
             AUSCERT External Security Bulletin Redistribution

                   Security update for the Linux Kernel
                                17 May 2022


        AusCERT Security Bulletin Summary

Product:           Linux Kernel
Publisher:         SUSE
Operating System:  SUSE
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-28748 CVE-2022-28356 CVE-2022-1516
                   CVE-2022-1419 CVE-2022-1353 CVE-2022-1280
                   CVE-2022-1011 CVE-2021-43389 CVE-2021-38208
                   CVE-2021-20321 CVE-2021-20292 CVE-2019-20811

Original Bulletin: 

Comment: CVSS (Max):  7.0 CVE-2022-1280 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: SUSE
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

SUSE Security Update: Security update for the Linux Kernel


Announcement ID:   SUSE-SU-2022:1668-1
Rating:            important
References:        #1028340 #1071995 #1084513 #1114648 #1121726 #1129770
                   #1137728 #1172456 #1183723 #1187055 #1191647 #1191958
                   #1194625 #1195651 #1196018 #1196247 #1197075 #1197343
                   #1197391 #1197663 #1197888 #1197914 #1198217 #1198413
                   #1198516 #1198687 #1198742 #1198825 #1198989 #1199012
Cross-References:  CVE-2018-7755 CVE-2019-20811 CVE-2021-20292 CVE-2021-20321
                   CVE-2021-38208 CVE-2021-43389 CVE-2022-1011 CVE-2022-1280
                   CVE-2022-1353 CVE-2022-1419 CVE-2022-1516 CVE-2022-28356
Affected Products:
                   SUSE Linux Enterprise Real Time Extension 12-SP5

An update that solves 13 vulnerabilities and has 17 fixes is now available.


The SUSE Linux Enterprise 12 SP5 RT kernel was updated to receive various
security and bugfixes.

The following security bugs were fixed:

  o CVE-2022-28748: Fixed memory leak over the network by ax88179_178a devices
  o CVE-2022-28356: Fixed a refcount leak bug found in net/llc/af_llc.c (bnc#
  o CVE-2022-1516: Fixed null-ptr-deref caused by x25_disconnect (bsc#1199012).
  o CVE-2022-1419: Fixed a concurrency use-after-free in vgem_gem_dumb_create
  o CVE-2022-1353: Fixed access control to kernel memory in the pfkey_register
    function in net/key/af_key.c (bnc#1198516).
  o CVE-2022-1280: Fixed a use-after-free vulnerability in drm_lease_held in
    drivers/gpu/drm/drm_lease.c (bnc#1197914).
  o CVE-2022-1011: Fixed a use-after-free flaw inside the FUSE filesystem in
    the way a user triggers write(). This flaw allowed a local user to gain
    unauthorized access to data from the FUSE filesystem, resulting in
    privilege escalation (bnc#1197343).
  o CVE-2021-43389: Fixed an array-index-out-of-bounds flaw in the
    detach_capi_ctr function in drivers/isdn/capi/kcapi.c (bnc#1191958).
  o CVE-2021-38208: Fixed a denial of service (NULL pointer dereference and
    BUG) by making a getsockname call after a certain type of failure of a bind
    call (bnc#1187055).
  o CVE-2021-20321: Fixed a race condition accessing a file object in the
    OverlayFS subsystem in the way users do a rename in a specific way with
    OverlayFS. A local user could have used this flaw to crash the system (bnc#
  o CVE-2021-20292: Fixed object validation prior to performing operations on
    the object in nouveau_sgdma_create_ttm in Nouveau DRM subsystem (bnc#
  o CVE-2019-20811: Fixed issue in rx_queue_add_kobject() and
    netdev_queue_add_kobject() in net/core/net-sysfs.c, where a reference count
    is mishandled (bnc#1172456).
  o CVE-2018-7755: Fixed an issue in the fd_locked_ioctl function in drivers/
    block/floppy.c. The floppy driver will copy a kernel pointer to user memory
    in response to the FDGETPRM ioctl. An attacker can send the FDGETPRM ioctl
    and use the obtained kernel pointer to discover the location of kernel code
    and data and bypass kernel security protections such as KASLR (bnc#

