The SUSE Linux Enterprise 15 SP3 kernel was updated to receive various security and bugfixes. The following security bugs were fixed: - CVE-2022-0435: Fixed remote stack overflow in net/tipc module that validate domain record count on input . - CVE-2022-0330: Fixed flush TLBs before releasing backing store . - CVE-2022-0286: Fixed null pointer dereference in bond_ipsec_add_sa that may have lead to local denial of service . - CVE-2022-22942: Fixed stale file descriptors on failed usercopy . - CVE-2021-45095: Fixed refcount leak in pep_sock_accept in net/phonet/pep.c . - CVE-2021-44733: Fixed a use-after-free exists in drivers/tee/tee_shm.c in the TEE subsystem, that could have occured because of a race condition in tee_shm_get_from_id during an attempt to free a shared memory object . - CVE-2021-39685: Fixed USB gadget buffer overflow caused by too large endpoint 0 requests . - CVE-2021-39657: Fixed out of bounds read due to a missing bounds check in ufshcd_eh_device_reset_handler of ufshcd.c. This could lead to local information disclosure with System execution privileges needed . - CVE-2021-39648: Fixed possible disclosure of kernel heap memory due to a race condition in gadget_dev_desc_UDC_show of configfs.c. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation . - CVE-2021-22600: Fixed double free bug in packet_set_ring in net/packet/af_packet.c that could have been exploited by a local user through crafted syscalls to escalate privileges or deny service . - CVE-2020-28097: Fixed out-of-bounds read in vgacon subsystem that mishandled software scrollback . The following non-security bugs were fixed: - ACPI: battery: Add the ThinkPad 'Not Charging' quirk . - ACPICA: Executer: Fix the REFCLASS_REFOF case in acpi_ex_opcode_1A_0T_1R . - ACPICA: Fix wrong interpretation of PCC address . - ACPICA: Hardware: Do not flush CPU cache when entering S4 and S5 . - ACPICA: Utilities: Avoid deleting the same object twice in a row . - ACPICA: actypes.h: Expand the ACPI_ACCESS_ definitions . - ALSA: seq: Set upper limit of processed events . - ALSA: usb-audio: Correct quirk for VF0770 . - ALSA: usb-audio: initialize variables that could ignore errors . - ASoC: cpcap: Check for NULL pointer after calling of_get_child_by_name . - ASoC: fsl: Add missing error handling in pcm030_fabric_probe . - ASoC: max9759: fix underflow in speaker_gain_control_put . - ASoC: mediatek: mt8173: fix device_node leak . - ASoC: xilinx: xlnx_formatter_pcm: Make buffer bytes multiple of period bytes . - Bluetooth: Fix debugfs entry leak in hci_register_dev . - Bluetooth: refactor malicious adv data check . - Documentation: fix firewire.rst ABI file path error . - HID: apple: Do not reset quirks when the Fn key is not found . - HID: quirks: Allow inverting the absolute X/Y values . - HID: uhid: Fix worker destroying device without any protection . - HID: wacom: Reset expected and received contact counts at the same time . - IB/cm: Avoid a loop when device has 255 ports - IB/hfi1: Fix error return code in parse_platform_config - IB/hfi1: Use kzalloc for mmu_rb_handler allocation - IB/isert: Fix a use after free in isert_connect_request - IB/mlx4: Separate tunnel and wire bufs parameters - IB/mlx5: Add missing error code - IB/mlx5: Add mutex destroy call to cap_mask_mutex mutex - IB/mlx5: Fix error unwinding when set_has_smi_cap fails - IB/mlx5: Return appropriate error code instead of ENOMEM - IB/umad: Return EIO in case of when device disassociated - IB/umad: Return EPOLLERR in case of when device disassociated - Input: wm97xx: Simplify resource management . - NFS: Ensure the server had an up to date ctime before renaming . - NFSv4: Handle case where the lookup of a directory fails . - NFSv4: nfs_atomic_open can race when looking up a non-regular file . - PCI: Add function 1 DMA alias quirk for Marvell 88SE9125 SATA controller . - PM: wakeup: simplify the output logic of pm_show_wakelocks . - RDMA/addr: Be strict with gid size - RDMA/bnxt_re: Fix a double free in bnxt_qplib_alloc_res - RDMA/bnxt_re: Fix error return code in bnxt_qplib_cq_process_terminal - RDMA/bnxt_re: Set queue pair state when being queried - RDMA/cm: Fix an attempt to use non-valid pointer when cleaning timewait - RDMA/core: Clean up cq pool mechanism . - RDMA/core: Do not access cm_id after its destruction - RDMA/core: Do not indicate device ready when device enablement fails - RDMA/core: Fix corrupted SL on passive side - RDMA/core: Unify RoCE check and re-factor code - RDMA/cxgb4: Fix adapter LE hash errors while destroying ipv6 listening server - RDMA/cxgb4: Fix the reported max_recv_sge value - RDMA/cxgb4: Validate the number of CQEs - RDMA/cxgb4: add missing qpid increment - RDMA/hns: Add a check for current state before modifying QP - RDMA/hns: Remove the portn field in UD SQ WQE - RDMA/hns: Remove unnecessary access right set during INIT2INIT - RDMA/i40iw: Address an mmap handler exploit in i40iw - RDMA/i40iw: Fix error unwinding when i40iw_hmc_sd_one fails - RDMA/mlx5: Fix corruption of reg_pages in mlx5_ib_rereg_user_mr - RDMA/mlx5: Fix potential race between destroy and CQE poll - RDMA/mlx5: Fix query DCT via DEVX - RDMA/mlx5: Fix type warning of sizeof in __mlx5_ib_alloc_counters - RDMA/mlx5: Fix wrong free of blue flame register on error - RDMA/mlx5: Issue FW command to destroy SRQ on reentry - RDMA/mlx5: Recover from fatal event in dual port mode - RDMA/mlx5: Use the correct obj_id upon DEVX TIR creation - RDMA/ocrdma: Fix use after free in ocrdma_dealloc_ucontext_pd - RDMA/rxe: Clear all QP fields if creation failed - RDMA/rxe: Compute PSN windows correctly - RDMA/rxe: Correct skb on loopback path - RDMA/rxe: Fix coding error in rxe_rcv_mcast_pkt - RDMA/rxe: Fix coding error in rxe_recv.c - RDMA/rxe: Fix missing kconfig dependency on CRYPTO - RDMA/rxe: Remove the unnecessary variable . - RDMA/rxe: Remove useless code in rxe_recv.c - RDMA/siw: Fix a use after free in siw_alloc_mr - RDMA/siw: Fix calculation of tx_valid_cpus size - RDMA/siw: Fix handling of zero-sized Read and Receive Queues. - RDMA/siw: Properly check send and receive CQ pointers - RDMA/usnic: Fix memleak in find_free_vf_and_create_qp_grp - RDMA/uverbs: Fix a NULL vs IS_ERR bug - RDMA/uverbs: Tidy input validation of ib_uverbs_rereg_mr - RMDA/sw: Do not allow drivers using dma_virt_ops on highmem configs - USB: core: Fix hang in usb_kill_urb by adding memory barriers . - USB: serial: mos7840: fix probe error handling . - ar5523: Fix null-ptr-deref with unexpected WDCMSG_TARGET_START reply . - arm64: Kconfig: add a choice for endianness . - asix: fix wrong return value in asix_check_host_enable . - ata: pata_platform: Fix a NULL pointer dereference in __pata_platform_probe . - ath10k: Fix tx hanging . - ath9k: Fix out-of-bound memcpy in ath9k_hif_usb_rx_stream . - batman-adv: allow netlink usage in unprivileged containers . - blk-cgroup: fix missing put device in error path from blkg_conf_pref . - blk-mq: introduce blk_mq_set_request_complete . - bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds . - btrfs: tree-checker: Add EXTENT_ITEM and METADATA_ITEM check . - btrfs: tree-checker: annotate all error branches as unlikely . - btrfs: tree-checker: check for BTRFS_BLOCK_FLAG_FULL_BACKREF being set improperly . - cgroup/cpuset: Fix a partition bug with hotplug . - clk: si5341: Fix clock HW provider cleanup . - crypto: qat - fix undetected PFVF timeout in ACK loop . - dma-buf: heaps: Fix potential spectre v1 gadget . - drm/amdgpu: fixup bad vram size on gmc v8 . - drm/bridge: megachips: Ensure both bridges are probed before registration . - drm/etnaviv: limit submit sizes . - drm/etnaviv: relax submit size limits . - drm/i915/overlay: Prevent divide by zero bugs in scaling . - drm/lima: fix warning when CONFIG_DEBUG_SG=y CONFIG_DMA_API_DEBUG=y . - drm/msm/dpu: invalid parameter check in dpu_setup_dspp_pcc . - drm/msm/dsi: Fix missing put_device call in dsi_get_phy . - drm/msm/dsi: invalid parameter check in msm_dsi_phy_enable . - drm/msm/hdmi: Fix missing put_device call in msm_hdmi_get_phy . - drm/msm: Fix wrong size calculation . - drm/nouveau/kms/nv04: use vzalloc for nv04_display . - drm/nouveau/pmu/gm200-: avoid touching PMU outside of DEVINIT/PREOS/ACR . - drm/nouveau: fix off by one in BIOS boundary checking . - drm: panel-orientation-quirks: Add quirk for the Lenovo Yoga Book X91F/L . - ext4: fix an use-after-free issue about data=journal writeback mode . - ext4: make sure quota gets properly shutdown on error . - ext4: set csum seed in tmp inode while migrating to extents . - floppy: Add max size check for user space request . - fsnotify: fix fsnotify hooks in pseudo filesystems . - fsnotify: invalidate dcache before IN_DELETE event . - gpio: aspeed: Convert aspeed_gpio.lock to raw_spinlock . - gpiolib: acpi: Do not set the IRQ type if the IRQ is already in use . - hv_netvsc: Set needed_headroom according to VF . - hwmom: Fix citical alarm status for MAX6680/MAX6681 . - hwmon: Mark alert as broken for MAX6646/6647/6649 . - hwmon: Mark alert as broken for MAX6654 . - hwmon: Mark alert as broken for MAX6680 . - hwmon: Reduce maximum conversion rate for G781 . - i2c: designware-pci: Fix to change data types of hcnt and lcnt parameters . - i2c: i801: Do not silently correct invalid transfer size . - i2c: mpc: Correct I2C reset procedure . - i40iw: Add support to make destroy QP synchronous - ibmvnic: Allow extra failures before disabling . - ibmvnic: Update driver return codes . - ibmvnic: do not spin in tasklet . - ibmvnic: init -greater than running_cap_crqs early . - ibmvnic: remove unused -greater than wait_capability . - ibmvnic: remove unused defines . - igc: Fix TX timestamp support for non-MSI-X platforms . - iwlwifi: fix leaks/bad data after failed firmware load . - iwlwifi: mvm: Fix calculation of frame length . - iwlwifi: mvm: Increase the scan timeout guard to 30 seconds . - iwlwifi: mvm: synchronize with FW after multicast commands . - iwlwifi: remove module loading failure message . - lib82596: Fix IRQ check in sni_82596_probe . - lightnvm: Remove lightnvm implemenation . - mac80211: allow non-standard VHT MCS-10/11 . - media: b2c2: Add missing check in flexcop_pci_isr: . - media: coda/imx-vdoa: Handle dma_set_coherent_mask error codes . - media: igorplugusb: receiver overflow should be reported . - media: m920x: do not use stack on USB reads . - media: saa7146: hexium_gemini: Fix a NULL pointer dereference in hexium_attach . - media: saa7146: hexium_orion: Fix a NULL pointer dereference in hexium_attach . - media: uvcvideo: Increase UVC_CTRL_CONTROL_TIMEOUT to 5 seconds . - mlxsw: Only advertise link modes supported by both driver and device . - mmc: core: Fixup storing of OCR for MMC_QUIRK_NONSTD_SDIO . - mtd: nand: bbt: Fix corner case in bad block table handling . - mtd: rawnand: gpmi: Add ERR007117 protection for nfc_apply_timings . - mtd: rawnand: gpmi: Remove explicit default gpmi clock setting for i.MX6 . - net, xdp: Introduce xdp_init_buff utility routine . - net, xdp: Introduce xdp_prepare_buff utility routine . - net/mlx5: DR, Proper handling of unsupported Connect-X6DX SW steering . - net/mlx5: E-Switch, fix changing vf VLANID . - net/mlx5e: Protect encap route dev from concurrent release . - net: allow retransmitting a TCP packet if original is still in queue . - net: bonding: fix bond_xmit_broadcast return value error bug . - net: bridge: vlan: fix memory leak in __allowed_ingress . - net: bridge: vlan: fix single net device option dumping . - net: mana: Add RX fencing . - net: mana: Add XDP support . - net: sch_generic: aviod concurrent reset and enqueue op for lockless qdisc . - net: sched: add barrier to ensure correct ordering for lockless qdisc . - net: sched: avoid unnecessary seqcount operation for lockless qdisc . - net: sched: fix packet stuck problem for lockless qdisc . - net: sched: fix tx action reschedule