SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3230-1
Rating:             important
References:         #1065600 #1155798 #1168468 #1171675 #1175599 
                    #1175718 #1176019 #1176381 #1176588 #1176979 
                    #1177027 #1177121 #1177193 #1177194 #1177206 
                    #1177258 #1177283 #1177284 #1177285 #1177286 
                    #1177297 #1177384 #1177511 #954532 
Cross-References:   CVE-2020-25212 CVE-2020-25641 CVE-2020-25643
                    CVE-2020-25645
Affected Products:
                    SUSE Linux Enterprise Module for Realtime 15-SP2
______________________________________________________________________________

   An update that solves four vulnerabilities and has 20 fixes
   is now available.

Description:

   The SUSE Linux Enterprise 15 SP2 kernel RT was updated to receive various
   security and bugfixes.

   The following security bugs were fixed:

   - CVE-2020-25212: Fixed getxattr kernel panic and memory overflow
     (bsc#1176381).
   - CVE-2020-25643: Added range checks in ppp_cp_parse_cr() (bsc#1177206).
   - CVE-2020-25641: Allowed for_each_bvec to support zero len bvec
     (bsc#1177121).
   - CVE-2020-25645: Added transport ports in route lookup for geneve
     (bsc#1177511).

   The following non-security bugs were fixed:

