The SUSE Linux Enterprise 15 SP1 kernel was updated to receive various security and bugfixes. The following security bugs were fixed: - CVE-2020-15436: Fixed a use after free vulnerability in fs/block_dev.c which could have allowed local users to gain privileges or cause a denial of service . - CVE-2020-15437: Fixed a null pointer dereference which could have allowed local users to cause a denial of service. - CVE-2020-25669: Fixed a use-after-free read in sunkbd_reinit . - CVE-2020-27777: Restrict RTAS requests from userspace . - CVE-2020-28915: Fixed a buffer over-read in the fbcon code which could have been used by local attackers to read kernel memory . - CVE-2020-28974: Fixed a slab-out-of-bounds read in fbcon which could have been used by local attackers to read privileged information or potentially crash the kernel . - CVE-2020-29371: Fixed uninitialized memory leaks to userspace . The following non-security bugs were fixed: - ACPI: GED: fix -Wformat . - ALSA: ctl: fix error path at adding user-defined element set . - ALSA: firewire: Clean up a locking issue in copy_resp_to_buf . - ALSA: mixart: Fix mutex deadlock . - arm64: KVM: Fix system register enumeration . - arm/arm64: KVM: Add PSCI version selection API . - ASoC: qcom: lpass-platform: Fix memory leak . - ath10k: Acquire tx_lock in tx error paths . - batman-adv: set .owner to THIS_MODULE . - Bluetooth: btusb: Fix and detect most of the Chinese Bluetooth controllers . - Bluetooth: hci_bcm: fix freeing not-requested IRQ . - bpf: Zero-fill re-used per-cpu map element . - btrfs: account ticket size at add/delete time . - btrfs: add helper to obtain number of devices with ongoing dev-replace . - btrfs: check rw_devices, not num_devices for balance . - btrfs: do not delete mismatched root refs . - btrfs: fix btrfs_calc_reclaim_metadata_size calculation . - btrfs: fix force usage in inc_block_group_ro . - btrfs: fix invalid removal of root ref . - btrfs: fix reclaim counter leak of space_info objects . - btrfs: fix reclaim_size counter leak after stealing from global reserve . - btrfs: kill min_allocable_bytes in inc_block_group_ro . - btrfs: rework arguments of btrfs_unlink_subvol . - btrfs: split dev-replace locking helpers for read and write . - can: af_can: prevent potential access of uninitialized member in canfd_rcv . - can: af_can: prevent potential access of uninitialized member in can_rcv . - can: dev: can_restart: post buffer from the right context . - can: gs_usb: fix endianess problem with candleLight firmware . - can: m_can: fix nominal bitiming tseg2 min for version greater than = 3.1 . - can: m_can: m_can_handle_state_change: fix state change . - can: m_can: m_can_stop: set device to software init mode before closing . - can: mcba_usb: mcba_usb_start_xmit: first fill skb, then pass to can_put_echo_skb . - can: peak_usb: fix potential integer overflow on shift of a int . - ceph: add check_session_state helper and make it global . - ceph: check session state after bumping session- greater than s_seq . - ceph: fix race in concurrent __ceph_remove_cap invocations . - cifs: Fix incomplete memory allocation on setxattr path . - cifs: remove bogus debug code . - cifs: Return the error from crypt_message when enc/dec key not found . - Convert trailing spaces and periods in path components . - docs: ABI: stable: remove a duplicated documentation . - docs: ABI: sysfs-c2port: remove a duplicated entry . - Drivers: hv: vmbus: Remove the unused "tsc_page" from struct hv_context . - drm/i915/gvt: Set ENHANCED_FRAME_CAP bit . - drm/sun4i: dw-hdmi: fix error return code in sun8i_dw_hdmi_bind . - Drop sysctl files for dropped archs, add ppc64le and arm64 . Also fix the ppc64 page size. - efi: cper: Fix possible out-of-bounds access . - efi/efivars: Add missing kobject_put in sysfs entry creation error path . - efi/esrt: Fix reference count leak in esre_create_sysfs_entry . - efi: provide empty efi_enter_virtual_mode implementation . - efivarfs: fix memory leak in efivarfs_create . - efivarfs: revert "fix memory leak in efivarfs_create" . - efi/x86: Do not panic or BUG on non-critical error conditions . - efi/x86: Free efi_pgd with free_pages . - efi/x86: Ignore the memory attributes table on i386 . - efi/x86: Map the entire EFI vendor string before copying it . - fs/proc/array.c: allow reporting eip/esp for all coredumping threads . - fuse: fix page dereference after free . - futex: Do not enable IRQs unconditionally in put_pi_state . - futex: Handle transient "ownerless" rtmutex state correctly . - hv_balloon: disable warning when floor reached . - hv_netvsc: deal with bpf API differences in 4.12 . - hv_netvsc: make recording RSS hash depend on feature flag . - hv_netvsc: record hardware hash in skb . - i40iw: Fix error handling in i40iw_manage_arp_cache - i40iw: fix null pointer dereference on a null wqe pointer - i40iw: Report correct firmware version - IB/cma: Fix ports memory leak in cma_configfs - IB/core: Set qp- greater than real_qp before it may be accessed - IB/hfi1: Add missing INVALIDATE opcodes for trace - IB/hfi1: Add RcvShortLengthErrCnt to hfi1stats - IB/hfi1: Add software counter for ctxt0 seq drop - IB/hfi1: Avoid hardlockup with flushlist_lock - IB/hfi1: Call kobject_put when kobject_init_and_add fails - IB/hfi1: Check for error on call to alloc_rsm_map_table - IB/hfi1: Close PSM sdma_progress sleep window - IB/hfi1: Define variables as unsigned long to fix KASAN warning - IB/hfi1: Ensure full Gen3 speed in a Gen4 system - IB/hfi1: Fix memory leaks in sysfs registration and unregistration - IB/hfi1: Fix Spectre v1 vulnerability - IB/hfi1: Handle port down properly in pio - IB/hfi1: Handle wakeup of orphaned QPs for pio - IB/hfi1: Insure freeze_work work_struct is canceled on shutdown - IB/hfi1, qib: Ensure RCU is locked when accessing list - IB/{hfi1, qib}: Fix WC.byte_len calculation for UD_SEND_WITH_IMM - IB/hfi1: Remove unused define - IB/hfi1: Silence txreq allocation warnings - IB/hfi1: Validate page aligned for a given virtual address - IB/hfi1: Wakeup QPs orphaned on wait list after flush - IB/ipoib: drop useless LIST_HEAD - IB/ipoib: Fix double free of skb in case of multicast traffic in CM mode - IB/ipoib: Fix for use-after-free in ipoib_cm_tx_start - IB/iser: Fix dma_nents type definition - IB/iser: Pass the correct number of entries for dma mapped SGL - IB/mad: Fix use-after-free in ib mad completion handling - IB/mlx4: Add and improve logging - IB/mlx4: Add support for MRA - IB/mlx4: Adjust delayed work when a dup is observed - IB/mlx4: Fix leak in id_map_find_del - IB/mlx4: Fix memory leak in add_gid error flow - IB/mlx4: Fix race condition between catas error reset and aliasguid flows - IB/mlx4: Fix starvation in paravirt mux/demux - IB/mlx4: Follow mirror sequence of device add during device removal - IB/mlx4: Remove unneeded NULL check - IB/mlx4: Test return value of calls to ib_get_cached_pkey - IB/mlx5: Add missing XRC options to QP optional params mask - IB/mlx5: Compare only index part of a memory window rkey - IB/mlx5: Do not override existing ip_protocol - IB/mlx5: Fix clean_mr to work in the expected order - IB/mlx5: Fix implicit MR release flow - IB/mlx5: Fix outstanding_pi index for GSI qps - IB/mlx5: Fix RSS Toeplitz setup to be aligned with the HW specification - IB/mlx5: Fix unreg_umr to ignore the mkey state - IB/mlx5: Improve ODP debugging messages - IB/mlx5: Move MRs to a kernel PD when freeing them to the MR cache - IB/mlx5: Prevent concurrent MR updates during invalidation - IB/mlx5: Reset access mask when looping inside page fault handler - IB/mlx5: Set correct write permissions for implicit ODP MR - IB/mlx5: Use direct mkey destroy command upon UMR unreg failure - IB/mlx5: Use fragmented QP"s buffer for in-kernel users - IB/mlx5: WQE dump jumps over first 16 bytes - IB/mthca: fix return value of error branch in mthca_init_cq - IB/qib: Call kobject_put when kobject_init_and_add fails - IB/qib: Fix an error code in qib_sdma_verbs_send - IB/{qib, hfi1, rdmavt}: Correct ibv_devinfo