
SUSE-SU-2017:2389-1 -- SLES kernel

ID: oval:org.secpod.oval:def:89044669
Date: (C)2021-07-07   (M)2024-04-17
Class: PATCH
Family: unix




The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2017-7482: Several missing length checks in ticket decode, allowing for information leak or potentially code execution.
- CVE-2016-10277: Potential privilege escalation due to a missing bounds check in the lp driver. A kernel command-line adversary can overflow the parport_nr array to execute code.
- CVE-2017-7542: The ip6_find_1stfragopt function in net/ipv6/output_core.c in the Linux kernel allowed local users to cause a denial of service by leveraging the ability to open a raw socket.
- CVE-2017-7533: Bug in inotify code allowing privilege escalation.
- CVE-2017-11176: The mq_notify function in the Linux kernel did not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allowed attackers to cause a denial of service or possibly have unspecified other impact.
- CVE-2017-11473: Buffer overflow in the mp_override_legacy_irq function in arch/x86/kernel/acpi/boot.c in the Linux kernel allowed local users to gain privileges via a crafted ACPI table.
- CVE-2017-1000365: The Linux Kernel imposed a size restriction on the arguments and environmental strings passed through RLIMIT_STACK/RLIM_INFINITY, but did not take the argument and environment pointers into account, which allowed attackers to bypass this limitation.
- CVE-2014-9922: The eCryptfs subsystem in the Linux kernel allowed local users to gain privileges via a large filesystem stack that includes an overlayfs layer, related to fs/ecryptfs/main.c and fs/overlayfs/super.c.
- CVE-2017-8924: The edge_bulk_in_callback function in drivers/usb/serial/io_ti.c in the Linux kernel allowed local users to obtain sensitive information from uninitialized kernel memory by using a crafted USB device to trigger an integer underflow.
- CVE-2017-8925: The omninet_open function in drivers/usb/serial/omninet.c in the Linux kernel allowed local users to cause a denial of service by leveraging reference count mishandling.
- CVE-2017-1000380: sound/core/timer.c was vulnerable to a data race in the ALSA /dev/snd/timer driver resulting in local users being able to read information belonging to other users, i.e., uninitialized memory contents could have been disclosed when a read and an ioctl happen at the same time.
- CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c was too late in checking whether an overwrite of an skb data structure may occur, which allowed local users to cause a denial of service via crafted system calls.
- CVE-2017-1000363: A buffer overflow in kernel commandline handling of the lp parameter could be used by local console attackers to bypass certain secure boot settings.
- CVE-2017-9076: The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890.
- CVE-2017-9077: The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890.
- CVE-2017-9075: The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890.
- CVE-2017-9074: The IPv6 fragmentation implementation in the Linux kernel did not consider that the nexthdr field may be associated with an invalid option, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted socket and send system calls.
- CVE-2017-7487: The ipxitf_ioctl function in net/ipx/af_ipx.c in the Linux kernel mishandled reference counts, which allowed local users to cause a denial of service or possibly have unspecified other impact via a failed SIOCGIFADDR ioctl call for an IPX interface.
- CVE-2017-8890: The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allowed attackers to cause a denial of service or possibly have unspecified other impact by leveraging use of the accept system call.
- CVE-2017-2647: The KEYS subsystem in the Linux kernel allowed local users to gain privileges or cause a denial of service via vectors involving a NULL value for a certain match field, related to the keyring_search_iterator function in keyring.c.
- CVE-2017-6951: The keyring_search_aux function in security/keys/keyring.c in the Linux kernel allowed local users to cause a denial of service via a request_key system call for the dead type.

The following non-security bugs were fixed:

- 8250: use callbacks to access UART_DLL/UART_DLM.
- ALSA: ctxfi: Fallback DMA mask to 32bit.
- ALSA: hda - Fix regression of HD-audio controller fallback modes.
- ALSA: hda - using uninitialized data.
- ALSA: hda/realtek - Correction of fixup codes for PB V7900 laptop.
- ALSA: hda/realtek - Fix COEF widget NID for ALC260 replacer fixup.
- ALSA: off by one bug in snd_riptide_joystick_probe.
- ALSA: seq: Fix snd_seq_call_port_info_ioctl in compat mode.
- Add CVE tag to references
- CIFS: backport prepath matching fix.
