Security update for the Linux Kernel

This update for kernel-source-arm64 fixes the following issues:

- kABI fixes for 4.1.22
- Add some fixups (module, pci_dev, drm, fuse and thermal)
- Add kabi/severities entries to ignore sound/hda/*, x509_*,
efivar_validate, file_open_root and dax_fault

- Linux 4.1.22 (CVE-2015-8539 CVE-2015-8812 CVE-2016-2184
CVE-2016-2185 CVE-2016-2186 CVE-2016-2188 CVE-2016-3138
CVE-2016-3689 bsc#958463 bsc#970911 bsc#970956 bsc#970958
bsc#971124 bsc#971628 bsc#954532 bsc#954876 bsc#975868
bsc#966437 bsc#971125).

- of: iommu: Silence misleading warning.
- USB: usbip: fix potential out-of-bounds write (bsc#975945).
- Revert "drm/radeon: call hpd_irq_event on resume" (bsc#975868).
- pipe: limit the per-user amount of pages allocated in pipes (bsc#970948 CVE-2016-2847).
- Fix kABI additions for pipe: limit the per-user amount of pages allocated in pipes.
- USB: mct_u232: add sanity checking in probe (bsc#970955, CVE-2016-3136).
- USB: iowarrior: fix oops with malicious USB descriptors (bsc#970956, CVE-2016-2188).
- USB: cdc-acm: more sanity checking (bsc#970911, CVE-2016-3138).
- USB: cypress_m8: add endpoint sanity check (bsc#970970, CVE-2016-3137).
- cdc_ncm: do not call usbnet_link_change from cdc_ncm_bind (bsc#974418, CVE-2016-3951).
- USB: digi_acceleport: do sanity checking for the number of ports (bsc#970892, CVE-2016-3140).

- Linux 4.1.21.

- arm64: Update config file and enable CONFIG_FB_EFI

- efi/arm*: efifb: expose efifb platform device if GOP is available (bsc#974215).
- efi/arm*: libstub: wire up GOP handling into the ARM UEFI stub (bsc#974215).
- efi: efifb: use builtin_platform_driver and drop unused includes (bsc#974215).
- efi/x86: efifb: move DMI based quirks handling out of generic code (bsc#974215).
- efi/x86: libstub: move to generic GOP code (bsc#974215).
- efi: libstub: move Graphics Output Protocol handling to generic code (bsc#974215).
- efi: make install_configuration_table() boot service usable (bsc#974215).
- efifb: Add support for 64-bit frame buffer addresses (bsc#974215).

- Input: powermate - fix oops with malicious USB descriptors (bsc#970958, CVE-2016-2186).
- USB: usb_driver_claim_interface: add sanity checking (bsc#971124, CVE-2016-2185).
- Input: ims-pcu - sanity check against missing interfaces (bsc#971628, CVE-2016-3689).

- ALSA: timer: Use mod_timer() for rearming the system timer (bsc#973378).
- ALSA: timer: Call notifier in the same spinlock (bsc#973378).
- ALSA: timer: Protect the whole snd_timer_close() with open race (bsc#973378).
- ALSA: timer: Sync timer deletion at closing the system timer (bsc#973378).

- backends: guarantee one time reads of shared ring contents (bsc#957988).
- netback: don't use last request to determine minimum Tx credit (bsc#957988).
- Update Xen patches to 4.1.20.

- Update kabi files from kernel 4.1.20-11

- Backport arm64 patches from SLE12-SP1-ARM
- net: thunderx: Use napi_schedule_irqoff() (fate#319980).
- Update config files: Enable RTC_HCTOSYS, build I2C_XGENE_SLIMPRO as a module.

- ipv4: Don't do expensive useless work during inetdev destroy (CVE-2016-3156 bsc#971360).

- ext4: fix races of writeback with punch hole and zero range (bsc#972174).
- ext4: fix races between buffered IO and collapse / insert range (bsc#972174).
- ext4: move unlocked dio protection from ext4_alloc_file_blocks() (bsc#972174).
- ext4: fix races between page faults and hole punching (bsc#972174).

- net: thunderx: Use napi_schedule_irqoff() (fate#319980).

- Linux 4.1.20 (bsc#954647 bsc#954876).

- ALSA: usb-audio: Add sanity checks for endpoint accesses (CVE-2016-2184, bsc#971125).
- ALSA: usb-audio: Fix NULL dereference in create_fixed_stream_quirk() (CVE-2016-2184, bsc#971125).