The following non-security bugs were fixed:

  o IB/qib: Fix memory leak in qib_user_sdma_queue_pkts() (git-fixes)
  o NFSD: prevent underflow in nfssvc_decode_writeargs() (git-fixes).
  o NFSv4: Do not try to CLOSE if the stateid 'other' field has changed (bsc#
  o NFSv4: Fix a regression in nfs_set_open_stateid_locked() (bsc#1196247).
  o NFSv4: Handle NFS4ERR_OLD_STATEID in CLOSE/OPEN_DOWNGRADE (bsc#1196247).
  o NFSv4: Wait for stateid updates after CLOSE/OPEN_DOWNGRADE (bsc#1196247).
  o NFSv4: fix open failure with O_ACCMODE flag (git-fixes).
  o NFSv4: recover from pre-mature loss of openstateid (bsc#1196247).
  o PCI/switchtec: Read all 64 bits of part_event_bitmap (git-fixes).
  o PCI: Add device even if driver attach failed (git-fixes).
  o PCI: Do not enable AtomicOps on VFs (bsc#1129770)
  o PCI: Fix overflow in command-line resource alignment requests (git-fixes).
  o PCI: iproc: Fix out-of-bound array accesses (git-fixes).
  o PCI: iproc: Set affinity mask on MSI interrupts (git-fixes).
  o PCI: qcom: Change duplicate PCI reset to phy reset (git-fixes).
  o PCI: qcom: Make sure PCIe is reset before init for rev 2.1.0 (git-fixes).
  o RDMA/rxe: Missing unlock on error in get_srq_wqe() (git-fixes)
  o RDMA/rxe: Restore setting tot_len in the IPv4 header (git-fixes)
  o RDMA/rxe: Use the correct size of wqe when processing SRQ (git-fixes)
  o SUNRPC: Handle low memory situations in call_status() (git-fixes).
  o USB: Fix "slab-out-of-bounds Write" bug in usb_hcd_poll_rh_status
  o USB: core: Fix bug in resuming hub's handling of wakeup requests
  o USB: serial: cp210x: add NCR Retail IO box id (git-fixes).
  o USB: serial: pl2303: add IBM device IDs (git-fixes).
  o USB: serial: simple: add Nokia phone driver (git-fixes).
  o USB: usb-storage: Fix use of bitfields for hardware data in ene_ub6250.c
  o arm64/iommu: handle non-remapped addresses in ->mmap and (git-fixes)
  o arm64/mm: Inhibit huge-vmap with ptdump (git-fixes).
  o arm64: Clear OSDLR_EL1 on CPU boot (git-fixes)
  o arm64: Fix HCR.TGE status for NMI contexts (git-fixes)
  o arm64: Fix size of __early_cpu_boot_status (git-fixes)
  o arm64: Relax GIC version check during early boot (git-fixes)
  o arm64: Save and restore OSDLR_EL1 across suspend/resume (git-fixes)
  o arm64: cmpxchg: Use "K" instead of "L" for ll/sc immediate constraint
  o arm64: compat: Allow single-byte watchpoints on all addresses (git-fixes)
  o arm64: compat: Provide definition for COMPAT_SIGMINSTKSZ (git-fixes)
  o arm64: compat: Reduce address limit (git-fixes)
  o arm64: cpufeature: Fix feature comparison for CTR_EL0.{CWG,ERG} (git-fixes)
  o arm64: debug: Don't propagate UNKNOWN FAR into si_code for debug
  o arm64: debug: Ensure debug handlers check triggering exception level
  o arm64: drop linker script hack to hide __efistub_ symbols (git-fixes)
  o arm64: dts: marvell: Fix A37xx UART0 register size (git-fixes)
  o arm64: entry: SP Alignment Fault doesn't write to FAR_EL1 (git-fixes)
  o arm64: fix for bad_mode() handler to always result in panic (git-fixes)
  o arm64: futex: Avoid copying out uninitialised stack in failed (git-fixes)
  o arm64: futex: Bound number of LDXR/STXR loops in FUTEX_WAKE_OP (git-fixes)
  o arm64: futex: Fix FUTEX_WAKE_OP atomic ops with non-zero result value
  o arm64: hibernate: Clean the __hyp_text to PoC after resume (git-fixes)
  o arm64: hyp-stub: Forbid kprobing of the hyp-stub (git-fixes)
  o arm64: kaslr: ensure randomized quantities are clean also when kaslr
  o arm64: kaslr: ensure randomized quantities are clean to the PoC (git-fixes)
