openSUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2022:0363-1
Rating:             critical
References:         #1154353 #1154488 #1160634 #1176447 #1177599 
                    #1183405 #1185377 #1187428 #1187723 #1188605 
                    #1191881 #1193096 #1193506 #1193767 #1193802 
                    #1193861 #1193864 #1193867 #1194048 #1194227 
                    #1194291 #1194880 #1195009 #1195062 #1195065 
                    #1195073 #1195183 #1195184 #1195254 #1195267 
                    #1195293 #1195371 
Cross-References:   CVE-2020-28097 CVE-2021-22600 CVE-2021-39648
                    CVE-2021-39657 CVE-2021-39685 CVE-2021-4159
                    CVE-2021-44733 CVE-2021-45095 CVE-2022-0286
                    CVE-2022-0330 CVE-2022-0435 CVE-2022-22942
                   
CVSS scores:
                    CVE-2020-28097 (NVD) : 5.9 CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
                    CVE-2020-28097 (SUSE): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-22600 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-22600 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-39648 (SUSE): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-39657 (SUSE): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
                    CVE-2021-39685 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-4159 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-44733 (SUSE): 4.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
                    CVE-2021-45095 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-45095 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
                    CVE-2022-0286 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
                    CVE-2022-0286 (SUSE): 5.1 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2022-0435 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2022-22942 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    openSUSE Leap 15.3
______________________________________________________________________________

   An update that solves 12 vulnerabilities and has 20 fixes
   is now available.

Description:


   The SUSE Linux Enterprise 15 SP3 Azure kernel was updated to receive
   various security and bug fixes.


   The following security bugs were fixed:

   - CVE-2022-0435: Fixed remote stack overflow in net/tipc module by
     validating domain record count on input (bsc#1195254).
   - CVE-2022-0330: Fixed by flushing TLBs before releasing backing store
     (bsc#1194880).
   - CVE-2022-0286: Fixed null pointer dereference in bond_ipsec_add_sa()
     that may have led to local denial of service (bnc#1195371).
   - CVE-2022-22942: Fixed stale file descriptors on failed usercopy
     (bsc#1195065).
   - CVE-2021-45095: Fixed refcount leak in pep_sock_accept in
     net/phonet/pep.c (bnc#1193867).
   - CVE-2021-44733: Fixed a use-after-free in drivers/tee/tee_shm.c in the
     TEE subsystem that could have occurred because of a race condition in
     tee_shm_get_from_id during an attempt to free a shared memory object
     (bnc#1193767).
   - CVE-2021-39657: Fixed out of bounds read due to a missing bounds check
     in ufshcd_eh_device_reset_handler of ufshcd.c. This could lead to local
     information disclosure with System execution privileges needed
     (bnc#1193864).
   - CVE-2021-39648: Fixed possible disclosure of kernel heap memory due to a
     race condition in gadget_dev_desc_UDC_show of configfs.c. This could
     lead to local information disclosure with System execution privileges
     needed. User interaction is not needed for exploitation (bnc#1193861).
   - CVE-2021-22600: Fixed double free bug in packet_set_ring() in
     net/packet/af_packet.c that could have been exploited by a local user
     through crafted syscalls to escalate privileges or deny service
     (bnc#1195184).
   - CVE-2020-28097: Fixed out-of-bounds read in vgacon subsystem that
     mishandled software scrollback (bnc#1187723).
   - CVE-2021-4159: Fixed kernel ptr leak vulnerability via BPF in
     coerce_reg_to_size (bsc#1194227).


   The following security references were added to already fixed issues:

   - CVE-2021-39685: Fixed USB gadget buffer overflow caused by too large
     endpoint 0 requests (bsc#1193802).