- Drop CONFIG_PPC_CELL from bigmem.
- EDAC, amd64_edac: Shift wrapping issue in f1x_get_norm_dct_addr.
- Fix scripts/bigmem-generate-ifdef-guard to work on all branches
- Fix soft lockup in svc_rdma_send.
- IB/mlx4: Demote mcg message from warning to debug.
- IB/mlx4: Fix ib device initialization error flow.
- IB/mlx4: Fix port query for 56Gb Ethernet links.
- IB/mlx4: Handle well-known-gid in mad_demux processing.
- IB/mlx4: Reduce SRIOV multicast cleanup warning message to debug level.
- IB/mlx4: Set traffic class in AH.
- Implement an ioctl to support the USMTMC-USB488 READ_STATUS_BYTE operation.
- Input: cm109 - validate number of endpoints before using them.
- Input: hanwang - validate number of endpoints before using them.
- Input: yealink - validate number of endpoints before using them.
- KEYS: Disallow keyrings beginning with "." to be joined as session keyrings.
- NFS: Avoid getting confused by confused server.
- NFS: Fix another OPEN_DOWNGRADE bug.
- NFS: Fix size of NFSACL SETACL operations.
- NFS: Make nfs_readdir revalidate less often.
- NFS: tidy up nfs_show_mountd_netid.
- NFSD: Do not use state id of 0 - it is reserved.
- NFSv4: Do not call put_rpccred under the rcu_read_lock.
- NFSv4: Fix another bug in the close/open_downgrade code.
- NFSv4: Fix problems with close in the presence of a delegation.
- NFSv4: Fix the underestimation of delegation XDR space reservation.
- NFSv4: fix getacl head length estimation.
- PCI: Fix devfn for VPD access through function 0.
- Remove superfluous make flags
- Return short read or 0 at end of a raw device, not EIO.
- Revert math64: New div64_u64_rem helper.
- SUNRPC: Fix a memory leak in the backchannel code.
- Staging: vt6655-6: potential NULL dereference in hostap_disable_hostapd.
- USB: class: usbtmc.c: Cleaning up uninitialized variables.
- USB: class: usbtmc: do not print error when allocating urb fails.
- USB: class: usbtmc: do not print on ENOMEM.
- USB: iowarrior: fix NULL-deref in write.
- USB: iowarrior: fix info ioctl on big-endian hosts.
- USB: r8a66597-hcd: select a different endpoint on timeout.
- USB: serial: ark3116: fix register-accessor error handling.
- USB: serial: ch341: fix open error handling.
- USB: serial: cp210x: fix tiocmget error handling.
- USB: serial: ftdi_sio: fix line-status over-reporting.
- USB: serial: io_edgeport: fix epic-descriptor handling.
- USB: serial: io_ti: fix information leak in completion handler.
- USB: serial: mos7840: fix another NULL-deref at open.
- USB: serial: oti6858: fix NULL-deref at open.
- USB: serial: sierra: fix bogus alternate-setting assumption.
- USB: serial: spcp8x5: fix NULL-deref at open.
- USB: usbip: fix nonconforming hub descriptor.
- USB: usbtmc: Add flag rigol_quirk to usbtmc_device_data.
- USB: usbtmc: Change magic number to constant.
- USB: usbtmc: Set rigol_quirk if device is listed.
- USB: usbtmc: TMC request code segregated from usbtmc_read.
- USB: usbtmc: add device quirk for Rigol DS6104.
- USB: usbtmc: add missing endpoint sanity check.
- USB: usbtmc: fix DMA on stack.
- USB: usbtmc: fix big-endian probe of Rigol devices.
- USB: usbtmc: fix probe error path.
- USB: usbtmc: usbtmc_read sends multiple TMC header based on rigol_quirk.
- USB: wusbcore: fix NULL-deref at probe.
- Update patches.fixes/nfs-svc-rdma.fix.
- Use make --output-sync feature when available.
- Xen/PCI-MSI: fix sysfs teardown in DomU.
- __bitmap_parselist: fix bug in empty string handling.
- acpi: Disable APEI error injection if securelevel is set.
- af_key: Add lock to key dump.
- af_key: Fix slab-out-of-bounds in pfkey_compile_policy.
- ath9k: fix buffer overrun for ar9287.
