{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"important"},"category":"csaf_security_advisory","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"Security update for kernel-livepatch-MICRO-6-0-RT_Update_5","title":"Title of the patch"},{"category":"description","text":"This update for kernel-livepatch-MICRO-6-0-RT_Update_5 fixes the following issues:\n\n- CVE-2025-21772: partitions: mac: fix handling of bogus partition table (bsc#1238912)\n- CVE-2025-22115: btrfs: fix block group refcount race in btrfs_create_pending_block_groups() (bsc#1241579)\n","title":"Description of the patch"},{"category":"details","text":"SUSE-SLE-Micro-6.1-kernel-58","title":"Patchnames"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"SUSE ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"self","summary":"URL of this CSAF notice","url":"https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_20546-1.json"},{"category":"self","summary":"URL for SUSE-SU-2025:20546-1","url":"https://www.suse.com/support/update/announcement/2025/suse-su-202520546-1/"},{"category":"self","summary":"E-Mail link for SUSE-SU-2025:20546-1","url":"https://lists.suse.com/pipermail/sle-updates/2025-August/041108.html"},{"category":"self","summary":"SUSE Bug 1238912","url":"https://bugzilla.suse.com/1238912"},{"category":"self","summary":"SUSE Bug 1241579","url":"https://bugzilla.suse.com/1241579"},{"category":"self","summary":"SUSE Bug 1244337","url":"https://bugzilla.suse.com/1244337"},{"category":"self","summary":"SUSE CVE CVE-2025-21772 page","url":"https://www.suse.com/security/cve/CVE-2025-21772/"},{"category":"self","summary":"SUSE CVE CVE-2025-22115 page","url":"https://www.suse.com/security/cve/CVE-2025-22115/"}],"title":"Security update for kernel-livepatch-MICRO-6-0-RT_Update_5","tracking":{"current_release_date":"2025-07-30T16:17:29Z","generator":{"date":"2025-07-30T16:17:29Z","engine":{"name":"cve-database.git:bin/generate-csaf.pl","version":"1"}},"id":"SUSE-SU-2025:20546-1","initial_release_date":"2025-07-30T16:17:29Z","revision_history":[{"date":"2025-07-30T16:17:29Z","number":"1","summary":"Current version"}],"status":"final","version":"1"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_version","name":"kernel-livepatch-6_4_0-25-rt-4-1.1.x86_64","product":{"name":"kernel-livepatch-6_4_0-25-rt-4-1.1.x86_64","product_id":"kernel-livepatch-6_4_0-25-rt-4-1.1.x86_64"}}],"category":"architecture","name":"x86_64"},{"branches":[{"category":"product_name","name":"SUSE Linux Micro 6.1","product":{"name":"SUSE Linux Micro 6.1","product_id":"SUSE Linux Micro 6.1","product_identification_helper":{"cpe":"cpe:/o:suse:sl-micro:6.1"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"kernel-livepatch-6_4_0-25-rt-4-1.1.x86_64 as component of SUSE Linux Micro 6.1","product_id":"SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-25-rt-4-1.1.x86_64"},"product_reference":"kernel-livepatch-6_4_0-25-rt-4-1.1.x86_64","relates_to_product_reference":"SUSE Linux Micro 6.1"}]},"vulnerabilities":[{"cve":"CVE-2025-21772","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2025-21772"}],"notes":[{"category":"general","text":"In the Linux kernel, the following vulnerability has been resolved:\n\npartitions: mac: fix handling of bogus partition table\n\nFix several issues in partition probing:\n\n - The bailout for a bad partoffset must use put_dev_sector(), since the\n   preceding read_part_sector() succeeded.\n - If the partition table claims a silly sector size like 0xfff bytes\n   (which results in partition table entries straddling sector boundaries),\n   bail out instead of accessing out-of-bounds memory.\n - We must not assume that the partition table contains proper NUL\n   termination - use strnlen() and strncmp() instead of strlen() and\n   strcmp().","title":"CVE description"}],"product_status":{"recommended":["SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-25-rt-4-1.1.x86_64"]},"references":[{"category":"external","summary":"CVE-2025-21772","url":"https://www.suse.com/security/cve/CVE-2025-21772"},{"category":"external","summary":"SUSE Bug 1238911 for CVE-2025-21772","url":"https://bugzilla.suse.com/1238911"},{"category":"external","summary":"SUSE Bug 1238912 for CVE-2025-21772","url":"https://bugzilla.suse.com/1238912"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-25-rt-4-1.1.x86_64"]}],"scores":[{"cvss_v3":{"baseScore":7.8,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-25-rt-4-1.1.x86_64"]}],"threats":[{"category":"impact","date":"2025-07-30T16:17:29Z","details":"important"}],"title":"CVE-2025-21772"},{"cve":"CVE-2025-22115","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2025-22115"}],"notes":[{"category":"general","text":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix block group refcount race in btrfs_create_pending_block_groups()\n\nBlock group creation is done in two phases, which results in a slightly\nunintuitive property: a block group can be allocated/deallocated from\nafter btrfs_make_block_group() adds it to the space_info with\nbtrfs_add_bg_to_space_info(), but before creation is completely completed\nin btrfs_create_pending_block_groups(). As a result, it is possible for a\nblock group to go unused and have 'btrfs_mark_bg_unused' called on it\nconcurrently with 'btrfs_create_pending_block_groups'. This causes a\nnumber of issues, which were fixed with the block group flag\n'BLOCK_GROUP_FLAG_NEW'.