Security update for the Linux Kernel

Announcement ID: SUSE-SU-2021:3177-1
Rating: important
CVSS scores:
  • CVE-2021-34556 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  • CVE-2021-34556 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  • CVE-2021-35477 ( SUSE ): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
  • CVE-2021-35477 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  • CVE-2021-3640 ( SUSE ): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2021-3640 ( NVD ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2021-3653 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2021-3653 ( NVD ): 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • CVE-2021-3656 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2021-3656 ( NVD ): 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • CVE-2021-3679 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE-2021-3679 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE-2021-3732 ( SUSE ): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
  • CVE-2021-3732 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  • CVE-2021-3739 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
  • CVE-2021-3739 ( NVD ): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
  • CVE-2021-3743 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2021-3743 ( NVD ): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
  • CVE-2021-3753 ( SUSE ): 2.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
  • CVE-2021-3753 ( NVD ): 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
  • CVE-2021-3759 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2021-3759 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE-2021-38160 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2021-38160 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2021-38198 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2021-38198 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE-2021-38204 ( SUSE ): 4.2 CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2021-38204 ( NVD ): 6.8 CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2021-38205 ( SUSE ): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
  • CVE-2021-38205 ( NVD ): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
  • CVE-2021-38207 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2021-38207 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
  • SUSE Linux Enterprise Micro 5.0
  • SUSE Linux Enterprise Real Time 15 SP2
  • SUSE Real Time Module 15-SP2

An update that solves 16 vulnerabilities and has 98 security fixes can now be installed.

Description:

The SUSE Linux Enterprise 15 SP2 Realtime kernel was updated to receive various security and bug fixes.

The following security bugs were fixed:

  • CVE-2021-3759: Unaccounted ipc objects in the Linux kernel could have led to breaking memcg limits and DoS attacks (bsc#1190115).
  • CVE-2021-38160: Data corruption or loss could be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size in drivers/char/virtio_console.c (bsc#1190117).
  • CVE-2021-3640: Fixed a use-after-free vulnerability in the function sco_sock_sendmsg() in the Bluetooth stack (bsc#1188172).
  • CVE-2021-3753: Fixed a race that could cause an out-of-bounds access in virtual terminal handling (bsc#1190025).
  • CVE-2021-3743: Fixed an out-of-bounds read in qrtr_endpoint_post (bsc#1189883).
  • CVE-2021-3739: Fixed a NULL pointer dereference when deleting a device by an invalid id (bsc#1189832).
  • CVE-2021-3732: Mounting overlayfs inside an unprivileged user namespace can reveal files (bsc#1189706).
  • CVE-2021-3653: Missing validation of the int_ctl VMCB field allowed a malicious L1 guest to enable AVIC support for the L2 guest (bsc#1189399).
  • CVE-2021-3656: Missing validation of the virt_ext VMCB field allowed a malicious L1 guest to disable both VMLOAD/VMSAVE intercepts and VLS for the L2 guest (bsc#1189400).
  • CVE-2021-38198: arch/x86/kvm/mmu/paging_tmpl.h incorrectly computes the access permissions of a shadow page, leading to a missing guest protection page fault (bnc#1189262).
  • CVE-2021-38207: drivers/net/ethernet/xilinx/ll_temac_main.c allowed remote attackers to cause a denial of service (buffer overflow and lockup) by sending heavy network traffic for about ten minutes (bnc#1189298).
  • CVE-2021-38205: drivers/net/ethernet/xilinx/xilinx_emaclite.c made it easier for attackers to defeat an ASLR protection mechanism because it prints a kernel pointer (i.e., the real IOMEM pointer) (bnc#1189292).
  • CVE-2021-38204: drivers/usb/host/max3421-hcd.c allowed physically proximate attackers to cause a denial of service (use-after-free and panic) by removing a MAX-3421 USB device in certain situations (bnc#1189291).
  • CVE-2021-3679: A lack of CPU resources in the tracing module functionality was found when the trace ring buffer is used in a specific way. Only privileged local users (with the CAP_SYS_ADMIN capability) could use this flaw to starve resources, causing a denial of service (bnc#1189057).
  • CVE-2021-34556: Fixed a side-channel attack via Speculative Store Bypass in which an unprivileged BPF program could have obtained sensitive information from kernel memory (bsc#1188983).
  • CVE-2021-35477: Fixed a BPF stack frame pointer issue that could have been abused to disclose the content of arbitrary kernel memory (bsc#1188985).

