- aaa_base
-
- Add patch git-47-04210f8df15da0ba4d741cfe1693af06f5978a1d.patch
* respect /etc/update-alternatives/java when setting JAVA_HOME
(bsc#1215434,bsc#1107342)
- containerd
-
- Update to containerd v1.7.7. Upstream release notes:
<https://github.com/containerd/containerd/releases/tag/v1.7.7>
- Add patch to fix build on SLE-12:
+ 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch
- Update to containerd v1.7.6 for Docker v24.0.6-ce. Upstream release notes:
<https://github.com/containerd/containerd/releases/tag/v1.7.6> bsc#1215323
- Add `Provides: cri-runtime` to use containerd as container runtime in Factory
Kubernetes packages
- glibc
-
- dl-map-segment-align-munmap.patch: elf: Align argument of __munmap to
page size (bsc#1215891, BZ #28676)
- gai-merge-continue-actions.patch: Simplify allocations and fix merge and
continue actions (CVE-2023-4813, bsc#1215286, BZ #28931)
- grub2
-
- Fix CVE-2023-4692 (bsc#1215935)
- Fix CVE-2023-4693 (bsc#1215936)
* 0001-fs-ntfs-Fix-an-OOB-write-when-parsing-the-ATTRIBUTE_.patch
* 0002-fs-ntfs-Fix-an-OOB-read-when-reading-data-from-the-r.patch
* 0003-fs-ntfs-Fix-an-OOB-read-when-parsing-directory-entri.patch
* 0004-fs-ntfs-Fix-an-OOB-read-when-parsing-bitmaps-for-ind.patch
* 0005-fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-label.patch
* 0006-fs-ntfs-Make-code-more-readable.patch
- Bump upstream SBAT generation to 4
- Fix a boot delay regression in PowerPC PXE boot (bsc#1201300)
* 0001-ieee1275-ofdisk-retry-on-open-and-read-failure.patch
- kernel-default
-
- fix x86/mm: print the encryption features in hyperv is disabled
- commit 37d6855
- iio: exynos-adc: request second interupt only when touchscreen
mode is used (git-fixes).
- iio: adc: xilinx-xadc: Correct temperature offset/scale for
UltraScale (git-fixes).
- iio: adc: xilinx-xadc: Don't clobber preset voltage/temperature
thresholds (git-fixes).
- misc: fastrpc: Clean buffers on remote invocation failures
(git-fixes).
- i2c: stm32f7: Fix PEC handling in case of SMBUS transfers
(git-fixes).
- i2c: muxes: i2c-mux-gpmux: Use of_get_i2c_adapter_by_node()
(git-fixes).
- i2c: muxes: i2c-demux-pinctrl: Use of_get_i2c_adapter_by_node()
(git-fixes).
- i2c: muxes: i2c-mux-pinctrl: Use of_get_i2c_adapter_by_node()
(git-fixes).
- i2c: aspeed: Fix i2c bus hang in slave read (git-fixes).
- drm/i915/pmu: Check if pmu is closed before stopping event
(git-fixes).
- firmware/imx-dsp: Fix use_after_free in imx_dsp_setup_channels()
(git-fixes).
- r8152: Release firmware if we have an error in probe
(git-fixes).
- r8152: Cancel hw_phy_work if we have an error in probe
(git-fixes).
- r8152: Run the unload routine if we have errors during probe
(git-fixes).
- r8152: Increase USB control msg timeout to 5000ms as per spec
(git-fixes).
- net: usb: smsc95xx: Fix uninit-value access in smsc95xx_read_reg
(git-fixes).
- net: ieee802154: adf7242: Fix some potential buffer overflow
in adf7242_stats_show() (git-fixes).
- treewide: Spelling fix in comment (git-fixes).
- commit e69ab42
- netfilter: nf_tables: skip bound chain on rule flush
(bsc#1215095 CVE-2023-3777).
- commit afb7c25
- Update
patches.suse/0001-x86-sev-Disable-MMIO-emulation-from-user-mode.patch
(bsc#1212649 CVE-2023-46813).
- Update
patches.suse/0002-x86-sev-Check-IOBM-for-IOIO-exceptions-from-user-spa.patch
(bsc#1212649 CVE-2023-46813).
- Update
patches.suse/0003-x86-sev-Check-for-user-space-IOIO-pointing-to-kernel.patch
(bsc#1212649 CVE-2023-46813).
- commit dd6a315
- remove unnecessary WARN_ON_ONCE() (bsc#1214823).
- NFSD: Never call nfsd_file_gc() in foreground paths
(bsc#1215545).
- commit d81dfc3
- btrfs: don't start transaction for scrub if the fs is mounted read-only (bsc#1214874).
- commit cc8e6f1
- quota: Fix slow quotaoff (bsc#1216621).
- commit 988e5f4
- x86/sev: Check for user-space IOIO pointing to kernel space
(bsc#1212649).
- commit 816f817
- x86/sev: Check IOBM for IOIO exceptions from user-space
(bsc#1212649).
- commit 2b69036
- x86/sev: Disable MMIO emulation from user mode (bsc#1212649).
- commit 5dae47e
- ALSA: hda/realtek - Fixed ASUS platform headset Mic issue
(git-fixes).
- ALSA: hda/realtek: Add quirk for ASUS ROG GU603ZV (git-fixes).
- ALSA: hda/relatek: Enable Mute LED on HP Laptop 15s-fq5xxx
(git-fixes).
- drm/mediatek: Correctly free sg_table in gem prime vmap
(git-fixes).
- drm/amd/pm: add unique_id for gc 11.0.3 (git-fixes).
- commit ad38bcf
- phy: mapphone-mdm6600: Fix pinctrl_pm handling for sleep pins
(git-fixes).
- phy: mapphone-mdm6600: Fix runtime PM for remove (git-fixes).
- phy: mapphone-mdm6600: Fix runtime disable on probe (git-fixes).
- gpio: vf610: set value before the direction to avoid a glitch
(git-fixes).
- platform/surface: platform_profile: Propagate error if profile
registration fails (git-fixes).