- Backport patches from SLE12-SP1-ARM
- PCI: thunder: Add PCIe host driver for ThunderX processors
- PCI: thunder: Add driver for ThunderX-pass{1,2} on-chip devices
- arm64: Add workaround for Cavium erratum 27456.
- Update numa patches to v15
- Update config files

- arm64: Update config files.
Enable PCI_HOST_THUNDER_ECAM and PCI_HOST_THUNDER_PEM.

- PCI: thunder: Add driver for ThunderX-pass{1,2} on-chip devices (fate#319484).
- PCI: thunder: Add PCIe host driver for ThunderX processors (fate#319484).
- PCI: generic: Expose pci_host_common_probe() for use by other drivers (fate#319484).
- PCI: generic: Add pci_host_common_probe(), based on gen_pci_probe() (fate#319484).
- PCI: generic: Move structure definitions to separate header file (fate#319484).

- arm64: Update numa patch set to v15
- [v15, 1/6] efi: ARM/arm64: ignore DT memory nodes instead of removing them (fate#319973).
- [v15,2/6] Documentation, dt, numa: dt bindings for NUMA (fate#319973).
- [v15,3/6] of, numa: Add NUMA of binding implementation (fate#319973).
- [v15,4/6] arm64: Move unflatten_device_tree() call earlier (fate#319973).
- [v15,6/6] arm64, mm, numa: Add NUMA balancing support for arm64 (fate#319973).
- [v15,5/6] arm64, numa: Add NUMA support for arm64 platforms (fate#319973).

- kabi/severities: ignore ip6_route_output symbol lost
It's inlined in 4.1.19.

- hda_jack_callback kabi fix for 4.1.19.
- net kabi fixes for 4.1.19.
- cgroup kabi fix for 4.1.19.

- Linux 4.1.19 (CVE-2016-2383 CVE-2016-2384 bsc#966684 bsc#966693 bsc#968018).

- ibmvnic: Fix ibmvnic_capability struct.

- Update config files: Modularize NF_REJECT_IPV4/V6
There is no reason why these helper modules should be built-in when
the rest of netfilter is built as modules.

- Disable Skylake support in intel_idle driver again (bsc#969582)
This turned out to bring a regression on some machines, unfortunately.
It should be addressed in the upstream at first.

- intel_idle: Skylake Client Support - updated (bsc#969582).
- intel_idle: Skylake Client Support (bsc#969582).
- intel_idle: allow idle states to be freeze-mode specific (bsc#969582).

- cuse: fix memory leak (bsc#969356, CVE-2015-1339).

- series.conf: move cxgb3 patch to network drivers section

- ALSA: seq: Fix leak of pool buffer at concurrent writes (bsc#968018).
- ALSA: timer: Fix race between stop and interrupt (bsc#968018).
- ALSA: timer: Fix wrong instance passed to slave callbacks (bsc#968018).
- ALSA: seq: Fix double port list deletion (bsc#968018).

- Update config files.
Enable CAVIUM_ERRATUM_27456

- arm64: Add workaround for Cavium erratum 27456.
- arm64: alternative: Provide if/else/endif assembler macros.
- arm64: alternative: Merge alternative-asm.h into alternative.h.

- config: arm64: compile xgene-slimpro as a module

- ALSA: hda - Apply clock gate workaround to Skylake, too (bsc#966137).
- ALSA: hda - disable dynamic clock gating on Broxton before reset (bsc#966137).
- ALSA: hda - Fix playback noise with 24/32 bit sample size on BXT (bsc#966137).

- drm/i915: Pin the ifbdev for the info->system_base GGTT mmapping (bsc#962866, bsc#966179).
- drm/i915: Fix failure paths around initial fbdev allocation (bsc#962866, bsc#966179).
- drm/i915: Fix double unref in intelfb_alloc failure path (bsc#962866, bsc#966179).

- kabi/severities: Ignore drivers/mfd/tps65218 and lpddr2_jedec_*
These are from 2 useless drivers that were removed, nobody needs
these symbols.

- Update s390x/vanilla config file: disable MFD_SYSCON.

- Ignore kabi of net/ceph/*, drivers/targets/* & co
The recent ARM64 patches brought kABI breakage on ceph and targets.
Ignore these changes, as they should be either in-kernel or a full
set of KMP.

- bpf: fix branch offset adjustment on backjumps after patching
ctx expansion (bsc#966684, CVE-2016-2383).

