The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.131 to receive various security and bugfixes. The following security bugs were fixed: - CVE-2018-3639: Information leaks using quot;Memory Disambiguationquot; feature in modern CPUs were mitigated, aka quot;Spectre Variant 4quot; . A new boot commandline option was introduced, quot;spec_store_bypass_disablequot;, which can have following values: - auto: Kernel detects whether your CPU model contains an implementation of Speculative Store Bypass and picks the most appropriate mitigation. - on: disable Speculative Store Bypass - off: enable Speculative Store Bypass - prctl: Control Speculative Store Bypass per thread via prctl. Speculative Store Bypass is enabled for a process by default. The state of the control is inherited on fork. - seccomp: Same as quot;prctlquot; above, but all seccomp threads will disable SSB unless they explicitly opt out. The default is quot;seccompquot;, meaning programs need explicit opt-in into the mitigation. Status can be queried via the /sys/devices/system/cpu/vulnerabilities/spec_store_bypass file, containing: - quot;Vulnerablequot; - quot;Mitigation: Speculative Store Bypass disabledquot; - quot;Mitigation: Speculative Store Bypass disabled via prctlquot; - quot;Mitigation: Speculative Store Bypass disabled via prctl and seccompquot; - CVE-2018-8781: The udl_fb_mmap function in drivers/gpu/drm/udl/udl_fb.c had an integer-overflow vulnerability allowing local users with access to the udldrmfb driver to obtain full read and write permissions on kernel physical pages, resulting in a code execution in kernel space . - CVE-2018-10124: The kill_something_info function in kernel/signal.c might have allowed local users to cause a denial of service via an INT_MIN argument . - CVE-2018-10087: The kernel_wait4 function in kernel/exit.c might have allowed local users to cause a denial of service by triggering an attempted use of the -INT_MIN value . - CVE-2018-1000199: An address corruption flaw was discovered while modifying a h/w breakpoint via "modify_user_hw_breakpoint" routine, an unprivileged user/process could use this flaw to crash the system kernel resulting in DoS OR to potentially escalate privileges on a the system. - CVE-2018-1130: The Linux kernel was vulnerable to a null pointer dereference in dccp_write_xmit function in net/dccp/output.c in that allowed a local user to cause a denial of service by a number of certain crafted system calls . - CVE-2018-5803: An error in the _sctp_make_chunk function when handling SCTP, packet length could have been exploited by a malicious local user to cause a kernel crash and a DoS. - CVE-2018-1065: The netfilter subsystem mishandled the case of a rule blob that contains a jump but lacks a user-defined chain, which allowed local users to cause a denial of service by leveraging the CAP_NET_RAW or CAP_NET_ADMIN capability, related to arpt_do_table in net/ipv4/netfilter/arp_tables.c, ipt_do_table in net/ipv4/netfilter/ip_tables.c, and ip6t_do_table in net/ipv6/netfilter/ip6_tables.c . - CVE-2018-7492: A NULL pointer dereference was found in the net/rds/rdma.c __rds_rdma_map function allowing local attackers to cause a system panic and a denial-of-service, related to RDS_GET_MR and RDS_GET_MR_FOR_DEST . The following non-security bugs were fixed: - acpica: Disassembler: Abort on an invalid/unknown AML opcode . - acpica: Events: Add runtime stub support for event APIs . - acpi / hotplug / PCI: Check presence of slot itself in get_slot_status . - acpi, PCI, irq: remove redundant check for null string pointer . - acpi / scan: Send change uevent with offine environmental data . - acpi / video: Add quirk to force acpi-video backlight on Samsung 670Z5E . - alsa: asihpi: Hardening for potential Spectre v1 . - alsa: control: Hardening for potential Spectre v1 . - alsa: core: Report audio_tstamp in snd_pcm_sync_ptr . - alsa: hda: Hardening for potential Spectre v1 . - alsa: hda - New VIA controller suppor no-snoop path . - alsa: hda/realtek - Add some fixes for ALC233 . - alsa: hdspm: Hardening for potential Spectre v1 . - alsa: line6: Use correct endpoint type for midi output . - alsa: opl3: Hardening for potential Spectre v1 . - alsa: oss: consolidate kmalloc/memset 0 call to kzalloc . - alsa: pcm: Avoid potential races between OSS ioctls and read/write . - alsa: pcm: Fix endless loop for XRUN recovery in OSS emulation . - alsa: pcm: Fix mutex unbalance in OSS emulation ioctls . - alsa: pcm: Fix UAF at PCM release via PCM timer access . - alsa: pcm: potential uninitialized