- platform/x86: asus-wmi: Map 0x2a code, Ignore 0x2b and 0x2c
events (git-fixes).
- platform/x86: asus-wmi: Change ASUS_WMI_BRN_DOWN code from
0x20 to 0x2e (git-fixes).
- USB: serial: option: add Fibocom to DELL custom modem FM101R-GL
(git-fixes).
- USB: serial: option: add entry for Sierra EM9191 with new
firmware (git-fixes).
- USB: serial: option: add Telit LE910C4-WWX 0x1035 composition
(git-fixes).
- mmc: core: Capture correct oemid-bits for eMMC cards
(git-fixes).
- Bluetooth: hci_sock: Correctly bounds check and pad
HCI_MON_NEW_INDEX name (git-fixes).
- Bluetooth: avoid memcmp() out of bounds warning (git-fixes).
- Bluetooth: hci_sock: fix slab oob read in create_monitor_event
(git-fixes).
- Bluetooth: hci_event: Fix coding style (git-fixes).
- Bluetooth: Reject connection with the device which has same
BD_ADDR (git-fixes).
- Bluetooth: vhci: Fix race when opening vhci device (git-fixes).
- platform/x86: touchscreen_dmi: Add info for the Positivo C4128B
(git-fixes).
- drm: panel-orientation-quirks: Add quirk for One Mix 2S
(git-fixes).
- HID: multitouch: Add required quirk for Synaptics 0xcd7e device
(git-fixes).
- HID: holtek: fix slab-out-of-bounds Write in
holtek_kbd_input_event (git-fixes).
- wifi: cfg80211: avoid leaking stack data into trace (git-fixes).
- wifi: mac80211: allow transmitting EAPOL frames with tainted
key (git-fixes).
- wifi: cfg80211: Fix 6GHz scan configuration (git-fixes).
- wifi: iwlwifi: Ensure ack flag is properly cleared (git-fixes).
- wifi: mwifiex: Sanity check tlv_len and tlv_bitmap_len
(git-fixes).
- Bluetooth: Avoid redundant authentication (git-fixes).
- Bluetooth: btusb: add shutdown function for QCA6174 (git-fixes).
- i2c: mux: Avoid potential false error message in
i2c_mux_add_adapter (git-fixes).
- gpio: timberdale: Fix potential deadlock on &tgpio->lock
(git-fixes).
- commit b480af6
- x86/mm: Print the encryption features correctly when a paravisor
is present (bsc#1206453).
- commit d1a6274
- scsi: iscsi_tcp: restrict to TCP sockets (git-fixes).
- scsi: pm8001: Setup IRQs on resume (git-fixes).
- scsi: mpt3sas: Perform additional retries if doorbell read
returns 0 (git-fixes).
- scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock
(git-fixes).
- scsi: qedf: Do not touch __user pointer in
qedf_dbg_fp_int_cmd_read() directly (git-fixes).
- scsi: qedf: Do not touch __user pointer in
qedf_dbg_debug_cmd_read() directly (git-fixes).
- scsi: qedf: Do not touch __user pointer in
qedf_dbg_stop_io_on_error_cmd_read() directly (git-fixes).
- scsi: qla4xxx: Add length check when parsing nlattrs
(git-fixes).
- scsi: be2iscsi: Add length check when parsing nlattrs
(git-fixes).
- scsi: iscsi: Add strlen() check in iscsi_if_set{_host}_param()
(git-fixes).
- scsi: iscsi: Add length check for nlattr payload (git-fixes).
- scsi: qedi: Fix potential deadlock on &qedi_percpu->p_work_lock
(git-fixes).
- scsi: mpi3mr: Propagate sense data for admin queue SCSI I/O
(git-fixes).
- net: use sk_is_tcp() in more places (git-fixes).
- commit 24cbf21
- blacklist.conf: added two commmits that break kabi
- commit fdf2030
- nvme-fc: Prevent null pointer dereference in
nvme_fc_io_getuuid() (bsc#1214842).
- commit 3b513db
- ubi: Refuse attaching if mtd's erasesize is 0 (CVE-2023-31085
bsc#1210778).
- commit 86e05f1
- Update
patches.suse/USB-ene_usb6250-Allocate-enough-memory-for-full-obje.patch
(bsc#1216051 CVE-2023-45862).
Retroactively recognized as a security issue
- commit 716929e
- KVM: s390: fix gisa destroy operation might lead to cpu stalls
(git-fixes bsc#1216512).
- commit 3976fa9
- s390/pci: fix iommu bitmap allocation (git-fixes bsc#1216511).
- commit 2bb6835
- s390/cio: fix a memleak in css_alloc_subchannel (git-fixes
bsc#1216510).
- commit d475feb
- ACPI: irq: Fix incorrect return value in acpi_register_gsi()
(git-fixes).
- Revert "pinctrl: avoid unsafe code pattern in find_pinctrl()"
(git-fixes).
- mtd: rawnand: qcom: Unmap the right resource upon probe failure
(git-fixes).
- mtd: rawnand: pl353: Ensure program page operations are
successful (git-fixes).
- mtd: rawnand: arasan: Ensure program page operations are
successful (git-fixes).
- mtd: spinand: micron: correct bitmask for ecc status
(git-fixes).
- mtd: physmap-core: Restore map_rom fallback (git-fixes).
- mtd: rawnand: marvell: Ensure program page operations are
successful (git-fixes).
- mmc: mtk-sd: Use readl_poll_timeout_atomic in msdc_reset_hw
(git-fixes).
- mmc: core: sdio: hold retuning if sdio in 1-bit mode
(git-fixes).
- ASoC: codecs: wcd938x-sdw: fix runtime PM imbalance on probe
errors (git-fixes).
- ASoC: codecs: wcd938x-sdw: fix use after free on driver unbind
(git-fixes).
- ASoC: codecs: wcd938x: fix unbind tear down order (git-fixes).
- ASoC: codecs: wcd938x: drop bogus bind error handling
(git-fixes).
- ASoC: pxa: fix a memory leak in probe() (git-fixes).