max_mr value - IB/qib: Remove a set-but-not-used variable - IB/rdmavt: Convert timers to use timer_setup - IB/rdmavt: Fix alloc_qpn WARN_ON - IB/rdmavt: Fix sizeof mismatch - IB/rdmavt: Reset all QPs when the device is shut down - IB/rxe: Fix incorrect cache cleanup in error flow - IB/rxe: Make counters thread safe - IB/srpt: Fix memory leak in srpt_add_one - IB/umad: Avoid additional device reference during open/close - IB/umad: Avoid destroying device while it is accessed - IB/umad: Do not check status of nonseekable_open - IB/umad: Fix kernel crash while unloading ib_umad - IB/umad: Refactor code to use cdev_device_add - IB/umad: Simplify and avoid dynamic allocation of class - IB/usnic: Fix out of bounds index check in query pkey - IB/uverbs: Fix OOPs upon device disassociation - iio: accel: kxcjk1013: Add support for KIOX010A ACPI DSM for setting tablet-mode . - iio: accel: kxcjk1013: Replace is_smo8500_device with an acpi_type enum . - inet_diag: Fix error path to cancel the meseage in inet_req_diag_fill . - Input: adxl34x - clean up a data type in adxl34x_probe . - iw_cxgb4: fix ECN check on the passive accept - iw_cxgb4: only reconnect with MPAv1 if the peer aborts - kABI: add back flush_dcache_range . - kABI workaround for usermodehelper changes . - KVM: arm64: Add missing #include of - less than linux/string.h greater than in guest.c . - KVM: arm64: Factor out core register ID enumeration . - KVM: arm64: Filter out invalid core register IDs in KVM_GET_REG_LIST . - KVM: arm64: Refactor kvm_arm_num_regs for easier maintenance . - KVM: arm64: Reject ioctl access to FPSIMD V-regs on SVE vcpus . - KVM host: kabi fixes for psci_version . - libnvdimm/nvdimm/flush: Allow architecture to override the flush barrier . - locking/lockdep: Add debug_locks check in __lock_downgrade . - locking/percpu-rwsem: Use this_cpu_{inc,dec} for read_count . - locktorture: Print ratio of acquisitions, not failures . - mac80211: always wind down STA state . - mac80211: free sta in sta_info_insert_finish on errors . - mac80211: minstrel: fix tx status processing corner case . - mac80211: minstrel: remove deferred sampling code . - mm: always have io_remap_pfn_range set pgprot_decrypted . - net: ena: Capitalize all log strings and improve code readability . - net: ena: Change license into format to SPDX in all files . - net: ena: Change log message to netif/dev function . - net: ena: Change RSS related macros and variables names . - net: ena: ethtool: Add new device statistics . - net: ena: ethtool: add stats printing to XDP queues . - net: ena: ethtool: convert stat_offset to 64 bit resolution . - net: ena: Fix all static chekers" warnings . - net: ena: Remove redundant print of placement policy . - net: ena: xdp: add queue counters for xdp actions . - netfilter: nat: can"t use dst_hold on noref dst . - net/mlx4_core: Fix init_hca fields offset . - nfc: s3fwrn5: use signed integer for parsing GPIO numbers . - NFS: mark nfsiod as CPU_INTENSIVE . - NFS: only invalidate dentrys that are clearly invalid . - NFSv4.1: fix handling of backchannel binding in BIND_CONN_TO_SESSION . - PCI: pci-hyperv: Fix build errors on non-SYSFS config . - pinctrl: amd: fix incorrect way to disable debounce filter . - pinctrl: amd: use higher precision for 512 RtcClk . - pinctrl: aspeed: Fix GPI only function problem . - platform/x86: toshiba_acpi: Fix the wrong variable assignment . - powerpc/32: define helpers to get L1 cache sizes . - powerpc/64: flush_inval_dcache_range becomes flush_dcache_range . - powerpc/64: reuse PPC32 static inline flush_dcache_range . - powerpc: Chunk calls to flush_dcache_range in arch_*_memory . - powerpc: define helpers to get L1 icache sizes . - powerpc/mm: Flush cache on memory hotplug . - powerpc/pmem: Add flush routines using new pmem store and sync instruction . - powerpc/pmem: Add new instructions for persistent storage and sync . - powerpc/pmem: Avoid the barrier in flush routines . - powerpc/pmem: Fix kernel crash due to wrong range value usage in