- Backport arm64 patches from SLE12-SP1-ARM
Add: libceph: fix scatterlist last_piece calculation (bsc#963746).

- Ignore dm-snapshot kABI changes
4.1.18 changed the signature slightly, but this isn't used anywhere else.

- Ignore kABI for crypto/*
4.1.18 changed the codes in crypto a lot, and also more will come in
near future, too. We support only our own crypto modules, so let's
ignore kABI changes to make our lives easier.
- kABI fixes for 4.1.18 thermal changes.
- kABI fixes for 4.1.18 drm changes.
- kABI fix for 4.1.18 ceph changes.

- Linux 4.1.18 (CVE-2016-0723 bsc#961500 bsc#962257).

- ptrace: being capable wrt a process requires mapped uids/gids (bsc#959709 bsc#960561 CVE-2015-8709).
- iw_cxgb3: Fix incorrectly returning error on success (bsc#966437, CVE-2015-8812).

- Update x86 config files: Enable Intel RAPL
This driver is useful when power capping is needed. It was enabled in
the SLE kernel 2 years ago.

- Update config files: Disable MFD_TPS65218
The TPS65218 is a power management IC for 32-bit ARM systems. Its
driver serves no purpose on other architectures. All sub-drivers were
already disabled anyway.

- ALSA: usb-audio: avoid freeing umidi object twice (CVE-2016-2384, bsc#966693).
- e1000e: Avoid divide by zero error (bsc#965125).
- e1000e: fix division by zero on jumbo MTUs (bsc#965125).
- e1000e: Fix tight loop implementation of systime read algorithm (bsc#965125).
- e1000e: fix systim issues (bsc#965125).

- Btrfs: teach backref walking about backrefs with underflowed (bsc#966259).

- fuse: break infinite loop in fuse_fill_write_pages() (bsc#963765, CVE-2015-8785).

- Update s390x config files: CONFIG_ENCLOSURE_SERVICES
Per bsc#884701, CONFIG_ENCLOSURE_SERVICES isn't needed on S/390. It
was already disabled in SLE, so disable it in openSUSE too.

- libceph: fix scatterlist last_piece calculation (bsc#963746).

- Update config files: Disable CONFIG_DDR
CONFIG_DDR is selected automatically by drivers which need it. This
piece of helper code is useless in the absence of any such driver.

- kabi/severities: Drop inet_twsk_schedule symbol check
It's dropped from 4.1.17, but it's rather used only internally.

- Fix kABI for addition of unix_inflight to user_struct.

- Linux 4.1.17 (CVE-2015-7799 CVE-2015-7884 CVE-2015-8104
CVE-2015-8767 CVE-2016-2069 bsc#814440 bsc#951626
bsc#963767 bsc#954876 bsc#958504 bsc#960710
bsc#949936 bsc#954404 bsc#958439 bsc#961509
http://article.gmane.org/gmane.comp.security.oss.general/17908).

- sd: Optimal I/O size is in bytes, not sectors (bsc#961263).
- sd: Reject optimal transfer length smaller than page size (bsc#961263).

- netfilter: nf_nat_redirect: add missing NULL pointer check (CVE-2015-8787 bsc#963931).

- x86/mm: Add barriers and document switch_mm()-vs-flush synchronization (bsc#963767, CVE-2016-2069).

- n_tty: Fix unsafe reference to "other" ldisc (bsc#961500 CVE-2016-0723).
- tty: Fix unsafe ldisc reference via ioctl(TIOCGETD) (bsc#961500 CVE-2016-0723).

- ocfs2: fix dlmglue deadlock issue (bsc#962257).

- Linux 4.1.16 (CVE-2015-7550 CVE-2015-7872 CVE-2015-8543
CVE-2015-8569 CVE-2015-8575 bsc#958951 bsc#951440 bsc#958886
bsc#959190 bsc#959399).

- ALSA: hda - Flush the pending probe work at remove (bsc#960710).

- sctp: Prevent soft lockup when sctp_accept() is called during a timeout event (CVE-2015-8767 bsc#961509).
- HID: multitouch: fix input mode switching on some Elan panels (bsc#954532).
- HID: multitouch: Fetch feature reports on demand for Win8 devices (bsc#954532).

- Enable CONFIG_PINCTRL_CHERRYVIEW (bsc#954532)
Needed for recent tablets/laptops.
CONFIG_PINCTRL_BAYTRAIL is still disabled as it can't be built as a module.

- hwrng: core - sleep interruptible in read (bsc#962597).