- drm/i915: Retry gtt fault when out of fence registers
(git-fixes).
- commit 766bf5d
- bonding: Return pointer to data after pull on skb (bsc#1214754).
- commit fbbe7cc
- bonding: do not assume skb mac_header is set (bsc#1214754).
- commit 88b9ad7
- bonding: Fix extraction of ports from the packet headers
(bsc#1214754).
- commit b871478
- net/sched: fix netdevice reference leaks in
attach_default_qdiscs() (git-fixes).
- commit 31c27cf
- net: sched: add barrier to fix packet stuck problem for lockless
qdisc (bsc#1216345).
- commit 508758e
- net: sched: fixed barrier to prevent skbuff sticking in qdisc
backlog (bsc#1216345).
- commit 839637c
- Fix metadata references
- commit 42e4c9a
- usb: hub: Guard against accesses to uninitialized BOS
descriptors (git-fixes).
- drm/atomic-helper: relax unregistered connector check
(git-fixes).
- ALSA: usb-audio: Fix microphone sound on Nexigo webcam
(git-fixes).
- ALSA: hda/realtek - ALC287 merge RTK codec with CS CS35L41 AMP
(git-fixes).
- ALSA: hda/realtek - Fixed two speaker platform (git-fixes).
- ALSA: hda/realtek - ALC287 I2S speaker platform support
(git-fixes).
- ALSA: hda: intel-dsp-cfg: add LunarLake support (git-fixes).
- xhci: Keep interrupt disabled in initialization until host is
running (git-fixes).
- commit ebb1cf8
- net: rfkill: gpio: prevent value glitch during probe
(git-fixes).
- net: usb: smsc95xx: Fix an error code in smsc95xx_reset()
(git-fixes).
- gve: Do not fully free QPL pages on prefill errors (git-fixes).
- Bluetooth: hci_event: Fix using memcmp when comparing keys
(git-fixes).
- Bluetooth: Fix a refcnt underflow problem for hci_conn
(git-fixes).
- Bluetooth: hci_event: Ignore NULL link key (git-fixes).
- nfc: nci: fix possible NULL pointer dereference in
send_acknowledge() (git-fixes).
- thunderbolt: Check that lane 1 is in CL0 before enabling lane
bonding (git-fixes).
- thunderbolt: Workaround an IOMMU fault on certain systems with
Intel Maple Ridge (git-fixes).
- Input: powermate - fix use-after-free in
powermate_config_complete (git-fixes).
- Input: xpad - add PXN V900 support (git-fixes).
- Input: goodix - ensure int GPIO is in input for gpio_count ==
1 && gpio_int_idx == 0 case (git-fixes).
- ACPI: resource: Skip IRQ override on ASUS ExpertBook B1402CBA
(git-fixes).
- drm/amdgpu: add missing NULL check (git-fixes).
- drm/amd/display: Don't set dpms_off for seamless boot
(git-fixes).
- pinctrl: avoid unsafe code pattern in find_pinctrl()
(git-fixes).
- HID: logitech-hidpp: Fix kernel crash on receiver USB disconnect
(git-fixes).
- ALSA: usb-audio: Fix microphone sound on Opencomm2 Headset
(git-fixes).
- commit e8f9edc
- Refresh
patches.suse/NFS-Fix-error-handling-for-O_DIRECT-write-scheduling.patch.
This patch was backported badly and caused data corruption with O_DIRECT
writes to NFS.
- commit d71869e
- intel x86 platform vsec kABI workaround (bsc#1216202).
- commit 2251c9f
- sched/rt: Fix live lock between select_fallback_rq() and RT push
(git fixes (sched)).
- sched/rt: Fix sysctl_sched_rr_timeslice intial value (git fixes
(sched)).
- commit a2350c1
- blacklist.conf: Applies only to RCU tiny configurations
- commit 1d1726b
- blacklist.conf: Cosmetic change for !SMP configurations
- commit c9d6cc0
- blacklist.conf: KABI hazard, only backport in response to a customer bug to justify the complexity
- commit 96bc817
- sched/deadline,rt: Remove unused parameter from
pick_next_[rt|dl]_entity() (git fixes (sched)).
- Refresh
patches.suse/sched-rt-pick_next_rt_entity-check-list_entry.patch.
- commit d7f894e
- thunderbolt: Restart XDomain discovery handshake after failure
(git-fixes).
- ASoC: amd: yc: Fix non-functional mic on Lenovo 82YM
(git-fixes).
- commit 82c941d
- regmap: fix NULL deref on lookup (git-fixes).
- usb: typec: altmodes/displayport: Signal hpd low when exiting
mode (git-fixes).
- usb: xhci: xhci-ring: Use sysdev for mapping bounce buffer
(git-fixes).
- usb: gadget: udc-xilinx: replace memcpy with memcpy_toio
(git-fixes).
- usb: dwc3: Soft reset phy on probe for host (git-fixes).
- usb: gadget: ncm: Handle decoding of multiple NTB's in unwrap
call (git-fixes).
- usb: musb: Get the musb_qh poniter after musb_giveback
(git-fixes).
- usb: musb: Modify the "HWVers" register address (git-fixes).
- usb: cdnsp: Fixes issue with dequeuing not queued requests
(git-fixes).
- iio: pressure: ms5611: ms5611_prom_is_valid false negative bug
(git-fixes).
- iio: pressure: dps310: Adjust Timeout Settings (git-fixes).
- iio: pressure: bmp280: Fix NULL pointer exception (git-fixes).
- counter: microchip-tcb-capture: Fix the use of internal GCLK
logic (git-fixes).
- Input: psmouse - fix fast_reconnect function for PS/2 mode
(git-fixes).
- dmaengine: stm32-mdma: abort resume if no ongoing transfer
(git-fixes).
- dmaengine: mediatek: Fix deadlock caused by synchronize_irq()
(git-fixes).
- dmaengine: idxd: use spin_lock_irqsave before
wait_event_lock_irq (git-fixes).
- drm/msm/dpu: change _dpu_plane_calc_bw() to use u64 to avoid
overflow (git-fixes).