   The following non-security bugs were fixed:

   - ACPI: battery: Add the ThinkPad "Not Charging" quirk (git-fixes).
   - ACPICA: Executer: Fix the REFCLASS_REFOF case in
     acpi_ex_opcode_1A_0T_1R() (git-fixes).
   - ACPICA: Fix wrong interpretation of PCC address (git-fixes).
   - ACPICA: Hardware: Do not flush CPU cache when entering S4 and S5
     (git-fixes).
   - ACPICA: Utilities: Avoid deleting the same object twice in a row
     (git-fixes).
   - ACPICA: actypes.h: Expand the ACPI_ACCESS_ definitions (git-fixes).
   - ALSA: seq: Set upper limit of processed events (git-fixes).
   - ASoC: mediatek: mt8173: fix device_node leak (git-fixes).
   - Bluetooth: Fix debugfs entry leak in hci_register_dev() (git-fixes).
   - Documentation: fix firewire.rst ABI file path error (git-fixes).
   - HID: apple: Do not reset quirks when the Fn key is not found (git-fixes).
   - HID: quirks: Allow inverting the absolute X/Y values (git-fixes).
   - HID: uhid: Fix worker destroying device without any protection
     (git-fixes).
   - HID: wacom: Reset expected and received contact counts at the same time
     (git-fixes).
   - PCI: Add function 1 DMA alias quirk for Marvell 88SE9125 SATA controller
     (git-fixes).
   - RDMA/core: Clean up cq pool mechanism (jsc#SLE-15176).
   - RDMA/rxe: Remove the unnecessary variable (jsc#SLE-15176).
   - ar5523: Fix null-ptr-deref with unexpected WDCMSG_TARGET_START reply
     (git-fixes).
   - arm64: Kconfig: add a choice for endianness (jsc#SLE-23432).
   - asix: fix wrong return value in asix_check_host_enable() (git-fixes).
   - ata: pata_platform: Fix a NULL pointer dereference in
     __pata_platform_probe() (git-fixes).
   - ath10k: Fix tx hanging (git-fixes).
   - ath9k: Fix out-of-bound memcpy in ath9k_hif_usb_rx_stream (git-fixes).
   - batman-adv: allow netlink usage in unprivileged containers (git-fixes).
   - btrfs: tree-checker: Add EXTENT_ITEM and METADATA_ITEM check
     (bsc#1195009).
   - btrfs: tree-checker: annotate all error branches as unlikely
     (bsc#1195009).
   - btrfs: tree-checker: check for BTRFS_BLOCK_FLAG_FULL_BACKREF being set
     improperly (bsc#1195009).
   - cgroup/cpuset: Fix a partition bug with hotplug (bsc#1194291).
   - clk: si5341: Fix clock HW provider cleanup (git-fixes).
   - crypto: qat - fix undetected PFVF timeout in ACK loop (git-fixes).
   - drm/amdgpu: fixup bad vram size on gmc v8 (git-fixes).
   - drm/bridge: megachips: Ensure both bridges are probed before
     registration (git-fixes).
   - drm/etnaviv: limit submit sizes (git-fixes).
   - drm/etnaviv: relax submit size limits (git-fixes).
   - drm/lima: fix warning when CONFIG_DEBUG_SG=y & CONFIG_DMA_API_DEBUG=y
     (git-fixes).
   - drm/msm/dpu: invalid parameter check in dpu_setup_dspp_pcc (git-fixes).
   - drm/msm/dsi: invalid parameter check in msm_dsi_phy_enable (git-fixes).
   - drm/msm/hdmi: Fix missing put_device() call in msm_hdmi_get_phy
     (git-fixes).
   - drm/msm: Fix wrong size calculation (git-fixes).
   - drm/nouveau/kms/nv04: use vzalloc for nv04_display (git-fixes).
   - drm/nouveau/pmu/gm200-: avoid touching PMU outside of DEVINIT/PREOS/ACR
     (git-fixes).
   - drm/radeon: fix error handling in radeon_driver_open_kms (git-fixes).
   - drm: panel-orientation-quirks: Add quirk for the Lenovo Yoga Book X91F/L
     (git-fixes).
   - ext4: set csum seed in tmp inode while migrating to extents
     (bsc#1195267).
   - floppy: Add max size check for user space request (git-fixes).