return values . - alsa: pcm: Return -EBUSY for OSS ioctls changing busy streams . - alsa: pcm: Use dma_bytes as size parameter in dma_mmap_coherent . - alsa: pcm: Use ERESTARTSYS instead of EINTR in OSS emulation . - alsa: rawmidi: Fix missing input substream checks in compat ioctls . - alsa: rme9652: Hardening for potential Spectre v1 . - alsa: seq: oss: Fix unbalanced use lock for synth MIDI device . - alsa: seq: oss: Hardening for potential Spectre v1 . - alsa: usb-audio: Skip broken EU on Dell dock USB-audio . - arm64: avoid overflow in VA_START and PAGE_OFFSET . - arm64: futex: Fix undefined behaviour with FUTEX_OP_OPARG_SHIFT usage . - arm: amba: Do not read past the end of sysfs quot;driver_overridequot; buffer . - arm: amba: Fix race condition with driver_override . - arm: amba: Make driver_override output consistent with other buses . - arm: davinci: da8xx: Create DSP device only when assigned memory . - arm: dts: am57xx-beagle-x15-common: Add overide powerhold property . - arm: dts: at91: at91sam9g25: fix mux-mask pinctrl property . - arm: dts: at91: sama5d4: fix pinctrl compatible string . - arm: dts: dra7: Add power hold and power controller properties to palmas . - arm: dts: imx53-qsrb: Pulldown PMIC IRQ pin . - arm: dts: imx6qdl-wandboard: Fix audio channel swap . - arm: dts: ls1021a: add quot;fsl,ls1021a-esdhcquot; compatible string to esdhc node . - arm: imx: Add MXC_CPU_IMX6ULL and cpu_is_imx6ull . - arp: fix arp_filter on l3slave devices . - arp: honour gratuitous ARP _replies_ . - asoc: fsl_esai: Fix divisor calculation failure at lower ratio . - asoc: Intel: cht_bsw_rt5645: Analog Mic support . - asoc: rsnd: SSI PIO adjust to 24bit mode . - asoc: ssm2602: Replace reg_default_raw with reg_default . - async_tx: Fix DMA_PREP_FENCE usage in do_async_gen_syndrome . - ata: libahci: properly propagate return value of platform_get_irq . - ath5k: fix memory leak on buf on failed eeprom read . - ath9k_hw: check if the chip failed to wake up . - audit: add tty field to LOGIN event . - autofs: mount point create should honour passed in mode . - bcache: segregate flash only volume write streams . - bcache: stop writeback thread after detaching . - blacklist.conf: Add an omapdrm entry - blk-mq: fix bad clear of RQF_MQ_INFLIGHT in blk_mq_ct_ctx_init . - blk-mq: fix kernel oops in blk_mq_tag_idle . - block: correctly mask out flags in blk_rq_append_bio . - block/loop: fix deadlock after loop_set_status . - block: sanity check for integrity intervals . - bluetooth: Fix missing encryption refresh on Security Request . - bluetooth: Send HCI Set Event Mask Page 2 command only when needed . - bna: Avoid reading past end of buffer . - bnx2x: Allow vfs to disable txvlan offload . - bonding: do not set slave_dev npinfo before slave_enable_netpoll in bond_enslave . - bonding: Do not update slave-gt;link until ready to commit . - bonding: fix the err path for dev hwaddr sync in bond_enslave . - bonding: move dev_mc_sync after master_upper_dev_link in bond_enslave . - bonding: process the err returned by dev_set_allmulti properly in bond_enslave . - btrfs: fix incorrect error return ret being passed to mapping_set_error . - btrfs: Fix wrong first_key parameter in replace_path . - btrfs: Only check first key for committed tree blocks . - btrfs: Validate child tree block"s level and first key . - bus: brcmstb_gisb: correct support for 64-bit address output . - bus: brcmstb_gisb: Use register offsets with writes too . - cdc_ether: flag the Cinterion AHS8 modem by gemalto as WWAN . - cdrom: information leak in cdrom_ioctl_media_changed . - ceph: adding protection for showing cap reservation info . - ceph: always update atime/mtime/ctime for new inode . - ceph: check if mds create snaprealm when setting quota . - ceph: do not check quota for snap inode . - ceph: fix invalid point dereference for error case in mdsc destroy . - ceph: fix root quota realm check . - ceph: fix rsize/wsize capping in ceph_direct_read_write . - ceph: quota: add counter for snaprealms with quota . - ceph: quota: add initial infrastructure to support cephfs quotas . - ceph: quota: cache inode pointer in ceph_snap_realm . - ceph: quota: do not allow cross-quota renames . - ceph: quota: report root dir quota usage in statfs . - ceph: quota: support for ceph.quota.max_bytes . - ceph: quota: support for ceph.quota.max_files . - ceph: quota: update MDS when max_bytes is approaching . - cfg80211: make RATE_INFO_BW_20 the default . - cifs: do not allow creating sockets except with SMB1 posix exensions . - cifs: silence compiler warnings