- drm/msm/dsi: fix irq_of_parse_and_map() error checking
(git-fixes).
- drm/msm/dsi: skip the wait for video mode done if not applicable
(git-fixes).
- drm/msm/dp: do not reinitialize phy unless retry during link
training (git-fixes).
- drm/vmwgfx: fix typo of sizeof argument (git-fixes).
- nfc: nci: assert requested protocol is valid (git-fixes).
- ieee802154: ca8210: Fix a potential UAF in ca8210_probe
(git-fixes).
- pinctrl: renesas: rzn1: Enable missing PINMUX (git-fixes).
- ALSA: hda/realtek: Change model for Intel RVP board (git-fixes).
- commit 7f63276
- platform/x86/intel/vsec: Rework early hardware code
(bsc#1216202).
- Refresh
patches.suse/platform-x86-intel-pmt-Sapphire-Rapids-PMT-errata-fi.patch.
- Refresh
patches.suse/platform-x86-intel-vsec-Add-support-for-Raptor-Lake.patch.
- commit d4b2cf1
- platform/x86/intel: Fix pmt_crashlog array reference
(bsc#1216202).
- commit 21107ae
- platform/x86/intel: Fix 'rmmod pmt_telemetry' panic
(bsc#1216202).
- commit 86f380b
- platform/x86/intel/pmt: telemetry: Fix fixed region handling
(bsc#1216202).
- commit 540aa4c
- netfilter: nf_tables: unbind non-anonymous set if rule
construction fails (git-fixes).
- commit b7f718b
- KVM: SVM: Don't kill SEV guest if SMAP erratum triggers in
usermode (git-fixes).
- commit 5316d19
- KVM: x86/mmu: Reconstruct shadow page root if the guest PDPTEs
is changed (git-fixes).
- commit 1d58a92
- vringh: don't use vringh_kiov_advance() in vringh_iov_xfer()
(git-fixes).
- commit d4a31a2
- 9p: virtio: make sure 'offs' is initialized in zc_request
(git-fixes).
- commit 66e7266
- Update config files: unset CONFIG_DEBUG_FORCE_FUNCTION_ALIGN_64B
for Arm
Configuration option CONFIG_DEBUG_FORCE_FUNCTION_ALIGN_64B=y is used
only in the armv7hl + arm64 configurations and appears to be a relic
from the update procedure in commit 98da1c5f42d ("SLE15-SP4: Update the
base kernel version to 5.14.").
Unset it because the option is intended for debugging, not really useful
for production and makes the text size of vmlinux unnecessarily bigger
by ~10%
- commit 4229357
- xen-netback: use default TX queue size for vifs (git-fixes).
- commit 84805af
- usb: typec: ucsi: Clear EVENT_PENDING bit if ucsi_send_command
fails (git-fixes).
- commit a60f061
- netfilter: nf_tables: skip immediate deactivate in
_PREPARE_ERROR (CVE-2023-39193 bsc#1215860).
- commit 6c937af
- kabi: workaround for enum nft_trans_phase (bsc#1215104).
- commit 0a3d3d4
- netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with
bound set/chain (git-fixes).
- commit 2e62a61
- Update metadata
- commit e780ccd
- KVM: SVM: INTERCEPT_RDTSCP is never intercepted anyway
(git-fixes).
- commit e1b3911
- ceph: remove unnecessary check for NULL in parse_longname()
(bsc#1216333).
- commit 832393c
- ceph: fix type promotion bug on 32bit systems (bsc#1216324).
- libceph: use kernel_connect() (bsc#1216323).
- ceph: fix incorrect revoked caps assert in ceph_fill_file_size()
(bsc#1216322).
- commit b0e62f5
- net: usb: dm9601: fix uninitialized variable use in
dm9601_mdio_read (git-fixes).
- commit 236df4a
- crypto: qat - fix crypto capability detection for 4xxx
(PED-6401).
- crypto: qat - Remove unused function declarations (PED-6401).
- crypto: qat - use kfree_sensitive instead of memset/kfree()
(PED-6401).
- crypto: qat - replace the if statement with min() (PED-6401).
- crypto: qat - add heartbeat counters check (PED-6401).
- crypto: qat - add heartbeat feature (PED-6401).
- crypto: qat - add measure clock frequency (PED-6401).
- crypto: qat - drop obsolete heartbeat interface (PED-6401).
- crypto: qat - add internal timer for qat 4xxx (PED-6401).
- crypto: qat - add fw_counters debugfs file (PED-6401).
- crypto: qat - change value of default idle filter (PED-6401).
- crypto: qat - do not export adf_init_admin_pm() (PED-6401).
- crypto: qat - expose pm_idle_enabled through sysfs (PED-6401).
- crypto: qat - extend configuration for 4xxx (PED-6401).
- crypto: qat - refactor fw config logic for 4xxx (PED-6401).
- crypto: qat - make fw images name constant (PED-6401).
- crypto: qat - move returns to default case (PED-6401).
- crypto: qat - unmap buffers before free for RSA (PED-6401).
- crypto: qat - unmap buffer before free for DH (PED-6401).
- crypto: qat - update slice mask for 4xxx devices (PED-6401).
- crypto: qat - set deprecated capabilities as reserved
(PED-6401).
- crypto: qat - add missing function declaration in adf_dbgfs.h
(PED-6401).
- crypto: qat - move dbgfs init to separate file (PED-6401).
- crypto: qat - drop redundant adf_enable_aer() (PED-6401).
- crypto: qat - fix apply custom thread-service mapping for dc
service (PED-6401).
- crypto: qat - add support for 402xx devices (PED-6401).
- crypto: qat - make state machine functions static (PED-6401).
- crypto: qat - refactor device restart logic (PED-6401).
- crypto: qat - replace state machine calls (PED-6401).
- crypto: qat - fix concurrency issue when device state changes
(PED-6401).
- crypto: qat - delay sysfs initialization (PED-6401).
- crypto: qat - Include algapi.h for low-level Crypto API
(PED-6401).
- crypto: qat - drop log level of msg in get_instance_node()
(PED-6401).
