Security update for the Linux Kernel

Announcement ID:	SUSE-SU-2020:3230-1
Rating:	important
References:	bsc#1065600 bsc#1155798 bsc#1168468 bsc#1171675 bsc#1175599 bsc#1175718 bsc#1176019 bsc#1176381 bsc#1176588 bsc#1176979 bsc#1177027 bsc#1177121 bsc#1177193 bsc#1177194 bsc#1177206 bsc#1177258 bsc#1177283 bsc#1177284 bsc#1177285 bsc#1177286 bsc#1177297 bsc#1177384 bsc#1177511 bsc#954532
Cross-References:	CVE-2020-25212 CVE-2020-25641 CVE-2020-25643 CVE-2020-25645
CVSS scores:	CVE-2020-25212 ( SUSE ): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2020-25212 ( NVD ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-25641 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-25641 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-25643 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2020-25643 ( NVD ): 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2020-25645 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2020-25645 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Products:	SUSE Linux Enterprise Real Time 15 SP2 SUSE Real Time Module 15-SP2

An update that solves four vulnerabilities and has 20 security fixes can now be installed.

Description:

The SUSE Linux Enterprise 15 SP2 kernel RT was updated to receive various security and bugfixes.

The following security bugs were fixed:

• CVE-2020-25212: Fixed getxattr kernel panic and memory overflow (bsc#1176381).
• CVE-2020-25643: Added range checks in ppp_cp_parse_cr() (bsc#1177206).
• CVE-2020-25641: Allowed for_each_bvec to support zero len bvec (bsc#1177121).
• CVE-2020-25645: Added transport ports in route lookup for geneve (bsc#1177511).

The following non-security bugs were fixed:

• 9p: Fix memory leak in v9fs_mount (git-fixes).
• ACPI: EC: Reference count query handlers under lock (git-fixes).
• airo: Fix read overflows sending packets (git-fixes).
• ar5523: Add USB ID of SMCWUSBT-G2 wireless adapter (git-fixes).
• ASoC: img-i2s-out: Fix runtime PM imbalance on error (git-fixes).
• ASoC: Intel: bytcr_rt5640: Add quirk for MPMAN Converter9 2-in-1 (git-fixes).
• ASoC: kirkwood: fix IRQ error handling (git-fixes).
• ASoC: wm8994: Ensure the device is resumed in wm89xx_mic_detect functions (git-fixes).
• ASoC: wm8994: Skip setting of the WM8994_MICBIAS register for WM1811 (git-fixes).
• ath10k: fix array out-of-bounds access (git-fixes).
• ath10k: fix memory leak for tpc_stats_final (git-fixes).
• ath10k: use kzalloc to read for ath10k_sdio_hif_diag_read (git-fixes).
• Bluetooth: Fix refcount use-after-free issue (git-fixes).
• Bluetooth: guard against controllers sending zero'd events (git-fixes).
• Bluetooth: Handle Inquiry Cancel error after Inquiry Complete (git-fixes).
• Bluetooth: L2CAP: handle l2cap config request during open state (git-fixes).
• Bluetooth: prefetch channel before killing sock (git-fixes).
• brcmfmac: Fix double freeing in the fmac usb data path (git-fixes).
• btrfs: block-group: do not set the wrong READA flag for btrfs_read_block_groups() (bsc#1176019).
• btrfs: block-group: fix free-space bitmap threshold (bsc#1176019).
• btrfs: block-group: refactor how we delete one block group item (bsc#1176019).
• btrfs: block-group: refactor how we insert a block group item (bsc#1176019).
• btrfs: block-group: refactor how we read one block group item (bsc#1176019).
• btrfs: block-group: rename write_one_cache_group() (bsc#1176019).
• btrfs: do not take an extra root ref at allocation time (bsc#1176019).
• btrfs: drop logs when we've aborted a transaction (bsc#1176019).
• btrfs: fix a race between scrub and block group removal/allocation (bsc#1176019).
• btrfs: fix crash during unmount due to race with delayed inode workers (bsc#1176019).
• btrfs: free block groups after free'ing fs trees (bsc#1176019).
• btrfs: hold a ref on the root on the dead roots list (bsc#1176019).
• btrfs: kill the subvol_srcu (bsc#1176019).
• btrfs: make btrfs_cleanup_fs_roots use the radix tree lock (bsc#1176019).
• btrfs: make inodes hold a ref on their roots (bsc#1176019).
• btrfs: make the extent buffer leak check per fs info (bsc#1176019).
• btrfs: move ino_cache_inode dropping out of btrfs_free_fs_root (bsc#1176019).
• btrfs: move the block group freeze/unfreeze helpers into block-group.c (bsc#1176019).
• btrfs: move the root freeing stuff into btrfs_put_root (bsc#1176019).
• btrfs: remove no longer necessary chunk mutex locking cases (bsc#1176019).
• btrfs: rename member 'trimming' of block group to a more generic name (bsc#1176019).
• btrfs: scrub, only lookup for csums if we are dealing with a data extent (bsc#1176019).
• bus: hisi_lpc: Fixup IO ports addresses to avoid use-after-free in host removal (git-fixes).
• clk: samsung: exynos4: mark 'chipid' clock as CLK_IGNORE_UNUSED (git-fixes).
• clk: socfpga: stratix10: fix the divider for the emac_ptp_free_clk (git-fixes).
• clk: tegra: Always program PLL_E when enabled (git-fixes).
• clk/ti/adpll: allocate room for terminating null (git-fixes).
• clocksource/drivers/h8300_timer8: Fix wrong return value in h8300_8timer_init() (git-fixes).
• clocksource/drivers/timer-gx6605s: Fixup counter reload (git-fixes).
• cpuidle: Poll for a minimum of 30ns and poll for a tick if lower c-states are disabled (bnc#1176588).
• crypto: dh - check validity of Z before export (bsc#1175718).
• crypto: dh - SP800-56A rev 3 local public key validation (bsc#1175718).
• crypto: ecc - SP800-56A rev 3 local public key validation (bsc#1175718).
• crypto: ecdh - check validity of Z before export (bsc#1175718).
• dmaengine: mediatek: hsdma_probe: fixed a memory leak when devm_request_irq fails (git-fixes).
• dmaengine: stm32-dma: use vchan_terminate_vdesc() in .terminate_all (git-fixes).
• dmaengine: stm32-mdma: use vchan_terminate_vdesc() in .terminate_all (git-fixes).
• dmaengine: tegra-apb: Prevent race conditions on channel's freeing (git-fixes).
• dmaengine: zynqmp_dma: fix burst length configuration (git-fixes).
• dma-fence: Serialise signal enabling (dma_fence_enable_sw_signaling) (git-fixes).
• drivers: char: tlclk.c: Avoid data race between init and interrupt handler (git-fixes).
• drm/amdgpu: restore proper ref count in amdgpu_display_crtc_set_config (git-fixes).
• drm/radeon: revert "Prefer lower feedback dividers" (bsc#1177384).
• e1000: Do not perform reset in reset_task if we are already down (git-fixes).
• ftrace: Move RCU is watching check after recursion check (git-fixes).
• fuse: do not ignore errors from fuse_writepages_fill() (bsc#1177193).
• gpio: mockup: fix resource leak in error path (git-fixes).
• gpio: rcar: Fix runtime PM imbalance on error (git-fixes).
• gpio: siox: explicitly support only threaded irqs (git-fixes).
• gpio: sprd: Clear interrupt when setting the type as edge (git-fixes).
• gpio: tc35894: fix up tc35894 interrupt configuration (git-fixes).
• hwmon: (applesmc) check status earlier (git-fixes).
• i2c: aspeed: Mask IRQ status to relevant bits (git-fixes).
• i2c: core: Call i2c_acpi_install_space_handler() before i2c_acpi_register_devices() (git-fixes).
• i2c: i801: Exclude device from suspend direct complete optimization (git-fixes).
• i2c: tegra: Prevent interrupt triggering after transfer timeout (git-fixes).
• i2c: tegra: Restore pinmux on system resume (git-fixes).
• ieee802154/adf7242: check status of adf7242_read_reg (git-fixes).
