SUSE Security Update: Security update for the Linux RT Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2022:0555-1
Rating:             critical
References:         #1065729 #1071995 #1082555 #1163405 #1177599 
                    #1183405 #1184209 #1185377 #1186207 #1186222 
                    #1187428 #1187723 #1188605 #1190973 #1192729 
                    #1193096 #1193234 #1193235 #1193242 #1193507 
                    #1193660 #1193669 #1193727 #1193767 #1193861 
                    #1193864 #1193867 #1193927 #1194001 #1194027 
                    #1194048 #1194227 #1194302 #1194410 #1194493 
                    #1194516 #1194529 #1194814 #1194880 #1194888 
                    #1194965 #1194985 #1195065 #1195073 #1195254 
                    #1195272 #1195612 
Cross-References:   CVE-2020-28097 CVE-2021-3564 CVE-2021-39648
                    CVE-2021-39657 CVE-2021-4083 CVE-2021-4135
                    CVE-2021-4149 CVE-2021-4197 CVE-2021-4202
                    CVE-2021-44733 CVE-2021-45095 CVE-2022-0322
                    CVE-2022-0330 CVE-2022-0435 CVE-2022-22942
                    CVE-2022-24448
CVSS scores:
                    CVE-2020-28097 (NVD) : 5.9 CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
                    CVE-2020-28097 (SUSE): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-3564 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-3564 (SUSE): 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-39648 (SUSE): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-39657 (SUSE): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
                    CVE-2021-4083 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-4083 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-4135 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-4149 (SUSE): 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-4197 (SUSE): 6.3 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
                    CVE-2021-4202 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-44733 (SUSE): 4.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
                    CVE-2021-45095 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-45095 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
                    CVE-2022-0322 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
                    CVE-2022-0330 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2022-0435 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2022-22942 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2022-24448 (NVD) : 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
                    CVE-2022-24448 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Affected Products:
                    SUSE Linux Enterprise Real Time Extension 12-SP5
______________________________________________________________________________

   An update that solves 16 vulnerabilities and has 31 fixes
   is now available.

Description:


   The SUSE Linux Enterprise 12 SP5 RT kernel was updated to receive various
   security fixes and bugfixes.


   The following security bugs were fixed:

   - CVE-2022-0435: Fixed remote stack overflow in the net/tipc module by
     validating the domain record count on input (bsc#1195254).
   - CVE-2022-24448: Fixed an issue in fs/nfs/dir.c where, if an application
     sets the O_DIRECTORY flag and tries to open a regular file,
     nfs_atomic_open() performs a regular lookup (bnc#1195612).
   - CVE-2021-3564: Fixed double-free memory corruption in the Linux kernel
     HCI device initialization subsystem that could have been used by
     attaching malicious HCI TTY Bluetooth devices. A local user could use
     this flaw to crash the system (bnc#1186207).
   - CVE-2020-28097: Fixed out-of-bounds read in vgacon subsystem that
     mishandled software scrollback (bnc#1187723).
   - CVE-2021-45095: Fixed refcount leak in pep_sock_accept in
     net/phonet/pep.c (bnc#1193867).
   - CVE-2022-22942: Fixed stale file descriptors on failed usercopy
     (bsc#1195065).
   - CVE-2021-39657: Fixed out of bounds read due to a missing bounds check
     in ufshcd_eh_device_reset_handler of ufshcd.c. This could lead to local
     information disclosure with System execution privileges needed
     (bnc#1193864).
   - CVE-2021-39648: Fixed possible disclosure of kernel heap memory due to a
     race condition in gadget_dev_desc_UDC_show of configfs.c. This could
     lead to local information disclosure with System execution privileges
     needed. User interaction is not needed for exploitation (bnc#1193861).
   - CVE-2021-44733: Fixed a use-after-free in drivers/tee/tee_shm.c in the
     TEE subsystem that could have occurred because of a race condition in
     tee_shm_get_from_id during an attempt to free a shared memory object
     (bnc#1193767).
   - CVE-2022-0330: Flush TLBs before releasing backing store
     (bsc#1194880).
   - CVE-2022-0322: Fixed SCTP issue by accounting for stream padding length
     for the reconf chunk (bsc#1194985).
   - CVE-2021-4197: Use cgroup open-time credentials for process migration
     perm checks (bsc#1194302).
   - CVE-2021-4202: Fixed NFC race condition by adding NCI_UNREG flag
     (bsc#1194529).
   - CVE-2021-4083: Fixed a read-after-free memory flaw inside the garbage
     collection for Unix domain socket file handlers when users call close()
     and fget() simultaneously, which can potentially trigger a race
     condition (bnc#1193727).
   - CVE-2021-4149: Fixed btrfs issue by unlocking the newly allocated extent
     buffer after an error (bsc#1194001).
   - CVE-2021-4135: Fixed by zero-initializing memory inside netdevsim for a
     new map's value in function nsim_bpf_map_alloc (bsc#1193927).


   The following non-security bugs were fixed:

   - KVM: remember position in kvm->vcpus array (bsc#1190973).
   - KVM: s390: index kvm->arch.idle_mask by vcpu_idx (bsc#1190973).
   - SUNRPC: Add basic load balancing to the transport switch - kabi fix.
     (bnc#1192729).
   - SUNRPC: Add basic load balancing to the transport switch. (bnc#1192729)
   - SUNRPC: Fix initialisation of struct rpc_xprt_switch (bnc#1192729).
   - SUNRPC: Optimise transport balancing code (bnc#1192729).
   - SUNRPC: Replace division by multiplication in calculation of queue
     length (bnc#1192729).
   - SUNRPC: Skip zero-refcount transports (bnc#1192729).
   - USB: serial: option: add Telit FN990 compositions (git-fixes).
   - bpf: Verifer, adjust_scalar_min_max_vals to always call
     update_reg_bounds() (bsc#1194227).
   - crypto: qat - fix undetected PFVF timeout in ACK loop (git-fixes).
   - ext4: set csum seed in tmp inode while migrating to extents
     (bsc#1195272).
   - fget: clarify and improve __fget_files() implementation (bsc#1193727).
   - hv_netvsc: Set needed_headroom according to VF (bsc#1193507).
   - ibmvnic: Allow extra failures before disabling (bsc#1195073 ltc#195713).
   - ibmvnic: do not spin in tasklet (bsc#1195073 ltc#195713).
   - ibmvnic: init ->running_cap_crqs early (bsc#1195073 ltc#195713).
   - ibmvnic: remove unused ->wait_capability (bsc#1195073 ltc#195713).
   - kABI fixup after adding vcpu_idx to struct kvm_cpu (bsc#1190973).
   - kabi: mask new member "empty" of struct Qdisc (bsc#1183405).
   - kabi: revert drop of Qdisc::atomic_qlen (bsc#1183405).
   - kprobes: Limit max data_size of the kretprobe instances (bsc#1193669).
   - livepatch: Avoid CPU hogging with cond_resched (bsc#1071995).
   - memstick: rtsx_usb_ms: fix UAF (bsc#1194516).
   - mm/hwpoison: do not lock page again when me_huge_page() successfully
     recovers (bsc#1194814).
   - mm/slab: Using proper atomic helper (bsc#1186222).
   - moxart: fix potential use-after-free on remove path (bsc#1194516).
   - net, xdp: Introduce xdp_init_buff utility routine (bsc#1193507).
   - net, xdp: Introduce xdp_prepare_buff utility routine (bsc#1193507).
   - net/sched: annotate lockless accesses to qdisc->empty (bsc#1183405).
   - net/sched: fix race between deactivation and dequeue for NOLOCK qdisc
     (bsc#1183405).
   - net/sched: pfifo_fast: fix wrong dereference in pfifo_fast_enqueue
     (bsc#1183405).
   - net/sched: pfifo_fast: fix wrong dereference when qdisc is reset
     (bsc#1183405).
   - net: allow retransmitting a TCP packet if original is still in queue
     (bsc#1188605 bsc#1187428).
   - net: caif: avoid using qdisc_qlen() (bsc#1183405).
   - net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero (git-fixes).
   - net: dev: introduce support for sch BYPASS for lockless qdisc
     (bsc#1183405).
   - net: mana: Add RX fencing (bsc#1193507).
   - net: mana: Add XDP support (bsc#1193507).
   - net: sch_generic: aviod concurrent reset and enqueue op for lockless
     qdisc (bsc#1183405).
   - net: sched: Avoid using yield() in a busy waiting loop (bsc#1183405).
   - net: sched: add barrier to ensure correct ordering for lockless qdisc
     (bsc#1183405).
   - net: sched: add empty status flag for NOLOCK qdisc (bsc#1183405).
   - net: sched: always do stats accounting according to TCQ_F_CPUSTATS
     (bsc#1183405).
   - net: sched: avoid unnecessary seqcount operation for lockless qdisc
     (bsc#1183405).
   - net: sched: fix packet stuck problem for lockless qdisc (bsc#1183405).
   - net: sched: fix tx action reschedule issue with stopped queue
     (bsc#1183405).
   - net: sched: fix tx action rescheduling issue during deactivation
     (bsc#1183405).
   - net: sched: prefer qdisc_is_empty() over direct qlen access
     (bsc#1183405).
   - net: sched: replaced invalid qdisc tree flush helper in qdisc_replace
     (bsc#1183405).
   - net: sched: when clearing NOLOCK, clear TCQ_F_CPUSTATS, too
     (bsc#1183405).
   - net: usb: lan78xx: add Allied Telesis AT29M2-AF (git-fixes).
   - net_sched: avoid resetting active qdisc for multiple times (bsc#1183405).
   - net_sched: get rid of unnecessary dev_qdisc_reset() (bsc#1183405).
   - net_sched: use qdisc_reset() in qdisc_destroy() (bsc#1183405).
   - nfs: do not dirty kernel pages read by direct-io (bsc#1194410).
   - nvme: add 'iopolicy' module parameter (bsc#1177599 bsc#1193096).
   - nvme: return BLK_STS_TRANSPORT unless DNR for NVME_SC_NS_NOT_READY
     (bsc#1163405).
   - of: Add cpu node iterator for_each_of_cpu_node() (bsc#1065729).
   - of: Add device_type access helper functions (bsc#1065729).
   - of: Fix cpu node iterator to not ignore disabled cpu nodes (bsc#1065729).
   - of: Fix property name in of_node_get_device_type (bsc#1065729).
   - of: add node name compare helper functions (bsc#1065729).
   - powerpc/perf: Fix data source encodings for L2.1 and L3.1 accesses
     (bsc#1065729).
   - powerpc/prom_init: Fix improper check of prom_getprop() (bsc#1065729).
   - powerpc/pseries/cpuhp: cache node corrections (bsc#1065729).
   - powerpc/pseries/cpuhp: delete add/remove_by_count code (bsc#1065729).
   - powerpc/pseries/mobility: ignore ibm,platform-facilities updates
     (bsc#1065729).
   - powerpc/traps: do not enable irqs in _exception (bsc#1065729).
   - powerpc: add interrupt_cond_local_irq_enable helper (bsc#1065729).
   - s390/cio: make ccw_device_dma_* more robust (bsc#1193242).
   - s390/pci: add s390_iommu_aperture kernel parameter (bsc#1193234).
   - s390/pci: move pseudo-MMIO to prevent MIO overlap (bsc#1194965).
   - select: Fix indefinitely sleeping task in poll_schedule_timeout()
     (bsc#1194027).
   - tpm: Check for integer overflow in tpm2_map_response_body()
     (bsc#1082555).
   - tpm: add request_locality before write TPM_INT_ENABLE (bsc#1082555).
   - tpm: fix potential NULL pointer access in tpm_del_char_device
     (bsc#1184209 ltc#190917 git-fixes bsc#1193660 ltc#195634).
   - tracing/kprobes: 'nmissed' not showed correctly for kretprobe
     (git-fixes).
   - tracing: Fix check for trace_percpu_buffer validity in get_trace_buf()
     (git-fixes).
   - ucsi_ccg: Check DEV_INT bit only when starting CCG4 (git-fixes).
   - usb: core: config: fix validation of wMaxPacketValue entries (git-fixes).
   - usbnet: fix error return code in usbnet_probe() (git-fixes).
   - usbnet: sanity check for maxpacket (git-fixes).
   - vfs: check fd has read access in kernel_read_file_from_fd()
     (bsc#1194888).
   - virtio: write back F_VERSION_1 before validate (bsc#1193235).
   - x86/platform/uv: Add more to secondary CPU kdump info (bsc#1194493).
   - xfrm: fix MTU regression (bsc#1185377, bsc#1194048).


Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Real Time Extension 12-SP5:

      zypper in -t patch SUSE-SLE-RT-12-SP5-2022-555=1



Package List:

   - SUSE Linux Enterprise Real Time Extension 12-SP5 (x86_64):

      cluster-md-kmp-rt-4.12.14-10.78.1
      cluster-md-kmp-rt-debuginfo-4.12.14-10.78.1
      dlm-kmp-rt-4.12.14-10.78.1
      dlm-kmp-rt-debuginfo-4.12.14-10.78.1
      gfs2-kmp-rt-4.12.14-10.78.1
      gfs2-kmp-rt-debuginfo-4.12.14-10.78.1
      kernel-rt-4.12.14-10.78.1
      kernel-rt-base-4.12.14-10.78.1
      kernel-rt-base-debuginfo-4.12.14-10.78.1
      kernel-rt-debuginfo-4.12.14-10.78.1
      kernel-rt-debugsource-4.12.14-10.78.1
      kernel-rt-devel-4.12.14-10.78.1
      kernel-rt-devel-debuginfo-4.12.14-10.78.1
      kernel-rt_debug-4.12.14-10.78.1
      kernel-rt_debug-debuginfo-4.12.14-10.78.1
      kernel-rt_debug-debugsource-4.12.14-10.78.1
      kernel-rt_debug-devel-4.12.14-10.78.1
      kernel-rt_debug-devel-debuginfo-4.12.14-10.78.1
      kernel-syms-rt-4.12.14-10.78.1
      ocfs2-kmp-rt-4.12.14-10.78.1
      ocfs2-kmp-rt-debuginfo-4.12.14-10.78.1

   - SUSE Linux Enterprise Real Time Extension 12-SP5 (noarch):

      kernel-devel-rt-4.12.14-10.78.1
      kernel-source-rt-4.12.14-10.78.1
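
   A post-patch check against the package list above, as an added example
   that is not part of the SUSE announcement: it flags RT kernel packages
   older than the fixed 4.12.14-10.78.1. The function names and the sample
   inventory are constructed, and GNU "sort -V" stands in for RPM's own
   version comparison.

```shell
#!/bin/sh
# Fixed version-release, taken from the advisory's package list.
FIXED="4.12.14-10.78.1"

# version_lt A B: true when A sorts strictly before B under GNU sort -V
# (assumption: used as an approximation of RPM's version comparison).
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# unpatched_rt_packages: reads "name version-release" lines on stdin and
# prints the RT kernel packages whose version-release is older than $FIXED.
unpatched_rt_packages() {
    while read -r name verrel; do
        case "$name" in
            kernel-rt*|kernel-devel-rt|kernel-source-rt|kernel-syms-rt|*-kmp-rt*) ;;
            *) continue ;;   # not one of the packages this update ships
        esac
        if version_lt "$verrel" "$FIXED"; then
            printf '%s %s\n' "$name" "$verrel"
        fi
    done
}

# Constructed sample inventory (not real host output). On a live system use:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' | unpatched_rt_packages
SAMPLE='kernel-rt 4.12.14-10.73.1
kernel-rt-base 4.12.14-10.78.1
dlm-kmp-rt 4.12.14-10.9.1
kernel-source-rt 4.12.14-10.78.1
bash 4.3-83.23.1'

printf '%s\n' "$SAMPLE" | unpatched_rt_packages
```

   Older kernel packages that remain installed alongside the fixed one are
   listed too.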


References:

   https://www.suse.com/security/cve/CVE-2020-28097.html
   https://www.suse.com/security/cve/CVE-2021-3564.html
   https://www.suse.com/security/cve/CVE-2021-39648.html
   https://www.suse.com/security/cve/CVE-2021-39657.html
   https://www.suse.com/security/cve/CVE-2021-4083.html
   https://www.suse.com/security/cve/CVE-2021-4135.html
   https://www.suse.com/security/cve/CVE-2021-4149.html
   https://www.suse.com/security/cve/CVE-2021-4197.html
   https://www.suse.com/security/cve/CVE-2021-4202.html
   https://www.suse.com/security/cve/CVE-2021-44733.html
   https://www.suse.com/security/cve/CVE-2021-45095.html
   https://www.suse.com/security/cve/CVE-2022-0322.html
   https://www.suse.com/security/cve/CVE-2022-0330.html
   https://www.suse.com/security/cve/CVE-2022-0435.html
   https://www.suse.com/security/cve/CVE-2022-22942.html
   https://www.suse.com/security/cve/CVE-2022-24448.html
   https://bugzilla.suse.com/1065729
   https://bugzilla.suse.com/1071995
   https://bugzilla.suse.com/1082555
   https://bugzilla.suse.com/1163405
   https://bugzilla.suse.com/1177599
   https://bugzilla.suse.com/1183405
   https://bugzilla.suse.com/1184209
   https://bugzilla.suse.com/1185377
   https://bugzilla.suse.com/1186207
   https://bugzilla.suse.com/1186222
   https://bugzilla.suse.com/1187428
   https://bugzilla.suse.com/1187723
   https://bugzilla.suse.com/1188605
   https://bugzilla.suse.com/1190973
   https://bugzilla.suse.com/1192729
   https://bugzilla.suse.com/1193096
   https://bugzilla.suse.com/1193234
   https://bugzilla.suse.com/1193235
   https://bugzilla.suse.com/1193242
   https://bugzilla.suse.com/1193507
   https://bugzilla.suse.com/1193660
   https://bugzilla.suse.com/1193669
   https://bugzilla.suse.com/1193727
   https://bugzilla.suse.com/1193767
   https://bugzilla.suse.com/1193861
   https://bugzilla.suse.com/1193864
   https://bugzilla.suse.com/1193867
   https://bugzilla.suse.com/1193927
   https://bugzilla.suse.com/1194001
   https://bugzilla.suse.com/1194027
   https://bugzilla.suse.com/1194048
   https://bugzilla.suse.com/1194227
   https://bugzilla.suse.com/1194302
   https://bugzilla.suse.com/1194410
   https://bugzilla.suse.com/1194493
   https://bugzilla.suse.com/1194516
   https://bugzilla.suse.com/1194529
   https://bugzilla.suse.com/1194814
   https://bugzilla.suse.com/1194880
   https://bugzilla.suse.com/1194888
   https://bugzilla.suse.com/1194965
   https://bugzilla.suse.com/1194985
   https://bugzilla.suse.com/1195065
   https://bugzilla.suse.com/1195073
   https://bugzilla.suse.com/1195254
   https://bugzilla.suse.com/1195272
   https://bugzilla.suse.com/1195612