- Documentation: qat: change kernel version (PED-6401).
- crypto: qat - add qat_zlib_deflate (PED-6401).
- crypto: qat - extend buffer list logic interface (PED-6401).
- crypto: qat - fix spelling mistakes from 'bufer' to 'buffer'
(PED-6401).
- crypto: qat - remove ADF_STATUS_PF_RUNNING flag from probe
(PED-6401).
- Documentation: qat: rewrite description (PED-6401).
- commit 3c119b1
- cgroup: Remove duplicates in cgroup v1 tasks file (bsc#1211307).
- commit 555c311
- vmbus_testing: fix wrong python syntax for integer value
comparison (git-fixes).
- Drivers: hv: vmbus: Fix vmbus_wait_for_unload() to scan present
CPUs (git-fixes).
- Drivers: hv: vmbus: Call hv_synic_free() if hv_synic_alloc()
fails (git-fixes).
- commit a15e7ae
- platform/x86/intel/pmt: Ignore uninitialized entries
(bsc#1216202).
- commit ad7afc0
- nvmet-tcp: Fix a possible UAF in queue intialization setup
(bsc#1215768 CVE-2023-5178).
- commit b965ee1
- bpf: Fix incorrect verifier pruning due to missing register
precision taints (bsc#1215518 CVE-2023-2163).
- bpf: propagate precision in ALU/ALU64 operations (git-fixes).
- commit 71da1d6
- net: mana: Fix oversized sge0 for GSO packets (bsc#1215986).
- net: mana: Fix TX CQE error handling (bsc#1215986).
- commit 3666b58
- xen/events: replace evtchn_rwlock with RCU (bsc#1215745,
xsa-441, cve-2023-34324).
- commit 291fb99
- io_uring/rw: remove leftover debug statement (git-fixes).
- commit 1a4c93e
- io_uring/rw: ensure kiocb_end_write() is always called
(git-fixes).
- commit 1b4acf4
- iommu/arm-smmu-v3: Fix soft lockup triggered by (bsc#1215921)
- commit 37b98a0
- arm64/smmu: use TLBI ASID when invalidating entire range (bsc#1215921)
- commit a735cdb
- netfilter: nfnetlink_osf: avoid OOB read (bsc#1216046
CVE-2023-39189).
- commit 77dc791
- blacklist.conf: the codebase changed too much to backport the patch
- commit 11474a7
- x86/platform/uv: Use alternate source for socket to node data
(bsc#1215696).
- commit d399ded
- kabi: blkcg_policy_data fix KABI (bsc#1216062).
- commit cf25442
- blk-cgroup: support to track if policy is online (bsc#1216062).
- commit 45c3300
- mm, memcg: reconsider kmem.limit_in_bytes deprecation
(bsc#1208788 bsc#1213705).
- commit bdf774a
- Revert "Delete patches.suse/memcg-drop-kmem-limit_in_bytes.patch."
This reverts commit 52c1db3eb4e2acbdd91aaaefddc26b7207cd4c90.
It'll be fixed differently in a following commit.
Restore the commit with upstream commit already for proper sorting.
- commit 8474b47
- blk-cgroup: Fix NULL deref caused by blkg_policy_data being
installed before init (bsc#1216062).
- commit c2395af
- blacklist.conf: Add 82b90b6c5b38 cgroup:namespace: Remove unused cgroup_namespaces_init()
- commit 6f5ac45
- drm/amd: Fix detection of _PR3 on the PCIe root port
(git-fixes).
- Bluetooth: hci_codec: Fix leaking content of local_codecs
(git-fixes).
- Bluetooth: ISO: Fix handling of listen for unicast (git-fixes).
- drm/i915/gt: Fix reservation address in ggtt_reserve_guc_top
(git-fixes).
- drm/amdkfd: Use gpu_offset for user queue's wptr (git-fixes).
- ALSA: hda: intel-sdw-acpi: Use u8 type for link index
(git-fixes).
- drm/amdkfd: Insert missing TLB flush on GFX10 and later
(git-fixes).
- drm/amdgpu/nbio4.3: set proper rmmio_remap.reg_offset for SR-IOV
(git-fixes).
- drm/amdgpu/soc21: don't remap HDP registers for SR-IOV
(git-fixes).
- drm/amdkfd: Flush TLB after unmapping for GFX v9.4.3
(git-fixes).
- drm/bridge: ti-sn65dsi83: Do not generate HFP/HBP/HSA and EOT
packet (git-fixes).
- commit 81ea9f4
- HID: sony: remove duplicate NULL check before calling
usb_free_urb() (git-fixes).
- commit 7cd0962
- i2c: mux: gpio: Replace custom acpi_get_local_address()
(git-fixes).
- commit ef5fd69
- gpio: aspeed: fix the GPIO number passed to
pinctrl_gpio_set_config() (git-fixes).
- gpio: pxa: disable pinctrl calls for MMP_GPIO (git-fixes).
- platform/x86: think-lmi: Fix reference leak (git-fixes).
- HID: intel-ish-hid: ipc: Disable and reenable ACPI GPE bit
(git-fixes).
- HID: sony: Fix a potential memory leak in sony_probe()
(git-fixes).
- wifi: mt76: mt76x02: fix MT76x0 external LNA gain handling
(git-fixes).
- wifi: mwifiex: Fix oob check condition in
mwifiex_process_rx_packet (git-fixes).
- wifi: iwlwifi: mvm: Fix a memory corruption issue (git-fixes).
- wifi: iwlwifi: dbg_ini: fix structure packing (git-fixes).
- wifi: mwifiex: Fix tlv_buf_left calculation (git-fixes).
- net: nfc: llcp: Add lock when modifying device list (git-fixes).
- net: usb: smsc75xx: Fix uninit-value access in
__smsc75xx_read_reg (git-fixes).
- leds: Drop BUG_ON check for LED_COLOR_ID_MULTI (git-fixes).
- regmap: rbtree: Fix wrong register marked as in-cache when
creating new node (git-fixes).
- nilfs2: fix potential use after free in
nilfs_gccache_submit_read_data() (git-fixes).
