The SUSE Linux Enterprise 12 SP5 kernel was updated to receive various security and bugfixes. The following security bugs were fixed: - CVE-2022-4378: Fixed stack overflow in __do_proc_dointvec . - CVE-2022-42328: Guests could trigger denial of service via the netback driver . - CVE-2022-42329: Guests could trigger denial of service via the netback driver . - CVE-2022-3643: Guests could trigger NIC interface reset/abort/crash via netback driver . - CVE-2022-3635: Fixed a use-after-free in the tst_timer of the file drivers/atm/idt77252.c . - CVE-2022-41850: Fixed a race condition in roccat_report_event in drivers/hid/hid-roccat.c . - CVE-2022-45934: Fixed a integer wraparound via L2CAP_CONF_REQ packets in l2cap_config_req in net/bluetooth/l2cap_core.c . - CVE-2022-3628: Fixed potential buffer overflow in brcmf_fweh_event_worker in wifi/brcmfmac . - CVE-2022-3567: Fixed a to race condition in inet6_stream_ops/inet6_dgram_ops . - CVE-2022-41858: Fixed a denial of service in sl_tx_timeout in drivers/net/slip . - CVE-2022-43945: Fixed a buffer overflow in the NFSD implementation . - CVE-2022-4095: Fixed a use-after-free in rtl8712 driver . - CVE-2022-3903: Fixed a denial of service with the Infrared Transceiver USB driver . - CVE-2022-42895: Fixed an information leak in the net/bluetooth/l2cap_core.c"s l2cap_parse_conf_req which can be used to leak kernel pointers remotely . - CVE-2022-42896: Fixed a use-after-free vulnerability in the net/bluetooth/l2cap_core.c"s l2cap_connect and l2cap_le_connect_req which may have allowed code execution and leaking kernel memory remotely via Bluetooth . The following non-security bugs were fixed: - Drivers: hv: vmbus: Add VMbus IMC device to unsupported list . - Drivers: hv: vmbus: Add vmbus_requestor data structure for VMBus hardening . - Drivers: hv: vmbus: Drop error message when "No request id available" . - Drivers: hv: vmbus: Fix handling of messages with transaction ID of zero . - Drivers: hv: vmbus: Fix potential crash on module unload . - Drivers: hv: vmbus: Introduce vmbus_request_addr_match . - Drivers: hv: vmbus: Introduce vmbus_sendpacket_getid . - Drivers: hv: vmbus: Introduce {lock,unlock}_requestor . - Drivers: hv: vmbus: Move __vmbus_open . - Drivers: hv: vmbus: Prevent load re-ordering when reading ring buffer . - Drivers: hv: vmbus: fix double free in the error path of vmbus_add_channel_work . - Drivers: hv: vmbus: fix possible memory leak in vmbus_device_register . - FDDI: defxx: Bail out gracefully with unassigned PCI resource for CSR . - FDDI: defxx: Make MMIO the configuration default except for EISA . - KVM: s390: Add a routine for setting userspace CPU state . - KVM: s390: Clarify SIGP orders versus STOP/RESTART . - KVM: s390: Fix handle_sske page fault handling . - KVM: s390: Simplify SIGP Set Arch handling . - KVM: s390: fix memory slot handling for KVM_SET_USER_MEMORY_REGION . - KVM: s390: reduce number of IO pins to 1 . - KVM: s390: split kvm_s390_logical_to_effective . - KVM: s390: split kvm_s390_real_to_abs . - KVM: s390x: fix SCK locking . - NIU: fix incorrect error return, missed in previous revert . - PCI: hv: Add check for hyperv_initialized in init_hv_pci_drv . - PCI: hv: Add validation for untrusted Hyper-V values . - PCI: hv: Drop msi_controller structure . - PCI: hv: Fix NUMA node assignment when kernel boots with custom NUMA topology . - PCI: hv: Fix a race condition when removing the device . - PCI: hv: Fix hv_arch_irq_unmask for multi-MSI . - PCI: hv: Fix interrupt mapping for multi-MSI . - PCI: hv: Fix multi-MSI to allow more than one MSI vector . - PCI: hv: Fix sleep while in non-sleep context when removing child devices from the bus . - PCI: hv: Fix synchronization between channel callback and hv_compose_msi_msg . - PCI: hv: Fix synchronization between channel callback and hv_pci_bus_exit . - PCI: hv: Fix the definition of vector in hv_compose_msi_msg . - PCI: hv: Make the code arch neutral by adding arch specific interfaces . - PCI: hv: Only reuse existing IRTE allocation for Multi-MSI . - PCI: hv: Remove bus device removal unused refcount/functions . - PCI: hv: Remove unnecessary use of %hx . - PCI: hv: Reuse existing IRTE allocation in compose_msi_msg . - PCI: hv: Support for create interrupt v3 . - PCI: hv: Use struct_size helper . - PCI: hv: Use vmbus_requestor to generate transaction IDs for VMbus hardening . - PM: hibernate: fix sparse warnings . - Xen/gntdev: do not ignore kernel unmapping error . - add missing bug reference to a hv_netvsc patch file . - always clear the X2APIC_ENABLE bit for PV guest . - arm/xen: Do not probe xenbus as part of an early initcall . - ath5k: fix OOB in ath5k_eeprom_read_pcal_info_5111 . - bfq: Update cgroup information before merging bio . - blk-mq: add callback of .cleanup_rq . - blktrace: Trace remapped requests correctly . - block/bfq: fix ifdef for CONFIG_BFQ_GROUP_IOSCHED=y . - block: Add a helper to validate the block size . - block: blk_queue_enter / __bio_queue_enter must return -EAGAIN for nowait . - block: do not delete queue kobject before its children . - block: respect queue limit of max discard segment . - block: rsxx: select CONFIG_CRC32 . - block: use "unsigned long" for blk_validate_block_size . - bnxt_en: Clean up completion ring page arrays completely . - bnxt_en: Do not use static arrays for completion ring pages . - bnxt_en: Fix Priority Bytes and Packets counters in ethtool -S . - bnxt_en: Fix TX timeout when TX ring size is set to the smallest . - bnxt_en: Free context memory after disabling PCI in probe error path . - bnxt_en: Increase maximum RX ring size if jumbo ring is not used . - brd: re-enable __GFP_HIGHMEM in brd_insert_page . - can: peak_pci: peak_pci_remove: fix UAF . - can: peak_usb: pcan_usb_fd_decode_status: fix back to ERROR_ACTIVE state notification . - can: rcar_can: fix suspend/resume . - ceph: check availability of mds cluster on mount after wait timeout . - ceph: do not skip updating wanted caps when cap is stale . - ceph: fix fscache invalidation . - ceph: fix potential race in ceph_check_caps . - ceph: lockdep annotations for try_nonblocking_invalidate . - ceph: return -EINVAL if given fsc mount option on kernel w/o support . - ceph: return -ERANGE if virtual xattr value didn"t fit in buffer . - ceph: return ceph_mdsc_do_request errors from __get_parent . - cuse: prevent clone . - cxgb4: dont touch blocked freelist bitmap after free . - dm era: commit metadata in postsuspend after worker stops . - dm mirror log: clear log bits up to BITS_PER_LONG boundary . - dm mpath: remove harmful bio-based optimization . - dm raid: fix accesses beyond end of raid member array . - dm raid: fix address sanitizer warning in raid_resume . - dm raid: fix address sanitizer warning in raid_status . - dm thin: fix use-after-free crash in dm_sm_register_threshold_callback . - dm: return early from dm_pr_call if DM device is suspended . - e100: fix buffer overrun in e100_get_regs . - e100: fix length calculation in e100_get_regs_len . - floppy: Fix hang in watchdog when disk is ejected . - ftrace: Fix char print issue in print_ip_ins . - ftrace: Fix the possible incorrect kernel message . - ftrace: Fix use-after-free for dynamic ftrace_ops . - ftrace: Optimize the allocation for mcount entries . - fuse: do not check refcount after stealing page . - fuse: retrieve: cap requested size to negotiated max_write . - fuse: use READ_ONCE on congestion_threshold and max_background . - gianfar: Disable EEE autoneg by default . - hv_netvsc: Add check for kvmalloc_array . - hv_netvsc: Add error handling while switching data path . - hv_netvsc: Add validation for untrusted Hyper-V values . - hv_netvsc: Cache the current data path to avoid duplicate call and message . - hv_netvsc: Check VF datapath when sending traffic to VF . - hv_netvsc: Fix error handling in netvsc_set_features . - hv_netvsc: Fix race between VF offering and VF association message from host . - hv_netvsc: Print