   - gpio: aspeed: Convert aspeed_gpio.lock to raw_spinlock (git-fixes).
   - gpiolib: acpi: Do not set the IRQ type if the IRQ is already in use
     (git-fixes).
   - hv_netvsc: Set needed_headroom according to VF (bsc#1193506).
   - hwmom: (lm90) Fix citical alarm status for MAX6680/MAX6681 (git-fixes).
   - hwmon: (lm90) Mark alert as broken for MAX6646/6647/6649 (git-fixes).
   - hwmon: (lm90) Mark alert as broken for MAX6654 (git-fixes).
   - hwmon: (lm90) Mark alert as broken for MAX6680 (git-fixes).
   - hwmon: (lm90) Reduce maximum conversion rate for G781 (git-fixes).
   - i2c: designware-pci: Fix to change data types of hcnt and lcnt
     parameters (git-fixes).
   - i2c: i801: Do not silently correct invalid transfer size (git-fixes).
   - i2c: mpc: Correct I2C reset procedure (git-fixes).
   - ibmvnic: Allow extra failures before disabling (bsc#1195073 ltc#195713).
   - ibmvnic: Update driver return codes (bsc#1195293 ltc#196198).
   - ibmvnic: do not spin in tasklet (bsc#1195073 ltc#195713).
   - ibmvnic: init ->running_cap_crqs early (bsc#1195073 ltc#195713).
   - ibmvnic: remove unused ->wait_capability (bsc#1195073 ltc#195713).
   - ibmvnic: remove unused defines (bsc#1195293 ltc#196198).
   - igc: Fix TX timestamp support for non-MSI-X platforms (bsc#1160634).
   - iwlwifi: fix leaks/bad data after failed firmware load (git-fixes).
   - iwlwifi: mvm: Fix calculation of frame length (git-fixes).
   - iwlwifi: mvm: Increase the scan timeout guard to 30 seconds (git-fixes).
   - iwlwifi: mvm: synchronize with FW after multicast commands (git-fixes).
   - iwlwifi: remove module loading failure message (git-fixes).
   - lib82596: Fix IRQ check in sni_82596_probe (git-fixes).
   - lightnvm: Remove lightnvm implemenation (bsc#1191881).
   - mac80211: allow non-standard VHT MCS-10/11 (git-fixes).
   - media: b2c2: Add missing check in flexcop_pci_isr: (git-fixes).
   - media: coda/imx-vdoa: Handle dma_set_coherent_mask error codes
     (git-fixes).
   - media: igorplugusb: receiver overflow should be reported (git-fixes).
   - media: m920x: do not use stack on USB reads (git-fixes).
   - media: saa7146: hexium_gemini: Fix a NULL pointer dereference in
     hexium_attach() (git-fixes).
   - media: saa7146: hexium_orion: Fix a NULL pointer dereference in
     hexium_attach() (git-fixes).
   - media: uvcvideo: Increase UVC_CTRL_CONTROL_TIMEOUT to 5 seconds
     (git-fixes).
   - mlxsw: Only advertise link modes supported by both driver and device
     (bsc#1154488).
   - mmc: core: Fixup storing of OCR for MMC_QUIRK_NONSTD_SDIO (git-fixes).
   - mtd: nand: bbt: Fix corner case in bad block table handling (git-fixes).
   - mtd: rawnand: gpmi: Add ERR007117 protection for nfc_apply_timings
     (git-fixes).
   - mtd: rawnand: gpmi: Remove explicit default gpmi clock setting for i.MX6
     (git-fixes).
   - net, xdp: Introduce xdp_init_buff utility routine (bsc#1193506).
   - net, xdp: Introduce xdp_prepare_buff utility routine (bsc#1193506).
   - net/mlx5: DR, Proper handling of unsupported Connect-X6DX SW steering
     (jsc#SLE-8464).
   - net/mlx5: E-Switch, fix changing vf VLANID (jsc#SLE-15172).
   - net/mlx5e: Protect encap route dev from concurrent release
     (jsc#SLE-8464).
   - net: allow retransmitting a TCP packet if original is still in queue
     (bsc#1188605 bsc#1187428).
   - net: bonding: fix bond_xmit_broadcast return value error bug
     (bsc#1176447).
   - net: bridge: vlan: fix memory leak in __allowed_ingress (bsc#1176447).