The following non-security bugs were fixed:

  • ACPI: NFIT: Fix support for virtual SPA ranges (git-fixes).
  • ACPI: processor: Clean up acpi_processor_evaluate_cst() (bsc#1175543)
  • ACPI: processor: Export acpi_processor_evaluate_cst() (bsc#1175543)
  • ACPI: processor: Export function to claim _CST control (bsc#1175543)
  • ACPI: processor: Introduce acpi_processor_evaluate_cst() (bsc#1175543)
  • ACPI: processor: Make ACPI_PROCESSOR_CSTATE depend on ACPI_PROCESSOR (bsc#1175543)
  • ALSA: hda - fix the 'Capture Switch' value change notifications (git-fixes).
  • ALSA: hda/realtek: Enable 4-speaker output for Dell XPS 15 9510 laptop (git-fixes).
  • ALSA: hda/realtek: Fix headset mic for Acer SWIFT SF314-56 (ALC256) (git-fixes).
  • ALSA: hda/realtek: add mic quirk for Acer SF314-42 (git-fixes).
  • ALSA: hda/via: Apply runtime PM workaround for ASUS B23E (git-fixes).
  • ALSA: hda: Add quirk for ASUS Flow x13 (git-fixes).
  • ALSA: pcm: fix divide error in snd_pcm_lib_ioctl (git-fixes).
  • ALSA: seq: Fix racy deletion of subscriber (git-fixes).
  • ALSA: usb-audio: Add registration quirk for JBL Quantum 600 (git-fixes).
  • ALSA: usb-audio: Fix regression on Sony WALKMAN NW-A45 DAC (git-fixes).
  • ALSA: usb-audio: Fix superfluous autosuspend recovery (git-fixes).
  • ALSA: usb-audio: fix incorrect clock source setting (git-fixes).
  • ASoC: Intel: Skylake: Leave data as is when invoking TLV IPCs (git-fixes).
  • ASoC: cs42l42: Correct definition of ADC Volume control (git-fixes).
  • ASoC: cs42l42: Do not allow SND_SOC_DAIFMT_LEFT_J (git-fixes).
  • ASoC: cs42l42: Fix LRCLK frame start edge (git-fixes).
  • ASoC: cs42l42: Fix inversion of ADC Notch Switch control (git-fixes).
  • ASoC: cs42l42: Remove duplicate control for WNF filter frequency (git-fixes).
  • ASoC: intel: atom: Fix breakage for PCM buffer address setup (git-fixes).
  • ASoC: intel: atom: Fix reference to PCM buffer address (git-fixes).
  • ASoC: ti: delete some dead code in omap_abe_probe() (git-fixes).
  • ASoC: tlv320aic31xx: Fix jack detection after suspend (git-fixes).
  • ASoC: tlv320aic31xx: fix reversed bclk/wclk master bits (git-fixes).
  • ASoC: wcd9335: Disable irq on slave ports in the remove function (git-fixes).
  • ASoC: wcd9335: Fix a double irq free in the remove function (git-fixes).
  • ASoC: wcd9335: Fix a memory leak in the error handling path of the probe function (git-fixes).
  • ASoC: xilinx: Fix reference to PCM buffer address (git-fixes).
  • Bluetooth: add timeout sanity check to hci_inquiry (git-fixes).
  • Bluetooth: defer cleanup of resources in hci_unregister_dev() (git-fixes).
  • Bluetooth: fix repeated calls to sco_sock_kill (git-fixes).
  • Bluetooth: hidp: use correct wait queue when removing ctrl_wait (git-fixes).
  • Bluetooth: increase BTNAMSIZ to 21 chars to fix potential buffer overflow (git-fixes).
  • Bluetooth: sco: prevent information leak in sco_conn_defer_accept() (git-fixes).
  • Documentation: admin-guide: PM: Add intel_idle document (bsc#1175543)
  • Drop watchdog iTCO_wdt patch that causes incompatible behavior (bsc#1189449) Also blacklisted
  • Fix breakage of swap over NFS (bsc#1188924).
  • Fix kabi of prepare_to_wait_exclusive() (bsc#1189575).
  • HID: i2c-hid: Fix Elan touchpad regression (git-fixes).
  • HID: input: do not report stylus battery state as "full" (git-fixes).
  • KVM: VMX: Drop guest CPUID check for VMXE in vmx_set_cr4() (bsc#1188786).
  • KVM: VMX: Enable machine check support for 32bit targets (bsc#1188787).
  • KVM: VMX: Explicitly clear RFLAGS.CF and RFLAGS.ZF in VM-Exit RSB path (bsc#1188788).
  • KVM: nVMX: Really make emulated nested preemption timer pinned (bsc#1188780).
  • KVM: nVMX: Reset the segment cache when stuffing guest segs (bsc#1188781).