\n\nHowever, this fix is not quite complete. Since it does not use the\nunused_bg_lock, it is possible for the following race to occur:\n\nbtrfs_create_pending_block_groups            btrfs_mark_bg_unused\n                                           if list_empty // false\n        list_del_init\n        clear_bit\n                                           else if (test_bit) // true\n                                                list_move_tail\n\nAnd we get into the exact same broken ref count and invalid new_bgs\nstate for transaction cleanup that BLOCK_GROUP_FLAG_NEW was designed to\nprevent.\n\nThe broken refcount aspect will result in a warning like:\n\n  [1272.943527] refcount_t: underflow; use-after-free.\n  [1272.943967] WARNING: CPU: 1 PID: 61 at lib/refcount.c:28 refcount_warn_saturate+0xba/0x110\n  [1272.944731] Modules linked in: btrfs virtio_net xor zstd_compress raid6_pq null_blk [last unloaded: btrfs]\n  [1272.945550] CPU: 1 UID: 0 PID: 61 Comm: kworker/u32:1 Kdump: loaded Tainted: G        W          6.14.0-rc5+ #108\n  [1272.946368] Tainted: [W]=WARN\n  [1272.946585] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014\n  [1272.947273] Workqueue: btrfs_discard btrfs_discard_workfn [btrfs]\n  [1272.947788] RIP: 0010:refcount_warn_saturate+0xba/0x110\n  [1272.949532] RSP: 0018:ffffbf1200247df0 EFLAGS: 00010282\n  [1272.949901] RAX: 0000000000000000 RBX: ffffa14b00e3f800 RCX: 0000000000000000\n  [1272.950437] RDX: 0000000000000000 RSI: ffffbf1200247c78 RDI: 00000000ffffdfff\n  [1272.950986] RBP: ffffa14b00dc2860 R08: 00000000ffffdfff R09: ffffffff90526268\n  [1272.951512] R10: ffffffff904762c0 R11: 0000000063666572 R12: ffffa14b00dc28c0\n  [1272.952024] R13: 0000000000000000 R14: ffffa14b00dc2868 R15: 000001285dcd12c0\n  [1272.952850] FS:  0000000000000000(0000) GS:ffffa14d33c40000(0000) knlGS:0000000000000000\n  [1272.953458] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  [1272.953931] CR2: 00007f838cbda000 CR3: 000000010104e000 CR4: 00000000000006f0\n  [1272.954474] Call Trace:\n  [1272.954655]  <TASK>\n  [1272.954812]  ? refcount_warn_saturate+0xba/0x110\n  [1272.955173]  ? __warn.cold+0x93/0xd7\n  [1272.955487]  ? refcount_warn_saturate+0xba/0x110\n  [1272.955816]  ? report_bug+0xe7/0x120\n  [1272.956103]  ? handle_bug+0x53/0x90\n  [1272.956424]  ? exc_invalid_op+0x13/0x60\n  [1272.956700]  ? asm_exc_invalid_op+0x16/0x20\n  [1272.957011]  ? refcount_warn_saturate+0xba/0x110\n  [1272.957399]  btrfs_discard_cancel_work.cold+0x26/0x2b [btrfs]\n  [1272.957853]  btrfs_put_block_group.cold+0x5d/0x8e [btrfs]\n  [1272.958289]  btrfs_discard_workfn+0x194/0x380 [btrfs]\n  [1272.958729]  process_one_work+0x130/0x290\n  [1272.959026]  worker_thread+0x2ea/0x420\n  [1272.959335]  ? __pfx_worker_thread+0x10/0x10\n  [1272.959644]  kthread+0xd7/0x1c0\n  [1272.959872]  ? __pfx_kthread+0x10/0x10\n  [1272.960172]  ret_from_fork+0x30/0x50\n  [1272.960474]  ? __pfx_kthread+0x10/0x10\n  [1272.960745]  ret_from_fork_asm+0x1a/0x30\n  [1272.961035]  </TASK>\n  [1272.961238] ---[ end trace 0000000000000000 ]---\n\nThough we have seen them in the async discard workfn as well. It is\nmost likely to happen after a relocation finishes which cancels discard,\ntears down the block group, etc.\n\nFix this fully by taking the lock arou\n---truncated---","title":"CVE description"}],"product_status":{"recommended":["SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-25-rt-4-1.1.x86_64"]},"references":[{"category":"external","summary":"CVE-2025-22115","url":"https://www.suse.com/security/cve/CVE-2025-22115"},{"category":"external","summary":"SUSE Bug 1241578 for CVE-2025-22115","url":"https://bugzilla.suse.com/1241578"},{"category":"external","summary":"SUSE Bug 1241579 for CVE-2025-22115","url":"https://bugzilla.suse.com/1241579"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-25-rt-4-1.1.x86_64"]}],"scores":[{"cvss_v3":{"baseScore":7,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-25-rt-4-1.1.x86_64"]}],"threats":[{"category":"impact","date":"2025-07-30T16:17:29Z","details":"important"}],"title":"CVE-2025-22115"}]}