showing up with gcc-8.0.0 . - cifs: silence lockdep splat in cifs_relock_file . - cifs: Use file_dentry . - clk: bcm2835: De-assert/assert PLL reset signal when appropriate . - clk: Fix __set_clk_rates error print-string . - clk: mvebu: armada-38x: add support for 1866MHz variants . - clk: mvebu: armada-38x: add support for missing clocks . - clk: scpi: fix return type of __scpi_dvfs_round_rate . - clocksource/drivers/arm_arch_timer: Avoid infinite recursion when ftrace is enabled . - cpumask: Add helper cpumask_available . - crypto: ahash - Fix early termination in hash walk . - crypto: x86/cast5-avx - fix ECB encryption when long sg follows short one . - cx25840: fix unchecked return values . - cxgb4: fix incorrect cim_la output for T6 . - cxgb4: Fix queue free path of ULD drivers . - cxgb4: FW upgrade fixes . - cxgb4vf: Fix SGE FL buffer initialization logic for 64K pages . - dmaengine: at_xdmac: fix rare residue corruption . - dmaengine: imx-sdma: Handle return value of clk_prepare_enable . - dm ioctl: remove double parentheses . - Documentation: pinctrl: palmas: Add ti,palmas-powerhold-override property definition . - Do not leak MNT_INTERNAL away from internal mounts . - drivers/infiniband/core/verbs.c: fix build with gcc-4.4.4 . - drivers/infiniband/ulp/srpt/ib_srpt.c: fix build with gcc-4.4.4 . - drivers/misc/vmw_vmci/vmci_queue_pair.c: fix a couple integer overflow tests . - drm/omap: fix tiled buffer stride calculations . - drm/radeon: Fix PCIe lane width calculation . - drm/virtio: fix vq wait_event condition . - e1000e: fix race condition around skb_tstamp_tx . - e1000e: Undo e1000e_pm_freeze if __e1000_shutdown fails . - edac, mv64x60: Fix an error handling path . - Enable uinput driver . - esp: Fix memleaks on error paths . - ext4: add validity checks for bitmap block numbers . - ext4: bugfix for mmaped pages in mpage_release_unused_pages . - ext4: do not allow r/w mounts if metadata blocks overlap the superblock . - ext4: do not update checksum of new initialized bitmaps . - ext4: fail ext4_iget for root directory if unallocated . - ext4: fix bitmap position validation . - ext4: fix deadlock between inline_data and ext4_expand_extra_isize_ea . - ext4: Fix hole length detection in ext4_ind_map_blocks . - ext4: fix off-by-one on max nr_pages in ext4_find_unwritten_pgoff . - ext4: prevent right-shifting extents beyond EXT_MAX_BLOCKS . - ext4: set h_journal if there is a failure starting a reserved handle . - fanotify: fix logic of events on child . - fix race in drivers/char/random.c:get_reg . - frv: declare jiffies to be located in the .data section . - fs: compat: Remove warning from COMPATIBLE_IOCTL . - fs/proc: Stop trying to report thread stacks . - fs/reiserfs/journal.c: add missing resierfs_warning arg . - genirq: Use cpumask_available for check of cpumask variable . - getname_kernel needs to make sure that -gt;name != -gt;iname in long case . - gpio: label descriptors using the device name . - hdlcdrv: Fix divide by zero in hdlcdrv_ioctl . - hid: core: Fix size as type u32 . - hid: Fix hid_report_len usage . - hid: hidraw: Fix crash on HIDIOCGFEATURE with a destroyed device . - hid: i2c-hid: fix size check and type usage . - hwmon: Fix access to uninitialized mutex . - hwmon: Make calibration register value fixed . - hypfs_kill_super: deal with failed allocations . - i40iw: Free IEQ resources . - ib/core: Fix possible crash to access NULL netdev . - ib/core: Generate GID change event regardless of RoCE GID table property . - ib/mlx4: Fix corruption of RoCEv2 IPv4 GIDs . - ib/mlx4: Include GID type when deleting GIDs from HW table under RoCE . - ib/mlx5: Avoid passing an invalid QP type to firmware . - ib/mlx5: Fix an error code in __mlx5_ib_modify_qp . - ib/mlx5: Fix incorrect size of klms in the memory region . - ib/mlx5: Fix out-of-bounds read in create_raw_packet_qp_rq . - ib/mlx5: revisit -Wmaybe-uninitialized warning . - ib/mlx5: Set the default active rate and width to QDR and 4X . - ibmvnic: Clean actual number of RX or TX pools . - ibmvnic: Clear pending interrupt after device reset . - ibmvnic: Define vnic_login_client_data name field as unsized array . - ibmvnic: Do not notify peers on parameter change resets . - ibmvnic: Handle all login error conditions . - ib/srp: Fix completion vector assignment algorithm . - ib/srp: Fix srp_abort . - ib/srpt: Fix abort handling . - ib/srpt: Fix an out-of-bounds stack access in srpt_zerolength_write . - iio: hi8435: avoid garbage event at first enable . - iio: hi8435: cleanup reset gpio . - iio: magnetometer: st_magn_spi: fix spi_device_id table . - input: ALPS - fix multi-touch decoding on SS4 plus touchpads . - input: ALPS - fix trackstick button handling on V8 devices . - input: ALPS - fix TrackStick support for SS5 hardware . - input: ALPS - fix two-finger scroll breakage in right side on ALPS touchpad . - input: drv260x - fix initializing overdrive voltage . - input: elan_i2c - check if device is there before really probing . - input: elan_i2c - clear INT before resetting controller . - input: elantech - force relative mode on a certain module . - input: i8042 - add Lenovo ThinkPad L460 to i8042 reset list . - input: i8042 - enable MUX on Sony VAIO VGN-CS series to fix touchpad . - input: mousedev - fix implicit conversion warning . - iommu/vt-d: Fix a potential memory leak . - ip6_gre: better validate user provided tunnel names . - ip6_tunnel: better validate user provided tunnel names . - ipc/shm: fix use-after-free of shm file via remap_file_pages . - ipmi: create hardware-independent softdep for ipmi_devintf . Refresh patch to mainline version. - ipsec: check return value of skb_to_sgvec always . - ip_tunnel: better validate user provided tunnel names . - ipv6: add RTA_TABLE and RTA_PREFSRC to rtm_ipv6_policy . - ipv6: avoid dad-failures for addresses with NODAD . - ipv6: sit: better validate user provided tunnel names . - ipv6: the entire IPv6 header chain must fit the first fragment . - iw_cxgb4: print mapped ports correctly . - jbd2: fix use after free in kjournald2 . - jbd2: if the journal is aborted then do not allow update of the log tail . - jffs2_kill_sb: deal with failed allocations . - jiffies.h: declare jiffies and jiffies_64 with ____cacheline_aligned_in_smp . - kABI: add tty include to audit.c . - kABI: protect hid report functions . - kABI: protect jiffies types . - kABI: protect skb_to_sgvec* . - kABI: protect sound/timer.h include in sound pcm.c . - kABI: protect struct cstate . - kABI: protect struct _lowcore . - kABI: protect tty include in audit.h . - kabi/severities: Ignore kgr_shadow_* kABI changes - kbuild: provide a __UNIQUE_ID for clang . - kexec_file: do not add extra alignment to efi memmap . - keys: DNS: limit the length of option strings . - kGraft: fix small race in reversion code . - kobject: do not use WARN for registration failures . - kvm: Fix nopvspin static branch init usage . - kvm: Introduce nopvspin kernel parameter . - kvm: nVMX: Fix handling of lmsw instruction . - kvm: PPC: Book3S PR: Check copy_to/from_user return values . - kvm: SVM: do not zero out segment attributes if segment is unusable or not present . - l2tp: check sockaddr length in pppol2tp_connect . - l2tp: fix missing print session offset info . - lan78xx: Correctly indicate invalid OTP . - leds: pca955x: Correct I2C Functionality . - libceph, ceph: change permission for readonly debugfs entries . - libceph: fix misjudgement of maximum monitor number . - libceph: reschedule a tick in finish_hunting . - libceph: un-backoff on tick when we have a authenticated session . - libceph: validate con-gt;state at the top of try_write . - livepatch: Allow to call a custom callback when freeing shadow variables . - livepatch: Initialize shadow variables safely by a custom callback . - llc: delete timers synchronously in llc_sk_free . - llc: fix NULL pointer deref for SOCK_ZAPPED . - llc: hold llc_sap before release_sock . - llist: clang: introduce member_address_is_nonnull . - lockd: fix lockd shutdown race . - lockd: lost rollback of set_grace_period in lockd_down_net . - mac80211: bail out from prep_connection if a reconfig is ongoing . - mceusb: sporadic RX truncation corruption fix . - md: document lifetime of internal rdev pointer . - md: fix two problems with setting the quot;re-addquot; device state . - md: only allow remove_and_add_spares when no sync_thread running . - md raid10: fix NULL deference in handle_write_completed . - md/raid10: reset the "first" at the end of loop . - md/raid5: make use of spin_lock_irq over local_irq_disable + spin_lock . - media: v4l2-compat-ioctl32: do not oops on overlay . - media: videobuf2-core: do not go out of the buffer range . - mei: remove dev_err message on an unsupported ioctl . - mISDN: Fix a sleep-in-atomic bug . - mlx5: fix bug reading rss_hash_type from CQE . - mmc: jz4740: Fix race condition in IRQ mask update . - mm/filemap.c: fix NULL pointer in page_cache_tree_insert . - mm, slab: reschedule cache_reap on the same CPU . - mtd: cfi: cmdset_0001: Do not allow read/write to suspend erase block . - mtd: cfi: cmdset_0001: Workaround Micron Erase