
SUSE-SU-2018:1080-1 -- SLES kernel

ID: oval:org.secpod.oval:def:89002423
Date: (C)2021-02-26   (M)2024-04-17
Class: PATCH
Family: unix




The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:
- CVE-2017-5715: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis. Enhancements and bugfixes over the previous fixes have been added to this kernel.
- CVE-2018-10087: The kernel_wait4 function in kernel/exit.c might have allowed local users to cause a denial of service by triggering an attempted use of the -INT_MIN value.
- CVE-2018-7757: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c allowed local users to cause a denial of service via many read accesses to files in the /sys/class/sas_phy directory, as demonstrated by the /sys/class/sas_phy/phy-1:0:12/invalid_dword_count file.
- CVE-2018-7566: There was a buffer overflow via an SNDRV_SEQ_IOCTL_SET_CLIENT_POOL ioctl write operation to /dev/snd/seq by a local user.
- CVE-2017-0861: Use-after-free vulnerability in the snd_pcm_info function in the ALSA subsystem allowed attackers to gain privileges via unspecified vectors.
- CVE-2018-8822: Incorrect buffer length handling in the ncp_read_kernel function in fs/ncpfs/ncplib_kernel.c could be exploited by malicious NCPFS servers to crash the kernel or execute code.
- CVE-2017-13166: An elevation of privilege vulnerability in the kernel v4l2 video driver.
- CVE-2017-18203: The dm_get_from_kobject function in drivers/md/dm.c allowed local users to cause a denial of service by leveraging a race condition with __dm_destroy during creation and removal of DM devices.
- CVE-2017-16911: The vhci_hcd driver allowed local attackers to disclose kernel memory addresses. Successful exploitation requires that a USB device is attached over IP.
- CVE-2017-18208: The madvise_willneed function in mm/madvise.c allowed local users to cause a denial of service by triggering use of MADVISE_WILLNEED for a DAX mapping.
- CVE-2017-16644: The hdpvr_probe function in drivers/media/usb/hdpvr/hdpvr-core.c allowed local users to cause a denial of service or possibly have unspecified other impact via a crafted USB device.
- CVE-2018-6927: The futex_requeue function in kernel/futex.c in the Linux kernel might allow attackers to cause a denial of service or possibly have unspecified other impact by triggering a negative wake or requeue value.
- CVE-2017-16914: The "stub_send_ret_submit" function allowed attackers to cause a denial of service via a specially crafted USB over IP packet.
- CVE-2016-7915: The hid_input_field function in drivers/hid/hid-core.c allowed physically proximate attackers to obtain sensitive information from kernel memory or cause a denial of service by connecting a device, as demonstrated by a Logitech DJ receiver.
- CVE-2015-5156: The virtnet_probe function in drivers/net/virtio_net.c attempted to support a FRAGLIST feature without proper memory allocation, which allowed guest OS users to cause a denial of service via a crafted sequence of fragmented packets.
- CVE-2017-12190: The bio_map_user_iov and bio_unmap_user functions in block/bio.c did unbalanced refcounting when a SCSI I/O vector has small consecutive buffers belonging to the same page. The bio_add_pc_page function merges them into one, but the page reference is never dropped. This causes a memory leak and possible system lockup due to an out-of-memory condition.
- CVE-2017-16912: The "get_pipe" function allowed attackers to cause a denial of service via a specially crafted USB over IP packet.
- CVE-2017-16913: The "stub_recv_cmd_submit" function when handling CMD_SUBMIT packets allowed attackers to cause a denial of service via a specially crafted USB over IP packet.

The following non-security bugs were fixed:
- af_iucv: enable control sends in case of SEND_SHUTDOWN.
- cifs: fix buffer overflow in cifs_build_path_to_root.
- drm/mgag200: fix a test in mga_vga_mode_valid.
- hrtimer: Ensure POSIX compliance.
- hrtimer: Reset hrtimer cpu base proper on CPU hotplug.
- ide-cd: workaround VMware ESXi cdrom emulation bug.
- ipc/msg: introduce msgctl.
- ipc/sem: introduce semctl.
- ipc/shm: introduce shmctl.
- jffs2: Fix use-after-free bug in jffs2_iget's error handling path.
- kabi: x86/kaiser: properly align trampoline stack.
- keys: do not let add_key update an uninstantiated key.
- keys: prevent creating a different user's keyrings.
- leds: do not overflow sysfs buffer in led_trigger_show.
- mm/mmap.c: do not blow on PROT_NONE MAP_FIXED holes in the stack.
- nfsv4: fix getacl head length estimation.
- pci: Use function 0 VPD for identical functions, regular VPD for others.
- pipe: actually allow root to exceed the pipe buffer limits.
- posix-timers: Protect posix clock array access against speculation.
- powerpc/pseries: Support firmware disable of RFI flush.
- qeth: repair SBAL elements calculation.
- Revert "USB: cdc-acm: fix broken runtime suspend"
- s390/qeth: fix underestimated count of buffer elements.
- scsi: sr: workaround VMware ESXi cdrom emulation bug.
- usbnet: Fix a race between usbnet_stop and the BH.
- x86-64: Move the "user" vsyscall segment out of the data segment.
- x86/espfix: Fix return stack in do_double_fault.
- x86/kaiser: properly align trampoline stack.
- x86/retpoline: do not perform thunk calls in ring3 vsyscall code.
- xen/x86/asm/traps: Disable tracing and kprobes in fixup_bad_iret and sync_regs.
- xen/x86/cpu: Check speculation control CPUID bit.
- xen/x86/cpu: Factor out application of forced CPU caps.
- xen/x86/cpu: Fix bootup crashes by sanitizing the argument of the "clearcpuid=" command-line option.
- xen/x86/cpu: Sync CPU feature flags late.
- xen/x86/entry: Use IBRS on entry to kernel space.
- xen/x86/idle: Toggle IBRS when going idle.
- xen/x86/kaiser: Move feature detection up.
- xfs: check for buffer errors before waiting.
- xfs: fix allocbt cursor leak in xfs_alloc_ag_vextent_near.
- xfs: really fix the cursor leak in xfs_alloc_ag_vextent_near.

Platform:
SUSE Linux Enterprise Server 11 SP4
Product:
kernel
Reference:
SUSE-SU-2018:1080-1
CVE-2015-5156
CVE-2016-7915
CVE-2017-0861
CVE-2017-12190
CVE-2017-13166
CVE-2017-16644
CVE-2017-16911
CVE-2017-16912
CVE-2017-16913
CVE-2017-16914
CVE-2017-18203
CVE-2017-18208
CVE-2017-5715
CVE-2018-10087
CVE-2018-6927
CVE-2018-7566
CVE-2018-7757
CVE-2018-8822
CPE    2124
cpe:/o:linux:linux_kernel:2.4.27:pre5
cpe:/o:linux:linux_kernel:2.4.27:pre4
cpe:/o:linux:linux_kernel:2.4.27:pre1
cpe:/o:linux:linux_kernel:2.4.27:pre3
...

© SecPod Technologies