- blacklist b50a6c584bb4 powerpc/perf: Clear MMCR2 when enabling PMU.
- blacklist.conf: Add a few inapplicable items.
- blacklist.conf: Blacklist 847fa1a6d3d0 The released kernels are not built with a gas new enough to optimize the jmps so that this patch would be required.
- blkback/blktap: do not leak stack data via response ring.
- block: do not allow updates through sysfs until registration completes.
- block: fix ext_dev_lock lockdep report.
- btrfs: Do not clear SGID when inheriting ACLs.
- cifs: Timeout on SMBNegotiate request.
- cifs: do not compare uniqueids in cifs_prime_dcache unless server inode numbers are in use. backporting upstream commit 2f2591a34db6c9361faa316c91a6e320cb4e6aee
- cifs: small underflow in cnvrtDosUnixTm.
- cputime: Avoid multiplication overflow on utime scaling.
- crypto: nx - off by one bug in nx_of_update_msc.
- decompress_bunzip2: off by one in get_next_block.
- dentry name snapshots.
- devres: fix a for loop bounds check.
- dm: fix ioctl retry termination with signal.
- drm/mgag200: Add support for G200eH3
- drm/mgag200: Fix to always set HiPri for G200e4.
- ext2: Do not clear SGID when inheriting ACLs.
- ext3: Do not clear SGID when inheriting ACLs.
- ext4: Do not clear SGID when inheriting ACLs.
- ext4: fix fdatasync after extent manipulation operations.
- ext4: keep existing extra fields when inode expands.
- fbdev/efifb: Fix 16 color palette entry calculation.
- firmware: fix directory creation rule matching with make 3.80.
- firmware: fix directory creation rule matching with make 3.82.
- fixed invalid assignment of 64bit mask to host dma_boundary for scatter gather segment boundary limit.
- fnic: Return "DID_IMM_RETRY" if rport is not ready.
- fnic: Using rport->dd_data to check rport online instead of rport_lookup.
- fs/block_dev: always invalidate cleancache in invalidate_bdev.
- fs/xattr.c: zero out memory copied to userspace in getxattr.
- fs: fix data invalidation in the cleancache during direct IO.
- fuse: add missing FR_FORCE.
- genirq: Prevent proc race against freeing of irq descriptors.
- hrtimer: Allow concurrent hrtimer_start for self restarting timers.
- initial cr0 bits.
- ipmr, ip6mr: fix scheduling while atomic and a deadlock with ipmr_get_route.
- irq: Fix race condition.
- isdn/gigaset: fix NULL-deref at probe.
- isofs: Do not return EACCES for unknown filesystems.
- jsm: add support for additional Neo cards.
- kernel-binary.spec: Propagate MAKE_ARGS to %build
- libata: fix sff host state machine locking while polling.
- libceph: NULL deref on crush_decode error path.
- libceph: potential NULL dereference in ceph_msg_data_create.
- libfc: fixup locking in fc_disc_stop.
- libfc: move "pending" and "requested" setting.
- libfc: only restart discovery after timeout if not already running.
- locking/rtmutex: Prevent dequeue vs. unlock race.
- math64: New div64_u64_rem helper.
- md/raid0: apply base queue limits *before* disk_stack_limits.
- md/raid1: extend spinlock to protect raid1_end_read_request against inconsistencies.
- md/raid1: fix test for "was read error from last working device".
- md/raid5: Fix CPU hotplug callback registration.
- md/raid5: do not record new size if resize_stripes fails.
- md: ensure md devices are freed before module is unloaded.
- md: fix a null dereference.
- md: flush ->event_work before stopping array.
- md: make sure GET_ARRAY_INFO ioctl reports correct clean status.
- md: use separate bio_pool for metadata writes.
- megaraid_sas: add missing curly braces in ioctl handler.
- mlx4: reduce OOM risk on arches with large pages.
- mm/huge_memory: replace VM_NO_THP VM_BUG_ON with actual VMA check.
- mm/memory-failure.c: use compound_head flags for huge pages.
- mm: hugetlb: call huge_pte_alloc only if ptep is null.
- mmc: core: add missing pm event in mmc_pm_notify to fix hib restore.
- mmc: ushc: fix NULL-deref at probe.
- module: fix memory leak on early load_module failures.
- mwifiex: printk overflow with 32-byte SSIDs.