   - 9p: Fix memory leak in v9fs_mount (git-fixes).
   - ACPI: EC: Reference count query handlers under lock (git-fixes).
   - airo: Fix read overflows sending packets (git-fixes).
   - ar5523: Add USB ID of SMCWUSBT-G2 wireless adapter (git-fixes).
   - ASoC: img-i2s-out: Fix runtime PM imbalance on error (git-fixes).
   - ASoC: Intel: bytcr_rt5640: Add quirk for MPMAN Converter9 2-in-1
     (git-fixes).
   - ASoC: kirkwood: fix IRQ error handling (git-fixes).
   - ASoC: wm8994: Ensure the device is resumed in wm89xx_mic_detect
     functions (git-fixes).
   - ASoC: wm8994: Skip setting of the WM8994_MICBIAS register for WM1811
     (git-fixes).
   - ath10k: fix array out-of-bounds access (git-fixes).
   - ath10k: fix memory leak for tpc_stats_final (git-fixes).
   - ath10k: use kzalloc to read for ath10k_sdio_hif_diag_read (git-fixes).
   - Bluetooth: Fix refcount use-after-free issue (git-fixes).
   - Bluetooth: guard against controllers sending zero'd events (git-fixes).
   - Bluetooth: Handle Inquiry Cancel error after Inquiry Complete
     (git-fixes).
   - Bluetooth: L2CAP: handle l2cap config request during open state
     (git-fixes).
   - Bluetooth: prefetch channel before killing sock (git-fixes).
   - brcmfmac: Fix double freeing in the fmac usb data path (git-fixes).
   - btrfs: block-group: do not set the wrong READA flag for
     btrfs_read_block_groups() (bsc#1176019).
   - btrfs: block-group: fix free-space bitmap threshold (bsc#1176019).
   - btrfs: block-group: refactor how we delete one block group item
     (bsc#1176019).
   - btrfs: block-group: refactor how we insert a block group item
     (bsc#1176019).
   - btrfs: block-group: refactor how we read one block group item
     (bsc#1176019).
   - btrfs: block-group: rename write_one_cache_group() (bsc#1176019).
   - btrfs: do not take an extra root ref at allocation time (bsc#1176019).
   - btrfs: drop logs when we've aborted a transaction (bsc#1176019).
   - btrfs: fix a race between scrub and block group removal/allocation
     (bsc#1176019).
   - btrfs: fix crash during unmount due to race with delayed inode workers
     (bsc#1176019).
   - btrfs: free block groups after free'ing fs trees (bsc#1176019).
   - btrfs: hold a ref on the root on the dead roots list (bsc#1176019).
   - btrfs: kill the subvol_srcu (bsc#1176019).
   - btrfs: make btrfs_cleanup_fs_roots use the radix tree lock (bsc#1176019).
   - btrfs: make inodes hold a ref on their roots (bsc#1176019).
   - btrfs: make the extent buffer leak check per fs info (bsc#1176019).
   - btrfs: move ino_cache_inode dropping out of btrfs_free_fs_root
     (bsc#1176019).
   - btrfs: move the block group freeze/unfreeze helpers into block-group.c
     (bsc#1176019).
   - btrfs: move the root freeing stuff into btrfs_put_root (bsc#1176019).
   - btrfs: remove no longer necessary chunk mutex locking cases
     (bsc#1176019).
   - btrfs: rename member 'trimming' of block group to a more generic name
     (bsc#1176019).
   - btrfs: scrub, only lookup for csums if we are dealing with a data extent
     (bsc#1176019).
   - bus: hisi_lpc: Fixup IO ports addresses to avoid use-after-free in host
     removal (git-fixes).
   - clk: samsung: exynos4: mark 'chipid' clock as CLK_IGNORE_UNUSED
     (git-fixes).
   - clk: socfpga: stratix10: fix the divider for the emac_ptp_free_clk
     (git-fixes).
   - clk: tegra: Always program PLL_E when enabled (git-fixes).
   - clk/ti/adpll: allocate room for terminating null (git-fixes).
   - clocksource/drivers/h8300_timer8: Fix wrong return value in
     h8300_8timer_init() (git-fixes).
   - clocksource/drivers/timer-gx6605s: Fixup counter reload (git-fixes).
   - cpuidle: Poll for a minimum of 30ns and poll for a tick if lower
     c-states are disabled (bnc#1176588).
   - crypto: dh - check validity of Z before export (bsc#1175718).
   - crypto: dh - SP800-56A rev 3 local public key validation (bsc#1175718).
   - crypto: ecc - SP800-56A rev 3 local public key validation (bsc#1175718).
   - crypto: ecdh - check validity of Z before export (bsc#1175718).
   - dmaengine: mediatek: hsdma_probe: fixed a memory leak when
     devm_request_irq fails (git-fixes).
   - dmaengine: stm32-dma: use vchan_terminate_vdesc() in .terminate_all
     (git-fixes).
   - dmaengine: stm32-mdma: use vchan_terminate_vdesc() in .terminate_all
     (git-fixes).
   - dmaengine: tegra-apb: Prevent race conditions on channel's freeing
     (git-fixes).
   - dmaengine: zynqmp_dma: fix burst length configuration (git-fixes).
   - dma-fence: Serialise signal enabling (dma_fence_enable_sw_signaling)
     (git-fixes).
   - drivers: char: tlclk.c: Avoid data race between init and interrupt
     handler (git-fixes).
   - drm/amdgpu: restore proper ref count in amdgpu_display_crtc_set_config
     (git-fixes).
   - drm/radeon: revert "Prefer lower feedback dividers" (bsc#1177384).
   - e1000: Do not perform reset in reset_task if we are already down
     (git-fixes).
   - ftrace: Move RCU is watching check after recursion check (git-fixes).
   - fuse: do not ignore errors from fuse_writepages_fill() (bsc#1177193).
   - gpio: mockup: fix resource leak in error path (git-fixes).
   - gpio: rcar: Fix runtime PM imbalance on error (git-fixes).
   - gpio: siox: explicitly support only threaded irqs (git-fixes).
   - gpio: sprd: Clear interrupt when setting the type as edge (git-fixes).
   - gpio: tc35894: fix up tc35894 interrupt configuration (git-fixes).
   - hwmon: (applesmc) check status earlier (git-fixes).
   - i2c: aspeed: Mask IRQ status to relevant bits (git-fixes).
   - i2c: core: Call i2c_acpi_install_space_handler() before
     i2c_acpi_register_devices() (git-fixes).
   - i2c: i801: Exclude device from suspend direct complete optimization
     (git-fixes).
   - i2c: tegra: Prevent interrupt triggering after transfer timeout
     (git-fixes).
   - i2c: tegra: Restore pinmux on system resume (git-fixes).
   - ieee802154/adf7242: check status of adf7242_read_reg (git-fixes).