  o arm64: kprobe: Always blacklist the KVM world-switch code (git-fixes)
  o arm64: kprobes: Recover pstate.D in single-step exception handler
  o arm64: only advance singlestep for user instruction traps (git-fixes)
  o arm64: relocatable: fix inconsistencies in linker script and options
  o arm: 9110/1: oabi-compat: fix oabi epoll sparse warning (bsc#1129770)
  o ath10k: fix max antenna gain unit (git-fixes).
  o ath6kl: fix control-message timeout (git-fixes).
  o ath6kl: fix division by zero in send path (git-fixes).
  o ath9k: Fix potential interrupt storm on queue reset (git-fixes).
  o b43: fix a lower bounds test (git-fixes).
  o b43legacy: fix a lower bounds test (git-fixes).
  o backlight: pwm_bl: Improve bootloader/kernel device handover (bsc#1129770)
  o bnx2x: fix napi API usage sequence (bsc#1198217).
  o bonding: pair enable_port with slave_arr_updates (git-fixes).
  o can: gs_usb: fix use of uninitialized variable, detach device on reception
    of invalid USB data (git-fixes).
  o char/mwave: Adjust io port register size (git-fixes).
  o cifs: do not skip link targets when an I/O fails (bsc#1194625).
  o crypto: arm64/aes-ce-cipher - move assembler code to .S file (git-fixes)
  o crypto: arm64/aes-neonbs - don't access already-freed walk.iv (git-fixes)
  o drivers: net: xgene: Fix regression in CRC stripping
  o drm/fb-helper: Mark screen buffers in system memory with (bsc#1129770)
  o fbmem: do not allow too huge resolutions (bsc#1129770)
  o fix parallelism for rpc tasks (bsc#1197663).
  o fs/nfs: Use fatal_signal_pending instead of signal_pending (git-fixes).
  o fsl/fman: Check for null pointer after calling devm_ioremap (git-fixes).
  o hwrng: atmel - disable trng on failure path (git-fixes).
  o hwrng: cavium - HW_RANDOM_CAVIUM should depend on ARCH_THUNDER (git-fixes).
  o i40e: Fix incorrect netdev's real number of RX/TX queues (git-fixes).
  o i40e: add correct exception tracing for XDP (git-fixes).
  o i40e: optimize for XDP_REDIRECT in xsk path (git-fixes).
  o ieee802154: atusb: fix uninit value in atusb_set_extended_addr (git-fixes).
  o io-64-nonatomic: add io{read|write}64{_lo_hi|_hi_lo} macros (git-fixes).
  o libertas: Fix possible memory leak in probe and disconnect (git-fixes).
  o libertas_tf: Fix possible memory leak in probe and disconnect (git-fixes).
  o livepatch: Do not block removal of patches that are safe to unload (bsc#
  o lpfc: Revert driver update to (bsc#1198989)
  o mac80211: mesh: fix potentially unaligned access (git-fixes).
  o media: dvb-usb: fix uninit-value in dvb_usb_adapter_dvb_init (git-fixes).
  o media: dvb-usb: fix uninit-value in vp702x_read_mac_addr (git-fixes).
  o media: dvb-usb: fix ununit-value in az6027_rc_query (git-fixes).
  o media: em28xx: fix memory leak in em28xx_init_dev (git-fixes).
  o media: lmedm04: Fix misuse of comma (git-fixes).
  o media: rc-loopback: return number of emitters rather than error
  o media: stkwebcam: fix memory leak in stk_camera_probe (git-fixes).
  o media: uvc: do not do DMA on stack (git-fixes).
  o media: v4l2-ioctl: S_CTRL output the right value (git-fixes).
  o media: videobuf2-core: dequeue if start_streaming fails (git-fixes).
  o mt7601u: fix rx buffer refcounting (git-fixes).
  o mwifiex: Read a PCI register after writing the TX ring write pointer
  o mwifiex: Send DELBA requests according to spec (git-fixes).
  o mxser: fix xmit_buf leak in activate when LSR == 0xff (git-fixes).
  o net/mlx5e: Reduce tc unsupported key print level (git-fixes).
  o net: bcmgenet: Don't claim WOL when its not available
