944993).
– qla2xxx: Remove decrement of sp reference count in abort handler
(bsc#944993).
– qla2xxx: Remove unavailable firmware files (bsc#921081).
– qlge: Fix qlge_update_hw_vlan_features to handle if interface is down
(bsc#930835).
– quota: Fix deadlock with suspend and quotas (bsc#935123).
– rcu: Eliminate deadlock between CPU hotplug and expedited grace periods
(bsc#949706).
– Refresh patches.xen/1282-usbback-limit-copying.patch (bsc#941202).
– rtc: cmos: Cancel alarm timer if alarm time is equal to now+1 seconds
(bsc#930145).
– rtnetlink: Fix VF IFLA policy (bsc#950298).
– rtnetlink: fix VF info size (bsc#950298).
– s390/dasd: fix disconnected device with valid path mask (bnc#946214,
LTC#132707).
– s390/dasd: fix invalid PAV assignment after suspend/resume (bnc#946214,
LTC#132706).
– s390/dasd: fix list_del corruption after lcu changes (bnc#954984,
LTC#133077).
– s390/pci: handle events for unused functions (bnc#946214, LTC#130628).
– s390/pci: improve handling of hotplug event 0x301 (bnc#946214,
LTC#130628).
– s390/pci: improve state check when processing hotplug events
(bnc#946214, LTC#130628).
– sched/core: Fix task and run queue sched_info::run_delay inconsistencies
(bnc#949100).
– scsi: hosts: update to use ida_simple for host_no (bsc#939926)
– sg: fix read() error reporting (bsc#926774).
– sunrpc: refactor rpcauth_checkverf error returns (bsc#955673).
– Update patches.fixes/fanotify-fix-deadlock-during-thread-exit.patch
(bsc#935053, bsc#926709). Add bug reference.
– usbback: correct copy length for partial transfers (bsc#941202).
– usbvision fix overflow of interfaces array (bnc#950998).
– usb: xhci: apply XHCI_AVOID_BEI quirk to all Intel xHCI controllers
(bnc#944989).
– veth: extend device features (bsc#879381).
– vfs: Provide function to get superblock and wait for it to thaw
(bsc#935123).
– vmxnet3: adjust ring sizes when interface is down (bsc#950750).
– vmxnet3: fix ethtool ring buffer size setting (bsc#950750).
– writeback: Skip writeback for frozen filesystem (bsc#935123).
– x86/evtchn: make use of PHYSDEVOP_map_pirq.
– x86: mm: drop TLB flush from ptep_set_access_flags (bsc#948330).
– x86: mm: only do a local tlb flush in ptep_set_access_flags()
(bsc#948330).
– x86, pageattr: Prevent overflow in slow_virt_to_phys() for X86_PAE
(fate#317533, bnc#937256).
– xen: x86, pageattr: Prevent overflow in slow_virt_to_phys() for X86_PAE
(fate#317533, bnc#937256).
– xfs: add background scanning to clear eofblocks inodes (bnc#930788).
– xfs: add EOFBLOCKS inode tagging/untagging (bnc#930788).
– xfs: add inode id filtering to eofblocks scan (bnc#930788).
– xfs: add minimum file size filtering to eofblocks scan (bnc#930788).
– xfs: add XFS_IOC_FREE_EOFBLOCKS ioctl (bnc#930788).
– xfs: create function to scan and clear EOFBLOCKS inodes (bnc#930788).
– xfs: create helper to check whether to free eofblocks on inode
(bnc#930788).
– xfs: Fix lost direct IO write in the last block (bsc#949744).
– xfs: Fix softlockup in xfs_inode_ag_walk() (bsc#948347).
– xfs: introduce a common helper xfs_icluster_size_fsb (bsc#932805).
– xfs: make xfs_free_eofblocks() non-static, return EAGAIN on trylock
failure (bnc#930788).
– xfs: support a tag-based inode_ag_iterator (bnc#930788).
– xfs: support multiple inode id filtering in eofblocks scan (bnc#930788).
– xfs: use xfs_icluster_size_fsb in xfs_bulkstat (bsc#932805).
– xfs: use xfs_icluster_size_fsb in xfs_ialloc_inode_init (bsc#932805).
– xfs: use xfs_icluster_size_fsb in xfs_ifree_cluster (bsc#932805).
– xfs: use xfs_icluster_size_fsb in xfs_imap (bsc#932805).
– xhci: Add spurious wakeup quirk for LynxPoint-LP controllers
(bnc#949981).
– xhci: Calculate old endpoints correctly on device reset (bnc#944831).
– xhci: change xhci 1.0 only restrictions to support xhci 1.1 (bnc#949502).
– xhci: fix isoc endpoint dequeue from advancing too far on transaction
error (bnc#944837).
– xhci: For streams the css flag most be read from the stream-ctx on ep
stop (bnc#945691).
– xhci: silence TD warning (bnc#939955).
– xhci: use uninterruptible sleep for waiting for internal operations
(bnc#939955).

