The SUSE Linux Enterprise 15 SP1 LTSS kernel was updated to receive various security and bugfixes. The following security bugs were fixed: - CVE-2022-0435: Fixed remote stack overflow in net/tipc module that validate domain record count on input . - CVE-2022-0330: Fixed flush TLBs before releasing backing store . - CVE-2021-45486: Fixed an information leak because the hash table is very small in net/ipv4/route.c . - CVE-2021-45095: Fixed refcount leak in pep_sock_accept in net/phonet/pep.c . - CVE-2021-44733: Fixed a use-after-free exists in drivers/tee/tee_shm.c in the TEE subsystem, that could have occured because of a race condition in tee_shm_get_from_id during an attempt to free a shared memory object . - CVE-2021-43976: Fixed a flaw that could allow an attacker to cause a denial of service. - CVE-2021-43975: Fixed a flaw in hw_atl_utils_fw_rpc_wait that could allow an attacker to trigger an out-of-bounds write via a crafted length value. - CVE-2021-4202: Fixed NFC race condition by adding NCI_UNREG flag . - CVE-2021-4197: Use cgroup open-time credentials for process migraton perm checks . - CVE-2021-4159: Fixed kernel ptr leak vulnerability via BPF in coerce_reg_to_size . - CVE-2021-4149: Fixed btrfs unlock newly allocated extent buffer after error . - CVE-2021-4135: Fixed zero-initialize memory inside netdevsim for new map"s value in function nsim_bpf_map_alloc . - CVE-2021-4083: Fixed a read-after-free memory flaw inside the garbage collection for Unix domain socket file handlers when users call close and fget simultaneouslyand can potentially trigger a race condition . - CVE-2021-4002: Fixed incorrect TLBs flush in hugetlbfs after huge_pmd_unshare . - CVE-2021-39657: Fixed out of bounds read due to a missing bounds check in ufshcd_eh_device_reset_handler of ufshcd.c. This could lead to local information disclosure with System execution privileges needed . - CVE-2021-39648: Fixed possible disclosure of kernel heap memory due to a race condition in gadget_dev_desc_UDC_show of configfs.c. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation . - CVE-2021-3564: Fixed double-free memory corruption in the Linux kernel HCI device initialization subsystem that could have been used by attaching malicious HCI TTY Bluetooth devices. A local user could use this flaw to crash the system . - CVE-2021-33098: Fixed a potential denial of service in Intel Ethernet ixgbe driver due to improper input validation. - CVE-2021-28715: Fixed issue with xen/netback to do not queue unlimited number of packages . - CVE-2021-28714: Fixed issue with xen/netback to handle rx queue stall detection . - CVE-2021-28713: Fixed issue with xen/console to harden hvc_xen against event channel storms . - CVE-2021-28712: Fixed issue with xen/netfront to harden netfront against event channel storms . - CVE-2021-28711: Fixed issue with xen/blkfront to harden blkfront against event channel storms . - CVE-2021-0935: Fixed possible out of bounds write in ip6_xmit of ip6_output.c due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation . - CVE-2021-0920: Fixed a local privilege escalation due to an use after free bug in unix_gc . - CVE-2020-27820: Fixed a vulnerability where a use-after-frees in nouveau"s postclose handler could happen if removing device . - CVE-2019-15126: Fixed a vulnerability in Broadcom and Cypress Wi-Fi chips, used in RPi family of devices aka Kr00k. - CVE-2018-25020: Fixed an overflow in the BPF subsystem due to a mishandling of a long jump over an instruction sequence where inner instructions require substantial expansions into multiple BPF instructions. This affects kernel/bpf/core.c and net/core/filter.c . The following non-security bugs were fixed: - Bluetooth: fix the erroneous flush_work order . - Build: Add obsolete_rebuilds_subpackage . - ICMPv6: Add ICMPv6 Parameter Problem, code 3 definition . - IPv6: reply ICMP error if the first fragment do not include all headers . - elfcore: fix building with