- Backport arm64 patches from SLE12-SP1-ARM.
- Add LIO clustered RBD backend (fate#318836)

- keys-fix-leak (bsc#962075, CVE-2016-0728).

- rpm/kernel-binary.spec.in: Fix build if no UEFI certs are installed
- rpm/kernel-binary.spec.in: Install libopenssl-devel for newer sign-file

- Fix kABI breakage for max_dev_sectors addition to queue_limits (bsc#961263).
- block/sd: Fix device-imposed transfer length limits (bsc#961263).
- block: bump BLK_DEF_MAX_SECTORS to 2560 (bsc#961263).
- Revert "block: remove artifical max_hw_sectors cap" (bsc#961263).

- rpm/constraints.in: Bump disk space requirements up a bit
Require 10GB on s390x, 20GB elsewhere.

- rpm/compute-PATCHVERSION.sh: Skip stale directories in the package dir
- Add RHEL to kernel-obs-build

- group-source-files: mark module.lds as devel file
ld: cannot open linker script file /usr/src/linux-4.2.5-1/arch/arm/kernel/module.lds: No such file or directory

- rpm/kernel-binary.spec.in: really pass down %{?_smp_mflags}
- rpm/kernel-binary.spec.in: Use parallel make in all invocations
Also, remove the lengthy comment, since we are using a standard rpm
macro now.

- rpm/kernel-binary.spec.in: Delete one more DEBUG_SECTION_MISMATCH assignment
- rpm/kernel-binary.spec.in: Do not explicitly set DEBUG_SECTION_MISMATCH
CONFIG_DEBUG_SECTION_MISMATCH is a selectable Kconfig option since
2.6.39 and is enabled in our configs.
- rpm/kernel-binary.spec.in: No scriptlets in kernel-zfcpdump
The kernel should not be added to the bootloader nor are there any KMPs.
- Obsolete compat-wireless, rts5229 and rts_pstor KMPs
These are found in SLE11-SP3, now replaced with the upstream drivers.
- rpm/kernel-binary.spec.in: Do not obsolete ocfs2-kmp (bsc#865259)
- rpm/kernel-binary.spec.in: Obsolete the -base package from SLE11 (bsc#865096)