suspend bug . - mtd: cfi: cmdset_0002: Do not allow read/write to suspend erase block . - mtd: jedec_probe: Fix crash in jedec_read_mfr . - neighbour: update neigh timestamps iff update is effective . - net: af_packet: fix race in PACKET_{R|T}X_RING . - net: cavium: liquidio: fix up quot;Avoid dma_unmap_single on uninitialized ndataquot; . - net: cdc_ncm: Fix TX zero padding . - net: emac: fix reset timeout with AR8035 phy . - net: ethernet: ti: cpsw: adjust cpsw fifos depth for fullduplex flow control . - netfilter: bridge: ebt_among: add more missing match size checks . - netfilter: ctnetlink: fix incorrect nf_ct_put during hash resize . - netfilter: ctnetlink: Make some parameters integer to avoid enum mismatch . - netfilter: nf_nat_h323: fix logical-not-parentheses warning . - netfilter: x_tables: add and use xt_check_proc_name . - net: fix deadlock while clearing neighbor proxy table . - net: fix possible out-of-bound read in skb_network_protocol . - net: fool proof dev_valid_name . - net: freescale: fix potential null pointer dereference . - net: hns: Fix ethtool private flags . - net: ieee802154: fix net_device reference release too early . - net/ipv6: Fix route leaking between VRFs . - net/ipv6: Increment OUTxxx counters after netfilter hook . - netlink: make sure nladdr has correct size in netlink_connect . - net: llc: add lock_sock in llc_ui_bind to avoid a race condition . - net/mlx4: Check if Granular QoS per VF has been enabled before updating QP qos_vport . - net/mlx4_core: Fix memory leak while delete slave"s resources . - net/mlx4_en: Avoid adding steering rules with invalid ring . - net/mlx4_en: Fix mixed PFC and Global pause user control requests . - net/mlx4: Fix the check in attaching steering rules . - net/mlx5: avoid build warning for uniprocessor . - net/mlx5e: Add error print in ETS init . - net/mlx5e: Check support before TC swap in ETS init . - net/mlx5e: E-Switch, Use the name of static array instead of its address . - net/mlx5e: Remove unused define MLX5_MPWRQ_STRIDES_PER_PAGE . - net/mlx5: Fix error handling in load one . - net/mlx5: Fix ingress/egress naming mistake . - net/mlx5: Tolerate irq_set_affinity_hint failures . - net: move somaxconn init from sysctl code . - net: phy: avoid genphy_aneg_done for PHYs without clause 22 support . - net: qca_spi: Fix alignment issues in rx path . - net sched actions: fix dumping which requires several messages to user space . - net/sched: fix NULL dereference in the error path of tcf_bpf_init . - net: validate attribute sizes in neigh_dump_table . - net: x25: fix one potential use-after-free issue . - net: xfrm: use preempt-safe this_cpu_read in ipcomp_alloc_tfms . - nfsv4.1: RECLAIM_COMPLETE must handle NFS4ERR_CONN_NOT_BOUND_TO_SESSION . - nfsv4.1: Work around a Linux server bug.. - nospec: Kill array_index_nospec_mask_check . - nospec: Move array_index_nospec parameter checking into separate macro . - ovl: filter trusted xattr for non-admin . - packet: fix bitfield update race . - parisc: Fix out of array access in match_pci_device . - parport_pc: Add support for WCH CH382L PCI-E single parallel port card . - partitions/msdos: Unable to mount UFS 44bsd partitions . - pci/cxgb4: Extend T3 PCI quirk to T4+ devices . - pci: Make PCI_ROM_ADDRESS_MASK a 32-bit constant . - perf/core: Correct event creation with PERF_FORMAT_GROUP . - perf/core: Fix locking for children siblings group read . - perf header: Set proper module name when build-id event found . - perf/hwbp: Simplify the perf-hwbp code, fix documentation . - perf intel-pt: Fix error recovery from missing TIP packet . - perf intel-pt: Fix overlap detection to identify consecutive buffers correctly . - perf intel-pt: Fix sync_switch . - perf intel-pt: Fix timestamp following overflow . - perf probe: Add warning message if there is unexpected event name . - perf report: Ensure the perf DSO mapping matches what libdw sees . - perf: Return proper values for user stack errors . - perf tests: Decompress kernel module before objdump . - perf tools: Fix copyfile_offset update of output offset . - perf trace: Add mmap alias for s390 . - pidns: disable pid allocation if pid_ns_prepare_proc is failed in alloc_pid . - pNFS/flexfiles: missing error code in ff_layout_alloc_lseg . - powerpc/64: Fix smp_wmb barrier definition use use lwsync consistently . - powerpc/64s: Add barrier_nospec . - powerpc/64s: Add support for ori barrier_nospec patching . - powerpc/64s: Enable barrier_nospec based on firmware settings . - powerpc/64s: Enhance the information in cpu_show_meltdown . - powerpc/64s: Enhance the information in cpu_show_spectre_v1 . - powerpc/64s: Fix section mismatch warnings from setup_rfi_flush . - powerpc/64s: Move cpu_show_meltdown . - powerpc/64s: Patch barrier_nospec in modules . - powerpc/64s: Wire up cpu_show_spectre_v1 . - powerpc/64s: Wire up cpu_show_spectre_v2 . - powerpc/64: Use barrier_nospec in syscall entry . - powerpc: Add security feature flags for Spectre/Meltdown . - powerpc/[booke|4xx]: Do not clobber TCR[WP] when setting TCR[DIE] . - powerpc/crash: Remove the test for cpu_online in the IPI callback . - powerpc: Do not send system reset request through the oops path . - powerpc/eeh: Fix enabling bridge MMIO windows . - powerpc/lib: Fix off-by-one in alternate feature patching . - powerpc/mm: allow memory hotplug into a memoryless node . - powerpc/mm: Allow memory hotplug into an offline node . - powerpc: Move default security feature flags . - powerpc/powernv: define a standard delay for OPAL_BUSY type retry loops . - powerpc/powernv: Fix OPAL NVRAM driver OPAL_BUSY loops . - powerpc/powernv: Handle unknown OPAL errors in opal_nvram_write . - powerpc/powernv: Set or clear security feature flags . - powerpc/powernv: Use the security flags in pnv_setup_rfi_flush . - powerpc/pseries: Add new H_GET_CPU_CHARACTERISTICS flags . - powerpc/pseries: Fix clearing of security feature flags . - powerpc/pseries: Restore default security feature flags on setup . - powerpc/pseries: Set or clear security feature flags . - powerpc/pseries: Use the security flags in pseries_setup_rfi_flush . - powerpc/rfi-flush: Always enable fallback flush on pseries . - powerpc/rfi-flush: Differentiate enabled and patched flush types . - powerpc/rfi-flush: Make it possible to call setup_rfi_flush again . Update patches.suse/powerpc-pseries-rfi-flush-Call-setup_rfi_flush-after.patch . - powerpc/spufs: Fix coredump of SPU contexts . - powerpc: System reset avoid interleaving oops using die synchronisation . - powerpc: Use barrier_nospec in copy_from_user . - pppoe: check sockaddr length in pppoe_connect . - pptp: remove a buggy dst release in pptp_connect . - qlge: Avoid reading past end of buffer . - r8152: add Linksys USB3GIGV1 id . - r8169: fix setting driver_data after register_netdev . - radeon: hide pointless #warning when compile testing . - random: use a tighter cap in credit_entropy_bits_safe . - random: use lockless method of accessing and updating f-gt;reg_idx . - ray_cs: Avoid reading past end of buffer . - rdma/core: Avoid that ib_drain_qp triggers an out-of-bounds stack access . - rdma/mlx5: Protect from NULL pointer derefence . - rdma/qedr: fix QP"s ack timeout configuration . - rdma/qedr: Fix QP state initialization race . - rdma/qedr: Fix rc initialization on CNQ allocation failure . - rdma/rxe: Fix an out-of-bounds read . - rdma/ucma: Check AF family prior resolving address . - rdma/ucma: Check that device exists prior to accessing it . - rdma/ucma: Check that device is connected prior to access it . - rdma/ucma: Do not allow join attempts for unsupported AF family . - rdma/ucma: Do not allow setting RDMA_OPTION_IB_PATH without an RDMA device . - rdma/ucma: Ensure that CM_ID exists prior to access it . - rdma/ucma: Fix use-after-free access in ucma_close . - rdma/ucma: Introduce safer rdma_addr_size variants . - rds; Reset rs-gt;rs_bound_addr in rds_add_bound failure path . - regulator: gpio: Fix some error handling paths in "gpio_regulator_probe" . - resource: fix integer overflow at reallocation . - Revert quot;alsa: pcm: Fix mutex unbalance in OSS emulation ioctlsquot; . - Revert quot;alsa: pcm: Return -EBUSY for OSS ioctls changing busy streamsquot; . - Revert quot;arm: dts: am335x-pepper: Fix the audio CODEC"s reset pinquot; . - Revert quot;arm: dts: omap3-n900: Fix the audio CODEC"s reset pinquot; . - Revert quot;ath10k: send assoc peer command when NSS changedquot; . - Revert quot;cpufreq: Fix governor module removal racequot; . - Revert quot;ip6_vti: adjust vti mtu according to mtu of lower devicequot; . - Revert quot;KVM: Fix stack-out-of-bounds read in write_mmioquot; . - Revert quot;mtd: cfi: cmdset_0001: Do not allow read/write to suspend erase block.quot; . - Revert quot;mtd: cfi: cmdset_0001: Workaround Micron Erase suspend bug.quot; . - Revert quot;mtd: cfi: cmdset_0002: Do not allow read/write to suspend erase block.quot; . - Revert quot;mtip32xx: use runtime tag to initialize command headerquot; . - Revert quot;PCI/MSI: Stop disabling MSI/MSI-X in pci_device_shutdownquot; . - Revert quot;perf tests: Decompress kernel module before