• ieee802154: fix one possible memleak in ca8210_dev_com_init (git-fixes).
• iio: adc: qcom-spmi-adc5: fix driver name (git-fixes).
• Input: i8042 - add nopnp quirk for Acer Aspire 5 A515 (bsc#954532).
• Input: trackpoint - enable Synaptics trackpoints (git-fixes).
• iommu/amd: Fix IOMMU AVIC not properly update the is_run bit in IRTE (bsc#1177297).
• iommu/amd: Fix potential @entry null deref (bsc#1177283).
• iommu/amd: Re-factor guest virtual APIC (de-)activation code (bsc#1177284).
• iommu/amd: Restore IRTE.RemapEn bit for amd_iommu_activate_guest_mode (bsc#1177285).
• iommu/exynos: add missing put_device() call in exynos_iommu_of_xlate() (bsc#1177286).
• kABI: Fix kABI for 12856e7acde4 PCI/IOV: Mark VFs as not implementing PCI_COMMAND_MEMORY (bsc#1176979).
• leds: mlxreg: Fix possible buffer overflow (git-fixes).
• lib/mpi: Add mpi_sub_ui() (bsc#1175718).
• locking/rwsem: Disable reader optimistic spinning (bnc#1176588).
• mac80211: do not allow bigger VHT MPDUs than the hardware supports (git-fixes).
• mac80211: skip mpath lookup also for control port tx (git-fixes).
• mac802154: tx: fix use-after-free (git-fixes).
• media: mc-device.c: fix memleak in media_device_register_entity (git-fixes).
• media: smiapp: Fix error handling at NVM reading (git-fixes).
• media: ti-vpe: cal: Restrict DMA to avoid memory corruption (git-fixes).
• mfd: mfd-core: Protect against NULL call-back function pointer (git-fixes).
• mmc: core: Rework wp-gpio handling (git-fixes).
• mmc: sdhci: Workaround broken command queuing on Intel GLK based IRBIS models (git-fixes).
• mt76: add missing locking around ampdu action (git-fixes).
• mt76: clear skb pointers from rx aggregation reorder buffer during cleanup (git-fixes).
• mt76: do not use devm API for led classdev (git-fixes).
• mt76: fix handling full tx queues in mt76_dma_tx_queue_skb_raw (git-fixes).
• mt76: fix LED link time failure (git-fixes).
• mtd: cfi_cmdset_0002: do not free cfi->cfiq in error path of cfi_amdstd_setup() (git-fixes).
• mtd: rawnand: gpmi: Fix runtime PM imbalance on error (git-fixes).
• mtd: rawnand: omap_elm: Fix runtime PM imbalance on error (git-fixes).
• net: phy: realtek: fix rtl8211e rx/tx delay config (git-fixes).
• nfs: Fix security label length not being reset (bsc#1176381).
• PCI: Avoid double hpmemsize MMIO window assignment (git-fixes).
• PCI/IOV: Mark VFs as not implementing PCI_COMMAND_MEMORY (bsc#1176979).
• PCI: tegra194: Fix runtime PM imbalance on error (git-fixes).
• PCI: tegra: Fix runtime PM imbalance on error (git-fixes).
• phy: ti: am654: Fix a leak in serdes_am654_probe() (git-fixes).
• pinctrl: mvebu: Fix i2c sda definition for 98DX3236 (git-fixes).
• Platform: OLPC: Fix memleak in olpc_ec_probe (git-fixes).
• platform/x86: fix kconfig dependency warning for FUJITSU_LAPTOP (git-fixes).
• platform/x86: fix kconfig dependency warning for LG_LAPTOP (git-fixes).
• platform/x86: intel_pmc_core: do not create a static struct device (git-fixes).
• platform/x86: intel-vbtn: Switch to an allow-list for SW_TABLET_MODE reporting (bsc#1175599).
• platform/x86: thinkpad_acpi: initialize tp_nvram_state variable (git-fixes).
• platform/x86: thinkpad_acpi: re-initialize ACPI buffer size when reuse (git-fixes).
• power: supply: max17040: Correct voltage reading (git-fixes).
• Refresh patches.suse/fnic-to-not-call-scsi_done-for-unhandled-commands.patch (bsc#1168468, bsc#1171675).
• rtc: ds1374: fix possible race condition (git-fixes).
• rtc: sa1100: fix possible race condition (git-fixes).
• s390/pci: Mark all VFs as not implementing PCI_COMMAND_MEMORY (bsc#1176979).
• sched/fair: Ignore cache hotness for SMT migration (bnc#1155798 (CPU scheduler functional and performance backports)).
• sched/fair: Use dst group while checking imbalance for NUMA balancer (bnc#1155798 (CPU scheduler functional and performance backports)).
• sched/numa: Avoid creating large imbalances at task creation time (bnc#1176588).
• sched/numa: Check numa balancing information only when enabled (bnc#1176588).
• sched/numa: Use runnable_avg to classify node (bnc#1155798 (CPU scheduler functional and performance backports)).
• scsi: iscsi: iscsi_tcp: Avoid holding spinlock while calling getpeername() (bsc#1177258).
• serial: 8250: 8250_omap: Terminate DMA before pushing data on RX timeout (git-fixes).
• serial: 8250_omap: Fix sleeping function called from invalid context during probe (git-fixes).
• serial: 8250_port: Do not service RX FIFO if throttled (git-fixes).
• serial: uartps: Wait for tx_empty in console setup (git-fixes).
• spi: fsl-espi: Only process interrupts for expected events (git-fixes).
• staging:r8188eu: avoid skb_clone for amsdu to msdu conversion (git-fixes).
• thermal: rcar_thermal: Handle probe error gracefully (git-fixes).
• Update config files. Enable ACPI_PCI_SLOT and HOTPLUG_PCI_ACPI (bsc#1177194).
• usb: dwc3: Increase timeout for CmdAct cleared by device controller (git-fixes).
• USB: EHCI: ehci-mv: fix error handling in mv_ehci_probe() (git-fixes).
• USB: EHCI: ehci-mv: fix less than zero comparison of an unsigned int (git-fixes).
• USB: gadget: f_ncm: Fix NDP16 datagram validation (git-fixes).
• vfio/pci: Decouple PCI_COMMAND_MEMORY bit checks from is_virtfn (bsc#1176979).
• vmxnet3: fix cksum offload issues for non-udp tunnels (git-fixes).
• wlcore: fix runtime pm imbalance in wl1271_tx_work (git-fixes).
• wlcore: fix runtime pm imbalance in wlcore_regdomain_config (git-fixes).
• xen/events: do not use chip_data for legacy IRQs (bsc#1065600).
• yam: fix possible memory leak in yam_init_driver (git-fixes).