- Revert "tty: n_gsm: fix UAF in gsm_cleanup_mux" (git-fixes).
- serial: 8250_port: Check IRQ data before use (git-fixes).
- firmware: arm_ffa: Don't set the memory region attributes for
MEM_LEND (git-fixes).
- soc: imx8m: Enable OCOTP clock for imx8mm before reading
registers (git-fixes).
- firmware: imx-dsp: Fix an error handling path in
imx_dsp_setup_channels() (git-fixes).
- bus: ti-sysc: Fix missing AM35xx SoC matching (git-fixes).
- bus: ti-sysc: Use fsleep() instead of usleep_range() in
sysc_reset() (git-fixes).
- i2c: npcm7xx: Fix callback completion ordering (git-fixes).
- ata: libata-core: Do not register PM operations for SAS ports
(git-fixes).
- ata: libata-core: Fix port and device removal (git-fixes).
- ata: libata-core: Fix ata_port_request_pm() locking (git-fixes).
- ata: libata-sata: increase PMP SRST timeout to 10s (git-fixes).
- ata: libata-scsi: ignore reserved bits for REPORT SUPPORTED
OPERATION CODES (git-fixes).
- gpio: pmic-eic-sprd: Add can_sleep flag for PMIC EIC chip
(git-fixes).
- clk: tegra: fix error return case for recalc_rate (git-fixes).
- power: supply: ucs1002: fix error code in ucs1002_get_property()
(git-fixes).
- gpio: tb10x: Fix an error handling path in tb10x_gpio_probe()
(git-fixes).
- i2c: mux: gpio: Add missing fwnode_handle_put() (git-fixes).
- i2c: mux: demux-pinctrl: check the return value of
devm_kstrdup() (git-fixes).
- i2c: i801: unregister tco_pdev in i801_probe() error path
(git-fixes).
- ASoC: imx-rpmsg: Set ignore_pmdown_time for dai_link
(git-fixes).
- ASoC: fsl: imx-pcm-rpmsg: Add SNDRV_PCM_INFO_BATCH flag
(git-fixes).
- ALSA: hda: Disable power save for solving pop issue on Lenovo
ThinkCentre M70q (git-fixes).
- spi: stm32: add a delay before SPI disable (git-fixes).
- spi: nxp-fspi: reset the FLSHxCR1 registers (git-fixes).
- drm/amdgpu: Handle null atom context in VBIOS info ioctl
(git-fixes).
- drm/amd/display: Don't check registers, if using AUX BL control
(git-fixes).
- spi: sun6i: fix race between DMA RX transfer completion and
RX FIFO drain (git-fixes).
- spi: sun6i: reduce DMA RX transfer width to single byte
(git-fixes).
- watchdog: iTCO_wdt: Set NO_REBOOT if the watchdog is not
already running (git-fixes).
- watchdog: iTCO_wdt: No need to stop the timer in probe
(git-fixes).
- commit 22d41cc
- net: usb: smsc75xx: Fix uninit-value access in
__smsc75xx_read_reg (git-fixes).
- commit 38bd5fc
- r8152: check budget for r8152_poll() (git-fixes).
- commit b4330ba
- RDMA/core: Require admin capabilities to set system parameters (git-fixes)
- commit 165e98e
- RDMA/cma: Initialize ib_sa_multicast structure to 0 when join (git-fixes)
- commit ad12009
- RDMA/mlx5: Fix NULL string error (git-fixes)
- commit 5556b81
- IB/mlx4: Fix the size of a buffer in add_port_entries() (git-fixes)
- commit 8c4cdf4
- RDMA/cma: Fix truncation compilation warning in make_cma_ports (git-fixes)
- commit a7c580d
- RDMA/uverbs: Fix typo of sizeof argument (git-fixes)
- commit 7e80897
- RDMA/cxgb4: Check skb value for failure to allocate (git-fixes)
- commit 6e18278
- RDMA/siw: Fix connection failure handling (git-fixes)
- commit 107f7c6
- RDMA/srp: Do not call scsi_done() from srp_abort() (git-fixes)
- commit ecb5c5e
- RDMA/mlx5: Fix mutex unlocking on error flow for steering anchor creation (git-fixes)
- commit c1704fa
- kABI: fix bpf Invalidate slices on destruction of dynptrs on
stack (bsc#1215863 CVE-2023-39191).
- commit d4285e9
- ring-buffer: Do not attempt to read past "commit" (git-fixes).
- commit ee556e0
- ring-buffer: Avoid softlockup in ring_buffer_resize()
(git-fixes).
- commit bd7050f
- tracing: Make trace_marker{,_raw} stream-like (git-fixes).
- commit fda0bf6
- ring-buffer: Update "shortest_full" in polling (git-fixes).
- commit aad1d04
- ring-buffer: Fix bytes info in per_cpu buffer stats (git-fixes).
- commit 296da6c
- tracing: Have event inject files inc the trace array ref count
(git-fixes).
- commit 817c093
- tracing: Have option files inc the trace array ref count
(git-fixes).
- commit 921a48a
- tracing: Have current_trace inc the trace array ref count
(git-fixes).
- commit 586ee6a
- tracing: Have tracing_max_latency inc the trace array ref count
(git-fixes).
- commit 322c826
- tracing: Increase trace array ref count on enable and filter
files (git-fixes).
- commit fa9da0d
- kprobes: Prohibit probing on CFI preamble symbol (git-fixes).
- commit de7b87f
- bpf: Add override check to kprobe multi link attach (git-fixes).
- commit 6aa8462
- Delete
patches.suse/bpf-Fix-renaming-task_getsecid_subj-current_getsecid.patch.
This patch shouldn't have been backported in the first place because we
did not backport commit 6326948f940d "lsm: security_task_getsecid_subj()
- > security_current_getsecid_subj()".
Drop this patch fix resolve_btfids' complain that
bpf_lsm_current_getsecid_subj is unresolvable.
- commit 9f9ad18
- blacklist.conf: add f655badf2a8f ("bpf: fix propagate_precision() logic for inner frames")
Precision tracking for BPF subprogram is not backported, so we shouldn't
need this fix.