clang . - hv_netvsc: Set needed_headroom according to VF . - ipv6/netfilter: Discard first fragment not including all headers . - kernel-*-subpackage: Add dependency on kernel scriptlets . - kernel-binary.spec.in Stop templating the scriptlets for subpackages . - kernel-binary.spec.in: add zstd to BuildRequires if used - kernel-binary.spec.in: make sure zstd is supported by kmod if used - kernel-binary.spec: Check for no kernel signing certificates. Also remove unused variable. - kernel-binary.spec: Define $image as rpm macro . - kernel-binary.spec: Do not fail silently when KMP is empty . Copy the code from kernel-module-subpackage that deals with empty KMPs. - kernel-binary.spec: Do not sign kernel when no key provided . - kernel-binary.spec: Fix kernel-default-base scriptlets after packaging merge. - kernel-binary.spec: Require dwarves for kernel-binary-devel when BTF is enabled . - kernel-binary.spec: suse-kernel-rpm-scriptlets required for uninstall as well. - kernel-cert-subpackage: Fix certificate location in scriptlets . - kernel-source.spec: install-kernel-tools also required on 15.4 - kernel-spec-macros: Since rpm 4.17 %verbose is unusable . The semantic changed in an incompatible way so invoking the macro now causes a build failure. - kprobes: Limit max data_size of the kretprobe instances . - livepatch: Avoid CPU hogging with cond_resched . - memstick: rtsx_usb_ms: fix UAF . - moxart: fix potential use-after-free on remove path . - net, xdp: Introduce xdp_init_buff utility routine . - net, xdp: Introduce xdp_prepare_buff utility routine . - net: Using proper atomic helper . - net: ipv6: Discard next-hop MTU less than minimum link MTU . - net: mana: Add RX fencing . - net: mana: Add XDP support . - net: mana: Allow setting the number of queues while the NIC is down . - net: mana: Fix spelling mistake calledd - called . - net: mana: Fix the netdev_err"s vPort argument in mana_init_port . - net: mana: Improve the HWC error handling . - net: mana: Support hibernation and kexec . - net: mana: Use kcalloc instead of kzalloc . - objtool: Support Clang non-section symbols in ORC generation . - post.sh: detect /usr mountpoint too - recordmcount.pl: fix typo in s390 mcount regex . - recordmcount.pl: look for jgnop instruction as well as bcrl on s390 . - rpm/kernel-binary.spec.in: Use kmod-zstd provide. This makes it possible to use kmod with ZSTD support on non-Tumbleweed. - rpm/kernel-binary.spec.in: avoid conflicting suse-release suse-release had arbitrary values in staging, we can"t use it for dependencies. The filesystem one has to be enough . - rpm/kernel-binary.spec.in: do not strip vmlinux again . - rpm/kernel-binary.spec: Use only non-empty certificates. - rpm/kernel-obs-build.spec.in: make builds reproducible . - rpm/kernel-source.rpmlintrc: ignore new include/config files. - rpm/kernel-source.spec.in: do some more for vanilla_only. - rpm: Abolish image suffix . - rpm: Abolish scritplet templating . Outsource kernel-binary and KMP scriptlets to suse-module-tools. - rpm: Define $certs as rpm macro . - rpm: Fold kernel-devel and kernel-source scriptlets into spec files . - rpm: fix kmp install path - rpm: use _rpmmacrodir - tty: hvc: replace BUG_ON with negative return value. - vfs: check fd has read access in kernel_read_file_from_fd . - x86/xen: Mark cpu_bringup_and_idle as dead_end_function . - xen/blkfront: do not take local copy of a request from the ring page . - xen/blkfront: do not trust the backend response data blindly . - xen/blkfront: read response from backend only once . - xen/netfront: disentangle tx_skb_freelist . - xen/netfront: do not read data from request on the ring page . - xen/netfront: do not trust the backend response data blindly . - xen/netfront: read response from backend only once . - xen: sync include/xen/interface/io/ring.h with Xen"s newest version . - xfrm: fix MTU regression . Special Instructions and Notes: Please reboot the system after installing this update.