- net/mlx4: Fix the check in attaching steering rules.
- net/mlx4: Fix uninitialized fields in rule when adding promiscuous mode to device managed flow steering.
- net/mlx4_core: Eliminate warning messages for SRQ_LIMIT under SRIOV.
- net/mlx4_core: Enhance the MAD_IFC wrapper to convert VF port to physical.
- net/mlx4_core: Fix VF overwrite of module param which disables DMFS on new probed PFs.
- net/mlx4_core: Fix when to save some qp context flags for dynamic VST to VGT transitions.
- net/mlx4_core: Get num_tc using netdev_get_num_tc.
- net/mlx4_core: Prevent VF from changing port configuration.
- net/mlx4_core: Use cq quota in SRIOV when creating completion EQs.
- net/mlx4_core: Use-after-free causes a resource leak in flow-steering detach.
- net/mlx4_en: Avoid adding steering rules with invalid ring.
- net/mlx4_en: Change the error print to debug print.
- net/mlx4_en: Fix type mismatch for 32-bit systems.
- net/mlx4_en: Resolve dividing by zero in 32-bit system.
- net/mlx4_en: Wake TX queues only when there's enough room.
- net/mlx4_en: fix overflow in mlx4_en_init_timestamp.
- net: avoid reference counter overflows on fib_rules in multicast forwarding.
- net: ip6mr: fix static mfc/dev leaks on table destruction.
- net: ipmr: fix static mfc/dev leaks on table destruction.
- net: wimax/i2400m: fix NULL-deref at probe.
- netxen_nic: set rcode to the return status from the call to netxen_issue_cmd.
- nfs: fix nfs_size_to_loff_t.
- nfsd4: minor NFSv2/v3 write decoding cleanup.
- nfsd: check for oversized NFSv2/v3 arguments.
- nfsd: stricter decoding of write-like NFSv2/v3 ops.
- ocfs2: Do not clear SGID when inheriting ACLs.
- ocfs2: NFS hangs in __ocfs2_cluster_lock due to race with ocfs2_unblock_lock.
- perf/core: Correct event creation with PERF_FORMAT_GROUP.
- perf/core: Fix event inheritance on fork.
- powerpc/ibmebus: Fix device reference leaks in sysfs interface.
- powerpc/ibmebus: Fix further device reference leaks.
- powerpc/mm/hash: Check for non-kernel address in get_kernel_vsid.
- powerpc/mm/hash: Convert mask to unsigned long.
- powerpc/mm/hash: Increase VA range to 128TB.
- powerpc/mm/hash: Properly mask the ESID bits when building proto VSID.
- powerpc/mm/hash: Support 68 bit VA.
- powerpc/mm/hash: Use context ids 1-4 for the kernel.
- powerpc/mm/slice: Convert slice_mask high slice to a bitmap.
- powerpc/mm/slice: Fix off-by-1 error when computing slice mask.
- powerpc/mm/slice: Move slice_mask struct definition to slice.c.
- powerpc/mm/slice: Update slice mask printing to use bitmap printing.
- powerpc/mm/slice: Update the function prototype.
- powerpc/mm: Do not alias user region to other regions below PAGE_OFFSET.
- powerpc/mm: Remove checks that TASK_SIZE_USER64 is too small.
- powerpc/mm: use macro PGTABLE_EADDR_SIZE instead of digital.
- powerpc/pci/rpadlpar: Fix device reference leaks.
- powerpc/pseries: Release DRC when configure_connector fails.
- powerpc: Drop support for pre-POWER4 cpus.
- powerpc: Remove STAB code.
- random32: fix off-by-one in seeding requirement.
- reiserfs: Do not clear SGID when inheriting ACLs.
- reiserfs: do not preallocate blocks for extended attributes.
- rfkill: fix rfkill_fop_read wait_event usage.
- s390/qdio: clear DSCI prior to scanning multiple input queues.
- s390/qeth: no ETH header for outbound AF_IUCV.
- s390/qeth: size calculation outbound buffers.
- sched/core: Remove false-positive warning from wake_up_process.
- sched/cputime: Do not scale when utime == 0.
- sched/debug: Print the scheduler topology group mask.
- sched/fair, cpumask: Export for_each_cpu_wrap.
- sched/fair: Fix min_vruntime tracking.