objdumpquot; . - Revert quot;xhci: plat: Register shutdown for xhci_platquot; . - rpc_pipefs: fix double-dput . - rpm/config.sh: build against SP3 in OBS as well. - rpm/config.sh: ensure sorted patches. - rtc: interface: Validate alarm-time before handling rollover . - rtc: opal: Handle disabled TPO in opal_get_tpo_time . - rtc: snvs: fix an incorrect check of return value . - rtl8187: Fix NULL pointer dereference in priv-gt;conf_mutex . - rxrpc: check return value of skb_to_sgvec always . - s390: add automatic detection of the spectre defense . - s390: add optimized array_index_mask_nospec . - s390: add options to change branch prediction behaviour for the kernel . - s390: add sysfs attributes for spectre . - s390/alternative: use a copy of the facility bit mask . - s390/cio: update chpid descriptor after resource accessibility event . - s390: correct module section names for expoline code revert . - s390: correct nospec auto detection init order . - s390/dasd: fix hanging safe offline . - s390/dasd: fix IO error for newly defined devices . - s390: do not bypass BPENTER for interrupt system calls . - s390: enable CPU alternatives unconditionally . - s390/entry.S: fix spurious zeroing of r0 . - s390: introduce execute-trampolines for branches . - s390/ipl: ensure loadparm valid flag is set . - s390: move nobp parameter functions to nospec-branch.c . - s390: move _text symbol to address higher than zero . - s390/qdio: do not merge ERROR output buffers . - s390/qdio: do not retry EQBS after CCQ 96 . - s390/qeth: consolidate errno translation . - s390/qeth: fix MAC address update sequence . - s390/qeth: translate SETVLAN/DELVLAN errors . - s390: Replace IS_ENABLED with IS_ENABLED . - s390: report spectre mitigation via syslog . - s390: run user space and KVM guests with modified branch prediction . - s390: scrub registers on kernel entry and KVM exit . - s390/uprobes: implement arch_uretprobe_is_alive . - sched/numa: Use down_read_trylock for the mmap_sem . - scsi: bnx2fc: fix race condition in bnx2fc_get_host_stats . - scsi: libiscsi: Allow sd_shutdown on bad transport . - scsi: libsas: initialize sas_phy status according to response of DISCOVER . - scsi: lpfc: Add per io channel NVME IO statistics . - scsi: lpfc: Correct missing remoteport registration during link bounces . - scsi: lpfc: Correct target queue depth application changes . - scsi: lpfc: Enlarge nvmet asynchronous receive buffer counts . - scsi: lpfc: Fix Abort request WQ selection . - scsi: lpfc: Fix driver not recovering NVME rports during target link faults . - scsi: lpfc: Fix lingering lpfc_wq resource after driver unload . - scsi: lpfc: Fix multiple PRLI completion error path . - scsi: lpfc: Fix NULL pointer access in lpfc_nvme_info_show . - scsi: lpfc: Fix NULL pointer reference when resetting adapter . - scsi: lpfc: Fix nvme remoteport registration race conditions . - scsi: lpfc: Fix WQ/CQ creation for older asic"s . - scsi: lpfc: update driver version to 11.4.0.7-2 . - scsi: mpt3sas: Proper handling of set/clear of quot;ATA command pendingquot; flag . - scsi: mptsas: Disable WRITE SAME . - scsi: sd: Defer spinning up drive while SANITIZE is in progress . - sctp: do not check port in sctp_inet6_cmp_addr . - sctp: do not leak kernel memory to user space . - sctp: fix recursive locking warning in sctp_do_peeloff . - sctp: sctp_sockaddr_af must check minimal addr length for AF_INET6 . - selftests/powerpc: Fix TM resched DSCR test with some compilers . - selinux: do not check open permission on sockets . - selinux: Remove redundant check for unknown labeling behavior . - selinux: Remove unnecessary check of array base in selinux_set_mapping . - serial: 8250: omap: Disable DMA for console UART . - serial: mctrl_gpio: Add missing module license . - serial: mctrl_gpio: export mctrl_gpio_disable_ms and mctrl_gpio_init . - serial: sh-sci: Fix race condition causing garbage during shutdown . - sh_eth: Use platform device for printing before register_netdev . - sit: reload iphdr in ipip6_rcv . - skbuff: only inherit relevant tx_flags . - skbuff: return -EMSGSIZE in skb_to_sgvec to prevent overflow . - sky2: Increase D3 delay to sky2 stops working after suspend . - slip: Check if rstate is initialized before uncompressing . - sparc64: ldc abort during vds iso boot . - spi: davinci: fix up dma_mapping_error incorrect patch . - staging: comedi: ni_mio_common: ack ai fifo error interrupts . - staging: ion : Donnot wakeup kswapd in ion system alloc . - staging: wlan-ng: prism2mgmt.c: fixed a double endian conversion before calling