   - ieee802154: fix one possible memleak in ca8210_dev_com_init (git-fixes).
   - iio: adc: qcom-spmi-adc5: fix driver name (git-fixes).
   - Input: i8042 - add nopnp quirk for Acer Aspire 5 A515 (bsc#954532).
   - Input: trackpoint - enable Synaptics trackpoints (git-fixes).
   - iommu/amd: Fix IOMMU AVIC not properly update the is_run bit in IRTE
     (bsc#1177297).
   - iommu/amd: Fix potential @entry null deref (bsc#1177283).
   - iommu/amd: Re-factor guest virtual APIC (de-)activation code
     (bsc#1177284).
   - iommu/amd: Restore IRTE.RemapEn bit for amd_iommu_activate_guest_mode
     (bsc#1177285).
   - iommu/exynos: add missing put_device() call in exynos_iommu_of_xlate()
     (bsc#1177286).
   - kABI: Fix kABI for 12856e7acde4 PCI/IOV: Mark VFs as not implementing
     PCI_COMMAND_MEMORY (bsc#1176979).
   - leds: mlxreg: Fix possible buffer overflow (git-fixes).
   - lib/mpi: Add mpi_sub_ui() (bsc#1175718).
   - locking/rwsem: Disable reader optimistic spinning (bnc#1176588).
   - mac80211: do not allow bigger VHT MPDUs than the hardware supports
     (git-fixes).
   - mac80211: skip mpath lookup also for control port tx (git-fixes).
   - mac802154: tx: fix use-after-free (git-fixes).
   - media: mc-device.c: fix memleak in media_device_register_entity
     (git-fixes).
   - media: smiapp: Fix error handling at NVM reading (git-fixes).
   - media: ti-vpe: cal: Restrict DMA to avoid memory corruption (git-fixes).
   - mfd: mfd-core: Protect against NULL call-back function pointer
     (git-fixes).
   - mmc: core: Rework wp-gpio handling (git-fixes).
   - mmc: sdhci: Workaround broken command queuing on Intel GLK based IRBIS
     models (git-fixes).
   - mt76: add missing locking around ampdu action (git-fixes).
   - mt76: clear skb pointers from rx aggregation reorder buffer during
     cleanup (git-fixes).
   - mt76: do not use devm API for led classdev (git-fixes).
   - mt76: fix handling full tx queues in mt76_dma_tx_queue_skb_raw
     (git-fixes).
   - mt76: fix LED link time failure (git-fixes).
   - mtd: cfi_cmdset_0002: do not free cfi->cfiq in error path of
     cfi_amdstd_setup() (git-fixes).
   - mtd: rawnand: gpmi: Fix runtime PM imbalance on error (git-fixes).
   - mtd: rawnand: omap_elm: Fix runtime PM imbalance on error (git-fixes).
   - net: phy: realtek: fix rtl8211e rx/tx delay config (git-fixes).
   - nfs: Fix security label length not being reset (bsc#1176381).
   - PCI: Avoid double hpmemsize MMIO window assignment (git-fixes).
   - PCI/IOV: Mark VFs as not implementing PCI_COMMAND_MEMORY (bsc#1176979).
   - PCI: tegra194: Fix runtime PM imbalance on error (git-fixes).
   - PCI: tegra: Fix runtime PM imbalance on error (git-fixes).
   - phy: ti: am654: Fix a leak in serdes_am654_probe() (git-fixes).
   - pinctrl: mvebu: Fix i2c sda definition for 98DX3236 (git-fixes).
   - Platform: OLPC: Fix memleak in olpc_ec_probe (git-fixes).
   - platform/x86: fix kconfig dependency warning for FUJITSU_LAPTOP
     (git-fixes).
   - platform/x86: fix kconfig dependency warning for LG_LAPTOP (git-fixes).
   - platform/x86: intel_pmc_core: do not create a static struct device
     (git-fixes).
   - platform/x86: intel-vbtn: Switch to an allow-list for SW_TABLET_MODE
     reporting (bsc#1175599).
   - platform/x86: thinkpad_acpi: initialize tp_nvram_state variable
     (git-fixes).
   - platform/x86: thinkpad_acpi: re-initialize ACPI buffer size when reuse
     (git-fixes).
   - power: supply: max17040: Correct voltage reading (git-fixes).
   - Refresh
     patches.suse/fnic-to-not-call-scsi_done-for-unhandled-commands.patch
     (bsc#1168468, bsc#1171675).
   - rtc: ds1374: fix possible race condition (git-fixes).
   - rtc: sa1100: fix possible race condition (git-fixes).
   - s390/pci: Mark all VFs as not implementing PCI_COMMAND_MEMORY
     (bsc#1176979).
   - sched/fair: Ignore cache hotness for SMT migration (bnc#1155798 (CPU
     scheduler functional and performance backports)).
   - sched/fair: Use dst group while checking imbalance for NUMA balancer
     (bnc#1155798 (CPU scheduler functional and performance backports)).
   - sched/numa: Avoid creating large imbalances at task creation time
     (bnc#1176588).
   - sched/numa: Check numa balancing information only when enabled
     (bnc#1176588).
   - sched/numa: Use runnable_avg to classify node (bnc#1155798 (CPU
     scheduler functional and performance backports)).
   - scsi: iscsi: iscsi_tcp: Avoid holding spinlock while calling
     getpeername() (bsc#1177258).
   - serial: 8250: 8250_omap: Terminate DMA before pushing data on RX timeout
     (git-fixes).
   - serial: 8250_omap: Fix sleeping function called from invalid context
     during probe (git-fixes).
   - serial: 8250_port: Do not service RX FIFO if throttled (git-fixes).
   - serial: uartps: Wait for tx_empty in console setup (git-fixes).
   - spi: fsl-espi: Only process interrupts for expected events (git-fixes).
   - staging:r8188eu: avoid skb_clone for amsdu to msdu conversion
     (git-fixes).
   - thermal: rcar_thermal: Handle probe error gracefully (git-fixes).
   - Update config files. Enable ACPI_PCI_SLOT and HOTPLUG_PCI_ACPI
     (bsc#1177194).
   - usb: dwc3: Increase timeout for CmdAct cleared by device controller
     (git-fixes).
   - USB: EHCI: ehci-mv: fix error handling in mv_ehci_probe() (git-fixes).
   - USB: EHCI: ehci-mv: fix less than zero comparison of an unsigned int
     (git-fixes).
   - USB: gadget: f_ncm: Fix NDP16 datagram validation (git-fixes).
   - vfio/pci: Decouple PCI_COMMAND_MEMORY bit checks from is_virtfn
     (bsc#1176979).
   - vmxnet3: fix cksum offload issues for non-udp tunnels (git-fixes).
   - wlcore: fix runtime pm imbalance in wl1271_tx_work (git-fixes).
   - wlcore: fix runtime pm imbalance in wlcore_regdomain_config (git-fixes).
   - xen/events: do not use chip_data for legacy IRQs (bsc#1065600).
   - yam: fix possible memory leak in yam_init_driver (git-fixes).


Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Realtime 15-SP2:

      zypper in -t patch SUSE-SLE-Module-RT-15-SP2-2020-3230=1



Package List:

   - SUSE Linux Enterprise Module for Realtime 15-SP2 (x86_64):

      cluster-md-kmp-rt-5.3.18-13.1
      cluster-md-kmp-rt-debuginfo-5.3.18-13.1
      dlm-kmp-rt-5.3.18-13.1
      dlm-kmp-rt-debuginfo-5.3.18-13.1
      gfs2-kmp-rt-5.3.18-13.1
      gfs2-kmp-rt-debuginfo-5.3.18-13.1
      kernel-rt-5.3.18-13.1
      kernel-rt-debuginfo-5.3.18-13.1
      kernel-rt-debugsource-5.3.18-13.1
      kernel-rt-devel-5.3.18-13.1
      kernel-rt-devel-debuginfo-5.3.18-13.1
      kernel-rt_debug-debuginfo-5.3.18-13.1
      kernel-rt_debug-debugsource-5.3.18-13.1
      kernel-rt_debug-devel-5.3.18-13.1
      kernel-rt_debug-devel-debuginfo-5.3.18-13.1
      kernel-syms-rt-5.3.18-13.1
      ocfs2-kmp-rt-5.3.18-13.1
      ocfs2-kmp-rt-debuginfo-5.3.18-13.1

   - SUSE Linux Enterprise Module for Realtime 15-SP2 (noarch):

      kernel-devel-rt-5.3.18-13.1
      kernel-source-rt-5.3.18-13.1


References:

   https://www.suse.com/security/cve/CVE-2020-25212.html
   https://www.suse.com/security/cve/CVE-2020-25641.html
   https://www.suse.com/security/cve/CVE-2020-25643.html
   https://www.suse.com/security/cve/CVE-2020-25645.html
   https://bugzilla.suse.com/1065600
   https://bugzilla.suse.com/1155798
   https://bugzilla.suse.com/1168468
   https://bugzilla.suse.com/1171675
   https://bugzilla.suse.com/1175599
   https://bugzilla.suse.com/1175718
   https://bugzilla.suse.com/1176019
   https://bugzilla.suse.com/1176381
   https://bugzilla.suse.com/1176588
   https://bugzilla.suse.com/1176979
   https://bugzilla.suse.com/1177027
   https://bugzilla.suse.com/1177121
   https://bugzilla.suse.com/1177193
   https://bugzilla.suse.com/1177194
   https://bugzilla.suse.com/1177206
   https://bugzilla.suse.com/1177258
   https://bugzilla.suse.com/1177283
   https://bugzilla.suse.com/1177284
   https://bugzilla.suse.com/1177285
   https://bugzilla.suse.com/1177286
   https://bugzilla.suse.com/1177297
   https://bugzilla.suse.com/1177384
   https://bugzilla.suse.com/1177511
   https://bugzilla.suse.com/954532