  • KVM: nVMX: Skip IBPB when switching between vmcs01 and vmcs02 (bsc#1188782).
  • KVM: nVMX: Sync unsync'd vmcs02 state to vmcs12 on migration (bsc#1188783).
  • KVM: nVMX: Truncate bits 63:32 of VMCS field on nested check in !64-bit (bsc#1188784).
  • KVM: x86: bit 8 of non-leaf PDPEs is not reserved (bsc#1188790).
  • Move upstreamed BT fixes into sorted section
  • NFS: Correct size calculation for create reply length (bsc#1189870).
  • NFSv4.1: Do not rebind to the same source port when (bnc#1186264 bnc#1189021)
  • NFSv4/pNFS: Do not call _nfs4_pnfs_v3_ds_connect multiple times (git-fixes).
  • NFSv4: Initialise connection to the server in nfs4_alloc_client() (bsc#1040364).
  • PCI/MSI: Correct misleading comments (git-fixes).
  • PCI/MSI: Do not set invalid bits in MSI mask (git-fixes).
  • PCI/MSI: Enable and mask MSI-X early (git-fixes).
  • PCI/MSI: Enforce MSI[X] entry updates to be visible (git-fixes).
  • PCI/MSI: Enforce that MSI-X table entry is masked for update (git-fixes).
  • PCI/MSI: Mask all unused MSI-X entries (git-fixes).
  • PCI/MSI: Skip masking MSI-X on Xen PV (git-fixes).
  • PCI/MSI: Use msi_mask_irq() in pci_msi_shutdown() (git-fixes).
  • PCI: Increase D3 delay for AMD Renoir/Cezanne XHCI (git-fixes).
  • PCI: PM: Avoid forcing PCI_D0 for wakeup reasons inconsistently (git-fixes).
  • PCI: PM: Enable PME if it can be signaled from D3cold (git-fixes).
  • README: Modernize build instructions.
  • Revert "ACPICA: Fix memory leak caused by _CID repair function" (git-fixes).
  • Revert "USB: serial: ch341: fix character loss at high transfer rates" (git-fixes).
  • Revert "dmaengine: imx-sdma: refine to load context only once" (git-fixes).
  • Revert "gpio: eic-sprd: Use devm_platform_ioremap_resource()" (git-fixes).
  • Revert "mmc: sdhci-iproc: Set SDHCI_QUIRK_CAP_CLOCK_BASE_BROKEN on BCM2711" (git-fixes).
  • SUNRPC: 'Directory with parent 'rpc_clnt' already present!' (bsc#1168202 bsc#1188924).
  • SUNRPC: Fix the batch tasks count wraparound (git-fixes).
  • SUNRPC: Should wake up the privileged task firstly (git-fixes).
  • SUNRPC: defer slow parts of rpc_free_client() to a workqueue (bsc#1168202 bsc#1188924).
  • SUNRPC: fix use-after-free in rpc_free_client_work() (bsc#1168202 bsc#1188924).
  • SUNRPC: prevent port reuse on transports which do not request it (bnc#1186264 bnc#1189021).
  • USB: core: Avoid WARNings for 0-length descriptor requests (git-fixes).
  • USB: serial: ch341: fix character loss at high transfer rates (git-fixes).
  • USB: serial: ftdi_sio: add device ID for Auto-M3 OP-COM v2 (git-fixes).
  • USB: serial: option: add Telit FD980 composition 0x1056 (git-fixes).
  • USB: serial: option: add new VID/PID to support Fibocom FG150 (git-fixes).
  • USB: usbtmc: Fix RCU stall warning (git-fixes).
  • USB:ehci:fix Kunpeng920 ehci hardware problem (git-fixes).
  • Update patches.suse/ibmvnic-Allow-device-probe-if-the-device-is-not-read.patch (bsc#1167032 ltc#184087 bsc#1184114 ltc#192237).
  • VMCI: fix NULL pointer dereference when unmapping queue pair (git-fixes).
  • ath6kl: wmi: fix an error code in ath6kl_wmi_sync_point() (git-fixes).
  • ath9k: Clear key cache explicitly on disabling hardware (git-fixes).
  • ath: Use safer key clearing with key cache entries (git-fixes).
  • bcma: Fix memory leak for internally-handled cores (git-fixes).
  • bdi: Do not use freezable workqueue (bsc#1189573).
  • blk-iolatency: error out if blk_get_queue() failed in iolatency_set_limit() (bsc#1189507).
  • blk-mq-sched: Fix blk_mq_sched_alloc_tags() error handling (bsc#1189506).
  • blk-wbt: introduce a new disable state to prevent false positive by rwb_enabled() (bsc#1189503).
  • blk-wbt: make sure throttle is enabled properly (bsc#1189504).
  • block: fix trace completion for chained bio (bsc#1189505).
