OVAL

SUSE-SU-2017:1301-1 -- SLES kernel

ID: oval:org.secpod.oval:def:89044975
Date: (C)2021-07-20   (M)2024-04-17
Class: PATCH
Family: unix




The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various security and bug fixes.

Notable new features:
- Toleration of newer crypto hardware for z Systems
- USB 2.0 Link power management for Haswell-ULT

The following security bugs were fixed:
- CVE-2017-7308: The packet_set_ring function in net/packet/af_packet.c in the Linux kernel did not properly validate certain block-size data, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls.
- CVE-2017-2671: The ping_unhash function in net/ipv4/ping.c in the Linux kernel was too late in obtaining a certain lock and consequently could not ensure that disconnect function calls are safe, which allowed local users to cause a denial of service by leveraging access to the protocol value of IPPROTO_ICMP in a socket system call.
- CVE-2017-7184: The xfrm_replay_verify_len function in net/xfrm/xfrm_user.c in the Linux kernel did not validate certain size data after an XFRM_MSG_NEWAE update, which allowed local users to obtain root privileges or cause a denial of service by leveraging the CAP_NET_ADMIN capability.
- CVE-2017-5970: The ipv4_pktinfo_prepare function in net/ipv4/ip_sockglue.c in the Linux kernel allowed attackers to cause a denial of service via an application that made crafted system calls or possibly IPv4 traffic with invalid IP options.
- CVE-2017-7616: Incorrect error handling in the set_mempolicy and mbind compat syscalls in mm/mempolicy.c in the Linux kernel allowed local users to obtain sensitive information from uninitialized stack data by triggering failure of a certain bitmap operation.
- CVE-2017-7294: The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not validate addition of certain levels data, which allowed local users to trigger an integer overflow and out-of-bounds write, and cause a denial of service or possibly gain privileges, via a crafted ioctl call for a /dev/dri/renderD* device.
- CVE-2017-7261: The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not check for a zero value of certain levels data, which allowed local users to cause a denial of service via a crafted ioctl call for a /dev/dri/renderD* device.
- CVE-2017-7187: The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel allowed local users to cause a denial of service or possibly have unspecified other impact via a large command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds write access in the sg_write function.
- CVE-2017-6348: The hashbin_delete function in net/irda/irqueue.c in the Linux kernel improperly managed lock dropping, which allowed local users to cause a denial of service via crafted operations on IrDA devices.
- CVE-2017-5669: The do_shmat function in ipc/shm.c in the Linux kernel did not restrict the address calculated by a certain rounding operation, which allowed local users to map page zero, and consequently bypass a protection mechanism that exists for the mmap system call, by making crafted shmget and shmat system calls in a privileged context.
- CVE-2015-3288: mm/memory.c in the Linux kernel mishandled anonymous pages, which allowed local users to gain privileges or cause a denial of service via a crafted application that triggers writing to page zero.
- CVE-2016-10200: Race condition in the L2TPv3 IP Encapsulation feature in the Linux kernel allowed local users to gain privileges or cause a denial of service by making multiple bind system calls without properly ascertaining whether a socket has the SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c.
- CVE-2016-5243: The tipc_nl_compat_link_dump function in net/tipc/netlink_compat.c in the Linux kernel did not properly copy a certain string, which allowed local users to obtain sensitive information from kernel stack memory by reading a Netlink message.
- CVE-2017-6353: net/sctp/socket.c in the Linux kernel did not properly restrict association peel-off operations during certain wait states, which allowed local users to cause a denial of service via a multithreaded application.
- CVE-2017-6214: The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel allowed remote attackers to cause a denial of service via vectors involving a TCP packet with the URG flag.
- CVE-2017-6074: The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel mishandled DCCP_PKT_REQUEST packet data structures in the LISTEN state, which allowed local users to obtain root privileges or cause a denial of service via an application that made an IPV6_RECVPKTINFO setsockopt system call.
- CVE-2017-5986: Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c in the Linux kernel allowed local users to cause a denial of service via a multithreaded application that peels off an association in a certain buffer-full state.
- CVE-2015-8970: crypto/algif_skcipher.c in the Linux kernel did not verify that a setkey operation has been performed on an AF_ALG socket before an accept system call is processed, which allowed local users to cause a denial of service via a crafted application that does not supply a key, related to the lrw_crypt function in crypto/lrw.c.