   - net: bridge: vlan: fix single net device option dumping (bsc#1176447).
   - net: mana: Add RX fencing (bsc#1193506).
   - net: mana: Add XDP support (bsc#1193506).
   - net: sch_generic: aviod concurrent reset and enqueue op for lockless
     qdisc (bsc#1183405).
   - net: sched: add barrier to ensure correct ordering for lockless qdisc
     (bsc#1183405).
   - net: sched: avoid unnecessary seqcount operation for lockless qdisc
     (bsc#1183405).
   - net: sched: fix packet stuck problem for lockless qdisc (bsc#1183405).
   - net: sched: fix tx action reschedule issue with stopped queue
     (bsc#1183405).
   - net: sched: fix tx action rescheduling issue during deactivation
     (bsc#1183405).
   - net: sched: replaced invalid qdisc tree flush helper in qdisc_replace
     (bsc#1183405).
   - net: sfp: fix high power modules without diagnostic monitoring
     (bsc#1154353).
   - netdevsim: set .owner to THIS_MODULE (bsc#1154353).
   - nfc: llcp: fix NULL error pointer dereference on sendmsg() after failed
     bind() (git-fixes).
   - nvme: add 'iopolicy' module parameter (bsc#1177599 bsc#1193096).
   - phy: uniphier-usb3ss: fix unintended writing zeros to PHY register
     (git-fixes).
   - phylib: fix potential use-after-free (git-fixes).
   - pinctrl: bcm2835: Add support for wake-up interrupts (git-fixes).
   - pinctrl: bcm2835: Match BCM7211 compatible string (git-fixes).
   - powerpc/book3s64/radix: make tlb_single_page_flush_ceiling a debugfs
     entry (bsc#1195183 ltc#193865).
   - regulator: qcom_smd: Align probe function with rpmh-regulator
     (git-fixes).
   - rsi: Fix use-after-free in rsi_rx_done_handler() (git-fixes).
   - sched/fair: Fix detection of per-CPU kthreads waking a task (git fixes
     (sched/fair)).
   - sched/numa: Fix is_core_idle() (git fixes (sched/numa)).
   - scripts/dtc: dtx_diff: remove broken example from help text (git-fixes).
   - serial: 8250: of: Fix mapped region size when using reg-offset property
     (git-fixes).
   - serial: Fix incorrect rs485 polarity on uart open (git-fixes).
   - serial: amba-pl011: do not request memory region twice (git-fixes).
   - serial: core: Keep mctrl register state and cached copy in sync
     (git-fixes).
   - serial: pl010: Drop CR register reset on set_termios (git-fixes).
   - serial: stm32: fix software flow control transfer (git-fixes).
   - supported.conf: mark rtw88 modules as supported (jsc#SLE-22690)
   - tty: n_gsm: fix SW flow control encoding/handling (git-fixes).
   - ucsi_ccg: Check DEV_INT bit only when starting CCG4 (git-fixes).
   - usb: common: ulpi: Fix crash in ulpi_match() (git-fixes).
   - usb: gadget: f_fs: Use stream_open() for endpoint files (git-fixes).
   - usb: gadget: f_sourcesink: Fix isoc transfer for USB_SPEED_SUPER_PLUS
     (git-fixes).
   - usb: hub: Add delay for SuperSpeed hub resume to let links transit to U0
     (git-fixes).
   - usb: roles: fix include/linux/usb/role.h compile issue (git-fixes).
   - usb: typec: tcpm: Do not disconnect while receiving VBUS off (git-fixes).
   - usb: uhci: add aspeed ast2600 uhci support (git-fixes).
   - vfio/iommu_type1: replace kfree with kvfree (git-fixes).
   - video: hyperv_fb: Fix validation of screen resolution (git-fixes).
   - vxlan: fix error return code in __vxlan_dev_create() (bsc#1154353).
   - workqueue: Fix unbind_workers() VS wq_worker_running() race
     (bsc#1195062).
   - x86/gpu: Reserve stolen memory for first integrated Intel GPU
     (git-fixes).
   - xfrm: fix MTU regression (bsc#1185377, bsc#1194048).


Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Leap 15.3:

      zypper in -t patch openSUSE-SLE-15.3-2022-363=1



Package List:

   - openSUSE Leap 15.3 (noarch):

      kernel-devel-azure-5.3.18-150300.38.40.4
      kernel-source-azure-5.3.18-150300.38.40.4

   - openSUSE Leap 15.3 (x86_64):

      cluster-md-kmp-azure-5.3.18-150300.38.40.4
      cluster-md-kmp-azure-debuginfo-5.3.18-150300.38.40.4
      dlm-kmp-azure-5.3.18-150300.38.40.4
      dlm-kmp-azure-debuginfo-5.3.18-150300.38.40.4
      gfs2-kmp-azure-5.3.18-150300.38.40.4
      gfs2-kmp-azure-debuginfo-5.3.18-150300.38.40.4
      kernel-azure-5.3.18-150300.38.40.4
      kernel-azure-debuginfo-5.3.18-150300.38.40.4
      kernel-azure-debugsource-5.3.18-150300.38.40.4
      kernel-azure-devel-5.3.18-150300.38.40.4
      kernel-azure-devel-debuginfo-5.3.18-150300.38.40.4
      kernel-azure-extra-5.3.18-150300.38.40.4
      kernel-azure-extra-debuginfo-5.3.18-150300.38.40.4
      kernel-azure-livepatch-devel-5.3.18-150300.38.40.4
      kernel-azure-optional-5.3.18-150300.38.40.4
      kernel-azure-optional-debuginfo-5.3.18-150300.38.40.4
      kernel-syms-azure-5.3.18-150300.38.40.1
      kselftests-kmp-azure-5.3.18-150300.38.40.4
      kselftests-kmp-azure-debuginfo-5.3.18-150300.38.40.4
      ocfs2-kmp-azure-5.3.18-150300.38.40.4
      ocfs2-kmp-azure-debuginfo-5.3.18-150300.38.40.4
      reiserfs-kmp-azure-5.3.18-150300.38.40.4
      reiserfs-kmp-azure-debuginfo-5.3.18-150300.38.40.4


References:

   https://www.suse.com/security/cve/CVE-2020-28097.html
   https://www.suse.com/security/cve/CVE-2021-22600.html
   https://www.suse.com/security/cve/CVE-2021-39648.html
   https://www.suse.com/security/cve/CVE-2021-39657.html
   https://www.suse.com/security/cve/CVE-2021-39685.html
   https://www.suse.com/security/cve/CVE-2021-4159.html
   https://www.suse.com/security/cve/CVE-2021-44733.html
   https://www.suse.com/security/cve/CVE-2021-45095.html
   https://www.suse.com/security/cve/CVE-2022-0286.html
   https://www.suse.com/security/cve/CVE-2022-0330.html
   https://www.suse.com/security/cve/CVE-2022-0435.html
   https://www.suse.com/security/cve/CVE-2022-22942.html
   https://bugzilla.suse.com/1154353
   https://bugzilla.suse.com/1154488
   https://bugzilla.suse.com/1160634
   https://bugzilla.suse.com/1176447
   https://bugzilla.suse.com/1177599
   https://bugzilla.suse.com/1183405
   https://bugzilla.suse.com/1185377
   https://bugzilla.suse.com/1187428
   https://bugzilla.suse.com/1187723
   https://bugzilla.suse.com/1188605
   https://bugzilla.suse.com/1191881
   https://bugzilla.suse.com/1193096
   https://bugzilla.suse.com/1193506
   https://bugzilla.suse.com/1193767
   https://bugzilla.suse.com/1193802
   https://bugzilla.suse.com/1193861
   https://bugzilla.suse.com/1193864
   https://bugzilla.suse.com/1193867
   https://bugzilla.suse.com/1194048
   https://bugzilla.suse.com/1194227
   https://bugzilla.suse.com/1194291
   https://bugzilla.suse.com/1194880
   https://bugzilla.suse.com/1195009
   https://bugzilla.suse.com/1195062
   https://bugzilla.suse.com/1195065
   https://bugzilla.suse.com/1195073
   https://bugzilla.suse.com/1195183
   https://bugzilla.suse.com/1195184
   https://bugzilla.suse.com/1195254
   https://bugzilla.suse.com/1195267
   https://bugzilla.suse.com/1195293
   https://bugzilla.suse.com/1195371