- commit 7b579f5
- kABI: fix bpf Tighten-ptr_to_btf_id checks (git-fixes).
- commit 34ad358
- iommu/amd: Add map/unmap_pages() iommu_domain_ops callback
support (bsc#1212423).
- iommu/amd/io-pgtable: Implement unmap_pages io_pgtable_ops
callback (bsc#1212423).
- iommu/amd/io-pgtable: Implement map_pages io_pgtable_ops
callback (bsc#1212423).
- commit b7a7693
- selftests/bpf: Add more tests for check_max_stack_depth bug
(git-fixes).
- bpf: Repeat check_max_stack_depth for async callbacks
(git-fixes).
- bpf: Fix subprog idx logic in check_max_stack_depth (git-fixes).
- selftests/bpf: Add selftest for check_stack_max_depth bug
(git-fixes).
- bpf: Fix max stack depth check for async callbacks (git-fixes).
- bpf: fix precision propagation verbose logging (git-fixes).
- bpf: Fix incorrect verifier pruning due to missing register
precision taints (bsc#1215518 CVE-2023-2163).
- selftests/bpf: Add dynptr helper tests (bsc#1215863
CVE-2023-39191).
- selftests/bpf: Add dynptr partial slot overwrite tests
(bsc#1215863 CVE-2023-39191).
- selftests/bpf: Add dynptr var_off tests (bsc#1215863
CVE-2023-39191).
- selftests/bpf: Add dynptr pruning tests (bsc#1215863
CVE-2023-39191).
- selftests/bpf: convenience macro for use with 'asm volatile'
blocks (bsc#1215863 CVE-2023-39191).
- bpf: Avoid recomputing spi in process_dynptr_func (bsc#1215863
CVE-2023-39191).
- bpf: Combine dynptr_get_spi and is_spi_bounds_valid (bsc#1215863
CVE-2023-39191).
- bpf: Allow reinitializing unreferenced dynptr stack slots
(bsc#1215863 CVE-2023-39191).
- bpf: Invalidate slices on destruction of dynptrs on stack
(bsc#1215863 CVE-2023-39191).
- bpf: Fix partial dynptr stack slot reads/writes (bsc#1215863
CVE-2023-39191).
- bpf: Fix missing var_off check for ARG_PTR_TO_DYNPTR
(bsc#1215863 CVE-2023-39191).
- bpf: Fix state pruning for STACK_DYNPTR stack slots (bsc#1215863
CVE-2023-39191).
- bpf: Add missing btf_put to register_btf_id_dtor_kfuncs
(git-fixes).
- bpf: Use memmove for bpf_dynptr_{read,write} (bsc#1215863
CVE-2023-39191).
- bpf: Move PTR_TO_STACK alignment check to process_dynptr_func
(bsc#1215863 CVE-2023-39191).
- bpf: Rework check_func_arg_reg_off (bsc#1215863 CVE-2023-39191).
- bpf: Rework process_dynptr_func (bsc#1215863 CVE-2023-39191).
- bpf: Propagate errors from process_* checks in check_func_arg
(bsc#1215863 CVE-2023-39191).
- bpf: Refactor ARG_PTR_TO_DYNPTR checks into process_dynptr_func
(bsc#1215863 CVE-2023-39191).
- selftests/bpf: convert dynptr_fail and map_kptr_fail subtests
to generic tester (bsc#1215863 CVE-2023-39191).
- bpf: Tighten ptr_to_btf_id checks (git-fixes).
- selftests/bpf: Add reproducer for decl_tag in func_proto
argument (git-fixes).
- bpf: Prevent decl_tag from being referenced in func_proto arg
(git-fixes).
- bpf: propagate precision across all frames, not just the last
one (git-fixes).
- bpf: propagate precision in ALU/ALU64 operations (git-fixes).
- bpf: Fix offset calculation error in __copy_map_value and
zero_map_value (git-fixes).
- bpf: prevent decl_tag from being referenced in func_proto
(git-fixes).
- selftests/bpf: Add reproducer for decl_tag in func_proto return
type (git-fixes).
- bpf: Gate dynptr API behind CAP_BPF (git-fixes).
- selftests/bpf: Add tests for dynamic pointers parameters in
kfuncs (bsc#1215863 CVE-2023-39191).
- bpf: Move dynptr type check to is_dynptr_type_expected()
(bsc#1215863 CVE-2023-39191).
- btf: Export bpf_dynptr definition (git-fixes).
- bpf: Add helper macro bpf_for_each_reg_in_vstate (bsc#1215863
CVE-2023-39191).
- bpf: Add zero_map_value to zero map value with special fields
(git-fixes).
- bpf: Add copy_map_value_long to copy to remote percpu memory
(git-fixes).
- bpf: Fix resetting logic for unreferenced kptrs (git-fixes).
- selftests/bpf: add extra test for using dynptr data slice
after release (bsc#1215863 CVE-2023-39191).
- bpf: Fix ref_obj_id for dynptr data slices in verifier
(git-fixes).
- bpf: Cleanup check_refcount_ok (git-fixes).
- selftests/bpf: Clean up sys_nanosleep uses (git-fixes).
- selftests/bpf: Copy over libbpf configs (bsc#1215863
CVE-2023-39191).
- bpf: Tidy up verifier check_func_arg() (bsc#1215863
CVE-2023-39191).
- commit 824f808
- Update
patches.suse/ipv6-sr-fix-out-of-bounds-read-when-setting-HMAC-dat.patch
(bsc#1211592 CVE-2023-2860).
- commit 6e15654
- KVM: x86: work around QEMU issue with synthetic CPUID leaves (git-fixes).
- commit 7ac0d16
- KVM: x86: Fix clang -Wimplicit-fallthrough in do_host_cpuid() (git-fixes).
- commit 14aa242
- s390: add z16 elf platform (git-fixes LTC#203789 bsc#1215956
LTC#203788 bsc#1215957).
- commit a4355b3
- sched/cpuset: Bring back cpuset_mutex (bsc#1215955).