Fixed bugs
bnc#959709
VUL-0: kernel: privilege escalation in user namespaces
bnc#963767
VUL-0: CVE-2016-2069: kernel: race condition in the TLB flush logic
bnc#958886
VUL-1: CVE-2015-8543: kernel-source: connect IPv6/SOCK_RAW connect causes a denial of service
bnc#963765
VUL-0: CVE-2015-8785: kernel: fuse: possible denial of service in fuse_fill_write_pages()
bnc#972174
VUL-1: CVE-2015-8839: kernel: ext4 data corruption due to punch hole races
bnc#971124
VUL-1: CVE-2016-2185: kernel: Kernel panic on invalid USB device descriptor (ati_remote2 driver)
bnc#971125
VUL-1: CVE-2016-2184: kernel: Kernel panic on invalid USB device descriptor (snd_usb_audio driver)
bnc#962075
VUL-0: CVE-2016-0728: kernel: Use-after-free vulnerability in keyring facility
bnc#958951
VUL-0: CVE-2015-7550: kernel: User triggerable crash from race between key read and key revoke
bnc#971360
VUL-0: CVE-2016-3156: kernel-source: ipv4: denial of service when destroying a network interface
bnc#973378
[syzkaller] snd_timer BUG: KASAN: use-after-free in snd_timer_interrupt
bnc#954876
Sound burst when initiating Plasma 5 Desktop
bnc#961263
NCQ Timeout with SMR drives (e.g. Seagate 8tb hdd)
bnc#970970
VUL-1: CVE-2016-3137: kernel-source: Crash on invalid USB device descriptors (cypress_m8 driver)
bnc#962257
ocfs2: very bad performance when doing cluster IO
bnc#974418
VUL-0: CVE-2016-3951: kernel: usbnet: memory corruption triggered by invalid USB descriptor allowing for DoS
bnc#959399
VUL-1: CVE-2015-8575: kernel-source: information leak from getsockname in bluetooth/sco
bnc#970911
VUL-0: CVE-2016-3138: kernel-source: crash on invalid USB device descriptors (cdc_acm driver)
bnc#865259
[Test Case 1279393] [Build 0094] ocfs2-kmp-* not installed by default
bnc#970958
VUL-0: CVE-2016-2186: kernel-source: Kernel panic on invalid USB device descriptor (powermate driver)
bnc#959190
VUL-1: CVE-2015-8569: kernel: information leak using getsockname
bnc#974215
EFI framebuffer patches for arm64
bnc#966693
VUL-0: CVE-2016-2384: kernel: ALSA: usb-audio: double-free triggered by invalid USB descriptor
bnc#962866
BUG: unable to handle kernel NULL pointer dereference at 0000000000000060 in intel_fb_obj_invalidate+0x1c/0xf0 [i915]
bnc#954404
VUL-0: CVE-2015-8104: kernel: kvm: virt: guest to host DoS by triggering an infinite loop in microcode via #DB exception
bnc#970955
VUL-1: CVE-2016-3136: kernel-source: Crash on invalid USB device descriptors (mct_u232 driver)
bnc#970956
VUL-0: CVE-2016-2188: kernel-source: Kernel panic on invalid USB device descriptor (iowarrior driver)
bnc#960710
crash when unloading+loading snd_hda_intel
bnc#958439
Noise in headphones when shutting down or rebooting
bnc#954647
Fixes for Dell headset are missing from Leap 4.1.x kernel
bnc#884701
Removing Kernel Modules from s390x kernel
bnc#951626
VUL-0: CVE-2015-7884: kernel: ioctl infoleaks on vivid-osd
bnc#970892
VUL-0: CVE-2016-3140: kernel-source: crash on invalid USB device descriptors (digi_acceleport driver)
bnc#966179
[i915] framebuffer console remains black
bnc#966137
Installing with NVIDIA K420 does not show "Internal Audio"; sets "NVIDIA HDMI Audio" as default.
bnc#975868
xorg crash after upgrade to 4.1.20
bnc#963746
ISCSI target server crash: kernel BUG at ../net/ceph/messenger.c:1212!
bnc#961509
VUL-0: CVE-2015-8767: kernel: SCTP denial of service during heartbeat timeout functions
bnc#966437
VUL-0: CVE-2015-8812: kernel: CXGB3: Logic bug in return code handling prematurely frees key structures causing Use after free or kernel panic.
bnc#962597
virtio_rng causes long stalls during shutdown
bnc#971628
VUL-1: CVE-2016-3689: kernel: ims-pcu driver can be oopsed by malicious device
bnc#965125
kernel crashes with divide error: 0000 in e1000e driver
bnc#961500
VUL-0: CVE-2016-0723: kernel: Use-after-free in TIOCGETD ioctl
bnc#865096
[Test Case 1366807] kernel-default-base-3.12.10-2.3 package conflicts during upgrade SLES11SP3 to SLES12Beta1
bnc#975945
VUL-0: CVE-2016-3955: kernel: buffer overflow in usbip by trusting length of incoming packets
bnc#954532
Elantech Touchpad on Acer Aspire R11 not detected
bnc#970948
VUL-0: CVE-2016-2847: kernel-source: limit the per-user amount of pages allocated in pipes
bnc#814440
HP CSBU SP3 bug: driver for Creative Recon3D audio working in Beta3, broken in Beta4
bnc#966684
VUL-0: CVE-2016-2383: kernel: Incorrect branch fixups for eBPF allow arbitrary read
bnc#958504
Constant background noise on T440s and loud cracking noise after audio powersave
bnc#969356
VUL-0: CVE-2015-1339: kernel: Memory exhaustion via CUSE driver
bnc#970845
Kernel:openSUSE-42.1' 4.1.19-1.1.gba8f37b: xfs problems & kernel panic
bnc#968018
VUL-1: kernel: ALSA core issues reported by syzkaller fuzzer
bnc#966259
BTRFS send error: did not find backref in send_root
bnc#963931
VUL-0: CVE-2015-8787: kernel: Missing NULL pointer check in nf_nat_redirect_ipv4
bnc#958463
VUL-0: CVE-2015-8539: kernel: Fix handling of stored error in a negatively instantiated user key
bnc#951440
VUL-0: CVE-2015-7872: kernel: Keyrings crash triggerable by unprivileged user
bnc#957988
VUL-0: CVE-2015-8550: xen: paravirtualized drivers incautious about shared memory contents (XSA-155)
bnc#949936
VUL-0: CVE-2015-7799: kernel: Using the PPP character device driver caused the system to restart
bnc#969582
Missing support in intel_idle for Skylake
bnc#960561
VUL-0: CVE-2015-8709: kernel: ptrace: potential privilege escalation in user namespaces