  o net: davinci_emac: Fix incorrect masking of tx and rx error channel
  o net: ethernet: mtk_eth_soc: fix return values and refactor MDIO ops
  o net: mana: Add counter for XDP_TX (bsc#1195651).
  o net: mana: Add counter for packet dropped by XDP (bsc#1195651).
  o net: mana: Add handling of CQE_RX_TRUNCATED (bsc#1195651).
  o net: mana: Remove unnecessary check of cqe_type in mana_process_rx_cqe()
  o net: mana: Reuse XDP dropped page (bsc#1195651).
  o net: mana: Use struct_size() helper in mana_gd_create_dma_region() (bsc#
  o net: qlogic: check the return value of dma_alloc_coherent()
  o net: rtlwifi: properly check for alloc_workqueue() failure (git-fixes).
  o net: stmicro: handle clk_prepare() failure during init (git-fixes).
  o net:emac/emac-mac: Fix a use after free in emac_mac_tx_buf_send
  o parisc/sticon: fix reverse colors (bsc#1129770)
  o powerpc/perf: Fix power9 event alternatives (bsc#1137728, LTC#178106,
  o ppp: ensure minimum packet size in ppp_write() (git-fixes).
  o ptrace: Check PTRACE_O_SUSPEND_SECCOMP permission on PTRACE_SEIZE (bsc#
  o qed: display VF trust config (git-fixes).
  o qed: return status of qed_iov_get_link (git-fixes).
  o qed: validate and restrict untrusted VFs vlan promisc mode
  o random: check for signal_pending() outside of need_resched() check
  o random: fix data race on crng_node_pool (git-fixes).
  o rtl8187: fix control-message timeouts (git-fixes).
  o scsi: libsas: Fix sas_ata_qc_issue() handling of NCQ NON DATA commands
  o scsi: scsi_dh_alua: Avoid crash during alua_bus_detach() (bsc#1028340 bsc#
  o tcp: Fix potential use-after-free due to double kfree() (bsc#1197075).
  o tcp: fix race condition when creating child sockets from syncookies (bsc#
  o usb: hub: Fix usb enumeration issue due to address0 race (git-fixes).
  o usb: typec: tcpm: Wait in SNK_DEBOUNCED until disconnect (git-fixes).
  o usb: ulpi: Call of_node_put correctly (git-fixes).
  o usb: ulpi: Move of_node_put to ulpi_dev_release (git-fixes).
  o veth: Ensure eth header is in skb's linear part (git-fixes).
  o video: backlight: Drop maximum brightness override for brightness (bsc#
  o video: fbdev: atari: Atari 2 bpp (STe) palette bugfix (bsc#1129770)
  o video: fbdev: atmel_lcdfb: fix an error code in atmel_lcdfb_probe() (bsc#
  o video: fbdev: chipsfb: use memset_io() instead of memset() (bsc#1129770)
  o video: fbdev: fbcvt.c: fix printing in fb_cvt_print_name() (bsc#1129770)
  o video: fbdev: omapfb: Add missing of_node_put() in dvic_probe_of (bsc#
  o video: fbdev: sm712fb: Fix crash in smtcfb_read() (bsc#1129770)
  o video: fbdev: smscufx: Fix null-ptr-deref in ufx_usb_probe() (bsc#1129770)
  o video: fbdev: udlfb: properly check endpoint type (bsc#1129770)
  o video: hyperv_fb: Fix validation of screen resolution (bsc#1129770)
  o wcn36xx: Fix HT40 capability for 2Ghz band (git-fixes).
  o wcn36xx: add proper DMA memory barriers in rx path (git-fixes).
  o x86/pm: Save the MSR validity status at context setup (bsc#1114648).
  o x86/sev: Unroll string mmio with CC_ATTR_GUEST_UNROLL_STRING_IO
  o x86/speculation: Restore speculation related MSRs during S3 resume (bsc#
  o xen/blkfront: fix comment for need_copy (git-fixes).
  o xen: detect uninitialized xenbus in xenbus_init (git-fixes).
  o xen: do not continue xenstore initialization in case of errors (git-fixes).
  o xen: fix is_xen_pmu() (git-fixes).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  o SUSE Linux Enterprise Real Time Extension 12-SP5:
    zypper in -t patch SUSE-SLE-RT-12-SP5-2022-1668=1