value of invalid ID in netvsc_send_{completion,tx_complete} . - hv_netvsc: Process NETDEV_GOING_DOWN on VF hot remove . - hv_netvsc: Remove unnecessary round_up for recv_completion_cnt . - hv_netvsc: Reset the RSC count if NVSP_STAT_FAIL in netvsc_receive . - hv_netvsc: Sync offloading features to VF NIC . - hv_netvsc: Use vmbus_requestor to generate transaction IDs for VMBus hardening . - hv_netvsc: Wait for completion on request SWITCH_DATA_PATH . - hv_netvsc: use netif_is_bond_master instead of open code . - i40e: Fix kernel crash during module removal . - i40e: Fix reset path while removing the driver . - i40e: fix endless loop under rtnl . - ibmvnic: Free rwi on reset success . - ice: Increase control queue timeout . - igb: Fix position of assignment to *ring . - igc: Fix use-after-free error during reset . - igc: change default return of igc_read_phy_reg . - ipv6: ping: fix wrong checksum for large frames . - ixgbe: Fix packet corruption due to missing DMA sync . - kexec: turn all kexec_mutex acquisitions into trylocks . - kprobes/x86/xen: blacklist non-attachable xen interrupt functions . - livepatch: Add a missing newline character in klp_module_coming . - livepatch: fix race between fork and KLP transition . - macsec: check return value of skb_to_sgvec always . - macsec: fix memory leaks when skb_to_sgvec fails . - md/raid5: Ensure stripe_fill happens on non-read IO with journal . - md: Replace snprintf with scnprintf . - media: em28xx-input: fix refcount bug in em28xx_usb_disconnect . - media: ite-cir: IR receiver stop working after receive overflow . - media: mceusb: RX -EPIPE lockup failure fix . - media: mceusb: TX -EPIPE lockup fix . - media: mceusb: do not read data parameters unless required . - media: mceusb: fix inaccurate debug buffer dumps, and misleading debug messages . - media: mceusb: sanity check for prescaler value . - media: mceusb: sporadic RX truncation corruption fix . - mm, swap, frontswap: fix THP swap if frontswap enabled . - module: change to print useful messages from elf_validity_check . - module: fix [e_shstrndx].sh_size=0 OOB access . - module: harden ELF info handling . - natsemi: sonic: stop calling netdev_boot_setup_check . - nbd: do not update block size after device is started . - net/mlx5: E-Switch, Hold mutex when querying drop counter in legacy mode . - net/mlx5: Fix flow table chaining . - net/mlx5e: Fix endianness handling in pedit mask . - net/mlx5e: Fix nullptr in mlx5e_hairpin_get_mdev . - net: aquantia: Fix actual speed capabilities reporting . - net: bcmgenet: Ensure all TX/RX queues DMAs are disabled . - net: ethernet: arc: fix error handling in emac_rockchip_probe . - net: ethernet: ti: ale: fix seeing unreg mcast packets with promisc and allmulti disabled . - net: ethernet: xilinx: Mark XILINX_LL_TEMAC broken on 64-bit . - net: hns3: add limit ets dwrr bandwidth cannot be 0 . - net: hns3: check vlan id before using it . - net: hns3: disable sriov before unload hclge layer . - net: hns3: do not allow call hns3_nic_net_open repeatedly . - net: hns3: fix change RSS "hfunc" ineffective issue . - net: hns3: fix kernel crash when unload VF while it is being reset . - net: hns3: reset DWRR of unused tc to zero . - net: hyperv: remove use of bpf_op_t . - net: ieee802154: adf7242: Fix bug if defined DEBUG . - net: ieee802154: at86rf230: Stop leaking skb"s . - net: ieee802154: ca8210: Stop leaking skb"s . - net: mdiobus: Fix memory leak in __mdiobus_register . - net: moxa: fix UAF in moxart_mac_probe . - net: natsemi: Fix missing pci_disable_device in probe and remove . - net: netvsc: remove break after return . - net: nxp: lpc_eth.c: avoid hang when bringing interface down . - net: qcom/emac: fix UAF in emac_remove . - net: smsc911x: Fix unload crash when link is up . - net: ti: fix UAF in tlan_remove_one . - net: xen-netback: fix return type of ndo_start_xmit function . - nfsd: set the server_scope during service startup . - null_blk: Fix the null_add_dev