  • brcmfmac: pcie: fix oops on failure to resume and reprobe (git-fixes).
  • btrfs: Rename __btrfs_alloc_chunk to btrfs_alloc_chunk (bsc#1189077).
  • btrfs: account for new extents being deleted in total_bytes_pinned (bsc#1135481).
  • btrfs: add a comment explaining the data flush steps (bsc#1135481).
  • btrfs: add btrfs_reserve_data_bytes and use it (bsc#1135481).
  • btrfs: add flushing states for handling data reservations (bsc#1135481).
  • btrfs: add the data transaction commit logic into may_commit_transaction (bsc#1135481).
  • btrfs: call btrfs_try_granting_tickets when freeing reserved bytes (bsc#1135481).
  • btrfs: call btrfs_try_granting_tickets when reserving space (bsc#1135481).
  • btrfs: call btrfs_try_granting_tickets when unpinning anything (bsc#1135481).
  • btrfs: change nr to u64 in btrfs_start_delalloc_roots (bsc#1135481).
  • btrfs: check tickets after waiting on ordered extents (bsc#1135481).
  • btrfs: do async reclaim for data reservations (bsc#1135481).
  • btrfs: don't force commit if we are data (bsc#1135481).
  • btrfs: drop the commit_cycles stuff for data reservations (bsc#1135481).
  • btrfs: factor out create_chunk() (bsc#1189077).
  • btrfs: factor out decide_stripe_size() (bsc#1189077).
  • btrfs: factor out gather_device_info() (bsc#1189077).
  • btrfs: factor out init_alloc_chunk_ctl (bsc#1189077).
  • btrfs: fix deadlock with concurrent chunk allocations involving system chunks (bsc#1189077).
  • btrfs: fix possible infinite loop in data async reclaim (bsc#1135481).
  • btrfs: flush delayed refs when trying to reserve data space (bsc#1135481).
  • btrfs: handle U64_MAX for shrink_delalloc (bsc#1135481).
  • btrfs: handle invalid profile in chunk allocation (bsc#1189077).
  • btrfs: handle space_info::total_bytes_pinned inside the delayed ref itself (bsc#1135481).
  • btrfs: introduce alloc_chunk_ctl (bsc#1189077).
  • btrfs: introduce chunk allocation policy (bsc#1189077).
  • btrfs: make ALLOC_CHUNK use the space info flags (bsc#1135481).
  • btrfs: make shrink_delalloc take space_info as an arg (bsc#1135481).
  • btrfs: move the chunk_mutex in btrfs_read_chunk_tree (bsc#1189077).
  • btrfs: parameterize dev_extent_min for chunk allocation (bsc#1189077).
  • btrfs: refactor find_free_dev_extent_start() (bsc#1189077).
  • btrfs: remove orig from shrink_delalloc (bsc#1135481).
  • btrfs: rework chunk allocation to avoid exhaustion of the system chunk array (bsc#1189077).
  • btrfs: run delayed iputs before committing the transaction for data (bsc#1135481).
  • btrfs: serialize data reservations if we are flushing (bsc#1135481).
  • btrfs: shrink delalloc pages instead of full inodes (bsc#1135481).
  • btrfs: track ordered bytes instead of just dio ordered bytes (bsc#1135481).
  • btrfs: use btrfs_start_delalloc_roots in shrink_delalloc (bsc#1135481).
  • btrfs: use the btrfs_space_info_free_bytes_may_use helper for delalloc (bsc#1135481).
  • btrfs: use the same helper for data and metadata reservations (bsc#1135481).
  • btrfs: use ticketing for data space reservations (bsc#1135481).
  • can: ti_hecc: Fix memleak in ti_hecc_probe (git-fixes).
  • can: usb: esd_usb2: esd_usb2_rx_event(): fix the interchange of the CAN RX and TX error counters (git-fixes).
  • ceph: clean up and optimize ceph_check_delayed_caps() (bsc#1187468).
  • ceph: reduce contention in ceph_check_delayed_caps() (bsc#1187468).
  • ceph: take snap_empty_lock atomically with snaprealm refcount change (bsc#1189427).
  • cfg80211: Fix possible memory leak in function cfg80211_bss_update (git-fixes).
  • cgroup1: fix leaked context root causing sporadic NULL deref in LTP (bsc#1190181).
  • cgroup: verify that source is a string (bsc#1190131).
  • cifs: Remove unused inline function is_sysvol_or_netlogon() (bsc#11859