Package List:

  o SUSE Linux Enterprise Real Time Extension 12-SP5 (noarch):
  o SUSE Linux Enterprise Real Time Extension 12-SP5 (x86_64):


References:

  o https://www.suse.com/security/cve/CVE-2018-7755.html
  o https://www.suse.com/security/cve/CVE-2019-20811.html
  o https://www.suse.com/security/cve/CVE-2021-20292.html
  o https://www.suse.com/security/cve/CVE-2021-20321.html
  o https://www.suse.com/security/cve/CVE-2021-38208.html
  o https://www.suse.com/security/cve/CVE-2021-43389.html
  o https://www.suse.com/security/cve/CVE-2022-1011.html
  o https://www.suse.com/security/cve/CVE-2022-1280.html
  o https://www.suse.com/security/cve/CVE-2022-1353.html
  o https://www.suse.com/security/cve/CVE-2022-1419.html
  o https://www.suse.com/security/cve/CVE-2022-1516.html
  o https://www.suse.com/security/cve/CVE-2022-28356.html
  o https://www.suse.com/security/cve/CVE-2022-28748.html
  o https://bugzilla.suse.com/1028340
  o https://bugzilla.suse.com/1071995
  o https://bugzilla.suse.com/1084513
  o https://bugzilla.suse.com/1114648
  o https://bugzilla.suse.com/1121726
  o https://bugzilla.suse.com/1129770
  o https://bugzilla.suse.com/1137728
  o https://bugzilla.suse.com/1172456
  o https://bugzilla.suse.com/1183723
  o https://bugzilla.suse.com/1187055
  o https://bugzilla.suse.com/1191647
  o https://bugzilla.suse.com/1191958
  o https://bugzilla.suse.com/1194625
  o https://bugzilla.suse.com/1195651
  o https://bugzilla.suse.com/1196018
  o https://bugzilla.suse.com/1196247
  o https://bugzilla.suse.com/1197075
  o https://bugzilla.suse.com/1197343
  o https://bugzilla.suse.com/1197391
  o https://bugzilla.suse.com/1197663
  o https://bugzilla.suse.com/1197888
  o https://bugzilla.suse.com/1197914
  o https://bugzilla.suse.com/1198217
  o https://bugzilla.suse.com/1198413
  o https://bugzilla.suse.com/1198516
  o https://bugzilla.suse.com/1198687
  o https://bugzilla.suse.com/1198742
  o https://bugzilla.suse.com/1198825
  o https://bugzilla.suse.com/1198989
  o https://bugzilla.suse.com/1199012

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.