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

– SUSE Linux Enterprise Real Time Extension 11-SP4:

zypper in -t patch slertesp4-kernel-rt-20151204-12284=1

– SUSE Linux Enterprise Debuginfo 11-SP4:

zypper in -t patch dbgsp4-kernel-rt-20151204-12284=1

To bring your system up-to-date, use “zypper patch”.

Package List:

– SUSE Linux Enterprise Real Time Extension 11-SP4 (x86_64):

kernel-rt-3.0.101.rt130-48.1
kernel-rt-base-3.0.101.rt130-48.1
kernel-rt-devel-3.0.101.rt130-48.1
kernel-rt_trace-3.0.101.rt130-48.1
kernel-rt_trace-base-3.0.101.rt130-48.1
kernel-rt_trace-devel-3.0.101.rt130-48.1
kernel-source-rt-3.0.101.rt130-48.1
kernel-syms-rt-3.0.101.rt130-48.1

– SUSE Linux Enterprise Debuginfo 11-SP4 (x86_64):

kernel-rt-debuginfo-3.0.101.rt130-48.1
kernel-rt-debugsource-3.0.101.rt130-48.1
kernel-rt_debug-debuginfo-3.0.101.rt130-48.1
kernel-rt_debug-debugsource-3.0.101.rt130-48.1
kernel-rt_trace-debuginfo-3.0.101.rt130-48.1
kernel-rt_trace-debugsource-3.0.101.rt130-48.1

References:

https://www.suse.com/security/cve/CVE-2015-0272.html
https://www.suse.com/security/cve/CVE-2015-5157.html
https://www.suse.com/security/cve/CVE-2015-5307.html
https://www.suse.com/security/cve/CVE-2015-6937.html
https://www.suse.com/security/cve/CVE-2015-7509.html
https://www.suse.com/security/cve/CVE-2015-7799.html
https://www.suse.com/security/cve/CVE-2015-7872.html
https://www.suse.com/security/cve/CVE-2015-7990.html
https://www.suse.com/security/cve/CVE-2015-8104.html
https://www.suse.com/security/cve/CVE-2015-8215.html
https://bugzilla.suse.com/814440
https://bugzilla.suse.com/879378
https://bugzilla.suse.com/879381
https://bugzilla.suse.com/900610
https://bugzilla.suse.com/904348
https://bugzilla.suse.com/904965
https://bugzilla.suse.com/921081
https://bugzilla.suse.com/926709
https://bugzilla.suse.com/926774
https://bugzilla.suse.com/930145
https://bugzilla.suse.com/930770
https://bugzilla.suse.com/930788
https://bugzilla.suse.com/930835
https://bugzilla.suse.com/932805
https://bugzilla.suse.com/935053
https://bugzilla.suse.com/935123
https://bugzilla.suse.com/935757
https://bugzilla.suse.com/937256
https://bugzilla.suse.com/937444
https://bugzilla.suse.com/937969
https://bugzilla.suse.com/937970
https://bugzilla.suse.com/938706
https://bugzilla.suse.com/939207
https://bugzilla.suse.com/939826
https://bugzilla.suse.com/939926
https://bugzilla.suse.com/939955
https://bugzilla.suse.com/940017
https://bugzilla.suse.com/940913
https://bugzilla.suse.com/940946
https://bugzilla.suse.com/941202
https://bugzilla.suse.com/942938
https://bugzilla.suse.com/943786
https://bugzilla.suse.com/944677
https://bugzilla.suse.com/944831
https://bugzilla.suse.com/944837
https://bugzilla.suse.com/944989
https://bugzilla.suse.com/944993
https://bugzilla.suse.com/945691
https://bugzilla.suse.com/945825
https://bugzilla.suse.com/945827
https://bugzilla.suse.com/946078
https://bugzilla.suse.com/946214
https://bugzilla.suse.com/946309
https://bugzilla.suse.com/947957
https://bugzilla.suse.com/948330
https://bugzilla.suse.com/948347
https://bugzilla.suse.com/948521
https://bugzilla.suse.com/949100
https://bugzilla.suse.com/949298
https://bugzilla.suse.com/949502
https://bugzilla.suse.com/949706
https://bugzilla.suse.com/949744
https://bugzilla.suse.com/949936
https://bugzilla.suse.com/949981
https://bugzilla.suse.com/950298
https://bugzilla.suse.com/950750
https://bugzilla.suse.com/950998
https://bugzilla.suse.com/951440
https://bugzilla.suse.com/952084
https://bugzilla.suse.com/952384
https://bugzilla.suse.com/952579
https://bugzilla.suse.com/952976
https://bugzilla.suse.com/953527
https://bugzilla.suse.com/953799
https://bugzilla.suse.com/953980
https://bugzilla.suse.com/954404
https://bugzilla.suse.com/954628
https://bugzilla.suse.com/954950
https://bugzilla.suse.com/954984
https://bugzilla.suse.com/955354
https://bugzilla.suse.com/955673
https://bugzilla.suse.com/956709

—
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org