Special Instructions and Notes:

• Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Real Time Module 15-SP2
  zypper in -t patch SUSE-SLE-Module-RT-15-SP2-2020-3230=1

Package List:

• SUSE Real Time Module 15-SP2 (x86_64)
  • dlm-kmp-rt-debuginfo-5.3.18-13.1
  • kernel-rt_debug-debugsource-5.3.18-13.1
  • ocfs2-kmp-rt-5.3.18-13.1
  • ocfs2-kmp-rt-debuginfo-5.3.18-13.1
  • cluster-md-kmp-rt-5.3.18-13.1
  • gfs2-kmp-rt-5.3.18-13.1
  • kernel-rt-devel-5.3.18-13.1
  • kernel-rt-devel-debuginfo-5.3.18-13.1
  • kernel-rt_debug-devel-5.3.18-13.1
  • kernel-rt-debuginfo-5.3.18-13.1
  • kernel-rt_debug-debuginfo-5.3.18-13.1
  • kernel-syms-rt-5.3.18-13.1
  • gfs2-kmp-rt-debuginfo-5.3.18-13.1
  • cluster-md-kmp-rt-debuginfo-5.3.18-13.1
  • kernel-rt_debug-devel-debuginfo-5.3.18-13.1
  • kernel-rt-debugsource-5.3.18-13.1
  • dlm-kmp-rt-5.3.18-13.1
• SUSE Real Time Module 15-SP2 (noarch)
  • kernel-source-rt-5.3.18-13.1
  • kernel-devel-rt-5.3.18-13.1
• SUSE Real Time Module 15-SP2 (nosrc x86_64)
  • kernel-rt-5.3.18-13.1
• SUSE Real Time Module 15-SP2 (nosrc)
  • kernel-rt_debug-5.3.18-13.1

References:

• https://www.suse.com/security/cve/CVE-2020-25212.html
• https://www.suse.com/security/cve/CVE-2020-25641.html
• https://www.suse.com/security/cve/CVE-2020-25643.html
• https://www.suse.com/security/cve/CVE-2020-25645.html
• https://bugzilla.suse.com/show_bug.cgi?id=1065600
• https://bugzilla.suse.com/show_bug.cgi?id=1155798
• https://bugzilla.suse.com/show_bug.cgi?id=1168468
• https://bugzilla.suse.com/show_bug.cgi?id=1171675
• https://bugzilla.suse.com/show_bug.cgi?id=1175599
• https://bugzilla.suse.com/show_bug.cgi?id=1175718
• https://bugzilla.suse.com/show_bug.cgi?id=1176019
• https://bugzilla.suse.com/show_bug.cgi?id=1176381
• https://bugzilla.suse.com/show_bug.cgi?id=1176588
• https://bugzilla.suse.com/show_bug.cgi?id=1176979
• https://bugzilla.suse.com/show_bug.cgi?id=1177027
• https://bugzilla.suse.com/show_bug.cgi?id=1177121
• https://bugzilla.suse.com/show_bug.cgi?id=1177193
• https://bugzilla.suse.com/show_bug.cgi?id=1177194
• https://bugzilla.suse.com/show_bug.cgi?id=1177206
• https://bugzilla.suse.com/show_bug.cgi?id=1177258
• https://bugzilla.suse.com/show_bug.cgi?id=1177283
• https://bugzilla.suse.com/show_bug.cgi?id=1177284
• https://bugzilla.suse.com/show_bug.cgi?id=1177285
• https://bugzilla.suse.com/show_bug.cgi?id=1177286
• https://bugzilla.suse.com/show_bug.cgi?id=1177297
• https://bugzilla.suse.com/show_bug.cgi?id=1177384
• https://bugzilla.suse.com/show_bug.cgi?id=1177511
• https://bugzilla.suse.com/show_bug.cgi?id=954532