flush_dcache_range . - powerpc/pmem: Initialize pmem device on newer hardware . - powerpc/pmem: Restrict papr_scm to P8 and above . - powerpc/pmem: Update ppc64 to use the new barrier instruction . - RDMA/bnxt_re: Fix lifetimes in bnxt_re_task - RDMA/bnxt_re: Fix Send Work Entry state check while polling completions - RDMA/bnxt_re: Fix sizeof mismatch for allocation of pbl_tbl. - RDMA/bnxt_re: Fix stack-out-of-bounds in bnxt_qplib_rcfw_send_message - RDMA/cma: add missed unregister_pernet_subsys in init failure - RDMA/cm: Add missing locking around id.state in cm_dup_req_handler - RDMA/cma: Fix false error message - RDMA/cma: fix null-ptr-deref Read in cma_cleanup - RDMA/cma: Protect bind_list and listen_list while finding matching cm id - RDMA/cm: Fix checking for allowed duplicate listens - RDMA/cm: Remove a race freeing timewait_info - RDMA/cm: Update num_paths in cma_resolve_iboe_route error flow - RDMA/core: Do not depend device ODP capabilities on kconfig option - RDMA/core: Fix invalid memory access in spec_filter_size - RDMA/core: Fix locking in ib_uverbs_event_read - RDMA/core: Fix protection fault in ib_mr_pool_destroy - RDMA/core: Fix race between destroy and release FD object - RDMA/core: Fix race when resolving IP address - RDMA/core: Prevent mixed use of FDs between shared ufiles - RDMA/cxgb3: Delete and properly mark unimplemented resize CQ function - RDMA: Directly cast the sockaddr union to sockaddr - RDMA/hns: Correct the value of HNS_ROCE_HEM_CHUNK_LEN - RDMA/hns: Correct typo of hns_roce_create_cq - RDMA/hns: Remove unsupported modify_port callback - RDMA/hns: Set the unsupported wr opcode - RDMA/i40iw: fix a potential NULL pointer dereference - RDMA/i40iw: Set queue pair state when being queried - RDMA/ipoib: Fix ABBA deadlock with ipoib_reap_ah - RDMA/ipoib: Remove check for ETH_SS_TEST - RDMA/ipoib: Return void from ipoib_ib_dev_stop - RDMA/ipoib: Set rtnl_link_ops for ipoib interfaces - RDMA/iwcm: Fix a lock inversion issue - RDMA/iwcm: Fix iwcm work deallocation - RDMA/iwcm: move iw_rem_ref calls out of spinlock - RDMA/iw_cxgb4: Avoid freeing skb twice in arp failure case - RDMA/iw_cxgb4: Fix the unchecked ep dereference - RDMA/mad: Fix possible memory leak in ib_mad_post_receive_mads - RDMA/mlx4: Initialize ib_spec on the stack - RDMA/mlx4: Read pkey table length instead of hardcoded value - RDMA/mlx5: Clear old rate limit when closing QP - RDMA/mlx5: Delete unreachable handle_atomic code by simplifying SW completion - RDMA/mlx5: Fix access to wrong pointer while performing flush due to error - RDMA/mlx5: Fix a race with mlx5_ib_update_xlt on an implicit MR - RDMA/mlx5: Fix function name typo "fileds" - greater than "fields" - RDMA/mlx5: Return proper error value - RDMA/mlx5: Set GRH fields in query QP on RoCE - RDMA/mlx5: Verify that QP is created with RQ or SQ - RDMA/nes: Remove second wait queue initialization call - RDMA/netlink: Do not always generate an ACK for some netlink operations - RDMA/ocrdma: Fix out of bounds index check in query pkey - RDMA/ocrdma: Remove unsupported modify_port callback - RDMA/pvrdma: Fix missing pci disable in pvrdma_pci_probe - RDMA/qedr: Endianness warnings cleanup - RDMA/qedr: Fix doorbell setting - RDMA/qedr: Fix memory leak in user qp and mr - RDMA/qedr: Fix reported firmware version - RDMA/qedr: Fix use of uninitialized field - RDMA/qedr: Remove unsupported modify_port callback - RDMA/qedr: SRQ"s bug fixes - RDMA/qib: Delete extra line - RDMA/qib: Remove all occurrences of BUG_ON - RDMA/qib: Validate - greater than show/store callbacks before calling them - RDMA/rxe: Drop pointless checks in rxe_init_ports - RDMA/rxe: Fill in wc byte_len with IB_WC_RECV_RDMA_WITH_IMM - RDMA/rxe: Fix configuration of atomic queue pair attributes - RDMA/rxe: Fix memleak in rxe_mem_init_user - RDMA/rxe: Fix slab-out-bounds access which lead to kernel crash later - RDMA/rxe: Fix soft lockup problem due to using tasklets in softirq - RDMA/rxe: Fix the parent sysfs read when the interface has 15 chars - RDMA/rxe: Prevent access to wr- greater than next ptr afrer wr is posted to send queue - RDMA/rxe: Remove unused rxe_mem_map_pages - RDMA/rxe: Remove useless rxe_init_device_param assignments - RDMA/rxe: Return void from rxe_init_port_param - RDMA/rxe: Return void from rxe_mem_init_dma - RDMA/rxe: Set default vendor ID - RDMA/rxe: Set sys_image_guid to be aligned with HW IB devices - RDMA/rxe: Skip dgid check in loopback mode - RDMA/rxe: Use for_each_sg_page iterator on umem SGL - RDMA/srp: Rework SCSI device reset handling - RDMA/srpt: Fix typo in srpt_unregister_mad_agent docstring - RDMA/srpt: Report the SCSI residual to the initiator - RDMA/ucma: Add missing locking around rdma_leave_multicast - RDMA/ucma: Put a lock around every call to the rdma_cm layer - RDMA/uverbs: Make the event_queue fds return POLLERR when disassociated - RDMA/vmw_pvrdma: Fix memory leak on pvrdma_pci_remove - RDMA/vmw_pvrdma: Use atomic memory allocation in create AH - reboot: fix overflow parsing reboot cpu number . - regulator: avoid resolve_supply infinite recursion . - regulator: fix memory leak with repeated set_machine_constraints . - regulator: ti-abb: Fix array out of bound read access on the first transition . - regulator: workaround self-referent regulators . - Revert "cdc-acm: hardening against malicious devices" . - Revert "kernel/reboot.c: convert simple_strtoul to kstrtoint" . - RMDA/cm: Fix missing ib_cm_destroy_id in ib_cm_insert_listen - rxe: correctly calculate iCRC for unaligned payloads - rxe: fix error completion wr_id and qp_num - s390/cio: add cond_resched in the slow_eval_known_fn loop . - s390/cpum_cf,perf: change DFLT_CCERROR counter name . - s390/dasd: Fix zero write for FBA devices . - s390: kernel/uv: handle length extension properly . - sched/core: Fix PI boosting between RT and DEADLINE tasks . - sched/x86: SaveFLAGS on context switch . - scripts/git_sort/git_sort.py: add ceph maintainers git tree - scsi: lpfc: Fix initial FLOGI failure due to BBSCN not supported . - scsi: RDMA/srpt: Fix a credit leak for aborted commands - Staging: rtl8188eu: rtw_mlme: Fix uninitialized variable authmode . - staging: rtl8723bs: Add 024c:0627 to the list of SDIO device-ids . - time: Prevent undefined behaviour in timespec64_to_ns . - tracing: Fix out of bounds write in get_trace_buf . - tty: serial: imx: keep console clocks always on . - Update references in patches.suse/net-smc-tolerate-future-smcd-versions . - USB: cdc-acm: Add DISABLE_ECHO for Renesas USB Download mode . - USB: core: driver: fix stray tabs in error messages . - USB: core: Fix regression in Hercules audio card . - USB: gadget: Fix memleak in gadgetfs_fill_super . - USB: gadget: f_midi: Fix memleak in f_midi_alloc . - USB: host: ehci-tegra: Fix error handling in tegra_ehci_probe . - USB: host: xhci-mtk: avoid runtime suspend when removing hcd . - USB: serial: cyberjack: fix write-URB completion race . - USB: serial: ftdi_sio: add support for FreeCalypso JTAG+UART adapters . - USB: serial: option: add Cellient MPL200 card . - USB: serial: option: Add Telit FT980-KS composition . - USB: serial: pl2303: add device-id for HP GC device . - usermodehelper: reset umask to default before executing user process . - video: hyperv_fb: Fix the cache type when mapping the VRAM . - x86/hyperv: Clarify comment on x2apic mode . - x86/hyperv: Make vapic support x2apic mode . - x86/microcode/intel: Check patch signature before saving microcode for early loading . - x86/PCI: Avoid AMD FCH XHCI USB PME# from D0 defect . - x86/PCI: Fix intel_mid_pci.c build error when ACPI is not enabled . - x86/PCI: Mark Intel C620 MROMs as having non-compliant BARs . - x86/speculation: Allow IBPB to be conditionally enabled on CPUs with always-on STIBP . - x86/sysfb_efi: Add quirks for some devices with swapped width and height . - xfrm: Fix memleak on xfrm state destroy . - xfs: revert "xfs: fix rmap key and record comparison functions" . Special Instructions and Notes: Please reboot the system after installing this update.