error path . - null_blk: fix ida error handling in null_add_dev . - null_blk: fix passing of REQ_FUA flag in null_handle_rq . - panic, kexec: make __crash_kexec NMI safe . - phy: mdio: fix memory leak . - ptp: dp83640: do not define PAGE0 . - qed: Fix missing error code in qed_slowpath_start . - rbd: fix possible memory leak in rbd_sysfs_init . - ring-buffer: Add ring_buffer_wake_waiters . - ring-buffer: Allow splice to read previous partially read pages . - ring-buffer: Check for NULL cpu_buffer in ring_buffer_wake_waiters . - ring-buffer: Check pending waiters when doing wake ups as well . - ring-buffer: Fix race between reset page and reading page . - ring_buffer: Do not deactivate non-existant pages . - s390/boot: fix absolute zero lowcore corruption on boot . - s390/cio: Fix the "type" field in s390_cio_tpi tracepoint . - s390/cio: dont call css_wait_for_slow_path inside a lock . - s390/cpcmd: fix inline assembly register clobbering . - s390/crash: fix incorrect number of bytes to copy to user space . - s390/crash: make copy_oldmem_page return number of bytes copied . - s390/crypto: fix scatterwalk_unmap callers in AES-GCM . - s390/ctcm: fix potential memory leak . - s390/ctcm: fix variable dereferenced before check . - s390/dasd: fix Oops in dasd_alias_get_start_dev due to missing pavgroup . - s390/futex: add missing EX_TABLE entry to __futex_atomic_op . - s390/lcs: fix variable dereferenced before check . - s390/mcck: fix invalid KVM guest condition check . - s390/mcck: isolate SIE instruction when setting CIF_MCCK_GUEST flag . - s390/mm: use non-quiescing sske for KVM switch to keyed guest . - s390/module: fix loading modules with a lot of relocations . - s390/nmi: handle guarded storage validity failures for KVM guests . - s390/nmi: handle vector validity failures for KVM guests . - s390/pci: add missing EX_TABLE entries to __pcistg_mio_inuser/__pcilg_mio_inuser . - s390/pkey: fix paes selftest failure with paes and pkey static build . - s390/pv: fix the forcing of the swiotlb . - s390/qdio: cancel the ESTABLISH ccw after timeout . - s390/qdio: fix roll-back after timeout on ESTABLISH ccw . - s390/qeth: Fix deadlock in remove_discipline . - s390/qeth: Fix error handling during VNICC initialization . - s390/qeth: Fix initialization of vnicc cmd masks during set online . - s390/qeth: Fix vnicc_is_in_use if rx_bcast not set . - s390/qeth: do not defer close_dev work during recovery . - s390/qeth: fix NULL deref in qeth_clear_working_pool_list . - s390/qeth: fix deadlock during failing recovery . - s390/qeth: fix false reporting of VNIC CHAR config failure . - s390/qeth: fix memory leak after failed TX Buffer allocation . - s390/qeth: fix notification for pending buffers during teardown . - s390/qeth: remove driver-wide workqueue . - s390/qeth: vnicc Fix EOPNOTSUPP precedence . - s390/qeth: vnicc Fix init to default . - s390/uaccess: add missing EX_TABLE entries to __clear_user, copy_in_user_mvcos, copy_in_user_mvc, clear_user_xc and __strnlen_user . - s390/zcore: fix race when reading from hardware system area . - s390: Remove arch_has_random, arch_has_random_seed . - s390: appldata depends on PROC_SYSCTL . - s390: define get_cycles macro for arch-override . - s390: fix nospec table alignments . - sbitmap: fix possible io hung due to lost wakeup . - scsi: bsg: Remove support for SCSI_IOCTL_SEND_COMMAND . - scsi: ibmvfc: Avoid path failures during live migration . - scsi: ibmvscsis: Increase INITIAL_SRP_LIMIT to 1024 . - scsi: libsas: Fix use-after-free bug in smp_execute_task_sg . - scsi: lpfc: Rework MIB Rx Monitor debug info logic . - scsi: lpfc: Update the obsolete adapter list . - scsi: qla2xxx: Fix serialization of DCBX TLV data request . - scsi: qla2xxx: Use transport-defined speed mask for supported_speeds . - scsi: storvsc: Drop DID_TARGET_FAILURE use . - scsi: storvsc: Fix max_outstanding_req_per_channel for Win8 and newer . - scsi: storvsc: Fix validation for unsolicited incoming packets . - scsi: storvsc: Remove WQ_MEM_RECLAIM from storvsc_error_wq . - scsi: storvsc: Resolve data race in storvsc_probe . - scsi: storvsc: Use blk_mq_unique_tag to generate requestIDs . - scsi: storvsc: Use vmbus_requestor to generate transaction IDs for VMBus hardening . - scsi: storvsc: Validate length of incoming packet in storvsc_on_channel_callback . - scsi: zfcp: Fix double free of FSF request when qdio send fails . - scsi: zfcp: Fix missing auto port scan and thus missing target ports . - selftests/livepatch: better synchronize test_klp_callbacks_busy . - sfp: fix RX_LOS signal handling . - sis900: Fix missing pci_disable_device in probe and remove . - sunrpc: Re-purpose trace_svc_process . - tracing: Add ioctl to force ring buffer waiters to wake up . - tracing: Disable interrupt or preemption before acquiring arch_spinlock_t . - tracing: Do not free snapshot if tracer is on cmdline . - tracing: Simplify conditional compilation code in tracing_set_tracer . - tracing: Wake up ring buffer waiters on closing of the file . - tracing: Wake up waiters when tracing is disabled . - tulip: windbond-840: Fix missing pci_disable_device in probe and remove . - usb: chipidea: udc: check request status before setting device address . - usb: musb: Fix suspend with devices connected for a64 . - vfio/ccw: Do not change FSM state in subchannel event . - vfio: ccw: fix error return in vfio_ccw_sch_event . - virtio-blk: Use blk_validate_block_size to validate block size . - virtio/s390: implement virtio-ccw revision 2 correctly . - virtio_blk: eliminate anonymous module_init module_exit . - virtio_net: move tx vq operation under tx queue lock . - vxlan: add missing rcu_read_lock in neigh_reduce . - x86/bugs: Make sure MSR_SPEC_CTRL is updated properly upon resume from S3 . - x86/cpu: Restore AMD"s DE_CFG MSR after resume . - x86/hyperv: Output host build info as normal Windows version number . - x86/hyperv: Set pv_info.name to "Hyper-V" . - x86/microcode/AMD: Apply the patch early on every logical thread . - x86/xen: Distribute switch variables for initialization . - x86/xen: Return from panic notifier . - x86/xen: do not unbind uninitialized lock_kicker_irq . - xen-blkback: prevent premature module unload . - xen-netback: correct success/error reporting for the SKB-with-fraglist case . - xen-netfront: remove warning when unloading module . - xen/balloon: fix balloon initialization for PVH Dom0 . - xen/balloon: fix balloon kthread freezing . - xen/balloon: fix ballooned page accounting without hotplug enabled . - xen/balloon: fix cancelled balloon action . - xen/balloon: use a kernel thread instead a workqueue . - xen/blkback: fix memory leaks . - xen/efi: Set nonblocking callbacks . - xen/gntdev: Avoid blocking in unmap_grant_pages . - xen/gntdev: Fix off-by-one error when unmapping with holes . - xen/gntdev: Fix partial gntdev_mmap cleanup . - xen/gntdev: Ignore failure to unmap INVALID_GRANT_HANDLE . - xen/gntdev: Prevent leaking grants . - xen/grant-table: Use put_page instead of free_page . - xen/pciback: Check dev_data before using it . - xen/pciback: remove set but not used variable "old_state" . - xen/pcpu: fix possible memory leak in register_pcpu . - xen/scsiback: add error handling for xenbus_printf . - xen/xenbus: Fix granting of vmalloc"d memory . - xen/xenbus: ensure xenbus_map_ring_valloc returns proper grant status . - xen: Fix XenStore initialisation for XS_LOCAL . - xen: Fix event channel callback via INTX/GSI . - xen: XEN_ACPI_PROCESSOR is Dom0-only . - xen: add error handling for xenbus_printf . - xen: avoid crash in disable_hotplug_cpu . - xen: fix GCC warning and remove duplicate EVTCHN_ROW/EVTCHN_COL usage . - xen: xenbus: use put_device instead of kfree . - xenbus: req-greater than body should be updated before req-greater than state . - xenbus: req-greater than err should be updated before req-greater than state . Special Instructions and Notes: Please reboot the system after installing this update.