- cgroup/cpuset: Change references of cpuset_mutex to cpuset_rwsem
(bsc#1215955).
- commit 59f5010
- blacklist.conf: Add c0f78fd5edcf cgroup/cpuset: Iterate only if DEADLINE tasks are present
... and its prereqs
- commit a4ba12c
- blacklist.conf: Add 98dfdd9ee939 sched/psi: Select KERNFS as needed
- commit d326b7e
- x86/cpu: Enable STIBP on AMD if Automatic IBRS is enabled (bsc#1213772).
- commit 48235ff
- KVM: x86: Propagate the AMD Automatic IBRS feature to the guest (bsc#1213772).
- commit 237820b
- x86/cpu: Support AMD Automatic IBRS (bsc#1213772).
- Refresh patches.suse/x86-srso-add-ibpb_brtype-support.patch.
- Refresh patches.suse/x86-srso-add-srso_no-support.patch.
- commit 8ed20a4
- nghttp2
-
- security update
- added patches
fix CVE-2023-44487 [bsc#1216123], HTTP/2 Rapid Reset Attack
+ nghttp2-CVE-2023-44487.patch
- openssl-1_1
-
- Displays "fips" in the version string (bsc#1215215)
* Add openssl-1_1-fips-bsc1215215_fips_in_version_string.patch
- pciutils
-
- Apply "lspci-Fixed-buffer-overflows-in-ls-tree.c.patch" to fix a
buffer overflow error that would cause lspci to crash on systems
with complex topologies. [bsc#1215265]
- Add "pciutils.keyring" so that the tarball's signature can be
verified at build time.
- Use "%license" tag instead of "%doc" to install the package's
license file.
- libtirpc
-
- update to 1.3.4 (bsc#1199467)
* binddynport.c honor ip_local_reserved_ports
- replaces: binddynport-honor-ip_local_reserved_ports.patch
* gss-api: expose gss major/minor error in authgss_refresh()
* rpcb_clnt.c: Eliminate double frees in delete_cache()
* rpcb_clnt.c: memory leak in destroy_addr
* portmapper: allow TCP-only portmapper
* getnetconfigent: avoid potential DoS issue by removing unnecessary sleep
* clnt_raw.c: fix a possible null pointer dereference
* bindresvport.c: fix a potential resource leakage
- update to 1.3.3 (bsc#1201680, CVE-2021-46828):
* Fix DoS vulnerability in libtirpc
- replaces: 0001-Fix-DoS-vulnerability-in-libtirpc.patch
* _rpc_dtablesize: use portable system call
* libtirpc: Fix use-after-free accessing the error number
* Fix potential memory leak of parms.r_addr
- replaces 0001-fix-parms.r_addr-memory-leak.patch
* rpcb_clnt.c add mechanism to try v2 protocol first
- preplaces: 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch
* Eliminate deadlocks in connects with an MT environment
* clnt_dg_freeres() uncleared set active state may deadlock
* thread safe clnt destruction
* SUNRPC: mutexed access blacklist_read state variable
* SUNRPC: MT-safe overhaul of address cache management in rpcb_clnt.c
- drop 0001-Fix-DoS-vulnerability-in-libtirpc.patch (upstream)
- update to 1.3.2:
* Replace the final SunRPC licenses with BSD licenses
* blacklist: Add a few more well known ports
* libtirpc: disallow calling auth_refresh from clnt_call with RPCSEC_GSS
- Update to libtirpc 1.3.1
* Remove AUTH_DES interfaces from auth_des.h
The unsupported AUTH_DES authentication has be
compiled out since commit d918e41d889 (Wed Oct 9 2019)
replaced by API routines that return errors.
* svc_dg: Free xp_netid during destroy
* Fix memory management issues of fd locks
* libtirpc: replace array with list for per-fd locks
* __svc_vc_dodestroy: fix double free of xp_ltaddr.buf
* __rpc_dtbsize: rlim_cur instead of rlim_max
* pkg-config: use the correct replacements for libdir/includedir
Patches replaced by update:
binddynport-honor-ip_local_reserved_ports.patch (bsc#1199467)
0001-Fix-DoS-vulnerability-in-libtirpc.patch (bsc#1201680)
0001-fix-parms.r_addr-memory-leak.patch (bsc#1198752)
0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch
(bsc#1196647), (bsc#1200800), (bsc#1198176)
* replaces /etc/netconfig-try-2-first by the environment variable
RPCB_V2FIRST
- zlib
-
- Fix CVE-2023-45853, integer overflow and resultant heap-based buffer
overflow in zipOpenNewFileInZip4_6, bsc#1216378
* CVE-2023-45853.patch
- zchunk
-
- Fix CVE-2023-46228, bsc#1216268
* Handle overflow errors in malformed zchunk files.
- Added patch:
* CVE-2023-46228.patch
- python-urllib3
-
- Add CVE-2023-43804.patch (bsc#1215968, CVE-2023-43804)
gh#urllib3/urllib3#3139
* Added the Cookie header to the list of headers to strip from
requests when redirecting to a different host. As before,
different headers can be set via Retry.remove_headers_on_redirect.
- runc
-
- Update to runc v1.1.9. Upstream changelog is available from
<https://github.com/opencontainers/runc/releases/tag/v1.1.9>.
- 000release-packages:sle-module-basesystem-release
-
n/a
- 000release-packages:sle-module-containers-release
-
n/a
- 000release-packages:sle-module-public-cloud-release
-
n/a
- 000release-packages:sle-module-server-applications-release
-
n/a
- 000release-packages:SLES-release
-
n/a
- suse-module-tools
-
- Update to version 15.5.3:
* blacklist RNDIS modules (bsc#1205767, jsc#PED-5731, CVE-2023-23559)
* modprobe.d: Blacklist cls_tcindex module (bsc#1210335, CVE-2023-1829)
(note: this is not a full fix for that CVE)
- systemd-rpm-macros
-
- Bump version to 14
- Switch to `systemd-hwdb` tool when updating the HW database. It's been
introduced in systemd v219 and replaces the deprecated command `udevadm hwdb`.