issue with stopped queue . - net: sched: fix tx action rescheduling issue during deactivation . - net: sched: replaced invalid qdisc tree flush helper in qdisc_replace . - net: sfp: fix high power modules without diagnostic monitoring . - netdevsim: set .owner to THIS_MODULE . - nfc: llcp: fix NULL error pointer dereference on sendmsg after failed bind . - nvme-core: use list_add_tail_rcu instead of list_add_tail for nvme_init_ns_head . - nvme-fabrics: avoid double completions in nvmf_fail_nonready_command . - nvme-fabrics: ignore invalid fast_io_fail_tmo values . - nvme-fabrics: remove superfluous nvmf_host_put in nvmf_parse_options . - nvme-tcp: fix data digest pointer calculation . - nvme-tcp: fix incorrect h2cdata pdu offset accounting . - nvme-tcp: fix memory leak when freeing a queue . - nvme-tcp: fix possible use-after-completion . - nvme-tcp: validate R2T PDU in nvme_tcp_handle_r2t . - nvme: add "iopolicy" module parameter . - nvme: fix use after free when disconnecting a reconnecting ctrl . - nvme: introduce a nvme_host_path_error helper . - nvme: refactor ns-greater than ctrl by request . - phy: uniphier-usb3ss: fix unintended writing zeros to PHY register . - phylib: fix potential use-after-free . - pinctrl: bcm2835: Add support for wake-up interrupts . - pinctrl: bcm2835: Match BCM7211 compatible string . - pinctrl: intel: Fix a glitch when updating IRQ flags on a preconfigured line . - pinctrl: intel: fix unexpected interrupt . - powerpc/book3s64/radix: make tlb_single_page_flush_ceiling a debugfs entry . - powerpc/perf: Fix power_pmu_disable to call clear_pmi_irq_pending only if PMI is pending . - regulator: qcom_smd: Align probe function with rpmh-regulator . - rpmsg: char: Fix race between the release of rpmsg_ctrldev and cdev . - rpmsg: char: Fix race between the release of rpmsg_eptdev and cdev . - rsi: Fix use-after-free in rsi_rx_done_handler . - sched/fair: Fix detection of per-CPU kthreads waking a task . - sched/numa: Fix is_core_idle . - scripts/dtc: dtx_diff: remove broken example from help text . - scripts/dtc: only append to HOST_EXTRACFLAGS instead of overwriting . - serial: 8250: of: Fix mapped region size when using reg-offset property . - serial: Fix incorrect rs485 polarity on uart open . - serial: amba-pl011: do not request memory region twice . - serial: core: Keep mctrl register state and cached copy in sync . - serial: pl010: Drop CR register reset on set_termios . - serial: stm32: fix software flow control transfer . - spi: bcm-qspi: check for valid cs before applying chip select . - spi: mediatek: Avoid NULL pointer crash in interrupt . - spi: meson-spicc: add IRQ check in meson_spicc_probe . - supported.conf: mark rtw88 modules as supported - tty: Add support for Brainboxes UC cards . - tty: n_gsm: fix SW flow control encoding/handling . - ucsi_ccg: Check DEV_INT bit only when starting CCG4 . - udf: Fix NULL ptr deref when converting from inline format . - udf: Restore i_lenAlloc when inode expansion fails . - usb-storage: Add unusual-devs entry for VL817 USB-SATA bridge . - usb: common: ulpi: Fix crash in ulpi_match . - usb: gadget: f_fs: Use stream_open for endpoint files . - usb: gadget: f_sourcesink: Fix isoc transfer for USB_SPEED_SUPER_PLUS . - usb: hub: Add delay for SuperSpeed hub resume to let links transit to U0 . - usb: roles: fix include/linux/usb/role.h compile issue . - usb: typec: tcpm: Do not disconnect while receiving VBUS off . - usb: uhci: add aspeed ast2600 uhci support . - vfio/iommu_type1: replace kfree with kvfree . - video: hyperv_fb: Fix validation of screen resolution . - vxlan: fix error return code in __vxlan_dev_create . - workqueue: Fix unbind_workers VS wq_worker_running race . - x86/gpu: Reserve stolen memory for first integrated Intel GPU . - xfrm: fix MTU regression . - xhci-pci: Allow host runtime PM as default for Intel Alpine Ridge LP . Special Instructions and Notes: Please reboot the system after installing this update.