The following non-security bugs were fixed:
- NFSD: do not risk using duplicate owner/file/delegation ids
- RAID1: avoid unnecessary spin locks in I/O barrier code
- SUNRPC: Clean up the slot table allocation
- SUNRPC: Initalise the struct xprt upon allocation
- USB: cdc-acm: fix broken runtime suspend
- USB: cdc-acm: fix open and suspend race
- USB: cdc-acm: fix potential urb leak and PM imbalance in write
- USB: cdc-acm: fix runtime PM for control messages
- USB: cdc-acm: fix runtime PM imbalance at shutdown
- USB: cdc-acm: fix shutdown and suspend race
- USB: cdc-acm: fix write and resume race
- USB: cdc-acm: fix write and suspend race
- USB: hub: Fix crash after failure to read BOS descriptor
- USB: serial: iuu_phoenix: fix NULL-deref at open
- USB: serial: kl5kusb105: fix line-state error handling
- USB: serial: mos7720: fix NULL-deref at open
- USB: serial: mos7720: fix parallel probe
- USB: serial: mos7720: fix parport use-after-free on probe errors
- USB: serial: mos7720: fix use-after-free on probe errors
- USB: serial: mos7840: fix NULL-deref at open
- USB: xhci-mem: use passed in GFP flags instead of GFP_KERNEL
- Update metadata for serial fixes
- Use PF_LESS_THROTTLE in loop device thread
- clocksource: Remove weak from clocksource_default_clock declaration
- dlm: backport fix lvb invalidation conditions
- drm/mgag200: Add support for G200e rev 4
- enic: set skb-hash type properly
- ext4: fix mballoc breakage with 64k block size
- ext4: fix stack memory corruption with 64k block size
- ext4: reject inodes with negative size
- fuse: initialize fc->release before calling it
- i40e/i40evf: Break up xmit_descriptor_count from maybe_stop_tx
- i40e/i40evf: Fix mixed size frags and linearization
- i40e/i40evf: Limit TSO to 7 descriptors for payload instead of 8 per packet
- i40e/i40evf: Rewrite logic for 8 descriptor per packet check
- i40e: Fix TSO with more than 8 frags per segment issue
- i40e: Impose a lower limit on gso size
- i40e: Limit TX descriptor count in cases where frag size is greater than 16K
- i40e: avoid null pointer dereference
- jbd: Fix oops in journal_remove_journal_head
- jbd: do not wait for stale tid caused by wraparound
- kABI: mask struct xfs_icdinode change
- kabi: Protect xfs_mount and xfs_buftarg
- kabi: fix
- lockd: use init_utsname for id encoding
- lockd: use rpc client's cl_nodename for id encoding
- md linear: fix a race between linear_add and linear_congested
- md/linear: shutup lockdep warnning
- mm/mempolicy.c: do not put mempolicy before using its nodemask
- ocfs2: do not write error flag to user structure we cannot copy from/to
- ocfs2: fix crash caused by stale lvb with fsdlm plugin
- ocfs2: fix error return code in ocfs2_info_handle_freefrag
- ocfs2: null deref on allocation error
- pciback: only check PF if actually dealing with a VF
- pciback: use pci_physfn
- posix-timers: Fix stack info leak in timer_create
- powerpc,cpuidle: Dont toggle CPUIDLE_FLAG_IGNORE while setting smt_snooze_delay
- powerpc/fadump: Fix the race in crash_fadump
- powerpc/fadump: Reserve memory at an offset closer to bottom of RAM
- powerpc/fadump: Update fadump documentation
- powerpc/nvram: Fix an incorrect partition merge
- powerpc/vdso64: Use double word compare on pointers
- rcu: Call out dangers of expedited RCU primitives
- rcu: Direct algorithmic SRCU implementation
- rcu: Flip ->completed only once per SRCU grace period
- rcu: Implement a variant of Peter's SRCU algorithm
- rcu: Increment upper bit only for srcu_read_lock
- rcu: Remove fast check path from __synchronize_srcu
- s390/kmsg: add missing kmsg descriptions
- s390/vmlogrdr: fix IUCV buffer allocation
- s390/zcrypt: Introduce CEX6 toleration
- sched/core: Fix TASK_DEAD race in finish_task_switch
- sched/loadavg: Fix loadavg artifacts on fully idle and on fully loaded systems
- scsi: zfcp: do not trace pure benign residual HBA responses at default level
- scsi: zfcp: fix rport unblock race with LUN recovery
- scsi: zfcp: fix use-after-free in FC ingress path after TMF
- scsi: zfcp: fix use-after-free by not tracing WKA port open/close on failed send
- sfc: reduce severity of PIO buffer alloc failures
- tcp: abort orphan sockets stalling on zero window probes
- vfs: split generic splice code from i_mutex locking
- virtio_scsi: fix memory leak on full queue condition
- vmxnet3: segCnt can be 1 for LRO packets
- xen-blkfront: correct maximum segment accounting
- xen-blkfront: do not call talk_to_blkback when already connected to blkback
- xen-blkfront: free resources if xlvbd_alloc_gendisk fails
- xfs: Fix lock ordering in splice write
- xfs: Make xfs_icdinode->di_dmstate atomic_t
- xfs: do not assert fail on non-async buffers on ioacct decrement
- xfs: exclude never-released buffers from buftarg I/O accounting
- xfs: fix buffer overflow dm_get_dirattrs/dm_get_dirattrs2
- xfs: fix up xfs_swap_extent_forks inline extent handling
- xfs: kill xfs_itruncate_start
- xfs: remove the i_new_size field in struct xfs_inode
- xfs: remove the i_size field in struct xfs_inode
- xfs: remove xfs_itruncate_data
- xfs: replace global xfslogd wq with per-mount wq
- xfs: split xfs_itruncate_finish
- xfs: split xfs_setattr
- xfs: track and serialize in-flight async buffers against unmount
- xfs_dmapi: fix the debug compilation of xfs_dmapi

Platform:
SUSE Linux Enterprise Server 11 SP4
Product:
kernel
Reference:
SUSE-SU-2017:1301-1
CVE-2015-3288
CVE-2015-8970
CVE-2016-10200
CVE-2016-5243
CVE-2017-2671
CVE-2017-5669
CVE-2017-5970
CVE-2017-5986
CVE-2017-6074
CVE-2017-6214
CVE-2017-6348
CVE-2017-6353
CVE-2017-7184
CVE-2017-7187
CVE-2017-7261
CVE-2017-7294
CVE-2017-7308
CVE-2017-7616
CPE    3
cpe:/o:linux:linux_kernel:4.8
cpe:/o:linux:linux_kernel
cpe:/o:suse:suse_linux_enterprise_server:11:sp4

© SecPod Technologies