- sched/rt: Fix PI handling vs. sched_setscheduler. Prep for b60205c7c558 sched/fair: Fix min_vruntime tracking
- sched/topology: Fix building of overlapping sched-groups.
- sched/topology: Fix overlapping sched_group_capacity.
- sched/topology: Fix overlapping sched_group_mask.
- sched/topology: Move comment about asymmetric node setups.
- sched/topology: Optimize build_group_mask.
- sched/topology: Refactor function build_overlap_sched_groups.
- sched/topology: Remove FORCE_SD_OVERLAP.
- sched/topology: Simplify build_overlap_sched_groups.
- sched/topology: Verify the first group matches the child domain.
- sched: Always initialize cpu-power.
- sched: Avoid cputime scaling overflow.
- sched: Avoid prev-stime underflow.
- sched: Do not account bogus utime.
- sched: Fix SD_OVERLAP.
- sched: Fix domain iteration.
- sched: Lower chances of cputime scaling overflow.
- sched: Move nr_cpus_allowed out of "struct sched_rt_entity". Prep for b60205c7c558 sched/fair: Fix min_vruntime tracking
- sched: Rename a misleading variable in build_overlap_sched_groups.
- sched: Use swap macro in scale_stime.
- scsi: bnx2i: missing error code in bnx2i_ep_connect.
- scsi: fix race between simultaneous decrements of ->host_failed.
- scsi: fnic: Correcting rport check location in fnic_queuecommand_lck.
- scsi: mvsas: fix command_active typo.
- scsi: qla2xxx: Fix scsi scan hang triggered if adapter fails during init.
- sfc: do not device_attach if a reset is pending.
- smsc75xx: use skb_cow_head to deal with cloned skbs.
- splice: Stub splice_write_to_file.
- svcrdma: Fix send_reply scatter/gather set-up.
- target/iscsi: Fix double free in lio_target_tiqn_addtpg.
- tracing/kprobes: Enforce kprobes teardown after testing.
- tracing: Fix syscall_*regfunc vs copy_process race.
- udf: Fix deadlock between writeback and udf_setsize.
- udf: Fix races with i_size changes during readpage.
- usbtmc: remove redundant braces.
- usbtmc: remove trailing spaces.
- usbvision: fix NULL-deref at probe.
- uwb: hwa-rc: fix NULL-deref at probe.
- uwb: i1480-dfu: fix NULL-deref at probe.
- vb2: Fix an off by one error in "vb2_plane_vaddr".
- vmxnet3: avoid calling pskb_may_pull with interrupts disabled.
- vmxnet3: fix checks for dma mapping errors.
- vmxnet3: fix lock imbalance in vmxnet3_tq_xmit.
- x86, mm, paravirt: Fix vmalloc_fault oops during lazy MMU updates.
- x86/pci-calgary: Fix iommu_free comparison of unsigned expression greater than 0.
- xen: avoid deadlock in xenbus.
- xfrm: NULL dereference on allocation failure.
- xfrm: Oops on error in pfkey_msg2xfrm_state.
- xfrm: dst_entries_init per-net dst_ops.
- xfs: Synchronize xfs_buf disposal routines.
- xfs: use ->b_state to fix buffer I/O accounting release race.
- xprtrdma: Free the pd if ib_query_qp fails.

Platform:
SUSE Linux Enterprise Server 11 SP4
Product:
kernel
Reference:
SUSE-SU-2017:2389-1
CVE-2014-9922
CVE-2016-10277
CVE-2017-1000363
CVE-2017-1000365
CVE-2017-1000380
CVE-2017-11176
CVE-2017-11473
CVE-2017-2647
CVE-2017-6951
CVE-2017-7482
CVE-2017-7487
CVE-2017-7533
CVE-2017-7542
CVE-2017-8890
CVE-2017-8924
CVE-2017-8925
CVE-2017-9074
CVE-2017-9075
CVE-2017-9076
CVE-2017-9077
CVE-2017-9242
CPE    2114
cpe:/o:linux:linux_kernel:2.4.27:pre5
cpe:/o:linux:linux_kernel:2.4.27:pre4
cpe:/o:linux:linux_kernel:2.4.27:pre1
cpe:/o:linux:linux_kernel:2.4.27:pre3
...

© SecPod Technologies