hfa384x_drvr_setconfig16, also fixes relative sparse warning . - swap: divide-by-zero when zero length swap file on ssd . - tags: honor COMPILED_SOURCE with apart output directory . - tcp: better validation of received ack sequences . - tcp: do not read out-of-bounds opsize . - tcp: md5: reject TCP_MD5SIG or TCP_MD5SIG_EXT on established sockets . - team: avoid adding twice the same option to the event list . - team: fix netconsole setup over team . - thermal: imx: Fix race condition in imx_thermal_probe . - thermal: power_allocator: fix one race condition issue for thermal_instances list . - thunderbolt: Resume control channel after hibernation image is created . - tipc: add policy for TIPC_NLA_NET_ADDR . - tty: Do not call panic at tty_ldisc_init . - tty: make n_tty_read always abort if hangup is in progress . - tty: n_gsm: Allow ADM response in addition to UA for control dlci . - tty: n_gsm: Fix DLCI handling for ADM mode if debug amp; 2 is not set . - tty: n_gsm: Fix long delays with control frame timeouts in ADM mode . - tty: provide tty_name even without CONFIG_TTY . - tty: Use __GFP_NOFAIL for tty_ldisc_get . - ubi: fastmap: Do not flush fastmap work on detach . - ubi: Fix error for write access . - ubifs: Check ubifs_wbuf_sync return code . - ubi: Reject MLC NAND . - um: Use POSIX ucontext_t instead of struct ucontext . - Update config files, add expoline for s390x . - Update patches.suse/x86-nospectre_v2-means-nospec-too.patch . - usb: chipidea: properly handle host or gadget initialization failure . - usb: core: Add quirk for HP v222w 16GB Mini . - usb: dwc2: Improve gadget state disconnection handling . - usb: dwc3: keystone: check return value . - usb: dwc3: pci: Properly cleanup resource . - usb: ene_usb6250: fix first command execution . - usb: ene_usb6250: fix SCSI residue overwriting . - usb:fix USB3 devices behind USB3 hubs not resuming at hibernate thaw . - usb: gadget: align buffer size when allocating for OUT endpoint . - usb: gadget: change len to size_t on alloc_ep_req . - usb: gadget: define free_ep_req as universal function . - usb: gadget: f_hid: fix: Prevent accessing released memory . - usb: gadget: fix request length error for isoc transfer . - usb: gadget: fix usb_ep_align_maybe endianness and new usb_ep_align . - usb: Increment wakeup count on remote wakeup . - usbip: usbip_host: fix to hold parent lock for device_attach calls . - usbip: vhci_hcd: Fix usb device and sockfd leaks . - usb: musb: gadget: misplaced out of bounds check . - usb: serial: cp210x: add ELDAT Easywave RX09 id . - usb: serial: cp210x: add ID for NI USB serial console . - usb: serial: ftdi_sio: add RT Systems VX-8 cable . - usb: serial: ftdi_sio: add support for Harman FirmwareHubEmulator . - usb: serial: ftdi_sio: use jtag quirk for Arrow USB Blaster . - usb: serial: simple: add libtransistor console . - vfb: fix video mode and line_length being set when loaded . - vfio/pci: Virtualize Maximum Payload Size . - vfio/pci: Virtualize Maximum Read Request Size . - vfio-pci: Virtualize PCIe amp; AF FLR . - vhost: correctly remove wait queue during poll failure . - virtio: add ability to iterate over vqs . - virtio_console: free buffers after reset . - virtio_net: check return value of skb_to_sgvec always . - virtio_net: check return value of skb_to_sgvec in one more location . - vlan: also check phy_driver ts_info for vlan"s real device . - vlan: Fix reading memory beyond skb-gt;tail in skb_vlan_tagged_multi . - vmxnet3: ensure that adapter is in proper state during force_close . - vrf: Fix use after free and double free in vrf_finish_output . - vt: change SGR 21 to follow the standards . - vti6: better validate user provided tunnel names . - vxlan: dont migrate permanent fdb entries during learn . - watchdog: f71808e_wdt: Fix WD_EN register read . - watchdog: hpwdt: Remove legacy NMI sourcing . - wl1251: check return from call to wl1251_acx_arp_ip_filter . - writeback: fix the wrong congested state variable definition . - writeback: safer lock nesting . - x86/asm: Do not use RBP as a temporary register in csum_partial_copy_generic . - x86/bugs: correctly force-disable IBRS on !SKL systems . - x86/bugs: Make sure that _TIF_SSBD does not end up in _TIF_ALLWORK_MASK . - x86/hweight: Do not clobber %rdi . - x86/hweight: Get rid of the special calling convention . - x86/ipc: Fix x32 version of shmid64_ds and msqid64_ds . - x86/platform/UV: Add references to access fixed UV4A HUB MMRs . - x86/platform/uv/BAU: Replace hard-coded values with MMR definitions . - x86/platform/UV: Fix critical UV MMR address error